I need to perform certificate revocation checks. The user must be allowed to select either OCSP-only, CRL-only, or both. The project is using C#, but .NET does not offer independent OCSP/CRL checks out-of-the-box.
By default, Windows first checks OCSPs and if OCSP servers are not accessible, only then checks CRLs. For details:
- Windows XP: Certificate Status and Revocation Checking
- How Certificate Revocation Works
- Managing OCSP Settings with Group Policy
This is not what must be implemented, and the requirements cannot be changed.
The Win32 API apparently allows performing certificate revocation checks using OCSP only:
- CertVerifyRevocation with CERT_VERIFY_REV_SERVER_OCSP_FLAG enabled.
I don't see any similar option for CRL-only checks.
The only way to do it, as I see it, would be to use
- CryptGetObjectUrl to extract CRL URLs
- CryptRetrieveObjectByUrl to download the CRLs
- CertVerifyCRLRevocation to perform the verification
Question:
Is there any other easier way to perform CRL-only checks using Win32?
Note:
Third-party libraries like Bouncy Castle, for example, do not do everything that Windows does for revocation checking, and I would prefer not to reinvent the wheel.
That's why I would stick to the Win32 methods since they already handle many things: delta CRLs, stapled OCSP, caching, timeouts, retries, configurability etc.
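The three-call sequence from the question (CryptGetObjectUrl, CryptRetrieveObjectByUrl, CertVerifyCRLRevocation), as an added C# P/Invoke example rather than code from the original post; the declarations, the CrlOnlyCheck wrapper, the issuer-certificate parameter and the CRYPT_VERIFY_CONTEXT_SIGNATURE flag value are my own assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
// Added example, not code from the question; the P/Invoke declarations and this wrapper are my own assumptions.
static class CrlOnlyCheck
{
    const int URL_OID_CERTIFICATE_CRL_DIST_POINT = 1;   // pszUrlOid: CDP URLs of a certificate
    const int CONTEXT_OID_CRL = 2;                      // pszObjectOid: return the download as a CRL context
    const uint CRYPT_VERIFY_CONTEXT_SIGNATURE = 0x20;   // verify the CRL signature with the pvVerify certificate
    [StructLayout(LayoutKind.Sequential)] struct CRYPT_URL_ARRAY { public uint cUrl; public IntPtr rgwszUrl; }
    [StructLayout(LayoutKind.Sequential)] struct CryptContext   // leading fields shared by CERT_CONTEXT and CRL_CONTEXT
    { public uint dwEncodingType; public IntPtr pbEncoded; public uint cbEncoded; public IntPtr pInfo; public IntPtr hStore; }
    [DllImport("cryptnet.dll", SetLastError = true)]
    static extern bool CryptGetObjectUrl(IntPtr pszUrlOid, IntPtr pvPara, uint dwFlags, IntPtr pUrlArray,
        ref uint pcbUrlArray, IntPtr pUrlInfo, IntPtr pcbUrlInfo, IntPtr pvReserved);
    [DllImport("cryptnet.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CryptRetrieveObjectByUrl(string pszUrl, IntPtr pszObjectOid, uint dwRetrievalFlags, uint dwTimeout,
        out IntPtr ppvObject, IntPtr hAsyncRetrieve, IntPtr pCredentials, IntPtr pvVerify, IntPtr pAuxInfo);
    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertVerifyCRLRevocation(uint dwCertEncodingType, IntPtr pCertId, uint cCrlInfo, IntPtr[] rgpCrlInfo);
    [DllImport("crypt32.dll")] static extern bool CertFreeCRLContext(IntPtr pCrlContext);
    // True if cert (Handle = PCCERT_CONTEXT) is on a CRL named in its CDP extension; throws if no CRL could be
    // fetched and verified, because an unreachable CRL must surface as "unknown", never as "good".
    public static bool IsRevokedByCrl(X509Certificate2 cert, X509Certificate2 issuer, uint timeoutMs = 15000)
    {
        IntPtr oid = (IntPtr)URL_OID_CERTIFICATE_CRL_DIST_POINT; uint cb = 0;
        CryptGetObjectUrl(oid, cert.Handle, 0, IntPtr.Zero, ref cb, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero); // size query
        if (cb == 0) throw new Win32Exception(Marshal.GetLastWin32Error());   // e.g. certificate has no CDP extension
        IntPtr buf = Marshal.AllocHGlobal((int)cb); var crls = new List<IntPtr>();
        try {
            if (!CryptGetObjectUrl(oid, cert.Handle, 0, buf, ref cb, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            var urls = Marshal.PtrToStructure<CRYPT_URL_ARRAY>(buf);
            for (int i = 0; i < urls.cUrl; i++) {
                string url = Marshal.PtrToStringUni(Marshal.ReadIntPtr(urls.rgwszUrl, i * IntPtr.Size));
                // pvVerify = issuer context: a CRL the issuer did not sign is rejected at download time
                if (CryptRetrieveObjectByUrl(url, (IntPtr)CONTEXT_OID_CRL, CRYPT_VERIFY_CONTEXT_SIGNATURE, timeoutMs,
                        out IntPtr crl, IntPtr.Zero, IntPtr.Zero, issuer.Handle, IntPtr.Zero))
                    crls.Add(crl);
            }
            if (crls.Count == 0) throw new Win32Exception(Marshal.GetLastWin32Error());
            var certCtx = Marshal.PtrToStructure<CryptContext>(cert.Handle);
            IntPtr[] crlInfos = crls.ConvertAll(c => Marshal.PtrToStructure<CryptContext>(c).pInfo).ToArray();
            // TRUE means "not on any of these CRLs"; FALSE means the serial number is listed.
            return !CertVerifyCRLRevocation(certCtx.dwEncodingType, certCtx.pInfo, (uint)crlInfos.Length, crlInfos);
        }
        finally { foreach (var c in crls) CertFreeCRLContext(c); Marshal.FreeHGlobal(buf); }
    }
}
```

Only the base CRLs listed in the CDP extension are fetched here; delta CRLs and a check of the CRL's NextUpdate freshness window are left to the caller.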