

  1. Attribute VB_Name = "Const"
  2. Option Explicit
     ' Module "Const": VB6/VBA rendering of the constant definitions from the
     ' Windows CryptoAPI header wincrypt.h. Only the Public Const declarations
     ' were carried over; the C header's structures and function prototypes,
     ' and the CALG_* identifiers it composes from the class, type and sub-id
     ' values below, are not declared in this part of the module -- confirm
     ' where (or whether) they are declared before using them from VB code.
     ' Values are written as in the C header: decimal where it used decimal,
     ' &H hex where it used hex.
  3. '+---------------------------------------------------------------------------
  4. '
  5. ' Microsoft Windows
  6. '
  7. ' File: wincrypt.h
  8. '
  9. ' Contents: Cryptographic API Prototypes and Definitions
  10. '
  11. '----------------------------------------------------------------------------
  12. '
  13. ' Algorithm IDs and Flags
  14. '
  15. ' ALG_ID crackers
      ' NOTE(review): the C header's ALG_ID "cracker" macros have no VB
      ' equivalent here; only the *_ANY class and type values follow.
  16. ' Algorithm classes
  17. Public Const ALG_CLASS_ANY As Long = 0
  18. ' Algorithm types
  19. Public Const ALG_TYPE_ANY As Long = 0
  20. ' Generic sub-ids
      ' A sub-id is only unique within its algorithm class/type: ALG_SID_RSA_PKCS,
      ' ALG_SID_DES, ALG_SID_RC4, ALG_SID_DH_SANDF, ALG_SID_MD2 and
      ' ALG_SID_SSL3_MASTER below are all 1. Never compare a sub-id on its own.
  21. Public Const ALG_SID_ANY As Long = 0
  22. ' Some RSA sub-ids
  23. Public Const ALG_SID_RSA_ANY As Long = 0
  24. Public Const ALG_SID_RSA_PKCS As Long = 1
  25. Public Const ALG_SID_RSA_MSATWORK As Long = 2
  26. Public Const ALG_SID_RSA_ENTRUST As Long = 3
  27. Public Const ALG_SID_RSA_PGP As Long = 4
  28. ' Some DSS sub-ids
  29. '
  30. Public Const ALG_SID_DSS_ANY As Long = 0
  31. Public Const ALG_SID_DSS_PKCS As Long = 1
  32. Public Const ALG_SID_DSS_DMS As Long = 2
  33. ' Block cipher sub ids
      ' Several of the ciphers and hashes in this table (DES, RC2, RC4, MD2,
      ' MD4, MD5) are kept for interoperability with existing data and
      ' protocols, not because they are still considered adequate; which of
      ' them a caller accepts is a policy decision made in the calling code.
  34. ' DES sub_ids
  35. Public Const ALG_SID_DES As Long = 1
  36. Public Const ALG_SID_3DES As Long = 3
  37. Public Const ALG_SID_DESX As Long = 4
  38. Public Const ALG_SID_IDEA As Long = 5
  39. Public Const ALG_SID_CAST As Long = 6
  40. Public Const ALG_SID_SAFERSK64 As Long = 7
  41. Public Const ALG_SID_SAFERSK128 As Long = 8
  42. Public Const ALG_SID_3DES_112 As Long = 9
  43. Public Const ALG_SID_CYLINK_MEK As Long = 12
  44. Public Const ALG_SID_RC5 As Long = 13
  45. ' Fortezza sub-ids
  46. Public Const ALG_SID_SKIPJACK As Long = 10
  47. Public Const ALG_SID_TEK As Long = 11
  48. ' KP_MODE
      ' Extended cipher modes 6-10. The basic modes CRYPT_MODE_CBC .. CRYPT_MODE_CTS
      ' (1-5) are declared under the second "KP_MODE" heading further down;
      ' both sets are values for the KP_MODE key parameter.
  49. Public Const CRYPT_MODE_CBCI As Long = 6
  50. Public Const CRYPT_MODE_CFBP As Long = 7
  51. Public Const CRYPT_MODE_OFBP As Long = 8
  52. Public Const CRYPT_MODE_CBCOFM As Long = 9
  53. Public Const CRYPT_MODE_CBCOFMI As Long = 10
  54. ' RC2 sub-ids
  55. Public Const ALG_SID_RC2 As Long = 2
  56. ' Stream cipher sub-ids
  57. Public Const ALG_SID_RC4 As Long = 1
  58. Public Const ALG_SID_SEAL As Long = 2
  59. ' Diffie-Hellman sub-ids
  60. Public Const ALG_SID_DH_SANDF As Long = 1
  61. Public Const ALG_SID_DH_EPHEM As Long = 2
  62. Public Const ALG_SID_AGREED_KEY_ANY As Long = 3
  63. Public Const ALG_SID_KEA As Long = 4
  64. ' Hash sub ids
  65. Public Const ALG_SID_MD2 As Long = 1
  66. Public Const ALG_SID_MD4 As Long = 2
  67. Public Const ALG_SID_MD5 As Long = 3
  68. Public Const ALG_SID_SHA As Long = 4
  69. Public Const ALG_SID_SHA1 As Long = 4 ' alias of ALG_SID_SHA (same value)
  70. Public Const ALG_SID_MAC As Long = 5
  71. Public Const ALG_SID_RIPEMD As Long = 6
  72. Public Const ALG_SID_RIPEMD160 As Long = 7
  73. Public Const ALG_SID_SSL3SHAMD5 As Long = 8
  74. Public Const ALG_SID_HMAC As Long = 9
  75. Public Const ALG_SID_TLS1PRF As Long = 10
  76. ' secure channel sub ids
  77. Public Const ALG_SID_SSL3_MASTER As Long = 1
  78. Public Const ALG_SID_SCHANNEL_MASTER_HASH As Long = 2
  79. Public Const ALG_SID_SCHANNEL_MAC_KEY As Long = 3
  80. Public Const ALG_SID_PCT1_MASTER As Long = 4
  81. Public Const ALG_SID_SSL2_MASTER As Long = 5
  82. Public Const ALG_SID_TLS1_MASTER As Long = 6
  83. Public Const ALG_SID_SCHANNEL_ENC_KEY As Long = 7
  84. ' Our silly example sub-id
  85. Public Const ALG_SID_EXAMPLE As Long = 80 ' placeholder carried over from the header; not a real algorithm
  86. ' algorithm identifier definitions
      ' NOTE(review): the C header defines the composite CALG_* identifiers
      ' (class Or type Or sub-id) at this point; they were not carried into
      ' this section of the module.
  87. ' resource number for signatures in the CSP
  88. Public Const SIGNATURE_RESOURCE_NUMBER As Long = &H29A
  89. ' dwFlags definitions for CryptAcquireContext
      ' The CRYPT_* flag values in the sections that follow are reused across
      ' functions with different meanings (CRYPT_NEWKEYSET / CRYPT_UPDATE_KEY
      ' are both &H8, CRYPT_NO_SALT / CRYPT_RECIPIENT both &H10,
      ' CRYPT_PREGEN / CRYPT_INITIATOR both &H40, CRYPT_SERVER / CRYPT_KEK both
      ' &H400, and six different names are &H1). A flag is only meaningful for
      ' the function named in its section heading; never OR flags from
      ' different sections together.
      ' VB6 evaluates &HF0000000 and &HFFFF0000 as negative Long values; only
      ' the 32-bit pattern matters when they are passed as a DWORD.
  90. Public Const CRYPT_VERIFYCONTEXT As Long = &HF0000000 ' context with no persistent key container (hashing, verification, session keys)
  91. Public Const CRYPT_NEWKEYSET As Long = &H00000008 ' create the named key container
  92. Public Const CRYPT_DELETEKEYSET As Long = &H00000010 ' destructive: deletes the named container and the keys in it
  93. Public Const CRYPT_MACHINE_KEYSET As Long = &H00000020 ' container in the machine store rather than the calling user's
  94. Public Const CRYPT_SILENT As Long = &H00000040 ' fail rather than show provider UI
  95. ' dwFlag definitions for CryptGenKey
  96. Public Const CRYPT_EXPORTABLE As Long = &H00000001 ' private key may later be exported from the provider; omit unless export is needed
  97. Public Const CRYPT_USER_PROTECTED As Long = &H00000002 ' provider notifies/prompts the user when the private key is used
  98. Public Const CRYPT_CREATE_SALT As Long = &H00000004
  99. Public Const CRYPT_UPDATE_KEY As Long = &H00000008
  100. Public Const CRYPT_NO_SALT As Long = &H00000010
  101. Public Const CRYPT_PREGEN As Long = &H00000040
  102. Public Const CRYPT_RECIPIENT As Long = &H00000010
  103. Public Const CRYPT_INITIATOR As Long = &H00000040
  104. Public Const CRYPT_ONLINE As Long = &H00000080
  105. Public Const CRYPT_SF As Long = &H00000100
  106. Public Const CRYPT_CREATE_IV As Long = &H00000200
  107. Public Const CRYPT_KEK As Long = &H00000400
  108. Public Const CRYPT_DATA_KEY As Long = &H00000800
  109. Public Const CRYPT_VOLATILE As Long = &H00001000
  110. Public Const CRYPT_SGCKEY As Long = &H00002000
  111. Public Const RSA1024BIT_KEY As Long = &H04000000 ' 1024 shifted left 16: the key length travels in the upper 16 bits of dwFlags (see KEY_LENGTH_MASK)
  112. ' dwFlags definitions for CryptDeriveKey
  113. Public Const CRYPT_SERVER As Long = &H00000400
  114. Public Const KEY_LENGTH_MASK As Long = &HFFFF0000 ' selects the key-length field of dwFlags
  115. ' dwFlag definitions for CryptExportKey
  116. Public Const CRYPT_Y_ONLY As Long = &H00000001
  117. Public Const CRYPT_SSL2_FALLBACK As Long = &H00000002
  118. Public Const CRYPT_DESTROYKEY As Long = &H00000004
  119. Public Const CRYPT_OAEP As Long = &H00000040
  120. Public Const CRYPT_BLOB_VER3 As Long = &H00000080
  121. ' dwFlags definitions for CryptCreateHash
  122. Public Const CRYPT_SECRETDIGEST As Long = &H00000001
  123. ' dwFlags definitions for CryptHashSessionKey
  124. Public Const CRYPT_LITTLE_ENDIAN As Long = &H00000001
  125. ' dwFlags definitions for CryptSignHash and CryptVerifySignature
  126. Public Const CRYPT_NOHASHOID As Long = &H00000001
  127. Public Const CRYPT_TYPE2_FORMAT As Long = &H00000002
  128. Public Const CRYPT_X931_FORMAT As Long = &H00000004
  129. ' dwFlag definitions for CryptSetProviderEx and CryptGetDefaultProvider
  130. Public Const CRYPT_MACHINE_DEFAULT As Long = &H00000001
  131. Public Const CRYPT_USER_DEFAULT As Long = &H00000002
  132. Public Const CRYPT_DELETE_DEFAULT As Long = &H00000004
  133. ' exported key blob definitions
       ' bType values found in the header of an exported key blob. By its name,
       ' PLAINTEXTKEYBLOB carries the key material unprotected; handle such
       ' blobs as secrets (no logging, overwrite after use).
  134. Public Const SIMPLEBLOB As Long = &H1
  135. Public Const PUBLICKEYBLOB As Long = &H6
  136. Public Const PRIVATEKEYBLOB As Long = &H7
  137. Public Const PLAINTEXTKEYBLOB As Long = &H8
  138. Public Const OPAQUEKEYBLOB As Long = &H9
  139. Public Const PUBLICKEYBLOBEX As Long = &HA
  140. Public Const SYMMETRICWRAPKEYBLOB As Long = &HB
       ' Key-pair specifiers (dwKeySpec): which of a container's two key pairs.
  141. Public Const AT_KEYEXCHANGE As Long = 1
  142. Public Const AT_SIGNATURE As Long = 2
  143. Public Const CRYPT_USERDATA As Long = 1
  144. ' dwParam
       ' dwParam values for the key-parameter get/set calls. The KP_PADDING,
       ' KP_MODE and KP_PERMISSIONS headings below list the values used with
       ' those three parameters. The numbering skips 35 between KP_PREHASH
       ' and KP_OAEP_PARAMS.
  145. Public Const KP_IV As Long = 1
  146. Public Const KP_SALT As Long = 2
  147. Public Const KP_PADDING As Long = 3
  148. Public Const KP_MODE As Long = 4
  149. Public Const KP_MODE_BITS As Long = 5
  150. Public Const KP_PERMISSIONS As Long = 6
  151. Public Const KP_ALGID As Long = 7
  152. Public Const KP_BLOCKLEN As Long = 8
  153. Public Const KP_KEYLEN As Long = 9
  154. Public Const KP_SALT_EX As Long = 10
  155. Public Const KP_P As Long = 11
  156. Public Const KP_G As Long = 12
  157. Public Const KP_Q As Long = 13
  158. Public Const KP_X As Long = 14
  159. Public Const KP_Y As Long = 15
  160. Public Const KP_RA As Long = 16
  161. Public Const KP_RB As Long = 17
  162. Public Const KP_INFO As Long = 18
  163. Public Const KP_EFFECTIVE_KEYLEN As Long = 19
  164. Public Const KP_SCHANNEL_ALG As Long = 20
  165. Public Const KP_CLIENT_RANDOM As Long = 21
  166. Public Const KP_SERVER_RANDOM As Long = 22
  167. Public Const KP_RP As Long = 23
  168. Public Const KP_PRECOMP_MD5 As Long = 24
  169. Public Const KP_PRECOMP_SHA As Long = 25
  170. Public Const KP_CERTIFICATE As Long = 26
  171. Public Const KP_CLEAR_KEY As Long = 27
  172. Public Const KP_PUB_EX_LEN As Long = 28
  173. Public Const KP_PUB_EX_VAL As Long = 29
  174. Public Const KP_KEYVAL As Long = 30
  175. Public Const KP_ADMIN_PIN As Long = 31 ' 31-33 carry PIN values: sensitive, never log or persist in clear
  176. Public Const KP_KEYEXCHANGE_PIN As Long = 32
  177. Public Const KP_SIGNATURE_PIN As Long = 33
  178. Public Const KP_PREHASH As Long = 34
  179. Public Const KP_OAEP_PARAMS As Long = 36
  180. Public Const KP_CMS_KEY_INFO As Long = 37
  181. Public Const KP_CMS_DH_KEY_INFO As Long = 38
  182. Public Const KP_PUB_PARAMS As Long = 39
  183. Public Const KP_VERIFY_PARAMS As Long = 40
  184. Public Const KP_HIGHEST_VERSION As Long = 41
  185. ' KP_PADDING
       ' Values for the KP_PADDING key parameter.
  186. Public Const PKCS5_PADDING As Long = 1
  187. Public Const RANDOM_PADDING As Long = 2
  188. Public Const ZERO_PADDING As Long = 3
  189. ' KP_MODE
       ' Basic cipher modes 1-5; the extended modes 6-10 are under the first
       ' "KP_MODE" heading near the top of the module.
  190. Public Const CRYPT_MODE_CBC As Long = 1
  191. Public Const CRYPT_MODE_ECB As Long = 2
  192. Public Const CRYPT_MODE_OFB As Long = 3
  193. Public Const CRYPT_MODE_CFB As Long = 4
  194. Public Const CRYPT_MODE_CTS As Long = 5
  195. ' KP_PERMISSIONS
       ' Bit flags for the KP_PERMISSIONS key parameter (combine with Or).
  196. Public Const CRYPT_ENCRYPT As Long = &H0001
  197. Public Const CRYPT_DECRYPT As Long = &H0002
  198. Public Const CRYPT_EXPORT As Long = &H0004
  199. Public Const CRYPT_READ As Long = &H0008
  200. Public Const CRYPT_WRITE As Long = &H0010
  201. Public Const CRYPT_MAC As Long = &H0020
  202. Public Const CRYPT_EXPORT_KEY As Long = &H0040
  203. Public Const CRYPT_IMPORT_KEY As Long = &H0080
       ' HP_* are dwParam values for the hash-object get/set calls. Despite the
       ' hex spelling they are enumerators, not bit flags (HP_HMAC_INFO is 5).
  204. Public Const HP_ALGID As Long = &H0001
  205. Public Const HP_HASHVAL As Long = &H0002
  206. Public Const HP_HASHSIZE As Long = &H0004
  207. Public Const HP_HMAC_INFO As Long = &H0005
  208. Public Const HP_TLS1PRF_LABEL As Long = &H0006
  209. Public Const HP_TLS1PRF_SEED As Long = &H0007
  210. '
  211. ' CryptGetProvParam
  212. '
       ' dwParam values readable from a provider. 11-15 and 24 are absent here
       ' because they are the CryptSetProvParam values listed further down.
  213. Public Const PP_ENUMALGS As Long = 1
  214. Public Const PP_ENUMCONTAINERS As Long = 2
  215. Public Const PP_IMPTYPE As Long = 3 ' answered with a CRYPT_IMPL_* value (below)
  216. Public Const PP_NAME As Long = 4
  217. Public Const PP_VERSION As Long = 5
  218. Public Const PP_CONTAINER As Long = 6
  219. Public Const PP_CHANGE_PASSWORD As Long = 7
  220. Public Const PP_KEYSET_SEC_DESCR As Long = 8 ' security descriptor of the key container: decides who may use its keys
  221. Public Const PP_CERTCHAIN As Long = 9
  222. Public Const PP_KEY_TYPE_SUBTYPE As Long = 10
  223. Public Const PP_PROVTYPE As Long = 16
  224. Public Const PP_KEYSTORAGE As Long = 17 ' answered with the key storage flags below
  225. Public Const PP_APPLI_CERT As Long = 18
  226. Public Const PP_SYM_KEYSIZE As Long = 19
  227. Public Const PP_SESSION_KEYSIZE As Long = 20
  228. Public Const PP_UI_PROMPT As Long = 21
  229. Public Const PP_ENUMALGS_EX As Long = 22
  230. Public Const PP_ENUMMANDROOTS As Long = 25
  231. Public Const PP_ENUMELECTROOTS As Long = 26
  232. Public Const PP_KEYSET_TYPE As Long = 27
  233. Public Const PP_ADMIN_PIN As Long = 31 ' 31-33 mirror KP_ADMIN_PIN .. KP_SIGNATURE_PIN; PIN values are sensitive
  234. Public Const PP_KEYEXCHANGE_PIN As Long = 32
  235. Public Const PP_SIGNATURE_PIN As Long = 33
  236. Public Const PP_SIG_KEYSIZE_INC As Long = 34
  237. Public Const PP_KEYX_KEYSIZE_INC As Long = 35
  238. Public Const PP_UNIQUE_CONTAINER As Long = 36
  239. Public Const PP_SGC_INFO As Long = 37
  240. Public Const PP_USE_HARDWARE_RNG As Long = 38
  241. Public Const PP_KEYSPEC As Long = 39
  242. Public Const PP_ENUMEX_SIGNING_PROT As Long = 40
       ' dwFlags for the PP_ENUM* queries: start, then continue, an enumeration.
