SecureBlackbox 2020 macOS Edition

Questions / Feedback?

CertificateValidator Module

Properties   Methods   Events   Configuration Settings   Errors  

The CertificateValidator component provides fine-grained validation of X.509 certificates.

Syntax

nsoftware.SecureBlackbox.Certificatevalidator

Remarks

This is a powerful and configurable class which can be used to validate all kinds of certificates and their chains.

The purpose of CertificateValidator is to validate certificate chains according to the X.509 specification. It supports a variety of technologies, including CRL and OCSP services, and can provide a comprehensive output on the certificate cryptographic validity, chain integrity, and trust levels. CertificateValidator is used internally in many other SecureBlackbox components, such as PDFSigner, HTTPClient, and OfficeVerifier.

To validate a certificate, please tune up the component as following:

Depending on the complexity of the chain and the configuration of the component, the validation routine may take certain amount of time. The validator reports chain validation progress using a selection of events, such as BeforeCertificateProcessing, AfterCertificateProcessing, and CRLDownloaded events. It may also ask you for missing objects using CRLNeeded or CACertificateNeeded events. In each such event handler you can access the currently validated certificate via the CurrentCertificate property, and the interim validity figures via the InterimValidationResult and InterimValidationDetails property.

The return of the Validate (or similar) method indicates the completion of the validation procedure. The outcome of the chain validation is represented with the two parameters:

  • ChainValidationResult reports the general validation outcome: valid, valid-but-untrusted, invalid, and unknown. As a rule, only the valid result can be taken as a good reason to consider the chain valid.
  • ChainValidationDetails provides insights into the factors that caused the validation to fail.
Apart from these two parameters, you can check the low-level validation details by consulting the ValidationLog property. The validation log is often a great source for tracking and reacting to various validation issues.

Note 1: On Windows, CertificateValidator can use CA and ROOT system stores to look for any missing CA certificates and trust anchors. No similar functionality is currently available for other platforms, so in most cases you must provide your own list of trusted and CA certificates via TrustedCertificates and KnownCertificates collections to have your chains validate fully in Linux and macOS projects.

Note 2: The OfflineMode property is a handy way to check the completeness of your revocation/validation information. When the offline mode is on, CertificateValidator won't go online for any missing certificates, CRLs, and OCSP responses. Paired with a switched-off UseSystemCertificates property, it allows to make sure that any content provided via KnownCertificates, KnownCRLs, and KnownOCSPs represents the complete set of validation information required to validate the chain.

Property List


The following is the full list of the properties of the module with short descriptions. Click on the links for further details.

BlockedCertificatesThe certificates that must be rejected as trust anchors.
CacheValidationResultsEnables or disables validation result caching.
CertificateThe certificate to be validated.
ChainValidationDetailsThe details of a certificate chain validation outcome.
ChainValidationResultThe general outcome of a certificate chain validation routine. Use ChainValidationDetails to get information about the reasons that contributed to the validation result.
CurrentCACertificateThe CA of the currently processed certificate.
CurrentCertificateThe certificate that is currently being processed.
GracePeriodSpecifies a grace period to apply during certificate validation.
InterimValidationDetailsContains the validation details of the moment.
InterimValidationResultContains the validation status of the moment.
KnownCertificatesAdditional certificates for chain validation.
KnownCRLsAdditional CRLs for chain validation.
KnownOCSPsAdditional OCSP responses for chain validation.
MaxValidationTimeSpecifies the maximum time the validation process may take.
OfflineModeSwitches the component to the offline mode.
ProxyThe proxy server settings.
QualifiedIndicates a qualified electronic signature.
RevocationCheckSpecifies the kind(s) of revocation check to perform.
SocketSettingsManages network connection settings.
TLSClientChainThe TLS client certificate chain.
TLSServerChainThe TLS server's certificate chain.
TLSSettingsManages TLS layer settings.
TrustedCertificatesA list of trusted certificates for chain validation.
UsedCertificatesContains a list of certificates used during the chain validation routine.
UsedCRLsContains a list of CRLs used during the chain validation routine.
UseDefaultTSLsEnables or disables the use of the default TSLs.
UsedOCSPsContains a list of OCSP responses used during the chain validation routine.
UseSystemCertificatesEnables or disables the use of the system certificates.
ValidationLogContains the complete log of the certificate validation routine.
ValidationMomentThe time point at which chain validity is to be established.

Method List


The following is the full list of the methods of the module with short descriptions. Click on the links for further details.

ConfigSets or retrieves a configuration setting.
RefreshCacheRefreshes the certificate cache.
ResetCacheClears all data contained in the validation cache.
TerminateTerminates the validation process.
ValidateValidates the certificate chain.
ValidateForSMIMEValidates an e-mail signing certificate.
ValidateForSSLValidates a server-side SSL/TLS certificate.

Event List


The following is the full list of the events fired by the module with short descriptions. Click on the links for further details.

