[Cryptography Team] RE: SSL Certificate Validation

Ron Teitelbaum Ron at USMedRec.com
Wed Jan 24 14:49:12 UTC 2007 

Very cool Rob!

I've been working with the code, testing on multiple machines and it's
working well!  I haven't been focusing on the actual certificates, but will
need to do so in a few months.  I'm hoping to be able to create client
certificates automatically during installation and to be able to renew them
periodically.  For all this to work I'll need to have client and server
certificates working and validated plus a working CA.  I'm planning on using
certificate extensions to handle service authorization.  I'm very pleased
with the code and how well it responds.  I'll start working with the new
code and let you know if I see any issues.

Thank you for your work on this!!

Ron


> From: Robert Withers
> Sent: Wednesday, January 24, 2007 12:29 AM
> 
> All,
> 
> I've been doing a little SSL coding, since it isn't a fully developed
> project yet.  The most glaring omission has been the lack of
> certificate chain processing and validation, thereby leaving a rather
> large security hole in the implementation.  The code still doesn't
> handle client certificates.
> 
> I have added the capability for a certificate to verify itself with
> it's parent certificate.  Roughly, this entails comparing the hash of
> the certificate (tbsCertificate) with its decrypted signature. using
> the parent certificate's publicKey.  The parent is identified as
> having the same subject as the child's issuer.  A self-signed
> certificate has the same issuer and subject.  These are currently
> allowed.  Furthermore, the certificate is valid if the validity dates
> enclose the current date.
> 
> The code hook for all this is in
> SSLSecurityCoordinator>>#validateCertificateChain: certChain
> 
> The test certificate currently passes, but will expire later this year.
> 
> I also added the CACert, Verisign and Thawte's root CAs to the
> SSLCertificateStore, but there is no mechanism to add external root
> certs.
> 
> I also coded and tested MD2 hash function, so that some certs can be
> validated.
> 
> Changes to the following packages:
> 	Cryptography-ASN1
> 	Cryptography-MD4
> 	Cryptography-SSL
> 	Cryptography-Tests
> 	Cryptography-X509
> 
> cheers,
> Robert
>

More information about the Cryptography mailing list