WinCrypt.h
上传用户:dzyhzl
上传日期:2019-04-29
资源大小:56270k
文件大小:634k
- // cbSize must be set to the sizeof(CRYPT_SIGN_MESSAGE_PARA) or else
- // LastError will be updated with E_INVALIDARG.
- //
- // pvHashAuxInfo currently isn't used and must be set to NULL.
- //
- // dwFlags normally is set to 0. However, if the encoded output
- // is to be a CMSG_SIGNED inner content of an outer cryptographic message,
- // such as a CMSG_ENVELOPED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
- // should be set. If not set, then it would be encoded as an inner content
- // type of CMSG_DATA.
- //
- // dwInnerContentType is normally set to 0. It needs to be set if the
- // ToBeSigned input is the encoded output of another cryptographic
- // message, such as, an CMSG_ENVELOPED. When set, it's one of the cryptographic
- // message types, for example, CMSG_ENVELOPED.
- //
- // If the inner content of a nested cryptographic message is data (CMSG_DATA
- // the default), then, neither dwFlags or dwInnerContentType need to be set.
- //
- // For CMS messages, CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG may be
- // set to encapsulate nonData inner content within an OCTET STRING.
- //
- // For CMS messages, CRYPT_MESSAGE_KEYID_SIGNER_FLAG may be set to identify
- // signers by their Key Identifier and not their Issuer and Serial Number.
- //
- // The CRYPT_MESSAGE_SILENT_KEYSET_FLAG can be set to suppress any UI by the
- // CSP. See CryptAcquireContext's CRYPT_SILENT flag for more details.
- //
- // If HashEncryptionAlgorithm is present and not NULL its used instead of
- // the SigningCert's PublicKeyInfo.Algorithm.
- //
- // Note, for RSA, the hash encryption algorithm is normally the same as
- // the public key algorithm. For DSA, the hash encryption algorithm is
- // normally a DSS signature algorithm.
- //
- // pvHashEncryptionAuxInfo currently isn't used and must be set to NULL if
- // present in the data structure.
- //--------------------------------------------------------------------------
- typedef struct _CRYPT_SIGN_MESSAGE_PARA {
- DWORD cbSize;
- DWORD dwMsgEncodingType;
- PCCERT_CONTEXT pSigningCert;
- CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
- void *pvHashAuxInfo;
- DWORD cMsgCert;
- PCCERT_CONTEXT *rgpMsgCert;
- DWORD cMsgCrl;
- PCCRL_CONTEXT *rgpMsgCrl;
- DWORD cAuthAttr;
- PCRYPT_ATTRIBUTE rgAuthAttr;
- DWORD cUnauthAttr;
- PCRYPT_ATTRIBUTE rgUnauthAttr;
- DWORD dwFlags;
- DWORD dwInnerContentType;
- #ifdef CRYPT_SIGN_MESSAGE_PARA_HAS_CMS_FIELDS
- CRYPT_ALGORITHM_IDENTIFIER HashEncryptionAlgorithm;
- void *pvHashEncryptionAuxInfo;
- #endif
- } CRYPT_SIGN_MESSAGE_PARA, *PCRYPT_SIGN_MESSAGE_PARA;
- #define CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG 0x00000001
- // When set, nonData type inner content is encapsulated within an
- // OCTET STRING
- #define CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG 0x00000002
- // When set, signers are identified by their Key Identifier and not
- // their Issuer and Serial Number.
- #define CRYPT_MESSAGE_KEYID_SIGNER_FLAG 0x00000004
- // When set, suppresses any UI by the CSP.
- // See CryptAcquireContext's CRYPT_SILENT flag for more details.
- #define CRYPT_MESSAGE_SILENT_KEYSET_FLAG 0x00000040
- //+-------------------------------------------------------------------------
- // The CRYPT_VERIFY_MESSAGE_PARA are used to verify signed messages.
- //
- // hCryptProv is used to do hashing and signature verification.
- //
- // The dwCertEncodingType specifies the encoding type of the certificates
- // and/or CRLs in the message.
- //
- // pfnGetSignerCertificate is called to get and verify the message signer's
- // certificate.
- //
- // cbSize must be set to the sizeof(CRYPT_VERIFY_MESSAGE_PARA) or else
- // LastError will be updated with E_INVALIDARG.
- //--------------------------------------------------------------------------
- typedef struct _CRYPT_VERIFY_MESSAGE_PARA {
- DWORD cbSize;
- DWORD dwMsgAndCertEncodingType;
- HCRYPTPROV hCryptProv;
- PFN_CRYPT_GET_SIGNER_CERTIFICATE pfnGetSignerCertificate;
- void *pvGetArg;
- } CRYPT_VERIFY_MESSAGE_PARA, *PCRYPT_VERIFY_MESSAGE_PARA;
- //+-------------------------------------------------------------------------
- // The CRYPT_ENCRYPT_MESSAGE_PARA are used for encrypting messages.
- //
- // hCryptProv is used to do content encryption, recipient key
- // encryption, and recipient key export. Its private key
- // isn't used.
- //
- // Currently, pvEncryptionAuxInfo is only defined for RC2 or RC4 encryption
- // algorithms. Otherwise, its not used and must be set to NULL.
- // See CMSG_RC2_AUX_INFO for the RC2 encryption algorithms.
- // See CMSG_RC4_AUX_INFO for the RC4 encryption algorithms.
- //
- // To enable SP3 compatible encryption, pvEncryptionAuxInfo should point to
- // a CMSG_SP3_COMPATIBLE_AUX_INFO data structure.
- //
- // cbSize must be set to the sizeof(CRYPT_ENCRYPT_MESSAGE_PARA) or else
- // LastError will be updated with E_INVALIDARG.
- //
- // dwFlags normally is set to 0. However, if the encoded output
- // is to be a CMSG_ENVELOPED inner content of an outer cryptographic message,
- // such as a CMSG_SIGNED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
- // should be set. If not set, then it would be encoded as an inner content
- // type of CMSG_DATA.
- //
- // dwInnerContentType is normally set to 0. It needs to be set if the
- // ToBeEncrypted input is the encoded output of another cryptographic
- // message, such as, an CMSG_SIGNED. When set, it's one of the cryptographic
- // message types, for example, CMSG_SIGNED.
- //
- // If the inner content of a nested cryptographic message is data (CMSG_DATA
- // the default), then, neither dwFlags or dwInnerContentType need to be set.
- //
- // For CMS messages, CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG may be
- // set to encapsulate nonData inner content within an OCTET STRING before
- // encrypting.
- //
- // For CMS messages, CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG may be set to identify
- // recipients by their Key Identifier and not their Issuer and Serial Number.
- //--------------------------------------------------------------------------
- typedef struct _CRYPT_ENCRYPT_MESSAGE_PARA {
- DWORD cbSize;
- DWORD dwMsgEncodingType;
- HCRYPTPROV hCryptProv;
- CRYPT_ALGORITHM_IDENTIFIER ContentEncryptionAlgorithm;
- void *pvEncryptionAuxInfo;
- DWORD dwFlags;
- DWORD dwInnerContentType;
- } CRYPT_ENCRYPT_MESSAGE_PARA, *PCRYPT_ENCRYPT_MESSAGE_PARA;
- // When set, recipients are identified by their Key Identifier and not
- // their Issuer and Serial Number.
- #define CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG 0x4
- //+-------------------------------------------------------------------------
- // The CRYPT_DECRYPT_MESSAGE_PARA are used for decrypting messages.
- //
- // The CertContext to use for decrypting a message is obtained from one
- // of the specified cert stores. An encrypted message can have one or
- // more recipients. The recipients are identified by their CertId (Issuer
- // and SerialNumber). The cert stores are searched to find the CertContext
- // corresponding to the CertId.
- //
- // For CMS, the recipients may also be identified by their KeyId.
- // CMS also allows Key Agreement (Diffie Hellman) in addition to
- // Key Transport (RSA) recipients.
- //
- // Only CertContexts in the store with either
- // the CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID set
- // can be used. Either property specifies the private exchange key to use.
- //
- // cbSize must be set to the sizeof(CRYPT_DECRYPT_MESSAGE_PARA) or else
- // LastError will be updated with E_INVALIDARG.
- //--------------------------------------------------------------------------
- typedef struct _CRYPT_DECRYPT_MESSAGE_PARA {
- DWORD cbSize;
- DWORD dwMsgAndCertEncodingType;
- DWORD cCertStore;
- HCERTSTORE *rghCertStore;
- #ifdef CRYPT_DECRYPT_MESSAGE_PARA_HAS_EXTRA_FIELDS
- // The above defined, CRYPT_MESSAGE_SILENT_KEYSET_FLAG, can be set to
- // suppress UI by the CSP. See CryptAcquireContext's CRYPT_SILENT
- // flag for more details.
- DWORD dwFlags;
- #endif
- } CRYPT_DECRYPT_MESSAGE_PARA, *PCRYPT_DECRYPT_MESSAGE_PARA;
- //+-------------------------------------------------------------------------
- // The CRYPT_HASH_MESSAGE_PARA are used for hashing or unhashing
- // messages.
- //
- // hCryptProv is used to compute the hash.
- //
- // pvHashAuxInfo currently isn't used and must be set to NULL.
- //
- // cbSize must be set to the sizeof(CRYPT_HASH_MESSAGE_PARA) or else
- // LastError will be updated with E_INVALIDARG.
- //--------------------------------------------------------------------------
- typedef struct _CRYPT_HASH_MESSAGE_PARA {
- DWORD cbSize;
- DWORD dwMsgEncodingType;
- HCRYPTPROV hCryptProv;
- CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
- void *pvHashAuxInfo;
- } CRYPT_HASH_MESSAGE_PARA, *PCRYPT_HASH_MESSAGE_PARA;
- //+-------------------------------------------------------------------------
- // The CRYPT_KEY_SIGN_MESSAGE_PARA are used for signing messages until a
- // certificate has been created for the signature key.
- //
- // pvHashAuxInfo currently isn't used and must be set to NULL.
- //
- // If PubKeyAlgorithm isn't set, defaults to szOID_RSA_RSA.
- //
- // cbSize must be set to the sizeof(CRYPT_KEY_SIGN_MESSAGE_PARA) or else
- // LastError will be updated with E_INVALIDARG.
- //--------------------------------------------------------------------------
- typedef struct _CRYPT_KEY_SIGN_MESSAGE_PARA {
- DWORD cbSize;
- DWORD dwMsgAndCertEncodingType;
- HCRYPTPROV hCryptProv;
- DWORD dwKeySpec;
- CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
- void *pvHashAuxInfo;
- CRYPT_ALGORITHM_IDENTIFIER PubKeyAlgorithm;
- } CRYPT_KEY_SIGN_MESSAGE_PARA, *PCRYPT_KEY_SIGN_MESSAGE_PARA;
- //+-------------------------------------------------------------------------
- // The CRYPT_KEY_VERIFY_MESSAGE_PARA are used to verify signed messages without
- // a certificate for the signer.
- //
- // Normally used until a certificate has been created for the key.
- //
- // hCryptProv is used to do hashing and signature verification.
- //
- // cbSize must be set to the sizeof(CRYPT_KEY_VERIFY_MESSAGE_PARA) or else
- // LastError will be updated with E_INVALIDARG.
- //--------------------------------------------------------------------------
- typedef struct _CRYPT_KEY_VERIFY_MESSAGE_PARA {
- DWORD cbSize;
- DWORD dwMsgEncodingType;
- HCRYPTPROV hCryptProv;
- } CRYPT_KEY_VERIFY_MESSAGE_PARA, *PCRYPT_KEY_VERIFY_MESSAGE_PARA;
- //+-------------------------------------------------------------------------
- // Sign the message.
- //
- // If fDetachedSignature is TRUE, the "to be signed" content isn't included
- // in the encoded signed blob.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptSignMessage(
- IN PCRYPT_SIGN_MESSAGE_PARA pSignPara,
- IN BOOL fDetachedSignature,
- IN DWORD cToBeSigned,
- IN const BYTE *rgpbToBeSigned[],
- IN DWORD rgcbToBeSigned[],
- OUT BYTE *pbSignedBlob,
- IN OUT DWORD *pcbSignedBlob
- );
- //+-------------------------------------------------------------------------
- // Verify a signed message.
- //
- // If pbDecoded == NULL, then, *pcbDecoded is implicitly set to 0 on input.
- // For *pcbDecoded == 0 && ppSignerCert == NULL on input, the signer isn't
- // verified.
- //
- // A message might have more than one signer. Set dwSignerIndex to iterate
- // through all the signers. dwSignerIndex == 0 selects the first signer.
- //
- // pVerifyPara's pfnGetSignerCertificate is called to get the signer's
- // certificate.
- //
- // For a verified signer and message, *ppSignerCert is updated
- // with the CertContext of the signer. It must be freed by calling
- // CertFreeCertificateContext. Otherwise, *ppSignerCert is set to NULL.
- //
- // ppSignerCert can be NULL, indicating the caller isn't interested
- // in getting the CertContext of the signer.
- //
- // pcbDecoded can be NULL, indicating the caller isn't interested in getting
- // the decoded content. Furthermore, if the message doesn't contain any
- // content or signers, then, pcbDecoded must be set to NULL, to allow the
- // pVerifyPara->pfnGetCertificate to be called. Normally, this would be
- // the case when the signed message contains only certficates and CRLs.
- // If pcbDecoded is NULL and the message doesn't have the indicated signer,
- // pfnGetCertificate is called with pSignerId set to NULL.
- //
- // If the message doesn't contain any signers || dwSignerIndex > message's
- // SignerCount, then, an error is returned with LastError set to
- // CRYPT_E_NO_SIGNER. Also, for CRYPT_E_NO_SIGNER, pfnGetSignerCertificate
- // is still called with pSignerId set to NULL.
- //
- // Note, an alternative way to get the certificates and CRLs from a
- // signed message is to call CryptGetMessageCertificates.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptVerifyMessageSignature(
- IN PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara,
- IN DWORD dwSignerIndex,
- IN const BYTE *pbSignedBlob,
- IN DWORD cbSignedBlob,
- OUT BYTE OPTIONAL *pbDecoded,
- IN OUT OPTIONAL DWORD *pcbDecoded,
- OUT OPTIONAL PCCERT_CONTEXT *ppSignerCert
- );
- //+-------------------------------------------------------------------------
- // Returns the count of signers in the signed message. For no signers, returns
- // 0. For an error returns -1 with LastError updated accordingly.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- LONG
- WINAPI
- CryptGetMessageSignerCount(
- IN DWORD dwMsgEncodingType,
- IN const BYTE *pbSignedBlob,
- IN DWORD cbSignedBlob
- );
- //+-------------------------------------------------------------------------
- // Returns the cert store containing the message's certs and CRLs.
- // For an error, returns NULL with LastError updated.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- HCERTSTORE
- WINAPI
- CryptGetMessageCertificates(
- IN DWORD dwMsgAndCertEncodingType,
- IN HCRYPTPROV hCryptProv, // passed to CertOpenStore
- IN DWORD dwFlags, // passed to CertOpenStore
- IN const BYTE *pbSignedBlob,
- IN DWORD cbSignedBlob
- );
- //+-------------------------------------------------------------------------
- // Verify a signed message containing detached signature(s).
