模拟服务器

开发平台：

C/C++

WinCrypt.h：源码内容

BOOL fInhibitPolicyMapping;
DWORD dwInhibitPolicyMappingSkipCerts;
} CERT_POLICY_CONSTRAINTS_INFO, *PCERT_POLICY_CONSTRAINTS_INFO;
//+-------------------------------------------------------------------------
// RSA_CSP_PUBLICKEYBLOB
//
// pvStructInfo points to a PUBLICKEYSTRUC immediately followed by a
// RSAPUBKEY and the modulus bytes.
//
// CryptExportKey outputs the above StructInfo for a dwBlobType of
// PUBLICKEYBLOB. CryptImportKey expects the above StructInfo when
// importing a public key.
//
// For dwCertEncodingType = X509_ASN_ENCODING, the RSA_CSP_PUBLICKEYBLOB is
// encoded as a PKCS #1 RSAPublicKey consisting of a SEQUENCE of a
// modulus INTEGER and a publicExponent INTEGER. The modulus is encoded
// as being a unsigned integer. When decoded, if the modulus was encoded
// as unsigned integer with a leading 0 byte, the 0 byte is removed before
// converting to the CSP modulus bytes.
//
// For decode, the aiKeyAlg field of PUBLICKEYSTRUC is always set to
// CALG_RSA_KEYX.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_KEYGEN_REQUEST_TO_BE_SIGNED
//
// pvStructInfo points to CERT_KEYGEN_REQUEST_INFO.
//
// For CryptDecodeObject(), the pbEncoded is the "to be signed" plus its
// signature (output of a X509_CERT CryptEncodeObject()).
//
// For CryptEncodeObject(), the pbEncoded is just the "to be signed".
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// PKCS_ATTRIBUTE data structure
//
// pvStructInfo points to a CRYPT_ATTRIBUTE.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// PKCS_ATTRIBUTES data structure
//
// pvStructInfo points to a CRYPT_ATTRIBUTES.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// PKCS_CONTENT_INFO_SEQUENCE_OF_ANY data structure
//
// pvStructInfo points to following CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY.
//
// For X509_ASN_ENCODING: encoded as a PKCS#7 ContentInfo structure wrapping
// a sequence of ANY. The value of the contentType field is pszObjId,
// while the content field is the following structure:
// SequenceOfAny ::= SEQUENCE OF ANY
//
// The CRYPT_DER_BLOBs point to the already encoded ANY content.
//--------------------------------------------------------------------------
typedef struct _CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY {
LPSTR pszObjId;
DWORD cValue;
PCRYPT_DER_BLOB rgValue;
} CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY, *PCRYPT_CONTENT_INFO_SEQUENCE_OF_ANY;
//+-------------------------------------------------------------------------
// PKCS_CONTENT_INFO data structure
//
// pvStructInfo points to following CRYPT_CONTENT_INFO.
//
// For X509_ASN_ENCODING: encoded as a PKCS#7 ContentInfo structure.
// The CRYPT_DER_BLOB points to the already encoded ANY content.
//--------------------------------------------------------------------------
typedef struct _CRYPT_CONTENT_INFO {
LPSTR pszObjId;
CRYPT_DER_BLOB Content;
} CRYPT_CONTENT_INFO, *PCRYPT_CONTENT_INFO;
//+-------------------------------------------------------------------------
// X509_OCTET_STRING data structure
//
// pvStructInfo points to a CRYPT_DATA_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_BITS data structure
//
// pvStructInfo points to a CRYPT_BIT_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_BITS_WITHOUT_TRAILING_ZEROES data structure
//
// pvStructInfo points to a CRYPT_BIT_BLOB.
//
// The same as X509_BITS, except before encoding, the bit length is
// decremented to exclude trailing zero bits.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_INTEGER data structure
//
// pvStructInfo points to an int.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_MULTI_BYTE_INTEGER data structure
//
// pvStructInfo points to a CRYPT_INTEGER_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_ENUMERATED data structure
//
// pvStructInfo points to an int containing the enumerated value
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_CHOICE_OF_TIME data structure
//
// pvStructInfo points to a FILETIME.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_SEQUENCE_OF_ANY data structure
//
// pvStructInfo points to following CRYPT_SEQUENCE_OF_ANY.
//
// The CRYPT_DER_BLOBs point to the already encoded ANY content.
//--------------------------------------------------------------------------
typedef struct _CRYPT_SEQUENCE_OF_ANY {
DWORD cValue;
PCRYPT_DER_BLOB rgValue;
} CRYPT_SEQUENCE_OF_ANY, *PCRYPT_SEQUENCE_OF_ANY;
//+-------------------------------------------------------------------------
// X509_AUTHORITY_KEY_ID2
// szOID_AUTHORITY_KEY_IDENTIFIER2
//
// pvStructInfo points to following CERT_AUTHORITY_KEY_ID2_INFO.
//
// For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
// *pcbEncoded by CryptEncodeObject(X509_AUTHORITY_KEY_ID2)
//
// See X509_ALTERNATE_NAME for error location defines.
//--------------------------------------------------------------------------
typedef struct _CERT_AUTHORITY_KEY_ID2_INFO {
CRYPT_DATA_BLOB KeyId;
CERT_ALT_NAME_INFO AuthorityCertIssuer; // Optional, set cAltEntry
// to 0 to omit.
CRYPT_INTEGER_BLOB AuthorityCertSerialNumber;
} CERT_AUTHORITY_KEY_ID2_INFO, *PCERT_AUTHORITY_KEY_ID2_INFO;
//+-------------------------------------------------------------------------
// szOID_SUBJECT_KEY_IDENTIFIER
//
// pvStructInfo points to a CRYPT_DATA_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_AUTHORITY_INFO_ACCESS
// szOID_AUTHORITY_INFO_ACCESS
//
// pvStructInfo points to following CERT_AUTHORITY_INFO_ACCESS.
//
// For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
// *pcbEncoded by CryptEncodeObject(X509_AUTHORITY_INFO_ACCESS)
//
// Error location consists of:
// ENTRY_INDEX - 8 bits << 16
// VALUE_INDEX - 16 bits (unicode character index)
//
// See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
// defines.
//--------------------------------------------------------------------------
typedef struct _CERT_ACCESS_DESCRIPTION {
LPSTR pszAccessMethod; // pszObjId
CERT_ALT_NAME_ENTRY AccessLocation;
} CERT_ACCESS_DESCRIPTION, *PCERT_ACCESS_DESCRIPTION;
typedef struct _CERT_AUTHORITY_INFO_ACCESS {
DWORD cAccDescr;
PCERT_ACCESS_DESCRIPTION rgAccDescr;
} CERT_AUTHORITY_INFO_ACCESS, *PCERT_AUTHORITY_INFO_ACCESS;
//+-------------------------------------------------------------------------
// PKIX Access Description: Access Method Object Identifiers
//--------------------------------------------------------------------------
#define szOID_PKIX_ACC_DESCR "1.3.6.1.5.5.7.48"
#define szOID_PKIX_OCSP "1.3.6.1.5.5.7.48.1"
#define szOID_PKIX_CA_ISSUERS "1.3.6.1.5.5.7.48.2"
//+-------------------------------------------------------------------------
// X509_CRL_REASON_CODE
// szOID_CRL_REASON_CODE
//
// pvStructInfo points to an int which can be set to one of the following
// enumerated values:
//--------------------------------------------------------------------------
#define CRL_REASON_UNSPECIFIED 0
#define CRL_REASON_KEY_COMPROMISE 1
#define CRL_REASON_CA_COMPROMISE 2
#define CRL_REASON_AFFILIATION_CHANGED 3
#define CRL_REASON_SUPERSEDED 4
#define CRL_REASON_CESSATION_OF_OPERATION 5
#define CRL_REASON_CERTIFICATE_HOLD 6
#define CRL_REASON_REMOVE_FROM_CRL 8
//+-------------------------------------------------------------------------
// X509_CRL_DIST_POINTS
// szOID_CRL_DIST_POINTS
//
// pvStructInfo points to following CRL_DIST_POINTS_INFO.
//
// For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
// *pcbEncoded by CryptEncodeObject(X509_CRL_DIST_POINTS)
//
// Error location consists of:
// CRL_ISSUER_BIT - 1 bit << 31 (0 for FullName, 1 for CRLIssuer)
// POINT_INDEX - 7 bits << 24
// ENTRY_INDEX - 8 bits << 16
// VALUE_INDEX - 16 bits (unicode character index)
//
// See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
// defines.
//--------------------------------------------------------------------------
typedef struct _CRL_DIST_POINT_NAME {
DWORD dwDistPointNameChoice;
union {
CERT_ALT_NAME_INFO FullName; // 1
// Not implemented IssuerRDN; // 2
};
} CRL_DIST_POINT_NAME, *PCRL_DIST_POINT_NAME;
#define CRL_DIST_POINT_NO_NAME 0
#define CRL_DIST_POINT_FULL_NAME 1
#define CRL_DIST_POINT_ISSUER_RDN_NAME 2
typedef struct _CRL_DIST_POINT {
CRL_DIST_POINT_NAME DistPointName; // OPTIONAL
CRYPT_BIT_BLOB ReasonFlags; // OPTIONAL
CERT_ALT_NAME_INFO CRLIssuer; // OPTIONAL
} CRL_DIST_POINT, *PCRL_DIST_POINT;
#define CRL_REASON_UNUSED_FLAG 0x80
#define CRL_REASON_KEY_COMPROMISE_FLAG 0x40
#define CRL_REASON_CA_COMPROMISE_FLAG 0x20
#define CRL_REASON_AFFILIATION_CHANGED_FLAG 0x10
#define CRL_REASON_SUPERSEDED_FLAG 0x08
#define CRL_REASON_CESSATION_OF_OPERATION_FLAG 0x04
#define CRL_REASON_CERTIFICATE_HOLD_FLAG 0x02
typedef struct _CRL_DIST_POINTS_INFO {
DWORD cDistPoint;
PCRL_DIST_POINT rgDistPoint;
} CRL_DIST_POINTS_INFO, *PCRL_DIST_POINTS_INFO;
#define CRL_DIST_POINT_ERR_INDEX_MASK 0x7F
#define CRL_DIST_POINT_ERR_INDEX_SHIFT 24
#define GET_CRL_DIST_POINT_ERR_INDEX(X)
((X >> CRL_DIST_POINT_ERR_INDEX_SHIFT) & CRL_DIST_POINT_ERR_INDEX_MASK)
#define CRL_DIST_POINT_ERR_CRL_ISSUER_BIT 0x80000000L
#define IS_CRL_DIST_POINT_ERR_CRL_ISSUER(X)
(0 != (X & CRL_DIST_POINT_ERR_CRL_ISSUER_BIT))
//+-------------------------------------------------------------------------
// X509_CROSS_CERT_DIST_POINTS
// szOID_CROSS_CERT_DIST_POINTS
//
// pvStructInfo points to following CROSS_CERT_DIST_POINTS_INFO.
//
// For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
// *pcbEncoded by CryptEncodeObject(X509_CRL_DIST_POINTS)
//
// Error location consists of:
// POINT_INDEX - 8 bits << 24
// ENTRY_INDEX - 8 bits << 16
// VALUE_INDEX - 16 bits (unicode character index)
//
// See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
// defines.
//--------------------------------------------------------------------------
typedef struct _CROSS_CERT_DIST_POINTS_INFO {
// Seconds between syncs. 0 implies use client default.
DWORD dwSyncDeltaTime;
DWORD cDistPoint;
PCERT_ALT_NAME_INFO rgDistPoint;
} CROSS_CERT_DIST_POINTS_INFO, *PCROSS_CERT_DIST_POINTS_INFO;
#define CROSS_CERT_DIST_POINT_ERR_INDEX_MASK 0xFF
#define CROSS_CERT_DIST_POINT_ERR_INDEX_SHIFT 24
#define GET_CROSS_CERT_DIST_POINT_ERR_INDEX(X)
((X >> CROSS_CERT_DIST_POINT_ERR_INDEX_SHIFT) &
CROSS_CERT_DIST_POINT_ERR_INDEX_MASK)
//+-------------------------------------------------------------------------
// X509_ENHANCED_KEY_USAGE
// szOID_ENHANCED_KEY_USAGE
//
// pvStructInfo points to a CERT_ENHKEY_USAGE, CTL_USAGE.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_CERT_PAIR
//
// pvStructInfo points to the following CERT_PAIR.
//--------------------------------------------------------------------------
typedef struct _CERT_PAIR {
CERT_BLOB Forward; // OPTIONAL, if Forward.cbData == 0, omitted
CERT_BLOB Reverse; // OPTIONAL, if Reverse.cbData == 0, omitted
} CERT_PAIR, *PCERT_PAIR;
//+-------------------------------------------------------------------------
// szOID_CRL_NUMBER
//
// pvStructInfo points to an int.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_DELTA_CRL_INDICATOR
//
// pvStructInfo points to an int.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_ISSUING_DIST_POINT
// X509_ISSUING_DIST_POINT
//
// pvStructInfo points to the following CRL_ISSUING_DIST_POINT.
//
// For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
// *pcbEncoded by CryptEncodeObject(X509_ISSUING_DIST_POINT)
//
// Error location consists of:
// ENTRY_INDEX - 8 bits << 16
// VALUE_INDEX - 16 bits (unicode character index)
//
// See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
// defines.
//--------------------------------------------------------------------------
typedef struct _CRL_ISSUING_DIST_POINT {
CRL_DIST_POINT_NAME DistPointName; // OPTIONAL
BOOL fOnlyContainsUserCerts;
BOOL fOnlyContainsCACerts;
CRYPT_BIT_BLOB OnlySomeReasonFlags; // OPTIONAL
BOOL fIndirectCRL;
} CRL_ISSUING_DIST_POINT, *PCRL_ISSUING_DIST_POINT;
//+-------------------------------------------------------------------------
// szOID_FRESHEST_CRL
//
// pvStructInfo points to CRL_DIST_POINTS_INFO.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NAME_CONSTRAINTS
// X509_NAME_CONSTRAINTS
//
// pvStructInfo points to the following CERT_NAME_CONSTRAINTS_INFO
//
// For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
// *pcbEncoded by CryptEncodeObject(X509_NAME_CONSTRAINTS)
//
// Error location consists of:
// EXCLUDED_SUBTREE_BIT - 1 bit << 31 (0 for permitted, 1 for excluded)
// ENTRY_INDEX - 8 bits << 16
// VALUE_INDEX - 16 bits (unicode character index)
//
// See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
// defines.
//--------------------------------------------------------------------------
typedef struct _CERT_GENERAL_SUBTREE {
CERT_ALT_NAME_ENTRY Base;
DWORD dwMinimum;
BOOL fMaximum;
DWORD dwMaximum;
} CERT_GENERAL_SUBTREE, *PCERT_GENERAL_SUBTREE;
typedef struct _CERT_NAME_CONSTRAINTS_INFO {
DWORD cPermittedSubtree;
PCERT_GENERAL_SUBTREE rgPermittedSubtree;
DWORD cExcludedSubtree;
PCERT_GENERAL_SUBTREE rgExcludedSubtree;
} CERT_NAME_CONSTRAINTS_INFO, *PCERT_NAME_CONSTRAINTS_INFO;
#define CERT_EXCLUDED_SUBTREE_BIT 0x80000000L
#define IS_CERT_EXCLUDED_SUBTREE(X)
(0 != (X & CERT_EXCLUDED_SUBTREE_BIT))
//+-------------------------------------------------------------------------
// szOID_NEXT_UPDATE_LOCATION
//
// pvStructInfo points to a CERT_ALT_NAME_INFO.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_REMOVE_CERTIFICATE
//
// pvStructInfo points to an int which can be set to one of the following
// 0 - Add certificate
// 1 - Remove certificate
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// PKCS_CTL
// szOID_CTL
//
// pvStructInfo points to a CTL_INFO.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// PKCS_SORTED_CTL
//
// pvStructInfo points to a CTL_INFO.
