[xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain

Dmitry Belyavsky beldmit at cryptocom.ru
Tue Dec 20 11:17:00 PST 2005


Greetings!

On Tue, 20 Dec 2005, Aleksey Sanin wrote:

> I am probably missing something but I don't see how this patch
> solves the CRL issue. It seems to me that it does exactly
> the same thing as before.

No. There was an error in original patch - wrong flags in
CertGetCertificateChain() call caused ignorance of installed CRLs.

The other problem in the  previous version of the patch fixed in the
current version was the processing of some return values. If cert chain
status is CERT_TRUST_IS_NOT_TIME_VALID, CERT_TRUST_IS_NOT_TIME_NESTED,
CERT_TRUST_IS_REVOKED or CERT_TRUST_IS_NOT_SIGNATURE_VALID, we can
return FALSE - no new information is able to make chain correct.

> I would think that the right approach would be to modify
> xmlSecBuildChainUsingWinapi() function to return not the
> yes/no (error code) but the certificate it finds. Then
> the existing logic can be applied to this certificate
> "as-is". Then it might be a good idea to add to the
> xmlSecMSCryptoX509StoreConstructCertsChain() function
> extra code to check revocation list in the Windows storage
> (right now it does CRL check only for CRLs in the XML
> document itself). After making these two changes, the
> code would do both chain creation and CRL verification
> against both: certs/crls in the XML document and certs/crls
> in the MSCrypto storage.

I'm not sure it's necessary to check for CRL from XML document if valid
CRL is installed, though it's necessary to check for CRL from XML if
chain status is CERT_TRUST_REVOCATION_STATUS_UNKNOWN.

I like your idea and we try to implement it if time permits.

-- 
SY, Dmitry Belyavsky (ICQ UIN 11116575)



More information about the xmlsec mailing list