CertFindCertificateInStore

[This is preliminary documentation and subject to change.]

The CertFindCertificateInStore function finds in a certificate store the first or next certificate context that matches a search criteria. The search criteria is established by the dwFindType and its associated pvFindPara.

#include <wincrypt.h>
PCCERT_CONTEXT WINAPI CertFindCertificateInStore(
  HCERTSTORE hCertStore,              // in
  DWORD dwCertEncodingType,           // in
  DWORD dwFindFlags,                  // in
  DWORD dwFindType,                   // in
  const void *pvFindPara,             // in
  PCCERT_CONTEXT pPrevCertContext     // in
);
 

Parameters

hCertStore
Handle of the certificate store to be searched.
dwCertEncodingType
Type of encoding used on the certificate. The LOWORD specifies the encoding type of certificates, CRLs, and CTLs in the cryptographic message. The HIWORD specifies the encoding type of the message.

Currently defined encoding types are shown in the following table.
Encoding type Value
X509_ASN_ENCODING 0x00000001
PKCS_7_ASN_ENCODING 0x00010000

Both a certificate and message encoding type should be specified. This is done by combining them with a bitwise OR operation, as shown in the following example:

X509_ASN_ENCODING | PKCS_7_ASN_ENCODING
 
dwFindFlags
dwFindFlags values are used with some dwFindTypes to modify the search criteria. For most find types, it is not used and should be set to 0. See the Remarks section for detailed information.
dwFindType
DWORD that determines the type of search being made. The find type used determines the data type, contents, and use of pvFindPara. Currently defined find types and their required data type of pvFindPara are:
dwFindType pvFindPara
CERT_FIND_ANY NULL. pvFindPara not used
CERT_FIND_HASH CRYPT_HASH_BLOB
CERT_FIND_SHA1_HASH CRYPT_HASH_BLOB
CERT_FIND_MD5_HASH CRYPT_HASH_BLOB
CERT_FIND_SIGNATURE_HASH CRYPT_HASH_BLOB
CERT_FIND_PROPERTY DWORD for the PROP_ID
CERT_FIND_PUBLIC_KEY CERT_PUBLIC_KEY_INFO
CERT_FIND_SUBJECT_NAME CERT_NAME_BLOB
CERT_FIND_ISSUER_NAME CERT_NAME_BLOB
CERT_FIND_SUBJECT_ATTR CERT_RDN structure
CERT_FIND_ISSUER_ATTR CERT_RDN structure
CERT_FIND_SUBJECT_STR NULL terminated wide (unicode) string
CERT_FIND_ISSUER_STR NULL terminated wide (unicode) string
CERT_FIND_KEY_SPEC DWORD for dwKeySpec
CERT_FIND_ENHKEY_USAGE CERT_ENHKEY_USAGE structure
CERT_FIND_SUBJECT_CERT CERT_INFO structure
CERT_FIND_ISSUER_OF CERT_CONTEXT structure
CERT_FIND_EXISTING CERT_CONTEXT structure

Note  There are alternate forms of find types that pass a string in pvFindPara. One form uses a unicode string and the other an ASCII string. Find types that end in "_W" or that end without a suffix use unicode. Find types that end with "_A" use ASCII strings.

CERT_FIND_ANY
This find type uses no search criteria and returns the next certificate in the store.
CERT_FIND_HASH and CERT_FIND_SHA1_HASH
These find types are exactly the same. Each searches for a certificate with a SHA1 hash that matches the hash in the CRYPT_HASH_BLOB.
CERT_FIND_MD5_HASH
This find type searches for a certificate with an MD5 hash that matches the hash in the CRYPT_HASH_BLOB.
CERT_FIND_SIGNATURE_HASH
This find type searches for a certificate with a signature hash that matches the signature hash in the CRYPT_HASH_BLOB.
CERT_FIND_PROPERTY
This find type searches for a certificate with a property that matches the property in the PROP_ID identified by the DWORD.
CERT_FIND_PUBLIC_KEY
This find type searches for a certificate with a public key that matches the public key in the CERT_PUBLIC_KEY_INFO.
CERT_FIND_SUBJECT_NAME and CERT_FIND_ISSUER_NAME
These find types search for a certificate with an exact match of the entire subject or issuer name with the name in the CERT_NAME_BLOB. The search is restricted to certificates that match the dwCertEncodingType.
CERT_FIND_SUBJECT_ATTR and CERT_FIND_ISSUER_ATTR
These find types search for a certificate with specified subject or issuer attributes that match an attribute in the CERT_RDN (Relative Distinguished Name). Attributes of the subject or the issuer in a certificate are compared with elements of the CERT_RDN_ATTR array in CERT_RDN. Comparisons iterate through the CERT_RDN_ATTR attributes looking for a match with the certificate's subject or issuer attributes.

