Windows编程

开发平台：

Delphi

JwaWinCrypt.pas：源码内容

//+=========================================================================
// Certificate Verify CTL Usage Data Structures and APIs
//==========================================================================
type
PCTL_VERIFY_USAGE_PARA = ^CTL_VERIFY_USAGE_PARA;
{$EXTERNALSYM PCTL_VERIFY_USAGE_PARA}
_CTL_VERIFY_USAGE_PARA = record
cbSize: DWORD;
ListIdentifier: CRYPT_DATA_BLOB; // OPTIONAL
cCtlStore: DWORD;
rghCtlStore: PHCERTSTORE; // OPTIONAL
cSignerStore: DWORD;
rghSignerStore: PHCERTSTORE; // OPTIONAL
end;
{$EXTERNALSYM _CTL_VERIFY_USAGE_PARA}
CTL_VERIFY_USAGE_PARA = _CTL_VERIFY_USAGE_PARA;
{$EXTERNALSYM CTL_VERIFY_USAGE_PARA}
TCtlVerifyUsagePara = CTL_VERIFY_USAGE_PARA;
PCtlVerifyUsagePara = PCTL_VERIFY_USAGE_PARA;
PCTL_VERIFY_USAGE_STATUS = ^CTL_VERIFY_USAGE_STATUS;
{$EXTERNALSYM PCTL_VERIFY_USAGE_STATUS}
_CTL_VERIFY_USAGE_STATUS = record
cbSize: DWORD;
dwError: DWORD;
dwFlags: DWORD;
ppCtl: PPCCTL_CONTEXT; // IN OUT OPTIONAL
dwCtlEntryIndex: DWORD;
ppSigner: PPCCERT_CONTEXT; // IN OUT OPTIONAL
dwSignerIndex: DWORD;
end;
{$EXTERNALSYM _CTL_VERIFY_USAGE_STATUS}
CTL_VERIFY_USAGE_STATUS = _CTL_VERIFY_USAGE_STATUS;
{$EXTERNALSYM CTL_VERIFY_USAGE_STATUS}
TCtlVerifyUsageStatus = CTL_VERIFY_USAGE_STATUS;
PCtlVerifyUsageStatus = PCTL_VERIFY_USAGE_STATUS;
const
CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG = $1;
{$EXTERNALSYM CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG}
CERT_VERIFY_TRUSTED_SIGNERS_FLAG = $2;
{$EXTERNALSYM CERT_VERIFY_TRUSTED_SIGNERS_FLAG}
CERT_VERIFY_NO_TIME_CHECK_FLAG = $4;
{$EXTERNALSYM CERT_VERIFY_NO_TIME_CHECK_FLAG}
CERT_VERIFY_ALLOW_MORE_USAGE_FLAG = $8;
{$EXTERNALSYM CERT_VERIFY_ALLOW_MORE_USAGE_FLAG}
CERT_VERIFY_UPDATED_CTL_FLAG = $1;
{$EXTERNALSYM CERT_VERIFY_UPDATED_CTL_FLAG}
//+-------------------------------------------------------------------------
// Verify that a subject is trusted for the specified usage by finding a
// signed and time valid CTL with the usage identifiers and containing the
// the subject. A subject can be identified by either its certificate context
// or any identifier such as its SHA1 hash.
//
// See CertFindSubjectInCTL for definition of dwSubjectType and pvSubject
// parameters.
//
// Via pVerifyUsagePara, the caller can specify the stores to be searched
// to find the CTL. The caller can also specify the stores containing
// acceptable CTL signers. By setting the ListIdentifier, the caller
// can also restrict to a particular signer CTL list.
//
// Via pVerifyUsageStatus, the CTL containing the subject, the subject's
// index into the CTL's array of entries, and the signer of the CTL
// are returned. If the caller is not interested, ppCtl and ppSigner can be set
// to NULL. Returned contexts must be freed via the store's free context APIs.
//
// If the CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG isn't set, then, a time
// invalid CTL in one of the CtlStores may be replaced. When replaced, the
// CERT_VERIFY_UPDATED_CTL_FLAG is set in pVerifyUsageStatus->dwFlags.
//
// If the CERT_VERIFY_TRUSTED_SIGNERS_FLAG is set, then, only the
// SignerStores specified in pVerifyUsageStatus are searched to find
// the signer. Otherwise, the SignerStores provide additional sources
// to find the signer's certificate.
//
// If CERT_VERIFY_NO_TIME_CHECK_FLAG is set, then, the CTLs aren't checked
// for time validity.
//
// If CERT_VERIFY_ALLOW_MORE_USAGE_FLAG is set, then, the CTL may contain
// additional usage identifiers than specified by pSubjectUsage. Otherwise,
// the found CTL will contain the same usage identifers and no more.
//
// CertVerifyCTLUsage will be implemented as a dispatcher to OID installable
// functions. First, it will try to find an OID function matching the first
// usage object identifier in the pUsage sequence. Next, it will dispatch
// to the default CertDllVerifyCTLUsage functions.
//
// If the subject is trusted for the specified usage, then, TRUE is
// returned. Otherwise, FALSE is returned with dwError set to one of the
// following:
// CRYPT_E_NO_VERIFY_USAGE_DLL
// CRYPT_E_NO_VERIFY_USAGE_CHECK
// CRYPT_E_VERIFY_USAGE_OFFLINE
// CRYPT_E_NOT_IN_CTL
// CRYPT_E_NO_TRUSTED_SIGNER
//--------------------------------------------------------------------------
function CertVerifyCTLUsage(dwEncodingType: DWORD; dwSubjectType: DWORD;
pvSubject: Pointer; pSubjectUsage: PCTL_USAGE; dwFlags: DWORD;
pVerifyUsagePara: PCTL_VERIFY_USAGE_PARA;
pVerifyUsageStatus: PCTL_VERIFY_USAGE_STATUS): BOOL; stdcall;
{$EXTERNALSYM CertVerifyCTLUsage}
//+=========================================================================
// Certificate Revocation Data Structures and APIs
//==========================================================================
//+-------------------------------------------------------------------------
// The following data structure may be passed to CertVerifyRevocation to
// assist in finding the issuer of the context to be verified.
//
// When pIssuerCert is specified, pIssuerCert is the issuer of
// rgpvContext[cContext - 1].
//
// When cCertStore and rgCertStore are specified, these stores may contain
// an issuer certificate.
//
// When hCrlStore is specified then a handler which uses CRLs can search this
// store for them
//
// When pftTimeToUse is specified then the handler (if possible) must determine
// revocation status relative to the time given otherwise the answer may be
// independent of time or relative to current time
//--------------------------------------------------------------------------
type
PCERT_REVOCATION_PARA = ^CERT_REVOCATION_PARA;
{$EXTERNALSYM PCERT_REVOCATION_PARA}
_CERT_REVOCATION_PARA = record
cbSize: DWORD;
pIssuerCert: PCCERT_CONTEXT;
cCertStore: DWORD;
rgCertStore: PHCERTSTORE;
hCrlStore: HCERTSTORE;
pftTimeToUse: LPFILETIME;
end;
{$EXTERNALSYM _CERT_REVOCATION_PARA}
CERT_REVOCATION_PARA = _CERT_REVOCATION_PARA;
{$EXTERNALSYM CERT_REVOCATION_PARA}
TCertRevocationPara = CERT_REVOCATION_PARA;
PCertRevocationPara = PCERT_REVOCATION_PARA;
//+-------------------------------------------------------------------------
// The following data structure is returned by CertVerifyRevocation to
// specify the status of the revoked or unchecked context. Review the
// following CertVerifyRevocation comments for details.
//
// Upon input to CertVerifyRevocation, cbSize must be set to a size
// >= sizeof(CERT_REVOCATION_STATUS). Otherwise, CertVerifyRevocation
// returns FALSE and sets LastError to E_INVALIDARG.
//
// Upon input to the installed or registered CRYPT_OID_VERIFY_REVOCATION_FUNC
// functions, the dwIndex, dwError and dwReason have been zero'ed.
//--------------------------------------------------------------------------
PCERT_REVOCATION_STATUS = ^CERT_REVOCATION_STATUS;
{$EXTERNALSYM PCERT_REVOCATION_STATUS}
_CERT_REVOCATION_STATUS = record
cbSize: DWORD;
dwIndex: DWORD;
dwError: DWORD;
dwReason: DWORD;
end;
{$EXTERNALSYM _CERT_REVOCATION_STATUS}
CERT_REVOCATION_STATUS = _CERT_REVOCATION_STATUS;
{$EXTERNALSYM CERT_REVOCATION_STATUS}
TCertRevocationStatus = CERT_REVOCATION_STATUS;
PCertRevocationStatus = PCERT_REVOCATION_STATUS;
//+-------------------------------------------------------------------------
// Verifies the array of contexts for revocation. The dwRevType parameter
// indicates the type of the context data structure passed in rgpvContext.
// Currently only the revocation of certificates is defined.
//
// If the CERT_VERIFY_REV_CHAIN_FLAG flag is set, then, CertVerifyRevocation
// is verifying a chain of certs where, rgpvContext[i + 1] is the issuer
// of rgpvContext[i]. Otherwise, CertVerifyRevocation makes no assumptions
// about the order of the contexts.
//
// To assist in finding the issuer, the pRevPara may optionally be set. See
// the CERT_REVOCATION_PARA data structure for details.
//
// The contexts must contain enough information to allow the
// installable or registered revocation DLLs to find the revocation server. For
// certificates, this information would normally be conveyed in an
// extension such as the IETF's AuthorityInfoAccess extension.
//
// CertVerifyRevocation returns TRUE if all of the contexts were successfully
// checked and none were revoked. Otherwise, returns FALSE and updates the
// returned pRevStatus data structure as follows:
// dwIndex
// Index of the first context that was revoked or unable to
// be checked for revocation
// dwError
// Error status. LastError is also set to this error status.
// dwError can be set to one of the following error codes defined
// in winerror.h:
// ERROR_SUCCESS - good context
// CRYPT_E_REVOKED - context was revoked. dwReason contains the
// reason for revocation
// CRYPT_E_REVOCATION_OFFLINE - unable to connect to the
// revocation server
// CRYPT_E_NOT_IN_REVOCATION_DATABASE - the context to be checked
// was not found in the revocation server's database.
// CRYPT_E_NO_REVOCATION_CHECK - the called revocation function
// wasn't able to do a revocation check on the context
// CRYPT_E_NO_REVOCATION_DLL - no installed or registered Dll was
// found to verify revocation
// dwReason
// The dwReason is currently only set for CRYPT_E_REVOKED and contains
// the reason why the context was revoked. May be one of the following
// CRL reasons defined by the CRL Reason Code extension ("2.5.29.21")
// CRL_REASON_UNSPECIFIED 0
// CRL_REASON_KEY_COMPROMISE 1
// CRL_REASON_CA_COMPROMISE 2
// CRL_REASON_AFFILIATION_CHANGED 3
// CRL_REASON_SUPERSEDED 4
// CRL_REASON_CESSATION_OF_OPERATION 5
// CRL_REASON_CERTIFICATE_HOLD 6
//
// For each entry in rgpvContext, CertVerifyRevocation iterates
// through the CRYPT_OID_VERIFY_REVOCATION_FUNC
// function set's list of installed DEFAULT functions.
// CryptGetDefaultOIDFunctionAddress is called with pwszDll = NULL. If no
// installed functions are found capable of doing the revocation verification,
// CryptVerifyRevocation iterates through CRYPT_OID_VERIFY_REVOCATION_FUNC's
// list of registered DEFAULT Dlls. CryptGetDefaultOIDDllList is called to
// get the list. CryptGetDefaultOIDFunctionAddress is called to load the Dll.
//
// The called functions have the same signature as CertVerifyRevocation. A
// called function returns TRUE if it was able to successfully check all of
// the contexts and none were revoked. Otherwise, the called function returns
// FALSE and updates pRevStatus. dwIndex is set to the index of
// the first context that was found to be revoked or unable to be checked.
// dwError and LastError are updated. For CRYPT_E_REVOKED, dwReason
// is updated. Upon input to the called function, dwIndex, dwError and
// dwReason have been zero'ed. cbSize has been checked to be >=
// sizeof(CERT_REVOCATION_STATUS).
//
// If the called function returns FALSE, and dwError isn't set to
// CRYPT_E_REVOKED, then, CertVerifyRevocation either continues on to the
// next DLL in the list for a returned dwIndex of 0 or for a returned
// dwIndex > 0, restarts the process of finding a verify function by
// advancing the start of the context array to the returned dwIndex and
// decrementing the count of remaining contexts.
//--------------------------------------------------------------------------
function CertVerifyRevocation(dwEncodingType, dwRevType, cContext: DWORD;
rgpvContext: PVOID; dwFlags: DWORD; pRevPara: PCERT_REVOCATION_PARA;
pRevStatus: PCERT_REVOCATION_STATUS): BOOL; stdcall;
{$EXTERNALSYM CertVerifyRevocation}
//+-------------------------------------------------------------------------
// Revocation types
//--------------------------------------------------------------------------
const
CERT_CONTEXT_REVOCATION_TYPE = 1;
{$EXTERNALSYM CERT_CONTEXT_REVOCATION_TYPE}
//+-------------------------------------------------------------------------
// When the following flag is set, rgpvContext[] consists of a chain
// of certificates, where rgpvContext[i + 1] is the issuer of rgpvContext[i].
//--------------------------------------------------------------------------
CERT_VERIFY_REV_CHAIN_FLAG = $00000001;
{$EXTERNALSYM CERT_VERIFY_REV_CHAIN_FLAG}
//+-------------------------------------------------------------------------
// CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION prevents the revocation handler from
// accessing any network based resources for revocation checking
//--------------------------------------------------------------------------
CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION = $00000002;
{$EXTERNALSYM CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION}
//+-------------------------------------------------------------------------
// CERT_CONTEXT_REVOCATION_TYPE
//
// pvContext points to a const CERT_CONTEXT.
//--------------------------------------------------------------------------
//+=========================================================================
// Certificate Helper APIs
//==========================================================================
//+-------------------------------------------------------------------------
// Compare two multiple byte integer blobs to see if they are identical.
//
// Before doing the comparison, leading zero bytes are removed from a
// positive number and leading 0xFF bytes are removed from a negative
// number.
//
// The multiple byte integers are treated as Little Endian. pbData[0] is the
// least significant byte and pbData[cbData - 1] is the most significant
// byte.
//
// Returns TRUE if the integer blobs are identical after removing leading
// 0 or 0xFF bytes.
//--------------------------------------------------------------------------
function CertCompareIntegerBlob(pInt1, pInt2: PCRYPT_INTEGER_BLOB): BOOL; stdcall;
{$EXTERNALSYM CertCompareIntegerBlob}
//+-------------------------------------------------------------------------
// Compare two certificates to see if they are identical.
//
// Since a certificate is uniquely identified by its Issuer and SerialNumber,
// these are the only fields needing to be compared.
//
// Returns TRUE if the certificates are identical.
//--------------------------------------------------------------------------
function CertCompareCertificate(dwCertEncodingType: DWORD; pCertId1, pCertId2: PCERT_INFO): BOOL; stdcall;
{$EXTERNALSYM CertCompareCertificate}
//+-------------------------------------------------------------------------
// Compare two certificate names to see if they are identical.
//
// Returns TRUE if the names are identical.
//--------------------------------------------------------------------------
function CertCompareCertificateName(dwCertEncodingType: DWORD;
pCertName1: PCERT_NAME_BLOB; pCertName2: PCERT_NAME_BLOB): BOOL; stdcall;
{$EXTERNALSYM CertCompareCertificateName}
//+-------------------------------------------------------------------------
// Compare the attributes in the certificate name with the specified
// Relative Distinguished Name's (CERT_RDN) array of attributes.
// The comparison iterates through the CERT_RDN attributes and looks for an
// attribute match in any of the certificate name's RDNs.
// Returns TRUE if all the attributes are found and match.
//
// The CERT_RDN_ATTR fields can have the following special values:
// pszObjId == NULL - ignore the attribute object identifier
// dwValueType == RDN_ANY_TYPE - ignore the value type
//
// CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG should be set to do
// a case insensitive match. Otherwise, defaults to an exact, case sensitive
// match.
//
// CERT_UNICODE_IS_RDN_ATTRS_FLAG should be set if the pRDN was initialized
// with unicode strings as for CryptEncodeObject(X509_UNICODE_NAME).
//--------------------------------------------------------------------------
function CertIsRDNAttrsInCertificateName(dwCertEncodingType, dwFlags: DWORD;
pCertName: PCERT_NAME_BLOB; pRDN: PCERT_RDN): BOOL; stdcall;
{$EXTERNALSYM CertIsRDNAttrsInCertificateName}
const
CERT_UNICODE_IS_RDN_ATTRS_FLAG = $1;
{$EXTERNALSYM CERT_UNICODE_IS_RDN_ATTRS_FLAG}
CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG = $2;
{$EXTERNALSYM CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG}
//+-------------------------------------------------------------------------
// Compare two public keys to see if they are identical.
//
// Returns TRUE if the keys are identical.
//--------------------------------------------------------------------------
function CertComparePublicKeyInfo(dwCertEncodingType: DWORD;
pPublicKey1, pPublicKey2: PCERT_PUBLIC_KEY_INFO): BOOL; stdcall;
{$EXTERNALSYM CertComparePublicKeyInfo}
//+-------------------------------------------------------------------------
// Get the public/private key's bit length.
//
// Returns 0 if unable to determine the key's length.
