
Certificate validation check before signing

Syncfusion has a very useful function, ValidateSignature(), that is used in the validation process and returns a powerful class with lots of properties such as the revocation result, LTV information, ValidationErrors, etc.

Is there another way that can be used to check the validity of the signer's certificate before starting the signing process, such as checking the certificate's entire chain (not partial), a revocation check, etc.?

Waiting for your reply... I hope there is a workaround or a plan to implement such functionality 😊



IJ Irfana Jaffer Sadhik Syncfusion Team March 14, 2023 10:22 AM UTC

Thank you for contacting Syncfusion support,


We do not have direct support to validate the validity of the signer for all intermediate certificates and revocation status. However, you can use the X509Certificate2 class from the System.Security.Cryptography.X509Certificates namespace to verify the validity of the certificate.


Please note that this only works with trusted certificates. Therefore, please ensure that your certificate is a trusted certificate or install your untrusted certificate in the Trusted Root Certificate Authorities.


The Verify() method checks the certificate's validity against the certificate chain, revocation lists, and other factors. If the certificate is valid, it returns true; otherwise, it returns false.


You can also check the specific reason why the certificate is invalid by examining the X509ChainStatus property of the X509Chain object that is returned by the Verify() method.


using System;
using System.Security.Cryptography.X509Certificates;

class Program
{
    static void Main()
    {
        // Load the certificate from a file
        X509Certificate2 cert = new X509Certificate2("your certificate path");

        // Check the certificate's validity
        bool isValid = cert.Verify();
        if (isValid)
        {
            Console.WriteLine("Certificate is valid!");
        }
        else
        {
            Console.WriteLine("Certificate is invalid!");
        }

        // Create a new chain policy object
        X509ChainPolicy chainPolicy = new X509ChainPolicy
        {
            RevocationMode = X509RevocationMode.Online
        };

        // Create a new chain object and build the chain
        using (X509Chain chain = new X509Chain())
        {
            chain.ChainPolicy = chainPolicy;
            bool chainIsValid = chain.Build(cert);

            // Check the chain's validity
            if (chainIsValid)
            {
                Console.WriteLine("Certificate chain is valid!");
            }
            else
            {
                // Print every reason the chain failed to build
                foreach (X509ChainStatus status in chain.ChainStatus)
                {
                    Console.WriteLine(status.StatusInformation);
                }
                Console.WriteLine("Certificate chain is invalid!");
            }
        }
    }
}



JA Jacobs replied to Irfana Jaffer Sadhik March 14, 2023 10:43 AM UTC

Thanks Irfana, 

Actually, that is what I am using right now ... but unfortunately it has inconsistent behaviour while checking revocation, as sometimes it gives a false build with the error "revocation server unavailable" on WinForms and WebForms.

WinForms works fine all the time, while WebForms sometimes gives the error (revocation server unavailable) while testing the two projects on the same machine.


That's why I was checking if you have a workaround or
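The two posts above (the X509Chain snippet from the Syncfusion reply, and the intermittent "revocation server unavailable" result described in the follow-up) point at the same practical gap: a pre-signing gate needs to check the entire chain, and it needs to tell a certificate that is actually revoked apart from a revocation check that simply could not complete. The following is an added example written for this thread, not code from Syncfusion or from the original poster. It uses only the .NET X509Chain API; the class and method names (PreSigningCertificateCheck, Evaluate, SigningCertVerdict) and the 15-second URL retrieval timeout are assumptions for illustration. The design choice is to fail closed: an unreachable CRL/OCSP server blocks signing and is reported as RevocationUnknown, so the caller can retry or alert, rather than being silently treated as "valid".

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

// Added example, not Syncfusion code. Names below are illustrative assumptions.
public enum SigningCertVerdict
{
    Ok,                        // chain built, every element checked, no errors
    Revoked,                   // some element of the chain is revoked: hard stop
    NotTimeValid,              // signer or an issuer is expired or not yet valid
    UntrustedOrIncompleteChain,// root not trusted, or an intermediate is missing
    RevocationUnknown,         // CRL/OCSP could not be retrieved: fail closed, retry later
    OtherFailure               // anything else reported by the chain engine
}

public static class PreSigningCertificateCheck
{
    // Builds the full chain for the signing certificate with online revocation
    // checking on EVERY element (not just the end-entity certificate) and maps the
    // per-element status flags to a single verdict. 'reasons' lists each problem
    // together with the subject of the certificate it was reported on.
    public static SigningCertVerdict Evaluate(X509Certificate2 signerCert, out List<string> reasons)
    {
        reasons = new List<string>();

        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // ignore nothing
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);   // assumed value
            chain.ChainPolicy.VerificationTime = DateTime.Now;

            bool built = chain.Build(signerCert);

            // Aggregate the flags of every element so a revoked or expired
            // intermediate is treated exactly like a revoked or expired signer.
            var flags = X509ChainStatusFlags.NoError;
            foreach (X509ChainElement element in chain.ChainElements)
            {
                foreach (X509ChainStatus status in element.ChainElementStatus)
                {
                    flags |= status.Status;
                    reasons.Add($"{element.Certificate.Subject}: {status.Status} ({status.StatusInformation.Trim()})");
                }
            }

            if (built && flags == X509ChainStatusFlags.NoError)
                return SigningCertVerdict.Ok;

            // Order matters: report the most severe condition first.
            if ((flags & X509ChainStatusFlags.Revoked) != 0)
                return SigningCertVerdict.Revoked;
            if ((flags & X509ChainStatusFlags.NotTimeValid) != 0)
                return SigningCertVerdict.NotTimeValid;
            if ((flags & (X509ChainStatusFlags.UntrustedRoot | X509ChainStatusFlags.PartialChain)) != 0)
                return SigningCertVerdict.UntrustedOrIncompleteChain;
            if ((flags & (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation)) != 0)
                return SigningCertVerdict.RevocationUnknown;
            return SigningCertVerdict.OtherFailure;
        }
    }

    // Retries only the "could not reach the revocation server" case a few times.
    // Every other verdict is final, and only Ok permits signing.
    public static bool MayProceedToSign(X509Certificate2 signerCert, out List<string> reasons, int attempts = 3)
    {
        reasons = new List<string>();
        for (int i = 0; i < attempts; i++)
        {
            var verdict = Evaluate(signerCert, out reasons);
            if (verdict == SigningCertVerdict.Ok) return true;
            if (verdict != SigningCertVerdict.RevocationUnknown) return false;
        }
        return false; // revocation status still unknown after all attempts: do not sign
    }

    public static void Main()
    {
        // Placeholder path; replace with the signer's PFX/PEM file.
        using (var cert = new X509Certificate2("your certificate path"))
        {
            bool ok = MayProceedToSign(cert, out List<string> reasons);
            Console.WriteLine(ok ? "OK to sign" : "Do not sign:");
            foreach (string r in reasons) Console.WriteLine("  " + r);
        }
    }
}
```

Two points worth keeping in mind when running this in a web host. First, the verdict RevocationUnknown is deliberately distinct from Revoked: the former means the chain engine could not download a CRL or reach an OCSP responder, which is exactly the intermittent "revocation server unavailable" condition described above, while the latter is a definitive answer and should never be retried. Second, when a WinForms process on the same machine succeeds and the WebForms process does not, one common thing to rule out is that the web process identity (the application pool account) has different proxy settings or outbound network access than the interactive user; the thread does not diagnose the cause, so treat that as a starting point for investigation rather than a conclusion.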



IJ Irfana Jaffer Sadhik Syncfusion Team March 15, 2023 11:24 AM UTC

We don't have any other workaround solution to check the validity and revocation status of intermediate certificates. If you want to stop signing signatures due to issues with the revocation server of an intermediate certificate, we recommend trying our EnableLTV API. When all intermediate certificate CRL/OCSP is embedded, the API returns 'true'; otherwise, it returns 'false'. Additionally, we have shared a custom NuGet package in forum #180445 to address the EnableLTV problem. Please try it and let us know your feedback.



JA Jacobs March 15, 2023 11:31 AM UTC

Yes, I know, and I am already using it with the X509 build ... I didn't have the chance to try the fix yet ... but EnableLTV will only help in ensuring an LTV signature ... I also need the other checks, like checking for expired or revoked certificates, that all chain elements exist, etc.

Can Syncfusion provide a function for signing checks, the same as you do in validation, in future releases?



IJ Irfana Jaffer Sadhik Syncfusion Team March 16, 2023 01:19 PM UTC

We don't have any plans for external validation requirements, such as checking the validity of intermediate certificates, the existence of all chains, and revocation status.


Marked as answer

JA Jacobs March 21, 2023 11:28 AM UTC

Thanks Irfana

Is Syncfusion's PDF ValidateSignature based on the .NET X509 Verify() and chain Build() functions?



IJ Irfana Jaffer Sadhik Syncfusion Team March 22, 2023 10:44 AM UTC

Is Syncfusion's PDF ValidateSignature based on the .NET X509 Verify() and chain Build() functions?

No, we are not using x509 verify() and chain build functions for signature validation. Instead, we have our own function to validate PDF signatures.



JA Jacobs March 23, 2023 10:36 AM UTC

Thanks