- // The "to be signed" content is passed in separately. No
- // decoded output. Otherwise, identical to CryptVerifyMessageSignature.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptVerifyDetachedMessageSignature(
- IN PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara,
- IN DWORD dwSignerIndex,
- IN const BYTE *pbDetachedSignBlob,
- IN DWORD cbDetachedSignBlob,
- IN DWORD cToBeSigned,
- IN const BYTE *rgpbToBeSigned[],
- IN DWORD rgcbToBeSigned[],
- OUT OPTIONAL PCCERT_CONTEXT *ppSignerCert
- );
- //+-------------------------------------------------------------------------
- // Encrypts the message for the recipient(s).
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptEncryptMessage(
- IN PCRYPT_ENCRYPT_MESSAGE_PARA pEncryptPara,
- IN DWORD cRecipientCert,
- IN PCCERT_CONTEXT rgpRecipientCert[],
- IN const BYTE *pbToBeEncrypted,
- IN DWORD cbToBeEncrypted,
- OUT BYTE *pbEncryptedBlob,
- IN OUT DWORD *pcbEncryptedBlob
- );
- //+-------------------------------------------------------------------------
- // Decrypts the message.
- //
- // If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
- // For *pcbDecrypted == 0 && ppXchgCert == NULL on input, the message isn't
- // decrypted.
- //
- // For a successfully decrypted message, *ppXchgCert is updated
- // with the CertContext used to decrypt. It must be freed by calling
- // CertStoreFreeCert. Otherwise, *ppXchgCert is set to NULL.
- //
- // ppXchgCert can be NULL, indicating the caller isn't interested
- // in getting the CertContext used to decrypt.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptDecryptMessage(
- IN PCRYPT_DECRYPT_MESSAGE_PARA pDecryptPara,
- IN const BYTE *pbEncryptedBlob,
- IN DWORD cbEncryptedBlob,
- OUT OPTIONAL BYTE *pbDecrypted,
- IN OUT OPTIONAL DWORD *pcbDecrypted,
- OUT OPTIONAL PCCERT_CONTEXT *ppXchgCert
- );
- //+-------------------------------------------------------------------------
- // Sign the message and encrypt for the recipient(s). Does a CryptSignMessage
- // followed with a CryptEncryptMessage.
- //
- // Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. Its a CMSG_SIGNED
- // inside of an CMSG_ENVELOPED.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptSignAndEncryptMessage(
- IN PCRYPT_SIGN_MESSAGE_PARA pSignPara,
- IN PCRYPT_ENCRYPT_MESSAGE_PARA pEncryptPara,
- IN DWORD cRecipientCert,
- IN PCCERT_CONTEXT rgpRecipientCert[],
- IN const BYTE *pbToBeSignedAndEncrypted,
- IN DWORD cbToBeSignedAndEncrypted,
- OUT BYTE *pbSignedAndEncryptedBlob,
- IN OUT DWORD *pcbSignedAndEncryptedBlob
- );
- //+-------------------------------------------------------------------------
- // Decrypts the message and verifies the signer. Does a CryptDecryptMessage
- // followed with a CryptVerifyMessageSignature.
- //
- // If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
- // For *pcbDecrypted == 0 && ppSignerCert == NULL on input, the signer isn't
- // verified.
- //
- // A message might have more than one signer. Set dwSignerIndex to iterate
- // through all the signers. dwSignerIndex == 0 selects the first signer.
- //
- // The pVerifyPara's VerifySignerPolicy is called to verify the signer's
- // certificate.
- //
- // For a successfully decrypted and verified message, *ppXchgCert and
- // *ppSignerCert are updated. They must be freed by calling
- // CertStoreFreeCert. Otherwise, they are set to NULL.
- //
- // ppXchgCert and/or ppSignerCert can be NULL, indicating the
- // caller isn't interested in getting the CertContext.
- //
- // Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. Its a CMSG_SIGNED
- // inside of an CMSG_ENVELOPED.
- //
- // The message always needs to be decrypted to allow access to the
- // signed message. Therefore, if ppXchgCert != NULL, its always updated.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptDecryptAndVerifyMessageSignature(
- IN PCRYPT_DECRYPT_MESSAGE_PARA pDecryptPara,
- IN PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara,
- IN DWORD dwSignerIndex,
- IN const BYTE *pbEncryptedBlob,
- IN DWORD cbEncryptedBlob,
- OUT OPTIONAL BYTE *pbDecrypted,
- IN OUT OPTIONAL DWORD *pcbDecrypted,
- OUT OPTIONAL PCCERT_CONTEXT *ppXchgCert,
- OUT OPTIONAL PCCERT_CONTEXT *ppSignerCert
- );
- //+-------------------------------------------------------------------------
- // Decodes a cryptographic message which may be one of the following types:
- // CMSG_DATA
- // CMSG_SIGNED
- // CMSG_ENVELOPED
- // CMSG_SIGNED_AND_ENVELOPED
- // CMSG_HASHED
- //
- // dwMsgTypeFlags specifies the set of allowable messages. For example, to
- // decode either SIGNED or ENVELOPED messages, set dwMsgTypeFlags to:
- // CMSG_SIGNED_FLAG | CMSG_ENVELOPED_FLAG.
- //
- // dwProvInnerContentType is only applicable when processing nested
- // crytographic messages. When processing an outer crytographic message
- // it must be set to 0. When decoding a nested cryptographic message
- // its the dwInnerContentType returned by a previous CryptDecodeMessage
- // of the outer message. The InnerContentType can be any of the CMSG types,
- // for example, CMSG_DATA, CMSG_SIGNED, ...
- //
- // The optional *pdwMsgType is updated with the type of message.
- //
- // The optional *pdwInnerContentType is updated with the type of the inner
- // message. Unless there is cryptographic message nesting, CMSG_DATA
- // is returned.
- //
- // For CMSG_DATA: returns decoded content.
- // For CMSG_SIGNED: same as CryptVerifyMessageSignature.
- // For CMSG_ENVELOPED: same as CryptDecryptMessage.
- // For CMSG_SIGNED_AND_ENVELOPED: same as CryptDecryptMessage plus
- // CryptVerifyMessageSignature.
- // For CMSG_HASHED: verifies the hash and returns decoded content.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptDecodeMessage(
- IN DWORD dwMsgTypeFlags,
- IN PCRYPT_DECRYPT_MESSAGE_PARA pDecryptPara,
- IN PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara,
- IN DWORD dwSignerIndex,
- IN const BYTE *pbEncodedBlob,
- IN DWORD cbEncodedBlob,
- IN DWORD dwPrevInnerContentType,
- OUT OPTIONAL DWORD *pdwMsgType,
- OUT OPTIONAL DWORD *pdwInnerContentType,
- OUT OPTIONAL BYTE *pbDecoded,
- IN OUT OPTIONAL DWORD *pcbDecoded,
- OUT OPTIONAL PCCERT_CONTEXT *ppXchgCert,
- OUT OPTIONAL PCCERT_CONTEXT *ppSignerCert
- );
- //+-------------------------------------------------------------------------
- // Hash the message.
- //
- // If fDetachedHash is TRUE, only the ComputedHash is encoded in the
- // pbHashedBlob. Otherwise, both the ToBeHashed and ComputedHash
- // are encoded.
- //
- // pcbHashedBlob or pcbComputedHash can be NULL, indicating the caller
- // isn't interested in getting the output.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptHashMessage(
- IN PCRYPT_HASH_MESSAGE_PARA pHashPara,
- IN BOOL fDetachedHash,
- IN DWORD cToBeHashed,
- IN const BYTE *rgpbToBeHashed[],
- IN DWORD rgcbToBeHashed[],
- OUT OPTIONAL BYTE *pbHashedBlob,
- IN OUT OPTIONAL DWORD *pcbHashedBlob,
- OUT OPTIONAL BYTE *pbComputedHash,
- IN OUT OPTIONAL DWORD *pcbComputedHash
- );
- //+-------------------------------------------------------------------------
- // Verify a hashed message.
- //
- // pcbToBeHashed or pcbComputedHash can be NULL,
- // indicating the caller isn't interested in getting the output.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptVerifyMessageHash(
- IN PCRYPT_HASH_MESSAGE_PARA pHashPara,
- IN BYTE *pbHashedBlob,
- IN DWORD cbHashedBlob,
- OUT OPTIONAL BYTE *pbToBeHashed,
- IN OUT OPTIONAL DWORD *pcbToBeHashed,
- OUT OPTIONAL BYTE *pbComputedHash,
- IN OUT OPTIONAL DWORD *pcbComputedHash
- );
- //+-------------------------------------------------------------------------
- // Verify a hashed message containing a detached hash.
- // The "to be hashed" content is passed in separately. No
- // decoded output. Otherwise, identical to CryptVerifyMessageHash.
- //
- // pcbComputedHash can be NULL, indicating the caller isn't interested
- // in getting the output.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptVerifyDetachedMessageHash(
- IN PCRYPT_HASH_MESSAGE_PARA pHashPara,
- IN BYTE *pbDetachedHashBlob,
- IN DWORD cbDetachedHashBlob,
- IN DWORD cToBeHashed,
- IN const BYTE *rgpbToBeHashed[],
- IN DWORD rgcbToBeHashed[],
- OUT OPTIONAL BYTE *pbComputedHash,
- IN OUT OPTIONAL DWORD *pcbComputedHash
- );
- //+-------------------------------------------------------------------------
- // Sign the message using the provider's private key specified in the
- // parameters. A dummy SignerId is created and stored in the message.
- //
- // Normally used until a certificate has been created for the key.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptSignMessageWithKey(
- IN PCRYPT_KEY_SIGN_MESSAGE_PARA pSignPara,
- IN const BYTE *pbToBeSigned,
- IN DWORD cbToBeSigned,
- OUT BYTE *pbSignedBlob,
- IN OUT DWORD *pcbSignedBlob
- );
- //+-------------------------------------------------------------------------
- // Verify a signed message using the specified public key info.
- //
- // Normally called by a CA until it has created a certificate for the
- // key.
- //
- // pPublicKeyInfo contains the public key to use to verify the signed
- // message. If NULL, the signature isn't verified (for instance, the decoded
- // content may contain the PublicKeyInfo).
- //
- // pcbDecoded can be NULL, indicating the caller isn't interested
- // in getting the decoded content.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptVerifyMessageSignatureWithKey(
- IN PCRYPT_KEY_VERIFY_MESSAGE_PARA pVerifyPara,
- IN OPTIONAL PCERT_PUBLIC_KEY_INFO pPublicKeyInfo,
- IN const BYTE *pbSignedBlob,
- IN DWORD cbSignedBlob,
- OUT OPTIONAL BYTE *pbDecoded,
- IN OUT OPTIONAL DWORD *pcbDecoded
- );
- //+=========================================================================
- // System Certificate Store Data Structures and APIs
- //==========================================================================
- //+-------------------------------------------------------------------------
- // Get a system certificate store based on a subsystem protocol.
- //
- // Current examples of subsystems protocols are:
- // "MY" Cert Store hold certs with associated Private Keys
- // "CA" Certifying Authority certs
- // "ROOT" Root Certs
- // "SPC" Software publisher certs
- //
- //
- // If hProv is NULL the default provider "1" is opened for you.
- // When the store is closed the provider is release. Otherwise
- // if hProv is not NULL, no provider is created or released.
- //
- // The returned Cert Store can be searched for an appropriate Cert
- // using the Cert Store API's (see certstor.h)
- //
- // When done, the cert store should be closed using CertStoreClose
- //--------------------------------------------------------------------------
- WINCRYPT32API
- HCERTSTORE
- WINAPI
- CertOpenSystemStoreA(
- HCRYPTPROV hProv,
- LPCSTR szSubsystemProtocol
- );
- WINCRYPT32API
- HCERTSTORE
- WINAPI
- CertOpenSystemStoreW(
- HCRYPTPROV hProv,
- LPCWSTR szSubsystemProtocol
- );
- #ifdef UNICODE
- #define CertOpenSystemStore CertOpenSystemStoreW
- #else
- #define CertOpenSystemStore CertOpenSystemStoreA
- #endif // !UNICODE
- WINCRYPT32API
- BOOL
- WINAPI
- CertAddEncodedCertificateToSystemStoreA(
- LPCSTR szCertStoreName,
- const BYTE * pbCertEncoded,
- DWORD cbCertEncoded
- );
- WINCRYPT32API
- BOOL
- WINAPI
- CertAddEncodedCertificateToSystemStoreW(
- LPCWSTR szCertStoreName,
- const BYTE * pbCertEncoded,
- DWORD cbCertEncoded
- );
- #ifdef UNICODE
- #define CertAddEncodedCertificateToSystemStore CertAddEncodedCertificateToSystemStoreW
- #else
- #define CertAddEncodedCertificateToSystemStore CertAddEncodedCertificateToSystemStoreA
- #endif // !UNICODE
- //+-------------------------------------------------------------------------
- // Find all certificate chains tying the given issuer name to any certificate
- // that the current user has a private key for.
- //
- // If no certificate chain is found, FALSE is returned with LastError set
- // to CRYPT_E_NOT_FOUND and the counts zeroed.
- //
- // IE 3.0 ASSUMPTION:
- // The client certificates are in the "My" system store. The issuer
- // cerificates may be in the "Root", "CA" or "My" system stores.
- //--------------------------------------------------------------------------
- typedef struct _CERT_CHAIN {
- DWORD cCerts; // number of certs in chain
- PCERT_BLOB certs; // pointer to array of cert chain blobs
- // representing the certs
- CRYPT_KEY_PROV_INFO keyLocatorInfo; // key locator for cert
- } CERT_CHAIN, *PCERT_CHAIN;
- // WINCRYPT32API This is not exported by crypt32, it is exported by softpub
- HRESULT
- WINAPI
- FindCertsByIssuer(
- OUT PCERT_CHAIN pCertChains,
- IN OUT DWORD *pcbCertChains,
- OUT DWORD *pcCertChains, // count of certificates chains returned
- IN BYTE* pbEncodedIssuerName, // DER encoded issuer name
- IN DWORD cbEncodedIssuerName, // count in bytes of encoded issuer name
- IN LPCWSTR pwszPurpose, // "ClientAuth" or "CodeSigning"
- IN DWORD dwKeySpec // only return signers supporting this
- // keyspec
- );
- //-------------------------------------------------------------------------
- //
- // CryptQueryObject takes a CERT_BLOB or a file name and returns the
- // information about the content in the blob or in the file.
- //
- // Parameters:
- // INPUT dwObjectType:
- // Indicate the type of the object. Should be one of the
- // following:
- // CERT_QUERY_OBJECT_FILE
- // CERT_QUERY_OBJECT_BLOB
- //
- // INPUT pvObject:
- // If dwObjectType == CERT_QUERY_OBJECT_FILE, it is a
- // LPWSTR, that is, the pointer to a wchar file name
- // if dwObjectType == CERT_QUERY_OBJECT_BLOB, it is a
- // PCERT_BLOB, that is, a pointer to a CERT_BLOB
- //
- // INPUT dwExpectedContentTypeFlags:
- // Indicate the expected contenet type.
