A certificate chain is a hierarchy of certificates that leads from a given certificate up to a trusted certificate, usually a CA's certificate. The purpose of the certificate chain is to allow a sender to establish trust with the recipient. Within the Toolkit, an application can build a chain using the Vtk_ValidationAddCertChain function. This validation function builds a certificate chain for the specified certificate and adds all the certificates to the validation query.
The CA certificates stored in the Vtk_Ctxt are used while constructing the chain with the Vtk_ValidationAddCertChain function. When an application calls this function, it can supply a Vtk_ChainBuildCallback function pointer that the Toolkit calls every time it discovers a new link in the certificate chain.
Certificates in a certificate chain come either from the intermediate certificate store or from the trusted certificate store. Certificates in the intermediate certificate store are not the highest certificates in the certificate hierarchy. However, an application can choose to trust an intermediate certificate and discontinue building the certificate chain, or continue building the chain until it encounters a certificate it is satisfied to trust, usually one from the trusted certificate store.
Code Sample for Building and Validating a Certificate Chain
This sample demonstrates how to build and validate the entire certificate chain for the specified certificate.
    #include <assert.h>

    /*
     * ChainValidation
     *
     * Parameters:
     *   pCtxt     - pointer to Toolkit context
     *   pUserCert - user certificate to be validated
     *   pCAsFile  - name of the file with trusted CA
     *               certificates in Base64 format.
     *
     * showError() is the sample's error-reporting helper; it is not shown here.
     */
    int ChainValidation(Vtk_Ctxt *pCtxt, const Vtk_Cert *pUserCert, const char *pCAsFile)
    {
        Vtk_CertStore *pCaStore = NULL;
        Vtk_Validation *pVal = NULL;
        Vtk_uint32 ret, status;

        /*
         * Create a validation structure.
         * Validation structures encapsulate a validation operation to a VA
         * using any of the toolkit-supported validation protocols.
         */
        pVal = Vtk_ValidationNew(pCtxt);
        assert(pVal);

        /*
         * Initialize a certificate store for the trusted CA certificates.
         */
        pCaStore = Vtk_CertStoreNew(pCtxt);
        assert(pCaStore);

        /*
         * Load trusted CA certificates from the specified file.
         */
        if ((ret = Vtk_CertStoreLoadFromFile(pCtxt, pCaStore, pCAsFile, VTK_DF_BASE64)) != VTK_OK) {
            Vtk_CertStoreDelete(pCaStore);
            Vtk_ValidationDelete(pVal);
            showError("Vtk_CertStoreLoadFromFile", ret);
            return -1;
        }

        /*
         * This call adds certificates to the list of trusted
         * certificates. These can be VA or CA certificates, or both.
         * The store is no longer needed once its certificates are in the context.
         */
        ret = Vtk_CtxtAddCerts(pCtxt, VTK_TRUSTED_CA_CERT, pCaStore);
        Vtk_CertStoreDelete(pCaStore);
        pCaStore = NULL;
        if (ret != VTK_OK) {
            showError("Vtk_CtxtAddCerts", ret);
            Vtk_ValidationDelete(pVal);
            return -1;
        }

        /*
         * Vtk_ValidationAddCertChain
         *
         * This call builds a certificate chain for the specified
         * certificate and adds all the certificates to the validation
         * structure. The CA certificates stored in the Vtk_Ctxt are used
         * while constructing the chain.
         */
        ret = Vtk_ValidationAddCertChain(pCtxt, pVal, pUserCert, NULL, NULL);
        if (ret != VTK_OK) {
            showError("Vtk_ValidationAddCertChain", ret);
            Vtk_ValidationDelete(pVal);
            return -1;
        }

        /*
         * Vtk_ValidationValidate
         *
         * Performs the certificate validation.
         */
        ret = Vtk_ValidationValidate(pCtxt, pVal, &status);
        if (ret != VTK_OK) {
            showError("Vtk_ValidationValidate", ret);
            Vtk_ValidationDelete(pVal);
            return -1;
        }

        /*
         * IMPORTANT
         *
         * At this point the application would continue processing the
         * validation results held in 'status', such as displaying or
         * storing them, or passing them to another function.
         */
        Vtk_ValidationDelete(pVal);
        return 0;
    } /* ChainValidation */
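The chain-building rules described above (each link comes from the intermediate or the trusted store, a callback is invoked per discovered link and may stop the walk early, and the walk ends once a trusted certificate is reached) as an added, self-contained C illustration. This is not Toolkit code and uses no Vtk API: ToyCert, LinkCallback, build_chain, chain_result and the sample store contents are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy certificate: only subject/issuer names matter for chain building. */
typedef struct { const char *subject; const char *issuer; } ToyCert;
/* Called once per discovered link (the role Vtk_ChainBuildCallback plays); return 0 to stop. */
typedef int (*LinkCallback)(const ToyCert *link, int from_trusted_store, void *arg);
static const ToyCert *find_by_subject(const ToyCert *store, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(store[i].subject, name) == 0) return &store[i];
    return NULL;
}

/* Walk issuer links from the leaf. Returns the number of links added; *ends_trusted is 1 only
 * when the last link came from the trusted store. The depth bound stops issuer loops. */
int build_chain(const ToyCert *leaf, const ToyCert *inter, size_t n_inter,
                const ToyCert *trusted, size_t n_trusted,
                LinkCallback cb, void *arg, int *ends_trusted) {
    const ToyCert *cur = leaf;
    int links = 0;
    *ends_trusted = 0;
    for (int depth = 0; depth < 16; depth++) {
        const ToyCert *next = find_by_subject(trusted, n_trusted, cur->issuer);
        int from_trusted = (next != NULL);
        if (!next) next = find_by_subject(inter, n_inter, cur->issuer);
        if (!next) return links;                              /* issuer not in either store */
        links++;
        if (cb && !cb(next, from_trusted, arg)) return links; /* application chose to stop */
        if (from_trusted) { *ends_trusted = 1; return links; }
        cur = next;
    }
    return links;
}

/* Constructed sample stores: user -> Intermediate -> Root, with Root self-issued. */
static const ToyCert LEAF = { "CN=user", "CN=Intermediate" };
static const ToyCert INTER_STORE[] = { { "CN=Intermediate", "CN=Root" } };
static const ToyCert TRUSTED_STORE[] = { { "CN=Root", "CN=Root" } };

static int print_link(const ToyCert *l, int t, void *a) {
    (void)a; printf("link: %s (%s store)\n", l->subject, t ? "trusted" : "intermediate"); return 1;
}
static int stop_here(const ToyCert *l, int t, void *a) { (void)l; (void)t; (void)a; return 0; }
/* Positive: links up to a trusted certificate; negative: the callback stopped the walk after
 * that many links; 0: the leaf's issuer is in neither store. */
int chain_result(const ToyCert *leaf, LinkCallback cb) {
    int ends_trusted, n = build_chain(leaf, INTER_STORE, 1, TRUSTED_STORE, 1, cb, NULL, &ends_trusted);
    return ends_trusted ? n : -n;
}
int main(void) { printf("result: %d\n", chain_result(&LEAF, print_link)); return 0; }
```

A real chain builder also verifies each link's signature and validity period; this sketch only shows how the two stores and the per-link callback shape the walk.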