Custom conditions in chain verification process

Posted: 01/28/2016 05:25:40
by Vsevolod Ievgiienko (Team)


1/ How to properly use library to validate certificate

Your code is correct if you do not need to check revocation information (CRLs, OCSP) for the validated chain.

2/ Can I specify conditions to build a chain and, if so, how to do that?

You can use TElMemoryCertStorage.Chains property to extract individual chains from a storage.

If I remove the found chain certs, I receive one more valid chain.

Not sure I understand how that could happen. Each certificate has only one parent certificate. It's possible that you have multiple certificates with the same subject names in the same storage and X509Chain doesn't check the signatures.

So can I force the engine to search for a valid chain until it finds one?

You can extract a valid chain using TElMemoryCertStorage.Chains property and add only certificates from this chain to the validator.
Posted: 01/28/2016 05:51:55
by Ken Ivanov (Team)

Hi Marcin,

Thank you.

So let's clarify the issue first of all. As far as I understood you, the certificate you want to check is a part of more than one chain (e.g. CRT -> CA1 -> CA2 -> ROOT1, and CRT -> CA1 -> CA3 -> CA4 -> ROOT2), and you want SecureBlackbox to pick a specific chain when validating it.

This kind of trust relation is called cross-certification, and this is not supported natively in the current SecureBlackbox revision. TElX509CertificateValidator in its current form always takes the first applicable CA certificate when building the chain, ignoring the rest of the matching CAs. However, the cross-certification functionality itself is planned as a new feature for SecureBlackbox 15; it has already been implemented and is going to be released this coming Spring.

In the meantime, you can use the following approach to validate chains containing cross-certified certificates. This will put a certain coding burden on you, but unfortunately this is the only way to manage that:

I. Build all possible chains for the certificate being checked.

1. Create an ArrayList object where you will keep the chains. We will store each chain in its own TElMemoryCertStorage object.

2. Create the first chain object (TElMemoryCertStorage) and add your end-entity certificate to it. Add the storage to the ArrayList.

3. While true do

3.1. Iterate over all chain objects in ArrayList. Let Chain[I] = ArrayList[I].

3.2. Search for all issuers of the last certificate in the Chain[I]. For each issuer found:

- create a duplicate of Chain[I];
- add the issuer to the cloned chain;
- add the cloned and extended chain to ArrayList.

3.3. If any issuers were found on step 3.2, remove Chain[I] from ArrayList (basically, we are replacing an incomplete chain with an appropriate number of more complete chains).

3.4. If no chains were extended on steps 3.2-3.3 (which means that either all chains reached their root certificates, or some chains can't be extended due to missing CA certificates), exit the 'while true' loop.

After completing the algorithm your ArrayList contains all possible chains for your certificate.

Note that the algorithm is not that optimal (in most cases there is no need to remove the chain from the list and add another chain in place of it on step 3.2), but I sacrificed efficiency for clarity.

II. Validate each chain individually and come up with some cumulative decision on certificate validity - you will need to resolve conflicts if some chains validate OK and the others don't.

As I said above, all this is already implemented and will be available in SBB 15. So if you have a reasonable amount of time for your project, you might consider waiting for SBB 15 and obtaining this functionality out of the box. If you need the solution faster, we may discuss that privately and maybe come up with some offer suitable for you.
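The chain-building algorithm (part I) and the per-chain decision (part II) described above, as an added example that is not code from the post or from SecureBlackbox: certificates are modelled as plain (subject, issuer) records instead of TElX509Certificate, a Python list of lists stands in for the ArrayList of TElMemoryCertStorage objects, and the sample storage is constructed to reproduce the two chains named in the post. The `not in chain` guard and the "accept if any chain reaches a trusted root" policy are assumptions added here, not part of the post's steps.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for TElX509Certificate: only the two names matter here."""
    subject: str
    issuer: str

def is_root(cert):
    return cert.subject == cert.issuer    # self-signed: a chain ends here (step 3.4)

def issuers_of(cert, storage):
    # Step 3.2: every stored cert whose subject names this cert's issuer.
    # Name matching only, as the post notes for X509Chain; no signature check.
    return [c for c in storage if c.subject == cert.issuer]

def build_all_chains(end_entity, storage):
    chains = [[end_entity]]                       # steps 1-2
    while True:                                   # step 3
        extended, next_round = False, []
        for chain in chains:                      # step 3.1
            last = chain[-1]
            # 'not in chain' is an addition to the post's algorithm: it stops
            # mutually cross-certified CAs from extending the chain forever.
            found = [] if is_root(last) else [c for c in issuers_of(last, storage) if c not in chain]
            if found:                             # step 3.3: replace with extended clones
                extended = True
                next_round.extend(chain + [issuer] for issuer in found)
            else:                                 # root reached or issuer missing: keep
                next_round.append(chain)
        chains = next_round
        if not extended:                          # step 3.4
            return chains

def decide(chains, trusted_roots):
    # Part II: validate each chain on its own, then combine. Policy assumed here:
    # accept the certificate if at least one chain ends at a trusted root.
    valid = [c for c in chains if is_root(c[-1]) and c[-1].subject in trusted_roots]
    return bool(valid), valid

# Constructed storage reproducing the post's two chains: CRT -> CA1 -> CA2 -> ROOT1
# and CRT -> CA1 -> CA3 -> CA4 -> ROOT2 (CA1 is cross-certified by CA2 and by CA3).
END_ENTITY = Cert("CRT", "CA1")
SAMPLE_STORAGE = [END_ENTITY, Cert("CA1", "CA2"), Cert("CA1", "CA3"), Cert("CA2", "ROOT1"),
                  Cert("CA3", "CA4"), Cert("CA4", "ROOT2"), Cert("ROOT1", "ROOT1"), Cert("ROOT2", "ROOT2")]

if __name__ == "__main__":
    for chain in build_all_chains(END_ENTITY, SAMPLE_STORAGE):
        print(" -> ".join(c.subject for c in chain))
```

A chain whose CA certificate is missing from the storage stays in the result as an incomplete chain, and `decide` rejects it because it does not end at a trusted root.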

Posted: 01/29/2016 05:28:15
by Marcin  (Standard support level)
Joined: 01/26/2016
Posts: 14

I have one more problem.
When I verify my CRT against a CA list and remove one important cert of the chain from this list, exactly the Trusted Root CA, then the method TElX509CertificateValidator.Validate fails, I mean it does not respond for more than 10 min.
I can give you more details; just tell me what you need.
Posted: 01/29/2016 05:44:00
by Marcin  (Standard support level)
Joined: 01/26/2016
Posts: 14

To simplify that, I found 2 such certificates that cause the method TElX509CertificateValidator.Validate(..) not to respond in a finite time.
Posted: 01/29/2016 06:20:42
by Ken Ivanov (Team)


Does the component eventually unfreeze and return some results, or does it hang infinitely so that you are forced to shut the application down?

If it's the former, then the best place to start is to check the TElX509CertificateValidator's log for the problematic chain(s). The log can be read after validation terminates from the TElX509CertificateValidator.InternalLogger.Log.Text variable.

Posted: 01/29/2016 07:14:00
by Marcin  (Standard support level)
Joined: 01/26/2016
Posts: 14

I have to stop the application manually because the method does not "respond" (return) after invocation, so I cannot access the TElX509CertificateValidator.InternalLogger.Log object.
Posted: 01/29/2016 08:07:00
by Marcin  (Standard support level)
Joined: 01/26/2016
Posts: 14

Besides I do not see property
even this
I have this version of library:
Posted: 01/29/2016 08:13:20
by Eugene Mayevski (Team)

Your version of SecureBlackbox is quite dated and doesn't include those properties. We suggest that you use SecureBlackbox 14 and test your problem on your side with that version. It is very likely that the problem will go away with the new version.

Sincerely yours
Eugene Mayevski
Posted: 01/29/2016 08:37:08
by Marcin  (Standard support level)
Joined: 01/26/2016
Posts: 14

I downloaded that version but:
1/ I need the .NET 4.0 implementation. So which version of your library should I choose?
2/ When I reference MONO_40\SecureBlackbox.dll, my key is wrong.
So should I buy a new licence for SecureBlackBox version 14?
Posted: 01/29/2016 08:43:11
by Eugene Mayevski (Team)

It should be NET_40, not Mono.

Yes, an upgrade is required. You can use the evaluation license, found in LicenseKey.txt file, for tests. I have created a helpdesk ticket for you where I will provide the details about possible upgrade.

Sincerely yours
Eugene Mayevski
