Code which deals with preparing certificate chain

Aravind

Nov 10, 2008, 5:55:40 AM
to Pathfinder Mailing List
Hi all,

I am new to Pathfinder. I just checked the code of pathfinder for some
time.
I think "pathfinder_dbus_verify" is the API which will verify the
certificate. Am I right? Sorry if anything is wrong.

Basically we are developing a certificate management library which
will be used by other applications.
We have an API in that library which will verify the peer certificate
but we have to give the whole peer certificate chain for that API to
verify.

But applications will give me only the peer certificate. So I have to
prepare a certificate chain from this certificate. We have verification
code in place. I just need the code for certificate chain
preparation. Can you please point me to the exact code where this
preparation of the certificate chain happens?


Thanks in advance,
Aravind.

Patrick Patterson

Nov 10, 2008, 10:14:16 AM
to pathfinder...@googlegroups.com
Hi Aravind:

Ok - to do verification, you need two things:

1: The certificate that you are trying to verify.

and

2: The trust anchor (CA Certificate) that you are trying to build a path back to.

If you don't have the second, then your security model is fatally flawed, as you have no point of trust to start the process from.

In Pathfinder, what you want to do is to call the callback - you are right to use pathfinder_dbus_verify as follows (in your own validation callback, whatever that is):

I'm going to assume that you have the certificate in the unsigned char * buffer 'cert' in DER format, and the size of that buffer in a size_t variable cert_size:

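// Lookup table used to turn each 4-bit nibble into an uppercase hex digit.
const char* hex = "0123456789ABCDEF";

// Hex-encode the DER buffer: two characters per byte plus a terminating NUL.
unsigned char *iend;
iend = cert + cert_size;
char *certdata_str = new char[(cert_size * 2 + 1)];
unsigned char *cp = cert;
char *certdata_str_i = certdata_str;
while (cp < iend)
{
        unsigned char ch = *cp++;
        *certdata_str_i++ = hex[(ch >> 4) & 0xf];   // high nibble
        *certdata_str_i++ = hex[ch & 0xf];          // low nibble
}
*certdata_str_i = 0;

// Hand the hexified certificate to the pathfinder daemon for validation.
const char *policy = "2.5.29.32.0"; // anyPolicy
char *errmsg = 0;                   // filled in by the call on failure
int validated = pathfinder_dbus_verify(certdata_str, policy, 0, 0,
                                                      &errmsg);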

And that's it. The first part of this code just converts the DER encoded certificate to a character based "hexified" buffer. After that, take that buffer, and run it against the pathfinder_dbus_verify() function. Validated will return 0 if it fails, and errmsg will be set accordingly, validated will be non-zero on success.

The validation (including checking CRLs, chasing AIA extensions, and other Path Discovery and Validation checks as defined by RFC3280) is all done in the pathfinder daemon, which you can set up with your trust anchors in the directory pointed to by:

[Trusted directories]
Extra certs = /tmp/trusted

(in this example, your trust anchors (CA Root Certificates) will be in /tmp/trusted)

You shouldn't have to implement any code to do verification and validation at all. Just supply the "peer" certificate in the callback, and give the Pathfinder daemon your trust anchor, and you should be good to go.
 
Hope this helps.

Patrick.
--
Personal Mail from Patrick Patterson
No company affiliation

Aravinda babu

Nov 11, 2008, 6:49:27 AM
to pathfinder...@googlegroups.com
Hi Patrick,

Thanks for your detailed info and explanation. I got your point.

But I need only the part of the code that creates a certificate chain from a peer certificate. Can you please point me to this code?

Thanks in advance,
Aravind.

Patrick Patterson

Nov 11, 2008, 9:12:58 AM
to pathfinder...@googlegroups.com
Hi Aravind:

Well, the part of Pathfinder that does Path building is quite long (I think that it is several hundred lines) and is integrated into the Validation code (since we wouldn't want to add a link to the certificate chain that wasn't valid). And there are MANY ways that you need to perform the validation (time validity, Revocation status, Name Constraints, Policy Constraints and Mappings), so to do path building in an efficient manner (especially in a complex environment, like the US FBCA), you need to do the validation as you are building the path, and pruning off non-valid nodes as you encounter them.

Patrick.
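
Added example, not Pathfinder's code and not written by anyone in this thread: a toy sketch of validating while building the path, as the last message describes, so that an invalid candidate issuer is pruned before it can join the chain. The Cert record, its fields, the function names and the sample names are all constructed for illustration; signature checks, name constraints and policy processing are left out.

```cpp
#include <string>
#include <vector>

// Constructed, simplified certificate record; not an X.509 parser.
struct Cert {
    std::string subject, issuer;
    long not_before, not_after; // validity window (arbitrary time units)
    bool revoked;               // stands in for a CRL lookup
    bool is_ca;                 // stands in for the basicConstraints CA flag
};
typedef std::vector<Cert> Certs;
typedef std::vector<std::string> Path;

// Per-node checks applied before a certificate may join the path.
static bool usable(const Cert &c, long now, bool need_ca) {
    return now >= c.not_before && now <= c.not_after && !c.revoked && (c.is_ca || !need_ca);
}

// Depth-first search from `cur` toward a trust anchor, pruning bad nodes.
static bool extend(const Cert &cur, const Certs &pool, const Certs &anchors, long now, Path &path) {
    for (const Cert &a : anchors)
        if (a.subject == cur.issuer && usable(a, now, true)) { path.push_back(a.subject); return true; }
    if (path.size() >= 8) return false; // depth limit also stops issuer loops
    for (const Cert &c : pool) {
        if (c.subject != cur.issuer || !usable(c, now, true)) continue; // prune
        path.push_back(c.subject);
        if (extend(c, pool, anchors, now, path)) return true;
        path.pop_back(); // dead end: backtrack and try the next candidate
    }
    return false;
}

// Returns subjects from peer to trust anchor, or an empty path on failure.
Path build_path(const Cert &peer, const Certs &pool, const Certs &anchors, long now) {
    Path path;
    if (!usable(peer, now, false)) return path;
    path.push_back(peer.subject);
    if (!extend(peer, pool, anchors, now, path)) path.clear();
    return path;
}

// Constructed sample: a revoked cross-certificate offers a shorter, invalid route.
Path demo(long now) {
    Cert peer = {"CN=peer", "CN=Issuing CA", 100, 200, false, false};
    Certs pool = {{"CN=Issuing CA", "CN=Root", 100, 200, true, true},
                  {"CN=Issuing CA", "CN=Policy CA", 100, 200, false, true},
                  {"CN=Policy CA", "CN=Root", 100, 200, false, true}};
    Certs anchors = {Cert{"CN=Root", "CN=Root", 0, 1000, false, true}};
    return build_path(peer, pool, anchors, now);
}
```

With the sample data, a builder that chained on names alone would accept the three-certificate route through the revoked cross-certificate; checking each node as it is added forces the longer route through CN=Policy CA.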