Tags: c, openssl, cryptoapi, wincrypt

How to get next certificate in chain


I want to get the parent certificate (or all certificates in the chain, for that matter) from the Windows Certificate Store (assuming I know the location of the end certificate). I need to get each one in order to build my own custom X509_STORE (using OpenSSL).

I think the proper course of action would be:

  1. obtain first certificate using CertFindCertificateInStore (done)
  2. get the certificate chain using CertGetCertificateChain (done)
  3. extract the certificates from chain (?)
  4. for each certificate in chain, convert it using d2i_X509 (done)

or

  1. obtain first certificate using CertFindCertificateInStore (done)
  2. get the parent certificate (if exists) (?)
  3. convert it using d2i_X509, go to 2. (done)

Then create the store.

The question to answer is then: how to get the parent certificate, or all certificates in the chain, using the Windows Certificate Store? I'm probably missing some more or less occult function here.


Solution

  • as the CertFindCertificateInStore outputs a chain context, one can access its members using the beautiful construction:

    chainContext->rgpChain[0]->rgpElement[iCertIndex]->pCertContext->pbCertEncoded

    where iCertIndex is between 0 (end certificate) and chainSize - 1 (self-signed root certificate).
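The same walk, as an added example that is not part of the question or the answer above: PowerShell's X509Chain class wraps the CryptoAPI chain engine (CertGetCertificateChain), so its ChainElements come back in the same order as rgpChain[0]->rgpElement[i], element 0 being the end certificate and the last element the root. Each element's RawData is the DER encoding, i.e. the same bytes the native code reads from pCertContext->pbCertEncoded and feeds to d2i_X509. The thumbprint and output directory are placeholders you supply.

```powershell
# Added example (not code from the original question or answer): build the chain
# for an end-entity certificate in the Windows store and dump every element as DER,
# ready for OpenSSL's d2i_X509 / X509_STORE_add_cert.
# Assumptions: $Thumbprint names a certificate in Cert:\CurrentUser\My and $OutDir
# is any writable directory; both are placeholders.

param(
    [string]$Thumbprint = 'PUT-END-ENTITY-THUMBPRINT-HERE',   # placeholder
    [string]$OutDir     = (Join-Path $env:TEMP 'chain')        # placeholder
)

# Step 1: locate the end certificate (the CertFindCertificateInStore part).
$leaf = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop

# Step 2: build the chain (the CertGetCertificateChain part). Revocation checking is
# switched off because we only want the chain members, not an online status lookup.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

$built = $chain.Build($leaf)
if (-not $built) {
    # A failed build still returns the elements it could find; report why it failed so
    # an untrusted or partial chain is not silently turned into a trust store later.
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("chain status: {0} ({1})" -f $s.Status, $s.StatusInformation.Trim())
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 3: extract the certificates. Index 0 is the end certificate, the last index the
# root, mirroring rgpChain[0]->rgpElement[iCertIndex] in CERT_CHAIN_CONTEXT.
$i = 0
foreach ($el in $chain.ChainElements) {
    $cert = $el.Certificate
    $der  = $cert.RawData        # DER bytes, the equivalent of pbCertEncoded
    $file = Join-Path $OutDir ("{0:D2}-{1}.der" -f $i, $cert.Thumbprint)
    [System.IO.File]::WriteAllBytes($file, $der)

    # Heuristic marker for the self-signed root (subject equals issuer).
    $tag = if ($cert.Subject -eq $cert.Issuer) { '  [self-signed root]' } else { '' }
    "{0}: {1}  (issuer: {2}){3}" -f $i, $cert.Subject, $cert.Issuer, $tag
    $i++
}
$chain.Dispose()
```

Each NN-<thumbprint>.der file can be checked with `openssl x509 -inform DER -in <file> -noout -subject -issuer`, and in the C program the same bytes go straight into d2i_X509 and then X509_STORE_add_cert (normally only the CA elements, index 1 and up; the end certificate is what you verify against the store, not part of it). Two caveats a practitioner should keep: rgpChain[0] is only the first simple chain, and CERT_CHAIN_CONTEXT can carry more than one (cChain) when the engine finds several paths, so a cross-signed deployment may need the other rgpChain entries as well; and if Build() (or CertGetCertificateChain's trust status) reports an untrusted root, the last element is whatever self-signed certificate the engine found, not something Windows trusts, so copying it into your X509_STORE unchecked would extend trust that the platform itself does not grant.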