EldoS | Feel safer!
Certificate validation in Silverlight

Posted: 09/01/2011 17:43:22
by Oberon (Standard support level)
Joined: 09/01/2011
Posts: 3

I'm struggling with the validation of the certificates in a Silverlight application.

I'm using the TElSecureClient class for SSL communication. This is my implementation of the OnCertificateValidate callback. When I replace it with "Validate = true;", everything works fine; however, SSL wouldn't make much sense without proper certificate handling.
      // Validator configured with as few checks as the Silverlight build allows
      // (CRL/OCSP retrieval is not available there, see below).
      readonly static TElX509CertificateValidator certificateValidator =
         new TElX509CertificateValidator {
            CheckCRL = false,
            CheckOCSP = false,
            CheckValidityPeriodForTrusted = false,
            IgnoreCAKeyUsage = true,
            MandatoryCRLCheck = false,
            MandatoryOCSPCheck = false,
            ValidateInvalidCertificates = false
         };

      // OnCertificateValidate handler of TElSecureClient. It is raised once per
      // certificate in the server's chain; 'socket' is the client's Socket field
      // (declared elsewhere in the class) and supplies the expected host name.
      void OnCertificateValidate (object Sender, TElX509Certificate X509Certificate, ref bool Validate) {
         if ((X509Certificate.Chain == null) ||
             (X509Certificate.Chain.get_Certificates(0) == X509Certificate)) {
            // End-entity certificate: run the full validator against it and its chain.
            TSBCertificateValidity Validity = TSBCertificateValidity.cvInvalid;
            int Reason = 0;
            certificateValidator.Validate(
               X509Certificate, ((DnsEndPoint)socket.RemoteEndPoint).Host.ToString(),
               "", TSBHostRole.hrServer, null, false, false, DateTime.Now, ref Validity,
               ref Reason);
            Validate = (Validity == TSBCertificateValidity.cvOk);
         } else {
            // Other chain members are accepted here; the chain itself was checked
            // together with the end-entity certificate above.
            Validate = true;
         }
      }

As SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory and SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory are not available in the Silverlight assemblies, I think that CRL and OCSP checking are not supported.

Therefore, I've chosen the settings with least security. However, I'm just getting the values of

Validity = cvInvalid = 2
Reason = SBX509.Unit.vrUnknownCA = 32

Documentation states that this error means "Issuer (CA) certificate was not found." Therefore, I think that I have to give the CA certificates to silverlight manually.

For this, I've checked the TElX509CertificateValidator class documentation and found that the InitializeWinStorages method is also not available under Silverlight. However, the AddTrustedCertificates function is available and I guess that this should be used to push the *.p7b files which I've exported from the windows certificate store into the system.

As ElWinCertStorage is also not available, I've tried ElFileCertStorage.
However, I'm running into problems when I try to set up the TElFileCertStorage instance. I've added the certificate file to the Visual Studio 2010 project, and I've chosen the following settings in the file properties:

  • Build Action: Resource
  • Copy to Output Directory: Copy always
  • Custom Tool: -
  • Custom Tool Namespace: -

The file is located at certificates/trusted.p7b

      // File-based storage pointing at the .p7b bundle exported from the Windows store.
      readonly static TElFileCertStorage trustedCertificates =
            new TElFileCertStorage {
               FileName = "certificates/trusted.p7b"
            };

      static SslStream () {
         // (body of the static constructor not included in the post)
      }


However, I get an EEICertStorageError exception with description "Unable to mount file storage" when the static initializer is called.

Sadly, I could not find much about certificate validation using Silverlight in the documentation, the site search, the knowledge base, and the forums. I would appreciate any help with this as certificate validation is a key element of the security of SSL.
Posted: 09/02/2011 00:27:14
by Eugene Mayevski (EldoS Corp.)

You are doing everything perfectly right. It's just Silverlight that doesn't let you do anything. Most likely you don't have permissions to access the file. You can try checking this by using TElMemoryCertStorage class and loading certificates to it using LoadFromStream*() methods. LoadFromStream*() methods expect a Stream from you and you can create a FileStream from file and see if it works or fails (and why).

FYI: Silverlight 5 has access to Windows certificate storage and to file system (subject to some security restrictions but still). Silverlight 5 is in beta now, and the latest pre-release of SecureBlackbox 9.1 has assemblies for this beta.

Sincerely yours
Eugene Mayevski
Posted: 09/02/2011 05:48:06
by Oberon (Standard support level)
Joined: 09/01/2011
Posts: 3

First of all, thanks for the fast answer.

FileStream won't work in the browser; however, using Application.GetResourceStream allows the access to the file.

The problem now is that I don't seem to get it right. I'm trying to connect to https://secure.yaler.net and added the "SwissSign" certificate to both the list of trusted and known certificates.

However, the OnCACertificateNeeded event handler is called regardless and when I don't use it I get the old vrUnknownCA validity reason. When I then return the certificate from the TElMemoryCertStorage, I get a vrInvalidSignature = 16 reason ("Certificate contains invalid digital signature, it could be corrupted.").

Could you explain to me which certificates I have to add to the known certificates list and which certificates to add to the trusted certificates list to be able to connect to https://secure.yaler.net?
Posted: 09/02/2011 06:14:58
by Vsevolod Ievgiienko (EldoS Corp.)

> added the "SwissSign" certificate to both the list of trusted and known certificates.

There are two certificates that should be added to the list of known certificates. You can find them in the attachment.

Posted: 09/02/2011 14:16:05
by Oberon (Standard support level)
Joined: 09/01/2011
Posts: 3

Thanks, this solved the problem and the certificate now validates correctly!

         // Pack URI prefix for files embedded in the project assembly with
         // "Build Action: Resource"; visualStudioProjectName is the assembly name.
         string prefix = "/" + visualStudioProjectName + ";component/certificates/";
         // trustedCertificates and knownCertificates are TElMemoryCertStorage instances.
         // The root CA goes into both stores; the issuing (intermediate) CA only
         // into the known certificates, so the chain can be completed.
         Uri certFile = new Uri(prefix + "SwissSign Gold CA - G2.p7b", UriKind.Relative);
         trustedCertificates.LoadFromStreamPKCS7(Application.GetResourceStream(certFile).Stream, 0);
         knownCertificates.LoadFromStreamPKCS7(Application.GetResourceStream(certFile).Stream, 0);
         certFile = new Uri(prefix + "SwissSign Server Gold CA 2008 - G2.p7b", UriKind.Relative);
         knownCertificates.LoadFromStreamPKCS7(Application.GetResourceStream(certFile).Stream, 0);
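The trusted-root versus known-intermediate split the thread ends up with, as an added example that is not code from the post and not SecureBlackbox's own API: the same idea written against the .NET X509Chain API (assumed .NET 5 or later, where CustomRootTrust and DisableCertificateDownloads exist), with placeholder .p7b file names. It generalizes the SwissSign case to any private trust anchor plus its intermediates, and maps the chain status back to the two failure reasons seen above (issuer not found, invalid signature).

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Example code, not EldoS/SecureBlackbox code. Same "trusted" vs "known"
// stores as in the thread, expressed with X509Chain (.NET 5 or later).
public static class ChainValidation
{
    // Trust anchors: the self-signed root(s) we explicitly trust.
    private static readonly X509Certificate2Collection TrustedRoots = new();
    // Known certificates: intermediates needed to complete the chain, because
    // neither an OS store lookup nor an AIA download is used here.
    private static readonly X509Certificate2Collection KnownIntermediates = new();

    public static void LoadStores()
    {
        // Placeholder file names; PKCS#7 (.p7b) bundles import as collections.
        TrustedRoots.Import("certificates/root-ca.p7b");
        KnownIntermediates.Import("certificates/root-ca.p7b");          // root helps chain building too
        KnownIntermediates.Import("certificates/intermediate-ca.p7b");
    }

    // Counterpart of the thread's OnCertificateValidate: validate the end-entity
    // certificate against our own stores only and report why it fails.
    public static bool Validate(X509Certificate2 leaf, out string reason)
    {
        using var chain = new X509Chain();
        X509ChainPolicy policy = chain.ChainPolicy;
        policy.TrustMode = X509ChainTrustMode.CustomRootTrust;   // ignore the OS root store
        policy.CustomTrustStore.AddRange(TrustedRoots);
        policy.ExtraStore.AddRange(KnownIntermediates);
        policy.RevocationMode = X509RevocationMode.NoCheck;       // CRL/OCSP unavailable, as in the thread
        policy.DisableCertificateDownloads = true;                // never fetch issuers from the network
        policy.VerificationFlags = X509VerificationFlags.NoFlag;  // keep time/usage checks enabled

        if (chain.Build(leaf))
        {
            reason = "ok";
            return true;
        }

        // Map the chain status to the two failures seen in the thread.
        reason = "unknown";
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if ((status.Status & (X509ChainStatusFlags.PartialChain | X509ChainStatusFlags.UntrustedRoot)) != 0)
                reason = "issuer not found in the trusted/known stores (cf. vrUnknownCA)";
            else if ((status.Status & X509ChainStatusFlags.NotSignatureValid) != 0)
                reason = "signature does not verify with the issuer's key (cf. vrInvalidSignature)";
            else
                reason = status.Status + ": " + status.StatusInformation;
        }
        return false;
    }

    // Callback for SslStream. Host-name matching is done by the framework and
    // reported through sslPolicyErrors; the chain is rebuilt with our own trust.
    public static bool RemoteCertificateValidation(object sender, X509Certificate? certificate,
        X509Chain? chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate is null) return false;
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;
        bool ok = Validate(new X509Certificate2(certificate), out string reason);
        Console.WriteLine("certificate validation: " + reason);
        return ok;
    }
}
```

Wire it up with `new SslStream(networkStream, false, ChainValidation.RemoteCertificateValidation)` after calling `ChainValidation.LoadStores()`. Leaving the intermediate out of `KnownIntermediates` reproduces the "issuer not found" outcome from the thread; putting a certificate there that does not actually belong to the issuer reproduces the invalid-signature one.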
