EldoS | Feel safer!


Validating a X509Certificate

Posted: 05/27/2009 05:27:17
by Marius  (Standard support level)
Joined: 05/23/2009
Posts: 13


I'm wondering if the following code is alright for validating a certificate. I want it to be validated against the complete chain of CA parents (is that the correct way to say that?). Do I need to include the CA certificates also in the TElMemoryCertStorage, or is the following code enough for a full validation?

ACertificateStorage := TElMemoryCertStorage.Create(nil);
try
  AValidate := ACertificateStorage.Validate(ACertificate, AReason);
  if AValidate = cvInvalid then
    ShowMessage('not valid');
finally
  ACertificateStorage.Free;
end;

Posted: 05/27/2009 06:13:14
by Ken Ivanov (Team)

TElMemoryCertStorage.Validate() performs certificate validation against the CA certificates stored in it. First, it looks up the immediate parent of the passed certificate and validates the integrity of the signature; second, it looks for the parent of the immediate parent certificate and, in turn, validates the integrity of its signature, and so on -- until the topmost certificate in the chain is reached. To perform complete certificate validation, you have to put the entire certificate chain into the TElMemoryCertStorage object.

Posted: 05/27/2009 06:22:10
by Marius  (Standard support level)
Joined: 05/23/2009
Posts: 13

So the current code wasn't correct in verifying the whole chain (I was already afraid of that but did not have enough knowledge to say that for sure).

How can I retrieve and look up the parent CAs? And how do I know if the whole chain of CAs is present (no missing certificates) and that it is valid against the certificate I present?

Posted: 05/27/2009 07:28:33
by Ken Ivanov (Team)

There's no unified answer to this question (the answer differs depending on the application area). Usually CA certificates are stored in Windows system stores ("ROOT" and "CA"). Some protocols (e.g., SSL, PKCS#7) provide a means of sending a partial chain along with the data, so part of the chain is returned by the protocol, while the missing certificates are taken from some other (e.g., system) storage.

Posted: 05/29/2009 04:23:54
by Marius  (Standard support level)
Joined: 05/23/2009
Posts: 13

At least for SSL (TElClientIndySSLIOHandlerSocket.OnCertificateValidate) I need to validate the certificate. From what I can tell I need to check if there is a parent CA for the certificate, and I need to retrieve that one from the registry/winstorage and validate that.

Since creating and loading the winstorage takes a lot of time (almost 5 seconds here) I think this is not really an option. Is there a function that can check for the parent CA certificate and load it from the registry/winstorage (without creating/loading the winstorage)?

For the moment I have exported the certificate chain, included the certificates in a TElMemoryCertStorage and call TElMemoryCertStorage.Validate, but that can't be an option in the long term.

Where do I go wrong here, or do I take security too seriously here?

Posted: 05/29/2009 04:55:40
by Eugene Mayevski (Team)

First of all, you don't need all stores in Windows Certificate Storage. Use SystemStores property to select only ROOT and CA stores. This will reduce the number of certificates loaded. Next, you will need just one instance of TElWinCertStorage. So you can create it once during application startup in a background thread. This will be more efficient (and much easier to implement) than on-demand reading of certificates from Windows Certificate Storage.

Sincerely yours
Eugene Mayevski

Posted: 05/29/2009 06:18:41
by Marius  (Standard support level)
Joined: 05/23/2009
Posts: 13

Only loading the CA and ROOT stores saves quite some time. I'm surprised it actually saves that much. With this in mind I will implement it as a global object, just as you suggested.
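Putting Ken's and Eugene's replies together, here is an added example (not code from the thread or from EldoS): one TElWinCertStorage created at startup and limited to the ROOT and CA stores, plus a validation function that trusts a chain only when Validate() returns cvOk. The unit names, the SystemStores string list and the two-argument Validate() signature are assumptions about the SecureBlackbox API; the page itself only names the classes and the cvInvalid result.

```delphi
unit TrustedRootsExample;

interface

uses
  SBX509, SBCustomCertStorage, SBWinCertStorage;  // assumed SecureBlackbox unit names

var
  GTrustedRoots: TElWinCertStorage = nil;

procedure InitTrustedRoots;
function IsCertificateTrusted(ACert: TElX509Certificate; out AWhy: string): Boolean;

implementation

// Create the one shared storage at startup (e.g. in a background thread),
// not per connection; loading the Windows stores is the slow part.
procedure InitTrustedRoots;
begin
  GTrustedRoots := TElWinCertStorage.Create(nil);
  // Load only the ROOT and CA system stores instead of every Windows store.
  GTrustedRoots.SystemStores.Clear;
  GTrustedRoots.SystemStores.Add('ROOT');
  GTrustedRoots.SystemStores.Add('CA');
end;

// Call this from OnCertificateValidate and assign the result to its Validate
// parameter. Validate() walks issuer by issuer up to a certificate held in the
// storage, checking each signature; the chain is trusted only for cvOk. Every
// other result means "do not trust": cvChainUnvalidated (an issuer was not
// found), cvSelfSigned, cvStorageError and cvInvalid. Testing only for
// cvInvalid, as in the first post, lets the other three through.
function IsCertificateTrusted(ACert: TElX509Certificate; out AWhy: string): Boolean;
var
  Validity: TSBCertificateValidity;
  Reason: TSBCertificateValidityReason;
begin
  Validity := GTrustedRoots.Validate(ACert, Reason);
  Result := Validity = cvOk;
  case Validity of
    cvOk: AWhy := 'chain validated to a trusted root';
    cvSelfSigned: AWhy := 'certificate is self-signed';
    cvInvalid: AWhy := 'a signature in the chain is invalid';
    cvStorageError: AWhy := 'could not read the certificate storage';
  else AWhy := 'an issuer certificate is missing from the storage';
  end;
  // Chain trust alone does not confirm the certificate was issued for the
  // host being connected to; that name check is a separate step.
end;

end.
```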