EldoS | Feel safer!

Software components for data protection, secure storage and transfer

cert chain (ref_howto_pki_certstg_build.html)

#36564
Posted: 04/24/2016 05:47:01
by Luis Pardo (Basic support level)
Joined: 03/23/2016
Posts: 17

Quote
Note that some certificate chains are not complete and include only the end-entity certificate and its issuer certificate. This may happen when the rest of the chain is supposed to be known to the recipient. For example, if Thawte certificates are included in the Windows certificate storage by default, there's no need to include them in every certificate chain where these certificates are used.


Can I get a certificate chain that always includes all certificates?
#36565
Posted: 04/24/2016 09:48:07
by Eugene Mayevski (EldoS Corp.)

Unfortunately, your question is not clear. The quoted text says that in some cases you must deal with incomplete chains (and complete them yourself). In this case you must build a chain yourself. For example, when you connect to a web server and it presents only an end-entity certificate, you are supposed to build a chain suitable for validating that certificate.


Sincerely yours
Eugene Mayevski
#36566
Posted: 04/24/2016 10:34:16
by Luis Pardo (Basic support level)
Joined: 03/23/2016
Posts: 17

Ok, I have tried to get a chain for a user certificate this way:

Code
// Windows certificate storage created with no system stores added and without Open()
TElWinCertStorage WinCertStorage2(NULL);
// Build the chain for 'cert' from that storage; 'true' makes the chain own the returned list
TElX509CertificateChain *chain = new TElX509CertificateChain(WinCertStorage2.BuildChain(cert), true);


So, if I understand you well, I have to check the Complete property, and if this property is false, I would have to complete the chain by myself (I think I could use TElCustomCertStorage.GetIssuerCertificate). But, in this example, if I check the Complete property I get false, although I find the root certificate in the chain. Am I doing something wrong, or do I have to check each certificate in the chain to be sure that I get a self-signed certificate?

Thanks
Luis
#36567
Posted: 04/25/2016 07:14:31
by Eugene Mayevski (EldoS Corp.)

I think it will be easier to answer your question if you describe the task that you want to accomplish (building a chain is not a task, but a step in achieving the goal).


Sincerely yours
Eugene Mayevski
#36569
Posted: 04/25/2016 13:44:34
by Luis Pardo (Basic support level)
Joined: 03/23/2016
Posts: 17

I will try to explain the task my company has asked me to do. I am evaluating the EldoS library to replace our Java applet with another, non-Java client. This client has some functions; one of them generates an XAdES signature of a file and sends this signature and the signing certificate chain (full path including the root CA cert) to a server (this server expects this full path to do the verification). We can't easily change the server-side code, so I have to evaluate how many of the client functions could be implemented with the EldoS library without any change, and how many functions need changes in the server operation. For this job I am reading the online docs and, sometimes, writing some code snippets to test how the applet functions could be implemented with EldoS.

Best Regards
Luis
#36570
Posted: 04/25/2016 14:03:48
by Eugene Mayevski (EldoS Corp.)

Thank you very much for the explanation.

So basically what you need to do is build a certificate chain.

This task is not very trivial, because solving it depends on where various certificates in the chain are located. In the simplest cases you have all certificates in Windows Certificate Storage, and then a simple call can build the complete chain.

To properly use Windows Certificate Storage you would need to initialize it right:

Code
TElWinCertStorage *Storage = new TElWinCertStorage(NULL);
// Intermediate CA certificates live in the "CA" system store, trusted roots in "ROOT";
// both must be attached before the storage is opened, or BuildChain cannot find issuers there
Storage->SystemStores.Add("CA");
Storage->SystemStores.Add("ROOT");
Storage->Open();
// Walk from 'cert' up through its issuers; 'true' makes the chain own the returned list
TElX509CertificateChain *chain = new TElX509CertificateChain(Storage->BuildChain(cert), true);


In more complex cases you might need to look up CA certificates in multiple places and add them one by one to an instance of the TElMemoryCertStorage class. You can do the lookup in a variety of ways, which I won't comment on now.


Sincerely yours
Eugene Mayevski
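The two points the thread turns on are (a) that finding a root certificate somewhere in the result does not by itself make a chain complete, and (b) that completing a chain means looking up each issuer in one or more stores until a self-signed certificate is reached. The script below is an added example, not EldoS/SecureBlackbox code and not from any poster; it reproduces that procedure with the openssl command line (1.1.1 or later assumed) over a constructed three-level test PKI. The directories ca_store and root_store are stand-ins for the Windows "CA" and "ROOT" stores in the snippet above; the certificate names and file names are invented for the example.

```shell
#!/bin/sh
# Added example (not EldoS code). Requires the openssl CLI (1.1.1+).
# Constructs a test PKI, then builds a leaf-first chain by issuer lookup
# across one or more "stores" and reports whether it ends at a self-signed root.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# --- constructed test PKI: root CA -> issuing CA -> end-entity ---------------
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > root.ext
openssl x509 -req -sha256 -days 3650 -in root.csr -signkey root.key \
  -extfile root.ext -out root.pem 2>/dev/null

openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test Issuing CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
  'keyUsage=critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > inter.ext
openssl x509 -req -sha256 -days 1825 -in inter.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile inter.ext -out inter.pem 2>/dev/null

# End-entity (signing) certificate, the "user certificate" of the thread.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Signer" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
printf '%s\n' 'basicConstraints=CA:FALSE' \
  'keyUsage=critical,digitalSignature,nonRepudiation' \
  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > leaf.ext
openssl x509 -req -sha256 -days 365 -in leaf.csr -CA inter.pem -CAkey inter.key \
  -CAcreateserial -extfile leaf.ext -out leaf.pem 2>/dev/null

# Stand-ins for the Windows "CA" and "ROOT" system stores.
mkdir -p ca_store root_store
cp inter.pem ca_store/
cp root.pem root_store/

# --- helpers -----------------------------------------------------------------
# A chain ends at a self-signed certificate: issuer name equals subject name.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$1" -noout -subject_hash)" ]
}

# Number of PEM certificates in a file.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Validate a leaf ($1) against trusted roots ($2) plus an optional
# untrusted intermediate file ($3). Fails when the path cannot be built.
verify_leaf() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# build_chain LEAF OUT STORE... : walk issuers of LEAF through the given store
# directories, writing the leaf-first chain to OUT. A candidate is accepted only
# if its subject matches the current issuer name AND it actually signed the
# current certificate (openssl verify -partial_chain). Prints "complete" when
# the walk reaches a self-signed certificate, "incomplete" otherwise.
build_chain() {
  current=$1; out=$2; shift 2
  cp "$current" "$out"
  depth=0
  while ! is_self_signed "$current"; do
    want=$(openssl x509 -in "$current" -noout -issuer_hash)
    found=
    for store in "$@"; do
      for cand in "$store"/*.pem; do
        [ -f "$cand" ] || continue
        [ "$(openssl x509 -in "$cand" -noout -subject_hash)" = "$want" ] || continue
        openssl verify -partial_chain -CAfile "$cand" "$current" >/dev/null 2>&1 || continue
        found=$cand; break 2
      done
    done
    if [ -z "$found" ]; then echo incomplete; return 0; fi
    cat "$found" >> "$out"
    current=$found
    depth=$((depth + 1))
    [ "$depth" -le 10 ] || { echo incomplete; return 0; }   # guard against loops
  done
  echo complete
}

# With both stores the walk reaches the root: leaf -> issuing CA -> root (3 certs).
echo "CA+ROOT: $(build_chain leaf.pem full.pem ca_store root_store), $(count_certs full.pem) certificates"
# With only the root store the issuing CA cannot be found, so the chain stops at
# the leaf even though the root is available: incomplete, 1 certificate.
echo "ROOT only: $(build_chain leaf.pem partial.pem root_store), $(count_certs partial.pem) certificates"
```

full.pem is the leaf-first path a server that "expects the full path including the root CA cert" can consume as-is. The second run is the situation from the thread: a root being present somewhere is not enough; the chain is complete only when every link up to the self-signed certificate has been found and each signature checked, which is why the storage has to be opened with the store that holds the intermediates before building.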



As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
