
List:       ms-cryptoapi
Subject:    CertGetCertificateChain()
From:       bug84 () HUSHMAIL ! COM
Date:       2001-08-29 18:44:05

Hi,


I am having some trouble with CertGetCertificateChain().  It is supposed to allow checking of an "additional store" location if the HCERTSTORE handle is passed as the 4th param.  If the first param is HCCE_CURRENT_USER (which is mis-spelt in the MSDN docs btw) then the additional store is accessed but not used in trust checking.

I may be wrong in this but I cannot get CA Certs that have been added to the SystemCertificates\root\ store in the registry to be included in the trust check on an incoming server cert.

This is what I am doing:

1 - get a cert context to the remote (ssl server) cert

2 - call CertOpenStore() on the "ROOT" store under CERT_SYSTEM_STORE_CURRENT_USER and I have tried setting the CERT_SYSTEM_STORE_UNPROTECTED_FLAG as well in this call to CertOpenStore()

3 - call CertGetCertificateChain(HCCE_CURRENT_USER, certctx, NULL, extraCertStore, ...) and this call succeeds and it also does access the registry entry where the extraCertStore is pointing to but the .TrustStatus member that is returned is 32 which means untrusted root...

4 - I continue on to call CertVerifyCertificateChainPolicy() and, as expected, I get an untrusted root error.

The Server cert I am checking is signed by an MS CA on another machine and it is completely valid.

If I insert the CA cert into the same registry location under HK_LOCAL_MACHINE then everything works fine -- the server cert is verified correctly.

Is this a bug in CertGetCertificateChain() not checking the additional store or am I doing something incorrectly?

Any help would be appreciated.

thanks

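As an added example (not part of the original message or of the CryptoAPI documentation), the following PowerShell script reproduces the sequence above through .NET's X509Chain, which on Windows wraps CertGetCertificateChain() and exposes the hAdditionalStore parameter as ChainPolicy.ExtraStore. It shows that a CA placed only in the additional store lets the chain be built but still yields CERT_TRUST_IS_UNTRUSTED_ROOT (0x20 = 32, the value reported above), and then lists which Root stores the chain engine actually sees the CA in; the two certificate file paths are hypothetical placeholders.

```powershell
# Added example, not from the original message. Assumes two DER/PEM files
# (hypothetical paths): the server (leaf) certificate and the CA certificate.
param(
    [string]$ServerCertPath = 'C:\certs\server.cer',   # hypothetical path
    [string]$CaCertPath     = 'C:\certs\ca.cer'        # hypothetical path
)

$ns     = 'System.Security.Cryptography.X509Certificates'
$server = New-Object "$ns.X509Certificate2" $ServerCertPath
$ca     = New-Object "$ns.X509Certificate2" $CaCertPath

function Test-ChainWithExtraStore {
    param($Leaf, $Extra)
    $chain = New-Object "$ns.X509Chain"
    # Skip revocation so the outcome isolates the trust question only.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # ExtraStore maps to hAdditionalStore: it supplies supporting certs for
    # chain building, but it never makes a root trusted by itself.
    [void]$chain.ChainPolicy.ExtraStore.Add($Extra)
    $built  = $chain.Build($Leaf)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })
    [pscustomobject]@{
        Built         = $built
        ChainLength   = $chain.ChainElements.Count   # 2 if the CA was found
        Status        = ($status -join ', ')
        # UntrustedRoot corresponds to CERT_TRUST_IS_UNTRUSTED_ROOT (0x20 = 32)
        UntrustedRoot = [bool]($status -contains 'UntrustedRoot')
    }
}

# Case 1: CA offered only via the additional store.
# Expected: Built = False, ChainLength = 2, UntrustedRoot = True.
Test-ChainWithExtraStore -Leaf $server -Extra $ca | Format-List

# Case 2: diagnose trust directly. The chain engine trusts a root only when
# it is present in a Root store it consults, so check both locations by
# thumbprint rather than assuming a registry write was picked up.
foreach ($loc in 'CurrentUser', 'LocalMachine') {
    $store = New-Object "$ns.X509Store" 'Root', $loc
    $store.Open('ReadOnly')
    $present = $store.Certificates |
        Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    "Root store ($loc) contains CA $($ca.Thumbprint): $([bool]$present)"
    $store.Close()
}
```

If Case 2 reports the CA absent from both Root stores even though the registry key was written, the certificate is not in a store the chain engine trusts, which matches the "untrusted root" result regardless of what is passed as the additional store.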

