
Poupou's Corner of the Web

Looking for perfect security? Try a wireless brick.
Otherwise you may find some unperfect stuff here...


Strangest X509Certificate ever seen?

The source code at the end of this post does an Authenticode® self-check. That is, it checks whether it has, itself, been signed with an X.509 certificate. This is done using the (rather crudely documented) X509Certificate.CreateFromSignedFile.

If the assembly is signed you would expect a valid X509Certificate as the output, wouldn't you? Well, you get it. Or if the assembly has been modified, so the code signature doesn't verify, you would expect an exception, right? Got it again. But if the assembly wasn't signed, what would you expect?

  1. null
  2. DivideByZeroException
  3. X509Certificate

If you expected a null, then you'll be (at least) disappointed and probably surprised a lot the first time you run your program. If you expected a DivideByZeroException then you should stop reading my blog right now and go to sleep - do not try again unless you have slept for a minimum of 8 straight hours. If you (really) expected an X509Certificate then tell me, without looking at the source code, what it should contain?

Actually it doesn't contain much, and the best way to detect it is to call GetHashCode () and check if it returns 0. As I said, I'm unsure whether this is a feature or a bug - but it certainly complicates unit testing (and not only for Mono ;-).

Here's the promised code for doing an Authenticode® self-check on an assembly. This works on both Mono (post 0.28, which means CVS right now) and the Microsoft framework.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

public class MainClass {

	public static void Main (string[] args)
	{
		// the assembly that was started, i.e. this program itself
		Assembly self = Assembly.GetEntryAssembly ();
		try {
			X509Certificate x509 = X509Certificate.CreateFromSignedFile (self.Location);
			// an unsigned file yields an "empty" certificate whose hash code is 0
			if (x509.GetHashCode () != 0)
				Console.WriteLine (x509.ToString (true));
			else
				Console.WriteLine ("Assembly isn't signed by a software publisher certificate");
		}
		catch (COMException ce) {
			// using a test certificate without trusting the test root ?
			Console.WriteLine (ce.Message);
		}
	}
}
```

Hmmm... a little explanation may not hurt everyone, so:

> makecert.exe -n "CN=your name" -sv yourkeypair.pvk yourcert.cer
> cert2spc.exe yourcert.cer yourspc.spc
> signcode.exe -v yourkeypair.pvk -spc yourspc.spc -t http://timestamp.verisign.com/scripts/timstamp.dll selfcheck.exe
> chktrust.exe selfcheck.exe
> selfcheck.exe
Format: X509
Name: CN=your name
Issuing CA: CN=Root Agency
Key Algorithm: 1.2.840.113549.1.1.1
Serial Number: 88488DD7C38FED4E907DB55418353D04
Key Alogrithm Parameters: 0500
Public Key: 30818902818100BB16FBE837D1B326BA547936A4CE3068FC63AE5D9F885


  1. Under Windows and the MS runtime you have to add trust to the test root for this demonstration to work; otherwise the self-check will fail with the message: "The certification path terminates with the test root which is not trusted with the current policy settings."
  2. You must prefix each command with mono when using the Mono:: runtime.
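A self-check that only prints the certificate proves that *someone* signed the file, not that the expected publisher did. As an added example (not code from the original post), the variant below reports the empty-certificate case the post describes as Unsigned, turns the exception into Invalid, and pins the signer by comparing its hash against a placeholder thumbprint; the CryptographicException catch is an assumption about later frameworks, the 2003 runtimes only need COMException.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public enum SignatureState { Unsigned, Invalid, SignedByOther, SignedByExpected }

public class SelfCheck {
	// Placeholder: replace with the hex hash of your real publisher certificate
	// (obtain it once with X509Certificate.GetCertHashString ()).
	const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

	public static SignatureState Check (string path, string expectedThumbprint)
	{
		X509Certificate x509;
		try {
			x509 = X509Certificate.CreateFromSignedFile (path);
		}
		catch (COMException) {
			// signature present but it does not verify (modified file, untrusted test root...)
			return SignatureState.Invalid;
		}
		catch (CryptographicException) {
			// assumption: newer frameworks report the same failure with this exception type
			return SignatureState.Invalid;
		}

		// unsigned file: the runtime hands back an empty certificate whose hash code is 0
		if (x509.GetHashCode () == 0)
			return SignatureState.Unsigned;

		// a verifying signature is not enough; require the signer we expect
		string thumbprint = x509.GetCertHashString ();
		if (String.Compare (thumbprint, expectedThumbprint, true) == 0)
			return SignatureState.SignedByExpected;
		return SignatureState.SignedByOther;
	}

	public static void Main (string[] args)
	{
		string self = Assembly.GetEntryAssembly ().Location;
		SignatureState state = Check (self, ExpectedThumbprint);
		Console.WriteLine ("{0}: {1}", self, state);
		// non-zero exit code unless the file is signed by the expected publisher
		Environment.ExitCode = (state == SignatureState.SignedByExpected) ? 0 : 1;
	}
}
```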

Actually the title is a little misleading - it is strange but surely not the strangest X.509 certificate you can find. Warning: This is a funny read whether or not you care about X.509 certificates (in the latter case just read the citations).

10/12/2003 20:28:02

The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.