模拟服务器

开发平台：

C/C++

WinCrypt.h：源码内容

//+-------------------------------------------------------------------------
// CMSG_CTRL_DEL_CERT
//
// Delete a certificate from a signed-data or signed-and-enveloped-data
// message.
//
// pvCtrlPara points to a DWORD containing the 0-based index of the
// certificate to be removed.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_ADD_CRL
//
// Add a CRL to a signed-data or signed-and-enveloped-data message.
//
// pvCtrlPara points to a CRYPT_DATA_BLOB containing the CRL's
// encoded bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_DEL_CRL
//
// Delete a CRL from a signed-data or signed-and-enveloped-data message.
//
// pvCtrlPara points to a DWORD containing the 0-based index of the CRL
// to be removed.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_ADD_ATTR_CERT
//
// Add an attribute certificate to a signed-data message.
//
// pvCtrlPara points to a CRYPT_DATA_BLOB containing the attribute
// certificate's encoded bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_DEL_ATTR_CERT
//
// Delete an attribute certificate from a signed-data message.
//
// pvCtrlPara points to a DWORD containing the 0-based index of the
// attribute certificate to be removed.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Verify a countersignature, at the SignerInfo level.
// ie. verify that pbSignerInfoCountersignature contains the encrypted
// hash of the encryptedDigest field of pbSignerInfo.
//
// hCryptProv is used to hash the encryptedDigest field of pbSignerInfo.
// The only fields referenced from pciCountersigner are SerialNumber, Issuer,
// and SubjectPublicKeyInfo.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptMsgVerifyCountersignatureEncoded(
IN HCRYPTPROV hCryptProv,
IN DWORD dwEncodingType,
IN PBYTE pbSignerInfo,
IN DWORD cbSignerInfo,
IN PBYTE pbSignerInfoCountersignature,
IN DWORD cbSignerInfoCountersignature,
IN PCERT_INFO pciCountersigner
);
//+-------------------------------------------------------------------------
// Verify a countersignature, at the SignerInfo level.
// ie. verify that pbSignerInfoCountersignature contains the encrypted
// hash of the encryptedDigest field of pbSignerInfo.
//
// hCryptProv is used to hash the encryptedDigest field of pbSignerInfo.
//
// The signer can be a CERT_PUBLIC_KEY_INFO, certificate context or a
// chain context.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptMsgVerifyCountersignatureEncodedEx(
IN HCRYPTPROV hCryptProv,
IN DWORD dwEncodingType,
IN PBYTE pbSignerInfo,
IN DWORD cbSignerInfo,
IN PBYTE pbSignerInfoCountersignature,
IN DWORD cbSignerInfoCountersignature,
IN DWORD dwSignerType,
IN void *pvSigner,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved
);
// See CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA for dwSignerType definitions
//+-------------------------------------------------------------------------
// Countersign an already-existing signature in a message
//
// dwIndex is a zero-based index of the SignerInfo to be countersigned.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptMsgCountersign(
IN OUT HCRYPTMSG hCryptMsg,
IN DWORD dwIndex,
IN DWORD cCountersigners,
IN PCMSG_SIGNER_ENCODE_INFO rgCountersigners
);
//+-------------------------------------------------------------------------
// Countersign an already-existing signature (encoded SignerInfo).
// Output an encoded SignerInfo blob, suitable for use as a countersignature
// attribute in the unauthenticated attributes of a signed-data or
// signed-and-enveloped-data message.
//--------------------------------------------------------------------------
BOOL
WINAPI
CryptMsgCountersignEncoded(
IN DWORD dwEncodingType,
IN PBYTE pbSignerInfo,
IN DWORD cbSignerInfo,
IN DWORD cCountersigners,
IN PCMSG_SIGNER_ENCODE_INFO rgCountersigners,
OUT PBYTE pbCountersignature,
IN OUT PDWORD pcbCountersignature
);
//+-------------------------------------------------------------------------
// CryptMsg OID installable functions
//--------------------------------------------------------------------------
typedef void * (WINAPI *PFN_CMSG_ALLOC) (
IN size_t cb
);
typedef void (WINAPI *PFN_CMSG_FREE)(
IN void *pv
);
// Note, the following 3 installable functions are obsolete and have been
// replaced with GenContentEncryptKey, ExportKeyTrans, ExportKeyAgree,
// ExportMailList, ImportKeyTrans, ImportKeyAgree and ImportMailList
// installable functions.
// If *phCryptProv is NULL upon entry, then, if supported, the installable
// function should acquire a default provider and return. Note, its up
// to the installable function to release at process detach.
//
// If paiEncrypt->Parameters.cbData is 0, then, the callback may optionally
// return default encoded parameters in *ppbEncryptParameters and
// *pcbEncryptParameters. pfnAlloc must be called for the allocation.
#define CMSG_OID_GEN_ENCRYPT_KEY_FUNC "CryptMsgDllGenEncryptKey"
typedef BOOL (WINAPI *PFN_CMSG_GEN_ENCRYPT_KEY) (
IN OUT HCRYPTPROV *phCryptProv,
IN PCRYPT_ALGORITHM_IDENTIFIER paiEncrypt,
IN PVOID pvEncryptAuxInfo,
IN PCERT_PUBLIC_KEY_INFO pPublicKeyInfo,
IN PFN_CMSG_ALLOC pfnAlloc,
OUT HCRYPTKEY *phEncryptKey,
OUT PBYTE *ppbEncryptParameters,
OUT PDWORD pcbEncryptParameters
);
#define CMSG_OID_EXPORT_ENCRYPT_KEY_FUNC "CryptMsgDllExportEncryptKey"
typedef BOOL (WINAPI *PFN_CMSG_EXPORT_ENCRYPT_KEY) (
IN HCRYPTPROV hCryptProv,
IN HCRYPTKEY hEncryptKey,
IN PCERT_PUBLIC_KEY_INFO pPublicKeyInfo,
OUT PBYTE pbData,
IN OUT PDWORD pcbData
);
#define CMSG_OID_IMPORT_ENCRYPT_KEY_FUNC "CryptMsgDllImportEncryptKey"
typedef BOOL (WINAPI *PFN_CMSG_IMPORT_ENCRYPT_KEY) (
IN HCRYPTPROV hCryptProv,
IN DWORD dwKeySpec,
IN PCRYPT_ALGORITHM_IDENTIFIER paiEncrypt,
IN PCRYPT_ALGORITHM_IDENTIFIER paiPubKey,
IN PBYTE pbEncodedKey,
IN DWORD cbEncodedKey,
OUT HCRYPTKEY *phEncryptKey
);
// To get the default installable function for GenContentEncryptKey,
// ExportKeyTrans, ExportKeyAgree, ExportMailList, ImportKeyTrans,
// ImportKeyAgree or ImportMailList call CryptGetOIDFunctionAddress()
// with the pszOID argument set to the following constant. dwEncodingType
// should be set to CRYPT_ASN_ENCODING or X509_ASN_ENCODING.
#define CMSG_DEFAULT_INSTALLABLE_FUNC_OID ((LPCSTR) 1)
//+-------------------------------------------------------------------------
// Content Encrypt Info
//
// The following data structure contains the information shared between
// the GenContentEncryptKey and the ExportKeyTrans, ExportKeyAgree and
// ExportMailList installable functions.
//--------------------------------------------------------------------------
typedef struct _CMSG_CONTENT_ENCRYPT_INFO {
DWORD cbSize;
HCRYPTPROV hCryptProv;
CRYPT_ALGORITHM_IDENTIFIER ContentEncryptionAlgorithm;
void *pvEncryptionAuxInfo;
DWORD cRecipients;
PCMSG_RECIPIENT_ENCODE_INFO rgCmsRecipients;
PFN_CMSG_ALLOC pfnAlloc;
PFN_CMSG_FREE pfnFree;
DWORD dwEncryptFlags;
HCRYPTKEY hContentEncryptKey;
DWORD dwFlags;
} CMSG_CONTENT_ENCRYPT_INFO, *PCMSG_CONTENT_ENCRYPT_INFO;
#define CMSG_CONTENT_ENCRYPT_PAD_ENCODED_LEN_FLAG 0x00000001
#define CMSG_CONTENT_ENCRYPT_FREE_PARA_FLAG 0x00000001
#define CMSG_CONTENT_ENCRYPT_RELEASE_CONTEXT_FLAG 0x00008000
//+-------------------------------------------------------------------------
// Upon input, ContentEncryptInfo has been initialized from the
// EnvelopedEncodeInfo.
//
// Note, if rgpRecipients instead of rgCmsRecipients are set in the
// EnvelopedEncodeInfo, then, the rgpRecipients have been converted
// to rgCmsRecipients in the ContentEncryptInfo.
//
// The following fields may be changed in ContentEncryptInfo:
// hContentEncryptKey
// hCryptProv
// ContentEncryptionAlgorithm.Parameters
// dwFlags
//
// All other fields in the ContentEncryptInfo are READONLY.
//
// If CMSG_CONTENT_ENCRYPT_PAD_ENCODED_LEN_FLAG is set upon entry
// in dwEncryptFlags, then, any potentially variable length encoded
// output should be padded with zeroes to always obtain the
// same maximum encoded length. This is necessary for
// CryptMsgCalculateEncodedLength() or CryptMsgOpenToEncode() with
// definite length streaming.
//
// The hContentEncryptKey must be updated.
//
// If hCryptProv is NULL upon input, then, it must be updated.
// If a HCRYPTPROV is acquired that must be released, then, the
// CMSG_CONTENT_ENCRYPT_RELEASE_CONTEXT_FLAG must be set in dwFlags.
//
// If ContentEncryptionAlgorithm.Parameters is updated, then, the
// CMSG_CONTENT_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags. pfnAlloc and
// pfnFree must be used for doing the allocation.
//
// ContentEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
//--------------------------------------------------------------------------
#define CMSG_OID_GEN_CONTENT_ENCRYPT_KEY_FUNC "CryptMsgDllGenContentEncryptKey"
typedef BOOL (WINAPI *PFN_CMSG_GEN_CONTENT_ENCRYPT_KEY) (
IN OUT PCMSG_CONTENT_ENCRYPT_INFO pContentEncryptInfo,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved
);
//+-------------------------------------------------------------------------
// Key Transport Encrypt Info
//
// The following data structure contains the information updated by the
// ExportKeyTrans installable function.
//--------------------------------------------------------------------------
typedef struct _CMSG_KEY_TRANS_ENCRYPT_INFO {
DWORD cbSize;
DWORD dwRecipientIndex;
CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
CRYPT_DATA_BLOB EncryptedKey;
DWORD dwFlags;
} CMSG_KEY_TRANS_ENCRYPT_INFO, *PCMSG_KEY_TRANS_ENCRYPT_INFO;
#define CMSG_KEY_TRANS_ENCRYPT_FREE_PARA_FLAG 0x00000001
//+-------------------------------------------------------------------------
// Upon input, KeyTransEncryptInfo has been initialized from the
// KeyTransEncodeInfo.
//
// The following fields may be changed in KeyTransEncryptInfo:
// EncryptedKey
// KeyEncryptionAlgorithm.Parameters
// dwFlags
//
// All other fields in the KeyTransEncryptInfo are READONLY.
//
// The EncryptedKey must be updated. The pfnAlloc and pfnFree specified in
// ContentEncryptInfo must be used for doing the allocation.
//
// If the KeyEncryptionAlgorithm.Parameters is updated, then, the
// CMSG_KEY_TRANS_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags.
// The pfnAlloc and pfnFree specified in ContentEncryptInfo must be used
// for doing the allocation.
//
// KeyEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
//--------------------------------------------------------------------------
#define CMSG_OID_EXPORT_KEY_TRANS_FUNC "CryptMsgDllExportKeyTrans"
typedef BOOL (WINAPI *PFN_CMSG_EXPORT_KEY_TRANS) (
IN PCMSG_CONTENT_ENCRYPT_INFO pContentEncryptInfo,
IN PCMSG_KEY_TRANS_RECIPIENT_ENCODE_INFO pKeyTransEncodeInfo,
IN OUT PCMSG_KEY_TRANS_ENCRYPT_INFO pKeyTransEncryptInfo,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved
);
//+-------------------------------------------------------------------------
// Key Agree Key Encrypt Info
//
// The following data structure contains the information updated by the
// ExportKeyAgree installable function for each encrypted key agree
// recipient.
//--------------------------------------------------------------------------
typedef struct _CMSG_KEY_AGREE_KEY_ENCRYPT_INFO {
DWORD cbSize;
CRYPT_DATA_BLOB EncryptedKey;
} CMSG_KEY_AGREE_KEY_ENCRYPT_INFO, *PCMSG_KEY_AGREE_KEY_ENCRYPT_INFO;
//+-------------------------------------------------------------------------
// Key Agree Encrypt Info
//
// The following data structure contains the information applicable to
// all recipients. Its updated by the ExportKeyAgree installable function.
//--------------------------------------------------------------------------
typedef struct _CMSG_KEY_AGREE_ENCRYPT_INFO {
DWORD cbSize;
DWORD dwRecipientIndex;
CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
CRYPT_DATA_BLOB UserKeyingMaterial;
DWORD dwOriginatorChoice;
union {
// CMSG_KEY_AGREE_ORIGINATOR_CERT
CERT_ID OriginatorCertId;
// CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY
CERT_PUBLIC_KEY_INFO OriginatorPublicKeyInfo;
};
DWORD cKeyAgreeKeyEncryptInfo;
PCMSG_KEY_AGREE_KEY_ENCRYPT_INFO *rgpKeyAgreeKeyEncryptInfo;
DWORD dwFlags;
} CMSG_KEY_AGREE_ENCRYPT_INFO, *PCMSG_KEY_AGREE_ENCRYPT_INFO;
#define CMSG_KEY_AGREE_ENCRYPT_FREE_PARA_FLAG 0x00000001
#define CMSG_KEY_AGREE_ENCRYPT_FREE_MATERIAL_FLAG 0x00000002
#define CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_ALG_FLAG 0x00000004
#define CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_PARA_FLAG 0x00000008
#define CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_BITS_FLAG 0x00000010
//+-------------------------------------------------------------------------
// Upon input, KeyAgreeEncryptInfo has been initialized from the
// KeyAgreeEncodeInfo.
//
// The following fields may be changed in KeyAgreeEncryptInfo:
// KeyEncryptionAlgorithm.Parameters
// UserKeyingMaterial
// dwOriginatorChoice
// OriginatorCertId
// OriginatorPublicKeyInfo
// dwFlags
//
// All other fields in the KeyAgreeEncryptInfo are READONLY.
//
// If the KeyEncryptionAlgorithm.Parameters is updated, then, the
// CMSG_KEY_AGREE_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags.
// The pfnAlloc and pfnFree specified in ContentEncryptInfo must be used
// for doing the allocation.
//
// If the UserKeyingMaterial is updated, then, the
// CMSG_KEY_AGREE_ENCRYPT_FREE_MATERIAL_FLAG must be set in dwFlags.
// pfnAlloc and pfnFree must be used for doing the allocation.
//
// The dwOriginatorChoice must be updated to either
// CMSG_KEY_AGREE_ORIGINATOR_CERT or CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY.
//
// If the OriginatorPublicKeyInfo is updated, then, the appropriate
// CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_*_FLAG must be set in dwFlags and
// pfnAlloc and pfnFree must be used for doing the allocation.
//
// If CMSG_CONTENT_ENCRYPT_PAD_ENCODED_LEN_FLAG is set upon entry
// in pContentEncryptInfo->dwEncryptFlags, then, the OriginatorPublicKeyInfo's
// Ephemeral PublicKey should be padded with zeroes to always obtain the
// same maximum encoded length. Note, the length of the generated ephemeral Y
// public key can vary depending on the number of leading zero bits.
//
// Upon input, the array of *rgpKeyAgreeKeyEncryptInfo has been initialized.
// The EncryptedKey must be updated for each recipient key.
// The pfnAlloc and pfnFree specified in
// ContentEncryptInfo must be used for doing the allocation.
//
// KeyEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
//--------------------------------------------------------------------------
#define CMSG_OID_EXPORT_KEY_AGREE_FUNC "CryptMsgDllExportKeyAgree"
typedef BOOL (WINAPI *PFN_CMSG_EXPORT_KEY_AGREE) (
IN PCMSG_CONTENT_ENCRYPT_INFO pContentEncryptInfo,
IN PCMSG_KEY_AGREE_RECIPIENT_ENCODE_INFO pKeyAgreeEncodeInfo,
IN OUT PCMSG_KEY_AGREE_ENCRYPT_INFO pKeyAgreeEncryptInfo,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved
);
//+-------------------------------------------------------------------------
// Mail List Encrypt Info
//
// The following data structure contains the information updated by the
// ExportMailList installable function.
