Home/ Questions/Q 7605507
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T00:11:08+00:00

I have a certificate ( X509Certificate2 ) in my app, and I can enumerate

  • 0

I have a certificate (X509Certificate2) in my app, and I can enumerate all certificate’s extensions. One of those extensions is Certificate Policies, with OID 2.5.29.32. This extension is supposed to be just a sequence of OID’s, and I need to search for specific OID’s there. The problem is that this extension is coded as DER octet string. How can I get to the OID inside that I’m interested in? Do I have to manually parse a DER octet string? How can I do that?

EDIT: I’m going to see what Bouncy Castle has to offer, but I’m wondering if there is a ready solution in .NET framework. Framework parses certificates and other DER structures, so there might be DER decoder built in.

BOUNTY: I have found a solution for me, but I’m looking for improvements. Bounty goes to other solution if it satisfies one or more of the following, sorted by relevance:

  1. it uses standard .NET library functions
  2. it uses mature or proven source code or library, smaller than Bouncy Castle (I need only parsing, not the all the rest)
  3. it merely improves on the code I already have, in a matter that I find worthy

BUMP: Bounty expires today. If no one else provides an answer it’ll go to GalacticJello.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I had this problem a year ago.
    I found a small library that helped me a lot (site). This library transforms the file key in xml (using a .exe) and then we could read it on C#.

    I didn’t liked to transform my key in XML. I asked for the library’s developer to use the opensource code in my project, fortunately he accepted. So I built a fork that do exactly what I needed.

    After a long time, I have found another implementation in Mono project, avaiable here.

    A helper class that uses CryptoLib here and an example here:

    public IRegistryService Connect(String name, RSACryptoServiceProvider privateKey, X509Certificate2 acsCertificate) {
  if ((String.IsNullOrEmpty(name)) || (acsCertificate == null) || (privateKey == null))
    throw new ArgumentException("....");

  if (!String.IsNullOrEmpty(this.Credential.identifier))
    throw new ACSLoginFailureException("....");

  byte[] challenge = this.acs.getChallenge(name);      
  byte[] answer = new byte[0];
  try {
    answer = Crypto.GenerateAnswer(challenge, privateKey, acsCertificate);
  }
  catch (CryptographicException e) {
    throw new ACSLoginFailureException("....", e);
  }

  bool connect = this.acs.loginByCertificate(name, answer, out this.credential, out leaseTime);      

  // ...
}
    • 0