Re: capicom / cryptoapi certificate chain verification error 0x80092004

From: Kelvin Yiu [MS] (kelviny_at_online.microsoft.com)
Date: 12/06/04

Date: Mon, 6 Dec 2004 14:48:57 -0800

> My wincrypt.h is from PSDK of May, 2003 (MSDN Disc 00004.7). It actually
> tells to #define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS to use extra fields, but
> I was not able to do that - I put the define in my code, but still get the
> error - yes I almost forgot C++ ;(.
>
> So... it is possible to set this timeout, isn't it? Can you help me to set
> it?
>

Try adding this define before any #include statements:

#define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS 1

>
> Also, I'd like to better control the flags that are used for validation:
> what is the correct way to perform an online check? I mean in capicom you
> can easily set CAPICOM_CHECK_ONLINE_ALL, but what is the equivalent using
> cryptoapis?

Call CertGetCertificateChain with the
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT flag. Then call
CertVerifyCertificateChainPolicy with the resulting certificate chain
context and specify CERT_CHAIN_POLICY_BASE.

-- 
Kelvin Yiu [MS]
This posting is provided "AS IS" with no warranties, and confers no rights

"AL" <alberto.velo@gruppoih.it> wrote in message 
news:OSOmNq62EHA.1144@TK2MSFTNGP09.phx.gbl...
> David Cross [MS] wrote:
>> another clue...since you indicate only the third CDP is reachable, it may 
>> be very well that CryptoAPI has too short of a default time interval 
>> remaining to retrieve the CRL.  This whitepaper explains the default 
>> timeout intervals and how they are increasingly smaller with each 
>> subsequent URL.
>>
>>  http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
>>
> David,
> I switched to CryptoAPI, writing a COM utility in C++/ATL, in order to 
> perform accurate certificate validation starting from a sample found at MS 
> site 
> (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/example_c_program_creating_a_certificate_chain.asp).
>
> I can now get a result from the validation, and understand if the 
> certificate is valid or what went wrong, by calling 
> CertGetCertificateChain as in the example.
>
> However, following what you told me in the above message, I'd like to set 
> my own timeout for CRL downloading: I then tried to set the 
> dwUrlRetrievalTimeout flag of the CERT_CHAIN_PARA structure, but only get 
> errors at compile time:
>
> 'dwUrlRetrievalTimeout' : is not a member of '_CERT_CHAIN_PARA'
>
> My wincrypt.h is from PSDK of May, 2003 (MSDN Disc 00004.7). It actually 
> tells to #define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS to use extra fields, but 
> I was not able to do that - I put the define in my code, but still get the 
> error - yes I almost forgot C++ ;(.
>
> So... it is possible to set this timeout, isn't it? Can you help me to set 
> it?
>
>
> Also, I'd like to better control the flags that are used for validation: 
> what is the correct way to perform an online check? I mean in capicom you 
> can easily set CAPICOM_CHECK_ONLINE_ALL, but what is the equivalent using 
> cryptoapis?