//
// Same as for PKCS_CTL, except, the CTL entries are sorted. The following
// extension containing the sort information is inserted as the first
// extension in the encoded CTL.
//
// Only supported for Encoding. CRYPT_ENCODE_ALLOC_FLAG flag must be
// set.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Sorted CTL TrustedSubjects extension
//
// Array of little endian DWORDs:
// [0] - Flags
// [1] - Count of HashBucket entry offsets
// [2] - Maximum HashBucket entry collision count
// [3 ..] (Count + 1) HashBucket entry offsets
//
// When this extension is present in the CTL,
// the ASN.1 encoded sequence of TrustedSubjects are HashBucket ordered.
//
// The entry offsets point to the start of the first encoded TrustedSubject
// sequence for the HashBucket. The encoded TrustedSubjects for a HashBucket
// continue until the encoded offset of the next HashBucket. A HashBucket has
// no entries if HashBucket[N] == HashBucket[N + 1].
//
// The HashBucket offsets are from the start of the ASN.1 encoded CTL_INFO.
//--------------------------------------------------------------------------
#define SORTED_CTL_EXT_FLAGS_OFFSET (0*4)
#define SORTED_CTL_EXT_COUNT_OFFSET (1*4)
#define SORTED_CTL_EXT_MAX_COLLISION_OFFSET (2*4)
#define SORTED_CTL_EXT_HASH_BUCKET_OFFSET (3*4)
// If the SubjectIdentifiers are a MD5 or SHA1 hash, the following flag is
// set. When set, the first 4 bytes of the SubjectIdentifier are used as
// the dwhash. Otherwise, the SubjectIdentifier bytes are hashed into dwHash.
// In either case the HashBucket index = dwHash % cHashBucket.
#define SORTED_CTL_EXT_HASHED_SUBJECT_IDENTIFIER_FLAG 0x1
//+-------------------------------------------------------------------------
// X509_MULTI_BYTE_UINT
//
// pvStructInfo points to a CRYPT_UINT_BLOB. Before encoding, inserts a
// leading 0x00. After decoding, removes a leading 0x00.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_DSS_PUBLICKEY
//
// pvStructInfo points to a CRYPT_UINT_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_DSS_PARAMETERS
//
// pvStructInfo points to following CERT_DSS_PARAMETERS data structure.
//--------------------------------------------------------------------------
typedef struct _CERT_DSS_PARAMETERS {
CRYPT_UINT_BLOB p;
CRYPT_UINT_BLOB q;
CRYPT_UINT_BLOB g;
} CERT_DSS_PARAMETERS, *PCERT_DSS_PARAMETERS;
//+-------------------------------------------------------------------------
// X509_DSS_SIGNATURE
//
// pvStructInfo is a BYTE rgbSignature[CERT_DSS_SIGNATURE_LEN]. The
// bytes are ordered as output by the DSS CSP's CryptSignHash().
//--------------------------------------------------------------------------
#define CERT_DSS_R_LEN 20
#define CERT_DSS_S_LEN 20
#define CERT_DSS_SIGNATURE_LEN (CERT_DSS_R_LEN + CERT_DSS_S_LEN)
// Sequence of 2 unsigned integers (the extra +1 is for a potential leading
// 0x00 to make the integer unsigned)
#define CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN (2 + 2*(2 + 20 +1))
//+-------------------------------------------------------------------------
// X509_DH_PUBLICKEY
//
// pvStructInfo points to a CRYPT_UINT_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_DH_PARAMETERS
//
// pvStructInfo points to following CERT_DH_PARAMETERS data structure.
//--------------------------------------------------------------------------
typedef struct _CERT_DH_PARAMETERS {
CRYPT_UINT_BLOB p;
CRYPT_UINT_BLOB g;
} CERT_DH_PARAMETERS, *PCERT_DH_PARAMETERS;
//+-------------------------------------------------------------------------
// X942_DH_PARAMETERS
//
// pvStructInfo points to following CERT_X942_DH_PARAMETERS data structure.
//
// If q.cbData == 0, then, the following fields are zero'ed.
//--------------------------------------------------------------------------
typedef struct _CERT_X942_DH_VALIDATION_PARAMS {
CRYPT_BIT_BLOB seed;
DWORD pgenCounter;
} CERT_X942_DH_VALIDATION_PARAMS, *PCERT_X942_DH_VALIDATION_PARAMS;
typedef struct _CERT_X942_DH_PARAMETERS {
CRYPT_UINT_BLOB p; // odd prime, p = jq + 1
CRYPT_UINT_BLOB g; // generator, g
CRYPT_UINT_BLOB q; // factor of p - 1, OPTIONAL
CRYPT_UINT_BLOB j; // subgroup factor, OPTIONAL
PCERT_X942_DH_VALIDATION_PARAMS pValidationParams; // OPTIONAL
} CERT_X942_DH_PARAMETERS, *PCERT_X942_DH_PARAMETERS;
//+-------------------------------------------------------------------------
// X942_OTHER_INFO
//
// pvStructInfo points to following CRYPT_X942_OTHER_INFO data structure.
//
// rgbCounter and rgbKeyLength are in Little Endian order.
//--------------------------------------------------------------------------
#define CRYPT_X942_COUNTER_BYTE_LENGTH 4
#define CRYPT_X942_KEY_LENGTH_BYTE_LENGTH 4
#define CRYPT_X942_PUB_INFO_BYTE_LENGTH (512/8)
typedef struct _CRYPT_X942_OTHER_INFO {
LPSTR pszContentEncryptionObjId;
BYTE rgbCounter[CRYPT_X942_COUNTER_BYTE_LENGTH];
BYTE rgbKeyLength[CRYPT_X942_KEY_LENGTH_BYTE_LENGTH];
CRYPT_DATA_BLOB PubInfo; // OPTIONAL
} CRYPT_X942_OTHER_INFO, *PCRYPT_X942_OTHER_INFO;
//+-------------------------------------------------------------------------
// PKCS_RC2_CBC_PARAMETERS
// szOID_RSA_RC2CBC
//
// pvStructInfo points to following CRYPT_RC2_CBC_PARAMETERS data structure.
//--------------------------------------------------------------------------
typedef struct _CRYPT_RC2_CBC_PARAMETERS {
DWORD dwVersion;
BOOL fIV; // set if has following IV
BYTE rgbIV[8];
} CRYPT_RC2_CBC_PARAMETERS, *PCRYPT_RC2_CBC_PARAMETERS;
#define CRYPT_RC2_40BIT_VERSION 160
#define CRYPT_RC2_56BIT_VERSION 52
#define CRYPT_RC2_64BIT_VERSION 120
#define CRYPT_RC2_128BIT_VERSION 58
//+-------------------------------------------------------------------------
// PKCS_SMIME_CAPABILITIES
// szOID_RSA_SMIMECapabilities
//
// pvStructInfo points to following CRYPT_SMIME_CAPABILITIES data structure.
//
// Note, for CryptEncodeObject(X509_ASN_ENCODING), Parameters.cbData == 0
// causes the encoded parameters to be omitted and not encoded as a NULL
// (05 00) as is done when encoding a CRYPT_ALGORITHM_IDENTIFIER. This
// is per the SMIME specification for encoding capabilities.
//--------------------------------------------------------------------------
typedef struct _CRYPT_SMIME_CAPABILITY {
LPSTR pszObjId;
CRYPT_OBJID_BLOB Parameters;
} CRYPT_SMIME_CAPABILITY, *PCRYPT_SMIME_CAPABILITY;
typedef struct _CRYPT_SMIME_CAPABILITIES {
DWORD cCapability;
PCRYPT_SMIME_CAPABILITY rgCapability;
} CRYPT_SMIME_CAPABILITIES, *PCRYPT_SMIME_CAPABILITIES;
//+-------------------------------------------------------------------------
// PKCS7_SIGNER_INFO
//
// pvStructInfo points to CMSG_SIGNER_INFO.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMS_SIGNER_INFO
//
// pvStructInfo points to CMSG_CMS_SIGNER_INFO.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Verisign Certificate Extension Object Identifiers
//--------------------------------------------------------------------------
// Octet String containing Boolean
#define szOID_VERISIGN_PRIVATE_6_9 "2.16.840.1.113733.1.6.9"
// Octet String containing IA5 string: lower case 32 char hex string
#define szOID_VERISIGN_ONSITE_JURISDICTION_HASH "2.16.840.1.113733.1.6.11"
// Octet String containing Bit string
#define szOID_VERISIGN_BITSTRING_6_13 "2.16.840.1.113733.1.6.13"
// EKU
#define szOID_VERISIGN_ISS_STRONG_CRYPTO "2.16.840.1.113733.1.8.1"
//+-------------------------------------------------------------------------
// Netscape Certificate Extension Object Identifiers
//--------------------------------------------------------------------------
#define szOID_NETSCAPE "2.16.840.1.113730"
#define szOID_NETSCAPE_CERT_EXTENSION "2.16.840.1.113730.1"
#define szOID_NETSCAPE_CERT_TYPE "2.16.840.1.113730.1.1"
#define szOID_NETSCAPE_BASE_URL "2.16.840.1.113730.1.2"
#define szOID_NETSCAPE_REVOCATION_URL "2.16.840.1.113730.1.3"
#define szOID_NETSCAPE_CA_REVOCATION_URL "2.16.840.1.113730.1.4"
#define szOID_NETSCAPE_CERT_RENEWAL_URL "2.16.840.1.113730.1.7"
#define szOID_NETSCAPE_CA_POLICY_URL "2.16.840.1.113730.1.8"
#define szOID_NETSCAPE_SSL_SERVER_NAME "2.16.840.1.113730.1.12"
#define szOID_NETSCAPE_COMMENT "2.16.840.1.113730.1.13"
//+-------------------------------------------------------------------------
// Netscape Certificate Data Type Object Identifiers
//--------------------------------------------------------------------------
#define szOID_NETSCAPE_DATA_TYPE "2.16.840.1.113730.2"
#define szOID_NETSCAPE_CERT_SEQUENCE "2.16.840.1.113730.2.5"
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_CERT_TYPE extension
//
// Its value is a bit string. CryptDecodeObject/CryptEncodeObject using
// X509_BITS or X509_BITS_WITHOUT_TRAILING_ZEROES.
//
// The following bits are defined:
//--------------------------------------------------------------------------
#define NETSCAPE_SSL_CLIENT_AUTH_CERT_TYPE 0x80
#define NETSCAPE_SSL_SERVER_AUTH_CERT_TYPE 0x40
#define NETSCAPE_SMIME_CERT_TYPE 0x20
#define NETSCAPE_SIGN_CERT_TYPE 0x10
#define NETSCAPE_SSL_CA_CERT_TYPE 0x04
#define NETSCAPE_SMIME_CA_CERT_TYPE 0x02
#define NETSCAPE_SIGN_CA_CERT_TYPE 0x01
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_BASE_URL extension
//
// Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
// X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
// dwValueType = CERT_RDN_IA5_STRING.
//
// When present this string is added to the beginning of all relative URLs
// in the certificate. This extension can be considered an optimization
// to reduce the size of the URL extensions.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_REVOCATION_URL extension
//
// Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
// X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
// dwValueType = CERT_RDN_IA5_STRING.
//
// It is a relative or absolute URL that can be used to check the
// revocation status of a certificate. The revocation check will be
// performed as an HTTP GET method using a url that is the concatenation of
// revocation-url and certificate-serial-number.
// Where the certificate-serial-number is encoded as a string of
// ascii hexadecimal digits. For example, if the netscape-base-url is
// https://www.certs-r-us.com/, the netscape-revocation-url is
// cgi-bin/check-rev.cgi?, and the certificate serial number is 173420,
// the resulting URL would be:
// https://www.certs-r-us.com/cgi-bin/check-rev.cgi?02a56c
//
// The server should return a document with a Content-Type of
// application/x-netscape-revocation. The document should contain
// a single ascii digit, '1' if the certificate is not curently valid,
// and '0' if it is curently valid.
//
// Note: for all of the URLs that include the certificate serial number,
// the serial number will be encoded as a string which consists of an even
// number of hexadecimal digits. If the number of significant digits is odd,
// the string will have a single leading zero to ensure an even number of
// digits is generated.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_CA_REVOCATION_URL extension
//
// Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
// X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
// dwValueType = CERT_RDN_IA5_STRING.
//
// It is a relative or absolute URL that can be used to check the
// revocation status of any certificates that are signed by the CA that
// this certificate belongs to. This extension is only valid in CA
// certificates. The use of this extension is the same as the above
// szOID_NETSCAPE_REVOCATION_URL extension.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_CERT_RENEWAL_URL extension
//
// Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
// X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
// dwValueType = CERT_RDN_IA5_STRING.
//
// It is a relative or absolute URL that points to a certificate renewal
// form. The renewal form will be accessed with an HTTP GET method using a
// url that is the concatenation of renewal-url and
// certificate-serial-number. Where the certificate-serial-number is
// encoded as a string of ascii hexadecimal digits. For example, if the
// netscape-base-url is https://www.certs-r-us.com/, the
// netscape-cert-renewal-url is cgi-bin/check-renew.cgi?, and the
// certificate serial number is 173420, the resulting URL would be:
// https://www.certs-r-us.com/cgi-bin/check-renew.cgi?02a56c
// The document returned should be an HTML form that will allow the user
// to request a renewal of their certificate.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_CA_POLICY_URL extension
//
// Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
// X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
// dwValueType = CERT_RDN_IA5_STRING.
//
// It is a relative or absolute URL that points to a web page that
// describes the policies under which the certificate was issued.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_SSL_SERVER_NAME extension
//
// Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
// X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
// dwValueType = CERT_RDN_IA5_STRING.
//
// It is a "shell expression" that can be used to match the hostname of the
// SSL server that is using this certificate. It is recommended that if
// the server's hostname does not match this pattern the user be notified
// and given the option to terminate the SSL connection. If this extension
// is not present then the CommonName in the certificate subject's
// distinguished name is used for the same purpose.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_COMMENT extension
//
// Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
// X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
// dwValueType = CERT_RDN_IA5_STRING.
//
// It is a comment that may be displayed to the user when the certificate
// is viewed.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_CERT_SEQUENCE
//
// Its value is a PKCS#7 ContentInfo structure wrapping a sequence of
// certificates. The value of the contentType field is
// szOID_NETSCAPE_CERT_SEQUENCE, while the content field is the following
// structure:
// CertificateSequence ::= SEQUENCE OF Certificate.
//
// CryptDecodeObject/CryptEncodeObject using
// PKCS_CONTENT_INFO_SEQUENCE_OF_ANY, where,
// pszObjId = szOID_NETSCAPE_CERT_SEQUENCE and the CRYPT_DER_BLOBs point
// to encoded X509 certificates.
