Greetings!

On Mon, 19 Dec 2005, Edward Shallow wrote:

> Dmitry I understand is patching mscrypto to do the certificate chain
> validation. Is this correct ?

Yes, you are right. I suppose the machine where the signature is validated
has an up-to-date set of CRLs.

> I can't find where CRL checking is done. Is certificate verification against
> a CRL the application's responsibility outside of xmlsec ?

CertGetCertificateChain seems to be able to check revocation status.

> Ed
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Dmitry Belyavsky
> Sent: December 19, 2005 4:44 AM
> To: Aleksey Sanin
> Cc: XMLSec
> Subject: Re: [xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain
>
> Greetings!
>
> On Sun, 18 Dec 2005, Aleksey Sanin wrote:
>
> > Sorry for the delay with the response... Just too many things happen at the
> > same time :(
> >
> > Anyway, I have some questions about the patch:
> >
> > 1) Do you have some specific problem you are trying to address with
> > this patch? It seems like you do call xmlSecBuildChainUsingWinapi()
> > function right before doing xmlsec cert verification. And in all my
> > test cases this function never returns "OK".
>
> Yes, I do. I try to build the chain when a signer certificate is present in the
> signed file and the others are not. So the existing code does not build the chain and
> mine does.
>
> > 2) In all the MSDN examples I can find, CertGetCertificateChain()
> > function always has NULL for the "additional store" parameter and in
> > the code you pass the trusted certificates handle. Are you sure that
> > this is the correct way? Shouldn't it be untrusted certs or maybe
> > CRLs list instead?
>
> I'm not sure about it. Maybe NULL should be passed always and possibly there
> should be 2 calls, 1st with the trusted store and the 2nd with the untrusted
> one.
>
> > 3) I don't see how CertGetCertificateChain() function handles CRLs
> > that might have been passed to xmlsec.
>
> CertGetCertificateChain seems not to use CRLs (except already installed ones) at all.
> So it's a problem my Winapi knowledge is not enough to solve.
>
> Thank you!
>
> --
> SY, Dmitry Belyavsky (ICQ UIN 11116575)
>
> _______________________________________________
> xmlsec mailing list
> [email protected]
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>

--
SY, Dmitry Belyavsky (ICQ UIN 11116575)

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
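As an added illustration, not code from this thread or from xmlsec's mscrypto backend, here is one way to arrange the CertGetCertificateChain() call under discussion so that the untrusted certificates from the signed document go in hAdditionalStore, CRL checking is requested through dwFlags, and an undeterminable revocation status is treated as a failure instead of being assumed away. The names xs_verify_signer and xs_chain_verdict are hypothetical; the CryptoAPI part compiles only on Windows, while the verdict logic is portable, and the note about CRLs in the additional store is an assumption to verify against the CryptoAPI documentation.

```c
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#endif
#include <string.h>

/* dwErrorStatus bits used here; values mirror wincrypt.h so this compiles off Windows too. */
#define XS_TRUST_IS_REVOKED                0x00000004ul
#define XS_TRUST_IS_UNTRUSTED_ROOT         0x00000020ul
#define XS_TRUST_REVOCATION_STATUS_UNKNOWN 0x00000040ul
#define XS_TRUST_IS_PARTIAL_CHAIN          0x00010000ul
#define XS_TRUST_IS_OFFLINE_REVOCATION     0x01000000ul

typedef enum { XS_CHAIN_OK, XS_CHAIN_REVOKED, XS_CHAIN_REVOCATION_UNKNOWN, XS_CHAIN_INVALID } xs_verdict;

/* Map the chain engine's error bits to a verdict. "Could not determine
 * revocation status" (missing or stale CRL, CDP unreachable) fails closed
 * unless the caller explicitly tolerates it: an up-to-date CRL set on the
 * validating machine is an assumption, not something the engine checks. */
xs_verdict xs_chain_verdict(unsigned long errorStatus, int tolerate_unknown_revocation)
{
    unsigned long unknown = XS_TRUST_REVOCATION_STATUS_UNKNOWN | XS_TRUST_IS_OFFLINE_REVOCATION;
    if (errorStatus & XS_TRUST_IS_REVOKED)
        return XS_CHAIN_REVOKED;
    if (errorStatus & (XS_TRUST_IS_UNTRUSTED_ROOT | XS_TRUST_IS_PARTIAL_CHAIN))
        return XS_CHAIN_INVALID;
    if ((errorStatus & unknown) && !tolerate_unknown_revocation)
        return XS_CHAIN_REVOCATION_UNKNOWN;
    return (errorStatus & ~unknown) == 0 ? XS_CHAIN_OK : XS_CHAIN_INVALID; /* any other bit: not valid */
}

#ifdef _WIN32
/* Chain the signer cert found in the signed document. hUntrusted holds the
 * intermediates taken from the document (and, by assumption, CRLs added with
 * CertAddCRLContextToStore); trust anchors come from the system root store. */
xs_verdict xs_verify_signer(PCCERT_CONTEXT pSigner, HCERTSTORE hUntrusted, int tolerate_unknown)
{
    CERT_CHAIN_PARA para;
    PCCERT_CHAIN_CONTEXT pChain = NULL;
    DWORD flags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT; /* CRL-check all but the root */
    xs_verdict v;
    memset(&para, 0, sizeof(para));
    para.cbSize = sizeof(para);
    if (!CertGetCertificateChain(NULL, pSigner, NULL, hUntrusted, &para, flags, NULL, &pChain))
        return XS_CHAIN_INVALID;
    v = xs_chain_verdict(pChain->TrustStatus.dwErrorStatus, tolerate_unknown);
    CertFreeCertificateChain(pChain);
    return v;
}
#endif
```

Passing the trusted store as hAdditionalStore would not make those certificates trust anchors; only the engine's root store does that, which is why CERT_TRUST_IS_UNTRUSTED_ROOT is treated as a hard failure above.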
