[xmlsec] Verify - OpenSSL vs mscrypto

Edward Shallow ed.shallow at rogers.com
Wed Jan 11 11:06:57 PST 2006


Dmitry,

I have not checked your latest patch, but to avoid my concern 2) below, can
you call CertCreateCertificateContext from the pbCertEncoded certificate
extracted from the signed document instead of expecting it to already be in
a store? This would avoid the need for the verifier to have the signer's
public certificate in any of their stores.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/certcreatecertificatecontext.asp

If you are not already doing this, is this possible?

Ed

-----Original Message-----
From: Edward Shallow [mailto:ed.shallow at rogers.com] 
Sent: January 11, 2006 1:16 PM
To: 'Dmitry Belyavsky'
Cc: 'xmlsec at aleksey.com'
Subject: RE: [xmlsec] Verify - OpenSSL vs mscrypto

Yes, I see what you are saying now. In my environment the store is called
"Other People".

So from a recipient as a verifier, 'MY' signing cert would be in his "Other
People" store. However, if the cert is in 'MY' as opposed to 'OtherPeople', it
should still work.

There are 2 concerns here:

1) the verifier may have to check multiple stores to find the signer's cert

2) why does the cert even have to be in "any" store if it is already
contained in the signed document?

In the case of OpenSSL all you need to verify the trust chain is the issuer's
or issuers' certs loaded into the KeysMngr. This makes sense. In mscrypto,
why can't we start the chain search from the signer's issuer extracted from
the cert in the signed document, and not from the signer itself?

There will be many situations where the recipient does not have the
signer's public cert in their store.

Ed


-----Original Message-----
From: Dmitry Belyavsky [mailto:beldmit at cryptocom.ru]
Sent: January 11, 2006 11:51 AM
To: Edward Shallow
Cc: xmlsec at aleksey.com
Subject: RE: [xmlsec] Verify - OpenSSL vs mscrypto

Greetings!

On Wed, 11 Jan 2006, Edward Shallow wrote:

> > Dmitry wrote ...
> >
> > Edward, when you verify the signature using your own certs ('MY' 
> > cert storage), the library doesn't verify the chain using my patch. To 
> > see that my patch really works you need to verify the signature from the 
> > other user's account with the signer's CA cert and CRL installed.

> I do not know what you mean by "the other user's account". All 
> personal certificates used by an individual are installed in the default
> 'MY' store.
> At verification time, the starting point for the get certificate chain 
> processing is from the cert context of the signer's cert no matter who 
> does that verification. In fact the signer's cert should not have to 
> be in the verifier's store at verify time. The first certificate to 
> chase in the chain should be the immediate issuer's certificate etc 
> ... What does "other user's account" mean ?

I mean the signature is verified more often with a user differing from the
signer. So the sender's certs are not placed in the "MY" store. In my copy of
Windows the store is known as "Trusted users", though my colleagues say its
correct name is "Addressbook".

--
SY, Dmitry Belyavsky (ICQ UIN 11116575)
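Ed's suggestion above (create the certificate context from the DER bytes embedded in the signed document) and the question of starting the chain search from that signer rather than from a store entry, as an added example that is not part of this thread or of xmlsec: it uses PowerShell 7 and .NET's X509Chain, which on Windows wraps CertGetCertificateChain, in place of the C mscrypto calls; the CA, the signer name and the serial number are constructed test data.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Constructed test data: a throwaway CA and a signer cert issued by it, both
# built in memory so the script runs anywhere. Names are invented.
$caKey = [RSA]::Create(2048)
$caReq = [CertificateRequest]::new("CN=Example Test CA", $caKey,
             [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$caReq.CertificateExtensions.Add(
    [X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$ca = $caReq.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1),
                              [DateTimeOffset]::UtcNow.AddDays(30))

$signerReq = [CertificateRequest]::new("CN=Example Signer", [RSA]::Create(2048),
                 [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$signerCert = $signerReq.Create($ca, [DateTimeOffset]::UtcNow.AddDays(-1),
                  [DateTimeOffset]::UtcNow.AddDays(10),
                  [byte[]](0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef))

# What a verifier actually holds: the base64 text of <ds:X509Certificate>
# (the DER bytes the thread calls pbCertEncoded) and the CA certs it trusts.
$x509DataBase64 = [Convert]::ToBase64String($signerCert.RawData)

function Test-EmbeddedSignerChain {
    param([string] $SignerBase64, [X509Certificate2[]] $TrustedIssuers)
    # Certificate context straight from the embedded DER bytes: no lookup in
    # MY, Other People or Address Book, so the store-name question goes away.
    $signer = [X509Certificate2]::new([Convert]::FromBase64String($SignerBase64))
    $chain = [X509Chain]::new()
    # Chain search starts at the signer and must end at one of these issuers,
    # the same role the issuer certs loaded into the xmlsec KeysMngr play.
    $chain.ChainPolicy.TrustMode = [X509ChainTrustMode]::CustomRootTrust
    $chain.ChainPolicy.CustomTrustStore.AddRange($TrustedIssuers)
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $ok = $chain.Build($signer)
    [pscustomobject]@{
        Valid    = $ok
        Subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Status   = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation })
    }
}

# Verifier trusts the CA only: the chain is built from the embedded signer cert.
Test-EmbeddedSignerChain -SignerBase64 $x509DataBase64 -TrustedIssuers @($ca)
# Same signer with no trusted issuer at all: the chain cannot be completed.
Test-EmbeddedSignerChain -SignerBase64 $x509DataBase64 -TrustedIssuers @()
```

On Windows, X509Chain.Build calls CertGetCertificateChain underneath, so the same pattern carries over to the C code: build the context with CertCreateCertificateContext from the decoded bytes and start the chain from it.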
