Microsoft KB Archive/304298

= How To Perform CRL Checking with CAPICOM =

Article ID: 304298

Article Last Modified on 11/21/2006

-

APPLIES TO

Microsoft Win32 Application Programming Interface, when used with:
* Microsoft Windows 98 Standard Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows NT 4.0
* Microsoft Windows 2000 Standard Edition
* Microsoft Windows XP Professional

-


This article was previously published under Q304298


SUMMARY
By default, neither the Certificate.IsValid function nor the Chain.Build function performs Certificate Revocation List (CRL) checking. You can turn on CRL checking for both functions by setting the Certificate.IsValid.CheckFlag property to the appropriate value before calling either of them.


Two Variations of CRL Checking
There are two settings for the Certificate.IsValid.CheckFlag property that induce CRL checking:

CAPICOM_CHECK_OFFLINE_REVOCATION_STATUS

CAPICOM_CHECK_ONLINE_REVOCATION_STATUS

The OFFLINE setting causes CAPICOM to check only local CRLs. These may have been downloaded intentionally by the user or cached automatically. If there are no local CRLs and ONLINE checking is not turned on, the CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN constant is returned in Certificate.Status.

The ONLINE setting causes CAPICOM to check local CRLs first, just as in the OFFLINE case. However, if no valid local CRL is found, CAPICOM retrieves the CRL from the CRL Distribution Point (CDP) listed in the certificate. If no CDP is specified, or the CDP cannot be reached, the CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN constant is returned in Certificate.Status.

CRL Checking on an Individual Certificate
For example, consider the following code, in which cert has been instantiated as a valid CAPICOM Certificate object:

    ' Request trusted-root, time, signature and ONLINE revocation checks.
    cert.IsValid.CheckFlag = CAPICOM_CHECK_TRUSTED_ROOT Or _
                             CAPICOM_CHECK_TIME_VALIDITY Or _
                             CAPICOM_CHECK_SIGNATURE_VALIDITY Or _
                             CAPICOM_CHECK_ONLINE_REVOCATION_STATUS
    If cert.IsValid.Result Then
        'CERTIFICATE IS VALID!
    Else
        ' Build the chain to find out why validation failed; the chain
        ' status is a bit mask, so each condition is tested with And.
        Dim chain As New Chain
        chain.Build cert
        If CAPICOM_TRUST_IS_REVOKED And chain.Status Then
            'AT LEAST ONE CERTIFICATE IN THE CHAIN HAS BEEN REVOKED.
        End If
        If CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN And chain.Status Then
            'THE REVOCATION STATUS COULD NOT BE DETERMINED.
        End If
    End If
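The following script is an added example that is not part of KB 304298. It turns the two flag variants described above and the individual-certificate check into a single function that classifies each certificate as valid, revoked, revocation-unknown, or invalid for another reason, and runs it over the current user's Personal ("My") store. It assumes CAPICOM 2.x is registered on the machine; because VBScript cannot read the type library's named constants, the numeric values are assumed from the CAPICOM_CHECK_FLAG, CAPICOM_TRUST_STATUS and store enumerations in capicom.dll, and the function name RevocationVerdict is the example's own.

```vbscript
' Added example (not from KB 304298): classify the revocation outcome of every
' certificate in the current user's Personal store using the OFFLINE or the
' ONLINE CRL check. Assumes CAPICOM 2.x is registered. The constant values
' are assumed from capicom.dll's enumerations; verify them against your build.
Option Explicit

Const CAPICOM_CHECK_TRUSTED_ROOT              = 1
Const CAPICOM_CHECK_TIME_VALIDITY             = 2
Const CAPICOM_CHECK_SIGNATURE_VALIDITY        = 4
Const CAPICOM_CHECK_ONLINE_REVOCATION_STATUS  = 8
Const CAPICOM_CHECK_OFFLINE_REVOCATION_STATUS = 16

Const CAPICOM_TRUST_IS_REVOKED                = &H4
Const CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN = &H40

Const CAPICOM_CURRENT_USER_STORE              = 2
Const CAPICOM_STORE_OPEN_READ_ONLY            = 0

' Returns "VALID", "REVOKED", "REVOCATION_UNKNOWN" or "INVALID_OTHER".
' useOnline = True selects the ONLINE variant (local CRLs, then the CDP);
' False selects the OFFLINE variant (local CRLs only).
Function RevocationVerdict(cert, useOnline)
    Dim status, chain, flags, trust
    flags = CAPICOM_CHECK_TRUSTED_ROOT Or _
            CAPICOM_CHECK_TIME_VALIDITY Or _
            CAPICOM_CHECK_SIGNATURE_VALIDITY
    If useOnline Then
        flags = flags Or CAPICOM_CHECK_ONLINE_REVOCATION_STATUS
    Else
        flags = flags Or CAPICOM_CHECK_OFFLINE_REVOCATION_STATUS
    End If

    ' Hold the CertificateStatus object so CheckFlag and Result refer
    ' to the same check.
    Set status = cert.IsValid
    status.CheckFlag = flags
    If status.Result Then
        RevocationVerdict = "VALID"
        Exit Function
    End If

    ' Not valid: build the chain to learn why, then test the status bits.
    ' Status with no index is the overall status of the chain.
    Set chain = CreateObject("CAPICOM.Chain")
    chain.Build cert
    trust = chain.Status
    If (trust And CAPICOM_TRUST_IS_REVOKED) <> 0 Then
        RevocationVerdict = "REVOKED"
    ElseIf (trust And CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN) <> 0 Then
        ' No usable local CRL and (for ONLINE) no reachable CDP. The example
        ' reports this as its own outcome instead of folding it into "VALID".
        RevocationVerdict = "REVOCATION_UNKNOWN"
    Else
        ' Expired, untrusted root, bad signature, partial chain, and so on.
        RevocationVerdict = "INVALID_OTHER"
    End If
End Function

' Driver: report every certificate in the current user's Personal ("My") store.
Dim store, c, i
Set store = CreateObject("CAPICOM.Store")
store.Open CAPICOM_CURRENT_USER_STORE, "My", CAPICOM_STORE_OPEN_READ_ONLY
For i = 1 To store.Certificates.Count
    Set c = store.Certificates(i)
    WScript.Echo c.SubjectName & " => " & RevocationVerdict(c, True)
Next
```

Run it with cscript so the output goes to the console. Keeping REVOCATION_UNKNOWN separate from VALID is a design choice of this example: a caller that needs a definite revocation answer can then decide for itself whether an unknown status should be accepted or rejected, rather than having it silently treated as a pass.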

CRL Checking on Certificates in a SignedData Object
The SignedData.Verify method does not trigger CRL checking, even when CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE is specified. Performing CRL checking on the certificates in a SignedData object is no different from performing CRL checking on an individual certificate: the Certificate.IsValid.CheckFlag property must be set for each signer's certificate. Consider the following code, in which sData has been instantiated as a valid CAPICOM SignedData object:

    Dim cert As Certificate
    Dim chain As New Chain
    Dim i As Long

    ' Check every certificate carried in the SignedData object.
    For i = 1 To sData.Certificates.Count
        Set cert = sData.Certificates(i)
        cert.IsValid.CheckFlag = CAPICOM_CHECK_TRUSTED_ROOT Or _
                                 CAPICOM_CHECK_TIME_VALIDITY Or _
                                 CAPICOM_CHECK_SIGNATURE_VALIDITY Or _
                                 CAPICOM_CHECK_ONLINE_REVOCATION_STATUS
        If cert.IsValid.Result Then
            'CERTIFICATE IS VALID!
        Else
            chain.Build cert
            If CAPICOM_TRUST_IS_REVOKED And chain.Status Then
                'AT LEAST ONE CERTIFICATE IN THE CHAIN HAS BEEN REVOKED.
            End If
            If CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN And chain.Status Then
                'THE REVOCATION STATUS COULD NOT BE DETERMINED.
            End If
        End If
    Next i

The only addition to this code when compared to the sample code in the "CRL Checking on an Individual Certificate" section of this article is the loop over all of the certificates in the SignedData object.
