Lodle

Reputation: 32177

WinVerifyTrust returning CERT_E_CHAINING

Some users are reporting that Desura (the program that I develop) won't start because the service returns the error code CERT_E_CHAINING when it tries to verify the code signing certificate.

MSDN describes this as: A chain of certificates was not correctly created.

I can't seem to work out what causes this or what this error means. Any ideas?

Upvotes: 1

Views: 4386

Answers (1)

Oleg

Reputation: 221997

In the documentation of WinVerifyTrust on MSDN you can read:

For certificate verification, use the CertGetCertificateChain and CertVerifyCertificateChainPolicy functions.

The problem is that quite a lot of work has to be done if one needs to verify whether a certificate is permitted for code signing. First of all, the certificate itself must be valid and it must have szOID_PKIX_KP_CODE_SIGNING ("1.3.6.1.5.5.7.3.3"). Additionally, its parent and the parent's parent must be OK. For example, if the parent has only szOID_PKIX_KP_CLIENT_AUTH ("1.3.6.1.5.5.7.3.2") in the Enhanced Key Usage, or if one of the parent certificates is revoked, the certificate which you try to verify will be invalid. So the chain has to be built and the chain has to be verified.

Many interesting situations can arise. For example, it can be that one of the parent certificates has expired by now. On the other hand, the certificates will typically not only be signed, but time stamping will have been used as well. So one can verify that the root certificate, as the issuer, has expired by now, but that the root certificate was still valid at the time the child certificate was issued. If the time of signing of the child certificate was proved by the corresponding time stamp signature, and the issued certificate has not yet expired, the child certificate will be valid. I hope the example is not too complex. I only want to show that not only should every certificate in the chain be verified, but the whole chain should be validated. Sorry for such a long explanation.

I suppose that WinVerifyTrust uses the functions CertGetCertificateChain and CertVerifyCertificateChainPolicy internally in some way, but with exactly which parameters is not clear. Many things depend on the parameters of the WINTRUST_DATA which you use.

In any case, the error CERT_E_CHAINING can come from CertGetCertificateChain, CertVerifyCertificateChainPolicy or any other API used internally. For example, it can come from the dwError field of the CERT_CHAIN_POLICY_STATUS used as the pPolicyStatus parameter of CertVerifyCertificateChainPolicy.

You wrote that "some users are reporting" the error, so it can be that the users are using your application in the wrong way or that some certificates are installed incorrectly. When one exports a certificate, for example, one can do it together with the parent certificates or without the parents. If one exports a certificate without its parents, the validation of the imported certificate will be a little more complex. In some situations the root certificate can be downloaded based on the URLs from the child certificate, but in other situations it will be impossible. If the parent certificate or the parent's parent cannot be found or downloaded, you will get the CERT_E_CHAINING error.

Upvotes: 4
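A diagnostic script for the situation the answer describes, added here as an example (it is not from the question, the answer, or the Desura project). It runs on an affected user's machine and builds the signer's chain with the code-signing EKU, so you can see which element fails and why. It uses .NET's X509Chain, which wraps CertGetCertificateChain and CertVerifyCertificateChainPolicy, so the status flags it reports are the same CERT_TRUST_* bits that WinVerifyTrust evaluates. The install path is an assumption; change it to wherever the binary lives.

```powershell
# Added diagnostic script, not part of the original question or answer.
# Assumes the signed binary is at the path passed in; adjust for the user's install.
function Test-CodeSigningChain {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Use Offline for users without network access: a chain that fails only
        # with RevocationStatusUnknown is a different problem from a missing issuer.
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'Online'
    )

    # WinVerifyTrust's verdict on the file as a whole, for comparison.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Host ("Authenticode status : {0} ({1})" -f $sig.Status, $sig.StatusMessage)
    if (-not $sig.SignerCertificate) {
        throw "No signer certificate found in $Path"
    }
    if ($sig.TimeStamperCertificate) {
        Write-Host ("Timestamped by      : {0}" -f $sig.TimeStamperCertificate.Subject)
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Require szOID_PKIX_KP_CODE_SIGNING. With an application policy set, the chain
    # engine also rejects an issuer whose own EKU does not permit it, e.g. a CA
    # certificate that carries only szOID_PKIX_KP_CLIENT_AUTH.
    $codeSigning = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add($codeSigning)
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    # VerificationTime defaults to now. If you know the timestamp's signing time,
    # set $chain.ChainPolicy.VerificationTime to it so an issuer that expired
    # after signing is judged as of that moment, as the answer describes.

    $built = $chain.Build($sig.SignerCertificate)
    Write-Host "Chain builds cleanly: $built"
    foreach ($s in $chain.ChainStatus) {
        Write-Host ("  chain status      : {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }

    # Walk leaf -> root. Element 0 is the signer; the last element is the root
    # only if one was found. A chain that stops at an intermediate flagged
    # PartialChain (CERT_TRUST_IS_PARTIAL_CHAIN) is what the base policy in
    # CertVerifyCertificateChainPolicy reports as CERT_E_CHAINING: the parent was
    # neither in a local store nor fetchable from the AIA URL in the child.
    $i = 0
    foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        Write-Host ("[{0}] {1}" -f $i, $c.Subject)
        Write-Host ("     issuer  : {0}" -f $c.Issuer)
        Write-Host ("     validity: {0:u} .. {1:u}" -f $c.NotBefore, $c.NotAfter)
        $eku = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($eku) {
            $usages = ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -join ', '
            Write-Host ("     EKU     : {0}" -f $usages)
        } else {
            Write-Host "     EKU     : (none: not restricted)"
        }
        foreach ($s in $el.ChainElementStatus) {
            Write-Host ("     status  : {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
        }
        $i++
    }

    return $built
}

# Assumed install path; replace with the real location on the affected machine.
Test-CodeSigningChain -Path 'C:\Program Files\Desura\desura.exe'
```

Run it once on a machine where the program starts and once on a machine that reports CERT_E_CHAINING, and diff the element list: a missing intermediate shows up as a shorter chain with PartialChain on the last element, an untrusted or removed root as UntrustedRoot, and an issuer whose EKU excludes code signing as NotValidForUsage on that element. If the failing machines are offline, rerun with -RevocationMode Offline before concluding anything from RevocationStatusUnknown.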
