List: ms-cryptoapi
Subject: CertGetCertificateChain()
From: bug84 () HUSHMAIL ! COM
Date: 2001-08-29 18:44:05
-----BEGIN PGP SIGNED MESSAGE-----
Hi,
I am having some trouble with CertGetCertificateChain(). It is supposed to allow checking of an "additional store" location if the HCERTSTORE handle is passed as the 4th param. If the first param is HCCE_CURRENT_USER (which is misspelt in the MSDN docs, btw) then the additional store is accessed but not used in trust checking.
I may be wrong in this, but I cannot get CA certs that have been added to the SystemCertificates\root\ store in the registry to be included in the trust check on an incoming server cert.
This is what I am doing:
1 - get a cert context to the remote (SSL server) cert
2 - call CertOpenStore() on the "ROOT" store under CERT_SYSTEM_STORE_CURRENT_USER; I have tried setting the CERT_SYSTEM_STORE_UNPROTECTED_FLAG as well in this call to CertOpenStore()
3 - call CertGetCertificateChain(HCCE_CURRENT_USER, certctx, NULL, extraCertStore, ...); this call succeeds and it also does access the registry entry where the extraCertStore is pointing to, but the .TrustStatus member that is returned is 32, which means untrusted root...
4 - I continue on to call CertVerifyCertificateChainPolicy() and, as expected, I get an untrusted root error.
The server cert I am checking is signed by an MS CA on another machine and it is completely valid.
If I insert the CA cert into the same registry location under HKEY_LOCAL_MACHINE then everything works fine -- the server cert is verified correctly.
Is this a bug in CertGetCertificateChain() not checking the additional store, or am I doing something incorrectly?
Any help would be appreciated.
Thanks
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.0
wloEARECABoFAjuNOFsTHGJ1Zzg0QGh1c2htYWlsLmNvbQAKCRBBxU4wEsSpMWSgAJ9x
0yGhxtEfXF/pCwTjzc0jG4+rJQCeNwHUFh2ub8A9L3XGIk9xYGIrxyk=
=hJBX
-----END PGP SIGNATURE-----
----------------------------------------------------------------
Users Guide http://discuss.microsoft.com/archives/mailfaq.asp
contains important info. Save time, search the archives at
http://discuss.microsoft.com/archives/index.html .
To unsubscribe, mailto:CryptoAPI-signoff-request@DISCUSS.MICROSOFT.COM
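The four steps in the message above, replayed from PowerShell as an added example (this is not code from the original message or from Microsoft). On Windows, .NET's X509Chain calls CertGetCertificateChain with the HCCE_CURRENT_USER engine and passes ChainPolicy.ExtraStore as the hAdditionalStore parameter, so it reproduces the situation described: a CA certificate placed in the extra store is found and used to complete the chain, but the chain status still reports UntrustedRoot (0x20, the same CERT_TRUST_IS_UNTRUSTED_ROOT bit the poster sees as 32) unless that CA is present in a Root store the chain engine trusts. The additional store supplies certificates for building the chain; it does not make them trusted anchors. The file paths are assumptions, and the final CustomRootTrust block applies only on .NET 5 or later (PowerShell 7.1+), where a chain can be built against a caller-supplied set of roots without touching the Root store.

```powershell
# Added example, not code from the original message. On Windows, X509Chain wraps
# CertGetCertificateChain(HCCE_CURRENT_USER, ...) and hands ChainPolicy.ExtraStore
# to it as hAdditionalStore, so this mirrors steps 1-4 of the message.
using namespace System.Security.Cryptography.X509Certificates

param(
    [string]$ServerCertPath = '.\server.cer',  # assumed: the SSL server certificate (step 1)
    [string]$CaCertPath     = '.\ca.cer'       # assumed: the issuing CA cert, NOT in any Root store
)

$server = [X509Certificate2]::new($ServerCertPath)
$ca     = [X509Certificate2]::new($CaCertPath)

# Steps 2 and 3: the CA is offered only through the "additional store".
$chain = [X509Chain]::new()                       # current-user chain engine, like HCCE_CURRENT_USER
$chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null # the hAdditionalStore equivalent
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck  # keep the test about trust, not CRLs

$ok = $chain.Build($server)
Write-Host "Build() returned $ok"

# The CA from the extra store is used to build the chain; it shows up as the top element...
foreach ($el in $chain.ChainElements) {
    Write-Host ("  element: {0}" -f $el.Certificate.Subject)
}
# ...but the status still carries UntrustedRoot (0x20 = 32, the value in the message)
# unless that top element is found in a Root store the engine trusts.
foreach ($st in $chain.ChainStatus) {
    Write-Host ("  status: {0} (0x{1:X8}) {2}" -f $st.Status, [int]$st.Status, $st.StatusInformation.Trim())
}

# The check worth making before blaming the API: is the chain's top certificate
# actually present in a Root store? Trust is decided there, not in hAdditionalStore.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
foreach ($loc in 'CurrentUser', 'LocalMachine') {
    $store = [X509Store]::new([StoreName]::Root, [StoreLocation]$loc)
    $store.Open([OpenFlags]::ReadOnly)
    $hit = $store.Certificates.Find([X509FindType]::FindByThumbprint, $top.Thumbprint, $false)
    Write-Host ("  '{0}' present in {1}\Root: {2}" -f $top.Subject, $loc, ($hit.Count -gt 0))
    $store.Close()
}

# .NET 5+ only (PowerShell 7.1+): trust the CA for this chain without installing it.
# CustomRootTrust builds against the caller-supplied roots instead of the Root store.
if ($chain.ChainPolicy.PSObject.Properties['TrustMode']) {
    $custom = [X509Chain]::new()
    $custom.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $custom.ChainPolicy.TrustMode = 'CustomRootTrust'
    $custom.ChainPolicy.CustomTrustStore.Add($ca) | Out-Null
    Write-Host ("CustomRootTrust Build() returned {0}" -f $custom.Build($server))
}
```

Run it with the CA certificate present only in the extra store and the first Build() fails with UntrustedRoot while the chain elements still show the CA at the top, which is the behaviour the message reports. The store loop then answers the closing question directly: Build() succeeds only once the thumbprint of the top element is found in a Root store the chain engine trusts, which is why importing the CA under HKEY_LOCAL_MACHINE made the server certificate verify.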