//--------------------------------------------------------------------------
//+=========================================================================
// Certificate Management Messages over CMS (CMC) Data Structures
//==========================================================================
// Content Type (request)
#define szOID_CT_PKI_DATA "1.3.6.1.5.5.7.12.2"
// Content Type (response)
#define szOID_CT_PKI_RESPONSE "1.3.6.1.5.5.7.12.3"
// Signature value that only contains the hash octets. The parameters for
// this algorithm must be present and must be encoded as NULL.
#define szOID_PKIX_NO_SIGNATURE "1.3.6.1.5.5.7.6.2"
#define szOID_CMC "1.3.6.1.5.5.7.7"
#define szOID_CMC_STATUS_INFO "1.3.6.1.5.5.7.7.1"
#define szOID_CMC_IDENTIFICATION "1.3.6.1.5.5.7.7.2"
#define szOID_CMC_IDENTITY_PROOF "1.3.6.1.5.5.7.7.3"
#define szOID_CMC_DATA_RETURN "1.3.6.1.5.5.7.7.4"
// Transaction Id (integer)
#define szOID_CMC_TRANSACTION_ID "1.3.6.1.5.5.7.7.5"
// Sender Nonce (octet string)
#define szOID_CMC_SENDER_NONCE "1.3.6.1.5.5.7.7.6"
// Recipient Nonce (octet string)
#define szOID_CMC_RECIPIENT_NONCE "1.3.6.1.5.5.7.7.7"
#define szOID_CMC_ADD_EXTENSIONS "1.3.6.1.5.5.7.7.8"
#define szOID_CMC_ENCRYPTED_POP "1.3.6.1.5.5.7.7.9"
#define szOID_CMC_DECRYPTED_POP "1.3.6.1.5.5.7.7.10"
#define szOID_CMC_LRA_POP_WITNESS "1.3.6.1.5.5.7.7.11"
// Issuer Name + Serial
#define szOID_CMC_GET_CERT "1.3.6.1.5.5.7.7.15"
// Issuer Name [+ CRL Name] + Time [+ Reasons]
#define szOID_CMC_GET_CRL "1.3.6.1.5.5.7.7.16"
// Issuer Name + Serial [+ Reason] [+ Effective Time] [+ Secret] [+ Comment]
#define szOID_CMC_REVOKE_REQUEST "1.3.6.1.5.5.7.7.17"
// (octet string) URL-style parameter list (IA5?)
#define szOID_CMC_REG_INFO "1.3.6.1.5.5.7.7.18"
#define szOID_CMC_RESPONSE_INFO "1.3.6.1.5.5.7.7.19"
// (octet string)
#define szOID_CMC_QUERY_PENDING "1.3.6.1.5.5.7.7.21"
#define szOID_CMC_ID_POP_LINK_RANDOM "1.3.6.1.5.5.7.7.22"
#define szOID_CMC_ID_POP_LINK_WITNESS "1.3.6.1.5.5.7.7.23"
// optional Name + Integer
#define szOID_CMC_ID_CONFIRM_CERT_ACCEPTANCE "1.3.6.1.5.5.7.7.24"
#define szOID_CMC_ADD_ATTRIBUTES "1.3.6.1.4.1.311.10.10.1"
//+-------------------------------------------------------------------------
// CMC_DATA
// CMC_RESPONSE
//
// Certificate Management Messages over CMS (CMC) PKIData and Response
// messages.
//
// For CMC_DATA, pvStructInfo points to a CMC_DATA_INFO.
// CMC_DATA_INFO contains optional arrays of tagged attributes, requests,
// content info and/or arbitrary other messages.
//
// For CMC_RESPONSE, pvStructInfo points to a CMC_RESPONSE_INFO.
// CMC_RESPONSE_INFO is the same as CMC_DATA_INFO without the tagged
// requests.
//--------------------------------------------------------------------------
typedef struct _CMC_TAGGED_ATTRIBUTE {
DWORD dwBodyPartID;
CRYPT_ATTRIBUTE Attribute;
} CMC_TAGGED_ATTRIBUTE, *PCMC_TAGGED_ATTRIBUTE;
typedef struct _CMC_TAGGED_CERT_REQUEST {
DWORD dwBodyPartID;
CRYPT_DER_BLOB SignedCertRequest;
} CMC_TAGGED_CERT_REQUEST, *PCMC_TAGGED_CERT_REQUEST;
typedef struct _CMC_TAGGED_REQUEST {
DWORD dwTaggedRequestChoice;
union {
// CMC_TAGGED_CERT_REQUEST_CHOICE
PCMC_TAGGED_CERT_REQUEST pTaggedCertRequest;
};
} CMC_TAGGED_REQUEST, *PCMC_TAGGED_REQUEST;
#define CMC_TAGGED_CERT_REQUEST_CHOICE 1
typedef struct _CMC_TAGGED_CONTENT_INFO {
DWORD dwBodyPartID;
CRYPT_DER_BLOB EncodedContentInfo;
} CMC_TAGGED_CONTENT_INFO, *PCMC_TAGGED_CONTENT_INFO;
typedef struct _CMC_TAGGED_OTHER_MSG {
DWORD dwBodyPartID;
LPSTR pszObjId;
CRYPT_OBJID_BLOB Value;
} CMC_TAGGED_OTHER_MSG, *PCMC_TAGGED_OTHER_MSG;
// All the tagged arrays are optional
typedef struct _CMC_DATA_INFO {
DWORD cTaggedAttribute;
PCMC_TAGGED_ATTRIBUTE rgTaggedAttribute;
DWORD cTaggedRequest;
PCMC_TAGGED_REQUEST rgTaggedRequest;
DWORD cTaggedContentInfo;
PCMC_TAGGED_CONTENT_INFO rgTaggedContentInfo;
DWORD cTaggedOtherMsg;
PCMC_TAGGED_OTHER_MSG rgTaggedOtherMsg;
} CMC_DATA_INFO, *PCMC_DATA_INFO;
// All the tagged arrays are optional
typedef struct _CMC_RESPONSE_INFO {
DWORD cTaggedAttribute;
PCMC_TAGGED_ATTRIBUTE rgTaggedAttribute;
DWORD cTaggedContentInfo;
PCMC_TAGGED_CONTENT_INFO rgTaggedContentInfo;
DWORD cTaggedOtherMsg;
PCMC_TAGGED_OTHER_MSG rgTaggedOtherMsg;
} CMC_RESPONSE_INFO, *PCMC_RESPONSE_INFO;
//+-------------------------------------------------------------------------
// CMC_STATUS
//
// Certificate Management Messages over CMS (CMC) Status.
//
// pvStructInfo points to a CMC_STATUS_INFO.
//--------------------------------------------------------------------------
typedef struct _CMC_PEND_INFO {
CRYPT_DATA_BLOB PendToken;
FILETIME PendTime;
} CMC_PEND_INFO, *PCMC_PEND_INFO;
typedef struct _CMC_STATUS_INFO {
DWORD dwStatus;
DWORD cBodyList;
DWORD *rgdwBodyList;
LPWSTR pwszStatusString; // OPTIONAL
DWORD dwOtherInfoChoice;
union {
// CMC_OTHER_INFO_NO_CHOICE
// none
// CMC_OTHER_INFO_FAIL_CHOICE
DWORD dwFailInfo;
// CMC_OTHER_INFO_PEND_CHOICE
PCMC_PEND_INFO pPendInfo;
};
} CMC_STATUS_INFO, *PCMC_STATUS_INFO;
#define CMC_OTHER_INFO_NO_CHOICE 0
#define CMC_OTHER_INFO_FAIL_CHOICE 1
#define CMC_OTHER_INFO_PEND_CHOICE 2
//
// dwStatus values
//
// Request was granted
#define CMC_STATUS_SUCCESS 0
// Request failed, more information elsewhere in the message
#define CMC_STATUS_FAILED 2
// The request body part has not yet been processed. Requester is responsible
// to poll back. May only be returned for certificate request operations.
#define CMC_STATUS_PENDING 3
// The requested operation is not supported
#define CMC_STATUS_NO_SUPPORT 4
// Confirmation using the idConfirmCertAcceptance control is required
// before use of certificate
#define CMC_STATUS_CONFIRM_REQUIRED 5
//
// dwFailInfo values
//
// Unrecognized or unsupported algorithm
#define CMC_FAIL_BAD_ALG 0
// Integrity check failed
#define CMC_FAIL_BAD_MESSAGE_CHECK 1
// Transaction not permitted or supported
#define CMC_FAIL_BAD_REQUEST 2
// Message time field was not sufficiently close to the system time
#define CMC_FAIL_BAD_TIME 3
// No certificate could be identified matching the provided criteria
#define CMC_FAIL_BAD_CERT_ID 4
// A requested X.509 extension is not supported by the recipient CA.
#define CMC_FAIL_UNSUPORTED_EXT 5
// Private key material must be supplied
#define CMC_FAIL_MUST_ARCHIVE_KEYS 6
// Identification Attribute failed to verify
#define CMC_FAIL_BAD_IDENTITY 7
// Server requires a POP proof before issuing certificate
#define CMC_FAIL_POP_REQUIRED 8
// POP processing failed
#define CMC_FAIL_POP_FAILED 9
// Server policy does not allow key re-use
#define CMC_FAIL_NO_KEY_REUSE 10
#define CMC_FAIL_INTERNAL_CA_ERROR 11
#define CMC_FAIL_TRY_LATER 12
//+-------------------------------------------------------------------------
// CMC_ADD_EXTENSIONS
//
// Certificate Management Messages over CMS (CMC) Add Extensions control
// attribute.
//
// pvStructInfo points to a CMC_ADD_EXTENSIONS_INFO.
//--------------------------------------------------------------------------
typedef struct _CMC_ADD_EXTENSIONS_INFO {
DWORD dwCmcDataReference;
DWORD cCertReference;
DWORD *rgdwCertReference;
DWORD cExtension;
PCERT_EXTENSION rgExtension;
} CMC_ADD_EXTENSIONS_INFO, *PCMC_ADD_EXTENSIONS_INFO;
//+-------------------------------------------------------------------------
// CMC_ADD_ATTRIBUTES
//
// Certificate Management Messages over CMS (CMC) Add Attributes control
// attribute.
//
// pvStructInfo points to a CMC_ADD_ATTRIBUTES_INFO.
//--------------------------------------------------------------------------
typedef struct _CMC_ADD_ATTRIBUTES_INFO {
DWORD dwCmcDataReference;
DWORD cCertReference;
DWORD *rgdwCertReference;
DWORD cAttribute;
PCRYPT_ATTRIBUTE rgAttribute;
} CMC_ADD_ATTRIBUTES_INFO, *PCMC_ADD_ATTRIBUTES_INFO;
//+-------------------------------------------------------------------------
// X509_CERTIFICATE_TEMPLATE
// szOID_CERTIFICATE_TEMPLATE
//
// pvStructInfo points to following CERT_TEMPLATE_EXT data structure.
//
//--------------------------------------------------------------------------
typedef struct _CERT_TEMPLATE_EXT {
LPSTR pszObjId;
DWORD dwMajorVersion;
BOOL fMinorVersion; // TRUE for a minor version
DWORD dwMinorVersion;
} CERT_TEMPLATE_EXT, *PCERT_TEMPLATE_EXT;
//+=========================================================================
// Object IDentifier (OID) Installable Functions: Data Structures and APIs
//==========================================================================
typedef void *HCRYPTOIDFUNCSET;
typedef void *HCRYPTOIDFUNCADDR;
// Predefined OID Function Names
#define CRYPT_OID_ENCODE_OBJECT_FUNC "CryptDllEncodeObject"
#define CRYPT_OID_DECODE_OBJECT_FUNC "CryptDllDecodeObject"
#define CRYPT_OID_ENCODE_OBJECT_EX_FUNC "CryptDllEncodeObjectEx"
#define CRYPT_OID_DECODE_OBJECT_EX_FUNC "CryptDllDecodeObjectEx"
#define CRYPT_OID_CREATE_COM_OBJECT_FUNC "CryptDllCreateCOMObject"
#define CRYPT_OID_VERIFY_REVOCATION_FUNC "CertDllVerifyRevocation"
#define CRYPT_OID_VERIFY_CTL_USAGE_FUNC "CertDllVerifyCTLUsage"
#define CRYPT_OID_FORMAT_OBJECT_FUNC "CryptDllFormatObject"
#define CRYPT_OID_FIND_OID_INFO_FUNC "CryptDllFindOIDInfo"
#define CRYPT_OID_FIND_LOCALIZED_NAME_FUNC "CryptDllFindLocalizedName"
// CryptDllEncodeObject has same function signature as CryptEncodeObject.
// CryptDllDecodeObject has same function signature as CryptDecodeObject.
// CryptDllEncodeObjectEx has same function signature as CryptEncodeObjectEx.
// The Ex version MUST support the CRYPT_ENCODE_ALLOC_FLAG option.
//
// If an Ex function isn't installed or registered, then, attempts to find
// a non-EX version. If the ALLOC flag is set, then, CryptEncodeObjectEx,
// does the allocation and calls the non-EX version twice.
// CryptDllDecodeObjectEx has same function signature as CryptDecodeObjectEx.
// The Ex version MUST support the CRYPT_DECODE_ALLOC_FLAG option.
//
// If an Ex function isn't installed or registered, then, attempts to find
// a non-EX version. If the ALLOC flag is set, then, CryptDecodeObjectEx,
// does the allocation and calls the non-EX version twice.
// CryptDllCreateCOMObject has the following signature:
// BOOL WINAPI CryptDllCreateCOMObject(
// IN DWORD dwEncodingType,
// IN LPCSTR pszOID,
// IN PCRYPT_DATA_BLOB pEncodedContent,
// IN DWORD dwFlags,
// IN REFIID riid,
// OUT void **ppvObj);
// CertDllVerifyRevocation has the same signature as CertVerifyRevocation
// (See CertVerifyRevocation for details on when called)
// CertDllVerifyCTLUsage has the same signature as CertVerifyCTLUsage
// CryptDllFindOIDInfo currently is only used to store values used by
// CryptFindOIDInfo. See CryptFindOIDInfo() for more details.
// CryptDllFindLocalizedName is only used to store localized string
// values used by CryptFindLocalizedName. See CryptFindLocalizedName() for
// more details.
// Example of a complete OID Function Registry Name:
// HKEY_LOCAL_MACHINESoftwareMicrosoftCryptographyOID
// Encoding Type 1CryptDllEncodeObject1.2.3
//
// The key's L"Dll" value contains the name of the Dll.
// The key's L"FuncName" value overrides the default function name
#define CRYPT_OID_REGPATH "Software\Microsoft\Cryptography\OID"
#define CRYPT_OID_REG_ENCODING_TYPE_PREFIX "EncodingType "
#define CRYPT_OID_REG_DLL_VALUE_NAME L"Dll"
#define CRYPT_OID_REG_FUNC_NAME_VALUE_NAME L"FuncName"
#define CRYPT_OID_REG_FUNC_NAME_VALUE_NAME_A "FuncName"
// CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG can be set in the key's L"CryptFlags"
// value to register the functions before the installed functions.
//
// CryptSetOIDFunctionValue must be called to set this value. L"CryptFlags"
// must be set using a dwValueType of REG_DWORD.
#define CRYPT_OID_REG_FLAGS_VALUE_NAME L"CryptFlags"
// OID used for Default OID functions
#define CRYPT_DEFAULT_OID "DEFAULT"
typedef struct _CRYPT_OID_FUNC_ENTRY {
LPCSTR pszOID;
void *pvFuncAddr;
} CRYPT_OID_FUNC_ENTRY, *PCRYPT_OID_FUNC_ENTRY;
#define CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG 1
//+-------------------------------------------------------------------------
// Install a set of callable OID function addresses.