- // Can be one of the following:
- // CERT_QUERY_CONTENT_FLAG_ALL (the content can be any type)
- // CERT_QUERY_CONTENT_FLAG_CERT
- // CERT_QUERY_CONTENT_FLAG_CTL
- // CERT_QUERY_CONTENT_FLAG_CRL
- // CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE
- // CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT
- // CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL
- // CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL
- // CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED
- // CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED
- // CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED
- // CERT_QUERY_CONTENT_FLAG_PKCS10
- // CERT_QUERY_CONTENT_FLAG_PFX
- // CERT_QUERY_CONTENT_FLAG_CERT_PAIR
- //
- // INPUT dwExpectedFormatTypeFlags:
- // Indicate the expected format type.
- // Can be one of the following:
- // CERT_QUERY_FORMAT_FLAG_ALL (the content can be any format)
- // CERT_QUERY_FORMAT_FLAG_BINARY
- // CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED
- // CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED
- //
- //
- // INPUT dwFlags
- // Reserved flag. Should always set to 0
- //
- // OUTPUT pdwMsgAndCertEncodingType
- // Optional output. If NULL != pdwMsgAndCertEncodingType,
- // it contains the encoding type of the content as any
- // combination of the following:
- // X509_ASN_ENCODING
- // PKCS_7_ASN_ENCODING
- //
- // OUTPUT pdwContentType
- // Optional output. If NULL!=pdwContentType, it contains
- // the content type as one of the the following:
- // CERT_QUERY_CONTENT_CERT
- // CERT_QUERY_CONTENT_CTL
- // CERT_QUERY_CONTENT_CRL
- // CERT_QUERY_CONTENT_SERIALIZED_STORE
- // CERT_QUERY_CONTENT_SERIALIZED_CERT
- // CERT_QUERY_CONTENT_SERIALIZED_CTL
- // CERT_QUERY_CONTENT_SERIALIZED_CRL
- // CERT_QUERY_CONTENT_PKCS7_SIGNED
- // CERT_QUERY_CONTENT_PKCS7_UNSIGNED
- // CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
- // CERT_QUERY_CONTENT_PKCS10
- // CERT_QUERY_CONTENT_PFX
- // CERT_QUERY_CONTENT_CERT_PAIR
- //
- // OUTPUT pdwFormatType
- // Optional output. If NULL !=pdwFormatType, it
- // contains the format type of the content as one of the
- // following:
- // CERT_QUERY_FORMAT_BINARY
- // CERT_QUERY_FORMAT_BASE64_ENCODED
- // CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED
- //
- //
- // OUTPUT phCertStore
- // Optional output. If NULL !=phStore,
- // it contains a cert store that includes all of certificates,
- // CRL, and CTL in the object if the object content type is
- // one of the following:
- // CERT_QUERY_CONTENT_CERT
- // CERT_QUERY_CONTENT_CTL
- // CERT_QUERY_CONTENT_CRL
- // CERT_QUERY_CONTENT_SERIALIZED_STORE
- // CERT_QUERY_CONTENT_SERIALIZED_CERT
- // CERT_QUERY_CONTENT_SERIALIZED_CTL
- // CERT_QUERY_CONTENT_SERIALIZED_CRL
- // CERT_QUERY_CONTENT_PKCS7_SIGNED
- // CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
- // CERT_QUERY_CONTENT_CERT_PAIR
- //
- // Caller should free *phCertStore via CertCloseStore.
- //
- //
- // OUTPUT phMsg Optional output. If NULL != phMsg,
- // it contains a handle to a opened message if
- // the content type is one of the following:
- // CERT_QUERY_CONTENT_PKCS7_SIGNED
- // CERT_QUERY_CONTENT_PKCS7_UNSIGNED
- // CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
- //
- // Caller should free *phMsg via CryptMsgClose.
- //
- // OUTPUT pContext Optional output. If NULL != pContext,
- // it contains either a PCCERT_CONTEXT or PCCRL_CONTEXT,
- // or PCCTL_CONTEXT based on the content type.
- //
- // If the content type is CERT_QUERY_CONTENT_CERT or
- // CERT_QUERY_CONTENT_SERIALIZED_CERT, it is a PCCERT_CONTEXT;
- // Caller should free the pContext via CertFreeCertificateContext.
- //
- // If the content type is CERT_QUERY_CONTENT_CRL or
- // CERT_QUERY_CONTENT_SERIALIZED_CRL, it is a PCCRL_CONTEXT;
- // Caller should free the pContext via CertFreeCRLContext.
- //
- // If the content type is CERT_QUERY_CONTENT_CTL or
- // CERT_QUERY_CONTENT_SERIALIZED_CTL, it is a PCCTL_CONTEXT;
- // Caller should free the pContext via CertFreeCTLContext.
- //
- // If the *pbObject is of type CERT_QUERY_CONTENT_PKCS10 or CERT_QUERY_CONTENT_PFX, CryptQueryObject
- // will not return anything in *phCertstore, *phMsg, or *ppvContext.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptQueryObject(
- DWORD dwObjectType,
- const void *pvObject,
- DWORD dwExpectedContentTypeFlags,
- DWORD dwExpectedFormatTypeFlags,
- DWORD dwFlags,
- DWORD *pdwMsgAndCertEncodingType,
- DWORD *pdwContentType,
- DWORD *pdwFormatType,
- HCERTSTORE *phCertStore,
- HCRYPTMSG *phMsg,
- const void **ppvContext
- );
- //-------------------------------------------------------------------------
- //dwObjectType for CryptQueryObject
- //-------------------------------------------------------------------------
- #define CERT_QUERY_OBJECT_FILE 0x00000001
- #define CERT_QUERY_OBJECT_BLOB 0x00000002
- //-------------------------------------------------------------------------
- //dwContentType for CryptQueryObject
- //-------------------------------------------------------------------------
- //encoded single certificate
- #define CERT_QUERY_CONTENT_CERT 1
- //encoded single CTL
- #define CERT_QUERY_CONTENT_CTL 2
- //encoded single CRL
- #define CERT_QUERY_CONTENT_CRL 3
- //serialized store
- #define CERT_QUERY_CONTENT_SERIALIZED_STORE 4
- //serialized single certificate
- #define CERT_QUERY_CONTENT_SERIALIZED_CERT 5
- //serialized single CTL
- #define CERT_QUERY_CONTENT_SERIALIZED_CTL 6
- //serialized single CRL
- #define CERT_QUERY_CONTENT_SERIALIZED_CRL 7
- //a PKCS#7 signed message
- #define CERT_QUERY_CONTENT_PKCS7_SIGNED 8
- //a PKCS#7 message, such as enveloped message. But it is not a signed message,
- #define CERT_QUERY_CONTENT_PKCS7_UNSIGNED 9
- //a PKCS7 signed message embedded in a file
- #define CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED 10
- //an encoded PKCS#10
- #define CERT_QUERY_CONTENT_PKCS10 11
- //an encoded PKX BLOB
- #define CERT_QUERY_CONTENT_PFX 12
- //an encoded CertificatePair (contains forward and/or reverse cross certs)
- #define CERT_QUERY_CONTENT_CERT_PAIR 13
- //-------------------------------------------------------------------------
- //dwExpectedConentTypeFlags for CryptQueryObject
- //-------------------------------------------------------------------------
- //encoded single certificate
- #define CERT_QUERY_CONTENT_FLAG_CERT
- ( 1 << CERT_QUERY_CONTENT_CERT)
- //encoded single CTL
- #define CERT_QUERY_CONTENT_FLAG_CTL
- ( 1 << CERT_QUERY_CONTENT_CTL)
- //encoded single CRL
- #define CERT_QUERY_CONTENT_FLAG_CRL
- ( 1 << CERT_QUERY_CONTENT_CRL)
- //serialized store
- #define CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE
- ( 1 << CERT_QUERY_CONTENT_SERIALIZED_STORE)
- //serialized single certificate
- #define CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT
- ( 1 << CERT_QUERY_CONTENT_SERIALIZED_CERT)
- //serialized single CTL
- #define CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL
- ( 1 << CERT_QUERY_CONTENT_SERIALIZED_CTL)
- //serialized single CRL
- #define CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL
- ( 1 << CERT_QUERY_CONTENT_SERIALIZED_CRL)
- //an encoded PKCS#7 signed message
- #define CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED
- ( 1 << CERT_QUERY_CONTENT_PKCS7_SIGNED)
- //an encoded PKCS#7 message. But it is not a signed message
- #define CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED
- ( 1 << CERT_QUERY_CONTENT_PKCS7_UNSIGNED)
- //the content includes an embedded PKCS7 signed message
- #define CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED
- ( 1 << CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED)
- //an encoded PKCS#10
- #define CERT_QUERY_CONTENT_FLAG_PKCS10
- ( 1 << CERT_QUERY_CONTENT_PKCS10)
- //an encoded PFX BLOB
- #define CERT_QUERY_CONTENT_FLAG_PFX
- ( 1 << CERT_QUERY_CONTENT_PFX)
- //an encoded CertificatePair (contains forward and/or reverse cross certs)
- #define CERT_QUERY_CONTENT_FLAG_CERT_PAIR
- ( 1 << CERT_QUERY_CONTENT_CERT_PAIR)
- //content can be any type
- #define CERT_QUERY_CONTENT_FLAG_ALL
- CERT_QUERY_CONTENT_FLAG_CERT |
- CERT_QUERY_CONTENT_FLAG_CTL |
- CERT_QUERY_CONTENT_FLAG_CRL |
- CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE |
- CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT |
- CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL |
- CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL |
- CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED |
- CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED |
- CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED |
- CERT_QUERY_CONTENT_FLAG_PKCS10 |
- CERT_QUERY_CONTENT_FLAG_PFX |
- CERT_QUERY_CONTENT_FLAG_CERT_PAIR
- //-------------------------------------------------------------------------
- //dwFormatType for CryptQueryObject
- //-------------------------------------------------------------------------
- //the content is in binary format
- #define CERT_QUERY_FORMAT_BINARY 1
- //the content is base64 encoded
- #define CERT_QUERY_FORMAT_BASE64_ENCODED 2
- //the content is ascii hex encoded with "{ASN}" prefix
- #define CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED 3
- //-------------------------------------------------------------------------
- //dwExpectedFormatTypeFlags for CryptQueryObject
- //-------------------------------------------------------------------------
- //the content is in binary format
- #define CERT_QUERY_FORMAT_FLAG_BINARY
- ( 1 << CERT_QUERY_FORMAT_BINARY)
- //the content is base64 encoded
- #define CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED
- ( 1 << CERT_QUERY_FORMAT_BASE64_ENCODED)
- //the content is ascii hex encoded with "{ASN}" prefix
- #define CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED
- ( 1 << CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED)
- //the content can be of any format
- #define CERT_QUERY_FORMAT_FLAG_ALL
- CERT_QUERY_FORMAT_FLAG_BINARY |
- CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED |
- CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED
- //
- // Crypt32 Memory Management Routines. All Crypt32 API which return allocated
- // buffers will do so via CryptMemAlloc, CryptMemRealloc. Clients can free
- // those buffers using CryptMemFree. Also included is CryptMemSize
- //
- WINCRYPT32API
- LPVOID
- WINAPI
- CryptMemAlloc (
- IN ULONG cbSize
- );
- WINCRYPT32API
- LPVOID
- WINAPI
- CryptMemRealloc (
- IN LPVOID pv,
- IN ULONG cbSize
- );
- WINCRYPT32API
- VOID
- WINAPI
- CryptMemFree (
- IN LPVOID pv
- );
- //
- // Crypt32 Asynchronous Parameter Management Routines. All Crypt32 API which
- // expose asynchronous mode operation use a Crypt32 Async Handle to pass
- // around information about the operation e.g. callback routines. The
- // following API are used for manipulation of the async handle
- //
- typedef HANDLE HCRYPTASYNC, *PHCRYPTASYNC;
- typedef VOID (WINAPI *PFN_CRYPT_ASYNC_PARAM_FREE_FUNC) (
- LPSTR pszParamOid,
- LPVOID pvParam
- );
- WINCRYPT32API
- BOOL
- WINAPI
- CryptCreateAsyncHandle (
- IN DWORD dwFlags,
- OUT PHCRYPTASYNC phAsync
- );
- WINCRYPT32API
- BOOL
- WINAPI
- CryptSetAsyncParam (
- IN HCRYPTASYNC hAsync,
- IN LPSTR pszParamOid,
- IN LPVOID pvParam,
- IN OPTIONAL PFN_CRYPT_ASYNC_PARAM_FREE_FUNC pfnFree
- );
- WINCRYPT32API
- BOOL
- WINAPI
- CryptGetAsyncParam (
- IN HCRYPTASYNC hAsync,
- IN LPSTR pszParamOid,
- OUT LPVOID* ppvParam,
- OUT OPTIONAL PFN_CRYPT_ASYNC_PARAM_FREE_FUNC* ppfnFree
- );
- WINCRYPT32API
- BOOL
- WINAPI
- CryptCloseAsyncHandle (
- IN HCRYPTASYNC hAsync
- );
- //
- // Crypt32 Remote Object Retrieval Routines. This API allows retrieval of
- // remote PKI objects where the location is given by an URL. The remote
- // object retrieval manager exposes two provider models. One is the "Scheme
- // Provider" model which allows for installable protocol providers as defined
- // by the URL scheme e.g. ldap, http, ftp. The scheme provider entry point is
- // the same as the CryptRetrieveObjectByUrl however the *ppvObject returned
- // is ALWAYS a counted array of encoded bits (one per object retrieved). The
- // second provider model is the "Context Provider" model which allows for
- // installable creators of CAPI2 context handles (objects) based on the
- // retrieved encoded bits. These are dispatched based on the object OID given
- // in the call to CryptRetrieveObjectByUrl.
