Validate X509 data against an online CRL

yoggiebhr

New member
Joined
Jul 16, 2008
Messages
1
Programming Experience
1-3
Hello all,

I am in desperate need. I have a VB.Net application that receives XML documents from an online source. These documents are signed with the digital certificate information contained in the X509 tag. I am able to to get the data out of the tag and decode it into a human readable format. However, I need to be able to validate the certificate against an online CRL using the information that is contained in the X509 data. Every example I have found through my web searches assumes that you are checking against a local CRL and that won't work because even though I receive the XML documents from one source, that source is just a routing site for documents that could come from literally hundreds of document origination points.

Can anyone provide a code snippet on how this would work?

This is just a small snippet of what I've done so far, just to show I'm getting to the cert information:

Dim certRawData As Byte() = System.Convert.FromBase64String(x509Data)
Dim cert As New X509Certificate2(certRawData)

Dim rsaCryptoSP As RSACryptoServiceProvider = DirectCast(cert.PublicKey.Key, RSACryptoServiceProvider)
Dim strCertEffectiveDate As String
strCertEffectiveDate = cert.GetEffectiveDateString()
Dim strCertExpirationDate As String
strCertExpirationDate = cert.GetExpirationDateString

ch.ChainPolicy.RevocationMode = X509RevocationMode.Online
ch.ChainPolicy.UrlRetrievalTimeout = New TimeSpan(0, 1, 0)

ch.Build(cert)
Console.WriteLine("Chain Information")
Console.WriteLine("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag)
Console.WriteLine("Chain revocation mode: {0}", ch.ChainPolicy.RevocationMode)
Console.WriteLine("Chain verification flag: {0}", ch.ChainPolicy.VerificationFlags)
Console.WriteLine("Chain verification time: {0}", ch.ChainPolicy.VerificationTime)
Console.WriteLine("Chain status length: {0}", ch.ChainStatus.Length)
Console.WriteLine("Chain application policy count: {0}", ch.ChainPolicy.ApplicationPolicy.Count)
Console.WriteLine("Chain certificate policy count: {0} {1}", ch.ChainPolicy.CertificatePolicy.Count, Environment.NewLine)
For Each status1 As X509ChainStatus In ch.ChainStatus
MsgBox(status1.Status.ToString())
Next
Console.WriteLine("****************************************************")
'Output chain element information.
Console.WriteLine("Chain Element Information")
Console.WriteLine("Number of chain elements: {0}", ch.ChainElements.Count)
Console.WriteLine("Chain elements synchronized? {0} {1}", ch.ChainElements.IsSynchronized, Environment.NewLine)

Dim element As X509ChainElement
For Each element In ch.ChainElements
Console.WriteLine("Element issuer name: {0}", element.Certificate.Issuer)
Console.WriteLine("Element certificate valid until: {0}", element.Certificate.NotAfter)
Console.WriteLine("Element certificate is valid: {0}", element.Certificate.Verify())
Console.WriteLine("Element error status length: {0}", element.ChainElementStatus.Length)
Console.WriteLine("Element information: {0}", element.Information)
Console.WriteLine("Number of element extensions: {0}{1}", element.Certificate.Extensions.Count, Environment.NewLine)
Console.WriteLine("Number of element extensions: {0}{1}", element.Certificate.Extensions.Count, Environment.NewLine)
Dim strCertFullName As String
strCertFullName = element.Information
Next element

So, I can pluck all kinds of information out of the certificate, but I am not successful in getting a valid response, probably because I'm leaving out something important. I thought the following lines would force an online check:

ch.ChainPolicy.RevocationMode = X509RevocationMode.Online
ch.ChainPolicy.UrlRetrievalTimeout = New TimeSpan(0, 1, 0)

Can anyone please help?
Thanks!!
Gregg
 
Top Bottom