HTTPs SAN field and CA validation

Question

HTTPs SAN field and CA validation

S Abijith 466

Hi All,

We have an HTTPs client application built on .Net Framework 4.8.

In this application, we are trying to validate the certificate using the code attached in the question.Https_Server_Callback.txt

public bool AcceptAllCertifications(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certification, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        return true;
    }
    else
    {
        return false;
    }
}

However, the below two checks are failing:

The SAN field is not validated. If we have an incorrect IP address in the SAN field of the server certificate, the server callback method is returning true. It should have actually returned false as the SAN field has an incorrect IP address.
If the CA certificate is missing on the server, the server callback method is returning true. It should have actually returned false as the CA certificate is missing on the server.

Is there any way that we can validate the above two conditions correctly.

Please help us on this!!

S Abijith 466 Reputation points

2023-08-08T09:15:49.47+00:00

Hi @Jiale Xue - MSFT ,

We tried the code provided, it worked well for SAN field validation after a few modifications.

However, there is no logic for checking if the CA file exists or not. Can you please suggest any logic for it??

And also, is there any single validation within this callback which can handle all these validations rather than checking them individually??

Please let us know on this!!

Jiale Xue - MSFT 49,831 Microsoft External Staff

Hi @S Abijith ,

You should be able to write a method to tie all the validations together. Code is for reference only.

public bool ValidateCertificate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        bool isValid = ValidateSanField(certificate) && ValidateCaCertificate(chain);

        return isValid;
    }
    else
    {
        return false; // There are other SSL policy errors
    }
}

private bool ValidateSanField(System.Security.Cryptography.X509Certificates.X509Certificate certificate)
{
    // Check the SAN field here and return true if valid, false otherwise
}

private bool ValidateCaCertificate(System.Security.Cryptography.X509Certificates.X509Chain chain)
{
    // Load your expected CA certificate's public key or certificate information
    System.Security.Cryptography.X509Certificates.X509Certificate2 expectedCaCertificate = LoadExpectedCaCertificate();

    // Verify if the CA certificate in the chain matches the expected CA certificate
    foreach (var chainElement in chain.ChainElements)
    {
        if (chainElement.Certificate.RawData.SequenceEqual(expectedCaCertificate.RawData))
        {
            return true; // Found a matching CA certificate in the chain
        }
    }

    return false; // No matching CA certificate found in the chain
}

private System.Security.Cryptography.X509Certificates.X509Certificate2 LoadExpectedCaCertificate()
{
    // Load and return your expected CA certificate's public key or certificate information
}

S Abijith 466 Reputation points

2023-08-09T05:27:07.7+00:00

Hi @Jiale Xue - MSFT ,

Thank you for your response.

The LoadExpectedCaCertificate() method does not show as to how to get the required certificate. Can you please let us know as to how to get it.

Actually we wanted to know if anything is provided by Microsoft that does all these checks automatically without having the need to validate them separately. Please let us know if anything like that exists.

Thank you!!
Jiale Xue - MSFT 49,831 Reputation points Microsoft External Staff

2023-08-11T08:14:57.6066667+00:00

Hi @S Abijith ,

Regarding X509Certificates, only these two certificates are officially supported, X509Certificate and X509Certificate2 You may need to consult the issuing unit of your certificate.
S Abijith 466 Reputation points

2023-08-11T12:07:33.6066667+00:00

Hi @Jiale Xue - MSFT ,

We have already got the certificate. We need the code for this method which was provided by you.

private System.Security.Cryptography.X509Certificates.X509Certificate2 LoadExpectedCaCertificate()

{

}

Can you please provide the complete code for this method.