- //
- typedef struct _CRYPT_BLOB_ARRAY {
- DWORD cBlob;
- PCRYPT_DATA_BLOB rgBlob;
- } CRYPT_BLOB_ARRAY, *PCRYPT_BLOB_ARRAY;
- typedef struct _CRYPT_CREDENTIALS {
- DWORD cbSize;
- LPCSTR pszCredentialsOid;
- LPVOID pvCredentials;
- } CRYPT_CREDENTIALS, *PCRYPT_CREDENTIALS;
- #define CREDENTIAL_OID_PASSWORD_CREDENTIALS_A ((LPCSTR)1)
- #define CREDENTIAL_OID_PASSWORD_CREDENTIALS_W ((LPCSTR)2)
- #ifdef UNICODE
- #define CREDENTIAL_OID_PASSWORD_CREDENTIALS CREDENTIAL_OID_PASSWORD_CREDENTIALS_W
- #else
- #define CREDENTIAL_OID_PASSWORD_CREDENTIALS CREDENTIAL_OID_PASSWORD_CREDENTIALS_A
- #endif //UNICODE
- typedef struct _CRYPT_PASSWORD_CREDENTIALSA {
- DWORD cbSize;
- LPSTR pszUsername;
- LPSTR pszPassword;
- } CRYPT_PASSWORD_CREDENTIALSA, *PCRYPT_PASSWORD_CREDENTIALSA;
- typedef struct _CRYPT_PASSWORD_CREDENTIALSW {
- DWORD cbSize;
- LPWSTR pszUsername;
- LPWSTR pszPassword;
- } CRYPT_PASSWORD_CREDENTIALSW, *PCRYPT_PASSWORD_CREDENTIALSW;
- #ifdef UNICODE
- typedef CRYPT_PASSWORD_CREDENTIALSW CRYPT_PASSWORD_CREDENTIALS;
- typedef PCRYPT_PASSWORD_CREDENTIALSW PCRYPT_PASSWORD_CREDENTIALS;
- #else
- typedef CRYPT_PASSWORD_CREDENTIALSA CRYPT_PASSWORD_CREDENTIALS;
- typedef PCRYPT_PASSWORD_CREDENTIALSA PCRYPT_PASSWORD_CREDENTIALS;
- #endif // UNICODE
- //
- // Scheme Provider Signatures
- //
- #define SCHEME_OID_RETRIEVE_ENCODED_OBJECT_FUNC "SchemeDllRetrieveEncodedObject"
- typedef VOID (WINAPI *PFN_FREE_ENCODED_OBJECT_FUNC) (
- LPCSTR pszObjectOid,
- PCRYPT_BLOB_ARRAY pObject,
- LPVOID pvFreeContext
- );
- //
- // SchemeDllRetrieveEncodedObject has the following signature:
- //
- // BOOL WINAPI SchemeDllRetrieveEncodedObject (
- // IN LPCSTR pszUrl,
- // IN LPCSTR pszObjectOid,
- // IN DWORD dwRetrievalFlags,
- // IN DWORD dwTimeout, // milliseconds
- // OUT PCRYPT_BLOB_ARRAY pObject,
- // OUT PFN_FREE_ENCODED_OBJECT_FUNC* ppfnFreeObject,
- // OUT LPVOID* ppvFreeContext,
- // IN HCRYPTASYNC hAsyncRetrieve,
- // IN PCRYPT_CREDENTIALS pCredentials,
- // IN PCRYPT_RETRIEVE_AUX_INFO pAuxInfo
- // )
- //
- //
- // Context Provider Signatures
- //
- #define CONTEXT_OID_CREATE_OBJECT_CONTEXT_FUNC "ContextDllCreateObjectContext"
- #define CONTEXT_OID_CERTIFICATE ((LPCSTR)1)
- #define CONTEXT_OID_CRL ((LPCSTR)2)
- #define CONTEXT_OID_CTL ((LPCSTR)3)
- #define CONTEXT_OID_PKCS7 ((LPCSTR)4)
- #define CONTEXT_OID_CAPI2_ANY ((LPCSTR)5)
- //
- // ContextDllCreateObjectContext has the following signature:
- //
- // BOOL WINAPI ContextDllCreateObjectContext (
- // IN LPCSTR pszObjectOid,
- // IN DWORD dwRetrievalFlags,
- // IN PCRYPT_BLOB_ARRAY pObject,
- // OUT LPVOID* ppvContext
- // )
- //
- //
- // Remote Object Retrieval API
- //
- //
- // Retrieval flags
- //
- #define CRYPT_RETRIEVE_MULTIPLE_OBJECTS 0x00000001
- #define CRYPT_CACHE_ONLY_RETRIEVAL 0x00000002
- #define CRYPT_WIRE_ONLY_RETRIEVAL 0x00000004
- #define CRYPT_DONT_CACHE_RESULT 0x00000008
- #define CRYPT_ASYNC_RETRIEVAL 0x00000010
- #define CRYPT_STICKY_CACHE_RETRIEVAL 0x00001000
- #define CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL 0x00002000
- #define CRYPT_OFFLINE_CHECK_RETRIEVAL 0x00004000
- // When the following flag is set, the following 2 NULL terminated ascii
- // strings are inserted at the beginning of each returned blob:
- // "%d %s ", dwEntryIndex, pszAttribute
- //
- // The first dwEntryIndex is 0, "0 ".
- //
- // When set, pszObjectOid must be NULL, so that a PCRYPT_BLOB_ARRAY is returned.
- #define CRYPT_LDAP_INSERT_ENTRY_ATTRIBUTE 0x00008000
- // Set this flag to digitally sign all of the ldap traffic to and from a
- // Windows 2000 LDAP server using the Kerberos authentication protocol.
- // This feature provides integrity required by some applications.
- #define CRYPT_LDAP_SIGN_RETRIEVAL 0x00010000
- // Set this flag to inhibit automatic authentication handling. See the
- // wininet flag, INTERNET_FLAG_NO_AUTH, for more details.
- #define CRYPT_NO_AUTH_RETRIEVAL 0x00020000
- // Performs an A-Record only DNS lookup on the supplied host string.
- // This prevents bogus DNS queries from being generated when resolving host
- // names. Use this flag whenever passing a hostname as opposed to a
- // domain name for the hostname parameter.
- //
- // See LDAP_OPT_AREC_EXCLUSIVE defined in winldap.h for more details.
- #define CRYPT_LDAP_AREC_EXCLUSIVE_RETRIEVAL 0x00040000
- //
- // Data verification retrieval flags
- //
- // CRYPT_VERIFY_CONTEXT_SIGNATURE is used to get signature verification
- // on the context created. In this case pszObjectOid must be non-NULL and
- // pvVerify points to the signer certificate context
- //
- // CRYPT_VERIFY_DATA_HASH is used to get verification of the blob data
- // retrieved by the protocol. The pvVerify points to an URL_DATA_HASH
- // structure (TBD)
- //
- #define CRYPT_VERIFY_CONTEXT_SIGNATURE 0x00000020
- #define CRYPT_VERIFY_DATA_HASH 0x00000040
- //
- // Time Valid Object flags
- //
- #define CRYPT_KEEP_TIME_VALID 0x00000080
- #define CRYPT_DONT_VERIFY_SIGNATURE 0x00000100
- #define CRYPT_DONT_CHECK_TIME_VALIDITY 0x00000200
- // The default checks if ftNextUpdate >= ftValidFor. Set this flag to
- // check if ftThisUpdate >= ftValidFor.
- #define CRYPT_CHECK_FRESHNESS_TIME_VALIDITY 0x00000400
- #define CRYPT_ACCUMULATIVE_TIMEOUT 0x00000800
- typedef struct _CRYPT_RETRIEVE_AUX_INFO {
- DWORD cbSize;
- FILETIME *pLastSyncTime;
- } CRYPT_RETRIEVE_AUX_INFO, *PCRYPT_RETRIEVE_AUX_INFO;
- WINCRYPT32API
- BOOL
- WINAPI
- CryptRetrieveObjectByUrlA (
- IN LPCSTR pszUrl,
- IN LPCSTR pszObjectOid,
- IN DWORD dwRetrievalFlags,
- IN DWORD dwTimeout, // milliseconds
- OUT LPVOID* ppvObject,
- IN HCRYPTASYNC hAsyncRetrieve,
- IN OPTIONAL PCRYPT_CREDENTIALS pCredentials,
- IN OPTIONAL LPVOID pvVerify,
- IN OPTIONAL PCRYPT_RETRIEVE_AUX_INFO pAuxInfo
- );
- WINCRYPT32API
- BOOL
- WINAPI
- CryptRetrieveObjectByUrlW (
- IN LPCWSTR pszUrl,
- IN LPCSTR pszObjectOid,
- IN DWORD dwRetrievalFlags,
- IN DWORD dwTimeout, // milliseconds
- OUT LPVOID* ppvObject,
- IN HCRYPTASYNC hAsyncRetrieve,
- IN OPTIONAL PCRYPT_CREDENTIALS pCredentials,
- IN OPTIONAL LPVOID pvVerify,
- IN OPTIONAL PCRYPT_RETRIEVE_AUX_INFO pAuxInfo
- );
- #ifdef UNICODE
- #define CryptRetrieveObjectByUrl CryptRetrieveObjectByUrlW
- #else
- #define CryptRetrieveObjectByUrl CryptRetrieveObjectByUrlA
- #endif // !UNICODE
- //
- // Call back function to cancel object retrieval
- //
- // The function can be installed on a per thread basis.
- // If CryptInstallCancelRetrieval is called for multiple times, only the most recent
- // installation will be kept.
- //
- // This is only effective for http, https, gopher, and ftp protocol.
- // It is ignored by the rest of the protocols.
- typedef BOOL (WINAPI *PFN_CRYPT_CANCEL_RETRIEVAL)(
- IN DWORD dwFlags,
- IN void *pvArg
- );
- //
- // PFN_CRYPT_CANCEL_RETRIEVAL
- //
- // This function should return FALSE when the object retrieval should be continued
- // and return TRUE when the object retrieval should be cancelled.
- //
- WINCRYPT32API
- BOOL
- WINAPI
- CryptInstallCancelRetrieval(
- IN PFN_CRYPT_CANCEL_RETRIEVAL pfnCancel,
- IN const void *pvArg,
- IN DWORD dwFlags,
- IN void *pvReserved
- );
- WINCRYPT32API
- BOOL
- WINAPI
- CryptUninstallCancelRetrieval(
- IN DWORD dwFlags,
- IN void *pvReserved
- );
- WINCRYPT32API
- BOOL
- WINAPI
- CryptCancelAsyncRetrieval (
- HCRYPTASYNC hAsyncRetrieval
- );
- //
- // Remote Object Async Retrieval parameters
- //
- //
- // A client that wants to be notified of asynchronous object retrieval
- // completion sets this parameter on the async handle
- //
- #define CRYPT_PARAM_ASYNC_RETRIEVAL_COMPLETION ((LPCSTR)1)
- typedef VOID (WINAPI *PFN_CRYPT_ASYNC_RETRIEVAL_COMPLETION_FUNC) (
- IN LPVOID pvCompletion,
- IN DWORD dwCompletionCode,
- IN LPCSTR pszUrl,
- IN LPSTR pszObjectOid,
- IN LPVOID pvObject
- );
- typedef struct _CRYPT_ASYNC_RETRIEVAL_COMPLETION {
- PFN_CRYPT_ASYNC_RETRIEVAL_COMPLETION_FUNC pfnCompletion;
- LPVOID pvCompletion;
- } CRYPT_ASYNC_RETRIEVAL_COMPLETION, *PCRYPT_ASYNC_RETRIEVAL_COMPLETION;
- //
- // This function is set on the async handle by a scheme provider that
- // supports asynchronous retrieval
- //
- #define CRYPT_PARAM_CANCEL_ASYNC_RETRIEVAL ((LPCSTR)2)
- typedef BOOL (WINAPI *PFN_CANCEL_ASYNC_RETRIEVAL_FUNC) (
- HCRYPTASYNC hAsyncRetrieve
- );
- //
- // Get the locator for a CAPI object
- //
- #define CRYPT_GET_URL_FROM_PROPERTY 0x00000001
- #define CRYPT_GET_URL_FROM_EXTENSION 0x00000002
- #define CRYPT_GET_URL_FROM_UNAUTH_ATTRIBUTE 0x00000004
- #define CRYPT_GET_URL_FROM_AUTH_ATTRIBUTE 0x00000008
- typedef struct _CRYPT_URL_ARRAY {
- DWORD cUrl;
- LPWSTR* rgwszUrl;
- } CRYPT_URL_ARRAY, *PCRYPT_URL_ARRAY;
- typedef struct _CRYPT_URL_INFO {
- DWORD cbSize;
- // Seconds between syncs
- DWORD dwSyncDeltaTime;
- // Returned URLs may be grouped. For instance, groups of cross cert
- // distribution points. Each distribution point may have multiple
- // URLs, (LDAP and HTTP scheme).
- DWORD cGroup;
- DWORD *rgcGroupEntry;
- } CRYPT_URL_INFO, *PCRYPT_URL_INFO;
- WINCRYPT32API
- BOOL
- WINAPI
- CryptGetObjectUrl (
- IN LPCSTR pszUrlOid,
- IN LPVOID pvPara,
- IN DWORD dwFlags,
- OUT OPTIONAL PCRYPT_URL_ARRAY pUrlArray,
- IN OUT DWORD* pcbUrlArray,
- OUT OPTIONAL PCRYPT_URL_INFO pUrlInfo,
- IN OUT OPTIONAL DWORD* pcbUrlInfo,
- IN OPTIONAL LPVOID pvReserved
- );
- #define URL_OID_GET_OBJECT_URL_FUNC "UrlDllGetObjectUrl"
- //
- // UrlDllGetObjectUrl has the same signature as CryptGetObjectUrl
- //
- //
- // URL_OID_CERTIFICATE_ISSUER
- //
- // pvPara == PCCERT_CONTEXT, certificate whose issuer's URL is being requested
- //
- // This will be retrieved from the authority info access extension or property
- // on the certificate
- //
- // URL_OID_CERTIFICATE_CRL_DIST_POINT
- //
- // pvPara == PCCERT_CONTEXT, certificate whose CRL distribution point is being
- // requested
- //
- // This will be retrieved from the CRL distribution point extension or property
- // on the certificate
- //
- // URL_OID_CTL_ISSUER
- //
- // pvPara == PCCTL_CONTEXT, Signer Index, CTL whose issuer's URL (identified
- // by the signer index) is being requested
- //
- // This will be retrieved from an authority info access attribute method encoded
- // in each signer info in the PKCS7 (CTL)
- //
- // URL_OID_CTL_NEXT_UPDATE
- //
- // pvPara == PCCTL_CONTEXT, Signer Index, CTL whose next update URL is being
- // requested and an optional signer index in case we need to check signer
- // info attributes
- //
- // This will be retrieved from an authority info access CTL extension, property,
- // or signer info attribute method
- //
- // URL_OID_CRL_ISSUER
- //
- // pvPara == PCCRL_CONTEXT, CRL whose issuer's URL is being requested
- //
- // This will be retrieved from a property on the CRL which has been inherited
- // from the subject cert (either from the subject cert issuer or the subject
- // cert distribution point extension). It will be encoded as an authority
- // info access extension method.