  243. Public Const CRYPT_FIRST As Long = 1
  244. Public Const CRYPT_NEXT As Long = 2
  245. Public Const CRYPT_SGC_ENUM As Long = 4
       ' PP_IMPTYPE results: where the provider does its work.
  246. Public Const CRYPT_IMPL_HARDWARE As Long = 1
  247. Public Const CRYPT_IMPL_SOFTWARE As Long = 2
  248. Public Const CRYPT_IMPL_MIXED As Long = 3
  249. Public Const CRYPT_IMPL_UNKNOWN As Long = 4
  250. Public Const CRYPT_IMPL_REMOVABLE As Long = 8
  251. ' key storage flags
       ' PP_KEYSTORAGE bits.
  252. Public Const CRYPT_SEC_DESCR As Long = &H00000001
  253. Public Const CRYPT_PSTORE As Long = &H00000002
  254. Public Const CRYPT_UI_PROMPT As Long = &H00000004
  255. ' protocol flags
       ' Capability bits describing which protocols a provider supports. PCT1,
       ' SSL2 and SSL3 are long-deprecated protocol versions; a bit being
       ' defined here says nothing about whether a deployment should enable it.
  256. Public Const CRYPT_FLAG_PCT1 As Long = &H0001
  257. Public Const CRYPT_FLAG_SSL2 As Long = &H0002
  258. Public Const CRYPT_FLAG_SSL3 As Long = &H0004
  259. Public Const CRYPT_FLAG_TLS1 As Long = &H0008
  260. Public Const CRYPT_FLAG_IPSEC As Long = &H0010
  261. Public Const CRYPT_FLAG_SIGNING As Long = &H0020
  262. ' SGC flags
       ' Server Gated Cryptography: a historical mechanism for enabling strong
       ' ciphers under export controls; relevant only to old certificates.
  263. Public Const CRYPT_SGC As Long = &H0001
  264. Public Const CRYPT_FASTSGC As Long = &H0002
  265. '
  266. ' CryptSetProvParam
  267. '
       ' dwParam values writable on a provider; they share the PP_ number space
       ' with the CryptGetProvParam list above.
  268. Public Const PP_CLIENT_HWND As Long = 1 ' window the provider parents its UI to
  269. Public Const PP_CONTEXT_INFO As Long = 11
  270. Public Const PP_KEYEXCHANGE_KEYSIZE As Long = 12
  271. Public Const PP_SIGNATURE_KEYSIZE As Long = 13
  272. Public Const PP_KEYEXCHANGE_ALG As Long = 14
  273. Public Const PP_SIGNATURE_ALG As Long = 15
  274. Public Const PP_DELETEKEY As Long = 24
       ' Provider types (dwProvType for CryptAcquireContext). 7-11 are the STT
       ' providers listed separately below; 19 is not assigned here.
  275. Public Const PROV_RSA_FULL As Long = 1
  276. Public Const PROV_RSA_SIG As Long = 2
  277. Public Const PROV_DSS As Long = 3
  278. Public Const PROV_FORTEZZA As Long = 4
  279. Public Const PROV_MS_EXCHANGE As Long = 5
  280. Public Const PROV_SSL As Long = 6
  281. Public Const PROV_RSA_SCHANNEL As Long = 12
  282. Public Const PROV_DSS_DH As Long = 13
  283. Public Const PROV_EC_ECDSA_SIG As Long = 14
  284. Public Const PROV_EC_ECNRA_SIG As Long = 15
  285. Public Const PROV_EC_ECDSA_FULL As Long = 16
  286. Public Const PROV_EC_ECNRA_FULL As Long = 17
  287. Public Const PROV_DH_SCHANNEL As Long = 18
  288. Public Const PROV_SPYRUS_LYNKS As Long = 20
  289. Public Const PROV_RNG As Long = 21
  290. Public Const PROV_INTEL_SEC As Long = 22
  291. '
  292. ' STT defined Providers
  293. '
  294. Public Const PROV_STT_MER As Long = 7
  295. Public Const PROV_STT_ACQ As Long = 8
  296. Public Const PROV_STT_BRND As Long = 9
  297. Public Const PROV_STT_ROOT As Long = 10
  298. Public Const PROV_STT_ISS As Long = 11
  299. '
  300. ' Provider friendly names
  301. '
       ' Each _A/_W pair is the same VB String here. VB6 passes String
       ' arguments of a Declare as ANSI unless the declaration handles the
       ' conversion itself -- confirm which form this project's Declare
       ' statements expect before choosing between the two.
  302. Public Const MS_DEF_PROV_A As String = "Microsoft Base Cryptographic Provider v1.0"
  303. Public Const MS_DEF_PROV_W As String = "Microsoft Base Cryptographic Provider v1.0"
  304. Public Const MS_ENHANCED_PROV_A As String = "Microsoft Enhanced Cryptographic Provider v1.0"
  305. Public Const MS_ENHANCED_PROV_W As String = "Microsoft Enhanced Cryptographic Provider v1.0"
  306. Public Const MS_STRONG_PROV_A As String = "Microsoft Strong Cryptographic Provider"
  307. Public Const MS_STRONG_PROV_W As String = "Microsoft Strong Cryptographic Provider"
  308. Public Const MS_DEF_RSA_SIG_PROV_A As String = "Microsoft RSA Signature Cryptographic Provider"
  309. Public Const MS_DEF_RSA_SIG_PROV_W As String = "Microsoft RSA Signature Cryptographic Provider"
  310. Public Const MS_DEF_RSA_SCHANNEL_PROV_A As String = "Microsoft RSA SChannel Cryptographic Provider"
  311. Public Const MS_DEF_RSA_SCHANNEL_PROV_W As String = "Microsoft RSA SChannel Cryptographic Provider"
  312. Public Const MS_DEF_DSS_PROV_A As String = "Microsoft Base DSS Cryptographic Provider"
  313. Public Const MS_DEF_DSS_PROV_W As String = "Microsoft Base DSS Cryptographic Provider"
  314. Public Const MS_DEF_DSS_DH_PROV_A As String = "Microsoft Base DSS and Diffie-Hellman Cryptographic Provider"
  315. Public Const MS_DEF_DSS_DH_PROV_W As String = "Microsoft Base DSS and Diffie-Hellman Cryptographic Provider"
  316. Public Const MS_ENH_DSS_DH_PROV_A As String = "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider"
  317. Public Const MS_ENH_DSS_DH_PROV_W As String = "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider"
  318. Public Const MS_DEF_DH_SCHANNEL_PROV_A As String = "Microsoft DH SChannel Cryptographic Provider"
  319. Public Const MS_DEF_DH_SCHANNEL_PROV_W As String = "Microsoft DH SChannel Cryptographic Provider"
  320. Public Const MS_SCARD_PROV_A As String = "Microsoft Base Smart Card Crypto Provider"
  321. Public Const MS_SCARD_PROV_W As String = "Microsoft Base Smart Card Crypto Provider"
  322. Public Const MAXUIDLEN As Long = 64
  323. ' Exponentiation Offload Reg Location
       ' NOTE(review): a registry value name and an exported-function name;
       ' presumably they tell a provider which module to load for modular
       ' exponentiation. If so, that registry location is a security-sensitive
       ' setting -- confirm against the provider documentation.
  324. Public Const EXPO_OFFLOAD_REG_VALUE As String = "ExpoOffload"
  325. Public Const EXPO_OFFLOAD_FUNC_NAME As String = "OffloadModExpo"
  326. Public Const CUR_BLOB_VERSION As Long = 2 ' bVersion expected in an exported key blob header
  327. ' structure for use with CryptSetKeyParam for CMS keys
       ' NOTE(review): the "structure for use with ..." comments in this section
       ' describe C structures that were not translated into this module; only
       ' the comments survived. The matching Types must be declared elsewhere
       ' before those parameters can be used from VB.
  328. ' DO NOT USE THIS STRUCTURE!!!!!
  329. ' structure for use with CryptSetHashParam with CALG_HMAC
  330. ' structure for use with CryptSetKeyParam with KP_SCHANNEL_ALG
  331. ' uses of algorithms for SCHANNEL_ALG structure
  332. Public Const SCHANNEL_MAC_KEY As Long = &H00000000
  333. Public Const SCHANNEL_ENC_KEY As Long = &H00000001
  334. ' uses of dwFlags SCHANNEL_ALG structure
  335. Public Const INTERNATIONAL_USAGE As Long = &H00000001
  336. '+-------------------------------------------------------------------------
  337. ' CRYPTOAPI BLOB definitions
  338. '--------------------------------------------------------------------------
       ' NOTE(review): the BLOB structures the comments in this section describe
       ' (CRYPT_BIT_BLOB, CRYPT_OBJID_BLOB and the algorithm identifier type)
       ' were not translated; the comments remain as documentation of the C
       ' layout only.
  339. ' structure for use with CryptSetKeyParam for CMS keys
  340. '+-------------------------------------------------------------------------
  341. ' In a CRYPT_BIT_BLOB the last byte may contain 0-7 unused bits. Therefore, the
  342. ' overall bit length is cbData * 8 - cUnusedBits.
  343. '--------------------------------------------------------------------------
  344. '+-------------------------------------------------------------------------
  345. ' Type used for any algorithm
  346. '
  347. ' Where the Parameters CRYPT_OBJID_BLOB is in its encoded representation. For most
       ' (sentence truncated in this copy of the header)
  348. '--------------------------------------------------------------------------
  349. ' Following are the definitions of various algorithm object identifiers
       ' Object identifiers as dotted-decimal strings, the form the CryptoAPI
       ' encode/decode and certificate functions take. Compare OIDs as whole
       ' strings: "1.2.840.113549.1.1" is a prefix of many of the values below.
  350. ' RSA
  351. Public Const szOID_RSA As String = "1.2.840.113549"
  352. Public Const szOID_PKCS As String = "1.2.840.113549.1"
  353. Public Const szOID_RSA_HASH As String = "1.2.840.113549.2"
  354. Public Const szOID_RSA_ENCRYPT As String = "1.2.840.113549.3"
  355. Public Const szOID_PKCS_1 As String = "1.2.840.113549.1.1"
  356. Public Const szOID_PKCS_2 As String = "1.2.840.113549.1.2"
  357. Public Const szOID_PKCS_3 As String = "1.2.840.113549.1.3"
  358. Public Const szOID_PKCS_4 As String = "1.2.840.113549.1.4"
  359. Public Const szOID_PKCS_5 As String = "1.2.840.113549.1.5"
  360. Public Const szOID_PKCS_6 As String = "1.2.840.113549.1.6"
  361. Public Const szOID_PKCS_7 As String = "1.2.840.113549.1.7"
  362. Public Const szOID_PKCS_8 As String = "1.2.840.113549.1.8"
  363. Public Const szOID_PKCS_9 As String = "1.2.840.113549.1.9"
  364. Public Const szOID_PKCS_10 As String = "1.2.840.113549.1.10"
  365. Public Const szOID_PKCS_12 As String = "1.2.840.113549.1.12" ' no szOID_PKCS_11 is defined in this module
  366. Public Const szOID_RSA_RSA As String = "1.2.840.113549.1.1.1"
       ' MD2/MD4/MD5-with-RSA (1.1.2 - 1.1.4) and the bare MD2/MD4/MD5 digest
       ' OIDs (2.2 / 2.4 / 2.5) name legacy signature and hash algorithms;
       ' whether to accept them is a verification-policy decision in the caller.
  367. Public Const szOID_RSA_MD2RSA As String = "1.2.840.113549.1.1.2"
  368. Public Const szOID_RSA_MD4RSA As String = "1.2.840.113549.1.1.3"
  369. Public Const szOID_RSA_MD5RSA As String = "1.2.840.113549.1.1.4"
  370. Public Const szOID_RSA_SHA1RSA As String = "1.2.840.113549.1.1.5"
  371. Public Const szOID_RSA_SETOAEP_RSA As String = "1.2.840.113549.1.1.6"
  372. Public Const szOID_RSA_DH As String = "1.2.840.113549.1.3.1"
  373. Public Const szOID_RSA_data As String = "1.2.840.113549.1.7.1"
  374. Public Const szOID_RSA_signedData As String = "1.2.840.113549.1.7.2"
  375. Public Const szOID_RSA_envelopedData As String = "1.2.840.113549.1.7.3"
  376. Public Const szOID_RSA_signEnvData As String = "1.2.840.113549.1.7.4"
  377. Public Const szOID_RSA_digestedData As String = "1.2.840.113549.1.7.5"
  378. Public Const szOID_RSA_hashedData As String = "1.2.840.113549.1.7.5" ' same OID as szOID_RSA_digestedData
  379. Public Const szOID_RSA_encryptedData As String = "1.2.840.113549.1.7.6"
  380. Public Const szOID_RSA_emailAddr As String = "1.2.840.113549.1.9.1"
  381. Public Const szOID_RSA_unstructName As String = "1.2.840.113549.1.9.2"
  382. Public Const szOID_RSA_contentType As String = "1.2.840.113549.1.9.3"
  383. Public Const szOID_RSA_messageDigest As String = "1.2.840.113549.1.9.4"
  384. Public Const szOID_RSA_signingTime As String = "1.2.840.113549.1.9.5"
  385. Public Const szOID_RSA_counterSign As String = "1.2.840.113549.1.9.6"
  386. Public Const szOID_RSA_challengePwd As String = "1.2.840.113549.1.9.7"
  387. Public Const szOID_RSA_unstructAddr As String = "1.2.840.113549.1.9.8"
  388. Public Const szOID_RSA_extCertAttrs As String = "1.2.840.113549.1.9.9"
  389. Public Const szOID_RSA_certExtensions As String = "1.2.840.113549.1.9.14"
  390. Public Const szOID_RSA_SMIMECapabilities As String = "1.2.840.113549.1.9.15"
  391. Public Const szOID_RSA_preferSignedData As String = "1.2.840.113549.1.9.15.1"
  392. Public Const szOID_RSA_SMIMEalg As String = "1.2.840.113549.1.9.16.3"
  393. Public Const szOID_RSA_SMIMEalgESDH As String = "1.2.840.113549.1.9.16.3.5"
  394. Public Const szOID_RSA_SMIMEalgCMS3DESwrap As String = "1.2.840.113549.1.9.16.3.6"
  395. Public Const szOID_RSA_SMIMEalgCMSRC2wrap As String = "1.2.840.113549.1.9.16.3.7"
  396. Public Const szOID_RSA_MD2 As String = "1.2.840.113549.2.2"
  397. Public Const szOID_RSA_MD4 As String = "1.2.840.113549.2.4"
  398. Public Const szOID_RSA_MD5 As String = "1.2.840.113549.2.5"
  399. Public Const szOID_RSA_RC2CBC As String = "1.2.840.113549.3.2"
  400. Public Const szOID_RSA_RC4 As String = "1.2.840.113549.3.4"
  401. Public Const szOID_RSA_DES_EDE3_CBC As String = "1.2.840.113549.3.7"
  402. Public Const szOID_RSA_RC5_CBCPad As String = "1.2.840.113549.3.9"
       ' ANSI X9.42 (Diffie-Hellman) and X9.57 (DSA) arcs.
  403. Public Const szOID_ANSI_X942 As String = "1.2.840.10046"
  404. Public Const szOID_ANSI_X942_DH As String = "1.2.840.10046.2.1"
  405. Public Const szOID_X957 As String = "1.2.840.10040"
  406. Public Const szOID_X957_DSA As String = "1.2.840.10040.4.1"
  407. Public Const szOID_X957_SHA1DSA As String = "1.2.840.10040.4.3"
  408. ' ITU-T UsefulDefinitions
       ' Directory (X.500) arc 2.5 and its algorithm sub-arcs.
  409. Public Const szOID_DS As String = "2.5"
  410. Public Const szOID_DSALG As String = "2.5.8"
  411. Public Const szOID_DSALG_CRPT As String = "2.5.8.1"
  412. Public Const szOID_DSALG_HASH As String = "2.5.8.2"
  413. Public Const szOID_DSALG_SIGN As String = "2.5.8.3"
  414. Public Const szOID_DSALG_RSA As String = "2.5.8.1.1"
  415. ' http:
  416. ' http:
       ' NOTE(review): the two "http:" lines above are URL comments from the C
       ' header that were cut at "//" by whatever produced this module; the
       ' targets cannot be recovered from this file.
