模拟服务器

开发平台：

C/C++

WinCrypt.h：源码内容

// cbSize must be set to the sizeof(CRYPT_SIGN_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//
// pvHashAuxInfo currently isn't used and must be set to NULL.
//
// dwFlags normally is set to 0. However, if the encoded output
// is to be a CMSG_SIGNED inner content of an outer cryptographic message,
// such as a CMSG_ENVELOPED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
// should be set. If not set, then it would be encoded as an inner content
// type of CMSG_DATA.
//
// dwInnerContentType is normally set to 0. It needs to be set if the
// ToBeSigned input is the encoded output of another cryptographic
// message, such as, an CMSG_ENVELOPED. When set, it's one of the cryptographic
// message types, for example, CMSG_ENVELOPED.
//
// If the inner content of a nested cryptographic message is data (CMSG_DATA
// the default), then, neither dwFlags or dwInnerContentType need to be set.
//
// For CMS messages, CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG may be
// set to encapsulate nonData inner content within an OCTET STRING.
//
// For CMS messages, CRYPT_MESSAGE_KEYID_SIGNER_FLAG may be set to identify
// signers by their Key Identifier and not their Issuer and Serial Number.
//
// The CRYPT_MESSAGE_SILENT_KEYSET_FLAG can be set to suppress any UI by the
// CSP. See CryptAcquireContext's CRYPT_SILENT flag for more details.
//
// If HashEncryptionAlgorithm is present and not NULL its used instead of
// the SigningCert's PublicKeyInfo.Algorithm.
//
// Note, for RSA, the hash encryption algorithm is normally the same as
// the public key algorithm. For DSA, the hash encryption algorithm is
// normally a DSS signature algorithm.
//
// pvHashEncryptionAuxInfo currently isn't used and must be set to NULL if
// present in the data structure.
//--------------------------------------------------------------------------
typedef struct _CRYPT_SIGN_MESSAGE_PARA {
DWORD cbSize;
DWORD dwMsgEncodingType;
PCCERT_CONTEXT pSigningCert;
CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
void *pvHashAuxInfo;
DWORD cMsgCert;
PCCERT_CONTEXT *rgpMsgCert;
DWORD cMsgCrl;
PCCRL_CONTEXT *rgpMsgCrl;
DWORD cAuthAttr;
PCRYPT_ATTRIBUTE rgAuthAttr;
DWORD cUnauthAttr;
PCRYPT_ATTRIBUTE rgUnauthAttr;
DWORD dwFlags;
DWORD dwInnerContentType;
#ifdef CRYPT_SIGN_MESSAGE_PARA_HAS_CMS_FIELDS
CRYPT_ALGORITHM_IDENTIFIER HashEncryptionAlgorithm;
void *pvHashEncryptionAuxInfo;
#endif
} CRYPT_SIGN_MESSAGE_PARA, *PCRYPT_SIGN_MESSAGE_PARA;
#define CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG 0x00000001
// When set, nonData type inner content is encapsulated within an
// OCTET STRING
#define CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG 0x00000002
// When set, signers are identified by their Key Identifier and not
// their Issuer and Serial Number.
#define CRYPT_MESSAGE_KEYID_SIGNER_FLAG 0x00000004
// When set, suppresses any UI by the CSP.
// See CryptAcquireContext's CRYPT_SILENT flag for more details.
#define CRYPT_MESSAGE_SILENT_KEYSET_FLAG 0x00000040
//+-------------------------------------------------------------------------
// The CRYPT_VERIFY_MESSAGE_PARA are used to verify signed messages.
//
// hCryptProv is used to do hashing and signature verification.
//
// The dwCertEncodingType specifies the encoding type of the certificates
// and/or CRLs in the message.
//
// pfnGetSignerCertificate is called to get and verify the message signer's
// certificate.
//
// cbSize must be set to the sizeof(CRYPT_VERIFY_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
typedef struct _CRYPT_VERIFY_MESSAGE_PARA {
DWORD cbSize;
DWORD dwMsgAndCertEncodingType;
HCRYPTPROV hCryptProv;
PFN_CRYPT_GET_SIGNER_CERTIFICATE pfnGetSignerCertificate;
void *pvGetArg;
} CRYPT_VERIFY_MESSAGE_PARA, *PCRYPT_VERIFY_MESSAGE_PARA;
//+-------------------------------------------------------------------------
// The CRYPT_ENCRYPT_MESSAGE_PARA are used for encrypting messages.
//
// hCryptProv is used to do content encryption, recipient key
// encryption, and recipient key export. Its private key
// isn't used.
//
// Currently, pvEncryptionAuxInfo is only defined for RC2 or RC4 encryption
// algorithms. Otherwise, its not used and must be set to NULL.
// See CMSG_RC2_AUX_INFO for the RC2 encryption algorithms.
// See CMSG_RC4_AUX_INFO for the RC4 encryption algorithms.
//
// To enable SP3 compatible encryption, pvEncryptionAuxInfo should point to
// a CMSG_SP3_COMPATIBLE_AUX_INFO data structure.
//
// cbSize must be set to the sizeof(CRYPT_ENCRYPT_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//
// dwFlags normally is set to 0. However, if the encoded output
// is to be a CMSG_ENVELOPED inner content of an outer cryptographic message,
// such as a CMSG_SIGNED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
// should be set. If not set, then it would be encoded as an inner content
// type of CMSG_DATA.
//
// dwInnerContentType is normally set to 0. It needs to be set if the
// ToBeEncrypted input is the encoded output of another cryptographic
// message, such as, an CMSG_SIGNED. When set, it's one of the cryptographic
// message types, for example, CMSG_SIGNED.
//
// If the inner content of a nested cryptographic message is data (CMSG_DATA
// the default), then, neither dwFlags or dwInnerContentType need to be set.
//
// For CMS messages, CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG may be
// set to encapsulate nonData inner content within an OCTET STRING before
// encrypting.
//
// For CMS messages, CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG may be set to identify
// recipients by their Key Identifier and not their Issuer and Serial Number.
//--------------------------------------------------------------------------
typedef struct _CRYPT_ENCRYPT_MESSAGE_PARA {
DWORD cbSize;
DWORD dwMsgEncodingType;
HCRYPTPROV hCryptProv;
CRYPT_ALGORITHM_IDENTIFIER ContentEncryptionAlgorithm;
void *pvEncryptionAuxInfo;
DWORD dwFlags;
DWORD dwInnerContentType;
} CRYPT_ENCRYPT_MESSAGE_PARA, *PCRYPT_ENCRYPT_MESSAGE_PARA;
// When set, recipients are identified by their Key Identifier and not
// their Issuer and Serial Number.
#define CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG 0x4
//+-------------------------------------------------------------------------
// The CRYPT_DECRYPT_MESSAGE_PARA are used for decrypting messages.
//
// The CertContext to use for decrypting a message is obtained from one
// of the specified cert stores. An encrypted message can have one or
// more recipients. The recipients are identified by their CertId (Issuer
// and SerialNumber). The cert stores are searched to find the CertContext
// corresponding to the CertId.
//
// For CMS, the recipients may also be identified by their KeyId.
// CMS also allows Key Agreement (Diffie Hellman) in addition to
// Key Transport (RSA) recipients.
//
// Only CertContexts in the store with either
// the CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID set
// can be used. Either property specifies the private exchange key to use.
//
// cbSize must be set to the sizeof(CRYPT_DECRYPT_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
typedef struct _CRYPT_DECRYPT_MESSAGE_PARA {
DWORD cbSize;
DWORD dwMsgAndCertEncodingType;
DWORD cCertStore;
HCERTSTORE *rghCertStore;
#ifdef CRYPT_DECRYPT_MESSAGE_PARA_HAS_EXTRA_FIELDS
// The above defined, CRYPT_MESSAGE_SILENT_KEYSET_FLAG, can be set to
// suppress UI by the CSP. See CryptAcquireContext's CRYPT_SILENT
// flag for more details.
DWORD dwFlags;
#endif
} CRYPT_DECRYPT_MESSAGE_PARA, *PCRYPT_DECRYPT_MESSAGE_PARA;
//+-------------------------------------------------------------------------
// The CRYPT_HASH_MESSAGE_PARA are used for hashing or unhashing
// messages.
//
// hCryptProv is used to compute the hash.
//
// pvHashAuxInfo currently isn't used and must be set to NULL.
//
// cbSize must be set to the sizeof(CRYPT_HASH_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
typedef struct _CRYPT_HASH_MESSAGE_PARA {
DWORD cbSize;
DWORD dwMsgEncodingType;
HCRYPTPROV hCryptProv;
CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
void *pvHashAuxInfo;
} CRYPT_HASH_MESSAGE_PARA, *PCRYPT_HASH_MESSAGE_PARA;
//+-------------------------------------------------------------------------
// The CRYPT_KEY_SIGN_MESSAGE_PARA are used for signing messages until a
// certificate has been created for the signature key.
//
// pvHashAuxInfo currently isn't used and must be set to NULL.
//
// If PubKeyAlgorithm isn't set, defaults to szOID_RSA_RSA.
//
// cbSize must be set to the sizeof(CRYPT_KEY_SIGN_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
typedef struct _CRYPT_KEY_SIGN_MESSAGE_PARA {
DWORD cbSize;
DWORD dwMsgAndCertEncodingType;
HCRYPTPROV hCryptProv;
DWORD dwKeySpec;
CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
void *pvHashAuxInfo;
CRYPT_ALGORITHM_IDENTIFIER PubKeyAlgorithm;
} CRYPT_KEY_SIGN_MESSAGE_PARA, *PCRYPT_KEY_SIGN_MESSAGE_PARA;
//+-------------------------------------------------------------------------
// The CRYPT_KEY_VERIFY_MESSAGE_PARA are used to verify signed messages without
// a certificate for the signer.
//
// Normally used until a certificate has been created for the key.
//
// hCryptProv is used to do hashing and signature verification.
//
// cbSize must be set to the sizeof(CRYPT_KEY_VERIFY_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
typedef struct _CRYPT_KEY_VERIFY_MESSAGE_PARA {
DWORD cbSize;
DWORD dwMsgEncodingType;
HCRYPTPROV hCryptProv;
} CRYPT_KEY_VERIFY_MESSAGE_PARA, *PCRYPT_KEY_VERIFY_MESSAGE_PARA;
//+-------------------------------------------------------------------------
// Sign the message.
//
// If fDetachedSignature is TRUE, the "to be signed" content isn't included
// in the encoded signed blob.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptSignMessage(
IN PCRYPT_SIGN_MESSAGE_PARA pSignPara,
IN BOOL fDetachedSignature,
IN DWORD cToBeSigned,
IN const BYTE *rgpbToBeSigned[],
IN DWORD rgcbToBeSigned[],
OUT BYTE *pbSignedBlob,
IN OUT DWORD *pcbSignedBlob
);
//+-------------------------------------------------------------------------
// Verify a signed message.
//
// If pbDecoded == NULL, then, *pcbDecoded is implicitly set to 0 on input.
// For *pcbDecoded == 0 && ppSignerCert == NULL on input, the signer isn't
// verified.
//
// A message might have more than one signer. Set dwSignerIndex to iterate
// through all the signers. dwSignerIndex == 0 selects the first signer.
//
// pVerifyPara's pfnGetSignerCertificate is called to get the signer's
// certificate.
//
// For a verified signer and message, *ppSignerCert is updated
// with the CertContext of the signer. It must be freed by calling
// CertFreeCertificateContext. Otherwise, *ppSignerCert is set to NULL.
//
// ppSignerCert can be NULL, indicating the caller isn't interested
// in getting the CertContext of the signer.
//
// pcbDecoded can be NULL, indicating the caller isn't interested in getting
// the decoded content. Furthermore, if the message doesn't contain any
// content or signers, then, pcbDecoded must be set to NULL, to allow the
// pVerifyPara->pfnGetCertificate to be called. Normally, this would be
// the case when the signed message contains only certficates and CRLs.
// If pcbDecoded is NULL and the message doesn't have the indicated signer,
// pfnGetCertificate is called with pSignerId set to NULL.
//
// If the message doesn't contain any signers || dwSignerIndex > message's
// SignerCount, then, an error is returned with LastError set to
// CRYPT_E_NO_SIGNER. Also, for CRYPT_E_NO_SIGNER, pfnGetSignerCertificate
// is still called with pSignerId set to NULL.
//
// Note, an alternative way to get the certificates and CRLs from a
// signed message is to call CryptGetMessageCertificates.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptVerifyMessageSignature(
IN PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara,
IN DWORD dwSignerIndex,
IN const BYTE *pbSignedBlob,
IN DWORD cbSignedBlob,
OUT BYTE OPTIONAL *pbDecoded,
IN OUT OPTIONAL DWORD *pcbDecoded,
OUT OPTIONAL PCCERT_CONTEXT *ppSignerCert
);
//+-------------------------------------------------------------------------
// Returns the count of signers in the signed message. For no signers, returns
// 0. For an error returns -1 with LastError updated accordingly.
//--------------------------------------------------------------------------
WINCRYPT32API
LONG
WINAPI
CryptGetMessageSignerCount(
IN DWORD dwMsgEncodingType,
IN const BYTE *pbSignedBlob,
IN DWORD cbSignedBlob
);
//+-------------------------------------------------------------------------
// Returns the cert store containing the message's certs and CRLs.
// For an error, returns NULL with LastError updated.
//--------------------------------------------------------------------------
WINCRYPT32API
HCERTSTORE
WINAPI
CryptGetMessageCertificates(
IN DWORD dwMsgAndCertEncodingType,
IN HCRYPTPROV hCryptProv, // passed to CertOpenStore
IN DWORD dwFlags, // passed to CertOpenStore
IN const BYTE *pbSignedBlob,
IN DWORD cbSignedBlob
);
//+-------------------------------------------------------------------------
// Verify a signed message containing detached signature(s).
// The "to be signed" content is passed in separately. No
// decoded output. Otherwise, identical to CryptVerifyMessageSignature.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptVerifyDetachedMessageSignature(
IN PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara,
IN DWORD dwSignerIndex,
IN const BYTE *pbDetachedSignBlob,
IN DWORD cbDetachedSignBlob,
IN DWORD cToBeSigned,
IN const BYTE *rgpbToBeSigned[],
IN DWORD rgcbToBeSigned[],
OUT OPTIONAL PCCERT_CONTEXT *ppSignerCert
);
//+-------------------------------------------------------------------------
// Encrypts the message for the recipient(s).
