29.06.2006 14:37:26Проверка на отозванность сертификата (CRL) Ответов: 1
Ivan
Добрый день волнует вопрос по проверки сертификата на отозванность, после блуждания по форуму, вывел две функции которые можно использовать:
CertIsValidCRLForCertificate()
Через цепочки сертификатов.
Интересует такой вопрос: с помощью какой функции правильнее это делать?

Ниже привожу код с помощью которого проверяю цепочки:
Но получаю ошибку CERT_TRUST_REVOCATION_STATUS_UNKNOWN, а где может быть собака зарыта? (CRL создаю нормально без ошибок, устанавливаю из файла, вот только куда он должен установиться, в какой блоб? Это второй вопрос.)
Спасибо.

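// Prints a human-readable line for every error bit set in a chain's
// TrustStatus.dwErrorStatus.
//
// dwErrorStatus is a bit mask, so each flag is tested with `&` instead of
// being matched in a switch: a chain with several problems at once (for
// example an untrusted root AND an unknown revocation status) would match
// no `case` label and print nothing at all.
static void CRPT_PrintChainErrorStatus(DWORD dwErrorStatus)
{
    if (dwErrorStatus == CERT_TRUST_NO_ERROR)
    {
        printf("No error found for this certificate or chain.\n");
        return;
    }
    if (dwErrorStatus & CERT_TRUST_IS_NOT_TIME_VALID)
        printf("This certificate or one of the certificates in the "
               "certificate chain is not time-valid.\n");
    if (dwErrorStatus & CERT_TRUST_IS_NOT_TIME_NESTED)
        printf("Certificates in the chain are not properly "
               "time-nested.\n");
    if (dwErrorStatus & CERT_TRUST_IS_REVOKED)
        printf("Trust for this certificate or one of the certificates "
               "in the certificate chain has been revoked.\n");
    if (dwErrorStatus & CERT_TRUST_IS_NOT_SIGNATURE_VALID)
        printf("The certificate or one of the certificates in the "
               "certificate chain does not have a valid signature.\n");
    if (dwErrorStatus & CERT_TRUST_IS_NOT_VALID_FOR_USAGE)
        printf("The certificate or certificate chain is not valid "
               "in its proposed usage.\n");
    if (dwErrorStatus & CERT_TRUST_IS_UNTRUSTED_ROOT)
        printf("The certificate or certificate chain is based "
               "on an untrusted root.\n");
    // This is the status the original poster hits: the engine could not
    // obtain a usable CRL for at least one certificate.  It is reported
    // separately from CERT_TRUST_IS_REVOKED, but the caller must treat it
    // as a failure too -- "unknown" is not "not revoked".
    if (dwErrorStatus & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
        printf("The revocation status of the certificate or one of the "
               "certificates in the certificate chain is unknown.\n");
    if (dwErrorStatus & CERT_TRUST_IS_CYCLIC)
        printf("One of the certificates in the chain was issued by a "
               "certification authority that the original certificate "
               "had certified.\n");
    if (dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
        printf("The certificate chain is not complete.\n");
    if (dwErrorStatus & CERT_TRUST_CTL_IS_NOT_TIME_VALID)
        printf("A CTL used to create this chain was not time-valid.\n");
    if (dwErrorStatus & CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID)
        printf("A CTL used to create this chain did not have a valid "
               "signature.\n");
    if (dwErrorStatus & CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE)
        printf("A CTL used to create this chain is not valid for this "
               "usage.\n");
}

// Prints a human-readable line for every information bit set in a chain's
// TrustStatus.dwInfoStatus.  Like dwErrorStatus this is a bit mask; only the
// flags the original listing reported are described here.
static void CRPT_PrintChainInfoStatus(DWORD dwInfoStatus)
{
    if (dwInfoStatus == 0)
    {
        printf("No information status reported.\n");
        return;
    }
    if (dwInfoStatus & CERT_TRUST_HAS_EXACT_MATCH_ISSUER)
        printf("An exact match issuer certificate has been found for "
               "this certificate.\n");
    if (dwInfoStatus & CERT_TRUST_HAS_KEY_MATCH_ISSUER)
        printf("A key match issuer certificate has been found for this "
               "certificate.\n");
    if (dwInfoStatus & CERT_TRUST_HAS_NAME_MATCH_ISSUER)
        printf("A name match issuer certificate has been found for this "
               "certificate.\n");
    if (dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED)
        printf("This certificate is self-signed.\n");
    if (dwInfoStatus & CERT_TRUST_IS_COMPLEX_CHAIN)
        printf("The certificate chain created is a complex chain.\n");
}

// Builds the certificate chain for the certificate behind mypCertContext
// (a PCCERT_CONTEXT passed through an unsigned char*) with revocation (CRL)
// checking requested for every certificate in the chain, and reports the
// result.
//
// Returns TRUE only when the chain was built and
// TrustStatus.dwErrorStatus is CERT_TRUST_NO_ERROR.  Any other status --
// including CERT_TRUST_REVOCATION_STATUS_UNKNOWN, i.e. no usable CRL could
// be found -- is described on stdout, shown in a message box, and makes
// the function return FALSE, so a missing CRL fails closed.
//
// On CERT_TRUST_REVOCATION_STATUS_UNKNOWN: the engine is created with
// cAdditionalStore == 0, so it only consults its default stores.  The CRL
// therefore has to be imported into a store the engine searches (the forum
// reply suggests the Intermediate Certification Authorities store), or an
// opened store holding it has to be supplied through
// ChainConfig.rghAdditionalStore / the hAdditionalStore parameter of
// CertGetCertificateChain.  The engine does not read CRLs from raw blobs.
// Note also that CERT_CHAIN_REVOCATION_CHECK_CHAIN includes the root
// certificate itself; self-signed roots usually publish no CRL, so
// CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT is the flag to consider if
// the unknown status comes from the root.
//
// NOTE(review): the forum listing shows no return type.  BOOL matches the
// TRUE/FALSE returns -- confirm against the class declaration.
BOOL CCC_CertLib::CRPT_Cert_Chain_VerifyWin(unsigned char *mypCertContext)
{
    PCCERT_CONTEXT pCertContext = reinterpret_cast<PCCERT_CONTEXT>(mypCertContext);
    if (pCertContext == NULL)
        return FALSE;

    // Zero-initialise every structure: CERT_CHAIN_PARA and
    // CERT_CHAIN_ENGINE_CONFIG have grown extra fields in later SDKs, and
    // the original code left those bytes uninitialised.
    CERT_ENHKEY_USAGE EnhkeyUsage = {};
    EnhkeyUsage.cUsageIdentifier = 0;      // no EKU restriction
    EnhkeyUsage.rgpszUsageIdentifier = NULL;

    CERT_USAGE_MATCH CertUsage = {};
    CertUsage.dwType = USAGE_MATCH_TYPE_AND;
    CertUsage.Usage = EnhkeyUsage;

    CERT_CHAIN_PARA ChainPara = {};
    ChainPara.cbSize = sizeof(CERT_CHAIN_PARA);
    ChainPara.RequestedUsage = CertUsage;

    CERT_CHAIN_ENGINE_CONFIG ChainConfig = {};
    ChainConfig.cbSize = sizeof(CERT_CHAIN_ENGINE_CONFIG);
    ChainConfig.hRestrictedRoot = NULL;
    ChainConfig.hRestrictedTrust = NULL;
    ChainConfig.hRestrictedOther = NULL;
    ChainConfig.cAdditionalStore = 0;      // default stores only -- see the header comment
    ChainConfig.rghAdditionalStore = NULL;
    // The engine's dwFlags field takes CERT_CHAIN_CACHE_* /
    // CERT_CHAIN_USE_LOCAL_MACHINE_STORE style flags.  The original
    // listing put CERT_CHAIN_REVOCATION_CHECK_CHAIN here, where it has no
    // effect; revocation checking is requested through the dwFlags
    // argument of CertGetCertificateChain below.
    ChainConfig.dwFlags = 0;
    ChainConfig.dwUrlRetrievalTimeout = 0; // default timeout
    ChainConfig.MaximumCachedCertificates = 0;
    ChainConfig.CycleDetectionModulus = 0;

    //---------------------------------------------------------
    // Create the nondefault certificate chain engine.
    HCERTCHAINENGINE hChainEngine = NULL;
    if (!CertCreateCertificateChainEngine(&ChainConfig, &hChainEngine))
        return FALSE;

    // The original listing created hChainEngine and then passed NULL here,
    // silently using the default engine instead; the engine built above is
    // now the one that does the work.
    PCCERT_CHAIN_CONTEXT pChainContext = NULL;
    if (!CertGetCertificateChain(
            hChainEngine,                     // the engine created above
            pCertContext,                     // pointer to the end certificate
            NULL,                             // use the current time
            NULL,                             // search no additional stores
            &ChainPara,                       // AND logic, no EKU restriction
            CERT_CHAIN_REVOCATION_CHECK_CHAIN,// CRL-check every certificate in the chain
            NULL,                             // reserved
            &pChainContext))                  // receives the chain context
    {
        MessageBox(0,"Opa!", "gopa000", MB_OK);
        CertFreeCertificateChainEngine(hChainEngine);
        return FALSE;
    }

    const DWORD dwErrorStatus = pChainContext->TrustStatus.dwErrorStatus;
    const BOOL chainIsTrusted = (dwErrorStatus == CERT_TRUST_NO_ERROR);
    if (!chainIsTrusted)
    {
        CRPT_PrintChainErrorStatus(dwErrorStatus);
        printf("\nInfo status for the chain:\n");
        CRPT_PrintChainInfoStatus(pChainContext->TrustStatus.dwInfoStatus);
        // If an error occurred, record it.  (The original comment said
        // "write it to a file"; the code only shows a message box.)
        MessageBox(0,"Opa!","Error in status", MB_OK);
    }

    // Release the chain before the engine that produced it.
    CertFreeCertificateChain(pChainContext);
    CertFreeCertificateChainEngine(hChainEngine);
    return chainIsTrusted;
}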
 
Ответы:
29.06.2006 15:41:55Kirill Sobolev
Правильнее через цепочки.
Для этого CRL должен быть установлен в хранилище «Промежуточные ЦС», иначе по умолчанию функция проверки цепочек его находить не будет. Но можно установить его в любое хранилище и указать функции, где искать. С блобами она не работает.