Checking Certificate Revocation Status
[CAPICOM is a 32-bit only component that is available for use in the following operating systems: Windows Server 2008, Windows Vista, and Windows XP. Instead, use the .NET Framework to implement security features. For more information, see Alternatives to Using CAPICOM.]
CAPICOM does not enable certificate revocation checking by default. However, certificate revocation checking can be enabled programmatically for a particular certificate through the IsValid.CheckFlag property of a Certificate object. After the appropriate value of CheckFlag has been set, accessing the Certificate object's IsValid.Result property or building the certificate's verification path using a Chain object's Build method forces revocation checking.
In the following example, cert has been instantiated as a valid CAPICOM certificate.
Dim cert As Certificate
Dim LocalStore As New Store
' Open the My store.
LocalStore.Open LocalStore.Open CAPICOM_CURRENT_USER_STORE, _
CAPICOM_MY_STORE, CAPICOM_STORE_OPEN_READ_WRITE
' Get the first certificate in the My store.
set cert = LocalStore.Certificates.Item(1)
cert.IsValid.CheckFlag = CAPICOM_CHECK_TRUSTED_ROOT Or _
CAPICOM_CHECK_TIME_VALIDITY Or _
CAPICOM_CHECK_SIGNATURE_VALIDITY Or _
CAPICOM_CHECK_ONLINE_REVOCATION_STATUS
If cert.IsValid.Result Then
'CERTIFICATE IS VALID!
Else
Dim chain As New Chain
chain.Build (cert)
If CAPICOM_TRUST_IS_REVOKED And chain.Status Then
'AT LEAST ONE CERTIFICATE IN THE CHAIN HAS BEEN REVOKED
End If
If CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN And chain.Status Then
'THE REVOCATION STATUS COULD NOT BE DETERMINED
End If
End If
The preceding applies to an individual certificate, no matter how it was obtained. Performing revocation checking on the certificates in a SignedData object is no different because the SignedData object's Verify method cannot be used for this purpose because enabling CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE does not cause CRL checking.
Instead, the CheckFlag must be set for each signer's certificate. Consider the following example where sData has been instantiated as a valid CAPICOM SignedData object.
Dim cert As Certificate
Dim chain As New Chain
' sData is an existing SignedData object.
For I = 1 To sData.Certificates.Count
set cert = sData.Certificates(I)
cert.IsValid.CheckFlag = _
CAPICOM_CHECK_TRUSTED_ROOT Or _
CAPICOM_CHECK_TIME_VALIDITY Or _
CAPICOM_CHECK_SIGNATURE_VALIDITY Or _
CAPICOM_CHECK_ONLINE_REVOCATION_STATUS
If cert.IsValid.Result Then
'THE CERTIFICATE IS VALID!
Else
chain.Build cert
If CAPICOM_TRUST_IS_REVOKED And chain.Status Then
'AT LEAST ONE CERTIFICATE IN THE CHAIN HAS BEEN REVOKED
End If
If CAPICOM_TRUST_REVOCATION_STATUS_UNKNOWN And chain.Status Then
'THE REVOCATION STATUS COULD NOT BE DETERMINED
End If
End If
Next I
The additional example is the loop over all the certificates in the SignedData object.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for