Handler Return Value Requirements

When a function has been found that can perform the revocation verification check, it is called and passed the same parameters originally passed to CertVerifyRevocation, with the exception of rgpvContext[] and cContext. Because a called function has the option to process one or more of the contexts, rgpvContext[] and cContext are updated to specify the remaining count of contexts and the next context to be checked. Also, the cbSize member of pRevStatus has been checked to be equal to or greater than the size of CERT_REVOCATION_STATUS, and the remaining members have been zeroed.

A called revocation verification function reports back it's progress in the same manner that the CertVerifyRevocation return value is specified, with errors handled as follows:

If all the contexts were successfully checked and none were revoked, then TRUE should be returned, otherwise FALSE should be returned.

If FALSE is returned, the following actions should be taken:

• If one of the contexts is found to be revoked, the index of the revoked certificate context should be returned in the dwIndex member of pRevStatus. Additionally, the dwError member of pRevStatus should be set to CRYPT_E_REVOKED. If the reason for revocation is known, the dwReason member of pRevStatus should be set to one of the predefined reasons. See CERT_REVOCATION_STATUS for a list of reasons.
• If a context can't be checked for revocation, then the index of the unverified certificate context should be returned to the dwIndex member of pRevStatus. Additionally:
  • If the called function was capable of processing the context, but was unable to complete the revocation check, the dwError member of pRevStatus should be set to CRYPT_E_REVOCATION_OFFLINE.
  • If the called function was not capable of processing the context, the dwError member of pRevStatus should be set to CRYPT_E_NO_REVOCATION_CHECK.

Note  CertVerifyRevocation sets LastError to the value returned in the dwError member of pRevStatus.