[xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain

Dmitry Belyavsky beldmit at cryptocom.ru
Mon Dec 19 08:09:30 PST 2005


Greetings!

On Mon, 19 Dec 2005, Edward Shallow wrote:

> Dmitry, I understand, is patching mscrypto to do the certificate chain
> validation. Is this correct?

Yes, you are right.
I suppose the machine where the signature is validated has an up-to-date
set of CRLs.

> I can't find where CRL checking is done. Is certificate verification against
> a CRL the application's responsibility outside of xmlsec ?

CertGetCertificateChain seems to be able to check revocation status.


> Ed
>
> -----Original Message-----
> From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
> Behalf Of Dmitry Belyavsky
> Sent: December 19, 2005 4:44 AM
> To: Aleksey Sanin
> Cc: XMLSec
> Subject: Re: [xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain
>
> Greetings!
>
> On Sun, 18 Dec 2005, Aleksey Sanin wrote:
>
> > Sorry for the delay in responding... Just too many things happening at the
> > same time :(
> >
> > Anyway, I have some questions about the patch:
> >
> > 1) Do you have some specific problem you are trying to address with
> > this patch? It seems like you do call xmlSecBuildChainUsingWinapi()
> > function right before doing xmlsec cert verification. And in all my
> > test cases this function never returns "OK".
>
> Yes, I do. I try to build a chain when the signer certificate is present in the
> signed file and the others are not. So the existing code does not build a chain
> and mine does.
>
> > 2) In all the MSDN examples I can find, CertGetCertificateChain()
> > function always has NULL for the "additional store" parameter and in
> > the code you pass the trusted certificates handle. Are you sure that
> > this is the correct way? Shouldn't it be untrusted certs or may be
> > CRLs list instead?
>
> I'm not sure about it. Maybe NULL should always be passed, and possibly there
> should be 2 calls, the 1st with the trusted store and the 2nd with the untrusted
> one.
>
> > 3) I don't see how CertGetCertificateChain() function handles CRLs
> > that might have been passed to xmlsec.
>
> CertGetCertificateChain seems not to use CRLs (except already installed ones) at
> all. So it's a problem my WinAPI knowledge is not enough to solve.
>
> Thank you!
>
> --
> SY, Dmitry Belyavsky (ICQ UIN 11116575)
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
>

-- 
SY, Dmitry Belyavsky (ICQ UIN 11116575)
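An added illustration of the two questions raised in the thread (the "additional store" parameter and where revocation is decided); this is example code written for this archive page, not xmlsec code and not Dmitry's patch. Two points a caller of CertGetCertificateChain() has to get right: the function returns TRUE even when the chain is revoked, incomplete or ends in an untrusted root, so the trust decision must be read from pChainContext->TrustStatus.dwErrorStatus; and revocation is only attempted when one of the CERT_CHAIN_REVOCATION_CHECK_* flags is passed, otherwise the status word simply never carries CERT_TRUST_IS_REVOKED. The verdict logic is plain C so it builds anywhere (the dwErrorStatus bit values are repeated from wincrypt.h for non-Windows builds); the wrapper at the bottom that performs the real call is compiled only on Windows. The wrapper puts untrusted intermediates taken from the document into hAdditionalStore, which MSDN documents as the store searched for supporting certificates; that CRLs loaded into the same store are consulted by the revocation provider is an assumption to verify against MSDN for the target platform. The status words in main() are constructed, not captured from a real chain.

```c
/*
 * Added example, not part of xmlsec: reading CertGetCertificateChain()
 * results.  The API returns TRUE for untrusted, revoked and partial chains;
 * the verdict is in pChainContext->TrustStatus.dwErrorStatus.
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else
/* dwErrorStatus bit values from wincrypt.h, repeated so the verdict logic
 * compiles on non-Windows hosts. */
#define CERT_TRUST_NO_ERROR                  0x00000000
#define CERT_TRUST_IS_NOT_TIME_VALID         0x00000001
#define CERT_TRUST_IS_REVOKED                0x00000004
#define CERT_TRUST_IS_NOT_SIGNATURE_VALID    0x00000008
#define CERT_TRUST_IS_UNTRUSTED_ROOT         0x00000020
#define CERT_TRUST_REVOCATION_STATUS_UNKNOWN 0x00000040
#define CERT_TRUST_IS_PARTIAL_CHAIN          0x00010000
#define CERT_TRUST_IS_OFFLINE_REVOCATION     0x01000000
#endif

enum chain_verdict {
    VERDICT_OK = 0,
    VERDICT_REVOKED,
    VERDICT_PARTIAL_CHAIN,
    VERDICT_UNTRUSTED_ROOT,
    VERDICT_REVOCATION_UNKNOWN,
    VERDICT_OTHER_ERROR
};

/* Map dwErrorStatus to a verdict.  require_revocation = 1 fails closed when
 * no revocation information was available (no current CRL on the machine);
 * 0 tolerates an unknown revocation status but still rejects a chain that
 * is positively revoked, incomplete or rooted in an untrusted CA. */
enum chain_verdict chain_status_verdict(unsigned long err, int require_revocation)
{
    const unsigned long rev_unknown =
        CERT_TRUST_REVOCATION_STATUS_UNKNOWN | CERT_TRUST_IS_OFFLINE_REVOCATION;

    if (err & CERT_TRUST_IS_REVOKED)                 return VERDICT_REVOKED;
    if (err & CERT_TRUST_IS_PARTIAL_CHAIN)           return VERDICT_PARTIAL_CHAIN;
    if (err & CERT_TRUST_IS_UNTRUSTED_ROOT)          return VERDICT_UNTRUSTED_ROOT;
    if ((err & rev_unknown) && require_revocation)   return VERDICT_REVOCATION_UNKNOWN;
    if (err & ~rev_unknown)                          return VERDICT_OTHER_ERROR;
    return VERDICT_OK;
}

const char *chain_verdict_name(enum chain_verdict v)
{
    switch (v) {
    case VERDICT_OK:                 return "ok";
    case VERDICT_REVOKED:            return "revoked";
    case VERDICT_PARTIAL_CHAIN:      return "partial chain (issuer not found)";
    case VERDICT_UNTRUSTED_ROOT:     return "untrusted root";
    case VERDICT_REVOCATION_UNKNOWN: return "revocation status unknown";
    default:                         return "other chain error";
    }
}

#ifdef _WIN32
/* Windows-only wrapper (hypothetical helper name).  'untrusted' holds the
 * intermediates carried in the signed document and any CRLs the application
 * loaded (assumption: the revocation provider consults CRLs in this store).
 * Trusted roots must live in the engine's root store; a root found only in
 * hAdditionalStore still yields CERT_TRUST_IS_UNTRUSTED_ROOT. */
enum chain_verdict verify_signer_chain(PCCERT_CONTEXT signer, HCERTSTORE untrusted,
                                       int require_revocation)
{
    CERT_CHAIN_PARA para;
    PCCERT_CHAIN_CONTEXT chain = NULL;
    DWORD flags = require_revocation ? CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT : 0;
    enum chain_verdict v;

    memset(&para, 0, sizeof(para));
    para.cbSize = sizeof(para);            /* no enhanced key usage restriction */

    if (!CertGetCertificateChain(NULL, signer, NULL, untrusted, &para, flags, NULL, &chain))
        return VERDICT_OTHER_ERROR;        /* API failure, not a trust decision */
    v = chain_status_verdict(chain->TrustStatus.dwErrorStatus, require_revocation);
    CertFreeCertificateChain(chain);
    return v;
}
#endif

int main(void)
{
    /* Constructed dwErrorStatus words, not output of a real chain build. */
    const unsigned long samples[] = {
        CERT_TRUST_NO_ERROR,
        CERT_TRUST_IS_PARTIAL_CHAIN,                  /* intermediates missing */
        CERT_TRUST_REVOCATION_STATUS_UNKNOWN | CERT_TRUST_IS_OFFLINE_REVOCATION,
        CERT_TRUST_IS_REVOKED | CERT_TRUST_IS_UNTRUSTED_ROOT
    };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("0x%08lx strict=%s lenient=%s\n", samples[i],
               chain_verdict_name(chain_status_verdict(samples[i], 1)),
               chain_verdict_name(chain_status_verdict(samples[i], 0)));
    return 0;
}
```

The lenient mode is the trade-off Dmitry's "up-to-date set of CRLs" assumption hides: without a CRL on the validating machine, CERT_CHAIN_REVOCATION_CHECK_* sets CERT_TRUST_REVOCATION_STATUS_UNKNOWN rather than CERT_TRUST_IS_REVOKED, so a caller who only tests for the revoked bit accepts such chains silently.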



