Discussion:
acceptable certificate authorities from SSL connection in wininet or schannel
William Bardwell
2004-05-21 13:49:32 UTC
How do I get at the list of acceptable client certificate authorities
(for a client certificate to be sent to an SSL server when establishing
the connection)?

WinInet lets you set the client certificate to be used, using
InternetSetOption(INTERNET_OPTION_CLIENT_CERT_CONTEXT), but
I need to know what certificate authorities the client certificate
can be signed by, so that I can filter the list of possible
certificates, and only choose or offer valid ones. (WinInet
does this itself in InternetErrorDlg, but I want to be able
to do it myself.) Is there a way to do this with WinInet?

So, I can't find any way to do that in WinInet, so I was thinking
that maybe I could just make an extra connection to the SSL server
with schannel and get the acceptable certificate authority info from
that, but that is the most impenetrable API ever... So, does anyone
know how to get that info out of schannel? (I am not finding
much in the way of samples of basic use of schannel to make a
connection, so if anyone knows of a good one, that would be helpful
too...) Am I supposed to use
QueryCredentialsAttributes(SECPKG_ATTR_ISSUER_LIST_EX)?

Thanks.
William Bardwell
***@curl.com
aka
***@nospam.nospam
Vishal Mishra [MSFT]
2004-05-21 23:34:56 UTC
I don't know how to do this with WinInet but the SDK samples webserver.c and
webclient.c provide pretty good info on how to establish an SSL connection
using SSPI.

Once AcceptSecurityContext returns SEC_E_INCOMPLETE_CREDENTIALS, please call
QueryContextAttributes (not QueryCredentialsAttributes) with
SECPKG_ISSUER_LIST_EX.

I'm adding some sample code below to do that.

/*********************************************************************
// QueryContextAttributes for SECPKG_ATTR_ISSUER_LIST_EX
**********************************************************************/
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <wincrypt.h>
#include <stdio.h>
#include <stdlib.h>

SECURITY_STATUS
QueryContextIssuerListEx( CtxtHandle *phContext )
{
    SECURITY_STATUS secStatus;
    SecPkgContext_IssuerListInfoEx IssuerListExInfo = { 0 };  // zeroed so cleanup is safe if the query fails
    char* pszIssuer = NULL;
    DWORD dwCnt = 0;
    DWORD i;

    secStatus = QueryContextAttributes ( phContext,
                                         SECPKG_ATTR_ISSUER_LIST_EX,
                                         (PVOID)&IssuerListExInfo );
    if( secStatus != SEC_E_OK )
    {
        printf("QueryContextAttributes failed: 0x%08lx\n", (unsigned long)secStatus);
        goto cleanup;
    }

    // print the issuer list info
    printf("\nNumber of trusted certificate issuers: %lu\n",
           (unsigned long)IssuerListExInfo.cIssuers);
    for (i=0; i < IssuerListExInfo.cIssuers; i++)
    {
        // first call, with no buffer, returns the size needed (including the terminating NUL)
        dwCnt = CertNameToStrA( X509_ASN_ENCODING,
                                &IssuerListExInfo.aIssuers[i],
                                CERT_X500_NAME_STR,
                                NULL,
                                0);
        pszIssuer = (char*) malloc( dwCnt );
        if( pszIssuer == NULL )
        {
            secStatus = SEC_E_INSUFFICIENT_MEMORY;
            goto cleanup;
        }

        // second call fills the buffer with the issuer name
        CertNameToStrA( X509_ASN_ENCODING,
                        &IssuerListExInfo.aIssuers[i],
                        CERT_X500_NAME_STR,
                        pszIssuer,
                        dwCnt);
        printf(" Issuer: %s\n", pszIssuer);

        free(pszIssuer);
        pszIssuer = NULL;
        dwCnt = 0;
    }

cleanup:
    // the issuer array is allocated by the security package and must be returned to it
    if( IssuerListExInfo.aIssuers )
    {
        FreeContextBuffer(IssuerListExInfo.aIssuers);
    }

    return secStatus;
} // QueryContextIssuerListEx()
--
------------------------------------------
Regards,
Vishal Mishra [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
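Added example, not from the thread or the SDK samples: portable C that shows what the aIssuers entries returned above are (DER-encoded X.501 Names), renders one roughly the way CertNameToStrA with CERT_X500_NAME_STR does, and applies the filter William asked for, keeping only the client certificates whose encoded issuer equals one of the server's acceptable issuers byte-for-byte, which is the comparison CertFindCertificateInStore(CERT_FIND_ISSUER_NAME) makes on Windows (CertFindChainInStore with CERT_CHAIN_FIND_BY_ISSUER takes the aIssuers array directly). The NameBlob type mirrors CERT_NAME_BLOB so this builds without the Windows headers; the issuer names are constructed samples, and since the list is chosen by the peer it is treated as untrusted input with every DER length bounds-checked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct { uint32_t cbData; const uint8_t *pbData; } NameBlob; /* same shape as CERT_NAME_BLOB */
static const char *const ATTR[12] = { [3] = "CN", [6] = "C", [7] = "L", [8] = "ST", [10] = "O", [11] = "OU" };
/* DER tag/length header at p (n bytes left): sets *len, returns header size, or 0 if malformed/overrunning. */
static size_t der_hdr(const uint8_t *p, size_t n, size_t *len) {
    size_t k = 0, l;
    if (n < 2) return 0;
    if (p[1] < 0x80) l = p[1];                                   /* short form */
    else if ((k = p[1] & 0x7f) == 1 && n > 2) l = p[2];          /* long form, one length byte */
    else if (k == 2 && n > 3) l = (size_t)p[2] << 8 | p[3];      /* two length bytes; a Name never needs more */
    else return 0;
    return (*len = l) + 2 + k <= n ? 2 + k : 0;
}
/* Render a DER X.501 Name as "O=..., CN=..." (roughly CertNameToStr with CERT_X500_NAME_STR): a flat TLV
   walk, every header bounds-checked against the blob, ASCII string values assumed. -1 if malformed/too long. */
int name_to_str(const NameBlob *nm, char *out, size_t cap) {
    size_t pos = 0, h, len, used = 0;
    const uint8_t *p = nm->pbData, *o;
    const char *t = NULL;                                                /* pending AttributeType */
    if (!nm->cbData || p[0] != 0x30) return -1;
    while (pos < nm->cbData) {
        if (!(h = der_hdr(p + pos, nm->cbData - pos, &len))) return -1;
        o = p + pos + h;                                                 /* start of this element's content */
        if (p[pos] == 0x30 || p[pos] == 0x31) { pos += h; continue; }   /* step into SEQUENCE / SET */
        if (p[pos] == 0x06)                                              /* AttributeType: is it 2.5.4.x? */
            t = (len == 3 && o[0] == 0x55 && o[1] == 0x04 && o[2] < 12 && ATTR[o[2]]) ? ATTR[o[2]] : "?";
        else {                                                           /* AttributeValue string */
            used += (size_t)snprintf(used < cap ? out + used : NULL, used < cap ? cap - used : 0,
                                     "%s%s=%.*s", used ? ", " : "", t ? t : "?", (int)len, (const char *)o);
            t = NULL;
        }
        pos += h + len;
    }
    return used < cap ? (int)used : -1;
}
/* First candidate whose encoded issuer equals an acceptable one byte-for-byte, as CERT_FIND_ISSUER_NAME does; -1 if none. */
int pick_cert(const NameBlob *ok, uint32_t nOk, const NameBlob *issuer, uint32_t nCert) {
    for (uint32_t c = 0; c < nCert; c++) for (uint32_t a = 0; a < nOk; a++)
        if (ok[a].cbData == issuer[c].cbData && !memcmp(ok[a].pbData, issuer[c].pbData, ok[a].cbData))
            return (int)c;
    return -1;
}
#define BLOB(s) { sizeof(s) - 1, (const uint8_t *)(s) }  /* constructed sample names, in the form aIssuers holds them */
static const char CORP_CA[] = "\x30\x27\x31\x10\x30\x0e\x06\x03\x55\x04\x0a\x13\x07" "Example"      /* O=Example, */
                              "\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0a" "Example CA";          /* CN=Example CA */
static const char PUBLIC_CA[] = "\x30\x14\x31\x12\x30\x10\x06\x03\x55\x04\x03\x13\x09" "Public CA"; /* CN=Public CA */
static const NameBlob ACCEPTABLE[] = { BLOB(CORP_CA) };                  /* the server's issuer list */
static const NameBlob MY_ISSUERS[] = { BLOB(PUBLIC_CA), BLOB(CORP_CA) }; /* issuers of our two client certs */
```

pick_cert(ACCEPTABLE, 1, MY_ISSUERS, 2) returns 1 here: the certificate from the public CA is skipped and only the one issued by the corporate CA would be offered.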