Certificate CRL check  
by Gabriele [gzannoni at supereva dot it]
posted on 2003/10/22

Hi to all,
I have to check if a certificate has been revoked. Is this check performed automatically by the CertificateChain::VerifyChain method? If not, is there a way to do that by using the security library?
Thanks in advance,
Gabriele

by Pieter Philippaerts [Pieter at mentalis dot org]
posted on 2003/10/22

When verifying a certificate, the library calls the CertVerifyCertificateChainPolicy function [http://msdn.microsoft.com/library/en-us/security/security/certverifycertificatechainpolicy.asp] and specifies the CERT_CHAIN_POLICY_SSL policy OID. I looked through the documentation and that didn't specify the exact checks that were being performed, but I do think that the CRL is indeed verified.

There's a specific certificate that we use during the testing of the library that takes over 7 seconds to verify. The only reason I can come up with is that the verification takes so long because the CryptoAPI is connecting to the online CRL server [the other tests should only take a fraction of a second].

by Gabriele
posted on 2003/10/23

Pieter,
what you say can be right, but I tried to verify a chain while offline (with the network cable unplugged) and the result is CertificateStatus.ValidCertificate and not CertificateStatus.RevocationServerOffline... so I think that the CRL verification is not actually performed.

Thank you for your answer,
Gabriele

by Pieter Philippaerts [Pieter at mentalis dot org]
posted on 2003/10/23

I've posted this question on one of Microsoft's technical forums. When I get the answer there, I'll post it over here.

by Gabriele [gzannoni at deis dot unibo dot it]
posted on 2003/10/24

I've read the answer on the newsgroup... Now I have to find out how to perform the CRL checking. I'm trying to do that by using CAPICOM (that's a little simpler than CryptoAPI). A question: why haven't you used CAPICOM instead of CryptoAPI?

Thanks,
Gabriele

by Pieter Philippaerts [Pieter at mentalis dot org]
posted on 2003/10/24

It appears that CRL checking is being done when constructing the certificate chain and not when calling the CertVerifyCertificateChainPolicy method. In the current version of the security library, the CRLs are not verified when building a chain. We'll add support for CRL checking in the next version of the library.
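The distinction drawn in this thread (revocation is decided while the chain is being built, not by the later policy check, and an offline machine must surface that as a revocation-server-offline result rather than a valid one) is easy to get wrong in code. The following is an added example written for this page; it is not code from the Mentalis Security Library and does not use its CertificateStatus enum. It uses the .NET X509Chain API, where revocation checking is a chain-building option set on ChainPolicy, and it maps the chain status flags to a small hypothetical RevocationResult enum whose Valid and StatusUnknown members play the roles of ValidCertificate and RevocationServerOffline from the discussion above. The point a reviewer should look for is that RevocationStatusUnknown and OfflineRevocation are never folded into "valid".

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Hypothetical result type for this example; it is not the library's
// CertificateStatus enum. Valid ~ ValidCertificate, StatusUnknown ~ RevocationServerOffline.
enum RevocationResult { Valid, Revoked, StatusUnknown, ChainInvalid }

static class CrlCheck
{
    // Builds the chain with revocation checking enabled and classifies the outcome.
    // allowNetwork=false reproduces the "cable unplugged" scenario from the thread:
    // only cached CRLs are consulted, so a missing CRL must report StatusUnknown.
    public static RevocationResult Check(X509Certificate2 cert, bool allowNetwork, out string detail)
    {
        var chain = new X509Chain();
        // Revocation is a chain-building setting. X509RevocationMode.NoCheck would give
        // the behaviour observed in the thread: a valid result regardless of CRL state.
        chain.ChainPolicy.RevocationMode = allowNetwork
            ? X509RevocationMode.Online
            : X509RevocationMode.Offline;
        // Self-signed roots have no CRL to fetch; check every other element.
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        // Bound the CRL download so a slow distribution point cannot hang the caller
        // (the multi-second verification mentioned in the thread is this fetch).
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(10);

        bool built = chain.Build(cert);
        detail = "";
        bool revoked = false, unknown = false;

        foreach (X509ChainStatus s in chain.ChainStatus)
        {
            detail += s.Status + ": " + s.StatusInformation.Trim() + "\n";
            if ((s.Status & X509ChainStatusFlags.Revoked) != 0)
                revoked = true;
            // Either flag means the CRL could not be obtained or evaluated.
            // Treating this as "valid" is exactly the failure mode discussed above.
            if ((s.Status & (X509ChainStatusFlags.RevocationStatusUnknown
                           | X509ChainStatusFlags.OfflineRevocation)) != 0)
                unknown = true;
        }
        chain.Reset();

        if (revoked) return RevocationResult.Revoked;
        if (unknown) return RevocationResult.StatusUnknown;
        return built ? RevocationResult.Valid : RevocationResult.ChainInvalid;
    }

    // Usage: CrlCheck <certificate-file> [--offline]
    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: CrlCheck <certificate-file> [--offline]");
            return 2;
        }
        bool online = !(args.Length > 1 && args[1] == "--offline");
        var cert = new X509Certificate2(args[0]);
        string detail;
        RevocationResult result = Check(cert, online, out detail);
        Console.WriteLine(cert.Subject);
        Console.WriteLine("result: " + result);
        if (detail.Length > 0) Console.Write(detail);
        // Only Valid is a pass; StatusUnknown is reported separately so the caller
        // can decide whether to fail closed rather than silently accepting.
        return result == RevocationResult.Valid ? 0 : 1;
    }
}
```

Running it twice against the same certificate, once with and once with --offline and no cached CRL, should produce Valid (or Revoked) in the first case and StatusUnknown in the second; a checker that reports Valid in both is not consulting the CRL at all, which is the symptom Gabriele observed.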


Copyright © 2002-2007, The Mentalis.org Team. All rights reserved.
This site is located at http://www.mentalis.org/