//--------------------------------------------------------------------------
function CertGetPublicKeyLength(dwCertEncodingType: DWORD;
pPublicKey: PCERT_PUBLIC_KEY_INFO): DWORD; stdcall;
{$EXTERNALSYM CertGetPublicKeyLength}
//+-------------------------------------------------------------------------
// Verify the signature of a subject certificate or a CRL using the
// public key info
//
// Returns TRUE for a valid signature.
//
// hCryptProv specifies the crypto provider to use to verify the signature.
// It doesn't need to use a private key.
//--------------------------------------------------------------------------
function CryptVerifyCertificateSignature(hCryptProv: HCRYPTPROV;
dwCertEncodingType: DWORD; pbEncoded: LPBYTE; cbEncoded: DWORD;
pPublicKey: PCERT_PUBLIC_KEY_INFO): BOOL; stdcall;
{$EXTERNALSYM CryptVerifyCertificateSignature}
//+-------------------------------------------------------------------------
// Verify the signature of a subject certificate, CRL, certificate request
// or keygen request using the issuer's public key.
//
// Returns TRUE for a valid signature.
//
// The subject can be an encoded blob or a context for a certificate or CRL.
// For a subject certificate context, if the certificate is missing
// inheritable PublicKey Algorithm Parameters, the context's
// CERT_PUBKEY_ALG_PARA_PROP_ID is updated with the issuer's public key
// algorithm parameters for a valid signature.
//
// The issuer can be a pointer to a CERT_PUBLIC_KEY_INFO, certificate
// context or a chain context.
//
// hCryptProv specifies the crypto provider to use to verify the signature.
// Its private key isn't used. If hCryptProv is NULL, a default
// provider is picked according to the PublicKey Algorithm OID.
//--------------------------------------------------------------------------
function CryptVerifyCertificateSignatureEx(hCryptProv: HCRYPTPROV;
dwCertEncodingType, dwSubjectType: DWORD; pvSubject: Pointer;
dwIssuerType: DWORD; pvIssuer: Pointer; dwFlags: DWORD; pvReserved: Pointer): BOOL; stdcall;
{$EXTERNALSYM CryptVerifyCertificateSignatureEx}
// Subject Types
const
CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB = 1;
{$EXTERNALSYM CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB}
// pvSubject :: PCRYPT_DATA_BLOB
CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT = 2;
{$EXTERNALSYM CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT}
// pvSubject :: PCCERT_CONTEXT
CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL = 3;
{$EXTERNALSYM CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL}
// pvSubject :: PCCRL_CONTEXT
// Issuer Types
CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY = 1;
{$EXTERNALSYM CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY}
// pvIssuer :: PCERT_PUBLIC_KEY_INFO
CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT = 2;
{$EXTERNALSYM CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT}
// pvIssuer :: PCCERT_CONTEXT
CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN = 3;
{$EXTERNALSYM CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN}
// pvIssuer :: PCCERT_CHAIN_CONTEXT
//+-------------------------------------------------------------------------
// Compute the hash of the "to be signed" information in the encoded
// signed content (CERT_SIGNED_CONTENT_INFO).
//
// hCryptProv specifies the crypto provider to use to compute the hash.
// It doesn't need to use a private key.
//--------------------------------------------------------------------------
function CryptHashToBeSigned(hCryptProv: HCRYPTPROV; dwCertEncodingType: DWORD;
pbEncoded: LPBYTE; cbEncoded: DWORD; pbComputedHash: LPBYTE;
var pcbComputedHash: DWORD): BOOL; stdcall;
{$EXTERNALSYM CryptHashToBeSigned}
//+-------------------------------------------------------------------------
// Hash the encoded content.
//
// hCryptProv specifies the crypto provider to use to compute the hash.
// It doesn't need to use a private key.
//
// Algid specifies the CAPI hash algorithm to use. If Algid is 0, then, the
// default hash algorithm (currently SHA1) is used.
//--------------------------------------------------------------------------
function CryptHashCertificate(hCryptProv: HCRYPTPROV; Algid: ALG_ID;
dwFlags: DWORD; pbEncoded: LPBYTE; cbEncoded: DWORD; pbComputedHash: LPBYTE;
var pcbComputedHash: DWORD): BOOL; stdcall;
{$EXTERNALSYM CryptHashCertificate}
//+-------------------------------------------------------------------------
// Sign the "to be signed" information in the encoded signed content.
//
// hCryptProv specifies the crypto provider to use to do the signature.
// It uses the specified private key.
//--------------------------------------------------------------------------
function CryptSignCertificate(hCryptProv: HCRYPTPROV; dwKeySpec: DWORD;
dwCertEncodingType: DWORD; pbEncodedToBeSigned: LPBYTE; cbEncodedToBeSigned: DWORD;
pSignatureAlgorithm: PCRYPT_ALGORITHM_IDENTIFIER; pvHashAuxInfo: Pointer;
pbSignature: LPBYTE; var pcbSignature: DWORD): BOOL; stdcall;
{$EXTERNALSYM CryptSignCertificate}
//+-------------------------------------------------------------------------
// Encode the "to be signed" information. Sign the encoded "to be signed".
// Encode the "to be signed" and the signature.
//
// hCryptProv specifies the crypto provider to use to do the signature.
// It uses the specified private key.
//--------------------------------------------------------------------------
function CryptSignAndEncodeCertificate(hCryptProv: HCRYPTPROV; dwKeySpec: DWORD;
dwCertEncodingType: DWORD; lpszStructType: LPCSTR; pvStructInfo: Pointer;
pSignatureAlgorithm: PCRYPT_ALGORITHM_IDENTIFIER; pvHashAuxInfo: Pointer;
pbEncoded: PBYTE; var pcbEncoded: DWORD): BOOL; stdcall;
{$EXTERNALSYM CryptSignAndEncodeCertificate}
//+-------------------------------------------------------------------------
// Verify the time validity of a certificate.
//
// Returns -1 if before NotBefore, +1 if after NotAfter and otherwise 0 for
// a valid certificate
//
// If pTimeToVerify is NULL, uses the current time.
//--------------------------------------------------------------------------
function CertVerifyTimeValidity(pTimeToVerify: LPFILETIME; pCertInfo: PCERT_INFO): LONG; stdcall;
{$EXTERNALSYM CertVerifyTimeValidity}
//+-------------------------------------------------------------------------
// Verify the time validity of a CRL.
//
// Returns -1 if before ThisUpdate, +1 if after NextUpdate and otherwise 0 for
// a valid CRL
//
// If pTimeToVerify is NULL, uses the current time.
//--------------------------------------------------------------------------
function CertVerifyCRLTimeValidity(pTimeToVerify: LPFILETIME; pCrlInfo: PCRL_INFO): LONG; stdcall;
{$EXTERNALSYM CertVerifyCRLTimeValidity}
//+-------------------------------------------------------------------------
// Verify that the subject's time validity nests within the issuer's time
// validity.
//
// Returns TRUE if it nests. Otherwise, returns FALSE.
//--------------------------------------------------------------------------
function CertVerifyValidityNesting(pSubjectInfo, pIssuerInfo: PCERT_INFO): BOOL; stdcall;
{$EXTERNALSYM CertVerifyValidityNesting}
//+-------------------------------------------------------------------------
// Verify that the subject certificate isn't on its issuer CRL.
//
// Returns true if the certificate isn't on the CRL.
//--------------------------------------------------------------------------
function CertVerifyCRLRevocation(dwCertEncodingType: DWORD; pCertId: PCERT_INFO;
cCrlInfo: DWORD; rgpCrlInfo: PCRL_INFO): BOOL; stdcall;
{$EXTERNALSYM CertVerifyCRLRevocation}
//+-------------------------------------------------------------------------
// Convert the CAPI AlgId to the ASN.1 Object Identifier string
//
// Returns NULL if there isn't an ObjId corresponding to the AlgId.
//--------------------------------------------------------------------------
function CertAlgIdToOID(dwAlgId: DWORD): LPCSTR; stdcall;
{$EXTERNALSYM CertAlgIdToOID}
//+-------------------------------------------------------------------------
// Convert the ASN.1 Object Identifier string to the CAPI AlgId.
//
// Returns 0 if there isn't an AlgId corresponding to the ObjId.
//--------------------------------------------------------------------------
function CertOIDToAlgId(pszObjId: LPCSTR): DWORD; stdcall;
{$EXTERNALSYM CertOIDToAlgId}
//+-------------------------------------------------------------------------
// Find an extension identified by its Object Identifier.
//
// If found, returns pointer to the extension. Otherwise, returns NULL.
//--------------------------------------------------------------------------
function CertFindExtension(pszObjId: LPCSTR; cExtensions: DWORD;
rgExtensions: PCERT_EXTENSION): PCERT_EXTENSION; stdcall;
{$EXTERNALSYM CertFindExtension}
//+-------------------------------------------------------------------------
// Find the first attribute identified by its Object Identifier.
//
// If found, returns pointer to the attribute. Otherwise, returns NULL.
//--------------------------------------------------------------------------
function CertFindAttribute(pszObjId: LPCSTR; cAttr: DWORD;
rgAttr: PCRYPT_ATTRIBUTE): PCRYPT_ATTRIBUTE; stdcall;
{$EXTERNALSYM CertFindAttribute}
//+-------------------------------------------------------------------------
// Find the first CERT_RDN attribute identified by its Object Identifier in
// the name's list of Relative Distinguished Names.
//
// If found, returns pointer to the attribute. Otherwise, returns NULL.
//--------------------------------------------------------------------------
function CertFindRDNAttr(pszObjId: LPCSTR; pName: PCERT_NAME_INFO): PCERT_RDN_ATTR; stdcall;
{$EXTERNALSYM CertFindRDNAttr}
//+-------------------------------------------------------------------------
// Get the intended key usage bytes from the certificate.
//
// If the certificate doesn't have any intended key usage bytes, returns FALSE
// and *pbKeyUsage is zeroed. Otherwise, returns TRUE and up through
// cbKeyUsage bytes are copied into *pbKeyUsage. Any remaining uncopied
// bytes are zeroed.
//--------------------------------------------------------------------------
function CertGetIntendedKeyUsage(dwCertEncodingType: DWORD; pCertInfo: PCERT_INFO;
pbKeyUsage: LPBYTE; cbKeyUsage: DWORD): BOOL; stdcall;
{$EXTERNALSYM CertGetIntendedKeyUsage}
type
HCRYPTDEFAULTCONTEXT = Pointer;
{$EXTERNALSYM HCRYPTDEFAULTCONTEXT}
//+-------------------------------------------------------------------------
// Install a previously CryptAcquiredContext'ed HCRYPTPROV to be used as
// a default context.
//
// dwDefaultType and pvDefaultPara specify where the default context is used.
// For example, install the HCRYPTPROV to be used to verify certificate's
// having szOID_OIWSEC_md5RSA signatures.
//
// By default, the installed HCRYPTPROV is only applicable to the current
// thread. Set CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG to allow the HCRYPTPROV
// to be used by all threads in the current process.
//
// For a successful install, TRUE is returned and *phDefaultContext is
// updated with the HANDLE to be passed to CryptUninstallDefaultContext.
//
// The installed HCRYPTPROVs are stack ordered (the last installed
// HCRYPTPROV is checked first). All thread installed HCRYPTPROVs are
// checked before any process HCRYPTPROVs.
//
// The installed HCRYPTPROV remains available for default usage until
// CryptUninstallDefaultContext is called or the thread or process exits.
//
// If CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG is set, then, the HCRYPTPROV
// is CryptReleaseContext'ed at thread or process exit. However,
// not CryptReleaseContext'ed if CryptUninstallDefaultContext is
// called.
//--------------------------------------------------------------------------
function CryptInstallDefaultContext(hCryptProv: HCRYPTPROV; dwDefaultType: DWORD;
pvDefaultPara: Pointer; dwFlags: DWORD; pvReserved: Pointer;
var phDefaultContext: HCRYPTDEFAULTCONTEXT): BOOL; stdcall;
{$EXTERNALSYM CryptInstallDefaultContext}
// dwFlags
const
CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG = $00000001;
{$EXTERNALSYM CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG}
CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG = $00000002;
{$EXTERNALSYM CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG}
// List of dwDefaultType's
CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID = 1;
{$EXTERNALSYM CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID}
CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID = 2;
{$EXTERNALSYM CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID}
//+-------------------------------------------------------------------------
// CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID
//
// Install a default HCRYPTPROV used to verify a certificate
// signature. pvDefaultPara points to the szOID of the certificate
// signature algorithm, for example, szOID_OIWSEC_md5RSA. If
// pvDefaultPara is NULL, then, the HCRYPTPROV is used to verify all
// certificate signatures. Note, pvDefaultPara can't be NULL when
// CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG is set.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID
//
// Same as CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID. However, the default
// HCRYPTPROV is to be used for multiple signature szOIDs. pvDefaultPara
// points to a CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA structure containing
// an array of szOID pointers.
//--------------------------------------------------------------------------
type
PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA = ^CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA;
{$EXTERNALSYM PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA}
_CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA = record
cOID: DWORD;
rgpszOID: LPLPSTR;
end;
{$EXTERNALSYM _CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA}
CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA = _CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA;
{$EXTERNALSYM CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA}
TCryptDefaultContextMultiOidPara = CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA;
PCryptDefaultContextMultiOidPara = PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA;
//+-------------------------------------------------------------------------
// Uninstall a default context previously installed by
// CryptInstallDefaultContext.
//
// For a default context installed with CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG
// set, if any other threads are currently using this context,
// this function will block until they finish.
//--------------------------------------------------------------------------
function CryptUninstallDefaultContext(hDefaultContext: HCRYPTDEFAULTCONTEXT;
dwFlags: DWORD; pvReserved: Pointer): BOOL; stdcall;
{$EXTERNALSYM CryptUninstallDefaultContext}
//+-------------------------------------------------------------------------
// Export the public key info associated with the provider's corresponding
// private key.
//
// Calls CryptExportPublicKeyInfo with pszPublicKeyObjId = szOID_RSA_RSA,
// dwFlags = 0 and pvAuxInfo = NULL.
//--------------------------------------------------------------------------
function CryptExportPublicKeyInfo(hCryptProv: HCRYPTPROV; dwKeySpec: DWORD;
dwCertEncodingType: DWORD; pInfo: PCERT_PUBLIC_KEY_INFO; var pcbInfo: DWORD): BOOL; stdcall;
{$EXTERNALSYM CryptExportPublicKeyInfo}
//+-------------------------------------------------------------------------
// Export the public key info associated with the provider's corresponding
// private key.
//
// Uses the dwCertEncodingType and pszPublicKeyObjId to call the
// installable CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC. The called function
// has the same signature as CryptExportPublicKeyInfoEx.
//
// If unable to find an installable OID function for the pszPublicKeyObjId,
// attempts to export as a RSA Public Key (szOID_RSA_RSA).
//
// The dwFlags and pvAuxInfo aren't used for szOID_RSA_RSA.
//--------------------------------------------------------------------------
const
CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC = 'CryptDllExportPublicKeyInfoEx';
{$EXTERNALSYM CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC}
function CryptExportPublicKeyInfoEx(hCryptProv: HCRYPTPROV; dwKeySpec: DWORD;
dwCertEncodingType: DWORD; pszPublicKeyObjId: LPSTR; dwFlags: DWORD;
pvAuxInfo: Pointer; pInfo: PCERT_PUBLIC_KEY_INFO; var pcbInfo: DWORD): BOOL; stdcall;
{$EXTERNALSYM CryptExportPublicKeyInfoEx}
//+-------------------------------------------------------------------------
// Convert and import the public key info into the provider and return a
// handle to the public key.
//
// Calls CryptImportPublicKeyInfoEx with aiKeyAlg = 0, dwFlags = 0 and
// pvAuxInfo = NULL.
//--------------------------------------------------------------------------
function CryptImportPublicKeyInfo(hCryptProv: HCRYPTPROV; dwCertEncodingType: DWORD;
pInfo: PCERT_PUBLIC_KEY_INFO; var phKey: HCRYPTKEY): BOOL; stdcall;
{$EXTERNALSYM CryptImportPublicKeyInfo}
//+-------------------------------------------------------------------------
// Convert and import the public key info into the provider and return a
// handle to the public key.
//
// Uses the dwCertEncodingType and pInfo->Algorithm.pszObjId to call the
// installable CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC. The called function
// has the same signature as CryptImportPublicKeyInfoEx.
//
// If unable to find an installable OID function for the pszObjId,
// attempts to import as a RSA Public Key (szOID_RSA_RSA).
//
// For szOID_RSA_RSA: aiKeyAlg may be set to CALG_RSA_SIGN or CALG_RSA_KEYX.
// Defaults to CALG_RSA_KEYX. The dwFlags and pvAuxInfo aren't used.
//--------------------------------------------------------------------------
const
CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC = 'CryptDllImportPublicKeyInfoEx';
{$EXTERNALSYM CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC}
function CryptImportPublicKeyInfoEx(hCryptProv: HCRYPTPROV; dwCertEncodingType: DWORD;
pInfo: PCERT_PUBLIC_KEY_INFO; aiKeyAlg: ALG_ID; dwFlags: DWORD; pvAuxInfo: Pointer;
var phKey: HCRYPTKEY): BOOL; stdcall;
{$EXTERNALSYM CryptImportPublicKeyInfoEx}
//+-------------------------------------------------------------------------
// Acquire a HCRYPTPROV handle and dwKeySpec for the specified certificate
// context. Uses the certificate's CERT_KEY_PROV_INFO_PROP_ID property.
// The returned HCRYPTPROV handle may optionally be cached using the
// certificate's CERT_KEY_CONTEXT_PROP_ID property.
