The CertFindChainInStore function finds the first or next certificate in a store that meets the specified criteria. It then builds and verifies a certificate chain context for that certificate. The certificate that is found and for which the chain is built is selected according to criteria established by the dwFindFlags, dwFindType, and pvFindPara parameters. This function can be used in a loop to find all of the certificates in a certificate store that match the specified find criteria and to build a certificate chain context for each certificate found.
PCCERT_CHAIN_CONTEXT WINAPI CertFindChainInStore( _In_ HCERTSTORE hCertStore, _In_ DWORD dwCertEncodingType, _In_ DWORD dwFindFlags, _In_ DWORD dwFindType, _In_ const void *pvFindPara, _In_ PCCERT_CHAIN_CONTEXT pPrevChainContext );
- hCertStore [in]
The handle of the store to be searched for a certificate upon which a chain is built. This handle is passed as an additional store to the CertGetCertificateChain function as the chain is built.
- dwCertEncodingType [in]
This parameter can be the following currently defined certificate encoding type.
- 1 (0x1)
Specifies X.509 certificate encoding.
- dwFindFlags [in]
Contains additional options for the search. The possible values for this parameter depend on the value of the dwFindType parameter.
This parameter can contain zero or a combination of one or more of the following values when dwFindType contains CERT_CHAIN_FIND_BY_ISSUER.
Because the hCryptProv member of an issuer contains a private key, it might need to be checked several times during this process; to facilitate this checking, the dwAcquirePrivateKeyFlags member can be set in the CERT_CHAIN_FIND_BY_ISSUER_PARA structure to enable caching of that hCryptProv.
By default, only the first simple chain is checked for issuer name matches. With this flag set, the default is overridden and subsequent simple chains are also checked for issuer name matches.
Improves the performance of this function by causing it to search only the cached system stores (Root, My, Ca, Trust) to find issuer certificates. If this flag is not set, the function searches the cached system stores and the store represented by the hCertStore parameter.
Only the URL cache is searched. The Internet is not searched.
Only opens the Local Machine certificate stores. The certificate stores of the current user are not opened.
No check is made to determine whether the certificate has an associated private key.
- dwFindType [in]
Determines what criteria to use to find a certificate in the store.
This parameter can be the following currently defined value.
Finds the certificate based on the name of the issuer. The pvFindPara parameter is a pointer to a CERT_CHAIN_FIND_BY_ISSUER_PARA structure that contains members that modify the search.
The certificate chain is built for a certificate with an available private key. By default, only the issuers in the first simple chain are compared in an issuer name match. If this flag is set, all of the chains are checked for an issuer certificate that matches one of a set of issuer names.
This function does not perform any revocation checks.
If pPrevChainContext is not NULL, this function will return a chain for a different certificate every time the function is called. If there is only one suitable certificate, but there are two matching issuing certificate authorities, one of which is revoked, it is possible for this function to return the revoked chain. If the application then checks for revocation itself through calls to the CertVerifyRevocation function and finds the chain unsuitable, an additional call to the CertFindChainInStore function will not return a chain that includes the same certificate from the valid certification authority. It will instead return a completely different chain with a different certificate or NULL, if no such chain can be found.
- pvFindPara [in]
A pointer that contains additional search criteria. The type and format of the data this parameter points to depends on the value of the dwFindType parameter.
- pPrevChainContext [in]
A pointer to a CERT_CHAIN_CONTEXT structure returned from a previous call to this function. The search is begun from this certificate. For the first call to this function, this parameter must be NULL. In subsequent calls, it is the pointer returned by the previous call to the function. If this parameter is not NULL, this function will free this structure.
If the first or next chain context is not built, NULL is returned. Otherwise, a pointer to a read-only CERT_CHAIN_CONTEXT structure is returned. The CERT_CHAIN_CONTEXT structure is freed when passed as the pPrevChainContext parameter on a subsequent call to this function. Otherwise, the CERT_CHAIN_CONTEXT structure must be freed explicitly by calling the CertFreeCertificateChain function.
The pPrevChainContext parameter must be NULL on the first call to build the chain context. To build the next chain context, the pPrevChainContext is set to the CERT_CHAIN_CONTEXT structure returned by a previous call. If pPrevChainContext is not NULL, the structure is always freed by this function by using the CertFreeCertificateChain function, even if an error occurs.
Minimum supported client
|Windows XP [desktop apps only]|
Minimum supported server
|Windows Server 2003 [desktop apps only]|
- Certificate Chain Verification Functions
Build date: 11/16/2013