If CERT_RDN_ATTR.pszObjId is NULL, the attribute object identifier is ignored.

If CERT_RDN_ATTR.dwValueType is CERT_RDN_ANY_TYPE, the value type is ignored.

If CERT_RDN_VALUE_BLOB.pbData is NULL, any value is a match.

Currently only an exact, case sensitive, match is supported. See the Remarks section for details on unicode options. The search is restricted to certificates matching the dwCertEncodingType.

CERT_FIND_SUBJECT_STR and CERT_FIND_ISSUER_STR
These find types search for a certificate containing the specified subject or issuer name string. The certificate's subject or issuer member is converted to a name string of the appropriate type using the appropriate form of CertNameToStr formatted as CERT_SIMPLE_NAME_STR. Then a case insensitive substring-within-a-string match is performed. The search is restricted to certificates matching the dwCertEncodingType.
CERT_FIND_KEY_SPEC
This find type searches for a certificate having a CERT_KEY_SPEC_PROP_ID property matching the dwKeySpec passed as pvFindPara.
CERT_FIND_ENHKEY_USAGE
Find a certificate in the store having
1. either the enhanced key usage extension or the enhanced key usage property and
2. usage identifiers that match the pszUsageIdentifers in the CERT_ENHKEY_USAGE data structure passed as pvFindPara.

A certificate has the enhanced key usage extension if it has a CERT_EXTENSION with pszObjId set to szOID_ENHANCED_KEY_USAGE. It has the enhanced key usage property if its CERT_ENHKEY_USAGE_PROP_ID is set.

The pvFindPara parameter points to a CERT_ENHKEY_USAGE data structure. If pvFindPara is NULL or CERT_ENHKEY_USAGE.cUsageIdentifier is 0, no pszUsageIdentifers need to be matched and any certificate that has either the enhanced key usage extension or the enhanced key usage property meets the selection criteria.

See the Remarks section for details on flag modifications to find criteria.

This find type searches for a certificate having the szOID_ENHANCED_KEY_USAGE extension or the CERT_ENHKEY_USAGE_PROP_ID that matches the pszUsageIdentifer in the CERT_ENHKEY_USAGE structure pointed to by pvFindPara.

If pvFindPara is NULL or the cUsageIdentifier in the CERT_ENHKEY_USAGE structure is 0, any certificate having enhanced key usage is a match.

If CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set in dwFindFlags, certificates without the key usage extension or property are also matches.

If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set in dwFindFlags, certificates without the key usage extension or property are found. Setting this flag takes precedence over passing NULL in pvFindPara.

If CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, a match is done only on the extension.

CERT_FIND_CTL_USAGE
This find type searches for a certificate having a szOID_ENHANCED_KEY_USAGE extension or a CERT_CTL_PROP_ID that matchs the pszUsageIdentifier in the CTL_USAGE structure pointed to by pvFindPara.
CERT_FIND_SUBJECT_CERT
This find type searches for a certificate with both an issuer and a serial number that match the issuer and serial number in the CERT_INFO pointed to by pvFindPara.
CERT_FIND_ISSUER_OF
This find type search for a certificate with an issuer that matches the issuer in the CERT_CONTEXT pointed to by pvFindPara.
CERT_FIND_EXISTING
This find type searches for a certificate that is an exact match of the certificate context pointed to by pvFindPara.
pvFindPara
Points to a data item or structure associated with the dwFindType. Information on the type of the information to be passed in pvFindPara can be found in the list under dwFindType.
pPrevCertContext
Pointer to the last CERT_CONTEXT returned by this function. It must be NULL on the first call of the function. A pPrevCertContext that is not NULL is always freed by this even if the function causes an error.

Return Values

If a certificate that matches the search criteria is not found, NULL is returned. Otherwise, a pointer to a read-only CERT_CONTEXT is returned. A non-NULL CERT_CONTEXT returned must be freed by CertFreeCertificateContext or by being passed as pPrevCertContext on a subsequent call to CertFindCertificateInStore.

CertDuplicateCertificateContext can be called to make a duplicate of the returned context. The returned context may be added to a different certificate store using CertAddCertificateContextToStore or a link to that certificate context can be added to a non-collection store using CertAddCertificateLinkToStore

GetLastError may be called to indicate the reason for any failure. This function uses the following error codes:

Error code Description
E_INVALIDARG The hCertStore argument isn't the same as the hCertStore of the certificate context pointed to by the pPrevCertContext argument or an invalid find type specified by dwFindType argument.
CRYPT_E_NOT_FOUND No certificate was found matching the find criteria. This can happen if the store is empty or the end of the store's list is reached.

