NPKIVerifyCertificateWithTrustedRoots

Constructs a certificate chain starting with the specified certificate and using all of the Trusted Root objects within the specified Trusted Root container (formerly NWPKIVerifyCertificateWithTrustedRoots).

Syntax

    #include "npki.h"
    
    NWRCODE NPKIVerifyCertificateWithTrustedRoots(
       const NPKIContext             context, 
       const pnuint8                 certificate,
       const nuint32                 certificateLen,
       const unicode                *TRContextDN,
       void                         *reserved1,
       nuint32                       flags,
       pnuint32                      cRLReason,
       pnuint32                      cRLHoldInstruction,
       time_t                       *cRLRevocationTime,
       time_t                       *cRLInvalidityDateTime, 
       pnuint32                      certInvalidityReason,
       void                         *reserved4); 
    

Parameters

context
(IN) Specifies the NPKI context for the request.
certificate
(IN) Specifies the DER-encoded X.509 certificate you want to verify.
certificateLen
(IN) Specifies the size of the certificate.
TRContextDN
(IN) Specifies the FDN of the Trusted Root container that is to be searched.
reserved1
Reserved for future use
flags
(IN) Specifies whether to verify the certificate, check certificate revocation, both, or neither. For related flag definitions, see Section 4.12, NPKIx509 Certificate Invalidity Reasons and Section 4.13, NPKIx509 CRL Hold Types.
cRLReason
(OUT) Returns the reason code, if the certificate has been revoked (that is, the reason the certificate has been revoked; private key compromised, affiliate change, superseded, etc.). This field is set only if the return code is set to PKI_E_CERT_INVALID and the certInvalidityReason is set to NPKIx509Invalid_Certificate_On_CRL.
cRLHoldInstruction
(OUT) Returns the hold instruction from the CRL, if the certificate has been revoked and the reason code is certificateHold, points to the hold instruction from the CRL. This field will be set only if the return code is set to PKI_E_CERT_INVALID and the certInvalidityReason is set to NPKIx509Invalid_Certificate_On_CRL and the cRLReason is set to PKI_CERTIFICATE_HOLD.
cRLRevocationTime
(OUT) Returns the revocation date recorded in the CRL entry for the certificate. This field is set only if the return code is PKI_E_CERT_INVALID and certInvalidityReason is NPKIx509Invalid_Certificate_On_CRL.
cRLInvalidityDateTime
(OUT) Returns the date on which the CRL that was consulted becomes invalid. A CRL whose invalidity date has already passed is stale revocation data, and callers should treat it as such.
certInvalidityReason
(OUT) Returns the reason the certificate is invalid (that is, revoked, invalid issuer, unreadable extensions, expired, and so on). This field is set only if the return code is PKI_E_CERT_INVALID.
reserved4
Reserved for future use.

Return Values

Returns 0 if successful, or an eDirectory or PKI error code if not successful.

Remarks

The chain is considered complete once a self-signed certificate has been found. Once the complete certificate chain has been constructed, it is verified. Certificate revocation checking is supported. Only the checks requested through flags are performed: if neither verification nor revocation checking is requested, a return value of 0 means only that the chain could be constructed, not that the certificate is trustworthy. Because each OUT parameter is written only under the conditions listed above, callers should initialize all of them before the call and read each one only when its condition holds.
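The following is an added example, not code from the Novell NDK or the VerifyWithTrustedRoot sample. It wraps NPKIVerifyCertificateWithTrustedRoots so that every OUT parameter is zero-initialized, each one is consulted only under the precondition the parameter list states for it, and the result is reduced to a fail-closed trust decision. The real call is compiled only when HAVE_NPKI_H is defined (an assumed build flag); otherwise the typedefs and the numeric values of PKI_E_CERT_INVALID, NPKIx509Invalid_Certificate_On_CRL and PKI_CERTIFICATE_HOLD are placeholders so the decision logic runs stand-alone. The stale-CRL check is caller-side policy, not something this reference says the library enforces.

```c
/* Added example: fail-closed interpretation of the results of
 * NPKIVerifyCertificateWithTrustedRoots. Not from the Novell NDK.
 * Build with -DHAVE_NPKI_H to use the real npki.h; otherwise the
 * placeholders below stand in for it (their values are assumptions). */
#include <stdio.h>
#include <string.h>
#include <time.h>

#ifdef HAVE_NPKI_H
#include "npki.h"
#else
typedef unsigned int   NWRCODE;   /* placeholder for the NDK return-code type */
typedef unsigned int   nuint32;   /* placeholder */
typedef unsigned char *pnuint8;   /* placeholder */
#define PKI_E_CERT_INVALID                 0xFFFF0001u  /* placeholder value, not npki.h's */
#define NPKIx509Invalid_Certificate_On_CRL 0x00000010u  /* placeholder value, not npki.h's */
#define PKI_CERTIFICATE_HOLD               6u           /* RFC 5280 CRLReason certificateHold = 6 */
#endif

/* Everything the call reports, collected so a decision can be made (and
 * tested) without the library present. */
typedef struct {
    NWRCODE rc;
    nuint32 cRLReason;
    nuint32 cRLHoldInstruction;
    time_t  cRLRevocationTime;
    time_t  cRLInvalidityDateTime;
    nuint32 certInvalidityReason;
} npki_verify_result;

typedef enum {
    TRUST_OK = 0,     /* chain built and verified, CRL still current */
    TRUST_REVOKED,    /* on a CRL with a reason other than certificateHold */
    TRUST_ON_HOLD,    /* on a CRL with reason certificateHold: treat as revoked for now */
    TRUST_INVALID,    /* PKI_E_CERT_INVALID for a non-CRL reason (expired, bad issuer, ...) */
    TRUST_STALE_CRL,  /* rc == 0 but the CRL consulted is past its invalidity date */
    TRUST_ERROR       /* any other eDirectory or PKI error code */
} trust_decision;

#ifdef HAVE_NPKI_H
/* The library writes only the OUT parameters whose preconditions hold, so
 * every field starts at zero. reserved1 and reserved4 are passed as NULL. */
npki_verify_result verify_with_trusted_roots(const NPKIContext ctx,
                                             const pnuint8 cert, nuint32 certLen,
                                             const unicode *trContextDN, nuint32 flags)
{
    npki_verify_result r;
    memset(&r, 0, sizeof r);
    r.rc = NPKIVerifyCertificateWithTrustedRoots(ctx, cert, certLen, trContextDN, NULL, flags,
                                                 &r.cRLReason, &r.cRLHoldInstruction,
                                                 &r.cRLRevocationTime, &r.cRLInvalidityDateTime,
                                                 &r.certInvalidityReason, NULL);
    return r;
}
#endif

/* Map the raw result to a decision, consulting each field only when the
 * reference says it is valid for that return code. */
trust_decision decide(const npki_verify_result *r, time_t now)
{
    if (r->rc == PKI_E_CERT_INVALID) {
        if (r->certInvalidityReason == NPKIx509Invalid_Certificate_On_CRL)
            return r->cRLReason == PKI_CERTIFICATE_HOLD ? TRUST_ON_HOLD : TRUST_REVOKED;
        return TRUST_INVALID;
    }
    if (r->rc != 0)
        return TRUST_ERROR;   /* unknown failure: never fall through to OK */
    /* Caller-side policy: a CRL whose invalidity date has passed is stale. */
    if (r->cRLInvalidityDateTime != 0 && r->cRLInvalidityDateTime <= now)
        return TRUST_STALE_CRL;
    return TRUST_OK;
}

/* Build a result from scalar values and decide on it. */
trust_decision decide_fields(NWRCODE rc, nuint32 invalidityReason, nuint32 crlReason,
                             time_t crlInvalidityDate, time_t now)
{
    npki_verify_result r;
    memset(&r, 0, sizeof r);
    r.rc = rc;
    r.certInvalidityReason = invalidityReason;
    r.cRLReason = crlReason;
    r.cRLInvalidityDateTime = crlInvalidityDate;
    return decide(&r, now);
}

int main(void)
{
    time_t now = (time_t)1700000000;   /* constructed "current time", 2023-11-14 UTC */
    /* Constructed results standing in for real calls. */
    printf("current CRL, rc=0  -> %d\n", decide_fields(0, 0, 0, (time_t)1800000000, now));
    printf("certificateHold    -> %d\n", decide_fields(PKI_E_CERT_INVALID,
           NPKIx509Invalid_Certificate_On_CRL, PKI_CERTIFICATE_HOLD, 0, now));
    printf("stale CRL, rc=0    -> %d\n", decide_fields(0, 0, 0, (time_t)1600000000, now));
    return 0;
}
```

Note that a hold is reported separately from a permanent revocation only so the caller can decide whether to retry later; for the current request both must be refused, and any return code other than 0 or PKI_E_CERT_INVALID must be refused as well rather than treated as "not revoked".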

For sample code, see VerifyWithTrustedRoot.

See Also

NPKICreateTrustedRootContainer, NPKICreateTrustedRoot, NPKIFindTrustedRootsInContext, NPKIGetTrustedRootInfo