beldmit at cryptocom.ru
Mon Dec 19 01:44:12 PST 2005
On Sun, 18 Dec 2005, Aleksey Sanin wrote:
> Sorry for delay with response... Just too many things happen
> in the same time :(
> Anyway, I have some questions about the patch:
> 1) Do you have some specific problem you are trying to address
> with this patch? It seem like you do call xmlSecBuildChainUsingWinapi()
> function right before doing xmlsec cert verification. And in all
> my tests cases this function never returns "OK".
Yes, I do. I try to build chain when a signer certificate is present in
the signed file and the other are not. So existing code does not build
chain and my does.
> 2) In all the MSDN examples I can find, CertGetCertificateChain()
> function always has NULL for the "additional store" parameter and
> in the code you pass the trusted certificates handle. Are you sure
> that this is the correct way? Shouldn't it be untrusted certs or
> may be CRLs list instead?
I'm not sure in it. May be NULL should be passed always and possibly
there should be 2 calls, 1st with the trusted store and the 2nd with the
> 3) I don't see how CertGetCertificateChain() function handles CRLs
> that might have been passed to xmlsec.
CertGetCertificateChain seems not use CRL (accept already installed) at
all. So it's a problem my Winapi knowledge are not enough to solve.
SY, Dmitry Belyavsky (ICQ UIN 11116575)
More information about the xmlsec