Comments on: Summarizing PKI Certificate Validation http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/ Simple Security. Thu, 12 Jan 2012 15:08:16 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Walter Goulet http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/comment-page-1/#comment-2971 Walter Goulet Thu, 12 Jan 2012 13:56:05 +0000 http://blog.securism.com/?p=106#comment-2971 Hi Deepak, BER (Basic Encoding Rules - en.wikipedia.org/wiki/Basic_Encoding_Rules) is basically just a method to encode certificate data in a protocol message. Sounds like what you are seeing is that your endpoint is not properly configured with a certificate so it's not sending anything to the peer. Walter Hi Deepak,

BER (Basic Encoding Rules – en.wikipedia.org/wiki/Basic_Encoding_Rules) is basically just a method to encode certificate data in a protocol message. Sounds like what you are seeing is that your endpoint is not properly configured with a certificate so it’s not sending anything to the peer.

Walter

]]> By: Deepak Khandelwal http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/comment-page-1/#comment-2905 Deepak Khandelwal Tue, 03 Jan 2012 15:36:15 +0000 http://blog.securism.com/?p=106#comment-2905 I am trying to establishing a IPSec tunnel with the authentication method using certificates. the peer end asks for a certificate as certification request payload in the ISAKMP . But my end replied with some BER Error: Empty choice was found. Any idea what is BER and what can be the problem ?? I am trying to establishing a IPSec tunnel with the authentication method using certificates. the peer end asks for a certificate as certification request payload in the ISAKMP . But my end replied with some BER Error: Empty choice was found.
Any idea what is BER and what can be the problem ??

]]> By: Walter Goulet http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/comment-page-1/#comment-2098 Walter Goulet Wed, 07 Sep 2011 18:53:25 +0000 http://blog.securism.com/?p=106#comment-2098 Thanks! In light of the Diginotar breach, I have some additional thoughts I plan on blogging about soon. You might be interested in this article I wrote up for the InfoSec Institute last month as well: http://resources.infosecinstitute.com/understanding-pki/ Thanks! In light of the Diginotar breach, I have some additional thoughts I plan on blogging about soon. You might be interested in this article I wrote up for the InfoSec Institute last month as well: http://resources.infosecinstitute.com/understanding-pki/

]]> By: Jon H http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/comment-page-1/#comment-2096 Jon H Wed, 07 Sep 2011 18:23:29 +0000 http://blog.securism.com/?p=106#comment-2096 Excellent summary - all the pertinent info in one place! Excellent summary – all the pertinent info in one place!

]]> By: Understanding the Public Key Infrastructure behind SSL secured websites |  InfoSec Resources http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/comment-page-1/#comment-1828 Understanding the Public Key Infrastructure behind SSL secured websites |  InfoSec Resources Thu, 04 Aug 2011 20:02:38 +0000 http://blog.securism.com/?p=106#comment-1828 [...] 1) http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/ [...] [...] 1) http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/ [...]

]]> By: Use of publicly trusted certificates in enterprise networks « Securism Blog http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/comment-page-1/#comment-790 Use of publicly trusted certificates in enterprise networks « Securism Blog Tue, 26 Apr 2011 20:49:25 +0000 http://blog.securism.com/?p=106#comment-790 [...] a little background. Previous visitors that have read my post on certificate validation will recall that a standard PKI hierarchy has a single CA (root CA) that [...] [...] a little background. Previous visitors that have read my post on certificate validation will recall that a standard PKI hierarchy has a single CA (root CA) that [...]

]]> By: Who can you trust? PKI under attack « Securism Blog http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/comment-page-1/#comment-690 Who can you trust? PKI under attack « Securism Blog Thu, 14 Apr 2011 02:55:05 +0000 http://blog.securism.com/?p=106#comment-690 [...] seriously question the value of CAs and look at alternative trust models. As explained in my other post, the current CA trust model requires users to trust their browser, operating system, and device [...] [...] seriously question the value of CAs and look at alternative trust models. As explained in my other post, the current CA trust model requires users to trust their browser, operating system, and device [...]

