[Cryptography Team] SSL Certificate Validation
Robert Withers
reefedjib at yahoo.com
Wed Jan 24 05:28:56 UTC 2007
All,
I've been doing a little SSL coding, since it isn't a fully developed
project yet. The most glaring omission has been the lack of
certificate chain processing and validation, thereby leaving a rather
large security hole in the implementation. The code still doesn't
handle client certificates.
I have added the capability for a certificate to verify itself with
it's parent certificate. Roughly, this entails comparing the hash of
the certificate (tbsCertificate) with its decrypted signature. using
the parent certificate's publicKey. The parent is identified as
having the same subject as the child's issuer. A self-signed
certificate has the same issuer and subject. These are currently
allowed. Furthermore, the certificate is valid if the validity dates
enclose the current date.
The code hook for all this is in
SSLSecurityCoordinator>>#validateCertificateChain: certChain
The test certificate currently passes, but will expire later this year.
I also added the CACert, Verisign and Thawte's root CAs to the
SSLCertificateStore, but there is no mechanism to add external root
certs.
I also coded and tested MD2 hash function, so that some certs can be
validated.
Changes to the following packages:
Cryptography-ASN1
Cryptography-MD4
Cryptography-SSL
Cryptography-Tests
Cryptography-X509
cheers,
Robert
More information about the Cryptography
mailing list