The CertVerifySubjectCertificateContext function performs the enabled verification checks on the subject certificate by using the issuer.
#include <wincrypt.h>
BOOL WINAPI CertVerifySubjectCertificateContext(
PCCERT_CONTEXT pSubject, // in
PCCERT_CONTEXT pIssuer, // in, optional
DWORD *pdwFlags // in/out
);
If an enabled verification check succeeds, its flag is set to zero. If it fails, then its flag is set upon return.
If CERT_STORE_REVOCATION_FLAG was enabled and the issuer doesn't have a CRL in the store, then CERT_STORE_NO_CRL_FLAG is set in addition to the CERT_STORE_REVOCATION_FLAG.
For a verification check failure, TRUE is still returned. FALSE is returned only when a bad parameter is passed in.
Call GetLastError to see the reason for any failures. This function has the following error code:
Error code | Description |
---|---|
E_INVALIDARG | Unsupported bit was set in *pdwFlags. Any combination of: CERT_STORE_SIGNATURE_FLAG, CERT_STORE_TIME_VALIDITY_FLAG, or CERT_STORE_REVOCATION_FLAG maybe set. If pIssuer argument is NULL, only CERT_STORE_TIME_VALIDITY_FLAG may be set. |
The hexadecimal value of the flags may be combined together with a bitwise OR operation in order to enable multiple verifications. For example, to enable both signature and time validity, the value CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG ( which is equal to 0x00000003) would be placed in the double word *pdwFlags as an "in" parameter. If CERT_STORE_SIGNATURE_FLAG verification succeeded, but CERT_STORE_TIME_VALIDITY_FLAG verification failed, *pdwFlags would be set to the value of CERT_STORE_TIME_VALIDITY_FLAG (which is equal to 0x00000002), as an "out" parameter, when the function returns.
// CertVerifySubjectCertificateContext
// Check a certificate for all verification checks.
// handle_error() is a function defined in a separate file.
HCERTSTORE hSubjectStoreHandle; // The store that is the source of
// the subject certificate.
HCERTSTORE hIssuerStoreHandle; // The store that is the source of
// the issuer certificate.
PCCERT_CONTEXT pSubjectCert;
PCCERT_CONTEXT pIssuerCert;
DWORD dwFlags=0;
//
// Set dwFlags to check for three validity conditions.
dwFlags = CERT_STORE_REVOCATION_FLAG|
CERT_STORE_SIGNATURE_FLAG|
CERT_STORE_TIME_VALIDITY_FLAG;
//
// Open a store and get a subject cert.
if(hSubjectStoreHandle = CertOpenSystemStore(0,"MY"))
printf("The MY store is open. Continue.\n");
else
handle_error("The MY store did not open.");
//
// Open a second store and get an issuer cert.
if(hIssuerStoreHandle = CertOpenSystemStore(0,"CA"))
printf("The CA store is open. Continue. \n");
else
handle_error("The CA store did not open.");
//
// Get a subject cert from the MY store.
if(pSubjectCert=CertEnumCertificatesInStore(
hSubjectStoreHandle,NULL))
printf("A subject certificate is available. Continue.\n");
else
handle_error("A subject certificate was not retrieved.\n\
Perhaps the store is empty.");
if(pIssuerCert=CertEnumCertificatesInStore(
hIssuerStoreHandle,NULL))
printf("An issuer certificate is available. Continue.\n");
else
handle_error("The issuer certificate was not retrieved.\n\
perhaps the store is empty.");
//
// Verify the subject certificate.
if(CertVerifySubjectCertificateContext(
pSubjectCert, // Pointer to the subject certificate.
pIssuerCert, // Pointer to an issuer certificate.
&dwFlags // dwFlags indicating the validity
// conditions to be checked.
))
printf("Verify functioned correctly. Continue.\n");
else
handle_error("CertVerify did not function correctly.");
//
// Check the returned flags to see if the certificate passed
// The verification checks.
if (dwFlags > 0)
{
// One or more checks did not pass. Determine which checks failed.
printf("dwFlags value is %d \n",dwFlags);
if ((dwFlags & CERT_STORE_REVOCATION_FLAG) > 0)
printf("The revocation check failed.\n");
if ((dwFlags & CERT_STORE_SIGNATURE_FLAG) > 0 )
printf("The signature check failed.\n");
if ((dwFlags & CERT_STORE_TIME_VALIDITY_FLAG) > 0 )
printf("The time validity check failed.\n");
}
else
printf("The certificate passed all validity checks.\n");
//
printf("The program ran to completion without error.\n");
Windows NT: Requires version 4.0 SP3 or later. Available also in IE 3.02 and later.
Windows: Requires Windows 98 (or Windows 95 with IE 3.02 or later).
Windows CE: Unsupported.
Header: Declared in wincrypt.h.
Import Library: Use crypt32.lib.
CertGetIssuerCertificateFromStore