  417. Public Const szOID_OIW As String = "1.3.14"
  418. Public Const szOID_OIWSEC As String = "1.3.14.3.2"
  419. Public Const szOID_OIWSEC_md4RSA As String = "1.3.14.3.2.2"
  420. Public Const szOID_OIWSEC_md5RSA As String = "1.3.14.3.2.3"
  421. Public Const szOID_OIWSEC_md4RSA2 As String = "1.3.14.3.2.4"
  422. Public Const szOID_OIWSEC_desECB As String = "1.3.14.3.2.6"
  423. Public Const szOID_OIWSEC_desCBC As String = "1.3.14.3.2.7"
  424. Public Const szOID_OIWSEC_desOFB As String = "1.3.14.3.2.8"
  425. Public Const szOID_OIWSEC_desCFB As String = "1.3.14.3.2.9"
  426. Public Const szOID_OIWSEC_desMAC As String = "1.3.14.3.2.10"
  427. Public Const szOID_OIWSEC_rsaSign As String = "1.3.14.3.2.11"
  428. Public Const szOID_OIWSEC_dsa As String = "1.3.14.3.2.12"
  429. Public Const szOID_OIWSEC_shaDSA As String = "1.3.14.3.2.13"
  430. Public Const szOID_OIWSEC_mdc2RSA As String = "1.3.14.3.2.14"
  431. Public Const szOID_OIWSEC_shaRSA As String = "1.3.14.3.2.15"
  432. Public Const szOID_OIWSEC_dhCommMod As String = "1.3.14.3.2.16"
  433. Public Const szOID_OIWSEC_desEDE As String = "1.3.14.3.2.17"
  434. Public Const szOID_OIWSEC_sha As String = "1.3.14.3.2.18"
  435. Public Const szOID_OIWSEC_mdc2 As String = "1.3.14.3.2.19"
  436. Public Const szOID_OIWSEC_dsaComm As String = "1.3.14.3.2.20"
  437. Public Const szOID_OIWSEC_dsaCommSHA As String = "1.3.14.3.2.21"
  438. Public Const szOID_OIWSEC_rsaXchg As String = "1.3.14.3.2.22"
  439. Public Const szOID_OIWSEC_keyHashSeal As String = "1.3.14.3.2.23"
  440. Public Const szOID_OIWSEC_md2RSASign As String = "1.3.14.3.2.24"
  441. Public Const szOID_OIWSEC_md5RSASign As String = "1.3.14.3.2.25"
       ' The OIW "sha" / "shaRSA" / "shaDSA" entries (18, 15, 13) and the
       ' "sha1" / "sha1RSASign" / "dsaSHA1" entries (26, 29, 27) are distinct
       ' OIDs; do not treat one as an alias of the other.
  442. Public Const szOID_OIWSEC_sha1 As String = "1.3.14.3.2.26"
  443. Public Const szOID_OIWSEC_dsaSHA1 As String = "1.3.14.3.2.27"
  444. Public Const szOID_OIWSEC_dsaCommSHA1 As String = "1.3.14.3.2.28"
  445. Public Const szOID_OIWSEC_sha1RSASign As String = "1.3.14.3.2.29"
  446. Public Const szOID_OIWDIR As String = "1.3.14.7.2"
  447. Public Const szOID_OIWDIR_CRPT As String = "1.3.14.7.2.1"
  448. Public Const szOID_OIWDIR_HASH As String = "1.3.14.7.2.2"
  449. Public Const szOID_OIWDIR_SIGN As String = "1.3.14.7.2.3"
  450. Public Const szOID_OIWDIR_md2 As String = "1.3.14.7.2.2.1"
  451. Public Const szOID_OIWDIR_md2RSA As String = "1.3.14.7.2.3.1"
  452. ' INFOSEC Algorithms
       ' SDNS / MOSAIC / Suite A algorithm families under the arc
       ' 2.16.840.1.101.2.1; the names below give the role of each value.
  453. Public Const szOID_INFOSEC As String = "2.16.840.1.101.2.1"
  454. Public Const szOID_INFOSEC_sdnsSignature As String = "2.16.840.1.101.2.1.1.1"
  455. Public Const szOID_INFOSEC_mosaicSignature As String = "2.16.840.1.101.2.1.1.2"
  456. Public Const szOID_INFOSEC_sdnsConfidentiality As String = "2.16.840.1.101.2.1.1.3"
  457. Public Const szOID_INFOSEC_mosaicConfidentiality As String = "2.16.840.1.101.2.1.1.4"
  458. Public Const szOID_INFOSEC_sdnsIntegrity As String = "2.16.840.1.101.2.1.1.5"
  459. Public Const szOID_INFOSEC_mosaicIntegrity As String = "2.16.840.1.101.2.1.1.6"
  460. Public Const szOID_INFOSEC_sdnsTokenProtection As String = "2.16.840.1.101.2.1.1.7"
  461. Public Const szOID_INFOSEC_mosaicTokenProtection As String = "2.16.840.1.101.2.1.1.8"
  462. Public Const szOID_INFOSEC_sdnsKeyManagement As String = "2.16.840.1.101.2.1.1.9"
  463. Public Const szOID_INFOSEC_mosaicKeyManagement As String = "2.16.840.1.101.2.1.1.10"
  464. Public Const szOID_INFOSEC_sdnsKMandSig As String = "2.16.840.1.101.2.1.1.11"
  465. Public Const szOID_INFOSEC_mosaicKMandSig As String = "2.16.840.1.101.2.1.1.12"
  466. Public Const szOID_INFOSEC_SuiteASignature As String = "2.16.840.1.101.2.1.1.13"
  467. Public Const szOID_INFOSEC_SuiteAConfidentiality As String = "2.16.840.1.101.2.1.1.14"
  468. Public Const szOID_INFOSEC_SuiteAIntegrity As String = "2.16.840.1.101.2.1.1.15"
  469. Public Const szOID_INFOSEC_SuiteATokenProtection As String = "2.16.840.1.101.2.1.1.16"
  470. Public Const szOID_INFOSEC_SuiteAKeyManagement As String = "2.16.840.1.101.2.1.1.17"
  471. Public Const szOID_INFOSEC_SuiteAKMandSig As String = "2.16.840.1.101.2.1.1.18"
  472. Public Const szOID_INFOSEC_mosaicUpdatedSig As String = "2.16.840.1.101.2.1.1.19"
  473. Public Const szOID_INFOSEC_mosaicKMandUpdSig As String = "2.16.840.1.101.2.1.1.20"
  474. Public Const szOID_INFOSEC_mosaicUpdatedInteg As String = "2.16.840.1.101.2.1.1.21"
  475. '+-------------------------------------------------------------------------
  476. '--------------------------------------------------------------------------
       ' NOTE(review): the type definitions that sat between the banner comments
       ' in this section (extension, attribute type/value, attribute list, RDN
       ' attribute) were not translated into this module; the comments remain.
  477. '+-------------------------------------------------------------------------
  478. ' Type used for an extension to an encoded content
  479. '
  480. ' Where the Value's CRYPT_OBJID_BLOB is in its encoded representation.
  481. '--------------------------------------------------------------------------
  482. '+-------------------------------------------------------------------------
  483. ' AttributeTypeValue
  484. '
  485. ' Where the Value's CRYPT_OBJID_BLOB is in its encoded representation.
  486. '--------------------------------------------------------------------------
  487. '+-------------------------------------------------------------------------
  488. ' Attributes
  489. '
  490. ' Where the Value's PATTR_BLOBs are in their encoded representation.
  491. '--------------------------------------------------------------------------
  492. '+-------------------------------------------------------------------------
  493. '
  494. ' The interpretation of the Value depends on the dwValueType.
  495. ' See below for a list of the types.
  496. '--------------------------------------------------------------------------
  497. '+-------------------------------------------------------------------------
  498. ' CERT_RDN attribute Object Identifiers
  499. '--------------------------------------------------------------------------
  500. ' Labeling attribute types:
       ' X.500 / X.520 attribute types (arc 2.5.4) as used in certificate
       ' subject and issuer names. The OID identifies the attribute only; the
       ' value's string type is given separately by the CERT_RDN_* value types.
  501. Public Const szOID_COMMON_NAME As String = "2.5.4.3"
  502. Public Const szOID_SUR_NAME As String = "2.5.4.4"
  503. Public Const szOID_DEVICE_SERIAL_NUMBER As String = "2.5.4.5"
  504. ' Geographic attribute types:
  505. Public Const szOID_COUNTRY_NAME As String = "2.5.4.6"
  506. Public Const szOID_LOCALITY_NAME As String = "2.5.4.7"
  507. Public Const szOID_STATE_OR_PROVINCE_NAME As String = "2.5.4.8"
  508. Public Const szOID_STREET_ADDRESS As String = "2.5.4.9"
  509. ' Organizational attribute types:
  510. Public Const szOID_ORGANIZATION_NAME As String = "2.5.4.10"
  511. Public Const szOID_ORGANIZATIONAL_UNIT_NAME As String = "2.5.4.11"
  512. Public Const szOID_TITLE As String = "2.5.4.12"
  513. ' Explanatory attribute types:
  514. Public Const szOID_DESCRIPTION As String = "2.5.4.13"
  515. Public Const szOID_SEARCH_GUIDE As String = "2.5.4.14"
  516. Public Const szOID_BUSINESS_CATEGORY As String = "2.5.4.15"
  517. ' Postal addressing attribute types:
  518. Public Const szOID_POSTAL_ADDRESS As String = "2.5.4.16"
  519. Public Const szOID_POSTAL_CODE As String = "2.5.4.17"
  520. Public Const szOID_POST_OFFICE_BOX As String = "2.5.4.18"
  521. Public Const szOID_PHYSICAL_DELIVERY_OFFICE_NAME As String = "2.5.4.19"
  522. ' Telecommunications addressing attribute types:
  523. Public Const szOID_TELEPHONE_NUMBER As String = "2.5.4.20"
  524. Public Const szOID_TELEX_NUMBER As String = "2.5.4.21"
  525. Public Const szOID_TELETEXT_TERMINAL_IDENTIFIER As String = "2.5.4.22"
  526. Public Const szOID_FACSIMILE_TELEPHONE_NUMBER As String = "2.5.4.23"
  527. Public Const szOID_X21_ADDRESS As String = "2.5.4.24"
  528. Public Const szOID_INTERNATIONAL_ISDN_NUMBER As String = "2.5.4.25"
  529. Public Const szOID_REGISTERED_ADDRESS As String = "2.5.4.26"
  530. Public Const szOID_DESTINATION_INDICATOR As String = "2.5.4.27"
  531. ' Preference attribute types:
  532. Public Const szOID_PREFERRED_DELIVERY_METHOD As String = "2.5.4.28"
  533. ' OSI application attribute types:
  534. Public Const szOID_PRESENTATION_ADDRESS As String = "2.5.4.29"
  535. Public Const szOID_SUPPORTED_APPLICATION_CONTEXT As String = "2.5.4.30"
  536. ' Relational application attribute types:
  537. Public Const szOID_MEMBER As String = "2.5.4.31"
  538. Public Const szOID_OWNER As String = "2.5.4.32"
  539. Public Const szOID_ROLE_OCCUPANT As String = "2.5.4.33"
  540. Public Const szOID_SEE_ALSO As String = "2.5.4.34"
  541. ' Security attribute types:
  542. Public Const szOID_USER_PASSWORD As String = "2.5.4.35" ' an RDN of this type would carry credential material; treat as sensitive
  543. Public Const szOID_USER_CERTIFICATE As String = "2.5.4.36"
  544. Public Const szOID_CA_CERTIFICATE As String = "2.5.4.37"
  545. Public Const szOID_AUTHORITY_REVOCATION_LIST As String = "2.5.4.38"
  546. Public Const szOID_CERTIFICATE_REVOCATION_LIST As String = "2.5.4.39"
  547. Public Const szOID_CROSS_CERTIFICATE_PAIR As String = "2.5.4.40"
  548. ' Undocumented attribute types???
  549. '#define szOID_??? "2.5.4.41"
  550. Public Const szOID_GIVEN_NAME As String = "2.5.4.42"
  551. Public Const szOID_INITIALS As String = "2.5.4.43"
  552. ' The DN Qualifier attribute type specifies disambiguating information to add
  553. ' to the relative distinguished name of an entry. It is intended to be used
  554. ' for entries held in multiple DSAs which would otherwise have the same name,
  555. ' and that its value be the same in a given DSA for all entries to which
  556. ' the information has been added.
  557. Public Const szOID_DN_QUALIFIER As String = "2.5.4.46"
  558. ' Pilot user attribute types:
  559. Public Const szOID_DOMAIN_COMPONENT As String = "0.9.2342.19200300.100.1.25" ' the "DC=" name component (RFC 1274 pilot schema arc)
  560. ' used for PKCS 12 attributes
  561. Public Const szOID_PKCS_12_FRIENDLY_NAME_ATTR As String = "1.2.840.113549.1.9.20"
  562. Public Const szOID_PKCS_12_LOCAL_KEY_ID As String = "1.2.840.113549.1.9.21"
       ' 1.3.6.1.4.1.311 is the Microsoft private-enterprise arc.
  563. Public Const szOID_PKCS_12_KEY_PROVIDER_NAME_ATTR As String = "1.3.6.1.4.1.311.17.1"
  564. Public Const szOID_LOCAL_MACHINE_KEYSET As String = "1.3.6.1.4.1.311.17.2"
  565. '+-------------------------------------------------------------------------
  566. ' Microsoft CERT_RDN attribute Object Identifiers
  567. '--------------------------------------------------------------------------
  568. ' Special RDN containing the KEY_ID. Its value type is CERT_RDN_OCTET_STRING.
  569. Public Const szOID_KEYID_RDN As String = "1.3.6.1.4.1.311.10.7.1"
  570. '+-------------------------------------------------------------------------
  571. ' CERT_RDN Attribute Value Types
  572. '
  573. ' For RDN_ENCODED_BLOB, the Value's CERT_RDN_VALUE_BLOB is in its encoded
  574. ' representation. Otherwise, its an array of bytes.
  575. '
  576. ' For all CERT_RDN types, Value.cbData is always the number of bytes, not
  577. ' necessarily the number of elements in the string. For instance,
  578. '
  579. ' These UNICODE characters are encoded as UTF8 8 bit characters.
  580. '
  581. ' For CertDecodeName, two 0 bytes are always appended to the end of the
  582. ' These added 0 bytes are't included in the BLOB.cbData.
  583. '--------------------------------------------------------------------------
  584. Public Const CERT_RDN_ANY_TYPE As Long = 0
  585. Public Const CERT_RDN_ENCODED_BLOB As Long = 1
  586. Public Const CERT_RDN_OCTET_STRING As Long = 2
  587. Public Const CERT_RDN_NUMERIC_STRING As Long = 3
  588. Public Const CERT_RDN_PRINTABLE_STRING As Long = 4
  589. Public Const CERT_RDN_TELETEX_STRING As Long = 5
  590. Public Const CERT_RDN_T61_STRING As Long = 5
  591. Public Const CERT_RDN_VIDEOTEX_STRING As Long = 6
  592. Public Const CERT_RDN_IA5_STRING As Long = 7
  593. Public Const CERT_RDN_GRAPHIC_STRING As Long = 8
  594. Public Const CERT_RDN_VISIBLE_STRING As Long = 9
  595. Public Const CERT_RDN_ISO646_STRING As Long = 9
  596. Public Const CERT_RDN_GENERAL_STRING As Long = 10
  597. Public Const CERT_RDN_UNIVERSAL_STRING As Long = 11
  598. Public Const CERT_RDN_INT4_STRING As Long = 11
  599. Public Const CERT_RDN_BMP_STRING As Long = 12
  600. Public Const CERT_RDN_UNICODE_STRING As Long = 12
  601. Public Const CERT_RDN_UTF8_STRING As Long = 13
  602. Public Const CERT_RDN_TYPE_MASK As Long = &H000000FF
  603. Public Const CERT_RDN_FLAGS_MASK As Long = &HFF000000
  604. '+-------------------------------------------------------------------------
  605. ' Flags that can be or'ed with the above Value Type when encoding/decoding
  606. '--------------------------------------------------------------------------
  607. ' For encoding: when set, CERT_RDN_T61_STRING is selected instead of
  608. ' CERT_RDN_UNICODE_STRING if all the unicode characters are <= 0xFF
  609. Public Const CERT_RDN_ENABLE_T61_UNICODE_FLAG As Long = &H80000000
  610. ' For encoding: when set, CERT_RDN_UTF8_STRING is selected instead of
  611. ' CERT_RDN_UNICODE_STRING.
  612. Public Const CERT_RDN_ENABLE_UTF8_UNICODE_FLAG As Long = &H20000000
  613. ' For encoding: when set, the characters aren't checked to see if they
  614. ' are valid for the Value Type.
  615. Public Const CERT_RDN_DISABLE_CHECK_TYPE_FLAG As Long = &H40000000
  616. ' For decoding: by default, CERT_RDN_T61_STRING values are initially decoded
  617. ' as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
  618. ' Setting this flag skips the initial attempt to decode as UTF8.
  619. Public Const CERT_RDN_DISABLE_IE4_UTF8_FLAG As Long = &H01000000
  620. ' Macro to check that the dwValueType is a character string and not an
  621. ' encoded blob or octet string
  622. '+-------------------------------------------------------------------------
  623. ' A CERT_RDN consists of an array of the above attributes
  624. '--------------------------------------------------------------------------
  625. '+-------------------------------------------------------------------------
  626. ' Information stored in a subject's or issuer's name. The information
  627. ' is represented as an array of the above RDNs.
  628. '--------------------------------------------------------------------------
  629. '+-------------------------------------------------------------------------
  630. ' Name attribute value without the Object Identifier
  631. '
  632. ' The interpretation of the Value depends on the dwValueType.
  633. ' See above for a list of the types.
  634. '--------------------------------------------------------------------------
  635. '+-------------------------------------------------------------------------
  636. ' Public Key Info
  637. '
  638. ' The PublicKey is the encoded representation of the information as it is
  639. ' stored in the bit string
  640. '--------------------------------------------------------------------------
  641. '+-------------------------------------------------------------------------
  642. ' structure that contains all the information in a PKCS#8 PrivateKeyInfo
  643. '--------------------------------------------------------------------------
  644. '+-------------------------------------------------------------------------
  645. ' structure that contains all the information in a PKCS#8
  646. ' EncryptedPrivateKeyInfo
  647. '--------------------------------------------------------------------------
  648. '+-------------------------------------------------------------------------
  649. ' this callback is given when an EncryptedProvateKeyInfo structure is
  650. ' encountered during ImportPKCS8. the caller is then expected to decrypt
  651. ' the private key and hand back the decrypted contents.
