Certificate Validation

#4436
Posted: 12/04/2007 13:45:09
by Dmytro Bogatskyy (EldoS Corp.)

Quote
it works, but it is SBXMLSec.Unit.ToCryptoBinary.

Yes, sure.
Quote
Stream m = webresponse.GetResponseStream();

The LoadFromStream method does not support reading from streams that "do not support seek operations".
So, read the data into a buffer and then pass it to the crl.LoadFromBuffer(...) method.
#4440
Posted: 12/05/2007 04:37:49
by Dmytro Bogatskyy (EldoS Corp.)

Quote
How can I know the OID for CN? I searched in some SB... libraries but didn't find any constant with its value...

SBUtils.Unit.SB_CERT_OID_COMMON_NAME
Quote
my idea is to get the value from both CNs and compare them, as I understand I should use ...IssuerRDN.GetValuesByOID(), right?

In general, you should check that all RDNs from the XML (issuerSerial element) exist in the certificate.
The next version will have the SBXMLSec.Unit.CompareRDNStringsNonstrict public method, which will do this check (it is also used by ElXMLCertIDList.HasCertificate).
#4455
Posted: 12/06/2007 11:30:30
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

humm

I am validating the certificates..

from the one used to sign up to the top-level certificate

for each certificate in the tree I call a method that receives the certificate, the memoryCertStorage and the date that the certificate was used.

this method uses:

Code
memCertStorage.Validate(cert, ref reason, time);


this validates the cert in memoryCertStorage, and updates the reason.
One of the reasons is "Certificate is revoked by Issuer", but if this method doesn't verify the CRL how can it return this reason?

after this I try to get the CRL referenced by the certificate and do:
Code
// crl is the CRL referenced by the certificate; look the certificate up in it
if ((crl.Count != 0) && (crl.IsPresent(cert)))
{
    index = crl.IndexOf(cert);

    return "Certificado Revogado: " + GetReason(crl.get_Items(index).Extensions.ReasonCode.Reason)
        + " (" + crl.get_Items(index).RevocationDate.ToString() + ")";
}

with this I get the reason why the cert was revoked (if it's present in the CRL)

I think that is missing the validation of the CRL, right?
There is the "crl.Validate(TElX509Certificate Certificate)", I suppose that I have to call this.
This certificate is the one used to sign the CRL, so I need to get the certificate from the call memoryCertStorage.GetIssuerCertificate(cert), right?

thanks
#4458
Posted: 12/06/2007 15:15:31
by Dmytro Bogatskyy (EldoS Corp.)

Quote
One of the reasons is "Certificate is revoked by Issuer", but if this method doesn't verify the CRL how can it return this reason?

The TElCustomCertStorage class has a CRL property. If CRL is not set, then the returned Reason value can't have the vrRevoked flag.
http://www.eldos.com/documentation/sb...eason.html
http://www.eldos.com/documentation/sb...p_crl.html
Quote
There is the "crl.Validate(TElX509Certificate Certificate)", I suppose that I have to call this.
This certificate is the one used to sign the CRL, so I need to get the certificate from the call memoryCertStorage.GetIssuerCertificate(cert), right?

Yes, that's right. You'll find out whether this CRL corresponds to the issuer certificate.
#4463
Posted: 12/10/2007 10:11:33
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

hi,

for each certificate in the certificate chain used to sign a file I use the following code:
Code
memCertStorage.CRL = new TElCertificateRevocationList();
memCertStorage.CRL.LoadFromBuffer(data);

// validate the CRL signature
int state = memCertStorage.CRL.Validate(memCertStorage.get_Certificates(memCertStorage.GetIssuerCertificate(cert)));

TSBCertificateValidity validity = memCertStorage.Validate(cert, ref reason, time);


The cert used has been revoked.

At the end of the first cycle the output is:

state stores "0", so the CRL is correctly signed by the issuer entity.
validity stores "cvInvalid" as was expected.
But reason has "34" as its value, which denotes:
"SB_CERT_VALIDITY_REASON_REVOKED = 2" correct
"SB_CERT_VALIDITY_REASON_UNKNOWN_CA = 32" don't know how it occurs because the IssuerCertificate exists and is in the ROOT storage.

thanks


#4467
Posted: 12/10/2007 14:53:07
by Dmytro Bogatskyy (EldoS Corp.)

Quote
"SB_CERT_VALIDITY_REASON_UNKNOWN_CA = 32" don't know how it occurs because the IssuerCertificate exists and is in the ROOT storage.

Is the CA certificate in memCertStorage? Because the Validate method won't check any other storage.
#4476
Posted: 12/11/2007 08:23:59
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Quote
Bogatskyy wrote:
Quote
"SB_CERT_VALIDITY_REASON_UNKNOWN_CA = 32" don't know how it occurs because the IssuerCertificate exists and is in the ROOT storage.

Is the CA certificate in memCertStorage? Because the Validate method won't check any other storage.


yes, because in

Code
int state = memCertStorage.CRL.Validate(memCertStorage.get_Certificates(memCertStorage.GetIssuerCertificate(cert)));


memCertStorage.GetIssuerCertificate(cert) returns "23" (the index of the Issuer Certificate, the CA certificate)

thanks
#4478
Posted: 12/11/2007 13:14:37
by Dmytro Bogatskyy (EldoS Corp.)

Please check what the following statements return:
TElX509Certificate CACert = memCertStorage.get_Certificates(memCertStorage.GetIssuerCertificate(cert));

Boolean b1 = SBMessages.Unit.CompareRDN(cert.IssuerRDN, CACert.SubjectRDN);
Boolean b2 = cert.ValidateWithCA(CACert);
#4479
Posted: 12/12/2007 07:49:04
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Quote
Bogatskyy wrote:
TElX509Certificate CACert = memCertStorage.get_Certificates(memCertStorage.GetIssuerCertificate(cert));

CACert stores the self signed certificate

Quote
Bogatskyy wrote:
Boolean b1 = SBMessages.Unit.CompareRDN(cert.IssuerRDN, CACert.SubjectRDN);

true

Quote
Bogatskyy wrote:
Boolean b2 = cert.ValidateWithCA(CACert);

true

#4480
Posted: 12/12/2007 08:39:39
by Dmytro Bogatskyy (EldoS Corp.)

Quote
...true

Ah, ok, I got it.
If the certificate is revoked, then no other check is performed. So the certificate is not validated against the CA certificate, because it is not necessary.
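The following is an added example, not code posted in this thread or shipped by EldoS. It pulls together the two practical points of the discussion: reading a CRL from a non-seekable web response into a buffer before calling LoadFromBuffer (post #4436), and the CRL-aware validation order worked out in posts #4455 through #4480 (attach the CRL to the storage that already holds the issuer certificate, verify the CRL signature against that issuer first, then interpret the Reason bitmask knowing that a revoked certificate stops further checks, so the UNKNOWN_CA bit can still be set). Only members named in the thread are relied on; the namespace names, the helper names, the assumption that GetIssuerCertificate and IndexOf return a negative index when nothing is found, and the cvOk enum member are my assumptions.

```csharp
using System;
using System.IO;
using System.Net;
using SBX509;               // TElX509Certificate, TSBCertificateValidity (assumed namespace)
using SBCustomCertStorage;  // TElMemoryCertStorage (assumed namespace)
using SBCRL;                // TElCertificateRevocationList (assumed namespace)

public static class CrlAwareValidation
{
    // Flag values as quoted in post #4463; the names are the ones used there.
    public const int SB_CERT_VALIDITY_REASON_REVOKED = 2;
    public const int SB_CERT_VALIDITY_REASON_UNKNOWN_CA = 32;

    // A web response stream is not seekable, so LoadFromStream cannot read it (post #4436).
    // Copy the body into a byte[] and feed that to LoadFromBuffer instead.
    public static byte[] DownloadCrl(string crlUrl)
    {
        WebRequest request = WebRequest.Create(crlUrl);
        using (WebResponse response = request.GetResponse())
        using (Stream body = response.GetResponseStream())
        using (MemoryStream buffer = new MemoryStream())
        {
            byte[] chunk = new byte[8192];
            int read;
            while ((read = body.Read(chunk, 0, chunk.Length)) > 0)
                buffer.Write(chunk, 0, read);
            return buffer.ToArray();
        }
    }

    // Checks one certificate of the chain at the moment it was used for signing.
    // 'storage' must already contain the issuer (CA) certificate: Validate looks
    // only in this storage, never in the system ROOT storage (post #4467).
    public static string CheckCertificate(TElMemoryCertStorage storage,
                                          TElX509Certificate cert,
                                          byte[] crlData,
                                          DateTime signingTime)
    {
        int issuerIndex = storage.GetIssuerCertificate(cert);
        if (issuerIndex < 0)                       // assumption: negative means "not found"
            return "issuer certificate is not in the storage";
        TElX509Certificate caCert = storage.get_Certificates(issuerIndex);

        // Load the CRL and verify its signature against the issuer BEFORE trusting its
        // contents; the thread treats a return value of 0 as "correctly signed".
        TElCertificateRevocationList crl = new TElCertificateRevocationList();
        crl.LoadFromBuffer(crlData);
        int crlState = crl.Validate(caCert);
        if (crlState != 0)
            return "CRL signature check failed, state " + crlState;

        // Only a CRL attached to the storage lets Validate report the revoked flag (post #4458).
        storage.CRL = crl;

        int reason = 0;
        TSBCertificateValidity validity = storage.Validate(cert, ref reason, signingTime);
        if (validity == TSBCertificateValidity.cvOk)   // cvOk assumed; thread shows cvInvalid
            return "valid";

        // Reason is a bitmask. When the revoked bit is set, Validate performs no further
        // checks (post #4480), so UNKNOWN_CA (32) may be reported alongside REVOKED (2)
        // even though the CA is present; do not read that as a missing issuer.
        if ((reason & SB_CERT_VALIDITY_REASON_REVOKED) != 0)
        {
            int idx = crl.IndexOf(cert);             // assumption: negative means "not listed"
            string when = idx >= 0
                ? crl.get_Items(idx).RevocationDate.ToString()
                : "revocation date not available";
            return "revoked (" + when + "), raw reason " + reason;
        }
        if ((reason & SB_CERT_VALIDITY_REASON_UNKNOWN_CA) != 0)
            return "invalid: issuer could not be validated, raw reason " + reason;
        return "invalid, raw reason " + reason;
    }
}
```

The order matters for security: attaching an unverified CRL to the storage would let any attacker-supplied list decide which certificates count as revoked, so the signature check against the issuer comes before `storage.CRL = crl`. Decoding `reason` with bit tests rather than comparing it to a single constant is what makes the value 34 seen in the thread intelligible as REVOKED plus UNKNOWN_CA.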