//
// If CRYPT_ACQUIRE_CACHE_FLAG is set, then, if an already acquired and
// cached HCRYPTPROV exists for the certificate, its returned. Otherwise,
// a HCRYPTPROV is acquired and then cached via the certificate's
// CERT_KEY_CONTEXT_PROP_ID.
//
// The CRYPT_ACQUIRE_USE_PROV_INFO_FLAG can be set to use the dwFlags field of
// the certificate's CERT_KEY_PROV_INFO_PROP_ID property's CRYPT_KEY_PROV_INFO
// data structure to determine if the returned HCRYPTPROV should be cached.
// HCRYPTPROV caching is enabled if the CERT_SET_KEY_CONTEXT_PROP_ID flag was
// set.
//
// If CRYPT_ACQUIRE_COMPARE_KEY_FLAG is set, then,
// the public key in the certificate is compared with the public
// key returned by the cryptographic provider. If the keys don't match, the
// acquire fails and LastError is set to NTE_BAD_PUBLIC_KEY. Note, if
// a cached HCRYPTPROV is returned, the comparison isn't done. We assume the
// comparison was done on the initial acquire.
//
// *pfCallerFreeProv is returned set to FALSE for:
// - Acquire or public key comparison fails.
// - CRYPT_ACQUIRE_CACHE_FLAG is set.
// - CRYPT_ACQUIRE_USE_PROV_INFO_FLAG is set AND
// CERT_SET_KEY_CONTEXT_PROP_ID flag is set in the dwFlags field of the
// certificate's CERT_KEY_PROV_INFO_PROP_ID property's
// CRYPT_KEY_PROV_INFO data structure.
// When *pfCallerFreeProv is FALSE, the caller must not release. The
// returned HCRYPTPROV will be released on the last free of the certificate
// context.
//
// Otherwise, *pfCallerFreeProv is TRUE and the returned HCRYPTPROV must
// be released by the caller by calling CryptReleaseContext.
//--------------------------------------------------------------------------
function CryptAcquireCertificatePrivateKey(pCert: PCCERT_CONTEXT; dwFlags: DWORD;
pvReserved: Pointer; var phCryptProv: HCRYPTPROV; pdwKeySpec: LPDWORD;
pfCallerFreeProv: PBOOL): BOOL; stdcall;
{$EXTERNALSYM CryptAcquireCertificatePrivateKey}
const
CRYPT_ACQUIRE_CACHE_FLAG = $1;
{$EXTERNALSYM CRYPT_ACQUIRE_CACHE_FLAG}
CRYPT_ACQUIRE_USE_PROV_INFO_FLAG = $2;
{$EXTERNALSYM CRYPT_ACQUIRE_USE_PROV_INFO_FLAG}
CRYPT_ACQUIRE_COMPARE_KEY_FLAG = $4;
{$EXTERNALSYM CRYPT_ACQUIRE_COMPARE_KEY_FLAG}
//+-------------------------------------------------------------------------
// Enumerates the cryptographic providers and their containers to find the
// private key corresponding to the certificate's public key. For a match,
// the certificate's CERT_KEY_PROV_INFO_PROP_ID property is updated.
//
// If the CERT_KEY_PROV_INFO_PROP_ID is already set, then, its checked to
// see if it matches the provider's public key. For a match, the above
// enumeration is skipped.
//
// By default both the user and machine key containers are searched.
// The CRYPT_FIND_USER_KEYSET_FLAG or CRYPT_FIND_MACHINE_KEYSET_FLAG
// can be set in dwFlags to restrict the search to either of the containers.
//
// If a container isn't found, returns FALSE with LastError set to
// NTE_NO_KEY.
//--------------------------------------------------------------------------
function CryptFindCertificateKeyProvInfo(pCert: PCCERT_CONTEXT; dwFlags: DWORD;
pvReserved: Pointer): BOOL; stdcall;
{$EXTERNALSYM CryptFindCertificateKeyProvInfo}
const
CRYPT_FIND_USER_KEYSET_FLAG = $1;
{$EXTERNALSYM CRYPT_FIND_USER_KEYSET_FLAG}
CRYPT_FIND_MACHINE_KEYSET_FLAG = $2;
{$EXTERNALSYM CRYPT_FIND_MACHINE_KEYSET_FLAG}
//+-------------------------------------------------------------------------
// This is the prototype for the installable function which is called to
// actually import a key into a CSP. an installable of this type is called
// from CryptImportPKCS8. the algorithm OID of the private key is used
// to look up the proper installable function to call.
//
// hCryptProv - the provider to import the key to
// pPrivateKeyInfo - describes the key to be imported
// dwFlags - The available flags are:
// CRYPT_EXPORTABLE
// this flag is used when importing private keys, for a full
// explanation please see the documentation for CryptImportKey.
// pvAuxInfo - reserved for future, must be NULL
//--------------------------------------------------------------------------
type
PFN_IMPORT_PRIV_KEY_FUNC = function (hCryptProv: HCRYPTPROV;
pPrivateKeyInfo: PCRYPT_PRIVATE_KEY_INFO; dwFlags: DWORD;
pvAuxInfo: Pointer): BOOL; stdcall;
{$EXTERNALSYM PFN_IMPORT_PRIV_KEY_FUNC}
PFnImportPrivKeyFunc = PFN_IMPORT_PRIV_KEY_FUNC;
const
CRYPT_OID_IMPORT_PRIVATE_KEY_INFO_FUNC = 'CryptDllImportPrivateKeyInfoEx';
{$EXTERNALSYM CRYPT_OID_IMPORT_PRIVATE_KEY_INFO_FUNC}
//+-------------------------------------------------------------------------
// Convert (from PKCS8 format) and import the private key into a provider
// and return a handle to the provider as well as the KeySpec used to import to.
//
// This function will call the PRESOLVE_HCRYPTPROV_FUNC in the
// privateKeyAndParams to obtain a handle of provider to import the key to.
// if the PRESOLVE_HCRYPTPROV_FUNC is NULL then the default provider will be used.
//
// privateKeyAndParams - private key blob and corresponding parameters
// dwFlags - The available flags are:
// CRYPT_EXPORTABLE
// this flag is used when importing private keys, for a full
// explanation please see the documentation for CryptImportKey.
// phCryptProv - filled in with the handle of the provider the key was
// imported to, the caller is responsible for freeing it
// pvAuxInfo - This parameter is reserved for future use and should be set
// to NULL in the interim.
//--------------------------------------------------------------------------
function CryptImportPKCS8(sImportParams: CRYPT_PKCS8_IMPORT_PARAMS; dwFlags: DWORD;
phCryptProv: PHCRYPTPROV; pvAuxInfo: Pointer): BOOL; stdcall;
{$EXTERNALSYM CryptImportPKCS8}
//+-------------------------------------------------------------------------
// this is the prototype for installable functions for exporting the private key
//--------------------------------------------------------------------------
type
PFN_EXPORT_PRIV_KEY_FUNC = function (hCryptProv: HCRYPTPROV; dwKeySpec: DWORD;
pszPrivateKeyObjId: LPSTR; dwFlags: DWORD; pvAuxInfo: Pointer;
var pPrivateKeyInfo: CRYPT_PRIVATE_KEY_INFO; var pcbPrivateKeyBlob: DWORD): BOOL; stdcall;
{$EXTERNALSYM PFN_EXPORT_PRIV_KEY_FUNC}
PfnExportPrivKeyFunc = PFN_EXPORT_PRIV_KEY_FUNC;
const
CRYPT_OID_EXPORT_PRIVATE_KEY_INFO_FUNC = 'CryptDllExportPrivateKeyInfoEx';
{$EXTERNALSYM CRYPT_OID_EXPORT_PRIVATE_KEY_INFO_FUNC}
CRYPT_DELETE_KEYSET = $0001;
{$EXTERNALSYM CRYPT_DELETE_KEYSET}
//+-------------------------------------------------------------------------
// CryptExportPKCS8 -- superseded by CryptExportPKCS8Ex
//
// Export the private key in PKCS8 format
//--------------------------------------------------------------------------
function CryptExportPKCS8(hCryptProv: HCRYPTPROV; dwKeySpec: DWORD;
pszPrivateKeyObjId: LPSTR; dwFlags: DWORD; pvAuxInfo: Pointer;
pbPrivateKeyBlob: LPBYTE; var pcbPrivateKeyBlob: DWORD): BOOL; stdcall;
{$EXTERNALSYM CryptExportPKCS8}
//+-------------------------------------------------------------------------
// CryptExportPKCS8Ex
//
// Export the private key in PKCS8 format
//
//
// Uses the pszPrivateKeyObjId to call the
// installable CRYPT_OID_EXPORT_PRIVATE_KEY_INFO_FUNC. The called function
// has the signature defined by PFN_EXPORT_PRIV_KEY_FUNC.
//
// If unable to find an installable OID function for the pszPrivateKeyObjId,
// attempts to export as a RSA Private Key (szOID_RSA_RSA).
//
// psExportParams - specifies information about the key to export
// dwFlags - The flag values. None currently supported
// pvAuxInfo - This parameter is reserved for future use and should be set to
// NULL in the interim.
// pbPrivateKeyBlob - A pointer to the private key blob. It will be encoded
// as a PKCS8 PrivateKeyInfo.
// pcbPrivateKeyBlob - A pointer to a DWORD that contains the size, in bytes,
// of the private key blob being exported.
//+-------------------------------------------------------------------------
function CryptExportPKCS8Ex(psExportParams: PCRYPT_PKCS8_EXPORT_PARAMS;
dwFlags: DWORD; pvAuxInfo: Pointer; pbPrivateKeyBlob: LPBYTE;
var pcbPrivateKeyBlob: DWORD): BOOL; stdcall;
{$EXTERNALSYM CryptExportPKCS8Ex}
//+-------------------------------------------------------------------------
// Compute the hash of the encoded public key info.
//
// The public key info is encoded and then hashed.
//--------------------------------------------------------------------------
function CryptHashPublicKeyInfo(hCryptProv: HCRYPTPROV; Algid: ALG_ID;
dwFlags: DWORD; dwCertEncodingType: DWORD; pInfo: PCERT_PUBLIC_KEY_INFO;
pbComputedHash: LPBYTE; var pcbComputedHash: DWORD): BOOL; stdcall;
{$EXTERNALSYM CryptHashPublicKeyInfo}
//+-------------------------------------------------------------------------
// Convert a Name Value to a null terminated char string
//
// Returns the number of characters converted including the terminating null
// character. If psz is NULL or csz is 0, returns the required size of the
// destination string (including the terminating null char).
//
// If psz != NULL && csz != 0, returned psz is always NULL terminated.
//
// Note: csz includes the NULL char.
//--------------------------------------------------------------------------
function CertRDNValueToStrA(dwValueType: DWORD; pValue: PCERT_RDN_VALUE_BLOB;
psz: LPSTR; csz: DWORD): DWORD; stdcall;
{$EXTERNALSYM CertRDNValueToStrA}
//+-------------------------------------------------------------------------
// Convert a Name Value to a null terminated char string
//
// Returns the number of characters converted including the terminating null
// character. If psz is NULL or csz is 0, returns the required size of the
// destination string (including the terminating null char).
//
// If psz != NULL && csz != 0, returned psz is always NULL terminated.
//
// Note: csz includes the NULL char.
//--------------------------------------------------------------------------
function CertRDNValueToStrW(dwValueType: DWORD; pValue: PCERT_RDN_VALUE_BLOB;
psz: LPWSTR; csz: DWORD): DWORD; stdcall;
{$EXTERNALSYM CertRDNValueToStrW}
{$IFDEF UNICODE}
function CertRDNValueToStr(dwValueType: DWORD; pValue: PCERT_RDN_VALUE_BLOB;
psz: LPWSTR; csz: DWORD): DWORD; stdcall;
{$EXTERNALSYM CertRDNValueToStr}
{$ELSE}
function CertRDNValueToStr(dwValueType: DWORD; pValue: PCERT_RDN_VALUE_BLOB;
psz: LPSTR; csz: DWORD): DWORD; stdcall;
{$EXTERNALSYM CertRDNValueToStr}
{$ENDIF}
//+-------------------------------------------------------------------------
// Convert the certificate name blob to a null terminated char string.
//
// Follows the string representation of distinguished names specified in
// RFC 1779. (Note, added double quoting "" for embedded quotes, quote
// empty strings and don't quote strings containing consecutive spaces).
// RDN values of type CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING are
// formatted in hexadecimal (e.g. #0A56CF).
//
// The name string is formatted according to the dwStrType:
// CERT_SIMPLE_NAME_STR
// The object identifiers are discarded. CERT_RDN entries are separated
// by ", ". Multiple attributes per CERT_RDN are separated by " + ".
// For example:
// Microsoft, Joe Cool + Programmer
// CERT_OID_NAME_STR
// The object identifiers are included with a "=" separator from their
// attribute value. CERT_RDN entries are separated by ", ".
// Multiple attributes per CERT_RDN are separated by " + ". For example:
// 2.5.4.11=Microsoft, 2.5.4.3=Joe Cool + 2.5.4.12=Programmer
// CERT_X500_NAME_STR
// The object identifiers are converted to their X500 key name. Otherwise,
// same as CERT_OID_NAME_STR. If the object identifier doesn't have
// a corresponding X500 key name, then, the object identifier is used with
// a "OID." prefix. For example:
// OU=Microsoft, CN=Joe Cool + T=Programmer, OID.1.2.3.4.5.6=Unknown
//
// We quote the RDN value if it contains leading or trailing whitespace
// or one of the following characters: ",", "+", "=", """, "n", "<", ">",
// "#" or ";". The quoting character is ". If the the RDN Value contains
// a " it is double quoted (""). For example:
// OU=" Microsoft", CN="Joe ""Cool""" + T="Programmer, Manager"
//
// CERT_NAME_STR_SEMICOLON_FLAG can be or'ed into dwStrType to replace
// the ", " separator with a "; " separator.
//
// CERT_NAME_STR_CRLF_FLAG can be or'ed into dwStrType to replace
// the ", " separator with a "rn" separator.
//
// CERT_NAME_STR_NO_PLUS_FLAG can be or'ed into dwStrType to replace the
// " + " separator with a single space, " ".
//
// CERT_NAME_STR_NO_QUOTING_FLAG can be or'ed into dwStrType to inhibit
// the above quoting.
//
// CERT_NAME_STR_REVERSE_FLAG can be or'ed into dwStrType to reverse the
// order of the RDNs before converting to the string.
//
// By default, CERT_RDN_T61_STRING encoded values are initially decoded
// as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
// CERT_NAME_STR_DISABLE_IE4_UTF8_FLAG can be or'ed into dwStrType to
// skip the initial attempt to decode as UTF8.
//
// Returns the number of characters converted including the terminating null
// character. If psz is NULL or csz is 0, returns the required size of the
// destination string (including the terminating null char).
//
// If psz != NULL && csz != 0, returned psz is always NULL terminated.
//
// Note: csz includes the NULL char.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
function CertNameToStrA(dwCertEncodingType: DWORD; pName: PCERT_NAME_BLOB;
dwStrType: DWORD; psz: LPSTR; csz: DWORD): DWORD; stdcall;
{$EXTERNALSYM CertNameToStrA}
//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
function CertNameToStrW(dwCertEncodingType: DWORD; pName: PCERT_NAME_BLOB;
dwStrType: DWORD; psz: LPWSTR; csz: DWORD): DWORD; stdcall;
{$EXTERNALSYM CertNameToStrW}
{$IFDEF UNICODE}
function CertNameToStr(dwCertEncodingType: DWORD; pName: PCERT_NAME_BLOB;
dwStrType: DWORD; psz: LPWSTR; csz: DWORD): DWORD; stdcall;
{$EXTERNALSYM CertNameToStr}
{$ELSE}
function CertNameToStr(dwCertEncodingType: DWORD; pName: PCERT_NAME_BLOB;
dwStrType: DWORD; psz: LPSTR; csz: DWORD): DWORD; stdcall;
{$EXTERNALSYM CertNameToStr}
{$ENDIF}
//+-------------------------------------------------------------------------
// Certificate name string types
//--------------------------------------------------------------------------
const
CERT_SIMPLE_NAME_STR = 1;
{$EXTERNALSYM CERT_SIMPLE_NAME_STR}
CERT_OID_NAME_STR = 2;
{$EXTERNALSYM CERT_OID_NAME_STR}
CERT_X500_NAME_STR = 3;
{$EXTERNALSYM CERT_X500_NAME_STR}
//+-------------------------------------------------------------------------
// Certificate name string type flags OR'ed with the above types
//--------------------------------------------------------------------------
CERT_NAME_STR_SEMICOLON_FLAG = $40000000;
{$EXTERNALSYM CERT_NAME_STR_SEMICOLON_FLAG}
CERT_NAME_STR_NO_PLUS_FLAG = $20000000;
{$EXTERNALSYM CERT_NAME_STR_NO_PLUS_FLAG}
CERT_NAME_STR_NO_QUOTING_FLAG = $10000000;
{$EXTERNALSYM CERT_NAME_STR_NO_QUOTING_FLAG}
CERT_NAME_STR_CRLF_FLAG = $08000000;
{$EXTERNALSYM CERT_NAME_STR_CRLF_FLAG}
CERT_NAME_STR_COMMA_FLAG = $04000000;
{$EXTERNALSYM CERT_NAME_STR_COMMA_FLAG}
CERT_NAME_STR_REVERSE_FLAG = $02000000;
{$EXTERNALSYM CERT_NAME_STR_REVERSE_FLAG}
CERT_NAME_STR_DISABLE_IE4_UTF8_FLAG = $00010000;
{$EXTERNALSYM CERT_NAME_STR_DISABLE_IE4_UTF8_FLAG}
CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG = $00020000;
{$EXTERNALSYM CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG}
CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG = $00040000;
{$EXTERNALSYM CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG}
//+-------------------------------------------------------------------------
// Convert the null terminated X500 string to an encoded certificate name.
