Hi Edwin,
NotifyServerCertificate simply passes through the certificate chain sent by the server, details of which you didn't provide. So if there is only one certificate in the chain, only one was sent by the server.

This comment from RFC 2246 may help to explain why:

certificate_list
       This is a sequence (chain) of X.509v3 certificates. The sender's
       certificate must come first in the list. Each following
       certificate must directly certify the one preceding it. Because
       certificate validation requires that root keys be distributed
       independently, the self-signed certificate which specifies the
       root certificate authority may optionally be omitted from the
       chain, under the assumption that the remote end must already
       possess it in order to validate it in any case.


Regards,
Pete Dettman

On 16/07/2013 5:17 PM, Edwin Van Schaick wrote:
Hello,

I am currently implementing a TLS client to perform custom certificate
validation of the root certificate to do SSL Pinning. I’ve created a
class, that inherits from DefaultTlsClient. In the GetAuthentication
method I supply another class, that implements the TlsAuthentication
interface.

However, in the NotifyServerCertificate method the serverCertificate
parameter seems to have only one certificate in the certs member,
while I would expect all certificates in the chain, including the Root
CA certificate I want to verify. How can I access the Root CA
certificate from the chain?

The implementation is done for Windows Phone 7 & 8.

Best regards,

Edwin.
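The RFC 2246 rule Pete quotes means a pinning check cannot assume the root will be in `serverCertificate`: the last certificate the server sends may be an intermediate whose issuer is the root you hold locally. The following example (added here; it is neither Edwin's code nor part of Bouncy Castle) shows one way to write a `TlsAuthentication` that pins an embedded root and handles both cases. It assumes the Bouncy Castle C# TLS API names used below (`DefaultTlsClient`, `TlsAuthentication`, `Certificate.GetCertificateList()`, `TlsFatalAlert`, `AlertDescription.bad_certificate`); older releases expose the chain through `Certificate.GetCerts()` instead of `GetCertificateList()`, and the class names `PinnedRootTlsAuthentication` and `PinnedRootTlsClient` are the example's own. It does not check the host name against the leaf certificate, which a complete client still has to do.

```csharp
// Added example, not from the thread or from Bouncy Castle itself.
// Assumed API: Org.BouncyCastle.Crypto.Tls as shipped in the C# port of the
// time; in older releases replace GetCertificateList() with GetCerts().
using System;
using System.Linq;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto.Tls;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509;

// Pins one root CA embedded in the application. Because RFC 2246 allows the
// server to omit the self-signed root, the check must pass whether the root
// is the last element of the chain or is absent from it.
public class PinnedRootTlsAuthentication : TlsAuthentication
{
    private readonly X509Certificate pinnedRoot;

    // pinnedRootDer: DER bytes of the root certificate shipped with the app.
    public PinnedRootTlsAuthentication(byte[] pinnedRootDer)
    {
        pinnedRoot = new X509CertificateParser().ReadCertificate(pinnedRootDer);
    }

    public void NotifyServerCertificate(Certificate serverCertificate)
    {
        X509CertificateStructure[] sent = serverCertificate.GetCertificateList();
        if (sent.Length == 0)
            throw new TlsFatalAlert(AlertDescription.bad_certificate);

        X509Certificate[] chain = sent.Select(s => new X509Certificate(s)).ToArray();

        // Chain as sent: chain[0] is the server's certificate and every
        // following certificate must directly certify the one before it.
        for (int i = 0; i + 1 < chain.Length; i++)
            RequireSignedBy(chain[i], chain[i + 1]);

        X509Certificate last = chain[chain.Length - 1];

        // Case 1: the server included the root. It must be byte-for-byte the
        // pinned one; any other self-signed certificate is rejected below.
        if (Arrays.AreEqual(last.GetEncoded(), pinnedRoot.GetEncoded()))
            return;

        // Case 2: the root was omitted (RFC 2246 permits this). The last
        // certificate sent must then be directly signed by the pinned root.
        RequireSignedBy(last, pinnedRoot);
    }

    public TlsCredentials GetClientCredentials(CertificateRequest certificateRequest)
    {
        return null; // this client does not present a certificate
    }

    // Rejects the handshake unless 'subject' names 'issuer' as its issuer,
    // is within its validity period, and carries a valid signature made
    // with 'issuer's public key.
    private static void RequireSignedBy(X509Certificate subject, X509Certificate issuer)
    {
        if (!subject.IssuerDN.Equivalent(issuer.SubjectDN))
            throw new TlsFatalAlert(AlertDescription.bad_certificate);
        try
        {
            subject.CheckValidity();
            subject.Verify(issuer.GetPublicKey());
        }
        catch (Exception)
        {
            // Expired, not yet valid, or signature does not verify.
            throw new TlsFatalAlert(AlertDescription.bad_certificate);
        }
    }
}

public class PinnedRootTlsClient : DefaultTlsClient
{
    private readonly byte[] pinnedRootDer;

    public PinnedRootTlsClient(byte[] pinnedRootDer)
    {
        this.pinnedRootDer = pinnedRootDer;
    }

    public override TlsAuthentication GetAuthentication()
    {
        return new PinnedRootTlsAuthentication(pinnedRootDer);
    }
}
```

Pinning the embedded root rather than looking for it in the received chain is what makes the check independent of whether a given server (or a later reconfiguration of it) chooses to send the root. If the pinned CA is expected to rotate, the same structure works with a small set of pinned roots; the omitted-root path then tries each candidate as the issuer of the last certificate sent.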