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptEncryptMessage(
IN PCRYPT_ENCRYPT_MESSAGE_PARA pEncryptPara,
IN DWORD cRecipientCert,
IN PCCERT_CONTEXT rgpRecipientCert[],
IN const BYTE *pbToBeEncrypted,
IN DWORD cbToBeEncrypted,
OUT BYTE *pbEncryptedBlob,
IN OUT DWORD *pcbEncryptedBlob
);
//+-------------------------------------------------------------------------
// Decrypts the message.
//
// If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
// For *pcbDecrypted == 0 && ppXchgCert == NULL on input, the message isn't
// decrypted.
//
// For a successfully decrypted message, *ppXchgCert is updated
// with the CertContext used to decrypt. It must be freed by calling
// CertStoreFreeCert. Otherwise, *ppXchgCert is set to NULL.
//
// ppXchgCert can be NULL, indicating the caller isn't interested
// in getting the CertContext used to decrypt.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptDecryptMessage(
IN PCRYPT_DECRYPT_MESSAGE_PARA pDecryptPara,
IN const BYTE *pbEncryptedBlob,
IN DWORD cbEncryptedBlob,
OUT OPTIONAL BYTE *pbDecrypted,
IN OUT OPTIONAL DWORD *pcbDecrypted,
OUT OPTIONAL PCCERT_CONTEXT *ppXchgCert
);
//+-------------------------------------------------------------------------
// Sign the message and encrypt for the recipient(s). Does a CryptSignMessage
// followed with a CryptEncryptMessage.
//
// Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. Its a CMSG_SIGNED
// inside of an CMSG_ENVELOPED.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptSignAndEncryptMessage(
IN PCRYPT_SIGN_MESSAGE_PARA pSignPara,
IN PCRYPT_ENCRYPT_MESSAGE_PARA pEncryptPara,
IN DWORD cRecipientCert,
IN PCCERT_CONTEXT rgpRecipientCert[],
IN const BYTE *pbToBeSignedAndEncrypted,
IN DWORD cbToBeSignedAndEncrypted,
OUT BYTE *pbSignedAndEncryptedBlob,
IN OUT DWORD *pcbSignedAndEncryptedBlob
);
//+-------------------------------------------------------------------------
// Decrypts the message and verifies the signer. Does a CryptDecryptMessage
// followed with a CryptVerifyMessageSignature.
//
// If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
// For *pcbDecrypted == 0 && ppSignerCert == NULL on input, the signer isn't
// verified.
//
// A message might have more than one signer. Set dwSignerIndex to iterate
// through all the signers. dwSignerIndex == 0 selects the first signer.
//
// The pVerifyPara's VerifySignerPolicy is called to verify the signer's
// certificate.
//
// For a successfully decrypted and verified message, *ppXchgCert and
// *ppSignerCert are updated. They must be freed by calling
// CertStoreFreeCert. Otherwise, they are set to NULL.
//
// ppXchgCert and/or ppSignerCert can be NULL, indicating the
// caller isn't interested in getting the CertContext.
//
// Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. Its a CMSG_SIGNED
// inside of an CMSG_ENVELOPED.
//
// The message always needs to be decrypted to allow access to the
// signed message. Therefore, if ppXchgCert != NULL, its always updated.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptDecryptAndVerifyMessageSignature(
IN PCRYPT_DECRYPT_MESSAGE_PARA pDecryptPara,
IN PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara,
IN DWORD dwSignerIndex,
IN const BYTE *pbEncryptedBlob,
IN DWORD cbEncryptedBlob,
OUT OPTIONAL BYTE *pbDecrypted,
IN OUT OPTIONAL DWORD *pcbDecrypted,
OUT OPTIONAL PCCERT_CONTEXT *ppXchgCert,
OUT OPTIONAL PCCERT_CONTEXT *ppSignerCert
);
//+-------------------------------------------------------------------------
// Decodes a cryptographic message which may be one of the following types:
// CMSG_DATA
// CMSG_SIGNED
// CMSG_ENVELOPED
// CMSG_SIGNED_AND_ENVELOPED
// CMSG_HASHED
//
// dwMsgTypeFlags specifies the set of allowable messages. For example, to
// decode either SIGNED or ENVELOPED messages, set dwMsgTypeFlags to:
// CMSG_SIGNED_FLAG | CMSG_ENVELOPED_FLAG.
//
// dwProvInnerContentType is only applicable when processing nested
// crytographic messages. When processing an outer crytographic message
// it must be set to 0. When decoding a nested cryptographic message
// its the dwInnerContentType returned by a previous CryptDecodeMessage
// of the outer message. The InnerContentType can be any of the CMSG types,
// for example, CMSG_DATA, CMSG_SIGNED, ...
//
// The optional *pdwMsgType is updated with the type of message.
//
// The optional *pdwInnerContentType is updated with the type of the inner
// message. Unless there is cryptographic message nesting, CMSG_DATA
// is returned.
//
// For CMSG_DATA: returns decoded content.
// For CMSG_SIGNED: same as CryptVerifyMessageSignature.
// For CMSG_ENVELOPED: same as CryptDecryptMessage.
// For CMSG_SIGNED_AND_ENVELOPED: same as CryptDecryptMessage plus
// CryptVerifyMessageSignature.
// For CMSG_HASHED: verifies the hash and returns decoded content.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptDecodeMessage(
IN DWORD dwMsgTypeFlags,
IN PCRYPT_DECRYPT_MESSAGE_PARA pDecryptPara,
IN PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara,
IN DWORD dwSignerIndex,
IN const BYTE *pbEncodedBlob,
IN DWORD cbEncodedBlob,
IN DWORD dwPrevInnerContentType,
OUT OPTIONAL DWORD *pdwMsgType,
OUT OPTIONAL DWORD *pdwInnerContentType,
OUT OPTIONAL BYTE *pbDecoded,
IN OUT OPTIONAL DWORD *pcbDecoded,
OUT OPTIONAL PCCERT_CONTEXT *ppXchgCert,
OUT OPTIONAL PCCERT_CONTEXT *ppSignerCert
);
//+-------------------------------------------------------------------------
// Hash the message.
//
// If fDetachedHash is TRUE, only the ComputedHash is encoded in the
// pbHashedBlob. Otherwise, both the ToBeHashed and ComputedHash
// are encoded.
//
// pcbHashedBlob or pcbComputedHash can be NULL, indicating the caller
// isn't interested in getting the output.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptHashMessage(
IN PCRYPT_HASH_MESSAGE_PARA pHashPara,
IN BOOL fDetachedHash,
IN DWORD cToBeHashed,
IN const BYTE *rgpbToBeHashed[],
IN DWORD rgcbToBeHashed[],
OUT OPTIONAL BYTE *pbHashedBlob,
IN OUT OPTIONAL DWORD *pcbHashedBlob,
OUT OPTIONAL BYTE *pbComputedHash,
IN OUT OPTIONAL DWORD *pcbComputedHash
);
//+-------------------------------------------------------------------------
// Verify a hashed message.
//
// pcbToBeHashed or pcbComputedHash can be NULL,
// indicating the caller isn't interested in getting the output.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptVerifyMessageHash(
IN PCRYPT_HASH_MESSAGE_PARA pHashPara,
IN BYTE *pbHashedBlob,
IN DWORD cbHashedBlob,
OUT OPTIONAL BYTE *pbToBeHashed,
IN OUT OPTIONAL DWORD *pcbToBeHashed,
OUT OPTIONAL BYTE *pbComputedHash,
IN OUT OPTIONAL DWORD *pcbComputedHash
);
//+-------------------------------------------------------------------------
// Verify a hashed message containing a detached hash.
// The "to be hashed" content is passed in separately. No
// decoded output. Otherwise, identical to CryptVerifyMessageHash.
//
// pcbComputedHash can be NULL, indicating the caller isn't interested
// in getting the output.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptVerifyDetachedMessageHash(
IN PCRYPT_HASH_MESSAGE_PARA pHashPara,
IN BYTE *pbDetachedHashBlob,
IN DWORD cbDetachedHashBlob,
IN DWORD cToBeHashed,
IN const BYTE *rgpbToBeHashed[],
IN DWORD rgcbToBeHashed[],
OUT OPTIONAL BYTE *pbComputedHash,
IN OUT OPTIONAL DWORD *pcbComputedHash
);
//+-------------------------------------------------------------------------
// Sign the message using the provider's private key specified in the
// parameters. A dummy SignerId is created and stored in the message.
//
// Normally used until a certificate has been created for the key.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptSignMessageWithKey(
IN PCRYPT_KEY_SIGN_MESSAGE_PARA pSignPara,
IN const BYTE *pbToBeSigned,
IN DWORD cbToBeSigned,
OUT BYTE *pbSignedBlob,
IN OUT DWORD *pcbSignedBlob
);
//+-------------------------------------------------------------------------
// Verify a signed message using the specified public key info.
//
// Normally called by a CA until it has created a certificate for the
// key.
//
// pPublicKeyInfo contains the public key to use to verify the signed
// message. If NULL, the signature isn't verified (for instance, the decoded
// content may contain the PublicKeyInfo).
//
// pcbDecoded can be NULL, indicating the caller isn't interested
// in getting the decoded content.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptVerifyMessageSignatureWithKey(
IN PCRYPT_KEY_VERIFY_MESSAGE_PARA pVerifyPara,
IN OPTIONAL PCERT_PUBLIC_KEY_INFO pPublicKeyInfo,
IN const BYTE *pbSignedBlob,
IN DWORD cbSignedBlob,
OUT OPTIONAL BYTE *pbDecoded,
IN OUT OPTIONAL DWORD *pcbDecoded
);
//+=========================================================================
// System Certificate Store Data Structures and APIs
//==========================================================================
//+-------------------------------------------------------------------------
// Get a system certificate store based on a subsystem protocol.
//
// Current examples of subsystems protocols are:
// "MY" Cert Store hold certs with associated Private Keys
// "CA" Certifying Authority certs
// "ROOT" Root Certs
// "SPC" Software publisher certs
//
//
// If hProv is NULL the default provider "1" is opened for you.
// When the store is closed the provider is release. Otherwise
// if hProv is not NULL, no provider is created or released.
//
// The returned Cert Store can be searched for an appropriate Cert
// using the Cert Store API's (see certstor.h)
//
// When done, the cert store should be closed using CertStoreClose
//--------------------------------------------------------------------------
WINCRYPT32API
HCERTSTORE
WINAPI
CertOpenSystemStoreA(
HCRYPTPROV hProv,
LPCSTR szSubsystemProtocol
);
WINCRYPT32API
HCERTSTORE
WINAPI
CertOpenSystemStoreW(
HCRYPTPROV hProv,
LPCWSTR szSubsystemProtocol
);
#ifdef UNICODE
#define CertOpenSystemStore CertOpenSystemStoreW
#else
#define CertOpenSystemStore CertOpenSystemStoreA
#endif // !UNICODE
WINCRYPT32API
BOOL
WINAPI
CertAddEncodedCertificateToSystemStoreA(
LPCSTR szCertStoreName,
const BYTE * pbCertEncoded,
DWORD cbCertEncoded
);
WINCRYPT32API
BOOL
WINAPI
CertAddEncodedCertificateToSystemStoreW(
LPCWSTR szCertStoreName,
const BYTE * pbCertEncoded,
DWORD cbCertEncoded
);
#ifdef UNICODE
#define CertAddEncodedCertificateToSystemStore CertAddEncodedCertificateToSystemStoreW
#else
#define CertAddEncodedCertificateToSystemStore CertAddEncodedCertificateToSystemStoreA
#endif // !UNICODE
//+-------------------------------------------------------------------------
// Find all certificate chains tying the given issuer name to any certificate
// that the current user has a private key for.
//
// If no certificate chain is found, FALSE is returned with LastError set
// to CRYPT_E_NOT_FOUND and the counts zeroed.
//
// IE 3.0 ASSUMPTION:
// The client certificates are in the "My" system store. The issuer
// cerificates may be in the "Root", "CA" or "My" system stores.
//--------------------------------------------------------------------------
typedef struct _CERT_CHAIN {
DWORD cCerts; // number of certs in chain
PCERT_BLOB certs; // pointer to array of cert chain blobs
// representing the certs
CRYPT_KEY_PROV_INFO keyLocatorInfo; // key locator for cert
} CERT_CHAIN, *PCERT_CHAIN;
// WINCRYPT32API This is not exported by crypt32, it is exported by softpub
HRESULT
WINAPI
FindCertsByIssuer(
OUT PCERT_CHAIN pCertChains,
IN OUT DWORD *pcbCertChains,
OUT DWORD *pcCertChains, // count of certificates chains returned
IN BYTE* pbEncodedIssuerName, // DER encoded issuer name
IN DWORD cbEncodedIssuerName, // count in bytes of encoded issuer name
IN LPCWSTR pwszPurpose, // "ClientAuth" or "CodeSigning"
IN DWORD dwKeySpec // only return signers supporting this
// keyspec
);
//-------------------------------------------------------------------------
//
// CryptQueryObject takes a CERT_BLOB or a file name and returns the
// information about the content in the blob or in the file.
//
// Parameters:
// INPUT dwObjectType:
// Indicate the type of the object. Should be one of the
// following:
// CERT_QUERY_OBJECT_FILE
// CERT_QUERY_OBJECT_BLOB
//
// INPUT pvObject:
// If dwObjectType == CERT_QUERY_OBJECT_FILE, it is a
// LPWSTR, that is, the pointer to a wchar file name
// if dwObjectType == CERT_QUERY_OBJECT_BLOB, it is a
// PCERT_BLOB, that is, a pointer to a CERT_BLOB
//
// INPUT dwExpectedContentTypeFlags:
// Indicate the expected contenet type.
// Can be one of the following:
// CERT_QUERY_CONTENT_FLAG_ALL (the content can be any type)
// CERT_QUERY_CONTENT_FLAG_CERT
// CERT_QUERY_CONTENT_FLAG_CTL
// CERT_QUERY_CONTENT_FLAG_CRL
// CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE
// CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT
// CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL
// CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL
// CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED
// CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED
// CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED
// CERT_QUERY_CONTENT_FLAG_PKCS10
// CERT_QUERY_CONTENT_FLAG_PFX
// CERT_QUERY_CONTENT_FLAG_CERT_PAIR
//
// INPUT dwExpectedFormatTypeFlags:
// Indicate the expected format type.