//
// The input string is expected to be formatted the same as the output
// from the above CertNameToStr API.
//
// The CERT_SIMPLE_NAME_STR type isn't supported. Otherwise, when dwStrType
// is set to 0, CERT_OID_NAME_STR or CERT_X500_NAME_STR, allow either a
// case insensitive X500 key (CN=), case insensitive "OID." prefixed
// object identifier (OID.1.2.3.4.5.6=) or an object identifier (1.2.3.4=).
//
// If no flags are OR'ed into dwStrType, then, allow "," or ";" as RDN
// separators and "+" as the multiple RDN value separator. Quoting is
// supported. A quote may be included in a quoted value by double quoting,
// for example (CN="Joe ""Cool"""). A value starting with a "#" is treated
// as ascii hex and converted to a CERT_RDN_OCTET_STRING. Embedded whitespace
// is skipped (1.2.3 = # AB CD 01 is the same as 1.2.3=#ABCD01).
//
// Whitespace surrounding the keys, object identifers and values is removed.
//
// CERT_NAME_STR_COMMA_FLAG can be or'ed into dwStrType to only allow the
// "," as the RDN separator.
//
// CERT_NAME_STR_SEMICOLON_FLAG can be or'ed into dwStrType to only allow the
// ";" as the RDN separator.
//
// CERT_NAME_STR_CRLF_FLAG can be or'ed into dwStrType to only allow
// "r" or "n" as the RDN separator.
//
// CERT_NAME_STR_NO_PLUS_FLAG can be or'ed into dwStrType to ignore "+"
// as a separator and not allow multiple values per RDN.
//
// CERT_NAME_STR_NO_QUOTING_FLAG can be or'ed into dwStrType to inhibit
// quoting.
//
// CERT_NAME_STR_REVERSE_FLAG can be or'ed into dwStrType to reverse the
// order of the RDNs after converting from the string and before encoding.
//
// CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG can be or'ed into dwStrType to
// to select the CERT_RDN_T61_STRING encoded value type instead of
// CERT_RDN_UNICODE_STRING if all the UNICODE characters are <= 0xFF.
//
// CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG can be or'ed into dwStrType to
// to select the CERT_RDN_UTF8_STRING encoded value type instead of
// CERT_RDN_UNICODE_STRING.
//
// Support the following X500 Keys:
//
// Key Object Identifier RDN Value Type(s)
// --- ----------------- -----------------
// CN szOID_COMMON_NAME Printable, Unicode
// L szOID_LOCALITY_NAME Printable, Unicode
// O szOID_ORGANIZATION_NAME Printable, Unicode
// OU szOID_ORGANIZATIONAL_UNIT_NAME Printable, Unicode
// E szOID_RSA_emailAddr Only IA5
// Email szOID_RSA_emailAddr Only IA5
// C szOID_COUNTRY_NAME Only Printable
// S szOID_STATE_OR_PROVINCE_NAME Printable, Unicode
// ST szOID_STATE_OR_PROVINCE_NAME Printable, Unicode
// STREET szOID_STREET_ADDRESS Printable, Unicode
// T szOID_TITLE Printable, Unicode
// Title szOID_TITLE Printable, Unicode
// G szOID_GIVEN_NAME Printable, Unicode
// GivenName szOID_GIVEN_NAME Printable, Unicode
// I szOID_INITIALS Printable, Unicode
// Initials szOID_INITIALS Printable, Unicode
// SN szOID_SUR_NAME Printable, Unicode
// DC szOID_DOMAIN_COMPONENT IA5, UTF8
//
// Note, T61 is selected instead of Unicode if
// CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG is set and all the unicode
// characters are <= 0xFF.
//
// Note, UTF8 is selected instead of Unicode if
// CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG is set.
//
// Returns TRUE if successfully parsed the input string and encoded
// the name.
//
// If the input string is detected to be invalid, *ppszError is updated
// to point to the beginning of the invalid character sequence. Otherwise,
// *ppszError is set to NULL. *ppszError is updated with a non-NULL pointer
// for the following errors:
// CRYPT_E_INVALID_X500_STRING
// CRYPT_E_INVALID_NUMERIC_STRING
// CRYPT_E_INVALID_PRINTABLE_STRING
// CRYPT_E_INVALID_IA5_STRING
//
// ppszError can be set to NULL if not interested in getting a pointer
// to the invalid character sequence.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
function CertStrToNameA(dwCertEncodingType: DWORD; pszX500: LPCSTR;
dwStrType: DWORD; pvReserved: Pointer; pbEncoded: LPBYTE; var pcbEncoded: DWORD;
ppszError: LPLPCSTR): BOOL; stdcall;
{$EXTERNALSYM CertStrToNameA}
function CertStrToNameW(dwCertEncodingType: DWORD; pszX500: LPCWSTR;
dwStrType: DWORD; pvReserved: Pointer; pbEncoded: LPBYTE; var pcbEncoded: DWORD;
ppszError: LPLPCWSTR): BOOL; stdcall;
{$EXTERNALSYM CertStrToNameW}
{$IFDEF UNICODE}
function CertStrToName(dwCertEncodingType: DWORD; pszX500: LPCWSTR;
dwStrType: DWORD; pvReserved: Pointer; pbEncoded: LPBYTE; var pcbEncoded: DWORD;
ppszError: LPLPCWSTR): BOOL; stdcall;
{$EXTERNALSYM CertStrToName}
{$ELSE}
function CertStrToName(dwCertEncodingType: DWORD; pszX500: LPCSTR;
dwStrType: DWORD; pvReserved: Pointer; pbEncoded: LPBYTE; var pcbEncoded: DWORD;
ppszError: LPLPCSTR): BOOL; stdcall;
{$EXTERNALSYM CertStrToName}
{$ENDIF}
//+-------------------------------------------------------------------------
// Get the subject or issuer name from the certificate and
// according to the specified format type, convert to a null terminated
// character string.
//
// CERT_NAME_ISSUER_FLAG can be set to get the issuer's name. Otherwise,
// gets the subject's name.
//
// By default, CERT_RDN_T61_STRING encoded values are initially decoded
// as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
// CERT_NAME_DISABLE_IE4_UTF8_FLAG can be set in dwFlags to
// skip the initial attempt to decode as UTF8.
//
// The name string is formatted according to the dwType:
// CERT_NAME_EMAIL_TYPE
// If the certificate has a Subject Alternative Name extension (for
// issuer, Issuer Alternative Name), searches for first rfc822Name choice.
// If the rfc822Name choice isn't found in the extension, searches the
// Subject Name field for the Email OID, "1.2.840.113549.1.9.1".
// If the rfc822Name or Email OID is found, returns the string. Otherwise,
// returns an empty string (returned character count is 1).
// CERT_NAME_RDN_TYPE
// Converts the Subject Name blob by calling CertNameToStr. pvTypePara
// points to a DWORD containing the dwStrType passed to CertNameToStr.
// If the Subject Name field is empty and the certificate has a
// Subject Alternative Name extension, searches for and converts
// the first directoryName choice.
// CERT_NAME_ATTR_TYPE
// pvTypePara points to the Object Identifier specifying the name attribute
// to be returned. For example, to get the CN,
// pvTypePara = szOID_COMMON_NAME ("2.5.4.3"). Searches, the Subject Name
// field for the attribute.
// If the Subject Name field is empty and the certificate has a
// Subject Alternative Name extension, checks for
// the first directoryName choice and searches it.
//
// Note, searches the RDNs in reverse order.
//
// CERT_NAME_SIMPLE_DISPLAY_TYPE
// Iterates through the following list of name attributes and searches
// the Subject Name and then the Subject Alternative Name extension
// for the first occurrence of:
// szOID_COMMON_NAME ("2.5.4.3")
// szOID_ORGANIZATIONAL_UNIT_NAME ("2.5.4.11")
// szOID_ORGANIZATION_NAME ("2.5.4.10")
// szOID_RSA_emailAddr ("1.2.840.113549.1.9.1")
//
// If none of the above attributes is found, then, searches the
// Subject Alternative Name extension for a rfc822Name choice.
//
// If still no match, then, returns the first attribute.
//
// Note, like CERT_NAME_ATTR_TYPE, searches the RDNs in reverse order.
//
// CERT_NAME_FRIENDLY_DISPLAY_TYPE
// First checks if the certificate has a CERT_FRIENDLY_NAME_PROP_ID
// property. If it does, then, this property is returned. Otherwise,
// returns the above CERT_NAME_SIMPLE_DISPLAY_TYPE.
//
// Returns the number of characters converted including the terminating null
// character. If pwszNameString is NULL or cchNameString is 0, returns the
// required size of the destination string (including the terminating null
// char). If the specified name type isn't found. returns an empty string
// with a returned character count of 1.
//
// If pwszNameString != NULL && cwszNameString != 0, returned pwszNameString
// is always NULL terminated.
//
// Note: cchNameString includes the NULL char.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
function CertGetNameStringA(pCertContext: PCCERT_CONTEXT; dwType, dwFlags: DWORD;
pvTypePara: Pointer; pszNameString: LPSTR; cchNameString: DWORD): DWORD; stdcall;
{$EXTERNALSYM CertGetNameStringA}
function CertGetNameStringW(pCertContext: PCCERT_CONTEXT; dwType, dwFlags: DWORD;
pvTypePara: Pointer; pszNameString: LPWSTR; cchNameString: DWORD): DWORD; stdcall;
{$EXTERNALSYM CertGetNameStringW}
{$IFDEF UNICODE}
function CertGetNameString(pCertContext: PCCERT_CONTEXT; dwType, dwFlags: DWORD;
pvTypePara: Pointer; pszNameString: LPWSTR; cchNameString: DWORD): DWORD; stdcall;
{$EXTERNALSYM CertGetNameString}
{$ELSE}
function CertGetNameString(pCertContext: PCCERT_CONTEXT; dwType, dwFlags: DWORD;
pvTypePara: Pointer; pszNameString: LPSTR; cchNameString: DWORD): DWORD; stdcall;
{$EXTERNALSYM CertGetNameString}
{$ENDIF}
//+-------------------------------------------------------------------------
// Certificate name types
//--------------------------------------------------------------------------
const
CERT_NAME_EMAIL_TYPE = 1;
{$EXTERNALSYM CERT_NAME_EMAIL_TYPE}
CERT_NAME_RDN_TYPE = 2;
{$EXTERNALSYM CERT_NAME_RDN_TYPE}
CERT_NAME_ATTR_TYPE = 3;
{$EXTERNALSYM CERT_NAME_ATTR_TYPE}
CERT_NAME_SIMPLE_DISPLAY_TYPE = 4;
{$EXTERNALSYM CERT_NAME_SIMPLE_DISPLAY_TYPE}
CERT_NAME_FRIENDLY_DISPLAY_TYPE = 5;
{$EXTERNALSYM CERT_NAME_FRIENDLY_DISPLAY_TYPE}
//+-------------------------------------------------------------------------
// Certificate name flags
//--------------------------------------------------------------------------
CERT_NAME_ISSUER_FLAG = $1;
{$EXTERNALSYM CERT_NAME_ISSUER_FLAG}
CERT_NAME_DISABLE_IE4_UTF8_FLAG = $00010000;
{$EXTERNALSYM CERT_NAME_DISABLE_IE4_UTF8_FLAG}
//+=========================================================================
// Simplified Cryptographic Message Data Structures and APIs
//==========================================================================
//+-------------------------------------------------------------------------
// Conventions for the *pb and *pcb output parameters:
//
// Upon entry to the function:
// if pcb is OPTIONAL && pcb == NULL, then,
// No output is returned
// else if pb == NULL && pcb != NULL, then,
// Length only determination. No length error is
// returned.
// otherwise where (pb != NULL && pcb != NULL && *pcb != 0)
// Output is returned. If *pcb isn't big enough a
// length error is returned. In all cases *pcb is updated
// with the actual length needed/returned.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Type definitions of the parameters used for doing the cryptographic
// operations.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Callback to get and verify the signer's certificate.
//
// Passed the CertId of the signer (its Issuer and SerialNumber) and a
// handle to its cryptographic signed message's cert store.
//
// For CRYPT_E_NO_SIGNER, called with pSignerId == NULL.
//
// For a valid signer certificate, returns a pointer to a read only
// CERT_CONTEXT. The returned CERT_CONTEXT is either obtained from a
// cert store or was created via CertCreateCertificateContext. For either case,
// its freed via CertFreeCertificateContext.
//
// If a valid certificate isn't found, this callback returns NULL with
// LastError set via SetLastError().
//
// The NULL implementation tries to get the Signer certificate from the
// message cert store. It doesn't verify the certificate.
//
// Note, if the KEYID choice was selected for a CMS SignerId, then, the
// SerialNumber is 0 and the Issuer is encoded containing a single RDN with a
// single Attribute whose OID is szOID_KEYID_RDN, value type is
// CERT_RDN_OCTET_STRING and value is the KEYID. When the
// CertGetSubjectCertificateFromStore and
// CertFindCertificateInStore(CERT_FIND_SUBJECT_CERT) APIs see this
// special KEYID Issuer and SerialNumber, they do a KEYID match.
//--------------------------------------------------------------------------
type
PFN_CRYPT_GET_SIGNER_CERTIFICATE = function (pvGetArg: Pointer;
dwCertEncodingType: DWORD; pSignerId: PCERT_INFO;
hMsgCertStore: HCERTSTORE): PCCERT_CONTEXT; stdcall;
{$EXTERNALSYM PFN_CRYPT_GET_SIGNER_CERTIFICATE}
PfnCryptGetSignerCertificate = PFN_CRYPT_GET_SIGNER_CERTIFICATE;
//+-------------------------------------------------------------------------
// The CRYPT_SIGN_MESSAGE_PARA are used for signing messages using the
// specified signing certificate context.
//
// Either the CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID must
// be set for each rgpSigningCert[]. Either one specifies the private
// signature key to use.
//
// If any certificates and/or CRLs are to be included in the signed message,
// then, the MsgCert and MsgCrl parameters need to be updated. If the
// rgpSigningCerts are to be included, then, they must also be in the
// rgpMsgCert array.
//
// cbSize must be set to the sizeof(CRYPT_SIGN_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//
// pvHashAuxInfo currently isn't used and must be set to NULL.
//
// dwFlags normally is set to 0. However, if the encoded output
// is to be a CMSG_SIGNED inner content of an outer cryptographic message,
// such as a CMSG_ENVELOPED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
// should be set. If not set, then it would be encoded as an inner content
// type of CMSG_DATA.
//
// dwInnerContentType is normally set to 0. It needs to be set if the
// ToBeSigned input is the encoded output of another cryptographic
// message, such as, an CMSG_ENVELOPED. When set, it's one of the cryptographic
// message types, for example, CMSG_ENVELOPED.
//
// If the inner content of a nested cryptographic message is data (CMSG_DATA
// the default), then, neither dwFlags or dwInnerContentType need to be set.
//
// For CMS messages, CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG may be
// set to encapsulate nonData inner content within an OCTET STRING.
//
// For CMS messages, CRYPT_MESSAGE_KEYID_SIGNER_FLAG may be set to identify
// signers by their Key Identifier and not their Issuer and Serial Number.
//
// If HashEncryptionAlgorithm is present and not NULL its used instead of
// the SigningCert's PublicKeyInfo.Algorithm.
//
// Note, for RSA, the hash encryption algorithm is normally the same as
// the public key algorithm. For DSA, the hash encryption algorithm is
// normally a DSS signature algorithm.
//
// pvHashEncryptionAuxInfo currently isn't used and must be set to NULL if
// present in the data structure.
//--------------------------------------------------------------------------
type
PCRYPT_SIGN_MESSAGE_PARA = ^CRYPT_SIGN_MESSAGE_PARA;
{$EXTERNALSYM PCRYPT_SIGN_MESSAGE_PARA}
_CRYPT_SIGN_MESSAGE_PARA = record
cbSize: DWORD;
dwMsgEncodingType: DWORD;
pSigningCert: PCCERT_CONTEXT;
HashAlgorithm: CRYPT_ALGORITHM_IDENTIFIER;
pvHashAuxInfo: Pointer;
cMsgCert: DWORD;
rgpMsgCert: PPCCERT_CONTEXT;
cMsgCrl: DWORD;
rgpMsgCrl: PPCCRL_CONTEXT;
cAuthAttr: DWORD;
rgAuthAttr: PCRYPT_ATTRIBUTE;
cUnauthAttr: DWORD;
rgUnauthAttr: PCRYPT_ATTRIBUTE;
dwFlags: DWORD;
dwInnerContentType: DWORD;
{$IFDEF CRYPT_SIGN_MESSAGE_PARA_HAS_CMS_FIELDS}
HashEncryptionAlgorithm: CRYPT_ALGORITHM_IDENTIFIER;
pvHashEncryptionAuxInfo: Pointer;
{$ENDIF}
end;
{$EXTERNALSYM _CRYPT_SIGN_MESSAGE_PARA}
CRYPT_SIGN_MESSAGE_PARA = _CRYPT_SIGN_MESSAGE_PARA;
{$EXTERNALSYM CRYPT_SIGN_MESSAGE_PARA}
TCryptSignMessagePara = CRYPT_SIGN_MESSAGE_PARA;
PCryptSignMessagePara = PCRYPT_SIGN_MESSAGE_PARA;
const
CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG = $1;
{$EXTERNALSYM CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG}
// When set, nonData type inner content is encapsulated within an
// OCTET STRING
CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG = $2;
{$EXTERNALSYM CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG}
// When set, signers are identified by their Key Identifier and not
// their Issuer and Serial Number.
