beldmit at cryptocom.ru
Mon Dec 19 08:09:30 PST 2005
On Mon, 19 Dec 2005, Edward Shallow wrote:
> Dmitry, I understand, is patching mscrypto to do the certificate chain
> validation. Is this correct?
Yes, you are right.
I suppose the machine where the signature is validated has an up-to-date
set of CRLs.
> I can't find where CRL checking is done. Is certificate verification against
> a CRL the application's responsibility outside of xmlsec ?
CertGetCertificateChain seems to be able to check revocation status.
> -----Original Message-----
> From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
> Behalf Of Dmitry Belyavsky
> Sent: December 19, 2005 4:44 AM
> To: Aleksey Sanin
> Cc: XMLSec
> Subject: Re: [xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain
> On Sun, 18 Dec 2005, Aleksey Sanin wrote:
> > Sorry for the delay with the response... Just too many things happening at the
> > same time :(
> > Anyway, I have some questions about the patch:
> > 1) Do you have some specific problem you are trying to address with
> > this patch? It seems like you do call the xmlSecBuildChainUsingWinapi()
> > function right before doing xmlsec cert verification. And in all my
> > test cases this function never returns "OK".
> Yes, I do. I try to build the chain when the signer certificate is present in the
> signed file and the others are not. So the existing code does not build the chain and
> mine does.
> > 2) In all the MSDN examples I can find, CertGetCertificateChain()
> > function always has NULL for the "additional store" parameter and in
> > the code you pass the trusted certificates handle. Are you sure that
> > this is the correct way? Shouldn't it be untrusted certs or may be
> > CRLs list instead?
> I'm not sure about it. Maybe NULL should be passed always and possibly there
> should be 2 calls, the 1st with the trusted store and the 2nd with the untrusted
> > 3) I don't see how CertGetCertificateChain() function handles CRLs
> > that might have been passed to xmlsec.
> CertGetCertificateChain seems not to use CRLs (except already installed ones) at all.
> So it's a problem my Winapi knowledge is not enough to solve.
> Thank you!
> SY, Dmitry Belyavsky (ICQ UIN 11116575)
> xmlsec mailing list
> xmlsec at aleksey.com
SY, Dmitry Belyavsky (ICQ UIN 11116575)
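The two open questions in the thread (what belongs in the "additional store" argument of CertGetCertificateChain, and whether it checks CRLs) can be seen directly from PowerShell, since .NET's X509Chain on Windows is a wrapper over that same CryptoAPI call and its ChainPolicy.ExtraStore is passed as the additional store. The script below is an added illustration, not code from the thread or from xmlsec; the file paths are assumptions.

```powershell
# Added example (not xmlsec code): verify a signer certificate's chain with the
# Windows chain engine. X509Chain.Build() calls CertGetCertificateChain; the
# ExtraStore becomes the "additional store" argument and should hold the
# untrusted intermediate CAs shipped with the signature, not the trusted roots.
# Trust anchors still come from the machine's Root store.
# Paths below are assumptions for illustration.
$signerCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\verify\signer.cer'
$intermediate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\verify\intermediate.cer'

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Helper (untrusted) certificates go into the extra store.
[void]$chain.ChainPolicy.ExtraStore.Add($intermediate)

# Revocation is only checked when requested. Offline = use CRLs already
# installed in the local stores (the "already installed" case from the thread);
# Online additionally lets the engine fetch CRLs from the distribution points.
$chain.ChainPolicy.RevocationMode     = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Offline
$chain.ChainPolicy.RevocationFlag     = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags  = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$ok = $chain.Build($signerCert)

if ($ok) {
    Write-Output 'Chain built and verified:'
    $chain.ChainElements | ForEach-Object { Write-Output ('  ' + $_.Certificate.Subject) }
} else {
    # Every non-empty status is a failure. RevocationStatusUnknown and
    # OfflineRevocation mean the CRL could not be consulted, which is not
    # the same as "not revoked" and must not be treated as success.
    Write-Output 'Chain verification FAILED:'
    $chain.ChainStatus | ForEach-Object {
        Write-Output ('  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim())
    }
}
```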