- //
- // URL_OID_CERTIFICATE_FRESHEST_CRL
- //
- // pvPara == PCCERT_CONTEXT, certificate whose freshest CRL distribution point
- // is being requested
- //
- // This will be retrieved from the freshest CRL extension or property
- // on the certificate
- //
- // URL_OID_CRL_FRESHEST_CRL
- //
- // pvPara == PCCERT_CRL_CONTEXT_PAIR, certificate's base CRL whose
- // freshest CRL distribution point is being requested
- //
- // This will be retrieved from the freshest CRL extension or property
- // on the CRL
- //
- // URL_OID_CROSS_CERT_DIST_POINT
- //
- // pvPara == PCCERT_CONTEXT, certificate whose cross certificate distribution
- // point is being requested
- //
- // This will be retrieved from the cross certificate distribution point
- // extension or property on the certificate
- //
- #define URL_OID_CERTIFICATE_ISSUER ((LPCSTR)1)
- #define URL_OID_CERTIFICATE_CRL_DIST_POINT ((LPCSTR)2)
- #define URL_OID_CTL_ISSUER ((LPCSTR)3)
- #define URL_OID_CTL_NEXT_UPDATE ((LPCSTR)4)
- #define URL_OID_CRL_ISSUER ((LPCSTR)5)
- #define URL_OID_CERTIFICATE_FRESHEST_CRL ((LPCSTR)6)
- #define URL_OID_CRL_FRESHEST_CRL ((LPCSTR)7)
- #define URL_OID_CROSS_CERT_DIST_POINT ((LPCSTR)8)
- typedef struct _CERT_CRL_CONTEXT_PAIR {
- PCCERT_CONTEXT pCertContext;
- PCCRL_CONTEXT pCrlContext;
- } CERT_CRL_CONTEXT_PAIR, *PCERT_CRL_CONTEXT_PAIR;
- typedef const CERT_CRL_CONTEXT_PAIR *PCCERT_CRL_CONTEXT_PAIR;
- //
- // Get a time valid CAPI2 object
- //
- WINCRYPT32API
- BOOL
- WINAPI
- CryptGetTimeValidObject (
- IN LPCSTR pszTimeValidOid,
- IN LPVOID pvPara,
- IN PCCERT_CONTEXT pIssuer,
- IN OPTIONAL LPFILETIME pftValidFor,
- IN DWORD dwFlags,
- IN DWORD dwTimeout, // milliseconds
- OUT OPTIONAL LPVOID* ppvObject,
- IN OPTIONAL PCRYPT_CREDENTIALS pCredentials,
- IN OPTIONAL LPVOID pvReserved
- );
- #define TIME_VALID_OID_GET_OBJECT_FUNC "TimeValidDllGetObject"
- //
- // TimeValidDllGetObject has the same signature as CryptGetTimeValidObject
- //
- //
- // TIME_VALID_OID_GET_CTL
- //
- // pvPara == PCCTL_CONTEXT, the current CTL
- //
- // TIME_VALID_OID_GET_CRL
- //
- // pvPara == PCCRL_CONTEXT, the current CRL
- //
- // TIME_VALID_OID_GET_CRL_FROM_CERT
- //
- // pvPara == PCCERT_CONTEXT, the subject cert
- //
- // TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CERT
- //
- // pvPara == PCCERT_CONTEXT, the subject cert
- //
- // TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CRL
- //
- // pvPara == PCCERT_CRL_CONTEXT_PAIR, the subject cert and its base CRL
- //
- #define TIME_VALID_OID_GET_CTL ((LPCSTR)1)
- #define TIME_VALID_OID_GET_CRL ((LPCSTR)2)
- #define TIME_VALID_OID_GET_CRL_FROM_CERT ((LPCSTR)3)
- #define TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CERT ((LPCSTR)4)
- #define TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CRL ((LPCSTR)5)
- WINCRYPT32API
- BOOL
- WINAPI
- CryptFlushTimeValidObject (
- IN LPCSTR pszFlushTimeValidOid,
- IN LPVOID pvPara,
- IN PCCERT_CONTEXT pIssuer,
- IN DWORD dwFlags,
- IN LPVOID pvReserved
- );
- #define TIME_VALID_OID_FLUSH_OBJECT_FUNC "TimeValidDllFlushObject"
- //
- // TimeValidDllFlushObject has the same signature as CryptFlushTimeValidObject
- //
- //
- // TIME_VALID_OID_FLUSH_CTL
- //
- // pvPara == PCCTL_CONTEXT, the CTL to flush
- //
- // TIME_VALID_OID_FLUSH_CRL
- //
- // pvPara == PCCRL_CONTEXT, the CRL to flush
- //
- // TIME_VALID_OID_FLUSH_CRL_FROM_CERT
- //
- // pvPara == PCCERT_CONTEXT, the subject cert's CRL to flush
- //
- // TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CERT
- //
- // pvPara == PCCERT_CONTEXT, the subject cert's freshest CRL to flush
- //
- // TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CRL
- //
- // pvPara == PCCERT_CRL_CONTEXT_PAIR, the subject cert and its base CRL's
- // freshest CRL to flush
- //
- #define TIME_VALID_OID_FLUSH_CTL ((LPCSTR)1)
- #define TIME_VALID_OID_FLUSH_CRL ((LPCSTR)2)
- #define TIME_VALID_OID_FLUSH_CRL_FROM_CERT ((LPCSTR)3)
- #define TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CERT ((LPCSTR)4)
- #define TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CRL ((LPCSTR)5)
- //-------------------------------------------------------------------------
- // Data Protection APIs
- //-------------------------------------------------------------------------
- //
- // Data protection APIs enable applications to easily secure data.
- //
- // The base provider provides protection based on the users' logon
- // credentials. The data secured with these APIs follow the same
- // roaming characteristics as HKCU -- if HKCU roams, the data
- // protected by the base provider may roam as well. This makes
- // the API ideal for the munging of data stored in the registry.
- //
- //
- // Prompt struct -- what to tell users about the access
- //
- typedef struct _CRYPTPROTECT_PROMPTSTRUCT
- {
- DWORD cbSize;
- DWORD dwPromptFlags;
- HWND hwndApp;
- LPCWSTR szPrompt;
- } CRYPTPROTECT_PROMPTSTRUCT, *PCRYPTPROTECT_PROMPTSTRUCT;
- //
- // base provider action
- //
- #define CRYPTPROTECT_DEFAULT_PROVIDER { 0xdf9d8cd0, 0x1501, 0x11d1, {0x8c, 0x7a, 0x00, 0xc0, 0x4f, 0xc2, 0x97, 0xeb} }
- //
- // CryptProtect PromptStruct dwPromtFlags
- //
- //
- // prompt on unprotect
- #define CRYPTPROTECT_PROMPT_ON_UNPROTECT 0x1 // 1<<0
- //
- // prompt on protect
- #define CRYPTPROTECT_PROMPT_ON_PROTECT 0x2 // 1<<1
- #define CRYPTPROTECT_PROMPT_RESERVED 0x04 // reserved, do not use.
- //
- // only allow strong variant UI protection (user supplied password currently).
- #define CRYPTPROTECT_PROMPT_STRONG 0x08 // 1<<3
- //
- // CryptProtectData and CryptUnprotectData dwFlags
- //
- // for remote-access situations where ui is not an option
- // if UI was specified on protect or unprotect operation, the call
- // will fail and GetLastError() will indicate ERROR_PASSWORD_RESTRICTION
- #define CRYPTPROTECT_UI_FORBIDDEN 0x1
- //
- // per machine protected data -- any user on machine where CryptProtectData
- // took place may CryptUnprotectData
- #define CRYPTPROTECT_LOCAL_MACHINE 0x4
- //
- // force credential synchronize during CryptProtectData()
- // Synchronize is only operation that occurs during this operation
- #define CRYPTPROTECT_CRED_SYNC 0x8
- //
- // Generate an Audit on protect and unprotect operations
- //
- #define CRYPTPROTECT_AUDIT 0x10
- //
- // Protect data with a non-recoverable key
- //
- #define CRYPTPROTECT_NO_RECOVERY 0x20
- //
- // Verify the protection of a protected blob
- //
- #define CRYPTPROTECT_VERIFY_PROTECTION 0x40
- //
- // Regenerate the local machine protection
- //
- #define CRYPTPROTECT_CRED_REGENERATE 0x80
- // flags reserved for system use
- #define CRYPTPROTECT_FIRST_RESERVED_FLAGVAL 0x0FFFFFFF
- #define CRYPTPROTECT_LAST_RESERVED_FLAGVAL 0xFFFFFFFF
- //
- // flags specific to base provider
- //
- WINCRYPT32API
- BOOL
- WINAPI
- CryptProtectData(
- IN DATA_BLOB* pDataIn,
- IN LPCWSTR szDataDescr,
- IN OPTIONAL DATA_BLOB* pOptionalEntropy,
- IN PVOID pvReserved,
- IN OPTIONAL CRYPTPROTECT_PROMPTSTRUCT* pPromptStruct,
- IN DWORD dwFlags,
- OUT DATA_BLOB* pDataOut // out encr blob
- );
- WINCRYPT32API
- BOOL
- WINAPI
- CryptUnprotectData(
- IN DATA_BLOB* pDataIn, // in encr blob
- OUT OPTIONAL LPWSTR* ppszDataDescr, // out
- IN OPTIONAL DATA_BLOB* pOptionalEntropy,
- IN PVOID pvReserved,
- IN OPTIONAL CRYPTPROTECT_PROMPTSTRUCT* pPromptStruct,
- IN DWORD dwFlags,
- OUT DATA_BLOB* pDataOut
- );
- //+=========================================================================
- // Helper functions to build certificates
- //==========================================================================
- //+-------------------------------------------------------------------------
- //
- // Builds a self-signed certificate and returns a PCCERT_CONTEXT representing
- // the certificate. A hProv must be specified to build the cert context.
- //
- // pSubjectIssuerBlob is the DN for the certifcate. If an alternate subject
- // name is desired it must be specified as an extension in the pExtensions
- // parameter. pSubjectIssuerBlob can NOT be NULL, so minimually an empty DN
- // must be specified.
- //
- // By default:
- // pKeyProvInfo - The CSP is queried for the KeyProvInfo parameters. Only the Provider,
- // Provider Type and Container is queried. Many CSPs don't support these
- // queries and will cause a failure. In such cases the pKeyProvInfo
- // must be specified (RSA BASE works fine).
- //
- // pSignatureAlgorithm - will default to SHA1RSA
- // pStartTime will default to the current time
- // pEndTime will default to 1 year
- // pEntensions will be empty.
- //
- // The returned PCCERT_CONTEXT will reference the private keys by setting the
- // CERT_KEY_PROV_INFO_PROP_ID. However, if this property is not desired specify the
- // CERT_CREATE_SELFSIGN_NO_KEY_INFO in dwFlags.
- //
- // If the cert being built is only a dummy placeholder cert for speed it may not
- // need to be signed. Signing of the cert is skipped if CERT_CREATE_SELFSIGN_NO_SIGN
- // is specified in dwFlags.
- //
- //--------------------------------------------------------------------------
- WINCRYPT32API
- PCCERT_CONTEXT
- WINAPI
- CertCreateSelfSignCertificate(
- IN HCRYPTPROV hProv,
- IN PCERT_NAME_BLOB pSubjectIssuerBlob,
- IN DWORD dwFlags,
- OPTIONAL PCRYPT_KEY_PROV_INFO pKeyProvInfo,
- OPTIONAL PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
- OPTIONAL PSYSTEMTIME pStartTime,
- OPTIONAL PSYSTEMTIME pEndTime,
- OPTIONAL PCERT_EXTENSIONS pExtensions
- );
- #define CERT_CREATE_SELFSIGN_NO_SIGN 1
- #define CERT_CREATE_SELFSIGN_NO_KEY_INFO 2
- //+=========================================================================
- // Key Identifier Property Data Structures and APIs
- //==========================================================================
- //+-------------------------------------------------------------------------
- // Get the property for the specified Key Identifier.
- //
- // The Key Identifier is the SHA1 hash of the encoded CERT_PUBLIC_KEY_INFO.
- // The Key Identifier for a certificate can be obtained by getting the
- // certificate's CERT_KEY_IDENTIFIER_PROP_ID. The
- // CryptCreateKeyIdentifierFromCSP API can be called to create the Key
- // Identifier from a CSP Public Key Blob.
- //
- // A Key Identifier can have the same properties as a certificate context.
- // CERT_KEY_PROV_INFO_PROP_ID is the property of most interest.
- // For CERT_KEY_PROV_INFO_PROP_ID, pvData points to a CRYPT_KEY_PROV_INFO
- // structure. Elements pointed to by fields in the pvData structure follow the
- // structure. Therefore, *pcbData will exceed the size of the structure.
- //
- // If CRYPT_KEYID_ALLOC_FLAG is set, then, *pvData is updated with a
- // pointer to allocated memory. LocalFree() must be called to free the
- // allocated memory.
- //
- // By default, searches the CurrentUser's list of Key Identifiers.
- // CRYPT_KEYID_MACHINE_FLAG can be set to search the LocalMachine's list
- // of Key Identifiers. When CRYPT_KEYID_MACHINE_FLAG is set, pwszComputerName
- // can also be set to specify the name of a remote computer to be searched
- // instead of the local machine.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptGetKeyIdentifierProperty(
- IN const CRYPT_HASH_BLOB *pKeyIdentifier,
- IN DWORD dwPropId,
- IN DWORD dwFlags,
- IN OPTIONAL LPCWSTR pwszComputerName,
- IN OPTIONAL void *pvReserved,
- OUT void *pvData,
- IN OUT DWORD *pcbData
- );
- // When the following flag is set, searches the LocalMachine instead of the
- // CurrentUser. This flag is applicable to all the KeyIdentifierProperty APIs.
- #define CRYPT_KEYID_MACHINE_FLAG 0x00000020
- // When the following flag is set, *pvData is updated with a pointer to
- // allocated memory. LocalFree() must be called to free the allocated memory.
- #define CRYPT_KEYID_ALLOC_FLAG 0x00008000
- //+-------------------------------------------------------------------------
- // Set the property for the specified Key Identifier.
- //
- // For CERT_KEY_PROV_INFO_PROP_ID pvData points to the
- // CRYPT_KEY_PROV_INFO data structure. For all other properties, pvData
- // points to a CRYPT_DATA_BLOB.
- //
- // Setting pvData == NULL, deletes the property.
- //
- // Set CRYPT_KEYID_MACHINE_FLAG to set the property for a LocalMachine
- // Key Identifier. Set pwszComputerName, to select a remote computer.
- //
- // If CRYPT_KEYID_DELETE_FLAG is set, the Key Identifier and all its
- // properties is deleted.
- //
- // If CRYPT_KEYID_SET_NEW_FLAG is set, the set fails if the property already
- // exists. For an existing property, FALSE is returned with LastError set to
- // CRYPT_E_EXISTS.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptSetKeyIdentifierProperty(
- IN const CRYPT_HASH_BLOB *pKeyIdentifier,
- IN DWORD dwPropId,
- IN DWORD dwFlags,
- IN OPTIONAL LPCWSTR pwszComputerName,
- IN OPTIONAL void *pvReserved,
- IN const void *pvData
- );
- // When the following flag is set, the Key Identifier and all its properties
- // are deleted.
- #define CRYPT_KEYID_DELETE_FLAG 0x00000010
- // When the following flag is set, the set fails if the property already
- // exists.
- #define CRYPT_KEYID_SET_NEW_FLAG 0x00002000
- //+-------------------------------------------------------------------------
- // For CERT_KEY_PROV_INFO_PROP_ID, rgppvData[] points to a
- // CRYPT_KEY_PROV_INFO.
- //
- // Return FALSE to stop the enumeration.
- //--------------------------------------------------------------------------
- typedef BOOL (WINAPI *PFN_CRYPT_ENUM_KEYID_PROP)(
- IN const CRYPT_HASH_BLOB *pKeyIdentifier,
- IN DWORD dwFlags,
- IN void *pvReserved,
- IN void *pvArg,
- IN DWORD cProp,
- IN DWORD *rgdwPropId,
- IN void **rgpvData,
- IN DWORD *rgcbData
- );
- //+-------------------------------------------------------------------------
- // Enumerate the Key Identifiers.
- //
- // If pKeyIdentifier is NULL, enumerates all Key Identifers. Otherwise,
- // calls the callback for the specified KeyIdentifier. If dwPropId is
- // 0, calls the callback with all the properties. Otherwise, only calls
- // the callback with the specified property (cProp = 1).
- // Furthermore, when dwPropId is specified, skips KeyIdentifiers not
- // having the property.
- //
- // Set CRYPT_KEYID_MACHINE_FLAG to enumerate the LocalMachine
- // Key Identifiers. Set pwszComputerName, to enumerate Key Identifiers on
- // a remote computer.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptEnumKeyIdentifierProperties(
- IN OPTIONAL const CRYPT_HASH_BLOB *pKeyIdentifier,
- IN DWORD dwPropId,
- IN DWORD dwFlags,
- IN OPTIONAL LPCWSTR pwszComputerName,
- IN OPTIONAL void *pvReserved,
- IN OPTIONAL void *pvArg,
- IN PFN_CRYPT_ENUM_KEYID_PROP pfnEnum
- );
- //+-------------------------------------------------------------------------
- // Create a KeyIdentifier from the CSP Public Key Blob.
