Certificate chain validation

Posted: 06/26/2007 11:03:13
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 172


I need to validate a certificate chain. The actual operation options are numerous (set self-signed certificate or real PKI) but there is one thing that isn't clear to me:

Assuming the certificate I need to validate has been signed by an intermediary CA and by a root CA. Assuming that I have all these certificates in a certificate store and assuming I have the root CA in a different TElX509Certificate instance in addition to the store. How would I go about validating that chain correctly?

Can I use ValidateWithCA in this case? Do I need to loop through all the chain, validating each certificate with its issuer? Do I need to use the Store's Validate method?

Thank you
Posted: 06/27/2007 01:46:51
by Ken Ivanov (EldoS Corp.)

The idea is to iterate from the end-entity certificate up to the Root CA, validating each certificate with the parent one (except the Root CA). Call the TElCustomCertStorage.GetIssuerCertificate() method to get the certificate issuer's index in the storage, then use the TElX509Certificate.ValidateWithCA() method to perform validation. The Root CA (self-signed) certificate should be validated in a different way, via the TElX509Certificate.Validate() method.
Posted: 06/27/2007 01:56:36
by Eugene Mayevski (EldoS Corp.)

If all certificates are in the same storage, you can do the following:

1) call ElCustomCertStorage.BuildChain method to retrieve the complete chain
2) call TElX509CertificateChain.Validate method to validate the chain

Sincerely yours
Eugene Mayevski
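A worked version of the procedure described in the two replies above, added here as an example; it is not code from this thread, from EldoS or from SecureBlackbox, and uses Go's standard crypto/x509 package instead of the TElX509Certificate API. It builds a constructed root, intermediate and end-entity certificate in memory (names, serials and lifetimes are made up), then walks from the end-entity certificate up to the root: findIssuer plays the role of GetIssuerCertificate, CheckSignatureFrom the role of ValidateWithCA, and the self-signed root is handled separately, since a self-signature proves nothing on its own and trust must come from an explicit trusted set (the separate Validate step). The store passed in must contain the root; the separate root instance from the question goes into the trusted list.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed demo PKI: sequential serial numbers are enough here

// mustCert issues a certificate for cn signed by parent (self-signed when parent is nil); demo helper, panics on error.
func mustCert(cn string, usage x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		IsCA:                  usage&x509.KeyUsageCertSign != 0, // only CAs may sign certificates
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildDemoPKI constructs root -> intermediate -> end-entity; the names are made up.
func BuildDemoPKI() (root, inter, leaf *x509.Certificate) {
	root, rootKey := mustCert("Demo Root CA", x509.KeyUsageCertSign, nil, nil)
	inter, interKey := mustCert("Demo Intermediate CA", x509.KeyUsageCertSign, root, rootKey)
	leaf, _ = mustCert("server.example.test", x509.KeyUsageDigitalSignature, inter, interKey)
	return root, inter, leaf
}

// findIssuer is the GetIssuerCertificate step: the store entry whose subject equals cert's issuer name.
func findIssuer(cert *x509.Certificate, store []*x509.Certificate) *x509.Certificate {
	for _, cand := range store {
		if bytes.Equal(cand.RawSubject, cert.RawIssuer) {
			return cand
		}
	}
	return nil
}

// WalkChain iterates from the end-entity certificate up to the root, checking each one against its issuer
// (ValidateWithCA). A self-signed root verifies itself, so it must also be in the explicit trusted set.
func WalkChain(leaf *x509.Certificate, store, trusted []*x509.Certificate, now time.Time) ([]string, error) {
	var path []string
	for cur := leaf; len(path) < 8; { // bound guards against issuer loops in a bad store
		name := cur.Subject.CommonName
		path = append(path, name)
		if now.Before(cur.NotBefore) || now.After(cur.NotAfter) {
			return path, fmt.Errorf("%q: outside its validity period", name)
		}
		issuer := findIssuer(cur, store)
		if issuer == nil {
			return path, fmt.Errorf("%q: issuer certificate not found in store", name)
		}
		if err := cur.CheckSignatureFrom(issuer); err != nil {
			return path, fmt.Errorf("%q: not signed by %q: %w", name, issuer.Subject.CommonName, err)
		}
		if bytes.Equal(issuer.Raw, cur.Raw) { // reached a self-signed root: the Validate step
			for _, t := range trusted {
				if bytes.Equal(t.Raw, cur.Raw) {
					return path, nil
				}
			}
			return path, fmt.Errorf("root %q is not in the trusted set", name)
		}
		cur = issuer
	}
	return path, fmt.Errorf("chain exceeds 8 certificates")
}

func main() {
	root, inter, leaf := BuildDemoPKI()
	store := []*x509.Certificate{leaf, inter, root}
	fmt.Println(WalkChain(leaf, store, []*x509.Certificate{root}, time.Now()))
}
```

The returned path lists the common names visited, end-entity first. Passing an empty trusted list with the same store makes the walk fail at the root, which is the point of the separate root handling: a store can hold any self-signed certificate, and only the explicit trust decision turns it into an anchor. The "build the chain, then validate it" route from the second reply has a one-call counterpart in Go as well, `(*x509.Certificate).Verify` with `x509.VerifyOptions{Roots, Intermediates}`, which assembles the path from the pools and applies the same checks.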
Posted: 06/27/2007 02:21:49
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 172

Thank you, that's exactly the answer I was looking for.

Just one additional question: is there an easy way to know exactly which chain a specific certificate belongs to?
Posted: 06/27/2007 02:31:41
by Eugene Mayevski (EldoS Corp.)

A chain is not something physical. It's just a relation between certificates. This relation can be determined by using the GetIssuerCertificate() method.

Sincerely yours
Eugene Mayevski