Remarks

The dwFindFlags parameter is used to modify the criteria of some search types.

CERT_UNICODE_IS_RDN_ATTRS_FLAG is used only with CERT_FIND_SUBJECT_ATTR and CERT_FIND_ISSUER_ATTR.
This flag must be set if the CERT_RDN_ATTR structure was initialized with UNICODE strings. Before any comparison is made the string to be matched is converted via X509_UNICODE_NAME to provide for unicode comparisons.

The following dwFindFlags are used only with CERT_FIND_ENKEY_USAGE:

CERT_FIND_OR_ENHKEY_USAGE_FLAG
The find criteria can be altered by setting one or more dwFindFlags. By default, if pszUsageIdentifers are to be match, all of those identifiers must be matched to satisfy the search criteria; however, if CERT_FIND_OR_ENHKEY_USAGE_FLAG is set, an "OR" match of any of the specified pszUsageIdentifiers is done and matching any one of the identifiers is sufficient.
CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG
When this flag is set, in addition to normal matches, any certificate that has neither the enhanced key usage extension nor the enhanced key usage property meets the search criteria.
CERT_FIND_NO_ENHKEY_USAGE_FLAG
When this flag is set, only those certificates that have neither an enhanced key usage nor the enhanced key usage property are matches. This flag setting takes precedence over pvFindPara being NULL.
CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG
When this flag is set, the matching process involves only the extension usage identifiers. If pvFindPara is NULL or cUsageIdentifier is 0, any certificate having the enhanced key usage extension is a match. If CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is also set, any certificate without the enhanced key usage extension is also a match. When CERT_FIND_NO_ENHKEY_USAGE_FLAG is also set, only certificates without the enhanced key usage extension are matches.
CERT_FIND_EXT_PROP_ENHKEY_USAGE_FLAG
When this flag is set, the matching process involves only usage identifiers that are properties. If pvFindPara is NULL or cUsageIdentifier is set to 0, any certificate having an enhanced key usage property is a match. If CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is also set, any certificate without the enhanced key usage property is also a match. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set, only certificates without the enhanced key usage property are matches.

Example

//
// Find a certificate meeting a specific search critera 
// using CertFindCertificateInStore. 
// In this case, a search is made for a certificate that has
// has a CERT_HASH_PROP_ID attached.
//
// handle_error() is a function defined in a separate file.
//
HCERTSTORE         hStoreHandle;
PCCERT_CONTEXT     pCertContext = NULL;
DWORD              PropId = CERT_HASH_PROP_ID;
int                i = 0;                          

// Open a certificate store. 
// For details, see CertOpenStore.
if(hStoreHandle = CertOpenStore(
CERT_STORE_PROV_SYSTEM,0,NULL,CERT_SYSTEM_STORE_CURRENT_USER,
L"MY"))
printf("The MY store is open. Continue.\n");
else
handle_error("The store did not open.");
//
// Find all of the certificates in the store meeting the search 
// criteria. In this case, in a loop find all certificates 
// that have the CERT_HASH_PROP_ID property.
while ((pCertContext= CertFindCertificateInStore(
 hStoreHandle,         // Handle of the store to be searched.
 0,                    // Encoding type. Not used for this search.
 0,                    // dwFindFlags. Special find criteria.
                       // Not used in this search.
 CERT_FIND_PROPERTY,   // Find type. Determines the kind of search 
                       // to be done. In this case, search for 
                       // certificates that have a specific 
                       // extended property.
 &PropId,              // pvFindPara. Gives the specific 
                       // value searched for, here, the id of an
                       // extented property.
 pCertContext)))       // pCertContext is NULL for the 
                       // first call to the function. 
                       // If the function were being called
                       // in a loop, after the first call,
                       // pCertContext would be the cert
                       // returned by the previous call.
printf("Certificate %d has been retrieved.\n",++i);
//
// After the while loop, print a completion message. 
printf("The process ran to completion with no errors.\n");
 

QuickInfo

  Windows NT: Requires version 4.0 SP3 or later. Available also in IE 3.02 and later.
  Windows: Requires Windows 95 OSR2 or later.
  Windows CE: Unsupported.
  Header: Declared in wincrypt.h.
  Import Library: Use crypt32.lib.

See Also

CertEnumCertificatesInStore