CryptoSys PKI Pro Manual

X509_ValidatePath

Validates a certificate path.

VBA/VB6 Syntax

Public Declare Function X509_ValidatePath Lib "diCrPKI.dll" (ByVal strCertListOrP7File As String, ByVal strTrustedCert As String, ByVal nOptions As Long) As Long

nRet = X509_ValidatePath(strCertListOrP7File, strTrustedCert, nOptions)

C/C++ Syntax

long __stdcall X509_ValidatePath(const char *szCertListOrP7File, const char *szTrustedCert, long nOptions);

Parameters

szCertListOrP7File
[in] either a list of certificate names separated by a semicolon or the name of a PKCS-7 "certs-only" file containing the certificates to be validated.
szTrustedCert
[in] name of the trusted certificate (or base64 representation).
nOptions
[in] option flags:
PKI_X509_NO_TIMECHECK to avoid checking if the certificates are valid now (default = check validity dates against system clock).

Returns (VBA/C)

Zero (0) if the certification path is valid. If the certificates are otherwise of correct format but the validation fails, the return value is PKI_X509_INVALID (+43 = CERT_PATH_ERROR); otherwise a negative error code.

.NET Equivalent

X509.ValidatePath Method (String)

Python Equivalent

static X509.cert_path_is_valid(certlist, trustedcert="", no_timecheck=False)

Remarks

A basic validation is carried out confirming that the subject of certificate x is the issuer of certificate x+1, that certficate x was signed by certificate x-1, and that each certificate is valid as at the time on the system clock. Only distinguished names are used to identify subjects and issuers, not alternative names or IDs. Certificate policies are ignored and no checks are made for revocation (use X509_CheckCertInCRL() individually). The order of the certificates in the input list is not important, but a complete chain must exist. Note that the certificates must either all exist inside one .p7c cert chain file, or exist individually as .cer files. In the latter case, specify all the file names in a semi-colon-separated list. You can also pass the individual certificate information in its base64 representation rather than filenames, as in szCertList="MIHgMIGaAgE...se348UN/Q=;MIHgMIGaAgEB...9j8eEtvHw=;...etc.

The szTrustedCert parameter is required unless a self-signed trust anchor is included in the list. If there is no self-signed certificate, then you must specify a trusted certificate which has signed the certificate at the top of your chain. If specified, this must exist separately as a .cer file. All certificates must be valid at the time the check is made or an error will result, unless the PKI_X509_NO_TIMECHECK option is used. More information on the reason for an invalid certification path may be available by using PKI_LastError().

[Changed in v12.0] If the certificates are otherwise of correct format but the validation fails, this function returns CERT_PATH_ERROR (+43). Previous versions would return +1.

Example

Dim nRet As Long
Dim strP7cFile As String
Dim strTrustedCert As String
Dim strCertList As String

' A p7c "certs-only" file which includes a self-signed cert
strP7cFile = "testcerts1.p7c"
nRet = X509_ValidatePath(strP7cFile, "", 0)
Debug.Print "X509_ValidatePath returns " & nRet & " (expected 0)"

' Same again but specify the trusted root cert
' (which is the same as the self-signed cert in the p7c file)
strP7cFile = "testcerts1.p7c"
strTrustedCert = "testcert00.cer"
nRet = X509_ValidatePath(strP7cFile, strTrustedCert, 0)
Debug.Print "X509_ValidatePath returns " & nRet & " (expected 0)"

' Specify a cert list - testcert00.cer is the self-signed cert
strCertList = "testcert00.cer;testcert03.cer;testcert01.cer;testcert02.cer"
nRet = X509_ValidatePath(strCertList, "", 0)
Debug.Print "X509_ValidatePath returns " & nRet & " (expected 0)"

' Same again but specify the trusted root cert (this time it is not in the list)
strCertList = "testcert01.cer;testcert02.cer;testcert03.cer"
strTrustedCert = "testcert00.cer"
nRet = X509_ValidatePath(strCertList, strTrustedCert, 0)
Debug.Print "X509_ValidatePath returns " & nRet & " (expected 0)"

See Also

X509_VerifyCert X509_CertIsValidNow X509_CheckCertInCRL

[Contents] [Index]

[PREV: X509_TextDumpToString...]   [Contents]   [Index]   
   [NEXT: X509_VerifyCert...]

Copyright © 2004-24 D.I. Management Services Pty Ltd. All rights reserved. Generated 2024-01-01T11:51:59Z.