// Can be one of the following:
// CERT_QUERY_FORMAT_FLAG_ALL (the content can be any format)
// CERT_QUERY_FORMAT_FLAG_BINARY
// CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED
// CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED
//
//
// INPUT dwFlags
// Reserved flag. Should always set to 0
//
// OUTPUT pdwMsgAndCertEncodingType
// Optional output. If NULL != pdwMsgAndCertEncodingType,
// it contains the encoding type of the content as any
// combination of the following:
// X509_ASN_ENCODING
// PKCS_7_ASN_ENCODING
//
// OUTPUT pdwContentType
// Optional output. If NULL!=pdwContentType, it contains
// the content type as one of the the following:
// CERT_QUERY_CONTENT_CERT
// CERT_QUERY_CONTENT_CTL
// CERT_QUERY_CONTENT_CRL
// CERT_QUERY_CONTENT_SERIALIZED_STORE
// CERT_QUERY_CONTENT_SERIALIZED_CERT
// CERT_QUERY_CONTENT_SERIALIZED_CTL
// CERT_QUERY_CONTENT_SERIALIZED_CRL
// CERT_QUERY_CONTENT_PKCS7_SIGNED
// CERT_QUERY_CONTENT_PKCS7_UNSIGNED
// CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
// CERT_QUERY_CONTENT_PKCS10
// CERT_QUERY_CONTENT_PFX
// CERT_QUERY_CONTENT_CERT_PAIR
//
// OUTPUT pdwFormatType
// Optional output. If NULL !=pdwFormatType, it
// contains the format type of the content as one of the
// following:
// CERT_QUERY_FORMAT_BINARY
// CERT_QUERY_FORMAT_BASE64_ENCODED
// CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED
//
//
// OUTPUT phCertStore
// Optional output. If NULL !=phStore,
// it contains a cert store that includes all of certificates,
// CRL, and CTL in the object if the object content type is
// one of the following:
// CERT_QUERY_CONTENT_CERT
// CERT_QUERY_CONTENT_CTL
// CERT_QUERY_CONTENT_CRL
// CERT_QUERY_CONTENT_SERIALIZED_STORE
// CERT_QUERY_CONTENT_SERIALIZED_CERT
// CERT_QUERY_CONTENT_SERIALIZED_CTL
// CERT_QUERY_CONTENT_SERIALIZED_CRL
// CERT_QUERY_CONTENT_PKCS7_SIGNED
// CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
// CERT_QUERY_CONTENT_CERT_PAIR
//
// Caller should free *phCertStore via CertCloseStore.
//
//
// OUTPUT phMsg Optional output. If NULL != phMsg,
// it contains a handle to a opened message if
// the content type is one of the following:
// CERT_QUERY_CONTENT_PKCS7_SIGNED
// CERT_QUERY_CONTENT_PKCS7_UNSIGNED
// CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
//
// Caller should free *phMsg via CryptMsgClose.
//
// OUTPUT pContext Optional output. If NULL != pContext,
// it contains either a PCCERT_CONTEXT or PCCRL_CONTEXT,
// or PCCTL_CONTEXT based on the content type.
//
// If the content type is CERT_QUERY_CONTENT_CERT or
// CERT_QUERY_CONTENT_SERIALIZED_CERT, it is a PCCERT_CONTEXT;
// Caller should free the pContext via CertFreeCertificateContext.
//
// If the content type is CERT_QUERY_CONTENT_CRL or
// CERT_QUERY_CONTENT_SERIALIZED_CRL, it is a PCCRL_CONTEXT;
// Caller should free the pContext via CertFreeCRLContext.
//
// If the content type is CERT_QUERY_CONTENT_CTL or
// CERT_QUERY_CONTENT_SERIALIZED_CTL, it is a PCCTL_CONTEXT;
// Caller should free the pContext via CertFreeCTLContext.
//
// If the *pbObject is of type CERT_QUERY_CONTENT_PKCS10 or CERT_QUERY_CONTENT_PFX, CryptQueryObject
// will not return anything in *phCertstore, *phMsg, or *ppvContext.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptQueryObject(
DWORD dwObjectType,
const void *pvObject,
DWORD dwExpectedContentTypeFlags,
DWORD dwExpectedFormatTypeFlags,
DWORD dwFlags,
DWORD *pdwMsgAndCertEncodingType,
DWORD *pdwContentType,
DWORD *pdwFormatType,
HCERTSTORE *phCertStore,
HCRYPTMSG *phMsg,
const void **ppvContext
);
//-------------------------------------------------------------------------
//dwObjectType for CryptQueryObject
//-------------------------------------------------------------------------
#define CERT_QUERY_OBJECT_FILE 0x00000001
#define CERT_QUERY_OBJECT_BLOB 0x00000002
//-------------------------------------------------------------------------
//dwContentType for CryptQueryObject
//-------------------------------------------------------------------------
//encoded single certificate
#define CERT_QUERY_CONTENT_CERT 1
//encoded single CTL
#define CERT_QUERY_CONTENT_CTL 2
//encoded single CRL
#define CERT_QUERY_CONTENT_CRL 3
//serialized store
#define CERT_QUERY_CONTENT_SERIALIZED_STORE 4
//serialized single certificate
#define CERT_QUERY_CONTENT_SERIALIZED_CERT 5
//serialized single CTL
#define CERT_QUERY_CONTENT_SERIALIZED_CTL 6
//serialized single CRL
#define CERT_QUERY_CONTENT_SERIALIZED_CRL 7
//a PKCS#7 signed message
#define CERT_QUERY_CONTENT_PKCS7_SIGNED 8
//a PKCS#7 message, such as enveloped message. But it is not a signed message,
#define CERT_QUERY_CONTENT_PKCS7_UNSIGNED 9
//a PKCS7 signed message embedded in a file
#define CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED 10
//an encoded PKCS#10
#define CERT_QUERY_CONTENT_PKCS10 11
//an encoded PKX BLOB
#define CERT_QUERY_CONTENT_PFX 12
//an encoded CertificatePair (contains forward and/or reverse cross certs)
#define CERT_QUERY_CONTENT_CERT_PAIR 13
//-------------------------------------------------------------------------
//dwExpectedConentTypeFlags for CryptQueryObject
//-------------------------------------------------------------------------
//encoded single certificate
#define CERT_QUERY_CONTENT_FLAG_CERT
( 1 << CERT_QUERY_CONTENT_CERT)
//encoded single CTL
#define CERT_QUERY_CONTENT_FLAG_CTL
( 1 << CERT_QUERY_CONTENT_CTL)
//encoded single CRL
#define CERT_QUERY_CONTENT_FLAG_CRL
( 1 << CERT_QUERY_CONTENT_CRL)
//serialized store
#define CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE
( 1 << CERT_QUERY_CONTENT_SERIALIZED_STORE)
//serialized single certificate
#define CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT
( 1 << CERT_QUERY_CONTENT_SERIALIZED_CERT)
//serialized single CTL
#define CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL
( 1 << CERT_QUERY_CONTENT_SERIALIZED_CTL)
//serialized single CRL
#define CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL
( 1 << CERT_QUERY_CONTENT_SERIALIZED_CRL)
//an encoded PKCS#7 signed message
#define CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED
( 1 << CERT_QUERY_CONTENT_PKCS7_SIGNED)
//an encoded PKCS#7 message. But it is not a signed message
#define CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED
( 1 << CERT_QUERY_CONTENT_PKCS7_UNSIGNED)
//the content includes an embedded PKCS7 signed message
#define CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED
( 1 << CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED)
//an encoded PKCS#10
#define CERT_QUERY_CONTENT_FLAG_PKCS10
( 1 << CERT_QUERY_CONTENT_PKCS10)
//an encoded PFX BLOB
#define CERT_QUERY_CONTENT_FLAG_PFX
( 1 << CERT_QUERY_CONTENT_PFX)
//an encoded CertificatePair (contains forward and/or reverse cross certs)
#define CERT_QUERY_CONTENT_FLAG_CERT_PAIR
( 1 << CERT_QUERY_CONTENT_CERT_PAIR)
//content can be any type
#define CERT_QUERY_CONTENT_FLAG_ALL
CERT_QUERY_CONTENT_FLAG_CERT |
CERT_QUERY_CONTENT_FLAG_CTL |
CERT_QUERY_CONTENT_FLAG_CRL |
CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE |
CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT |
CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL |
CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL |
CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED |
CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED |
CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED |
CERT_QUERY_CONTENT_FLAG_PKCS10 |
CERT_QUERY_CONTENT_FLAG_PFX |
CERT_QUERY_CONTENT_FLAG_CERT_PAIR
//-------------------------------------------------------------------------
//dwFormatType for CryptQueryObject
//-------------------------------------------------------------------------
//the content is in binary format
#define CERT_QUERY_FORMAT_BINARY 1
//the content is base64 encoded
#define CERT_QUERY_FORMAT_BASE64_ENCODED 2
//the content is ascii hex encoded with "{ASN}" prefix
#define CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED 3
//-------------------------------------------------------------------------
//dwExpectedFormatTypeFlags for CryptQueryObject
//-------------------------------------------------------------------------
//the content is in binary format
#define CERT_QUERY_FORMAT_FLAG_BINARY
( 1 << CERT_QUERY_FORMAT_BINARY)
//the content is base64 encoded
#define CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED
( 1 << CERT_QUERY_FORMAT_BASE64_ENCODED)
//the content is ascii hex encoded with "{ASN}" prefix
#define CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED
( 1 << CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED)
//the content can be of any format
#define CERT_QUERY_FORMAT_FLAG_ALL
CERT_QUERY_FORMAT_FLAG_BINARY |
CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED |
CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED
//
// Crypt32 Memory Management Routines. All Crypt32 API which return allocated
// buffers will do so via CryptMemAlloc, CryptMemRealloc. Clients can free
// those buffers using CryptMemFree. Also included is CryptMemSize
//
WINCRYPT32API
LPVOID
WINAPI
CryptMemAlloc (
IN ULONG cbSize
);
WINCRYPT32API
LPVOID
WINAPI
CryptMemRealloc (
IN LPVOID pv,
IN ULONG cbSize
);
WINCRYPT32API
VOID
WINAPI
CryptMemFree (
IN LPVOID pv
);
//
// Crypt32 Asynchronous Parameter Management Routines. All Crypt32 API which
// expose asynchronous mode operation use a Crypt32 Async Handle to pass
// around information about the operation e.g. callback routines. The
// following API are used for manipulation of the async handle
//
typedef HANDLE HCRYPTASYNC, *PHCRYPTASYNC;
typedef VOID (WINAPI *PFN_CRYPT_ASYNC_PARAM_FREE_FUNC) (
LPSTR pszParamOid,
LPVOID pvParam
);
WINCRYPT32API
BOOL
WINAPI
CryptCreateAsyncHandle (
IN DWORD dwFlags,
OUT PHCRYPTASYNC phAsync
);
WINCRYPT32API
BOOL
WINAPI
CryptSetAsyncParam (
IN HCRYPTASYNC hAsync,
IN LPSTR pszParamOid,
IN LPVOID pvParam,
IN OPTIONAL PFN_CRYPT_ASYNC_PARAM_FREE_FUNC pfnFree
);
WINCRYPT32API
BOOL
WINAPI
CryptGetAsyncParam (
IN HCRYPTASYNC hAsync,
IN LPSTR pszParamOid,
OUT LPVOID* ppvParam,
OUT OPTIONAL PFN_CRYPT_ASYNC_PARAM_FREE_FUNC* ppfnFree
);
WINCRYPT32API
BOOL
WINAPI
CryptCloseAsyncHandle (
IN HCRYPTASYNC hAsync
);
//
// Crypt32 Remote Object Retrieval Routines. This API allows retrieval of
// remote PKI objects where the location is given by an URL. The remote
// object retrieval manager exposes two provider models. One is the "Scheme
// Provider" model which allows for installable protocol providers as defined
// by the URL scheme e.g. ldap, http, ftp. The scheme provider entry point is
// the same as the CryptRetrieveObjectByUrl however the *ppvObject returned
// is ALWAYS a counted array of encoded bits (one per object retrieved). The
// second provider model is the "Context Provider" model which allows for
// installable creators of CAPI2 context handles (objects) based on the
// retrieved encoded bits. These are dispatched based on the object OID given
// in the call to CryptRetrieveObjectByUrl.