//--------------------------------------------------------------------------
typedef struct _CMSG_MAIL_LIST_ENCRYPT_INFO {
DWORD cbSize;
DWORD dwRecipientIndex;
CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
CRYPT_DATA_BLOB EncryptedKey;
DWORD dwFlags;
} CMSG_MAIL_LIST_ENCRYPT_INFO, *PCMSG_MAIL_LIST_ENCRYPT_INFO;
#define CMSG_MAIL_LIST_ENCRYPT_FREE_PARA_FLAG 0x00000001
//+-------------------------------------------------------------------------
// Upon input, MailListEncryptInfo has been initialized from the
// MailListEncodeInfo.
//
// The following fields may be changed in MailListEncryptInfo:
// EncryptedKey
// KeyEncryptionAlgorithm.Parameters
// dwFlags
//
// All other fields in the MailListEncryptInfo are READONLY.
//
// The EncryptedKey must be updated. The pfnAlloc and pfnFree specified in
// ContentEncryptInfo must be used for doing the allocation.
//
// If the KeyEncryptionAlgorithm.Parameters is updated, then, the
// CMSG_MAIL_LIST_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags.
// The pfnAlloc and pfnFree specified in ContentEncryptInfo must be used
// for doing the allocation.
//
// KeyEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
//--------------------------------------------------------------------------
#define CMSG_OID_EXPORT_MAIL_LIST_FUNC "CryptMsgDllExportMailList"
typedef BOOL (WINAPI *PFN_CMSG_EXPORT_MAIL_LIST) (
IN PCMSG_CONTENT_ENCRYPT_INFO pContentEncryptInfo,
IN PCMSG_MAIL_LIST_RECIPIENT_ENCODE_INFO pMailListEncodeInfo,
IN OUT PCMSG_MAIL_LIST_ENCRYPT_INFO pMailListEncryptInfo,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved
);
//+-------------------------------------------------------------------------
// OID Installable functions for importing an encoded and encrypted content
// encryption key.
//
// There's a different installable function for each CMS Recipient choice:
// ImportKeyTrans
// ImportKeyAgree
// ImportMailList
//
// Iterates through the following OIDs to get the OID installable function:
// KeyEncryptionOID!ContentEncryptionOID
// KeyEncryptionOID
// ContentEncryptionOID
//
// If the OID installable function doesn't support the specified
// KeyEncryption and ContentEncryption OIDs, then, return FALSE with
// LastError set to E_NOTIMPL.
//--------------------------------------------------------------------------
#define CMSG_OID_IMPORT_KEY_TRANS_FUNC "CryptMsgDllImportKeyTrans"
typedef BOOL (WINAPI *PFN_CMSG_IMPORT_KEY_TRANS) (
IN PCRYPT_ALGORITHM_IDENTIFIER pContentEncryptionAlgorithm,
IN PCMSG_CTRL_KEY_TRANS_DECRYPT_PARA pKeyTransDecryptPara,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT HCRYPTKEY *phContentEncryptKey
);
#define CMSG_OID_IMPORT_KEY_AGREE_FUNC "CryptMsgDllImportKeyAgree"
typedef BOOL (WINAPI *PFN_CMSG_IMPORT_KEY_AGREE) (
IN PCRYPT_ALGORITHM_IDENTIFIER pContentEncryptionAlgorithm,
IN PCMSG_CTRL_KEY_AGREE_DECRYPT_PARA pKeyAgreeDecryptPara,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT HCRYPTKEY *phContentEncryptKey
);
#define CMSG_OID_IMPORT_MAIL_LIST_FUNC "CryptMsgDllImportMailList"
typedef BOOL (WINAPI *PFN_CMSG_IMPORT_MAIL_LIST) (
IN PCRYPT_ALGORITHM_IDENTIFIER pContentEncryptionAlgorithm,
IN PCMSG_CTRL_MAIL_LIST_DECRYPT_PARA pMailListDecryptPara,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT HCRYPTKEY *phContentEncryptKey
);
//+=========================================================================
// Certificate Store Data Structures and APIs
//==========================================================================
//+-------------------------------------------------------------------------
// In its most basic implementation, a cert store is simply a
// collection of certificates and/or CRLs. This is the case when
// a cert store is opened with all of its certificates and CRLs
// coming from a PKCS #7 encoded cryptographic message.
//
// Nonetheless, all cert stores have the following properties:
// - A public key may have more than one certificate in the store.
// For example, a private/public key used for signing may have a
// certificate issued for VISA and another issued for
// Mastercard. Also, when a certificate is renewed there might
// be more than one certificate with the same subject and
// issuer.
// - However, each certificate in the store is uniquely
// identified by its Issuer and SerialNumber.
// - There's an issuer of subject certificate relationship. A
// certificate's issuer is found by doing a match of
// pSubjectCert->Issuer with pIssuerCert->Subject.
// The relationship is verified by using
// the issuer's public key to verify the subject certificate's
// signature. Note, there might be X.509 v3 extensions
// to assist in finding the issuer certificate.
// - Since issuer certificates might be renewed, a subject
// certificate might have more than one issuer certificate.
// - There's an issuer of CRL relationship. An
// issuer's CRL is found by doing a match of
// pIssuerCert->Subject with pCrl->Issuer.
// The relationship is verified by using
// the issuer's public key to verify the CRL's
// signature. Note, there might be X.509 v3 extensions
// to assist in finding the CRL.
// - Since some issuers might support the X.509 v3 delta CRL
// extensions, an issuer might have more than one CRL.
// - The store shouldn't have any redundant certificates or
// CRLs. There shouldn't be two certificates with the same
// Issuer and SerialNumber. There shouldn't be two CRLs with
// the same Issuer, ThisUpdate and NextUpdate.
// - The store has NO policy or trust information. No
// certificates are tagged as being "root". Its up to
// the application to maintain a list of CertIds (Issuer +
// SerialNumber) for certificates it trusts.
// - The store might contain bad certificates and/or CRLs.
// The issuer's signature of a subject certificate or CRL may
// not verify. Certificates or CRLs may not satisfy their
// time validity requirements. Certificates may be
// revoked.
//
// In addition to the certificates and CRLs, properties can be
// stored. There are two predefined property IDs for a user
// certificate: CERT_KEY_PROV_HANDLE_PROP_ID and
// CERT_KEY_PROV_INFO_PROP_ID. The CERT_KEY_PROV_HANDLE_PROP_ID
// is a HCRYPTPROV handle to the private key assoicated
// with the certificate. The CERT_KEY_PROV_INFO_PROP_ID contains
// information to be used to call
// CryptAcquireContext and CryptSetProvParam to get a handle
// to the private key associated with the certificate.
//
// There exists two more predefined property IDs for certificates
// and CRLs, CERT_SHA1_HASH_PROP_ID and CERT_MD5_HASH_PROP_ID.
// If these properties don't already exist, then, a hash of the
// content is computed. (CERT_HASH_PROP_ID maps to the default
// hash algorithm, currently, CERT_SHA1_HASH_PROP_ID).
//
// There are additional APIs for creating certificate and CRL
// contexts not in a store (CertCreateCertificateContext and
// CertCreateCRLContext).
//
//--------------------------------------------------------------------------
typedef void *HCERTSTORE;
//+-------------------------------------------------------------------------
// Certificate context.
//
// A certificate context contains both the encoded and decoded representation
// of a certificate. A certificate context returned by a cert store function
// must be freed by calling the CertFreeCertificateContext function. The
// CertDuplicateCertificateContext function can be called to make a duplicate
// copy (which also must be freed by calling CertFreeCertificateContext).
//--------------------------------------------------------------------------
typedef struct _CERT_CONTEXT {
DWORD dwCertEncodingType;
BYTE *pbCertEncoded;
DWORD cbCertEncoded;
PCERT_INFO pCertInfo;
HCERTSTORE hCertStore;
} CERT_CONTEXT, *PCERT_CONTEXT;
typedef const CERT_CONTEXT *PCCERT_CONTEXT;
//+-------------------------------------------------------------------------
// CRL context.
//
// A CRL context contains both the encoded and decoded representation
// of a CRL. A CRL context returned by a cert store function
// must be freed by calling the CertFreeCRLContext function. The
// CertDuplicateCRLContext function can be called to make a duplicate
// copy (which also must be freed by calling CertFreeCRLContext).
//--------------------------------------------------------------------------
typedef struct _CRL_CONTEXT {
DWORD dwCertEncodingType;
BYTE *pbCrlEncoded;
DWORD cbCrlEncoded;
PCRL_INFO pCrlInfo;
HCERTSTORE hCertStore;
} CRL_CONTEXT, *PCRL_CONTEXT;
typedef const CRL_CONTEXT *PCCRL_CONTEXT;
//+-------------------------------------------------------------------------
// Certificate Trust List (CTL) context.
//
// A CTL context contains both the encoded and decoded representation
// of a CTL. Also contains an opened HCRYPTMSG handle to the decoded
// cryptographic signed message containing the CTL_INFO as its inner content.
// pbCtlContent is the encoded inner content of the signed message.
//
// The CryptMsg APIs can be used to extract additional signer information.
//--------------------------------------------------------------------------
typedef struct _CTL_CONTEXT {
DWORD dwMsgAndCertEncodingType;
BYTE *pbCtlEncoded;
DWORD cbCtlEncoded;
PCTL_INFO pCtlInfo;
HCERTSTORE hCertStore;
HCRYPTMSG hCryptMsg;
BYTE *pbCtlContent;
DWORD cbCtlContent;
} CTL_CONTEXT, *PCTL_CONTEXT;
typedef const CTL_CONTEXT *PCCTL_CONTEXT;
//+-------------------------------------------------------------------------
// Certificate, CRL and CTL property IDs
//
// See CertSetCertificateContextProperty or CertGetCertificateContextProperty
// for usage information.
//--------------------------------------------------------------------------
#define CERT_KEY_PROV_HANDLE_PROP_ID 1
#define CERT_KEY_PROV_INFO_PROP_ID 2
#define CERT_SHA1_HASH_PROP_ID 3
#define CERT_MD5_HASH_PROP_ID 4
#define CERT_HASH_PROP_ID CERT_SHA1_HASH_PROP_ID
#define CERT_KEY_CONTEXT_PROP_ID 5
#define CERT_KEY_SPEC_PROP_ID 6
#define CERT_IE30_RESERVED_PROP_ID 7
#define CERT_PUBKEY_HASH_RESERVED_PROP_ID 8
#define CERT_ENHKEY_USAGE_PROP_ID 9
#define CERT_CTL_USAGE_PROP_ID CERT_ENHKEY_USAGE_PROP_ID
#define CERT_NEXT_UPDATE_LOCATION_PROP_ID 10
#define CERT_FRIENDLY_NAME_PROP_ID 11
#define CERT_PVK_FILE_PROP_ID 12
#define CERT_DESCRIPTION_PROP_ID 13
#define CERT_ACCESS_STATE_PROP_ID 14
#define CERT_SIGNATURE_HASH_PROP_ID 15
#define CERT_SMART_CARD_DATA_PROP_ID 16
#define CERT_EFS_PROP_ID 17
#define CERT_FORTEZZA_DATA_PROP_ID 18
#define CERT_ARCHIVED_PROP_ID 19
#define CERT_KEY_IDENTIFIER_PROP_ID 20
#define CERT_AUTO_ENROLL_PROP_ID 21
#define CERT_PUBKEY_ALG_PARA_PROP_ID 22
#define CERT_CROSS_CERT_DIST_POINTS_PROP_ID 23
#define CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID 24
#define CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID 25
#define CERT_ENROLLMENT_PROP_ID 26
#define CERT_DATE_STAMP_PROP_ID 27
#define CERT_ISSUER_SERIAL_NUMBER_MD5_HASH_PROP_ID 28
#define CERT_SUBJECT_NAME_MD5_HASH_PROP_ID 29
#define CERT_EXTENDED_ERROR_INFO_PROP_ID 30
// Note, 32 - 35 are reserved for the CERT, CRL, CTL and KeyId file element IDs.
// 36 - 63 are reserved for future element IDs.
#define CERT_RENEWAL_PROP_ID 64
#define CERT_ARCHIVED_KEY_HASH_PROP_ID 65
#define CERT_FIRST_RESERVED_PROP_ID 66
#define CERT_LAST_RESERVED_PROP_ID 0x00007FFF
#define CERT_FIRST_USER_PROP_ID 0x00008000
#define CERT_LAST_USER_PROP_ID 0x0000FFFF
#define IS_CERT_HASH_PROP_ID(X) (CERT_SHA1_HASH_PROP_ID == (X) ||
CERT_MD5_HASH_PROP_ID == (X) ||
CERT_SIGNATURE_HASH_PROP_ID == (X))
#define IS_PUBKEY_HASH_PROP_ID(X) (CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID == (X) ||
CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID == (X))
#define IS_CHAIN_HASH_PROP_ID(X) (CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID == (X) ||
CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID == (X) ||
CERT_ISSUER_SERIAL_NUMBER_MD5_HASH_PROP_ID == (X) ||
CERT_SUBJECT_NAME_MD5_HASH_PROP_ID == (X))
//+-------------------------------------------------------------------------
// Property OIDs
//--------------------------------------------------------------------------
// The OID component following the prefix contains the PROP_ID (decimal)
#define szOID_CERT_PROP_ID_PREFIX "1.3.6.1.4.1.311.10.11."
#define szOID_CERT_KEY_IDENTIFIER_PROP_ID "1.3.6.1.4.1.311.10.11.20"
#define szOID_CERT_ISSUER_SERIAL_NUMBER_MD5_HASH_PROP_ID
"1.3.6.1.4.1.311.10.11.28"
#define szOID_CERT_SUBJECT_NAME_MD5_HASH_PROP_ID
"1.3.6.1.4.1.311.10.11.29"
//+-------------------------------------------------------------------------
// Access State flags returned by CERT_ACCESS_STATE_PROP_ID. Note,
// CERT_ACCESS_PROP_ID is read only.
//--------------------------------------------------------------------------
// Set if context property writes are persisted. For instance, not set for
// memory store contexts. Set for registry based stores opened as read or write.
// Not set for registry based stores opened as read only.
#define CERT_ACCESS_STATE_WRITE_PERSIST_FLAG 0x1
// Set if context resides in a SYSTEM or SYSTEM_REGISTRY store.
#define CERT_ACCESS_STATE_SYSTEM_STORE_FLAG 0x2
//+-------------------------------------------------------------------------
// Cryptographic Key Provider Information
//
// CRYPT_KEY_PROV_INFO defines the CERT_KEY_PROV_INFO_PROP_ID's pvData.
//
// The CRYPT_KEY_PROV_INFO fields are passed to CryptAcquireContext
// to get a HCRYPTPROV handle. The optional CRYPT_KEY_PROV_PARAM fields are
// passed to CryptSetProvParam to further initialize the provider.
//
// The dwKeySpec field identifies the private key to use from the container
// For example, AT_KEYEXCHANGE or AT_SIGNATURE.
//--------------------------------------------------------------------------
typedef struct _CRYPT_KEY_PROV_PARAM {
DWORD dwParam;
BYTE *pbData;
DWORD cbData;
DWORD dwFlags;
} CRYPT_KEY_PROV_PARAM, *PCRYPT_KEY_PROV_PARAM;
typedef struct _CRYPT_KEY_PROV_INFO {
LPWSTR pwszContainerName;
LPWSTR pwszProvName;
DWORD dwProvType;
DWORD dwFlags;
DWORD cProvParam;
PCRYPT_KEY_PROV_PARAM rgProvParam;
DWORD dwKeySpec;
} CRYPT_KEY_PROV_INFO, *PCRYPT_KEY_PROV_INFO;
//+-------------------------------------------------------------------------
// The following flag should be set in the above dwFlags to enable
// a CertSetCertificateContextProperty(CERT_KEY_CONTEXT_PROP_ID) after a
// CryptAcquireContext is done in the Sign or Decrypt Message functions.
//
// The following define must not collide with any of the
// CryptAcquireContext dwFlag defines.
//--------------------------------------------------------------------------
#define CERT_SET_KEY_PROV_HANDLE_PROP_ID 0x00000001
#define CERT_SET_KEY_CONTEXT_PROP_ID 0x00000001
//+-------------------------------------------------------------------------
// Certificate Key Context
//
// CERT_KEY_CONTEXT defines the CERT_KEY_CONTEXT_PROP_ID's pvData.
