[kmf-discuss] Certificate validation algorithm
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Wed May 7 07:55:58 PDT 2008
Scott Rotondo wrote:
> Algorithm 1 below is what I believe we discussed in today's meeting.
> [These aren't the right function names or arguments for the KMF API,
> but the meaning should be clear.] Algorithm 2 is a possible
> simplification.
>
> Scott
>
> Algorithm 1
> -----------
> Input:
> cert = leaf certificate used to sign manifest
> ta_list = list of trust anchors specified by administrator
>
> while (cert not in ta_list) {
>     parent = FindIssuer(cert);
>     if (ValidateCert(cert, parent) == FAIL)
>         return (FAIL);
>     cert = parent;
> }
> // cert is one of the trust anchors; validate the file
> if (open(cert, O_VERIFY) == FAIL)
>     return (FAIL);
> else
>     return (PASS);
>
This sounds about right. The cert-not-in-ta-list function could be a complicated function. I guess it depends how you are building your ta-list - is it a list of cert data blobs, cert filenames, or a list of Subject Names + Serial #s (like a CRL)?

If it is filenames, it is easy (but not accurate unless you are verifying that the contents of any given file are actually a cert).

If it is data blobs, then KMF has some functions that can help pull out the subject/issuer/serial number and compare them to others. This is probably the most secure way of matching certs since it looks at individual fields.

If it is a name/serial number list, then it is also pretty easy using KMF to pull out the name/serial from a cert for comparison in both native binary and human-readable form.

I think we identified a couple of shortcomings in the current implementation of kmf_validate_cert().

#1 - We need an option for the caller to EITHER
  (a) - pass in the parent/issuer cert to be used,
  or (b) - pass in an optional parameter that tells kmf_validate_cert() to go FIND the issuer of the subject cert and use that to verify it (assume the issuer is in the same keystore location as the given subject cert).

If option (b) is done, then you don't need the FindIssuer step, just call kmf_validate_cert with the right arguments and it should "Just Work".

I will talk to the KMF team and figure out how we will fix kmf_validate_cert.

Your algorithm (B) looked fine also, the same issues for KMF apply either way.
-Wyllys
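An added worked example of Algorithm 1 as discussed above (not part of the thread and not KMF code): it uses Go's crypto/x509 in place of the KMF calls, matches trust anchors on parsed fields (subject, serial, public key) rather than on file names, and looks the issuer up in the same keystore as option (b) proposes. The certificates are constructed in the block, and the names newCert, TAKey and ValidateChain are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newCert issues a constructed test certificate for cn; parent == nil means self-signed.
func newCert(cn string, serial int64, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TAKey reduces a certificate to the parsed fields that trust-anchor matching compares
// (subject name, serial number, public key) instead of trusting a file name or path.
func TAKey(c *x509.Certificate) string {
	return string(c.RawSubject) + "|" + c.SerialNumber.String() + "|" + string(c.RawSubjectPublicKeyInfo)
}

// ValidateChain is Algorithm 1: until cert is a trust anchor, find its issuer in the keystore
// (indexed by subject name), verify the signature, step up. The hop bound and self-issuer check keep a bad store from looping.
func ValidateChain(leaf *x509.Certificate, ta map[string]bool, store map[string]*x509.Certificate) error {
	cert := leaf
	for hops := 0; !ta[TAKey(cert)]; hops++ {
		parent := store[string(cert.RawIssuer)]
		if parent == nil || string(parent.Raw) == string(cert.Raw) || hops >= 8 {
			return errors.New("no issuer path to a trust anchor")
		}
		if err := cert.CheckSignatureFrom(parent); err != nil {
			return err // FAIL: signature does not verify under the claimed issuer
		}
		cert = parent
	}
	return nil // PASS: reached a configured trust anchor
}
```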