Custom conditions in chain verification process

Posted: 01/27/2016 06:20:05
by Marcin  (Standard support level)
Joined: 01/26/2016
Posts: 14

I am using the PKIBlackbox package of the .NET version of the library.
I have some problems / questions:

1/ How to properly use the library to validate a certificate (let's name it CRT) against a list of CA certificates (there may be more than one chain that validates CRT)?
Here is code that I use:

    // Certificate under test (CRT). certBytes is assumed to hold its encoded form.
    TElX509Certificate primaryCert = new TElX509Certificate();
    primaryCert.LoadFromBuffer(certBytes);
    int reason = -1;

    // Self-signed CA certificates become trust anchors; every CA certificate
    // (root or intermediate) is also made available for chain building.
    TElMemoryCertStorage storeTrusted = new TElMemoryCertStorage();
    TElMemoryCertStorage storeKnown   = new TElMemoryCertStorage();
    foreach (byte[] additionalCertificate in additionalCertificates) // assumed: encoded CA certs
    {
        TElX509Certificate cert = new TElX509Certificate();
        cert.LoadFromBuffer(additionalCertificate);
        if (cert.SelfSigned)
            storeTrusted.Add(cert, true);
        storeKnown.Add(cert, true);
    }

    TElX509CertificateValidator certificateValidator = new TElX509CertificateValidator();
    certificateValidator.OfflineMode                 = true;
    certificateValidator.MandatoryCRLCheck           = false;
    certificateValidator.MandatoryRevocationCheck    = false;
    certificateValidator.MandatoryOCSPCheck          = false;
    certificateValidator.CheckCRL                    = false;
    certificateValidator.CheckOCSP                   = false;
    certificateValidator.IgnoreCAKeyUsage            = false;
    certificateValidator.ValidateInvalidCertificates = false;
    certificateValidator.UseSystemStorages           = false;

    // Attach the storages to the validator; without this step the stores are never consulted.
    certificateValidator.AddTrustedCertificates(storeTrusted);
    certificateValidator.AddKnownCertificates(storeKnown);

    TSBCertificateValidity validity = TSBCertificateValidity.cvChainUnvalidated;
    certificateValidator.Validate(primaryCert, ref validity, ref reason);

Is it correct?

2/ Can I specify conditions to build the chain, and if so, how do I do that?

I ask because when I use the X509Chain class from .NET on the same list of CA certs and intermediate certs, I receive a correct chain (if I remove the found chain certs, I receive one more valid chain) that validates my CRT, but with SecureBlackBox I also receive one more CA (so this is also a chain) that verifies my CRT.
Furthermore, when I add some certs that do not validate my CRT but can also occur in production, the validation method returns an "Invalid" status, and I expect that the validation process should omit this cert if it is not the issuer of CRT and search for a proper chain which is present in the mentioned CA list.
Here is the reason that method returns:
Certificate contains invalid digital signature, it could be corrupted

So can I force the engine to search for a valid chain until it finds one?

Thanks for any help
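The "remove the found chain certs and build again" search described in the post, written out with the .NET X509Chain class. This is an added example, not code from the original post or from SecureBlackbox; it assumes the leaf (CRT) and the CA list are already loaded as X509Certificate2 objects, and IsSelfSigned is a hypothetical helper that uses the Subject == Issuer approximation. The point worth noting for a defender: AllowUnknownCertificateAuthority makes X509Chain accept any self-signed root, so the code must check the chain's root against its own trust anchors, otherwise an attacker-supplied root in the CA list would validate the leaf.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Enumerates every distinct chain from leaf to one of the caller's trusted roots,
// using only the supplied CA certificates as intermediates and anchors.
public static class ChainSearch
{
    public static List<X509Certificate2[]> FindAllChains(
        X509Certificate2 leaf,
        IEnumerable<X509Certificate2> caCertificates)
    {
        var pool = caCertificates.ToList();                 // CA certs still available for building
        var trustedRoots = pool.Where(IsSelfSigned).ToList(); // our own trust anchors
        var found = new List<X509Certificate2[]>();

        while (true)
        {
            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline, like the post
                // Lets chains end at roots that are not in the Windows trust store.
                // Side effect: ANY self-signed root is accepted, hence the explicit check below.
                chain.ChainPolicy.VerificationFlags =
                    X509VerificationFlags.AllowUnknownCertificateAuthority;
                chain.ChainPolicy.ExtraStore.AddRange(pool.ToArray());

                if (!chain.Build(leaf))
                    break; // no further chain can be built from what is left

                X509Certificate2[] elements = chain.ChainElements
                    .Cast<X509ChainElement>()
                    .Select(e => e.Certificate)
                    .ToArray();

                // Security check: the chain must terminate at one of OUR trusted roots.
                X509Certificate2 root = elements.Last();
                bool rootTrusted = trustedRoots.Any(r => r.Thumbprint == root.Thumbprint);
                if (!rootTrusted)
                    break;

                found.Add(elements);

                // Retire the CA certificates this chain used and look for another path.
                var used = new HashSet<string>(elements.Skip(1).Select(c => c.Thumbprint));
                int removed = pool.RemoveAll(c => used.Contains(c.Thumbprint));
                if (removed == 0)
                    break; // nothing consumed from our pool (e.g. self-signed leaf); avoid looping
            }
        }
        return found;
    }

    // Hypothetical helper: treats Subject == Issuer as self-signed. A stricter check would
    // verify the certificate's signature with its own public key.
    static bool IsSelfSigned(X509Certificate2 c) => c.Subject == c.Issuer;
}
```

Note that on Windows X509Chain still consults the machine certificate stores while building, so this is not an exact equivalent of SecureBlackbox with UseSystemStorages = false; the root-thumbprint check is what keeps the result bound to the caller's CA list regardless of what the system stores contain.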
Posted: 01/27/2016 06:27:24
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

Technical Support is provided to customers with the linked Support Access Ticket. You will find your Support Access Ticket together with all the details about how to use it in the registration e-mail that we’ve sent to you upon the purchase. The procedure of linking the Support Access Ticket is described in the registration e-mail as well.

I am afraid that without the Support Access Ticket linked we won't be able to assist you. Thank you for understanding.
Posted: 01/27/2016 06:36:13
I have a trial version now but also a purchased version, but I don't have access to the registration email of the last one.
Can I simply create a ticket from my "trial account"?
Posted: 01/27/2016 06:57:36
by Ken Ivanov (Team)


May I please ask you to create a support ticket in our Helpdesk system and provide some details of the license you have there (such as your license key, the licensee name or an e-mail address that was used to purchase the license - simply anything that might help to establish your licensing circumstances)?

Please do not post this information here - this is a public forum and you don't want your private details to be available for third parties.

Thanks in advance.

Posted: 01/27/2016 07:04:17
Yes of course.
Which category should I choose?
Posted: 01/27/2016 07:22:35
by Ken Ivanov (Team)

Thank you - I believe 'Sales: ordered license has not been received' will do.
Posted: 01/27/2016 07:35:05
Ok. Done.
Posted: 01/27/2016 07:53:23
Should I also create a ticket for this topic?
Posted: 01/27/2016 08:00:47
by Ken Ivanov (Team)

Not yet - someone will answer you here, shortly after your license question is clarified. You don't need to take any further actions for now. Sorry for making you wait.
Posted: 01/28/2016 04:53:38
Ok. Done.