//
typedef struct _CRYPT_BLOB_ARRAY {
DWORD cBlob;
PCRYPT_DATA_BLOB rgBlob;
} CRYPT_BLOB_ARRAY, *PCRYPT_BLOB_ARRAY;
typedef struct _CRYPT_CREDENTIALS {
DWORD cbSize;
LPCSTR pszCredentialsOid;
LPVOID pvCredentials;
} CRYPT_CREDENTIALS, *PCRYPT_CREDENTIALS;
#define CREDENTIAL_OID_PASSWORD_CREDENTIALS_A ((LPCSTR)1)
#define CREDENTIAL_OID_PASSWORD_CREDENTIALS_W ((LPCSTR)2)
#ifdef UNICODE
#define CREDENTIAL_OID_PASSWORD_CREDENTIALS CREDENTIAL_OID_PASSWORD_CREDENTIALS_W
#else
#define CREDENTIAL_OID_PASSWORD_CREDENTIALS CREDENTIAL_OID_PASSWORD_CREDENTIALS_A
#endif //UNICODE
typedef struct _CRYPT_PASSWORD_CREDENTIALSA {
DWORD cbSize;
LPSTR pszUsername;
LPSTR pszPassword;
} CRYPT_PASSWORD_CREDENTIALSA, *PCRYPT_PASSWORD_CREDENTIALSA;
typedef struct _CRYPT_PASSWORD_CREDENTIALSW {
DWORD cbSize;
LPWSTR pszUsername;
LPWSTR pszPassword;
} CRYPT_PASSWORD_CREDENTIALSW, *PCRYPT_PASSWORD_CREDENTIALSW;
#ifdef UNICODE
typedef CRYPT_PASSWORD_CREDENTIALSW CRYPT_PASSWORD_CREDENTIALS;
typedef PCRYPT_PASSWORD_CREDENTIALSW PCRYPT_PASSWORD_CREDENTIALS;
#else
typedef CRYPT_PASSWORD_CREDENTIALSA CRYPT_PASSWORD_CREDENTIALS;
typedef PCRYPT_PASSWORD_CREDENTIALSA PCRYPT_PASSWORD_CREDENTIALS;
#endif // UNICODE
//
// Scheme Provider Signatures
//
#define SCHEME_OID_RETRIEVE_ENCODED_OBJECT_FUNC "SchemeDllRetrieveEncodedObject"
typedef VOID (WINAPI *PFN_FREE_ENCODED_OBJECT_FUNC) (
LPCSTR pszObjectOid,
PCRYPT_BLOB_ARRAY pObject,
LPVOID pvFreeContext
);
//
// SchemeDllRetrieveEncodedObject has the following signature:
//
// BOOL WINAPI SchemeDllRetrieveEncodedObject (
// IN LPCSTR pszUrl,
// IN LPCSTR pszObjectOid,
// IN DWORD dwRetrievalFlags,
// IN DWORD dwTimeout, // milliseconds
// OUT PCRYPT_BLOB_ARRAY pObject,
// OUT PFN_FREE_ENCODED_OBJECT_FUNC* ppfnFreeObject,
// OUT LPVOID* ppvFreeContext,
// IN HCRYPTASYNC hAsyncRetrieve,
// IN PCRYPT_CREDENTIALS pCredentials,
// IN PCRYPT_RETRIEVE_AUX_INFO pAuxInfo
// )
//
//
// Context Provider Signatures
//
#define CONTEXT_OID_CREATE_OBJECT_CONTEXT_FUNC "ContextDllCreateObjectContext"
#define CONTEXT_OID_CERTIFICATE ((LPCSTR)1)
#define CONTEXT_OID_CRL ((LPCSTR)2)
#define CONTEXT_OID_CTL ((LPCSTR)3)
#define CONTEXT_OID_PKCS7 ((LPCSTR)4)
#define CONTEXT_OID_CAPI2_ANY ((LPCSTR)5)
//
// ContextDllCreateObjectContext has the following signature:
//
// BOOL WINAPI ContextDllCreateObjectContext (
// IN LPCSTR pszObjectOid,
// IN DWORD dwRetrievalFlags,
// IN PCRYPT_BLOB_ARRAY pObject,
// OUT LPVOID* ppvContext
// )
//
//
// Remote Object Retrieval API
//
//
// Retrieval flags
//
#define CRYPT_RETRIEVE_MULTIPLE_OBJECTS 0x00000001
#define CRYPT_CACHE_ONLY_RETRIEVAL 0x00000002
#define CRYPT_WIRE_ONLY_RETRIEVAL 0x00000004
#define CRYPT_DONT_CACHE_RESULT 0x00000008
#define CRYPT_ASYNC_RETRIEVAL 0x00000010
#define CRYPT_STICKY_CACHE_RETRIEVAL 0x00001000
#define CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL 0x00002000
#define CRYPT_OFFLINE_CHECK_RETRIEVAL 0x00004000
// When the following flag is set, the following 2 NULL terminated ascii
// strings are inserted at the beginning of each returned blob:
// "%d%s", dwEntryIndex, pszAttribute
//
// The first dwEntryIndex is 0, "0".
//
// When set, pszObjectOid must be NULL, so that a PCRYPT_BLOB_ARRAY is returned.
#define CRYPT_LDAP_INSERT_ENTRY_ATTRIBUTE 0x00008000
// Set this flag to digitally sign all of the ldap traffic to and from a
// Windows 2000 LDAP server using the Kerberos authentication protocol.
// This feature provides integrity required by some applications.
#define CRYPT_LDAP_SIGN_RETRIEVAL 0x00010000
// Set this flag to inhibit automatic authentication handling. See the
// wininet flag, INTERNET_FLAG_NO_AUTH, for more details.
#define CRYPT_NO_AUTH_RETRIEVAL 0x00020000
// Performs an A-Record only DNS lookup on the supplied host string.
// This prevents bogus DNS queries from being generated when resolving host
// names. Use this flag whenever passing a hostname as opposed to a
// domain name for the hostname parameter.
//
// See LDAP_OPT_AREC_EXCLUSIVE defined in winldap.h for more details.
#define CRYPT_LDAP_AREC_EXCLUSIVE_RETRIEVAL 0x00040000
//
// Data verification retrieval flags
//
// CRYPT_VERIFY_CONTEXT_SIGNATURE is used to get signature verification
// on the context created. In this case pszObjectOid must be non-NULL and
// pvVerify points to the signer certificate context
//
// CRYPT_VERIFY_DATA_HASH is used to get verification of the blob data
// retrieved by the protocol. The pvVerify points to an URL_DATA_HASH
// structure (TBD)
//
#define CRYPT_VERIFY_CONTEXT_SIGNATURE 0x00000020
#define CRYPT_VERIFY_DATA_HASH 0x00000040
//
// Time Valid Object flags
//
#define CRYPT_KEEP_TIME_VALID 0x00000080
#define CRYPT_DONT_VERIFY_SIGNATURE 0x00000100
#define CRYPT_DONT_CHECK_TIME_VALIDITY 0x00000200
// The default checks if ftNextUpdate >= ftValidFor. Set this flag to
// check if ftThisUpdate >= ftValidFor.
#define CRYPT_CHECK_FRESHNESS_TIME_VALIDITY 0x00000400
#define CRYPT_ACCUMULATIVE_TIMEOUT 0x00000800
typedef struct _CRYPT_RETRIEVE_AUX_INFO {
DWORD cbSize;
FILETIME *pLastSyncTime;
} CRYPT_RETRIEVE_AUX_INFO, *PCRYPT_RETRIEVE_AUX_INFO;
WINCRYPT32API
BOOL
WINAPI
CryptRetrieveObjectByUrlA (
IN LPCSTR pszUrl,
IN LPCSTR pszObjectOid,
IN DWORD dwRetrievalFlags,
IN DWORD dwTimeout, // milliseconds
OUT LPVOID* ppvObject,
IN HCRYPTASYNC hAsyncRetrieve,
IN OPTIONAL PCRYPT_CREDENTIALS pCredentials,
IN OPTIONAL LPVOID pvVerify,
IN OPTIONAL PCRYPT_RETRIEVE_AUX_INFO pAuxInfo
);
WINCRYPT32API
BOOL
WINAPI
CryptRetrieveObjectByUrlW (
IN LPCWSTR pszUrl,
IN LPCSTR pszObjectOid,
IN DWORD dwRetrievalFlags,
IN DWORD dwTimeout, // milliseconds
OUT LPVOID* ppvObject,
IN HCRYPTASYNC hAsyncRetrieve,
IN OPTIONAL PCRYPT_CREDENTIALS pCredentials,
IN OPTIONAL LPVOID pvVerify,
IN OPTIONAL PCRYPT_RETRIEVE_AUX_INFO pAuxInfo
);
#ifdef UNICODE
#define CryptRetrieveObjectByUrl CryptRetrieveObjectByUrlW
#else
#define CryptRetrieveObjectByUrl CryptRetrieveObjectByUrlA
#endif // !UNICODE
//
// Call back function to cancel object retrieval
//
// The function can be installed on a per thread basis.
// If CryptInstallCancelRetrieval is called for multiple times, only the most recent
// installation will be kept.
//
// This is only effective for http, https, gopher, and ftp protocol.
// It is ignored by the rest of the protocols.
typedef BOOL (WINAPI *PFN_CRYPT_CANCEL_RETRIEVAL)(
IN DWORD dwFlags,
IN void *pvArg
);
//
// PFN_CRYPT_CANCEL_RETRIEVAL
//
// This function should return FALSE when the object retrieval should be continued
// and return TRUE when the object retrieval should be cancelled.
//
WINCRYPT32API
BOOL
WINAPI
CryptInstallCancelRetrieval(
IN PFN_CRYPT_CANCEL_RETRIEVAL pfnCancel,
IN const void *pvArg,
IN DWORD dwFlags,
IN void *pvReserved
);
WINCRYPT32API
BOOL
WINAPI
CryptUninstallCancelRetrieval(
IN DWORD dwFlags,
IN void *pvReserved
);
WINCRYPT32API
BOOL
WINAPI
CryptCancelAsyncRetrieval (
HCRYPTASYNC hAsyncRetrieval
);
//
// Remote Object Async Retrieval parameters
//
//
// A client that wants to be notified of asynchronous object retrieval
// completion sets this parameter on the async handle
//
#define CRYPT_PARAM_ASYNC_RETRIEVAL_COMPLETION ((LPCSTR)1)
typedef VOID (WINAPI *PFN_CRYPT_ASYNC_RETRIEVAL_COMPLETION_FUNC) (
IN LPVOID pvCompletion,
IN DWORD dwCompletionCode,
IN LPCSTR pszUrl,
IN LPSTR pszObjectOid,
IN LPVOID pvObject
);
typedef struct _CRYPT_ASYNC_RETRIEVAL_COMPLETION {
PFN_CRYPT_ASYNC_RETRIEVAL_COMPLETION_FUNC pfnCompletion;
LPVOID pvCompletion;
} CRYPT_ASYNC_RETRIEVAL_COMPLETION, *PCRYPT_ASYNC_RETRIEVAL_COMPLETION;
//
// This function is set on the async handle by a scheme provider that
// supports asynchronous retrieval
//
#define CRYPT_PARAM_CANCEL_ASYNC_RETRIEVAL ((LPCSTR)2)
typedef BOOL (WINAPI *PFN_CANCEL_ASYNC_RETRIEVAL_FUNC) (
HCRYPTASYNC hAsyncRetrieve
);
//
// Get the locator for a CAPI object
//
#define CRYPT_GET_URL_FROM_PROPERTY 0x00000001
#define CRYPT_GET_URL_FROM_EXTENSION 0x00000002
#define CRYPT_GET_URL_FROM_UNAUTH_ATTRIBUTE 0x00000004
#define CRYPT_GET_URL_FROM_AUTH_ATTRIBUTE 0x00000008
typedef struct _CRYPT_URL_ARRAY {
DWORD cUrl;
LPWSTR* rgwszUrl;
} CRYPT_URL_ARRAY, *PCRYPT_URL_ARRAY;
typedef struct _CRYPT_URL_INFO {
DWORD cbSize;
// Seconds between syncs
DWORD dwSyncDeltaTime;
// Returned URLs may be grouped. For instance, groups of cross cert
// distribution points. Each distribution point may have multiple
// URLs, (LDAP and HTTP scheme).
DWORD cGroup;
DWORD *rgcGroupEntry;
} CRYPT_URL_INFO, *PCRYPT_URL_INFO;
WINCRYPT32API
BOOL
WINAPI
CryptGetObjectUrl (
IN LPCSTR pszUrlOid,
IN LPVOID pvPara,
IN DWORD dwFlags,
OUT OPTIONAL PCRYPT_URL_ARRAY pUrlArray,
IN OUT DWORD* pcbUrlArray,
OUT OPTIONAL PCRYPT_URL_INFO pUrlInfo,
IN OUT OPTIONAL DWORD* pcbUrlInfo,
IN OPTIONAL LPVOID pvReserved
);
#define URL_OID_GET_OBJECT_URL_FUNC "UrlDllGetObjectUrl"
//
// UrlDllGetObjectUrl has the same signature as CryptGetObjectUrl
//
//
// URL_OID_CERTIFICATE_ISSUER
//
// pvPara == PCCERT_CONTEXT, certificate whose issuer's URL is being requested
//
// This will be retrieved from the authority info access extension or property
// on the certificate
//
// URL_OID_CERTIFICATE_CRL_DIST_POINT
//
// pvPara == PCCERT_CONTEXT, certificate whose CRL distribution point is being
// requested
//
// This will be retrieved from the CRL distribution point extension or property
// on the certificate
//
// URL_OID_CTL_ISSUER
//
// pvPara == PCCTL_CONTEXT, Signer Index, CTL whose issuer's URL (identified
// by the signer index) is being requested
//
// This will be retrieved from an authority info access attribute method encoded
// in each signer info in the PKCS7 (CTL)
//
// URL_OID_CTL_NEXT_UPDATE
//
// pvPara == PCCTL_CONTEXT, Signer Index, CTL whose next update URL is being
// requested and an optional signer index in case we need to check signer
// info attributes
//
// This will be retrieved from an authority info access CTL extension, property,
// or signer info attribute method
//
// URL_OID_CRL_ISSUER
//
// pvPara == PCCRL_CONTEXT, CRL whose issuer's URL is being requested
//
// This will be retrieved from a property on the CRL which has been inherited
// from the subject cert (either from the subject cert issuer or the subject
// cert distribution point extension). It will be encoded as an authority
// info access extension method.
