Friday, March 09, 2007

Musings on certificates
  1. Can a qualified certificate (signature) be used without installing it in the repository (e.g. when it is kept on a smart card)?
  2. In our company, and in others that trust us, it is worth setting up a PKI server. We can then issue our own certificates (they then have to be trusted). Zbyszek will prepare the environment for me.
  3. The same applies to Kerberos.
  4. Checking the validity of a certificate is not an easy matter; it is hard to get it right without preparation. Still, one can attempt some solution:
    1. A user receives data signed with some other user's certificate. How can they verify its validity?
    2. Verification can be:
      1. online - by checking the CRL:
        1. from the issuer's site via the OCSP service - some certificate-issuing companies do not provide it
        2. by contacting the site that hosts the CRL - and caching it locally
      2. offline - by checking against the CRL held in the repository cache. The current list can be pulled into the repository by an automatic update after clicking the page that hosts the CRL.
    3. Perhaps the unique serial number of the holder of that certificate can be "extracted" from the certificate or from the signed data
    4. What else can be "pulled out" of the certificate / the signed document? The latter is better, since we do not have to "obtain" the certificate?
  5. To be continued...
  6. The certificate issuance and signing service could be offered to KHW
  7. Links (work):
    1. Search for information in the discussion forum - microsoft.public.security.crypto
    2. http://groups.google.com/group/microsoft.public.security.crypto/index/browse_frm/month/2004-12?_done=%2Fgroup%2Fmicrosoft.public.security.crypto%2Fbrowse_frm%2Fmonth%2F2004-12%3F&
    3. http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2004-12/0043.html - capicom / cryptoapi certificate chain verification error 0x80092004
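The offline variant from item 4.2.2 (checking a certificate against a locally stored CRL) carried out with openssl, as an added example that is not part of the original post. It builds a throwaway CA and leaf certificate in a temp dir (all names, paths and the config are constructed here), issues a CRL, and checks the leaf against the stored CRL before and after revoking it, which also shows why a cached CRL can be stale.

```shell
#!/bin/sh
# Added example (not from the original post): offline CRL verification with openssl.
# A throwaway CA and leaf certificate are constructed in a temp dir, a CRL is issued,
# and the leaf is checked against the locally stored CRL before and after revocation.
set -e
WORK=$(mktemp -d)

setup_pki() (
  cd "$WORK"
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database = index.txt
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 7
EOF
  : > index.txt; echo 01 > crlnumber   # empty CA database, first CRL number
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -days 30 -subj "/CN=Test CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=user" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 30 -out leaf.pem >/dev/null 2>&1
)
issue_crl()   ( cd "$WORK" && openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 )
revoke_leaf() ( cd "$WORK" && openssl ca -config ca.cnf -revoke leaf.pem >/dev/null 2>&1 )

# Offline check of leaf.pem against the stored crl.pem; prints good, revoked or error.
crl_status() {
  out=$(cd "$WORK" && openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem 2>&1) \
    && { echo good; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo "error: $out" ;;
  esac
}

setup_pki; issue_crl
BEFORE=$(crl_status)    # good: the serial is not on the CRL
revoke_leaf; issue_crl  # a CRL cached before the revocation would still say good
AFTER=$(crl_status)     # revoked
echo "before revocation: $BEFORE, after: $AFTER"
```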

Date: Fri, 03 Dec 2004 18:16:28 +0100

Hello,
I was trying to use capicom from VB6 code to verify the validity of a
certificate, but Kelvin Yiu from MS posted a message
(news://msnews.microsoft.com:119/eV9j2id0EHA.1392@tk2msftngp13.phx.gbl)
in which he says "There is no way to use CAPICOM to access the CRLs used
to validate the chain. You must call the Win32 API".

Then, David Cross suggested to use capimon to trace the error. Such a
trace (see previous post "meaning of
CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN" or the attached capimon output)
shows the error 0x80092004.

I didn't write any code to access the API directly yet, I just want to
understand what this error is: the description "Cannot find object or
property." does not mean anything to me.
David suggested it could be a problem with the CRL, but the certificate I'm
trying to validate includes a reachable CRL Distribution Point (via http;
it also has 2 other DPs, SMB and HTTP, which are not reachable, but the
third is).

Actually, if I access the distribution point with a browser I can
download the CRL, so I believe this is not the problem.
Can anybody help me understand?

thanks,
al.


    1. OCSP check (script):
      #!/bin/sh
      ##
      ## Copyright (c) 1998-2005 Unizeto Technologies S.A. All rights reserved.
      ##
      ## Online Certificate Status Protocol
      ##

      # Config default for openssl 0.9.7

      VAFILE="/usr/share/ssl/ocsp.pem" # http://www.certum.pl/keys/vs.pem  (certificate of the OCSP responder)
      ISSUER="/usr/share/ssl/CA.pem"   # http://www.certum.pl/CA.pem       (certificate of the issuing CA)

      URL="http://ocsp.certum.pl"

      # Exactly one argument: the serial number of the certificate to check
      if [ "$1" = "" ]; then
          echo -e "Usage: $0 serial\n"
          echo -e "\tserial:\tSerial number to check\n"
          exit 0
      fi

      # Query the responder for the serial and print the decoded response;
      # -VAfile names the certificate that is trusted to sign the response
      openssl ocsp \
          -issuer "$ISSUER" \
          -serial "$1" \
          -url "$URL" \
          -resp_text \
          -respout /dev/null \
          -VAfile "$VAFILE"
      exit 0

    2. http://support.microsoft.com/kb/304298 - How To Perform CRL Checking with CAPICOM
    3. http://files.redfoxuk.com/Shared%20Files/CAPICOM%20Interface%20Definition.HTML#class115 - CAPICOM interface, description of all constants
    4. http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2003-10/0431.html - How to force CAPICOM for CRL checking + mailing list
    5. JENSIGN - excellent
    6. http://www.tutorials-se.com/platformsdksecurity/verify-certificate/ - How to verify certificate with CAPICOM + Impersonate + mailing list + program listing (http://www.tutorials-se.com/platformsdksecurity/CAPICOM-documentation/)!
    7. Code from the above source:
      Impersonating access to AzMan Policy Store 

      I have a console app that runs under the identity UserA. UserB has
      access to AzMan and ADAM.

      Whenever I try to impersonate UserB for the call to the
      AuthorizationStore, I get the exception: ArgumentException: "Value does
      not fall within the expected range"

      However, if I right click on the app and "Run As" UserB, everything
      works fine.

      I am verifying in code (using WindowsIdentity.GetCurrent()) that the
      impersonation is actually succeeding. Has anyone had this issue?

      Here is my code:



      using System;
      using System.Runtime.InteropServices;
      using System.Security.Principal;
      using AZROLESLib;   // interop namespace of the AzRoles type library (AzAuthorizationStoreClass)

      [DllImport("advapi32.dll")]
      public static extern int LogonUserA(String lpszUserName, String lpszDomain,
          String lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
      [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
      public static extern int DuplicateToken(IntPtr hToken, int impersonationLevel,
          ref IntPtr hNewToken);
      [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
      public static extern bool RevertToSelf();
      [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
      public static extern bool CloseHandle(IntPtr handle);

      private void button1_Click(object sender, EventArgs e)
      {
          try
          {
              // Switch this thread to UserB, then open the AzMan store held in ADAM.
              WindowsImpersonationContext ctx =
                  ImpersonateValidUser("UserB", "domain", "password");
              AzAuthorizationStoreClass authorizationStore = new AzAuthorizationStoreClass();
              Console.WriteLine(WindowsIdentity.GetCurrent().Name);   // identity of the impersonating thread
              authorizationStore.Initialize(0,
                  "msldap://techarch2:389/CN=Company, DC=compan,DC=com", null);
              ctx.Undo();
          }
          catch (Exception ex)
          {
              Console.WriteLine(ex.Message);
          }
      }

      private static WindowsImpersonationContext
      ImpersonateValidUser(String userName, String domain, String password)
      {
          WindowsImpersonationContext impersonationContext;
          WindowsIdentity tempWindowsIdentity;
          IntPtr token = IntPtr.Zero;
          IntPtr tokenDuplicate = IntPtr.Zero;

          if (RevertToSelf())
          {
              // dwLogonType 2 = LOGON32_LOGON_INTERACTIVE, dwLogonProvider 0 = LOGON32_PROVIDER_DEFAULT
              if (LogonUserA(userName, domain, password, 2, 0, ref token) != 0)
              {
                  // impersonation level 2 = SecurityImpersonation
                  if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
                  {
                      tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                      impersonationContext = tempWindowsIdentity.Impersonate();
                      if (impersonationContext != null)
                      {
                          CloseHandle(token);
                          CloseHandle(tokenDuplicate);
                          return impersonationContext;
                      }
                  }
              }
          }
          if (token != IntPtr.Zero)
              CloseHandle(token);
          if (tokenDuplicate != IntPtr.Zero)
              CloseHandle(tokenDuplicate);
          return null;
      }

    8. And here is an excerpt from MS:
      Chain.Status

      The Status property retrieves the validity status of the chain or a specific certificate in the chain.

      Property Status( _
      ByVal Index As Long _
      ) As Long

      Parameters

      Index
      Index of certificate, or chain, to check validation. The default value is zero. The following table shows the possible values.
      Value Meaning
      0 Returns the status of the entire chain.
      1 Returns the status of the end certificate.
      i Returns the status of the Certificates.Item[i] certificate.
      Certificates.Count Returns the status of the root certificate.

      Property Value

      A LONG value that represents the validity status indicator of the chain or the specified certificate. The following table shows the possible values. This property will contain zero if the chain or specified certificate is valid. Otherwise, this property will contain a combination of one or more of the following values.

      CAPICOM_TRUST_IS_NOT_TIME_VALID
      &H00000001
      This certificate or one of the certificates in the certificate chain is not time valid.
      CAPICOM_TRUST_IS_NOT_TIME_NESTED
      &H00000002
      Certificates in the chain are not properly time nested.
      CAPICOM_TRUST_IS_REVOKED
      &H00000004
      Trust for this certificate or one of the certificates in the certificate chain has been revoked.
      CAPICOM_TRUST_IS_NOT_SIGNATURE_VALID
      &H00000008
      The certificate or one of the certificates in the certificate chain does not have a valid signature.
      CAPICOM_TRUST_IS_NOT_VALID_FOR_USAGE
      &H00000010
      The certificate or certificate chain is not valid for its proposed usage.
      CAPICOM_TRUST_IS_UNTRUSTED_ROOT
      &H00000020
      The certificate or certificate chain is based on an untrusted root.
      CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN
      &H00000040
      The revocation status of the certificate or one of the certificates in the certificate chain is unknown.
      CAPICOM_TRUST_IS_CYCLIC
      &H00000080
      One of the certificates in the chain was issued by a certification authority that the original certificate had certified.
      CAPICOM_TRUST_INVALID_EXTENSION
      &H00000100
      One of the certificates has an extension that is not valid.
      CAPICOM_TRUST_INVALID_POLICY_CONSTRAINTS
      &H00000200
      The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.
      CAPICOM_TRUST_INVALID_BASIC_CONSTRAINTS
      &H00000400
      The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.
      CAPICOM_TRUST_INVALID_NAME_CONSTRAINTS
      &H00000800
      The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.
      CAPICOM_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT
      &H00001000
      The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields. The minimum and maximum fields are not supported. Thus minimum must always be zero and maximum must always be absent. Only UPN is supported for an Other Name. The following alternative name choices are not supported:

      • X400 Address
      • EDI Party Name
      • Registered Id
      CAPICOM_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT
      &H00002000
      The certificate or one of the certificates in the certificate chain has a name constraints extension, and a name constraint is missing for one of the name choices in the end certificate.
      CAPICOM_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT
      &H00004000
      The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.
      CAPICOM_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT
      &H00008000
      The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.
      CAPICOM_TRUST_IS_OFFLINE_REVOCATION
      &H01000000
      The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
      CAPICOM_TRUST_NO_ISSUANCE_CHAIN_POLICY
      &H02000000
      The end certificate does not have any resultant issuance policies, and one of the issuing CA certificates has a policy constraints extension requiring it.
      CAPICOM_TRUST_IS_PARTIAL_CHAIN
      &H00010000
      The certificate chain is not complete.
      CAPICOM_TRUST_CTL_IS_NOT_TIME_VALID
      &H00020000
      A CTL used to create this chain was not time valid.
      CAPICOM_TRUST_CTL_IS_NOT_SIGNATURE_VALID
      &H00040000
      A CTL used to create this chain did not have a valid signature.
      CAPICOM_TRUST_CTL_IS_NOT_VALID_FOR_USAGE
      &H00080000
      A CTL used to create this chain is not valid for this usage.
    9. Check whether something is wrong (below)
    10. Checking Certificate Revocation Status

      CAPICOM does not enable certificate revocation checking by default. However, certificate revocation checking can be enabled programmatically for a particular certificate through the IsValid.CheckFlag property of a Certificate object. After the appropriate value of CheckFlag has been set, accessing the Certificate object's IsValid.Result property or building the certificate's verification path using a Chain object's Build method forces revocation checking.


      In the following example, cert has been instantiated as a valid CAPICOM certificate.

      Dim cert As Certificate
      Dim LocalStore As New Store

      ' Open the My store.
      LocalStore.Open CAPICOM_CURRENT_USER_STORE, _
          CAPICOM_MY_STORE, CAPICOM_STORE_OPEN_READ_WRITE

      ' Get the first certificate in the My store.
      Set cert = LocalStore.Certificates.Item(1)

      ' Add online revocation checking to the standard checks.
      cert.IsValid.CheckFlag = CAPICOM_CHECK_TRUSTED_ROOT Or _
          CAPICOM_CHECK_TIME_VALIDITY Or _
          CAPICOM_CHECK_SIGNATURE_VALIDITY Or _
          CAPICOM_CHECK_ONLINE_REVOCATION_STATUS
      If cert.IsValid.Result Then
          'CERTIFICATE IS VALID!
      Else
          ' Build the chain to see which status bits are set.
          Dim chain As New Chain
          chain.Build cert
          If CAPICOM_TRUST_IS_REVOKED And chain.Status Then
              'AT LEAST ONE CERTIFICATE IN THE CHAIN HAS BEEN REVOKED
          End If
          If CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN And chain.Status Then
              'THE REVOCATION STATUS COULD NOT BE DETERMINED
          End If
      End If

      The preceding applies to an individual certificate, no matter how it was obtained. Performing revocation checking on the certificates in a SignedData object is no different, but the SignedData object's Verify method cannot be used for this purpose, because enabling CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE does not cause CRL checking.


      Instead, the CheckFlag must be set for each signer's certificate. Consider the following example where sData has been instantiated as a valid CAPICOM SignedData object.

      Dim cert As Certificate
      Dim chain As New Chain

      ' sData is an existing SignedData object.

      For I = 1 To sData.Certificates.Count
          Set cert = sData.Certificates(I)
          cert.IsValid.CheckFlag = _
              CAPICOM_CHECK_TRUSTED_ROOT Or _
              CAPICOM_CHECK_TIME_VALIDITY Or _
              CAPICOM_CHECK_SIGNATURE_VALIDITY Or _
              CAPICOM_CHECK_ONLINE_REVOCATION_STATUS
          If cert.IsValid.Result Then
              'THE CERTIFICATE IS VALID!
          Else
              chain.Build cert
              If CAPICOM_TRUST_IS_REVOKED And chain.Status Then
                  'AT LEAST ONE CERTIFICATE IN THE CHAIN HAS BEEN REVOKED
              End If
              If CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN And chain.Status Then
                  'THE REVOCATION STATUS COULD NOT BE DETERMINED
              End If
          End If
      Next I
