How To Perform CRL Checking with CAPICOM (304298)

The information in this article applies to:

  • Microsoft Win32 Application Programming Interface (API), when used with:
    • the operating system: Microsoft Windows 98
    • the operating system: Microsoft Windows Millennium Edition
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows XP

This article was previously published under Q304298.

SUMMARY

By default, neither the Certificate.IsValid property nor the Chain.Build method performs Certificate Revocation List (CRL) checking. You can turn on CRL checking for both by setting the Certificate.IsValid.CheckFlag property appropriately before calling either one.

MORE INFORMATION

Two Variations of CRL Checking

There are two settings for the Certificate.IsValid.CheckFlag property that induce CRL checking:

CAPICOM_CHECK_OFFLINE_REVOCATION_STATUS
CAPICOM_CHECK_ONLINE_REVOCATION_STATUS

The OFFLINE setting causes CAPICOM to check only for local CRLs. These may have been downloaded intentionally by the user or cached automatically. If there are no local CRLs and ONLINE checking is not turned on, the CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN constant is returned in Certificate.Status.
The ONLINE setting causes CAPICOM to check for local CRLs just as in the OFFLINE case. However, if no valid local CRL is found, CAPICOM retrieves the CRL from the CRL Distribution Point (CDP) listed in the certificate. If no CDP is specified, or the CDP cannot be resolved, the CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN constant is returned in Certificate.Status. In either case an UNKNOWN status means the certificate has not been shown to be unrevoked, so callers should treat it as a failed check rather than as success.

CRL Checking on an Individual Certificate

For example, consider the following code, in which cert has been instantiated as a valid CAPICOM Certificate object:
cert.IsValid.CheckFlag = CAPICOM_CHECK_TRUSTED_ROOT Or _
                         CAPICOM_CHECK_TIME_VALIDITY Or _
                         CAPICOM_CHECK_SIGNATURE_VALIDITY Or _
                         CAPICOM_CHECK_ONLINE_REVOCATION_STATUS

If cert.IsValid.Result Then
  'CERTIFICATE IS VALID!
Else
  'Rebuild the chain to find out why validation failed.
  Dim chain As New Chain
  chain.Build cert

  If CAPICOM_TRUST_IS_REVOKED And chain.Status Then
    'AT LEAST ONE CERTIFICATE IN THE CHAIN HAS BEEN REVOKED.
  End If

  If CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN And chain.Status Then
    'THE REVOCATION STATUS COULD NOT BE DETERMINED.
  End If
End If


CRL Checking on Certificates in a SignedData Object

The SignedData.Verify method does not trigger CRL checking, even when CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE is specified. Performing CRL checking on the certificates in a SignedData object is no different from performing CRL checking on an individual certificate: the Certificate.IsValid.CheckFlag property must be set on each signer's certificate. Consider the following code, in which sData has been instantiated as a valid CAPICOM SignedData object:
Dim cert
Dim chain As New Chain

For i = 1 To sData.Certificates.Count

  Set cert = sData.Certificates(i)

  cert.IsValid.CheckFlag = CAPICOM_CHECK_TRUSTED_ROOT Or _
                           CAPICOM_CHECK_TIME_VALIDITY Or _
                           CAPICOM_CHECK_SIGNATURE_VALIDITY Or _
                           CAPICOM_CHECK_ONLINE_REVOCATION_STATUS

  If cert.IsValid.Result Then
    'CERTIFICATE IS VALID!
  Else
    chain.Build cert

    If CAPICOM_TRUST_IS_REVOKED And chain.Status Then
      'AT LEAST ONE CERTIFICATE IN THE CHAIN HAS BEEN REVOKED.
    End If

    If CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN And chain.Status Then
      'THE REVOCATION STATUS COULD NOT BE DETERMINED.
    End If
  End If
Next i

The only addition to this code, compared with the sample code in the "CRL Checking on an Individual Certificate" section of this article, is the loop over all of the certificates in the SignedData object. Note that the SignedData.Certificates collection holds every certificate embedded in the signed message, not only the signers' end-entity certificates, so each of them is checked by this loop.
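The following is an added example, not code from this article, that combines both sections above into one function: it tries the local (OFFLINE) CRLs first, consults the CDP only when the caller permits it, and returns a distinct verdict for "revoked", "status unknown" and "invalid for another reason" so that an unknown status is never mistaken for success. It assumes a Visual Basic 6 project with a reference to the CAPICOM type library, that Chain.Certificates is a 1-based collection, and that Chain.Status(n) returns the status of the n-th certificate in the built chain (Status() with no index being the whole chain), as documented in the Platform SDK.

```vb
' Added example, not part of the KB article. Assumes a VB6 project that
' references the CAPICOM type library so the CAPICOM_* constants resolve.
' Assumed: Chain.Certificates is 1-based; Chain.Status(n) is the n-th link.
Public Enum RevocationVerdict
    VerdictTrusted = 0   ' chain valid and no certificate revoked
    VerdictRevoked = 1   ' a certificate in the chain is listed on a CRL
    VerdictUnknown = 2   ' no usable CRL: must be treated as not trusted
    VerdictInvalid = 3   ' failed for a reason other than revocation
End Enum

' Checks cert against local CRLs, and against the CDP too when allowOnline
' is True. The reason argument receives a short explanation for logging.
Public Function CheckRevocation(ByVal cert As Certificate, _
                                ByVal allowOnline As Boolean, _
                                ByRef reason As String) As RevocationVerdict
    Dim flags As Long
    Dim chain As New Chain
    Dim i As Long
    flags = CAPICOM_CHECK_TRUSTED_ROOT Or _
            CAPICOM_CHECK_TIME_VALIDITY Or _
            CAPICOM_CHECK_SIGNATURE_VALIDITY Or _
            CAPICOM_CHECK_OFFLINE_REVOCATION_STATUS
    If allowOnline Then flags = flags Or CAPICOM_CHECK_ONLINE_REVOCATION_STATUS

    cert.IsValid.CheckFlag = flags
    If cert.IsValid.Result Then
        reason = "valid and not revoked"
        CheckRevocation = VerdictTrusted
        Exit Function
    End If

    ' Validation failed: rebuild the chain to find out why and which link failed.
    chain.Build cert
    For i = 1 To chain.Certificates.Count
        If (chain.Status(i) And CAPICOM_TRUST_IS_REVOKED) <> 0 Then
            reason = "revoked: " & chain.Certificates(i).SubjectName
            CheckRevocation = VerdictRevoked
            Exit Function
        End If
    Next i

    If (chain.Status And CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN) <> 0 Then
        reason = "revocation status could not be determined"
        CheckRevocation = VerdictUnknown   ' caller must reject, not accept
    Else
        reason = "chain invalid, status &H" & Hex(chain.Status)
        CheckRevocation = VerdictInvalid
    End If
End Function
```

Only VerdictTrusted should be accepted; VerdictUnknown is the case the article describes for missing local CRLs or an unreachable CDP, and accepting it would silently disable revocation checking.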

REFERENCES

For additional information about how to use CAPICOM, see the Platform SDK documentation.

Modification Type: Minor
Last Reviewed: 9/27/2004
Keywords: kbAPI kbCrypt kbhowto kbKernBase kbSecurity KB304298