How to get Certificate Information Using WinInet APIs


There are two different structures you can query in order to retrieve server certificate information.  You must do some sort of request to complete the SSL server certificate exchange, and then you can retrieve this information.  Here is an example of that technique.

C++ code listing for sample (Copy Code):

// CertificateInfo.cpp : Defines the entry point for the console application.
// This is sample code. You are responsible for input validation, and error processing.
// The following macros define the minimum required platform. The minimum required platform
// is the earliest version of Windows, Internet Explorer etc. that has the necessary features to run
// your application. The macros work by enabling all features available on platform versions up to and
// including the version specified.
// Modify the following defines if you have to target a platform prior to the ones specified below.
// Refer to MSDN for the latest info on corresponding values for different platforms.

 

#ifndef _WIN32_WINNT // Specifies that the minimum required platform is Windows Vista.
#define _WIN32_WINNT 0x0600 // Change this to the appropriate value to target other versions of Windows.
#endif
#ifndef
WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#include
<windows.h>
#include <stdio.h>
#include <iostream>
#include <tchar.h>
#include <wininet.h> // make sure you link with WinInet.lib
int _tmain(int argc, _TCHAR* argv[])
{

  if (argc < 2)
{

std::cout << “Please specify and HTTPS address to query the certificate information for” << std::endl;
}
  else
  {
// Get Scheme and HostName from URL passed in
    ::URL_COMPONENTS urlComp;
::ZeroMemory((
void *)&urlComp,sizeof(URL_COMPONENTS));
urlComp.dwSchemeLength = -1;
urlComp.dwHostNameLength = -1;
urlComp.dwUrlPathLength = -1;
    urlComp.dwStructSize = sizeof(URL_COMPONENTS);
    if (!::InternetCrackUrl(argv[1],wcslen(argv[1]),0,&urlComp))
{
std::cout <<
“InternetCrackUrl failed” << std::endl;
}
    else
    {
if (urlComp.nScheme != INTERNET_SCHEME_HTTPS)
{
std::cout <<
“Please specify and HTTPS address to query the certificate information for: https://www.someserver.com” << std::endl;
}
        else
        {
std::wcout <<
“opening connection to host: “ << (LPWSTR)urlComp.lpszHostName << std::endl;

HINTERNET hInternet = ::InternetOpen(_T(“”), INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
            if (hInternet)
{
HINTERNET hConnect = ::InternetConnect( hInternet, urlComp.lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, INTERNET_FLAG_SECURE, NULL);
                if (hConnect)
{
// you could use HEAD,GET or POST here. HEAD will not return the body of the page so will be more efficient
                    HINTERNET hRequest = ::HttpOpenRequest(hConnect,_T(“HEAD”), NULL, NULL, NULL,
NULL, INTERNET_FLAG_SECURE, NULL);

if (NULL != hRequest)
{
// Send
                        BOOL fRet = ::HttpSendRequest( hRequest, _T(“”), 0, NULL, 0);

                        if (fRet)
{
char certificateInfoStr[2048];
certificateInfoStr[0] =
‘\0’;
DWORD certInfoLength = 2048;
                            if ( TRUE  == ::InternetQueryOption( hRequest, INTERNET_OPTION_SECURITY_CERTIFICATE, &certificateInfoStr, &certInfoLength) )
{
if ( certificateInfoStr )
{
std::cout << (
char *) certificateInfoStr << std::endl;
}
}
else
{
                                // process error here
DWORD error = GetLastError();
}

INTERNET_CERTIFICATE_INFO certificateInfo;
certInfoLength =

sizeof(INTERNET_CERTIFICATE_INFO);
if ( TRUE == InternetQueryOption( hRequest,
INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT,
&certificateInfo,
&certInfoLength) )
{
// free up memory with LocalFree()

 

                                if ( certificateInfo.lpszEncryptionAlgName )
{
std::cout << (
char *) certificateInfo.lpszEncryptionAlgName << std::endl;
LocalFree( certificateInfo.lpszEncryptionAlgName);
}

                                if ( certificateInfo.lpszIssuerInfo )
{
std::cout << (
char *) certificateInfo.lpszIssuerInfo << std::endl;
LocalFree( certificateInfo.lpszIssuerInfo );
}

                                if ( certificateInfo.lpszProtocolName )
{
std::cout << (
char *) certificateInfo.lpszProtocolName << std::endl;
LocalFree( certificateInfo.lpszProtocolName );
}

                                if ( certificateInfo.lpszSignatureAlgName )
{
std::cout << (
char *) certificateInfo.lpszSignatureAlgName << std::endl;
LocalFree( certificateInfo.lpszSignatureAlgName );
}

                                if ( certificateInfo.lpszSubjectInfo )
{
std::cout << (
char *) certificateInfo.lpszSubjectInfo << std::endl;
LocalFree( certificateInfo.lpszSubjectInfo );
}

}
else
{
// process error
                                    DWORD error = GetLastError();
}
}

::InternetCloseHandle(hRequest);
}
else
{
std::cout <<
“HttpOpenRequest failed” << std::endl;
}

::InternetCloseHandle(hConnect);

}

                else
                {
std::cout <<
“InternetConnect failed” << std::endl;
}
::InternetCloseHandle(hInternet);
}
else
{
std::cout <<
“InternetOpen failed” << std::endl;
}
}
}
}

return 0;
}

Please Drop me a comment if you found this useful!

Comments (9)

  1. Lakshman Prabhu says:

    Useful post! Thanks.

    The dwStructSize of URL_COMPONENTS struct needs to be set to prevent InternetCrackUrl failing with error 87.

  2. Jeff Sanders says:

    You are correct.  I fixed the sample!

  3. Vino says:

    Thanks for the post. I am more concerned with the flags INTERNET_OPTION_SECURITY_CERTIFICATE*.

    This is my scenario. I have a SSL server which has client authentication enabled. There are multiple CA’s present on the server. On the client side I have a smart card which has 3 certificates certA, certB and certC. Of these certificates, certA alone is the one which has the corresponding CA on the server side. I have made certB as the default certificate which means when the server requests a certificate, it is certB which gets picked up and send to the server.

    What I wish to do is to read the list of CA’s from the server and pick a client cert whose CA is present. Is there any way I can get this information from the server. The other thing to note is that the CA of the server certificate and CA of the client certificate need not be the same.

    Here are the set of API’s I use to retrieve the certificate from the smart card

    CryptAcquireContext

    CryptGetProvParam

    CryptGetUserKey

    CryptGetKeyParam and

    CertCreateCertificateContext

    Thanks,

    Vino

  4. Jeff Sanders says:

    Hi Peter,

    Thanks for the comments!  I am honored that you think Thousands of people used my code (however this page only had 600 hits 🙂 ).

    You are correct that this would likely make an invalid request so I changed it to use NULL (using the hostname would be incorrect).  Enjoy!

    Again, thank you for finding the problem!

  5. Mtrep says:

    Confirm!  Just open a major site 48 hours ago and already have 80 hit with this type of request!

  6. Jeff Sanders says:

    Are you confirming people are using this code successfully or that they did not implement the NULL as specified in the fixed code?

  7. Jeff Sanders says:

    If that is the case, the person is not using the code as it is published currently.  You will need to contact the sender and have them correct the code.

  8. David Gil says:

    We've been seeing lots of bad HEAD requests with this format, which we tracked down to this code snippet … Please fix or remove … 🙁

  9. Jeff Sanders says:

    Hi David,  It was fixed in 2010.  I changed the UAHeader for future issues so you will not see it for anything related for code created later than 3-5-2010.

Skip to main content