AfterCertificateProcessingMarks the end of a single certificate processing step.
AfterCertificateValidationMarks the end of a single certificate validation step.
BeforeCACertificateDownloadFires when a CA certificate is about to be downloaded.
BeforeCertificateProcessingReports the start of certificate processing.
BeforeCertificateValidationReports the start of certificate validation.
BeforeCRLDownloadFires when a CRL is about to be downloaded.
BeforeOCSPDownloadFires when a certificate's OCSP status is about to be requested.
CACertificateDownloadedMarks the success of a certificate download.
CACertificateNeededRequests a missing certificate from the user.
CRLDownloadedMarks the success of a CRL download.
CRLNeededRequests a missing CRL from the user.
ErrorInformation about errors during certificate validation.
NotificationThis event notifies the application about an underlying control flow event.
OCSPDownloadedMarks the success of an OCSP request.
TLSCertValidateThis event is fired upon receipt of the TLS server's certificate, allowing the user to control its acceptance.

Configuration Settings


The following is a list of configuration settings for the module with short descriptions. Click on the links for further details.

CacheValidityTimeTime period during which to keep validation cache.
CheckStrongAlgorithmForTrustedWhether to check a 'strong' hash algorithm for trusted certificates.
CheckValidityPeriodForTrustedWhether to check validity period for trusted certificates.
CrossCertificationValidationStrategyDefines how the cross certification validation is performed.
ForceCompleteChainValidationForTrustedWhether to validate the whole chain.
ForceRevocationCheckForRootWhether to check revocation info for root certificates.
IgnoreBadOCSPChainsWhether to ignore bad OCSP chains during validation.
IgnoreCABasicConstraintsWhether to ignore the Basic Constraints extension for the CA certificates.
IgnoreCAKeyUsageWhether to ignore Key Usage extension for CA certificates.
IgnoreCANameConstraintsWhether to ignore the Name Constraints extension for the CA certificates.
IgnoreOCSPNoCheckExtensionWhether OCSP NoCheck extension should be ignored.
IgnoreRevocationKeyUsageWhether to check the CA certs used to sign revocation info.
IgnoreSSLKeyUsageWhether to check the CA certs used in SSL/TLS.
IgnoreSystemTrustWhether trusted Windows Certificate Stores should be treated as trusted.
ImplicitlyTrustSelfSignedCertificatesWhether to trust self-signed certificates.
LookupCRLByNameIfDPNotPresentWhether to look for implicit CRL Distribution Points.
PromoteLongOCSPResponsesWhether long OCSP responses are requested.
RevocationMomentGracePeriodGrace period for revocation information propagation.
SkipSubjectNameIfAltNameExistsWhether to check CommonName if SubjectAltName is present.
UseMicrosoftCTLEnables or disables automatic use of Microsoft online certificate trust list.
ValidateInvalidCertificatesWhether to do all checks on invalid certificates.
WeakAlgorithmHandlingModeHow to handle certificates signed with a 'weak' hash algorithm.
CustomTSLsSpecifies the custom TSLs.
QualifiedStatusIndicates a qualified electronic signature.
TSLDistributionPointsContains XML content of distribution points of the TSL used.
TSLDistributionPoints[Idx]Contains distribution point of the specified index of the TSL used.
TSLHistoricalInformationPeriodContains historical information period of the TSL used.
TSLLegalNoticesContains XML content of legal notices of the TSL used.
TSLLegalNotices[lang]Contains legal notices for the specified language of the TSL used.
TSLListIssueDateTimeContains list issue date and time of the TSL used.
TSLNextUpdateContains next update date and time of the TSL used.
TSLPoliciesContains XML content of policies of the TSL used.
TSLPolicies[lang]Contains policies for the specified language of the TSL used.
TSLSchemeExtensionsContains XML content of scheme extensions of the TSL used.
TSLSchemeExtensions[Idx]Contains XML content of scheme extension of the specified index of the TSL used.
TSLSchemeInformationURIContains XML content of scheme information URI of the TSL used.
TSLSchemeInformationURI[lang]Contains scheme information URI for the specified language of the TSL used.
TSLSchemeNameContains XML content of scheme name of the TSL used.
TSLSchemeName[lang]Contains scheme name for the specified language of the TSL used.
TSLSchemeOperatorAddressContains XML content of scheme operator address of the TSL used.
TSLSchemeOperatorNameContains XML content of scheme operator name of the TSL used.
TSLSchemeOperatorName[lang]Contains scheme operator name for the specified language of the TSL used.
TSLSchemeTerritoryContains scheme territory of the TSL used.
TSLSchemeTypeCommunityRulesContains XML content of scheme type/community/rules of the TSL used.
TSLSchemeTypeCommunityRules[lang]Contains scheme type/community/rules for the specified language of the TSL used.
TSLSequenceNumberContains sequence number of the TSL used.
TSLsRetrieveLogContains the complete log of the TSLs retrieve.
TSLStatusDeterminationApproachContains status determination approach of the TSL used.
TSLsValidationLogContains the complete log of the TSLs validation.
TSLTSPAdditionalServiceInformationContains addtional service information of the TSP service used.