//
// URL_OID_CERTIFICATE_FRESHEST_CRL
//
// pvPara == PCCERT_CONTEXT, certificate whose freshest CRL distribution point
// is being requested
//
// This will be retrieved from the freshest CRL extension or property
// on the certificate
//
// URL_OID_CRL_FRESHEST_CRL
//
// pvPara == PCCERT_CRL_CONTEXT_PAIR, certificate's base CRL whose
// freshest CRL distribution point is being requested
//
// This will be retrieved from the freshest CRL extension or property
// on the CRL
//
// URL_OID_CROSS_CERT_DIST_POINT
//
// pvPara == PCCERT_CONTEXT, certificate whose cross certificate distribution
// point is being requested
//
// This will be retrieved from the cross certificate distribution point
// extension or property on the certificate
//
#define URL_OID_CERTIFICATE_ISSUER ((LPCSTR)1)
#define URL_OID_CERTIFICATE_CRL_DIST_POINT ((LPCSTR)2)
#define URL_OID_CTL_ISSUER ((LPCSTR)3)
#define URL_OID_CTL_NEXT_UPDATE ((LPCSTR)4)
#define URL_OID_CRL_ISSUER ((LPCSTR)5)
#define URL_OID_CERTIFICATE_FRESHEST_CRL ((LPCSTR)6)
#define URL_OID_CRL_FRESHEST_CRL ((LPCSTR)7)
#define URL_OID_CROSS_CERT_DIST_POINT ((LPCSTR)8)
typedef struct _CERT_CRL_CONTEXT_PAIR {
PCCERT_CONTEXT pCertContext;
PCCRL_CONTEXT pCrlContext;
} CERT_CRL_CONTEXT_PAIR, *PCERT_CRL_CONTEXT_PAIR;
typedef const CERT_CRL_CONTEXT_PAIR *PCCERT_CRL_CONTEXT_PAIR;
//
// Get a time valid CAPI2 object
//
WINCRYPT32API
BOOL
WINAPI
CryptGetTimeValidObject (
IN LPCSTR pszTimeValidOid,
IN LPVOID pvPara,
IN PCCERT_CONTEXT pIssuer,
IN OPTIONAL LPFILETIME pftValidFor,
IN DWORD dwFlags,
IN DWORD dwTimeout, // milliseconds
OUT OPTIONAL LPVOID* ppvObject,
IN OPTIONAL PCRYPT_CREDENTIALS pCredentials,
IN OPTIONAL LPVOID pvReserved
);
#define TIME_VALID_OID_GET_OBJECT_FUNC "TimeValidDllGetObject"
//
// TimeValidDllGetObject has the same signature as CryptGetTimeValidObject
//
//
// TIME_VALID_OID_GET_CTL
//
// pvPara == PCCTL_CONTEXT, the current CTL
//
// TIME_VALID_OID_GET_CRL
//
// pvPara == PCCRL_CONTEXT, the current CRL
//
// TIME_VALID_OID_GET_CRL_FROM_CERT
//
// pvPara == PCCERT_CONTEXT, the subject cert
//
// TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CERT
//
// pvPara == PCCERT_CONTEXT, the subject cert
//
// TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CRL
//
// pvPara == PCCERT_CRL_CONTEXT_PAIR, the subject cert and its base CRL
//
#define TIME_VALID_OID_GET_CTL ((LPCSTR)1)
#define TIME_VALID_OID_GET_CRL ((LPCSTR)2)
#define TIME_VALID_OID_GET_CRL_FROM_CERT ((LPCSTR)3)
#define TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CERT ((LPCSTR)4)
#define TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CRL ((LPCSTR)5)
WINCRYPT32API
BOOL
WINAPI
CryptFlushTimeValidObject (
IN LPCSTR pszFlushTimeValidOid,
IN LPVOID pvPara,
IN PCCERT_CONTEXT pIssuer,
IN DWORD dwFlags,
IN LPVOID pvReserved
);
#define TIME_VALID_OID_FLUSH_OBJECT_FUNC "TimeValidDllFlushObject"
//
// TimeValidDllFlushObject has the same signature as CryptFlushTimeValidObject
//
//
// TIME_VALID_OID_FLUSH_CTL
//
// pvPara == PCCTL_CONTEXT, the CTL to flush
//
// TIME_VALID_OID_FLUSH_CRL
//
// pvPara == PCCRL_CONTEXT, the CRL to flush
//
// TIME_VALID_OID_FLUSH_CRL_FROM_CERT
//
// pvPara == PCCERT_CONTEXT, the subject cert's CRL to flush
//
// TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CERT
//
// pvPara == PCCERT_CONTEXT, the subject cert's freshest CRL to flush
//
// TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CRL
//
// pvPara == PCCERT_CRL_CONTEXT_PAIR, the subject cert and its base CRL's
// freshest CRL to flush
//
#define TIME_VALID_OID_FLUSH_CTL ((LPCSTR)1)
#define TIME_VALID_OID_FLUSH_CRL ((LPCSTR)2)
#define TIME_VALID_OID_FLUSH_CRL_FROM_CERT ((LPCSTR)3)
#define TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CERT ((LPCSTR)4)
#define TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CRL ((LPCSTR)5)
//-------------------------------------------------------------------------
// Data Protection APIs
//-------------------------------------------------------------------------
//
// Data protection APIs enable applications to easily secure data.
//
// The base provider provides protection based on the users' logon
// credentials. The data secured with these APIs follow the same
// roaming characteristics as HKCU -- if HKCU roams, the data
// protected by the base provider may roam as well. This makes
// the API ideal for the munging of data stored in the registry.
//
//
// Prompt struct -- what to tell users about the access
//
typedef struct _CRYPTPROTECT_PROMPTSTRUCT
{
DWORD cbSize;
DWORD dwPromptFlags;
HWND hwndApp;
LPCWSTR szPrompt;
} CRYPTPROTECT_PROMPTSTRUCT, *PCRYPTPROTECT_PROMPTSTRUCT;
//
// base provider action
//
#define CRYPTPROTECT_DEFAULT_PROVIDER { 0xdf9d8cd0, 0x1501, 0x11d1, {0x8c, 0x7a, 0x00, 0xc0, 0x4f, 0xc2, 0x97, 0xeb} }
//
// CryptProtect PromptStruct dwPromtFlags
//
//
// prompt on unprotect
#define CRYPTPROTECT_PROMPT_ON_UNPROTECT 0x1 // 1<<0
//
// prompt on protect
#define CRYPTPROTECT_PROMPT_ON_PROTECT 0x2 // 1<<1
#define CRYPTPROTECT_PROMPT_RESERVED 0x04 // reserved, do not use.
//
// only allow strong variant UI protection (user supplied password currently).
#define CRYPTPROTECT_PROMPT_STRONG 0x08 // 1<<3
//
// CryptProtectData and CryptUnprotectData dwFlags
//
// for remote-access situations where ui is not an option
// if UI was specified on protect or unprotect operation, the call
// will fail and GetLastError() will indicate ERROR_PASSWORD_RESTRICTION
#define CRYPTPROTECT_UI_FORBIDDEN 0x1
//
// per machine protected data -- any user on machine where CryptProtectData
// took place may CryptUnprotectData
#define CRYPTPROTECT_LOCAL_MACHINE 0x4
//
// force credential synchronize during CryptProtectData()
// Synchronize is only operation that occurs during this operation
#define CRYPTPROTECT_CRED_SYNC 0x8
//
// Generate an Audit on protect and unprotect operations
//
#define CRYPTPROTECT_AUDIT 0x10
//
// Protect data with a non-recoverable key
//
#define CRYPTPROTECT_NO_RECOVERY 0x20
//
// Verify the protection of a protected blob
//
#define CRYPTPROTECT_VERIFY_PROTECTION 0x40
//
// Regenerate the local machine protection
//
#define CRYPTPROTECT_CRED_REGENERATE 0x80
// flags reserved for system use
#define CRYPTPROTECT_FIRST_RESERVED_FLAGVAL 0x0FFFFFFF
#define CRYPTPROTECT_LAST_RESERVED_FLAGVAL 0xFFFFFFFF
//
// flags specific to base provider
//
WINCRYPT32API
BOOL
WINAPI
CryptProtectData(
IN DATA_BLOB* pDataIn,
IN LPCWSTR szDataDescr,
IN OPTIONAL DATA_BLOB* pOptionalEntropy,
IN PVOID pvReserved,
IN OPTIONAL CRYPTPROTECT_PROMPTSTRUCT* pPromptStruct,
IN DWORD dwFlags,
OUT DATA_BLOB* pDataOut // out encr blob
);
WINCRYPT32API
BOOL
WINAPI
CryptUnprotectData(
IN DATA_BLOB* pDataIn, // in encr blob
OUT OPTIONAL LPWSTR* ppszDataDescr, // out
IN OPTIONAL DATA_BLOB* pOptionalEntropy,
IN PVOID pvReserved,
IN OPTIONAL CRYPTPROTECT_PROMPTSTRUCT* pPromptStruct,
IN DWORD dwFlags,
OUT DATA_BLOB* pDataOut
);
//+=========================================================================
// Helper functions to build certificates
//==========================================================================
//+-------------------------------------------------------------------------
//
// Builds a self-signed certificate and returns a PCCERT_CONTEXT representing
// the certificate. A hProv must be specified to build the cert context.
//
// pSubjectIssuerBlob is the DN for the certifcate. If an alternate subject
// name is desired it must be specified as an extension in the pExtensions
// parameter. pSubjectIssuerBlob can NOT be NULL, so minimually an empty DN
// must be specified.
//
// By default:
// pKeyProvInfo - The CSP is queried for the KeyProvInfo parameters. Only the Provider,
// Provider Type and Container is queried. Many CSPs don't support these
// queries and will cause a failure. In such cases the pKeyProvInfo
// must be specified (RSA BASE works fine).
//
// pSignatureAlgorithm - will default to SHA1RSA
// pStartTime will default to the current time
// pEndTime will default to 1 year
// pEntensions will be empty.
//
// The returned PCCERT_CONTEXT will reference the private keys by setting the
// CERT_KEY_PROV_INFO_PROP_ID. However, if this property is not desired specify the
// CERT_CREATE_SELFSIGN_NO_KEY_INFO in dwFlags.
//
// If the cert being built is only a dummy placeholder cert for speed it may not
// need to be signed. Signing of the cert is skipped if CERT_CREATE_SELFSIGN_NO_SIGN
// is specified in dwFlags.
//
//--------------------------------------------------------------------------
WINCRYPT32API
PCCERT_CONTEXT
WINAPI
CertCreateSelfSignCertificate(
IN HCRYPTPROV hProv,
IN PCERT_NAME_BLOB pSubjectIssuerBlob,
IN DWORD dwFlags,
OPTIONAL PCRYPT_KEY_PROV_INFO pKeyProvInfo,
OPTIONAL PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
OPTIONAL PSYSTEMTIME pStartTime,
OPTIONAL PSYSTEMTIME pEndTime,
OPTIONAL PCERT_EXTENSIONS pExtensions
);
#define CERT_CREATE_SELFSIGN_NO_SIGN 1
#define CERT_CREATE_SELFSIGN_NO_KEY_INFO 2
//+=========================================================================
// Key Identifier Property Data Structures and APIs
//==========================================================================
//+-------------------------------------------------------------------------
// Get the property for the specified Key Identifier.
//
// The Key Identifier is the SHA1 hash of the encoded CERT_PUBLIC_KEY_INFO.
// The Key Identifier for a certificate can be obtained by getting the
// certificate's CERT_KEY_IDENTIFIER_PROP_ID. The
// CryptCreateKeyIdentifierFromCSP API can be called to create the Key
// Identifier from a CSP Public Key Blob.
//
// A Key Identifier can have the same properties as a certificate context.
// CERT_KEY_PROV_INFO_PROP_ID is the property of most interest.
// For CERT_KEY_PROV_INFO_PROP_ID, pvData points to a CRYPT_KEY_PROV_INFO
// structure. Elements pointed to by fields in the pvData structure follow the
// structure. Therefore, *pcbData will exceed the size of the structure.
//
// If CRYPT_KEYID_ALLOC_FLAG is set, then, *pvData is updated with a
// pointer to allocated memory. LocalFree() must be called to free the
// allocated memory.
//
// By default, searches the CurrentUser's list of Key Identifiers.
// CRYPT_KEYID_MACHINE_FLAG can be set to search the LocalMachine's list
// of Key Identifiers. When CRYPT_KEYID_MACHINE_FLAG is set, pwszComputerName
// can also be set to specify the name of a remote computer to be searched
// instead of the local machine.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptGetKeyIdentifierProperty(
IN const CRYPT_HASH_BLOB *pKeyIdentifier,
IN DWORD dwPropId,
IN DWORD dwFlags,
IN OPTIONAL LPCWSTR pwszComputerName,
IN OPTIONAL void *pvReserved,
OUT void *pvData,
IN OUT DWORD *pcbData
);
// When the following flag is set, searches the LocalMachine instead of the
// CurrentUser. This flag is applicable to all the KeyIdentifierProperty APIs.
#define CRYPT_KEYID_MACHINE_FLAG 0x00000020
// When the following flag is set, *pvData is updated with a pointer to
// allocated memory. LocalFree() must be called to free the allocated memory.
#define CRYPT_KEYID_ALLOC_FLAG 0x00008000
//+-------------------------------------------------------------------------
// Set the property for the specified Key Identifier.
//
// For CERT_KEY_PROV_INFO_PROP_ID pvData points to the
// CRYPT_KEY_PROV_INFO data structure. For all other properties, pvData
// points to a CRYPT_DATA_BLOB.
//
// Setting pvData == NULL, deletes the property.
//
// Set CRYPT_KEYID_MACHINE_FLAG to set the property for a LocalMachine
// Key Identifier. Set pwszComputerName, to select a remote computer.
//
// If CRYPT_KEYID_DELETE_FLAG is set, the Key Identifier and all its
// properties is deleted.
//
// If CRYPT_KEYID_SET_NEW_FLAG is set, the set fails if the property already
// exists. For an existing property, FALSE is returned with LastError set to
// CRYPT_E_EXISTS.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptSetKeyIdentifierProperty(
IN const CRYPT_HASH_BLOB *pKeyIdentifier,
IN DWORD dwPropId,
IN DWORD dwFlags,
IN OPTIONAL LPCWSTR pwszComputerName,
IN OPTIONAL void *pvReserved,
IN const void *pvData
);
// When the following flag is set, the Key Identifier and all its properties
// are deleted.
#define CRYPT_KEYID_DELETE_FLAG 0x00000010
// When the following flag is set, the set fails if the property already
// exists.
#define CRYPT_KEYID_SET_NEW_FLAG 0x00002000
//+-------------------------------------------------------------------------
// For CERT_KEY_PROV_INFO_PROP_ID, rgppvData[] points to a
// CRYPT_KEY_PROV_INFO.
//
// Return FALSE to stop the enumeration.
//--------------------------------------------------------------------------
typedef BOOL (WINAPI *PFN_CRYPT_ENUM_KEYID_PROP)(
IN const CRYPT_HASH_BLOB *pKeyIdentifier,
IN DWORD dwFlags,
IN void *pvReserved,
IN void *pvArg,
IN DWORD cProp,
IN DWORD *rgdwPropId,
IN void **rgpvData,
IN DWORD *rgcbData
);
//+-------------------------------------------------------------------------
// Enumerate the Key Identifiers.
//
// If pKeyIdentifier is NULL, enumerates all Key Identifers. Otherwise,
// calls the callback for the specified KeyIdentifier. If dwPropId is
// 0, calls the callback with all the properties. Otherwise, only calls
// the callback with the specified property (cProp = 1).
// Furthermore, when dwPropId is specified, skips KeyIdentifiers not
// having the property.
//
// Set CRYPT_KEYID_MACHINE_FLAG to enumerate the LocalMachine
// Key Identifiers. Set pwszComputerName, to enumerate Key Identifiers on
// a remote computer.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptEnumKeyIdentifierProperties(
IN OPTIONAL const CRYPT_HASH_BLOB *pKeyIdentifier,
IN DWORD dwPropId,
IN DWORD dwFlags,
IN OPTIONAL LPCWSTR pwszComputerName,
IN OPTIONAL void *pvReserved,
IN OPTIONAL void *pvArg,
IN PFN_CRYPT_ENUM_KEYID_PROP pfnEnum
);
//+-------------------------------------------------------------------------
// Create a KeyIdentifier from the CSP Public Key Blob.