  652. '
  653. ' the parameters are:
  654. ' Algorithm - the algorithm used to encrypt the PrivateKeyInfo
  655. ' EncryptedPrivateKey - the encrypted private key blob
  656. ' pClearTextKey - a buffer to receive the clear text
  657. ' cbClearTextKey - the number of bytes of the pClearTextKey buffer
  658. ' note the if this is zero then this should be
  659. ' filled in with the size required to decrypt the
  660. ' key into, and pClearTextKey should be ignored
  661. ' pVoidDecryptFunc - this is the pVoid that was passed into the call
  662. ' and is preserved and passed back as context
  663. '+-------------------------------------------------------------------------
  664. '+-------------------------------------------------------------------------
  665. ' this callback is given when creating a PKCS8 EncryptedPrivateKeyInfo.
  666. ' The caller is then expected to encrypt the private key and hand back
  667. ' the encrypted contents.
  668. '
  669. ' the parameters are:
  670. ' Algorithm - the algorithm used to encrypt the PrivateKeyInfo
  671. ' pClearTextPrivateKey - the cleartext private key to be encrypted
  672. ' pbEncryptedKey - the output encrypted private key blob
  673. ' cbEncryptedKey - the number of bytes of the pbEncryptedKey buffer
  674. ' note the if this is zero then this should be
  675. ' filled in with the size required to encrypt the
  676. ' key into, and pbEncryptedKey should be ignored
  677. ' pVoidEncryptFunc - this is the pVoid that was passed into the call
  678. ' and is preserved and passed back as context
  679. '+-------------------------------------------------------------------------
  680. '+-------------------------------------------------------------------------
  681. ' this callback is given from the context of a ImportPKCS8 calls. the caller
  682. ' is then expected to hand back an HCRYPTPROV to receive the key being imported
  683. '
  684. ' the parameters are:
  685. ' pPrivateKeyInfo - pointer to a CRYPT_PRIVATE_KEY_INFO structure which
  686. ' describes the key being imported
  687. ' EncryptedPrivateKey - the encrypted private key blob
  688. ' phCryptProv - a pointer to a HCRRYPTPROV to be filled in
  689. ' pVoidResolveFunc - this is the pVoidResolveFunc passed in by the caller in the
  690. ' CRYPT_PRIVATE_KEY_BLOB_AND_PARAMS struct
  691. '+-------------------------------------------------------------------------
  692. '+-------------------------------------------------------------------------
  693. ' this struct contains a PKCS8 private key and two pointers to callback
  694. ' functions, with a corresponding pVoids. the first callback is used to give
  695. ' the caller the opportunity to specify where the key is imported to. the callback
  696. ' passes the caller the algoroithm OID and key size to use in making the decision.
  697. ' the other callback is used to decrypt the private key if the PKCS8 contains an
  698. ' EncryptedPrivateKeyInfo. both pVoids are preserved and passed back to the caller
  699. ' in the respective callback
  700. '+-------------------------------------------------------------------------
  701. '+-------------------------------------------------------------------------
  702. ' this struct contains information identifying a private key and a pointer
  703. ' to a callback function, with a corresponding pVoid. The callback is used
  704. ' to encrypt the private key. If the pEncryptPrivateKeyFunc is NULL, the
  705. ' key will not be encrypted and an EncryptedPrivateKeyInfo will not be generated.
  706. ' The pVoid is preserved and passed back to the caller in the respective callback
  707. '+-------------------------------------------------------------------------
  708. '+-------------------------------------------------------------------------
  709. ' Information stored in a certificate
  710. '
  711. ' The Issuer, Subject, Algorithm, PublicKey and Extension BLOBs are the
  712. ' encoded representation of the information.
  713. '--------------------------------------------------------------------------
  714. '+-------------------------------------------------------------------------
  715. ' Certificate versions
  716. '--------------------------------------------------------------------------
  717. Public Const CERT_V1 As Long = 0
  718. Public Const CERT_V2 As Long = 1
  719. Public Const CERT_V3 As Long = 2
  720. '+-------------------------------------------------------------------------
  721. ' Certificate Information Flags
  722. '--------------------------------------------------------------------------
  723. Public Const CERT_INFO_VERSION_FLAG As Long = 1
  724. Public Const CERT_INFO_SERIAL_NUMBER_FLAG As Long = 2
  725. Public Const CERT_INFO_SIGNATURE_ALGORITHM_FLAG As Long = 3
  726. Public Const CERT_INFO_ISSUER_FLAG As Long = 4
  727. Public Const CERT_INFO_NOT_BEFORE_FLAG As Long = 5
  728. Public Const CERT_INFO_NOT_AFTER_FLAG As Long = 6
  729. Public Const CERT_INFO_SUBJECT_FLAG As Long = 7
  730. Public Const CERT_INFO_SUBJECT_PUBLIC_KEY_INFO_FLAG As Long = 8
  731. Public Const CERT_INFO_ISSUER_UNIQUE_ID_FLAG As Long = 9
  732. Public Const CERT_INFO_SUBJECT_UNIQUE_ID_FLAG As Long = 10
  733. Public Const CERT_INFO_EXTENSION_FLAG As Long = 11
  734. '+-------------------------------------------------------------------------
  735. ' An entry in a CRL
  736. '
  737. ' The Extension BLOBs are the encoded representation of the information.
  738. '--------------------------------------------------------------------------
  739. '+-------------------------------------------------------------------------
  740. ' Information stored in a CRL
  741. '
  742. ' The Issuer, Algorithm and Extension BLOBs are the encoded
  743. ' representation of the information.
  744. '--------------------------------------------------------------------------
  745. '+-------------------------------------------------------------------------
  746. ' CRL versions
  747. '--------------------------------------------------------------------------
  748. Public Const CRL_V1 As Long = 0
  749. Public Const CRL_V2 As Long = 1
  750. '+-------------------------------------------------------------------------
  751. ' Information stored in a certificate request
  752. '
  753. ' The Subject, Algorithm, PublicKey and Attribute BLOBs are the encoded
  754. ' representation of the information.
  755. '--------------------------------------------------------------------------
  756. '+-------------------------------------------------------------------------
  757. ' Certificate Request versions
  758. '--------------------------------------------------------------------------
  759. Public Const CERT_REQUEST_V1 As Long = 0
  760. '+-------------------------------------------------------------------------
  761. ' Information stored in Netscape's Keygen request
  762. '--------------------------------------------------------------------------
  763. Public Const CERT_KEYGEN_REQUEST_V1 As Long = 0
  764. '+-------------------------------------------------------------------------
  765. ' Certificate, CRL, Certificate Request or Keygen Request Signed Content
  766. '
  767. ' The "to be signed" encoded content plus its signature. The ToBeSigned
  768. ' is the encoded CERT_INFO, CRL_INFO, CERT_REQUEST_INFO or
  769. ' CERT_KEYGEN_REQUEST_INFO.
  770. '--------------------------------------------------------------------------
  771. '+-------------------------------------------------------------------------
  772. '--------------------------------------------------------------------------
  773. '+-------------------------------------------------------------------------
  774. ' CTL Usage. Also used for EnhancedKeyUsage extension.
  775. '--------------------------------------------------------------------------
  776. '+-------------------------------------------------------------------------
  777. ' An entry in a CTL
  778. '--------------------------------------------------------------------------
  779. '+-------------------------------------------------------------------------
  780. ' Information stored in a CTL
  781. '--------------------------------------------------------------------------
  782. '+-------------------------------------------------------------------------
  783. ' CTL versions
  784. '--------------------------------------------------------------------------
  785. Public Const CTL_V1 As Long = 0
  786. '+-------------------------------------------------------------------------
  787. ' TimeStamp Request
  788. '
  789. ' The pszTimeStamp is the OID for the Time type requested
  790. ' The pszContentType is the Content Type OID for the content, usually DATA
  791. ' The Content is a un-decoded blob
  792. '--------------------------------------------------------------------------
  793. '+-------------------------------------------------------------------------
  794. ' Name Value Attribute
  795. '--------------------------------------------------------------------------
  796. '+-------------------------------------------------------------------------
  797. ' CSP Provider
  798. '--------------------------------------------------------------------------
  799. '+-------------------------------------------------------------------------
  800. ' Certificate and Message encoding types
  801. '
  802. ' The encoding type is a DWORD containing both the certificate and message
  803. ' encoding types. The certificate encoding type is stored in the LOWORD.
  804. ' The message encoding type is stored in the HIWORD. Some functions or
  805. ' structure fields require only one of the encoding types. The following
  806. ' required:
  807. '
  808. ' Its always acceptable to specify both.
  809. '--------------------------------------------------------------------------
  810. Public Const CERT_ENCODING_TYPE_MASK As Long = &H0000FFFF
  811. Public Const CMSG_ENCODING_TYPE_MASK As Long = &HFFFF0000
  812. Public Const CRYPT_ASN_ENCODING As Long = &H00000001
  813. Public Const CRYPT_NDR_ENCODING As Long = &H00000002
  814. Public Const X509_ASN_ENCODING As Long = &H00000001
  815. Public Const X509_NDR_ENCODING As Long = &H00000002
  816. Public Const PKCS_7_ASN_ENCODING As Long = &H00010000
  817. Public Const PKCS_7_NDR_ENCODING As Long = &H00020000
  818. '+-------------------------------------------------------------------------
  819. ' format the specified data structure according to the certificate
  820. ' encoding type.
  821. '
  822. ' The default behavior of CryptFormatObject is to return single line
  823. ' display of the encoded data, that is, each subfield will be concatenated with
  824. ' a ", " on one line. If user prefers to display the data in multiple line,
  825. ' set the flag CRYPT_FORMAT_STR_MULTI_LINE, that is, each subfield will be displayed
  826. ' on a seperate line.
  827. '
  828. ' If there is no formatting routine installed or registered
  829. ' for the lpszStructType, the hex dump of the encoded BLOB will be returned.
  830. ' User can set the flag CRYPT_FORMAT_STR_NO_HEX to disable the hex dump.
  831. '--------------------------------------------------------------------------
  832. '-------------------------------------------------------------------------
  833. ' constants for dwFormatStrType of function CryptFormatObject
  834. '-------------------------------------------------------------------------
  835. Public Const CRYPT_FORMAT_STR_MULTI_LINE As Long = &H0001
  836. Public Const CRYPT_FORMAT_STR_NO_HEX As Long = &H0010
  837. '-------------------------------------------------------------------------
  838. ' constants for dwFormatType of function CryptFormatObject
  839. ' when format X509_NAME or X509_UNICODE_NAME
  840. '-------------------------------------------------------------------------
  841. ' Just get the simple string
  842. Public Const CRYPT_FORMAT_SIMPLE As Long = &H0001
  843. 'Put an attribute name infront of the attribute
  844. 'such as "O=Microsoft,DN=xiaohs"
  845. Public Const CRYPT_FORMAT_X509 As Long = &H0002
  846. 'Put an OID infront of the simple string, such as
  847. '"2.5.4.22=Microsoft,2.5.4.3=xiaohs"
  848. Public Const CRYPT_FORMAT_OID As Long = &H0004
  849. 'Put a ";" between each RDN. The default is ","
  850. Public Const CRYPT_FORMAT_RDN_SEMICOLON As Long = &H0100
  851. 'Put a "\n" between each RDN.
  852. Public Const CRYPT_FORMAT_RDN_CRLF As Long = &H0200
  853. 'Unquote the DN value, which is quoated by default va the following
  854. 'rules: if the DN contains leading or trailing
  855. 'white space or one of the following characters: ",", "+", "=",
  856. '""", "\n", "<", ">", "#" or ";". The quoting character is ".
  857. Public Const CRYPT_FORMAT_RDN_UNQUOTE As Long = &H0400
  858. 'reverse the order of the RDNs before converting to the string
  859. Public Const CRYPT_FORMAT_RDN_REVERSE As Long = &H0800
  860. '-------------------------------------------------------------------------
  861. ' contants dwFormatType of function CryptFormatObject when format a DN.:
  862. '
  863. ' The following three values are defined in the section above:
  864. ' CRYPT_FORMAT_SIMPLE: Just a simple string
  865. ' such as "Microsoft+xiaohs+NT"
  866. ' CRYPT_FORMAT_X509 Put an attribute name infront of the attribute
  867. ' such as "O=Microsoft+xiaohs+NT"
  868. '
  869. ' CRYPT_FORMAT_OID Put an OID infront of the simple string,
  870. ' such as "2.5.4.22=Microsoft+xiaohs+NT"
  871. '
  872. ' Additional values are defined as following:
  873. '----------------------------------------------------------------------------
  874. 'Put a "," between each value. Default is "+"
  875. Public Const CRYPT_FORMAT_COMMA As Long = &H1000
  876. 'Put a ";" between each value
  877. 'Put a "\n" between each value
  878. '+-------------------------------------------------------------------------
  879. ' Encode / decode the specified data structure according to the certificate
  880. ' encoding type.
  881. '
  882. ' See below for a list of the predefined data structures.
  883. '--------------------------------------------------------------------------
  884. ' By default the signature bytes are reversed. The following flag can
  885. ' be set to inhibit the byte reversal.
  886. '
  887. ' This flag is applicable to
  888. ' X509_CERT_TO_BE_SIGNED
  889. Public Const CRYPT_ENCODE_NO_SIGNATURE_BYTE_REVERSAL_FLAG As Long = &H8
  890. ' When the following flag is set the called encode function allocates
  891. ' memory for the encoded bytes. A pointer to the allocated bytes
  892. ' is returned in pvEncoded. If pEncodePara or pEncodePara->pfnAlloc is
  893. ' NULL, then, LocalAlloc is called for the allocation and LocalFree must
  894. ' be called to do the free. Otherwise, pEncodePara->pfnAlloc is called
  895. ' for the allocation.
  896. '
  897. ' *pcbEncoded is ignored on input and updated with the length of the
  898. ' allocated, encoded bytes.
  899. '
  900. ' If pfnAlloc is set, then, pfnFree should also be set.
  901. Public Const CRYPT_ENCODE_ALLOC_FLAG As Long = &H8000
  902. ' The following flag is applicable when encoding X509_UNICODE_NAME.
  903. ' When set, CERT_RDN_T61_STRING is selected instead of
  904. ' CERT_RDN_UNICODE_STRING if all the unicode characters are <= 0xFF
  905. ' The following flag is applicable when encoding X509_UNICODE_NAME.
  906. ' When set, CERT_RDN_UTF8_STRING is selected instead of
  907. ' CERT_RDN_UNICODE_STRING.
  908. ' The following flag is applicable when encoding X509_UNICODE_NAME,
  909. ' X509_UNICODE_NAME_VALUE or X509_UNICODE_ANY_STRING.
  910. ' When set, the characters aren't checked to see if they
  911. ' are valid for the specified Value Type.
  912. ' The following flag is applicable when encoding the PKCS_SORTED_CTL. This
  913. ' flag should be set if the identifier for the TrustedSubjects is a hash,
  914. ' such as, MD5 or SHA1.
  915. Public Const CRYPT_SORTED_CTL_ENCODE_HASHED_SUBJECT_IDENTIFIER_FLAG As Long = &H10000
  916. ' When the following flag is set the nocopy optimization is enabled.
  917. ' This optimization where appropriate, updates the pvStructInfo fields
  918. ' to point to content residing within pbEncoded instead of making a copy
  919. ' of and appending to pvStructInfo.
  920. '
  921. ' Note, when set, pbEncoded can't be freed until pvStructInfo is freed.
  922. Public Const CRYPT_DECODE_NOCOPY_FLAG As Long = &H1
  923. ' plus its signature. Set the following flag, if pbEncoded points to only
  924. ' the "to be signed".
  925. '
  926. ' This flag is applicable to
  927. ' X509_CERT_TO_BE_SIGNED
  928. ' X509_CERT_CRL_TO_BE_SIGNED
  929. ' X509_CERT_REQUEST_TO_BE_SIGNED
  930. ' X509_KEYGEN_REQUEST_TO_BE_SIGNED
  931. Public Const CRYPT_DECODE_TO_BE_SIGNED_FLAG As Long = &H2
  932. ' When the following flag is set, the OID strings are allocated in
  933. ' crypt32.dll and shared instead of being copied into the returned
  934. ' data structure. This flag may be set if crypt32.dll isn't unloaded
  935. ' before the caller is unloaded.
  936. Public Const CRYPT_DECODE_SHARE_OID_STRING_FLAG As Long = &H4
  937. ' By default the signature bytes are reversed. The following flag can
  938. ' be set to inhibit the byte reversal.
  939. '
  940. ' This flag is applicable to
  941. ' X509_CERT_TO_BE_SIGNED
  942. Public Const CRYPT_DECODE_NO_SIGNATURE_BYTE_REVERSAL_FLAG As Long = &H8
  943. ' When the following flag is set the called decode function allocates
  944. ' memory for the decoded structure. A pointer to the allocated structure
  945. ' is returned in pvStructInfo. If pDecodePara or pDecodePara->pfnAlloc is
  946. ' NULL, then, LocalAlloc is called for the allocation and LocalFree must
  947. ' be called to do the free. Otherwise, pDecodePara->pfnAlloc is called
  948. ' for the allocation.
  949. '
  950. ' *pcbStructInfo is ignored on input and updated with the length of the
  951. ' allocated, decoded structure.
  952. '
  953. ' This flag may also be set in the CryptDecodeObject API. Since
  954. ' CryptDecodeObject doesn't take a pDecodePara, LocalAlloc is always
  955. ' called for the allocation which must be freed by calling LocalFree.
  956. Public Const CRYPT_DECODE_ALLOC_FLAG As Long = &H8000
  957. ' The following flag is applicable when decoding X509_UNICODE_NAME,
  958. ' X509_UNICODE_NAME_VALUE or X509_UNICODE_ANY_STRING.
  959. ' By default, CERT_RDN_T61_STRING values are initially decoded
  960. ' as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
  961. ' Setting this flag skips the initial attempt to decode as UTF8.
