Application Security Arena : x509

A lot of errors are coming up while working with X509. there is a lot of confusion of where do I need to store the certificate ? where is my private key ?

the common error is that developers installs the private key to a location that the program not allowed to access.

It can be difficult to find the location and name of the private key file associated with a specific X.509 certificate in the certificate store. The FindPrivateKey.exe tool facilitates this process.

X.509 certificates are installed by an Administrator or any user in the machine. However the certificate may be accessed by a service running under a different account (for example the ASPNET on Windows XP or the NETWORK SERVICE accounts on Windows Server 2003).

This account may not have access to the private key file because the certificate was not installed by it originally. The FindPrivateKey tool gives you the location of a given X.509 Certificate's private key file. You can add permissions or remove permissions to this file once you know the location of the particular X.509 certificates' private key file.

to get this tool go to http://msdn2.microsoft.com/en-us/library/aa717039.aspx
click on download sample and then browse to
%InstallDir%\WCF_Samples\TechnologySamples\Tools\FindPrivateKey\CS

WCF Supporting Tokens

nluria — Sun, 04 Mar 2007 16:23:00 GMT

The Supporting Tokens sample demonstrates how to add additional tokens to a message that uses WS-Security.

The example adds an X.509 binary security token in addition to a username security token. The token is passed in a WS-Security message header from the client to the service and part of the message is signed with the private key associated with the X.509 security token to prove the possession of the X.509 certificate to the receiver.

This is useful in the case when there is a requirement to have multiple claims associated with a message to authenticate or authorize the sender. The service implements a contract that defines a request-reply communication pattern.

The sample demonstrates:

How a client can pass additional security tokens to a service.
How the server can access claims associated with additional security tokens.
How the server's X.509 certificate is used to protect the symmetric key used for message encryption and signature.

code can be downloaded here: http://msdn2.microsoft.com/en-us/library/ms751480.aspx

how to get AlternativeName and UPN from X509 certificate

nluria — Tue, 27 Feb 2007 23:23:00 GMT

using X509NameType Enumeration you can extract all the fields from a x509 certificate. this enum is new for .net 2.0

here is the code:

using System;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.IO;
using System.Security.Cryptography.X509Certificates;

class CertSelect
{
    static void Main()
    {
        try
        {
            X509Store store = new X509Store("MY",StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
            X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByTimeValid,DateTime.Now,false);
            X509Certificate2Collection scollection = X509Certificate2UI.SelectFromCollection(fcollection, "Test Certificate Select","Select a certificate from the following list to get information on that certificate",X509SelectionFlag.MultiSelection);
            Console.WriteLine("Number of certificates: {0{1",scollection.Count,Environment.NewLine);
                foreach (X509Certificate2 x509 in scollection)
                {
                    byte[] rawdata = x509.RawData;
                    Console.WriteLine("Content Type: {0{1",X509Certificate2.GetCertContentType(rawdata),Environment.NewLine);
                    Console.WriteLine("Friendly Name: {0{1",x509.FriendlyName,Environment.NewLine);
                    Console.WriteLine("Certificate Verified?: {0{1",x509.Verify(),Environment.NewLine);
                    Console.WriteLine("Simple Name: {0{1",x509.GetNameInfo(X509NameType.SimpleName,true),Environment.NewLine);
                    Console.WriteLine("Signature Algorithm: {0{1",x509.SignatureAlgorithm.FriendlyName,Environment.NewLine);
                    Console.WriteLine("Private Key: {0{1",x509.PrivateKey.ToXmlString(false),Environment.NewLine);
                    Console.WriteLine("Public Key: {0{1",x509.PublicKey.Key.ToXmlString(false),Environment.NewLine);
                    Console.WriteLine("Certificate Archived?: {0{1",x509.Archived,Environment.NewLine);
                    Console.WriteLine("Length of Raw Data: {0{1",x509.RawData.Length,Environment.NewLine);
                    X509Certificate2UI.DisplayCertificate(x509);
                    x509.Reset();

            store.Close();

        catch (CryptographicException)
            {
                   Console.WriteLine("Information could not be written out for this certificate.");

more info at: http://msdn2.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509nametype(VS.80).aspx