Edit

Share via

CERT_STORE_PROV_FIND_INFO structure (wincrypt.h)

  • Article

The CERT_STORE_PROV_FIND_INFO structure is used by many of the store provider callback functions. It contains find criteria for finding a certificate, certificate revocation list (CRL), or certificate trust list (CTL) in a certificate store.

Syntax

typedef struct _CERT_STORE_PROV_FIND_INFO {
  DWORD      cbSize;
  DWORD      dwMsgAndCertEncodingType;
  DWORD      dwFindFlags;
  DWORD      dwFindType;
  const void *pvFindPara;
} CERT_STORE_PROV_FIND_INFO, *PCERT_STORE_PROV_FIND_INFO;

Members

cbSize

Size of the structure.

dwMsgAndCertEncodingType

Specifies the encoding type used for messages and certificates. The certificate and message encoding types can be combined with a bitwise-OR operation. Here are the defined encoding types:

  • X509_ASN_ENCODING
  • PKCS_7_ASN_ENCODING

dwFindFlags

Used with some dwFindType values to modify the search criteria. For most dwFindType values, dwFindFlags is not used and should be set to zero.

dwFindType

Specifies the type of search being made. The search type determines the data type, contents, and the use of pvFindPara. Currently defined dwFindType values and the data type each requires for pvFindPara are as follows.

Value Meaning
CERT_FIND_ANY
NULL; pvFindPara not used
 No search criteria used. Returns the next certificate in the store.
CERT_FIND_CERT_ID
CERT_ID structure
 Finds the certificate identified by the specified CERT_ID.
CERT_FIND_CTL_USAGE
CTL_USAGE structure
 Searches for a certificate having a szOID_ENHANCED_KEY_USAGE extension or a CERT_CTL_PROP_ID that matches the pszUsageIdentifier member of the CTL_USAGE structure.
CERT_FIND_ENHKEY_USAGE
CERT_ENHKEY_USAGE structure
 Searches for a certificate in the store having either an enhanced key usage extension or an enhanced key usage property and a usage identifier that matches the pszUsageIdentifier member in the CERT_ENHKEY_USAGE structure.

A certificate has an enhanced key usage extension if it has a CERT_EXTENSION structure with the pszObjId member set to szOID_ENHANCED_KEY_USAGE. A certificate has an enhanced key usage property if its CERT_ENHKEY_USAGE_PROP_ID identifier is set.

If pvFindPara is NULL or the cUsageIdentifier member of CERT_ENHKEY_USAGE is zero, any certificate that has either the enhanced key usage extension or the enhanced key usage property meets the selection criteria.

If pvFindPara is NULL or the cUsageIdentifier member of the CERT_ENHKEY_USAGE structure is zero, any certificate having enhanced key usage is a match.

If CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set in dwFindFlags, certificates without the key usage extension or property are also matches. Setting this flag takes precedence over passing NULL in pvFindPara.

If CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, a match is done only on the key usage extension.

For information about flag modifications to search criteria, see Remarks.
CERT_FIND_EXISTING
CERT_CONTEXT structure
 Searches for a certificate that is an exact match of the specified certificate context.
CERT_FIND_HASH
CRYPT_HASH_BLOB structure
 Searches for a certificate with a SHA1 hash that matches the hash in the CRYPT_HASH_BLOB structure.
CERT_FIND_ISSUER_ATTR
CERT_RDN structure
 Search for a certificate with specified issuer attributes that match attributes in the CERT_RDN structure. If these values are set, the function compares attributes of the issuer in a certificate with elements of the CERT_RDN_ATTR array in this CERT_RDN structure. Comparisons iterate through the CERT_RDN_ATTR attributes looking for a match with the certificate's issuer attributes.

If the pszObjId member of CERT_RDN_ATTR is NULL, the attribute object identifier is ignored.

If the dwValueType member of CERT_RDN_ATTR is CERT_RDN_ANY_TYPE, the value type is ignored.

If the pbData member of CERT_RDN_VALUE_BLOB is NULL, any value is a match.