  962. '+-------------------------------------------------------------------------
  963. ' Predefined X509 certificate data structures that can be encoded / decoded.
  964. '--------------------------------------------------------------------------
  965. Public Const CRYPT_ENCODE_DECODE_NONE As Long = 0
  966. '+-------------------------------------------------------------------------
  967. ' Predefined X509 certificate extension data structures that can be
  968. ' encoded / decoded.
  969. '--------------------------------------------------------------------------
  970. '+-------------------------------------------------------------------------
  971. ' Additional predefined data structures that can be encoded / decoded.
  972. '--------------------------------------------------------------------------
  973. '+-------------------------------------------------------------------------
  974. ' Predefined primitive data structures that can be encoded / decoded.
  975. '--------------------------------------------------------------------------
  976. '+-------------------------------------------------------------------------
  977. ' More predefined X509 certificate extension data structures that can be
  978. ' encoded / decoded.
  979. '--------------------------------------------------------------------------
  980. '+-------------------------------------------------------------------------
  981. ' data structures for private keys
  982. '--------------------------------------------------------------------------
  983. '+-------------------------------------------------------------------------
  984. ' certificate policy qualifier
  985. '--------------------------------------------------------------------------
  986. '+-------------------------------------------------------------------------
  987. ' Diffie-Hellman Key Exchange
  988. '--------------------------------------------------------------------------
  989. '+-------------------------------------------------------------------------
  990. ' X942 Diffie-Hellman
  991. '--------------------------------------------------------------------------
  992. '+-------------------------------------------------------------------------
  993. ' The following is the same as X509_BITS, except before encoding,
  994. ' the bit length is decremented to exclude trailing zero bits.
  995. '--------------------------------------------------------------------------
  996. '+-------------------------------------------------------------------------
  997. ' X942 Diffie-Hellman Other Info
  998. '--------------------------------------------------------------------------
  999. '+-------------------------------------------------------------------------
  1000. '--------------------------------------------------------------------------
  1001. '+-------------------------------------------------------------------------
  1002. ' Predefined PKCS #7 data structures that can be encoded / decoded.
  1003. '--------------------------------------------------------------------------
  1004. '+-------------------------------------------------------------------------
  1005. ' Predefined PKCS #7 data structures that can be encoded / decoded.
  1006. '--------------------------------------------------------------------------
  1007. '+-------------------------------------------------------------------------
  1008. ' can be encoded / decoded.
  1009. '
  1010. ' Predefined values: 2000 .. 2999
  1011. '
  1012. ' See spc.h for value and data structure definitions.
  1013. '--------------------------------------------------------------------------
  1014. '+-------------------------------------------------------------------------
  1015. ' Extension Object Identifiers
  1016. '--------------------------------------------------------------------------
  1017. Public Const szOID_AUTHORITY_KEY_IDENTIFIER As String = "2.5.29.1"
  1018. Public Const szOID_KEY_ATTRIBUTES As String = "2.5.29.2"
  1019. Public Const szOID_CERT_POLICIES_95 As String = "2.5.29.3"
  1020. Public Const szOID_KEY_USAGE_RESTRICTION As String = "2.5.29.4"
  1021. Public Const szOID_SUBJECT_ALT_NAME As String = "2.5.29.7"
  1022. Public Const szOID_ISSUER_ALT_NAME As String = "2.5.29.8"
  1023. Public Const szOID_BASIC_CONSTRAINTS As String = "2.5.29.10"
  1024. Public Const szOID_KEY_USAGE As String = "2.5.29.15"
  1025. Public Const szOID_PRIVATEKEY_USAGE_PERIOD As String = "2.5.29.16"
  1026. Public Const szOID_BASIC_CONSTRAINTS2 As String = "2.5.29.19"
  1027. Public Const szOID_CERT_POLICIES As String = "2.5.29.32"
  1028. Public Const szOID_ANY_CERT_POLICY As String = "2.5.29.32.0"
  1029. Public Const szOID_AUTHORITY_KEY_IDENTIFIER2 As String = "2.5.29.35"
  1030. Public Const szOID_SUBJECT_KEY_IDENTIFIER As String = "2.5.29.14"
  1031. Public Const szOID_SUBJECT_ALT_NAME2 As String = "2.5.29.17"
  1032. Public Const szOID_ISSUER_ALT_NAME2 As String = "2.5.29.18"
  1033. Public Const szOID_CRL_REASON_CODE As String = "2.5.29.21"
  1034. Public Const szOID_CRL_DIST_POINTS As String = "2.5.29.31"
  1035. Public Const szOID_ENHANCED_KEY_USAGE As String = "2.5.29.37"
  1036. ' szOID_CRL_NUMBER -- Base CRLs only. Monotonically increasing sequence
  1037. ' number for each CRL issued by a CA.
  1038. Public Const szOID_CRL_NUMBER As String = "2.5.29.20"
  1039. ' szOID_DELTA_CRL_INDICATOR -- Delta CRLs only. Marked critical.
  1040. ' Contains the minimum base CRL Number that can be used with a delta CRL.
  1041. Public Const szOID_DELTA_CRL_INDICATOR As String = "2.5.29.27"
  1042. Public Const szOID_ISSUING_DIST_POINT As String = "2.5.29.28"
  1043. ' szOID_FRESHEST_CRL -- Base CRLs only. Formatted identically to a CDP
  1044. ' extension that holds URLs to fetch the delta CRL.
  1045. Public Const szOID_FRESHEST_CRL As String = "2.5.29.46"
  1046. Public Const szOID_NAME_CONSTRAINTS As String = "2.5.29.30"
  1047. ' Note on 1/1/2000 szOID_POLICY_MAPPINGS was changed from "2.5.29.5"
  1048. Public Const szOID_POLICY_MAPPINGS As String = "2.5.29.33"
  1049. Public Const szOID_LEGACY_POLICY_MAPPINGS As String = "2.5.29.5"
  1050. Public Const szOID_POLICY_CONSTRAINTS As String = "2.5.29.36"
  1051. ' Microsoft PKCS10 Attributes
  1052. Public Const szOID_RENEWAL_CERTIFICATE As String = "1.3.6.1.4.1.311.13.1"
  1053. Public Const szOID_ENROLLMENT_NAME_VALUE_PAIR As String = "1.3.6.1.4.1.311.13.2.1"
  1054. Public Const szOID_ENROLLMENT_CSP_PROVIDER As String = "1.3.6.1.4.1.311.13.2.2"
  1055. Public Const szOID_OS_VERSION As String = "1.3.6.1.4.1.311.13.2.3"
  1056. '
  1057. ' Extension contain certificate type
  1058. Public Const szOID_ENROLLMENT_AGENT As String = "1.3.6.1.4.1.311.20.2.1"
  1059. Public Const szOID_PKIX As String = "1.3.6.1.5.5.7"
  1060. Public Const szOID_PKIX_PE As String = "1.3.6.1.5.5.7.1"
  1061. Public Const szOID_AUTHORITY_INFO_ACCESS As String = "1.3.6.1.5.5.7.1.1"
' Microsoft extensions or attributes
Public Const szOID_CERT_EXTENSIONS As String = "1.3.6.1.4.1.311.2.1.14"
Public Const szOID_NEXT_UPDATE_LOCATION As String = "1.3.6.1.4.1.311.10.2"
Public Const szOID_REMOVE_CERTIFICATE As String = "1.3.6.1.4.1.311.10.8.1"
' Decoded via X509_CROSS_CERT_DIST_POINTS.
Public Const szOID_CROSS_CERT_DIST_POINTS As String = "1.3.6.1.4.1.311.10.9.1"
' Microsoft PKCS #7 ContentType Object Identifiers
' Certificate Trust List content type.
Public Const szOID_CTL As String = "1.3.6.1.4.1.311.10.1"
' Microsoft Sorted CTL Extension Object Identifier
Public Const szOID_SORTED_CTL As String = "1.3.6.1.4.1.311.10.1.1"
' serialized serial numbers for PRS
Public Const szOID_SERIALIZED As String = "1.3.6.1.4.1.311.10.3.3.1"
' UPN principal name in SubjectAltName (presumably carried as a
' CERT_ALT_NAME_OTHER_NAME entry).
' NOTE(review): a UPN in the SAN is what ties a certificate to a domain
' account for smart-card style logon. A CA that lets the requester choose
' this value must gate it with issuance policy -- verify against the CA
' configuration; this file only defines the OID.
Public Const szOID_NT_PRINCIPAL_NAME As String = "1.3.6.1.4.1.311.20.2.3"
' Windows product update unauthenticated attribute.
' NOTE(review): in PKCS #7 an "unauthenticated" attribute sits outside
' the signed content, so its value is not covered by the signature and
' must not be trusted by a verifier.
Public Const szOID_PRODUCT_UPDATE As String = "1.3.6.1.4.1.311.31.1"
'+-------------------------------------------------------------------------
' Object Identifiers for use with Auto Enrollment (arc 1.3.6.1.4.1.311.20)
'--------------------------------------------------------------------------
Public Const szOID_AUTO_ENROLL_CTL_USAGE As String = "1.3.6.1.4.1.311.20.1"
' Extension containing the certificate type. Compare
' szOID_CERTIFICATE_TEMPLATE (1.3.6.1.4.1.311.21.7) in the Certificate
' Server section.
Public Const szOID_ENROLL_CERTTYPE_EXTENSION As String = "1.3.6.1.4.1.311.20.2"
Public Const szOID_CERT_MANIFOLD As String = "1.3.6.1.4.1.311.20.3"
'+-------------------------------------------------------------------------
' Object Identifiers for use with the MS Certificate Server
' (arc 1.3.6.1.4.1.311.21)
'--------------------------------------------------------------------------
Public Const szOID_CERTSRV_CA_VERSION As String = "1.3.6.1.4.1.311.21.1"
' szOID_CERTSRV_PREVIOUS_CERT_HASH -- Contains the sha1 hash of the previous
' version of the CA certificate.
Public Const szOID_CERTSRV_PREVIOUS_CERT_HASH As String = "1.3.6.1.4.1.311.21.2"
' szOID_CRL_VIRTUAL_BASE -- Delta CRLs only. Contains the base CRL Number
' of the corresponding base CRL.
Public Const szOID_CRL_VIRTUAL_BASE As String = "1.3.6.1.4.1.311.21.3"
' szOID_CRL_NEXT_PUBLISH -- Contains the time when the next CRL is expected
' to be published. This may be sooner than the CRL's NextUpdate field.
' NOTE(review): this is a scheduling hint only; NextUpdate remains the
' bound a verifier enforces, and a CRL past NextUpdate is stale no matter
' what NextPublish says.
Public Const szOID_CRL_NEXT_PUBLISH As String = "1.3.6.1.4.1.311.21.4"
' Enhanced Key Usage for CA encryption certificate
Public Const szOID_KP_CA_EXCHANGE As String = "1.3.6.1.4.1.311.21.5"
' Enhanced Key Usage for key recovery agent certificate
' NOTE(review): presumably a holder of this EKU can recover archived
' private keys (see szOID_KP_KEY_RECOVERY), so issuance should be treated
' as a high-privilege operation -- confirm against the CA's KRA policy.
Public Const szOID_KP_KEY_RECOVERY_AGENT As String = "1.3.6.1.4.1.311.21.6"
' Certificate template extension (compare szOID_ENROLL_CERTTYPE_EXTENSION).
Public Const szOID_CERTIFICATE_TEMPLATE As String = "1.3.6.1.4.1.311.21.7"
' The root oid for all enterprise specific oids
Public Const szOID_ENTERPRISE_OID_ROOT As String = "1.3.6.1.4.1.311.21.8"
' Dummy signing Subject RDN
Public Const szOID_RDN_DUMMY_SIGNER As String = "1.3.6.1.4.1.311.21.9"
' Application Policies extension -- same encoding as szOID_CERT_POLICIES
Public Const szOID_APPLICATION_CERT_POLICIES As String = "1.3.6.1.4.1.311.21.10"
' Application Policy Mappings -- same encoding as szOID_POLICY_MAPPINGS
Public Const szOID_APPLICATION_POLICY_MAPPINGS As String = "1.3.6.1.4.1.311.21.11"
' Application Policy Constraints -- same encoding as szOID_POLICY_CONSTRAINTS
Public Const szOID_APPLICATION_POLICY_CONSTRAINTS As String = "1.3.6.1.4.1.311.21.12"
' Archived key request attribute (name suggests it carries the private
' key material submitted for archival -- confirm before relying on it).
Public Const szOID_ARCHIVED_KEY_ATTR As String = "1.3.6.1.4.1.311.21.13"
Public Const szOID_CRL_SELF_CDP As String = "1.3.6.1.4.1.311.21.14"
' Requires all certificates below the root to have a non-empty intersecting
' issuance certificate policy usage.
Public Const szOID_REQUIRE_CERT_CHAIN_POLICY As String = "1.3.6.1.4.1.311.21.15"
'+-------------------------------------------------------------------------
' Object Identifiers for use with the MS Directory Service
'--------------------------------------------------------------------------
Public Const szOID_NTDS_REPLICATION As String = "1.3.6.1.4.1.311.25.1"
'+-------------------------------------------------------------------------
' X.509 subjectDirectoryAttributes extension (arc 2.5.29).
'--------------------------------------------------------------------------
Public Const szOID_SUBJECT_DIR_ATTRS As String = "2.5.29.9"
'+-------------------------------------------------------------------------
' PKIX key-purpose arc; the szOID_PKIX_KP_* enhanced key usages below hang
' off this prefix.
'--------------------------------------------------------------------------
Public Const szOID_PKIX_KP As String = "1.3.6.1.5.5.7.3"
' PKIX enhanced key usages. The "Consistent key usage bits" notes list the
' CERT_*_KEY_USAGE bits a certificate carrying each EKU is expected to set.
' Consistent key usage bits: DIGITAL_SIGNATURE, KEY_ENCIPHERMENT
' or KEY_AGREEMENT
Public Const szOID_PKIX_KP_SERVER_AUTH As String = "1.3.6.1.5.5.7.3.1"
' Consistent key usage bits: DIGITAL_SIGNATURE
Public Const szOID_PKIX_KP_CLIENT_AUTH As String = "1.3.6.1.5.5.7.3.2"
' Consistent key usage bits: DIGITAL_SIGNATURE
Public Const szOID_PKIX_KP_CODE_SIGNING As String = "1.3.6.1.5.5.7.3.3"
' Consistent key usage bits: DIGITAL_SIGNATURE, NON_REPUDIATION and/or
' (KEY_ENCIPHERMENT or KEY_AGREEMENT)
Public Const szOID_PKIX_KP_EMAIL_PROTECTION As String = "1.3.6.1.5.5.7.3.4"
' Consistent key usage bits: DIGITAL_SIGNATURE and/or
' (KEY_ENCIPHERMENT or KEY_AGREEMENT)
Public Const szOID_PKIX_KP_IPSEC_END_SYSTEM As String = "1.3.6.1.5.5.7.3.5"
' Consistent key usage bits: DIGITAL_SIGNATURE and/or
' (KEY_ENCIPHERMENT or KEY_AGREEMENT)
Public Const szOID_PKIX_KP_IPSEC_TUNNEL As String = "1.3.6.1.5.5.7.3.6"
' Consistent key usage bits: DIGITAL_SIGNATURE and/or
' (KEY_ENCIPHERMENT or KEY_AGREEMENT)
Public Const szOID_PKIX_KP_IPSEC_USER As String = "1.3.6.1.5.5.7.3.7"
' Consistent key usage bits: DIGITAL_SIGNATURE or NON_REPUDIATION
Public Const szOID_PKIX_KP_TIMESTAMP_SIGNING As String = "1.3.6.1.5.5.7.3.8"
'+-------------------------------------------------------------------------
' Microsoft enhanced key usage OIDs (mostly arc 1.3.6.1.4.1.311.10.3).
'+-------------------------------------------------------------------------
' Signer of CTLs
Public Const szOID_KP_CTL_USAGE_SIGNING As String = "1.3.6.1.4.1.311.10.3.1"
' Signer of TimeStamps (Microsoft form; the PKIX form is
' szOID_PKIX_KP_TIMESTAMP_SIGNING)
Public Const szOID_KP_TIME_STAMP_SIGNING As String = "1.3.6.1.4.1.311.10.3.2"
' Server Gated Crypto, Microsoft and Netscape forms.
' NOTE(review): export-era step-up cryptography; presumably legacy and
' worth flagging if a policy still honours it -- confirm for your verifier.
Public Const szOID_SERVER_GATED_CRYPTO As String = "1.3.6.1.4.1.311.10.3.3"
Public Const szOID_SGC_NETSCAPE As String = "2.16.840.1.113730.4.1"
' Encrypting File System
Public Const szOID_KP_EFS As String = "1.3.6.1.4.1.311.10.3.4"
Public Const szOID_WHQL_CRYPTO As String = "1.3.6.1.4.1.311.10.3.5"
' Signed by the NT5 build lab
Public Const szOID_NT5_CRYPTO As String = "1.3.6.1.4.1.311.10.3.6"
' Signed by an OEM of WHQL
Public Const szOID_OEM_WHQL_CRYPTO As String = "1.3.6.1.4.1.311.10.3.7"
' Signed by the Embedded NT
Public Const szOID_EMBEDDED_NT_CRYPTO As String = "1.3.6.1.4.1.311.10.3.8"
' Signer of a CTL containing trusted roots
Public Const szOID_ROOT_LIST_SIGNER As String = "1.3.6.1.4.1.311.10.3.9"
' Can sign cross-cert and subordinate CA requests with qualified
' subordination
Public Const szOID_KP_QUALIFIED_SUBORDINATION As String = "1.3.6.1.4.1.311.10.3.10"
' Can be used to encrypt/recover escrowed keys
Public Const szOID_KP_KEY_RECOVERY As String = "1.3.6.1.4.1.311.10.3.11"
Public Const szOID_DRM As String = "1.3.6.1.4.1.311.10.5.1"
Public Const szOID_LICENSES As String = "1.3.6.1.4.1.311.10.6.1"
Public Const szOID_LICENSE_SERVER As String = "1.3.6.1.4.1.311.10.6.2"
' Smart card logon EKU (sits on the 20.2 arc next to szOID_ENROLLMENT_AGENT
' and szOID_NT_PRINCIPAL_NAME).
