Poupou's Corner of the Web

Looking for perfect security? Try a wireless brick.
Otherwise you may find some unperfect stuff here...

Weblog

in chains: The Good

Recently I've been busy completing X.509 support in the 2.0 class libraries. This somewhat basic stuff is required to complete S/MIME (the Pkcs namespace inside System.Security.dll) and more CardSpace foo.

Right now I'm implementing X509Chain. This is a small class that nicely hides a 129-page RFC (RFC 3280) that references all kinds of stuff, like X.500. I've known for a long time that this step was required and would be somewhat frustrating. I wasn't totally wrong ;-)

Now that the subject is introduced, let's start with what's good...

First, we have test cases, or rather a full test suite, thanks to NIST. In 2004 NIST released the Public Key Interoperability Test Suite (PKITS) for Certificate Path Validation (where path == chain). You can download the test data along with a nice 293-page document.

Next we have the design. In the 2.0 framework System.Security.Cryptography.X509Certificates.X509Chain is exposed, i.e. it's not a new feature but it was totally hidden previously (mostly because it resides in the unmanaged CryptoAPI), and replaceable, i.e. you can supply an alternative implementation to be used as the default (using CryptoConfig and machine.config).
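As an added illustration of the replaceable part (this fragment is not from the post, nor from Mono's or Microsoft's sources), here is the shape of a machine.config mapping that makes X509Chain.Create() hand back another class. "X509Chain" is the name that, as I understand it, the 2.0 framework's X509Chain.Create() passes to CryptoConfig.CreateFromName; the MyCompany.* type and assembly names are placeholders, and code that does "new X509Chain()" directly bypasses the mapping entirely.

```xml
<!-- machine.config excerpt; MyCompany.Pki.RfcChain / MyCompany.Pki are placeholder names -->
<configuration>
  <mscorlib>
    <cryptographySettings>
      <cryptoNameMapping>
        <cryptoClasses>
          <cryptoClass RfcChain="MyCompany.Pki.RfcChain, MyCompany.Pki" />
        </cryptoClasses>
        <!-- "X509Chain" is the name X509Chain.Create() resolves through CryptoConfig -->
        <nameEntry name="X509Chain" class="RfcChain" />
      </cryptoNameMapping>
    </cryptographySettings>
  </mscorlib>
</configuration>
```

Whatever class the mapping names must derive from X509Chain and expose a public parameterless constructor, since CryptoConfig instantiates it by reflection.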

Other good news is that, for some cases, it seems that MS follows RFC 3280. That one is more complex than it looks because path validation isn't framework functionality; it's part of CryptoAPI. So every Windows version ships an updated CryptoAPI that is (or should be) more RFC 3280 compliant than the previous one (I'm keeping the not-so-good news for another post ;-).

Current results (out of 16 sections)

Section   Test Cases               RFC3280   MS[1]   Mono
4.6.1     Signature Verification   6         6       6
4.6.2     Validity Period          8         8       8

Notes
[1] Tested under Windows XP service pack 2 - YMMV
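For readers who want to reproduce the two sections above, here is an added example (not code from Mono, Microsoft or NIST) of driving the 2.0 X509Chain API over a PKITS-style case: one end-entity certificate, zero or more intermediate CA certificates, and a verification time. The certificate file names, the trust anchor thumbprint and the time are caller-supplied assumptions, and the PKITS trust anchor must already have been imported into the machine's Root store, because the 2.0 API offers no way to hand Build() a custom anchor.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example, not Mono's or Microsoft's code. Drives the 2.0 X509Chain
// API over a PKITS-style test case: one end-entity certificate, zero or more
// intermediate CA certificates, and a trust anchor that must already sit in
// the machine's Root store (the 2.0 API has no way to pass a custom anchor).
public static class PkitsChainCheck
{
    // Returns the union of every problem the chain engine reported. NoError
    // means the path built cleanly and ended at the expected trust anchor.
    // File paths, the anchor thumbprint and the verification time are inputs;
    // none of them is hard-coded here.
    public static X509ChainStatusFlags Validate(string endEntityPath,
                                                string[] intermediatePaths,
                                                string anchorThumbprint,
                                                DateTime verificationTime)
    {
        X509Certificate2 endEntity = new X509Certificate2(endEntityPath);

        // Create() resolves "X509Chain" through CryptoConfig, so a machine.config
        // nameEntry can swap in another implementation; new X509Chain() would not.
        X509Chain chain = X509Chain.Create();

        // The Signature Verification and Validity Period sections do not
        // exercise revocation, and the suite's CRLs are not installed anyway.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // NoFlag: do not tolerate expired certificates, bad signatures or
        // unknown roots; the whole point is to see them reported.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        // Evaluate validity periods at a fixed instant rather than at "now",
        // otherwise the suite's verdict changes as the test data ages.
        chain.ChainPolicy.VerificationTime = verificationTime;

        foreach (string path in intermediatePaths)
            chain.ChainPolicy.ExtraStore.Add(new X509Certificate2(path));

        bool built = chain.Build(endEntity);

        X509ChainStatusFlags problems = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            // NotTimeValid is what the Validity Period cases produce,
            // NotSignatureValid what the Signature Verification cases produce.
            problems |= status.Status;
            Console.WriteLine("  {0}: {1}", status.Status, status.StatusInformation);
        }

        if (built)
        {
            // Build() succeeds for a path ending at ANY root the machine trusts.
            // A PKITS run has to confirm it ended at the PKITS trust anchor,
            // otherwise an unrelated root in the store masks a failure.
            X509ChainElementCollection elements = chain.ChainElements;
            X509Certificate2 root = elements[elements.Count - 1].Certificate;
            if (!string.Equals(root.Thumbprint, anchorThumbprint,
                               StringComparison.OrdinalIgnoreCase))
                problems |= X509ChainStatusFlags.UntrustedRoot;
        }
        return problems;
    }

    // Usage: PkitsChainCheck <anchor-thumbprint> <end-entity.crt> [intermediate.crt ...]
    public static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.WriteLine("usage: PkitsChainCheck <anchor-thumbprint> <end-entity.crt> [intermediate.crt ...]");
            return 2;
        }
        string[] intermediates = new string[args.Length - 2];
        Array.Copy(args, 2, intermediates, 0, intermediates.Length);

        X509ChainStatusFlags result = Validate(args[1], intermediates, args[0], DateTime.Now);
        Console.WriteLine("{0}: {1}", args[1], result);
        return result == X509ChainStatusFlags.NoError ? 0 : 1;
    }
}
```

Two things to watch when scoring a run this way: a "valid" PKITS case counts as passed only when the result is NoError and the last chain element really is the PKITS anchor, and an "invalid" case counts as passed only when the expected flag (NotTimeValid or NotSignatureValid for these two sections) is among the reported problems, not merely when Build() returns false.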

Sadly I may have run out of good news...


12/5/2006 20:53:41 | Comments

The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.