Manually Validating Schannel Credentials

By default, Schannel validates the server certificate by calling the WinVerifyTrust function; however, if you have disabled this feature using the ISC_REQ_MANUAL_CRED_VALIDATION flag, you must validate the certificate provided by the server that is attempting to establish its identity.

To manually validate the server certificate, you must first get it. Use the QueryContextAttributes (General) function and specify the SECPKG_ATTR_REMOTE_CERT_CONTEXT attribute value. This attribute returns a CERT_CONTEXT structure with the certificate chain supplied by the server. This certificate chain contains the leaf certificate. It is called the leaf certificate because it is the last certificate in the certificate chain and is farthest away from the root certificate. Certificate ordering in the SSPI context buffer does not imply any certificate chaining relationship.

Using the leaf certificate you must verify the following:

  • The certificate chain is complete and the root is a certificate from a trusted certification authority (CA).
  • The current time is not beyond the begin and end dates for each of the certificates in the certificate chain.
  • None of the certificates in the certificate chain have been revoked.
  • The depth of the leaf certificate is not deeper than the maximum allowable depth specified in the certificate extension. This check is only necessary if there is a depth specified.
  • The usage of the certificate is correct, for example, a client certificate should not be used to authenticate a server.
  • For server authentication, the server identity contained in the server's leaf certificate matches the server that the client is attempting to contact. Typically, the client will match some item in the certificate's Subject Name field to the server's IP address or DNS name.
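The steps above as an added example, not code from the Schannel documentation: after the handshake the client pulls the leaf out of the context with QueryContextAttributes, then lets the CryptoAPI chain engine perform the six checks in the list. The function names GetRemoteCertificate and VerifyServerCertificate are this example's own; it assumes the caller links against crypt32.lib and secur32.lib.

```c
#ifdef _WIN32   /* Schannel and CryptoAPI exist only on Windows; elsewhere this file is a no-op */
#define SECURITY_WIN32
#include <windows.h>
#include <wincrypt.h>
#include <security.h>
/* Step 1: after the handshake, fetch the server's leaf certificate from the Schannel context.
 * The intermediates the server sent are in (*ppCert)->hCertStore; free *ppCert with CertFreeCertificateContext. */
SECURITY_STATUS GetRemoteCertificate(CtxtHandle *phContext, PCCERT_CONTEXT *ppCert)
{
    return QueryContextAttributes(phContext, SECPKG_ATTR_REMOTE_CERT_CONTEXT, (PVOID)ppCert);
}

/* Step 2: the six checks from the list above. Returns ERROR_SUCCESS when the chain passes, otherwise
 * a CERT_E_* / CRYPT_E_* / TRUST_E_* code such as CERT_E_EXPIRED, CRYPT_E_REVOKED or CERT_E_CN_NO_MATCH. */
DWORD VerifyServerCertificate(PCCERT_CONTEXT pServerCert, LPCWSTR pwszServerName)
{
    LPSTR rgszUsages[] = { szOID_PKIX_KP_SERVER_AUTH };
    CERT_CHAIN_PARA chainPara = { sizeof(chainPara) };
    PCCERT_CHAIN_CONTEXT pChain = NULL;
    HTTPSPolicyCallbackData sslPara = { sizeof(sslPara) };
    CERT_CHAIN_POLICY_PARA policyPara = { sizeof(policyPara) };
    CERT_CHAIN_POLICY_STATUS policyStatus = { sizeof(policyStatus) };
    DWORD status;
    if (pServerCert == NULL || pwszServerName == NULL)
        return ERROR_INVALID_PARAMETER;

    /* Build the chain from the leaf up to a trusted root (checks 1 and 2), require the server
     * authentication EKU (check 5) and check revocation for every certificate except the root (check 3). */
    chainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
    chainPara.RequestedUsage.Usage.cUsageIdentifier = 1;
    chainPara.RequestedUsage.Usage.rgpszUsageIdentifier = rgszUsages;
    if (!CertGetCertificateChain(NULL, pServerCert, NULL, pServerCert->hCertStore, &chainPara,
                                 CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, NULL, &pChain))
        return GetLastError();

    /* The SSL policy turns the chain's trust, validity, revocation and path-length status (check 4)
     * into one error code and matches pwszServerName against the leaf (check 6); fdwChecks stays 0
     * so that no error class is ignored. */
    sslPara.dwAuthType = AUTHTYPE_SERVER;
    sslPara.pwszServerName = (LPWSTR)pwszServerName;
    policyPara.pvExtraPolicyPara = &sslPara;
    if (!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, pChain, &policyPara, &policyStatus))
        status = GetLastError();
    else
        status = policyStatus.dwError;   /* 0 only when every check passed */
    CertFreeCertificateChain(pChain);
    return status;
}
#endif
```

A non-zero return must abort the connection; the SSL policy reports only the first failing check, so log the code rather than retrying with a looser fdwChecks.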