Describes how to get the CERT_TRUST_IS_PARTIAL_CHAIN error when mixing Java and Crypto API generated certificates

    (This is to record a problem, the cause, and the solution.)

    A certificate created by CryptSignAndEncodeCertificate gave a CERT_TRUST_IS_PARTIAL_CHAIN error when trying to use CertGetCertificateChain with a cert store that had a parent certificate created with Java libraries.  The problem was that I passed the issuer's subject name as a string, and CertStrToName encoded the newly created certificate's issuer name differently than the parent certificate's subject name.
     
    Even though the names were textually the same, the Java encoding used UTF8String, and CertStrToName used String.
     
    JAVA
        universal Sequence of len 12
        universal Object Identifier 2.5.4.3 szOID_COMMON_NAME
        universal UTF8String IdentityN
     
    CRYPTOAPI
        universal Sequence of len 12
        universal Object Identifier 2.5.4.3 szOID_COMMON_NAME
        universal UTF8String IdentityN
     
    and that difference caused a failure to find the parent certificate, and thus a CERT_TRUST_IS_PARTIAL_CHAIN error.
     
    The solution is to copy the encoded subject name from the parent cert into the Issuer field.
     
    #include <windows.h>
    #include <wincrypt.h>

    PCCERT_CONTEXT issuerCertContext;   // the parent (Java-generated) certificate, already loaded from the store
    CERT_INFO cert_info = {0};          // CERT_INFO for the new certificate, passed to CryptSignAndEncodeCertificate

    // Use the already encoded Subject name from issuerCertContext as this certificate's Issuer.
    // We cannot use CertStrToName to encode the Issuer from a string, because it does not
    // produce the "UTF8String" encoding the parent uses (see RFC 3280 section 4.1.2.4, Issuer).
    cert_info.Issuer.pbData = issuerCertContext->pCertInfo->Subject.pbData;
    cert_info.Issuer.cbData = issuerCertContext->pCertInfo->Subject.cbData;

    Thursday, June 23, 2011 8:46 PM
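The name-matching failure the post describes, modelled as an added example (this is not code from the post and does not call CryptoAPI): it DER-encodes a one-attribute X.500 Name the two ways the post's dumps contrast, with the CN as UTF8String as the Java-generated parent did and as PrintableString as re-encoding from a string does, then compares the child's Issuer to the parent's Subject byte for byte, which is the comparison a chain builder reporting CERT_TRUST_IS_PARTIAL_CHAIN here is evidently doing. The name "IdentityN", the PrintableString tag for the string re-encoding, and the helper names are assumptions; the fix branch copies the parent's encoded Subject verbatim, exactly as the post's two assignments do.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ASN.1 universal tags used below */
#define TAG_OID             0x06
#define TAG_UTF8STRING      0x0C
#define TAG_PRINTABLESTRING 0x13
#define TAG_SEQUENCE        0x30
#define TAG_SET             0x31

/* An encoded Name, i.e. what a CERT_NAME_BLOB carries: cbData bytes at pbData. */
typedef struct {
    uint8_t data[64];
    size_t  len;
} name_blob;

/* DER-encode a single-RDN Name: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, <string_tag> cn } } }.
   Every length here is below 128, so the short length form is sufficient. */
static size_t encode_cn_name(uint8_t *out, uint8_t string_tag, const char *cn) {
    static const uint8_t oid_cn[] = {0x55, 0x04, 0x03};  /* 2.5.4.3 id-at-commonName */
    size_t cn_len  = strlen(cn);
    size_t atv_len = 2 + sizeof oid_cn + 2 + cn_len;     /* AttributeTypeAndValue body */
    size_t set_len = 2 + atv_len;                        /* RelativeDistinguishedName body */
    size_t seq_len = 2 + set_len;                        /* Name body */
    uint8_t *p = out;
    *p++ = TAG_SEQUENCE; *p++ = (uint8_t)seq_len;
    *p++ = TAG_SET;      *p++ = (uint8_t)set_len;
    *p++ = TAG_SEQUENCE; *p++ = (uint8_t)atv_len;
    *p++ = TAG_OID;      *p++ = (uint8_t)sizeof oid_cn;
    memcpy(p, oid_cn, sizeof oid_cn); p += sizeof oid_cn;
    *p++ = string_tag;   *p++ = (uint8_t)cn_len;
    memcpy(p, cn, cn_len); p += cn_len;
    return (size_t)(p - out);
}

/* Name matching as the chain builder evidently does it: on the encoded bytes, not the text. */
static int names_match(const name_blob *a, const name_blob *b) {
    return a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
}

/* The failing approach: re-encode the Issuer from its text (assumed PrintableString, as
   CertStrToName did in the post; the tag choice is an assumption of this example). */
static void issuer_from_string(name_blob *issuer, const char *cn) {
    issuer->len = encode_cn_name(issuer->data, TAG_PRINTABLESTRING, cn);
}

/* The post's fix: copy the parent's already encoded Subject into the Issuer field verbatim. */
static void issuer_from_parent(name_blob *issuer, const name_blob *parent_subject) {
    memcpy(issuer->data, parent_subject->data, parent_subject->len);
    issuer->len = parent_subject->len;
}

/* Build the child's Issuer one way or the other and report whether it would link to the
   parent (1) or leave the chain partial (0). The parent Subject is constructed sample data. */
static int chain_links(int copy_encoded_subject) {
    name_blob parent_subject, child_issuer;
    /* Constructed: the Java-generated parent encoded its CN as UTF8String */
    parent_subject.len = encode_cn_name(parent_subject.data, TAG_UTF8STRING, "IdentityN");
    if (copy_encoded_subject)
        issuer_from_parent(&child_issuer, &parent_subject);
    else
        issuer_from_string(&child_issuer, "IdentityN");
    return names_match(&parent_subject, &child_issuer);
}

int main(void) {
    printf("Issuer re-encoded from string: %s\n",
           chain_links(0) ? "links to parent" : "CERT_TRUST_IS_PARTIAL_CHAIN");
    printf("Issuer copied from parent:     %s\n",
           chain_links(1) ? "links to parent" : "CERT_TRUST_IS_PARTIAL_CHAIN");
    return 0;
}
```

The two encodings differ in exactly one byte (the string tag, 0x0C versus 0x13), which is enough for a byte-wise comparison to miss the parent. RFC 5280 section 7.1 does allow more tolerant name comparison, but an issuer cannot rely on every relying party implementing it; carrying the issuer certificate's encoded Subject over unchanged, as the post does, is the only way to make the match deterministic.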