About ElX509CertificateValidator.Validate method

#21119
Posted: 08/22/2012 07:49:25
by Zack Jhuang (Standard support level)
Joined: 06/11/2012
Posts: 15

Dear Sir:

public void Validate(TElX509Certificate Certificate, ref TSBCertificateValidity Validity, ref int Reason);
public void Validate(TElX509Certificate Certificate, TElCustomCertStorage AdditionalCertificates, bool CompleteChainValidation, bool ResetCertificateCache, DateTime ValidityMoment, ref TSBCertificateValidity Validity, ref int Reason);

The method definition above differs from the following official documentation description; which one is the latest version?

Declaration

[C#]
void Validate(ElX509Certificate Certificate, ElCustomCertStorage AdditionalCertificates, bool CompleteChainValidation, bool ResetCertificateCache, ref TSBCertificateValidity Validity, ref TSBCertificateValidityReason Reason, DateTime ValidityMoment);
void Validate(ElX509Certificate Certificate, bool CompleteChainValidation, bool ResetCertificateCache, ref TSBCertificateValidity Validity, ref TSBCertificateValidityReason Reason, DateTime ValidityMoment);
#21122
Posted: 08/22/2012 08:00:14
by Eugene Mayevski (EldoS Corp.)

The one shown by Reflector :).

The code is updated from time to time and documentation lags behind.

As of version 10 source code declaration is

Code
    procedure Validate(Certificate: TElX509Certificate;
      AdditionalCertificates : TElCustomCertStorage;
      CompleteChainValidation : boolean;
      ResetCertificateCache : boolean;
      ValidityMoment: TElDateTime;
      var Validity : TSBCertificateValidity;
      var Reason: TSBCertificateValidityReason
    );

    procedure Validate(Certificate: TElX509Certificate;
      var Validity : TSBCertificateValidity;
      var Reason: TSBCertificateValidityReason;
      Res : TElX509CertificateValidatorResult
    );


There are two overloaded variants of the method present.


Sincerely yours
Eugene Mayevski
#21124
Posted: 08/22/2012 09:05:57
by Zack Jhuang (Standard support level)
Joined: 06/11/2012
Posts: 15

The method shown in version 9.1.215:
Code
public void Validate(TElX509Certificate Certificate, ref TSBCertificateValidity Validity, ref int Reason);

public void Validate(TElX509Certificate Certificate, TElCustomCertStorage AdditionalCertificates, bool CompleteChainValidation, bool ResetCertificateCache, DateTime ValidityMoment, ref TSBCertificateValidity Validity, ref int Reason);


The following code written by me uses the first one to validate a client certificate, and gets a true result even if the issuer (CA) certificate does not exist in the root store! It's really weird...!

Besides, according to the following test, the variable "reason" seems not to be reset by the Validate method, since it was initialized as 0 (the definition of the validity reason does not contain the value 0).

Is there any problem about my code or the TElX509CertificateValidator.validate method?

Code
public bool ValidateCertificate(TElX509Certificate clientCert)
{
   bool result = false;

   TElX509CertificateValidator validator = new TElX509CertificateValidator();
   SBX509.TSBCertificateValidity validity = SBX509.TSBCertificateValidity.cvInvalid;
   int reason = 0;   // bit flags; stays 0 if the validator sets none

   try
   {
      validator.CheckCRL = false;
      validator.CheckOCSP = false;
      validator.CheckValidityPeriodForTrusted = true;
      validator.IgnoreCAKeyUsage = false;
      validator.IgnoreSystemTrust = false;     // CAs in the Windows stores are trusted
      validator.UseSystemStorages = true;      // Windows stores are searched for CAs
      validator.ValidateInvalidCertificates = true;

      // short overload: no additional certificates, no explicit validity moment
      validator.Validate(clientCert, ref validity, ref reason);
   }
   finally
   {
      validator.Dispose();
   }

   if (validity == SBX509.TSBCertificateValidity.cvOk)
      result = true;

   return result;
}
#21125
Posted: 08/22/2012 09:14:19
by Eugene Mayevski (EldoS Corp.)

Reason is a combination of bit flags. Consequently it can be empty if no flags were set.

Quote
Zack Jhuang wrote:
The following code written by me uses the first to validate a client certificate, and get the true result, even if the issuer(CA) certificate does not exists in the root store
for why your

It's hard to say where the certificate comes from, but you can handle OnAfterCertificateValidation and check if the CA certificate is being validated. If it is, then it's probably found in the Intermediate CA storage, or is picked in some other way.


Sincerely yours
Eugene Mayevski
#21127
Posted: 08/22/2012 10:39:46
by Zack Jhuang (Standard support level)
Joined: 06/11/2012
Posts: 15

Quote
Eugene Mayevski wrote:
It's hard to say where the certificate comes from... it's probably found in Intermediate CA storage, or is picked in some other way.


I found that the CA certificate does not come from "Trusted Root Certification Authorities" but from "Trusted Publishers"!

By setting validator.IgnoreSystemTrust as false, the certificates found in trusted Windows Certificate Stores are not validated!

Quote
Eugene Mayevski wrote:
Reason is a combination of bit flags. Consequently it can be empty if no flags were set.


Now the validity value is "vrCAUnauthorized" (because CA can not be found), but the reason value is still 0 ("vrUnknownCA" could be expected). How to "enable" the reason by setting some flags?
#21128
Posted: 08/22/2012 10:41:33
by Eugene Mayevski (EldoS Corp.)

Quote
Zack Jhuang wrote:
By setting validator.IgnoreSystemTrust as false, the certificates found in trusted Windows Certificate Stores are not validated!


That's exactly what the property is for. If you deny system's trust in the CA, how can the validator trust it?

Quote
Zack Jhuang wrote:
but the reason value is still 0 ("vrUnknownCA" is expected).


That's what you expect. Validator has found the certificate so the CA is known.


Sincerely yours
Eugene Mayevski
#21129
Posted: 08/22/2012 10:51:02
by Zack Jhuang (Standard support level)
Joined: 06/11/2012
Posts: 15

I got it, thanks very much!
#21130
Posted: 08/22/2012 10:56:58
by Zack Jhuang (Standard support level)
Joined: 06/11/2012
Posts: 15

Is the version 10 that you mentioned going to be released?
