You can customize validation information about the VA that validates certificates issued by specific CAs. Customizing this information allows an application to contact a different VA for each CA.
You can use the Vtk_CtxtSetVaInfo function to set the validation information. The VA validation information includes the VA URL, the validation mechanism, and optionally the list of trusted VA certificates to be used with the VA.
Note: If you do not set the list of trusted VA certificates using the Vtk_CtxtSetVaInfo function, you must set the list through the Vtk_CtxtAddCert or Vtk_CtxtAddCerts functions.
The VA URL and validation mechanism specified in the Vtk_CtxtSetVaInfo function will be used as the default for all validations performed for certificates issued by this CA. If you specify CRL as the validation mechanism, you must also set details about the protocol in the Vtk_ProtocolDetails structure.
Code Sample for Customizing VA Information
The following code sample demonstrates how to customize VA information for a specific CA. It includes information for the OCSP, CRT and CRL validation mechanisms.
/*
 * SetVAForSpecificCA
 *
 * Parameters:
 *   pCtxt    - pointer to Toolkit context
 *   pCaCert1 - CA certificates for which a specific VA will be set
 *   pCaCert2
 *   pCaCert3
 *   vaUrl1   - URL of the OCSP VA, for example: http://ocsp.valicert.net:80/
 *   vaUrl2   - URL of the CRT VA, for example: http://ci.valicert.net:80/
 *   vaUrl3   - URL of the CRL VA, for example: http://testlab/crl_test/testlab.crl
 *   pVaCerts - certificate store with trusted VA certificates
 */
int SetVAForSpecificCA(Vtk_Ctxt *pCtxt,
                       const Vtk_Cert *pCaCert1,
                       const Vtk_Cert *pCaCert2,
                       const Vtk_Cert *pCaCert3,
                       const char *vaUrl1,
                       const char *vaUrl2,
                       const char *vaUrl3,
                       const Vtk_CertStore *pVaCerts)
{
    Vtk_uint32 ret;
    enum Vtk_ValidationMech mech;
    Vtk_ProtocolDetails protocol;

    /*
     * This call sets the validation information specific to an
     * individual CA. The VA uses the OCSP protocol, so protocol
     * details need not be provided. The VA certificate must be in
     * the trusted VA certificate store, pVaCerts.
     */
    mech = VTK_VM_OCSP;
    ret = Vtk_CtxtSetVaInfo(pCtxt, pCaCert1, vaUrl1, mech, NULL, pVaCerts);
    if (ret != VTK_OK) {   /* VTK_OK: the toolkit's success return code (assumed name) */
        showError("Vtk_CtxtSetVaInfo", ret);
        return -1;
    }

    /*
     * This call sets the individual VA information (in this case the
     * CRT validation mechanism) for the CA represented by certificate
     * pCaCert2. The VA certificate is in this case provided by the
     * following Vtk_CtxtAddCerts call rather than in this call.
     */
    mech = VTK_VM_CRT;
    ret = Vtk_CtxtSetVaInfo(pCtxt, pCaCert2, vaUrl2, mech, NULL, NULL);
    if (ret != VTK_OK) {
        showError("Vtk_CtxtSetVaInfo", ret);
        return -1;
    }

    ret = Vtk_CtxtAddCerts(pCtxt, VTK_VA_CERT, pVaCerts);
    if (ret != VTK_OK) {
        showError("Vtk_CtxtAddCerts", ret);
        return -1;
    }

    /*
     * This call sets the individual VA information for the CA
     * represented by certificate pCaCert3. Since the VA uses the CRL
     * validation mechanism, protocol details must be provided.
     *
     * The VA certificate was already added to the context by the
     * Vtk_CtxtAddCerts call above, so it need not be set in this call.
     */
    protocol.type = VTK_VM_CRL;
    protocol.d.crl.encoding = VTK_DF_DER;
    protocol.d.crl.type = VTK_DT_CRL;
    ret = Vtk_CtxtSetVaInfo(pCtxt, pCaCert3, vaUrl3, VTK_VM_CRL, &protocol, NULL);
    if (ret != VTK_OK) {
        showError("Vtk_CtxtSetVaInfo", ret);
        return -1;
    }

    return 0;
}