Currently, only an exact, case-sensitive match is supported. For information about Unicode options, see Remarks. When these values are set, the search is restricted to certificates whose encoding type matches dwMsgAndCertEncodingType.
CERT_FIND_ISSUER_NAME
CERT_NAME_BLOB structure
 Search for a certificate with an exact match of the entire issuer name with the name in CERT_NAME_BLOB. The search is restricted to certificates that match the dwMsgAndCertEncodingType.
CERT_FIND_ISSUER_OF
CERT_CONTEXT structure
 Searches for a certificate with an issuer that matches the issuer in CERT_CONTEXT.

Instead of using the CertFindCertificateInStore function with this value, use the CertGetCertificateChain function.
CERT_FIND_ISSUER_STR
Null-terminated wide (Unicode) string
 Search for a certificate that contains the specified issuer name string. The certificate's issuer member is converted to a name string of the appropriate type using the appropriate form of CertNameToStr formatted as CERT_SIMPLE_NAME_STR. Then a case-insensitive substring-within-a-string match is performed. When this value is set, the search is restricted to certificates whose encoding type matches dwMsgAndCertEncodingType.
CERT_FIND_KEY_IDENTIFIER
CRYPT_HASH_BLOB structure
 Searches for a certificate with a CERT_KEY_IDENTIFIER_PROP_ID property matching the key identifier in CRYPT_HASH_BLOB.
CERT_FIND_KEY_SPEC
DWORD containing a key specification
 Searches for a certificate having a CERT_KEY_SPEC_PROP_ID property matching the key specification in pvFindPara.
CERT_FIND_MD5_HASH
CRYPT_HASH_BLOB structure
 Searches for a certificate with an MD5 hash that matches the hash in CRYPT_HASH_BLOB.
CERT_FIND_PROPERTY
DWORD that contains a property identifier
 Searches for a certificate with a property that matches the property identifier specified by the DWORD in pvFindPara.
CERT_FIND_PUBLIC_KEY
CERT_PUBLIC_KEY_INFO structure
 Searches for a certificate with a public key that matches the public key in the CERT_PUBLIC_KEY_INFO structure.
CERT_FIND_SHA1_HASH
CRYPT_HASH_BLOB structure
 Searches for a certificate with a SHA1 hash that matches the hash in the CRYPT_HASH_BLOB structure.
CERT_FIND_SIGNATURE_HASH
CRYPT_HASH_BLOB structure
 Searches for a certificate with a signature hash that matches the signature hash in the CRYPT_HASH_BLOB structure.
CERT_FIND_SUBJECT_ATTR
CERT_RDN structure
 Searches for a certificate with specified subject attributes that match attributes in the CERT_RDN structure. If RDN values are set, the function compares attributes of the subject in a certificate with elements of the CERT_RDN_ATTR array in this CERT_RDN structure. Comparisons iterate through the CERT_RDN_ATTR attributes looking for a match with the certificate's subject's attributes.

If the pszObjId member of CERT_RDN_ATTR is NULL, the attribute object identifier is ignored.

If the dwValueType member of CERT_RDN_ATTR is CERT_RDN_ANY_TYPE, the value type is ignored.

If the pbData member of CERT_RDN_VALUE_BLOB is NULL, any value is a match.

Currently, only an exact, case-sensitive match is supported.

For information about Unicode options, see Remarks. When these values are set, the search is restricted to certificates whose encoding type matches dwMsgAndCertEncodingType.
CERT_FIND_SUBJECT_CERT
CERT_INFO structure
 Searches for a certificate with both an issuer and a serial number that match the issuer and serial number in the CERT_INFO structure.
CERT_FIND_SUBJECT_NAME
CERT_NAME_BLOB structure
 Searches for a certificate with an exact match of the entire subject name with the name in the CERT_NAME_BLOB structure. The search is restricted to certificates that match the value of dwMsgAndCertEncodingType.
CERT_FIND_SUBJECT_STR
Null-terminated wide (Unicode) string
 Searches for a certificate that contains the specified subject name string. The certificate's subject member is converted to a name string of the appropriate type using the appropriate form of CertNameToStr formatted as CERT_SIMPLE_NAME_STR. Then a case-insensitive substring-within-a-string match is performed. When this value is set, the search is restricted to certificates whose encoding type matches dwMsgAndCertEncodingType.
 