//
// Converts the CSP PUBLICKEYSTRUC into a X.509 CERT_PUBLIC_KEY_INFO and
// encodes. The encoded CERT_PUBLIC_KEY_INFO is SHA1 hashed to obtain
// the Key Identifier.
//
// By default, the pPubKeyStruc->aiKeyAlg is used to find the appropriate
// public key Object Identifier. pszPubKeyOID can be set to override
// the default OID obtained from the aiKeyAlg.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CryptCreateKeyIdentifierFromCSP(
IN DWORD dwCertEncodingType,
IN OPTIONAL LPCSTR pszPubKeyOID,
IN const PUBLICKEYSTRUC *pPubKeyStruc,
IN DWORD cbPubKeyStruc,
IN DWORD dwFlags,
IN OPTIONAL void *pvReserved,
OUT BYTE *pbHash,
IN OUT DWORD *pcbHash
);
//+=========================================================================
// Certificate Chaining Infrastructure
//==========================================================================
//
// The chain engine defines the store namespace and cache partitioning for
// the Certificate Chaining infrastructure. A default chain engine
// is defined for the process which uses all default system stores e.g.
// Root, CA, Trust, for chain building and caching. If an application
// wishes to define its own store namespace or have its own partitioned
// cache then it can create its own chain engine. It is advisable to create
// a chain engine at application startup and use it throughout the lifetime
// of the application in order to get optimal caching behavior
//
typedef HANDLE HCERTCHAINENGINE;
#define HCCE_CURRENT_USER ((HCERTCHAINENGINE)NULL)
#define HCCE_LOCAL_MACHINE ((HCERTCHAINENGINE)0x1)
//
// Create a certificate chain engine.
//
//
// Configuration parameters for the certificate chain engine
//
// hRestrictedRoot - restrict the root store (must be a subset of "Root")
//
// hRestrictedTrust - restrict the store for CTLs
//
// hRestrictedOther - restrict the store for certs and CRLs
//
// cAdditionalStore, rghAdditionalStore - additional stores
//
// NOTE: The algorithm used to define the stores for the engine is as
// follows:
//
// hRoot = hRestrictedRoot or System Store "Root"
//
// hTrust = hRestrictedTrust or hWorld (defined later)
//
// hOther = hRestrictedOther or (hRestrictedTrust == NULL) ? hWorld :
// hRestrictedTrust + hWorld
//
// hWorld = hRoot + "CA" + "My" + "Trust" + rghAdditionalStore
//
// dwFlags - flags
//
// CERT_CHAIN_CACHE_END_CERT - information will be cached on
// the end cert as well as the other
// certs in the chain
//
// CERT_CHAIN_THREAD_STORE_SYNC - use separate thread for store syncs
// and related cache updates
//
// CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL - don't hit the wire to get
// URL based objects
//
// dwUrlRetrievalTimeout - timeout for wire based URL object retrievals
// (milliseconds)
//
#define CERT_CHAIN_CACHE_END_CERT 0x00000001
#define CERT_CHAIN_THREAD_STORE_SYNC 0x00000002
#define CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL 0x00000004
#define CERT_CHAIN_USE_LOCAL_MACHINE_STORE 0x00000008
#define CERT_CHAIN_ENABLE_CACHE_AUTO_UPDATE 0x00000010
#define CERT_CHAIN_ENABLE_SHARE_STORE 0x00000020
typedef struct _CERT_CHAIN_ENGINE_CONFIG {
DWORD cbSize;
HCERTSTORE hRestrictedRoot;
HCERTSTORE hRestrictedTrust;
HCERTSTORE hRestrictedOther;
DWORD cAdditionalStore;
HCERTSTORE* rghAdditionalStore;
DWORD dwFlags;
DWORD dwUrlRetrievalTimeout; // milliseconds
DWORD MaximumCachedCertificates;
DWORD CycleDetectionModulus;
} CERT_CHAIN_ENGINE_CONFIG, *PCERT_CHAIN_ENGINE_CONFIG;
WINCRYPT32API
BOOL
WINAPI
CertCreateCertificateChainEngine (
IN PCERT_CHAIN_ENGINE_CONFIG pConfig,
OUT HCERTCHAINENGINE* phChainEngine
);
//
// Free a certificate trust engine
//
WINCRYPT32API
VOID
WINAPI
CertFreeCertificateChainEngine (
IN HCERTCHAINENGINE hChainEngine
);
//
// Resync the certificate chain engine. This resync's the stores backing
// the engine and updates the engine caches.
//
WINCRYPT32API
BOOL
WINAPI
CertResyncCertificateChainEngine (
IN HCERTCHAINENGINE hChainEngine
);
//
// When an application requests a certificate chain, the data structure
// returned is in the form of a CERT_CHAIN_CONTEXT. This contains
// an array of CERT_SIMPLE_CHAIN where each simple chain goes from
// an end cert to a self signed cert and the chain context connects simple
// chains via trust lists. Each simple chain contains the chain of
// certificates, summary trust information about the chain and trust information
// about each certificate element in the chain.
//
//
// Trust status bits
//
typedef struct _CERT_TRUST_STATUS {
DWORD dwErrorStatus;
DWORD dwInfoStatus;
} CERT_TRUST_STATUS, *PCERT_TRUST_STATUS;
//
// The following are error status bits
//
// These can be applied to certificates and chains
#define CERT_TRUST_NO_ERROR 0x00000000
#define CERT_TRUST_IS_NOT_TIME_VALID 0x00000001
#define CERT_TRUST_IS_NOT_TIME_NESTED 0x00000002
#define CERT_TRUST_IS_REVOKED 0x00000004
#define CERT_TRUST_IS_NOT_SIGNATURE_VALID 0x00000008
#define CERT_TRUST_IS_NOT_VALID_FOR_USAGE 0x00000010
#define CERT_TRUST_IS_UNTRUSTED_ROOT 0x00000020
#define CERT_TRUST_REVOCATION_STATUS_UNKNOWN 0x00000040
#define CERT_TRUST_IS_CYCLIC 0x00000080
#define CERT_TRUST_INVALID_EXTENSION 0x00000100
#define CERT_TRUST_INVALID_POLICY_CONSTRAINTS 0x00000200
#define CERT_TRUST_INVALID_BASIC_CONSTRAINTS 0x00000400
#define CERT_TRUST_INVALID_NAME_CONSTRAINTS 0x00000800
#define CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT 0x00001000
#define CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT 0x00002000
#define CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT 0x00004000
#define CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT 0x00008000
#define CERT_TRUST_IS_OFFLINE_REVOCATION 0x01000000
#define CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY 0x02000000
// These can be applied to chains only
#define CERT_TRUST_IS_PARTIAL_CHAIN 0x00010000
#define CERT_TRUST_CTL_IS_NOT_TIME_VALID 0x00020000
#define CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID 0x00040000
#define CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE 0x00080000
//
// The following are info status bits
//
// These can be applied to certificates only
#define CERT_TRUST_HAS_EXACT_MATCH_ISSUER 0x00000001
#define CERT_TRUST_HAS_KEY_MATCH_ISSUER 0x00000002
#define CERT_TRUST_HAS_NAME_MATCH_ISSUER 0x00000004
#define CERT_TRUST_IS_SELF_SIGNED 0x00000008
// These can be applied to certificates and chains
#define CERT_TRUST_HAS_PREFERRED_ISSUER 0x00000100
#define CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY 0x00000200
#define CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS 0x00000400
// These can be applied to chains only
#define CERT_TRUST_IS_COMPLEX_CHAIN 0x00010000
//
// Each certificate context in a simple chain has a corresponding chain element
// in the simple chain context
//
// dwErrorStatus has CERT_TRUST_IS_REVOKED, pRevocationInfo set
// dwErrorStatus has CERT_TRUST_REVOCATION_STATUS_UNKNOWN, pRevocationInfo set
//
// Note that the post processing revocation supported in the first
// version only sets cbSize and dwRevocationResult. Everything else
// is NULL
//
//
// Revocation Information
//
typedef struct _CERT_REVOCATION_INFO {
DWORD cbSize;
DWORD dwRevocationResult;
LPCSTR pszRevocationOid;
LPVOID pvOidSpecificInfo;
// fHasFreshnessTime is only set if we are able to retrieve revocation
// information. For a CRL its CurrentTime - ThisUpdate.
BOOL fHasFreshnessTime;
DWORD dwFreshnessTime; // seconds
// NonNULL for CRL base revocation checking
PCERT_REVOCATION_CRL_INFO pCrlInfo;
} CERT_REVOCATION_INFO, *PCERT_REVOCATION_INFO;
//
// Trust List Information
//
typedef struct _CERT_TRUST_LIST_INFO {
DWORD cbSize;
PCTL_ENTRY pCtlEntry;
PCCTL_CONTEXT pCtlContext;
} CERT_TRUST_LIST_INFO, *PCERT_TRUST_LIST_INFO;
//
// Chain Element
//
typedef struct _CERT_CHAIN_ELEMENT {
DWORD cbSize;
PCCERT_CONTEXT pCertContext;
CERT_TRUST_STATUS TrustStatus;
PCERT_REVOCATION_INFO pRevocationInfo;
PCERT_ENHKEY_USAGE pIssuanceUsage; // If NULL, any
PCERT_ENHKEY_USAGE pApplicationUsage; // If NULL, any
LPCWSTR pwszExtendedErrorInfo; // If NULL, none
} CERT_CHAIN_ELEMENT, *PCERT_CHAIN_ELEMENT;
//
// The simple chain is an array of chain elements and a summary trust status
// for the chain
//
// rgpElements[0] is the end certificate chain element
//
// rgpElements[cElement-1] is the self-signed "root" certificate chain element
//
typedef struct _CERT_SIMPLE_CHAIN {
DWORD cbSize;
CERT_TRUST_STATUS TrustStatus;
DWORD cElement;
PCERT_CHAIN_ELEMENT* rgpElement;
PCERT_TRUST_LIST_INFO pTrustListInfo;
// fHasRevocationFreshnessTime is only set if we are able to retrieve
// revocation information for all elements checked for revocation.
// For a CRL its CurrentTime - ThisUpdate.
//
// dwRevocationFreshnessTime is the largest time across all elements
// checked.
BOOL fHasRevocationFreshnessTime;
DWORD dwRevocationFreshnessTime; // seconds
} CERT_SIMPLE_CHAIN, *PCERT_SIMPLE_CHAIN;
//
// And the chain context contains an array of simple chains and summary trust
// status for all the connected simple chains
//
// rgpChains[0] is the end certificate simple chain
//
// rgpChains[cChain-1] is the final (possibly trust list signer) chain which
// ends in a certificate which is contained in the root store
//
typedef struct _CERT_CHAIN_CONTEXT CERT_CHAIN_CONTEXT, *PCERT_CHAIN_CONTEXT;
typedef const CERT_CHAIN_CONTEXT *PCCERT_CHAIN_CONTEXT;
struct _CERT_CHAIN_CONTEXT {
DWORD cbSize;
CERT_TRUST_STATUS TrustStatus;
DWORD cChain;
PCERT_SIMPLE_CHAIN* rgpChain;
// Following is returned when CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS
// is set in dwFlags
DWORD cLowerQualityChainContext;
PCCERT_CHAIN_CONTEXT* rgpLowerQualityChainContext;
// fHasRevocationFreshnessTime is only set if we are able to retrieve
// revocation information for all elements checked for revocation.
// For a CRL its CurrentTime - ThisUpdate.
//
// dwRevocationFreshnessTime is the largest time across all elements
// checked.
BOOL fHasRevocationFreshnessTime;
DWORD dwRevocationFreshnessTime; // seconds
};
//
// When building a chain, the there are various parameters used for finding
// issuing certificates and trust lists. They are identified in the
// following structure
//
// Default usage match type is AND with value zero
#define USAGE_MATCH_TYPE_AND 0x00000000
#define USAGE_MATCH_TYPE_OR 0x00000001
typedef struct _CERT_USAGE_MATCH {
DWORD dwType;
CERT_ENHKEY_USAGE Usage;
} CERT_USAGE_MATCH, *PCERT_USAGE_MATCH;
typedef struct _CTL_USAGE_MATCH {
DWORD dwType;
CTL_USAGE Usage;
} CTL_USAGE_MATCH, *PCTL_USAGE_MATCH;
typedef struct _CERT_CHAIN_PARA {
DWORD cbSize;
CERT_USAGE_MATCH RequestedUsage;
#ifdef CERT_CHAIN_PARA_HAS_EXTRA_FIELDS
// Note, if you #define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS, then, you
// must zero all unused fields in this data structure.
// More fields could be added in a future release.
CERT_USAGE_MATCH RequestedIssuancePolicy;
DWORD dwUrlRetrievalTimeout; // milliseconds
BOOL fCheckRevocationFreshnessTime;
DWORD dwRevocationFreshnessTime; // seconds
#endif
} CERT_CHAIN_PARA, *PCERT_CHAIN_PARA;
//
// The following API is used for retrieving certificate chains
//
// Parameters:
//
// hChainEngine - the chain engine (namespace and cache) to use, NULL
// mean use the default chain engine
//
// pCertContext - the context we are retrieving the chain for, it
// will be the zero index element in the chain
//
// pTime - the point in time that we want the chain validated
// for. Note that the time does not affect trust list,
// revocation, or root store checking. NULL means use
// the current system time
//
// hAdditionalStore - additional store to use when looking up objects
//
// pChainPara - parameters for chain building
//
// dwFlags - flags such as should revocation checking be done
// on the chain?
//
// pvReserved - reserved parameter, must be NULL
//
// ppChainContext - chain context returned
//
// CERT_CHAIN_CACHE_END_CERT can be used here as well
// Revocation flags are in the high nibble
#define CERT_CHAIN_REVOCATION_CHECK_END_CERT 0x10000000
#define CERT_CHAIN_REVOCATION_CHECK_CHAIN 0x20000000
#define CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x40000000
#define CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY 0x80000000
// By default, the dwUrlRetrievalTimeout in pChainPara is the timeout used
// for each revocation URL wire retrieval. When the following flag is set,
// dwUrlRetrievalTimeout is the accumulative timeout across all
// revocation URL wire retrievals.
#define CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT 0x08000000
// First pass determines highest quality based upon:
// - Chain signature valid (higest quality bit of this set)
// - Complete chain
// - Trusted root (lowestest quality bit of this set)
// By default, second pass only considers paths >= highest first pass quality
#define CERT_CHAIN_DISABLE_PASS1_QUALITY_FILTERING 0x00000040
#define CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS 0x00000080
#define CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE 0x00000100
// When this flag is set, pTime will be used as the timestamp time.