- //
- // Converts the CSP PUBLICKEYSTRUC into a X.509 CERT_PUBLIC_KEY_INFO and
- // encodes. The encoded CERT_PUBLIC_KEY_INFO is SHA1 hashed to obtain
- // the Key Identifier.
- //
- // By default, the pPubKeyStruc->aiKeyAlg is used to find the appropriate
- // public key Object Identifier. pszPubKeyOID can be set to override
- // the default OID obtained from the aiKeyAlg.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CryptCreateKeyIdentifierFromCSP(
- IN DWORD dwCertEncodingType,
- IN OPTIONAL LPCSTR pszPubKeyOID,
- IN const PUBLICKEYSTRUC *pPubKeyStruc,
- IN DWORD cbPubKeyStruc,
- IN DWORD dwFlags,
- IN OPTIONAL void *pvReserved,
- OUT BYTE *pbHash,
- IN OUT DWORD *pcbHash
- );
- //+=========================================================================
- // Certificate Chaining Infrastructure
- //==========================================================================
- //
- // The chain engine defines the store namespace and cache partitioning for
- // the Certificate Chaining infrastructure. A default chain engine
- // is defined for the process which uses all default system stores e.g.
- // Root, CA, Trust, for chain building and caching. If an application
- // wishes to define its own store namespace or have its own partitioned
- // cache then it can create its own chain engine. It is advisable to create
- // a chain engine at application startup and use it throughout the lifetime
- // of the application in order to get optimal caching behavior
- //
- typedef HANDLE HCERTCHAINENGINE;
- #define HCCE_CURRENT_USER ((HCERTCHAINENGINE)NULL)
- #define HCCE_LOCAL_MACHINE ((HCERTCHAINENGINE)0x1)
- //
- // Create a certificate chain engine.
- //
- //
- // Configuration parameters for the certificate chain engine
- //
- // hRestrictedRoot - restrict the root store (must be a subset of "Root")
- //
- // hRestrictedTrust - restrict the store for CTLs
- //
- // hRestrictedOther - restrict the store for certs and CRLs
- //
- // cAdditionalStore, rghAdditionalStore - additional stores
- //
- // NOTE: The algorithm used to define the stores for the engine is as
- // follows:
- //
- // hRoot = hRestrictedRoot or System Store "Root"
- //
- // hTrust = hRestrictedTrust or hWorld (defined later)
- //
- // hOther = hRestrictedOther or (hRestrictedTrust == NULL) ? hWorld :
- // hRestrictedTrust + hWorld
- //
- // hWorld = hRoot + "CA" + "My" + "Trust" + rghAdditionalStore
- //
- // dwFlags - flags
- //
- // CERT_CHAIN_CACHE_END_CERT - information will be cached on
- // the end cert as well as the other
- // certs in the chain
- //
- // CERT_CHAIN_THREAD_STORE_SYNC - use separate thread for store syncs
- // and related cache updates
- //
- // CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL - don't hit the wire to get
- // URL based objects
- //
- // dwUrlRetrievalTimeout - timeout for wire based URL object retrievals
- // (milliseconds)
- //
- #define CERT_CHAIN_CACHE_END_CERT 0x00000001
- #define CERT_CHAIN_THREAD_STORE_SYNC 0x00000002
- #define CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL 0x00000004
- #define CERT_CHAIN_USE_LOCAL_MACHINE_STORE 0x00000008
- #define CERT_CHAIN_ENABLE_CACHE_AUTO_UPDATE 0x00000010
- #define CERT_CHAIN_ENABLE_SHARE_STORE 0x00000020
- typedef struct _CERT_CHAIN_ENGINE_CONFIG {
- DWORD cbSize;
- HCERTSTORE hRestrictedRoot;
- HCERTSTORE hRestrictedTrust;
- HCERTSTORE hRestrictedOther;
- DWORD cAdditionalStore;
- HCERTSTORE* rghAdditionalStore;
- DWORD dwFlags;
- DWORD dwUrlRetrievalTimeout; // milliseconds
- DWORD MaximumCachedCertificates;
- DWORD CycleDetectionModulus;
- } CERT_CHAIN_ENGINE_CONFIG, *PCERT_CHAIN_ENGINE_CONFIG;
- WINCRYPT32API
- BOOL
- WINAPI
- CertCreateCertificateChainEngine (
- IN PCERT_CHAIN_ENGINE_CONFIG pConfig,
- OUT HCERTCHAINENGINE* phChainEngine
- );
- //
- // Free a certificate trust engine
- //
- WINCRYPT32API
- VOID
- WINAPI
- CertFreeCertificateChainEngine (
- IN HCERTCHAINENGINE hChainEngine
- );
- //
- // Resync the certificate chain engine. This resync's the stores backing
- // the engine and updates the engine caches.
- //
- WINCRYPT32API
- BOOL
- WINAPI
- CertResyncCertificateChainEngine (
- IN HCERTCHAINENGINE hChainEngine
- );
- //
- // When an application requests a certificate chain, the data structure
- // returned is in the form of a CERT_CHAIN_CONTEXT. This contains
- // an array of CERT_SIMPLE_CHAIN where each simple chain goes from
- // an end cert to a self signed cert and the chain context connects simple
- // chains via trust lists. Each simple chain contains the chain of
- // certificates, summary trust information about the chain and trust information
- // about each certificate element in the chain.
- //
- //
- // Trust status bits
- //
- typedef struct _CERT_TRUST_STATUS {
- DWORD dwErrorStatus;
- DWORD dwInfoStatus;
- } CERT_TRUST_STATUS, *PCERT_TRUST_STATUS;
- //
- // The following are error status bits
- //
- // These can be applied to certificates and chains
- #define CERT_TRUST_NO_ERROR 0x00000000
- #define CERT_TRUST_IS_NOT_TIME_VALID 0x00000001
- #define CERT_TRUST_IS_NOT_TIME_NESTED 0x00000002
- #define CERT_TRUST_IS_REVOKED 0x00000004
- #define CERT_TRUST_IS_NOT_SIGNATURE_VALID 0x00000008
- #define CERT_TRUST_IS_NOT_VALID_FOR_USAGE 0x00000010
- #define CERT_TRUST_IS_UNTRUSTED_ROOT 0x00000020
- #define CERT_TRUST_REVOCATION_STATUS_UNKNOWN 0x00000040
- #define CERT_TRUST_IS_CYCLIC 0x00000080
- #define CERT_TRUST_INVALID_EXTENSION 0x00000100
- #define CERT_TRUST_INVALID_POLICY_CONSTRAINTS 0x00000200
- #define CERT_TRUST_INVALID_BASIC_CONSTRAINTS 0x00000400
- #define CERT_TRUST_INVALID_NAME_CONSTRAINTS 0x00000800
- #define CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT 0x00001000
- #define CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT 0x00002000
- #define CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT 0x00004000
- #define CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT 0x00008000
- #define CERT_TRUST_IS_OFFLINE_REVOCATION 0x01000000
- #define CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY 0x02000000
- // These can be applied to chains only
- #define CERT_TRUST_IS_PARTIAL_CHAIN 0x00010000
- #define CERT_TRUST_CTL_IS_NOT_TIME_VALID 0x00020000
- #define CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID 0x00040000
- #define CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE 0x00080000
- //
- // The following are info status bits
- //
- // These can be applied to certificates only
- #define CERT_TRUST_HAS_EXACT_MATCH_ISSUER 0x00000001
- #define CERT_TRUST_HAS_KEY_MATCH_ISSUER 0x00000002
- #define CERT_TRUST_HAS_NAME_MATCH_ISSUER 0x00000004
- #define CERT_TRUST_IS_SELF_SIGNED 0x00000008
- // These can be applied to certificates and chains
- #define CERT_TRUST_HAS_PREFERRED_ISSUER 0x00000100
- #define CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY 0x00000200
- #define CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS 0x00000400
- // These can be applied to chains only
- #define CERT_TRUST_IS_COMPLEX_CHAIN 0x00010000
- //
- // Each certificate context in a simple chain has a corresponding chain element
- // in the simple chain context
- //
- // dwErrorStatus has CERT_TRUST_IS_REVOKED, pRevocationInfo set
- // dwErrorStatus has CERT_TRUST_REVOCATION_STATUS_UNKNOWN, pRevocationInfo set
- //
- // Note that the post processing revocation supported in the first
- // version only sets cbSize and dwRevocationResult. Everything else
- // is NULL
- //
- //
- // Revocation Information
- //
- typedef struct _CERT_REVOCATION_INFO {
- DWORD cbSize;
- DWORD dwRevocationResult;
- LPCSTR pszRevocationOid;
- LPVOID pvOidSpecificInfo;
- // fHasFreshnessTime is only set if we are able to retrieve revocation
- // information. For a CRL its CurrentTime - ThisUpdate.
- BOOL fHasFreshnessTime;
- DWORD dwFreshnessTime; // seconds
- // NonNULL for CRL base revocation checking
- PCERT_REVOCATION_CRL_INFO pCrlInfo;
- } CERT_REVOCATION_INFO, *PCERT_REVOCATION_INFO;
- //
- // Trust List Information
- //
- typedef struct _CERT_TRUST_LIST_INFO {
- DWORD cbSize;
- PCTL_ENTRY pCtlEntry;
- PCCTL_CONTEXT pCtlContext;
- } CERT_TRUST_LIST_INFO, *PCERT_TRUST_LIST_INFO;
- //
- // Chain Element
- //
- typedef struct _CERT_CHAIN_ELEMENT {
- DWORD cbSize;
- PCCERT_CONTEXT pCertContext;
- CERT_TRUST_STATUS TrustStatus;
- PCERT_REVOCATION_INFO pRevocationInfo;
- PCERT_ENHKEY_USAGE pIssuanceUsage; // If NULL, any
- PCERT_ENHKEY_USAGE pApplicationUsage; // If NULL, any
- LPCWSTR pwszExtendedErrorInfo; // If NULL, none
- } CERT_CHAIN_ELEMENT, *PCERT_CHAIN_ELEMENT;
- //
- // The simple chain is an array of chain elements and a summary trust status
- // for the chain
- //
- // rgpElements[0] is the end certificate chain element
- //
- // rgpElements[cElement-1] is the self-signed "root" certificate chain element
- //
- typedef struct _CERT_SIMPLE_CHAIN {
- DWORD cbSize;
- CERT_TRUST_STATUS TrustStatus;
- DWORD cElement;
- PCERT_CHAIN_ELEMENT* rgpElement;
- PCERT_TRUST_LIST_INFO pTrustListInfo;
- // fHasRevocationFreshnessTime is only set if we are able to retrieve
- // revocation information for all elements checked for revocation.
- // For a CRL its CurrentTime - ThisUpdate.
- //
- // dwRevocationFreshnessTime is the largest time across all elements
- // checked.
- BOOL fHasRevocationFreshnessTime;
- DWORD dwRevocationFreshnessTime; // seconds
- } CERT_SIMPLE_CHAIN, *PCERT_SIMPLE_CHAIN;
- //
- // And the chain context contains an array of simple chains and summary trust
- // status for all the connected simple chains
- //
- // rgpChains[0] is the end certificate simple chain
- //
- // rgpChains[cChain-1] is the final (possibly trust list signer) chain which
- // ends in a certificate which is contained in the root store
- //
- typedef struct _CERT_CHAIN_CONTEXT CERT_CHAIN_CONTEXT, *PCERT_CHAIN_CONTEXT;
- typedef const CERT_CHAIN_CONTEXT *PCCERT_CHAIN_CONTEXT;
- struct _CERT_CHAIN_CONTEXT {
- DWORD cbSize;
- CERT_TRUST_STATUS TrustStatus;
- DWORD cChain;
- PCERT_SIMPLE_CHAIN* rgpChain;
- // Following is returned when CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS
- // is set in dwFlags
- DWORD cLowerQualityChainContext;
- PCCERT_CHAIN_CONTEXT* rgpLowerQualityChainContext;
- // fHasRevocationFreshnessTime is only set if we are able to retrieve
- // revocation information for all elements checked for revocation.
- // For a CRL its CurrentTime - ThisUpdate.
- //
- // dwRevocationFreshnessTime is the largest time across all elements
- // checked.
- BOOL fHasRevocationFreshnessTime;
- DWORD dwRevocationFreshnessTime; // seconds
- };
- //
- // When building a chain, the there are various parameters used for finding
- // issuing certificates and trust lists. They are identified in the
- // following structure
- //
- // Default usage match type is AND with value zero
- #define USAGE_MATCH_TYPE_AND 0x00000000
- #define USAGE_MATCH_TYPE_OR 0x00000001
- typedef struct _CERT_USAGE_MATCH {
- DWORD dwType;
- CERT_ENHKEY_USAGE Usage;
- } CERT_USAGE_MATCH, *PCERT_USAGE_MATCH;
- typedef struct _CTL_USAGE_MATCH {
- DWORD dwType;
- CTL_USAGE Usage;
- } CTL_USAGE_MATCH, *PCTL_USAGE_MATCH;
- typedef struct _CERT_CHAIN_PARA {
- DWORD cbSize;
- CERT_USAGE_MATCH RequestedUsage;
- #ifdef CERT_CHAIN_PARA_HAS_EXTRA_FIELDS
- // Note, if you #define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS, then, you
- // must zero all unused fields in this data structure.
- // More fields could be added in a future release.
- CERT_USAGE_MATCH RequestedIssuancePolicy;
- DWORD dwUrlRetrievalTimeout; // milliseconds
- BOOL fCheckRevocationFreshnessTime;
- DWORD dwRevocationFreshnessTime; // seconds
- #endif
- } CERT_CHAIN_PARA, *PCERT_CHAIN_PARA;
- //
- // The following API is used for retrieving certificate chains
- //
- // Parameters:
- //
- // hChainEngine - the chain engine (namespace and cache) to use, NULL
- // mean use the default chain engine
- //
- // pCertContext - the context we are retrieving the chain for, it
- // will be the zero index element in the chain
- //
- // pTime - the point in time that we want the chain validated
- // for. Note that the time does not affect trust list,
- // revocation, or root store checking. NULL means use
- // the current system time
- //
- // hAdditionalStore - additional store to use when looking up objects
- //
- // pChainPara - parameters for chain building
- //
- // dwFlags - flags such as should revocation checking be done
- // on the chain?
- //
- // pvReserved - reserved parameter, must be NULL
- //
- // ppChainContext - chain context returned
- //
- // CERT_CHAIN_CACHE_END_CERT can be used here as well
- // Revocation flags are in the high nibble
- #define CERT_CHAIN_REVOCATION_CHECK_END_CERT 0x10000000
- #define CERT_CHAIN_REVOCATION_CHECK_CHAIN 0x20000000
- #define CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x40000000
- #define CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY 0x80000000
- // By default, the dwUrlRetrievalTimeout in pChainPara is the timeout used
- // for each revocation URL wire retrieval. When the following flag is set,
- // dwUrlRetrievalTimeout is the accumulative timeout across all
- // revocation URL wire retrievals.
