CertGetSubjectCertificateFromStore function (wincrypt.h)
The CertGetSubjectCertificateFromStore function returns from a certificate store a subject certificate context uniquely identified by its issuer and serial number.
Syntax
PCCERT_CONTEXT CertGetSubjectCertificateFromStore(
[in] HCERTSTORE hCertStore,
[in] DWORD dwCertEncodingType,
[in] PCERT_INFO pCertId
);
Parameters
[in] hCertStore
A handle of a certificate store.
[in] dwCertEncodingType
The type of encoding used. It is always acceptable to specify both the certificate and message encoding types by combining them with a bitwise-OR operation as shown in the following example:
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING Currently defined encoding types are:
- X509_ASN_ENCODING
- PKCS_7_ASN_ENCODING
[in] pCertId
A pointer to a CERT_INFO structure. Only the Issuer and SerialNumber members are used.
Return value
If the function succeeds, the function returns a pointer to a read-only CERT_CONTEXT. The CERT_CONTEXT must be freed by calling CertFreeCertificateContext.
The returned certificate might not be valid. Usually, it is verified when getting its issuer certificate (CertGetIssuerCertificateFromStore).
For extended error information, call GetLastError. One possible error code is the following.
| Return code | Description |
|---|---|
|
The subject certificate was not found in the store. |
Remarks
CertDuplicateCertificateContext can be called to make a duplicate certificate.
Examples
The following example shows retrieving a subject's certificate context, uniquely identified by its issuer and serial number, from the certificate store. For an example that includes the complete context for this example, see Example C Program: Signing, Encoding, Decoding, and Verifying a Message.
#include <windows.h>
#include <stdio.h>
#include <Wincrypt.h>
#define MY_ENCODING_TYPE (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)
void main()
{
//-------------------------------------------------------------------
// Declare and initialize variables.
HCERTSTORE hStoreHandle; // certificate store handle
HCRYPTMSG hMsg;
PCCERT_CONTEXT pSignerCertContext;
DWORD cbSignerCertInfo;
PCERT_INFO pSignerCertInfo;
//-------------------------------------------------------------------
// This code is based on hMsg being a signed, encoded message
// read from a file or otherwise acquired. For detailed code, see
// "Example C Program: Signing, Encoding, Decoding, and Verifying a
// Message."
//-------------------------------------------------------------------
// Retrieve the signer CERT_INFO from the message by first getting
// the size of the memory required for the certificate.
if(CryptMsgGetParam(
hMsg, // handle to the message
CMSG_SIGNER_CERT_INFO_PARAM, // parameter type
0, // index
NULL,
&cbSignerCertInfo)) // size of the returned information
{
printf("%d bytes needed for the buffer.\n", cbSignerCertInfo);
}
else
{
printf("Verify SIGNER_CERT_INFO #1 failed\n");
exit(1);
}
//-------------------------------------------------------------------
// Allocate memory.
pSignerCertInfo = (PCERT_INFO) malloc(cbSignerCertInfo);
if (!pSignerCertInfo)
{
printf("Verify memory allocation failed.\n");
exit(1);
}
//-------------------------------------------------------------------
// Get the message certificate information (CERT_INFO
// structure).
if(!(CryptMsgGetParam(
hMsg, // handle to the message
CMSG_SIGNER_CERT_INFO_PARAM, // parameter type
0, // index
pSignerCertInfo, // address for returned information
&cbSignerCertInfo))) // size of the returned information
{
printf("Verify SIGNER_CERT_INFO #2 failed.\n");
exit(1);
}
//-------------------------------------------------------------------
// Open a certificate store in memory using CERT_STORE_PROV_MSG,
// which initializes it with the certificates from the message.
hStoreHandle = CertOpenStore(
CERT_STORE_PROV_MSG, // store provider type
MY_ENCODING_TYPE, // encoding type
NULL, // cryptographic provider
// use NULL for the default
0, // flags
hMsg)); // handle to the message
if (hStoreHandle)
{
printf("The certificate store to be used for message\n ");
printf(" verification has been opened. \n");
}
else
{
printf("Verify open store failed.\n");
exit(1);
}
//-------------------------------------------------------------------
// Find the signer's certificate in the store.
pSignerCertContext = CertGetSubjectCertificateFromStore(
hStoreHandle, // handle to store
MY_ENCODING_TYPE, // encoding type
pSignerCertInfo)); // pointer to retrieved CERT_CONTEXT
if(pSignerCertContext)
{
//-------------------------------------------------------------------
// Use the certificate retrieved from the message. For some
// processing that can be done with the certificate, see the full
// program.
}
//-------------------------------------------------------------------
// Clean up.
if(pSignerCertInfo)
free(pSignerCertInfo);
if(pSignerCertContext)
CertFreeCertificateContext(pSignerCertContext);
if(hStoreHandle)
CertCloseStore(hStoreHandle, CERT_CLOSE_STORE_FORCE_FLAG);
if(hMsg)
CryptMsgClose(hMsg);
}
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows XP [desktop apps | UWP apps] |
| Minimum supported server | Windows Server 2003 [desktop apps | UWP apps] |
| Target Platform | Windows |
| Header | wincrypt.h |
| Library | Crypt32.lib |
| DLL | Crypt32.dll |
See also
CertDuplicateCertificateContext
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for