Authentication is the process of determining whether a remote host is who it claims to be and can therefore be trusted. To establish its identity, the remote host must present an acceptable certificate based on public-key cryptography. Windows CE supports X.509 certificates.
Remote hosts establish their trustworthiness by obtaining a certificate from a Certificate Authority (CA). The CA may, in turn, have certification from a higher authority, and so on, creating a chain of trust. To determine whether a certificate is trustworthy, an application must determine the identity of the root CA, and then decide if it can be trusted.
Windows CE maintains a database of trusted CAs. When an application attempts a secure connection, Windows CE extracts the root certificate from the certification chain and checks it against the CA database. It then delivers the root certificate to the application through a certificate validation callback function, along with the result of the comparison against the CA database. That comparison only establishes whether the root is a known CA; it does not by itself establish that the certificate is current or that it was issued for the host the application intended to reach, which is why the application gets the final decision.
Applications bear ultimate responsibility for deciding whether the certificate is acceptable. They are free to accept or reject any certificate based on whatever criteria are appropriate; if the callback rejects the certificate, the connection is not completed. At a minimum a certificate should meet two requirements: it should be current (the present time falls within its validity period), and the identity it contains should be the one the application expects (the root CA it trusts, for the root certificate it is handed, and the server it intended to reach, for the server's own certificate). A callback that returns SSL_ERR_OKAY unconditionally defeats the check entirely, because any host that can present a well-formed certificate is then accepted.
The certificate validation callback function must be implemented by all client applications that use secure sockets. The value it returns determines whether or not the connection will be completed by Winsock. It must have the following syntax:
```c
int SslValidate (
    DWORD dwType,
    LPVOID pvArg,
    DWORD dwChainLen,
    LPBLOB pCertChain,
    DWORD dwFlags
);
```
The parameters contain the following information:

| Parameter | Description |
|---|---|
| dwType | Format of the certificate data pointed to by pCertChain. |
| pvArg | Application-defined argument, passed through to the callback unchanged so the application can supply its own context (for example, the host name it intended to reach). |
| dwChainLen | Number of certificates pointed to by pCertChain. |
| pCertChain | The certificate data that Windows CE delivers to the application, as described above. |
| dwFlags | Flags carrying the result of the comparison against the CA database. |
The values returned by the callback function are described in the following table.

| Return value | Description |
|---|---|
| SSL_ERR_BAD_DATA | The certificate is not properly formatted. |
| SSL_ERR_BAD_SIG | The signature check failed. |
| SSL_ERR_CERT_EXPIRED | The certificate has expired. |
| SSL_ERR_CERT_REVOKED | The certificate has been revoked by its issuer. |
| SSL_ERR_CERT_UNKNOWN | The issuer is unknown, or some unspecified problem arose in the processing of the certificate, rendering it unacceptable. |
| SSL_ERR_OKAY | The certificate is acceptable. |
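The following is an added example of the decision logic such a callback should implement; it is not code from the original page or from Windows CE. It is written as portable C so it compiles anywhere: the Windows CE typedefs (DWORD, LPVOID, BLOB), the numeric values of the SSL_ERR_* codes, the dwType value for X.509 data, the flag bit signalling an unknown issuer, the DecodedCert struct and the use of pvArg to carry the expected host name are all assumptions. A real callback receives raw X.509 bytes in pCertChain and must parse them first; here the blob is assumed to already hold a decoded DecodedCert so the policy can be exercised. The block also shows the accept-everything anti-pattern beside the fail-closed version.

```c
/* Added example (not code from the original page): fail-closed decision logic
 * for a Windows CE SslValidate callback. Portable C: the Windows CE typedefs,
 * the numeric SSL_ERR_* values, the dwType value, the issuer-unknown flag bit
 * and the DecodedCert struct are assumptions. A real callback receives raw
 * X.509 bytes in pCertChain; here the blob already holds a DecodedCert. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

typedef unsigned long DWORD; typedef void *LPVOID;  /* assumed stand-ins for Windows CE types */
typedef struct { DWORD cbSize; unsigned char *pBlobData; } BLOB, *LPBLOB;

enum {   /* return codes named on the page; the numeric values are assumed */
    SSL_ERR_OKAY = 0, SSL_ERR_BAD_DATA, SSL_ERR_BAD_SIG,
    SSL_ERR_CERT_EXPIRED, SSL_ERR_CERT_REVOKED, SSL_ERR_CERT_UNKNOWN
};
#define CERT_TYPE_X509      1    /* assumed dwType value for X.509 data */
#define FLAG_ISSUER_UNKNOWN 0x1  /* assumed dwFlags bit: root not in the CA database */

typedef struct {   /* hypothetical decoded view of the certificate */
    int well_formed, signature_valid, revoked;
    time_t not_before, not_after;
    const char *subject_host;   /* host name the server certificate asserts */
} DecodedCert;

static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Host match with at most one wildcard, in the left-most label only:
 * "*.example.com" matches "www.example.com" but not "example.com" or
 * "a.b.example.com"; a bare "*" matches nothing. */
int host_matches(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host) return 0;
    if (pattern[0] == '*') {
        const char *dot = strchr(host, '.');
        if (pattern[1] != '.' || !dot || dot == host) return 0;
        return strchr(pattern + 2, '*') == NULL && ci_equal(pattern + 1, dot);
    }
    return strchr(pattern, '*') == NULL && ci_equal(pattern, host);
}

/* Policy decision. Structural failures first, then trust, then identity;
 * every path except the last line rejects. */
int validate_policy(const DecodedCert *c, DWORD dwFlags,
                    const char *expected_host, time_t now)
{
    if (!c || !c->well_formed)          return SSL_ERR_BAD_DATA;
    if (!c->signature_valid)            return SSL_ERR_BAD_SIG;
    if (c->revoked)                     return SSL_ERR_CERT_REVOKED;
    if (now < c->not_before || now > c->not_after)
        return SSL_ERR_CERT_EXPIRED;    /* not yet valid is also "not current" */
    if (dwFlags & FLAG_ISSUER_UNKNOWN)  return SSL_ERR_CERT_UNKNOWN;
    if (!host_matches(c->subject_host, expected_host))
        return SSL_ERR_CERT_UNKNOWN;    /* valid certificate, but for another host */
    return SSL_ERR_OKAY;
}

/* The callback shape from the page. pvArg is assumed to carry the host name
 * the application intended to connect to. */
int SslValidate(DWORD dwType, LPVOID pvArg, DWORD dwChainLen,
                LPBLOB pCertChain, DWORD dwFlags)
{
    if (dwType != CERT_TYPE_X509 || dwChainLen < 1 || !pCertChain || !pvArg ||
        !pCertChain->pBlobData || pCertChain->cbSize < sizeof(DecodedCert))
        return SSL_ERR_BAD_DATA;        /* never accept what you cannot parse */
    return validate_policy((const DecodedCert *)pCertChain->pBlobData, dwFlags,
                           (const char *)pvArg, time(NULL));
}

/* The anti-pattern: a callback that completes every connection, which makes
 * the CA database check and the certificate's contents irrelevant. */
int SslValidate_accept_all(DWORD dwType, LPVOID pvArg, DWORD dwChainLen,
                           LPBLOB pCertChain, DWORD dwFlags)
{
    (void)dwType; (void)pvArg; (void)dwChainLen; (void)pCertChain; (void)dwFlags;
    return SSL_ERR_OKAY;
}

int main(void)
{
    /* constructed certificate: valid around "now", issued for *.example.com */
    time_t now = time(NULL);
    DecodedCert c = { 1, 1, 0, now - 86400, now + 365 * 86400L, "*.example.com" };
    BLOB blob = { (DWORD)sizeof c, (unsigned char *)&c };
    printf("www.example.com, known root   -> %d\n",
           SslValidate(CERT_TYPE_X509, (LPVOID)"www.example.com", 1, &blob, 0));
    printf("www.example.com, unknown root -> %d\n",
           SslValidate(CERT_TYPE_X509, (LPVOID)"www.example.com", 1, &blob, FLAG_ISSUER_UNKNOWN));
    printf("evil.test, known root         -> %d\n",
           SslValidate(CERT_TYPE_X509, (LPVOID)"evil.test", 1, &blob, 0));
    return 0;
}
```

The ordering in validate_policy is deliberate: a malformed or badly signed certificate is rejected before any of its fields are trusted, the CA database result (dwFlags) is consulted before the identity check, and the only way to reach SSL_ERR_OKAY is to pass every test. Whatever the real callback parses out of the X.509 blob, the same fail-closed shape applies.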