[xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain

Dmitry Belyavsky beldmit at cryptocom.ru
Mon Dec 19 01:44:12 PST 2005


On Sun, 18 Dec 2005, Aleksey Sanin wrote:

> Sorry for delay with response... Just too many things happen
> in the same time :(
> Anyway, I have some questions about the patch:
> 1) Do you have some specific problem you are trying to address
> with this patch? It seem like you do call xmlSecBuildChainUsingWinapi()
> function right before doing xmlsec cert verification. And in all
> my tests cases this function never returns "OK".

Yes, I do. I try to build chain when a signer certificate is present in
the signed file and the other are not. So existing code does not build
chain and my does.

> 2) In all the MSDN examples I can find, CertGetCertificateChain()
> function always has NULL for the "additional store" parameter and
> in the code you pass the trusted certificates handle. Are you sure
> that this is the correct way? Shouldn't it be untrusted certs or
> may be CRLs list instead?

I'm not sure in it. May be NULL should be passed always and possibly
there should be 2 calls, 1st with the trusted store and the 2nd with the
untrusted one.

> 3) I don't see how CertGetCertificateChain() function handles CRLs
> that might have been passed to xmlsec.

CertGetCertificateChain seems not use CRL (accept already installed) at
all. So it's a problem my Winapi knowledge are not enough to solve.

Thank you!

SY, Dmitry Belyavsky (ICQ UIN 11116575)

More information about the xmlsec mailing list