Public Const szOID_KP_SMARTCARD_LOGON As String = "1.3.6.1.4.1.311.20.2.2"
'+-------------------------------------------------------------------------
' Microsoft Attribute Object Identifiers
'+-------------------------------------------------------------------------
Public Const szOID_YESNO_TRUST_ATTR As String = "1.3.6.1.4.1.311.10.4.1"
'+-------------------------------------------------------------------------
' Qualifiers that may be part of the szOID_CERT_POLICIES and
' szOID_CERT_POLICIES95 extensions
'+-------------------------------------------------------------------------
' PKIX qualifiers: CPS pointer and user notice.
Public Const szOID_PKIX_POLICY_QUALIFIER_CPS As String = "1.3.6.1.5.5.7.2.1"
Public Const szOID_PKIX_POLICY_QUALIFIER_USERNOTICE As String = "1.3.6.1.5.5.7.2.2"
' OID for the old (Verisign-arc) qualifier; decode only, see
' szOID_CERT_POLICIES_95_QUALIFIER1 below.
Public Const szOID_CERT_POLICIES_95_QUALIFIER1 As String = "2.16.840.1.113733.1.7.1.1"
  1182. '+-------------------------------------------------------------------------
  1183. ' X509_CERT
  1184. '
  1185. ' The "to be signed" encoded content plus its signature. The ToBeSigned
  1186. ' X509_CERT_TO_BE_SIGNED, X509_CERT_CRL_TO_BE_SIGNED or
  1187. ' X509_CERT_REQUEST_TO_BE_SIGNED.
  1188. '
  1189. ' pvStructInfo points to CERT_SIGNED_CONTENT_INFO.
  1190. '--------------------------------------------------------------------------
  1191. '+-------------------------------------------------------------------------
  1192. ' X509_CERT_TO_BE_SIGNED
  1193. '
  1194. ' pvStructInfo points to CERT_INFO.
  1195. '
  1196. '
  1197. '--------------------------------------------------------------------------
  1198. '+-------------------------------------------------------------------------
  1199. ' X509_CERT_CRL_TO_BE_SIGNED
  1200. '
  1201. ' pvStructInfo points to CRL_INFO.
  1202. '
  1203. '
  1204. '--------------------------------------------------------------------------
  1205. '+-------------------------------------------------------------------------
  1206. ' X509_CERT_REQUEST_TO_BE_SIGNED
  1207. '
  1208. ' pvStructInfo points to CERT_REQUEST_INFO.
  1209. '
  1210. '
  1211. '--------------------------------------------------------------------------
  1212. '+-------------------------------------------------------------------------
  1213. ' X509_EXTENSIONS
  1214. ' szOID_CERT_EXTENSIONS
  1215. '
  1216. ' pvStructInfo points to following CERT_EXTENSIONS.
  1217. '--------------------------------------------------------------------------
  1218. '+-------------------------------------------------------------------------
  1219. ' X509_NAME_VALUE
  1220. ' X509_ANY_STRING
  1221. '
  1222. ' pvStructInfo points to CERT_NAME_VALUE.
  1223. '--------------------------------------------------------------------------
  1224. '+-------------------------------------------------------------------------
  1225. ' X509_UNICODE_NAME_VALUE
  1226. ' X509_UNICODE_ANY_STRING
  1227. '
  1228. ' pvStructInfo points to CERT_NAME_VALUE.
  1229. '
  1230. ' The name values are unicode strings.
  1231. '
  1232. ' For CryptEncodeObject:
  1233. ' Value.pbData points to the unicode string.
  1234. ' If Value.cbData = 0, then, the unicode string is NULL terminated.
  1235. ' Otherwise, Value.cbData is the unicode string byte count. The byte count
  1236. ' is twice the character count.
  1237. '
  1238. ' If the unicode string contains an invalid character for the specified
  1239. ' dwValueType, then, *pcbEncoded is updated with the unicode character
  1240. ' index of the first invalid character. LastError is set to:
  1241. ' CRYPT_E_INVALID_NUMERIC_STRING, CRYPT_E_INVALID_PRINTABLE_STRING or
  1242. ' CRYPT_E_INVALID_IA5_STRING.
  1243. '
  1244. ' To disable the above check, either set CERT_RDN_DISABLE_CHECK_TYPE_FLAG
  1245. ' in dwValueType or set CRYPT_UNICODE_NAME_ENCODE_DISABLE_CHECK_TYPE_FLAG
  1246. ' in dwFlags passed to CryptEncodeObjectEx.
  1247. '
  1248. ' The unicode string is converted before being encoded according to
  1249. ' the specified dwValueType. If dwValueType is set to 0, LastError
  1250. ' is set to E_INVALIDARG.
  1251. '
' If the dwValueType isn't one of the character string types (it is either
' CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING), then, CryptEncodeObject
' will return FALSE with LastError set to CRYPT_E_NOT_CHAR_STRING.
  1254. '
  1255. ' For CryptDecodeObject:
  1256. ' Value.pbData points to a NULL terminated unicode string. Value.cbData
  1257. ' contains the byte count of the unicode string excluding the NULL
  1258. ' terminator. dwValueType contains the type used in the encoded object.
' It is not forced to CERT_RDN_UNICODE_STRING. The encoded value is
  1260. ' converted to the unicode string according to the dwValueType.
  1261. '
  1262. ' If the encoded object isn't one of the character string types, then,
  1263. ' CryptDecodeObject will return FALSE with LastError set to
  1264. ' CRYPT_E_NOT_CHAR_STRING. For a non character string, decode using
  1265. ' X509_NAME_VALUE or X509_ANY_STRING.
  1266. '
  1267. ' By default, CERT_RDN_T61_STRING values are initially decoded
  1268. ' as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
  1269. ' Set CRYPT_UNICODE_NAME_DECODE_DISABLE_IE4_UTF8_FLAG in dwFlags
  1270. ' passed to either CryptDecodeObject or CryptDecodeObjectEx to
  1271. ' skip the initial attempt to decode as UTF8.
  1272. '--------------------------------------------------------------------------
  1273. '+-------------------------------------------------------------------------
  1274. ' X509_NAME
  1275. '
  1276. ' pvStructInfo points to CERT_NAME_INFO.
  1277. '--------------------------------------------------------------------------
  1278. '+-------------------------------------------------------------------------
  1279. ' X509_UNICODE_NAME
  1280. '
  1281. ' pvStructInfo points to CERT_NAME_INFO.
  1282. '
  1283. ' The RDN attribute values are unicode strings except for the dwValueTypes of
  1284. ' CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING. These dwValueTypes are
  1285. ' the same as for a X509_NAME. Their values aren't converted to/from unicode.
  1286. '
  1287. ' For CryptEncodeObject:
  1288. ' Value.pbData points to the unicode string.
  1289. ' If Value.cbData = 0, then, the unicode string is NULL terminated.
  1290. ' Otherwise, Value.cbData is the unicode string byte count. The byte count
  1291. ' is twice the character count.
  1292. '
' If dwValueType is 0, the RDN attribute's ObjId is used to select
' an acceptable dwValueType. If the unicode string contains an
  1294. ' invalid character for the found or specified dwValueType, then,
  1295. ' *pcbEncoded is updated with the error location of the invalid character.
  1296. ' See below for details. LastError is set to:
  1297. ' CRYPT_E_INVALID_NUMERIC_STRING, CRYPT_E_INVALID_PRINTABLE_STRING or
  1298. ' CRYPT_E_INVALID_IA5_STRING.
  1299. '
  1300. ' To disable the above check, either set CERT_RDN_DISABLE_CHECK_TYPE_FLAG
  1301. ' in dwValueType or set CRYPT_UNICODE_NAME_ENCODE_DISABLE_CHECK_TYPE_FLAG
  1302. ' in dwFlags passed to CryptEncodeObjectEx.
  1303. '
  1304. ' Set CERT_RDN_UNICODE_STRING in dwValueType or set
  1305. ' CRYPT_UNICODE_NAME_ENCODE_ENABLE_T61_UNICODE_FLAG in dwFlags passed
  1306. ' to CryptEncodeObjectEx to select CERT_RDN_T61_STRING instead of
  1307. ' CERT_RDN_UNICODE_STRING if all the unicode characters are <= 0xFF.
  1308. '
  1309. ' Set CERT_RDN_ENABLE_UTF8_UNICODE_STRING in dwValueType or set
  1310. ' CRYPT_UNICODE_NAME_ENCODE_ENABLE_UTF8_UNICODE_FLAG in dwFlags passed
  1311. ' to CryptEncodeObjectEx to select CERT_RDN_UTF8_STRING instead of
  1312. ' CERT_RDN_UNICODE_STRING.
  1313. '
  1314. ' The unicode string is converted before being encoded according to
  1315. ' the specified or ObjId matching dwValueType.
  1316. '
  1317. ' For CryptDecodeObject:
  1318. ' Value.pbData points to a NULL terminated unicode string. Value.cbData
  1319. ' contains the byte count of the unicode string excluding the NULL
  1320. ' terminator. dwValueType contains the type used in the encoded object.
' It is not forced to CERT_RDN_UNICODE_STRING. The encoded value is
  1322. ' converted to the unicode string according to the dwValueType.
  1323. '
' If the dwValueType of the encoded value isn't a character string
' type, then, it isn't converted to UNICODE. Check dwValueType before
' assuming that Value.pbData points to a converted unicode string.
  1327. '
  1328. ' By default, CERT_RDN_T61_STRING values are initially decoded
  1329. ' as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
  1330. ' Set CRYPT_UNICODE_NAME_DECODE_DISABLE_IE4_UTF8_FLAG in dwFlags
  1331. ' passed to either CryptDecodeObject or CryptDecodeObjectEx to
  1332. ' skip the initial attempt to decode as UTF8.
  1333. '--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Unicode Name Value Error Location Definitions
'
' Error location is returned in *pcbEncoded by
' CryptEncodeObject(X509_UNICODE_NAME) when it fails with one of the
' CRYPT_E_INVALID_*_STRING errors.
'
' Error location consists of:
' RDN_INDEX - 10 bits << 22
' ATTR_INDEX - 6 bits << 16
' VALUE_INDEX - 16 bits << 0 (character index within the value)
' Apply the mask after shifting right by the matching SHIFT constant.
'--------------------------------------------------------------------------
Public Const CERT_UNICODE_RDN_ERR_INDEX_MASK As Long = &H3FF
Public Const CERT_UNICODE_RDN_ERR_INDEX_SHIFT As Long = 22
Public Const CERT_UNICODE_ATTR_ERR_INDEX_MASK As Long = &H003F
Public Const CERT_UNICODE_ATTR_ERR_INDEX_SHIFT As Long = 16
' NOTE(review): written with leading zeros so the literal is read as a
' Long (65535); a bare &HFFFF would be an Integer -1 and sign-extend to
' &HFFFFFFFF when stored in a Long -- confirm in the IDE before editing.
Public Const CERT_UNICODE_VALUE_ERR_INDEX_MASK As Long = &H0000FFFF
Public Const CERT_UNICODE_VALUE_ERR_INDEX_SHIFT As Long = 0
  1349. '+-------------------------------------------------------------------------
  1350. ' X509_PUBLIC_KEY_INFO
  1351. '
  1352. ' pvStructInfo points to CERT_PUBLIC_KEY_INFO.
  1353. '--------------------------------------------------------------------------
  1354. '+-------------------------------------------------------------------------
  1355. ' X509_AUTHORITY_KEY_ID
  1356. ' szOID_AUTHORITY_KEY_IDENTIFIER
  1357. '
  1358. ' pvStructInfo points to following CERT_AUTHORITY_KEY_ID_INFO.
  1359. '--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_KEY_ATTRIBUTES
' szOID_KEY_ATTRIBUTES
'
' pvStructInfo points to following CERT_KEY_ATTRIBUTES_INFO.
'
' The bit masks below are applied to the bytes of the key usage bit
' string (the same bits are used by X509_KEY_USAGE, see below).
' NOTE(review): CERT_OFFLINE_CRL_SIGN_KEY_USAGE and CERT_CRL_SIGN_KEY_USAGE
' are the same bit (&H02); there is no separate "offline" bit.
' NOTE(review): a path validator should require CERT_KEY_CERT_SIGN_KEY_USAGE
' on any certificate it accepts as an issuer when a key usage extension is
' present -- confirm that the consumer of these masks does so.
'--------------------------------------------------------------------------
' Byte[0]
Public Const CERT_DIGITAL_SIGNATURE_KEY_USAGE As Long = &H80
Public Const CERT_NON_REPUDIATION_KEY_USAGE As Long = &H40
Public Const CERT_KEY_ENCIPHERMENT_KEY_USAGE As Long = &H20
Public Const CERT_DATA_ENCIPHERMENT_KEY_USAGE As Long = &H10
Public Const CERT_KEY_AGREEMENT_KEY_USAGE As Long = &H08
Public Const CERT_KEY_CERT_SIGN_KEY_USAGE As Long = &H04
Public Const CERT_OFFLINE_CRL_SIGN_KEY_USAGE As Long = &H02
Public Const CERT_CRL_SIGN_KEY_USAGE As Long = &H02
Public Const CERT_ENCIPHER_ONLY_KEY_USAGE As Long = &H01
' Byte[1] (only present when the bit string is at least 9 bits long)
Public Const CERT_DECIPHER_ONLY_KEY_USAGE As Long = &H80
  1378. '+-------------------------------------------------------------------------
  1379. ' X509_KEY_USAGE_RESTRICTION
  1380. ' szOID_KEY_USAGE_RESTRICTION
  1381. '
  1382. ' pvStructInfo points to following CERT_KEY_USAGE_RESTRICTION_INFO.
  1383. '--------------------------------------------------------------------------
  1384. ' See CERT_KEY_ATTRIBUTES_INFO for definition of the RestrictedKeyUsage bits
'+-------------------------------------------------------------------------
' X509_ALTERNATE_NAME
' szOID_SUBJECT_ALT_NAME
' szOID_ISSUER_ALT_NAME
' szOID_SUBJECT_ALT_NAME2
' szOID_ISSUER_ALT_NAME2
'
' pvStructInfo points to following CERT_ALT_NAME_INFO.
'
' dwAltNameChoice values for each CERT_ALT_NAME_ENTRY:
'--------------------------------------------------------------------------
' OID-tagged value (e.g. a szOID_NT_PRINCIPAL_NAME UPN -- presumably).
Public Const CERT_ALT_NAME_OTHER_NAME As Long = 1
Public Const CERT_ALT_NAME_RFC822_NAME As Long = 2
Public Const CERT_ALT_NAME_DNS_NAME As Long = 3
Public Const CERT_ALT_NAME_X400_ADDRESS As Long = 4
Public Const CERT_ALT_NAME_DIRECTORY_NAME As Long = 5
Public Const CERT_ALT_NAME_EDI_PARTY_NAME As Long = 6
Public Const CERT_ALT_NAME_URL As Long = 7
Public Const CERT_ALT_NAME_IP_ADDRESS As Long = 8
Public Const CERT_ALT_NAME_REGISTERED_ID As Long = 9
'+-------------------------------------------------------------------------
' Alternate name IA5 Error Location Definitions for
' CRYPT_E_INVALID_IA5_STRING.
'
' Error location is returned in *pcbEncoded by
' CryptEncodeObject(X509_ALTERNATE_NAME).
'
' Error location consists of:
' ENTRY_INDEX - 8 bits << 16
' VALUE_INDEX - 16 bits << 0 (character index within the entry)
'--------------------------------------------------------------------------
Public Const CERT_ALT_NAME_ENTRY_ERR_INDEX_MASK As Long = &HFF
Public Const CERT_ALT_NAME_ENTRY_ERR_INDEX_SHIFT As Long = 16
' Leading zeros keep this literal a Long (65535) rather than Integer -1.
Public Const CERT_ALT_NAME_VALUE_ERR_INDEX_MASK As Long = &H0000FFFF
Public Const CERT_ALT_NAME_VALUE_ERR_INDEX_SHIFT As Long = 0
'+-------------------------------------------------------------------------
' X509_BASIC_CONSTRAINTS
' szOID_BASIC_CONSTRAINTS
'
' pvStructInfo points to following CERT_BASIC_CONSTRAINTS_INFO.
'
' SubjectType bit masks (first byte of the bit string). This is the older
' form; X509_BASIC_CONSTRAINTS2 / CERT_BASIC_CONSTRAINTS2_INFO carries the
' fCA flag directly.
'--------------------------------------------------------------------------
Public Const CERT_CA_SUBJECT_FLAG As Long = &H80
Public Const CERT_END_ENTITY_SUBJECT_FLAG As Long = &H40
  1424. '+-------------------------------------------------------------------------
  1425. ' X509_BASIC_CONSTRAINTS2
  1426. ' szOID_BASIC_CONSTRAINTS2
  1427. '
  1428. ' pvStructInfo points to following CERT_BASIC_CONSTRAINTS2_INFO.
  1429. '--------------------------------------------------------------------------
  1430. '+-------------------------------------------------------------------------
  1431. ' X509_KEY_USAGE
  1432. ' szOID_KEY_USAGE
  1433. '
  1434. ' pvStructInfo points to a CRYPT_BIT_BLOB. Has same bit definitions as
  1435. ' CERT_KEY_ATTRIBUTES_INFO's IntendedKeyUsage.
  1436. '--------------------------------------------------------------------------
  1437. '+-------------------------------------------------------------------------
  1438. ' X509_CERT_POLICIES
  1439. ' szOID_CERT_POLICIES
  1440. ' szOID_CERT_POLICIES_95 NOTE--Only allowed for decoding!!!
  1441. '
  1442. ' pvStructInfo points to following CERT_POLICIES_INFO.