//--------------------------------------------------------------------------
typedef struct _CERT_KEY_CONTEXT {
DWORD cbSize; // sizeof(CERT_KEY_CONTEXT)
HCRYPTPROV hCryptProv;
DWORD dwKeySpec;
} CERT_KEY_CONTEXT, *PCERT_KEY_CONTEXT;
//+-------------------------------------------------------------------------
// Certificate Store Provider Types
//--------------------------------------------------------------------------
#define CERT_STORE_PROV_MSG ((LPCSTR) 1)
#define CERT_STORE_PROV_MEMORY ((LPCSTR) 2)
#define CERT_STORE_PROV_FILE ((LPCSTR) 3)
#define CERT_STORE_PROV_REG ((LPCSTR) 4)
#define CERT_STORE_PROV_PKCS7 ((LPCSTR) 5)
#define CERT_STORE_PROV_SERIALIZED ((LPCSTR) 6)
#define CERT_STORE_PROV_FILENAME_A ((LPCSTR) 7)
#define CERT_STORE_PROV_FILENAME_W ((LPCSTR) 8)
#define CERT_STORE_PROV_FILENAME CERT_STORE_PROV_FILENAME_W
#define CERT_STORE_PROV_SYSTEM_A ((LPCSTR) 9)
#define CERT_STORE_PROV_SYSTEM_W ((LPCSTR) 10)
#define CERT_STORE_PROV_SYSTEM CERT_STORE_PROV_SYSTEM_W
#define CERT_STORE_PROV_COLLECTION ((LPCSTR) 11)
#define CERT_STORE_PROV_SYSTEM_REGISTRY_A ((LPCSTR) 12)
#define CERT_STORE_PROV_SYSTEM_REGISTRY_W ((LPCSTR) 13)
#define CERT_STORE_PROV_SYSTEM_REGISTRY CERT_STORE_PROV_SYSTEM_REGISTRY_W
#define CERT_STORE_PROV_PHYSICAL_W ((LPCSTR) 14)
#define CERT_STORE_PROV_PHYSICAL CERT_STORE_PROV_PHYSICAL_W
#define CERT_STORE_PROV_SMART_CARD_W ((LPCSTR) 15)
#define CERT_STORE_PROV_SMART_CARD CERT_STORE_PROV_SMART_CARD_W
#define CERT_STORE_PROV_LDAP_W ((LPCSTR) 16)
#define CERT_STORE_PROV_LDAP CERT_STORE_PROV_LDAP_W
#define sz_CERT_STORE_PROV_MEMORY "Memory"
#define sz_CERT_STORE_PROV_FILENAME_W "File"
#define sz_CERT_STORE_PROV_FILENAME sz_CERT_STORE_PROV_FILENAME_W
#define sz_CERT_STORE_PROV_SYSTEM_W "System"
#define sz_CERT_STORE_PROV_SYSTEM sz_CERT_STORE_PROV_SYSTEM_W
#define sz_CERT_STORE_PROV_PKCS7 "PKCS7"
#define sz_CERT_STORE_PROV_SERIALIZED "Serialized"
#define sz_CERT_STORE_PROV_COLLECTION "Collection"
#define sz_CERT_STORE_PROV_SYSTEM_REGISTRY_W "SystemRegistry"
#define sz_CERT_STORE_PROV_SYSTEM_REGISTRY sz_CERT_STORE_PROV_SYSTEM_REGISTRY_W
#define sz_CERT_STORE_PROV_PHYSICAL_W "Physical"
#define sz_CERT_STORE_PROV_PHYSICAL sz_CERT_STORE_PROV_PHYSICAL_W
#define sz_CERT_STORE_PROV_SMART_CARD_W "SmartCard"
#define sz_CERT_STORE_PROV_SMART_CARD sz_CERT_STORE_PROV_SMART_CARD_W
#define sz_CERT_STORE_PROV_LDAP_W "Ldap"
#define sz_CERT_STORE_PROV_LDAP sz_CERT_STORE_PROV_LDAP_W
//+-------------------------------------------------------------------------
// Certificate Store verify/results flags
//--------------------------------------------------------------------------
#define CERT_STORE_SIGNATURE_FLAG 0x00000001
#define CERT_STORE_TIME_VALIDITY_FLAG 0x00000002
#define CERT_STORE_REVOCATION_FLAG 0x00000004
#define CERT_STORE_NO_CRL_FLAG 0x00010000
#define CERT_STORE_NO_ISSUER_FLAG 0x00020000
#define CERT_STORE_BASE_CRL_FLAG 0x00000100
#define CERT_STORE_DELTA_CRL_FLAG 0x00000200
//+-------------------------------------------------------------------------
// Certificate Store open/property flags
//--------------------------------------------------------------------------
#define CERT_STORE_NO_CRYPT_RELEASE_FLAG 0x00000001
#define CERT_STORE_SET_LOCALIZED_NAME_FLAG 0x00000002
#define CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG 0x00000004
#define CERT_STORE_DELETE_FLAG 0x00000010
#define CERT_STORE_SHARE_STORE_FLAG 0x00000040
#define CERT_STORE_SHARE_CONTEXT_FLAG 0x00000080
#define CERT_STORE_MANIFOLD_FLAG 0x00000100
#define CERT_STORE_ENUM_ARCHIVED_FLAG 0x00000200
#define CERT_STORE_UPDATE_KEYID_FLAG 0x00000400
#define CERT_STORE_BACKUP_RESTORE_FLAG 0x00000800
#define CERT_STORE_READONLY_FLAG 0x00008000
#define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000
#define CERT_STORE_CREATE_NEW_FLAG 0x00002000
#define CERT_STORE_MAXIMUM_ALLOWED_FLAG 0x00001000
//+-------------------------------------------------------------------------
// Certificate Store Provider flags are in the HiWord (0xFFFF0000)
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Certificate System Store Flag Values
//--------------------------------------------------------------------------
// Includes flags and location
#define CERT_SYSTEM_STORE_MASK 0xFFFF0000
// Set if pvPara points to a CERT_SYSTEM_STORE_RELOCATE_PARA structure
#define CERT_SYSTEM_STORE_RELOCATE_FLAG 0x80000000
typedef struct _CERT_SYSTEM_STORE_RELOCATE_PARA {
union {
HKEY hKeyBase;
void *pvBase;
};
union {
void *pvSystemStore;
LPCSTR pszSystemStore;
LPCWSTR pwszSystemStore;
};
} CERT_SYSTEM_STORE_RELOCATE_PARA, *PCERT_SYSTEM_STORE_RELOCATE_PARA;
// By default, when the CurrentUser "Root" store is opened, any SystemRegistry
// roots not also on the protected root list are deleted from the cache before
// CertOpenStore() returns. Set the following flag to return all the roots
// in the SystemRegistry without checking the protected root list.
#define CERT_SYSTEM_STORE_UNPROTECTED_FLAG 0x40000000
// Location of the system store:
#define CERT_SYSTEM_STORE_LOCATION_MASK 0x00FF0000
#define CERT_SYSTEM_STORE_LOCATION_SHIFT 16
// Registry: HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE
#define CERT_SYSTEM_STORE_CURRENT_USER_ID 1
#define CERT_SYSTEM_STORE_LOCAL_MACHINE_ID 2
// Registry: HKEY_LOCAL_MACHINESoftwareMicrosoftCryptographyServices
#define CERT_SYSTEM_STORE_CURRENT_SERVICE_ID 4
#define CERT_SYSTEM_STORE_SERVICES_ID 5
// Registry: HKEY_USERS
#define CERT_SYSTEM_STORE_USERS_ID 6
// Registry: HKEY_CURRENT_USERSoftwarePoliciesMicrosoftSystemCertificates
#define CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY_ID 7
// Registry: HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftSystemCertificates
#define CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY_ID 8
// Registry: HKEY_LOCAL_MACHINESoftwareMicrosoftEnterpriseCertificates
#define CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE_ID 9
#define CERT_SYSTEM_STORE_CURRENT_USER
(CERT_SYSTEM_STORE_CURRENT_USER_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
#define CERT_SYSTEM_STORE_LOCAL_MACHINE
(CERT_SYSTEM_STORE_LOCAL_MACHINE_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
#define CERT_SYSTEM_STORE_CURRENT_SERVICE
(CERT_SYSTEM_STORE_CURRENT_SERVICE_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
#define CERT_SYSTEM_STORE_SERVICES
(CERT_SYSTEM_STORE_SERVICES_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
#define CERT_SYSTEM_STORE_USERS
(CERT_SYSTEM_STORE_USERS_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
#define CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY
(CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY_ID <<
CERT_SYSTEM_STORE_LOCATION_SHIFT)
#define CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
(CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY_ID <<
CERT_SYSTEM_STORE_LOCATION_SHIFT)
#define CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
(CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE_ID <<
CERT_SYSTEM_STORE_LOCATION_SHIFT)
//+-------------------------------------------------------------------------
// Group Policy Store Defines
//--------------------------------------------------------------------------
// Registry path to the Group Policy system stores
#define CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH
L"Software\Policies\Microsoft\SystemCertificates"
//+-------------------------------------------------------------------------
// EFS Defines
//--------------------------------------------------------------------------
// Registry path to the EFS EFSBlob SubKey - Value type is REG_BINARY
#define CERT_EFSBLOB_REGPATH
CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH L"\EFS"
#define CERT_EFSBLOB_VALUE_NAME L"EFSBlob"
//+-------------------------------------------------------------------------
// Protected Root Defines
//--------------------------------------------------------------------------
// Registry path to the Protected Roots Flags SubKey
#define CERT_PROT_ROOT_FLAGS_REGPATH
CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH L"\Root\ProtectedRoots"
#define CERT_PROT_ROOT_FLAGS_VALUE_NAME L"Flags"
// Set the following flag to inhibit the opening of the CurrentUser's
// .Default physical store when opening the CurrentUser's "Root" system store.
// The .Default physical store open's the CurrentUser SystemRegistry "Root"
// store.
#define CERT_PROT_ROOT_DISABLE_CURRENT_USER_FLAG 0x1
// Set the following flag to inhibit the adding of roots from the
// CurrentUser SystemRegistry "Root" store to the protected root list
// when the "Root" store is initially protected.
#define CERT_PROT_ROOT_INHIBIT_ADD_AT_INIT_FLAG 0x2
// Set the following flag to inhibit the purging of protected roots from the
// CurrentUser SystemRegistry "Root" store that are
// also in the LocalMachine SystemRegistry "Root" store. Note, when not
// disabled, the purging is done silently without UI.
#define CERT_PROT_ROOT_INHIBIT_PURGE_LM_FLAG 0x4
// Set the following flag to inhibit the opening of the LocalMachine's
// .AuthRoot physical store when opening the LocalMachine's "Root" system store.
// The .AuthRoot physical store open's the LocalMachine SystemRegistry
// "AuthRoot" store. The "AuthRoot" store contains the pre-installed
// SSL ServerAuth and the ActiveX Authenticode "root" certificates.
#define CERT_PROT_ROOT_DISABLE_LM_AUTH_FLAG 0x8
// The semantics for the following legacy definition has been changed to be
// the same as for the CERT_PROT_ROOT_DISABLE_LM_AUTH_FLAG.
#define CERT_PROT_ROOT_ONLY_LM_GPT_FLAG 0x8
// Set the following flag to disable the requiring of the issuing CA
// certificate being in the "NTAuth" system registry store found in the
// CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE store location.
//
// When set, CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_NT_AUTH)
// will check that the chain has a valid name constraint for all name
// spaces, including UPN if the issuing CA isn't in the "NTAuth" store.
#define CERT_PROT_ROOT_DISABLE_NT_AUTH_REQUIRED_FLAG 0x10
//+-------------------------------------------------------------------------
// Trusted Publisher Definitions
//--------------------------------------------------------------------------
// Registry path to the trusted publisher "Safer" group policy subkey
#define CERT_TRUST_PUB_SAFER_GROUP_POLICY_REGPATH
CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH L"\TrustedPublisher\Safer"
// Registry path to the Local Machine system stores
#define CERT_LOCAL_MACHINE_SYSTEM_STORE_REGPATH
L"Software\Microsoft\SystemCertificates"
// Registry path to the trusted publisher "Safer" local machine subkey
#define CERT_TRUST_PUB_SAFER_LOCAL_MACHINE_REGPATH
CERT_LOCAL_MACHINE_SYSTEM_STORE_REGPATH L"\TrustedPublisher\Safer"
// "Safer" subkey value names. All values are DWORDs.
#define CERT_TRUST_PUB_AUTHENTICODE_FLAGS_VALUE_NAME L"AuthenticodeFlags"
// AuthenticodeFlags definitions
// Definition of who is allowed to trust publishers
//
// Setting allowed trust to MACHINE_ADMIN or ENTERPRISE_ADMIN disables UI,
// only trusts publishers in the "TrustedPublisher" system store and
// inhibits the opening of the CurrentUser's .Default physical store when
// opening the CurrentUsers's "TrustedPublisher" system store.
//
// The .Default physical store open's the CurrentUser SystemRegistry
// "TrustedPublisher" store.
//
// Setting allowed trust to ENTERPRISE_ADMIN only opens the
// LocalMachine's .GroupPolicy and .Enterprise physical stores when opening
// the CurrentUser's "TrustedPublisher" system store or when opening the
// LocalMachine's "TrustedPublisher" system store.
#define CERT_TRUST_PUB_ALLOW_TRUST_MASK 0x00000003
#define CERT_TRUST_PUB_ALLOW_END_USER_TRUST 0x00000000
#define CERT_TRUST_PUB_ALLOW_MACHINE_ADMIN_TRUST 0x00000001
#define CERT_TRUST_PUB_ALLOW_ENTERPRISE_ADMIN_TRUST 0x00000002
// Set the following flag to enable revocation checking of the publisher
// chain.
#define CERT_TRUST_PUB_CHECK_PUBLISHER_REV_FLAG 0x00000100
// Set the following flag to enable revocation checking of the time stamp
// chain.
#define CERT_TRUST_PUB_CHECK_TIMESTAMP_REV_FLAG 0x00000200
//+-------------------------------------------------------------------------
// OCM Subcomponents Definitions
//--------------------------------------------------------------------------
// Registry path to the OCM Subcomponents local machine subkey
#define CERT_OCM_SUBCOMPONENTS_LOCAL_MACHINE_REGPATH
L"SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents"
// REG_DWORD, 1 is installed, 0 is NOT installed
#define CERT_OCM_SUBCOMPONENTS_ROOT_AUTO_UPDATE_VALUE_NAME L"RootAutoUpdate"
//+-------------------------------------------------------------------------
// AuthRoot Auto Update Definitions
//--------------------------------------------------------------------------
// Registry path to the AuthRoot "Auto Update" local machine subkey
#define CERT_AUTH_ROOT_AUTO_UPDATE_LOCAL_MACHINE_REGPATH
CERT_LOCAL_MACHINE_SYSTEM_STORE_REGPATH L"\AuthRoot\AutoUpdate"
// AuthRoot Auto Update subkey value names.
// REG_SZ, URL to the directory containing the AuthRoots, CTL and Seq files
#define CERT_AUTH_ROOT_AUTO_UPDATE_ROOT_DIR_URL_VALUE_NAME L"RootDirUrl"
// REG_DWORD, seconds between syncs. 0 implies use default.
#define CERT_AUTH_ROOT_AUTO_UPDATE_SYNC_DELTA_TIME_VALUE_NAME L"SyncDeltaTime"
// REG_DWORD, misc flags
#define CERT_AUTH_ROOT_AUTO_UPDATE_FLAGS_VALUE_NAME L"Flags"
#define CERT_AUTH_ROOT_AUTO_UPDATE_DISABLE_UNTRUSTED_ROOT_LOGGING_FLAG 0x1
#define CERT_AUTH_ROOT_AUTO_UPDATE_DISABLE_PARTIAL_CHAIN_LOGGING_FLAG 0x2
// AuthRoot Auto Update filenames
// CTL containing the list of certs in the AuthRoot store
#define CERT_AUTH_ROOT_CTL_FILENAME L"authroot.stl"
#define CERT_AUTH_ROOT_CTL_FILENAME_A "authroot.stl"
// Cab containing the above CTL
#define CERT_AUTH_ROOT_CAB_FILENAME L"authrootstl.cab"
// SequenceNumber (Formatted as big endian ascii hex)
#define CERT_AUTH_ROOT_SEQ_FILENAME L"authrootseq.txt"
// Root certs extension
#define CERT_AUTH_ROOT_CERT_EXT L".crt"
//+-------------------------------------------------------------------------
// Certificate Registry Store Flag Values (CERT_STORE_REG)
//--------------------------------------------------------------------------
// Set this flag if the HKEY passed in pvPara points to a remote computer
// registry key.
#define CERT_REGISTRY_STORE_REMOTE_FLAG 0x10000
// Set this flag if the contexts are to be persisted as a single serialized
// store in the registry. Mainly used for stores downloaded from the GPT.
