Discuss this help topic in SecureBlackbox Forum

Validate certificate signature

SecureBlackbox offers high-level certificate handling classes such as TElX509CertificateValidator. Sometimes you might need to check the integrity of a particular standalone certificate 'on a lower level'. By checking integrity we mean ensuring that the information included in the certificate has not been changed by a third party. This is done by validating the signature made over the certificate by the CA.

It is important to understand that validating the certificate signature only confirms that the data in it is intact and has not been changed by an adversary. Validation of the certificate signature does not imply that the certificate is trusted, legally issued, or fit for a particular purpose.

Assume you have loaded your certificate into TElX509Certificate object cert. First of all, we need to find out if it is self-signed, or has been issued by some CA. If the certificate is self-signed (i.e., signed with its own key) you don't need anything else for validation: just call cert.Validate().

If your certificate is not self-signed, you will have to obtain the certificate of the issuing CA first. The CA's public key (contained in its certificate) is needed to validate the signature of your certificate. Where exactly to look for the CA certificate depends on your particular case. For instance, it can be supplied together with your certificate (e.g., during a TLS session) or contained in one of the system stores. When the CA certificate is found, pass it to the cert.ValidateWithCA() method:


bool valid = false;
if (cert.SelfSigned)
{
  // Self-signed: the certificate's own public key verifies its signature
  valid = cert.Validate();
}
else
{
  // Look up the issuing CA certificate in the system store
  int idx = systemStore.GetIssuerCertificate(cert);
  if (idx >= 0)
  {
    TElX509Certificate caCert = systemStore.get_Certificates(idx);
    // Verify the signature using the CA's public key
    valid = cert.ValidateWithCA(caCert);
  }
  else
  {
    throw new Exception("CA certificate has not been found, can't validate the certificate");
  }
}
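The same procedure carried out with the Python cryptography library, as an added example that is not SecureBlackbox code and does not use its API. It builds a constructed CA, a leaf certificate issued by that CA, and a second "rogue" self-signed certificate that carries the CA's name but a different key. Two things are assumed: self-signedness is detected by comparing subject and issuer names (a simplification of what a SelfSigned property would check), and the certificate store is a dictionary keyed by subject name. The results illustrate the point made above: the leaf verifies against the real CA key and fails against the rogue one, while the rogue certificate's own signature is perfectly valid, which says nothing about whether it should be trusted.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _issue(subject_cn, issuer_cn, subject_key, signing_key):
    """Build a certificate for subject_cn signed by signing_key (constructed test data)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)])
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(datetime.datetime(2024, 1, 1))
        .not_valid_after(datetime.datetime(2034, 1, 1))
        .sign(signing_key, hashes.SHA256())
    )


def is_self_signed(cert):
    # Assumption: subject == issuer is taken as "self-signed" (simplified check)
    return cert.issuer == cert.subject


def signature_is_valid(cert, issuer_cert):
    """Verify the signature over tbsCertificate with the issuer's public key.

    Only integrity is checked here: a True result says the signed bytes have
    not been altered since signing, not that the issuer is trusted.
    """
    try:
        issuer_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def validate_signature(cert, find_issuer):
    """Mirror of the self-signed / CA-issued branching: validate with the
    certificate's own key, or locate the issuer and validate with its key."""
    if is_self_signed(cert):
        return signature_is_valid(cert, cert)
    issuer_cert = find_issuer(cert)
    if issuer_cert is None:
        raise LookupError("CA certificate has not been found, can't validate the certificate")
    return signature_is_valid(cert, issuer_cert)


def demo():
    ca_key, leaf_key, rogue_key = _make_key(), _make_key(), _make_key()
    ca_cert = _issue("Example CA", "Example CA", ca_key, ca_key)
    leaf_cert = _issue("server.example", "Example CA", leaf_key, ca_key)
    # Same name as the real CA, but a different key pair (constructed attacker-style cert)
    rogue_ca = _issue("Example CA", "Example CA", rogue_key, rogue_key)

    # Assumption: a store is just a dict keyed by subject name
    store = {ca_cert.subject: ca_cert}

    def find_issuer(c):
        return store.get(c.issuer)

    return {
        "leaf_with_real_ca": validate_signature(leaf_cert, find_issuer),
        "leaf_with_rogue_ca": signature_is_valid(leaf_cert, rogue_ca),
        "rogue_self_signed": validate_signature(rogue_ca, find_issuer),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The lookup by issuer name is only a way to find a candidate CA certificate; the signature check against that candidate's key is what establishes integrity. Deciding whether that CA belongs to a trusted set is a separate step that this code, like the validation methods described above, deliberately does not perform.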
