ElX509CertificateChain.Validate returns 2 (certificate is self signed)

#17574
Posted: 09/20/2011 08:07:45
by Daniel Kekesi (Standard support level)
Joined: 09/19/2011
Posts: 13

Hi All,

Why does ElX509CertificateChain.Validate always return 2 (certificate is self signed) in case a certificate chain's top certificate is a root CA cert?
In the documentation I also find it strange that if I validate a certificate chain it returns information on a certificate instead of a certificate chain.

Thanks for the information in advance.

Best Regards,
Daniel
#17576
Posted: 09/20/2011 08:21:48
by Eugene Mayevski (EldoS Corp.)

Please use TElX509CertificateValidator class for proper validation of certificate chains. This is the proper way to perform complete validation including OCSP and CRL checking.

Other methods are obsolete (while they work, they are limited to some subset of validation procedures).


Sincerely yours
Eugene Mayevski
#17578
Posted: 09/20/2011 08:42:18
by Daniel Kekesi (Standard support level)
Joined: 09/19/2011
Posts: 13

Hi Eugene,

Thanks for the information. I see that the TinyProcessor sample included in the download uses the TElX509CertificateValidator class. However, when I load a sample PDF into TinyProcessor and try to validate a signature I always get TSBCertificateValidity.cvInvalid as a result, whereas Adobe Reader X says the signature is valid.
I tried setting MandatoryCRLCheck and MandatoryOCSPCheck to false, but it did not change a thing.

What could be the problem?

Thanks.
#17579
Posted: 09/20/2011 09:31:00
by Daniel Kekesi (Standard support level)
Joined: 09/19/2011
Posts: 13

Hi Eugene,

Meanwhile I found that setting OCSPCheck and CRLCheck to False will let validate work. But if I set CRLCheck to True I get SB_CERT_VALIDITY_REASON_CRL_NOT_VERIFIED. Why is that? The certificate contains the URL for the CRL. Do I need to explicitly specify the URL somewhere?

Thanks.
#17580
Posted: 09/20/2011 09:39:01
by Vsevolod Ievgiienko (EldoS Corp.)

It is possible that the CRL is stored in LDAP, but the SBB ActiveX edition does not support LDAP, so it can't download this CRL.
#17581
Posted: 09/20/2011 09:39:01
by Eugene Mayevski (EldoS Corp.)

Most likely you didn't copy additional lines from the sample. Please refer to the documentation for details.


Sincerely yours
Eugene Mayevski
#17583
Posted: 09/20/2011 10:13:49
by Daniel Kekesi (Standard support level)
Joined: 09/19/2011
Posts: 13

Hi,

Thanks for the replies.

It was a user error, indeed.

Br,
Daniel