EldoS | Feel safer!

Certificate chain validation

#3222
Posted: 06/26/2007 11:03:13
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Hello,

I need to validate a certificate chain. The actual operation options are numerous (set self-signed certificate or real PKI) but there is one thing that isn't clear to me:

Assuming the certificate I need to validate has been signed by an intermediary CA and by a root CA. Assuming that I have all these certificates in a certificate store and assuming I have the root CA in a different TElX509Certificate instance in addition to the store. How would I go about validating that chain correctly?

Can I use ValidateWithCA in this case? Do I need to loop through all the chain, validating each certificate with its issuer? Do I need to use the Store's Validate method?

Thank you
#3226
Posted: 06/27/2007 01:46:51
by Ken Ivanov (EldoS Corp.)

The idea is to iterate from end-entity certificate up to the Root CA validating each certificate with the parent one (except the Root CA). Call TElCustomCertStorage.GetIssuerCertificate() method to get certificate issuer's index in a storage, then use TElX509Certificate.ValidateWithCA() method to perform validation. Root CA (self-signed) certificate should be validated in a different way, via TElX509Certificate.Validate() method.
#3227
Posted: 06/27/2007 01:56:36
by Eugene Mayevski (EldoS Corp.)

If all certificates are in the same storage, you can do the following:

1) call TElCustomCertStorage.BuildChain method to retrieve the complete chain
2) call TElX509CertificateChain.Validate method to validate the chain


Sincerely yours
Eugene Mayevski
#3228
Posted: 06/27/2007 02:21:49
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thank you, that's exactly the answer I was looking for.

Just one additional question: is there an easy way to know exactly to which chain a specific certificate belongs?
#3229
Posted: 06/27/2007 02:31:41
by Eugene Mayevski (EldoS Corp.)

A chain is not something physical. It's just a relation between certificates. This relation can be determined by using the GetIssuerCertificate() method.


Sincerely yours
Eugene Mayevski