4

I have the following code that attempts to verify a server certificate against the CA in my private PKI. Its used with ServicePointManager and RemoteCertificateValidationCallback:

static bool VerifyServerCertificate(object sender, X509Certificate certificate,
    X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    X509Certificate2 ca = new X509Certificate2();
    ca.Import("ca-rsa-cert.der");

    X509Chain chain2 = new X509Chain();
    chain2.ChainPolicy.ExtraStore.Add(ca);

    // Check all properties
    chain2.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

    // This setup does not have revocation information
    chain2.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

    chain2.Build(new X509Certificate2(certificate));
    if (chain2.ChainStatus.Length == 0)
    {
        return true;
    }

    bool result = chain2.ChainStatus[0].Status == X509ChainStatusFlags.NoError;
    Debug.Assert(result == true);

    return result;
}

The problem is that chain2.ChainStatus.Length is always 0.

If I set X509RevocationMode to X509RevocationMode.Online, then ChainStatus.Length == 1 and the status is set to X509ChainStatusFlags.RevocationStatusUnknown. (Its expected because there's no revocation in the test rig).

Question: What does a 0 length ChainStatus.Length mean?

Question: If its success, then why is X509ChainStatusFlags.NoError not used?

jww
  • 97,681
  • 90
  • 411
  • 885

1 Answers1

1

If the ChainStatuts.Lenght = 0; that means that your chain is correctly built. You can also check the result with the Verify() function. It use the Online Revocation mode and use the standard policy verification.

jww
  • 97,681
  • 90
  • 411
  • 885
hally mama
  • 11
  • 1
  • 1
    Welcome to StackOverflow: if you post code, XML or data samples, please highlight those lines in the text editor and click on the "code samples" button ( { } ) on the editor toolbar or using Ctrl+K on your keyboard to nicely format and syntax highlight it! – WhatsThePoint Jan 10 '18 at 13:25