Note  There are alternate forms of the value of dwFindType that pass a string in pvFindPara. One form uses a Unicode string, and the other an ASCII string. Values that end in "_W" or without a suffix use Unicode. Values that end with "_A" use ASCII strings.
 

pvFindPara

Points to a data item or structure to be used with the find type indicated by the value of dwFindType.

Remarks

The dwFindFlags member is used to modify the criteria of some search types.

The dwFindFlags value of CERT_UNICODE_IS_RDN_ATTRS_FLAG is used only with the CERT_FIND_SUBJECT_ATTR and CERT_FIND_ISSUER_ATTR values for dwFindType. CERT_UNICODE_IS_RDN_ATTRS_FLAG must be set if the CERT_RDN_ATTR structure pointed to by pvFindPara was initialized with Unicode strings. Before any comparison is made, the string to be matched is converted by using X509_UNICODE_NAME to provide for Unicode comparisons.

The following dwFindFlags values are used only with the CERT_FIND_ENKEY_USAGE value for dwFindType.

Value Meaning
CERT_FIND_OR_ENHKEY_USAGE_FLAG The search criteria can be altered by setting one or more flags. By default, if the pszUsageIdentifier member of the CERT_ENHKEY_USAGE structure pointed to by pvFindPara is to be matched, each identifier must be matched to satisfy the search criteria. However, if CERT_FIND_OR_ENHKEY_USAGE_FLAG is set, a match can be made to all identifiers combined by using a bitwise-OR operation; thus, matching any one of the identifiers is sufficient.
CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG When this flag is set, in addition to usual matches, any certificate that has neither the enhanced key usage extension nor the enhanced key usage property meets the search criteria.
CERT_FIND_NO_ENHKEY_USAGE_FLAG When this flag is set, only those certificates that have neither an enhanced key usage nor the enhanced key usage property are matches. This flag setting takes precedence over pvFindPara being NULL.
CERT_FIND_VALID_ENHKEY_USAGE_FLAG When this flag is set, the function only matches those certificates that are valid for the specified usage. By default, in order to match, a certificate must be valid for all usages.

CERT_FIND_OR_ENHKEY_USAGE_FLAG can also be set if the certificate only needs to be valid for one of the specified usages. Note that CertGetValidUsages is called to get the list of valid uses for the certificate. Only CERT_FIND_OR_ENHKEY_USAGE_FLAG can also apply when CERT_FIND_VALID_ENHKEY_USAGE_FLAG is set.
CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG When this flag is set, the matching process involves only the extension usage identifiers. If pvFindPara is NULL or the cUsageIdentifier member of the CERT_ENHKEY_USAGE structure pointed to by pvFindPara is zero, any certificate having an enhanced key usage extension is a match. If CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is also set, any certificate without the enhanced key usage extension is also a match. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is also set, only certificates without the enhanced key usage extension are matches.
CERT_FIND_EXT_PROP_ENHKEY_USAGE_FLAG When this flag is set, the matching process involves only usage identifiers that are properties. If pvFindPara is NULL or cUsageIdentifier is set to zero, any certificate having an enhanced key usage property is a match. If CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is also set, any certificate without the enhanced key usage property is also a match. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set, only certificates without the enhanced key usage property are matches.
CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG Used only with CERT_FIND_SUBJECT_ATTR and CERT_FIND_ISSUER-ATTR values of dwFindType. By default, a case-sensitive, exact match is made. If this flag is set, the match is case-insensitive.

Requirements

Requirement Value
Minimum supported client Windows XP [desktop apps only]
Minimum supported server Windows Server 2003 [desktop apps only]
Header wincrypt.h