How to ensure we're getting the topmost Root CA certificate from a chain?
I'm using this code to evaluate each certificate in a chain for Root CA status:
Function GetRootCaCertificates(Chain As X509Chain) As IEnumerable(Of X509Certificate2)
With Chain.ChainElements.Cast(Of X509ChainElement)
With .Select(Function(Element As X509ChainElement) Element.Certificate)
Return .Where(Function(Certificate As X509Certificate2)
With Certificate.Extensions.Cast(Of X509Extension)
With .Where(Function(Extension As X509Extension) TypeOf Extension Is X509BasicConstraintsExtension)
With .Cast(Of X509BasicConstraintsExtension)
Return .Where(Function(Extension As X509BasicConstraintsExtension) Extension.CertificateAuthority = True).Count > 0
End With
End With
End With
End Function).ToList
End With
End With
End Function
It works well, but in the current case it's returning the two StartCom certificates:
(Yes, I know that StartCom has been delisted—I'll be dealing with that later this week.)
The ServerCertificateValidationCallback delegate receives the X509Chain, which in turn contains an array of the certificates that make up the chain. I'm not confident that we can rely on the elements' order in the array to determine the top-level Root CA.
I found this and this, but the first relies on Magic Strings™ and the second relies on an optional field. And the Extension.CertificateAuthority property above doesn't narrow it down enough, either. As we can see, two certificates in the chain have this property set to True.
The public properties of an X509Certificate2 don't seem to include anything that we can use to reliably identify its issuer in the chain. Most handy would be something like Certificate.IssuerThumbprint or similar.
Obviously this information is available somehow, since the chain was built in the first place. And I'm having a hard time considering the possibility that this simple capability has been overlooked in the API.
I must be missing it somewhere.
--EDIT--
I found the X509ChainPolicy.ExtraStore property, which seems to contain all certificates except the one we're after. From here it's a simple matter of exclusion:
Dim oCertificates As List(Of X509Certificate2)
Dim oThumbprints As IEnumerable(Of String)
oThumbprints = Chain.ChainPolicy.ExtraStore.Cast(Of X509Certificate2).Select(Function(Certificate As X509Certificate2) Certificate.Thumbprint)
oCertificates = Chain.ChainElements.Cast(Of X509ChainElement).Select(Function(Element As X509ChainElement) Element.Certificate).ToList
oCertificates.RemoveAll(Function(Certificate As X509Certificate2) oThumbprints.Contains(Certificate.Thumbprint))
Is this a reliable means of finding the top-level Root CA in a chain?
The ChainElements are in order from leaf-most to root-most. So as long as you don't get a PartialChain error, it's the last ChainElement's Certificate.
private static X509Certificate2 GetRootCertificate(X509Chain chain)
{
// Assumes that chain.Build was already called
foreach (X509ChainStatus status in chain.ChainStatus)
{
if (status.Status == X509ChainStatusFlags.PartialChain)
{
return null;
}
}
X509ChainElement chainElement = chain.ChainElements[chain.ChainElements.Count - 1];
return chainElement.Certificate;
}
- Why .net 8.0.100 is a preview?
- Specifying SSL/TLS for System.Net.HttpWebRequest through App.config
- Microsoft InMemoryDatabase doesn't connect relationship in Entity Framework during test
- "Correlation failed." after upgrading 'Microsoft.IdentityModel.JsonWebTokens' and 'System.IdentityModel.Tokens.Jwt'
- How do I fix the Visual Studio compile error, "mismatch between processor architecture"?
- Can't open WinForms forms with Infragistics UltraWinGrid control anymore in Visual Studio designer after moving to .NET 8
- A certificate chain could not be built to a trusted root authority
- GhostScript generates a blank PDF file on a specific PDF document
- SafeHandle in C#
- How do I remove diacritics (accents) from a string in .NET?
- Why can't Windbg's SOS extension give me Syncblock data?
- Why is ProblemDetails not being returned in the HTTP response from my 'IExceptionHandler' implementation`?
- How to check if a number is a power of 2
- NuGet Framework Assemblies not working
- dotnet restore warning NU1701
- Functional way to check if array of numbers is sequential
- Initialize async data in ViewModel .NET MAUI
- "Invalid column" when called from another stored procedure from .Net
- Running .NET MAUI application on windows machine throwing exception from external code in Windows specific platform file
- Differences between nuget-packing a csproj vs. nuspec
- LINQ to Entities does not recognize the method Generic.List(int) to Generic.IEnumerable(int) method
- Flatten List<string[]> into single string with one line for each element
- Excel RTD server in a WPF .NET 8 application
- Why is an explicit `this` constructor initializer required in records with a primary constructor?
- What should I use instead of .net GraphQL FieldAsync method?
- How to loop through multiple dictionaries to obtain KVP?
- CollectionView only shows items, when I have a private or no setter in .NET MAUI
- What's the difference between AddScoped and AddSingleton in .NET Core Console Application?
- How to get the Properties of a *.mp3 File in C#
- How to save a dictionary into a database with C#?