// Such as the CurrentUserGroupPolicy or LocalMachineGroupPolicy stores.
#define CERT_REGISTRY_STORE_SERIALIZED_FLAG 0x20000
// The following flags are for internal use. When set, the
// pvPara parameter passed to CertOpenStore is a pointer to the following
// data structure and not the HKEY. The above CERT_REGISTRY_STORE_REMOTE_FLAG
// is also set if hKeyBase was obtained via RegConnectRegistry().
#define CERT_REGISTRY_STORE_CLIENT_GPT_FLAG 0x80000000
#define CERT_REGISTRY_STORE_LM_GPT_FLAG 0x01000000
typedef struct _CERT_REGISTRY_STORE_CLIENT_GPT_PARA {
HKEY hKeyBase;
LPWSTR pwszRegPath;
} CERT_REGISTRY_STORE_CLIENT_GPT_PARA, *PCERT_REGISTRY_STORE_CLIENT_GPT_PARA;
// The following flag is for internal use. When set, the contexts are
// persisted into roaming files instead of the registry. Such as, the
// CurrentUser "My" store. When this flag is set, the following data structure
// is passed to CertOpenStore instead of HKEY.
#define CERT_REGISTRY_STORE_ROAMING_FLAG 0x40000
// hKey may be NULL or non-NULL. When non-NULL, existing contexts are
// moved from the registry to roaming files.
typedef struct _CERT_REGISTRY_STORE_ROAMING_PARA {
HKEY hKey;
LPWSTR pwszStoreDirectory;
} CERT_REGISTRY_STORE_ROAMING_PARA, *PCERT_REGISTRY_STORE_ROAMING_PARA;
// The following flag is for internal use. When set, the "My" DWORD value
// at HKLMSoftwareMicrosoftCryptographyIEDirtyFlags is set to 0x1
// whenever a certificate is added to the registry store.
#define CERT_REGISTRY_STORE_MY_IE_DIRTY_FLAG 0x80000
// Registry path to the subkey containing the "My" DWORD value to be set
#define CERT_IE_DIRTY_FLAGS_REGPATH
L"Software\Microsoft\Cryptography\IEDirtyFlags"
//+-------------------------------------------------------------------------
// Certificate File Store Flag Values for the providers:
// CERT_STORE_PROV_FILE
// CERT_STORE_PROV_FILENAME
// CERT_STORE_PROV_FILENAME_A
// CERT_STORE_PROV_FILENAME_W
// sz_CERT_STORE_PROV_FILENAME_W
//--------------------------------------------------------------------------
// Set this flag if any store changes are to be committed to the file.
// The changes are committed at CertCloseStore or by calling
// CertControlStore(CERT_STORE_CTRL_COMMIT).
//
// The open fails with E_INVALIDARG if both CERT_FILE_STORE_COMMIT_ENABLE_FLAG
// and CERT_STORE_READONLY_FLAG are set in dwFlags.
//
// For the FILENAME providers: if the file contains an X509 encoded
// certificate, the open fails with ERROR_ACCESS_DENIED.
//
// For the FILENAME providers: if CERT_STORE_CREATE_NEW_FLAG is set, the
// CreateFile uses CREATE_NEW. If CERT_STORE_OPEN_EXISTING is set, uses
// OPEN_EXISTING. Otherwise, defaults to OPEN_ALWAYS.
//
// For the FILENAME providers: the file is committed as either a PKCS7 or
// serialized store depending on the type read at open. However, if the
// file is empty then, if the filename has either a ".p7c" or ".spc"
// extension its committed as a PKCS7. Otherwise, its committed as a
// serialized store.
//
// For CERT_STORE_PROV_FILE, the file handle is duplicated. Its always
// committed as a serialized store.
//
#define CERT_FILE_STORE_COMMIT_ENABLE_FLAG 0x10000
//+-------------------------------------------------------------------------
// Certificate LDAP Store Flag Values for the providers:
// CERT_STORE_PROV_LDAP
// CERT_STORE_PROV_LDAP_W
// sz_CERT_STORE_PROV_LDAP_W
// sz_CERT_STORE_PROV_LDAP
//--------------------------------------------------------------------------
// Set this flag to digitally sign all of the ldap traffic to and from a
// Windows 2000 LDAP server using the Kerberos authentication protocol.
// This feature provides integrity required by some applications.
//
#define CERT_LDAP_STORE_SIGN_FLAG 0x10000
// Performs an A-Record only DNS lookup on the supplied host string.
// This prevents bogus DNS queries from being generated when resolving host
// names. Use this flag whenever passing a hostname as opposed to a
// domain name for the hostname parameter.
//
// See LDAP_OPT_AREC_EXCLUSIVE defined in winldap.h for more details.
#define CERT_LDAP_STORE_AREC_EXCLUSIVE_FLAG 0x20000
//+-------------------------------------------------------------------------
// Open the cert store using the specified store provider.
//
// If CERT_STORE_DELETE_FLAG is set, then, the store is deleted. NULL is
// returned for both success and failure. However, GetLastError() returns 0
// for success and nonzero for failure.
//
// If CERT_STORE_SET_LOCALIZED_NAME_FLAG is set, then, if supported, the
// provider sets the store's CERT_STORE_LOCALIZED_NAME_PROP_ID property.
// The store's localized name can be retrieved by calling
// CertSetStoreProperty(dwPropID = CERT_STORE_LOCALIZED_NAME_PROP_ID).
// This flag is supported by the following providers (and their sz_
// equivalent):
// CERT_STORE_PROV_FILENAME_A
// CERT_STORE_PROV_FILENAME_W
// CERT_STORE_PROV_SYSTEM_A
// CERT_STORE_PROV_SYSTEM_W
// CERT_STORE_PROV_SYSTEM_REGISTRY_A
// CERT_STORE_PROV_SYSTEM_REGISTRY_W
// CERT_STORE_PROV_PHYSICAL_W
//
// If CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG is set, then, the
// closing of the store's provider is deferred until all certificate,
// CRL and CTL contexts obtained from the store are freed. Also,
// if a non NULL HCRYPTPROV was passed, then, it will continue to be used.
// By default, the store's provider is closed on the final CertCloseStore.
// If this flag isn't set, then, any property changes made to previously
// duplicated contexts after the final CertCloseStore will not be persisted.
// By setting this flag, property changes made
// after the CertCloseStore will be persisted. Note, setting this flag
// causes extra overhead in doing context duplicates and frees.
// If CertCloseStore is called with CERT_CLOSE_STORE_FORCE_FLAG, then,
// the CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG flag is ignored.
//
// CERT_STORE_MANIFOLD_FLAG can be set to check for certificates having the
// manifold extension and archive the "older" certificates with the same
// manifold extension value. A certificate is archived by setting the
// CERT_ARCHIVED_PROP_ID.
//
// By default, contexts having the CERT_ARCHIVED_PROP_ID, are skipped
// during enumeration. CERT_STORE_ENUM_ARCHIVED_FLAG can be set to include
// archived contexts when enumerating. Note, contexts having the
// CERT_ARCHIVED_PROP_ID are still found for explicit finds, such as,
// finding a context with a specific hash or finding a certificate having
// a specific issuer and serial number.
//
// CERT_STORE_UPDATE_KEYID_FLAG can be set to also update the Key Identifier's
// CERT_KEY_PROV_INFO_PROP_ID property whenever a certificate's
// CERT_KEY_IDENTIFIER_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID property is set
// and the other property already exists. If the Key Identifier's
// CERT_KEY_PROV_INFO_PROP_ID already exists, it isn't updated. Any
// errors encountered are silently ignored.
//
// By default, this flag is implicitly set for the "My.Default" CurrentUser
// and LocalMachine physical stores.
//
// CERT_STORE_READONLY_FLAG can be set to open the store as read only.
// Otherwise, the store is opened as read/write.
//
// CERT_STORE_OPEN_EXISTING_FLAG can be set to only open an existing
// store. CERT_STORE_CREATE_NEW_FLAG can be set to create a new store and
// fail if the store already exists. Otherwise, the default is to open
// an existing store or create a new store if it doesn't already exist.
//
// hCryptProv specifies the crypto provider to use to create the hash
// properties or verify the signature of a subject certificate or CRL.
// The store doesn't need to use a private
// key. If the CERT_STORE_NO_CRYPT_RELEASE_FLAG isn't set, hCryptProv is
// CryptReleaseContext'ed on the final CertCloseStore.
//
// Note, if the open fails, hCryptProv is released if it would have been
// released when the store was closed.
//
// If hCryptProv is zero, then, the default provider and container for the
// PROV_RSA_FULL provider type is CryptAcquireContext'ed with
// CRYPT_VERIFYCONTEXT access. The CryptAcquireContext is deferred until
// the first create hash or verify signature. In addition, once acquired,
// the default provider isn't released until process exit when crypt32.dll
// is unloaded. The acquired default provider is shared across all stores
// and threads.
//
// After initializing the store's data structures and optionally acquiring a
// default crypt provider, CertOpenStore calls CryptGetOIDFunctionAddress to
// get the address of the CRYPT_OID_OPEN_STORE_PROV_FUNC specified by
// lpszStoreProvider. Since a store can contain certificates with different
// encoding types, CryptGetOIDFunctionAddress is called with dwEncodingType
// set to 0 and not the dwEncodingType passed to CertOpenStore.
// PFN_CERT_DLL_OPEN_STORE_FUNC specifies the signature of the provider's
// open function. This provider open function is called to load the
// store's certificates and CRLs. Optionally, the provider may return an
// array of functions called before a certificate or CRL is added or deleted
// or has a property that is set.
//
// Use of the dwEncodingType parameter is provider dependent. The type
// definition for pvPara also depends on the provider.
//
// Store providers are installed or registered via
// CryptInstallOIDFunctionAddress or CryptRegisterOIDFunction, where,
// dwEncodingType is 0 and pszFuncName is CRYPT_OID_OPEN_STORE_PROV_FUNC.
//
// Here's a list of the predefined provider types (implemented in crypt32.dll):
//
// CERT_STORE_PROV_MSG:
// Gets the certificates and CRLs from the specified cryptographic message.
// dwEncodingType contains the message and certificate encoding types.
// The message's handle is passed in pvPara. Given,
// HCRYPTMSG hCryptMsg; pvPara = (const void *) hCryptMsg;
//
// CERT_STORE_PROV_MEMORY
// sz_CERT_STORE_PROV_MEMORY:
// Opens a store without any initial certificates or CRLs. pvPara
// isn't used.
//
// CERT_STORE_PROV_FILE:
// Reads the certificates and CRLs from the specified file. The file's
// handle is passed in pvPara. Given,
// HANDLE hFile; pvPara = (const void *) hFile;
//
// For a successful open, the file pointer is advanced past
// the certificates and CRLs and their properties read from the file.
// Note, only expects a serialized store and not a file containing
// either a PKCS #7 signed message or a single encoded certificate.
//
// The hFile isn't closed.
//
// CERT_STORE_PROV_REG:
// Reads the certificates and CRLs from the registry. The registry's
// key handle is passed in pvPara. Given,
// HKEY hKey; pvPara = (const void *) hKey;
//
// The input hKey isn't closed by the provider. Before returning, the
// provider opens it own copy of the hKey.
//
// If CERT_STORE_READONLY_FLAG is set, then, the registry subkeys are
// RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry subkeys
// are RegCreateKey'ed with KEY_ALL_ACCESS.
//
// This provider returns the array of functions for reading, writing,
// deleting and property setting certificates and CRLs.
// Any changes to the opened store are immediately pushed through to
// the registry. However, if CERT_STORE_READONLY_FLAG is set, then,
// writing, deleting or property setting results in a
// SetLastError(E_ACCESSDENIED).
//
// Note, all the certificates and CRLs are read from the registry
// when the store is opened. The opened store serves as a write through
// cache.
//
// If CERT_REGISTRY_STORE_SERIALIZED_FLAG is set, then, the
// contexts are persisted as a single serialized store subkey in the
// registry.
//
// CERT_STORE_PROV_PKCS7:
// sz_CERT_STORE_PROV_PKCS7:
// Gets the certificates and CRLs from the encoded PKCS #7 signed message.
// dwEncodingType specifies the message and certificate encoding types.
// The pointer to the encoded message's blob is passed in pvPara. Given,
// CRYPT_DATA_BLOB EncodedMsg; pvPara = (const void *) &EncodedMsg;
//
// Note, also supports the IE3.0 special version of a
// PKCS #7 signed message referred to as a "SPC" formatted message.
//
// CERT_STORE_PROV_SERIALIZED:
// sz_CERT_STORE_PROV_SERIALIZED:
// Gets the certificates and CRLs from memory containing a serialized
// store. The pointer to the serialized memory blob is passed in pvPara.
// Given,
// CRYPT_DATA_BLOB Serialized; pvPara = (const void *) &Serialized;
//
// CERT_STORE_PROV_FILENAME_A:
// CERT_STORE_PROV_FILENAME_W:
// CERT_STORE_PROV_FILENAME:
// sz_CERT_STORE_PROV_FILENAME_W:
// sz_CERT_STORE_PROV_FILENAME:
// Opens the file and first attempts to read as a serialized store. Then,
// as a PKCS #7 signed message. Finally, as a single encoded certificate.
// The filename is passed in pvPara. The filename is UNICODE for the
// "_W" provider and ASCII for the "_A" provider. For "_W": given,
// LPCWSTR pwszFilename; pvPara = (const void *) pwszFilename;
// For "_A": given,
// LPCSTR pszFilename; pvPara = (const void *) pszFilename;
//
// Note, the default (without "_A" or "_W") is unicode.
//
// Note, also supports the reading of the IE3.0 special version of a
// PKCS #7 signed message file referred to as a "SPC" formatted file.
//
// CERT_STORE_PROV_SYSTEM_A:
// CERT_STORE_PROV_SYSTEM_W:
// CERT_STORE_PROV_SYSTEM:
// sz_CERT_STORE_PROV_SYSTEM_W:
// sz_CERT_STORE_PROV_SYSTEM:
// Opens the specified logical "System" store. The upper word of the
// dwFlags parameter is used to specify the location of the system store.
//
// A "System" store is a collection consisting of one or more "Physical"
// stores. A "Physical" store is registered via the
// CertRegisterPhysicalStore API. Each of the registered physical stores
// is CertStoreOpen'ed and added to the collection via
// CertAddStoreToCollection.
//
// The CERT_SYSTEM_STORE_CURRENT_USER, CERT_SYSTEM_STORE_LOCAL_MACHINE,
// CERT_SYSTEM_STORE_CURRENT_SERVICE, CERT_SYSTEM_STORE_SERVICES,
// CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY,
// CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and
// CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRSE
// system stores by default have a "SystemRegistry" store that is
// opened and added to the collection.
//
// The system store name is passed in pvPara. The name is UNICODE for the
// "_W" provider and ASCII for the "_A" provider. For "_W": given,
// LPCWSTR pwszSystemName; pvPara = (const void *) pwszSystemName;
// For "_A": given,
// LPCSTR pszSystemName; pvPara = (const void *) pszSystemName;
//
// Note, the default (without "_A" or "_W") is UNICODE.
//
// The system store name can't contain any backslashes.
//
// If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvPara
// points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure instead
// of pointing to a null terminated UNICODE or ASCII string.
// Sibling physical stores are also opened as relocated using
// pvPara's hKeyBase.
//
// The CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS system
// store name must be prefixed with the ServiceName or UserName.
// For example, "ServiceNameTrust".
//
// Stores on remote computers can be accessed for the
// CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_SERVICES,
// CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
// or CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
// locations by prepending the computer name. For example, a remote
// local machine store is accessed via "\ComputerNameTrust" or
// "ComputerNameTrust". A remote service store is accessed via
// "\ComputerNameServiceNameTrust". The leading "\" backslashes are
// optional in the ComputerName.
//
// If CERT_STORE_READONLY_FLAG is set, then, the registry is
// RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry is
// RegCreateKey'ed with KEY_ALL_ACCESS.
//
// The "root" store is treated differently from the other system
// stores. Before a certificate is added to or deleted from the "root"
// store, a pop up message box is displayed. The certificate's subject,
// issuer, serial number, time validity, sha1 and md5 thumbprints are
// displayed. The user is given the option to do the add or delete.
// If they don't allow the operation, LastError is set to E_ACCESSDENIED.
//
// CERT_STORE_PROV_SYSTEM_REGISTRY_A
// CERT_STORE_PROV_SYSTEM_REGISTRY_W
// CERT_STORE_PROV_SYSTEM_REGISTRY
// sz_CERT_STORE_PROV_SYSTEM_REGISTRY_W
// sz_CERT_STORE_PROV_SYSTEM_REGISTRY
// Opens the "System" store's default "Physical" store residing in the
// registry. The upper word of the dwFlags
// parameter is used to specify the location of the system store.
