Function

CertGetIssuerCertificateFromStore

Directives

External
Name
Stdcall

Module

wcrypt2

Last Modified

7/15/2014 3:26:44 PM

Comments

+-------------------------------------------------------------------------
  Get the certificate context from the store for the first or next issuer
  of the specified subject certificate, and perform the enabled
  verification checks on the subject. (Note: the checks are on the subject,
  using the returned issuer certificate.)
  If the first or next issuer certificate isn't found, NULL is returned.
  Otherwise, a pointer to a read-only CERT_CONTEXT is returned. The CERT_CONTEXT
  must be freed by calling CertFreeCertificateContext, or is freed when passed as
  pPrevIssuerContext on a subsequent call. CertDuplicateCertificateContext
  can be called to make a duplicate.
  For a self-signed subject certificate, NULL is returned with LastError set
  to CERT_STORE_SELF_SIGNED. The enabled verification checks are still done.
  The pSubjectContext may have been obtained from this store, from another store,
  or created by the caller application. When created by the caller, the
  CertCreateCertificateContext function must have been called.
  An issuer may have multiple certificates. This may occur when the validity
  period is about to change. pPrevIssuerContext MUST BE NULL on the first
  call to get the issuer. To get the next certificate for the issuer,
  pPrevIssuerContext is set to the CERT_CONTEXT returned by a previous call.
  NOTE: a non-NULL pPrevIssuerContext is always freed with
  CertFreeCertificateContext by this function, even on error.
  The following flags can be set in *pdwFlags to enable verification checks
  on the subject certificate context:
      CERT_STORE_SIGNATURE_FLAG     - use the public key in the returned
                                      issuer certificate to verify the
                                      signature on the subject certificate.
                                      Note: if pSubjectContext->hCertStore ==
                                      hCertStore, the store provider might
                                      be able to avoid redoing the
                                      signature verification.
      CERT_STORE_TIME_VALIDITY_FLAG - get the current time and verify that
                                      it's within the subject certificate's
                                      validity period.
      CERT_STORE_REVOCATION_FLAG    - check whether the subject certificate is on
                                      the issuer's revocation list.
  If an enabled verification check fails, its flag is set upon return.
  If CERT_STORE_REVOCATION_FLAG was enabled and the issuer doesn't have a
  CRL in the store, CERT_STORE_NO_CRL_FLAG is set in addition to
  CERT_STORE_REVOCATION_FLAG.
  If CERT_STORE_SIGNATURE_FLAG or CERT_STORE_REVOCATION_FLAG is set, then
  CERT_STORE_NO_ISSUER_FLAG is set if the subject doesn't have an issuer
  certificate in the store.
  For a verification check failure, a pointer to the issuer's CERT_CONTEXT
  is still returned and SetLastError isn't updated.
--------------------------------------------------------------------------

Scope

Interfaced

Declaration

function CertGetIssuerCertificateFromStore(hCertStore: HCERTSTORE;
                                           pSubjectContext: PCCERT_CONTEXT;
                                           pPrevIssuerContext: PCCERT_CONTEXT; // OPTIONAL
                                           pdwFlags: PDWORD): PCCERT_CONTEXT; stdcall;
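
As an added example (not the wcrypt2 unit's own code or anything from the header comment above), this Delphi console program climbs from the first certificate in a named system store towards a self-signed certificate, handing each rejected candidate back as pPrevIssuerContext so the next call frees it, and reading the check flags after every call. It assumes that wcrypt2 declares the CERT_STORE_*_FLAG constants, that CRYPT_E_SELF_SIGNED is the last-error value the comment above calls CERT_STORE_SELF_SIGNED, and that CertOpenSystemStore takes a PAnsiChar store name.

```pascal
program IssuerWalk;
{$APPTYPE CONSOLE}
uses Windows, SysUtils, wcrypt2;

const
  Checks = CERT_STORE_SIGNATURE_FLAG or CERT_STORE_TIME_VALIDITY_FLAG;

// Climb from pLeaf, one issuer at a time, until a self-signed certificate is reached.
// True only when every hop, and the self-signed end itself, passed Checks. This finds
// a path inside one store; whether the end certificate is a trusted anchor is separate.
function ChainClosesAtSelfSigned(hStore: HCERTSTORE; pLeaf: PCCERT_CONTEXT): Boolean;
var pSubject, pIssuer: PCCERT_CONTEXT; Flags: DWORD;
begin
  Result := False;
  pSubject := CertDuplicateCertificateContext(pLeaf);  // our own reference to the leaf
  try
    repeat
      pIssuer := nil;  // pPrevIssuerContext must be nil for a subject's first issuer
      repeat
        Flags := Checks;  // enable the checks; a failed check comes back still set
        // a rejected candidate goes back in as pPrevIssuerContext; the call frees it
        pIssuer := CertGetIssuerCertificateFromStore(hStore, pSubject, pIssuer, @Flags);
      until (pIssuer = nil) or ((Flags and Checks) = 0);
      if pIssuer = nil then
      begin
        // Self-signed subject ends the chain (CRYPT_E_SELF_SIGNED assumed to be the value
        // the comment calls CERT_STORE_SELF_SIGNED); its checks still ran, so Flags must
        // be clear. Any other last error means no path through this store.
        Result := (GetLastError = DWORD(CRYPT_E_SELF_SIGNED)) and ((Flags and Checks) = 0);
        Exit;
      end;
      CertFreeCertificateContext(pSubject);
      pSubject := pIssuer;  // the accepted issuer becomes the next subject
    until False;
  finally
    CertFreeCertificateContext(pSubject);
  end;
end;

var hStore: HCERTSTORE; pLeaf: PCCERT_CONTEXT;
begin
  // store name from the command line, e.g. CA or ROOT (PAnsiChar parameter assumed)
  hStore := CertOpenSystemStore(0, PAnsiChar(AnsiString(ParamStr(1))));
  if hStore = nil then RaiseLastOSError;
  pLeaf := CertEnumCertificatesInStore(hStore, nil);  // first certificate only
  if pLeaf <> nil then
  try
    WriteLn('path closes at a self-signed certificate: ', ChainClosesAtSelfSigned(hStore, pLeaf));
  finally
    CertFreeCertificateContext(pLeaf);
  end;
  CertCloseStore(hStore, 0);
end.
```

Because the lookup is confined to hCertStore, a chain whose root lives in a different store (for example ROOT while the leaf's issuer sits in CA) stops with CRYPT_E_NOT_FOUND, and reaching a self-signed certificate says nothing about whether it is trusted. Full path validation with policy and revocation checking is the job of CertGetCertificateChain.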


Source