CertGetCRLFromStore

The CertGetCRLFromStore function gets the first or next CRL_CONTEXT from the certificate store for the specified issuer certificate and performs the enabled verification checks on the CRL.

#include <wincrypt.h>
PCCRL_CONTEXT WINAPI CertGetCRLFromStore(
  HCERTSTORE hCertStore,                // in
  PCCERT_CONTEXT pIssuerContext,        // in, optional
  PCCRL_CONTEXT pPrevCrlContext,        // in
  DWORD *pdwFlags                       // in/out
);
 

Parameters

hCertStore
Handle to the certificate store.
pIssuerContext
Optional pointer to an issuer certificate context. The pIssuerContext may have been obtained from this store or another store, or created by the calling application; in the latter case it must have been created with CertCreateCertificateContext. If NULL is passed for this parameter, all the CRLs in the store are found, regardless of issuer.
pPrevCrlContext
Pointer to a CRL_CONTEXT. An issuer may have multiple CRLs; for example, it can issue delta CRLs by using an X.509 v3 extension. This parameter must be NULL on the first call. To get the next CRL for the issuer, set this parameter to the CRL_CONTEXT returned by the previous call. A non-NULL pPrevCrlContext is always freed by this function with a call to CertFreeCRLContext, even when the function fails.
pdwFlags
The following flags can be set in *pdwFlags to enable verification checks on the returned CRL:
Flag name                       Description
CERT_STORE_SIGNATURE_FLAG       Use the public key in the issuer's certificate to verify the signature on the returned CRL.
CERT_STORE_TIME_VALIDITY_FLAG   Get the current time and verify that it is within the CRL's "ThisUpdate" and "NextUpdate" validity period.

If an enabled verification check succeeds, its flag is set to zero. If an enabled verification check fails, then its flag is set upon return. If pIssuerContext is NULL, then an enabled CERT_STORE_SIGNATURE_FLAG always fails and the CERT_STORE_NO_ISSUER_FLAG is also set. For more details see the Remarks section.

For a verification check failure, a pointer to the first or next CRL_CONTEXT is still returned and SetLastError isn't updated. The caller must therefore inspect *pdwFlags after every successful return to detect a failed check; a non-NULL return value alone does not mean the CRL verified.

Return Values

If the first or next CRL is not found, NULL is returned. Otherwise, a pointer to a read-only CRL_CONTEXT is returned. The CRL_CONTEXT must be freed by calling CertFreeCRLContext. However, when the returned CRL_CONTEXT is supplied for pPrevCrlContext on a subsequent call, the function frees it.

Call GetLastError to see the reason for any failures. This function has the following error codes:

Error code          Description
E_INVALIDARG        The hCertStore argument isn't the same as the hCertStore in the CRL context pointed to by the pPrevCrlContext argument, or an unsupported bit was set in *pdwFlags.
CRYPT_E_NOT_FOUND   Either there are no CRLs in the store for the issuer, or the end of the store's list has been reached.

Remarks

CertDuplicateCRLContext can be called to make a duplicate of a CRL context, for example to keep a reference to a CRL after passing it as pPrevCrlContext, since that call frees the context it is given.

The hexadecimal values of the flags may be combined together with a bitwise OR operation in order to enable both verifications. For example, to enable both verifications the value 0x00000003 would be placed in the double word *pdwFlags, and the pointer to this word is passed in pdwFlags. If CERT_STORE_SIGNATURE_FLAG verification succeeded, but CERT_STORE_TIME_VALIDITY_FLAG verification failed, *pdwFlags would be set to 0x00000002 when the function returns.

Example

See the example for CertEnumCertificatesInStore, change all references from "certificate" to "CRL."
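The following C program is an added example for this page; it is not from the original reference and not Microsoft's sample code. It opens the system "CA" store (chosen only as a realistic place to look; any store handle works, and the store holds CRLs only if something has placed them there), walks the CRLs for each certificate in it with CertGetCRLFromStore, requests both verification checks, and uses the returned flag word, rather than GetLastError, to decide whether a CRL may be trusted. The flag-interpretation helpers are plain C; the enumeration and main() are compiled only under _WIN32 because they need wincrypt.h and crypt32.lib.

```c
/* Added example, not Microsoft's sample and not code from the reference page.
 * Enumerates every CRL in a store for one issuer, asks CertGetCRLFromStore to
 * verify each CRL's signature and validity period, and interprets the in/out
 * flag word. Build on Windows with:  cl crl_enum.c crypt32.lib  */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else
/* Same values as wincrypt.h, so the flag logic also compiles off-Windows. */
typedef unsigned long DWORD;
#define CERT_STORE_SIGNATURE_FLAG      0x00000001
#define CERT_STORE_TIME_VALIDITY_FLAG  0x00000002
#define CERT_STORE_NO_ISSUER_FLAG      0x00020000
#endif

/* Outcome of one lookup, derived only from the flag word before and after. */
typedef struct {
    int signature_ok;  /* signature check was requested and passed */
    int time_ok;       /* time-validity check was requested and passed */
    int no_issuer;     /* pIssuerContext was NULL; no signature check possible */
} crl_check_result;

/* CertGetCRLFromStore clears the bit of every enabled check that succeeded and
 * sets the bit of every enabled check that failed. 'requested' is *pdwFlags
 * before the call, 'returned' is *pdwFlags after it. */
crl_check_result interpret_crl_flags(DWORD requested, DWORD returned)
{
    crl_check_result r;
    r.signature_ok = (requested & CERT_STORE_SIGNATURE_FLAG) &&
                     !(returned & CERT_STORE_SIGNATURE_FLAG);
    r.time_ok = (requested & CERT_STORE_TIME_VALIDITY_FLAG) &&
                !(returned & CERT_STORE_TIME_VALIDITY_FLAG);
    r.no_issuer = (returned & CERT_STORE_NO_ISSUER_FLAG) != 0;
    return r;
}

/* 1 only if every requested check passed. A CRL whose signature did not
 * verify must not be used to decide revocation status, whatever it lists. */
int crl_usable(DWORD requested, DWORD returned)
{
    crl_check_result r = interpret_crl_flags(requested, returned);
    if ((requested & CERT_STORE_SIGNATURE_FLAG) && !r.signature_ok) return 0;
    if ((requested & CERT_STORE_TIME_VALIDITY_FLAG) && !r.time_ok) return 0;
    return 1;
}

#ifdef _WIN32
/* Walks all CRLs that pIssuer has in hStore. Returns how many passed both
 * checks, or -1 if enumeration stopped for a reason other than end of list. */
int count_usable_crls(HCERTSTORE hStore, PCCERT_CONTEXT pIssuer)
{
    const DWORD checks = CERT_STORE_SIGNATURE_FLAG | CERT_STORE_TIME_VALIDITY_FLAG;
    PCCRL_CONTEXT pCrl = NULL;  /* must be NULL on the first call */
    int usable = 0;

    for (;;) {
        DWORD flags = checks;   /* reset each time: the call overwrites it */
        /* The previous pCrl is freed by this call even on failure, so it is
         * never freed here. */
        pCrl = CertGetCRLFromStore(hStore, pIssuer, pCrl, &flags);
        if (pCrl == NULL) {
            DWORD err = GetLastError();
            return (err == (DWORD)CRYPT_E_NOT_FOUND) ? usable : -1;
        }
        /* A context comes back even when a check failed, and GetLastError is
         * not set; the flag word is the only signal. */
        if (crl_usable(checks, flags)) {
            usable++;
        } else {
            crl_check_result r = interpret_crl_flags(checks, flags);
            printf("  rejected CRL: signature %s, validity period %s\n",
                   r.signature_ok ? "ok" : "FAILED", r.time_ok ? "ok" : "FAILED");
        }
    }
}

int main(void)
{
    HCERTSTORE hStore = CertOpenSystemStoreA(0, "CA");  /* any store will do */
    PCCERT_CONTEXT pIssuer = NULL;
    if (hStore == NULL) {
        fprintf(stderr, "CertOpenSystemStore failed: 0x%08lx\n", GetLastError());
        return 1;
    }
    /* Try each certificate in the store as a potential CRL issuer;
     * CertEnumCertificatesInStore frees the previous context itself. */
    while ((pIssuer = CertEnumCertificatesInStore(hStore, pIssuer)) != NULL) {
        char name[256];
        CertGetNameStringA(pIssuer, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL,
                           name, sizeof name);
        printf("%s: %d usable CRL(s)\n", name, count_usable_crls(hStore, pIssuer));
    }
    CertCloseStore(hStore, 0);
    return 0;
}
#endif
```

Note that the flag word is reset to the requested checks before every call: the function rewrites it on return, so reusing the previous value would silently stop requesting any check that had just failed.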

QuickInfo

  Windows NT: Requires version 4.0 SP3 or later. Available also in IE 3.02 and later.
  Windows: Requires Windows 95 OSR2 or later.
  Windows CE: Unsupported.
  Header: Declared in wincrypt.h.
  Import Library: Use crypt32.lib.

See Also

CertGetCRLContextProperty