How To Perform CRL Checking with CAPICOM

Summary

By default, Certificate Revocation List (CRL) checking is not performed by either the Certificate.IsValid or the Chain.Build function. However, you can turn on CRL checking for both functions by setting the Certificate.IsValid.CheckFlag property appropriately before calling either one.

More Information

Two Variations of CRL Checking


There are two settings for the Certificate.IsValid.CheckFlag property that induce CRL checking:

CAPICOM_CHECK_OFFLINE_REVOCATION_STATUS
CAPICOM_CHECK_ONLINE_REVOCATION_STATUS
The OFFLINE setting causes CAPICOM to check for local CRLs. These may be intentionally downloaded by the user or automatically cached. If there are no local CRLs, and ONLINE checking is not turned on, a CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN constant is returned in Certificate.Status.

The ONLINE setting causes CAPICOM to check for local CRLs just as in the OFFLINE case. However, if no valid local CRLs are found, CAPICOM checks the CRL Distribution Point (CDP) listed in the certificate. If a CDP is not specified or cannot be resolved, a CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN constant is returned in Certificate.Status.

CRL Checking on an Individual Certificate



For example, consider the following code, in which cert has been instantiated as a valid CAPICOM Certificate object:

cert.IsValid.CheckFlag = CAPICOM_CHECK_TRUSTED_ROOT Or _
                        CAPICOM_CHECK_TIME_VALIDITY Or _
                        CAPICOM_CHECK_SIGNATURE_VALIDITY Or _
                        CAPICOM_CHECK_ONLINE_REVOCATION_STATUS

If cert.IsValid.Result Then
    'CERTIFICATE IS VALID!
Else
    Dim chain As New Chain
    chain.Build cert

    If CAPICOM_TRUST_IS_REVOKED And chain.Status Then
        'AT LEAST ONE CERTIFICATE IN THE CHAIN HAS BEEN REVOKED.
    End If

    If CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN And chain.Status Then
        'THE REVOCATION STATUS COULD NOT BE DETERMINED.
    End If
End If
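The two revocation settings described under "Two Variations of CRL Checking" can be combined so that a certificate is first checked against CRLs already on the machine and the CRL Distribution Point is contacted only when that local check cannot decide. The following VB6 function is an added example, not code from the KB article; it assumes a project with a reference to the CAPICOM type library and a Certificate object instantiated as in the sample above, and the enum RevocationOutcome and the names CheckWith and CheckRevocation are the example's own.

```vb
' Added example (not from the KB article). Assumes a VB6 project that
' references the CAPICOM type library, so the CAPICOM_* constants resolve.
Public Enum RevocationOutcome
    roValid = 0          ' IsValid.Result was True with revocation checking on
    roRevoked = 1        ' CAPICOM_TRUST_IS_REVOKED set on the chain
    roStatusUnknown = 2  ' CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN set on the chain
    roOtherFailure = 3   ' failed for a reason unrelated to revocation (root, time, signature)
End Enum

' Runs one validation pass with the given revocation flag and classifies the result
' by inspecting Chain.Status, as the article's sample does.
Private Function CheckWith(ByVal cert As Certificate, _
                           ByVal revocationFlag As CAPICOM_CHECK_FLAG) As RevocationOutcome
    Dim chain As New Chain

    cert.IsValid.CheckFlag = CAPICOM_CHECK_TRUSTED_ROOT Or _
                             CAPICOM_CHECK_TIME_VALIDITY Or _
                             CAPICOM_CHECK_SIGNATURE_VALIDITY Or _
                             revocationFlag

    If cert.IsValid.Result Then
        CheckWith = roValid
        Exit Function
    End If

    chain.Build cert
    If (chain.Status And CAPICOM_TRUST_IS_REVOKED) <> 0 Then
        CheckWith = roRevoked
    ElseIf (chain.Status And CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN) <> 0 Then
        CheckWith = roStatusUnknown
    Else
        CheckWith = roOtherFailure
    End If
End Function

' Offline first: consult only CRLs already downloaded or cached on this machine.
' Only when no local CRL can answer do we fall back to the ONLINE setting, which
' contacts the CDP listed in the certificate.
Public Function CheckRevocation(ByVal cert As Certificate) As RevocationOutcome
    Dim outcome As RevocationOutcome

    outcome = CheckWith(cert, CAPICOM_CHECK_OFFLINE_REVOCATION_STATUS)
    If outcome = roStatusUnknown Then
        outcome = CheckWith(cert, CAPICOM_CHECK_ONLINE_REVOCATION_STATUS)
    End If

    CheckRevocation = outcome
End Function
```

A caller that treats roStatusUnknown as a failure rather than a pass gets fail-closed behaviour when neither a local CRL nor the CDP is reachable.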

CRL Checking on Certificates in a SignedData Object



The SignedData.Verify method does not trigger CRL checking even when CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE is turned on. Performing CRL checking on the certificates in a SignedData object is no different from performing CRL checking on an individual certificate: the Certificate.IsValid.CheckFlag property must be set for each certificate in the SignedData.Certificates collection. Consider the following code, in which sData has been instantiated as a valid CAPICOM SignedData object:

Dim cert As Certificate
Dim chain As New Chain

For i = 1 To sData.Certificates.Count

    Set cert = sData.Certificates(i)

    cert.IsValid.CheckFlag = CAPICOM_CHECK_TRUSTED_ROOT Or _
                            CAPICOM_CHECK_TIME_VALIDITY Or _
                            CAPICOM_CHECK_SIGNATURE_VALIDITY Or _
                            CAPICOM_CHECK_ONLINE_REVOCATION_STATUS

    If cert.IsValid.Result Then
        'CERTIFICATE IS VALID!
    Else
        chain.Build cert

        If CAPICOM_TRUST_IS_REVOKED And chain.Status Then
            'AT LEAST ONE CERTIFICATE IN THE CHAIN HAS BEEN REVOKED.
        End If

        If CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN And chain.Status Then
            'THE REVOCATION STATUS COULD NOT BE DETERMINED.
        End If
    End If
Next i

The only addition to this code when compared to the sample code in the "CRL Checking on an Individual Certificate" section of this article is the loop over all of the certificates in the SignedData object.

References

For additional information about how to use CAPICOM, see the Platform SDK documentation.
Properties

Article ID: 304298 - Last Review: 21 Nov 2006 - Revision: 1