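Добрый день, волнует вопрос по проверке сертификата на отозванность. После блуждания по форуму вывел две функции, которые можно использовать: CertIsValidCRLForCertificate() и проверку через цепочки сертификатов. Интересует такой вопрос: с помощью какой функции правильнее это делать? Ниже привожу код, с помощью которого проверяю цепочки. Но получаю ошибку CERT_TRUST_REVOCATION_STATUS_UNKNOWN, а в чём может быть собака зарыта? (CRL создаю нормально, без ошибок, устанавливаю из файла, вот только куда он должен установиться, в какой блоб? Это второй вопрос.) Спасибо.

// One trust-status bit of CERT_TRUST_STATUS and the diagnostic printed when it is set.
struct TrustStatusText
{
    DWORD       dwFlag;
    const char *pszText;
};

// dwErrorStatus bits and their messages (same texts as the earlier switch,
// in the same order; the missing space in the "revocation status" message is fixed).
static const TrustStatusText kChainErrorText[] =
{
    { CERT_TRUST_IS_NOT_TIME_VALID,
      "This certificate or one of the certificates in the certificate chain is not time-valid.\n" },
    { CERT_TRUST_IS_NOT_TIME_NESTED,
      "Certificates in the chain are not properly time-nested.\n" },
    { CERT_TRUST_IS_REVOKED,
      "Trust for this certificate or one of the certificates in the certificate chain has been revoked.\n" },
    { CERT_TRUST_IS_NOT_SIGNATURE_VALID,
      "The certificate or one of the certificates in the certificate chain does not have a valid signature.\n" },
    { CERT_TRUST_IS_NOT_VALID_FOR_USAGE,
      "The certificate or certificate chain is not valid in its proposed usage.\n" },
    { CERT_TRUST_IS_UNTRUSTED_ROOT,
      "The certificate or certificate chain is based on an untrusted root.\n" },
    { CERT_TRUST_REVOCATION_STATUS_UNKNOWN,
      "The revocation status of the certificate or one of the certificates in the certificate chain is unknown.\n" },
    { CERT_TRUST_IS_CYCLIC,
      "One of the certificates in the chain was issued by a certification authority that the original certificate had certified.\n" },
    { CERT_TRUST_IS_PARTIAL_CHAIN,
      "The certificate chain is not complete.\n" },
    { CERT_TRUST_CTL_IS_NOT_TIME_VALID,
      "A CTL used to create this chain was not time-valid.\n" },
    { CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID,
      "A CTL used to create this chain did not have a valid signature.\n" },
    { CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE,
      "A CTL used to create this chain is not valid for this usage.\n" },
};

// dwInfoStatus bits and their messages.
static const TrustStatusText kChainInfoText[] =
{
    { CERT_TRUST_HAS_EXACT_MATCH_ISSUER,
      "An exact match issuer certificate has been found for this certificate.\n" },
    { CERT_TRUST_HAS_KEY_MATCH_ISSUER,
      "A key match issuer certificate has been found for this certificate.\n" },
    { CERT_TRUST_HAS_NAME_MATCH_ISSUER,
      "A name match issuer certificate has been found for this certificate.\n" },
    { CERT_TRUST_IS_SELF_SIGNED,
      "This certificate is self-signed.\n" },
    { CERT_TRUST_IS_COMPLEX_CHAIN,
      "The certificate chain created is a complex chain.\n" },
};

// Prints one line for every bit of dwStatus found in pTable and reports any
// remaining bits the table does not know about.  Diagnostics only.
static void PrintTrustStatusBits(DWORD dwStatus, const TrustStatusText *pTable, size_t cTable)
{
    DWORD dwUnlisted = dwStatus;
    for (size_t i = 0; i < cTable; ++i)
    {
        if (dwStatus & pTable[i].dwFlag)
        {
            printf("%s", pTable[i].pszText);
            dwUnlisted &= ~pTable[i].dwFlag;
        }
    }
    if (dwUnlisted != 0)
        printf("Additional status bits not listed above: 0x%08lx\n", (unsigned long)dwUnlisted);
}

// Builds the certificate chain for the end certificate behind mypCertContext,
// with revocation checking enabled, and reports whether the chain is trusted.
//
// mypCertContext: a PCCERT_CONTEXT handed over as a raw byte pointer (the
//                 caller's convention); it stays owned by the caller.
// Returns TRUE only when the chain was built and TrustStatus.dwErrorStatus is
// CERT_TRUST_NO_ERROR.  Every error bit -- including
// CERT_TRUST_REVOCATION_STATUS_UNKNOWN -- yields FALSE: an unobtainable
// revocation status is treated as a failed check, never ignored.
// Diagnostics go to stdout and a MessageBox, as before.
BOOL CCC_CertLib::CRPT_Cert_Chain_VerifyWin(unsigned char *mypCertContext)
{
    PCCERT_CONTEXT pCertContext = reinterpret_cast<PCCERT_CONTEXT>(mypCertContext);
    if (pCertContext == NULL)
        return FALSE;

    // Zero every CryptoAPI structure before filling it: only a few fields are
    // set explicitly, and the SDK structures have grown extra fields (e.g.
    // under CERT_CHAIN_PARA_HAS_EXTRA_FIELDS) that must not hold stack garbage.
    CERT_ENHKEY_USAGE EnhkeyUsage;
    memset(&EnhkeyUsage, 0, sizeof(EnhkeyUsage));
    EnhkeyUsage.cUsageIdentifier = 0;          // no enhanced-key-usage restriction
    EnhkeyUsage.rgpszUsageIdentifier = NULL;

    CERT_USAGE_MATCH CertUsage;
    memset(&CertUsage, 0, sizeof(CertUsage));
    CertUsage.dwType = USAGE_MATCH_TYPE_AND;
    CertUsage.Usage = EnhkeyUsage;

    CERT_CHAIN_PARA ChainPara;
    memset(&ChainPara, 0, sizeof(ChainPara));
    ChainPara.cbSize = sizeof(CERT_CHAIN_PARA);
    ChainPara.RequestedUsage = CertUsage;

    CERT_CHAIN_ENGINE_CONFIG ChainConfig;
    memset(&ChainConfig, 0, sizeof(ChainConfig));
    ChainConfig.cbSize = sizeof(CERT_CHAIN_ENGINE_CONFIG);
    ChainConfig.hRestrictedRoot = NULL;
    ChainConfig.hRestrictedTrust = NULL;
    ChainConfig.hRestrictedOther = NULL;
    // No additional stores: the engine then looks for the CRL in the system
    // stores only.  A store that holds the CRL can be listed here instead.
    ChainConfig.cAdditionalStore = 0;
    ChainConfig.rghAdditionalStore = NULL;
    // dwFlags configures the engine itself; the CERT_CHAIN_REVOCATION_CHECK_*
    // values belong to CertGetCertificateChain (below) and were previously
    // placed here as well, where they have no meaning.
    ChainConfig.dwFlags = 0;
    ChainConfig.dwUrlRetrievalTimeout = 0;     // engine default
    ChainConfig.MaximumCachedCertificates = 0; // engine default
    ChainConfig.CycleDetectionModulus = 0;     // engine default

    HCERTCHAINENGINE hChainEngine = NULL;
    if (!CertCreateCertificateChainEngine(&ChainConfig, &hChainEngine))
        return FALSE;

    // Check revocation for every certificate except the self-signed root.
    // A root normally has no issuer CRL, so CERT_CHAIN_REVOCATION_CHECK_CHAIN
    // (root included) commonly reports CERT_TRUST_REVOCATION_STATUS_UNKNOWN
    // even when the CRL for the rest of the chain is installed.
    const DWORD dwChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;

    PCCERT_CHAIN_CONTEXT pChainContext = NULL;
    if (!CertGetCertificateChain(
            hChainEngine,    // the engine configured above (the original passed
                             // NULL here, so ChainConfig was never used)
            pCertContext,    // end certificate
            NULL,            // verify against the current time
            NULL,            // no extra stores beyond the engine's
            &ChainPara,      // AND-matched usage, no EKU restriction
            dwChainFlags,
            NULL,            // reserved
            &pChainContext))
    {
        MessageBox(0, "Opa!", "gopa000", MB_OK);
        CertFreeCertificateChainEngine(hChainEngine);
        return FALSE;
    }

    BOOL bTrusted = TRUE;
    const DWORD dwErrorStatus = pChainContext->TrustStatus.dwErrorStatus;
    if (dwErrorStatus != CERT_TRUST_NO_ERROR)
    {
        // dwErrorStatus is a bitmask and several bits can be set at once; the
        // previous switch matched only exact single-bit values and printed
        // nothing for combinations.
        PrintTrustStatusBits(dwErrorStatus, kChainErrorText,
                             sizeof(kChainErrorText) / sizeof(kChainErrorText[0]));

        printf("\nInfo status for the chain:\n");
        const DWORD dwInfoStatus = pChainContext->TrustStatus.dwInfoStatus;
        if (dwInfoStatus == 0)
            printf("No information status reported.\n");
        else
            PrintTrustStatusBits(dwInfoStatus, kChainInfoText,
                                 sizeof(kChainInfoText) / sizeof(kChainInfoText[0]));

        // Per-certificate detail is available in
        // pChainContext->rgpChain[i]->rgpElement[j]->TrustStatus, which
        // pinpoints the element that failed (e.g. whose CRL was not found).
        // The original comment said the error is written to a file; the code
        // only shows a message box, so that is what is kept here.
        MessageBox(0, "Opa!", "Error in status", MB_OK);
        bTrusted = FALSE;
    }

    // Single release point for both handles on every path out of here.
    CertFreeCertificateChain(pChainContext);
    CertFreeCertificateChainEngine(hChainEngine);
    return bTrusted;
}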
Ответы:
Правильнее через цепочки. Для этого CRL должен быть установлен в хранилище «Промежуточные центры сертификации», иначе по умолчанию функция проверки цепочек его находить не будет. Но можно установить его в любое хранилище и указать функции, где искать. С блобами она не работает.