NPKIVerifyCertificateWithTrustedRoots
Constructs a certificate chain starting with the specified
certificate and using all of the Trusted Root objects within the
specified Trusted Root container (formerly NWPKIVerifyCertificateWithTrustedRoots).
Syntax
#include "npki.h"

NWRCODE NPKIVerifyCertificateWithTrustedRoots(
    const NPKIContext context,
    const pnuint8 certificate,
    const nuint32 certificateLen,
    const unicode *TRContextDN,
    void *reserved1,
    nuint32 flags,
    pnuint32 cRLReason,
    pnuint32 cRLHoldInstruction,
    time_t *cRLRevocationTime,
    time_t *cRLInvalidityDateTime,
    pnuint32 certInvalidityReason,
    void *reserved4);
Parameters
- context
- (IN) Specifies the NPKI context for the request.
- certificate
- (IN) Specifies the DER-encoded X.509 certificate
you want to verify.
- certificateLen
- (IN) Specifies the size of the certificate.
- TRContextDN
- (IN) Specifies the FDN of the Trusted Root container
that is to be searched.
- reserved1
- Reserved for future use.
- flags
- (IN) Specifies whether to verify the certificate,
check certificate revocation, both, or neither. For related flag
definitions, see Section 4.12, NPKIx509 Certificate
Invalidity Reasons and Section 4.13, NPKIx509 CRL Hold
Types.
- cRLReason
- (OUT) Returns the CRL reason code if the certificate has been revoked
(for example, private key compromised, affiliation changed, superseded).
This field is set only if the return code is PKI_E_CERT_INVALID
and certInvalidityReason is NPKIx509Invalid_Certificate_On_CRL.
- cRLHoldInstruction
- (OUT) Returns the hold instruction from the CRL if the certificate
has been revoked with the reason code certificateHold. This field is
set only if the return code is PKI_E_CERT_INVALID,
certInvalidityReason is NPKIx509Invalid_Certificate_On_CRL,
and cRLReason is PKI_CERTIFICATE_HOLD.
- cRLRevocationTime
- (OUT) Returns the date the certificate became invalid.
This field is set only if the return code is set to PKI_E_CERT_INVALID
and the certInvalidityReason is set to NPKIx509Invalid_Certificate_On_CRL.
- cRLInvalidityDateTime
- (OUT) Returns the date the CRL becomes invalid.
- certInvalidityReason
- (OUT) Returns the reason the certificate is invalid (for example,
revoked, invalid issuer, unreadable extensions, expired). This field
is set only if the return code is PKI_E_CERT_INVALID.
- reserved4
- Reserved for future use.
Return Values
Returns 0 if successful, or an eDirectory or PKI error code
if not successful.
Remarks
The chain is considered complete once a self-signed certificate
has been found. Once the complete certificate chain has been constructed,
it is verified. Certificate revocation checking is supported.
For sample code, see VerifyWithTrustedRoot.
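The OUT parameters above are only meaningful under the conditions each description states, so a caller should zero-initialize them before the call and read them only along that ladder. The helper below is an added example, not code from the NPKI SDK or its sample; it assumes the result values have been copied into a plain struct, and the numeric constants are placeholders so the example compiles without npki.h (the real values come from that header).

```c
#include <time.h>

/* Placeholder values so this compiles without the NPKI SDK; the real
 * definitions of these names come from npki.h. */
#ifndef PKI_E_CERT_INVALID
#define PKI_E_CERT_INVALID 1
#endif
#ifndef NPKIx509Invalid_Certificate_On_CRL
#define NPKIx509Invalid_Certificate_On_CRL 2
#endif
#ifndef PKI_CERTIFICATE_HOLD
#define PKI_CERTIFICATE_HOLD 3
#endif

enum npki_verdict {
    NPKI_VERDICT_VALID,          /* rc == 0: chain built and verified   */
    NPKI_VERDICT_REVOKED,        /* on a CRL, reason other than hold    */
    NPKI_VERDICT_REVOKED_HOLD,   /* on a CRL with reason certificateHold*/
    NPKI_VERDICT_INVALID_OTHER,  /* PKI_E_CERT_INVALID, not a CRL hit   */
    NPKI_VERDICT_CALL_FAILED     /* any other eDirectory/PKI error code */
};

/* Zero this before the call: the library writes the cRL* and
 * certInvalidityReason fields only in the cases documented above. */
struct npki_verify_result {
    unsigned long rc;                  /* NWRCODE from the call  */
    unsigned long cRLReason;
    unsigned long cRLHoldInstruction;
    time_t        cRLRevocationTime;
    time_t        cRLInvalidityDateTime;
    unsigned long certInvalidityReason;
};

/* Walk the ladder: return code, then certInvalidityReason, then cRLReason. */
enum npki_verdict npki_classify(const struct npki_verify_result *r)
{
    if (r->rc == 0)
        return NPKI_VERDICT_VALID;
    if (r->rc != PKI_E_CERT_INVALID)
        return NPKI_VERDICT_CALL_FAILED;      /* other fields unset */
    if (r->certInvalidityReason != NPKIx509Invalid_Certificate_On_CRL)
        return NPKI_VERDICT_INVALID_OTHER;    /* cRL* fields unset  */
    if (r->cRLReason == PKI_CERTIFICATE_HOLD)
        return NPKI_VERDICT_REVOKED_HOLD;     /* hold instruction valid */
    return NPKI_VERDICT_REVOKED;
}

/* Nonzero only when cRLHoldInstruction may be read for this result. */
int npki_hold_instruction_valid(const struct npki_verify_result *r)
{
    return npki_classify(r) == NPKI_VERDICT_REVOKED_HOLD;
}
```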