Leon

Reputation: 1995

How does SignedXml.CheckSignature verify the certificate?

Here I have a question about the principle of SignedXml.CheckSignature.

As we know, if we call the function with verifySignatureOnly = false, it can verify the certificate.

[ComVisibleAttribute(false)]
public bool CheckSignature(
    X509Certificate2 certificate,
    bool verifySignatureOnly
)

But how can it verify? According to my understanding, a certificate should be a public key encrypted by the CA private key. So CheckSignature can get the CA public key, then decrypt the certificate? I want to know how it works. Hope someone can help.

Upvotes: 1

Views: 632

Answers (1)

pepo

Reputation: 8877

It uses the Windows certificate store to build a certificate chain up to a trusted root authority. When it is building the chain, the method also verifies the revocation status of the certificates (usually from the CRLs of all authorities in the chain) to check if any of the certificates in the chain are still valid.

If there are links to OCSP in the certificates, then the method could prefer to check the OCSP status of these certificates, but it depends on the OS you are using (I think Win XP didn't use OCSP, but Win 7+ does it by default).

If any of the checks the method performs fails, i.e. the CRL is not available, the chain could not be built to a trusted root authority, or the certificate is revoked, then the method returns false.

Upvotes: 1
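The chain-building and revocation check the answer describes, shown as an added C# example (not code from the question, the answer, or the .NET sources): it runs CheckSignature both ways and then repeats the chain walk with an explicit X509Chain so the reason for a false result is visible. It assumes the signed document is at signed.xml with the signer's certificate embedded in KeyInfo/X509Data, and the chain policy values are this example's choices to mirror the answer, not a statement of what CheckSignature uses internally.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class SignedXmlChainCheck
{
    // Pull the first certificate out of <KeyInfo>/<X509Data> (assumed to be present).
    static X509Certificate2 LoadSignerCertificate(SignedXml signedXml)
    {
        foreach (KeyInfoClause clause in signedXml.KeyInfo)
        {
            if (clause is KeyInfoX509Data x509Data && x509Data.Certificates.Count > 0)
                return new X509Certificate2((X509Certificate)x509Data.Certificates[0]);
        }
        throw new CryptographicException("No X509Data found in KeyInfo");
    }

    static int Main()
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.Load("signed.xml"); // assumed input path

        var signedXml = new SignedXml(doc);
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count == 0) { Console.WriteLine("No Signature element"); return 1; }
        signedXml.LoadXml((XmlElement)sigs[0]);
        X509Certificate2 signer = LoadSignerCertificate(signedXml);

        // 1) Signature math only: references and SignedInfo, no trust decision.
        bool sigOk = signedXml.CheckSignature(signer, verifySignatureOnly: true);
        // 2) Same call with false: additionally builds the chain to a trusted root
        //    and checks revocation, as the answer explains.
        bool fullOk = signedXml.CheckSignature(signer, verifySignatureOnly: false);
        Console.WriteLine($"signature valid: {sigOk}, certificate trusted: {fullOk}");

        // 3) Explicit chain build with online CRL/OCSP lookups so the failing
        //    status (untrusted root, revoked, revocation unknown, ...) is printed.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;     // example policy
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot; // example policy
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        bool built = chain.Build(signer);
        foreach (X509ChainElement e in chain.ChainElements)
            Console.WriteLine($"  chain: {e.Certificate.Subject}");
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine($"  status: {s.Status} - {s.StatusInformation}");
        return (sigOk && fullOk && built) ? 0 : 1;
    }
}
```

A certificate whose CRL distribution point is unreachable shows up here as a RevocationStatusUnknown or OfflineRevocation status, which is the "CRL not available" case the answer mentions.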