//
// After opening the registry key associated with the system name,
// the CERT_STORE_PROV_REG provider is called to complete the open.
//
// The system store name is passed in pvPara. The name is UNICODE for the
// "_W" provider and ASCII for the "_A" provider. For "_W": given,
// LPCWSTR pwszSystemName; pvPara = (const void *) pwszSystemName;
// For "_A": given,
// LPCSTR pszSystemName; pvPara = (const void *) pszSystemName;
//
// Note, the default (without "_A" or "_W") is UNICODE.
//
// If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvPara
// points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure instead
// of pointing to a null terminated UNICODE or ASCII string.
//
// See above for details on prepending a ServiceName and/or ComputerName
// to the store name.
//
// If CERT_STORE_READONLY_FLAG is set, then, the registry is
// RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry is
// RegCreateKey'ed with KEY_ALL_ACCESS.
//
// The "root" store is treated differently from the other system
// stores. Before a certificate is added to or deleted from the "root"
// store, a pop up message box is displayed. The certificate's subject,
// issuer, serial number, time validity, sha1 and md5 thumbprints are
// displayed. The user is given the option to do the add or delete.
// If they don't allow the operation, LastError is set to E_ACCESSDENIED.
//
// CERT_STORE_PROV_PHYSICAL_W
// CERT_STORE_PROV_PHYSICAL
// sz_CERT_STORE_PROV_PHYSICAL_W
// sz_CERT_STORE_PROV_PHYSICAL
// Opens the specified "Physical" store in the "System" store.
//
// Both the system store and physical names are passed in pvPara. The
// names are separated with an intervening "". For example,
// "Root.Default". The string is UNICODE.
//
// The system and physical store names can't contain any backslashes.
//
// If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvPara
// points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure instead
// of pointing to a null terminated UNICODE string.
// The specified physical store is opened as relocated using pvPara's
// hKeyBase.
//
// For CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS,
// the system and physical store names
// must be prefixed with the ServiceName or UserName. For example,
// "ServiceNameRoot.Default".
//
// Physical stores on remote computers can be accessed for the
// CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_SERVICES,
// CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
// or CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
// locations by prepending the computer name. For example, a remote
// local machine store is accessed via "\ComputerNameRoot.Default"
// or "ComputerNameRoot.Default". A remote service store is
// accessed via "\ComputerNameServiceNameRoot.Default". The
// leading "\" backslashes are optional in the ComputerName.
//
// CERT_STORE_PROV_COLLECTION
// sz_CERT_STORE_PROV_COLLECTION
// Opens a store that is a collection of other stores. Stores are
// added or removed to/from the collection via the CertAddStoreToCollection
// and CertRemoveStoreFromCollection APIs.
//
// CERT_STORE_PROV_SMART_CARD_W
// CERT_STORE_PROV_SMART_CARD
// sz_CERT_STORE_PROV_SMART_CARD_W
// sz_CERT_STORE_PROV_SMART_CARD
// Opens a store instantiated over a particular smart card storage. pvPara
// identifies where on the card the store is located and is of the
// following format:
//
// Card NameProvider NameProvider Type[Container Name]
//
// Container Name is optional and if NOT specified the Card Name is used
// as the Container Name. Future versions of the provider will support
// instantiating the store over the entire card in which case just
// Card Name ( or id ) will be sufficient.
//
// Here's a list of the predefined provider types (implemented in
// cryptnet.dll):
//
// CERT_STORE_PROV_LDAP_W
// CERT_STORE_PROV_LDAP
// sz_CERT_STORE_PROV_LDAP_W
// sz_CERT_STORE_PROV_LDAP
// Opens a store over the results of the query specified by and LDAP
// URL which is passed in via pvPara. In order to do writes to the
// store the URL must specify a BASE query, no filter and a single
// attribute.
//
//--------------------------------------------------------------------------
WINCRYPT32API
HCERTSTORE
WINAPI
CertOpenStore(
IN LPCSTR lpszStoreProvider,
IN DWORD dwEncodingType,
IN HCRYPTPROV hCryptProv,
IN DWORD dwFlags,
IN const void *pvPara
);
//+-------------------------------------------------------------------------
// OID Installable Certificate Store Provider Data Structures
//--------------------------------------------------------------------------
// Handle returned by the store provider when opened.
typedef void *HCERTSTOREPROV;
// Store Provider OID function's pszFuncName.
#define CRYPT_OID_OPEN_STORE_PROV_FUNC "CertDllOpenStoreProv"
// Note, the Store Provider OID function's dwEncodingType is always 0.
// The following information is returned by the provider when opened. Its
// zeroed with cbSize set before the provider is called. If the provider
// doesn't need to be called again after the open it doesn't need to
// make any updates to the CERT_STORE_PROV_INFO.
typedef struct _CERT_STORE_PROV_INFO {
DWORD cbSize;
DWORD cStoreProvFunc;
void **rgpvStoreProvFunc;
HCERTSTOREPROV hStoreProv;
DWORD dwStoreProvFlags;
HCRYPTOIDFUNCADDR hStoreProvFuncAddr2;
} CERT_STORE_PROV_INFO, *PCERT_STORE_PROV_INFO;
// Definition of the store provider's open function.
//
// *pStoreProvInfo has been zeroed before the call.
//
// Note, pStoreProvInfo->cStoreProvFunc should be set last. Once set,
// all subsequent store calls, such as CertAddSerializedElementToStore will
// call the appropriate provider callback function.
typedef BOOL (WINAPI *PFN_CERT_DLL_OPEN_STORE_PROV_FUNC)(
IN LPCSTR lpszStoreProvider,
IN DWORD dwEncodingType,
IN HCRYPTPROV hCryptProv,
IN DWORD dwFlags,
IN const void *pvPara,
IN HCERTSTORE hCertStore,
IN OUT PCERT_STORE_PROV_INFO pStoreProvInfo
);
// The open callback sets the following flag, if it maintains its
// contexts externally and not in the cached store.
#define CERT_STORE_PROV_EXTERNAL_FLAG 0x1
// The open callback sets the following flag for a successful delete.
// When set, the close callback isn't called.
#define CERT_STORE_PROV_DELETED_FLAG 0x2
// The open callback sets the following flag if it doesn't persist store
// changes.
#define CERT_STORE_PROV_NO_PERSIST_FLAG 0x4
// The open callback sets the following flag if the contexts are persisted
// to a system store.
#define CERT_STORE_PROV_SYSTEM_STORE_FLAG 0x8
// Indices into the store provider's array of callback functions.
//
// The provider can implement any subset of the following functions. It
// sets pStoreProvInfo->cStoreProvFunc to the last index + 1 and any
// preceding not implemented functions to NULL.
#define CERT_STORE_PROV_CLOSE_FUNC 0
#define CERT_STORE_PROV_READ_CERT_FUNC 1
#define CERT_STORE_PROV_WRITE_CERT_FUNC 2
#define CERT_STORE_PROV_DELETE_CERT_FUNC 3
#define CERT_STORE_PROV_SET_CERT_PROPERTY_FUNC 4
#define CERT_STORE_PROV_READ_CRL_FUNC 5
#define CERT_STORE_PROV_WRITE_CRL_FUNC 6
#define CERT_STORE_PROV_DELETE_CRL_FUNC 7
#define CERT_STORE_PROV_SET_CRL_PROPERTY_FUNC 8
#define CERT_STORE_PROV_READ_CTL_FUNC 9
#define CERT_STORE_PROV_WRITE_CTL_FUNC 10
#define CERT_STORE_PROV_DELETE_CTL_FUNC 11
#define CERT_STORE_PROV_SET_CTL_PROPERTY_FUNC 12
#define CERT_STORE_PROV_CONTROL_FUNC 13
#define CERT_STORE_PROV_FIND_CERT_FUNC 14
#define CERT_STORE_PROV_FREE_FIND_CERT_FUNC 15
#define CERT_STORE_PROV_GET_CERT_PROPERTY_FUNC 16
#define CERT_STORE_PROV_FIND_CRL_FUNC 17
#define CERT_STORE_PROV_FREE_FIND_CRL_FUNC 18
#define CERT_STORE_PROV_GET_CRL_PROPERTY_FUNC 19
#define CERT_STORE_PROV_FIND_CTL_FUNC 20
#define CERT_STORE_PROV_FREE_FIND_CTL_FUNC 21
#define CERT_STORE_PROV_GET_CTL_PROPERTY_FUNC 22
// Called by CertCloseStore when the store's reference count is
// decremented to 0.
typedef void (WINAPI *PFN_CERT_STORE_PROV_CLOSE)(
IN HCERTSTOREPROV hStoreProv,
IN DWORD dwFlags
);
// Currently not called directly by the store APIs. However, may be exported
// to support other providers based on it.
//
// Reads the provider's copy of the certificate context. If it exists,
// creates a new certificate context.
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_READ_CERT)(
IN HCERTSTOREPROV hStoreProv,
IN PCCERT_CONTEXT pStoreCertContext,
IN DWORD dwFlags,
OUT PCCERT_CONTEXT *ppProvCertContext
);
#define CERT_STORE_PROV_WRITE_ADD_FLAG 0x1
// Called by CertAddEncodedCertificateToStore,
// CertAddCertificateContextToStore or CertAddSerializedElementToStore before
// adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
// addition to the encoded certificate, the added pCertContext might also
// have properties.
//
// Returns TRUE if its OK to update the the store.
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_WRITE_CERT)(
IN HCERTSTOREPROV hStoreProv,
IN PCCERT_CONTEXT pCertContext,
IN DWORD dwFlags
);
// Called by CertDeleteCertificateFromStore before deleting from the
// store.
//
// Returns TRUE if its OK to delete from the store.
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_DELETE_CERT)(
IN HCERTSTOREPROV hStoreProv,
IN PCCERT_CONTEXT pCertContext,
IN DWORD dwFlags
);
// Called by CertSetCertificateContextProperty before setting the
// certificate's property. Also called by CertGetCertificateContextProperty,
// when getting a hash property that needs to be created and then persisted
// via the set.
//
// Upon input, the property hasn't been set for the pCertContext parameter.
//
// Returns TRUE if its OK to set the property.
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_SET_CERT_PROPERTY)(
IN HCERTSTOREPROV hStoreProv,
IN PCCERT_CONTEXT pCertContext,
IN DWORD dwPropId,
IN DWORD dwFlags,
IN const void *pvData
);
// Currently not called directly by the store APIs. However, may be exported
// to support other providers based on it.
//
// Reads the provider's copy of the CRL context. If it exists,
// creates a new CRL context.
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_READ_CRL)(
IN HCERTSTOREPROV hStoreProv,
IN PCCRL_CONTEXT pStoreCrlContext,
IN DWORD dwFlags,
OUT PCCRL_CONTEXT *ppProvCrlContext
);
// Called by CertAddEncodedCRLToStore,
// CertAddCRLContextToStore or CertAddSerializedElementToStore before
// adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
// addition to the encoded CRL, the added pCertContext might also
// have properties.
//
// Returns TRUE if its OK to update the the store.
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_WRITE_CRL)(
IN HCERTSTOREPROV hStoreProv,
IN PCCRL_CONTEXT pCrlContext,
IN DWORD dwFlags
);
// Called by CertDeleteCRLFromStore before deleting from the store.
//
// Returns TRUE if its OK to delete from the store.
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_DELETE_CRL)(
IN HCERTSTOREPROV hStoreProv,
IN PCCRL_CONTEXT pCrlContext,
IN DWORD dwFlags
);
// Called by CertSetCRLContextProperty before setting the
// CRL's property. Also called by CertGetCRLContextProperty,
// when getting a hash property that needs to be created and then persisted
// via the set.
//
// Upon input, the property hasn't been set for the pCrlContext parameter.
//
// Returns TRUE if its OK to set the property.
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_SET_CRL_PROPERTY)(
IN HCERTSTOREPROV hStoreProv,
IN PCCRL_CONTEXT pCrlContext,
IN DWORD dwPropId,
IN DWORD dwFlags,
IN const void *pvData
);
// Currently not called directly by the store APIs. However, may be exported
// to support other providers based on it.
//
// Reads the provider's copy of the CTL context. If it exists,
// creates a new CTL context.
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_READ_CTL)(
IN HCERTSTOREPROV hStoreProv,
IN PCCTL_CONTEXT pStoreCtlContext,
IN DWORD dwFlags,
OUT PCCTL_CONTEXT *ppProvCtlContext
);
// Called by CertAddEncodedCTLToStore,
// CertAddCTLContextToStore or CertAddSerializedElementToStore before
// adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
// addition to the encoded CTL, the added pCertContext might also
// have properties.
//
// Returns TRUE if its OK to update the the store.
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_WRITE_CTL)(
IN HCERTSTOREPROV hStoreProv,
IN PCCTL_CONTEXT pCtlContext,
IN DWORD dwFlags
);
// Called by CertDeleteCTLFromStore before deleting from the store.
//
// Returns TRUE if its OK to delete from the store.
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_DELETE_CTL)(
IN HCERTSTOREPROV hStoreProv,
IN PCCTL_CONTEXT pCtlContext,
IN DWORD dwFlags
);
// Called by CertSetCTLContextProperty before setting the
// CTL's property. Also called by CertGetCTLContextProperty,
// when getting a hash property that needs to be created and then persisted
// via the set.
//
// Upon input, the property hasn't been set for the pCtlContext parameter.
//
// Returns TRUE if its OK to set the property.
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_SET_CTL_PROPERTY)(
IN HCERTSTOREPROV hStoreProv,
IN PCCTL_CONTEXT pCtlContext,
IN DWORD dwPropId,
IN DWORD dwFlags,
IN const void *pvData
);
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_CONTROL)(
IN HCERTSTOREPROV hStoreProv,
IN DWORD dwFlags,
IN DWORD dwCtrlType,
IN void const *pvCtrlPara
);
typedef struct _CERT_STORE_PROV_FIND_INFO {
DWORD cbSize;
DWORD dwMsgAndCertEncodingType;
DWORD dwFindFlags;
DWORD dwFindType;
const void *pvFindPara;
} CERT_STORE_PROV_FIND_INFO, *PCERT_STORE_PROV_FIND_INFO;
typedef const CERT_STORE_PROV_FIND_INFO CCERT_STORE_PROV_FIND_INFO,
*PCCERT_STORE_PROV_FIND_INFO;
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_FIND_CERT)(
IN HCERTSTOREPROV hStoreProv,
IN PCCERT_STORE_PROV_FIND_INFO pFindInfo,
IN PCCERT_CONTEXT pPrevCertContext,
IN DWORD dwFlags,
IN OUT void **ppvStoreProvFindInfo,
OUT PCCERT_CONTEXT *ppProvCertContext
);
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_FREE_FIND_CERT)(
IN HCERTSTOREPROV hStoreProv,
IN PCCERT_CONTEXT pCertContext,
IN void *pvStoreProvFindInfo,
IN DWORD dwFlags
);
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_GET_CERT_PROPERTY)(
IN HCERTSTOREPROV hStoreProv,
IN PCCERT_CONTEXT pCertContext,
IN DWORD dwPropId,
IN DWORD dwFlags,
OUT void *pvData,
IN OUT DWORD *pcbData
);
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_FIND_CRL)(
IN HCERTSTOREPROV hStoreProv,
IN PCCERT_STORE_PROV_FIND_INFO pFindInfo,
IN PCCRL_CONTEXT pPrevCrlContext,
IN DWORD dwFlags,
IN OUT void **ppvStoreProvFindInfo,
OUT PCCRL_CONTEXT *ppProvCrlContext
);
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_FREE_FIND_CRL)(
IN HCERTSTOREPROV hStoreProv,
IN PCCRL_CONTEXT pCrlContext,
IN void *pvStoreProvFindInfo,
IN DWORD dwFlags
);
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_GET_CRL_PROPERTY)(
IN HCERTSTOREPROV hStoreProv,
IN PCCRL_CONTEXT pCrlContext,
IN DWORD dwPropId,
IN DWORD dwFlags,
OUT void *pvData,
IN OUT DWORD *pcbData
);
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_FIND_CTL)(
IN HCERTSTOREPROV hStoreProv,
IN PCCERT_STORE_PROV_FIND_INFO pFindInfo,
IN PCCTL_CONTEXT pPrevCtlContext,
IN DWORD dwFlags,
IN OUT void **ppvStoreProvFindInfo,
OUT PCCTL_CONTEXT *ppProvCtlContext
);
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_FREE_FIND_CTL)(
IN HCERTSTOREPROV hStoreProv,
IN PCCTL_CONTEXT pCtlContext,
IN void *pvStoreProvFindInfo,
IN DWORD dwFlags
);
typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_GET_CTL_PROPERTY)(
IN HCERTSTOREPROV hStoreProv,
IN PCCTL_CONTEXT pCtlContext,
IN DWORD dwPropId,
IN DWORD dwFlags,
OUT void *pvData,
IN OUT DWORD *pcbData
);
//+-------------------------------------------------------------------------
// Duplicate a cert store handle
//--------------------------------------------------------------------------
WINCRYPT32API
HCERTSTORE
WINAPI
CertDuplicateStore(
IN HCERTSTORE hCertStore
);
#define CERT_STORE_SAVE_AS_STORE 1
#define CERT_STORE_SAVE_AS_PKCS7 2
#define CERT_STORE_SAVE_TO_FILE 1
#define CERT_STORE_SAVE_TO_MEMORY 2
#define CERT_STORE_SAVE_TO_FILENAME_A 3
#define CERT_STORE_SAVE_TO_FILENAME_W 4
#define CERT_STORE_SAVE_TO_FILENAME CERT_STORE_SAVE_TO_FILENAME_W
//+-------------------------------------------------------------------------
// Save the cert store. Extended version with lots of options.