CRYPT_MESSAGE_KEYID_SIGNER_FLAG = $4;
{$EXTERNALSYM CRYPT_MESSAGE_KEYID_SIGNER_FLAG}
//+-------------------------------------------------------------------------
// The CRYPT_VERIFY_MESSAGE_PARA are used to verify signed messages.
//
// hCryptProv is used to do hashing and signature verification.
//
// The dwCertEncodingType specifies the encoding type of the certificates
// and/or CRLs in the message.
//
// pfnGetSignerCertificate is called to get and verify the message signer's
// certificate.
//
// cbSize must be set to the sizeof(CRYPT_VERIFY_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
type
PCRYPT_VERIFY_MESSAGE_PARA = ^CRYPT_VERIFY_MESSAGE_PARA;
{$EXTERNALSYM PCRYPT_VERIFY_MESSAGE_PARA}
_CRYPT_VERIFY_MESSAGE_PARA = record
cbSize: DWORD;
dwMsgAndCertEncodingType: DWORD;
hCryptProv: HCRYPTPROV;
pfnGetSignerCertificate: PFN_CRYPT_GET_SIGNER_CERTIFICATE;
pvGetArg: Pointer;
end;
{$EXTERNALSYM _CRYPT_VERIFY_MESSAGE_PARA}
CRYPT_VERIFY_MESSAGE_PARA = _CRYPT_VERIFY_MESSAGE_PARA;
{$EXTERNALSYM CRYPT_VERIFY_MESSAGE_PARA}
TCryptVerifyMessagePara = CRYPT_VERIFY_MESSAGE_PARA;
PCryptVerifyMessagePara = PCRYPT_VERIFY_MESSAGE_PARA;
//+-------------------------------------------------------------------------
// The CRYPT_ENCRYPT_MESSAGE_PARA are used for encrypting messages.
//
// hCryptProv is used to do content encryption, recipient key
// encryption, and recipient key export. Its private key
// isn't used.
//
// Currently, pvEncryptionAuxInfo is only defined for RC2 or RC4 encryption
// algorithms. Otherwise, its not used and must be set to NULL.
// See CMSG_RC2_AUX_INFO for the RC2 encryption algorithms.
// See CMSG_RC4_AUX_INFO for the RC4 encryption algorithms.
//
// To enable SP3 compatible encryption, pvEncryptionAuxInfo should point to
// a CMSG_SP3_COMPATIBLE_AUX_INFO data structure.
//
// cbSize must be set to the sizeof(CRYPT_ENCRYPT_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//
// dwFlags normally is set to 0. However, if the encoded output
// is to be a CMSG_ENVELOPED inner content of an outer cryptographic message,
// such as a CMSG_SIGNED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
// should be set. If not set, then it would be encoded as an inner content
// type of CMSG_DATA.
//
// dwInnerContentType is normally set to 0. It needs to be set if the
// ToBeEncrypted input is the encoded output of another cryptographic
// message, such as, an CMSG_SIGNED. When set, it's one of the cryptographic
// message types, for example, CMSG_SIGNED.
//
// If the inner content of a nested cryptographic message is data (CMSG_DATA
// the default), then, neither dwFlags or dwInnerContentType need to be set.
//
// For CMS messages, CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG may be
// set to encapsulate nonData inner content within an OCTET STRING before
// encrypting.
//
// For CMS messages, CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG may be set to identify
// recipients by their Key Identifier and not their Issuer and Serial Number.
//--------------------------------------------------------------------------
type
PCRYPT_ENCRYPT_MESSAGE_PARA = ^CRYPT_ENCRYPT_MESSAGE_PARA;
{$EXTERNALSYM PCRYPT_ENCRYPT_MESSAGE_PARA}
_CRYPT_ENCRYPT_MESSAGE_PARA = record
cbSize: DWORD;
dwMsgEncodingType: DWORD;
hCryptProv: HCRYPTPROV;
ContentEncryptionAlgorithm: CRYPT_ALGORITHM_IDENTIFIER;
pvEncryptionAuxInfo: Pointer;
dwFlags: DWORD;
dwInnerContentType: DWORD;
end;
{$EXTERNALSYM _CRYPT_ENCRYPT_MESSAGE_PARA}
CRYPT_ENCRYPT_MESSAGE_PARA = _CRYPT_ENCRYPT_MESSAGE_PARA;
{$EXTERNALSYM CRYPT_ENCRYPT_MESSAGE_PARA}
TCryptEncryptMessagePara = CRYPT_ENCRYPT_MESSAGE_PARA;
PCryptEncryptMessagePara = PCRYPT_ENCRYPT_MESSAGE_PARA;
// When set, recipients are identified by their Key Identifier and not
// their Issuer and Serial Number.
const
CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG = $4;
{$EXTERNALSYM CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG}
//+-------------------------------------------------------------------------
// The CRYPT_DECRYPT_MESSAGE_PARA are used for decrypting messages.
//
// The CertContext to use for decrypting a message is obtained from one
// of the specified cert stores. An encrypted message can have one or
// more recipients. The recipients are identified by their CertId (Issuer
// and SerialNumber). The cert stores are searched to find the CertContext
// corresponding to the CertId.
//
// For CMS, the recipients may also be identified by their KeyId.
// CMS also allows Key Agreement (Diffie Hellman) in addition to
// Key Transport (RSA) recipients.
//
// Only CertContexts in the store with either
// the CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID set
// can be used. Either property specifies the private exchange key to use.
//
// cbSize must be set to the sizeof(CRYPT_DECRYPT_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
type
PCRYPT_DECRYPT_MESSAGE_PARA = ^CRYPT_DECRYPT_MESSAGE_PARA;
{$EXTERNALSYM PCRYPT_DECRYPT_MESSAGE_PARA}
_CRYPT_DECRYPT_MESSAGE_PARA = record
cbSize: DWORD;
dwMsgAndCertEncodingType: DWORD;
cCertStore: DWORD;
rghCertStore: PHCERTSTORE;
end;
{$EXTERNALSYM _CRYPT_DECRYPT_MESSAGE_PARA}
CRYPT_DECRYPT_MESSAGE_PARA = _CRYPT_DECRYPT_MESSAGE_PARA;
{$EXTERNALSYM CRYPT_DECRYPT_MESSAGE_PARA}
TCryptDecryptMessagePara = CRYPT_DECRYPT_MESSAGE_PARA;
PCryptDecryptMessagePara = PCRYPT_DECRYPT_MESSAGE_PARA;
//+-------------------------------------------------------------------------
// The CRYPT_HASH_MESSAGE_PARA are used for hashing or unhashing
// messages.
//
// hCryptProv is used to compute the hash.
//
// pvHashAuxInfo currently isn't used and must be set to NULL.
//
// cbSize must be set to the sizeof(CRYPT_HASH_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
PCRYPT_HASH_MESSAGE_PARA = ^CRYPT_HASH_MESSAGE_PARA;
{$EXTERNALSYM PCRYPT_HASH_MESSAGE_PARA}
_CRYPT_HASH_MESSAGE_PARA = record
cbSize: DWORD;
dwMsgEncodingType: DWORD;
hCryptProv: HCRYPTPROV;
HashAlgorithm: CRYPT_ALGORITHM_IDENTIFIER;
pvHashAuxInfo: Pointer;
end;
{$EXTERNALSYM _CRYPT_HASH_MESSAGE_PARA}
CRYPT_HASH_MESSAGE_PARA = _CRYPT_HASH_MESSAGE_PARA;
{$EXTERNALSYM CRYPT_HASH_MESSAGE_PARA}
TCryptHashMessagePara = CRYPT_HASH_MESSAGE_PARA;
PCryptHashMessagePara = PCRYPT_HASH_MESSAGE_PARA;
//+-------------------------------------------------------------------------
// The CRYPT_KEY_SIGN_MESSAGE_PARA are used for signing messages until a
// certificate has been created for the signature key.
//
// pvHashAuxInfo currently isn't used and must be set to NULL.
//
// If PubKeyAlgorithm isn't set, defaults to szOID_RSA_RSA.
//
// cbSize must be set to the sizeof(CRYPT_KEY_SIGN_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
PCRYPT_KEY_SIGN_MESSAGE_PARA = ^CRYPT_KEY_SIGN_MESSAGE_PARA;
{$EXTERNALSYM PCRYPT_KEY_SIGN_MESSAGE_PARA}
_CRYPT_KEY_SIGN_MESSAGE_PARA = record
cbSize: DWORD;
dwMsgAndCertEncodingType: DWORD;
hCryptProv: HCRYPTPROV;
dwKeySpec: DWORD;
HashAlgorithm: CRYPT_ALGORITHM_IDENTIFIER;
pvHashAuxInfo: Pointer;
PubKeyAlgorithm: CRYPT_ALGORITHM_IDENTIFIER;
end;
{$EXTERNALSYM _CRYPT_KEY_SIGN_MESSAGE_PARA}
CRYPT_KEY_SIGN_MESSAGE_PARA = _CRYPT_KEY_SIGN_MESSAGE_PARA;
{$EXTERNALSYM CRYPT_KEY_SIGN_MESSAGE_PARA}
TCryptKeySignMessagePara = CRYPT_KEY_SIGN_MESSAGE_PARA;
PCryptKeySignMessagePara = PCRYPT_KEY_SIGN_MESSAGE_PARA;
//+-------------------------------------------------------------------------
// The CRYPT_KEY_VERIFY_MESSAGE_PARA are used to verify signed messages without
// a certificate for the signer.
//
// Normally used until a certificate has been created for the key.
//
// hCryptProv is used to do hashing and signature verification.
//
// cbSize must be set to the sizeof(CRYPT_KEY_VERIFY_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
PCRYPT_KEY_VERIFY_MESSAGE_PARA = ^CRYPT_KEY_VERIFY_MESSAGE_PARA;
{$EXTERNALSYM PCRYPT_KEY_VERIFY_MESSAGE_PARA}
_CRYPT_KEY_VERIFY_MESSAGE_PARA = record
cbSize: DWORD;
dwMsgEncodingType: DWORD;
hCryptProv: HCRYPTPROV;
end;
{$EXTERNALSYM _CRYPT_KEY_VERIFY_MESSAGE_PARA}
CRYPT_KEY_VERIFY_MESSAGE_PARA = _CRYPT_KEY_VERIFY_MESSAGE_PARA;
{$EXTERNALSYM CRYPT_KEY_VERIFY_MESSAGE_PARA}
TCryptKeyVerifyMessagePara = CRYPT_KEY_VERIFY_MESSAGE_PARA;
PCryptKeyVerifyMessagePara = PCRYPT_KEY_VERIFY_MESSAGE_PARA;
//+-------------------------------------------------------------------------
// Sign the message.
//
// If fDetachedSignature is TRUE, the "to be signed" content isn't included
// in the encoded signed blob.
//--------------------------------------------------------------------------
function CryptSignMessage(pSignPara: PCRYPT_SIGN_MESSAGE_PARA;
fDetachedSignature: BOOL; cToBeSigned: DWORD; rgpbToBeSigned: LPBYTE;
rgcbToBeSigned: LPDWORD; pbSignedBlob: LPBYTE; var pcbSignedBlob: DWORD): BOOL; stdcall;
{$EXTERNALSYM CryptSignMessage}
//+-------------------------------------------------------------------------
// Verify a signed message.
//
// If pbDecoded == NULL, then, *pcbDecoded is implicitly set to 0 on input.
// For *pcbDecoded == 0 && ppSignerCert == NULL on input, the signer isn't
// verified.
//
// A message might have more than one signer. Set dwSignerIndex to iterate
// through all the signers. dwSignerIndex == 0 selects the first signer.
//
// pVerifyPara's pfnGetSignerCertificate is called to get the signer's
// certificate.
//
// For a verified signer and message, *ppSignerCert is updated
// with the CertContext of the signer. It must be freed by calling
// CertFreeCertificateContext. Otherwise, *ppSignerCert is set to NULL.
//
// ppSignerCert can be NULL, indicating the caller isn't interested
// in getting the CertContext of the signer.
//
// pcbDecoded can be NULL, indicating the caller isn't interested in getting
// the decoded content. Furthermore, if the message doesn't contain any
// content or signers, then, pcbDecoded must be set to NULL, to allow the
// pVerifyPara->pfnGetCertificate to be called. Normally, this would be
// the case when the signed message contains only certficates and CRLs.
// If pcbDecoded is NULL and the message doesn't have the indicated signer,
// pfnGetCertificate is called with pSignerId set to NULL.
//
// If the message doesn't contain any signers || dwSignerIndex > message's
// SignerCount, then, an error is returned with LastError set to
// CRYPT_E_NO_SIGNER. Also, for CRYPT_E_NO_SIGNER, pfnGetSignerCertificate
// is still called with pSignerId set to NULL.
//
// Note, an alternative way to get the certificates and CRLs from a
// signed message is to call CryptGetMessageCertificates.
//--------------------------------------------------------------------------
function CryptVerifyMessageSignature(pVerifyPara: PCRYPT_VERIFY_MESSAGE_PARA;
dwSignerIndex: DWORD; pbSignedBlob: LPBYTE; cbSignedBlob: DWORD;
pbDecoded: LPBYTE; pcbDecoded: LPDWORD; ppSignerCert: PPCCERT_CONTEXT): BOOL; stdcall;
{$EXTERNALSYM CryptVerifyMessageSignature}
//+-------------------------------------------------------------------------
// Returns the count of signers in the signed message. For no signers, returns
// 0. For an error returns -1 with LastError updated accordingly.
//--------------------------------------------------------------------------
function CryptGetMessageSignerCount(dwMsgEncodingType: DWORD; pbSignedBlob: LPBYTE;
cbSignedBlob: DWORD): LONG; stdcall;
{$EXTERNALSYM CryptGetMessageSignerCount}
//+-------------------------------------------------------------------------
// Returns the cert store containing the message's certs and CRLs.
// For an error, returns NULL with LastError updated.
//--------------------------------------------------------------------------
function CryptGetMessageCertificates(dwMsgAndCertEncodingType: DWORD;
hCryptProv: HCRYPTPROV; dwFlags: DWORD; pbSignedBlob: LPBYTE;
cbSignedBlob: DWORD): HCERTSTORE; stdcall;
{$EXTERNALSYM CryptGetMessageCertificates}
//+-------------------------------------------------------------------------
// Verify a signed message containing detached signature(s).
// The "to be signed" content is passed in separately. No
// decoded output. Otherwise, identical to CryptVerifyMessageSignature.
//--------------------------------------------------------------------------
function CryptVerifyDetachedMessageSignature(pVerifyPara: PCRYPT_VERIFY_MESSAGE_PARA;
dwSignerIndex: DWORD; pbDetachedSignBlob: LPBYTE; cbDetachedSignBlob: DWORD;
cToBeSigned: DWORD; rgpbToBeSigned: LPBYTE; rgcbToBeSigned: LPDWORD;
ppSignerCert: PPCCERT_CONTEXT): BOOL; stdcall;
{$EXTERNALSYM CryptVerifyDetachedMessageSignature}
//+-------------------------------------------------------------------------
// Encrypts the message for the recipient(s).
//--------------------------------------------------------------------------
function CryptEncryptMessage(pEncryptPara: PCRYPT_ENCRYPT_MESSAGE_PARA;
cRecipientCert: DWORD; rgpRecipientCert: PCCERT_CONTEXT; pbToBeEncrypted: LPBYTE;
cbToBeEncrypted: DWORD; pbEncryptedBlob: LPBYTE; var pcbEncryptedBlob: DWORD): BOOL; stdcall;
{$EXTERNALSYM CryptEncryptMessage}
//+-------------------------------------------------------------------------
// Decrypts the message.
//
// If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
// For *pcbDecrypted == 0 && ppXchgCert == NULL on input, the message isn't
// decrypted.
//
// For a successfully decrypted message, *ppXchgCert is updated
// with the CertContext used to decrypt. It must be freed by calling
// CertStoreFreeCert. Otherwise, *ppXchgCert is set to NULL.
//
// ppXchgCert can be NULL, indicating the caller isn't interested
// in getting the CertContext used to decrypt.
//--------------------------------------------------------------------------
function CryptDecryptMessage(pDecryptPara: PCRYPT_DECRYPT_MESSAGE_PARA;
pbEncryptedBlob: LPBYTE; cbEncryptedBlob: DWORD; pbDecrypted: LPBYTE;
pcbDecrypted: LPDWORD; ppXchgCert: PPCCERT_CONTEXT): BOOL; stdcall;
{$EXTERNALSYM CryptDecryptMessage}
//+-------------------------------------------------------------------------
// Sign the message and encrypt for the recipient(s). Does a CryptSignMessage
// followed with a CryptEncryptMessage.
//
// Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. Its a CMSG_SIGNED
// inside of an CMSG_ENVELOPED.
//--------------------------------------------------------------------------
function CryptSignAndEncryptMessage(pSignPara: PCRYPT_SIGN_MESSAGE_PARA;
pEncryptPara: PCRYPT_ENCRYPT_MESSAGE_PARA; cRecipientCert: DWORD;
rgpRecipientCert: PCCERT_CONTEXT; pbToBeSignedAndEncrypted: LPBYTE;
cbToBeSignedAndEncrypted: DWORD; pbSignedAndEncryptedBlob: LPBYTE;
var pcbSignedAndEncryptedBlob: DWORD): BOOL; stdcall;
{$EXTERNALSYM CryptSignAndEncryptMessage}
//+-------------------------------------------------------------------------
// Decrypts the message and verifies the signer. Does a CryptDecryptMessage
// followed with a CryptVerifyMessageSignature.
