CERT_CHAIN_PARA structure (wincrypt.h)
The CERT_CHAIN_PARA structure establishes the searching and matching criteria to be used in building a certificate chain.
Syntax
typedef struct _CERT_CHAIN_PARA {
DWORD cbSize;
CERT_USAGE_MATCH RequestedUsage;
CERT_USAGE_MATCH RequestedIssuancePolicy;
DWORD dwUrlRetrievalTimeout;
BOOL fCheckRevocationFreshnessTime;
DWORD dwRevocationFreshnessTime;
LPFILETIME pftCacheResync;
PCCERT_STRONG_SIGN_PARA pStrongSignPara;
DWORD dwStrongSignFlags;
} CERT_CHAIN_PARA, *PCERT_CHAIN_PARA;
Members
cbSize
The size, in bytes, of this structure.
RequestedUsage
Structure indicating the kind of matching necessary to find issuer certificates for building a certificate chain. The structure pointed to indicates whether AND or OR logic is to be used in the matching process. The structure also includes an array of OIDs to be matched.
RequestedIssuancePolicy
Optional structure that indicates the kind of issuance policy constraint matching that applies when building a certificate chain. The structure pointed to indicates whether AND or OR logic is to be used in the matching process. The structure also includes an array of OIDs to be matched.
dwUrlRetrievalTimeout
Optional time, in milliseconds, before revocation checking times out. This member is optional.
fCheckRevocationFreshnessTime
Optional member. When this flag is TRUE, an attempt is made to retrieve a new CRL if this update is greater than or equal to the current system time minus the dwRevocationFreshnessTime value. If this flag is not set, the CRL's next update time is used.
dwRevocationFreshnessTime
The current time, in seconds, minus the CRL's update time of all elements checked.
pftCacheResync
Optional member. When set to a non-NULL value, information cached before the time specified is considered to be not valid and cache resynchronization is performed.
Windows Vista: Support for this member begins.
pStrongSignPara
Optional. Specify a pointer to a CERT_STRONG_SIGN_PARA structure to enable strong signature checking.
Windows 8 and Windows Server 2012: Support for this member begins.
dwStrongSignFlags
Optional flags that modify chain retrieval behavior. This can be zero or the following value.
Windows 8 and Windows Server 2012: Support for this property begins.
Remarks
The following remarks apply when checking for strong signatures.
- Set the pStrongSignPara member to check for strong signatures when using the CertGetCertificateChain or CertSelectCertificateChains function.
- If a certificate without a strong signature is found in the chain, the CERT_TRUST_HAS_WEAK_SIGNATURE and CERT_TRUST_IS_NOT_SIGNATURE_VALID errors are set in the dwErrorStatus field of the CERT_TRUST_STATUS structure. The ppChainContext parameter of the CertGetCertificateChain function and the pprgpSelection parameter of the CertSelectCertificateChains function point to a CERT_CHAIN_CONTEXT structure which, in turn, points to the CERT_TRUST_STATUS structure.
- If the chain is strong signed, the public key in the end certificate is checked to determine whether it satisfies the minimum public key length requirements for a strong signature. If the condition is not satisfied, the CERT_TRUST_HAS_WEAK_SIGNATURE and CERT_TRUST_IS_NOT_SIGNATURE_VALID errors are set in the dwErrorStatus field of the CERT_TRUST_STATUS structure. Set the CERT_CHAIN_STRONG_SIGN_DISABLE_END_CHECK_FLAG value in the dwStrongSignFlags member to disable this check.
- If the CERT_STRONG_SIGN_ENABLE_CRL_CHECK or CERT_STRONG_SIGN_ENABLE_OCSP_CHECK flags are set in the CERT_STRONG_SIGN_SERIALIZED_INFO structure referenced by the CERT_STRONG_SIGN_PARA structure pointed to by the pStrongSignPara member, and a CRL or OCSP response is found without a strong signature, the CRL or OCSP response will be treated as being offline. That is, the CERT_TRUST_IS_OFFLINE_REVOCATION and CERT_TRUST_REVOCATION_STATUS_UNKNOWN errors are set in the dwErrorStatus field of the CERT_TRUST_STATUS structure. Also, the dwRevocationResult member of the CERT_REVOCATION_INFO structure is set to NTE_BAD_ALGID.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows XP [desktop apps only] |
| Minimum supported server | Windows Server 2003 [desktop apps only] |
| Header | wincrypt.h |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for