//
// By default the functions are installed at end of the list.
// Set CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG to install at beginning of list.
//
// hModule should be updated with the hModule passed to DllMain to prevent
// the Dll containing the function addresses from being unloaded by
// CryptGetOIDFuncAddress/CryptFreeOIDFunctionAddress. This would be the
// case when the Dll has also regsvr32'ed OID functions via
// CryptRegisterOIDFunction.
//
// DEFAULT functions are installed by setting rgFuncEntry[].pszOID =
// CRYPT_DEFAULT_OID.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptInstallOIDFunctionAddress(
IN HMODULE hModule, // hModule passed to DllMain
IN DWORD dwEncodingType,
IN LPCSTR pszFuncName,
IN DWORD cFuncEntry,
IN const CRYPT_OID_FUNC_ENTRY rgFuncEntry[],
IN DWORD dwFlags
);
//+-------------------------------------------------------------------------
// Initialize and return handle to the OID function set identified by its
// function name.
//
// If the set already exists, a handle to the existing set is returned.
//--------------------------------------------------------------------------
WINCRYPT32API
HCRYPTOIDFUNCSET
WINAPI
CryptInitOIDFunctionSet(
IN LPCSTR pszFuncName,
IN DWORD dwFlags
);
//+-------------------------------------------------------------------------
// Search the list of installed functions for an encoding type and OID match.
// If not found, search the registry.
//
// For success, returns TRUE with *ppvFuncAddr updated with the function's
// address and *phFuncAddr updated with the function address's handle.
// The function's handle is AddRef'ed. CryptFreeOIDFunctionAddress needs to
// be called to release it.
//
// For a registry match, the Dll containing the function is loaded.
//
// By default, both the registered and installed function lists are searched.
// Set CRYPT_GET_INSTALLED_OID_FUNC_FLAG to only search the installed list
// of functions. This flag would be set by a registered function to get
// the address of a pre-installed function it was replacing. For example,
// the registered function might handle a new special case and call the
// pre-installed function to handle the remaining cases.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptGetOIDFunctionAddress(
IN HCRYPTOIDFUNCSET hFuncSet,
IN DWORD dwEncodingType,
IN LPCSTR pszOID,
IN DWORD dwFlags,
OUT void **ppvFuncAddr,
OUT HCRYPTOIDFUNCADDR *phFuncAddr
);
#define CRYPT_GET_INSTALLED_OID_FUNC_FLAG 0x1
//+-------------------------------------------------------------------------
// Get the list of registered default Dll entries for the specified
// function set and encoding type.
//
// The returned list consists of none, one or more null terminated Dll file
// names. The list is terminated with an empty (L"") Dll file name.
// For example: L"first.dll" L"" L"second.dll" L"" L""
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptGetDefaultOIDDllList(
IN HCRYPTOIDFUNCSET hFuncSet,
IN DWORD dwEncodingType,
OUT LPWSTR pwszDllList,
IN OUT DWORD *pcchDllList
);
//+-------------------------------------------------------------------------
// Either: get the first or next installed DEFAULT function OR
// load the Dll containing the DEFAULT function.
//
// If pwszDll is NULL, search the list of installed DEFAULT functions.
// *phFuncAddr must be set to NULL to get the first installed function.
// Successive installed functions are returned by setting *phFuncAddr
// to the hFuncAddr returned by the previous call.
//
// If pwszDll is NULL, the input *phFuncAddr
// is always CryptFreeOIDFunctionAddress'ed by this function, even for
// an error.
//
// If pwszDll isn't NULL, then, attempts to load the Dll and the DEFAULT
// function. *phFuncAddr is ignored upon entry and isn't
// CryptFreeOIDFunctionAddress'ed.
//
// For success, returns TRUE with *ppvFuncAddr updated with the function's
// address and *phFuncAddr updated with the function address's handle.
// The function's handle is AddRef'ed. CryptFreeOIDFunctionAddress needs to
// be called to release it or CryptGetDefaultOIDFunctionAddress can also
// be called for a NULL pwszDll.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptGetDefaultOIDFunctionAddress(
IN HCRYPTOIDFUNCSET hFuncSet,
IN DWORD dwEncodingType,
IN OPTIONAL LPCWSTR pwszDll,
IN DWORD dwFlags,
OUT void **ppvFuncAddr,
IN OUT HCRYPTOIDFUNCADDR *phFuncAddr
);
//+-------------------------------------------------------------------------
// Releases the handle AddRef'ed and returned by CryptGetOIDFunctionAddress
// or CryptGetDefaultOIDFunctionAddress.
//
// If a Dll was loaded for the function its unloaded. However, before doing
// the unload, the DllCanUnloadNow function exported by the loaded Dll is
// called. It should return S_FALSE to inhibit the unload or S_TRUE to enable
// the unload. If the Dll doesn't export DllCanUnloadNow, the Dll is unloaded.
//
// DllCanUnloadNow has the following signature:
// STDAPI DllCanUnloadNow(void);
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptFreeOIDFunctionAddress(
IN HCRYPTOIDFUNCADDR hFuncAddr,
IN DWORD dwFlags
);
//+-------------------------------------------------------------------------
// Register the Dll containing the function to be called for the specified
// encoding type, function name and OID.
//
// pwszDll may contain environment-variable strings
// which are ExpandEnvironmentStrings()'ed before loading the Dll.
//
// In addition to registering the DLL, you may override the
// name of the function to be called. For example,
// pszFuncName = "CryptDllEncodeObject",
// pszOverrideFuncName = "MyEncodeXyz".
// This allows a Dll to export multiple OID functions for the same
// function name without needing to interpose its own OID dispatcher function.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptRegisterOIDFunction(
IN DWORD dwEncodingType,
IN LPCSTR pszFuncName,
IN LPCSTR pszOID,
IN OPTIONAL LPCWSTR pwszDll,
IN OPTIONAL LPCSTR pszOverrideFuncName
);
//+-------------------------------------------------------------------------
// Unregister the Dll containing the function to be called for the specified
// encoding type, function name and OID.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptUnregisterOIDFunction(
IN DWORD dwEncodingType,
IN LPCSTR pszFuncName,
IN LPCSTR pszOID
);
//+-------------------------------------------------------------------------
// Register the Dll containing the default function to be called for the
// specified encoding type and function name.
//
// Unlike CryptRegisterOIDFunction, you can't override the function name
// needing to be exported by the Dll.
//
// The Dll is inserted before the entry specified by dwIndex.
// dwIndex == 0, inserts at the beginning.
// dwIndex == CRYPT_REGISTER_LAST_INDEX, appends at the end.
//
// pwszDll may contain environment-variable strings
// which are ExpandEnvironmentStrings()'ed before loading the Dll.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptRegisterDefaultOIDFunction(
IN DWORD dwEncodingType,
IN LPCSTR pszFuncName,
IN DWORD dwIndex,
IN LPCWSTR pwszDll
);
#define CRYPT_REGISTER_FIRST_INDEX 0
#define CRYPT_REGISTER_LAST_INDEX 0xFFFFFFFF
//+-------------------------------------------------------------------------
// Unregister the Dll containing the default function to be called for
// the specified encoding type and function name.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptUnregisterDefaultOIDFunction(
IN DWORD dwEncodingType,
IN LPCSTR pszFuncName,
IN LPCWSTR pwszDll
);
//+-------------------------------------------------------------------------
// Set the value for the specified encoding type, function name, OID and
// value name.
//
// See RegSetValueEx for the possible value types.
//
// String types are UNICODE.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptSetOIDFunctionValue(
IN DWORD dwEncodingType,
IN LPCSTR pszFuncName,
IN LPCSTR pszOID,
IN LPCWSTR pwszValueName,
IN DWORD dwValueType,
IN const BYTE *pbValueData,
IN DWORD cbValueData
);
//+-------------------------------------------------------------------------
// Get the value for the specified encoding type, function name, OID and
// value name.
//
// See RegEnumValue for the possible value types.
//
// String types are UNICODE.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptGetOIDFunctionValue(
IN DWORD dwEncodingType,
IN LPCSTR pszFuncName,
IN LPCSTR pszOID,
IN LPCWSTR pwszValueName,
OUT DWORD *pdwValueType,
OUT BYTE *pbValueData,
IN OUT DWORD *pcbValueData
);
typedef BOOL (WINAPI *PFN_CRYPT_ENUM_OID_FUNC)(
IN DWORD dwEncodingType,
IN LPCSTR pszFuncName,
IN LPCSTR pszOID,
IN DWORD cValue,
IN const DWORD rgdwValueType[],
IN LPCWSTR const rgpwszValueName[],
IN const BYTE * const rgpbValueData[],
IN const DWORD rgcbValueData[],
IN void *pvArg
);
//+-------------------------------------------------------------------------
// Enumerate the OID functions identified by their encoding type,
// function name and OID.
//
// pfnEnumOIDFunc is called for each registry key matching the input
// parameters. Setting dwEncodingType to CRYPT_MATCH_ANY_ENCODING_TYPE matches
// any. Setting pszFuncName or pszOID to NULL matches any.
//
// Set pszOID == CRYPT_DEFAULT_OID to restrict the enumeration to only the
// DEFAULT functions
//
// String types are UNICODE.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptEnumOIDFunction(
IN DWORD dwEncodingType,
IN OPTIONAL LPCSTR pszFuncName,
IN OPTIONAL LPCSTR pszOID,
IN DWORD dwFlags,
IN void *pvArg,
IN PFN_CRYPT_ENUM_OID_FUNC pfnEnumOIDFunc
);
#define CRYPT_MATCH_ANY_ENCODING_TYPE 0xFFFFFFFF
//+=========================================================================
// Object IDentifier (OID) Information: Data Structures and APIs
//==========================================================================
//+-------------------------------------------------------------------------
// OID Information
//--------------------------------------------------------------------------
typedef struct _CRYPT_OID_INFO {
DWORD cbSize;
LPCSTR pszOID;
LPCWSTR pwszName;
DWORD dwGroupId;
union {
DWORD dwValue;
ALG_ID Algid;
DWORD dwLength;
};
CRYPT_DATA_BLOB ExtraInfo;
} CRYPT_OID_INFO, *PCRYPT_OID_INFO;
typedef const CRYPT_OID_INFO CCRYPT_OID_INFO, *PCCRYPT_OID_INFO;
//+-------------------------------------------------------------------------
// OID Group IDs
//--------------------------------------------------------------------------
#define CRYPT_HASH_ALG_OID_GROUP_ID 1
#define CRYPT_ENCRYPT_ALG_OID_GROUP_ID 2
#define CRYPT_PUBKEY_ALG_OID_GROUP_ID 3
#define CRYPT_SIGN_ALG_OID_GROUP_ID 4
#define CRYPT_RDN_ATTR_OID_GROUP_ID 5
#define CRYPT_EXT_OR_ATTR_OID_GROUP_ID 6
#define CRYPT_ENHKEY_USAGE_OID_GROUP_ID 7
#define CRYPT_POLICY_OID_GROUP_ID 8
#define CRYPT_TEMPLATE_OID_GROUP_ID 9
#define CRYPT_LAST_OID_GROUP_ID 9
#define CRYPT_FIRST_ALG_OID_GROUP_ID CRYPT_HASH_ALG_OID_GROUP_ID
#define CRYPT_LAST_ALG_OID_GROUP_ID CRYPT_SIGN_ALG_OID_GROUP_ID
// The CRYPT_*_ALG_OID_GROUP_ID's have an Algid. The CRYPT_RDN_ATTR_OID_GROUP_ID
// has a dwLength. The CRYPT_EXT_OR_ATTR_OID_GROUP_ID,
// CRYPT_ENHKEY_USAGE_OID_GROUP_ID, CRYPT_POLICY_OID_GROUP_ID or
// CRYPT_TEMPLATE_OID_GROUP_ID don't have a dwValue.
//
// CRYPT_PUBKEY_ALG_OID_GROUP_ID has the following optional ExtraInfo:
// DWORD[0] - Flags. CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG can be set to
// inhibit the reformatting of the signature before
// CryptVerifySignature is called or after CryptSignHash
// is called. CRYPT_OID_USE_PUBKEY_PARA_FOR_PKCS7_FLAG can
// be set to include the public key algorithm's parameters
// in the PKCS7's digestEncryptionAlgorithm's parameters.
// CRYPT_OID_NO_NULL_ALGORITHM_PARA_FLAG can be set to omit
// NULL parameters when encoding.
#define CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG 0x1
#define CRYPT_OID_USE_PUBKEY_PARA_FOR_PKCS7_FLAG 0x2
#define CRYPT_OID_NO_NULL_ALGORITHM_PARA_FLAG 0x4
// CRYPT_SIGN_ALG_OID_GROUP_ID has the following optional ExtraInfo:
// DWORD[0] - Public Key Algid.
// DWORD[1] - Flags. Same as above for CRYPT_PUBKEY_ALG_OID_GROUP_ID.
// DWORD[2] - Optional CryptAcquireContext(CRYPT_VERIFYCONTEXT)'s dwProvType.
// If omitted or 0, uses Public Key Algid to select
// appropriate dwProvType for signature verification.
// CRYPT_RDN_ATTR_OID_GROUP_ID has the following optional ExtraInfo:
// Array of DWORDs:
// [0 ..] - Null terminated list of acceptable RDN attribute
// value types. An empty list implies CERT_RDN_PRINTABLE_STRING,
// CERT_RDN_UNICODE_STRING, 0.
//+-------------------------------------------------------------------------
// Find OID information. Returns NULL if unable to find any information
// for the specified key and group. Note, returns a pointer to a constant
// data structure. The returned pointer MUST NOT be freed.
//
// dwKeyType's:
// CRYPT_OID_INFO_OID_KEY, pvKey points to a szOID
// CRYPT_OID_INFO_NAME_KEY, pvKey points to a wszName
// CRYPT_OID_INFO_ALGID_KEY, pvKey points to an ALG_ID
// CRYPT_OID_INFO_SIGN_KEY, pvKey points to an array of two ALG_ID's:
// ALG_ID[0] - Hash Algid
// ALG_ID[1] - PubKey Algid
//
// Setting dwGroupId to 0, searches all groups according to the dwKeyType.
// Otherwise, only the dwGroupId is searched.
//--------------------------------------------------------------------------
WINCRYPT32API
PCCRYPT_OID_INFO
WINAPI
CryptFindOIDInfo(
IN DWORD dwKeyType,
IN void *pvKey,
IN DWORD dwGroupId
);
#define CRYPT_OID_INFO_OID_KEY 1
#define CRYPT_OID_INFO_NAME_KEY 2
#define CRYPT_OID_INFO_ALGID_KEY 3
#define CRYPT_OID_INFO_SIGN_KEY 4
//+-------------------------------------------------------------------------
// Register OID information. The OID information specified in the
// CCRYPT_OID_INFO structure is persisted to the registry.
//
// crypt32.dll contains information for the commonly known OIDs. This function
// allows applications to augment crypt32.dll's OID information. During
// CryptFindOIDInfo's first call, the registered OID information is installed.