//
// If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
// For *pcbDecrypted == 0 && ppSignerCert == NULL on input, the signer isn't
// verified.
//
// A message might have more than one signer. Set dwSignerIndex to iterate
// through all the signers. dwSignerIndex == 0 selects the first signer.
//
// The pVerifyPara's VerifySignerPolicy is called to verify the signer's
// certificate.
//
// For a successfully decrypted and verified message, *ppXchgCert and
// *ppSignerCert are updated. They must be freed by calling
// CertStoreFreeCert. Otherwise, they are set to NULL.
//
// ppXchgCert and/or ppSignerCert can be NULL, indicating the
// caller isn't interested in getting the CertContext.
//
// Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. Its a CMSG_SIGNED
// inside of an CMSG_ENVELOPED.
//
// The message always needs to be decrypted to allow access to the
// signed message. Therefore, if ppXchgCert != NULL, its always updated.
//--------------------------------------------------------------------------
function CryptDecryptAndVerifyMessageSignature(pDecryptPara: PCRYPT_DECRYPT_MESSAGE_PARA;
pVerifyPara: PCRYPT_VERIFY_MESSAGE_PARA; dwSignerIndex: DWORD; pbEncryptedBlob: LPBYTE;
cbEncryptedBlob: DWORD; pbDecrypted: LPBYTE; pcbDecrypted: LPDWORD;
ppXchgCert: PPCCERT_CONTEXT; ppSignerCert: PPCCERT_CONTEXT): BOOL; stdcall;
{$EXTERNALSYM CryptDecryptAndVerifyMessageSignature}
//+-------------------------------------------------------------------------
// Decodes a cryptographic message which may be one of the following types:
// CMSG_DATA
// CMSG_SIGNED
// CMSG_ENVELOPED
// CMSG_SIGNED_AND_ENVELOPED
// CMSG_HASHED
//
// dwMsgTypeFlags specifies the set of allowable messages. For example, to
// decode either SIGNED or ENVELOPED messages, set dwMsgTypeFlags to:
// CMSG_SIGNED_FLAG | CMSG_ENVELOPED_FLAG.
//
// dwProvInnerContentType is only applicable when processing nested
// crytographic messages. When processing an outer crytographic message
// it must be set to 0. When decoding a nested cryptographic message
// its the dwInnerContentType returned by a previous CryptDecodeMessage
// of the outer message. The InnerContentType can be any of the CMSG types,
// for example, CMSG_DATA, CMSG_SIGNED, ...
//
// The optional *pdwMsgType is updated with the type of message.
//
// The optional *pdwInnerContentType is updated with the type of the inner
// message. Unless there is cryptographic message nesting, CMSG_DATA
// is returned.
//
// For CMSG_DATA: returns decoded content.
// For CMSG_SIGNED: same as CryptVerifyMessageSignature.
// For CMSG_ENVELOPED: same as CryptDecryptMessage.
// For CMSG_SIGNED_AND_ENVELOPED: same as CryptDecryptMessage plus
// CryptVerifyMessageSignature.
// For CMSG_HASHED: verifies the hash and returns decoded content.
//--------------------------------------------------------------------------
function CryptDecodeMessage(dwMsgTypeFlags: DWORD; pDecryptPara: PCRYPT_DECRYPT_MESSAGE_PARA;
pVerifyPara: PCRYPT_VERIFY_MESSAGE_PARA; dwSignerIndex: DWORD; pbEncodedBlob: LPBYTE;
cbEncodedBlob: DWORD; dwPrevInnerContentType: DWORD; pdwMsgType: LPDWORD;
pdwInnerContentType: LPDWORD; pbDecoded: LPBYTE; pcbDecoded: LPDWORD;
ppXchgCert: PPCCERT_CONTEXT; ppSignerCert: PPCCERT_CONTEXT): BOOL; stdcall;
{$EXTERNALSYM CryptDecodeMessage}
//+-------------------------------------------------------------------------
// Hash the message.
//
// If fDetachedHash is TRUE, only the ComputedHash is encoded in the
// pbHashedBlob. Otherwise, both the ToBeHashed and ComputedHash
// are encoded.
//
// pcbHashedBlob or pcbComputedHash can be NULL, indicating the caller
// isn't interested in getting the output.
//--------------------------------------------------------------------------
function CryptHashMessage(pHashPara: PCRYPT_HASH_MESSAGE_PARA; fDetachedHash: BOOL;
cToBeHashed: DWORD; rgpbToBeHashed: LPBYTE; rgcbToBeHashed: LPDWORD;
pbHashedBlob: LPBYTE; pcbHashedBlob: LPDWORD; pbComputedHash: LPBYTE;
pcbComputedHash: LPDWORD): BOOL; stdcall;
{$EXTERNALSYM CryptHashMessage}
//+-------------------------------------------------------------------------
// Verify a hashed message.
//
// pcbToBeHashed or pcbComputedHash can be NULL,
// indicating the caller isn't interested in getting the output.
//--------------------------------------------------------------------------
function CryptVerifyMessageHash(pHashPara: PCRYPT_HASH_MESSAGE_PARA;
pbHashedBlob: LPBYTE; cbHashedBlob: DWORD; pbToBeHashed: LPBYTE;
pcbToBeHashed: LPDWORD; pbComputedHash: LPBYTE; pcbComputedHash: LPDWORD): BOOL; stdcall;
{$EXTERNALSYM CryptVerifyMessageHash}
//+-------------------------------------------------------------------------
// Verify a hashed message containing a detached hash.
// The "to be hashed" content is passed in separately. No
// decoded output. Otherwise, identical to CryptVerifyMessageHash.
//
// pcbComputedHash can be NULL, indicating the caller isn't interested
// in getting the output.
//--------------------------------------------------------------------------
function CryptVerifyDetachedMessageHash(pHashPara: PCRYPT_HASH_MESSAGE_PARA;
pbDetachedHashBlob: LPBYTE; cbDetachedHashBlob: DWORD; cToBeHashed: DWORD;
rgpbToBeHashed: LPBYTE; rgcbToBeHashed: LPDWORD; pbComputedHash: LPBYTE;
pcbComputedHash: LPDWORD): BOOL; stdcall;
{$EXTERNALSYM CryptVerifyDetachedMessageHash}
//+-------------------------------------------------------------------------
// Sign the message using the provider's private key specified in the
// parameters. A dummy SignerId is created and stored in the message.
//
// Normally used until a certificate has been created for the key.
//--------------------------------------------------------------------------
function CryptSignMessageWithKey(pSignPara: PCRYPT_KEY_SIGN_MESSAGE_PARA;
pbToBeSigned: LPBYTE; cbToBeSigned: DWORD; pbSignedBlob: LPBYTE;
var pcbSignedBlob: DWORD): BOOL; stdcall;
{$EXTERNALSYM CryptSignMessageWithKey}
//+-------------------------------------------------------------------------
// Verify a signed message using the specified public key info.
//
// Normally called by a CA until it has created a certificate for the
// key.
//
// pPublicKeyInfo contains the public key to use to verify the signed
// message. If NULL, the signature isn't verified (for instance, the decoded
// content may contain the PublicKeyInfo).
//
// pcbDecoded can be NULL, indicating the caller isn't interested
// in getting the decoded content.
//--------------------------------------------------------------------------
function CryptVerifyMessageSignatureWithKey(pVerifyPara: PCRYPT_KEY_VERIFY_MESSAGE_PARA;
pPublicKeyInfo: PCERT_PUBLIC_KEY_INFO; pbSignedBlob: LPBYTE; cbSignedBlob: DWORD;
pbDecoded: LPBYTE; pcbDecoded: LPDWORD): BOOL; stdcall;
{$EXTERNALSYM CryptVerifyMessageSignatureWithKey}
//+=========================================================================
// System Certificate Store Data Structures and APIs
//==========================================================================
//+-------------------------------------------------------------------------
// Get a system certificate store based on a subsystem protocol.
//
// Current examples of subsystems protocols are:
// "MY" Cert Store hold certs with associated Private Keys
// "CA" Certifying Authority certs
// "ROOT" Root Certs
// "SPC" Software publisher certs
//
//
// If hProv is NULL the default provider "1" is opened for you.
// When the store is closed the provider is release. Otherwise
// if hProv is not NULL, no provider is created or released.
//
// The returned Cert Store can be searched for an appropriate Cert
// using the Cert Store API's (see certstor.h)
//
// When done, the cert store should be closed using CertStoreClose
//--------------------------------------------------------------------------
function CertOpenSystemStoreA(hProv: HCRYPTPROV; szSubsystemProtocol: LPCSTR): HCERTSTORE; stdcall;
{$EXTERNALSYM CertOpenSystemStoreA}
function CertOpenSystemStoreW(hProv: HCRYPTPROV; szSubsystemProtocol: LPCWSTR): HCERTSTORE; stdcall;
{$EXTERNALSYM CertOpenSystemStoreW}
{$IFDEF UNICODE}
function CertOpenSystemStore(hProv: HCRYPTPROV; szSubsystemProtocol: LPCWSTR): HCERTSTORE; stdcall;
{$EXTERNALSYM CertOpenSystemStore}
{$ELSE}
function CertOpenSystemStore(hProv: HCRYPTPROV; szSubsystemProtocol: LPCSTR): HCERTSTORE; stdcall;
{$EXTERNALSYM CertOpenSystemStore}
{$ENDIF}
function CertAddEncodedCertificateToSystemStoreA(szCertStoreName: LPCSTR;
pbCertEncoded: LPBYTE; cbCertEncoded: DWORD): BOOL; stdcall;
{$EXTERNALSYM CertAddEncodedCertificateToSystemStoreA}
function CertAddEncodedCertificateToSystemStoreW(szCertStoreName: LPCWSTR;
pbCertEncoded: LPBYTE; cbCertEncoded: DWORD): BOOL; stdcall;
{$EXTERNALSYM CertAddEncodedCertificateToSystemStoreW}
{$IFDEF UNICODE}
function CertAddEncodedCertificateToSystemStore(szCertStoreName: LPCWSTR;
pbCertEncoded: LPBYTE; cbCertEncoded: DWORD): BOOL; stdcall;
{$EXTERNALSYM CertAddEncodedCertificateToSystemStore}
{$ELSE}
function CertAddEncodedCertificateToSystemStore(szCertStoreName: LPCSTR;
pbCertEncoded: LPBYTE; cbCertEncoded: DWORD): BOOL; stdcall;
{$EXTERNALSYM CertAddEncodedCertificateToSystemStore}
{$ENDIF}
//+-------------------------------------------------------------------------
// Find all certificate chains tying the given issuer name to any certificate
// that the current user has a private key for.
//
// If no certificate chain is found, FALSE is returned with LastError set
// to CRYPT_E_NOT_FOUND and the counts zeroed.
//
// IE 3.0 ASSUMPTION:
// The client certificates are in the "My" system store. The issuer
// cerificates may be in the "Root", "CA" or "My" system stores.
//--------------------------------------------------------------------------
type
PCERT_CHAIN = ^CERT_CHAIN;
{$EXTERNALSYM PCERT_CHAIN}
_CERT_CHAIN = record
cCerts: DWORD; // number of certs in chain
certs: PCERT_BLOB; // pointer to array of cert chain blobs
// representing the certs
keyLocatorInfo: CRYPT_KEY_PROV_INFO; // key locator for cert
end;
{$EXTERNALSYM _CERT_CHAIN}
CERT_CHAIN = _CERT_CHAIN;
{$EXTERNALSYM CERT_CHAIN}
TCertChain = CERT_CHAIN;
PCertChain = PCERT_CHAIN;
// WINCRYPT32API This is not exported by crypt32, it is exported by softpub
function FindCertsByIssuer(pCertChains: PCERT_CHAIN; var pcbCertChains: DWORD;
pcCertChains: LPDWORD; pbEncodedIssuerName: LPBYTE; cbEncodedIssuerName: DWORD;
pwszPurpose: LPCWSTR; dwKeySpec: DWORD): HRESULT; stdcall;
{$EXTERNALSYM FindCertsByIssuer}
//-------------------------------------------------------------------------
//
// CryptQueryObject takes a CERT_BLOB or a file name and returns the
// information about the content in the blob or in the file.
//
// Parameters:
// INPUT dwObjectType:
// Indicate the type of the object. Should be one of the
// following:
// CERT_QUERY_OBJECT_FILE
// CERT_QUERY_OBJECT_BLOB
//
// INPUT pvObject:
// If dwObjectType == CERT_QUERY_OBJECT_FILE, it is a
// LPWSTR, that is, the pointer to a wchar file name
// if dwObjectType == CERT_QUERY_OBJECT_BLOB, it is a
// PCERT_BLOB, that is, a pointer to a CERT_BLOB
//
// INPUT dwExpectedContentTypeFlags:
// Indicate the expected contenet type.
// Can be one of the following:
// CERT_QUERY_CONTENT_FLAG_ALL (the content can be any type)
// CERT_QUERY_CONTENT_FLAG_CERT
// CERT_QUERY_CONTENT_FLAG_CTL
// CERT_QUERY_CONTENT_FLAG_CRL
// CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE
// CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT
// CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL
// CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL
// CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED
// CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED
// CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED
// CERT_QUERY_CONTNET_FLAG_PKCS10
// CERT_QUERY_CONTNET_FLAG_PFX
//
// INPUT dwExpectedFormatTypeFlags:
// Indicate the expected format type.
// Can be one of the following:
// CERT_QUERY_FORMAT_FLAG_ALL (the content can be any format)
// CERT_QUERY_FORMAT_FLAG_BINARY
// CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED
//
//
// INPUT dwFlags
// Reserved flag. Should always set to 0
//
// OUTPUT pdwMsgAndCertEncodingType
// Optional output. If NULL != pdwMsgAndCertEncodingType,
// it contains the encoding type of the content as any
// combination of the following:
// X509_ASN_ENCODING
// PKCS_7_ASN_ENCODING
//
// OUTPUT pdwContentType
// Optional output. If NULL!=pdwContentType, it contains
// the content type as one of the the following:
// CERT_QUERY_CONTENT_CERT
// CERT_QUERY_CONTENT_CTL
// CERT_QUERY_CONTENT_CRL
// CERT_QUERY_CONTENT_SERIALIZED_STORE
// CERT_QUERY_CONTENT_SERIALIZED_CERT
// CERT_QUERY_CONTENT_SERIALIZED_CTL
// CERT_QUERY_CONTENT_SERIALIZED_CRL
// CERT_QUERY_CONTENT_PKCS7_SIGNED
// CERT_QUERY_CONTENT_PKCS7_UNSIGNED
// CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
// CERT_QUERY_CONTENT_PKCS10
// CERT_QUERY_CONTENT_PFX
//
// OUTPUT pdwFormatType
// Optional output. If NULL !=pdwFormatType, it
// contains the format type of the content as one of the
// following:
// CERT_QUERY_FORMAT_BINARY
// CERT_QUERY_FORMAT_BASE64_ENCODED
//
//
// OUTPUT phCertStore
// Optional output. If NULL !=phStore,
// it contains a cert store that includes all of certificates,
// CRL, and CTL in the object if the object content type is
// one of the following:
// CERT_QUERY_CONTENT_CERT
// CERT_QUERY_CONTENT_CTL
// CERT_QUERY_CONTENT_CRL
// CERT_QUERY_CONTENT_SERIALIZED_STORE
// CERT_QUERY_CONTENT_SERIALIZED_CERT
// CERT_QUERY_CONTENT_SERIALIZED_CTL
// CERT_QUERY_CONTENT_SERIALIZED_CRL
// CERT_QUERY_CONTENT_PKCS7_SIGNED
// CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
//
// Caller should free *phCertStore via CertCloseStore.
//
//
// OUTPUT phMsg Optional output. If NULL != phMsg,
// it contains a handle to a opened message if
// the content type is one of the following:
// CERT_QUERY_CONTENT_PKCS7_SIGNED
// CERT_QUERY_CONTENT_PKCS7_UNSIGNED
// CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
//
// Caller should free *phMsg via CryptMsgClose.
//
// OUTPUT pContext Optional output. If NULL != pContext,
// it contains either a PCCERT_CONTEXT or PCCRL_CONTEXT,
// or PCCTL_CONTEXT based on the content type.
//
// If the content type is CERT_QUERY_CONTENT_CERT or
// CERT_QUERY_CONTENT_SERIALIZED_CERT, it is a PCCERT_CONTEXT;
// Caller should free the pContext via CertFreeCertificateContext.
//
// If the content type is CERT_QUERY_CONTENT_CRL or
// CERT_QUERY_CONTENT_SERIALIZED_CRL, it is a PCCRL_CONTEXT;
// Caller should free the pContext via CertFreeCRLContext.
//
// If the content type is CERT_QUERY_CONTENT_CTL or
// CERT_QUERY_CONTENT_SERIALIZED_CTL, it is a PCCTL_CONTEXT;
// Caller should free the pContext via CertFreeCTLContext.
//
// If the *pbObject is of type CERT_QUERY_CONTENT_PKCS10 or CERT_QUERY_CONTENT_PFX, CryptQueryObject
// will not return anything in *phCertstore, *phMsg, or *ppvContext.
