API Reference | developer.brewmp.com

API Reference

IX509CHAIN

Brew Release
Brew MP 1.0.2
Description
The IX509Chain interface is deprecated. Refer to the ICertChain, ICertParse, and ICertBag interfaces instead.
This interface is used for managing and verifying a chain of X.509 certificates.
The IX509Chain interface performs the following tasks:
- Manages the storage of certs, or accommodates your own means of storage.

- Gives access to the parsed fields of a cert, for display to the user or for other uses.

- Verifies the cert chain against a set of trusted roots and verification parameters.

- Stores a cert using the standard inherited WebOpts functions.
Usage

To use the IX509Chain interface:


1) Add the root certs, the server's (leaf) cert and the intermediate (branch) certs using IX509CHAIN_AddCert() or IX509CHAIN_AddOpt().
2) Call IX509CHAIN_Verify() to find out whether the chain is trusted.
3) If the chain is not trusted and you want to override the failure, add X509TrustOverride records with IX509CHAIN_AddOpt(). An override accepts a chain that failed verification, so add one only for a specific failure you have examined and deliberately chosen to accept.
4) Use IX509CHAIN_GetBasic() or IX509CHAIN_GetRSAKey() to obtain the public key if you need it for an operation such as encrypting a session key.

To display a single certificate:


1) Identify the cert within the collection. A cert is identified by its type (root, branch or leaf) and an index: the WebOpt ID gives the certificate type (see the constants below) and the WebOpt index gives the certificate index.
2) Identify the field of the cert, for example the extensions, the subject, or the serial number. The basic fields are returned as parts of the result of IX509CHAIN_GetBasic(); larger items that do not fit on the stack and must be treated as binary blobs are fetched by passing the ID of the field to IX509CHAIN_GetField() or IX509CHAIN_GetFieldPart(). If you are not using GetFieldPart, skip the next two steps.
3) Give the OID of the part of the issuer/subject, or the OID of the extension, that you want. The OID can be given in two ways: as one of the pre-defined IDs in AEEASN1OIDS.h, or as the full OID in DER/BER-encoded ASN.1 form.
4) Specify which instance of the OID in the field you want, for example the second OU (organizational unit) in the issuer field. You may also iterate over all instances.

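The three procedures above (add certs and verify, override a failure, fetch a field or the public key) are what any chain verifier does, whatever the API. The following is an added example written for this page, not Brew MP code and not a reproduction of the IX509Chain API: it uses pyca/cryptography to build a constructed root, branch and leaf, walks the chain leaf-to-root checking validity window, CA status and each signature, picks the second OU out of the issuer field by OID and instance, and encrypts a session key to the verified leaf's RSA key. The `override_expired` parameter is a hypothetical stand-in for an X509TrustOverride record, and `now_plus` is a helper added for testing; neither is part of the Brew interface.

```python
# Added illustration of the IX509Chain workflow using pyca/cryptography (NOT Brew MP code).
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _make_cert(subject, issuer_name, issuer_key, public_key, is_ca, serial):
    """Build and sign one certificate (constructed fixture, not real PKI data)."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
               .public_key(public_key).serial_number(serial)
               .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key, hashes.SHA256())


def build_demo_chain():
    """Constructed root -> intermediate (branch) -> leaf chain, plus the leaf's private key."""
    root_key, branch_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Root")])
    branch_name = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Demo Org"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Security"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "PKI"),  # the "second OU"
        x509.NameAttribute(NameOID.COMMON_NAME, "Demo Intermediate"),
    ])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "server.example")])
    root = _make_cert(root_name, root_name, root_key, root_key.public_key(), True, 1)
    branch = _make_cert(branch_name, root_name, root_key, branch_key.public_key(), True, 2)
    leaf = _make_cert(leaf_name, branch_name, branch_key, leaf_key.public_key(), False, 3)
    return root, branch, leaf, leaf_key


def now_plus(days):
    """Test helper (not part of any real API): an aware UTC timestamp `days` from now."""
    return datetime.now(timezone.utc) + timedelta(days=days)


def _validity(cert):
    """Validity window as aware datetimes (attribute names changed in cryptography 42)."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return tuple(t.replace(tzinfo=timezone.utc) for t in (cert.not_valid_before, cert.not_valid_after))


def _signed_by(cert, issuer):
    """True if the issuer's public key verifies cert's signature over its TBS bytes."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def verify_chain(leaf, branches, roots, now=None, override_expired=frozenset()):
    """Walk leaf -> branches -> trusted root; return (trusted, reason). override_expired is a
    hypothetical stand-in for an X509TrustOverride: serials whose expiry the caller accepts."""
    now = now or datetime.now(timezone.utc)
    trusted = {r.subject: r for r in roots}
    by_subject = {b.subject: b for b in branches}
    cert = leaf
    for depth in range(len(branches) + 1):  # bounded walk: no cycles, no unbounded paths
        nb, na = _validity(cert)
        if not (nb <= now <= na) and cert.serial_number not in override_expired:
            return False, "outside validity window: " + cert.subject.rfc4514_string()
        if depth > 0:  # anything acting as an issuer must be marked as a CA
            try:
                is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
            except x509.ExtensionNotFound:
                is_ca = False
            if not is_ca:
                return False, "non-CA cert used as issuer: " + cert.subject.rfc4514_string()
        issuer = trusted.get(cert.issuer) or by_subject.get(cert.issuer)
        if issuer is None:
            return False, "no issuer cert for " + cert.subject.rfc4514_string()
        if not _signed_by(cert, issuer):  # a matching issuer name alone proves nothing
            return False, "bad signature on " + cert.subject.rfc4514_string()
        if cert.issuer in trusted:
            return True, "chains to trusted root " + issuer.subject.rfc4514_string()
        cert = issuer
    return False, "chain does not reach a trusted root"


def nth_issuer_attribute(cert, oid, n):
    """Display step: the n-th (0-based) instance of `oid` in the issuer field, or None."""
    attrs = cert.issuer.get_attributes_for_oid(oid)
    return attrs[n].value if n < len(attrs) else None


_OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def wrap_session_key(cert, session_key):
    """Encrypt a session key to the verified leaf's RSA public key (RSA-OAEP, not raw PKCS#1)."""
    return cert.public_key().encrypt(session_key, _OAEP)


def unwrap_session_key(private_key, wrapped):
    """Server side: recover the session key with the matching private key."""
    return private_key.decrypt(wrapped, _OAEP)
```

Two points the walk makes that the step list only implies: the issuer is located by name but accepted only after its key verifies the signature, so a cert whose issuer field merely names a trusted CA is rejected, and the override is keyed to a specific cert and a specific failure rather than switching verification off. Only use the public key from `wrap_session_key` after `verify_chain` has returned trusted.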