//
// According to the dwSaveAs parameter, the store can be saved as a
// serialized store (CERT_STORE_SAVE_AS_STORE) containing properties in
// addition to encoded certificates, CRLs and CTLs or the store can be saved
// as a PKCS #7 signed message (CERT_STORE_SAVE_AS_PKCS7) which doesn't
// include the properties or CTLs.
//
// Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
// CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't saved into
// a serialized store.
//
// For CERT_STORE_SAVE_AS_PKCS7, the dwEncodingType specifies the message
// encoding type. The dwEncodingType parameter isn't used for
// CERT_STORE_SAVE_AS_STORE.
//
// The dwFlags parameter currently isn't used and should be set to 0.
//
// The dwSaveTo and pvSaveToPara parameters specify where to save the
// store as follows:
// CERT_STORE_SAVE_TO_FILE:
// Saves to the specified file. The file's handle is passed in
// pvSaveToPara. Given,
// HANDLE hFile; pvSaveToPara = (void *) hFile;
//
// For a successful save, the file pointer is positioned after the
// last write.
//
// CERT_STORE_SAVE_TO_MEMORY:
// Saves to the specified memory blob. The pointer to
// the memory blob is passed in pvSaveToPara. Given,
// CRYPT_DATA_BLOB SaveBlob; pvSaveToPara = (void *) &SaveBlob;
// Upon entry, the SaveBlob's pbData and cbData need to be initialized.
// Upon return, cbData is updated with the actual length.
// For a length only calculation, pbData should be set to NULL. If
// pbData is non-NULL and cbData isn't large enough, FALSE is returned
// with a last error of ERRROR_MORE_DATA.
//
// CERT_STORE_SAVE_TO_FILENAME_A:
// CERT_STORE_SAVE_TO_FILENAME_W:
// CERT_STORE_SAVE_TO_FILENAME:
// Opens the file and saves to it. The filename is passed in pvSaveToPara.
// The filename is UNICODE for the "_W" option and ASCII for the "_A"
// option. For "_W": given,
// LPCWSTR pwszFilename; pvSaveToPara = (void *) pwszFilename;
// For "_A": given,
// LPCSTR pszFilename; pvSaveToPara = (void *) pszFilename;
//
// Note, the default (without "_A" or "_W") is UNICODE.
//
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertSaveStore(
IN HCERTSTORE hCertStore,
IN DWORD dwEncodingType,
IN DWORD dwSaveAs,
IN DWORD dwSaveTo,
IN OUT void *pvSaveToPara,
IN DWORD dwFlags
);
//+-------------------------------------------------------------------------
// Certificate Store close flags
//--------------------------------------------------------------------------
#define CERT_CLOSE_STORE_FORCE_FLAG 0x00000001
#define CERT_CLOSE_STORE_CHECK_FLAG 0x00000002
//+-------------------------------------------------------------------------
// Close a cert store handle.
//
// There needs to be a corresponding close for each open and duplicate.
//
// Even on the final close, the cert store isn't freed until all of its
// certificate and CRL contexts have also been freed.
//
// On the final close, the hCryptProv passed to CertStoreOpen is
// CryptReleaseContext'ed.
//
// To force the closure of the store with all of its memory freed, set the
// CERT_STORE_CLOSE_FORCE_FLAG. This flag should be set when the caller does
// its own reference counting and wants everything to vanish.
//
// To check if all the store's certificates and CRLs have been freed and that
// this is the last CertCloseStore, set the CERT_CLOSE_STORE_CHECK_FLAG. If
// set and certs, CRLs or stores still need to be freed/closed, FALSE is
// returned with LastError set to CRYPT_E_PENDING_CLOSE. Note, for FALSE,
// the store is still closed. This is a diagnostic flag.
//
// LastError is preserved unless CERT_CLOSE_STORE_CHECK_FLAG is set and FALSE
// is returned.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertCloseStore(
IN HCERTSTORE hCertStore,
DWORD dwFlags
);
//+-------------------------------------------------------------------------
// Get the subject certificate context uniquely identified by its Issuer and
// SerialNumber from the store.
//
// If the certificate isn't found, NULL is returned. Otherwise, a pointer to
// a read only CERT_CONTEXT is returned. CERT_CONTEXT must be freed by calling
// CertFreeCertificateContext. CertDuplicateCertificateContext can be called to make a
// duplicate.
//
// The returned certificate might not be valid. Normally, it would be
// verified when getting its issuer certificate (CertGetIssuerCertificateFromStore).
//--------------------------------------------------------------------------
WINCRYPT32API
PCCERT_CONTEXT
WINAPI
CertGetSubjectCertificateFromStore(
IN HCERTSTORE hCertStore,
IN DWORD dwCertEncodingType,
IN PCERT_INFO pCertId // Only the Issuer and SerialNumber
// fields are used
);
//+-------------------------------------------------------------------------
// Enumerate the certificate contexts in the store.
//
// If a certificate isn't found, NULL is returned.
// Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
// must be freed by calling CertFreeCertificateContext or is freed when passed as the
// pPrevCertContext on a subsequent call. CertDuplicateCertificateContext
// can be called to make a duplicate.
//
// pPrevCertContext MUST BE NULL to enumerate the first
// certificate in the store. Successive certificates are enumerated by setting
// pPrevCertContext to the CERT_CONTEXT returned by a previous call.
//
// NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by
// this function, even for an error.
//--------------------------------------------------------------------------
WINCRYPT32API
PCCERT_CONTEXT
WINAPI
CertEnumCertificatesInStore(
IN HCERTSTORE hCertStore,
IN PCCERT_CONTEXT pPrevCertContext
);
//+-------------------------------------------------------------------------
// Find the first or next certificate context in the store.
//
// The certificate is found according to the dwFindType and its pvFindPara.
// See below for a list of the find types and its parameters.
//
// Currently dwFindFlags is only used for CERT_FIND_SUBJECT_ATTR,
// CERT_FIND_ISSUER_ATTR or CERT_FIND_CTL_USAGE. Otherwise, must be set to 0.
//
// Usage of dwCertEncodingType depends on the dwFindType.
//
// If the first or next certificate isn't found, NULL is returned.
// Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
// must be freed by calling CertFreeCertificateContext or is freed when passed as the
// pPrevCertContext on a subsequent call. CertDuplicateCertificateContext
// can be called to make a duplicate.
//
// pPrevCertContext MUST BE NULL on the first
// call to find the certificate. To find the next certificate, the
// pPrevCertContext is set to the CERT_CONTEXT returned by a previous call.
//
// NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by
// this function, even for an error.
//--------------------------------------------------------------------------
WINCRYPT32API
PCCERT_CONTEXT
WINAPI
CertFindCertificateInStore(
IN HCERTSTORE hCertStore,
IN DWORD dwCertEncodingType,
IN DWORD dwFindFlags,
IN DWORD dwFindType,
IN const void *pvFindPara,
IN PCCERT_CONTEXT pPrevCertContext
);
//+-------------------------------------------------------------------------
// Certificate comparison functions
//--------------------------------------------------------------------------
#define CERT_COMPARE_MASK 0xFFFF
#define CERT_COMPARE_SHIFT 16
#define CERT_COMPARE_ANY 0
#define CERT_COMPARE_SHA1_HASH 1
#define CERT_COMPARE_NAME 2
#define CERT_COMPARE_ATTR 3
#define CERT_COMPARE_MD5_HASH 4
#define CERT_COMPARE_PROPERTY 5
#define CERT_COMPARE_PUBLIC_KEY 6
#define CERT_COMPARE_HASH CERT_COMPARE_SHA1_HASH
#define CERT_COMPARE_NAME_STR_A 7
#define CERT_COMPARE_NAME_STR_W 8
#define CERT_COMPARE_KEY_SPEC 9
#define CERT_COMPARE_ENHKEY_USAGE 10
#define CERT_COMPARE_CTL_USAGE CERT_COMPARE_ENHKEY_USAGE
#define CERT_COMPARE_SUBJECT_CERT 11
#define CERT_COMPARE_ISSUER_OF 12
#define CERT_COMPARE_EXISTING 13
#define CERT_COMPARE_SIGNATURE_HASH 14
#define CERT_COMPARE_KEY_IDENTIFIER 15
#define CERT_COMPARE_CERT_ID 16
#define CERT_COMPARE_CROSS_CERT_DIST_POINTS 17
#define CERT_COMPARE_PUBKEY_MD5_HASH 18
//+-------------------------------------------------------------------------
// dwFindType
//
// The dwFindType definition consists of two components:
// - comparison function
// - certificate information flag
//--------------------------------------------------------------------------
#define CERT_FIND_ANY (CERT_COMPARE_ANY << CERT_COMPARE_SHIFT)
#define CERT_FIND_SHA1_HASH (CERT_COMPARE_SHA1_HASH << CERT_COMPARE_SHIFT)
#define CERT_FIND_MD5_HASH (CERT_COMPARE_MD5_HASH << CERT_COMPARE_SHIFT)
#define CERT_FIND_SIGNATURE_HASH (CERT_COMPARE_SIGNATURE_HASH << CERT_COMPARE_SHIFT)
#define CERT_FIND_KEY_IDENTIFIER (CERT_COMPARE_KEY_IDENTIFIER << CERT_COMPARE_SHIFT)
#define CERT_FIND_HASH CERT_FIND_SHA1_HASH
#define CERT_FIND_PROPERTY (CERT_COMPARE_PROPERTY << CERT_COMPARE_SHIFT)
#define CERT_FIND_PUBLIC_KEY (CERT_COMPARE_PUBLIC_KEY << CERT_COMPARE_SHIFT)
#define CERT_FIND_SUBJECT_NAME (CERT_COMPARE_NAME << CERT_COMPARE_SHIFT |
CERT_INFO_SUBJECT_FLAG)
#define CERT_FIND_SUBJECT_ATTR (CERT_COMPARE_ATTR << CERT_COMPARE_SHIFT |
CERT_INFO_SUBJECT_FLAG)
#define CERT_FIND_ISSUER_NAME (CERT_COMPARE_NAME << CERT_COMPARE_SHIFT |
CERT_INFO_ISSUER_FLAG)
#define CERT_FIND_ISSUER_ATTR (CERT_COMPARE_ATTR << CERT_COMPARE_SHIFT |
CERT_INFO_ISSUER_FLAG)
#define CERT_FIND_SUBJECT_STR_A (CERT_COMPARE_NAME_STR_A << CERT_COMPARE_SHIFT |
CERT_INFO_SUBJECT_FLAG)
#define CERT_FIND_SUBJECT_STR_W (CERT_COMPARE_NAME_STR_W << CERT_COMPARE_SHIFT |
CERT_INFO_SUBJECT_FLAG)
#define CERT_FIND_SUBJECT_STR CERT_FIND_SUBJECT_STR_W
#define CERT_FIND_ISSUER_STR_A (CERT_COMPARE_NAME_STR_A << CERT_COMPARE_SHIFT |
CERT_INFO_ISSUER_FLAG)
#define CERT_FIND_ISSUER_STR_W (CERT_COMPARE_NAME_STR_W << CERT_COMPARE_SHIFT |
CERT_INFO_ISSUER_FLAG)
#define CERT_FIND_ISSUER_STR CERT_FIND_ISSUER_STR_W
#define CERT_FIND_KEY_SPEC (CERT_COMPARE_KEY_SPEC << CERT_COMPARE_SHIFT)
#define CERT_FIND_ENHKEY_USAGE (CERT_COMPARE_ENHKEY_USAGE << CERT_COMPARE_SHIFT)
#define CERT_FIND_CTL_USAGE CERT_FIND_ENHKEY_USAGE
#define CERT_FIND_SUBJECT_CERT (CERT_COMPARE_SUBJECT_CERT << CERT_COMPARE_SHIFT)
#define CERT_FIND_ISSUER_OF (CERT_COMPARE_ISSUER_OF << CERT_COMPARE_SHIFT)
#define CERT_FIND_EXISTING (CERT_COMPARE_EXISTING << CERT_COMPARE_SHIFT)
#define CERT_FIND_CERT_ID (CERT_COMPARE_CERT_ID << CERT_COMPARE_SHIFT)
#define CERT_FIND_CROSS_CERT_DIST_POINTS
(CERT_COMPARE_CROSS_CERT_DIST_POINTS << CERT_COMPARE_SHIFT)
#define CERT_FIND_PUBKEY_MD5_HASH
(CERT_COMPARE_PUBKEY_MD5_HASH << CERT_COMPARE_SHIFT)
//+-------------------------------------------------------------------------
// CERT_FIND_ANY
//
// Find any certificate.
//
// pvFindPara isn't used.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_HASH
//
// Find a certificate with the specified hash.
//
// pvFindPara points to a CRYPT_HASH_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_KEY_IDENTIFIER
//
// Find a certificate with the specified KeyIdentifier. Gets the
// CERT_KEY_IDENTIFIER_PROP_ID property and compares with the input
// CRYPT_HASH_BLOB.
//
// pvFindPara points to a CRYPT_HASH_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_PROPERTY
//
// Find a certificate having the specified property.
//
// pvFindPara points to a DWORD containing the PROP_ID
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_PUBLIC_KEY
//
// Find a certificate matching the specified public key.
//
// pvFindPara points to a CERT_PUBLIC_KEY_INFO containing the public key
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_SUBJECT_NAME
// CERT_FIND_ISSUER_NAME
//
// Find a certificate with the specified subject/issuer name. Does an exact
// match of the entire name.
//
// Restricts search to certificates matching the dwCertEncodingType.
//
// pvFindPara points to a CERT_NAME_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_SUBJECT_ATTR
// CERT_FIND_ISSUER_ATTR
//
// Find a certificate with the specified subject/issuer attributes.
//
// Compares the attributes in the subject/issuer name with the
// Relative Distinguished Name's (CERT_RDN) array of attributes specified in
// pvFindPara. The comparison iterates through the CERT_RDN attributes and looks
// for an attribute match in any of the subject/issuer's RDNs.
//
// The CERT_RDN_ATTR fields can have the following special values:
// pszObjId == NULL - ignore the attribute object identifier
// dwValueType == RDN_ANY_TYPE - ignore the value type
// Value.pbData == NULL - match any value
//
// CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG should be set in dwFindFlags to do
// a case insensitive match. Otherwise, defaults to an exact, case sensitive
// match.
//
// CERT_UNICODE_IS_RDN_ATTRS_FLAG should be set in dwFindFlags if the RDN was
// initialized with unicode strings as for
// CryptEncodeObject(X509_UNICODE_NAME).
//
// Restricts search to certificates matching the dwCertEncodingType.
//
// pvFindPara points to a CERT_RDN (defined in wincert.h).
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_SUBJECT_STR_A
// CERT_FIND_SUBJECT_STR_W | CERT_FIND_SUBJECT_STR
// CERT_FIND_ISSUER_STR_A
// CERT_FIND_ISSUER_STR_W | CERT_FIND_ISSUER_STR
//
// Find a certificate containing the specified subject/issuer name string.
//
// First, the certificate's subject/issuer is converted to a name string
// via CertNameToStrA/CertNameToStrW(CERT_SIMPLE_NAME_STR). Then, a
// case insensitive substring within string match is performed.
//
// Restricts search to certificates matching the dwCertEncodingType.
//
// For *_STR_A, pvFindPara points to a null terminated character string.
// For *_STR_W, pvFindPara points to a null terminated wide character string.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_KEY_SPEC
//
// Find a certificate having a CERT_KEY_SPEC_PROP_ID property matching
// the specified KeySpec.
