Need help reading from Certificate Revocation Lists in .NET
From: anonymoustechie2005 (anonymoustechie2005_at_discussions.microsoft.com)
Date: 06/24/05
- Next message: dl: "Re: custom event log"
- Previous message: Joe Kaplan \(MVP - ADSI\): "Re: custom event log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 23 Jun 2005 19:44:01 -0700
If there is anyone who is familiar with X509 certificates and certificate revocation lists, any help would be appreciated.

We are trying to build a VB.NET-based tool that will check if a certificate is found in a certificate revocation list (CRL), utilizing P/Invoke and the Crypt32.dll API. The first approach we tried to use had these steps:
1. Place the certificate in a CERT Context using the function CertCreateCertificateContext.
2. Place CRL in a CRL Context using the function CertCreateCRLContext.
3. Check if the cert is in the CRL by using the function CertFindCertificateInCRL, passing in as parameters the CERT Context and CRL Context.
Here’s what the actual code looks like:
'Requires Imports System.ComponentModel (for Win32Exception).
Private Const X509_ASN_ENCODING As UInt32 = &H1UI
Private Const PKCS_7_ASN_ENCODING As UInt32 = &H10000UI
Private Const MY_ENCODING_TYPE As UInt32 = X509_ASN_ENCODING Or PKCS_7_ASN_ENCODING

'Crypt32 declarations (Declare turns SetLastError on). The last parameter of
'CertFindCertificateInCRL is PCRL_ENTRY* (an out pointer), so it must be ByRef;
'passed ByVal, contextCertInCRL stays IntPtr.Zero and every lookup returns False.
Private Declare Function CertCreateCertificateContext Lib "crypt32.dll" ( _
    ByVal dwCertEncodingType As UInt32, ByVal pbCertEncoded As Byte(), ByVal cbCertEncoded As UInt32) As IntPtr
Private Declare Function CertCreateCRLContext Lib "crypt32.dll" ( _
    ByVal dwCertEncodingType As UInt32, ByVal pbCrlEncoded As Byte(), ByVal cbCrlEncoded As UInt32) As IntPtr
Private Declare Function CertFindCertificateInCRL Lib "crypt32.dll" ( _
    ByVal pCert As IntPtr, ByVal pCrlContext As IntPtr, ByVal dwFlags As UInt32, _
    ByVal pvReserved As IntPtr, ByRef ppCrlEntry As IntPtr) As Boolean
Private Declare Function CertFreeCertificateContext Lib "crypt32.dll" (ByVal pCertContext As IntPtr) As Boolean
Private Declare Function CertFreeCRLContext Lib "crypt32.dll" (ByVal pCrlContext As IntPtr) As Boolean

'cert and crl hold the DER-encoded certificate and CRL bytes.
Private Function IsCertificateInCRL(ByVal cert As Byte(), ByVal crl As Byte()) As Boolean
    Dim contextCert As IntPtr = IntPtr.Zero
    Dim contextCRL As IntPtr = IntPtr.Zero
    Dim contextCertInCRL As IntPtr = IntPtr.Zero
    Dim wasCRLSearched As Boolean
    Try
        contextCert = CertCreateCertificateContext(MY_ENCODING_TYPE, cert, Convert.ToUInt32(cert.Length))
        contextCRL = CertCreateCRLContext(MY_ENCODING_TYPE, crl, Convert.ToUInt32(crl.Length))
        'A zero handle means decoding failed; Win32Exception reports GetLastError.
        If contextCert = IntPtr.Zero OrElse contextCRL = IntPtr.Zero Then
            Throw New Win32Exception()
        End If
        'CertFindCertificateInCRL returns True if the CRL was searched.
        'If the certificate is found in the CRL, contextCertInCRL is updated with a
        'pointer to the entry. Otherwise, it is set to NULL. The returned entry is
        'not allocated and must not be freed.
        wasCRLSearched = CertFindCertificateInCRL(contextCert, contextCRL, _
            Convert.ToUInt32(0), IntPtr.Zero, contextCertInCRL)
        If wasCRLSearched = True Then
            'check if the parameter was changed (VB.NET has no NULL; IntPtr.Zero is the null pointer)
            If contextCertInCRL = IntPtr.Zero Then
                Return False 'certificate is not found in the CRL
            Else
                Return True 'certificate is found in the CRL
            End If
        Else
            'TO DO: show message that CRL search was not successful
            Return False
        End If
    Finally
        'Release the contexts we created (the CRL entry pointer is owned by contextCRL).
        If contextCert <> IntPtr.Zero Then CertFreeCertificateContext(contextCert)
        If contextCRL <> IntPtr.Zero Then CertFreeCRLContext(contextCRL)
    End Try
End Function
We found out that the function CertCreateCRLContext() may be incomplete in its implementation from Microsoft. According to MSDN, the function is supposed to take an encoded CRL in raw format and return a PCCRL_CONTEXT structure, which contains all of the CRL data packaged and easily accessible. But according to a source we found, the current implementation of CertCreateCRLContext does not do any data decoding for the encoded CRL input. It just creates a new PCCRL_CONTEXT structure then copies the encoded data into one of its fields. No data decoding is performed and so the returned structure is no more useful than the encoded data.

If this is true, can somebody suggest other approaches that would work? With our current approach, we are not getting any errors, but we are not getting the desired results either. We use a manual reading check of the CRL file to verify the correctness of the code. The code returns False even if the certificate is in the CRL.

Again, any help would be appreciated, thanks!
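The post asks for other approaches. As an added example (not part of the original message and not the poster's code), the following VB.NET module lets the framework's X509Chain class perform the revocation check; X509Chain wraps the same Windows certificate engine (Crypt32) that the P/Invoke code talks to, but it handles the CRL decoding, signature check and serial-number lookup itself. It assumes the CRL for the issuing CA is already known to Windows (installed in a certificate store or present in the CRL cache) so that Offline mode can consult it, and it takes the certificate path from the command line; both are assumptions for this example. The result distinguishes "revoked" from "could not check", so a missing CRL is not mistaken for a clean certificate.

```vbnet
' Added example, not from the original post. Managed revocation check via X509Chain.
' Assumption: the issuing CA's CRL is already available to Windows (store or cache),
' which is what RevocationMode.Offline relies on.
Imports System
Imports System.Security.Cryptography.X509Certificates

Public Module RevocationCheck

    ' Kept separate from a Boolean so callers can tell "not revoked" from "unknown".
    Public Enum RevocationResult
        NotRevoked
        Revoked
        Unknown
    End Enum

    Public Function CheckRevocation(ByVal cert As X509Certificate2) As RevocationResult
        Dim chain As New X509Chain()
        ' Offline: only CRLs Windows already has. Use Online to allow fetches from the
        ' certificate's CRL distribution point instead.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag

        ' Build returns False on any policy failure; ChainStatus carries the reasons.
        If chain.Build(cert) Then
            Return RevocationResult.NotRevoked
        End If

        For Each status As X509ChainStatus In chain.ChainStatus
            If (status.Status And X509ChainStatusFlags.Revoked) = X509ChainStatusFlags.Revoked Then
                Return RevocationResult.Revoked
            End If
        Next

        ' Fail closed: RevocationStatusUnknown / OfflineRevocation (no usable CRL) or any
        ' other chain failure is reported as Unknown rather than NotRevoked.
        Return RevocationResult.Unknown
    End Function

    Sub Main(ByVal args As String())
        ' Usage: RevocationCheck <path-to-cert.cer>   (the path is supplied by the caller)
        Dim cert As New X509Certificate2(args(0))
        Console.WriteLine("{0}: {1}", cert.Subject, CheckRevocation(cert).ToString())
    End Sub
End Module
```

If the aim is specifically "is this serial number listed in this CRL file", the chain approach still works once the file has been imported into a store (for example with certutil -addstore), because the engine then picks that CRL up during the Offline build; a result of Unknown means the engine could not locate or validate a CRL for the issuer and should be treated as a failed check, not as a pass.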