//--------------------------------------------------------------------------
function CryptQueryObject(dwObjectType: DWORD; pvObject: Pointer;
dwExpectedContentTypeFlags, dwExpectedFormatTypeFlags, dwFlags: DWORD;
pdwMsgAndCertEncodingType, pdwContentType, pdwFormatType: LPDWORD;
phCertStore: PHCERTSTORE; phMsg: PHCRYPTMSG; ppvContext: PPointer): BOOL; stdcall;
{$EXTERNALSYM CryptQueryObject}
//-------------------------------------------------------------------------
//dwObjectType for CryptQueryObject
//-------------------------------------------------------------------------
const
CERT_QUERY_OBJECT_FILE = $00000001;
{$EXTERNALSYM CERT_QUERY_OBJECT_FILE}
CERT_QUERY_OBJECT_BLOB = $00000002;
{$EXTERNALSYM CERT_QUERY_OBJECT_BLOB}
//-------------------------------------------------------------------------
//dwConentType for CryptQueryObject
//-------------------------------------------------------------------------
//encoded single certificate
CERT_QUERY_CONTENT_CERT = 1;
{$EXTERNALSYM CERT_QUERY_CONTENT_CERT}
//encoded single CTL
CERT_QUERY_CONTENT_CTL = 2;
{$EXTERNALSYM CERT_QUERY_CONTENT_CTL}
//encoded single CRL
CERT_QUERY_CONTENT_CRL = 3;
{$EXTERNALSYM CERT_QUERY_CONTENT_CRL}
//serialized store
CERT_QUERY_CONTENT_SERIALIZED_STORE = 4;
{$EXTERNALSYM CERT_QUERY_CONTENT_SERIALIZED_STORE}
//serialized single certificate
CERT_QUERY_CONTENT_SERIALIZED_CERT = 5;
{$EXTERNALSYM CERT_QUERY_CONTENT_SERIALIZED_CERT}
//serialized single CTL
CERT_QUERY_CONTENT_SERIALIZED_CTL = 6;
{$EXTERNALSYM CERT_QUERY_CONTENT_SERIALIZED_CTL}
//serialized single CRL
CERT_QUERY_CONTENT_SERIALIZED_CRL = 7;
{$EXTERNALSYM CERT_QUERY_CONTENT_SERIALIZED_CRL}
//a PKCS#7 signed message
CERT_QUERY_CONTENT_PKCS7_SIGNED = 8;
{$EXTERNALSYM CERT_QUERY_CONTENT_PKCS7_SIGNED}
//a PKCS#7 message, such as enveloped message. But it is not a signed message,
CERT_QUERY_CONTENT_PKCS7_UNSIGNED = 9;
{$EXTERNALSYM CERT_QUERY_CONTENT_PKCS7_UNSIGNED}
//a PKCS7 signed message embedded in a file
CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED = 10;
{$EXTERNALSYM CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED}
//an encoded PKCS#10
CERT_QUERY_CONTENT_PKCS10 = 11;
{$EXTERNALSYM CERT_QUERY_CONTENT_PKCS10}
//an encoded PKX BLOB
CERT_QUERY_CONTENT_PFX = 12;
{$EXTERNALSYM CERT_QUERY_CONTENT_PFX}
//-------------------------------------------------------------------------
//dwExpectedConentTypeFlags for CryptQueryObject
//-------------------------------------------------------------------------
//encoded single certificate
CERT_QUERY_CONTENT_FLAG_CERT = (1 shl CERT_QUERY_CONTENT_CERT);
{$EXTERNALSYM CERT_QUERY_CONTENT_FLAG_CERT}
//encoded single CTL
CERT_QUERY_CONTENT_FLAG_CTL = (1 shl CERT_QUERY_CONTENT_CTL);
{$EXTERNALSYM CERT_QUERY_CONTENT_FLAG_CTL}
//encoded single CRL
CERT_QUERY_CONTENT_FLAG_CRL = (1 shl CERT_QUERY_CONTENT_CRL);
{$EXTERNALSYM CERT_QUERY_CONTENT_FLAG_CRL}
//serialized store
CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE = (1 shl CERT_QUERY_CONTENT_SERIALIZED_STORE);
{$EXTERNALSYM CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE}
//serialized single certificate
CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT = (1 shl CERT_QUERY_CONTENT_SERIALIZED_CERT);
{$EXTERNALSYM CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT}
//serialized single CTL
CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL = (1 shl CERT_QUERY_CONTENT_SERIALIZED_CTL);
{$EXTERNALSYM CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL}
//serialized single CRL
CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL = (1 shl CERT_QUERY_CONTENT_SERIALIZED_CRL);
{$EXTERNALSYM CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL}
//an encoded PKCS#7 signed message
CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED = (1 shl CERT_QUERY_CONTENT_PKCS7_SIGNED);
{$EXTERNALSYM CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED}
//an encoded PKCS#7 message. But it is not a signed message
CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED = (1 shl CERT_QUERY_CONTENT_PKCS7_UNSIGNED);
{$EXTERNALSYM CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED}
//the content includes an embedded PKCS7 signed message
CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED = (1 shl CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED);
{$EXTERNALSYM CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED}
//an encoded PKCS#10
CERT_QUERY_CONTENT_FLAG_PKCS10 = (1 shl CERT_QUERY_CONTENT_PKCS10);
{$EXTERNALSYM CERT_QUERY_CONTENT_FLAG_PKCS10}
//an encoded PFX BLOB
CERT_QUERY_CONTENT_FLAG_PFX = (1 shl CERT_QUERY_CONTENT_PFX);
{$EXTERNALSYM CERT_QUERY_CONTENT_FLAG_PFX}
//content can be any type
CERT_QUERY_CONTENT_FLAG_ALL = CERT_QUERY_CONTENT_FLAG_CERT or
CERT_QUERY_CONTENT_FLAG_CTL or
CERT_QUERY_CONTENT_FLAG_CRL or
CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE or
CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT or
CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL or
CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL or
CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED or
CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED or
CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED or
CERT_QUERY_CONTENT_FLAG_PKCS10 or
CERT_QUERY_CONTENT_FLAG_PFX;
{$EXTERNALSYM CERT_QUERY_CONTENT_FLAG_ALL}
//-------------------------------------------------------------------------
//dwFormatType for CryptQueryObject
//-------------------------------------------------------------------------
//the content is in binary format
CERT_QUERY_FORMAT_BINARY = 1;
{$EXTERNALSYM CERT_QUERY_FORMAT_BINARY}
//the content is base64 encoded
CERT_QUERY_FORMAT_BASE64_ENCODED = 2;
{$EXTERNALSYM CERT_QUERY_FORMAT_BASE64_ENCODED}
//-------------------------------------------------------------------------
//dwExpectedFormatTypeFlags for CryptQueryObject
//-------------------------------------------------------------------------
//the content is in binary format
CERT_QUERY_FORMAT_FLAG_BINARY = (1 shl CERT_QUERY_FORMAT_BINARY);
{$EXTERNALSYM CERT_QUERY_FORMAT_FLAG_BINARY}
//the content is base64 encoded
CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED = (1 shl CERT_QUERY_FORMAT_BASE64_ENCODED);
{$EXTERNALSYM CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED}
//the content can be of any format
CERT_QUERY_FORMAT_FLAG_ALL = CERT_QUERY_FORMAT_FLAG_BINARY or CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED;
{$EXTERNALSYM CERT_QUERY_FORMAT_FLAG_ALL}
//
// Crypt32 Memory Management Routines. All Crypt32 API which return allocated
// buffers will do so via CryptMemAlloc, CryptMemRealloc. Clients can free
// those buffers using CryptMemFree. Also included is CryptMemSize
//
function CryptMemAlloc(cbSize: ULONG): LPVOID; stdcall;
{$EXTERNALSYM CryptMemAlloc}
function CryptMemRealloc(pv: LPVOID; cbSize: ULONG): LPVOID; stdcall;
{$EXTERNALSYM CryptMemRealloc}
procedure CryptMemFree(pv: LPVOID); stdcall;
{$EXTERNALSYM CryptMemFree}
//
// Crypt32 Asynchronous Parameter Management Routines. All Crypt32 API which
// expose asynchronous mode operation use a Crypt32 Async Handle to pass
// around information about the operation e.g. callback routines. The
// following API are used for manipulation of the async handle
//
type
HCRYPTASYNC = HANDLE;
{$EXTERNALSYM HCRYPTASYNC}
PHCRYPTASYNC = ^HCRYPTASYNC;
{$EXTERNALSYM PHCRYPTASYNC}
PFN_CRYPT_ASYNC_PARAM_FREE_FUNC = procedure (pszParamOid: LPSTR; pvParam: LPVOID); stdcall;
{$EXTERNALSYM PFN_CRYPT_ASYNC_PARAM_FREE_FUNC}
PFnCryptAsyncParamFreeFunc = PFN_CRYPT_ASYNC_PARAM_FREE_FUNC;
function CryptCreateAsyncHandle(dwFlags: DWORD; phAsync: PHCRYPTASYNC): BOOL; stdcall;
{$EXTERNALSYM CryptCreateAsyncHandle}
function CryptSetAsyncParam(hAsync: HCRYPTASYNC; pszParamOid: LPSTR;
pvParam: LPVOID; pfnFree: PFN_CRYPT_ASYNC_PARAM_FREE_FUNC): BOOL; stdcall;
{$EXTERNALSYM CryptSetAsyncParam}
function CryptGetAsyncParam(hAsync: HCRYPTASYNC; pszParamOid: LPSTR;
var ppvParam: LPVOID; var ppfnFree: PFN_CRYPT_ASYNC_PARAM_FREE_FUNC): BOOL; stdcall;
{$EXTERNALSYM CryptGetAsyncParam}
function CryptCloseAsyncHandle(hAsync: HCRYPTASYNC): BOOL; stdcall;
{$EXTERNALSYM CryptCloseAsyncHandle}
//
// Crypt32 Remote Object Retrieval Routines. This API allows retrieval of
// remote PKI objects where the location is given by an URL. The remote
// object retrieval manager exposes two provider models. One is the "Scheme
// Provider" model which allows for installable protocol providers as defined
// by the URL scheme e.g. ldap, http, ftp. The scheme provider entry point is
// the same as the CryptRetrieveObjectByUrl however the *ppvObject returned
// is ALWAYS a counted array of encoded bits (one per object retrieved). The
// second provider model is the "Context Provider" model which allows for
// installable creators of CAPI2 context handles (objects) based on the
// retrieved encoded bits. These are dispatched based on the object OID given
// in the call to CryptRetrieveObjectByUrl.
//
type
PCRYPT_BLOB_ARRAY = ^CRYPT_BLOB_ARRAY;
{$EXTERNALSYM PCRYPT_BLOB_ARRAY}
_CRYPT_BLOB_ARRAY = record
cBlob: DWORD;
rgBlob: PCRYPT_DATA_BLOB;
end;
{$EXTERNALSYM _CRYPT_BLOB_ARRAY}
CRYPT_BLOB_ARRAY = _CRYPT_BLOB_ARRAY;
{$EXTERNALSYM CRYPT_BLOB_ARRAY}
TCryptBlobArray = CRYPT_BLOB_ARRAY;
PCryptBlobArray = PCRYPT_BLOB_ARRAY;
PCRYPT_CREDENTIALS = ^CRYPT_CREDENTIALS;
{$EXTERNALSYM PCRYPT_CREDENTIALS}
_CRYPT_CREDENTIALS = record
cbSize: DWORD;
pszCredentialsOid: LPCSTR;
pvCredentials: LPVOID;
end;
{$EXTERNALSYM _CRYPT_CREDENTIALS}
CRYPT_CREDENTIALS = _CRYPT_CREDENTIALS;
{$EXTERNALSYM CRYPT_CREDENTIALS}
TCryptCredentials = CRYPT_CREDENTIALS;
PCryptCredentials = PCRYPT_CREDENTIALS;
const
CREDENTIAL_OID_PASSWORD_CREDENTIALS_A = LPCSTR(1);
{$EXTERNALSYM CREDENTIAL_OID_PASSWORD_CREDENTIALS_A}
CREDENTIAL_OID_PASSWORD_CREDENTIALS_W = LPCSTR(2);
{$EXTERNALSYM CREDENTIAL_OID_PASSWORD_CREDENTIALS_W}
{$IFDEF UNICODE}
CREDENTIAL_OID_PASSWORD_CREDENTIALS = CREDENTIAL_OID_PASSWORD_CREDENTIALS_W;
{$EXTERNALSYM CREDENTIAL_OID_PASSWORD_CREDENTIALS}
{$ELSE}
CREDENTIAL_OID_PASSWORD_CREDENTIALS = CREDENTIAL_OID_PASSWORD_CREDENTIALS_A;
{$EXTERNALSYM CREDENTIAL_OID_PASSWORD_CREDENTIALS}
{$ENDIF}
type
PCRYPT_PASSWORD_CREDENTIALSA = ^CRYPT_PASSWORD_CREDENTIALSA;
{$EXTERNALSYM PCRYPT_PASSWORD_CREDENTIALSA}
_CRYPT_PASSWORD_CREDENTIALSA = record
cbSize: DWORD;
pszUsername: LPSTR;
pszPassword: LPSTR;
end;
{$EXTERNALSYM _CRYPT_PASSWORD_CREDENTIALSA}
CRYPT_PASSWORD_CREDENTIALSA = _CRYPT_PASSWORD_CREDENTIALSA;
{$EXTERNALSYM CRYPT_PASSWORD_CREDENTIALSA}
TCryptPasswordCredentialsA = CRYPT_PASSWORD_CREDENTIALSA;
PCryptPasswordCredentialsA = PCRYPT_PASSWORD_CREDENTIALSA;
PCRYPT_PASSWORD_CREDENTIALSW = ^CRYPT_PASSWORD_CREDENTIALSW;
{$EXTERNALSYM PCRYPT_PASSWORD_CREDENTIALSW}
_CRYPT_PASSWORD_CREDENTIALSW = record
cbSize: DWORD;
pszUsername: LPWSTR;
pszPassword: LPWSTR;
end;
{$EXTERNALSYM _CRYPT_PASSWORD_CREDENTIALSW}
CRYPT_PASSWORD_CREDENTIALSW = _CRYPT_PASSWORD_CREDENTIALSW;
{$EXTERNALSYM CRYPT_PASSWORD_CREDENTIALSW}
TCryptPasswordCredentialsW = CRYPT_PASSWORD_CREDENTIALSW;
PCryptPasswordCredentialsW = PCRYPT_PASSWORD_CREDENTIALSW;
{$IFDEF UNICODE}
CRYPT_PASSWORD_CREDENTIALS = CRYPT_PASSWORD_CREDENTIALSW;
{$EXTERNALSYM CRYPT_PASSWORD_CREDENTIALS}
PCRYPT_PASSWORD_CREDENTIALS = PCRYPT_PASSWORD_CREDENTIALSW;
{$EXTERNALSYM PCRYPT_PASSWORD_CREDENTIALS}
TCryptPasswordCredentials = TCryptPasswordCredentialsW;
PCryptPasswordCredentials = PCryptPasswordCredentialsW;
{$ELSE}
CRYPT_PASSWORD_CREDENTIALS = CRYPT_PASSWORD_CREDENTIALSA;
{$EXTERNALSYM CRYPT_PASSWORD_CREDENTIALS}
PCRYPT_PASSWORD_CREDENTIALS = PCRYPT_PASSWORD_CREDENTIALSA;
{$EXTERNALSYM PCRYPT_PASSWORD_CREDENTIALS}
TCryptPasswordCredentials = TCryptPasswordCredentialsA;
PCryptPasswordCredentials = PCryptPasswordCredentialsA;
{$ENDIF}
//
// Scheme Provider Signatures
//
const
SCHEME_OID_RETRIEVE_ENCODED_OBJECT_FUNC = 'SchemeDllRetrieveEncodedObject';
{$EXTERNALSYM SCHEME_OID_RETRIEVE_ENCODED_OBJECT_FUNC}
type
PFN_FREE_ENCODED_OBJECT_FUNC = procedure (pszObjectOid: LPCSTR;
pObject: PCRYPT_BLOB_ARRAY; pvFreeContext: LPVOID); stdcall;
{$EXTERNALSYM PFN_FREE_ENCODED_OBJECT_FUNC}
PFnFreeEncodedObjectFunc = PFN_FREE_ENCODED_OBJECT_FUNC;
//
// SchemeDllRetrieveEncodedObject has the following signature:
//
// BOOL WINAPI SchemeDllRetrieveEncodedObject (
// IN LPCSTR pszUrl,
// IN LPCSTR pszObjectOid,
// IN DWORD dwRetrievalFlags,
// IN DWORD dwTimeout,
// OUT PCRYPT_BLOB_ARRAY pObject,
// OUT PFN_FREE_ENCODED_OBJECT_FUNC* ppfnFreeObject,
// OUT LPVOID* ppvFreeContext,
// IN HCRYPTASYNC hAsyncRetrieve,
// IN PCRYPT_CREDENTIALS pCredentials,
// IN LPVOID pvReserved
// )
//
//
// Context Provider Signatures
//
const
CONTEXT_OID_CREATE_OBJECT_CONTEXT_FUNC = 'ContextDllCreateObjectContext';
{$EXTERNALSYM CONTEXT_OID_CREATE_OBJECT_CONTEXT_FUNC}
CONTEXT_OID_CERTIFICATE = LPCSTR(1);
{$EXTERNALSYM CONTEXT_OID_CERTIFICATE}
CONTEXT_OID_CRL = LPCSTR(2);
{$EXTERNALSYM CONTEXT_OID_CRL}
CONTEXT_OID_CTL = LPCSTR(3);
{$EXTERNALSYM CONTEXT_OID_CTL}
CONTEXT_OID_PKCS7 = LPCSTR(4);
{$EXTERNALSYM CONTEXT_OID_PKCS7}
CONTEXT_OID_CAPI2_ANY = LPCSTR(5);
{$EXTERNALSYM CONTEXT_OID_CAPI2_ANY}
//
// ContextDllCreateObjectContext has the following signature:
//
// BOOL WINAPI ContextDllCreateObjectContext (
// IN LPCSTR pszObjectOid,
// IN DWORD dwRetrievalFlags,
// IN PCRYPT_BLOB_ARRAY pObject,
// OUT LPVOID* ppvContext
// )
//
//
// Remote Object Retrieval API
//
//
// Retrieval flags
//
CRYPT_RETRIEVE_MULTIPLE_OBJECTS = $00000001;
{$EXTERNALSYM CRYPT_RETRIEVE_MULTIPLE_OBJECTS}
CRYPT_CACHE_ONLY_RETRIEVAL = $00000002;
{$EXTERNALSYM CRYPT_CACHE_ONLY_RETRIEVAL}
CRYPT_WIRE_ONLY_RETRIEVAL = $00000004;
{$EXTERNALSYM CRYPT_WIRE_ONLY_RETRIEVAL}
CRYPT_DONT_CACHE_RESULT = $00000008;
{$EXTERNALSYM CRYPT_DONT_CACHE_RESULT}
CRYPT_ASYNC_RETRIEVAL = $00000010;
{$EXTERNALSYM CRYPT_ASYNC_RETRIEVAL}
//
// Data verification retrieval flags
//
// CRYPT_VERIFY_CONTEXT_SIGNATURE is used to get signature verification
// on the context created. In this case pszObjectOid must be non-NULL and
// pvVerify points to the signer certificate context
//
// CRYPT_VERIFY_DATA_HASH is used to get verification of the blob data
// retrieved by the protocol. The pvVerify points to an URL_DATA_HASH
// structure (TBD)
//
CRYPT_VERIFY_CONTEXT_SIGNATURE = $00000020;
{$EXTERNALSYM CRYPT_VERIFY_CONTEXT_SIGNATURE}
CRYPT_VERIFY_DATA_HASH = $00000040;
{$EXTERNALSYM CRYPT_VERIFY_DATA_HASH}
//
// Time Valid Object flags
//
CRYPT_KEEP_TIME_VALID = $00000080;
{$EXTERNALSYM CRYPT_KEEP_TIME_VALID}
CRYPT_DONT_VERIFY_SIGNATURE = $00000100;
{$EXTERNALSYM CRYPT_DONT_VERIFY_SIGNATURE}
CRYPT_DONT_CHECK_TIME_VALIDITY = $00000200;
{$EXTERNALSYM CRYPT_DONT_CHECK_TIME_VALIDITY}
function CryptRetrieveObjectByUrlA(pszUrl: LPCSTR; pszObjectOid: LPCSTR;
dwRetrievalFlags: DWORD; dwTimeout: DWORD; var ppvObject: LPVOID;
hAsyncRetrieve: HCRYPTASYNC; pCredentials: PCRYPT_CREDENTIALS;
pvVerify: LPVOID; pvReserved: LPVOID): BOOL; stdcall;
{$EXTERNALSYM CryptRetrieveObjectByUrlA}
function CryptRetrieveObjectByUrlW(pszUrl: LPCWSTR; pszObjectOid: LPCSTR;
dwRetrievalFlags: DWORD; dwTimeout: DWORD; var ppvObject: LPVOID;
hAsyncRetrieve: HCRYPTASYNC; pCredentials: PCRYPT_CREDENTIALS;
pvVerify: LPVOID; pvReserved: LPVOID): BOOL; stdcall;
{$EXTERNALSYM CryptRetrieveObjectByUrlW}
{$IFDEF UNICODE}
function CryptRetrieveObjectByUrl(pszUrl: LPCWSTR; pszObjectOid: LPCSTR;
dwRetrievalFlags: DWORD; dwTimeout: DWORD; var ppvObject: LPVOID;
hAsyncRetrieve: HCRYPTASYNC; pCredentials: PCRYPT_CREDENTIALS;
pvVerify: LPVOID; pvReserved: LPVOID): BOOL; stdcall;
{$EXTERNALSYM CryptRetrieveObjectByUrl}
{$ELSE}
function CryptRetrieveObjectByUrl(pszUrl: LPCSTR; pszObjectOid: LPCSTR;
dwRetrievalFlags: DWORD; dwTimeout: DWORD; var ppvObject: LPVOID;
hAsyncRetrieve: HCRYPTASYNC; pCredentials: PCRYPT_CREDENTIALS;
pvVerify: LPVOID; pvReserved: LPVOID): BOOL; stdcall;
{$EXTERNALSYM CryptRetrieveObjectByUrl}
{$ENDIF}
//
// Call back function to cancel object retrieval
//
// The function can be installed on a per thread basis.