- #define CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT 0x08000000
- // First pass determines highest quality based upon:
- // - Chain signature valid (higest quality bit of this set)
- // - Complete chain
- // - Trusted root (lowestest quality bit of this set)
- // By default, second pass only considers paths >= highest first pass quality
- #define CERT_CHAIN_DISABLE_PASS1_QUALITY_FILTERING 0x00000040
- #define CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS 0x00000080
- #define CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE 0x00000100
- // When this flag is set, pTime will be used as the timestamp time.
- // pTime will be used to determine if the end certificate was valid at this
- // time. Revocation checking will be relative to pTime.
- // In addition, current time will also be used
- // to determine if the certificate is still time valid. All remaining
- // CA and root certificates will be checked using current time and not pTime.
- //
- // This flag was added 4/5/01 in WXP.
- #define CERT_CHAIN_TIMESTAMP_TIME 0x00000200
- WINCRYPT32API
- BOOL
- WINAPI
- CertGetCertificateChain (
- IN OPTIONAL HCERTCHAINENGINE hChainEngine,
- IN PCCERT_CONTEXT pCertContext,
- IN OPTIONAL LPFILETIME pTime,
- IN OPTIONAL HCERTSTORE hAdditionalStore,
- IN PCERT_CHAIN_PARA pChainPara,
- IN DWORD dwFlags,
- IN LPVOID pvReserved,
- OUT PCCERT_CHAIN_CONTEXT* ppChainContext
- );
- //
- // Free a certificate chain
- //
- WINCRYPT32API
- VOID
- WINAPI
- CertFreeCertificateChain (
- IN PCCERT_CHAIN_CONTEXT pChainContext
- );
- //
- // Duplicate (add a reference to) a certificate chain
- //
- WINCRYPT32API
- PCCERT_CHAIN_CONTEXT
- WINAPI
- CertDuplicateCertificateChain (
- IN PCCERT_CHAIN_CONTEXT pChainContext
- );
- //
- // Specific Revocation Type OID and structure definitions
- //
- //
- // CRL Revocation OID
- //
- #define REVOCATION_OID_CRL_REVOCATION ((LPCSTR)1)
- //
- // For the CRL revocation OID the pvRevocationPara is NULL
- //
- //
- // CRL Revocation Info
- //
- typedef struct _CRL_REVOCATION_INFO {
- PCRL_ENTRY pCrlEntry;
- PCCRL_CONTEXT pCrlContext;
- PCCERT_CHAIN_CONTEXT pCrlIssuerChain;
- } CRL_REVOCATION_INFO, *PCRL_REVOCATION_INFO;
- //+-------------------------------------------------------------------------
- // Find the first or next certificate chain context in the store.
- //
- // The chain context is found according to the dwFindFlags, dwFindType and
- // its pvFindPara. See below for a list of the find types and its parameters.
- //
- // If the first or next chain context isn't found, NULL is returned.
- // Otherwise, a pointer to a read only CERT_CHAIN_CONTEXT is returned.
- // CERT_CHAIN_CONTEXT must be freed by calling CertFreeCertificateChain
- // or is freed when passed as the
- // pPrevChainContext on a subsequent call. CertDuplicateCertificateChain
- // can be called to make a duplicate.
- //
- // pPrevChainContext MUST BE NULL on the first
- // call to find the chain context. To find the next chain context, the
- // pPrevChainContext is set to the CERT_CHAIN_CONTEXT returned by a previous
- // call.
- //
- // NOTE: a NON-NULL pPrevChainContext is always CertFreeCertificateChain'ed by
- // this function, even for an error.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- PCCERT_CHAIN_CONTEXT
- WINAPI
- CertFindChainInStore(
- IN HCERTSTORE hCertStore,
- IN DWORD dwCertEncodingType,
- IN DWORD dwFindFlags,
- IN DWORD dwFindType,
- IN const void *pvFindPara,
- IN PCCERT_CHAIN_CONTEXT pPrevChainContext
- );
- #define CERT_CHAIN_FIND_BY_ISSUER 1
- //+-------------------------------------------------------------------------
- // CERT_CHAIN_FIND_BY_ISSUER
- //
- // Find a certificate chain having a private key for the end certificate and
- // matching one of the given issuer names. A matching dwKeySpec and
- // enhanced key usage can also be specified. Additionally a callback can
- // be provided for even more caller provided filtering before building the
- // chain.
- //
- // By default, only the issuers in the first simple chain are compared
- // for a name match. CERT_CHAIN_FIND_BY_ISSUER_COMPLEX_CHAIN_FLAG can
- // be set in dwFindFlags to match issuers in all the simple chains.
- //
- // CERT_CHAIN_FIND_BY_ISSUER_NO_KEY_FLAG can be set in dwFindFlags to
- // not check if the end certificate has a private key.
- //
- // CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG can be set in dwFindFlags
- // to compare the public key in the end certificate with the crypto
- // provider's public key. The dwAcquirePrivateKeyFlags can be set
- // in CERT_CHAIN_FIND_BY_ISSUER_PARA to enable caching of the private key's
- // HKEY returned by the CSP.
- //
- // If dwCertEncodingType == 0, defaults to X509_ASN_ENCODING for the
- // array of encoded issuer names.
- //
- // By default, the hCertStore passed to CertFindChainInStore, is passed
- // as an additional store to CertGetCertificateChain.
- // CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_FLAG can be set in dwFindFlags
- // to improve performance by only searching the cached system stores
- // (root, my, ca, trust) to find the issuer certificates. If you are doing
- // a find in the "my" system store, than, this flag should be set to
- // improve performance.
- //
- // Setting CERT_CHAIN_FIND_BY_ISSUER_LOCAL_MACHINE_FLAG in dwFindFlags
- // restricts CertGetCertificateChain to search the Local Machine
- // cached system stores instead of the Current User's.
- //
- // Setting CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG in dwFindFlags
- // restricts CertGetCertificateChain to only search the URL cache
- // and not hit the wire.
- //--------------------------------------------------------------------------
- // Returns FALSE to skip this certificate. Otherwise, returns TRUE to
- // build a chain for this certificate.
- typedef BOOL (WINAPI *PFN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK)(
- IN PCCERT_CONTEXT pCert,
- IN void *pvFindArg
- );
- typedef struct _CERT_CHAIN_FIND_BY_ISSUER_PARA {
- DWORD cbSize;
- // If pszUsageIdentifier == NULL, matches any usage.
- LPCSTR pszUsageIdentifier;
- // If dwKeySpec == 0, matches any KeySpec
- DWORD dwKeySpec;
- // When CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG is set in dwFindFlags,
- // CryptAcquireCertificatePrivateKey is called to do the public key
- // comparison. The following flags can be set to enable caching
- // of the acquired private key or suppress CSP UI. See the API for more
- // details on these flags.
- DWORD dwAcquirePrivateKeyFlags;
- // Pointer to an array of X509, ASN.1 encoded issuer name blobs. If
- // cIssuer == 0, matches any issuer
- DWORD cIssuer;
- CERT_NAME_BLOB *rgIssuer;
- // If NULL or Callback returns TRUE, builds the chain for the end
- // certificate having a private key with the specified KeySpec and
- // enhanced key usage.
- PFN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK pfnFindCallback;
- void *pvFindArg;
- #ifdef CERT_CHAIN_FIND_BY_ISSUER_PARA_HAS_EXTRA_FIELDS
- // Note, if you #define CERT_CHAIN_FIND_BY_ISSUER_PARA_HAS_EXTRA_FIELDS,
- // then, you must zero all unused fields in this data structure.
- // More fields could be added in a future release.
- // If the following pointers are nonNull, returns the index of the
- // matching issuer certificate, which is at:
- // pChainContext->
- // rgpChain[*pdwIssuerChainIndex]->rgpElement[*pdwIssuerElementIndex].
- //
- // The issuer name blob is compared against the Issuer field in the
- // certificate. The *pdwIssuerElementIndex is set to the index of this
- // subject certificate + 1. Therefore, its possible for a partial chain or
- // a self signed certificate matching the name blob, where
- // *pdwIssuerElementIndex points past the last certificate in the chain.
- //
- // Note, not updated if the above cIssuer == 0.
- DWORD *pdwIssuerChainIndex;
- DWORD *pdwIssuerElementIndex;
- #endif
- } CERT_CHAIN_FIND_ISSUER_PARA, *PCERT_CHAIN_FIND_ISSUER_PARA,
- CERT_CHAIN_FIND_BY_ISSUER_PARA, *PCERT_CHAIN_FIND_BY_ISSUER_PARA;
- // The following dwFindFlags can be set for CERT_CHAIN_FIND_BY_ISSUER
- // If set, compares the public key in the end certificate with the crypto
- // provider's public key. This comparison is the last check made on the
- // build chain.
- #define CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG 0x0001
- // If not set, only checks the first simple chain for an issuer name match.
- // When set, also checks second and subsequent simple chains.
- #define CERT_CHAIN_FIND_BY_ISSUER_COMPLEX_CHAIN_FLAG 0x0002
- // If set, CertGetCertificateChain only searches the URL cache and
- // doesn't hit the wire.
- #define CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG 0x0004
- // If set, CertGetCertificateChain only opens the Local Machine
- // certificate stores instead of the Current User's.
- #define CERT_CHAIN_FIND_BY_ISSUER_LOCAL_MACHINE_FLAG 0x0008
- // If set, no check is made to see if the end certificate has a private
- // key associated with it.
- #define CERT_CHAIN_FIND_BY_ISSUER_NO_KEY_FLAG 0x4000
- // By default, the hCertStore passed to CertFindChainInStore, is passed
- // as the additional store to CertGetCertificateChain. This flag can be
- // set to improve performance by only searching the cached system stores
- // (root, my, ca, trust) to find the issuer certificates. If not set, then,
- // the hCertStore is always searched in addition to the cached system
- // stores.
- #define CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_FLAG 0x8000
- //+=========================================================================
- // Certificate Chain Policy Data Structures and APIs
- //==========================================================================
- typedef struct _CERT_CHAIN_POLICY_PARA {
- DWORD cbSize;
- DWORD dwFlags;
- void *pvExtraPolicyPara; // pszPolicyOID specific
- } CERT_CHAIN_POLICY_PARA, *PCERT_CHAIN_POLICY_PARA;
- // If both lChainIndex and lElementIndex are set to -1, the dwError applies
- // to the whole chain context. If only lElementIndex is set to -1, the
- // dwError applies to the lChainIndex'ed chain. Otherwise, the dwError applies
- // to the certificate element at
- // pChainContext->rgpChain[lChainIndex]->rgpElement[lElementIndex].
- typedef struct _CERT_CHAIN_POLICY_STATUS {
- DWORD cbSize;
- DWORD dwError;
- LONG lChainIndex;
- LONG lElementIndex;
- void *pvExtraPolicyStatus; // pszPolicyOID specific
- } CERT_CHAIN_POLICY_STATUS, *PCERT_CHAIN_POLICY_STATUS;
- // Common chain policy flags
- #define CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG 0x00000001
- #define CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG 0x00000002
- #define CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG 0x00000004
- #define CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG 0x00000008
- #define CERT_CHAIN_POLICY_IGNORE_ALL_NOT_TIME_VALID_FLAGS (
- CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG |
- CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG |
- CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG
- )
- #define CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG 0x00000010
- #define CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG 0x00000020
- #define CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG 0x00000040
- #define CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG 0x00000080
- #define CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG 0x00000100
- #define CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG 0x00000200
- #define CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG 0x00000400
- #define CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG 0x00000800
- #define CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS (
- CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG |
- CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG |
- CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG |
- CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG
- )
- #define CERT_CHAIN_POLICY_ALLOW_TESTROOT_FLAG 0x00008000
- #define CERT_CHAIN_POLICY_TRUST_TESTROOT_FLAG 0x00004000
- //+-------------------------------------------------------------------------
- // Verify that the certificate chain satisfies the specified policy
- // requirements. If we were able to verify the chain policy, TRUE is returned
- // and the dwError field of the pPolicyStatus is updated. A dwError of 0
- // (ERROR_SUCCESS, S_OK) indicates the chain satisfies the specified policy.
- //
- // If dwError applies to the entire chain context, both lChainIndex and
- // lElementIndex are set to -1. If dwError applies to a simple chain,
- // lElementIndex is set to -1 and lChainIndex is set to the index of the
- // first offending chain having the error. If dwError applies to a
- // certificate element, lChainIndex and lElementIndex are updated to
- // index the first offending certificate having the error, where, the
- // the certificate element is at:
- // pChainContext->rgpChain[lChainIndex]->rgpElement[lElementIndex].
- //
- // The dwFlags in pPolicyPara can be set to change the default policy checking
- // behaviour. In addition, policy specific parameters can be passed in
- // the pvExtraPolicyPara field of pPolicyPara.
- //
- // In addition to returning dwError, in pPolicyStatus, policy OID specific
- // extra status may be returned via pvExtraPolicyStatus.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- CertVerifyCertificateChainPolicy(
- IN LPCSTR pszPolicyOID,
- IN PCCERT_CHAIN_CONTEXT pChainContext,
- IN PCERT_CHAIN_POLICY_PARA pPolicyPara,
- IN OUT PCERT_CHAIN_POLICY_STATUS pPolicyStatus
- );
- // Predefined OID Function Names
- #define CRYPT_OID_VERIFY_CERTIFICATE_CHAIN_POLICY_FUNC
- "CertDllVerifyCertificateChainPolicy"
- // CertDllVerifyCertificateChainPolicy has same function signature as
- // CertVerifyCertificateChainPolicy.
- //+-------------------------------------------------------------------------
- // Predefined verify chain policies
- //--------------------------------------------------------------------------
- #define CERT_CHAIN_POLICY_BASE ((LPCSTR) 1)
- #define CERT_CHAIN_POLICY_AUTHENTICODE ((LPCSTR) 2)
- #define CERT_CHAIN_POLICY_AUTHENTICODE_TS ((LPCSTR) 3)
- #define CERT_CHAIN_POLICY_SSL ((LPCSTR) 4)
- #define CERT_CHAIN_POLICY_BASIC_CONSTRAINTS ((LPCSTR) 5)
- #define CERT_CHAIN_POLICY_NT_AUTH ((LPCSTR) 6)
- #define CERT_CHAIN_POLICY_MICROSOFT_ROOT ((LPCSTR) 7)
- //+-------------------------------------------------------------------------
- // CERT_CHAIN_POLICY_BASE
- //
- // Implements the base chain policy verification checks. dwFlags can
- // be set in pPolicyPara to alter the default policy checking behaviour.
- //--------------------------------------------------------------------------
- //+-------------------------------------------------------------------------
- // CERT_CHAIN_POLICY_AUTHENTICODE
- //
- // Implements the Authenticode chain policy verification checks.
- //
- // pvExtraPolicyPara may optionally be set to point to the following
- // AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA.
- //
- // pvExtraPolicyStatus may optionally be set to point to the following
- // AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS.
- //--------------------------------------------------------------------------
- // dwRegPolicySettings are defined in wintrust.h
- typedef struct _AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA {
- DWORD cbSize;
- DWORD dwRegPolicySettings;
- PCMSG_SIGNER_INFO pSignerInfo; // optional
- } AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA,
- *PAUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA;
- typedef struct _AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS {
- DWORD cbSize;
- BOOL fCommercial; // obtained from signer statement
- } AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS,
- *PAUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS;
- //+-------------------------------------------------------------------------
- // CERT_CHAIN_POLICY_AUTHENTICODE_TS
- //
- // Implements the Authenticode Time Stamp chain policy verification checks.