//
// pvFindPara points to a DWORD containing the KeySpec.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_ENHKEY_USAGE
//
// Find a certificate having the szOID_ENHANCED_KEY_USAGE extension or
// the CERT_ENHKEY_USAGE_PROP_ID and matching the specified pszUsageIdentifers.
//
// pvFindPara points to a CERT_ENHKEY_USAGE data structure. If pvFindPara
// is NULL or CERT_ENHKEY_USAGE's cUsageIdentifier is 0, then, matches any
// certificate having enhanced key usage.
//
// If the CERT_FIND_VALID_ENHKEY_USAGE_FLAG is set, then, only does a match
// for certificates that are valid for the specified usages. By default,
// the ceriticate must be valid for all usages. CERT_FIND_OR_ENHKEY_USAGE_FLAG
// can be set, if the certificate only needs to be valid for one of the
// specified usages. Note, CertGetValidUsages() is called to get the
// certificate's list of valid usages. Only the CERT_FIND_OR_ENHKEY_USAGE_FLAG
// is applicable when this flag is set.
//
// The CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG can be set in dwFindFlags to
// also match a certificate without either the extension or property.
//
// If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set in dwFindFlags, finds
// certificates without the key usage extension or property. Setting this
// flag takes precedence over pvFindPara being NULL.
//
// If the CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, then, only does a match
// using the extension. If pvFindPara is NULL or cUsageIdentifier is set to
// 0, finds certificates having the extension. If
// CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set, also matches a certificate
// without the extension. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set, finds
// certificates without the extension.
//
// If the CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG is set, then, only does a match
// using the property. If pvFindPara is NULL or cUsageIdentifier is set to
// 0, finds certificates having the property. If
// CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set, also matches a certificate
// without the property. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set, finds
// certificates without the property.
//
// If CERT_FIND_OR_ENHKEY_USAGE_FLAG is set, does an "OR" match of any of
// the specified pszUsageIdentifiers. If not set, then, does an "AND" match
// of all of the specified pszUsageIdentifiers.
//--------------------------------------------------------------------------
#define CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG 0x1
#define CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG 0x2
#define CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG 0x4
#define CERT_FIND_NO_ENHKEY_USAGE_FLAG 0x8
#define CERT_FIND_OR_ENHKEY_USAGE_FLAG 0x10
#define CERT_FIND_VALID_ENHKEY_USAGE_FLAG 0x20
#define CERT_FIND_OPTIONAL_CTL_USAGE_FLAG CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG
#define CERT_FIND_EXT_ONLY_CTL_USAGE_FLAG
CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG
#define CERT_FIND_PROP_ONLY_CTL_USAGE_FLAG
CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG
#define CERT_FIND_NO_CTL_USAGE_FLAG CERT_FIND_NO_ENHKEY_USAGE_FLAG
#define CERT_FIND_OR_CTL_USAGE_FLAG CERT_FIND_OR_ENHKEY_USAGE_FLAG
#define CERT_FIND_VALID_CTL_USAGE_FLAG CERT_FIND_VALID_ENHKEY_USAGE_FLAG
//+-------------------------------------------------------------------------
// CERT_FIND_CERT_ID
//
// Find a certificate with the specified CERT_ID.
//
// pvFindPara points to a CERT_ID.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_CROSS_CERT_DIST_POINTS
//
// Find a certificate having either a cross certificate distribution
// point extension or property.
//
// pvFindPara isn't used.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Get the certificate context from the store for the first or next issuer
// of the specified subject certificate. Perform the enabled
// verification checks on the subject. (Note, the checks are on the subject
// using the returned issuer certificate.)
//
// If the first or next issuer certificate isn't found, NULL is returned.
// Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
// must be freed by calling CertFreeCertificateContext or is freed when passed as the
// pPrevIssuerContext on a subsequent call. CertDuplicateCertificateContext
// can be called to make a duplicate.
//
// For a self signed subject certificate, NULL is returned with LastError set
// to CERT_STORE_SELF_SIGNED. The enabled verification checks are still done.
//
// The pSubjectContext may have been obtained from this store, another store
// or created by the caller application. When created by the caller, the
// CertCreateCertificateContext function must have been called.
//
// An issuer may have multiple certificates. This may occur when the validity
// period is about to change. pPrevIssuerContext MUST BE NULL on the first
// call to get the issuer. To get the next certificate for the issuer, the
// pPrevIssuerContext is set to the CERT_CONTEXT returned by a previous call.
//
// NOTE: a NON-NULL pPrevIssuerContext is always CertFreeCertificateContext'ed by
// this function, even for an error.
//
// The following flags can be set in *pdwFlags to enable verification checks
// on the subject certificate context:
// CERT_STORE_SIGNATURE_FLAG - use the public key in the returned
// issuer certificate to verify the
// signature on the subject certificate.
// Note, if pSubjectContext->hCertStore ==
// hCertStore, the store provider might
// be able to eliminate a redo of
// the signature verify.
// CERT_STORE_TIME_VALIDITY_FLAG - get the current time and verify that
// its within the subject certificate's
// validity period
// CERT_STORE_REVOCATION_FLAG - check if the subject certificate is on
// the issuer's revocation list
//
// If an enabled verification check fails, then, its flag is set upon return.
// If CERT_STORE_REVOCATION_FLAG was enabled and the issuer doesn't have a
// CRL in the store, then, CERT_STORE_NO_CRL_FLAG is set in addition to
// the CERT_STORE_REVOCATION_FLAG.
//
// If CERT_STORE_SIGNATURE_FLAG or CERT_STORE_REVOCATION_FLAG is set, then,
// CERT_STORE_NO_ISSUER_FLAG is set if it doesn't have an issuer certificate
// in the store.
//
// For a verification check failure, a pointer to the issuer's CERT_CONTEXT
// is still returned and SetLastError isn't updated.
//--------------------------------------------------------------------------
WINCRYPT32API
PCCERT_CONTEXT
WINAPI
CertGetIssuerCertificateFromStore(
IN HCERTSTORE hCertStore,
IN PCCERT_CONTEXT pSubjectContext,
IN OPTIONAL PCCERT_CONTEXT pPrevIssuerContext,
IN OUT DWORD *pdwFlags
);
//+-------------------------------------------------------------------------
// Perform the enabled verification checks on the subject certificate
// using the issuer. Same checks and flags definitions as for the above
// CertGetIssuerCertificateFromStore.
//
// If you are only checking CERT_STORE_TIME_VALIDITY_FLAG, then, the
// issuer can be NULL.
//
// For a verification check failure, SUCCESS is still returned.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertVerifySubjectCertificateContext(
IN PCCERT_CONTEXT pSubject,
IN OPTIONAL PCCERT_CONTEXT pIssuer,
IN OUT DWORD *pdwFlags
);
//+-------------------------------------------------------------------------
// Duplicate a certificate context
//--------------------------------------------------------------------------
WINCRYPT32API
PCCERT_CONTEXT
WINAPI
CertDuplicateCertificateContext(
IN PCCERT_CONTEXT pCertContext
);
//+-------------------------------------------------------------------------
// Create a certificate context from the encoded certificate. The created
// context isn't put in a store.
//
// Makes a copy of the encoded certificate in the created context.
//
// If unable to decode and create the certificate context, NULL is returned.
// Otherwise, a pointer to a read only CERT_CONTEXT is returned.
// CERT_CONTEXT must be freed by calling CertFreeCertificateContext.
// CertDuplicateCertificateContext can be called to make a duplicate.
//
// CertSetCertificateContextProperty and CertGetCertificateContextProperty can be called
// to store properties for the certificate.
//--------------------------------------------------------------------------
WINCRYPT32API
PCCERT_CONTEXT
WINAPI
CertCreateCertificateContext(
IN DWORD dwCertEncodingType,
IN const BYTE *pbCertEncoded,
IN DWORD cbCertEncoded
);
//+-------------------------------------------------------------------------
// Free a certificate context
//
// There needs to be a corresponding free for each context obtained by a
// get, find, duplicate or create.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertFreeCertificateContext(
IN PCCERT_CONTEXT pCertContext
);
//+-------------------------------------------------------------------------
// Set the property for the specified certificate context.
//
// The type definition for pvData depends on the dwPropId value. There are
// five predefined types:
// CERT_KEY_PROV_HANDLE_PROP_ID - a HCRYPTPROV for the certificate's
// private key is passed in pvData. Updates the hCryptProv field
// of the CERT_KEY_CONTEXT_PROP_ID. If the CERT_KEY_CONTEXT_PROP_ID
// doesn't exist, its created with all the other fields zeroed out. If
// CERT_STORE_NO_CRYPT_RELEASE_FLAG isn't set, HCRYPTPROV is implicitly
// released when either the property is set to NULL or on the final
// free of the CertContext.
//
// CERT_KEY_PROV_INFO_PROP_ID - a PCRYPT_KEY_PROV_INFO for the certificate's
// private key is passed in pvData.
//
// CERT_SHA1_HASH_PROP_ID -
// CERT_MD5_HASH_PROP_ID -
// CERT_SIGNATURE_HASH_PROP_ID - normally, a hash property is implicitly
// set by doing a CertGetCertificateContextProperty. pvData points to a
// CRYPT_HASH_BLOB.
//
// CERT_KEY_CONTEXT_PROP_ID - a PCERT_KEY_CONTEXT for the certificate's
// private key is passed in pvData. The CERT_KEY_CONTEXT contains both the
// hCryptProv and dwKeySpec for the private key.
// See the CERT_KEY_PROV_HANDLE_PROP_ID for more information about
// the hCryptProv field and dwFlags settings. Note, more fields may
// be added for this property. The cbSize field value will be adjusted
// accordingly.
//
// CERT_KEY_SPEC_PROP_ID - the dwKeySpec for the private key. pvData
// points to a DWORD containing the KeySpec
//
// CERT_ENHKEY_USAGE_PROP_ID - enhanced key usage definition for the
// certificate. pvData points to a CRYPT_DATA_BLOB containing an
// ASN.1 encoded CERT_ENHKEY_USAGE (encoded via
// CryptEncodeObject(X509_ENHANCED_KEY_USAGE).
//
// CERT_NEXT_UPDATE_LOCATION_PROP_ID - location of the next update.
// Currently only applicable to CTLs. pvData points to a CRYPT_DATA_BLOB
// containing an ASN.1 encoded CERT_ALT_NAME_INFO (encoded via
// CryptEncodeObject(X509_ALTERNATE_NAME)).
//
// CERT_FRIENDLY_NAME_PROP_ID - friendly name for the cert, CRL or CTL.
// pvData points to a CRYPT_DATA_BLOB. pbData is a pointer to a NULL
// terminated unicode, wide character string.
// cbData = (wcslen((LPWSTR) pbData) + 1) * sizeof(WCHAR).
//
// CERT_DESCRIPTION_PROP_ID - description for the cert, CRL or CTL.
// pvData points to a CRYPT_DATA_BLOB. pbData is a pointer to a NULL
// terminated unicode, wide character string.
// cbData = (wcslen((LPWSTR) pbData) + 1) * sizeof(WCHAR).
//
// CERT_ARCHIVED_PROP_ID - when this property is set, the certificate
// is skipped during enumeration. Note, certificates having this property
// are still found for explicit finds, such as, finding a certificate
// with a specific hash or finding a certificate having a specific issuer
// and serial number. pvData points to a CRYPT_DATA_BLOB. This blob
// can be NULL (pbData = NULL, cbData = 0).
//
// CERT_PUBKEY_ALG_PARA_PROP_ID - for public keys supporting
// algorithm parameter inheritance. pvData points to a CRYPT_OBJID_BLOB
// containing the ASN.1 encoded PublicKey Algorithm Parameters. For
// DSS this would be the parameters encoded via
// CryptEncodeObject(X509_DSS_PARAMETERS). This property may be set
// by CryptVerifyCertificateSignatureEx().
//
// CERT_CROSS_CERT_DIST_POINTS_PROP_ID - location of the cross certs.
// Currently only applicable to certs. pvData points to a CRYPT_DATA_BLOB
// containing an ASN.1 encoded CROSS_CERT_DIST_POINTS_INFO (encoded via
// CryptEncodeObject(X509_CROSS_CERT_DIST_POINTS)).
//
// CERT_ENROLLMENT_PROP_ID - enrollment information of the pending request.
// It contains RequestID, CADNSName, CAName, and FriendlyName.
// The data format is defined as, the first 4 bytes - pending request ID,
// next 4 bytes - CADNSName size in characters including null-terminator
// followed by CADNSName string with null-terminator,
// next 4 bytes - CAName size in characters including null-terminator
// followed by CAName string with null-terminator,
// next 4 bytes - FriendlyName size in characters including null-terminator
// followed by FriendlyName string with null-terminator.
//
// CERT_DATE_STAMP_PROP_ID - contains the time when added to the store
// by an admin tool. pvData points to a CRYPT_DATA_BLOB containing
// the FILETIME.
//
// CERT_RENEWAL_PROP_ID - contains the hash of renewed certificate
//
// For all the other PROP_IDs: an encoded PCRYPT_DATA_BLOB is passed in pvData.
//
// If the property already exists, then, the old value is deleted and silently
// replaced. Setting, pvData to NULL, deletes the property.
//
// CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG can be set to ignore any
// provider write errors and always update the cached context's property.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertSetCertificateContextProperty(
IN PCCERT_CONTEXT pCertContext,
IN DWORD dwPropId,
IN DWORD dwFlags,
IN const void *pvData
);
// Set this flag to ignore any store provider write errors and always update
// the cached context's property
#define CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG 0x80000000
// Set this flag to inhibit the persisting of this property
#define CERT_SET_PROPERTY_INHIBIT_PERSIST_FLAG 0x40000000
//+-------------------------------------------------------------------------
// Get the property for the specified certificate context.
//
// For CERT_KEY_PROV_HANDLE_PROP_ID, pvData points to a HCRYPTPROV.
//
// For CERT_KEY_PROV_INFO_PROP_ID, pvData points to a CRYPT_KEY_PROV_INFO structure.
// Elements pointed to by fields in the pvData structure follow the
// structure. Therefore, *pcbData may exceed the size of the structure.
//
// For CERT_KEY_CONTEXT_PROP_ID, pvData points to a CERT_KEY_CONTEXT structure.
//
// For CERT_KEY_SPEC_PROP_ID, pvData points to a DWORD containing the KeySpec.
// If the CERT_KEY_CONTEXT_PROP_ID exists, the KeySpec is obtained from there.
// Otherwise, if the CERT_KEY_PROV_INFO_PROP_ID exists, its the source
// of the KeySpec.
//
// For CERT_SHA1_HASH_PROP_ID or CERT_MD5_HASH_PROP_ID, if the hash
// doesn't already exist, then, its computed via CryptHashCertificate()
// and then set. pvData points to the computed hash. Normally, the length
// is 20 bytes for SHA and 16 for MD5.
//
// For CERT_SIGNATURE_HASH_PROP_ID, if the hash
// doesn't already exist, then, its computed via CryptHashToBeSigned()
// and then set. pvData points to the computed hash. Normally, the length
// is 20 bytes for SHA and 16 for MD5.
//
// For CERT_ACCESS_STATE_PROP_ID, pvData points to a DWORD containing the
// access state flags. The appropriate CERT_ACCESS_STATE_*_FLAG's are set
// in the returned DWORD. See the CERT_ACCESS_STATE_*_FLAG definitions
// above. Note, this property is read only. It can't be set.
//
// For CERT_KEY_IDENTIFIER_PROP_ID, if property doesn't already exist,
// first searches for the szOID_SUBJECT_KEY_IDENTIFIER extension. Next,
// does SHA1 hash of the certficate's SubjectPublicKeyInfo. pvData
// points to the key identifier bytes. Normally, the length is 20 bytes.
//
// For CERT_PUBKEY_ALG_PARA_PROP_ID, pvPara points to the ASN.1 encoded
// PublicKey Algorithm Parameters. This property will only be set
// for public keys supporting algorithm parameter inheritance and when the
// parameters have been omitted from the encoded and signed certificate.
//
// For CERT_DATE_STAMP_PROP_ID, pvPara points to a FILETIME updated by
// an admin tool to indicate when the certificate was added to the store.
//
// For all other PROP_IDs, pvData points to an encoded array of bytes.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertGetCertificateContextProperty(
IN PCCERT_CONTEXT pCertContext,
IN DWORD dwPropId,
OUT void *pvData,
IN OUT DWORD *pcbData
);
//+-------------------------------------------------------------------------
// Enumerate the properties for the specified certificate context.
