CryptoSys PKI Pro Manual

X509_VerifyCert

Verifies that an X.509 certificate - or X.509 certificate revocation list (CRL) or PKCS-10 certificate signing request (CSR) - has been signed by its issuer.

VBA/VB6 Syntax

Public Declare Function X509_VerifyCert Lib "diCrPKI.dll" (ByVal strCertToVerify As String, ByVal strIssuerCert As String, ByVal nOptions As Long) As Long

nRet = X509_VerifyCert(strCertToVerify, strIssuerCert, nOptions)

C/C++ Syntax

long __stdcall X509_VerifyCert(const char *szCertToVerify, const char *szIssuerCert, long nOptions);

Parameters

szCertToVerify
[in] Name of the file to be verified (or a PEM string).
szIssuerCert
[in] Name of the issuer's certificate file (or a PEM string). Leave empty "" for a PKCS#10 CSR.
nOptions
[in] option flags: not used in this release. Specify zero.

Returns (VBA/C)

Zero (0) if the certificate's signature is valid. If the certificate is otherwise of correct format but the validation fails, the return value is PKI_X509_VERIFY_FAILURE (+22 = SIGNATURE_ERROR); otherwise it returns a positive error code.

.NET Equivalent

X509.VerifyCert Method

Python Equivalent

static X509.cert_is_verified(certfile, issuercert)

Remarks

This function verifies only that the certificate was signed by the owner of the public key in the issuer's certificate. It does not check the validity dates of either certificate (to do that use X509_CertIsValidNow()), nor does it check whether the certificate has been revoked (to do that use X509_CheckCertInCRL()). Only certificates signed with supported signature algorithms can be checked: see Supported Algorithms. The certificate file may be in binary BER/DER format or base64 PEM file format, or may be passed in base64 representation or as a PEM string.

This function can also be used to verify that an X.509 Certificate Revocation List (CRL) has been signed by the owner of the issuer's certificate or that the self-signed signature in a PKCS#10 Certificate Signing Request (CSR) is valid. Just pass the name of the file (or its PEM string form) as szCertToVerify.

[New in v12.0] A PKCS#10 Certificate Signing Request (CSR) contains its own public key which it can use to verify its own signature directly. To verify a CSR, pass its name in szCertToVerify and set szIssuerCert="". See example below.

[Changed in v12.0] If the certificate is otherwise of correct format but the validation fails, this function returns SIGNATURE_ERROR (22). Previous versions would return -1.

Example

This example verifies that the certificate myuser.cer has been signed by the owner of myca.cer.

' Returns 0 if OK, PKI_X509_VERIFY_FAILURE if fails to validate, or +ve other error
Dim nRet As Long
nRet = X509_VerifyCert("myuser.cer", "myca.cer", 0)
If nRet = 0 Then
    Debug.Print "Verification is OK"
ElseIf nRet = PKI_X509_VERIFY_FAILURE Then
    Debug.Print "Cert not issued by this Issuer"
Else
    Debug.Print "Error: " & nRet & pkiGetLastError()
End If

This example verifies the signature in a PKCS#10 Certificate Signing Request.

Dim nRet As Long
nRet = X509_VerifyCert("myreq.p10.txt", "", 0)
If nRet = 0 Then
    Debug.Print "Verification is OK"
ElseIf nRet = PKI_X509_VERIFY_FAILURE Then
    Debug.Print "Signature is invalid"
Else
    Debug.Print "Error: " & nRet & pkiGetLastError()
End If
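
The Remarks above note that a zero return covers the signature only. The following is an added example, not part of the CryptoSys manual, that combines the signature check with the validity-date and revocation checks named there and rejects on any non-zero result. The file name myca.crl, the function name CertPassesAllChecks, and the argument lists and zero-on-success convention of X509_CertIsValidNow and X509_CheckCertInCRL are assumptions; confirm them against those functions' own manual pages.

```vba
' Added example (not from the CryptoSys manual). File names are placeholders.
' Assumed: the vendor's VBA declarations module is loaded, and that
' X509_CertIsValidNow and X509_CheckCertInCRL take the arguments used below
' and return zero on success.
Public Function CertPassesAllChecks(strCert As String, strIssuer As String, _
                                    strCrl As String) As Boolean
    Dim nRet As Long
    CertPassesAllChecks = False   ' fail closed: every early exit rejects

    ' 1. Signature: was the cert signed by the owner of the issuer's key?
    nRet = X509_VerifyCert(strCert, strIssuer, 0)
    If nRet = PKI_X509_VERIFY_FAILURE Then
        Debug.Print "Cert not issued by this Issuer"
        Exit Function
    ElseIf nRet <> 0 Then
        Debug.Print "Error verifying cert: " & nRet & " " & pkiGetLastError()
        Exit Function
    End If

    ' 2. Validity dates of both certificates (X509_VerifyCert checks neither).
    If X509_CertIsValidNow(strCert, 0) <> 0 Then
        Debug.Print "Cert is outside its validity period, or error"
        Exit Function
    End If
    If X509_CertIsValidNow(strIssuer, 0) <> 0 Then
        Debug.Print "Issuer cert is outside its validity period, or error"
        Exit Function
    End If

    ' 3. The CRL is only trustworthy if the issuer signed it.
    nRet = X509_VerifyCert(strCrl, strIssuer, 0)
    If nRet <> 0 Then
        Debug.Print "CRL signature not verified: " & nRet & " " & pkiGetLastError()
        Exit Function
    End If

    ' 4. Revocation: non-zero means listed in the CRL, or an error.
    '    Assumed arguments: cert, CRL, CRL issuer cert ("" = none),
    '    date ("" = any), options.
    nRet = X509_CheckCertInCRL(strCert, strCrl, "", "", 0)
    If nRet <> 0 Then
        Debug.Print "Cert revoked or CRL check failed: " & nRet & " " & pkiGetLastError()
        Exit Function
    End If

    CertPassesAllChecks = True
End Function
' Usage: Debug.Print CertPassesAllChecks("myuser.cer", "myca.cer", "myca.crl")
```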

See Also

X509_CertIsValidNow, X509_ValidatePath, X509_CheckCertInCRL


Copyright © 2004-24 D.I. Management Services Pty Ltd. All rights reserved. Generated 2024-09-23T07:52:09Z.