// pTime will be used to determine if the end certificate was valid at this
// time. Revocation checking will be relative to pTime.
// In addition, current time will also be used
// to determine if the certificate is still time valid. All remaining
// CA and root certificates will be checked using current time and not pTime.
//
// This flag was added 4/5/01 in WXP.
#define CERT_CHAIN_TIMESTAMP_TIME 0x00000200
WINCRYPT32API
BOOL
WINAPI
CertGetCertificateChain (
IN OPTIONAL HCERTCHAINENGINE hChainEngine,
IN PCCERT_CONTEXT pCertContext,
IN OPTIONAL LPFILETIME pTime,
IN OPTIONAL HCERTSTORE hAdditionalStore,
IN PCERT_CHAIN_PARA pChainPara,
IN DWORD dwFlags,
IN LPVOID pvReserved,
OUT PCCERT_CHAIN_CONTEXT* ppChainContext
);
//
// Free a certificate chain
//
WINCRYPT32API
VOID
WINAPI
CertFreeCertificateChain (
IN PCCERT_CHAIN_CONTEXT pChainContext
);
//
// Duplicate (add a reference to) a certificate chain
//
WINCRYPT32API
PCCERT_CHAIN_CONTEXT
WINAPI
CertDuplicateCertificateChain (
IN PCCERT_CHAIN_CONTEXT pChainContext
);
//
// Specific Revocation Type OID and structure definitions
//
//
// CRL Revocation OID
//
#define REVOCATION_OID_CRL_REVOCATION ((LPCSTR)1)
//
// For the CRL revocation OID the pvRevocationPara is NULL
//
//
// CRL Revocation Info
//
typedef struct _CRL_REVOCATION_INFO {
PCRL_ENTRY pCrlEntry;
PCCRL_CONTEXT pCrlContext;
PCCERT_CHAIN_CONTEXT pCrlIssuerChain;
} CRL_REVOCATION_INFO, *PCRL_REVOCATION_INFO;
//+-------------------------------------------------------------------------
// Find the first or next certificate chain context in the store.
//
// The chain context is found according to the dwFindFlags, dwFindType and
// its pvFindPara. See below for a list of the find types and its parameters.
//
// If the first or next chain context isn't found, NULL is returned.
// Otherwise, a pointer to a read only CERT_CHAIN_CONTEXT is returned.
// CERT_CHAIN_CONTEXT must be freed by calling CertFreeCertificateChain
// or is freed when passed as the
// pPrevChainContext on a subsequent call. CertDuplicateCertificateChain
// can be called to make a duplicate.
//
// pPrevChainContext MUST BE NULL on the first
// call to find the chain context. To find the next chain context, the
// pPrevChainContext is set to the CERT_CHAIN_CONTEXT returned by a previous
// call.
//
// NOTE: a NON-NULL pPrevChainContext is always CertFreeCertificateChain'ed by
// this function, even for an error.
//--------------------------------------------------------------------------
WINCRYPT32API
PCCERT_CHAIN_CONTEXT
WINAPI
CertFindChainInStore(
IN HCERTSTORE hCertStore,
IN DWORD dwCertEncodingType,
IN DWORD dwFindFlags,
IN DWORD dwFindType,
IN const void *pvFindPara,
IN PCCERT_CHAIN_CONTEXT pPrevChainContext
);
#define CERT_CHAIN_FIND_BY_ISSUER 1
//+-------------------------------------------------------------------------
// CERT_CHAIN_FIND_BY_ISSUER
//
// Find a certificate chain having a private key for the end certificate and
// matching one of the given issuer names. A matching dwKeySpec and
// enhanced key usage can also be specified. Additionally a callback can
// be provided for even more caller provided filtering before building the
// chain.
//
// By default, only the issuers in the first simple chain are compared
// for a name match. CERT_CHAIN_FIND_BY_ISSUER_COMPLEX_CHAIN_FLAG can
// be set in dwFindFlags to match issuers in all the simple chains.
//
// CERT_CHAIN_FIND_BY_ISSUER_NO_KEY_FLAG can be set in dwFindFlags to
// not check if the end certificate has a private key.
//
// CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG can be set in dwFindFlags
// to compare the public key in the end certificate with the crypto
// provider's public key. The dwAcquirePrivateKeyFlags can be set
// in CERT_CHAIN_FIND_BY_ISSUER_PARA to enable caching of the private key's
// HKEY returned by the CSP.
//
// If dwCertEncodingType == 0, defaults to X509_ASN_ENCODING for the
// array of encoded issuer names.
//
// By default, the hCertStore passed to CertFindChainInStore, is passed
// as an additional store to CertGetCertificateChain.
// CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_FLAG can be set in dwFindFlags
// to improve performance by only searching the cached system stores
// (root, my, ca, trust) to find the issuer certificates. If you are doing
// a find in the "my" system store, than, this flag should be set to
// improve performance.
//
// Setting CERT_CHAIN_FIND_BY_ISSUER_LOCAL_MACHINE_FLAG in dwFindFlags
// restricts CertGetCertificateChain to search the Local Machine
// cached system stores instead of the Current User's.
//
// Setting CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG in dwFindFlags
// restricts CertGetCertificateChain to only search the URL cache
// and not hit the wire.
//--------------------------------------------------------------------------
// Returns FALSE to skip this certificate. Otherwise, returns TRUE to
// build a chain for this certificate.
typedef BOOL (WINAPI *PFN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK)(
IN PCCERT_CONTEXT pCert,
IN void *pvFindArg
);
typedef struct _CERT_CHAIN_FIND_BY_ISSUER_PARA {
DWORD cbSize;
// If pszUsageIdentifier == NULL, matches any usage.
LPCSTR pszUsageIdentifier;
// If dwKeySpec == 0, matches any KeySpec
DWORD dwKeySpec;
// When CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG is set in dwFindFlags,
// CryptAcquireCertificatePrivateKey is called to do the public key
// comparison. The following flags can be set to enable caching
// of the acquired private key or suppress CSP UI. See the API for more
// details on these flags.
DWORD dwAcquirePrivateKeyFlags;
// Pointer to an array of X509, ASN.1 encoded issuer name blobs. If
// cIssuer == 0, matches any issuer
DWORD cIssuer;
CERT_NAME_BLOB *rgIssuer;
// If NULL or Callback returns TRUE, builds the chain for the end
// certificate having a private key with the specified KeySpec and
// enhanced key usage.
PFN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK pfnFindCallback;
void *pvFindArg;
#ifdef CERT_CHAIN_FIND_BY_ISSUER_PARA_HAS_EXTRA_FIELDS
// Note, if you #define CERT_CHAIN_FIND_BY_ISSUER_PARA_HAS_EXTRA_FIELDS,
// then, you must zero all unused fields in this data structure.
// More fields could be added in a future release.
// If the following pointers are nonNull, returns the index of the
// matching issuer certificate, which is at:
// pChainContext->
// rgpChain[*pdwIssuerChainIndex]->rgpElement[*pdwIssuerElementIndex].
//
// The issuer name blob is compared against the Issuer field in the
// certificate. The *pdwIssuerElementIndex is set to the index of this
// subject certificate + 1. Therefore, its possible for a partial chain or
// a self signed certificate matching the name blob, where
// *pdwIssuerElementIndex points past the last certificate in the chain.
//
// Note, not updated if the above cIssuer == 0.
DWORD *pdwIssuerChainIndex;
DWORD *pdwIssuerElementIndex;
#endif
} CERT_CHAIN_FIND_ISSUER_PARA, *PCERT_CHAIN_FIND_ISSUER_PARA,
CERT_CHAIN_FIND_BY_ISSUER_PARA, *PCERT_CHAIN_FIND_BY_ISSUER_PARA;
// The following dwFindFlags can be set for CERT_CHAIN_FIND_BY_ISSUER
// If set, compares the public key in the end certificate with the crypto
// provider's public key. This comparison is the last check made on the
// build chain.
#define CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG 0x0001
// If not set, only checks the first simple chain for an issuer name match.
// When set, also checks second and subsequent simple chains.
#define CERT_CHAIN_FIND_BY_ISSUER_COMPLEX_CHAIN_FLAG 0x0002
// If set, CertGetCertificateChain only searches the URL cache and
// doesn't hit the wire.
#define CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG 0x0004
// If set, CertGetCertificateChain only opens the Local Machine
// certificate stores instead of the Current User's.
#define CERT_CHAIN_FIND_BY_ISSUER_LOCAL_MACHINE_FLAG 0x0008
// If set, no check is made to see if the end certificate has a private
// key associated with it.
#define CERT_CHAIN_FIND_BY_ISSUER_NO_KEY_FLAG 0x4000
// By default, the hCertStore passed to CertFindChainInStore, is passed
// as the additional store to CertGetCertificateChain. This flag can be
// set to improve performance by only searching the cached system stores
// (root, my, ca, trust) to find the issuer certificates. If not set, then,
// the hCertStore is always searched in addition to the cached system
// stores.
#define CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_FLAG 0x8000
//+=========================================================================
// Certificate Chain Policy Data Structures and APIs
//==========================================================================
typedef struct _CERT_CHAIN_POLICY_PARA {
DWORD cbSize;
DWORD dwFlags;
void *pvExtraPolicyPara; // pszPolicyOID specific
} CERT_CHAIN_POLICY_PARA, *PCERT_CHAIN_POLICY_PARA;
// If both lChainIndex and lElementIndex are set to -1, the dwError applies
// to the whole chain context. If only lElementIndex is set to -1, the
// dwError applies to the lChainIndex'ed chain. Otherwise, the dwError applies
// to the certificate element at
// pChainContext->rgpChain[lChainIndex]->rgpElement[lElementIndex].
typedef struct _CERT_CHAIN_POLICY_STATUS {
DWORD cbSize;
DWORD dwError;
LONG lChainIndex;
LONG lElementIndex;
void *pvExtraPolicyStatus; // pszPolicyOID specific
} CERT_CHAIN_POLICY_STATUS, *PCERT_CHAIN_POLICY_STATUS;
// Common chain policy flags
#define CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG 0x00000001
#define CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG 0x00000002
#define CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG 0x00000004
#define CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG 0x00000008
#define CERT_CHAIN_POLICY_IGNORE_ALL_NOT_TIME_VALID_FLAGS (
CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG |
CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG |
CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG
)
#define CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG 0x00000010
#define CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG 0x00000020
#define CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG 0x00000040
#define CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG 0x00000080
#define CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG 0x00000100
#define CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG 0x00000200
#define CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG 0x00000400
#define CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG 0x00000800
#define CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS (
CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG |
CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG |
CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG |
CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG
)
#define CERT_CHAIN_POLICY_ALLOW_TESTROOT_FLAG 0x00008000
#define CERT_CHAIN_POLICY_TRUST_TESTROOT_FLAG 0x00004000
//+-------------------------------------------------------------------------
// Verify that the certificate chain satisfies the specified policy
// requirements. If we were able to verify the chain policy, TRUE is returned
// and the dwError field of the pPolicyStatus is updated. A dwError of 0
// (ERROR_SUCCESS, S_OK) indicates the chain satisfies the specified policy.
//
// If dwError applies to the entire chain context, both lChainIndex and
// lElementIndex are set to -1. If dwError applies to a simple chain,
// lElementIndex is set to -1 and lChainIndex is set to the index of the
// first offending chain having the error. If dwError applies to a
// certificate element, lChainIndex and lElementIndex are updated to
// index the first offending certificate having the error, where, the
// the certificate element is at:
// pChainContext->rgpChain[lChainIndex]->rgpElement[lElementIndex].
//
// The dwFlags in pPolicyPara can be set to change the default policy checking
// behaviour. In addition, policy specific parameters can be passed in
// the pvExtraPolicyPara field of pPolicyPara.
//
// In addition to returning dwError, in pPolicyStatus, policy OID specific
// extra status may be returned via pvExtraPolicyStatus.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
CertVerifyCertificateChainPolicy(
IN LPCSTR pszPolicyOID,
IN PCCERT_CHAIN_CONTEXT pChainContext,
IN PCERT_CHAIN_POLICY_PARA pPolicyPara,
IN OUT PCERT_CHAIN_POLICY_STATUS pPolicyStatus
);
// Predefined OID Function Names
#define CRYPT_OID_VERIFY_CERTIFICATE_CHAIN_POLICY_FUNC
"CertDllVerifyCertificateChainPolicy"
// CertDllVerifyCertificateChainPolicy has same function signature as
// CertVerifyCertificateChainPolicy.
//+-------------------------------------------------------------------------
// Predefined verify chain policies
//--------------------------------------------------------------------------
#define CERT_CHAIN_POLICY_BASE ((LPCSTR) 1)
#define CERT_CHAIN_POLICY_AUTHENTICODE ((LPCSTR) 2)
#define CERT_CHAIN_POLICY_AUTHENTICODE_TS ((LPCSTR) 3)
#define CERT_CHAIN_POLICY_SSL ((LPCSTR) 4)
#define CERT_CHAIN_POLICY_BASIC_CONSTRAINTS ((LPCSTR) 5)
#define CERT_CHAIN_POLICY_NT_AUTH ((LPCSTR) 6)
#define CERT_CHAIN_POLICY_MICROSOFT_ROOT ((LPCSTR) 7)
//+-------------------------------------------------------------------------
// CERT_CHAIN_POLICY_BASE
//
// Implements the base chain policy verification checks. dwFlags can
// be set in pPolicyPara to alter the default policy checking behaviour.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_CHAIN_POLICY_AUTHENTICODE
//
// Implements the Authenticode chain policy verification checks.
//
// pvExtraPolicyPara may optionally be set to point to the following
// AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA.
//
// pvExtraPolicyStatus may optionally be set to point to the following
// AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS.
//--------------------------------------------------------------------------
// dwRegPolicySettings are defined in wintrust.h
typedef struct _AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA {
DWORD cbSize;
DWORD dwRegPolicySettings;
PCMSG_SIGNER_INFO pSignerInfo; // optional
} AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA,
*PAUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA;
typedef struct _AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS {
DWORD cbSize;
BOOL fCommercial; // obtained from signer statement
} AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS,
*PAUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS;
//+-------------------------------------------------------------------------
// CERT_CHAIN_POLICY_AUTHENTICODE_TS
//
// Implements the Authenticode Time Stamp chain policy verification checks.
