EldoS | Feel safer!

Certificate chain validation

#3222
Posted: 06/26/2007 11:03:13
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Hello,

I need to validate a certificate chain. The actual operation options are numerous (set self-signed certificate or real PKI), but there is one thing that isn't clear to me:

Assume the certificate I need to validate has been signed by an intermediary CA and by a root CA, that I have all these certificates in a certificate store, and that I also have the root CA in a separate TElX509Certificate instance in addition to the store. How would I go about validating that chain correctly?

Can I use ValidateWithCA in this case? Do I need to loop through the whole chain, validating each certificate with its issuer? Do I need to use the Store's Validate method?

Thank you
#3226
Posted: 06/27/2007 01:46:51
by Ken Ivanov (EldoS Corp.)

The idea is to iterate from the end-entity certificate up to the Root CA, validating each certificate with its parent one (except the Root CA). Call the TElCustomCertStorage.GetIssuerCertificate() method to get the certificate issuer's index in the storage, then use the TElX509Certificate.ValidateWithCA() method to perform validation. The Root CA (self-signed) certificate should be validated in a different way, via the TElX509Certificate.Validate() method.
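The walk described in the reply above, written out as an added Delphi example (not code from the thread or from the SecureBlackbox distribution). It also checks that the self-signed certificate the walk ends on is the root the caller actually trusts, since any self-signed certificate in the store would otherwise pass. Assumed, because the thread does not show them: the storage's Count and Certificates[] members, a negative return from GetIssuerCertificate() when no issuer is found, and the SelfSigned property and Equals() method on TElX509Certificate.

```pascal
uses
  SBX509, SBCustomCertStorage;

{ Walks from the end-entity certificate up to the self-signed root,
  validating each certificate with its issuer, then validates the root
  on its own and compares it with the trusted root instance.
  Returns True only if every step succeeds. }
function ValidateChainAgainstRoot(Storage: TElCustomCertStorage;
  EndEntity, TrustedRoot: TElX509Certificate): Boolean;
var
  Current, Issuer: TElX509Certificate;
  Idx, Hops: Integer;
begin
  Result := False;
  Current := EndEntity;
  Hops := 0;
  { Stop at the self-signed certificate: it has no parent to validate against. }
  while not Current.SelfSigned do              { SelfSigned: assumed property }
  begin
    Inc(Hops);
    if Hops > Storage.Count then               { Count: assumed property }
      Exit;                                    { issuer loop in the store }
    Idx := Storage.GetIssuerCertificate(Current);
    if Idx < 0 then                            { assumed "not found" value }
      Exit;                                    { chain is incomplete }
    Issuer := Storage.Certificates[Idx];       { Certificates[]: assumed indexer }
    if not Current.ValidateWithCA(Issuer) then
      Exit;                                    { link does not validate }
    Current := Issuer;
  end;
  { Current is the self-signed root: validate it by itself, and make sure it
    is the root we trust rather than some other self-signed certificate. }
  Result := Current.Validate and Current.Equals(TrustedRoot); { Equals: assumed }
end;
```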
#3227
Posted: 06/27/2007 01:56:36
by Eugene Mayevski (EldoS Corp.)

If all certificates are in the same storage, you can do the following:

1) call the TElCustomCertStorage.BuildChain method to retrieve the complete chain
2) call the TElX509CertificateChain.Validate method to validate the chain


Sincerely yours
Eugene Mayevski
#3228
Posted: 06/27/2007 02:21:49
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thank you, that's exactly the answer I was looking for.

Just one additional question: is there an easy way to know exactly which chain a specific certificate belongs to?
#3229
Posted: 06/27/2007 02:31:41
by Eugene Mayevski (EldoS Corp.)

A chain is not something physical; it's just a relation between certificates. This relation can be determined by using the GetIssuerCertificate() method.


Sincerely yours
Eugene Mayevski