EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Understanding Certificate Validation

#25016
Posted: 05/21/2013 21:44:36
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

Sorry for the dumb questions, but I'm trying to get my head around this stuff.

I've got a key, and certificate and a bundle file from my CA (which contains 2 certificates).

If I try to load them into a TElMemoryCertStorage object and then try to validate any of the certificates (using TElX509CertificateValidator) or the entire chain, I always get a result of cvInvalid and reason vrInvalidSignature.

I have no idea why this is happening because those same certificates are loading correctly in OpenSSL.

Am I missing something??? This is quite frustrating.
#25018
Posted: 05/21/2013 23:09:51
by Eugene Mayevski (EldoS Corp.)

Most likely the problem comes from the fact that the bundle file is not loaded completely (as I described in another forum post).

Now, the Validate methods of TElX509Certificate and TElCustomCertStorage have limited usability (we probably have to remove/hide them in the SBB 11 release). You need to use the TElX509CertificateValidator class for proper certificate validation.


Sincerely yours
Eugene Mayevski
#25021
Posted: 05/21/2013 23:45:11
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

Hi Eugene,

Thank you for your response.

I agree with you that this has more to do with cert chain than synapse/sbb interface. I realized that after my first post.

I've created a basic program to load and validate the cert chain, which reliably fails.

- It loads the CA self-signed cert from the bundle into a TElX509Certificate object (CertA).
- It adds that to a TElMemoryCertStorage object

- It loads a non-self-signed cert from a second PEM file (from CA Bundle) into another TElX509Certificate object (CertB)
- It adds that to a TElMemoryCertStorage object

- It loads the non-self-signed cert and key from PEM files into another TElX509Certificate object (CertC).

- It then instantiates a TElX509CertificateValidator and calls the validate method on that ... ie Validator.Validate(CertC, ValidityResult, ValidityReason).

EDIT: What I should have mentioned is that the TElMemoryCertStorage object is added to the TElX509CertificateValidator with AddTrustedCertificates().

We've traced through the source code of that method, and it fails right near the bottom when calling the ValidateWithCA() method ...

We've traced into that method and the failure appears to be caused by the FKeyMaterial being nil near the bottom of that method.

Any help would be appreciated.

Kind regards

Erich
#25022
Posted: 05/22/2013 00:01:23
by Eugene Mayevski (EldoS Corp.)

Quote
Erich Kuba wrote:
- It loads the CA self-signed cert from the bundle into a TElX509Certificate object (CertA).
- It adds that to a TElMemoryCertStorage object.

- It loads a non-self-signed cert from a second PEM file (from the CA bundle) into another TElX509Certificate object (CertB).
- It adds that to a TElMemoryCertStorage object.


I don't understand this, yet I feel that something is not loaded right in this case. As I said, CA bundles are not loaded completely now, and a CA bundle in OpenSSL can have multiple certificates. Loading just one of them is not enough.

I'll move your question to HelpDesk.


Sincerely yours
Eugene Mayevski
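The point Eugene makes above, that a CA bundle is a concatenation of several PEM blocks and a loader that reads only the first one leaves the chain incomplete, can be checked independently of any particular library. The following is an added example in Python, not SecureBlackbox code and not anything from this thread: it splits a PEM bundle into every CERTIFICATE block, base64-decodes each one and sanity-checks that the result is a well-formed outer DER SEQUENCE (which every real X.509 certificate is). The DER blobs inside the constructed bundle are placeholders, not real certificates, so the example runs offline; the function names, the `_FAKE_CERT_*` constants and the `BUNDLE` text are all assumptions made here.

```python
import base64
import re

# Constructed placeholder DER blobs standing in for real certificates.
# A real X.509 certificate is also an outer DER SEQUENCE, which is the only
# property the sanity check below relies on.
_FAKE_CERT_A = bytes.fromhex("3003020101")      # SEQUENCE { INTEGER 1 }
_FAKE_CERT_B = bytes.fromhex("30050203010203")  # SEQUENCE { INTEGER 0x010203 }
_FAKE_KEY = bytes.fromhex("3003020102")         # placeholder for a key block


def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in PEM armor with the usual 64-column body."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed bundle: two certificates plus an unrelated block, as a CA
# bundle handed out next to a separate key file might look.
BUNDLE = to_pem(_FAKE_CERT_A) + to_pem(_FAKE_CERT_B) + to_pem(_FAKE_KEY, "PRIVATE KEY")

_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S
)


def _check_outer_sequence(der: bytes) -> None:
    """Reject blobs that are not exactly one DER SEQUENCE (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("block does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form length: 0x8N + N bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError("DER length does not match block size")


def split_pem_bundle(text: str, label: str = "CERTIFICATE") -> list[bytes]:
    """Return the DER bytes of every block carrying `label`, in file order.

    Blocks with other labels (keys, CRLs) are skipped; a block whose BEGIN
    and END labels disagree, or whose body is not valid base64/DER, raises.
    """
    found = []
    for match in _BLOCK_RE.finditer(text):
        begin, body, end = match.groups()
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        if begin != label:
            continue
        der = base64.b64decode("".join(body.split()), validate=True)
        _check_outer_sequence(der)
        found.append(der)
    return found


def first_block_only(text: str) -> list[bytes]:
    """Model of a loader that stops after the first block: it never sees
    the rest of the bundle, which is the incomplete-load symptom above."""
    return split_pem_bundle(text)[:1]


if __name__ == "__main__":
    full = split_pem_bundle(BUNDLE)
    print(f"certificates in bundle: {len(full)}, seen by a first-block loader: "
          f"{len(first_block_only(BUNDLE))}")
```

Running the block on the constructed bundle reports two certificates, while the first-block loader reports one; feeding only that one certificate to a validator means the issuing certificate is missing and the chain cannot be completed. The same splitter can be pointed at a real bundle file to confirm how many certificates a library is expected to load.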
#25023
Posted: 05/22/2013 00:15:09
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

Thank you, and just for the sake of clarity, I've split the bundle file into two files and am loading both parts into their own TElX509Certificate objects.

Thanks for your help
#25024
Posted: 05/22/2013 00:17:22
by Eugene Mayevski (EldoS Corp.)

Still a picture (a test case) is worth a thousand words :).


Sincerely yours
Eugene Mayevski