  1443. '
  1444. ' NOTE: when decoding using szOID_CERT_POLICIES_95 the pszPolicyIdentifier
  1445. ' may contain an empty string
  1446. '--------------------------------------------------------------------------
  1447. '+-------------------------------------------------------------------------
  1448. ' X509_PKIX_POLICY_QUALIFIER_USERNOTICE
  1449. ' szOID_PKIX_POLICY_QUALIFIER_USERNOTICE
  1450. '
  1451. ' pvStructInfo points to following CERT_POLICY_QUALIFIER_USER_NOTICE.
  1452. '
  1453. '--------------------------------------------------------------------------
  1454. '+-------------------------------------------------------------------------
  1455. ' szOID_CERT_POLICIES_95_QUALIFIER1 - Decode Only!!!!
  1456. '
  1457. ' pvStructInfo points to following CERT_POLICY95_QUALIFIER1.
  1458. '
  1459. '--------------------------------------------------------------------------
  1460. '+-------------------------------------------------------------------------
  1461. ' X509_POLICY_MAPPINGS
  1462. ' szOID_POLICY_MAPPINGS
  1463. ' szOID_LEGACY_POLICY_MAPPINGS
  1464. '
  1465. ' pvStructInfo points to following CERT_POLICY_MAPPINGS_INFO.
  1466. '--------------------------------------------------------------------------
  1467. '+-------------------------------------------------------------------------
  1468. ' X509_POLICY_CONSTRAINTS
  1469. ' szOID_POLICY_CONSTRAINTS
  1470. '
  1471. ' pvStructInfo points to following CERT_POLICY_CONSTRAINTS_INFO.
  1472. '--------------------------------------------------------------------------
  1473. '+-------------------------------------------------------------------------
  1474. ' RSA_CSP_PUBLICKEYBLOB
  1475. '
  1476. ' pvStructInfo points to a PUBLICKEYSTRUC immediately followed by a
  1477. ' RSAPUBKEY and the modulus bytes.
  1478. '
  1479. ' CryptExportKey outputs the above StructInfo for a dwBlobType of
  1480. ' PUBLICKEYBLOB. CryptImportKey expects the above StructInfo when
  1481. ' importing a public key.
  1482. '
  1483. ' For dwCertEncodingType = X509_ASN_ENCODING, the RSA_CSP_PUBLICKEYBLOB is
  1484. ' encoded as a PKCS #1 RSAPublicKey consisting of a SEQUENCE of a
' modulus INTEGER and a publicExponent INTEGER. The modulus is encoded
' as an unsigned integer. When decoded, if the modulus was encoded
' as an unsigned integer with a leading 0 byte, the 0 byte is removed before
' converting to the CSP modulus bytes.
  1489. '
  1490. ' For decode, the aiKeyAlg field of PUBLICKEYSTRUC is always set to
  1491. ' CALG_RSA_KEYX.
  1492. '--------------------------------------------------------------------------
  1493. '+-------------------------------------------------------------------------
  1494. ' X509_KEYGEN_REQUEST_TO_BE_SIGNED
  1495. '
  1496. ' pvStructInfo points to CERT_KEYGEN_REQUEST_INFO.
  1497. '
  1498. '
  1499. '--------------------------------------------------------------------------
  1500. '+-------------------------------------------------------------------------
  1501. ' PKCS_ATTRIBUTE data structure
  1502. '
  1503. ' pvStructInfo points to a CRYPT_ATTRIBUTE.
  1504. '--------------------------------------------------------------------------
  1505. '+-------------------------------------------------------------------------
  1506. ' PKCS_ATTRIBUTES data structure
  1507. '
  1508. ' pvStructInfo points to a CRYPT_ATTRIBUTES.
  1509. '--------------------------------------------------------------------------
  1510. '+-------------------------------------------------------------------------
  1511. ' PKCS_CONTENT_INFO_SEQUENCE_OF_ANY data structure
  1512. '
  1513. ' pvStructInfo points to following CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY.
  1514. '
  1515. ' For X509_ASN_ENCODING: encoded as a PKCS#7 ContentInfo structure wrapping
  1516. ' a sequence of ANY. The value of the contentType field is pszObjId,
  1517. ' while the content field is the following structure:
  1518. ' SequenceOfAny ::= SEQUENCE OF ANY
  1519. '
  1520. ' The CRYPT_DER_BLOBs point to the already encoded ANY content.
  1521. '--------------------------------------------------------------------------
  1522. '+-------------------------------------------------------------------------
  1523. ' PKCS_CONTENT_INFO data structure
  1524. '
  1525. ' pvStructInfo points to following CRYPT_CONTENT_INFO.
  1526. '
  1527. ' For X509_ASN_ENCODING: encoded as a PKCS#7 ContentInfo structure.
  1528. ' The CRYPT_DER_BLOB points to the already encoded ANY content.
  1529. '--------------------------------------------------------------------------
  1530. '+-------------------------------------------------------------------------
  1531. ' X509_OCTET_STRING data structure
  1532. '
  1533. ' pvStructInfo points to a CRYPT_DATA_BLOB.
  1534. '--------------------------------------------------------------------------
  1535. '+-------------------------------------------------------------------------
  1536. ' X509_BITS data structure
  1537. '
  1538. ' pvStructInfo points to a CRYPT_BIT_BLOB.
  1539. '--------------------------------------------------------------------------
  1540. '+-------------------------------------------------------------------------
  1541. ' X509_BITS_WITHOUT_TRAILING_ZEROES data structure
  1542. '
  1543. ' pvStructInfo points to a CRYPT_BIT_BLOB.
  1544. '
  1545. ' The same as X509_BITS, except before encoding, the bit length is
  1546. ' decremented to exclude trailing zero bits.
  1547. '--------------------------------------------------------------------------
  1548. '+-------------------------------------------------------------------------
  1549. ' X509_INTEGER data structure
  1550. '
  1551. ' pvStructInfo points to an int.
  1552. '--------------------------------------------------------------------------
  1553. '+-------------------------------------------------------------------------
  1554. ' X509_MULTI_BYTE_INTEGER data structure
  1555. '
  1556. ' pvStructInfo points to a CRYPT_INTEGER_BLOB.
  1557. '--------------------------------------------------------------------------
  1558. '+-------------------------------------------------------------------------
  1559. ' X509_ENUMERATED data structure
  1560. '
  1561. ' pvStructInfo points to an int containing the enumerated value
  1562. '--------------------------------------------------------------------------
  1563. '+-------------------------------------------------------------------------
  1564. ' X509_CHOICE_OF_TIME data structure
  1565. '
  1566. ' pvStructInfo points to a FILETIME.
  1567. '--------------------------------------------------------------------------
  1568. '+-------------------------------------------------------------------------
  1569. ' X509_SEQUENCE_OF_ANY data structure
  1570. '
  1571. ' pvStructInfo points to following CRYPT_SEQUENCE_OF_ANY.
  1572. '
  1573. ' The CRYPT_DER_BLOBs point to the already encoded ANY content.
  1574. '--------------------------------------------------------------------------
  1575. '+-------------------------------------------------------------------------
  1576. ' X509_AUTHORITY_KEY_ID2
  1577. ' szOID_AUTHORITY_KEY_IDENTIFIER2
  1578. '
  1579. ' pvStructInfo points to following CERT_AUTHORITY_KEY_ID2_INFO.
  1580. '
' For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
' *pcbEncoded by CryptEncodeObject(X509_AUTHORITY_KEY_ID2).
'
' See X509_ALTERNATE_NAME for error location defines.
  1584. '--------------------------------------------------------------------------
  1585. '+-------------------------------------------------------------------------
  1586. ' szOID_SUBJECT_KEY_IDENTIFIER
  1587. '
  1588. ' pvStructInfo points to a CRYPT_DATA_BLOB.
  1589. '--------------------------------------------------------------------------
  1590. '+-------------------------------------------------------------------------
  1591. ' X509_AUTHORITY_INFO_ACCESS
  1592. ' szOID_AUTHORITY_INFO_ACCESS
  1593. '
  1594. ' pvStructInfo points to following CERT_AUTHORITY_INFO_ACCESS.
  1595. '
' For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
' *pcbEncoded by CryptEncodeObject(X509_AUTHORITY_INFO_ACCESS).
'
  1598. ' Error location consists of:
  1599. ' ENTRY_INDEX - 8 bits << 16
  1600. '
  1601. ' See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
  1602. ' defines.
  1603. '--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' PKIX Access Description: Access Method Object Identifiers
' (used in the szOID_AUTHORITY_INFO_ACCESS extension).
'--------------------------------------------------------------------------
Public Const szOID_PKIX_ACC_DESCR As String = "1.3.6.1.5.5.7.48"
' OCSP responder location.
Public Const szOID_PKIX_OCSP As String = "1.3.6.1.5.5.7.48.1"
' Location of the issuer's certificate.
Public Const szOID_PKIX_CA_ISSUERS As String = "1.3.6.1.5.5.7.48.2"
'+-------------------------------------------------------------------------
' X509_CRL_REASON_CODE
' szOID_CRL_REASON_CODE
'
' pvStructInfo points to an int which can be set to one of the following
' enumerated values. Value 7 is intentionally absent.
'--------------------------------------------------------------------------
Public Const CRL_REASON_UNSPECIFIED As Long = 0
Public Const CRL_REASON_KEY_COMPROMISE As Long = 1
Public Const CRL_REASON_CA_COMPROMISE As Long = 2
Public Const CRL_REASON_AFFILIATION_CHANGED As Long = 3
Public Const CRL_REASON_SUPERSEDED As Long = 4
Public Const CRL_REASON_CESSATION_OF_OPERATION As Long = 5
' NOTE(review): "hold" is the one reason that can later be lifted; a
' consumer must not cache a hold as a permanent revocation.
Public Const CRL_REASON_CERTIFICATE_HOLD As Long = 6
' NOTE(review): presumably only meaningful inside a delta CRL, where it
' cancels an entry from the base CRL -- confirm against the CRL consumer.
Public Const CRL_REASON_REMOVE_FROM_CRL As Long = 8
'+-------------------------------------------------------------------------
' X509_CRL_DIST_POINTS
' szOID_CRL_DIST_POINTS
'
' pvStructInfo points to following CRL_DIST_POINTS_INFO.
'
' For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
' *pcbEncoded by CryptEncodeObject(X509_CRL_DIST_POINTS).
'
' Error location consists of:
' POINT_INDEX - 7 bits << 24
' ENTRY_INDEX - 8 bits << 16
'
' See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
' defines.
'--------------------------------------------------------------------------
' DistPointName choice.
Public Const CRL_DIST_POINT_NO_NAME As Long = 0
Public Const CRL_DIST_POINT_FULL_NAME As Long = 1
Public Const CRL_DIST_POINT_ISSUER_RDN_NAME As Long = 2
' ReasonFlags bit masks (first byte of the bit string). The order mirrors
' the CRL_REASON_* enumeration above, one bit per reason starting at the
' high bit; there is no flag for CRL_REASON_REMOVE_FROM_CRL.
Public Const CRL_REASON_UNUSED_FLAG As Long = &H80
Public Const CRL_REASON_KEY_COMPROMISE_FLAG As Long = &H40
Public Const CRL_REASON_CA_COMPROMISE_FLAG As Long = &H20
Public Const CRL_REASON_AFFILIATION_CHANGED_FLAG As Long = &H10
Public Const CRL_REASON_SUPERSEDED_FLAG As Long = &H08
Public Const CRL_REASON_CESSATION_OF_OPERATION_FLAG As Long = &H04
Public Const CRL_REASON_CERTIFICATE_HOLD_FLAG As Long = &H02
' POINT_INDEX field; 7 bits at bit 24 (presumably so the packed value
' stays non-negative in a 32-bit Long).
Public Const CRL_DIST_POINT_ERR_INDEX_MASK As Long = &H7F
Public Const CRL_DIST_POINT_ERR_INDEX_SHIFT As Long = 24
  '+-------------------------------------------------------------------------
  ' X509_CROSS_CERT_DIST_POINTS
  ' szOID_CROSS_CERT_DIST_POINTS
  '
  ' pvStructInfo points to following CROSS_CERT_DIST_POINTS_INFO.
  '
  ' For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
  ' (presumably) *pcbEncoded of the encode call - the end of this sentence
  ' was dropped when wincrypt.h was converted; confirm against the C header.
  '
  ' Error location consists of:
  ' POINT_INDEX - 8 bits << 24
  ' ENTRY_INDEX - 8 bits << 16
  '
  ' See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
  ' defines.
  '--------------------------------------------------------------------------
  ' Error-location field for POINT_INDEX: a full 8 bits here (mask &HFF),
  ' unlike the 7-bit CRL_DIST_POINT_ERR_INDEX_MASK, at the same bit offset.
  Public Const CROSS_CERT_DIST_POINT_ERR_INDEX_MASK As Long = &HFF
  Public Const CROSS_CERT_DIST_POINT_ERR_INDEX_SHIFT As Long = 24
  1669. '+-------------------------------------------------------------------------
  1670. ' X509_ENHANCED_KEY_USAGE
  1671. ' szOID_ENHANCED_KEY_USAGE
  1672. '
  1673. ' pvStructInfo points to a CERT_ENHKEY_USAGE, CTL_USAGE.
  1674. '--------------------------------------------------------------------------
  1675. '+-------------------------------------------------------------------------
  1676. ' X509_CERT_PAIR
  1677. '
  1678. ' pvStructInfo points to the following CERT_PAIR.
  1679. '--------------------------------------------------------------------------
  1680. '+-------------------------------------------------------------------------
  1681. ' szOID_CRL_NUMBER
  1682. '
  1683. ' pvStructInfo points to an int.
  1684. '--------------------------------------------------------------------------
  1685. '+-------------------------------------------------------------------------
  1686. ' szOID_DELTA_CRL_INDICATOR
  1687. '
  1688. ' pvStructInfo points to an int.
  1689. '--------------------------------------------------------------------------
  1690. '+-------------------------------------------------------------------------
  1691. ' szOID_ISSUING_DIST_POINT
  1692. ' X509_ISSUING_DIST_POINT
  1693. '
  1694. ' pvStructInfo points to the following CRL_ISSUING_DIST_POINT.
  1695. '
  1696. ' For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
  1697. '
  1698. ' Error location consists of:
  1699. ' ENTRY_INDEX - 8 bits << 16
  1700. '
  1701. ' See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
  1702. ' defines.
  1703. '--------------------------------------------------------------------------
  1704. '+-------------------------------------------------------------------------
  1705. ' szOID_FRESHEST_CRL
  1706. '
  1707. ' pvStructInfo points to CRL_DIST_POINTS_INFO.
  1708. '--------------------------------------------------------------------------
  1709. '+-------------------------------------------------------------------------
  1710. ' szOID_NAME_CONSTRAINTS
  1711. ' X509_NAME_CONSTRAINTS
  1712. '
  1713. ' pvStructInfo points to the following CERT_NAME_CONSTRAINTS_INFO
  1714. '
  1715. ' For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
  1716. '
  1717. ' Error location consists of:
  1718. ' ENTRY_INDEX - 8 bits << 16
  1719. '
  1720. ' See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
  1721. ' defines.
  1722. '--------------------------------------------------------------------------
  1723. '+-------------------------------------------------------------------------
  1724. ' szOID_NEXT_UPDATE_LOCATION
  1725. '
  1726. ' pvStructInfo points to a CERT_ALT_NAME_INFO.
  1727. '--------------------------------------------------------------------------
  1728. '+-------------------------------------------------------------------------
  1729. ' szOID_REMOVE_CERTIFICATE
  1730. '
  1731. ' pvStructInfo points to an int which can be set to one of the following
  1732. ' 0 - Add certificate
  1733. ' 1 - Remove certificate
  1734. '--------------------------------------------------------------------------
  1735. '+-------------------------------------------------------------------------
  1736. ' PKCS_CTL
  1737. ' szOID_CTL
  1738. '
  1739. ' pvStructInfo points to a CTL_INFO.
  1740. '--------------------------------------------------------------------------
  1741. '+-------------------------------------------------------------------------
  1742. ' PKCS_SORTED_CTL
  1743. '
  1744. ' pvStructInfo points to a CTL_INFO.
  1745. '
  1746. ' Same as for PKCS_CTL, except, the CTL entries are sorted. The following
  1747. ' extension containing the sort information is inserted as the first
  1748. ' extension in the encoded CTL.
  1749. '
  1750. ' Only supported for Encoding. CRYPT_ENCODE_ALLOC_FLAG flag must be
  1751. ' set.
  1752. '--------------------------------------------------------------------------
  1753. '+-------------------------------------------------------------------------
  1754. ' Sorted CTL TrustedSubjects extension
  1755. '
  1756. ' Array of little endian DWORDs:
  1757. ' [0] - Flags
  1758. ' [1] - Count of HashBucket entry offsets
  1759. ' [2] - Maximum HashBucket entry collision count
  1760. '
  1761. ' When this extension is present in the CTL,
  1762. ' the ASN.1 encoded sequence of TrustedSubjects are HashBucket ordered.
  1763. '
  1764. ' The entry offsets point to the start of the first encoded TrustedSubject
  1765. ' sequence for the HashBucket. The encoded TrustedSubjects for a HashBucket
  1766. ' continue until the encoded offset of the next HashBucket. A HashBucket has
  1767. ' no entries if HashBucket[N] == HashBucket[N + 1].
  1768. '
  1769. ' The HashBucket offsets are from the start of the ASN.1 encoded CTL_INFO.
  1770. '--------------------------------------------------------------------------
  1771. ' If the SubjectIdentifiers are a MD5 or SHA1 hash, the following flag is
  1772. ' set. When set, the first 4 bytes of the SubjectIdentifier are used as
  1773. ' the dwhash. Otherwise, the SubjectIdentifier bytes are hashed into dwHash.
  1774. ' In either case the HashBucket index = dwHash % cHashBucket.
