EldoS | Feel safer!

Software components for data protection, secure storage and transfer

ElMessageDecryptor.CertIDs question

#159
Posted: 05/11/2006 07:00:47
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Hi!,

In my program, I use ElMessageDecryptor.CertIDs to search the stores for the certificates that encrypted the message and auto-select them. If I can't find one, I show a message with the information of the certificates that encrypted the file.

The problem is that I can only get the serial number, because ElPKCS7Issuer.Issuer only returns a little bit of information. And I wanted to get the SB_CERT_OID_COMMON_NAME of the original Certificate.SubjectRDN to show them.

How can I do that? Why isn't that OID appearing?
#160
Posted: 05/11/2006 07:02:57
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

P.S. I always have to sign in to post messages in the forum; the "remember me" checkbox on the webpage seems not to be working (and I don't have any severe security restriction on cookies or something similar in my Explorer).
#162
Posted: 05/11/2006 13:49:00
by Ken Ivanov (EldoS Corp.)

Quote
The problem is that I can only get the serial number, because ElPKCS7Issuer.Issuer only returns a little bit of information. And I wanted to get the SB_CERT_OID_COMMON_NAME of the original Certificate.SubjectRDN to show them.

The PKCS#7 specification defines the certificate identifier as an <*issuer*, serial number> pair. That is, ElPKCS7Issuer.Issuer is equal to the IssuerRDN field of the recipient's certificate. With PKCS#7 messages there is no possibility to get the subject of the recipient's certificate, so you have to search for the recipient's certificate by its *issuer* and serial number fields.
#174
Posted: 05/12/2006 04:05:15
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

I've got a little "programming-security" question... I'm only comparing .serialnumber (if [certid].serialnumber=[mycertinstore].serial then ...). Is it enough? (Or in some circumstance would it lead me to wrong results?) Also, I see that the serial number may be a string with non-base64 chars; should I use the ansistringcompare function?

Another question: if I also look for issuer=issuerRDN, is there any pseudocode to do that comparison faster than looping through all OIDs and getting their values?

Thanks
#175
Posted: 05/12/2006 04:18:46
by Ken Ivanov (EldoS Corp.)

Quote
I've got a little "programming-security" question... I'm only comparing .serialnumber (if [certid].serialnumber=[mycertinstore].serial then ...). Is it enough? (Or in some circumstance would it lead me to wrong results?)

No, you should compare both serial number and issuer.

Quote
Also, I see that the serial number may be a string with non-base64 chars; should I use the ansistringcompare function?

Yes. Actually, the CompareStr function will also work.

Quote
Another question: if I also look for issuer=issuerRDN, is there any pseudocode to do that comparison faster than looping through all OIDs and getting their values?

Unfortunately, no. The only way to compare their values is to iterate over the RDN values. However, a certificate RDN usually contains 3-6 entries, so it will not take a long time anyway.
#176
Posted: 05/12/2006 04:27:51
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

And is this pseudo-algorithm correct:

EqualRDN := False;
// compare the issuer RDNs entry by entry; the serial number is checked separately
if [certids].issuer.Count = [mycert].issuerRDN.Count then
begin
  EqualRDN := True;
  for i := 0 to [certids].issuer.Count - 1 do
  begin
    // CompareStr returns 0 for equal strings; "not CompareStr(...) = 0" would apply
    // a bitwise NOT to the integer result instead of negating the test
    if CompareStr([certids].issuer.Values[i], [mycert].issuerRDN.Values[i]) <> 0 then
    begin
      EqualRDN := False;
      Break;
    end;
  end;
  // after a for loop the loop variable is undefined in Delphi, so the result is
  // tracked in EqualRDN instead of testing i against Count - 1
  // note: this assumes both RDNs list their attributes in the same order
end;
#177
Posted: 05/12/2006 04:33:58
by Ken Ivanov (EldoS Corp.)

Sorry for not answering in the previous post -- you can use the CompareRDN function from the SBMessages unit. It does exactly what you need.
#178
Posted: 05/12/2006 04:37:51
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

Wow! Many thanks, it's quite a bit more sophisticated than my algorithm ;). I'll use it right now.

Thanks again
#181
Posted: 05/12/2006 05:17:52
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

CompareRDN always gives me False, because the TAG in Certids.issuer seems to be 4 and in my store it is 19. The rest is equal, but the function returns False because of this difference in the tag. Can I copy your function and remove this check of the tag? What is the function of this TAG? (I can't see it in the help file.)

Thanks
#182
Posted: 05/12/2006 05:26:21
by Ken Ivanov (EldoS Corp.)

Hmm, it's quite strange. Would you be so kind as to provide us with the following information:
a) what software was used to encrypt the file,
b) does this error appear with the SecureBlackbox sample certificate?

As a quick fix, you can remove the tag comparison (the tag means the type of the stored value, e.g. 19 (SB_ASN1_PRINTABLESTRING) means that the value should be interpreted as a printable string).
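Two points from this thread in one runnable model: the answer in #175 (a PKCS#7 recipient is identified by issuer and serial number together, so matching the serial alone is not enough) and the tag mismatch from #181/#182 (the same issuer text carried with a different ASN.1 string tag). This is an added Python example, not EldoS or SecureBlackbox code; the certificate store, the recipient identifier and the tag values used for PrintableString (19) and UTF8String (12) are the example's own constructed assumptions.

```python
# Added example, not EldoS/SecureBlackbox code: a plain-Python model of the
# PKCS#7 recipient lookup discussed in this thread.  A RecipientInfo names the
# certificate by <issuer, serialNumber>, so the store search must match both.
from dataclasses import dataclass
from typing import Tuple

OID_CN, OID_O = "2.5.4.3", "2.5.4.10"      # commonName, organizationName
PRINTABLE_STRING, UTF8_STRING = 19, 12      # ASN.1 universal string tags (assumed here)

@dataclass(frozen=True)
class RdnEntry:
    oid: str
    tag: int      # ASN.1 string type the value was encoded with
    value: str

@dataclass(frozen=True)
class Cert:
    issuer: Tuple[RdnEntry, ...]
    serial: bytes
    subject_cn: str

def compare_rdn(a, b, ignore_tag=True):
    """True when both names carry the same attributes (by OID) with equal
    values, in any order.  With ignore_tag=True the same text encoded as
    PrintableString in one place and UTF8String in the other still matches,
    which is the tag-mismatch failure described in the thread."""
    if len(a) != len(b):
        return False
    key = (lambda e: (e.oid, e.value)) if ignore_tag else (lambda e: (e.oid, e.tag, e.value))
    return sorted(key(e) for e in a) == sorted(key(e) for e in b)

def find_recipient(store, issuer, serial, ignore_tag=True):
    """Return the store certificates matching a PKCS#7 <issuer, serial> id."""
    return [c for c in store if c.serial == serial and compare_rdn(c.issuer, issuer, ignore_tag)]

def find_by_serial_only(store, serial):
    """The insufficient check from the thread: serials are only unique per CA."""
    return [c for c in store if c.serial == serial]

# Constructed sample store: two different CAs each issued serial number 1.
ALPHA_CA = (RdnEntry(OID_CN, PRINTABLE_STRING, "Alpha CA"), RdnEntry(OID_O, PRINTABLE_STRING, "Alpha"))
BETA_CA = (RdnEntry(OID_CN, PRINTABLE_STRING, "Beta CA"), RdnEntry(OID_O, PRINTABLE_STRING, "Beta"))
STORE = [Cert(ALPHA_CA, b"\x01", "alice@example.com"), Cert(BETA_CA, b"\x01", "bob@example.com")]

# Constructed recipient id as it might arrive in a message: same issuer text as
# ALPHA_CA, but with the values encoded as UTF8String instead of PrintableString.
MESSAGE_ISSUER = tuple(RdnEntry(e.oid, UTF8_STRING, e.value) for e in ALPHA_CA)

if __name__ == "__main__":
    print(len(find_by_serial_only(STORE, b"\x01")), "certs match the serial alone")  # 2
    print([c.subject_cn for c in find_recipient(STORE, MESSAGE_ISSUER, b"\x01")])    # alice only
```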
