Validates a certificate path.
Public Declare Function X509_ValidatePath Lib "diCrPKI.dll" (ByVal strCertListOrP7File As String, ByVal strTrustedCert As String, ByVal nOptions As Long) As Long
nRet = X509_ValidatePath(strCertListOrP7File, strTrustedCert, nOptions)
long __stdcall X509_ValidatePath(const char *szCertListOrP7File, const char *szTrustedCert, long nOptions);
Zero (0) if the certification path is valid.
If the certificates are otherwise of correct format but the validation fails, the return value is PKI_X509_INVALID (+43 = CERT_PATH_ERROR); otherwise a negative error code.
X509.ValidatePath Method (String)
static X509.cert_path_is_valid(certlist, trustedcert="", no_timecheck=False)
A basic validation is carried out confirming that the subject of certificate x is the issuer of certificate x+1, that certificate x was signed by certificate x-1, and that each certificate is valid at the time shown by the system clock.
Only distinguished names are used to identify subjects and issuers, not alternative names or IDs.
Certificate policies are ignored and no checks are made for revocation (use X509_CheckCertInCRL() individually).
The order of the certificates in the input list is not important, but a complete chain must exist.
Note that the certificates must either all exist inside one .p7c cert chain file, or exist individually as .cer files.
In the latter case, specify all the file names in a semi-colon-separated list.
You can also pass the individual certificate information in its base64 representation rather than filenames, as in szCertList="MIHgMIGaAgE...se348UN/Q=;MIHgMIGaAgEB...9j8eEtvHw=;...etc.
The szTrustedCert parameter is required unless a self-signed trust anchor is included in the list.
If there is no self-signed certificate, then you must specify a trusted certificate which has signed the certificate at the top of your chain.
If specified, this must exist separately as a .cer file.
All certificates must be valid at the time the check is made or an error will result, unless the PKI_X509_NO_TIMECHECK option is used.
More information on the reason for an invalid certification path may be available by using PKI_LastError().
[Changed in v12.0] If the certificates are otherwise of correct format but the validation fails, this function returns CERT_PATH_ERROR (+43). Previous versions would return +1.
Dim nRet As Long
Dim strP7cFile As String
Dim strTrustedCert As String
Dim strCertList As String
' A p7c "certs-only" file which includes a self-signed cert
strP7cFile = "testcerts1.p7c"
nRet = X509_ValidatePath(strP7cFile, "", 0)
Debug.Print "X509_ValidatePath returns " & nRet & " (expected 0)"
' Same again but specify the trusted root cert
' (which is the same as the self-signed cert in the p7c file)
strP7cFile = "testcerts1.p7c"
strTrustedCert = "testcert00.cer"
nRet = X509_ValidatePath(strP7cFile, strTrustedCert, 0)
Debug.Print "X509_ValidatePath returns " & nRet & " (expected 0)"
' Specify a cert list - testcert00.cer is the self-signed cert
strCertList = "testcert00.cer;testcert03.cer;testcert01.cer;testcert02.cer"
nRet = X509_ValidatePath(strCertList, "", 0)
Debug.Print "X509_ValidatePath returns " & nRet & " (expected 0)"
' Same again but specify the trusted root cert (this time it is not in the list)
strCertList = "testcert01.cer;testcert02.cer;testcert03.cer"
strTrustedCert = "testcert00.cer"
nRet = X509_ValidatePath(strCertList, strTrustedCert, 0)
Debug.Print "X509_ValidatePath returns " & nRet & " (expected 0)"
X509_VerifyCert X509_CertIsValidNow X509_CheckCertInCRL