EldoS | Feel safer!


How to pin certificate without validating chain (WinStore assemblies)

Posted: 07/02/2015 04:56:22
by OGAlex (Standard support level)
Joined: 06/08/2015
Posts: 13

I previously had some issues (https://www.eldos.com/forum/read.php?FID=7&TID=6034) that I thought were resolved but actually aren't.

certificateValidator = new TElX509CertificateValidator();
certificateValidator.CheckCRL = false;
certificateValidator.CheckOCSP = false;
certificateValidator.ForceCompleteChainValidationForTrusted = false;

This setup, without any trusted certificates in the validator, is returning cvOk when I call:

certificateValidator.ValidateForSSL(certificate, "https://mytestserver.com", "", TSBHostRole.hrServer, null, true, false, DateTime.Now, ref validity, ref reason);

I thought this method would check for a trusted certificate but I assume it isn't because of the false ForceCompleteChainValidationForTrusted. But if I set that to true, I get a cvchaininvalid by providing only the server cert or intermediate cert as trusted.

I want to have the ability to provide:
- the intermediate cert, WITHOUT trusting or even knowing the root CA and return valid
- the server cert, WITHOUT trusting or even knowing the root CA AND intermediate CA and return valid
- root cert, return valid
- another cert or no cert, return invalid

Is there another way to manually check that the server certificate, OR the intermediate certificate that I receive from the server are identical to a cert that I load from the file system?

Thanks very much for your time!
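Added example, not the poster's code and not the SecureBlackbox API: the check the post asks for, written in Python, compares SHA-256 fingerprints of the DER-encoded certificates the peer presents (server, intermediate or root) against fingerprints of certificates loaded from local files, with no chain building and no trust store. The certificate bytes below are constructed stand-ins, not real DER.

```python
import hashlib
import hmac
from typing import Iterable

# Constructed stand-ins for DER-encoded certificates (not real ASN.1).
LEAF_DER = b"constructed: server certificate"
INTERMEDIATE_DER = b"constructed: intermediate CA certificate"
ROOT_DER = b"constructed: root CA certificate"
OTHER_DER = b"constructed: unrelated certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, lowercase hex; this is what a pin stores."""
    return hashlib.sha256(der).hexdigest()


def load_pins(paths: Iterable[str]) -> set:
    """Read DER certificate files from disk and return their fingerprints."""
    pins = set()
    for path in paths:
        with open(path, "rb") as f:
            pins.add(fingerprint(f.read()))
    return pins


def chain_is_pinned(chain, pins):
    """Accept the peer if any certificate it presented (server, intermediate
    or root) matches a pin. Returns (accepted, reason)."""
    if not chain:
        return False, "no certificate presented"
    if not pins:
        # An empty pin set must fail closed, never accept everything.
        return False, "no pins configured"
    for depth, der in enumerate(chain):
        fp = fingerprint(der)
        # compare_digest keeps comparison timing independent of the input.
        if any(hmac.compare_digest(fp, pin) for pin in pins):
            return True, f"pin matched at chain depth {depth}"
    return False, "no presented certificate matches a pin"


def demo():
    """The cases listed in the post, run against the chain the server sends."""
    chain = [LEAF_DER, INTERMEDIATE_DER, ROOT_DER]
    return {
        "intermediate pinned": chain_is_pinned(chain, {fingerprint(INTERMEDIATE_DER)})[0],
        "server cert pinned": chain_is_pinned(chain, {fingerprint(LEAF_DER)})[0],
        "root pinned": chain_is_pinned(chain, {fingerprint(ROOT_DER)})[0],
        "other cert pinned": chain_is_pinned(chain, {fingerprint(OTHER_DER)})[0],
        "no cert pinned": chain_is_pinned(chain, set())[0],
    }
```

A pin match only replaces chain building; hostname, validity period and revocation are separate decisions and still need their own checks if they matter for the deployment.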

Posted: 07/02/2015 05:14:05
by Eugene Mayevski (Team)

I've moved your question to the previous topic to avoid duplication and keep the context of the talk. I will also answer there.

Sincerely yours
Eugene Mayevski


