EldoS | Feel safer!

Get CRL from Windows System Store

#20694
Posted: 06/30/2012 08:25:44
by eblackmo  (Standard support level)
Joined: 05/09/2012
Posts: 24

How do I get the CRLs for a particular Windows store?
#20695
Posted: 06/30/2012 10:05:10
by Eugene Mayevski (EldoS Corp.)

SecureBlackbox doesn't import CRLs via Windows CryptoAPI. You can probably serialize needed CRLs by calling CryptoAPI functions, then load them to TElCertificateRevocationList class.

But generally there doesn't seem to be much sense in working with Windows CRLs - TElX509CertificateValidator downloads CRL when needed and keeps them in cache, the same is done when *AdES is prepared.


Sincerely yours
Eugene Mayevski
#20699
Posted: 06/30/2012 19:08:16
by eblackmo  (Standard support level)
Joined: 05/09/2012
Posts: 24

Ok, cheers Eugene, I'm just assessing the options.
#20725
Posted: 07/04/2012 20:59:53
by Steven Spencer (Standard support level)
Joined: 07/04/2012
Posts: 1

Eugene,

Our application has many native apps (e.g. IIS) that also rely on the same PKI as our application. For this reason we will be ensuring that the Windows CRL store is regularly updated, and it seems a waste to require every one of our application services to load data when this is being done once and cached by the Windows operating system in the certificate store.

Can you elaborate on the caching behaviour of the API? We cannot confirm that network access will be granted to the application using the CRLs, hence our plan to utilise the windows store. I've noted that although the "TElX509CertificateValidator.AddKnownCRLs" function takes a TElCustomCertStorage parameter, there appears to be no way to get a TElWinCertStorage to load the CRL from the store even if it is present?

Have I misunderstood this point?

Are there any functions in the current library that will allow us to load the CRL from the store? Otherwise, from what I can see, we have no choice but to use unsafe methods to load the CRL and then use the TElCertificateRevocationList.LoadFromxxx methods to create a CRL and pass it in manually to the Validator.
#20726
Posted: 07/05/2012 00:04:23
by Eugene Mayevski (EldoS Corp.)

Quote
Steven Spencer wrote:
I've noted that although the "TElX509CertificateValidator.AddKnownCRLs" function takes a TElCustomCertStorage parameter, there appears to be no way to get a TElWinCertStorage to load the CRL from the store even if it is present?


Not CustomCertStorage but CustomCRLStorage.

We currently don't have plans to read CRLs from the OS - in the 10 years that SecureBlackbox has existed, the request in this thread is the first one for this feature. You are welcome to post the idea to the wishlist and if people are interested, we will implement working with CRLs in Windows CryptoAPI.

Quote
Steven Spencer wrote:
Are there any functions in the current library that will allow us to load the CRL from the store? Otherwise, from what I can see, we have no choice but to use unsafe methods to load the CRL and then use the TElCertificateRevocationList.LoadFromxxx methods to create a CRL and pass it in manually to the Validator.


None. You don't need "unsafe" functions. You call CryptoAPI via P/Invoke in the same way SecureBlackbox does for existing functionality.


Sincerely yours
Eugene Mayevski
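The approach Eugene describes (reading the CRLs out of the Windows store through CryptoAPI via P/Invoke, then handing the DER bytes to SecureBlackbox) as an added example; this is not code from the thread or from SecureBlackbox. It assumes the current user's view of a system store such as "CA" or "Root", and stops at the raw DER bytes: the SecureBlackbox load call (one of the TElCertificateRevocationList LoadFrom... methods) and the AddKnownCRLs registration are left to the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
// Enumerates DER-encoded CRLs from a Windows system store via CryptoAPI (P/Invoke).
// Each byte[] is one CRL, ready to load into a TElCertificateRevocationList.
static class WinStoreCrls
{
    [StructLayout(LayoutKind.Sequential)]
    struct CRL_CONTEXT
    {
        public uint dwCertEncodingType;
        public IntPtr pbCrlEncoded;   // pointer to the DER bytes
        public uint cbCrlEncoded;     // length of the DER bytes
        public IntPtr pCrlInfo;
        public IntPtr hCertStore;
    }
    [DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr CertOpenSystemStore(IntPtr hProv, string szSubsystemProtocol);
    [DllImport("crypt32.dll", SetLastError = true)]
    static extern IntPtr CertEnumCRLsInStore(IntPtr hCertStore, IntPtr pPrevCrlContext);
    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertCloseStore(IntPtr hCertStore, uint dwFlags);

    // storeName is assumed to be a system store name such as "CA" or "Root".
    public static List<byte[]> ReadDerCrls(string storeName)
    {
        var result = new List<byte[]>();
        IntPtr store = CertOpenSystemStore(IntPtr.Zero, storeName);
        if (store == IntPtr.Zero)
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            IntPtr ctx = IntPtr.Zero;
            // CertEnumCRLsInStore frees the previous context itself, so no CertFreeCRLContext
            // is needed as long as the loop runs to completion.
            while ((ctx = CertEnumCRLsInStore(store, ctx)) != IntPtr.Zero)
            {
                var crl = Marshal.PtrToStructure<CRL_CONTEXT>(ctx);
                var der = new byte[crl.cbCrlEncoded];
                Marshal.Copy(crl.pbCrlEncoded, der, 0, der.Length);
                result.Add(der); // one DER-encoded CRL from the store
            }
        }
        finally { CertCloseStore(store, 0); }
        return result;
    }
}
```

Because the validator then trusts whatever the store holds, the same operational control Steven mentions (keeping the Windows CRL store regularly updated) is what keeps the loaded CRLs current.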