EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Validate certificate against CRL contained in certificate

#6959
Posted: 07/17/2008 02:47:41
by Simone Ferrari (Basic support level)
Joined: 12/03/2007
Posts: 22

Perhaps it's a stupid question, but when I use TElWinCertStorage.Validate does this method check the revocation status of the certificate against the CRL eventually contained in the certificate itself?

Simone
#6963
Posted: 07/17/2008 03:14:13
by Ken Ivanov (EldoS Corp.)

No, it's a task of a user application to download a CRL and then validate the certificate against this CRL (do I understand you right that you mean the CRL that is specified by a path in certificate extensions?).
#6964
Posted: 07/17/2008 03:37:10
by Simone Ferrari (Basic support level)
Joined: 12/03/2007
Posts: 22

Quote
Innokentiy Ivanov wrote:
No, it's a task of a user application to download a CRL and then validate the certificate against this CRL (do I understand you right that you mean the CRL that is specified by a path in certificate extensions?).


Yes, the path of the CRL is specified in the certificate extensions.

So basically I have to check the CRLDistributionPoints, get the url of the crl, download it, and then check against that?

But, the certificates I'm using contain an ldap url in the CRLDistributionPoint, isn't that supposed to be used to make a query instead of downloading the whole CRL?


#6967
Posted: 07/17/2008 06:54:14
by Ken Ivanov (EldoS Corp.)

Quote
So basically I have to check the CRLDistributionPoints, get the url of the crl, download it, and then check against that?

Yes. Please note, that the CRL accessible by the path specified in CRL distribution points extension contains revocation information for the certificates *issued* by this certificate (i.e., this CRL cannot be used to validate the certificate in whose extension it is specified).

Quote
But, the certificates I'm using contain an ldap url in the CRLDistributionPoint, isn't that supposed to be used to make a query instead of downloading the whole CRL?

As far as I understand, the provided LDAP URL should be used to download the CRL, isn't it?
#6970
Posted: 07/17/2008 08:22:45
by Simone Ferrari (Basic support level)
Joined: 12/03/2007
Posts: 22

Yes, the CRL info found should be used to validate the certificates issued by that certificate. In fact, for a specific certificate, I am looking at the CRL info contained in the issuer certificate during validation, although the certificate itself contains the same CRL info for some reason.

As for the LDAP url I am not really sure, hoped you knew better.

Regarding the actual revocation status check: when TElWinCertStorage.Validate is called, one of the reasons for invalidity can be SBX509.Unit.vrRevoked, but you've told me that I have to do the revocation check myself, when/how is SBX509.Unit.vrRevoked returned by SBB then?

#6973
Posted: 07/17/2008 09:06:08
by Ken Ivanov (EldoS Corp.)

Quote
Regarding the actual revocation status check: when TElWinCertStorage.Validate is called, one of the reasons for invalidity can be SBX509.Unit.vrRevoked, but you've told me that I have to do the revocation check myself, when/how is SBX509.Unit.vrRevoked returned by SBB then?

You can force descendants of TElCustomCertStorage to check certificates against a CRL assigned to the TElCustomCertStorage.CRL property. However, this makes little sense with TElWinCertStorage, as TElWinCertStorage usually contains a number of certificates issued by different CA's, so you will need to assign a different CRL (corresponding to a particular CA) each time the certificate is validated.
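Added example, not part of the thread and not SecureBlackbox code: the procedure the thread converges on (read the CRL Distribution Points extension, obtain the CRL from the URL found there, then look the certificate's serial number up in it), written in Python against the third-party `cryptography` package, which is assumed to be installed. It also answers the LDAP question in the thread the way an application has to handle it: an `ldap://` distribution point is an RFC 4516 search URL (base DN, attribute, scope, filter), and the CRL is the DER value of the entry's `certificateRevocationList` attribute rather than a file to GET, so the code parses the URL into those search parameters. Whichever certificate's CDP supplied the URL, a CRL can only vouch for certificates issued by the CRL's own issuer, so the check insists that the CRL's issuer name equals the certificate's issuer and that the CRL signature verifies with the issuer's public key; a CRL from any other CA is ignored and the status comes back as unknown rather than good. All names, URLs, serial numbers and the `sources` dictionary that stands in for the network are constructed for the example.

```python
# Added example (not EldoS/SecureBlackbox code). Assumes the third-party
# 'cryptography' package. Builds a throwaway CA, leaf certificates whose CRL
# Distribution Points extension carries an LDAP URL, and a CRL issued by that
# CA, then runs the revocation check described in the thread offline.
import datetime
from urllib.parse import unquote

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import ExtensionOID, NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
# Constructed distribution point URLs (no such hosts exist).
LDAP_URL = ("ldap://ldap.example.test/CN=Example%20CA,DC=example,DC=test"
            "?certificateRevocationList;binary?base?objectClass=cRLDistributionPoint")
HTTP_URL = "http://crl.example.test/other.crl"


def parse_ldap_cdp(url: str) -> dict:
    """Split an RFC 4516 LDAP URL (ldap://host[:port]/dn?attrs?scope?filter) into the
    parameters of the search that returns the CRL. The CRL is the value of the
    certificateRevocationList attribute of the named entry, not a downloadable file."""
    _scheme, _, remainder = url.partition("://")
    hostport, _, tail = remainder.partition("/")
    host, _, port = hostport.partition(":")
    dn, *rest = tail.split("?")
    attrs, scope, flt = (rest + ["", "", ""])[:3]
    attributes = [a.split(";")[0] for a in attrs.split(",") if a]  # drop ';binary'
    return {"host": host, "port": int(port) if port else 389, "base_dn": unquote(dn),
            "attributes": attributes or ["certificateRevocationList"],
            "scope": scope or "base", "filter": unquote(flt) or "(objectClass=*)"}


def fetch_crl(url: str, sources: dict) -> x509.CertificateRevocationList:
    """Dispatch on the URL scheme. 'sources' replaces the network for this example:
    HTTP URL -> DER bytes, or (ldap host, base DN) -> DER bytes from the LDAP entry."""
    scheme = url.split(":", 1)[0].lower()
    if scheme in ("http", "https"):
        der = sources[url]                       # real code: HTTP GET of the URL
    elif scheme == "ldap":
        q = parse_ldap_cdp(url)                  # real code: LDAP search with these params
        if "certificateRevocationList" not in q["attributes"]:
            raise ValueError("LDAP distribution point does not name the CRL attribute")
        der = sources[(q["host"], q["base_dn"])]
    else:
        raise ValueError(f"unsupported distribution point scheme: {scheme}")
    return x509.load_der_x509_crl(der)


def revocation_status(cert, issuer_cert, sources: dict, now=None) -> str:
    """Return 'revoked', 'good' or 'unknown' for cert, using only CRLs that its issuer signed."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    try:
        cdp = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
    except x509.ExtensionNotFound:
        return "unknown"
    for dp in cdp:
        for name in dp.full_name or []:
            if not isinstance(name, x509.UniformResourceIdentifier):
                continue
            crl = fetch_crl(name.value, sources)
            # A CRL only covers certificates issued by its own issuer, so it must be
            # the issuer's CRL and carry the issuer's signature to be usable here.
            if crl.issuer != cert.issuer or not crl.is_signature_valid(issuer_cert.public_key()):
                continue
            if hasattr(crl, "next_update_utc"):      # cryptography >= 42
                nxt = crl.next_update_utc
            else:                                     # older releases expose a naive datetime
                nxt = crl.next_update and crl.next_update.replace(tzinfo=datetime.timezone.utc)
            if nxt is not None and now > nxt:
                continue                              # stale CRL: do not trust it
            hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
            return "revoked" if hit is not None else "good"
    return "unknown"


def _make_ca(common_name: str):
    key = ec.generate_private_key(ec.SECP256R1())
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (x509.CertificateBuilder().subject_name(subj).issuer_name(subj)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def _issue_leaf(ca_key, ca_cert, common_name: str, serial: int, cdp_url: str):
    key = ec.generate_private_key(ec.SECP256R1())
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(cdp_url)],
        relative_name=None, reasons=None, crl_issuer=None)])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=30))
            .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))


def _issue_crl(ca_key, ca_cert, revoked_serials) -> bytes:
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW - datetime.timedelta(hours=1))
         .next_update(NOW + datetime.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(s)
                                      .revocation_date(NOW - datetime.timedelta(minutes=30)).build())
    return b.sign(ca_key, hashes.SHA256()).public_bytes(Encoding.DER)


def demo() -> dict:
    ca_key, ca_cert = _make_ca("Example CA")
    other_key, other_cert = _make_ca("Unrelated CA")
    good = _issue_leaf(ca_key, ca_cert, "good.example.test", 1001, LDAP_URL)
    bad = _issue_leaf(ca_key, ca_cert, "revoked.example.test", 1002, LDAP_URL)
    stray = _issue_leaf(ca_key, ca_cert, "stray.example.test", 1003, HTTP_URL)
    sources = {  # constructed stand-in for the LDAP directory and the HTTP server
        ("ldap.example.test", "CN=Example CA,DC=example,DC=test"): _issue_crl(ca_key, ca_cert, [1002]),
        HTTP_URL: _issue_crl(other_key, other_cert, [1003]),  # signed by the wrong CA: ignored
    }
    return {"good": revocation_status(good, ca_cert, sources),
            "revoked": revocation_status(bad, ca_cert, sources),
            "stray": revocation_status(stray, ca_cert, sources)}


if __name__ == "__main__":
    print(demo())
    print(parse_ldap_cdp(LDAP_URL))
```

The `stray` case is the one to notice: its distribution point resolves to a CRL that does list its serial number, but that CRL was signed by a different CA, so the function reports unknown instead of revoked. A checker that skipped the issuer and signature comparison would accept any CRL a distribution point happens to return, which is exactly the mix-up Ken warns about when one storage holds certificates from several CAs.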

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!