X509Chain.Build() method explanation

I want to validate a chain of certificates: I get an X509Certificate2 collection and have to validate whether all the certificates build one chain.

Usually, in order to verify the certificate chain I should take the digital signature from the leaf certificate and check whether it is signed by the root certificate, but in .NET I can't find a way to extract the signature from the X509Certificate2 object.

Therefore, I thought of using the X509Chain.Build() method in the following way:

    using System.Security.Cryptography.X509Certificates;

    void ValidateChain(X509Certificate2Collection collection, X509Certificate2 leaf)
    {
        X509Chain x509Chain = new X509Chain();
        // Make the supplied certificates available to the chain engine as candidates.
        x509Chain.ChainPolicy.ExtraStore.AddRange(collection);
        bool isValid = x509Chain.Build(leaf);
    }

But I have some questions about the Build method:

  1. As I understood, the chain was also built from my computer store, and I want it to be built only from the ExtraStore; how can I define this behaviour?
  2. I saw that after the chain was built it doesn't contain the Root Certificate; my question is why, and how can I verify that the chain has a Root CA, since this is not part of the chain elements.

I would really appreciate it if someone could explain to me how the Build() method works.

RRR asked Nov 08 '11 10:11


1 Answer

You should use the ChainStatus value after the Build operation. MSDN reference here:

The X509Chain object has a global error status called ChainStatus that should be used for certificate validation. The rules governing certificate validation are complex, and it is easy to oversimplify the validation logic by ignoring the error status of one or more of the elements involved. The global error status takes into consideration the status of each element in the chain.

Student answered Oct 14 '22 17:10
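The following is an added example, not code from the question or the answer, showing how to act on ChainStatus and how to restrict trust to the caller's own certificates. It assumes .NET 5 or later, where X509ChainTrustMode.CustomRootTrust exists; on .NET Framework the ExtraStore only supplies intermediates and the root must already be in the Trusted Root store, which is why the original code picked up the machine store.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example (assumes .NET 5+). Trusts only the supplied certificates:
// self-signed ones become roots, the rest are candidate intermediates.
public static class ChainValidation
{
    // Returns true only when Build() succeeds and the global ChainStatus is clean.
    // 'report' lists every status flag so the caller never ignores a partial result.
    public static bool ValidateChain(X509Certificate2Collection collection,
                                     X509Certificate2 leaf, out string report)
    {
        using var chain = new X509Chain();
        X509ChainPolicy policy = chain.ChainPolicy;

        // Do not consult the machine/user root store at all.
        policy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        foreach (X509Certificate2 cert in collection)
        {
            bool selfSigned = cert.SubjectName.RawData.SequenceEqual(cert.IssuerName.RawData);
            if (selfSigned)
                policy.CustomTrustStore.Add(cert);   // explicit trust anchor
            else
                policy.ExtraStore.Add(cert);         // candidate intermediate
        }

        // Assumption for this offline example: skip CRL/OCSP lookups.
        policy.RevocationMode = X509RevocationMode.NoCheck;

        bool built = chain.Build(leaf);

        // The global status (what the answer refers to) aggregates every element.
        string[] problems = chain.ChainStatus
            .Where(s => s.Status != X509ChainStatusFlags.NoError)
            .Select(s => $"{s.Status}: {s.StatusInformation.Trim()}")
            .ToArray();

        // When the chain is complete its last element is the self-signed root;
        // PartialChain in the status means no root was found at all.
        X509Certificate2 last = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        bool endsAtRoot = last.SubjectName.RawData.SequenceEqual(last.IssuerName.RawData);

        report = problems.Length == 0
            ? $"chain ok, {chain.ChainElements.Count} elements, ends at root: {endsAtRoot}"
            : string.Join("; ", problems);
        return built && problems.Length == 0 && endsAtRoot;
    }
}
```

If the supplied root is missing, the report shows PartialChain; if it is present but not in CustomTrustStore, it shows UntrustedRoot, which distinguishes the two cases the question asks about.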