//
// By default the registered OID information is installed after crypt32.dll's
// OID entries. Set CRYPT_INSTALL_OID_INFO_BEFORE_FLAG to install before.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptRegisterOIDInfo(
IN PCCRYPT_OID_INFO pInfo,
IN DWORD dwFlags
);
#define CRYPT_INSTALL_OID_INFO_BEFORE_FLAG 1
//+-------------------------------------------------------------------------
// Unregister OID information. Only the pszOID and dwGroupId fields are
// used to identify the OID information to be unregistered.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptUnregisterOIDInfo(
IN PCCRYPT_OID_INFO pInfo
);
// If the callback returns FALSE, stops the enumeration.
typedef BOOL (WINAPI *PFN_CRYPT_ENUM_OID_INFO)(
IN PCCRYPT_OID_INFO pInfo,
IN void *pvArg
);
//+-------------------------------------------------------------------------
// Enumerate the OID information.
//
// pfnEnumOIDInfo is called for each OID information entry.
//
// Setting dwGroupId to 0 matches all groups. Otherwise, only enumerates
// entries in the specified group.
//
// dwFlags currently isn't used and must be set to 0.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptEnumOIDInfo(
IN DWORD dwGroupId,
IN DWORD dwFlags,
IN void *pvArg,
IN PFN_CRYPT_ENUM_OID_INFO pfnEnumOIDInfo
);
//+-------------------------------------------------------------------------
// Find the localized name for the specified name. For example, find the
// localized name for the "Root" system store name. A case insensitive
// string comparison is done.
//
// Returns NULL if unable to find the the specified name.
//
// Localized names for the predefined system stores ("Root", "My") and
// predefined physical stores (".Default", ".LocalMachine") are pre-installed
// as resource strings in crypt32.dll. CryptSetOIDFunctionValue can be called
// as follows to register additional localized strings:
// dwEncodingType = CRYPT_LOCALIZED_NAME_ENCODING_TYPE
// pszFuncName = CRYPT_OID_FIND_LOCALIZED_NAME_FUNC
// pszOID = CRYPT_LOCALIZED_NAME_OID
// pwszValueName = Name to be localized, for example, L"ApplicationStore"
// dwValueType = REG_SZ
// pbValueData = pointer to the UNICODE localized string
// cbValueData = (wcslen(UNICODE localized string) + 1) * sizeof(WCHAR)
//
// To unregister, set pbValueData to NULL and cbValueData to 0.
//
// The registered names are searched before the pre-installed names.
//--------------------------------------------------------------------------
WINCRYPT32API
LPCWSTR
WINAPI
CryptFindLocalizedName(
IN LPCWSTR pwszCryptName
);
#define CRYPT_LOCALIZED_NAME_ENCODING_TYPE 0
#define CRYPT_LOCALIZED_NAME_OID "LocalizedNames"
//+=========================================================================
// Low Level Cryptographic Message Data Structures and APIs
//==========================================================================
typedef void *HCRYPTMSG;
#define szOID_PKCS_7_DATA "1.2.840.113549.1.7.1"
#define szOID_PKCS_7_SIGNED "1.2.840.113549.1.7.2"
#define szOID_PKCS_7_ENVELOPED "1.2.840.113549.1.7.3"
#define szOID_PKCS_7_SIGNEDANDENVELOPED "1.2.840.113549.1.7.4"
#define szOID_PKCS_7_DIGESTED "1.2.840.113549.1.7.5"
#define szOID_PKCS_7_ENCRYPTED "1.2.840.113549.1.7.6"
#define szOID_PKCS_9_CONTENT_TYPE "1.2.840.113549.1.9.3"
#define szOID_PKCS_9_MESSAGE_DIGEST "1.2.840.113549.1.9.4"
//+-------------------------------------------------------------------------
// Message types
//--------------------------------------------------------------------------
#define CMSG_DATA 1
#define CMSG_SIGNED 2
#define CMSG_ENVELOPED 3
#define CMSG_SIGNED_AND_ENVELOPED 4
#define CMSG_HASHED 5
#define CMSG_ENCRYPTED 6
//+-------------------------------------------------------------------------
// Message Type Bit Flags
//--------------------------------------------------------------------------
#define CMSG_ALL_FLAGS (~0UL)
#define CMSG_DATA_FLAG (1 << CMSG_DATA)
#define CMSG_SIGNED_FLAG (1 << CMSG_SIGNED)
#define CMSG_ENVELOPED_FLAG (1 << CMSG_ENVELOPED)
#define CMSG_SIGNED_AND_ENVELOPED_FLAG (1 << CMSG_SIGNED_AND_ENVELOPED)
#define CMSG_HASHED_FLAG (1 << CMSG_HASHED)
#define CMSG_ENCRYPTED_FLAG (1 << CMSG_ENCRYPTED)
//+-------------------------------------------------------------------------
// Certificate Issuer and SerialNumber
//--------------------------------------------------------------------------
typedef struct _CERT_ISSUER_SERIAL_NUMBER {
CERT_NAME_BLOB Issuer;
CRYPT_INTEGER_BLOB SerialNumber;
} CERT_ISSUER_SERIAL_NUMBER, *PCERT_ISSUER_SERIAL_NUMBER;
//+-------------------------------------------------------------------------
// Certificate Identifier
//--------------------------------------------------------------------------
typedef struct _CERT_ID {
DWORD dwIdChoice;
union {
// CERT_ID_ISSUER_SERIAL_NUMBER
CERT_ISSUER_SERIAL_NUMBER IssuerSerialNumber;
// CERT_ID_KEY_IDENTIFIER
CRYPT_HASH_BLOB KeyId;
// CERT_ID_SHA1_HASH
CRYPT_HASH_BLOB HashId;
};
} CERT_ID, *PCERT_ID;
#define CERT_ID_ISSUER_SERIAL_NUMBER 1
#define CERT_ID_KEY_IDENTIFIER 2
#define CERT_ID_SHA1_HASH 3
//+-------------------------------------------------------------------------
// The message encode information (pvMsgEncodeInfo) is message type dependent
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_DATA: pvMsgEncodeInfo = NULL
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_SIGNED
//
// The pCertInfo in the CMSG_SIGNER_ENCODE_INFO provides the Issuer, SerialNumber
// and PublicKeyInfo.Algorithm. The PublicKeyInfo.Algorithm implicitly
// specifies the HashEncryptionAlgorithm to be used.
//
// If the SignerId is present with a nonzero dwIdChoice its used instead
// of the Issuer and SerialNumber in pCertInfo.
//
// CMS supports the KEY_IDENTIFIER and ISSUER_SERIAL_NUMBER CERT_IDs. PKCS #7
// version 1.5 only supports the ISSUER_SERIAL_NUMBER CERT_ID choice.
//
// If HashEncryptionAlgorithm is present and not NULL its used instead of
// the PublicKeyInfo.Algorithm.
//
// Note, for RSA, the hash encryption algorithm is normally the same as
// the public key algorithm. For DSA, the hash encryption algorithm is
// normally a DSS signature algorithm.
//
// pvHashEncryptionAuxInfo currently isn't used and must be set to NULL if
// present in the data structure.
//
// The hCryptProv and dwKeySpec specify the private key to use. If dwKeySpec
// == 0, then, defaults to AT_SIGNATURE.
//
// If the HashEncryptionAlgorithm is set to szOID_PKIX_NO_SIGNATURE, then,
// the signature value only contains the hash octets. hCryptProv must still
// be specified. However, since a private key isn't used the hCryptProv can be
// acquired using CRYPT_VERIFYCONTEXT.
//
// If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
// passed to CryptMsgOpenToEncode(), the signer hCryptProv's are released.
//
// pvHashAuxInfo currently isn't used and must be set to NULL.
//
// CMS signed messages allow the inclusion of Attribute Certs.
//--------------------------------------------------------------------------
typedef struct _CMSG_SIGNER_ENCODE_INFO {
DWORD cbSize;
PCERT_INFO pCertInfo;
HCRYPTPROV hCryptProv;
DWORD dwKeySpec;
CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
void *pvHashAuxInfo;
DWORD cAuthAttr;
PCRYPT_ATTRIBUTE rgAuthAttr;
DWORD cUnauthAttr;
PCRYPT_ATTRIBUTE rgUnauthAttr;
#ifdef CMSG_SIGNER_ENCODE_INFO_HAS_CMS_FIELDS
CERT_ID SignerId;
CRYPT_ALGORITHM_IDENTIFIER HashEncryptionAlgorithm;
void *pvHashEncryptionAuxInfo;
#endif
} CMSG_SIGNER_ENCODE_INFO, *PCMSG_SIGNER_ENCODE_INFO;
typedef struct _CMSG_SIGNED_ENCODE_INFO {
DWORD cbSize;
DWORD cSigners;
PCMSG_SIGNER_ENCODE_INFO rgSigners;
DWORD cCertEncoded;
PCERT_BLOB rgCertEncoded;
DWORD cCrlEncoded;
PCRL_BLOB rgCrlEncoded;
#ifdef CMSG_SIGNED_ENCODE_INFO_HAS_CMS_FIELDS
DWORD cAttrCertEncoded;
PCERT_BLOB rgAttrCertEncoded;
#endif
} CMSG_SIGNED_ENCODE_INFO, *PCMSG_SIGNED_ENCODE_INFO;
//+-------------------------------------------------------------------------
// CMSG_ENVELOPED
//
// The PCERT_INFO for the rgRecipients provides the Issuer, SerialNumber
// and PublicKeyInfo. The PublicKeyInfo.Algorithm implicitly
// specifies the KeyEncryptionAlgorithm to be used.
//
// The PublicKeyInfo.PublicKey in PCERT_INFO is used to encrypt the content
// encryption key for the recipient.
//
// hCryptProv is used to do the content encryption, recipient key encryption
// and export. The hCryptProv's private keys aren't used. If hCryptProv
// is NULL, a default hCryptProv is chosen according to the
// ContentEncryptionAlgorithm and the first recipient KeyEncryptionAlgorithm.
//
// If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
// passed to CryptMsgOpenToEncode(), the envelope's hCryptProv is released.
//
// Note: CAPI currently doesn't support more than one KeyEncryptionAlgorithm
// per provider. This will need to be fixed.
//
// Currently, pvEncryptionAuxInfo is only defined for RC2 or RC4 encryption
// algorithms. Otherwise, its not used and must be set to NULL.
// See CMSG_RC2_AUX_INFO for the RC2 encryption algorithms.
// See CMSG_RC4_AUX_INFO for the RC4 encryption algorithms.
//
// To enable SP3 compatible encryption, pvEncryptionAuxInfo should point to
// a CMSG_SP3_COMPATIBLE_AUX_INFO data structure.
//
// To enable the CMS envelope enhancements, rgpRecipients must be set to
// NULL, and rgCmsRecipients updated to point to an array of
// CMSG_RECIPIENT_ENCODE_INFO's.
//
// Also, CMS envelope enhancements support the inclusion of a bag of
// Certs, CRLs, Attribute Certs and/or Unprotected Attributes.
//--------------------------------------------------------------------------
typedef struct _CMSG_RECIPIENT_ENCODE_INFO CMSG_RECIPIENT_ENCODE_INFO,
*PCMSG_RECIPIENT_ENCODE_INFO;
typedef struct _CMSG_ENVELOPED_ENCODE_INFO {
DWORD cbSize;
HCRYPTPROV hCryptProv;
CRYPT_ALGORITHM_IDENTIFIER ContentEncryptionAlgorithm;
void *pvEncryptionAuxInfo;
DWORD cRecipients;
// The following array may only be used for transport recipients identified
// by their IssuereAndSerialNumber. If rgpRecipients != NULL, then,
// the rgCmsRecipients must be NULL.
PCERT_INFO *rgpRecipients;
#ifdef CMSG_ENVELOPED_ENCODE_INFO_HAS_CMS_FIELDS
// If rgCmsRecipients != NULL, then, the above rgpRecipients must be
// NULL.
PCMSG_RECIPIENT_ENCODE_INFO rgCmsRecipients;
DWORD cCertEncoded;
PCERT_BLOB rgCertEncoded;
DWORD cCrlEncoded;
PCRL_BLOB rgCrlEncoded;
DWORD cAttrCertEncoded;
PCERT_BLOB rgAttrCertEncoded;
DWORD cUnprotectedAttr;
PCRYPT_ATTRIBUTE rgUnprotectedAttr;
#endif
} CMSG_ENVELOPED_ENCODE_INFO, *PCMSG_ENVELOPED_ENCODE_INFO;
//+-------------------------------------------------------------------------
// Key Transport Recipient Encode Info
//
// hCryptProv is used to do the recipient key encryption
// and export. The hCryptProv's private keys aren't used.
//
// If hCryptProv is NULL, then, the hCryptProv specified in
// CMSG_ENVELOPED_ENCODE_INFO is used.
//
// Note, even if CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
// passed to CryptMsgOpenToEncode(), this hCryptProv isn't released.
//
// CMS supports the KEY_IDENTIFIER and ISSUER_SERIAL_NUMBER CERT_IDs. PKCS #7
// version 1.5 only supports the ISSUER_SERIAL_NUMBER CERT_ID choice.
//--------------------------------------------------------------------------
typedef struct _CMSG_KEY_TRANS_RECIPIENT_ENCODE_INFO {
DWORD cbSize;
CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
void *pvKeyEncryptionAuxInfo;
HCRYPTPROV hCryptProv;
CRYPT_BIT_BLOB RecipientPublicKey;
CERT_ID RecipientId;
} CMSG_KEY_TRANS_RECIPIENT_ENCODE_INFO, *PCMSG_KEY_TRANS_RECIPIENT_ENCODE_INFO;
//+-------------------------------------------------------------------------
// Key Agreement Recipient Encode Info
//
// If hCryptProv is NULL, then, the hCryptProv specified in
// CMSG_ENVELOPED_ENCODE_INFO is used.
//
// For the CMSG_KEY_AGREE_STATIC_KEY_CHOICE, both the hCryptProv and
// dwKeySpec must be specified to select the sender's private key.
//
// Note, even if CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
// passed to CryptMsgOpenToEncode(), this hCryptProv isn't released.
//
// CMS supports the KEY_IDENTIFIER and ISSUER_SERIAL_NUMBER CERT_IDs.
//
// There is 1 key choice, ephemeral originator. The originator's ephemeral
// key is generated using the public key algorithm parameters shared
// amongst all the recipients.
//
// There are 2 key choices: ephemeral originator or static sender. The
// originator's ephemeral key is generated using the public key algorithm
// parameters shared amongst all the recipients. For the static sender its
// private key is used. The hCryptProv and dwKeySpec specify the private key.
// The pSenderId identifies the certificate containing the sender's public key.
//
// Currently, pvKeyEncryptionAuxInfo isn't used and must be set to NULL.
//
// If KeyEncryptionAlgorithm.Parameters.cbData == 0, then, its Parameters
// are updated with the encoded KeyWrapAlgorithm.
//
// Currently, pvKeyWrapAuxInfo is only defined for algorithms with
// RC2. Otherwise, its not used and must be set to NULL.
// When set for RC2 algorithms, points to a CMSG_RC2_AUX_INFO containing
// the RC2 effective key length.
//
// Note, key agreement recipients are not supported in PKCS #7 version 1.5.
//--------------------------------------------------------------------------
typedef struct _CMSG_RECIPIENT_ENCRYPTED_KEY_ENCODE_INFO {
DWORD cbSize;
CRYPT_BIT_BLOB RecipientPublicKey;
CERT_ID RecipientId;
// Following fields are optional and only applicable to KEY_IDENTIFIER
// CERT_IDs.