// If CryptInstallCancelRetrieval is called for multiple times, only the most recent
// installation will be kept.
//
// This is only effective for http, https, gopher, and ftp protocol.
// It is ignored by the rest of the protocols.
type
PFN_CRYPT_CANCEL_RETRIEVAL = function (dwFlags: DWORD; pvArg: Pointer): BOOL; stdcall;
{$EXTERNALSYM PFN_CRYPT_CANCEL_RETRIEVAL}
PFnCryptCancelRetrieval = PFN_CRYPT_CANCEL_RETRIEVAL;
//
// PFN_CRYPT_CANCEL_RETRIEVAL
//
// This function should return FALSE when the object retrieval should be continued
// and return TRUE when the object retrieval should be cancelled.
//
function CryptInstallCancelRetrieval(pfnCancel: PFN_CRYPT_CANCEL_RETRIEVAL;
pvArg: Pointer; dwFlags: DWORD; pvReserved: Pointer): BOOL; stdcall;
{$EXTERNALSYM CryptInstallCancelRetrieval}
function CryptUninstallCancelRetrieval(dwFlags: DWORD; pvReserved: Pointer): BOOL; stdcall;
{$EXTERNALSYM CryptUninstallCancelRetrieval}
function CryptCancelAsyncRetrieval(hAsyncRetrieval: HCRYPTASYNC): BOOL; stdcall;
{$EXTERNALSYM CryptCancelAsyncRetrieval}
//
// Remote Object Async Retrieval parameters
//
//
// A client that wants to be notified of asynchronous object retrieval
// completion sets this parameter on the async handle
//
const
CRYPT_PARAM_ASYNC_RETRIEVAL_COMPLETION = LPCSTR(1);
{$EXTERNALSYM CRYPT_PARAM_ASYNC_RETRIEVAL_COMPLETION}
type
PFN_CRYPT_ASYNC_RETRIEVAL_COMPLETION_FUNC = procedure (pvCompletion: LPVOID;
dwCompletionCode: DWORD; pszUrl: LPCSTR; pszObjectOid: LPSTR; pvObject: LPVOID); stdcall;
{$EXTERNALSYM PFN_CRYPT_ASYNC_RETRIEVAL_COMPLETION_FUNC}
PFnCryptASynchRetrievalCompletionFunc = PFN_CRYPT_ASYNC_RETRIEVAL_COMPLETION_FUNC;
PCRYPT_ASYNC_RETRIEVAL_COMPLETION = ^CRYPT_ASYNC_RETRIEVAL_COMPLETION;
{$EXTERNALSYM PCRYPT_ASYNC_RETRIEVAL_COMPLETION}
_CRYPT_ASYNC_RETRIEVAL_COMPLETION = record
pfnCompletion: PFN_CRYPT_ASYNC_RETRIEVAL_COMPLETION_FUNC;
pvCompletion: LPVOID;
end;
{$EXTERNALSYM _CRYPT_ASYNC_RETRIEVAL_COMPLETION}
CRYPT_ASYNC_RETRIEVAL_COMPLETION = _CRYPT_ASYNC_RETRIEVAL_COMPLETION;
{$EXTERNALSYM CRYPT_ASYNC_RETRIEVAL_COMPLETION}
TCryptAsyncRetrievalCompletion = CRYPT_ASYNC_RETRIEVAL_COMPLETION;
PCryptAsyncRetrievalCompletion = PCRYPT_ASYNC_RETRIEVAL_COMPLETION;
//
// This function is set on the async handle by a scheme provider that
// supports asynchronous retrieval
//
const
CRYPT_PARAM_CANCEL_ASYNC_RETRIEVAL = LPCSTR(2);
{$EXTERNALSYM CRYPT_PARAM_CANCEL_ASYNC_RETRIEVAL}
type
PFN_CANCEL_ASYNC_RETRIEVAL_FUNC = function (hAsyncRetrieve: HCRYPTASYNC): BOOL; stdcall;
{$EXTERNALSYM PFN_CANCEL_ASYNC_RETRIEVAL_FUNC}
PFnCancelASynchRetrievalFunc = PFN_CANCEL_ASYNC_RETRIEVAL_FUNC;
//
// Get the locator for a CAPI object
//
const
CRYPT_GET_URL_FROM_PROPERTY = $00000001;
{$EXTERNALSYM CRYPT_GET_URL_FROM_PROPERTY}
CRYPT_GET_URL_FROM_EXTENSION = $00000002;
{$EXTERNALSYM CRYPT_GET_URL_FROM_EXTENSION}
CRYPT_GET_URL_FROM_UNAUTH_ATTRIBUTE = $00000004;
{$EXTERNALSYM CRYPT_GET_URL_FROM_UNAUTH_ATTRIBUTE}
CRYPT_GET_URL_FROM_AUTH_ATTRIBUTE = $00000008;
{$EXTERNALSYM CRYPT_GET_URL_FROM_AUTH_ATTRIBUTE}
type
PCRYPT_URL_ARRAY = ^CRYPT_URL_ARRAY;
{$EXTERNALSYM PCRYPT_URL_ARRAY}
_CRYPT_URL_ARRAY = record
cUrl: DWORD;
rgwszUrl: LPWSTR;
end;
{$EXTERNALSYM _CRYPT_URL_ARRAY}
CRYPT_URL_ARRAY = _CRYPT_URL_ARRAY;
{$EXTERNALSYM CRYPT_URL_ARRAY}
TCryptUrlArray = CRYPT_URL_ARRAY;
PCryptUrlArray = PCRYPT_URL_ARRAY;
PCRYPT_URL_INFO = ^CRYPT_URL_INFO;
{$EXTERNALSYM PCRYPT_URL_INFO}
_CRYPT_URL_INFO = record
cbSize: DWORD;
end;
{$EXTERNALSYM _CRYPT_URL_INFO}
CRYPT_URL_INFO = _CRYPT_URL_INFO;
{$EXTERNALSYM CRYPT_URL_INFO}
TCryptUrlInfo = CRYPT_URL_INFO;
PCryptUrlInfo = PCRYPT_URL_INFO;
function CryptGetObjectUrl(pszUrlOid: LPCSTR; pvPara: LPVOID; dwFlags: DWORD;
pUrlArray: PCRYPT_URL_ARRAY; var pcbUrlArray: DWORD; pUrlInfo: PCRYPT_URL_INFO;
pcbUrlInfo: LPDWORD; pvReserved: LPVOID): BOOL; stdcall;
{$EXTERNALSYM CryptGetObjectUrl}
const
URL_OID_GET_OBJECT_URL_FUNC = 'UrlDllGetObjectUrl';
{$EXTERNALSYM URL_OID_GET_OBJECT_URL_FUNC}
//
// UrlDllGetObjectUrl has the same signature as CryptGetObjectUrl
//
//
// URL_OID_CERTIFICATE_ISSUER
//
// pvPara == PCCERT_CONTEXT, certificate whose issuer's URL is being requested
//
// This will be retrieved from the authority info access extension or property
// on the certificate
//
// URL_OID_CERTIFICATE_CRL_DIST_POINT
//
// pvPara == PCCERT_CONTEXT, certificate whose CRL distribution point is being
// requested
//
// This will be retrieved from the CRL distribution point extension or property
// on the certificate
//
// URL_OID_CTL_ISSUER
//
// pvPara == PCCTL_CONTEXT, Signer Index, CTL whose issuer's URL (identified
// by the signer index) is being requested
//
// This will be retrieved from an authority info access attribute method encoded
// in each signer info in the PKCS7 (CTL)
//
// URL_OID_CTL_NEXT_UPDATE
//
// pvPara == PCCTL_CONTEXT, Signer Index, CTL whose next update URL is being
// requested and an optional signer index in case we need to check signer
// info attributes
//
// This will be retrieved from an authority info access CTL extension, property,
// or signer info attribute method
//
// URL_OID_CRL_ISSUER
//
// pvPara == PCCRL_CONTEXT, CRL whose issuer's URL is being requested
//
// This will be retrieved from a property on the CRL which has been inherited
// from the subject cert (either from the subject cert issuer or the subject
// cert distribution point extension). It will be encoded as an authority
// info access extension method.
//
const
URL_OID_CERTIFICATE_ISSUER = LPCSTR(1);
{$EXTERNALSYM URL_OID_CERTIFICATE_ISSUER}
URL_OID_CERTIFICATE_CRL_DIST_POINT = LPCSTR(2);
{$EXTERNALSYM URL_OID_CERTIFICATE_CRL_DIST_POINT}
URL_OID_CTL_ISSUER = LPCSTR(3);
{$EXTERNALSYM URL_OID_CTL_ISSUER}
URL_OID_CTL_NEXT_UPDATE = LPCSTR(4);
{$EXTERNALSYM URL_OID_CTL_NEXT_UPDATE}
URL_OID_CRL_ISSUER = LPCSTR(5);
{$EXTERNALSYM URL_OID_CRL_ISSUER}
//
// Get a time valid CAPI2 object
//
function CryptGetTimeValidObject(pszTimeValidOid: LPCSTR; pvPara: LPVOID;
pIssuer: PCCERT_CONTEXT; pftValidFor: LPFILETIME; dwFlags, dwTimeout: DWORD;
ppvObject: LPLPVOID; pCredentials: PCRYPT_CREDENTIALS; pvReserved: LPVOID): BOOL; stdcall;
{$EXTERNALSYM CryptGetTimeValidObject}
const
TIME_VALID_OID_GET_OBJECT_FUNC = 'TimeValidDllGetObject';
{$EXTERNALSYM TIME_VALID_OID_GET_OBJECT_FUNC}
//
// TimeValidDllGetObject has the same signature as CryptGetTimeValidObject
//
//
// TIME_VALID_OID_GET_CTL
//
// pvPara == PCCTL_CONTEXT, the current CTL
//
// TIME_VALID_OID_GET_CRL
//
// pvPara == PCCRL_CONTEXT, the current CRL
//
// TIME_VALID_OID_GET_CRL_FROM_CERT
//
// pvPara == PCCERT_CONTEXT, the subject cert
//
TIME_VALID_OID_GET_CTL = LPCSTR(1);
{$EXTERNALSYM TIME_VALID_OID_GET_CTL}
TIME_VALID_OID_GET_CRL = LPCSTR(2);
{$EXTERNALSYM TIME_VALID_OID_GET_CRL}
TIME_VALID_OID_GET_CRL_FROM_CERT = LPCSTR(3);
{$EXTERNALSYM TIME_VALID_OID_GET_CRL_FROM_CERT}
function CryptFlushTimeValidObject(pszFlushTimeValidOid: LPCSTR; pvPara: LPVOID;
pIssuer: PCCERT_CONTEXT; dwFlags: DWORD; pvReserved: LPVOID): BOOL; stdcall;
{$EXTERNALSYM CryptFlushTimeValidObject}
const
TIME_VALID_OID_FLUSH_OBJECT_FUNC = 'TimeValidDllFlushObject';
{$EXTERNALSYM TIME_VALID_OID_FLUSH_OBJECT_FUNC}
//
// TimeValidDllFlushObject has the same signature as CryptFlushTimeValidObject
//
//
// TIME_VALID_OID_FLUSH_CTL
//
// pvPara == PCCTL_CONTEXT, the CTL to flush
//
// TIME_VALID_OID_FLUSH_CRL
//
// pvPara == PCCRL_CONTEXT, the CRL to flush
//
// TIME_VALID_OID_FLUSH_CRL_FROM_CERT
//
TIME_VALID_OID_FLUSH_CTL = LPCSTR(1);
{$EXTERNALSYM TIME_VALID_OID_FLUSH_CTL}
TIME_VALID_OID_FLUSH_CRL = LPCSTR(2);
{$EXTERNALSYM TIME_VALID_OID_FLUSH_CRL}
TIME_VALID_OID_FLUSH_CRL_FROM_CERT = LPCSTR(3);
{$EXTERNALSYM TIME_VALID_OID_FLUSH_CRL_FROM_CERT}
//-------------------------------------------------------------------------
// Data Protection APIs
//-------------------------------------------------------------------------
//
// Data protection APIs enable applications to easily secure data.
//
// The base provider provides protection based on the users' logon
// credentials. The data secured with these APIs follow the same
// roaming characteristics as HKCU -- if HKCU roams, the data
// protected by the base provider may roam as well. This makes
// the API ideal for the munging of data stored in the registry.
//
//
// Prompt struct -- what to tell users about the access
//
type
PCRYPTPROTECT_PROMPTSTRUCT = ^CRYPTPROTECT_PROMPTSTRUCT;
{$EXTERNALSYM PCRYPTPROTECT_PROMPTSTRUCT}
_CRYPTPROTECT_PROMPTSTRUCT = record
cbSize: DWORD;
dwPromptFlags: DWORD;
hwndApp: HWND;
szPrompt: LPCWSTR;
end;
{$EXTERNALSYM _CRYPTPROTECT_PROMPTSTRUCT}
CRYPTPROTECT_PROMPTSTRUCT = _CRYPTPROTECT_PROMPTSTRUCT;
{$EXTERNALSYM CRYPTPROTECT_PROMPTSTRUCT}
TCryptProtectPromptStruct = CRYPTPROTECT_PROMPTSTRUCT;