5. Validation & Trust
Scenarios: 5
FFI Functions: ~40
Status: Planned
This category covers all scenarios for validating certificates and certificate chains: chain building, revocation checks, and policy validation.
Scenarios
| ID | Scenario | Description | Complexity | Status |
|---|---|---|---|---|
| 5.1 | Chain Building | Build certificate chain | * | Planned |
| 5.2 | Chain Validation | Complete chain verification | | Planned |
| 5.3 | Revocation Check | CRL/OCSP status verification | * | Planned |
| 5.4 | Policy Validation | Check certificate policies | * | Planned |
| 5.5 | Name Constraints | Verify namespace restrictions | | Planned |

Validation Process

<mermaid>
flowchart TB
    START[Receive certificate] --> BUILD[Chain Building]
    BUILD --> SIG[Verify signature]
    SIG --> TIME[Check validity]
    TIME --> REV[Check revocation]
    REV --> POLICY[Check policy]
    POLICY --> CONSTR[Check constraints]
    CONSTR --> RESULT{Result}
    RESULT -->|OK| VALID[Valid]
    RESULT -->|Error| INVALID[Invalid]
    style VALID fill:#e8f5e9
    style INVALID fill:#ffcdd2
</mermaid>

Validation Steps

| Step | Check | Error Condition |
|---|---|---|
| 1. Chain Building | Build chain to trust anchor | Missing intermediate |
| 2. Signature | Each certificate signed by issuer | Invalid signature |
| 3. Validity | notBefore <= now <= notAfter | Expired / Not yet valid |
| 4. Basic Constraints | CA flag, pathLen | Non-CA signs certificate |
| 5. Key Usage | keyCertSign for CAs | Wrong key usage |
| 6. Revocation | CRL or OCSP | Revoked |
| 7. Policy | Certificate Policies | Policy not accepted |
| 8. Name Constraints | permitted/excluded subtrees | Name outside scope |

Revocation Strategies

| Method | Advantages | Disadvantages | Usage |
|---|---|---|---|
| CRL | Offline capable, simple | Large files, delay | Enterprise, Offline |
| OCSP | Real-time, compact | Server required | Online services |
| OCSP Stapling | Performance, privacy | TLS server support needed | Web servers |

Industry-Specific Requirements

| Industry | Revocation | Specifics |
|---|---|---|
| Energy/SCADA | CRL (Offline) | No internet connection possible |
| Healthcare | OCSP | Real-time validation for ePrescription |
| Automotive | CRL + OCSP | V2X requires fast verification |
| Industry 4.0 | CRL | Production networks isolated |
Quick Start Code
```csharp
using System;
using System.Linq;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

// ctx (the library context) and serverCert (the certificate to check)
// are assumed to have been created earlier.

// Load trust store
var trustStore = ctx.LoadTrustStore("trust-store.p7b");

// Validate certificate
var result = ctx.ValidateCertificate(
    certificate: serverCert,
    trustStore: trustStore,
    options: new ValidationOptions
    {
        CheckRevocation = true,
        RevocationMode = RevocationMode.Online, // CRL + OCSP
        ValidatePolicy = true,
        AcceptedPolicies = new[] { "1.3.6.1.4.1.99999.1.1" } // Custom Policy OID
    }
);

if (result.IsValid)
{
    Console.WriteLine("Certificate valid");
    Console.WriteLine($"Chain: {string.Join(" -> ", result.Chain.Select(c => c.Subject))}");
}
else
{
    Console.WriteLine($"Error: {result.ErrorCode} - {result.ErrorMessage}");
}
```
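The error conditions in the Validation Steps table can be observed with .NET's built-in `X509Chain` engine, pinned to a single trust anchor. This is an added example, not code from the WvdS library or the original page; it assumes .NET 5 or later, and the root CA, leaf names and validity dates are constructed in memory for the demonstration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using F = System.Security.Cryptography.X509Certificates.X509ChainStatusFlags;

// Constructed in-memory test PKI (not real certificates): one root CA that issues leaves.
var now = DateTimeOffset.UtcNow;
using var rootKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var rootReq = new CertificateRequest("CN=Example Test Root", rootKey, HashAlgorithmName.SHA256);
rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
rootReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign, true));
using var root = rootReq.CreateSelfSigned(now.AddDays(-30), now.AddDays(30));

X509Certificate2 IssueLeaf(string cn, DateTimeOffset notAfter)
{
    using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
    var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256);
    req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
    return req.Create(root, now.AddDays(-10), notAfter, Guid.NewGuid().ToByteArray());
}

// Map .NET chain status flags to the error conditions in the Validation Steps table.
string Explain(F f) => f switch
{
    F.PartialChain => "Missing intermediate",
    F.UntrustedRoot => "Chain does not end at a trust anchor",
    F.NotSignatureValid => "Invalid signature",
    F.NotTimeValid => "Expired / Not yet valid",
    F.InvalidBasicConstraints => "Non-CA signs certificate",
    F.NotValidForUsage => "Wrong key usage",
    F.Revoked => "Revoked",
    F.RevocationStatusUnknown or F.OfflineRevocation => "Revocation status unavailable",
    F.NoIssuanceChainPolicy or F.InvalidPolicyConstraints => "Policy not accepted",
    F.HasNotPermittedNameConstraint or F.HasExcludedNameConstraint => "Name outside scope",
    _ => f.ToString()
};

string Validate(X509Certificate2 cert)
{
    using var chain = new X509Chain();
    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // only our anchor, not the OS store
    chain.ChainPolicy.CustomTrustStore.Add(root);
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;    // test certs carry no CRL/OCSP URLs
    return chain.Build(cert) ? $"{cert.Subject}: valid" : $"{cert.Subject}: INVALID: "
        + string.Join(", ", chain.ChainStatus.Select(s => Explain(s.Status)).Distinct());
}

Console.WriteLine(Validate(IssueLeaf("good.example.test", now.AddDays(10))));    // inside validity window
Console.WriteLine(Validate(IssueLeaf("expired.example.test", now.AddDays(-1)))); // notAfter already passed
```

Revocation is switched off here only because the constructed certificates have no distribution points. With real certificates, enable it and treat an unavailable revocation status as a validation failure rather than a pass.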
Related Categories
| Category | Relationship |
|---|---|
| 1. PKI Infrastructure | Set up trust store |
| 6. Revocation | Provide CRL/OCSP |
| 10. TLS/mTLS | Validation in TLS handshake |
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Last modified: on 2026/01/30 at 12:30 AM