NPKIT_VerifyCertificate

Determines if the specified subjectCertificate can be verified by the issuerCertificate (formerly NWPKIVerifyCertificate).

Syntax

   #include "NPKIT_Verify.h"
   
   NWRCODE NPKIT_VerifyCertificate
   (
      const pnuint8        issuerCertificate,
      const nuint32        issuerCertificateLen,
      const pnuint8        subjectCertificate,
      const nuint32        subjectCertificateLen,
      const pnuint8        CRL,
      const nuint32        CRLLen,
      pnuint32             reason,
      pnuint32             holdInstruction,
      void                *reserved1, 
      void                *reserved2,
      void                *reserved3,
      void                *reserved4
   ); 
   

Parameters

issuerCertificate
(IN) Points to the DER encoded X.509 certificate to use to verify the subject certificate.
issuerCertificateLen
(IN) Specifies the size of the issuer certificate.
subjectCertificate
(IN) Points to the DER encoded X.509 subject certificate to verify.
subjectCertificateLen
(IN) Specifies the size of the subject certificate.
CRL
(IN) Specifies the DER encoded CRL. (Not implemented in this release; pass in NULL.)
CRLLen
(IN) Specifies the size of the CRL. (Not implemented in this release; pass in NULL.)
reason
(OUT) If the certificate is invalid, specifies the reason code. See Section 4.7, NPKIT_x509 Certificate Invalidity Reason Flags.
holdInstruction
(OUT) If the certificate has been revoked and the reason code is certificateHold, specifies the hold instruction from the CRL. (Not implemented in this release; pass in NULL.)
reserved1
Reserved for future use. Pass in NULL.
reserved2
Reserved for future use. Pass in NULL.
reserved3
Reserved for future use. Pass in NULL.
reserved4
Reserved for future use. Pass in NULL.

Return Values

Returns 0 if successful or a PKI or NICI error code if not successful. For a listing of NPKIT error codes, see Certificate Server Error Code Constants.

Remarks

In this release, NPKIT_VerifyCertificate checks the following:

  • Issuer and subject names agree.
  • Subject validity dates are a subset of issuer validity dates.
  • Validity dates are valid.
  • The issuer certificate signed the subject certificate.
  • The issuer is a CA.
  • The path length constraints have not been exceeded.
  • The key usage of issuer allows for certificate signing.
  • The issuer’s critical extensions are supported.

This function does not check for certificate revocation. Use NPKIT_VerifyCertChain for complete certificate verification.
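A caller-side pattern for the parameters and limits described above, as an added example that is not code from the SDK or its vendor. The typedefs, `verify_fn`, `check_link`, `link_result` and `fake_verify` are hypothetical; the page does not say whether an invalid certificate is reported through the return value or only through `reason`, so the wrapper treats either as failure and assumes a `reason` of 0 means no flag is set.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for the SDK typedefs; with the SDK, include NPKIT_Verify.h instead. */
typedef uint8_t nuint8, *pnuint8;
typedef uint32_t nuint32, *pnuint32;
typedef int32_t NWRCODE;

/* Same parameter list as the Syntax section, so NPKIT_VerifyCertificate can be passed in. */
typedef NWRCODE (*verify_fn)(const pnuint8, const nuint32, const pnuint8, const nuint32,
                             const pnuint8, const nuint32, pnuint32, pnuint32,
                             void *, void *, void *, void *);

enum link_status { LINK_OK_REVOCATION_UNCHECKED, LINK_BAD_INPUT, LINK_CALL_FAILED, LINK_INVALID };
struct link_result { enum link_status status; NWRCODE rc; nuint32 reason; };

/* Hypothetical wrapper: accept the issuer/subject pair only when the call returns 0
   AND no invalidity reason flag is set. */
struct link_result check_link(verify_fn verify, pnuint8 issuer, nuint32 issuerLen,
                              pnuint8 subject, nuint32 subjectLen)
{
    struct link_result r = { LINK_BAD_INPUT, 0, 0 };   /* reason starts at 0 */
    if (!verify || !issuer || !subject || issuerLen == 0 || subjectLen == 0)
        return r;
    /* CRL, CRLLen, holdInstruction and reserved1-4 are passed as NULL/0 per the page. */
    r.rc = verify(issuer, issuerLen, subject, subjectLen, NULL, 0,
                  &r.reason, NULL, NULL, NULL, NULL, NULL);
    if (r.rc != 0)          r.status = LINK_CALL_FAILED;
    else if (r.reason != 0) r.status = LINK_INVALID;
    else                    r.status = LINK_OK_REVOCATION_UNCHECKED; /* revocation not checked */
    return r;
}

/* Constructed stand-in so the example runs without the SDK: returns -1 if the issuer
   buffer does not start with a DER SEQUENCE tag (0x30), sets reason 0x1 if the subject does not. */
NWRCODE fake_verify(const pnuint8 iss, const nuint32 il, const pnuint8 sub, const nuint32 sl,
                    const pnuint8 crl, const nuint32 cl, pnuint32 reason, pnuint32 hold,
                    void *r1, void *r2, void *r3, void *r4)
{
    (void)il; (void)sl; (void)crl; (void)cl; (void)hold; (void)r1; (void)r2; (void)r3; (void)r4;
    if (iss[0] != 0x30) return -1;
    *reason = (sub[0] == 0x30) ? 0u : 0x1u;
    return 0;
}

int main(void)
{
    nuint8 ca[] = { 0x30, 0x00 }, leaf[] = { 0x30, 0x00 }, junk[] = { 0xff, 0x00 }; /* constructed */
    printf("%d %d\n", check_link(fake_verify, ca, 2, leaf, 2).status,
                      check_link(fake_verify, ca, 2, junk, 2).status);
    return 0;
}
```

With the SDK installed, pass `NPKIT_VerifyCertificate` as the first argument in place of `fake_verify`; a `LINK_OK_REVOCATION_UNCHECKED` result still leaves revocation to be checked separately.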

See Also

NPKIT_VerifyCertChain, NPKIT_VerifyCertChainWithCallback