Certificate Authentication
A version of this page is also available for
4/8/2010
Authentication is the process of determining if a remote host can be trusted. To establish its trustworthiness, the remote host must provide an acceptable authentication certificate.
Remote hosts establish their trustworthiness by obtaining a certificate from a certification authority (CA). The CA may, in turn, have certification from a higher authority, and so on, creating a chain of trust. To determine whether a certificate is trustworthy, an application must determine the identity of the root CA, and then determine if it is trustworthy.
Windows Embedded CE maintains a database of trusted CAs. When a connection with a security infrastructure is attempted by an application, Windows Embedded CE extracts the root certificate from the certification chain and checks it against the CA database. It delivers the root certificate to the application through a certificate validation callback function, along with the results of the comparison against the CA database.
Applications bear ultimate responsibility for verifying that a certificate is acceptable. Applications can accept or reject any certificate. If a certificate is rejected, the connection is not completed. At a minimum, a certificate should meet two requirements: The certificate is current, and the identity contained in the certificate matches the root CA identity.
The certificate validation callback function must be implemented by all client applications that use secure sockets. The value it returns determines if the connection will be completed by Winsock. The value must have the following syntax.
int SslValidate (
DWORD dwType
LPVOID pvArg
DWORD dwChainLen
LPBLOB pCertChain
DWORD dwFlags
);
The parameters contain the following data:
- The dwType parameter specifies the data type pointed to by pCertChain. This must be SSL_CERT_X.509, specifying that pCertChain is a pointer to an X.509 style certificate.
- The pvArg parameter is the application-defined context, passed by the SSLVALIDATECERTHOOK structure.
- The dwChainLen parameter is the number of certificates pointed to by pCertChain. It will always be equal to one.
- The pCertChain parameter is a pointer to the root certificate. The BLOB struct is defined in Sslsock.h in the SDK. The pBlobData field points to a X.509 certificate (ISO standard). The certificate is not the root certificate but the server certificate. The caller must parse the certificate to extract the pertinent data like the subject and issuer names.
- If the root issuer of the certificate could not be found in the CA database, the dwFlags parameter will contain SSL_CERT_FLAG_ISSUER_UNKNOWN. The application can either attempt to verify the issuer itself, or return SSL_ERR_CERT_UNKNOWN.
The following table shows values returned by the callback function.
Return value | Description |
---|---|
SSL_ERR_BAD_DATA |
The certificate is not properly formatted. |
SSL_ERR_BAD_SIG |
The signature check failed. |
SSL_ERR_CERT_EXPIRED |
The certificate has expired. |
SSL_ERR_CERT_REVOKED |
The certificate has been revoked. |
SSL_ERR_CERT_UNKNOWN |
The issuer is unknown, or some unspecified problem arose in the certificate processing, rendering it unacceptable. |
SSL_ERR_OKAY |
The certificate is acceptable. |