Certificate Validation

#4275
Posted: 11/09/2007 11:43:34
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Reading ETSI TS 101 903 one more time, on page 90 I found that in this case the certificate present in KeyInfo should be checked against the references of signingCertificate.
The check should include these 3 tasks:
verify the issuer name (distinguished name)
verify both serial numbers
verify the DigestValue

The problem with the digest property lookup is resolved: I need to set lookUp.CertificateHashAlgorithm, but I can't discover how to pass the string to an SBConstant algorithm.

I can't discover how to set lookup.issuerRDN either...
#4276
Posted: 11/09/2007 15:22:35
by Dmytro Bogatskyy (EldoS Corp.)

Quote
If I only add serialnumber to the criteria or set options for ExactMatch only, it returns an index. But when searching for serialnumber and CertHash it returns -1.

Add the following line:
lookUp.CertificateHashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA1; // for sha1 digest
Quote
verify the issuer name (distinguished name)

Yes, you should include this in the lookup.
Quote
When validating the certificates from bottom to top, on the first call of the memCertStorage.Validate(cert, ref reason, date) method, the date should be the signingTime present in the Object element, right?
When validating an issuer certificate, should the date be the "valid from" date of the child certificate?

I think the correct way is for you to pass the current time "DateTime.Now.ToUniversalTime()" or the SigningTime for all certificates. So you'll find out if they are valid now or at the moment of signing. Maybe check for both times.
#4277
Posted: 11/09/2007 15:25:54
by Dmytro Bogatskyy (EldoS Corp.)

Quote
I can't discover how to set lookup.issuerRDN either...

Use the Assign method: lookUp.IssuerRDN.Assign(cert.IssuerRDN)
#4320
Posted: 11/14/2007 10:36:39
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Hi,

I added the lookUp.IssuerRDN.Assign and the SBCustomCertStorage.Unit.lcIssuer to the criteria.

If I remove issuer from the criteria I find the certificate in memoryStorage,
but if I add issuer to the criteria the search returns -1.

I compared the certificate info in signingcertificate and the correct certificate in memorystorage, and the only difference is in Non-public Members->FTags: one has the values set to 12 and the other to 19.

Why does this occur?
#4322
Posted: 11/14/2007 14:05:01
by Dmytro Bogatskyy (EldoS Corp.)

Quote
I compared the certificate info in signingcertificate and the correct certificate in memorystorage, and the only difference is in Non-public Members->FTags: one has the values set to 12 and the other to 19.
Why does this occur?

Sorry for pointing you in the wrong direction. TElCertificateLookup currently supports only exact matching of tag and value.
In your case, you have the following tags:
12 - UTF8 string ASN.1 tag
19 - printable string ASN.1 tag (latin characters)
It means that your certificate has the issuer RDN value as a printable string, but the issuer RDN value loaded from the XML was set to UTF8 (there is no way to find out the real ASN.1 tag used in the certificate).
At the moment you will need to compare these values manually; there is no public method that can do this in such a way.
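The three checks listed in #4275 (issuer DN, serial number, digest value) and the "compare the values manually" advice in #4322, as an added example that is not EldoS/SecureBlackbox code. It uses only the Python standard library; the certificate is represented by what a certificate object exposes (DER bytes, serial number, issuer RDN), and the RDN keeps the ASN.1 string tag of each value so the tag-exact comparison (UTF8String = 12 vs PrintableString = 19) can be shown failing while the value comparison succeeds. The DER bytes, the sample certificate and the SigningCertificate fragment built from it are constructed placeholders; the issuer name and serial number are the ones quoted later in the thread.

```python
"""Added example (not EldoS/SecureBlackbox code): XAdES SigningCertificate checks
against the certificate from KeyInfo, with a tag-agnostic issuer RDN comparison."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Tuple

XADES_NS = "http://uri.etsi.org/01903/v1.3.2#"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xades": XADES_NS, "ds": DS_NS}

SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"
DIGEST_ALGS = {SHA1_URI: hashlib.sha1,
               "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}

ASN1_UTF8STRING = 12        # tag 12 from the thread
ASN1_PRINTABLESTRING = 19   # tag 19 from the thread


@dataclass(frozen=True)
class RdnAttribute:
    type_name: str   # e.g. "CN"
    value: str
    asn1_tag: int    # ASN.1 string tag the value was encoded with


@dataclass
class Certificate:
    der: bytes
    serial: int
    issuer_rdn: Tuple[RdnAttribute, ...]


def rdn_equal_exact(a, b):
    """Tag-and-value comparison: the exact matching the thread says the lookup does."""
    return tuple(a) == tuple(b)


def rdn_equal_by_value(a, b):
    """Manual comparison: same attribute types and values, ASN.1 string tag ignored."""
    return [(x.type_name, x.value) for x in a] == [(x.type_name, x.value) for x in b]


def parse_rdn_from_x509_issuer_name(text, default_tag=ASN1_UTF8STRING):
    """Parse 'C=PT, O=ROOT, CN=ROOT' into attributes. The XML string carries no ASN.1
    tag, so every value gets the default tag, as the thread describes."""
    attrs = []
    for part in text.split(","):
        name, _, value = part.strip().partition("=")
        attrs.append(RdnAttribute(name.strip(), value.strip(), default_tag))
    return tuple(attrs)


def check_signing_certificate(signing_cert_xml: str, cert: Certificate) -> dict:
    """Run the issuer / serial / digest checks and report each result separately."""
    root = ET.fromstring(signing_cert_xml)
    cert_el = root.find("xades:Cert", NS)
    digest_method = cert_el.find("xades:CertDigest/ds:DigestMethod", NS).get("Algorithm")
    digest_value = cert_el.find("xades:CertDigest/ds:DigestValue", NS).text.strip()
    issuer_name = cert_el.find("xades:IssuerSerial/ds:X509IssuerName", NS).text.strip()
    serial = int(cert_el.find("xades:IssuerSerial/ds:X509SerialNumber", NS).text.strip())

    hash_fn = DIGEST_ALGS[digest_method]          # KeyError for an unsupported algorithm
    expected_digest = base64.b64encode(hash_fn(cert.der).digest()).decode()
    xml_issuer = parse_rdn_from_x509_issuer_name(issuer_name)
    return {
        "issuer_exact": rdn_equal_exact(xml_issuer, cert.issuer_rdn),
        "issuer_by_value": rdn_equal_by_value(xml_issuer, cert.issuer_rdn),
        "serial": serial == cert.serial,
        "digest": expected_digest == digest_value,
    }


# Constructed sample input: placeholder bytes stand in for a real DER certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"placeholder-der-not-a-real-certificate" * 4
SAMPLE_CERT = Certificate(
    der=SAMPLE_DER,
    serial=8949253169487676052,
    issuer_rdn=tuple(RdnAttribute(t, v, ASN1_PRINTABLESTRING) for t, v in
                     [("C", "PT"), ("ST", "Lisboa"), ("L", "Lisboa"),
                      ("O", "CAZonaCentro"), ("OU", "CAZonaCentro"), ("CN", "CAZonaCentro")]),
)


def sample_signing_certificate_xml(cert: Certificate, serial_override=None) -> str:
    """Build a constructed xades:SigningCertificate fragment describing `cert`."""
    digest = base64.b64encode(hashlib.sha1(cert.der).digest()).decode()
    issuer = ", ".join(f"{a.type_name}={a.value}" for a in cert.issuer_rdn)
    serial = cert.serial if serial_override is None else serial_override
    return f"""<xades:SigningCertificate xmlns:xades="{XADES_NS}" xmlns:ds="{DS_NS}">
  <xades:Cert>
    <xades:CertDigest>
      <ds:DigestMethod Algorithm="{SHA1_URI}"/>
      <ds:DigestValue>{digest}</ds:DigestValue>
    </xades:CertDigest>
    <xades:IssuerSerial>
      <ds:X509IssuerName>{issuer}</ds:X509IssuerName>
      <ds:X509SerialNumber>{serial}</ds:X509SerialNumber>
    </xades:IssuerSerial>
  </xades:Cert>
</xades:SigningCertificate>"""


if __name__ == "__main__":
    print(check_signing_certificate(sample_signing_certificate_xml(SAMPLE_CERT), SAMPLE_CERT))
```

On the sample, `issuer_exact` is False (tag 12 vs 19) while `issuer_by_value`, `serial` and `digest` are True; all three value-level checks must pass before the KeyInfo certificate is accepted as the one the signer referenced.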
#4342
Posted: 11/16/2007 10:34:05
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

No problem, I compare the values manually.

I can't understand one thing relative to the ElXMLKeyInfoX509Data class.

The documentation refers:
Quote

The application can place a certificate or certificate chain together with the signed data according to the following:

1. If CertStorage is not set, Certificate points to the certificate to be used for signing.
2. If CertStorage is set and Certificate is set, the certificate to be used for signing is searched using the signature algorithm
3. If CertStorage is set and Certificate refers to one of CertStorage certificates, the certificate chain is built starting from Certificate


This is my interpretation:

1 - If only the certificate is present, this is the certificate used for signing and it will be used for verifying the signature.

2 and 3 mean the same to me. Both are set. What is the difference between "refers" and "is set"?

Thanks

#4344
Posted: 11/16/2007 13:34:45
by Dmytro Bogatskyy (EldoS Corp.)

Rule 2 should be: ... Certificate is not set ...
Thank you for pointing this out.
#4356
Posted: 11/20/2007 11:10:50
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Quote
Bogatskyy wrote:
Rule 2 should be: ... Certificate is not set ...
Thank you for pointing this out.


No problem, that's my role.

I can't understand one procedure.
I am trying to implement a protocol that adds the signingCertificate element, adds the same certificate to Signer.KeyData.Certificate and the complete chain to Signer.KeyData.CertStorage.

Quote
If CertStorage is set and Certificate refers to one of CertStorage certificates, the certificate chain is built starting from Certificate


Code
X509KeyData = new TElXMLKeyInfoX509Data(false);
X509KeyData.Certificate = FCertificate;
// result is a CustomCertStorage that contains all the certificates from the chain used to sign, from the signing certificate to the root certificate
X509KeyData.CertStorage = result;
Signer.KeyData = X509KeyData;


On the signer side the result is Signer.KeyData.Certificate = SigningCertificate and Signer.KeyData.CertStorage.Count = 4, but the XML created only has 4 certificates (I suppose that's because the signing certificate is duplicated...)

Code
<KeyInfo>
    <KeyValue>
        <RSAKeyValue>
            <Modulus>
82RXP5R0L8A7whO+mQZF2QaIgEXP8Z7vdAmgYqC74aFTvnRPHY3+diq9BVAMEejW
eBggZOX8GAHOZBMFCadGPKPFtdJdH6yc6WS+MGCUMZycGNCqP6WYdh+0GFInDyRL
r4ZnsXCGNr1HdsDhVx75EEWTcatTPb55VVSbKVXsiZU=
            </Modulus>
            <Exponent>AQAB</Exponent>
        </RSAKeyValue>
    </KeyValue>
    <X509Data>
        <X509IssuerSerial>
            <X509IssuerName>C=PT, ST=Lisboa, L=Lisboa, O=CAZonaCentro, OU=CAZonaCentro, CN=CAZonaCentro</X509IssuerName>
            <X509SerialNumber>8949253169487676052</X509SerialNumber>
        </X509IssuerSerial>
        <X509IssuerSerial>
            <X509IssuerName>C=PT, ST=Portugal, L=Portugal, O=CAPortugal, OU=CAPortugal, CN=CAPortugal</X509IssuerName>
            <X509SerialNumber>0</X509SerialNumber>
        </X509IssuerSerial>
        <X509IssuerSerial>
            <X509IssuerName>C=PT, ST=Lisboa, L=Lisboa, O=ROOT, OU=ROOT, CN=ROOT</X509IssuerName>
            <X509SerialNumber>0</X509SerialNumber>
        </X509IssuerSerial>
        <X509IssuerSerial>
            <X509IssuerName>C=PT, ST=Lisboa, L=Lisboa, O=ROOT, OU=ROOT, CN=ROOT</X509IssuerName>
            <X509SerialNumber>0</X509SerialNumber>
        </X509IssuerSerial>
        <X509SubjectName>C=PT, ST=lx, L=lx, O=EmpresaY, OU=EmpresaY, CN=EmpresaY</X509SubjectName>
        <X509SubjectName>C=PT, ST=Lisboa, L=Lisboa, O=CAZonaCentro, OU=CAZonaCentro, CN=CAZonaCentro</X509SubjectName>
        <X509SubjectName>C=PT, ST=Portugal, L=Portugal, O=CAPortugal, OU=CAPortugal, CN=CAPortugal</X509SubjectName>
        <X509SubjectName>C=PT, ST=Lisboa, L=Lisboa, O=ROOT, OU=ROOT, CN=ROOT</X509SubjectName>
        <X509Certificate>....

On the verification side TElXMLKeyInfoX509Data.Certificate is null and TElXMLKeyInfoX509Data.CertStorage.Count = 3; it loses one intermediate certificate...

What am I doing wrong?
#4357
Posted: 11/20/2007 12:23:30
by Dmytro Bogatskyy (EldoS Corp.)

Quote
On the signer side the result is Signer.KeyData.Certificate = SigningCertificate and Signer.KeyData.CertStorage.Count = 4, but the XML created only has 4 certificates (I suppose that's because the signing certificate is duplicated...)

That's right.
Quote
On the verification side TElXMLKeyInfoX509Data.Certificate is null and TElXMLKeyInfoX509Data.CertStorage.Count = 3; it loses one intermediate certificate...

Does the X509Data element contain four X509Certificate elements?
Can you attach the signed XML?
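The question just asked (how many X509Certificate elements the X509Data really carries, and whether any of them is a duplicate) can be answered before the document is handed to a verifier. The following is an added example, not EldoS/SecureBlackbox code, using only the Python standard library: it counts the X509Certificate elements, deduplicates them by SHA-1 digest, and walks the X509SubjectName / X509IssuerSerial entries from leaf to root. It assumes the i-th X509SubjectName belongs with the i-th X509IssuerSerial in document order, which XMLDSig does not guarantee. The names and serials are the ones from the KeyInfo quoted above; the X509Certificate values are constructed placeholder blobs (one deliberately repeated), not real DER, so only their digests are used.

```python
"""Added example (not EldoS/SecureBlackbox code): inspect ds:X509Data of a KeyInfo,
count and deduplicate X509Certificate entries, and order the named chain."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS_NS}


def chain_order(pairs):
    """Order (subject, (issuer, serial)) pairs from leaf to root. The leaf is the
    subject no other entry names as its issuer; follow issuer links until a
    self-signed entry (subject == issuer) or a missing link."""
    by_subject = {subj: iss for subj, (iss, _) in pairs}
    issued_names = {iss for _, (iss, _) in pairs}
    leaves = [s for s in by_subject if s not in issued_names]
    if not leaves:
        return []
    chain, cur = [], leaves[0]
    while cur is not None and cur not in chain:
        chain.append(cur)
        nxt = by_subject.get(cur)
        cur = None if nxt == cur else nxt   # stop at a self-signed entry
    return chain


def inspect_x509_data(keyinfo_xml: str) -> dict:
    """Report element count, distinct count, duplicate digests and the named chain."""
    root = ET.fromstring(keyinfo_xml)
    x509 = root.find("ds:X509Data", NS)
    blobs = [base64.b64decode("".join(el.text.split()))
             for el in x509.findall("ds:X509Certificate", NS)]
    digests = [hashlib.sha1(b).hexdigest() for b in blobs]
    unique = list(dict.fromkeys(digests))   # preserves first-seen order
    subjects = [el.text.strip() for el in x509.findall("ds:X509SubjectName", NS)]
    issuers = [(isr.find("ds:X509IssuerName", NS).text.strip(),
                int(isr.find("ds:X509SerialNumber", NS).text.strip()))
               for isr in x509.findall("ds:X509IssuerSerial", NS)]
    pairs = list(zip(subjects, issuers))    # assumption: same document order
    return {
        "certificate_elements": len(blobs),
        "distinct_certificates": len(unique),
        "duplicate_digests": [d for d in unique if digests.count(d) > 1],
        "chain": chain_order(pairs),
    }


def _blob(label: str) -> str:
    # Constructed placeholder standing in for a base64-encoded DER certificate.
    return base64.b64encode(f"placeholder-der-{label}".encode()).decode()


# Constructed sample: names and serials as quoted in the thread, four certificate
# blobs of which the signing certificate's blob appears twice.
SAMPLE_KEYINFO = f"""<ds:KeyInfo xmlns:ds="{DS_NS}">
  <ds:X509Data>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>C=PT, ST=Lisboa, L=Lisboa, O=CAZonaCentro, OU=CAZonaCentro, CN=CAZonaCentro</ds:X509IssuerName>
      <ds:X509SerialNumber>8949253169487676052</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>C=PT, ST=Portugal, L=Portugal, O=CAPortugal, OU=CAPortugal, CN=CAPortugal</ds:X509IssuerName>
      <ds:X509SerialNumber>0</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>C=PT, ST=Lisboa, L=Lisboa, O=ROOT, OU=ROOT, CN=ROOT</ds:X509IssuerName>
      <ds:X509SerialNumber>0</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
    <ds:X509IssuerSerial>
      <ds:X509IssuerName>C=PT, ST=Lisboa, L=Lisboa, O=ROOT, OU=ROOT, CN=ROOT</ds:X509IssuerName>
      <ds:X509SerialNumber>0</ds:X509SerialNumber>
    </ds:X509IssuerSerial>
    <ds:X509SubjectName>C=PT, ST=lx, L=lx, O=EmpresaY, OU=EmpresaY, CN=EmpresaY</ds:X509SubjectName>
    <ds:X509SubjectName>C=PT, ST=Lisboa, L=Lisboa, O=CAZonaCentro, OU=CAZonaCentro, CN=CAZonaCentro</ds:X509SubjectName>
    <ds:X509SubjectName>C=PT, ST=Portugal, L=Portugal, O=CAPortugal, OU=CAPortugal, CN=CAPortugal</ds:X509SubjectName>
    <ds:X509SubjectName>C=PT, ST=Lisboa, L=Lisboa, O=ROOT, OU=ROOT, CN=ROOT</ds:X509SubjectName>
    <ds:X509Certificate>{_blob("EmpresaY")}</ds:X509Certificate>
    <ds:X509Certificate>{_blob("EmpresaY")}</ds:X509Certificate>
    <ds:X509Certificate>{_blob("CAZonaCentro")}</ds:X509Certificate>
    <ds:X509Certificate>{_blob("CAPortugal")}</ds:X509Certificate>
  </ds:X509Data>
</ds:KeyInfo>"""


if __name__ == "__main__":
    print(inspect_x509_data(SAMPLE_KEYINFO))
```

On the constructed sample the report shows 4 X509Certificate elements but only 3 distinct digests, while the names describe a 4-entry chain (EmpresaY, CAZonaCentro, CAPortugal, ROOT); a mismatch like this between the certificate count and the named chain is what to look for when a storage loaded from KeyInfo ends up one certificate short.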
#4358
Posted: 11/20/2007 12:30:05
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Yes, I am sending the signed XML as an attachment.