//
// To get the first property, set dwPropId to 0. The ID of the first
// property is returned. To get the next property, set dwPropId to the
// ID returned by the last call. To enumerate all the properties continue
// until 0 is returned.
//
// CertGetCertificateContextProperty is called to get the property's data.
//
// Note, since, the CERT_KEY_PROV_HANDLE_PROP_ID and CERT_KEY_SPEC_PROP_ID
// properties are stored as fields in the CERT_KEY_CONTEXT_PROP_ID
// property, they aren't enumerated individually.
//--------------------------------------------------------------------------
WINCRYPT32API
DWORD
WINAPI
CertEnumCertificateContextProperties(
IN PCCERT_CONTEXT pCertContext,
IN DWORD dwPropId
);
//+-------------------------------------------------------------------------
// Creates a CTL entry whose attributes are the certificate context's
// properties.
//
// The SubjectIdentifier in the CTL entry is the SHA1 hash of the certificate.
//
// The certificate properties are added as attributes. The property attribute
// OID is the decimal PROP_ID preceded by szOID_CERT_PROP_ID_PREFIX. Each
// property value is copied as a single attribute value.
//
// Any additional attributes to be included in the CTL entry can be passed
// in via the cOptAttr and rgOptAttr parameters.
//
// CTL_ENTRY_FROM_PROP_CHAIN_FLAG can be set in dwFlags, to force the
// inclusion of the chain building hash properties as attributes.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertCreateCTLEntryFromCertificateContextProperties(
IN PCCERT_CONTEXT pCertContext,
IN DWORD cOptAttr,
IN OPTIONAL PCRYPT_ATTRIBUTE rgOptAttr,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT OPTIONAL PCTL_ENTRY pCtlEntry,
IN OUT DWORD *pcbCtlEntry
);
// Set this flag to get and include the chain building hash properties
// as attributes in the CTL entry
#define CTL_ENTRY_FROM_PROP_CHAIN_FLAG 0x1
//+-------------------------------------------------------------------------
// Sets properties on the certificate context using the attributes in
// the CTL entry.
//
// The property attribute OID is the decimal PROP_ID preceded by
// szOID_CERT_PROP_ID_PREFIX. Only attributes containing such an OID are
// copied.
//
// CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG may be set in dwFlags.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertSetCertificateContextPropertiesFromCTLEntry(
IN PCCERT_CONTEXT pCertContext,
IN PCTL_ENTRY pCtlEntry,
IN DWORD dwFlags
);
//+-------------------------------------------------------------------------
// Get the first or next CRL context from the store for the specified
// issuer certificate. Perform the enabled verification checks on the CRL.
//
// If the first or next CRL isn't found, NULL is returned.
// Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
// must be freed by calling CertFreeCRLContext. However, the free must be
// pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
// can be called to make a duplicate.
//
// The pIssuerContext may have been obtained from this store, another store
// or created by the caller application. When created by the caller, the
// CertCreateCertificateContext function must have been called.
//
// If pIssuerContext == NULL, finds all the CRLs in the store.
//
// An issuer may have multiple CRLs. For example, it generates delta CRLs
// using a X.509 v3 extension. pPrevCrlContext MUST BE NULL on the first
// call to get the CRL. To get the next CRL for the issuer, the
// pPrevCrlContext is set to the CRL_CONTEXT returned by a previous call.
//
// NOTE: a NON-NULL pPrevCrlContext is always CertFreeCRLContext'ed by
// this function, even for an error.
//
// The following flags can be set in *pdwFlags to enable verification checks
// on the returned CRL:
// CERT_STORE_SIGNATURE_FLAG - use the public key in the
// issuer's certificate to verify the
// signature on the returned CRL.
// Note, if pIssuerContext->hCertStore ==
// hCertStore, the store provider might
// be able to eliminate a redo of
// the signature verify.
// CERT_STORE_TIME_VALIDITY_FLAG - get the current time and verify that
// its within the CRL's ThisUpdate and
// NextUpdate validity period.
// CERT_STORE_BASE_CRL_FLAG - get base CRL.
// CERT_STORE_DELTA_CRL_FLAG - get delta CRL.
//
// If only one of CERT_STORE_BASE_CRL_FLAG or CERT_STORE_DELTA_CRL_FLAG is
// set, then, only returns either a base or delta CRL. In any case, the
// appropriate base or delta flag will be cleared upon returned. If both
// flags are set, then, only one of flags will be cleared.
//
// If an enabled verification check fails, then, its flag is set upon return.
//
// If pIssuerContext == NULL, then, an enabled CERT_STORE_SIGNATURE_FLAG
// always fails and the CERT_STORE_NO_ISSUER_FLAG is also set.
//
// For a verification check failure, a pointer to the first or next
// CRL_CONTEXT is still returned and SetLastError isn't updated.
//--------------------------------------------------------------------------
WINCRYPT32API
PCCRL_CONTEXT
WINAPI
CertGetCRLFromStore(
IN HCERTSTORE hCertStore,
IN OPTIONAL PCCERT_CONTEXT pIssuerContext,
IN PCCRL_CONTEXT pPrevCrlContext,
IN OUT DWORD *pdwFlags
);
//+-------------------------------------------------------------------------
// Enumerate the CRL contexts in the store.
//
// If a CRL isn't found, NULL is returned.
// Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
// must be freed by calling CertFreeCRLContext or is freed when passed as the
// pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
// can be called to make a duplicate.
//
// pPrevCrlContext MUST BE NULL to enumerate the first
// CRL in the store. Successive CRLs are enumerated by setting
// pPrevCrlContext to the CRL_CONTEXT returned by a previous call.
//
// NOTE: a NON-NULL pPrevCrlContext is always CertFreeCRLContext'ed by
// this function, even for an error.
//--------------------------------------------------------------------------
WINCRYPT32API
PCCRL_CONTEXT
WINAPI
CertEnumCRLsInStore(
IN HCERTSTORE hCertStore,
IN PCCRL_CONTEXT pPrevCrlContext
);
//+-------------------------------------------------------------------------
// Find the first or next CRL context in the store.
//
// The CRL is found according to the dwFindType and its pvFindPara.
// See below for a list of the find types and its parameters.
//
// Currently dwFindFlags isn't used and must be set to 0.
//
// Usage of dwCertEncodingType depends on the dwFindType.
//
// If the first or next CRL isn't found, NULL is returned.
// Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
// must be freed by calling CertFreeCRLContext or is freed when passed as the
// pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
// can be called to make a duplicate.
//
// pPrevCrlContext MUST BE NULL on the first
// call to find the CRL. To find the next CRL, the
// pPrevCrlContext is set to the CRL_CONTEXT returned by a previous call.
//
// NOTE: a NON-NULL pPrevCrlContext is always CertFreeCRLContext'ed by
// this function, even for an error.
//--------------------------------------------------------------------------
WINCRYPT32API
PCCRL_CONTEXT
WINAPI
CertFindCRLInStore(
IN HCERTSTORE hCertStore,
IN DWORD dwCertEncodingType,
IN DWORD dwFindFlags,
IN DWORD dwFindType,
IN const void *pvFindPara,
IN PCCRL_CONTEXT pPrevCrlContext
);
#define CRL_FIND_ANY 0
#define CRL_FIND_ISSUED_BY 1
#define CRL_FIND_EXISTING 2
#define CRL_FIND_ISSUED_FOR 3
//+-------------------------------------------------------------------------
// CRL_FIND_ANY
//
// Find any CRL.
//
// pvFindPara isn't used.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CRL_FIND_ISSUED_BY
//
// Find CRL matching the specified issuer.
//
// pvFindPara is the PCCERT_CONTEXT of the CRL issuer. May be NULL to
// match any issuer.
//
// By default, only does issuer name matching. The following flags can be
// set in dwFindFlags to do additional filtering.
//
// If CRL_FIND_ISSUED_BY_AKI_FLAG is set in dwFindFlags, then, checks if the
// CRL has an Authority Key Identifier (AKI) extension. If the CRL has an
// AKI, then, only returns a CRL whose AKI matches the issuer.
//
// Note, the AKI extension has the following OID:
// szOID_AUTHORITY_KEY_IDENTIFIER2 and its corresponding data structure.
//
// If CRL_FIND_ISSUED_BY_SIGNATURE_FLAG is set in dwFindFlags, then,
// uses the public key in the issuer's certificate to verify the
// signature on the CRL. Only returns a CRL having a valid signature.
//
// If CRL_FIND_ISSUED_BY_DELTA_FLAG is set in dwFindFlags, then, only
// returns a delta CRL.
//
// If CRL_FIND_ISSUED_BY_BASE_FLAG is set in dwFindFlags, then, only
// returns a base CRL.
//--------------------------------------------------------------------------
#define CRL_FIND_ISSUED_BY_AKI_FLAG 0x1
#define CRL_FIND_ISSUED_BY_SIGNATURE_FLAG 0x2
#define CRL_FIND_ISSUED_BY_DELTA_FLAG 0x4
#define CRL_FIND_ISSUED_BY_BASE_FLAG 0x8
//+-------------------------------------------------------------------------
// CRL_FIND_EXISTING
//
// Find existing CRL in the store.
//
// pvFindPara is the PCCRL_CONTEXT of the CRL to check if it already
// exists in the store.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CRL_FIND_ISSUED_FOR
//
// Find CRL for the specified subject and its issuer.
//
// pvFindPara points to the following CRL_FIND_ISSUED_FOR_PARA which contains
// both the subject and issuer certificates. Not optional.
//
// The subject's issuer name is used to match the CRL's issuer name. Otherwise,
// the issuer's certificate is used the same as in the above
// CRL_FIND_ISSUED_BY.
//
// Note, when cross certificates are used, the subject name in the issuer's
// certificate may not match the issuer name in the subject certificate and
// its corresponding CRL.
//
// All of the above CRL_FIND_ISSUED_BY_*_FLAGS apply to this find type.
//--------------------------------------------------------------------------
typedef struct _CRL_FIND_ISSUED_FOR_PARA {
PCCERT_CONTEXT pSubjectCert;
PCCERT_CONTEXT pIssuerCert;
} CRL_FIND_ISSUED_FOR_PARA, *PCRL_FIND_ISSUED_FOR_PARA;
//+-------------------------------------------------------------------------
// Duplicate a CRL context
//--------------------------------------------------------------------------
WINCRYPT32API
PCCRL_CONTEXT
WINAPI
CertDuplicateCRLContext(
IN PCCRL_CONTEXT pCrlContext
);
//+-------------------------------------------------------------------------
// Create a CRL context from the encoded CRL. The created
// context isn't put in a store.
//
// Makes a copy of the encoded CRL in the created context.
//
// If unable to decode and create the CRL context, NULL is returned.
// Otherwise, a pointer to a read only CRL_CONTEXT is returned.
// CRL_CONTEXT must be freed by calling CertFreeCRLContext.
// CertDuplicateCRLContext can be called to make a duplicate.
//
// CertSetCRLContextProperty and CertGetCRLContextProperty can be called
// to store properties for the CRL.
//--------------------------------------------------------------------------
WINCRYPT32API
PCCRL_CONTEXT
WINAPI
CertCreateCRLContext(
IN DWORD dwCertEncodingType,
IN const BYTE *pbCrlEncoded,
IN DWORD cbCrlEncoded
);
//+-------------------------------------------------------------------------
// Free a CRL context
//
// There needs to be a corresponding free for each context obtained by a
// get, duplicate or create.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertFreeCRLContext(
IN PCCRL_CONTEXT pCrlContext
);
//+-------------------------------------------------------------------------
// Set the property for the specified CRL context.
//
// Same Property Ids and semantics as CertSetCertificateContextProperty.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertSetCRLContextProperty(
IN PCCRL_CONTEXT pCrlContext,
IN DWORD dwPropId,
IN DWORD dwFlags,
IN const void *pvData
);
//+-------------------------------------------------------------------------
// Get the property for the specified CRL context.
//
// Same Property Ids and semantics as CertGetCertificateContextProperty.
//
// CERT_SHA1_HASH_PROP_ID, CERT_MD5_HASH_PROP_ID or
// CERT_SIGNATURE_HASH_PROP_ID is the predefined property of most interest.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertGetCRLContextProperty(
IN PCCRL_CONTEXT pCrlContext,
IN DWORD dwPropId,
OUT void *pvData,
IN OUT DWORD *pcbData
);
//+-------------------------------------------------------------------------
// Enumerate the properties for the specified CRL context.
//
// To get the first property, set dwPropId to 0. The ID of the first
// property is returned. To get the next property, set dwPropId to the
// ID returned by the last call. To enumerate all the properties continue
// until 0 is returned.
//
// CertGetCRLContextProperty is called to get the property's data.
//--------------------------------------------------------------------------
WINCRYPT32API
DWORD
WINAPI
CertEnumCRLContextProperties(
IN PCCRL_CONTEXT pCrlContext,
IN DWORD dwPropId
);
//+-------------------------------------------------------------------------
// Search the CRL's list of entries for the specified certificate.
//
// TRUE is returned if we were able to search the list. Otherwise, FALSE is
// returned,
//
// For success, if the certificate was found in the list, *ppCrlEntry is
// updated with a pointer to the entry. Otherwise, *ppCrlEntry is set to NULL.
// The returned entry isn't allocated and must not be freed.
//
// dwFlags and pvReserved currently aren't used and must be set to 0 or NULL.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertFindCertificateInCRL(
IN PCCERT_CONTEXT pCert,
IN PCCRL_CONTEXT pCrlContext,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT PCRL_ENTRY *ppCrlEntry
);
//+-------------------------------------------------------------------------
// Is the specified CRL valid for the certificate.
//
// Returns TRUE if the CRL's list of entries would contain the certificate
// if it was revoked. Note, doesn't check that the certificate is in the
// list of entries.
//
// If the CRL has an Issuing Distribution Point (IDP) extension, checks
// that it's valid for the subject certificate.
//
// dwFlags and pvReserved currently aren't used and must be set to 0 and NULL.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertIsValidCRLForCertificate(
IN PCCERT_CONTEXT pCert,
IN PCCRL_CONTEXT pCrl,
IN DWORD dwFlags,
IN void *pvReserved
);
//+-------------------------------------------------------------------------
// Add certificate/CRL, encoded, context or element disposition values.
//--------------------------------------------------------------------------
#define CERT_STORE_ADD_NEW 1
#define CERT_STORE_ADD_USE_EXISTING 2
#define CERT_STORE_ADD_REPLACE_EXISTING 3
#define CERT_STORE_ADD_ALWAYS 4
#define CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES 5
#define CERT_STORE_ADD_NEWER 6
#define CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES 7
//+-------------------------------------------------------------------------
// Add the encoded certificate to the store according to the specified
// disposition action.
//
// Makes a copy of the encoded certificate before adding to the store.
//
// dwAddDispostion specifies the action to take if the certificate
// already exists in the store. This parameter must be one of the following
// values:
// CERT_STORE_ADD_NEW
// Fails if the certificate already exists in the store. LastError
// is set to CRYPT_E_EXISTS.
// CERT_STORE_ADD_USE_EXISTING
// If the certifcate already exists, then, its used and if ppCertContext
// is non-NULL, the existing context is duplicated.
// CERT_STORE_ADD_REPLACE_EXISTING
// If the certificate already exists, then, the existing certificate
// context is deleted before creating and adding the new context.
// CERT_STORE_ADD_ALWAYS
// No check is made to see if the certificate already exists. A
// new certificate context is always created. This may lead to
// duplicates in the store.
// CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES
// If the certificate already exists, then, its used.
// CERT_STORE_ADD_NEWER
// Fails if the certificate already exists in the store AND the NotBefore
// time of the existing certificate is equal to or greater than the
// NotBefore time of the new certificate being added. LastError
// is set to CRYPT_E_EXISTS.
//
// If an older certificate is replaced, same as
// CERT_STORE_ADD_REPLACE_EXISTING.
//
// For CRLs or CTLs compares the ThisUpdate times.
//
// CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES
// Same as CERT_STORE_ADD_NEWER. However, if an older certificate is
// replaced, same as CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES.
//
// CertGetSubjectCertificateFromStore is called to determine if the
// certificate already exists in the store.
//
// ppCertContext can be NULL, indicating the caller isn't interested
// in getting the CERT_CONTEXT of the added or existing certificate.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertAddEncodedCertificateToStore(
IN HCERTSTORE hCertStore,
IN DWORD dwCertEncodingType,
IN const BYTE *pbCertEncoded,
IN DWORD cbCertEncoded,
IN DWORD dwAddDisposition,
OUT OPTIONAL PCCERT_CONTEXT *ppCertContext
);
//+-------------------------------------------------------------------------
// Add the certificate context to the store according to the specified
// disposition action.
//
// In addition to the encoded certificate, the context's properties are