[xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain

Edward Shallow ed.shallow at rogers.com
Mon Dec 19 07:50:15 PST 2005

As far as I know certificate chain verification and CRL checking are 2
distinct functions in the MS world. They are not even in the same library.

CRL checking is part of the Microsoft Crypto API (CAPI) and can be found in
crypt32.dll. The function in question is CertVerifyCRLRevocation and
requires a certificate context and a CRL context and compares one to the
other. The CRL context can be created from a CRL file or retrieved and

Presently I do not think xmlsec does either for mscrypto. For OpenSSL,
xmlSecOpenSSLX509StoreVerify in x509vfy.c does perform the check for the
issuer certificate (i.e. certificate chain verification) and one must
perform an xmlSecCryptoAppKeysMngrCertLoad in order to get the trusted
issuer certificate into the KeyMngr prior to the verify call to avoid an
"Unable to get local issuer certificate" error msg. 

Dmitry I understand is patching mscrypto to do the certificate chain
validation. Is this correct ?

I can't find where CRL checking is done. Is certificate verification against
a CRL the application's responsibility outside of xmlsec ?


-----Original Message-----
From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
Behalf Of Dmitry Belyavsky
Sent: December 19, 2005 4:44 AM
To: Aleksey Sanin
Cc: XMLSec
Subject: Re: [xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain


On Sun, 18 Dec 2005, Aleksey Sanin wrote:

> Sorry for delay with response... Just too many things happen in the 
> same time :(
> Anyway, I have some questions about the patch:
> 1) Do you have some specific problem you are trying to address with 
> this patch? It seem like you do call xmlSecBuildChainUsingWinapi() 
> function right before doing xmlsec cert verification. And in all my 
> tests cases this function never returns "OK".

Yes, I do. I try to build chain when a signer certificate is present in the
signed file and the other are not. So existing code does not build chain and
my does.

> 2) In all the MSDN examples I can find, CertGetCertificateChain() 
> function always has NULL for the "additional store" parameter and in 
> the code you pass the trusted certificates handle. Are you sure that 
> this is the correct way? Shouldn't it be untrusted certs or may be 
> CRLs list instead?

I'm not sure in it. May be NULL should be passed always and possibly there
should be 2 calls, 1st with the trusted store and the 2nd with the untrusted

> 3) I don't see how CertGetCertificateChain() function handles CRLs 
> that might have been passed to xmlsec.

CertGetCertificateChain seems not use CRL (accept already installed) at all.
So it's a problem my Winapi knowledge are not enough to solve.

Thank you!

SY, Dmitry Belyavsky (ICQ UIN 11116575)

xmlsec mailing list
xmlsec at aleksey.com

More information about the xmlsec mailing list