Is it possible for anyone to create a fake certificate?

I created my own certificate and installed it on my client. A trusted root was used for the .pfx [server side] so that certificate validation and authentication complete without any errors.

But there is a question that really bothers me: is there a way for an attacker to fake authentication with my client, using their own fake certificate and server?

Example:

My certificate validation code

    /// <summary>
    /// RemoteCertificateValidationCallback for the client: the peer is accepted only when
    /// the platform's chain validation reported no policy errors AND both pinning checks
    /// (<see cref="CaVerify"/> on the chain anchor, then <see cref="ServerVerify"/> on the
    /// presented certificate) succeed.
    /// </summary>
    /// <param name="sender">The SslStream raising the callback (unused).</param>
    /// <param name="certificate">The certificate presented by the peer.</param>
    /// <param name="chain">The chain the TLS stack built for <paramref name="certificate"/>.</param>
    /// <param name="sslPolicyErrors">Result of the platform's own validation.</param>
    /// <returns>true to accept the peer; false to abort the handshake.</returns>
    private static bool OnCertificateValidation(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // Any policy error (name mismatch, untrusted chain, ...) is fatal before pinning is consulted.
        if (sslPolicyErrors != SslPolicyErrors.None)
        {
            return false;
        }

        // ServerVerify is only evaluated when the anchor check has already passed.
        var anchorPinned = CaVerify(chain);
        var leafPinned = anchorPinned && ServerVerify(certificate);
        return leafPinned;
    }

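    /// <summary>
    /// Pins the anchor of the presented chain: the LAST element of <paramref name="chain"/>
    /// (in X509ChainElementCollection element 0 is the end-entity certificate and the last
    /// element is the root, or the highest certificate the platform could find) must have a
    /// hash identical to <c>ApiCertHash</c>.
    /// </summary>
    /// <param name="chain">The chain built by the TLS stack for the peer certificate; may be null.</param>
    /// <returns>true only when every byte of the anchor's hash equals <c>ApiCertHash</c>.</returns>
    public static bool CaVerify(X509Chain chain)
    {
        if (chain == null || chain.ChainElements.Count == 0)
        {
            return false;
        }

        var anchorHash = chain.ChainElements[chain.ChainElements.Count - 1].Certificate.GetCertHash();
        if (anchorHash.Length != ApiCertHash.Length)
        {
            return false;
        }

        // Every byte must match. The original loop returned true on the FIRST equal byte,
        // which accepts almost any certificate (roughly a 1-in-256 chance per position),
        // so the "pin" provided no protection against a substituted server certificate.
        for (var idx = 0; idx < anchorHash.Length; idx++)
        {
            if (anchorHash[idx] != ApiCertHash[idx])
            {
                return false;
            }
        }

        // NOTE(review): ServerVerify compares the leaf against the same ApiCertHash, so with a
        // chain of more than one element both checks cannot pass together — presumably a
        // separate pin is intended for the leaf; confirm against the deployed certificates.
        return true;
    }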

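    /// <summary>
    /// Pins the presented peer certificate: its hash (as returned by
    /// <see cref="X509Certificate.GetCertHash()"/>) must be identical to <c>ApiCertHash</c>.
    /// </summary>
    /// <param name="certificate">The certificate presented by the peer; may be null.</param>
    /// <returns>true only when every byte of the certificate hash equals <c>ApiCertHash</c>.</returns>
    public static bool ServerVerify(X509Certificate certificate)
    {
        if (certificate == null)
        {
            return false;
        }

        var leafHash = certificate.GetCertHash();
        if (leafHash.Length != ApiCertHash.Length)
        {
            return false;
        }

        // Every byte must match. The original loop returned true on the FIRST equal byte,
        // which accepts almost any certificate (roughly a 1-in-256 chance per position),
        // so an attacker's own certificate would have passed this check.
        for (var idx = 0; idx < leafHash.Length; idx++)
        {
            if (leafHash[idx] != ApiCertHash[idx])
            {
                return false;
            }
        }
        return true;
    }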

So can someone create a fake .pfx certificate, associate it with their own fake server, and connect my client to that fake server?


Common Name (CN) SSL DNS- , . " ", CN, DNS-, CN.

, (CA) . , , , , CN, .

"" , , , "", .


, . - CA . SSL, , , "CN=*.google.com Signed by VeriSign" "CN=*.google.com, XYZ Corporate Proxy". IT , .

, - , CA, , " XYZ Corporate Proxy", , CA, RemoteCertificateChainErrors sslPolicyErrors.


CA.

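if (sslPolicyErrors == SslPolicyErrors.None)
{
    // Expected hash of the pinned anchor certificate; 20 bytes, i.e. the SHA-1
    // thumbprint that the parameterless GetCertHash() returns.
    var apiCertHash = new byte[] { 0x79, 0x04, 0x15, 0xC5, 0xC4, 0xF1, 0x6A, 0xA7, 0xC9, 0x12, 0xBB, 0x23, 0xED, 0x5A, 0x60, 0xA7, 0x92, 0xA8, 0xD5, 0x94 };
    if (chain.ChainElements.Count > 0)
    {
        // In X509ChainElementCollection element 0 is the end-entity certificate and the
        // last element is the root (or the highest certificate the platform could find).
        var certHash = chain.ChainElements[chain.ChainElements.Count - 1].Certificate.GetCertHash();
        if (certHash.Length == apiCertHash.Length)
        {
            // Every byte must match; returning true on the first equal byte (as the
            // original did) accepts almost any certificate and defeats the pin.
            var matches = true;
            for (var idx = 0; idx < certHash.Length; idx++)
            {
                if (certHash[idx] != apiCertHash[idx])
                {
                    matches = false;
                    break;
                }
            }
            if (matches)
            {
                return true;
            }
        }
    }
}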

, , ,

/// <summary>
/// RemoteCertificateValidationCallback that defers entirely to the platform: the peer is
/// accepted exactly when <paramref name="sslPolicyErrors"/> is <see cref="SslPolicyErrors.None"/>.
/// No pinning of <paramref name="certificate"/> or <paramref name="chain"/> is performed here.
/// </summary>
/// <param name="sender">The SslStream raising the callback (unused).</param>
/// <param name="certificate">The certificate presented by the peer (unused).</param>
/// <param name="chain">The chain built for the peer certificate (unused).</param>
/// <param name="sslPolicyErrors">Result of the platform's own validation.</param>
/// <returns>true to accept the peer; false to abort the handshake.</returns>
private static bool OnCertificateValidation(
    object sender,
    X509Certificate certificate,
    X509Chain chain,
    SslPolicyErrors sslPolicyErrors)
{
    var platformAccepted = sslPolicyErrors == SslPolicyErrors.None;
    return platformAccepted;
}
