How to get Certificate Information Using WinInet APIs
There are two different structures you can query in order to retrieve server certificate information. You must do some sort of request to complete the SSL server certificate exchange, and then you can retrieve this information. Here is an example of that technique.
C++ code listing for sample (Copy Code):
// CertificateInfo.cpp : Defines the entry point for the console application.
// This is sample code. You are responsible for input validation, and error processing.
// The following macros define the minimum required platform. The minimum required platform
// is the earliest version of Windows, Internet Explorer etc. that has the necessary features to run
// your application. The macros work by enabling all features available on platform versions up to and
// including the version specified.
// Modify the following defines if you have to target a platform prior to the ones specified below.
// Refer to MSDN for the latest info on corresponding values for different platforms.
#ifndef _WIN32_WINNT // Specifies that the minimum required platform is Windows Vista.
#define _WIN32_WINNT 0x0600 // Change this to the appropriate value to target other versions of Windows.
#endif
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#include <windows.h>
#include <stdio.h>
#include <iostream>
#include <tchar.h>
#include <wininet.h> // make sure you link with WinInet.libint _tmain(int argc, _TCHAR* argv[])
{
if (argc < 2)
{
std::cout << "Please specify and HTTPS address to query the certificate information for" << std::endl;
}
else
{
// Get Scheme and HostName from URL passed in
::URL_COMPONENTS urlComp;
::ZeroMemory((void *)&urlComp,sizeof(URL_COMPONENTS));
urlComp.dwSchemeLength = -1;
urlComp.dwHostNameLength = -1;
urlComp.dwUrlPathLength = -1;
urlComp.dwStructSize = sizeof(URL_COMPONENTS);
if (!::InternetCrackUrl(argv[1],wcslen(argv[1]),0,&urlComp))
{
std::cout << "InternetCrackUrl failed" << std::endl;
}
else
{
if (urlComp.nScheme != INTERNET_SCHEME_HTTPS)
{
std::cout << "Please specify and HTTPS address to query the certificate information for: https://www.someserver.com" << std::endl;
}
else
{
std::wcout << "opening connection to host: " << (LPWSTR)urlComp.lpszHostName << std::endl;
HINTERNET hInternet = ::InternetOpen(_T(""), INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
if (hInternet)
{
HINTERNET hConnect = ::InternetConnect( hInternet, urlComp.lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, INTERNET_FLAG_SECURE, NULL);
if (hConnect)
{
// you could use HEAD,GET or POST here. HEAD will not return the body of the page so will be more efficient
HINTERNET hRequest = ::HttpOpenRequest(hConnect,_T("HEAD"), NULL, NULL, NULL,
NULL, INTERNET_FLAG_SECURE, NULL);
if (NULL != hRequest)
{
// Send
BOOL fRet = ::HttpSendRequest( hRequest, _T(""), 0, NULL, 0);
if (fRet)
{
char certificateInfoStr[2048];
certificateInfoStr[0] = '\0';
DWORD certInfoLength = 2048;
if ( TRUE == ::InternetQueryOption( hRequest, INTERNET_OPTION_SECURITY_CERTIFICATE, &certificateInfoStr, &certInfoLength) )
{
if ( certificateInfoStr )
{
std::cout << (char *) certificateInfoStr << std::endl;
}
}
else
{
// process error here
DWORD error = GetLastError();
}
INTERNET_CERTIFICATE_INFO certificateInfo;
certInfoLength =
sizeof(INTERNET_CERTIFICATE_INFO);
if ( TRUE == InternetQueryOption( hRequest,
INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT,
&certificateInfo,
&certInfoLength) )
{
// free up memory with LocalFree()
if ( certificateInfo.lpszEncryptionAlgName )
{
std::cout << (char *) certificateInfo.lpszEncryptionAlgName << std::endl;
LocalFree( certificateInfo.lpszEncryptionAlgName);
}
if ( certificateInfo.lpszIssuerInfo )
{
std::cout << (char *) certificateInfo.lpszIssuerInfo << std::endl;
LocalFree( certificateInfo.lpszIssuerInfo );
}
if ( certificateInfo.lpszProtocolName )
{
std::cout << (char *) certificateInfo.lpszProtocolName << std::endl;
LocalFree( certificateInfo.lpszProtocolName );
}
if ( certificateInfo.lpszSignatureAlgName )
{
std::cout << (char *) certificateInfo.lpszSignatureAlgName << std::endl;
LocalFree( certificateInfo.lpszSignatureAlgName );
}
if ( certificateInfo.lpszSubjectInfo )
{
std::cout << (char *) certificateInfo.lpszSubjectInfo << std::endl;
LocalFree( certificateInfo.lpszSubjectInfo );
}
}
else
{
// process error
DWORD error = GetLastError();
}
}
::InternetCloseHandle(hRequest);
}
else
{
std::cout << "HttpOpenRequest failed" << std::endl;
}
::InternetCloseHandle(hConnect);
}
else
{
std::cout << "InternetConnect failed" << std::endl;
}
::InternetCloseHandle(hInternet);
}
else
{
std::cout << "InternetOpen failed" << std::endl;
}
}
}
}
return 0;
}
Please Drop me a comment if you found this useful!
Comments
Anonymous
May 08, 2009
Useful post! Thanks. The dwStructSize of URL_COMPONENTS struct needs to be set to prevent InternetCrackUrl failing with error 87.Anonymous
May 14, 2009
You are correct. I fixed the sample!Anonymous
June 25, 2009
Thanks for the post. I am more concerned with the flags INTERNET_OPTION_SECURITY_CERTIFICATE*. This is my scenario. I have a SSL server which has client authentication enabled. There are multiple CA's present on the server. On the client side I have a smart card which has 3 certificates certA, certB and certC. Of these certificates, certA alone is the one which has the corresponding CA on the server side. I have made certB as the default certificate which means when the server requests a certificate, it is certB which gets picked up and send to the server. What I wish to do is to read the list of CA's from the server and pick a client cert whose CA is present. Is there any way I can get this information from the server. The other thing to note is that the CA of the server certificate and CA of the client certificate need not be the same. Here are the set of API's I use to retrieve the certificate from the smart card CryptAcquireContext CryptGetProvParam CryptGetUserKey CryptGetKeyParam and CertCreateCertificateContext Thanks, VinoAnonymous
March 04, 2010
The comment has been removedAnonymous
December 02, 2010
Confirm! Just open a major site 48 hours ago and already have 80 hit with this type of request!Anonymous
December 05, 2010
Are you confirming people are using this code successfully or that they did not implement the NULL as specified in the fixed code?Anonymous
December 06, 2010
If that is the case, the person is not using the code as it is published currently. You will need to contact the sender and have them correct the code.Anonymous
September 30, 2014
The comment has been removedAnonymous
September 30, 2014
Hi David, It was fixed in 2010. I changed the UAHeader for future issues so you will not see it for anything related for code created later than 3-5-2010.