X509_QueryCert queries an X.509 certificate file for selected information.
    Public Declare Function X509_QueryCert Lib "diCrPKI.dll" _
        (ByVal strDataOut As String, ByVal nOutChars As Long, _
        ByVal strFileIn As String, ByVal strQuery As String, ByVal nOptions As Long) As Long

    nRet = X509_QueryCert(strDataOut, nOutChars, strFileIn, strQuery, nOptions)
strDataOut
    String to receive the output.
nOutChars
    Long specifying the length of the output string.
strFileIn
    String with name of X.509 certificate file (or base64 representation).
strQuery
    String specifying the query (see Remarks below).
nOptions
    Long option flags (see Remarks below for PKI_QUERY_GETTYPE).
    long _stdcall X509_QueryCert(char *szOutput, long nOutChars, const char *szCertFile, const char *szQuery, long nOptions);
Long: If successful, the return value is a positive integer indicating either the result itself
(if the result is a number)
or the number of characters in the output string (if the query is looking for a string).
If the item queried is not present, the return value is zero.
If there is an error (e.g. a missing or invalid certificate file), it returns a negative error code.
X509.QueryCert Method (String, String)
X509.QueryCert Method (String, String, X509.Options)
This function queries a given X.509 certificate file for selected information. Both binary BER-encoded and PEM-encoded
files can be read automatically.
The VB6/C functions behave differently depending on whether the output is a string or a number.
If the result data type is a number then it returns the value directly.
If the result is a string, then it sets strDataOut and returns the number of characters in the string.
The required number of characters can be found by passing zero for nOutChars or a null string for strDataOut.
However, note that the C#/VB.NET methods always return a string.
The query string is case-insensitive, so "version", "Version" and "VeRsIoN"
are all valid.
Valid queries are:
| Query String | Searches for | Data Type |
|---|---|---|
| version | X.509 version number, e.g. 3. | Number |
| serialNumber | Serial number in hex-encoded format | String |
| signatureAlgorithm | Signature algorithm used, e.g. "sha1WithRSAEncryption". | String |
| sigAlgId | ID of signature algorithm used, see PKI_SIG_ values | Number |
| signatureValue | Signature value in hex-encoded format | String |
| notBefore | Date on which the certificate validity period begins, in format yyyy-mm-ddThh:nn:ssZ | String |
| notAfter | Date on which the certificate validity period ends, in format yyyy-mm-ddThh:nn:ssZ | String |
| issuerName | Distinguished name (DN) of the entity who has signed and issued the certificate | String |
| subjectName | Distinguished name (DN) of the subject | String |
| subjectPublicKeyAlgorithm | Algorithm used in the subject's public key, e.g. "dsa". | String |
| subjectKeyIdentifier | The subject key identifier extension, if present, in hex-encoded format | String |
| authorityKeyIdentifier | The authority key identifier extension, if present, in hex-encoded format | String |
| rfc822Name | Internet mail address contained in a subjectAltName extension, if present | String |
| isCA | Returns 1 if the subject type is a CA, otherwise returns 0. | Number |
| keyUsageString | keyUsage flags in text format, e.g. "digitalSignature,nonRepudiation" | String |
| extKeyUsageString† | extKeyUsage purposes in text format, e.g. "codeSigning,timeStamping" | String |
| cRLDistributionPointsURI† | First URI found in cRLDistributionPoints, if any | String |
| authorityInfoAccessURI† | First URI found in authorityInfoAccess, if any | String |
Some of these queries duplicate existing functions, e.g. the query "notAfter" produces the same result
as X509_CertExpiresOn.
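The remarks above describe a calling contract rather than a single value: a negative return is an error, zero means the item is absent, and a positive return is either the number itself or the length of a string that must fit in the caller's buffer. The following Python ctypes wrapper is an added example (not part of the CryptoSys PKI documentation or library) that implements that contract around the C prototype shown above, using the table of query names to decide whether a result is a number or a string. It assumes the DLL is loaded as an stdcall library on Windows and that the output buffer needs one extra byte for the C NUL terminator; the query function takes the DLL entry point as a parameter so the wrapper can be exercised against any callable with the same signature.

```python
import ctypes
from ctypes import c_char_p, c_long, create_string_buffer

PKI_QUERY_NUMBER, PKI_QUERY_STRING = 1, 2   # type codes as documented above

# Result type of each documented query (keys lower-cased: the query is case-insensitive).
QUERY_TYPES = {q.lower(): PKI_QUERY_NUMBER for q in ("version", "sigAlgId", "isCA")}
QUERY_TYPES.update({q.lower(): PKI_QUERY_STRING for q in (
    "serialNumber", "signatureAlgorithm", "signatureValue", "notBefore", "notAfter",
    "issuerName", "subjectName", "subjectPublicKeyAlgorithm", "subjectKeyIdentifier",
    "authorityKeyIdentifier", "rfc822Name", "keyUsageString", "extKeyUsageString",
    "cRLDistributionPointsURI", "authorityInfoAccessURI")})

class CertQueryError(Exception):
    """X509_QueryCert returned a negative error code (e.g. missing or invalid file)."""

def load_query_fn(dll_path="diCrPKI.dll"):
    """Load the real entry point (Windows only) and declare the C prototype shown above."""
    fn = ctypes.WinDLL(dll_path).X509_QueryCert   # WinDLL because the prototype is _stdcall
    fn.argtypes = [c_char_p, c_long, c_char_p, c_char_p, c_long]
    fn.restype = c_long
    return fn

def query_cert(fn, cert_file, query):
    """Run one query. Returns an int for number queries, a str for string queries,
    None if the item is absent; raises CertQueryError on a negative return code."""
    qtype = QUERY_TYPES.get(query.lower())
    if qtype is None:
        raise ValueError(f"not a documented query: {query}")
    cert_b, query_b = cert_file.encode(), query.encode()
    # Sizing call: NULL buffer and zero length. For a number query the return value
    # is already the answer; for a string query it is the required length.
    n = fn(None, 0, cert_b, query_b, 0)
    if n < 0:
        raise CertQueryError(f"{query}: error code {n}")
    if n == 0:
        return None                      # item not present in the certificate
    if qtype == PKI_QUERY_NUMBER:
        return n
    buf = create_string_buffer(n + 1)    # +1 for the C NUL terminator (assumption)
    n = fn(buf, n, cert_b, query_b, 0)
    if n < 0:
        raise CertQueryError(f"{query}: error code {n}")
    return buf.value[:n].decode("ascii")

if __name__ == "__main__":
    fn = load_query_fn()
    for q in ("version", "serialNumber", "signatureAlgorithm", "notAfter"):
        print(f"{q}={query_cert(fn, 'CarlRSASelf.cer', q)}")
```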
To find out the type of data returned for a given query, use the PKI_QUERY_GETTYPE option.
The function will return either PKI_QUERY_NUMBER (1) or PKI_QUERY_STRING (2),
or a negative "invalid query" error.
For example:

    nRet = X509_QueryCert("", 0, "", "version", PKI_QUERY_GETTYPE)
This example queries information from a sample X.509 certificate file.

    Dim nRet As Long
    Dim strOutput As String
    Dim strQuery As String
    Dim strCertFile As String

    strCertFile = "CarlRSASelf.cer"
    ' Make a large buffer to receive output
    strOutput = String(512, " ")

    strQuery = "version"
    nRet = X509_QueryCert(strOutput, Len(strOutput), strCertFile, strQuery, 0)
    Debug.Print strQuery & "=" & nRet

    strQuery = "serialNumber"
    nRet = X509_QueryCert(strOutput, Len(strOutput), strCertFile, strQuery, 0)
    If nRet <= 0 Then Exit Sub ' catch error
    Debug.Print strQuery & "=" & Left(strOutput, nRet)

    strQuery = "signatureAlgorithm"
    nRet = X509_QueryCert(strOutput, Len(strOutput), strCertFile, strQuery, 0)
    If nRet <= 0 Then Exit Sub ' catch error
    Debug.Print strQuery & "=" & Left(strOutput, nRet)

    strQuery = "notAfter"
    nRet = X509_QueryCert(strOutput, Len(strOutput), strCertFile, strQuery, 0)
    If nRet <= 0 Then Exit Sub ' catch error
    Debug.Print strQuery & "=" & Left(strOutput, nRet)

For the S/MIME test file CarlRSASelf.cer, the output is as follows:

    version=3
    serialNumber=46346bc7800056bc11d36e2e9ff25020
    signatureAlgorithm=sha1WithRSAEncryption
    notAfter=2039-12-31T23:59:59Z
To query the type of data returned for a given query:

    Dim nRet As Long
    Dim strQuery As String

    ' Find out the data type for a given query
    strQuery = "version"
    nRet = X509_QueryCert("", 0, "", strQuery, PKI_QUERY_GETTYPE)
    Debug.Print "Type(" & strQuery & ")=" & nRet

    strQuery = "serialNumber"
    nRet = X509_QueryCert("", 0, "", strQuery, PKI_QUERY_GETTYPE)
    Debug.Print "Type(" & strQuery & ")=" & nRet

    strQuery = "NotAValidQuery"
    nRet = X509_QueryCert("", 0, "", strQuery, PKI_QUERY_GETTYPE)
    Debug.Print "Type(" & strQuery & ")=" & nRet

This should produce the output:

    Type(version)=1
    Type(serialNumber)=2
    Type(NotAValidQuery)=-29
where 1 indicates a number, 2 indicates a string, and -29 indicates an invalid query.
See also: X509_KeyUsageFlags, X509_CertSubjectName