FILETIME Date;
PCRYPT_ATTRIBUTE_TYPE_VALUE pOtherAttr;
} CMSG_RECIPIENT_ENCRYPTED_KEY_ENCODE_INFO,
*PCMSG_RECIPIENT_ENCRYPTED_KEY_ENCODE_INFO;
typedef struct _CMSG_KEY_AGREE_RECIPIENT_ENCODE_INFO {
DWORD cbSize;
CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
void *pvKeyEncryptionAuxInfo;
CRYPT_ALGORITHM_IDENTIFIER KeyWrapAlgorithm;
void *pvKeyWrapAuxInfo;
// The following hCryptProv and dwKeySpec must be specified for the
// CMSG_KEY_AGREE_STATIC_KEY_CHOICE.
//
// For CMSG_KEY_AGREE_EPHEMERAL_KEY_CHOICE, dwKeySpec isn't applicable
// and hCryptProv is optional.
HCRYPTPROV hCryptProv;
DWORD dwKeySpec;
DWORD dwKeyChoice;
union {
// CMSG_KEY_AGREE_EPHEMERAL_KEY_CHOICE
//
// The ephemeral public key algorithm and parameters.
PCRYPT_ALGORITHM_IDENTIFIER pEphemeralAlgorithm;
// CMSG_KEY_AGREE_STATIC_KEY_CHOICE
//
// The CertId of the sender's certificate
PCERT_ID pSenderId;
};
CRYPT_DATA_BLOB UserKeyingMaterial; // OPTIONAL
DWORD cRecipientEncryptedKeys;
PCMSG_RECIPIENT_ENCRYPTED_KEY_ENCODE_INFO *rgpRecipientEncryptedKeys;
} CMSG_KEY_AGREE_RECIPIENT_ENCODE_INFO, *PCMSG_KEY_AGREE_RECIPIENT_ENCODE_INFO;
#define CMSG_KEY_AGREE_EPHEMERAL_KEY_CHOICE 1
#define CMSG_KEY_AGREE_STATIC_KEY_CHOICE 2
//+-------------------------------------------------------------------------
// Mail List Recipient Encode Info
//
// There is 1 choice for the KeyEncryptionKey: an already created CSP key
// handle. For the key handle choice, hCryptProv must be nonzero. This key
// handle isn't destroyed.
//
// Note, even if CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
// passed to CryptMsgOpenToEncode(), this hCryptProv isn't released.
//
// Currently, pvKeyEncryptionAuxInfo is only defined for RC2 key wrap
// algorithms. Otherwise, its not used and must be set to NULL.
// When set for RC2 algorithms, points to a CMSG_RC2_AUX_INFO containing
// the RC2 effective key length.
//
// Note, mail list recipients are not supported in PKCS #7 version 1.5.
//--------------------------------------------------------------------------
typedef struct _CMSG_MAIL_LIST_RECIPIENT_ENCODE_INFO {
DWORD cbSize;
CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
void *pvKeyEncryptionAuxInfo;
HCRYPTPROV hCryptProv;
DWORD dwKeyChoice;
union {
// CMSG_MAIL_LIST_HANDLE_KEY_CHOICE
HCRYPTKEY hKeyEncryptionKey;
// Reserve space for a potential pointer choice
void *pvKeyEncryptionKey;
};
CRYPT_DATA_BLOB KeyId;
// Following fields are optional.
FILETIME Date;
PCRYPT_ATTRIBUTE_TYPE_VALUE pOtherAttr;
} CMSG_MAIL_LIST_RECIPIENT_ENCODE_INFO, *PCMSG_MAIL_LIST_RECIPIENT_ENCODE_INFO;
#define CMSG_MAIL_LIST_HANDLE_KEY_CHOICE 1
//+-------------------------------------------------------------------------
// Recipient Encode Info
//
// Note, only key transport recipients are supported in PKCS #7 version 1.5.
//--------------------------------------------------------------------------
struct _CMSG_RECIPIENT_ENCODE_INFO {
DWORD dwRecipientChoice;
union {
// CMSG_KEY_TRANS_RECIPIENT
PCMSG_KEY_TRANS_RECIPIENT_ENCODE_INFO pKeyTrans;
// CMSG_KEY_AGREE_RECIPIENT
PCMSG_KEY_AGREE_RECIPIENT_ENCODE_INFO pKeyAgree;
// CMSG_MAIL_LIST_RECIPIENT
PCMSG_MAIL_LIST_RECIPIENT_ENCODE_INFO pMailList;
};
};
#define CMSG_KEY_TRANS_RECIPIENT 1
#define CMSG_KEY_AGREE_RECIPIENT 2
#define CMSG_MAIL_LIST_RECIPIENT 3
//+-------------------------------------------------------------------------
// CMSG_RC2_AUX_INFO
//
// AuxInfo for RC2 encryption algorithms. The pvEncryptionAuxInfo field
// in CMSG_ENCRYPTED_ENCODE_INFO should be updated to point to this
// structure. If not specified, defaults to 40 bit.
//
// Note, this AuxInfo is only used when, the ContentEncryptionAlgorithm's
// Parameter.cbData is zero. Otherwise, the Parameters is decoded to
// get the bit length.
//
// If CMSG_SP3_COMPATIBLE_ENCRYPT_FLAG is set in dwBitLen, then, SP3
// compatible encryption is done and the bit length is ignored.
//--------------------------------------------------------------------------
typedef struct _CMSG_RC2_AUX_INFO {
DWORD cbSize;
DWORD dwBitLen;
} CMSG_RC2_AUX_INFO, *PCMSG_RC2_AUX_INFO;
//+-------------------------------------------------------------------------
// CMSG_SP3_COMPATIBLE_AUX_INFO
//
// AuxInfo for enabling SP3 compatible encryption.
//
// The CMSG_SP3_COMPATIBLE_ENCRYPT_FLAG is set in dwFlags to enable SP3
// compatible encryption. When set, uses zero salt instead of no salt,
// the encryption algorithm parameters are NULL instead of containing the
// encoded RC2 parameters or encoded IV octet string and the encrypted
// symmetric key is encoded little endian instead of big endian.
//--------------------------------------------------------------------------
typedef struct _CMSG_SP3_COMPATIBLE_AUX_INFO {
DWORD cbSize;
DWORD dwFlags;
} CMSG_SP3_COMPATIBLE_AUX_INFO, *PCMSG_SP3_COMPATIBLE_AUX_INFO;
#define CMSG_SP3_COMPATIBLE_ENCRYPT_FLAG 0x80000000
//+-------------------------------------------------------------------------
// CMSG_RC4_AUX_INFO
//
// AuxInfo for RC4 encryption algorithms. The pvEncryptionAuxInfo field
// in CMSG_ENCRYPTED_ENCODE_INFO should be updated to point to this
// structure. If not specified, uses the CSP's default bit length with no
// salt. Note, the base CSP has a 40 bit default and the enhanced CSP has
// a 128 bit default.
//
// If CMSG_RC4_NO_SALT_FLAG is set in dwBitLen, then, no salt is generated.
// Otherwise, (128 - dwBitLen)/8 bytes of salt are generated and encoded
// as an OCTET STRING in the algorithm parameters field.
//--------------------------------------------------------------------------
typedef struct _CMSG_RC4_AUX_INFO {
DWORD cbSize;
DWORD dwBitLen;
} CMSG_RC4_AUX_INFO, *PCMSG_RC4_AUX_INFO;
#define CMSG_RC4_NO_SALT_FLAG 0x40000000
//+-------------------------------------------------------------------------
// CMSG_SIGNED_AND_ENVELOPED
//
// For PKCS #7, a signed and enveloped message doesn't have the
// signer's authenticated or unauthenticated attributes. Otherwise, a
// combination of the CMSG_SIGNED_ENCODE_INFO and CMSG_ENVELOPED_ENCODE_INFO.
//--------------------------------------------------------------------------
typedef struct _CMSG_SIGNED_AND_ENVELOPED_ENCODE_INFO {
DWORD cbSize;
CMSG_SIGNED_ENCODE_INFO SignedInfo;
CMSG_ENVELOPED_ENCODE_INFO EnvelopedInfo;
} CMSG_SIGNED_AND_ENVELOPED_ENCODE_INFO, *PCMSG_SIGNED_AND_ENVELOPED_ENCODE_INFO;
//+-------------------------------------------------------------------------
// CMSG_HASHED
//
// hCryptProv is used to do the hash. Doesn't need to use a private key.
//
// If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
// passed to CryptMsgOpenToEncode(), the hCryptProv is released.
//
// If fDetachedHash is set, then, the encoded message doesn't contain
// any content (its treated as NULL Data)
//
// pvHashAuxInfo currently isn't used and must be set to NULL.
//--------------------------------------------------------------------------
typedef struct _CMSG_HASHED_ENCODE_INFO {
DWORD cbSize;
HCRYPTPROV hCryptProv;
CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
void *pvHashAuxInfo;
} CMSG_HASHED_ENCODE_INFO, *PCMSG_HASHED_ENCODE_INFO;
//+-------------------------------------------------------------------------
// CMSG_ENCRYPTED
//
// The key used to encrypt the message is identified outside of the message
// content (for example, password).
//
// The content input to CryptMsgUpdate has already been encrypted.
//
// pvEncryptionAuxInfo currently isn't used and must be set to NULL.
//--------------------------------------------------------------------------
typedef struct _CMSG_ENCRYPTED_ENCODE_INFO {
DWORD cbSize;
CRYPT_ALGORITHM_IDENTIFIER ContentEncryptionAlgorithm;
void *pvEncryptionAuxInfo;
} CMSG_ENCRYPTED_ENCODE_INFO, *PCMSG_ENCRYPTED_ENCODE_INFO;
//+-------------------------------------------------------------------------
// This parameter allows messages to be of variable length with streamed
// output.
//
// By default, messages are of a definite length and
// CryptMsgGetParam(CMSG_CONTENT_PARAM) is
// called to get the cryptographically processed content. Until closed,
// the handle keeps a copy of the processed content.
//
// With streamed output, the processed content can be freed as its streamed.
//
// If the length of the content to be updated is known at the time of the
// open, then, ContentLength should be set to that length. Otherwise, it
// should be set to CMSG_INDEFINITE_LENGTH.
//--------------------------------------------------------------------------
typedef BOOL (WINAPI *PFN_CMSG_STREAM_OUTPUT)(
IN const void *pvArg,
IN BYTE *pbData,
IN DWORD cbData,
IN BOOL fFinal
);
#define CMSG_INDEFINITE_LENGTH (0xFFFFFFFF)
typedef struct _CMSG_STREAM_INFO {
DWORD cbContent;
PFN_CMSG_STREAM_OUTPUT pfnStreamOutput;
void *pvArg;
} CMSG_STREAM_INFO, *PCMSG_STREAM_INFO;
//+-------------------------------------------------------------------------
// Open dwFlags
//--------------------------------------------------------------------------
#define CMSG_BARE_CONTENT_FLAG 0x00000001
#define CMSG_LENGTH_ONLY_FLAG 0x00000002
#define CMSG_DETACHED_FLAG 0x00000004
#define CMSG_AUTHENTICATED_ATTRIBUTES_FLAG 0x00000008
#define CMSG_CONTENTS_OCTETS_FLAG 0x00000010
#define CMSG_MAX_LENGTH_FLAG 0x00000020
// When set, nonData type inner content is encapsulated within an
// OCTET STRING. Applicable to both Signed and Enveloped messages.
#define CMSG_CMS_ENCAPSULATED_CONTENT_FLAG 0x00000040
// If set, then, the hCryptProv passed to CryptMsgOpenToEncode or
// CryptMsgOpenToDecode is released on the final CryptMsgClose.
// Not released if CryptMsgOpenToEncode or CryptMsgOpenToDecode fails.
//
// Note, the envelope recipient hCryptProv's aren't released.
#define CMSG_CRYPT_RELEASE_CONTEXT_FLAG 0x00008000
//+-------------------------------------------------------------------------
// Open a cryptographic message for encoding
//
// If CMSG_BARE_CONTENT_FLAG is specified for a streamed message,
// the streamed output will not have an outer ContentInfo wrapper. This
// makes it suitable to be streamed into an enclosing message.
//
// The pStreamInfo parameter needs to be set to stream the encoded message
// output.
//--------------------------------------------------------------------------
WINCRYPT32API
HCRYPTMSG
WINAPI
CryptMsgOpenToEncode(
IN DWORD dwMsgEncodingType,
IN DWORD dwFlags,
IN DWORD dwMsgType,
IN void const *pvMsgEncodeInfo,
IN OPTIONAL LPSTR pszInnerContentObjID,
IN OPTIONAL PCMSG_STREAM_INFO pStreamInfo
);
//+-------------------------------------------------------------------------
// Calculate the length of an encoded cryptographic message.
//
// Calculates the length of the encoded message given the
// message type, encoding parameters and total length of
// the data to be updated. Note, this might not be the exact length. However,
// it will always be greater than or equal to the actual length.
//--------------------------------------------------------------------------
WINCRYPT32API
DWORD
WINAPI
CryptMsgCalculateEncodedLength(
IN DWORD dwMsgEncodingType,
IN DWORD dwFlags,
IN DWORD dwMsgType,
IN void const *pvMsgEncodeInfo,
IN OPTIONAL LPSTR pszInnerContentObjID,
IN DWORD cbData
);
//+-------------------------------------------------------------------------
// Open a cryptographic message for decoding
//
// hCryptProv specifies the crypto provider to use for hashing and/or
// decrypting the message. If hCryptProv is NULL, a default crypt provider
// is used.
//
// Currently pRecipientInfo isn't used and should be set to NULL.
//
// The pStreamInfo parameter needs to be set to stream the decoded content
// output.
//--------------------------------------------------------------------------
WINCRYPT32API
HCRYPTMSG
WINAPI
CryptMsgOpenToDecode(
IN DWORD dwMsgEncodingType,
IN DWORD dwFlags,
IN DWORD dwMsgType,
IN HCRYPTPROV hCryptProv,
IN OPTIONAL PCERT_INFO pRecipientInfo,
IN OPTIONAL PCMSG_STREAM_INFO pStreamInfo
);
//+-------------------------------------------------------------------------
// Duplicate a cryptographic message handle
//--------------------------------------------------------------------------
WINCRYPT32API
HCRYPTMSG
WINAPI
CryptMsgDuplicate(
IN HCRYPTMSG hCryptMsg
);
//+-------------------------------------------------------------------------
// Close a cryptographic message handle
//
// LastError is preserved unless FALSE is returned.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptMsgClose(
IN HCRYPTMSG hCryptMsg
);
//+-------------------------------------------------------------------------
// Update the content of a cryptographic message. Depending on how the
// message was opened, the content is either encoded or decoded.
//
// This function is repetitively called to append to the message content.
// fFinal is set to identify the last update. On fFinal, the encode/decode
// is completed. The encoded/decoded content and the decoded parameters
// are valid until the open and all duplicated handles are closed.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptMsgUpdate(
IN HCRYPTMSG hCryptMsg,
IN const BYTE *pbData,
IN DWORD cbData,
IN BOOL fFinal
);
//+-------------------------------------------------------------------------
// Get a parameter after encoding/decoding a cryptographic message. Called
// after the final CryptMsgUpdate. Only the CMSG_CONTENT_PARAM and
// CMSG_COMPUTED_HASH_PARAM are valid for an encoded message.
//
// For an encoded HASHED message, the CMSG_COMPUTED_HASH_PARAM can be got
// before any CryptMsgUpdates to get its length.