Jiale Xue - MSFT 49,831 Microsoft External Staff

Maybe you could try this:

private System.Security.Cryptography.X509Certificates.X509Certificate2 LoadExpectedCaCertificate()
{
    // Load the CA certificate from a file (replace with your actual file path)
    string caCertificateFilePath = "path_to_ca_certificate.cer"; // Replace with your actual file path
    try
    {
        // Load the CA certificate from the file
        X509Certificate2 caCertificate = new X509Certificate2(caCertificateFilePath);
        return caCertificate;
    }
    catch (Exception ex)
    {
        // Handle any errors that might occur during certificate loading
        Console.WriteLine($"Error loading CA certificate: {ex.Message}");
        return null;
    }
}

Jiale Xue - MSFT 49,831 Reputation points Microsoft External Staff

2023-08-17T08:14:14.2933333+00:00

Hi @S Abijith , Is there any update in this issue?
S Abijith 466 Reputation points

2023-08-23T05:31:58.92+00:00

Hi @Jiale Xue - MSFT ,

We are currently testing this out. Please give us some time.. will get back to you on this.

Thank you!!
S Abijith 466 Reputation points

2023-09-04T08:16:00.7766667+00:00

Hi @Jiale Xue - MSFT ,

The solution is working.

But I'm not able to mark it as an answer. Hence, I have voted for it.
Jiale Xue - MSFT 49,831 Reputation points Microsoft External Staff

2023-09-04T08:22:56.52+00:00

Hi @S Abijith , I have converted it to answer. You could mark it now. If there are any omissions in the answer, you can let me know and I will correct it.
S Abijith 466 Reputation points

2023-09-04T08:24:50.0833333+00:00

The solution worked as it is. I have marked it as answer.

Thank you @Jiale Xue - MSFT !!

Accepted answer

1 additional answer

Your answer

S Abijith 466 Reputation points

2023-08-08T09:15:49.47+00:00

Hi @Jiale Xue - MSFT ,

We tried the code provided, it worked well for SAN field validation after a few modifications.

However, there is no logic for checking if the CA file exists or not. Can you please suggest any logic for it??

And also, is there any single validation within this callback which can handle all these validations rather than checking them individually??

Please let us know on this!!
Jiale Xue - MSFT 49,831 Reputation points Microsoft External Staff

2023-08-08T09:33:06.3266667+00:00

Hi @S Abijith ,

You should be able to write a method to tie all the validations together. Code is for reference only.

public bool ValidateCertificate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors) { if (sslPolicyErrors == SslPolicyErrors.None) { bool isValid = ValidateSanField(certificate) && ValidateCaCertificate(chain); return isValid; } else { return false; // There are other SSL policy errors } } private bool ValidateSanField(System.Security.Cryptography.X509Certificates.X509Certificate certificate) { // Check the SAN field here and return true if valid, false otherwise } private bool ValidateCaCertificate(System.Security.Cryptography.X509Certificates.X509Chain chain) { // Load your expected CA certificate's public key or certificate information System.Security.Cryptography.X509Certificates.X509Certificate2 expectedCaCertificate = LoadExpectedCaCertificate(); // Verify if the CA certificate in the chain matches the expected CA certificate foreach (var chainElement in chain.ChainElements) { if (chainElement.Certificate.RawData.SequenceEqual(expectedCaCertificate.RawData)) { return true; // Found a matching CA certificate in the chain } } return false; // No matching CA certificate found in the chain } private System.Security.Cryptography.X509Certificates.X509Certificate2 LoadExpectedCaCertificate() { // Load and return your expected CA certificate's public key or certificate information }
S Abijith 466 Reputation points

2023-08-09T05:27:07.7+00:00

Hi @Jiale Xue - MSFT ,

Thank you for your response.

The LoadExpectedCaCertificate() method does not show as to how to get the required certificate. Can you please let us know as to how to get it.

Actually we wanted to know if anything is provided by Microsoft that does all these checks automatically without having the need to validate them separately. Please let us know if anything like that exists.

