This class provides a simple way to validate X.509 certificate and it's issuer (CA) certificates with one call.

Description

    Use TElX509CertificateValidator to validate X.509 certificate according to validation rules described in RFC 3280. This component performs validation of the certificate itself and it's issuer (CA) certificates. Also, if CRL and OCSP validation are enabled, the component uses CRLs and OCSP to perform additional checking of the certificates. Certificates, used to sign CRLs and OCSP responses, are validated automatically according to the same settings and parameters, as the ones used for validation of the main certificate chain.

    In Windows TElX509CertificateValidator automatically uses Windows Certificate Stores to access CA and Root certificates, as well as Trusted and Blocked ceritificate lists. On other platoforms or additionally to Windows Certificate Stores you can specify your own trusted, known and blocked certificate lists.

    To retrieve Certificate Revocation Lists (CRLs) TElX509CertificateValidator uses pluggable TElCRLRetriever class and it's descendants. HTTP CRL Retriever class is located in SBHTTPCRL unit / namespace. In .NET edition you need to reference SBHTTPCRL namespace from your code, then call SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory() method. In VCL edition this class is activated automatically when you add SBHTTPCRL unit to Uses clause. In ActiveX edition HTTP CRL Retriever is used always. Note: use of HTTP CRL Retriever requires a license for SSLBlackbox client-only package (or one of packages, which include SSLBlackbox). Alternatively you can disable CRL checks.

    For OCSP requests TElX509CertificateValidator uses pluggable TElOCSPClient class and it's descendants. HTTP OCSP Client class is located in SBHTTPOCSPClient unit / namespace. In .NET edition you need to reference SBHTTPOCSPClient namespace from your code, then call SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory() method. In VCL edition this class is activated automatically when you add SBHTTPOCSPClient unit to Uses clause. In ActiveX edition HTTP OCSP Client is used always. Note: use of HTTP OCSP Client requires a license for SSLBlackbox client-only package (or one of packages, which include SSLBlackbox). Alternatively you can disable OCSP checks.

Properties

• CheckCRL
• CheckOCSP
• CheckValidityPeriodForTrusted
• ForceCompleteChainValidationForTrusted
• ForceRevocationCheckForRoot
• IgnoreBadOCSPChains
• IgnoreCAKeyUsage
• IgnoreRevocationKeyUsage
• IgnoreSSLKeyUsage
• IgnoreSystemTrust
• ImplicitlyTrustSelfSignedCertificates
• MandatoryCRLCheck
• MandatoryOCSPCheck
• MandatoryRevocationCheck
• OfflineMode
• PromoteLongOCSPResponses
• RevocationMomentGracePeriod
• UsedCertificates
• UsedCRLs
• UsedOCSPResponses
• UseSystemStorages
• ValidateInvalidCertificates
• WinStorageBlocked
• WinStorageCA
• WinStorageTrust

Methods

• AddBlockedCertificates
• AddKnownCertificates
• AddKnownCRLs
• AddKnownOCSPResponses
• AddTrustedCertificates
• ClearBlockedCertificates
• ClearKnownCertificates
• ClearKnownCRLs
• ClearKnownOCSPResponses
• ClearTrustedCertificates
• InitializeWinStorages
• Validate
• ValidateForSMIME
• ValidateForSSL
• ValidateForTimestamping

Events

• OnAfterCertificateValidation
• OnAfterCRLUse
• OnAfterOCSPResponseUse
• OnBeforeCertificateRetrieverUse
• OnBeforeCertificateValidation
• OnBeforeCRLRetrieverUse
• OnBeforeOCSPClientUse
• OnCACertificateNeeded
• OnCACertificateNotFound
• OnCACertificateRetrieved
• OnCRLError
• OnCRLNeeded
• OnCRLRetrieved
• OnOCSPError

Declared in

.NET:

• Namespace: SBCertValidator
• Assembly: SecureBlackbox

• Unit: SBCertValidator

• SBB 7 interface module: BaseBBox7.dll

Licensing

To use the component in development and distribution of your projects, you need to purchase one of the licenses:

.NET: Any SecureBlackbox package

VCL: Any SecureBlackbox package

ActiveX/DLL: Any SecureBlackbox package