EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Validate Trusted Root Certification Authorities with SMime

Also by EldoS: CallbackRegistry
A component to monitor and control Windows registry access and create virtual registry keys.
Posted: 09/28/2011 09:15:55
by  Flemming Hansen

We are using SecureBlackBox 8.0.176 to Encode/Decode SMime messages and it works great.

Now we are looking at the validation of the certificates when decoding the SMime messages.
At the moment we are using a TElMemoryCertStorage where we load our certificate with key into, the one used to encrypt the SMime message.
We would like to have SecureBlackBox to validate the Signer Certificate and its Root Certificate against the Trusted Root Certificaten Authorities.
There is a property : UseSystemCertificates on TElMessagePartHandlerSMime which seems to do that, but we have trouble verifying that, and we cant seem to find anything in the How-To nor the Documentation.

Is it correct that in order to verify the Root Certificate Authority from the Signer Certificate Chain, we can use the UseSystemCertificates, and then SecureBlackBox will validate the certificate chain for us?
If not, what are our options in order to do this.

Also, if this property UseSystemCertificates is the answer, what are its default value, the documentation dont say so, it just says its set to the value of global (namespace-level in .net) variable UseSystemCertificatesDefault (no value).

An example:
We receive a SMime Message, encrypted with Certificate A, and signed with Certificate B.
We load Certificate A into out TElMemoryCertStorage and let SecureBlackBox decode the Message.
We get an error if there is problems with the Certificate B/the message.
We would like to validate that Certificate B is issued by Certificate C (from a Root Certification Authority). There can be a long Certificate Chain from Certificate B to C, which we dont care about.

Hope this makes any sense

Kind Regards
Posted: 09/28/2011 09:49:30
by Eugene Mayevski (Team)

It's a good idea to upgrade to SecureBlackbox 9 (the license for which you have) and use TElX509CertificateValidator class. All other validation methods can be treated as obsolete after addition of TElX509CertificateValidator. MIMEBlackbox's methods have been written long time ago (in '2004) and while they perform certain validation, they miss such steps as CRL and OCSP validation and also they are not as flexible as TElX509CertificateValidator .

Sincerely yours
Eugene Mayevski
Posted: 09/29/2011 01:41:28
by Soren Nielsen (Basic support level)
Joined: 09/29/2011
Posts: 1

Hi Eugene

Thanks for the answer about the new class in version 9.

Unfortunately the code is already running in production so using a new version will take some time and a lot of new validation.

Is there any checks in the version we are using now, 8.0.176, that either gets performed already or we can get it to perform, perhaps by using the useSystemCertificate property?

What checks does version 8 support, besides validating the signed message and decrypt the message with out supplied certificate.

Kind Regards

PS: Im a coworker with flemming who have the day of, therefore im not able to get him to write the message himself.
Posted: 09/29/2011 01:54:16
by Vsevolod Ievgiienko (Team)

TElX509CertificateValidator is also available in the 8th version of SecureBlackbox so you can use it without an upgrade.
Posted: 09/29/2011 02:11:30
by Eugene Mayevski (Team)

Yes, TElXCertificateValidator was added in 7.2. Although it has some improvements in later versions (made mainly for handling invalid responses etc).

UseSystemCertificates in MIME seem to have no effect at all as of now.

Sincerely yours
Eugene Mayevski
Also by EldoS: RawDisk
Access locked and protected files in Windows, read and write disks and partitions and more.



Topic viewed 1460 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!