Thank you!!
Jiale Xue - MSFT 49,831 Reputation points Microsoft External Staff

2023-08-11T08:14:57.6066667+00:00

Hi @S Abijith ,

Regarding X509Certificates, only these two certificates are officially supported, X509Certificate and X509Certificate2 You may need to consult the issuing unit of your certificate.
S Abijith 466 Reputation points

2023-08-11T12:07:33.6066667+00:00

Hi @Jiale Xue - MSFT ,

We have already got the certificate. We need the code for this method which was provided by you.

private System.Security.Cryptography.X509Certificates.X509Certificate2 LoadExpectedCaCertificate()

{

}

Can you please provide the complete code for this method.
Jiale Xue - MSFT 49,831 Reputation points Microsoft External Staff

2023-08-14T08:33:58.3366667+00:00

Maybe you could try this:

private System.Security.Cryptography.X509Certificates.X509Certificate2 LoadExpectedCaCertificate() { // Load the CA certificate from a file (replace with your actual file path) string caCertificateFilePath = "path_to_ca_certificate.cer"; // Replace with your actual file path try { // Load the CA certificate from the file X509Certificate2 caCertificate = new X509Certificate2(caCertificateFilePath); return caCertificate; } catch (Exception ex) { // Handle any errors that might occur during certificate loading Console.WriteLine($"Error loading CA certificate: {ex.Message}"); return null; } }
Jiale Xue - MSFT 49,831 Reputation points Microsoft External Staff

2023-08-17T08:14:14.2933333+00:00

Hi @S Abijith , Is there any update in this issue?
S Abijith 466 Reputation points

2023-08-23T05:31:58.92+00:00

Hi @Jiale Xue - MSFT ,

We are currently testing this out. Please give us some time.. will get back to you on this.

Thank you!!
S Abijith 466 Reputation points

2023-09-04T08:16:00.7766667+00:00

Hi @Jiale Xue - MSFT ,

The solution is working.

But I'm not able to mark it as an answer. Hence, I have voted for it.
Jiale Xue - MSFT 49,831 Reputation points Microsoft External Staff

2023-09-04T08:22:56.52+00:00

Hi @S Abijith , I have converted it to answer. You could mark it now. If there are any omissions in the answer, you can let me know and I will correct it.
S Abijith 466 Reputation points

2023-09-04T08:24:50.0833333+00:00

The solution worked as it is. I have marked it as answer.

Thank you @Jiale Xue - MSFT !!

Answer 1

Hi @S Abijith , Welcome to Microsoft Q&A,

You don't seem to know how to verify the certificate, I found the following example. Try it out, and let me know if you encounter errors and provide information.

public bool ValidateCertificate(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        // Check if the certificate has the correct IP address in the SAN field
        string expectedIpAddress = "correct_ip_address"; // Replace with the correct IP address
        bool sanValid = false;

        foreach (var extension in certificate.Extensions)
        {
            if (extension is System.Security.Cryptography.X509Certificates.X509Extension sanExtension && sanExtension.Oid.Value == "2.5.29.17") // OID for Subject Alternative Name
            {
                var rawData = sanExtension.RawData;
                // Parse rawData to extract IP addresses and host names from SAN extension
                // Compare with expectedIpAddress

                if (/* SAN contains the expected IP address */)
                {
                    sanValid = true;
                    break;
                }
            }
        }

        if (!sanValid)
        {
            return false;
        }

        // Check if the CA certificate is present on the server
        bool caCertificatePresent = /* Logic to check if CA certificate is present */;
        if (!caCertificatePresent)
        {
            return false;
        }

        return true; // All checks passed
    }
    else
    {
        return false; // There are other SSL policy errors
    }
}

private System.Security.Cryptography.X509Certificates.X509Certificate2 LoadExpectedCaCertificate()
{
    // Load the CA certificate from a file (replace with your actual file path)
    string caCertificateFilePath = "path_to_ca_certificate.cer"; // Replace with your actual file path
    try
    {
        // Load the CA certificate from the file
        X509Certificate2 caCertificate = new X509Certificate2(caCertificateFilePath);
        return caCertificate;
    }
    catch (Exception ex)
    {
        // Handle any errors that might occur during certificate loading
        Console.WriteLine($"Error loading CA certificate: {ex.Message}");
        return null;
    }
}

Best Regards,

Jiale

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

HTTPs SAN field and CA validation

1 additional answer

Your answer