Recuperación de un certificado emitido de Active Directory
Una entidad de certificación (CA) empresarial publica certificados emitidos en Active Directory; Una entidad de certificación independiente también puede publicar certificados emitidos en Active Directory. En el ejemplo siguiente se muestra cómo adquirir un contexto de certificado para un certificado almacenado en Active Directory. Una vez adquirido el contexto del certificado, puede recuperar el contenido del certificado o realizar operaciones de certificado mediante las funciones CryptoAPI.
En el ejemplo siguiente se muestra cómo recuperar un certificado de Active Directory.
// Copyright (C) Microsoft. All rights reserved.
// Retrieve a user certificate from Active Directory.
//
// This example uses CryptoAPI calls to retrieve
// a certificate previously published to Active Directory
// by Microsoft Certificate Services.
// Ensure Crypt32.lib and Secur32.lib are part of link libraries.
#pragma comment(lib, "crypt32.lib")
#define SECURITY_WIN32 1
#define UNICODE 1
#include <stdio.h>
#include <windows.h>
#include <Wincrypt.h>
#include <strsafe.h>
#include <security.h>
#define MAXBUFF 512
void __cdecl main()
{
HCERTSTORE hStore=NULL;
PCCERT_CONTEXT pCertCtx = NULL;
WCHAR wszDN[MAXBUFF];
ULONG cchDN = MAXBUFF;
WCHAR wszQuery[MAXBUFF * 2];
ULONG cchQuery = MAXBUFF * 2;
// Determine the name of the user whose certificate is being
// retrieved. This value can be constructed by other means,
// but this example will use GetUserNameEx.
if (!GetUserNameEx(NameFullyQualifiedDN,
wszDN,
&cchDN))
{
printf("Failed GetUserNameEx: %x\n",
GetLastError());
exit(1);
}
// Build the LDAP query string.
if (S_OK != StringCchPrintf(wszQuery,
cchQuery,
L"ldap:///%s?%s",
wszDN,
L"userCertificate"))
{
printf("Failed StringCchPrintf\n");
exit(1);
}
// Open the Active Directory certificate store.
hStore = CertOpenStore(CERT_STORE_PROV_LDAP,
0,
0,
CERT_STORE_READONLY_FLAG,
wszQuery);
if ( NULL == hStore)
{
printf("Failed CertOpenStore - %x\n", GetLastError());
exit(1);
}
// Retrieve a certificate context from this opened store.
// Here, retrieve any existing certificate stored for
// the user in Active Directory.
// If more than one certificate exists, consult
// CertFindCertificateInStore documentation for search
// types and calling instructions.
pCertCtx = CertFindCertificateInStore(hStore,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
0,
CERT_FIND_ANY,
NULL,
NULL);
if (NULL == pCertCtx)
{
DWORD dwErr;
dwErr = GetLastError();
if (CRYPT_E_NOT_FOUND == dwErr)
printf("User does not have certificate"
"in Active Directory\n");
else
printf("Failed CertFindCertificateInStore - %x\n",
dwErr);
}
else
{
// Use the certificate context as needed.
// Here, display the serial number.
DWORD dwLen, i;
dwLen = pCertCtx->pCertInfo->SerialNumber.cbData;
// The serial number bytes are stored
// least significant byte first.
printf("Serial number: ");
for (i = dwLen-1; i != MAXDWORD; i--)
printf("%02x",
*(pCertCtx->pCertInfo->SerialNumber.pbData + i));
printf("\n");
// Free the certificate context.
CertFreeCertificateContext(pCertCtx);
}
// Close the certificate store.
CertCloseStore(hStore, 0);
}