NPKIT_VerifyCertificate
Determines if the specified subjectCertificate can be
verified by the issuerCertificate (formerly NWPKIVerifyCertificate).
Syntax
#include "NPKIT_Verify.h"

NWRCODE NPKIT_VerifyCertificate
(
   const pnuint8   issuerCertificate,
   const nuint32   issuerCertificateLen,
   const pnuint8   subjectCertificate,
   const nuint32   subjectCertificateLen,
   const pnuint8   CRL,
   const nuint32   CRLLen,
   pnuint32        reason,
   pnuint32        holdInstruction,
   void           *reserved1,
   void           *reserved2,
   void           *reserved3,
   void           *reserved4
);
Parameters
- issuerCertificate
- (IN) Points to the DER encoded X.509 certificate
to use to verify the subject certificate.
- issuerCertificateLen
- (IN) Specifies the size of the issuer certificate.
- subjectCertificate
- (IN) Points to the DER encoded X.509 subject certificate
to verify.
- subjectCertificateLen
- (IN) Specifies the size of the subject certificate.
- CRL
- (IN) Specifies the DER encoded CRL. (Not implemented
in this release; pass in NULL.)
- CRLLen
- (IN) Specifies the size of the CRL. (Not implemented
in this release; pass in NULL.)
- reason
- (OUT) If the certificate is invalid, specifies
the reason code. See Section 4.7, NPKIT_x509
Certificate Invalidity Reason Flags.
- holdInstruction
- (OUT) If the certificate has been revoked and the
reason code is certificateHold, specifies
the hold instruction from the CRL. (Not implemented in this release;
pass in NULL.)
- reserved1
- Reserved for future use. Pass in NULL.
- reserved2
- Reserved for future use. Pass in NULL.
- reserved3
- Reserved for future use. Pass in NULL.
- reserved4
- Reserved for future use. Pass in NULL.
Remarks
In this release NPKIT_VerifyCertificate
checks the following:
- Issuer and subject names agree.
- Subject validity dates are a subset of issuer validity
dates.
- Validity dates are valid.
- The issuer certificate signed the subject certificate.
- The issuer is a CA.
- The path length constraints have not been exceeded.
- The key usage of issuer allows for certificate signing.
- The issuer’s critical extensions are supported.
This function does not check for certificate revocation. Use NPKIT_VerifyCertChain for complete certificate
verification.
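The non-cryptographic checks listed above can be modelled as follows. This is an added example, not Novell's implementation or part of the NPKIT API. The cert_fields structure, the check_pair function, and the reason bit values are all hypothetical, names are compared as plain strings, and "validity dates are valid" is assumed to mean that each period is well ordered and that the subject is within its period at the time of the check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical reason bits for this example, not the NPKIT flag values. */
enum { R_NAME = 1, R_DATES = 2, R_NESTING = 4, R_NOT_CA = 8,
       R_PATHLEN = 16, R_KEY_USAGE = 32, R_CRIT_EXT = 64 };

/* Hypothetical stand-in for fields already decoded from a DER certificate. */
typedef struct {
    const char *subject, *issuer;  /* names, compared here as plain strings */
    time_t not_before, not_after;  /* validity period */
    int is_ca;                     /* basicConstraints cA */
    int path_len;                  /* pathLenConstraint, -1 when absent */
    int key_cert_sign;             /* keyUsage keyCertSign bit */
    int unsupported_critical;      /* a critical extension we cannot process */
} cert_fields;

/* Returns 0 when every non-cryptographic check passes, else OR-ed reason bits.
 * cas_below: intermediate CA certificates between issuer and end entity.
 * Signature verification needs a crypto library and is not modelled here. */
uint32_t check_pair(const cert_fields *iss, const cert_fields *sub,
                    time_t now, int cas_below)
{
    uint32_t r = 0;
    if (strcmp(sub->issuer, iss->subject) != 0) r |= R_NAME;
    if (sub->not_before > sub->not_after || iss->not_before > iss->not_after ||
        now < sub->not_before || now > sub->not_after) r |= R_DATES;
    if (sub->not_before < iss->not_before || sub->not_after > iss->not_after)
        r |= R_NESTING;
    if (!iss->is_ca) r |= R_NOT_CA;
    if (iss->path_len >= 0 && cas_below > iss->path_len) r |= R_PATHLEN;
    if (!iss->key_cert_sign) r |= R_KEY_USAGE;
    if (iss->unsupported_critical) r |= R_CRIT_EXT;
    return r;
}

/* Constructed sample data: a CA valid for t=100..900 and two subjects. */
static const cert_fields ca   = { "CN=Example CA", "CN=Example CA", 100, 900, 1, 0, 1, 0 };
static const cert_fields good = { "CN=host", "CN=Example CA", 200, 800, 0, -1, 0, 0 };
static const cert_fields late = { "CN=host2", "CN=Example CA", 200, 950, 0, -1, 0, 0 };

int main(void)
{
    printf("good=%u late=%u\n", (unsigned)check_pair(&ca, &good, 500, 0),
           (unsigned)check_pair(&ca, &late, 500, 0));
    return 0;
}
```

The second sample subject fails only the nesting check, because its validity period ends after the issuer's.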