EldoS | Feel safer!

Certificate / CRL Validation with CA

#2037
Posted: 01/24/2007 01:18:08
by Venkatasairam Y (Basic support level)
Joined: 01/24/2007
Posts: 7

Hi

I am using the Secure BBox ActiveX control and DLL library with a trial license key.

I have a valid certificate signed by the CA using the RSA-PSS algorithm (1.2.840.113549.1.1.10). When I try to verify it using SBX509ValidateWithCA, it fails. But if I push the CA certificate into the certificate storage with SBMemoryCertStorageAdd(hStorage, hCertCA); and then perform the validation using SBMemoryCertStorageValidate(hStorage, hCert, &reason); it succeeds.

I am also not able to verify the CRL signature using SBCertificateRevocationListValidate.

1. Does the toolkit support RSA-PSS algorithms for certificate verification?
2. Is it because I am using a trial license key that a few functions might not work?

Please explain.

Thanks

Regards
Venkata
#2041
Posted: 01/24/2007 11:21:29
by Ken Ivanov (EldoS Corp.)

Would you be so kind to provide us a chunk of your code that performs validation?

Quote
1. Does the toolkit support RSA-PSS algorithms for certificate verification?

Yes.

Quote
2. Is it because I am using a trial license key that a few functions might not work?

No, the only limitations of the evaluation version are (a) significant time delays and (b) the nag screen.
#2047
Posted: 01/24/2007 21:20:49
by Venkatasairam Y (Basic support level)
Joined: 01/24/2007
Posts: 7

Hi,

Please explain the different validation results.

1. There is a difference in results between SBMemoryCertStorageValidate and SBX509ValidateWithCA.

2. During CRL validation I get error 8716 SB_CRL_ERROR_INTERNAL_ERROR.

Please help.

Thanks
#2049
Posted: 01/25/2007 00:24:44
by Ken Ivanov (EldoS Corp.)

Please provide us a chunk of code that exposes the problem, so that we could try to reproduce it in our conditions.
#2050
Posted: 01/25/2007 02:21:14
by Venkatasairam Y (Basic support level)
Joined: 01/24/2007
Posts: 7

Please see my code and the comments below.

Code
   if (!SBPKIInitialize()) {
      return FALSE;
   }
   BOOL ok = SBPKISetLicenseKey(<LICENSE_KEY>);

   HANDLE hCert, hCertCA, hStorage, hCRL;
   hCert = SBX509Create();
   hCertCA = SBX509Create();
   hStorage = SBMemoryCertStorageCreate();
   hCRL = SBCertificateRevocationListCreate();

   SBX509LoadFromBuffer(hCert, cert->v, cert->l);
   SBX509LoadFromBuffer(hCertCA, certca->v, cert->l);
   SBCertificateRevocationListLoadFromBuffer(hCRL, crl->v, crl->l);

   int version = -1;
   version = SBX509GetVersion(hCert);
   // I get version = 3 as expected, so hCert should be of correct format
   version = -1;
   version = SBX509GetVersion(hCertCA);
   // I get version = 3 as expected, so hCertCA should be of correct format
   int countCRL = -1;
   countCRL = SBCertificateRevocationListGetCount(hCRL);
   // I get count = 0 as my CRL doesn't have any revoked certs, as expected, so hCRL should be of correct format

   SBMemoryCertStorageAdd(hStorage, hCertCA);

   int storageValidate = -1;
   int reason = 0;
   storageValidate = SBMemoryCertStorageValidate(hStorage, hCert, &reason);
   // storageValidate = 1; according to the documentation this means SB_CERT_VALIDITY_OK,
   // the certificate was validated successfully and is valid

   int validateCertWithCA = -1;
   validateCertWithCA = SBX509ValidateWithCA(hCert, certca->v, certca->l);
   // validateCertWithCA is still -1, which contradicts storageValidate

   int crlValidate = -1;
   crlValidate = SBCertificateRevocationListValidate(hCRL, hCertCA);
   // crlValidate gets a value of 8716

1. Certificate verification using the two methods gives contradictory results.
2. CRL validation gives error code 8716.

Please advise.
Thanks
#2055
Posted: 01/25/2007 09:39:26
by Ken Ivanov (EldoS Corp.)

Quote

SBX509LoadFromBuffer(hCert, cert->v, cert->l);
SBX509LoadFromBuffer(hCertCA, certca->v, cert->l);

Please note, that in the above code you are passing the wrong value as third parameter to the second SBX509LoadFromBuffer call. This leads to both errors you reported.

It is a good idea to check results returned by SBB functions to prevent further errors (produced by uninitialized object in this case).
#2067
Posted: 01/25/2007 22:17:52
by Venkatasairam Y (Basic support level)
Joined: 01/24/2007
Posts: 7

That is just a typo when I copy/paste my code. In my code, I have
SBX509LoadFromBuffer(hCert, cert->v, cert->l);
SBX509LoadFromBuffer(hCertCA, certca->v, certca->l);

Both cert and certca are PT_TLV:

Code
   typedef struct {
      int l;
      unsigned char *v;
   } T_TLV, *PT_TLV;

1. I still get the unexpected results as I stated in the previous post. Any idea why?

2. What is the expected result for SBX509LoadFromBuffer for a successful initialization?
#2068
Posted: 01/26/2007 01:54:55
by Ken Ivanov (EldoS Corp.)

1. Please find attached two sample certificates and a CRL and check whether your application shows correct results for them. On our side the results are correct (the end-entity certificate validates correctly either using ValidateWithCA or via the memory certificate storage; the CRL is also validated fine).

2. The routine is declared in the following way:
Code
__stdcall BOOL SBX509LoadFromBuffer(HANDLE handle, void * Buffer, int * Size);

Return value is TRUE if the certificate was loaded correctly and FALSE otherwise.


[ Download ]
#2069
Posted: 01/26/2007 02:47:59
by Venkatasairam Y (Basic support level)
Joined: 01/24/2007
Posts: 7

Hi

Thanks for the certificates. I tried my program using the certificates.

1. The return values I get:

Code
   int load = -10;
   load = SBX509LoadFromBuffer(hCert, cert->v, cert->l);
   // load = -1
   load = -10;
   load = SBX509LoadFromBuffer(hCertCA, certca->v, certca->l);
   // load = -1
   load = -10;
   load = SBCertificateRevocationListLoadFromBuffer(hCRL, crl->v, crl->l);
   // load = 0

Even for my own certificates LoadFromBuffer gives similar results.

Is there any issue with the use of the LoadFromBuffer method?

2. The certificate validation is failing, and for the CRL validation I get 8708.
#2070
Posted: 01/26/2007 03:17:19
by Ken Ivanov (EldoS Corp.)

1.
Quote
load = SBX509LoadFromBuffer(hCert, cert->v, cert->l);
//load = -1

-1 (0xFFFFFFFF) stands for the TRUE constant, so the results you get are correct.

Quote
load = SBCertificateRevocationListLoadFromBuffer(hCRL, crl->v, crl->l);
//load = 0

The return value of SBCertificateRevocationListLoadFromBuffer() function is of integer type. The 0 value means that the CRL was loaded correctly (please consider using the documentation to read about possible error codes, http://www.eldos.com/documentation/sb...ffer.html).

2. Hmm, it's quite strange, as the same files are validated correctly in our conditions.

Please find attached a simple application that we used to reproduce the issue you reported. Please run it in your conditions and check if CRL error appears with it.


[ Download ]
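The checks this thread walks through (chain validation against one explicitly supplied CA, CRL signature and currency check, a revocation lookup, and the failure you must catch when a certificate is loaded from a buffer with the wrong length) in one self-contained program. This is an added example, not SecureBlackbox code and not code from either poster: it uses Go's standard crypto/x509 instead of the SBB API, mints its own CA, RSA-PSS-signed end-entity certificate and CRL in process (the serial numbers, names and lifetimes are constructed), and every load call returns an error that is checked before the handle is used. It goes one step beyond the thread by also putting a revoked serial into the CRL so the lookup can be exercised both ways.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Artifacts holds DER-encoded objects built in process (nothing is read from disk).
type Artifacts struct {
	CADER, LeafDER, CRLDER    []byte
	LeafSerial, RevokedSerial *big.Int
}

// BuildArtifacts mints a self-signed CA, an end-entity certificate and a CRL, all signed with
// RSA-PSS (OID 1.2.840.113549.1.1.10, the algorithm the original poster's certificate uses).
func BuildArtifacts() (*Artifacts, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue a CRL
		SignatureAlgorithm:    x509.SHA256WithRSAPSS,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(2), // constructed
		Subject:            pkix.Name{CommonName: "leaf.example"},
		NotBefore:          now.Add(-time.Hour),
		NotAfter:           now.Add(24 * time.Hour),
		KeyUsage:           x509.KeyUsageDigitalSignature,
		SignatureAlgorithm: x509.SHA256WithRSAPSS,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	revoked := big.NewInt(99) // constructed: a serial that is on the CRL, unlike the leaf's
	crlTmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now.Add(-time.Hour),
		NextUpdate:          now.Add(24 * time.Hour),
		SignatureAlgorithm:  x509.SHA256WithRSAPSS,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: now.Add(-time.Minute)}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return &Artifacts{CADER: caDER, LeafDER: leafDER, CRLDER: crlDER, LeafSerial: leafTmpl.SerialNumber, RevokedSerial: revoked}, nil
}

// ValidateWithCA is the counterpart of SBX509ValidateWithCA: load both buffers, checking each
// result, then ask whether the leaf chains to exactly this CA. A buffer of the wrong length
// fails at the load step instead of silently leaving an empty object behind.
func ValidateWithCA(leafDER, caDER []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return fmt.Errorf("end-entity certificate did not load: %w", err)
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return fmt.Errorf("CA certificate did not load: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// ValidateCRL is the counterpart of SBCertificateRevocationListValidate: the CRL must parse,
// carry a signature that verifies under the CA key, and be current at the given time.
func ValidateCRL(crlDER, caDER []byte, now time.Time) (*x509.RevocationList, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, fmt.Errorf("CRL did not load: %w", err)
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, fmt.Errorf("CA certificate did not load: %w", err)
	}
	if err := rl.CheckSignatureFrom(ca); err != nil {
		return nil, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return nil, errors.New("CRL is not current")
	}
	return rl, nil
}

// IsRevoked reports whether a serial number appears on an already-validated CRL.
func IsRevoked(rl *x509.RevocationList, serial *big.Int) bool {
	for _, e := range rl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

func main() {
	a, err := BuildArtifacts()
	if err != nil {
		panic(err)
	}
	fmt.Println("ValidateWithCA:", ValidateWithCA(a.LeafDER, a.CADER))
	rl, err := ValidateCRL(a.CRLDER, a.CADER, time.Now())
	fmt.Println("ValidateCRL:", err)
	if rl != nil {
		fmt.Println("leaf revoked:", IsRevoked(rl, a.LeafSerial), "serial 99 revoked:", IsRevoked(rl, a.RevokedSerial))
	}
	// The mistake from the thread: the CA buffer passed with the wrong length. Here the load
	// fails loudly instead of producing a half-initialised object and contradictory results.
	fmt.Println("truncated CA:", ValidateWithCA(a.LeafDER, a.CADER[:len(a.CADER)-5]))
}
```

The point of `ValidateWithCA` returning the load error rather than a bare validity flag is the one Ken makes in the thread: a load that is never checked turns into a validation failure two calls later, where it is much harder to diagnose. Note also that `ValidateCRL` treats the CRL's own validity window as part of the check; a CRL that verifies but is stale should not be trusted for a revocation decision.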