Checks whether an X.509 certificate has been revoked in a Certificate Revocation List (CRL).
Public Declare Function X509_CheckCertInCRL Lib "diCrPKI.dll" (ByVal strCertFile As String, ByVal strCrlFile As String, ByVal strCRLIssuerCert As String, ByVal strDate As String, ByVal nOptions As Long) As Long
nRet = X509_CheckCertInCRL(strCertFile, strCrlFile, strCRLIssuerCert, strDate, nOptions)
long __stdcall X509_CheckCertInCRL(const char *szCertFile, const char *szCrlFile, const char *szCRLIssuerCert, const char *szDate, long nOptions);
szDate: (optional) date-time in ISO 8601 format (e.g. 2009-12-31T12:59:59Z) on or after which you wish to check for revocation. Leave empty "" for any date. The time must be in GMT (UTC, Zulu time).
Zero (0) if the certificate is not in the CRL (i.e. it has not been revoked by that particular CRL). If the certificate has been revoked it returns PKI_X509_REVOKED (+42 = REVOCATION_ERROR); otherwise a negative error code.
static X509.cert_is_revoked(certfile, crlfile, crl_issuercert="", isodate="")
The optional szDate parameter allows you to check whether a certificate was revoked only after the given date-time, which must be in GMT (UTC). If the optional szCRLIssuerCert is specified, the signature of the CRL will be checked against the key in the issuer's certificate and a SIGNATURE_ERROR will result if the signature is invalid.
You can directly verify the signature in the CRL file using the X509_VerifyCert() function.
[Changed in v12.0] If the certificate is otherwise of correct format but has been revoked, this function returns REVOCATION_ERROR (42). Previous versions would return +1.
Dim nRet As Long
Dim strCrlFile As String
Dim strCertFile As String
Dim strDate As String

' Use test CRL and certs from RFC3280
strCrlFile = "rfc3280bis_CRL.crl"

' This cert has not been revoked.
strCertFile = "rfc3280bis_cert1.cer"
Debug.Print "CrlFile=" & strCrlFile
Debug.Print "CertFile=" & strCertFile
nRet = X509_CheckCertInCRL(strCertFile, strCrlFile, "", "", 0)
Debug.Print "X509_CheckCertInCRL returns " & nRet
If nRet = PKI_X509_REVOKED Then
    Debug.Print "CERT HAS BEEN REVOKED"
ElseIf nRet = 0 Then
    Debug.Print "Cert has not been revoked"
Else
    Debug.Print "ERROR: " & pkiErrorLookup(nRet) & ": " & pkiGetLastError()
End If

' This cert has been revoked.
strCertFile = "rfc3280bis_cert2.cer"
Debug.Print "CrlFile=" & strCrlFile
Debug.Print "CertFile=" & strCertFile
nRet = X509_CheckCertInCRL(strCertFile, strCrlFile, "", "", 0)
Debug.Print "X509_CheckCertInCRL returns " & nRet
If nRet = PKI_X509_REVOKED Then
    Debug.Print "CERT HAS BEEN REVOKED"
ElseIf nRet = 0 Then
    Debug.Print "Cert has not been revoked"
Else
    Debug.Print "ERROR: " & pkiErrorLookup(nRet) & ": " & pkiGetLastError()
End If

' But the same cert was not revoked as at 15:00 GMT on 19 November 2004
strCertFile = "rfc3280bis_cert2.cer"
strDate = "2004-11-19T15:00Z"
Debug.Print "CrlFile=" & strCrlFile
Debug.Print "CertFile=" & strCertFile
Debug.Print "Date=" & strDate
nRet = X509_CheckCertInCRL(strCertFile, strCrlFile, "", strDate, 0)
Debug.Print "X509_CheckCertInCRL(" & strDate & ") returns " & nRet
If nRet = PKI_X509_REVOKED Then
    Debug.Print "CERT HAS BEEN REVOKED"
ElseIf nRet = 0 Then
    Debug.Print "Cert has not been revoked"
Else
    Debug.Print "ERROR: " & pkiErrorLookup(nRet) & ": " & pkiGetLastError()
End If

This code should produce the following output:

CrlFile=rfc3280bis_CRL.crl
CertFile=rfc3280bis_cert1.cer
X509_CheckCertInCRL returns 0
Cert has not been revoked
CrlFile=rfc3280bis_CRL.crl
CertFile=rfc3280bis_cert2.cer
X509_CheckCertInCRL returns 1
CERT HAS BEEN REVOKED
CrlFile=rfc3280bis_CRL.crl
CertFile=rfc3280bis_cert2.cer
Date=2004-11-19T15:00Z
X509_CheckCertInCRL(2004-11-19T15:00Z) returns 0
Cert has not been revoked
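The three scenarios in the example above (a certificate that is not listed, one that is listed, and the listed one checked against a cut-off date) can be reproduced without the DLL or the RFC test files. The following is an added example, not CryptoSys PKI code: it models the decision X509_CheckCertInCRL makes over constructed in-memory certificate and CRL records. The serial numbers, issuer name and revocation date are constructed; the negative codes SIGNATURE_ERROR and BAD_DATE_ERROR are placeholders, since the page only says "a negative error code"; and the model assumes that a listed certificate counts as revoked only when its revocationDate is strictly after the cut-off, which is how the page's "not revoked as at 15:00 GMT" scenario reads. The real function verifies an ASN.1 signature against the issuer's key; here that step is replaced by a labelled name comparison.

```python
# Added example (not CryptoSys PKI code): a stand-alone model of the decision
# X509_CheckCertInCRL makes, run over constructed in-memory data.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Return values documented on the page for this function.
NOT_REVOKED = 0          # certificate is not listed in the CRL
REVOCATION_ERROR = 42    # PKI_X509_REVOKED / REVOCATION_ERROR (v12.0 and later)
# The page gives no numbers for the negative codes; these two are placeholders.
SIGNATURE_ERROR = -1     # placeholder: CRL signature does not verify against the issuer cert
BAD_DATE_ERROR = -2      # placeholder: szDate is not ISO 8601 UTC


@dataclass(frozen=True)
class Cert:
    issuer: str   # issuer name; real code compares DER-encoded Names
    serial: int


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime  # tz-aware UTC


@dataclass(frozen=True)
class Crl:
    issuer: str
    entries: Tuple[RevokedEntry, ...]
    # Stand-in for the CRL signature: the name of the certificate whose key
    # signed it. A real implementation verifies the signatureValue.
    signed_by: str


def parse_iso_utc(text: str) -> datetime:
    """Parse the two ISO 8601 shapes the page uses, 'yyyy-mm-ddThh:nn:ssZ' and
    'yyyy-mm-ddThh:nnZ'. The 'Z' is mandatory: the function requires GMT (UTC),
    and a local-time string would silently shift the cut-off."""
    if not text.endswith("Z"):
        raise ValueError("date-time must be UTC/Zulu: %r" % (text,))
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M"):
        try:
            return datetime.strptime(text[:-1], fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("not an ISO 8601 date-time: %r" % (text,))


def check_cert_in_crl(cert: Cert, crl: Crl, crl_issuer_cert: str = "",
                      isodate: str = "") -> int:
    """Model of X509_CheckCertInCRL(szCertFile, szCrlFile, szCRLIssuerCert, szDate, 0).
    Assumption: a listed certificate is reported as revoked only if its
    revocationDate is strictly after the optional cut-off date-time."""
    # The signature is checked only when an issuer certificate is supplied.
    if crl_issuer_cert and crl.signed_by != crl_issuer_cert:
        return SIGNATURE_ERROR
    cutoff: Optional[datetime] = None
    if isodate:
        try:
            cutoff = parse_iso_utc(isodate)
        except ValueError:
            return BAD_DATE_ERROR
    # A CRL only speaks for certificates of its own issuer; the same serial
    # under a different issuer is a different certificate.
    if cert.issuer != crl.issuer:
        return NOT_REVOKED
    for entry in crl.entries:
        if entry.serial == cert.serial:
            if cutoff is None or entry.revocation_date > cutoff:
                return REVOCATION_ERROR
            return NOT_REVOKED
    return NOT_REVOKED


# Constructed sample data shaped like the page's example (not the RFC test files).
CRL_ISSUER = "CN=Example CA"
SAMPLE_CRL = Crl(
    issuer=CRL_ISSUER,
    entries=(RevokedEntry(serial=1002,
                          revocation_date=datetime(2004, 11, 19, 15, 0, tzinfo=timezone.utc)),),
    signed_by=CRL_ISSUER,
)
CERT1 = Cert(issuer=CRL_ISSUER, serial=1001)   # not listed
CERT2 = Cert(issuer=CRL_ISSUER, serial=1002)   # listed, revoked 2004-11-19T15:00Z


def demo() -> Tuple[int, ...]:
    """The page's three scenarios plus a signature and a malformed-date case."""
    return (
        check_cert_in_crl(CERT1, SAMPLE_CRL),                              # 0
        check_cert_in_crl(CERT2, SAMPLE_CRL),                              # 42
        check_cert_in_crl(CERT2, SAMPLE_CRL, "", "2004-11-19T15:00Z"),     # 0
        check_cert_in_crl(CERT2, SAMPLE_CRL, "", "2004-11-19T14:59:59Z"),  # 42
        check_cert_in_crl(CERT2, SAMPLE_CRL, "CN=Other CA"),               # -1
        check_cert_in_crl(CERT2, SAMPLE_CRL, "", "2004-11-19 15:00"),      # -2
    )


if __name__ == "__main__":
    print(demo())
```

The point a caller should take from the model is that the "not revoked" result for the dated query is relative to szDate, not an absolute statement about the certificate: a check with an empty szDate is the one to use when deciding whether to trust a certificate now, and passing an issuer certificate is what turns the lookup into a check against a signed CRL rather than any file that happens to list the serial.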
See also: X509_MakeCRL, X509_VerifyCert, X509_CertIsValidNow, X509_ValidatePath