//
// The pvData type definition depends on the dwParamType value.
//
// Elements pointed to by fields in the pvData structure follow the
// structure. Therefore, *pcbData may exceed the size of the structure.
//
// Upon input, if *pcbData == 0, then, *pcbData is updated with the length
// of the data and the pvData parameter is ignored.
//
// Upon return, *pcbData is updated with the length of the data.
//
// The OBJID BLOBs returned in the pvData structures point to
// their still encoded representation. The appropriate functions
// must be called to decode the information.
//
// See below for a list of the parameters to get.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptMsgGetParam(
IN HCRYPTMSG hCryptMsg,
IN DWORD dwParamType,
IN DWORD dwIndex,
OUT void *pvData,
IN OUT DWORD *pcbData
);
//+-------------------------------------------------------------------------
// Get parameter types and their corresponding data structure definitions.
//--------------------------------------------------------------------------
#define CMSG_TYPE_PARAM 1
#define CMSG_CONTENT_PARAM 2
#define CMSG_BARE_CONTENT_PARAM 3
#define CMSG_INNER_CONTENT_TYPE_PARAM 4
#define CMSG_SIGNER_COUNT_PARAM 5
#define CMSG_SIGNER_INFO_PARAM 6
#define CMSG_SIGNER_CERT_INFO_PARAM 7
#define CMSG_SIGNER_HASH_ALGORITHM_PARAM 8
#define CMSG_SIGNER_AUTH_ATTR_PARAM 9
#define CMSG_SIGNER_UNAUTH_ATTR_PARAM 10
#define CMSG_CERT_COUNT_PARAM 11
#define CMSG_CERT_PARAM 12
#define CMSG_CRL_COUNT_PARAM 13
#define CMSG_CRL_PARAM 14
#define CMSG_ENVELOPE_ALGORITHM_PARAM 15
#define CMSG_RECIPIENT_COUNT_PARAM 17
#define CMSG_RECIPIENT_INDEX_PARAM 18
#define CMSG_RECIPIENT_INFO_PARAM 19
#define CMSG_HASH_ALGORITHM_PARAM 20
#define CMSG_HASH_DATA_PARAM 21
#define CMSG_COMPUTED_HASH_PARAM 22
#define CMSG_ENCRYPT_PARAM 26
#define CMSG_ENCRYPTED_DIGEST 27
#define CMSG_ENCODED_SIGNER 28
#define CMSG_ENCODED_MESSAGE 29
#define CMSG_VERSION_PARAM 30
#define CMSG_ATTR_CERT_COUNT_PARAM 31
#define CMSG_ATTR_CERT_PARAM 32
#define CMSG_CMS_RECIPIENT_COUNT_PARAM 33
#define CMSG_CMS_RECIPIENT_INDEX_PARAM 34
#define CMSG_CMS_RECIPIENT_ENCRYPTED_KEY_INDEX_PARAM 35
#define CMSG_CMS_RECIPIENT_INFO_PARAM 36
#define CMSG_UNPROTECTED_ATTR_PARAM 37
#define CMSG_SIGNER_CERT_ID_PARAM 38
#define CMSG_CMS_SIGNER_INFO_PARAM 39
//+-------------------------------------------------------------------------
// CMSG_TYPE_PARAM
//
// The type of the decoded message.
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CONTENT_PARAM
//
// The encoded content of a cryptographic message. Depending on how the
// message was opened, the content is either the whole PKCS#7
// message (opened to encode) or the inner content (opened to decode).
// In the decode case, the decrypted content is returned, if enveloped.
// If not enveloped, and if the inner content is of type DATA, the returned
// data is the contents octets of the inner content.
//
// pvData points to the buffer receiving the content bytes
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_BARE_CONTENT_PARAM
//
// The encoded content of an encoded cryptographic message, without the
// outer layer of ContentInfo. That is, only the encoding of the
// ContentInfo.content field is returned.
//
// pvData points to the buffer receiving the content bytes
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_INNER_CONTENT_TYPE_PARAM
//
// The type of the inner content of a decoded cryptographic message,
// in the form of a NULL-terminated object identifier string
// (eg. "1.2.840.113549.1.7.1").
//
// pvData points to the buffer receiving the object identifier string
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_SIGNER_COUNT_PARAM
//
// Count of signers in a SIGNED or SIGNED_AND_ENVELOPED message
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_SIGNER_CERT_INFO_PARAM
//
// To get all the signers, repetitively call CryptMsgGetParam, with
// dwIndex set to 0 .. SignerCount - 1.
//
// pvData points to a CERT_INFO struct.
//
// Only the following fields have been updated in the CERT_INFO struct:
// Issuer and SerialNumber.
//
// Note, if the KEYID choice was selected for a CMS SignerId, then, the
// SerialNumber is 0 and the Issuer is encoded containing a single RDN with a
// single Attribute whose OID is szOID_KEYID_RDN, value type is
// CERT_RDN_OCTET_STRING and value is the KEYID. When the
// CertGetSubjectCertificateFromStore and
// CertFindCertificateInStore(CERT_FIND_SUBJECT_CERT) APIs see this
// special KEYID Issuer and SerialNumber, they do a KEYID match.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_SIGNER_INFO_PARAM
//
// To get all the signers, repetitively call CryptMsgGetParam, with
// dwIndex set to 0 .. SignerCount - 1.
//
// pvData points to a CMSG_SIGNER_INFO struct.
//
// Note, if the KEYID choice was selected for a CMS SignerId, then, the
// SerialNumber is 0 and the Issuer is encoded containing a single RDN with a
// single Attribute whose OID is szOID_KEYID_RDN, value type is
// CERT_RDN_OCTET_STRING and value is the KEYID. When the
// CertGetSubjectCertificateFromStore and
// CertFindCertificateInStore(CERT_FIND_SUBJECT_CERT) APIs see this
// special KEYID Issuer and SerialNumber, they do a KEYID match.
//--------------------------------------------------------------------------
typedef struct _CMSG_SIGNER_INFO {
DWORD dwVersion;
CERT_NAME_BLOB Issuer;
CRYPT_INTEGER_BLOB SerialNumber;
CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
CRYPT_ALGORITHM_IDENTIFIER HashEncryptionAlgorithm;
CRYPT_DATA_BLOB EncryptedHash;
CRYPT_ATTRIBUTES AuthAttrs;
CRYPT_ATTRIBUTES UnauthAttrs;
} CMSG_SIGNER_INFO, *PCMSG_SIGNER_INFO;
//+-------------------------------------------------------------------------
// CMSG_SIGNER_CERT_ID_PARAM
//
// To get all the signers, repetitively call CryptMsgGetParam, with
// dwIndex set to 0 .. SignerCount - 1.
//
// pvData points to a CERT_ID struct.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CMS_SIGNER_INFO_PARAM
//
// Same as CMSG_SIGNER_INFO_PARAM, except, contains SignerId instead of
// Issuer and SerialNumber.
//
// To get all the signers, repetitively call CryptMsgGetParam, with
// dwIndex set to 0 .. SignerCount - 1.
//
// pvData points to a CMSG_CMS_SIGNER_INFO struct.
//--------------------------------------------------------------------------
typedef struct _CMSG_CMS_SIGNER_INFO {
DWORD dwVersion;
CERT_ID SignerId;
CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
CRYPT_ALGORITHM_IDENTIFIER HashEncryptionAlgorithm;
CRYPT_DATA_BLOB EncryptedHash;
CRYPT_ATTRIBUTES AuthAttrs;
CRYPT_ATTRIBUTES UnauthAttrs;
} CMSG_CMS_SIGNER_INFO, *PCMSG_CMS_SIGNER_INFO;
//+-------------------------------------------------------------------------
// CMSG_SIGNER_HASH_ALGORITHM_PARAM
//
// This parameter specifies the HashAlgorithm that was used for the signer.
//
// Set dwIndex to iterate through all the signers.
//
// pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_SIGNER_AUTH_ATTR_PARAM
//
// The authenticated attributes for the signer.
//
// Set dwIndex to iterate through all the signers.
//
// pvData points to a CMSG_ATTR struct.
//--------------------------------------------------------------------------
typedef CRYPT_ATTRIBUTES CMSG_ATTR;
typedef CRYPT_ATTRIBUTES *PCMSG_ATTR;
//+-------------------------------------------------------------------------
// CMSG_SIGNER_UNAUTH_ATTR_PARAM
//
// The unauthenticated attributes for the signer.
//
// Set dwIndex to iterate through all the signers.
//
// pvData points to a CMSG_ATTR struct.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CERT_COUNT_PARAM
//
// Count of certificates in a SIGNED or SIGNED_AND_ENVELOPED message.
//
// CMS, also supports certificates in an ENVELOPED message.
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CERT_PARAM
//
// To get all the certificates, repetitively call CryptMsgGetParam, with
// dwIndex set to 0 .. CertCount - 1.
//
// pvData points to an array of the certificate's encoded bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CRL_COUNT_PARAM
//
// Count of CRLs in a SIGNED or SIGNED_AND_ENVELOPED message.
//
// CMS, also supports CRLs in an ENVELOPED message.
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CRL_PARAM
//
// To get all the CRLs, repetitively call CryptMsgGetParam, with
// dwIndex set to 0 .. CrlCount - 1.
//
// pvData points to an array of the CRL's encoded bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_ENVELOPE_ALGORITHM_PARAM
//
// The ContentEncryptionAlgorithm that was used in
// an ENVELOPED or SIGNED_AND_ENVELOPED message.
//
// For streaming you must be able to successfully get this parameter before
// doing a CryptMsgControl decrypt.
//
// pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_RECIPIENT_COUNT_PARAM
//
// Count of recipients in an ENVELOPED or SIGNED_AND_ENVELOPED message.
//
// Count of key transport recepients.
//
// The CMSG_CMS_RECIPIENT_COUNT_PARAM has the total count of
// recipients (it also includes key agree and mail list recipients).
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_RECIPIENT_INDEX_PARAM
//
// Index of the recipient used to decrypt an ENVELOPED or SIGNED_AND_ENVELOPED
// message.
//
// Index of a key transport recipient. If a non key transport
// recipient was used to decrypt, fails with LastError set to
// CRYPT_E_INVALID_INDEX.
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_RECIPIENT_INFO_PARAM
//
// To get all the recipients, repetitively call CryptMsgGetParam, with
// dwIndex set to 0 .. RecipientCount - 1.
//
// Only returns the key transport recepients.
//
// The CMSG_CMS_RECIPIENT_INFO_PARAM returns all recipients.
//
// pvData points to a CERT_INFO struct.
//
// Only the following fields have been updated in the CERT_INFO struct:
// Issuer, SerialNumber and PublicKeyAlgorithm. The PublicKeyAlgorithm
// specifies the KeyEncryptionAlgorithm that was used.
//
// Note, if the KEYID choice was selected for a key transport recipient, then,
// the SerialNumber is 0 and the Issuer is encoded containing a single RDN
// with a single Attribute whose OID is szOID_KEYID_RDN, value type is
// CERT_RDN_OCTET_STRING and value is the KEYID. When the
// CertGetSubjectCertificateFromStore and
// CertFindCertificateInStore(CERT_FIND_SUBJECT_CERT) APIs see this
// special KEYID Issuer and SerialNumber, they do a KEYID match.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_HASH_ALGORITHM_PARAM
//
// The HashAlgorithm in a HASHED message.
//
// pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_HASH_DATA_PARAM
//
// The hash in a HASHED message.
//
// pvData points to an array of bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_COMPUTED_HASH_PARAM
//
// The computed hash for a HASHED message.
// This may be called for either an encoded or decoded message.
//
// Also, the computed hash for one of the signer's in a SIGNED message.
// It may be called for either an encoded or decoded message after the
// final update. Set dwIndex to iterate through all the signers.
//
// pvData points to an array of bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_ENCRYPT_PARAM
//
// The ContentEncryptionAlgorithm that was used in an ENCRYPTED message.
//
// pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_ENCODED_MESSAGE
//
// The full encoded message. This is useful in the case of a decoded
// message which has been modified (eg. a signed-data or
// signed-and-enveloped-data message which has been countersigned).
//
// pvData points to an array of the message's encoded bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_VERSION_PARAM
//
// The version of the decoded message.
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
#define CMSG_SIGNED_DATA_V1 1
#define CMSG_SIGNED_DATA_V3 3
#define CMSG_SIGNED_DATA_PKCS_1_5_VERSION CMSG_SIGNED_DATA_V1
#define CMSG_SIGNED_DATA_CMS_VERSION CMSG_SIGNED_DATA_V3
#define CMSG_SIGNER_INFO_V1 1
#define CMSG_SIGNER_INFO_V3 3
#define CMSG_SIGNER_INFO_PKCS_1_5_VERSION CMSG_SIGNER_INFO_V1
#define CMSG_SIGNER_INFO_CMS_VERSION CMSG_SIGNER_INFO_V3
#define CMSG_HASHED_DATA_V0 0
#define CMSG_HASHED_DATA_V2 2
#define CMSG_HASHED_DATA_PKCS_1_5_VERSION CMSG_HASHED_DATA_V0
#define CMSG_HASHED_DATA_CMS_VERSION CMSG_HASHED_DATA_V2
#define CMSG_ENVELOPED_DATA_V0 0
#define CMSG_ENVELOPED_DATA_V2 2
#define CMSG_ENVELOPED_DATA_PKCS_1_5_VERSION CMSG_ENVELOPED_DATA_V0
#define CMSG_ENVELOPED_DATA_CMS_VERSION CMSG_ENVELOPED_DATA_V2
//+-------------------------------------------------------------------------
// CMSG_ATTR_CERT_COUNT_PARAM
//
// Count of attribute certificates in a SIGNED or ENVELOPED message.
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_ATTR_CERT_PARAM
//
// To get all the attribute certificates, repetitively call CryptMsgGetParam,
// with dwIndex set to 0 .. AttrCertCount - 1.
//
// pvData points to an array of the attribute certificate's encoded bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CMS_RECIPIENT_COUNT_PARAM
//
// Count of all CMS recipients in an ENVELOPED message.
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CMS_RECIPIENT_INDEX_PARAM
//
// Index of the CMS recipient used to decrypt an ENVELOPED message.
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CMS_RECIPIENT_ENCRYPTED_KEY_INDEX_PARAM
//
// For a CMS key agreement recipient, the index of the encrypted key
// used to decrypt an ENVELOPED message.
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CMS_RECIPIENT_INFO_PARAM
//
// To get all the CMS recipients, repetitively call CryptMsgGetParam, with
// dwIndex set to 0 .. CmsRecipientCount - 1.
//
// pvData points to a CMSG_CMS_RECIPIENT_INFO struct.
