I am currently doing a proof of concept to encrypt data using a certificate. It works well, but now I want to try a scenario where the certificate is expired. I created an expired certificate and I was surprised to notice that everything works properly even with the expired certificate. I was expecting an error.
Do you know if it's because it's a self-signed certificate?
Here's the code I am using to test my case:
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.VisualStudio.TestTools.UnitTesting;

[TestMethod]
public void Encrypt_decrypt_with_expired_certificate()
{
    //Arrange
    var baseString = "This is an encryption test";
    // Load the expired certificate (with its private key) from a password-protected PFX file
    X509Certificate2 newX509Certificate2 = new X509Certificate2("d:\\testx509certExpired.pfx", "apassword");
    Console.WriteLine(newX509Certificate2.NotAfter); //Show the expiration date which is in the past
    var encryptor = new CertificateEncryptor(newX509Certificate2); //This class is a simple wrapper around RSACryptoServiceProvider

    //Act
    string encryptedResult = encryptor.Encrypt(baseString); //Exception expected because of the expired certificate but not thrown

    //Assert
    Console.WriteLine("Base string : {0}", baseString);
    Console.WriteLine("Encrypted string : {0}", encryptedResult);
    Assert.IsNotNull(encryptedResult);

    //revert back
    string decryptedString = encryptor.Decrypt(encryptedResult);
    Console.WriteLine("Decrypted string : {0}", decryptedString);
    Assert.AreEqual(baseString, decryptedString);
}
Thanks
As GregS said, the RSACryptoServiceProvider class (not X509Certificate2) provides the ability to perform cryptographic operations. RSACryptoServiceProvider knows nothing about the certificate; it knows only keys and their parameters. This is why you don't see any errors.
This means that certificate validation is your app's responsibility. You should check the certificate when encrypting data and skip all certificate checks to decrypt data.
When attempting to access the X509Certificate2.PublicKey.Key attribute of the certificate, a CryptographicException should be thrown if the certificate is not within its validity period.
Here is how I load the public and private keys from a certificate to perform cryptographic operations:
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class Example
{
    private RSACryptoServiceProvider publicKey,
                                     privateKey;

    private bool getRSAKeys(X509Certificate2 cert, StoreLocation location)
    {
        try
        {
            //This will throw a CryptographicException if the certificate is expired
            publicKey = (RSACryptoServiceProvider)cert.PublicKey.Key;
            privateKey = (RSACryptoServiceProvider)cert.PrivateKey;
            return true;
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("The certificate is expired or otherwise unusable\r\n" + e.ToString());
            return false;
        }
    }
}
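The point both answers make is that the key object does no validity checking, so the application has to do it itself, on the encrypting side only. The following is an added example, not code from the question or either answer: it compares the certificate's NotBefore/NotAfter against the current time before encrypting, skips that check for decryption, and builds an already-expired self-signed certificate in memory (via CertificateRequest, available on .NET Core 2.0 and later) so that no .pfx file is needed. The class and method names are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class ExpiryAwareEncryptor
{
    // The RSA key object never checks validity dates, so the caller must,
    // and only on the encrypting side.
    public static byte[] Encrypt(X509Certificate2 cert, byte[] plaintext)
    {
        DateTime now = DateTime.Now; // NotBefore/NotAfter are reported in local time
        if (now < cert.NotBefore || now > cert.NotAfter)
            throw new CryptographicException(
                $"'{cert.Subject}' not valid at {now:u} (valid {cert.NotBefore:u} to {cert.NotAfter:u})");
        using (RSA rsa = cert.GetRSAPublicKey())
            return rsa.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);
    }

    // Decryption deliberately skips the date check: data encrypted while the
    // certificate was valid must stay recoverable after it expires.
    public static byte[] Decrypt(X509Certificate2 cert, byte[] ciphertext)
    {
        using (RSA rsa = cert.GetRSAPrivateKey())
            return rsa.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256);
    }

    // Constructed, already-expired self-signed certificate; stands in for the .pfx file.
    public static X509Certificate2 MakeExpiredSelfSigned()
    {
        RSA key = RSA.Create(2048); // kept alive; the certificate uses it
        var req = new CertificateRequest("CN=expired-test", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.Now.AddDays(-2),
                                    DateTimeOffset.Now.AddDays(-1));
    }

    static void Main()
    {
        using (X509Certificate2 cert = MakeExpiredSelfSigned())
        {
            try
            {
                Encrypt(cert, Encoding.UTF8.GetBytes("This is an encryption test"));
                Console.WriteLine("Unexpected: encryption with an expired certificate succeeded");
            }
            catch (CryptographicException e) { Console.WriteLine("Refused: " + e.Message); }
        }
    }
}
```

A date comparison is the minimum; a production check would also build an X509Chain so that trust and revocation are evaluated, which is left out here to keep the example focused on the expiry question.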