5

We happen to run a REST API service that exposes an https:// endpoint. Recently we changed our SSL certificate and several users, mostly libcurl and Java users, complained that they can no longer validate the certificate and their programs refuse to connect to our service. Other users, including .NET users, didn't observe any problems. Firefox is also happy to open pages on the site with that certificate.

We need to craft some code that validates the certificates the hardest way possible before we use them in production.

I crafted a piece of code that creates a X509Certificate2 object for the certificate and then tries to X509Chain.Build() from it:

using System.IO;
using System.Security.Cryptography.X509Certificates;

var certDataArray = File.ReadAllBytes( path );              // PFX/PKCS#12 bytes on disk
var cert = new X509Certificate2( certDataArray, password );
var chain = new X509Chain();                                // default policy: system trust store, online revocation
var result = chain.Build(cert);                             // false when the chain could not be validated
var status = chain.ChainStatus;                             // one X509ChainStatus entry per problem found

This code runs okay for our previous certificate (which is not yet expired) and fails for the new one (Build() returns false and X509Chain.ChainStatus contains a number of elements: X509ChainStatusFlags.RevocationStatusUnknown, X509ChainStatusFlags.PartialChain, X509ChainStatusFlags.OfflineRevocation). So it looks like for this specific certificate this check is enough.

Is X509Chain.Build() enough to ensure that all of our users can successfully validate the certificate? Are any other checks necessary?

sharptooth
  • 167,383
  • 100
  • 513
  • 979
  • What did you change in your certificate? Did you use a new CA / issuer? – stephen.vakil Sep 08 '15 at 15:02
  • @stephen.vakil The new certificate came from another CA and there was something wrong with that CA infrastructure which prevented thorough validation. Does it really matter? – sharptooth Sep 09 '15 at 06:52

1 Answer

4

The X509ChainStatusFlags.PartialChain code is a sign you have a problem. At least one certificate in the chain a) does not have an issuer which is already in your local certificate stores and b) does not have a resolvable Authority Information Access extension which lets the system download the cert (though that could also be a network error).

If the missing certificate is the root, then providing it to chain.ChainPolicy.ExtraStore (before calling Build) would change X509ChainStatusFlags.PartialChain to X509ChainStatusFlags.UntrustedRoot. If it's an intermediate then it may well result in the chain building successfully.

The OfflineRevocation code seems weird, since you didn't specify X509RevocationMode.Offline (at least, not in your snippet here).

bartonjs
  • 30,352
  • 2
  • 71
  • 111
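The PartialChain / UntrustedRoot progression described in the answer, shown end to end as an added example (this is not code from the question or the answer). It builds a throw-away root CA and a leaf certificate in memory with CertificateRequest, so nothing is ever written to a certificate store and the leaf is genuinely "unknown" to the machine, then runs X509Chain.Build() four times under an explicit ChainPolicy. The subject names, validity periods, serial number and the hypothetical helper names MakeTestPki and Validate are assumptions made for the demo; it needs .NET 5 or later for X509ChainTrustMode.CustomRootTrust.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post: shows how X509Chain.ChainStatus
// changes as the missing issuer is supplied, and what strict revocation
// checking reports for a certificate that carries no CRL/OCSP URL.
static class ChainDemo
{
    // Constructed test PKI (assumption for the demo): a self-signed root and one
    // leaf it signs. Neither is installed anywhere, so the OS does not know the root.
    static (X509Certificate2 root, X509Certificate2 leaf) MakeTestPki()
    {
        using var rootKey = RSA.Create(2048);
        var rootReq = new CertificateRequest("CN=Example Test Root", rootKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        // Create() refuses an issuer that is not marked CA or lacks KeyCertSign.
        rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        rootReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        var now = DateTimeOffset.UtcNow;
        var root = rootReq.CreateSelfSigned(now.AddMinutes(-5), now.AddYears(2));

        using var leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=api.example.test", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        // Leaf validity sits inside the root's validity; serial number is arbitrary.
        var leaf = leafReq.Create(root, now, now.AddYears(1), new byte[] { 0x01, 0x02, 0x03, 0x04 });
        return (root, leaf);
    }

    // Builds the chain under an explicit, strict policy and returns every status
    // flag OR-ed together so the caller can see *why* Build() said no.
    static X509ChainStatusFlags Validate(X509Certificate2 leaf, X509Certificate2[] extra,
                                         X509Certificate2[] trustedRoots, X509RevocationMode revocation)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = revocation;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // ignore nothing
        chain.ChainPolicy.ExtraStore.AddRange(extra);   // candidate issuers, NOT trusted by themselves
        if (trustedRoots.Length > 0)
        {
            // Trust these roots for this chain only, instead of the machine store.
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.AddRange(trustedRoots);
        }

        bool ok = chain.Build(leaf);
        var flags = chain.ChainStatus.Aggregate(X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
        Console.WriteLine($"Build()={ok}  flags={flags}");
        foreach (var element in chain.ChainElements)
            Console.WriteLine($"  {element.Certificate.Subject}");
        return flags;
    }

    static void Main()
    {
        var (root, leaf) = MakeTestPki();
        var none = Array.Empty<X509Certificate2>();

        // 1. Issuer not in any store and no AIA URL to fetch it from: PartialChain.
        Validate(leaf, none, none, X509RevocationMode.NoCheck);

        // 2. Root handed over via ExtraStore: the chain now completes, but ends in a
        //    root nobody trusts, so PartialChain turns into UntrustedRoot.
        Validate(leaf, new[] { root }, none, X509RevocationMode.NoCheck);

        // 3. Root explicitly trusted for this chain: Build() returns true, no flags.
        Validate(leaf, none, new[] { root }, X509RevocationMode.NoCheck);

        // 4. Same chain with online revocation checking. These test certificates carry
        //    no CRL or OCSP URL, so expect RevocationStatusUnknown (typically paired
        //    with OfflineRevocation) even though the chain itself is fine.
        Validate(leaf, none, new[] { root }, X509RevocationMode.Online);
    }
}
```

Two things worth keeping in mind when reading the output: ExtraStore only supplies candidates for chain building and never confers trust, which is exactly why step 2 still fails; and X509Chain.Build() says nothing about whether the certificate's name matches the host you are connecting to, so a deployment check also needs a hostname comparison (or a real TLS handshake against the endpoint) on top of the chain result.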