]]> By: Joe Juric http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/comment-page-1/#comment-625 Joe Juric Mon, 04 Apr 2011 13:47:39 +0000 http://blog.securism.com/?p=106#comment-625 I've managed to find API which have a mathod that inspect digital signature versus its signer, both for Java and C# (http://www.bouncycastle.org/) The problem with the Microsoft Verify() method is that its only suitable for basic chain verification, not digital signature (chain verification can be faked through manual certificate creation). Note that you can't see method implementation, so you can't know what degree of basic is implemented. If you want, you can implement your own chain verification overriding Validate method in your own class MyX509CertificateValidator : X509CertificateValidator. I've also done verification in OpenSSL, and it worked. Regards, Joe I’ve managed to find API which have a mathod that inspect digital signature versus its signer, both for Java and C# (http://www.bouncycastle.org/)

The problem with the Microsoft Verify() method is that its only suitable for basic chain verification, not digital signature (chain verification can be faked through manual certificate creation).
Note that you can’t see method implementation, so you can’t know what degree of basic is implemented.
If you want, you can implement your own chain verification overriding Validate method in your own class MyX509CertificateValidator : X509CertificateValidator.

I’ve also done verification in OpenSSL, and it worked.

Regards, Joe

]]> By: Walter Goulet http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/comment-page-1/#comment-620 Walter Goulet Mon, 04 Apr 2011 02:34:33 +0000 http://blog.securism.com/?p=106#comment-620 @joe I'm not much of a programmer myself; when I do need to inspect and validate certificates I usually use openssl in scripts. I do know that certificate validation is usually a built in function in certificate handling APIs. For example, in the X509Certificate2 class you describe, the verify method (http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.verify.aspx) is intended to do just that. The signatureValue field is well defined in RFC3280, so any API should be able to export that value for you. It's just a matter of finding an API that exposes the details you need. If it's an academic exercise and you just want to extract signatures directly, you could try the following openssl command line: openssl x509 -in cacert.pem -text -certopt ca_default,no_header,no_version,no_serial,no_validity,no_subject,no_issuer,no_signame,no_pubkey,no_extensions -noout Hope this helps, Walter @joe

I’m not much of a programmer myself; when I do need to inspect and validate certificates I usually use openssl in scripts. I do know that certificate validation is usually a built in function in certificate handling APIs. For example, in the X509Certificate2 class you describe, the verify method (http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.verify.aspx) is intended to do just that.

The signatureValue field is well defined in RFC3280, so any API should be able to export that value for you. It’s just a matter of finding an API that exposes the details you need. If it’s an academic exercise and you just want to extract signatures directly, you could try the following openssl command line:
openssl x509 -in cacert.pem -text -certopt ca_default,no_header,no_version,no_serial,no_validity,no_subject,no_issuer,no_signame,no_pubkey,no_extensions -noout

Hope this helps,
Walter

]]> By: Joe Juric http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/comment-page-1/#comment-597 Joe Juric Sat, 02 Apr 2011 14:36:51 +0000 http://blog.securism.com/?p=106#comment-597 Hi First, thank you for your answer. But, I still have a problem how to validate a certificate (programmatically). In section eight, you described in detail how one will do so. I got that, but the thing is that I don't know how to get signatureValue from the certificate (nor by inspecting certificate "visually" nor by programmatically digging properties, such as Subject, Issuer, Dates, Thumbprint etc., I'm using C# .NET X509Certificate2 and other related libraries), so I can decrypt the digital signature (with public key of the issuer), and compare its content to a hash that I've previously computed., ie validate certificate. Thank you in advance, Joe Hi
First, thank you for your answer.
But, I still have a problem how to validate a certificate (programmatically).
In section eight, you described in detail how one will do so. I got that, but the thing is that I don’t know how to get signatureValue from the certificate
(nor by inspecting certificate “visually” nor by programmatically digging properties,
such as Subject, Issuer, Dates, Thumbprint etc., I’m using C# .NET X509Certificate2 and other related libraries), so I can decrypt the digital signature (with public key of the issuer), and compare its content to a hash that I’ve previously computed., ie validate certificate.

Thank you in advance,
Joe

]]>