CryptoSys PKI Toolkit Manual

X509_CheckCertInCRL

Checks whether an X.509 certificate has been revoked in a Certificate Revocation List (CRL).

VB6/VBA Syntax

Public Declare Function X509_CheckCertInCRL Lib "diCrPKI.dll" (ByVal strCertFile As String, ByVal strCrlFile As String, ByVal strCRLIssuerCert As String, ByVal strDate As String, ByVal nOptions As Long) As Long

nRet = X509_CheckCertInCRL(strCertFile, strCrlFile, strCRLIssuerCert, strDate, nOptions)

Parameters

strCertFile
[in] String with name of X.509 certificate to be checked (or base64 representation).
strCrlFile
[in] String with name of CRL file.
strCRLIssuerCert
[in] String (optional) with name of X.509 certificate file for the entity that issued the CRL (or base64 representation).
strDate
[in] String (optional) with the date-time, in ISO format (yyyy-mm-dd[Thh[:nn:ss]][Z]), as at which you wish to check for revocation. Leave empty "" to check for revocation at any date. The time must be in GMT (UTC, Zulu time).
nOptions
[in] Long. Option flags. Not used; specify zero.

C/C++ Syntax

long _stdcall X509_CheckCertInCRL(const char *szCertFile, const char *szCrlFile, const char *szCRLIssuerCert, const char *szDate, long nOptions);

Returns (VB6/C)

Long: Zero if the certificate is not in the CRL; PKI_X509_REVOKED (+1) if the certificate has been revoked; otherwise a negative error code.

.NET Equivalent

X509.CheckCertInCRL Method

Remarks

The optional strDate parameter lets you check whether the certificate had been revoked as at the given date-time, which must be in GMT (UTC); a CRL entry whose revocation date is later than strDate does not count as a revocation (see the third call in the example below). If the optional strCRLIssuerCert is specified, the signature on the CRL is checked against the public key in the issuer's certificate, and a SIGNATURE_ERROR results if the signature is invalid.

You can also verify the signature on the CRL file using the X509_VerifyCert function, which, as of v3.5, verifies the signature of CRLs as well as of X.509 certificates.

Note that the sign of the return codes here is the opposite of those for X509_VerifyCert (+1 here vs -1 there). Always use the pre-defined constants (e.g. PKI_X509_REVOKED, PKI_X509_VERIFY_FAILURE) in your code, in case we change this in a later version to make it more consistent. Zero will always indicate success.
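The following is an added example and not code from the CryptoSys PKI Toolkit: a stdlib-only Python model of the as-at date semantics and the return-code convention described above, run over a constructed in-memory revoked list instead of a CRL file. The names parse_iso_utc, check_cert_in_crl, RevokedEntry, describe_result and the negative code ERR_BAD_DATE are assumptions for this illustration; only PKI_X509_REVOKED (+1) and zero-for-success come from the page. The sample entry (serial 18, revoked 2004-11-19T15:57:20Z) is constructed so that the page's three calls can be reproduced; no CRL parsing or signature verification is done here.

```python
"""Model of X509_CheckCertInCRL date semantics (added example, not CryptoSys code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Return-code convention from the manual page: 0 = not revoked, +1 = revoked,
# negative = error. ERR_BAD_DATE is a hypothetical error code for this example.
PKI_X509_REVOKED = 1
ERR_BAD_DATE = -1

# Accepts yyyy-mm-dd, optionally followed by Thh, Thh:nn or Thh:nn:ss, optionally Z.
_ISO_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})(?:T(\d{2})(?::(\d{2})(?::(\d{2}))?)?)?Z?$"
)


def parse_iso_utc(s):
    """Parse the page's ISO form into a UTC datetime.

    Returns None for "" (meaning 'any date'); raises ValueError if malformed.
    Missing hour/minute/second fields default to zero.
    """
    if s == "":
        return None
    m = _ISO_RE.match(s)
    if not m:
        raise ValueError(f"bad ISO date-time: {s!r}")
    y, mo, d, h, mi, sec = (int(g) if g is not None else 0 for g in m.groups())
    return datetime(y, mo, d, h, mi, sec, tzinfo=timezone.utc)


@dataclass(frozen=True)
class RevokedEntry:
    """One revokedCertificates entry: serial number and revocationDate (UTC)."""
    serial: int
    revocation_date: datetime


# Constructed sample revoked list (stands in for the CRL file on the page).
SAMPLE_CRL = [
    RevokedEntry(serial=18,
                 revocation_date=datetime(2004, 11, 19, 15, 57, 20, tzinfo=timezone.utc)),
]


def check_cert_in_crl(serial, crl_entries, as_at=""):
    """Return 0 if not revoked as at `as_at`, PKI_X509_REVOKED if revoked,
    or a negative error code if `as_at` is malformed.

    With as_at == "" any entry for the serial counts. Otherwise an entry
    counts only if its revocationDate is on or before the cutoff; a later
    revocation means the certificate was still good at that moment.
    """
    try:
        cutoff = parse_iso_utc(as_at)
    except ValueError:
        return ERR_BAD_DATE
    for entry in crl_entries:
        if entry.serial != serial:
            continue
        if cutoff is None or entry.revocation_date <= cutoff:
            return PKI_X509_REVOKED
    return 0


def describe_result(ret):
    """Map a return code to a message, testing constants rather than raw signs."""
    if ret == PKI_X509_REVOKED:
        return "CERT HAS BEEN REVOKED"
    if ret == 0:
        return "Cert has not been revoked"
    return f"ERROR: code {ret}"


if __name__ == "__main__":
    # Reproduces the three calls in the page's VB6 example.
    for serial, as_at in [(17, ""), (18, ""), (18, "2004-11-19T15:00Z")]:
        ret = check_cert_in_crl(serial, SAMPLE_CRL, as_at)
        print(f"serial={serial} date={as_at!r}: returns {ret}: {describe_result(ret)}")
```

The cutoff comparison is inclusive (revocation date equal to strDate counts as revoked), which is a design choice of this model; the page itself only shows a cutoff strictly earlier than the revocation time.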

Example

Dim nRet As Long
Dim strCrlFile As String
Dim strCertFile As String
Dim strDate As String

' Use test CRL and certs from RFC3280
strCrlFile = "rfc3280bis_CRL.crl"
' This cert has not been revoked.
strCertFile = "rfc3280bis_cert1.cer"
Debug.Print "CrlFile=" & strCrlFile
Debug.Print "CertFile=" & strCertFile
nRet = X509_CheckCertInCRL(strCertFile, strCrlFile, "", "", 0)
Debug.Print "X509_CheckCertInCRL returns " & nRet
If nRet = PKI_X509_REVOKED Then
  Debug.Print "CERT HAS BEEN REVOKED"
ElseIf nRet = 0 Then
  Debug.Print "Cert has not been revoked"
Else
  Debug.Print "ERROR: " & pkiErrorLookup(nRet) & ": " & pkiGetLastError()
End If

' This cert has been revoked.
strCertFile = "rfc3280bis_cert2.cer"
Debug.Print "CrlFile=" & strCrlFile
Debug.Print "CertFile=" & strCertFile
nRet = X509_CheckCertInCRL(strCertFile, strCrlFile, "", "", 0)
Debug.Print "X509_CheckCertInCRL returns " & nRet
If nRet = PKI_X509_REVOKED Then
  Debug.Print "CERT HAS BEEN REVOKED"
ElseIf nRet = 0 Then
  Debug.Print "Cert has not been revoked"
Else
  Debug.Print "ERROR: " & pkiErrorLookup(nRet) & ": " & pkiGetLastError()
End If

' But the same cert was not revoked as at 15:00 GMT on 19 November 2004
strCertFile = "rfc3280bis_cert2.cer"
strDate = "2004-11-19T15:00Z"
Debug.Print "CrlFile=" & strCrlFile
Debug.Print "CertFile=" & strCertFile
Debug.Print "Date=" & strDate
nRet = X509_CheckCertInCRL(strCertFile, strCrlFile, "", strDate, 0)
Debug.Print "X509_CheckCertInCRL(" & strDate & ") returns " & nRet
If nRet = PKI_X509_REVOKED Then
  Debug.Print "CERT HAS BEEN REVOKED"
ElseIf nRet = 0 Then
  Debug.Print "Cert has not been revoked"
Else
  Debug.Print "ERROR: " & pkiErrorLookup(nRet) & ": " & pkiGetLastError()
End If

This code should produce the following output:

CrlFile=rfc3280bis_CRL.crl
CertFile=rfc3280bis_cert1.cer
X509_CheckCertInCRL returns 0
Cert has not been revoked
CrlFile=rfc3280bis_CRL.crl
CertFile=rfc3280bis_cert2.cer
X509_CheckCertInCRL returns 1
CERT HAS BEEN REVOKED
CrlFile=rfc3280bis_CRL.crl
CertFile=rfc3280bis_cert2.cer
Date=2004-11-19T15:00Z
X509_CheckCertInCRL(2004-11-19T15:00Z) returns 0
Cert has not been revoked

See Also

X509_MakeCRL X509_VerifyCert X509_CertIsValidNow

Copyright © 2004-10 D.I. Management Services Pty Ltd. All rights reserved.