TSLTSPAddressContains XML content of the address of the TSP used.
TSLTSPHistoryInstanceIndicates that TSP service history instance used.
TSLTSPHistoryInstanceAdditionalServiceInformationContains addtional service information of the TSP service history instance used.
TSLTSPHistoryInstanceQualifiersContains list of qualifiers of the TSP service history instance used.
TSLTSPHistoryInstanceServiceInformationExtensionsContains XML content of information extensions of the TSP service history instance used.
TSLTSPHistoryInstanceServiceInformationExtensions[Idx]Contains XML content of information extension of the specified index of the TSP service history instance used.
TSLTSPHistoryInstanceServiceNameContains XML content of name of the TSP service history instance used.
TSLTSPHistoryInstanceServiceName[lang]Contains name for the specified language of the TSP service history instance used.
TSLTSPHistoryInstanceServiceStatusContains status of the TSP service history instance used.
TSLTSPHistoryInstanceServiceStatusStartingTimeContains status starting time of the TSP service history instance used.
TSLTSPHistoryInstanceServiceTypeIdentifierContains type identifier of the TSP service history instance used.
TSLTSPHistoryInstanceXMLContains XML content of the TSP service history instance used.
TSLTSPInformationExtensionsContains XML content of information extensions of the TSP used.
TSLTSPInformationExtensions[Idx]Contains XML content of information extension of the specified index of the TSP used.
TSLTSPInformationURIContains XML content of information URI of the TSP used.
TSLTSPInformationURI[lang]Contains information URI for the specified language of the TSP used.
TSLTSPNameContains XML content of name of the TSP used.
TSLTSPName[lang]Contains name for the specified language of the TSP used.
TSLTSPSchemeServiceDefinitionURIContains XML content of scheme service definition URI of the TSP service used.
TSLTSPSchemeServiceDefinitionURI[lang]Contains scheme service definition URI for the specified language of the TSP service used.
TSLTSPServiceDefinitionURIContains XML content of definition URI of the TSP service used.
TSLTSPServiceDefinitionURI[lang]Contains definition URI for the specified language of the TSP service used.
TSLTSPServiceInformationExtensionsContains XML content of information extensions of the TSP service used.
TSLTSPServiceInformationExtensions[Idx]Contains XML content of information extension of the specified index of the TSP service used.
TSLTSPServiceNameContains XML content of name of the TSP service used.
TSLTSPServiceName[lang]Contains name for the specified language of the TSP service used.
TSLTSPServiceQualifiersContains list of qualifiers of the TSP service used.
TSLTSPServiceStatusContains status of the TSP service used.
TSLTSPServiceStatusStartingTimeContains status starting time of the TSP service used.
TSLTSPServiceSupplyPointsContains XML content of the supply points of the TSP service used.
TSLTSPServiceTypeIdentifierContains type identifier of the TSP service used.
TSLTSPServiceXMLContains XML content of the TSP service used.
TSLTSPTradeNameContains XML content of trade name of the TSP used.
TSLTSPTradeName[lang]Contains trade name for the specified language of the TSP used.
TSLTSPXMLContains XML content of the TSP used.
TSLTypeContains TSL type of the TSL used.
TSLVersionIdentifierContains version identifier of the TSL used.
TSLXMLContains XML content of the TSL used.
CheckKeyIntegrityBeforeUseEnables or disable private key integrity check before use.
CookieCachingSpecifies whether a cookie cache should be used for HTTP(S) transports.
CookiesGets or sets local cookies for the component (supported for HTTPClient, RESTClient and SOAPClient only).
DefDeriveKeyIterationsSpecifies the default key derivation algorithm iteration count.
EnableClientSideSSLFFDHEEnables or disables finite field DHE key exchange support in TLS clients.
GlobalCookiesGets or sets global cookies for all the HTTP transports.
HttpUserAgentSpecifies the user agent name to be used by all HTTP clients.
LogDestinationSpecifies the debug log destination.
LogDetailsSpecifies the debug log details to dump.
LogFileSpecifies the debug log filename.
LogFiltersSpecifies the debug log filters.
LogFlushModeSpecifies the log flush mode.
LogLevelSpecifies the debug log level.
LogMaxEventCountSpecifies the maximum number of events to cache before further action is taken.
LogRotationModeSpecifies the log rotation mode.
MaxASN1BufferLengthSpecifies the maximal allowed length for ASN.1 primitive tag data.
MaxASN1TreeDepthSpecifies the maximal depth for processed ASN.1 trees.
OCSPHashAlgorithmSpecifies the hash algorithm to be used to identify certificates in OCSP requests.
UseOwnDNSResolverSpecifies whether the client components should use own DNS resolver.
UseSharedSystemStoragesSpecifies whether the validation engine should use a global per-process copy of the system certificate stores.
UseSystemOAEPAndPSSEnforces or disables the use of system-driven RSA OAEP and PSS computations.
UseSystemRandomEnables or disables the use of the OS PRNG.

Copyright (c) 2022 /n software inc. - All rights reserved.
SecureBlackbox 2020 macOS Edition - Version 20.0 [Build 8165]