//--------------------------------------------------------------------------
typedef struct _CMSG_KEY_TRANS_RECIPIENT_INFO {
DWORD dwVersion;
// Currently, only ISSUER_SERIAL_NUMBER or KEYID choices
CERT_ID RecipientId;
CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
CRYPT_DATA_BLOB EncryptedKey;
} CMSG_KEY_TRANS_RECIPIENT_INFO, *PCMSG_KEY_TRANS_RECIPIENT_INFO;
typedef struct _CMSG_RECIPIENT_ENCRYPTED_KEY_INFO {
// Currently, only ISSUER_SERIAL_NUMBER or KEYID choices
CERT_ID RecipientId;
CRYPT_DATA_BLOB EncryptedKey;
// The following optional fields are only applicable to KEYID choice
FILETIME Date;
PCRYPT_ATTRIBUTE_TYPE_VALUE pOtherAttr;
} CMSG_RECIPIENT_ENCRYPTED_KEY_INFO, *PCMSG_RECIPIENT_ENCRYPTED_KEY_INFO;
typedef struct _CMSG_KEY_AGREE_RECIPIENT_INFO {
DWORD dwVersion;
DWORD dwOriginatorChoice;
union {
// CMSG_KEY_AGREE_ORIGINATOR_CERT
CERT_ID OriginatorCertId;
// CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY
CERT_PUBLIC_KEY_INFO OriginatorPublicKeyInfo;
};
CRYPT_DATA_BLOB UserKeyingMaterial;
CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
DWORD cRecipientEncryptedKeys;
PCMSG_RECIPIENT_ENCRYPTED_KEY_INFO *rgpRecipientEncryptedKeys;
} CMSG_KEY_AGREE_RECIPIENT_INFO, *PCMSG_KEY_AGREE_RECIPIENT_INFO;
#define CMSG_KEY_AGREE_ORIGINATOR_CERT 1
#define CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY 2
typedef struct _CMSG_MAIL_LIST_RECIPIENT_INFO {
DWORD dwVersion;
CRYPT_DATA_BLOB KeyId;
CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
CRYPT_DATA_BLOB EncryptedKey;
// The following fields are optional
FILETIME Date;
PCRYPT_ATTRIBUTE_TYPE_VALUE pOtherAttr;
} CMSG_MAIL_LIST_RECIPIENT_INFO, *PCMSG_MAIL_LIST_RECIPIENT_INFO;
typedef struct _CMSG_CMS_RECIPIENT_INFO {
DWORD dwRecipientChoice;
union {
// CMSG_KEY_TRANS_RECIPIENT
PCMSG_KEY_TRANS_RECIPIENT_INFO pKeyTrans;
// CMSG_KEY_AGREE_RECIPIENT
PCMSG_KEY_AGREE_RECIPIENT_INFO pKeyAgree;
// CMSG_MAIL_LIST_RECIPIENT
PCMSG_MAIL_LIST_RECIPIENT_INFO pMailList;
};
} CMSG_CMS_RECIPIENT_INFO, *PCMSG_CMS_RECIPIENT_INFO;
// dwVersion numbers for the KeyTrans, KeyAgree and MailList recipients
#define CMSG_ENVELOPED_RECIPIENT_V0 0
#define CMSG_ENVELOPED_RECIPIENT_V2 2
#define CMSG_ENVELOPED_RECIPIENT_V3 3
#define CMSG_ENVELOPED_RECIPIENT_V4 4
#define CMSG_KEY_TRANS_PKCS_1_5_VERSION CMSG_ENVELOPED_RECIPIENT_V0
#define CMSG_KEY_TRANS_CMS_VERSION CMSG_ENVELOPED_RECIPIENT_V2
#define CMSG_KEY_AGREE_VERSION CMSG_ENVELOPED_RECIPIENT_V3
#define CMSG_MAIL_LIST_VERSION CMSG_ENVELOPED_RECIPIENT_V4
//+-------------------------------------------------------------------------
// CMSG_UNPROTECTED_ATTR_PARAM
//
// The unprotected attributes in the envelped message.
//
// pvData points to a CMSG_ATTR struct.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Perform a special "control" function after the final CryptMsgUpdate of a
// encoded/decoded cryptographic message.
//
// The dwCtrlType parameter specifies the type of operation to be performed.
//
// The pvCtrlPara definition depends on the dwCtrlType value.
//
// See below for a list of the control operations and their pvCtrlPara
// type definition.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptMsgControl(
IN HCRYPTMSG hCryptMsg,
IN DWORD dwFlags,
IN DWORD dwCtrlType,
IN void const *pvCtrlPara
);
//+-------------------------------------------------------------------------
// Message control types
//--------------------------------------------------------------------------
#define CMSG_CTRL_VERIFY_SIGNATURE 1
#define CMSG_CTRL_DECRYPT 2
#define CMSG_CTRL_VERIFY_HASH 5
#define CMSG_CTRL_ADD_SIGNER 6
#define CMSG_CTRL_DEL_SIGNER 7
#define CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR 8
#define CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR 9
#define CMSG_CTRL_ADD_CERT 10
#define CMSG_CTRL_DEL_CERT 11
#define CMSG_CTRL_ADD_CRL 12
#define CMSG_CTRL_DEL_CRL 13
#define CMSG_CTRL_ADD_ATTR_CERT 14
#define CMSG_CTRL_DEL_ATTR_CERT 15
#define CMSG_CTRL_KEY_TRANS_DECRYPT 16
#define CMSG_CTRL_KEY_AGREE_DECRYPT 17
#define CMSG_CTRL_MAIL_LIST_DECRYPT 18
#define CMSG_CTRL_VERIFY_SIGNATURE_EX 19
#define CMSG_CTRL_ADD_CMS_SIGNER_INFO 20
//+-------------------------------------------------------------------------
// CMSG_CTRL_VERIFY_SIGNATURE
//
// Verify the signature of a SIGNED or SIGNED_AND_ENVELOPED
// message after it has been decoded.
//
// For a SIGNED_AND_ENVELOPED message, called after
// CryptMsgControl(CMSG_CTRL_DECRYPT), if CryptMsgOpenToDecode was called
// with a NULL pRecipientInfo.
//
// pvCtrlPara points to a CERT_INFO struct.
//
// The CERT_INFO contains the Issuer and SerialNumber identifying
// the Signer of the message. The CERT_INFO also contains the
// PublicKeyInfo
// used to verify the signature. The cryptographic provider specified
// in CryptMsgOpenToDecode is used.
//
// Note, if the message contains CMS signers identified by KEYID, then,
// the CERT_INFO's Issuer and SerialNumber is ignored and only the public
// key is used to find a signer whose signature verifies.
//
// The following CMSG_CTRL_VERIFY_SIGNATURE_EX should be used instead.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_VERIFY_SIGNATURE_EX
//
// Verify the signature of a SIGNED message after it has been decoded.
//
// pvCtrlPara points to the following CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA.
//
// If hCryptProv is NULL, uses the cryptographic provider specified in
// CryptMsgOpenToDecode. If CryptMsgOpenToDecode's hCryptProv is also NULL,
// gets default provider according to the signer's public key OID.
//
// dwSignerIndex is the index of the signer to use to verify the signature.
//
// The signer can be a pointer to a CERT_PUBLIC_KEY_INFO, certificate
// context or a chain context.
//
// If the signer's HashEncryptionAlgorithm is szOID_PKIX_NO_SIGNATURE, then,
// the signature is expected to contain the hash octets. Only dwSignerType
// of CMSG_VERIFY_SIGNER_NULL may be specified to verify this no signature
// case.
//--------------------------------------------------------------------------
typedef struct _CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA {
DWORD cbSize;
HCRYPTPROV hCryptProv;
DWORD dwSignerIndex;
DWORD dwSignerType;
void *pvSigner;
} CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA, *PCMSG_CTRL_VERIFY_SIGNATURE_EX_PARA;
// Signer Types
#define CMSG_VERIFY_SIGNER_PUBKEY 1
// pvSigner :: PCERT_PUBLIC_KEY_INFO
#define CMSG_VERIFY_SIGNER_CERT 2
// pvSigner :: PCCERT_CONTEXT
#define CMSG_VERIFY_SIGNER_CHAIN 3
// pvSigner :: PCCERT_CHAIN_CONTEXT
#define CMSG_VERIFY_SIGNER_NULL 4
// pvSigner :: NULL
//+-------------------------------------------------------------------------
// CMSG_CTRL_DECRYPT
//
// Decrypt an ENVELOPED or SIGNED_AND_ENVELOPED message after it has been
// decoded.
//
// This decrypt is only applicable to key transport recipients.
//
// hCryptProv and dwKeySpec specify the private key to use. For dwKeySpec ==
// 0, defaults to AT_KEYEXCHANGE.
//
// If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
// to CryptMsgControl, then, the hCryptProv is released on the final
// CryptMsgClose. Not released if CryptMsgControl fails.
//
// dwRecipientIndex is the index of the recipient in the message associated
// with the hCryptProv's private key.
//
// The dwRecipientIndex is the index of a key transport recipient.
//
// Note, the message can only be decrypted once.
//--------------------------------------------------------------------------
typedef struct _CMSG_CTRL_DECRYPT_PARA {
DWORD cbSize;
HCRYPTPROV hCryptProv;
DWORD dwKeySpec;
DWORD dwRecipientIndex;
} CMSG_CTRL_DECRYPT_PARA, *PCMSG_CTRL_DECRYPT_PARA;
//+-------------------------------------------------------------------------
// CMSG_CTRL_KEY_TRANS_DECRYPT
//
// Decrypt an ENVELOPED message after it has been decoded for a key
// transport recipient.
//
// hCryptProv and dwKeySpec specify the private key to use. For dwKeySpec ==
// 0, defaults to AT_KEYEXCHANGE.
//
// If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
// to CryptMsgControl, then, the hCryptProv is released on the final
// CryptMsgClose. Not released if CryptMsgControl fails.
//
// pKeyTrans points to the CMSG_KEY_TRANS_RECIPIENT_INFO obtained via
// CryptMsgGetParam(CMSG_CMS_RECIPIENT_INFO_PARAM)
//
// dwRecipientIndex is the index of the recipient in the message associated
// with the hCryptProv's private key.
//
// Note, the message can only be decrypted once.
//--------------------------------------------------------------------------
typedef struct _CMSG_CTRL_KEY_TRANS_DECRYPT_PARA {
DWORD cbSize;
HCRYPTPROV hCryptProv;
DWORD dwKeySpec;
PCMSG_KEY_TRANS_RECIPIENT_INFO pKeyTrans;
DWORD dwRecipientIndex;
} CMSG_CTRL_KEY_TRANS_DECRYPT_PARA, *PCMSG_CTRL_KEY_TRANS_DECRYPT_PARA;
//+-------------------------------------------------------------------------
// CMSG_CTRL_KEY_AGREE_DECRYPT
//
// Decrypt an ENVELOPED message after it has been decoded for a key
// agreement recipient.
//
// hCryptProv and dwKeySpec specify the private key to use. For dwKeySpec ==
// 0, defaults to AT_KEYEXCHANGE.
//
// If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
// to CryptMsgControl, then, the hCryptProv is released on the final
// CryptMsgClose. Not released if CryptMsgControl fails.
//
// pKeyAgree points to the CMSG_KEY_AGREE_RECIPIENT_INFO obtained via
// CryptMsgGetParam(CMSG_CMS_RECIPIENT_INFO_PARAM) for dwRecipientIndex.
//
// dwRecipientIndex, dwRecipientEncryptedKeyIndex are the indices of the
// recipient's encrypted key in the message associated with the hCryptProv's
// private key.
//
// OriginatorPublicKey is the originator's public key obtained from either
// the originator's certificate or the CMSG_KEY_AGREE_RECIPIENT_INFO obtained
// via the CMSG_CMS_RECIPIENT_INFO_PARAM.
//
// Note, the message can only be decrypted once.
//--------------------------------------------------------------------------
typedef struct _CMSG_CTRL_KEY_AGREE_DECRYPT_PARA {
DWORD cbSize;
HCRYPTPROV hCryptProv;
DWORD dwKeySpec;
PCMSG_KEY_AGREE_RECIPIENT_INFO pKeyAgree;
DWORD dwRecipientIndex;
DWORD dwRecipientEncryptedKeyIndex;
CRYPT_BIT_BLOB OriginatorPublicKey;
} CMSG_CTRL_KEY_AGREE_DECRYPT_PARA, *PCMSG_CTRL_KEY_AGREE_DECRYPT_PARA;
//+-------------------------------------------------------------------------
// CMSG_CTRL_MAIL_LIST_DECRYPT
//
// Decrypt an ENVELOPED message after it has been decoded for a mail
// list recipient.
//
// pMailList points to the CMSG_MAIL_LIST_RECIPIENT_INFO obtained via
// CryptMsgGetParam(CMSG_CMS_RECIPIENT_INFO_PARAM) for dwRecipientIndex.
//
// There is 1 choice for the KeyEncryptionKey: an already created CSP key
// handle. For the key handle choice, hCryptProv must be nonzero. This key
// handle isn't destroyed.
//
// If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
// to CryptMsgControl, then, the hCryptProv is released on the final
// CryptMsgClose. Not released if CryptMsgControl fails.
//
// For RC2 wrap, the effective key length is obtained from the
// KeyEncryptionAlgorithm parameters and set on the hKeyEncryptionKey before
// decrypting.
//
// Note, the message can only be decrypted once.
//--------------------------------------------------------------------------
typedef struct _CMSG_CTRL_MAIL_LIST_DECRYPT_PARA {
DWORD cbSize;
HCRYPTPROV hCryptProv;
PCMSG_MAIL_LIST_RECIPIENT_INFO pMailList;
DWORD dwRecipientIndex;
DWORD dwKeyChoice;
union {
// CMSG_MAIL_LIST_HANDLE_KEY_CHOICE
HCRYPTKEY hKeyEncryptionKey;
// Reserve space for a potential pointer choice
void *pvKeyEncryptionKey;
};
} CMSG_CTRL_MAIL_LIST_DECRYPT_PARA, *PCMSG_CTRL_MAIL_LIST_DECRYPT_PARA;
//+-------------------------------------------------------------------------
// CMSG_CTRL_VERIFY_HASH
//
// Verify the hash of a HASHED message after it has been decoded.
//
// Only the hCryptMsg parameter is used, to specify the message whose
// hash is being verified.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_ADD_SIGNER
//
// Add a signer to a signed-data message.
//
// pvCtrlPara points to a CMSG_SIGNER_ENCODE_INFO.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_ADD_CMS_SIGNER_INFO
//
// Add a signer to a signed-data message.
//
// Differs from the above, CMSG_CTRL_ADD_SIGNER, wherein, the signer info
// already contains the signature.
//
// pvCtrlPara points to a CMSG_CMS_SIGNER_INFO.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_DEL_SIGNER
//
// Remove a signer from a signed-data or signed-and-enveloped-data message.
//
// pvCtrlPara points to a DWORD containing the 0-based index of the
// signer to be removed.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR
//
// Add an unauthenticated attribute to the SignerInfo of a signed-data or
// signed-and-enveloped-data message.
//
// The unauthenticated attribute is input in the form of an encoded blob.
//--------------------------------------------------------------------------
typedef struct _CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR_PARA {
DWORD cbSize;
DWORD dwSignerIndex;
CRYPT_DATA_BLOB blob;
} CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR_PARA, *PCMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR_PARA;
//+-------------------------------------------------------------------------
// CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR
//
// Delete an unauthenticated attribute from the SignerInfo of a signed-data
// or signed-and-enveloped-data message.
//
// The unauthenticated attribute to be removed is specified by
// a 0-based index.
//--------------------------------------------------------------------------
typedef struct _CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR_PARA {
DWORD cbSize;
DWORD dwSignerIndex;
DWORD dwUnauthAttrIndex;
} CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR_PARA, *PCMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR_PARA;
//+-------------------------------------------------------------------------
// CMSG_CTRL_ADD_CERT
//
// Add a certificate to a signed-data or signed-and-enveloped-data message.
//
// pvCtrlPara points to a CRYPT_DATA_BLOB containing the certificate's
// encoded bytes.
//--------------------------------------------------------------------------