//
// pvExtraPolicyPara may optionally be set to point to the following
// AUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA.
//
// pvExtraPolicyStatus isn't used and must be set to NULL.
//--------------------------------------------------------------------------
// dwRegPolicySettings are defined in wintrust.h
typedef struct _AUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA {
DWORD cbSize;
DWORD dwRegPolicySettings;
BOOL fCommercial;
} AUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA,
*PAUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA;
//+-------------------------------------------------------------------------
// CERT_CHAIN_POLICY_SSL
//
// Implements the SSL client/server chain policy verification checks.
//
// pvExtraPolicyPara may optionally be set to point to the following
// SSL_EXTRA_CERT_CHAIN_POLICY_PARA data structure
//--------------------------------------------------------------------------
// fdwChecks flags are defined in wininet.h
typedef struct _HTTPSPolicyCallbackData
{
union {
DWORD cbStruct; // sizeof(HTTPSPolicyCallbackData);
DWORD cbSize; // sizeof(HTTPSPolicyCallbackData);
};
DWORD dwAuthType;
# define AUTHTYPE_CLIENT 1
# define AUTHTYPE_SERVER 2
DWORD fdwChecks;
WCHAR *pwszServerName; // used to check against CN=xxxx
} HTTPSPolicyCallbackData, *PHTTPSPolicyCallbackData,
SSL_EXTRA_CERT_CHAIN_POLICY_PARA, *PSSL_EXTRA_CERT_CHAIN_POLICY_PARA;
//+-------------------------------------------------------------------------
// CERT_CHAIN_POLICY_BASIC_CONSTRAINTS
//
// Implements the basic constraints chain policy.
//
// Iterates through all the certificates in the chain checking for either
// a szOID_BASIC_CONSTRAINTS or a szOID_BASIC_CONSTRAINTS2 extension. If
// neither extension is present, the certificate is assumed to have
// valid policy. Otherwise, for the first certificate element, checks if
// it matches the expected CA_FLAG or END_ENTITY_FLAG specified in
// pPolicyPara->dwFlags. If neither or both flags are set, then, the first
// element can be either a CA or END_ENTITY. All other elements must be
// a CA. If the PathLenConstraint is present in the extension, its
// checked.
//
// The first elements in the remaining simple chains (ie, the certificate
// used to sign the CTL) are checked to be an END_ENTITY.
//
// If this verification fails, dwError will be set to
// TRUST_E_BASIC_CONSTRAINTS.
//--------------------------------------------------------------------------
#define BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_CA_FLAG 0x80000000
#define BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_END_ENTITY_FLAG 0x40000000
//+-------------------------------------------------------------------------
// CERT_CHAIN_POLICY_NT_AUTH
//
// Implements the NT Authentication chain policy.
//
// The NT Authentication chain policy consists of 3 distinct chain
// verifications in the following order:
// [1] CERT_CHAIN_POLICY_BASE - Implements the base chain policy
// verification checks. The LOWORD of dwFlags can be set in
// pPolicyPara to alter the default policy checking behaviour. See
// CERT_CHAIN_POLICY_BASE for more details.
//
// [2] CERT_CHAIN_POLICY_BASIC_CONSTRAINTS - Implements the basic
// constraints chain policy. The HIWORD of dwFlags can be set
// to specify if the first element must be either a CA or END_ENTITY.
// See CERT_CHAIN_POLICY_BASIC_CONSTRAINTS for more details.
//
// [3] Checks if the second element in the chain, the CA that issued
// the end certificate, is a trusted CA for NT
// Authentication. A CA is considered to be trusted if it exists in
// the "NTAuth" system registry store found in the
// CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE store location.
// If this verification fails, whereby the CA isn't trusted,
// dwError is set to CERT_E_UNTRUSTEDCA.
//
// If CERT_PROT_ROOT_DISABLE_NT_AUTH_REQUIRED_FLAG is set
// in the "Flags" value of the HKLM policy "ProtectedRoots" subkey
// defined by CERT_PROT_ROOT_FLAGS_REGPATH, then,
// if the above check fails, checks if the chain
// has CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS set in dwInfoStatus. This
// will only be set if there was a valid name constraint for all
// name spaces including UPN. If the chain doesn't have this info
// status set, dwError is set to CERT_E_UNTRUSTEDCA.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_CHAIN_POLICY_MICROSOFT_ROOT
//
// Checks if the last element of the first simple chain contains a
// Microsoft root public key. If it doesn't contain a Microsoft root
// public key, dwError is set to CERT_E_UNTRUSTEDROOT.
//
// pvExtraPolicyPara and pvExtraPolicyStatus aren't used and must be set
// to NULL.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// convert formatted string to binary
// If cchString is 0, then pszString is NULL terminated and
// cchString is obtained via strlen() + 1.
// dwFlags defines string format
// if pbBinary is NULL, *pcbBinary returns the size of required memory
// *pdwSkip returns the character count of skipped strings, optional
// *pdwFlags returns the actual format used in the conversion, optional
//--------------------------------------------------------------------------
WINCRYPT32STRINGAPI
BOOL
WINAPI
CryptStringToBinaryA(
IN LPCSTR pszString,
IN DWORD cchString,
IN DWORD dwFlags,
IN BYTE *pbBinary,
IN OUT DWORD *pcbBinary,
OUT DWORD *pdwSkip, //OPTIONAL
OUT DWORD *pdwFlags //OPTIONAL
);
//+-------------------------------------------------------------------------
// convert formatted string to binary
// If cchString is 0, then pszString is NULL terminated and
// cchString is obtained via strlen() + 1.
// dwFlags defines string format
// if pbBinary is NULL, *pcbBinary returns the size of required memory
// *pdwSkip returns the character count of skipped strings, optional
// *pdwFlags returns the actual format used in the conversion, optional
//--------------------------------------------------------------------------
WINCRYPT32STRINGAPI
BOOL
WINAPI
CryptStringToBinaryW(
IN LPCWSTR pszString,
IN DWORD cchString,
IN DWORD dwFlags,
IN BYTE *pbBinary,
IN OUT DWORD *pcbBinary,
OUT DWORD *pdwSkip, //OPTIONAL
OUT DWORD *pdwFlags //OPTIONAL
);
#ifdef UNICODE
#define CryptStringToBinary CryptStringToBinaryW
#else
#define CryptStringToBinary CryptStringToBinaryA
#endif // !UNICODE
//+-------------------------------------------------------------------------
// convert binary to formatted string
// dwFlags defines string format
// if pszString is NULL, *pcchString returns the size of required memory in byte
//--------------------------------------------------------------------------
WINCRYPT32STRINGAPI
BOOL
WINAPI
CryptBinaryToStringA(
IN CONST BYTE *pbBinary,
IN DWORD cbBinary,
IN DWORD dwFlags,
IN LPSTR pszString,
IN OUT DWORD *pcchString
);
//+-------------------------------------------------------------------------
// convert binary to formatted string
// dwFlags defines string format
// if pszString is NULL, *pcchString returns the size of required memory in byte
//--------------------------------------------------------------------------
WINCRYPT32STRINGAPI
BOOL
WINAPI
CryptBinaryToStringW(
IN CONST BYTE *pbBinary,
IN DWORD cbBinary,
IN DWORD dwFlags,
IN LPWSTR pszString,
IN OUT DWORD *pcchString
);
#ifdef UNICODE
#define CryptBinaryToString CryptBinaryToStringW
#else
#define CryptBinaryToString CryptBinaryToStringA
#endif // !UNICODE
// dwFlags has the following defines
#define CRYPT_STRING_BASE64HEADER 0x00000000
#define CRYPT_STRING_BASE64 0x00000001
#define CRYPT_STRING_BINARY 0x00000002
#define CRYPT_STRING_BASE64REQUESTHEADER 0x00000003
#define CRYPT_STRING_HEX 0x00000004
#define CRYPT_STRING_HEXASCII 0x00000005
#define CRYPT_STRING_BASE64_ANY 0x00000006
#define CRYPT_STRING_ANY 0x00000007
#define CRYPT_STRING_HEX_ANY 0x00000008
#define CRYPT_STRING_BASE64X509CRLHEADER 0x00000009
#define CRYPT_STRING_HEXADDR 0x0000000a
#define CRYPT_STRING_HEXASCIIADDR 0x0000000b
#define CRYPT_STRING_NOCR 0x80000000
// CryptBinaryToString uses the following flags
// CRYPT_STRING_BASE64HEADER - base64 format with certificate begin
// and end headers
// CRYPT_STRING_BASE64 - only base64 without headers
// CRYPT_STRING_BINARY - pure binary copy
// CRYPT_STRING_BASE64REQUESTHEADER - base64 format with request begin
// and end headers
// CRYPT_STRING_BASE64X509CRLHEADER - base64 format with x509 crl begin
// and end headers
// CRYPT_STRING_HEX - only hex format
// CRYPT_STRING_HEXASCII - hex format with ascii char display
// CRYPT_STRING_HEXADDR - hex format with address display
// CRYPT_STRING_HEXASCIIADDR - hex format with ascii char and address display
//
// CryptBinaryToString accepts CRYPT_STRING_NOCR or'd into one of the above.
// When set, line breaks contain only LF, instead of CR-LF pairs.
// CryptStringToBinary uses the following flags
// CRYPT_STRING_BASE64_ANY tries the following, in order:
// CRYPT_STRING_BASE64HEADER
// CRYPT_STRING_BASE64
// CRYPT_STRING_ANY tries the following, in order:
// CRYPT_STRING_BASE64_ANY
// CRYPT_STRING_BINARY -- should always succeed
// CRYPT_STRING_HEX_ANY tries the following, in order:
// CRYPT_STRING_HEXADDR
// CRYPT_STRING_HEXASCIIADDR
// CRYPT_STRING_HEXASCII
// CRYPT_STRING_HEX
//+=========================================================================
// PFX (PKCS #12) function defintions and types
//==========================================================================
//+-------------------------------------------------------------------------
// PFXImportCertStore
//
// Import the PFX blob and return a store containing certificates
//
// If the password parameter is incorrect or any other problems decoding
// the PFX blob are encountered, the function will return NULL and the
// error code can be found from GetLastError().
//
// The dwFlags parameter may be set to the following:
// CRYPT_EXPORTABLE - specify that any imported keys should be marked as
// exportable (see documentation on CryptImportKey)
// CRYPT_USER_PROTECTED - (see documentation on CryptImportKey)
// CRYPT_MACHINE_KEYSET - used to force the private key to be stored in the
// the local machine and not the current user.
// CRYPT_USER_KEYSET - used to force the private key to be stored in the
// the current user and not the local machine, even if
// the pfx blob specifies that it should go into local
// machine.
//--------------------------------------------------------------------------
WINCRYPT32API
HCERTSTORE
WINAPI
PFXImportCertStore(
IN CRYPT_DATA_BLOB* pPFX,
IN LPCWSTR szPassword,
IN DWORD dwFlags);
// dwFlags definitions for PFXImportCertStore
//#define CRYPT_EXPORTABLE 0x00000001 // CryptImportKey dwFlags
//#define CRYPT_USER_PROTECTED 0x00000002 // CryptImportKey dwFlags
//#define CRYPT_MACHINE_KEYSET 0x00000020 // CryptAcquireContext dwFlags
#define CRYPT_USER_KEYSET 0x00001000
#define PKCS12_IMPORT_RESERVED_MASK 0xffff0000
//+-------------------------------------------------------------------------
// PFXIsPFXBlob
//
// This function will try to decode the outer layer of the blob as a pfx
// blob, and if that works it will return TRUE, it will return FALSE otherwise
//
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
PFXIsPFXBlob(
IN CRYPT_DATA_BLOB* pPFX);
//+-------------------------------------------------------------------------
// PFXVerifyPassword
//
// This function will attempt to decode the outer layer of the blob as a pfx
// blob and decrypt with the given password. No data from the blob will be
// imported.
//
// Return value is TRUE if password appears correct, FALSE otherwise.
//
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
PFXVerifyPassword(
IN CRYPT_DATA_BLOB* pPFX,
IN LPCWSTR szPassword,
IN DWORD dwFlags);
//+-------------------------------------------------------------------------
// PFXExportCertStoreEx
//
// Export the certificates and private keys referenced in the passed-in store
//
// This API encodes the blob under a stronger algorithm. The resulting
// PKCS12 blobs are incompatible with the earlier PFXExportCertStore API.
//
// The value passed in the password parameter will be used to encrypt and
// verify the integrity of the PFX packet. If any problems encoding the store
// are encountered, the function will return FALSE and the error code can
// be found from GetLastError().
//
// The dwFlags parameter may be set to any combination of
// EXPORT_PRIVATE_KEYS
// REPORT_NO_PRIVATE_KEY
// REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY
//
// The encoded PFX blob is returned in *pPFX. If pPFX->pbData is NULL upon
// input, this is a length only calculation, whereby, pPFX->cbData is updated
// with the number of bytes required for the encoded blob. Otherwise,
// the memory pointed to by pPFX->pbData is updated with the encoded bytes
// and pPFX->cbData is updated with the encoded byte length.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
PFXExportCertStoreEx(
IN HCERTSTORE hStore,
IN OUT CRYPT_DATA_BLOB* pPFX,
IN LPCWSTR szPassword,
IN void* pvReserved,
IN DWORD dwFlags);
// dwFlags definitions for PFXExportCertStoreEx
#define REPORT_NO_PRIVATE_KEY 0x0001
#define REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY 0x0002
#define EXPORT_PRIVATE_KEYS 0x0004
#define PKCS12_EXPORT_RESERVED_MASK 0xffff0000
//+-------------------------------------------------------------------------
// PFXExportCertStore
//
// Export the certificates and private keys referenced in the passed-in store
//
// This is an old API kept for compatibility with IE4 clients. New applications
// should call the above PfxExportCertStoreEx for enhanced security.
//--------------------------------------------------------------------------
WINCRYPT32API
BOOL
WINAPI
PFXExportCertStore(
IN HCERTSTORE hStore,
IN OUT CRYPT_DATA_BLOB* pPFX,
IN LPCWSTR szPassword,
IN DWORD dwFlags);
#ifdef __cplusplus
} // Balance extern "C" above
#endif
#if defined (_MSC_VER)
#if ( _MSC_VER >= 800 )
#if _MSC_VER >= 1200
#pragma warning(pop)
#else
#pragma warning(default:4201)
#endif
#endif
#endif
#endif // __WINCRYPT_H__