- //
- // pvExtraPolicyPara may optionally be set to point to the following
- // AUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA.
- //
- // pvExtraPolicyStatus isn't used and must be set to NULL.
- //--------------------------------------------------------------------------
- // dwRegPolicySettings are defined in wintrust.h
- typedef struct _AUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA {
- DWORD cbSize;
- DWORD dwRegPolicySettings;
- BOOL fCommercial;
- } AUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA,
- *PAUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA;
- //+-------------------------------------------------------------------------
- // CERT_CHAIN_POLICY_SSL
- //
- // Implements the SSL client/server chain policy verification checks.
- //
- // pvExtraPolicyPara may optionally be set to point to the following
- // SSL_EXTRA_CERT_CHAIN_POLICY_PARA data structure
- //--------------------------------------------------------------------------
- // fdwChecks flags are defined in wininet.h
- typedef struct _HTTPSPolicyCallbackData
- {
- union {
- DWORD cbStruct; // sizeof(HTTPSPolicyCallbackData);
- DWORD cbSize; // sizeof(HTTPSPolicyCallbackData);
- };
- DWORD dwAuthType;
- # define AUTHTYPE_CLIENT 1
- # define AUTHTYPE_SERVER 2
- DWORD fdwChecks;
- WCHAR *pwszServerName; // used to check against CN=xxxx
- } HTTPSPolicyCallbackData, *PHTTPSPolicyCallbackData,
- SSL_EXTRA_CERT_CHAIN_POLICY_PARA, *PSSL_EXTRA_CERT_CHAIN_POLICY_PARA;
- //+-------------------------------------------------------------------------
- // CERT_CHAIN_POLICY_BASIC_CONSTRAINTS
- //
- // Implements the basic constraints chain policy.
- //
- // Iterates through all the certificates in the chain checking for either
- // a szOID_BASIC_CONSTRAINTS or a szOID_BASIC_CONSTRAINTS2 extension. If
- // neither extension is present, the certificate is assumed to have
- // valid policy. Otherwise, for the first certificate element, checks if
- // it matches the expected CA_FLAG or END_ENTITY_FLAG specified in
- // pPolicyPara->dwFlags. If neither or both flags are set, then, the first
- // element can be either a CA or END_ENTITY. All other elements must be
- // a CA. If the PathLenConstraint is present in the extension, its
- // checked.
- //
- // The first elements in the remaining simple chains (ie, the certificate
- // used to sign the CTL) are checked to be an END_ENTITY.
- //
- // If this verification fails, dwError will be set to
- // TRUST_E_BASIC_CONSTRAINTS.
- //--------------------------------------------------------------------------
- #define BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_CA_FLAG 0x80000000
- #define BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_END_ENTITY_FLAG 0x40000000
- //+-------------------------------------------------------------------------
- // CERT_CHAIN_POLICY_NT_AUTH
- //
- // Implements the NT Authentication chain policy.
- //
- // The NT Authentication chain policy consists of 3 distinct chain
- // verifications in the following order:
- // [1] CERT_CHAIN_POLICY_BASE - Implements the base chain policy
- // verification checks. The LOWORD of dwFlags can be set in
- // pPolicyPara to alter the default policy checking behaviour. See
- // CERT_CHAIN_POLICY_BASE for more details.
- //
- // [2] CERT_CHAIN_POLICY_BASIC_CONSTRAINTS - Implements the basic
- // constraints chain policy. The HIWORD of dwFlags can be set
- // to specify if the first element must be either a CA or END_ENTITY.
- // See CERT_CHAIN_POLICY_BASIC_CONSTRAINTS for more details.
- //
- // [3] Checks if the second element in the chain, the CA that issued
- // the end certificate, is a trusted CA for NT
- // Authentication. A CA is considered to be trusted if it exists in
- // the "NTAuth" system registry store found in the
- // CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE store location.
- // If this verification fails, whereby the CA isn't trusted,
- // dwError is set to CERT_E_UNTRUSTEDCA.
- //
- // If CERT_PROT_ROOT_DISABLE_NT_AUTH_REQUIRED_FLAG is set
- // in the "Flags" value of the HKLM policy "ProtectedRoots" subkey
- // defined by CERT_PROT_ROOT_FLAGS_REGPATH, then,
- // if the above check fails, checks if the chain
- // has CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS set in dwInfoStatus. This
- // will only be set if there was a valid name constraint for all
- // name spaces including UPN. If the chain doesn't have this info
- // status set, dwError is set to CERT_E_UNTRUSTEDCA.
- //--------------------------------------------------------------------------
- //+-------------------------------------------------------------------------
- // CERT_CHAIN_POLICY_MICROSOFT_ROOT
- //
- // Checks if the last element of the first simple chain contains a
- // Microsoft root public key. If it doesn't contain a Microsoft root
- // public key, dwError is set to CERT_E_UNTRUSTEDROOT.
- //
- // pvExtraPolicyPara and pvExtraPolicyStatus aren't used and must be set
- // to NULL.
- //--------------------------------------------------------------------------
- //+-------------------------------------------------------------------------
- // convert formatted string to binary
- // If cchString is 0, then pszString is NULL terminated and
- // cchString is obtained via strlen() + 1.
- // dwFlags defines string format
- // if pbBinary is NULL, *pcbBinary returns the size of required memory
- // *pdwSkip returns the character count of skipped strings, optional
- // *pdwFlags returns the actual format used in the conversion, optional
- //--------------------------------------------------------------------------
- WINCRYPT32STRINGAPI
- BOOL
- WINAPI
- CryptStringToBinaryA(
- IN LPCSTR pszString,
- IN DWORD cchString,
- IN DWORD dwFlags,
- IN BYTE *pbBinary,
- IN OUT DWORD *pcbBinary,
- OUT DWORD *pdwSkip, //OPTIONAL
- OUT DWORD *pdwFlags //OPTIONAL
- );
- //+-------------------------------------------------------------------------
- // convert formatted string to binary
- // If cchString is 0, then pszString is NULL terminated and
- // cchString is obtained via strlen() + 1.
- // dwFlags defines string format
- // if pbBinary is NULL, *pcbBinary returns the size of required memory
- // *pdwSkip returns the character count of skipped strings, optional
- // *pdwFlags returns the actual format used in the conversion, optional
- //--------------------------------------------------------------------------
- WINCRYPT32STRINGAPI
- BOOL
- WINAPI
- CryptStringToBinaryW(
- IN LPCWSTR pszString,
- IN DWORD cchString,
- IN DWORD dwFlags,
- IN BYTE *pbBinary,
- IN OUT DWORD *pcbBinary,
- OUT DWORD *pdwSkip, //OPTIONAL
- OUT DWORD *pdwFlags //OPTIONAL
- );
- #ifdef UNICODE
- #define CryptStringToBinary CryptStringToBinaryW
- #else
- #define CryptStringToBinary CryptStringToBinaryA
- #endif // !UNICODE
- //+-------------------------------------------------------------------------
- // convert binary to formatted string
- // dwFlags defines string format
- // if pszString is NULL, *pcchString returns the size of required memory in byte
- //--------------------------------------------------------------------------
- WINCRYPT32STRINGAPI
- BOOL
- WINAPI
- CryptBinaryToStringA(
- IN CONST BYTE *pbBinary,
- IN DWORD cbBinary,
- IN DWORD dwFlags,
- IN LPSTR pszString,
- IN OUT DWORD *pcchString
- );
- //+-------------------------------------------------------------------------
- // convert binary to formatted string
- // dwFlags defines string format
- // if pszString is NULL, *pcchString returns the size of required memory in byte
- //--------------------------------------------------------------------------
- WINCRYPT32STRINGAPI
- BOOL
- WINAPI
- CryptBinaryToStringW(
- IN CONST BYTE *pbBinary,
- IN DWORD cbBinary,
- IN DWORD dwFlags,
- IN LPWSTR pszString,
- IN OUT DWORD *pcchString
- );
- #ifdef UNICODE
- #define CryptBinaryToString CryptBinaryToStringW
- #else
- #define CryptBinaryToString CryptBinaryToStringA
- #endif // !UNICODE
- // dwFlags has the following defines
- #define CRYPT_STRING_BASE64HEADER 0x00000000
- #define CRYPT_STRING_BASE64 0x00000001
- #define CRYPT_STRING_BINARY 0x00000002
- #define CRYPT_STRING_BASE64REQUESTHEADER 0x00000003
- #define CRYPT_STRING_HEX 0x00000004
- #define CRYPT_STRING_HEXASCII 0x00000005
- #define CRYPT_STRING_BASE64_ANY 0x00000006
- #define CRYPT_STRING_ANY 0x00000007
- #define CRYPT_STRING_HEX_ANY 0x00000008
- #define CRYPT_STRING_BASE64X509CRLHEADER 0x00000009
- #define CRYPT_STRING_HEXADDR 0x0000000a
- #define CRYPT_STRING_HEXASCIIADDR 0x0000000b
- #define CRYPT_STRING_NOCR 0x80000000
- // CryptBinaryToString uses the following flags
- // CRYPT_STRING_BASE64HEADER - base64 format with certificate begin
- // and end headers
- // CRYPT_STRING_BASE64 - only base64 without headers
- // CRYPT_STRING_BINARY - pure binary copy
- // CRYPT_STRING_BASE64REQUESTHEADER - base64 format with request begin
- // and end headers
- // CRYPT_STRING_BASE64X509CRLHEADER - base64 format with x509 crl begin
- // and end headers
- // CRYPT_STRING_HEX - only hex format
- // CRYPT_STRING_HEXASCII - hex format with ascii char display
- // CRYPT_STRING_HEXADDR - hex format with address display
- // CRYPT_STRING_HEXASCIIADDR - hex format with ascii char and address display
- //
- // CryptBinaryToString accepts CRYPT_STRING_NOCR or'd into one of the above.
- // When set, line breaks contain only LF, instead of CR-LF pairs.
- // CryptStringToBinary uses the following flags
- // CRYPT_STRING_BASE64_ANY tries the following, in order:
- // CRYPT_STRING_BASE64HEADER
- // CRYPT_STRING_BASE64
- // CRYPT_STRING_ANY tries the following, in order:
- // CRYPT_STRING_BASE64_ANY
- // CRYPT_STRING_BINARY -- should always succeed
- // CRYPT_STRING_HEX_ANY tries the following, in order:
- // CRYPT_STRING_HEXADDR
- // CRYPT_STRING_HEXASCIIADDR
- // CRYPT_STRING_HEXASCII
- // CRYPT_STRING_HEX
- //+=========================================================================
- // PFX (PKCS #12) function defintions and types
- //==========================================================================
- //+-------------------------------------------------------------------------
- // PFXImportCertStore
- //
- // Import the PFX blob and return a store containing certificates
- //
- // If the password parameter is incorrect or any other problems decoding
- // the PFX blob are encountered, the function will return NULL and the
- // error code can be found from GetLastError().
- //
- // The dwFlags parameter may be set to the following:
- // CRYPT_EXPORTABLE - specify that any imported keys should be marked as
- // exportable (see documentation on CryptImportKey)
- // CRYPT_USER_PROTECTED - (see documentation on CryptImportKey)
- // CRYPT_MACHINE_KEYSET - used to force the private key to be stored in the
- // the local machine and not the current user.
- // CRYPT_USER_KEYSET - used to force the private key to be stored in the
- // the current user and not the local machine, even if
- // the pfx blob specifies that it should go into local
- // machine.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- HCERTSTORE
- WINAPI
- PFXImportCertStore(
- IN CRYPT_DATA_BLOB* pPFX,
- IN LPCWSTR szPassword,
- IN DWORD dwFlags);
- // dwFlags definitions for PFXImportCertStore
- //#define CRYPT_EXPORTABLE 0x00000001 // CryptImportKey dwFlags
- //#define CRYPT_USER_PROTECTED 0x00000002 // CryptImportKey dwFlags
- //#define CRYPT_MACHINE_KEYSET 0x00000020 // CryptAcquireContext dwFlags
- #define CRYPT_USER_KEYSET 0x00001000
- #define PKCS12_IMPORT_RESERVED_MASK 0xffff0000
- //+-------------------------------------------------------------------------
- // PFXIsPFXBlob
- //
- // This function will try to decode the outer layer of the blob as a pfx
- // blob, and if that works it will return TRUE, it will return FALSE otherwise
- //
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- PFXIsPFXBlob(
- IN CRYPT_DATA_BLOB* pPFX);
- //+-------------------------------------------------------------------------
- // PFXVerifyPassword
- //
- // This function will attempt to decode the outer layer of the blob as a pfx
- // blob and decrypt with the given password. No data from the blob will be
- // imported.
- //
- // Return value is TRUE if password appears correct, FALSE otherwise.
- //
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- PFXVerifyPassword(
- IN CRYPT_DATA_BLOB* pPFX,
- IN LPCWSTR szPassword,
- IN DWORD dwFlags);
- //+-------------------------------------------------------------------------
- // PFXExportCertStoreEx
- //
- // Export the certificates and private keys referenced in the passed-in store
- //
- // This API encodes the blob under a stronger algorithm. The resulting
- // PKCS12 blobs are incompatible with the earlier PFXExportCertStore API.
- //
- // The value passed in the password parameter will be used to encrypt and
- // verify the integrity of the PFX packet. If any problems encoding the store
- // are encountered, the function will return FALSE and the error code can
- // be found from GetLastError().
- //
- // The dwFlags parameter may be set to any combination of
- // EXPORT_PRIVATE_KEYS
- // REPORT_NO_PRIVATE_KEY
- // REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY
- //
- // The encoded PFX blob is returned in *pPFX. If pPFX->pbData is NULL upon
- // input, this is a length only calculation, whereby, pPFX->cbData is updated
- // with the number of bytes required for the encoded blob. Otherwise,
- // the memory pointed to by pPFX->pbData is updated with the encoded bytes
- // and pPFX->cbData is updated with the encoded byte length.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- PFXExportCertStoreEx(
- IN HCERTSTORE hStore,
- IN OUT CRYPT_DATA_BLOB* pPFX,
- IN LPCWSTR szPassword,
- IN void* pvReserved,
- IN DWORD dwFlags);
- // dwFlags definitions for PFXExportCertStoreEx
- #define REPORT_NO_PRIVATE_KEY 0x0001
- #define REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY 0x0002
- #define EXPORT_PRIVATE_KEYS 0x0004
- #define PKCS12_EXPORT_RESERVED_MASK 0xffff0000
- //+-------------------------------------------------------------------------
- // PFXExportCertStore
- //
- // Export the certificates and private keys referenced in the passed-in store
- //
- // This is an old API kept for compatibility with IE4 clients. New applications
- // should call the above PfxExportCertStoreEx for enhanced security.
- //--------------------------------------------------------------------------
- WINCRYPT32API
- BOOL
- WINAPI
- PFXExportCertStore(
- IN HCERTSTORE hStore,
- IN OUT CRYPT_DATA_BLOB* pPFX,
- IN LPCWSTR szPassword,
- IN DWORD dwFlags);
- #ifdef __cplusplus
- } // Balance extern "C" above
- #endif
- #if defined (_MSC_VER)
- #if ( _MSC_VER >= 800 )
- #if _MSC_VER >= 1200
- #pragma warning(pop)
- #else
- #pragma warning(default:4201)
- #endif
- #endif
- #endif
- #endif // __WINCRYPT_H__