  1775. Public Const SORTED_CTL_EXT_HASHED_SUBJECT_IDENTIFIER_FLAG As Long = &H1
  1776. '+-------------------------------------------------------------------------
  1777. ' X509_MULTI_BYTE_UINT
  1778. '
  1779. ' pvStructInfo points to a CRYPT_UINT_BLOB. Before encoding, inserts a
  1780. ' leading 0x00. After decoding, removes a leading 0x00.
  1781. '--------------------------------------------------------------------------
  1782. '+-------------------------------------------------------------------------
  1783. ' X509_DSS_PUBLICKEY
  1784. '
  1785. ' pvStructInfo points to a CRYPT_UINT_BLOB.
  1786. '--------------------------------------------------------------------------
  '+-------------------------------------------------------------------------
  ' X509_DSS_SIGNATURE
  '
  ' pvStructInfo is a BYTE rgbSignature[CERT_DSS_SIGNATURE_LEN]. The
  ' remainder of this sentence, and the CERT_DSS_SIGNATURE_LEN definition
  ' itself, did not survive the conversion from wincrypt.h. Presumably the
  ' buffer is r followed by s, CERT_DSS_R_LEN + CERT_DSS_S_LEN = 40 bytes;
  ' confirm against the C header.
  '--------------------------------------------------------------------------
  ' r and s are each 20 bytes, i.e. this covers DSA with a 160-bit q only
  ' (the SHA-1-era DSS parameter set). Treat as legacy when choosing
  ' algorithms; it is kept here for decoding existing signatures.
  Public Const CERT_DSS_R_LEN As Long = 20
  Public Const CERT_DSS_S_LEN As Long = 20
  ' Orphaned fragment of a comment about the ASN.1-encoded signature length:
  ' each INTEGER may need an extra leading 0x00 byte to keep it positive
  ' ("... 0x00 to make the integer unsigned"). The constant it annotated was
  ' lost in conversion.
  1800. '+-------------------------------------------------------------------------
  1801. ' X509_DH_PUBLICKEY
  1802. '
  1803. ' pvStructInfo points to a CRYPT_UINT_BLOB.
  1804. '--------------------------------------------------------------------------
  1805. '+-------------------------------------------------------------------------
  1806. ' X509_DH_PARAMETERS
  1807. '
  1808. ' pvStructInfo points to following CERT_DH_PARAMETERS data structure.
  1809. '--------------------------------------------------------------------------
  1810. '+-------------------------------------------------------------------------
  1811. ' X942_DH_PARAMETERS
  1812. '
  1813. ' pvStructInfo points to following CERT_X942_DH_PARAMETERS data structure.
  1814. '
  1815. ' If q.cbData == 0, then, the following fields are zero'ed.
  1816. '--------------------------------------------------------------------------
  '+-------------------------------------------------------------------------
  ' X942_OTHER_INFO
  '
  ' pvStructInfo points to following CRYPT_X942_OTHER_INFO data structure.
  '
  ' rgbCounter and rgbKeyLength are in Little Endian order.
  '--------------------------------------------------------------------------
  ' Byte widths of the counter and key-length fields of the X9.42 OtherInfo
  ' block: both are 4-byte (32-bit) values, little endian as noted above.
  Public Const CRYPT_X942_COUNTER_BYTE_LENGTH As Long = 4
  Public Const CRYPT_X942_KEY_LENGTH_BYTE_LENGTH As Long = 4
  '+-------------------------------------------------------------------------
  ' PKCS_RC2_CBC_PARAMETERS
  ' szOID_RSA_RC2CBC
  '
  ' pvStructInfo points to following CRYPT_RC2_CBC_PARAMETERS data structure.
  '--------------------------------------------------------------------------
  ' RC2 "version" values: the rc2ParameterVersion encoded in RC2-CBC
  ' parameters stands for an effective key length via a lookup table, not
  ' arithmetic - 160 means 40 bits, 52 means 56 bits, 120 means 64 bits and
  ' 58 means 128 bits (table from the RC2 specification, RFC 2268).
  ' 40- and 56-bit RC2 are export-grade strengths; accept them only for
  ' decrypting legacy data and never select them for new content.
  Public Const CRYPT_RC2_40BIT_VERSION As Long = 160
  Public Const CRYPT_RC2_56BIT_VERSION As Long = 52
  Public Const CRYPT_RC2_64BIT_VERSION As Long = 120
  Public Const CRYPT_RC2_128BIT_VERSION As Long = 58
  1836. '+-------------------------------------------------------------------------
  1837. ' PKCS_SMIME_CAPABILITIES
  1838. ' szOID_RSA_SMIMECapabilities
  1839. '
  1840. ' pvStructInfo points to following CRYPT_SMIME_CAPABILITIES data structure.
  1841. '
  1842. ' causes the encoded parameters to be omitted and not encoded as a NULL
  1843. ' is per the SMIME specification for encoding capabilities.
  1844. '--------------------------------------------------------------------------
  1845. '+-------------------------------------------------------------------------
  1846. ' PKCS7_SIGNER_INFO
  1847. '
  1848. ' pvStructInfo points to CMSG_SIGNER_INFO.
  1849. '--------------------------------------------------------------------------
  1850. '+-------------------------------------------------------------------------
  1851. ' CMS_SIGNER_INFO
  1852. '
  1853. ' pvStructInfo points to CMSG_CMS_SIGNER_INFO.
  1854. '--------------------------------------------------------------------------
  '+-------------------------------------------------------------------------
  ' Netscape Certificate Extension Object Identifiers
  '
  ' All live under the Netscape arc 2.16.840.1.113730; the .1.x children are
  ' the legacy Netscape certificate extensions (children .5, .6 and .9-.11
  ' are not carried here). Each extension is described in its own section
  ' further down.
  '--------------------------------------------------------------------------
  Public Const szOID_NETSCAPE As String = "2.16.840.1.113730"
  Public Const szOID_NETSCAPE_CERT_EXTENSION As String = "2.16.840.1.113730.1"
  Public Const szOID_NETSCAPE_CERT_TYPE As String = "2.16.840.1.113730.1.1"
  Public Const szOID_NETSCAPE_BASE_URL As String = "2.16.840.1.113730.1.2"
  Public Const szOID_NETSCAPE_REVOCATION_URL As String = "2.16.840.1.113730.1.3"
  Public Const szOID_NETSCAPE_CA_REVOCATION_URL As String = "2.16.840.1.113730.1.4"
  Public Const szOID_NETSCAPE_CERT_RENEWAL_URL As String = "2.16.840.1.113730.1.7"
  Public Const szOID_NETSCAPE_CA_POLICY_URL As String = "2.16.840.1.113730.1.8"
  Public Const szOID_NETSCAPE_SSL_SERVER_NAME As String = "2.16.840.1.113730.1.12"
  Public Const szOID_NETSCAPE_COMMENT As String = "2.16.840.1.113730.1.13"
  '+-------------------------------------------------------------------------
  ' Netscape Certificate Data Type Object Identifiers
  '
  ' The .2 arc holds Netscape data types rather than extensions; only the
  ' certificate-sequence type (.2.5) is carried here (see
  ' szOID_NETSCAPE_CERT_SEQUENCE below for its encoding).
  '--------------------------------------------------------------------------
  Public Const szOID_NETSCAPE_DATA_TYPE As String = "2.16.840.1.113730.2"
  Public Const szOID_NETSCAPE_CERT_SEQUENCE As String = "2.16.840.1.113730.2.5"
  '+-------------------------------------------------------------------------
  ' szOID_NETSCAPE_CERT_TYPE extension
  '
  ' Its value is a bit string. CryptDecodeObject/CryptEncodeObject using
  ' X509_BITS or X509_BITS_WITHOUT_TRAILING_ZEROES.
  '
  ' The following bits are defined (first byte of the bit string, bit 0 =
  ' &H80). &H08 is absent: that position is not assigned here. This is a
  ' pre-standard precursor of Key Usage / Extended Key Usage and the basic
  ' constraints CA flag; modern validators generally ignore it, so it must
  ' not be the only thing that distinguishes a CA certificate.
  '--------------------------------------------------------------------------
  Public Const NETSCAPE_SSL_CLIENT_AUTH_CERT_TYPE As Long = &H80
  Public Const NETSCAPE_SSL_SERVER_AUTH_CERT_TYPE As Long = &H40
  Public Const NETSCAPE_SMIME_CERT_TYPE As Long = &H20
  Public Const NETSCAPE_SIGN_CERT_TYPE As Long = &H10
  Public Const NETSCAPE_SSL_CA_CERT_TYPE As Long = &H04
  Public Const NETSCAPE_SMIME_CA_CERT_TYPE As Long = &H02
  Public Const NETSCAPE_SIGN_CA_CERT_TYPE As Long = &H01
  1888. '+-------------------------------------------------------------------------
  1889. ' szOID_NETSCAPE_BASE_URL extension
  1890. '
  1891. ' Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
  1892. ' X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
  1893. ' dwValueType = CERT_RDN_IA5_STRING.
  1894. '
  1895. ' When present this string is added to the beginning of all relative URLs
  1896. ' in the certificate. This extension can be considered an optimization
  1897. ' to reduce the size of the URL extensions.
  1898. '--------------------------------------------------------------------------
  1899. '+-------------------------------------------------------------------------
  1900. ' szOID_NETSCAPE_REVOCATION_URL extension
  1901. '
  1902. ' Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
  1903. ' X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
  1904. ' dwValueType = CERT_RDN_IA5_STRING.
  1905. '
  1906. ' It is a relative or absolute URL that can be used to check the
  1907. ' revocation status of a certificate. The revocation check will be
  1908. ' performed as an HTTP GET method using a url that is the concatenation of
  1909. ' revocation-url and certificate-serial-number.
  1910. ' Where the certificate-serial-number is encoded as a string of
  ' ascii hexadecimal digits. For example, if the netscape-base-url is
  ' https://<base-url>/, the netscape-revocation-url is
  ' cgi-bin/check-rev.cgi?, and the certificate serial number is 173420,
  ' the resulting URL would be:
  ' https://<base-url>/cgi-bin/check-rev.cgi?02a56c
  1916. '
  1917. ' The server should return a document with a Content-Type of
  1918. ' application/x-netscape-revocation. The document should contain
  ' a single ascii digit, '1' if the certificate is not currently valid,
  ' and '0' if it is currently valid.
  1921. '
  1922. ' Note: for all of the URLs that include the certificate serial number,
  1923. ' the serial number will be encoded as a string which consists of an even
  1924. ' number of hexadecimal digits. If the number of significant digits is odd,
  1925. ' the string will have a single leading zero to ensure an even number of
  1926. ' digits is generated.
  1927. '--------------------------------------------------------------------------
  1928. '+-------------------------------------------------------------------------
  1929. ' szOID_NETSCAPE_CA_REVOCATION_URL extension
  1930. '
  1931. ' Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
  1932. ' X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
  1933. ' dwValueType = CERT_RDN_IA5_STRING.
  1934. '
  1935. ' It is a relative or absolute URL that can be used to check the
  1936. ' revocation status of any certificates that are signed by the CA that
  1937. ' this certificate belongs to. This extension is only valid in CA
  1938. ' certificates. The use of this extension is the same as the above
  1939. ' szOID_NETSCAPE_REVOCATION_URL extension.
  1940. '--------------------------------------------------------------------------
  1941. '+-------------------------------------------------------------------------
  1942. ' szOID_NETSCAPE_CERT_RENEWAL_URL extension
  1943. '
  1944. ' Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
  1945. ' X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
  1946. ' dwValueType = CERT_RDN_IA5_STRING.
  1947. '
  1948. ' It is a relative or absolute URL that points to a certificate renewal
  1949. ' form. The renewal form will be accessed with an HTTP GET method using a
  1950. ' url that is the concatenation of renewal-url and
  1951. ' certificate-serial-number. Where the certificate-serial-number is
  1952. ' encoded as a string of ascii hexadecimal digits. For example, if the
  ' netscape-base-url is https://<base-url>/, the
  ' netscape-cert-renewal-url is cgi-bin/check-renew.cgi?, and the
  ' certificate serial number is 173420, the resulting URL would be:
  ' https://<base-url>/cgi-bin/check-renew.cgi?02a56c
  1957. ' The document returned should be an HTML form that will allow the user
  1958. ' to request a renewal of their certificate.
  1959. '--------------------------------------------------------------------------
  1960. '+-------------------------------------------------------------------------
  1961. ' szOID_NETSCAPE_CA_POLICY_URL extension
  1962. '
  1963. ' Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
  1964. ' X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
  1965. ' dwValueType = CERT_RDN_IA5_STRING.
  1966. '
  1967. ' It is a relative or absolute URL that points to a web page that
  1968. ' describes the policies under which the certificate was issued.
  1969. '--------------------------------------------------------------------------
  1970. '+-------------------------------------------------------------------------
  1971. ' szOID_NETSCAPE_SSL_SERVER_NAME extension
  1972. '
  1973. ' Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
  1974. ' X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
  1975. ' dwValueType = CERT_RDN_IA5_STRING.
  1976. '
  1977. ' It is a "shell expression" that can be used to match the hostname of the
  1978. ' SSL server that is using this certificate. It is recommended that if
  1979. ' the server's hostname does not match this pattern the user be notified
  1980. ' and given the option to terminate the SSL connection. If this extension
  1981. ' is not present then the CommonName in the certificate subject's
  1982. ' distinguished name is used for the same purpose.
  1983. '--------------------------------------------------------------------------
  1984. '+-------------------------------------------------------------------------
  1985. ' szOID_NETSCAPE_COMMENT extension
  1986. '
  1987. ' Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
  1988. ' X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
  1989. ' dwValueType = CERT_RDN_IA5_STRING.
  1990. '
  1991. ' It is a comment that may be displayed to the user when the certificate
  1992. ' is viewed.
  1993. '--------------------------------------------------------------------------
  1994. '+-------------------------------------------------------------------------
  1995. ' szOID_NETSCAPE_CERT_SEQUENCE
  1996. '
  1997. ' Its value is a PKCS#7 ContentInfo structure wrapping a sequence of
  1998. ' certificates. The value of the contentType field is
  1999. ' szOID_NETSCAPE_CERT_SEQUENCE, while the content field is the following
  2000. ' structure:
  2001. ' CertificateSequence ::= SEQUENCE OF Certificate.
  2002. '
  2003. ' CryptDecodeObject/CryptEncodeObject using
  2004. ' PKCS_CONTENT_INFO_SEQUENCE_OF_ANY, where,
  2005. ' pszObjId = szOID_NETSCAPE_CERT_SEQUENCE and the CRYPT_DER_BLOBs point
  2006. ' to encoded X509 certificates.
  2007. '--------------------------------------------------------------------------
  '+=========================================================================
  ' Certificate Management Messages over CMS (CMC) - the section title on
  ' this banner did not survive the conversion from wincrypt.h.
  '==========================================================================
  ' PKIX content types (1.3.6.1.5.5.7.5.x) and the CMC control/attribute
  ' arc (1.3.6.1.5.5.7.7.x).
  Public Const szOID_CT_PKI_DATA As String = "1.3.6.1.5.5.7.5.2"
  Public Const szOID_CT_PKI_RESPONSE As String = "1.3.6.1.5.5.7.5.3"
  Public Const szOID_CMC As String = "1.3.6.1.5.5.7.7"
  Public Const szOID_CMC_STATUS_INFO As String = "1.3.6.1.5.5.7.7.1"
  Public Const szOID_CMC_ADD_EXTENSIONS As String = "1.3.6.1.5.5.7.7.8"
  ' Note the different arc: 1.3.6.1.4.1.311 is Microsoft's enterprise arc,
  ' so this attribute is Microsoft-defined rather than a PKIX CMC control.
  Public Const szOID_CMC_ADD_ATTRIBUTES As String = "1.3.6.1.4.1.311.10.10.1"
  '+-------------------------------------------------------------------------
  ' CMC_DATA
  ' CMC_RESPONSE
  '
  ' Encode/decode types for the CMC request and response messages (the
  ' start of this sentence was lost in conversion; only "messages." remained).
  '
  ' For CMC_DATA, pvStructInfo points to a CMC_DATA_INFO.
  ' CMC_DATA_INFO contains optional arrays of tagged attributes, requests,
  ' content info and/or arbitrary other messages.
  '
  ' For CMC_RESPONSE, pvStructInfo points to a CMC_RESPONSE_INFO.
  ' CMC_RESPONSE_INFO is the same as CMC_DATA_INFO without the tagged
  ' requests.
  '--------------------------------------------------------------------------
  ' Choice tag for a tagged request that carries a certificate request; no
  ' other request choices are listed in this module.
  Public Const CMC_TAGGED_CERT_REQUEST_CHOICE As Long = 1
  ' "All the tagged arrays are optional" annotated the CMC_DATA_INFO and
  ' CMC_RESPONSE_INFO structures in the C header (it appeared once per
  ' structure); the structures themselves are not carried in this module.
  '+-------------------------------------------------------------------------
  ' CMC_STATUS
  '
  ' (The line naming the status-info attribute/OID was lost in conversion.)
  '
  ' pvStructInfo points to a CMC_STATUS_INFO.
  '--------------------------------------------------------------------------
  ' Which of the optional "other info" members of CMC_STATUS_INFO is present:
  ' none, failure information, or pending information.
  Public Const CMC_OTHER_INFO_NO_CHOICE As Long = 0
  Public Const CMC_OTHER_INFO_FAIL_CHOICE As Long = 1
  Public Const CMC_OTHER_INFO_PEND_CHOICE As Long = 2
  '
  ' dwStatus values (value 1 is not defined here; the gap is in the source)
  '
  ' Request was granted
  Public Const CMC_STATUS_SUCCESS As Long = 0
  ' Request failed, more information elsewhere in the message
  Public Const CMC_STATUS_FAILED As Long = 2
  ' The request body part has not yet been processed. Requester is responsible
  ' to poll back. May only be returned for certificate request operations.
  Public Const CMC_STATUS_PENDING As Long = 3
  ' The requested operation is not supported
  Public Const CMC_STATUS_NO_SUPPORT As Long = 4
  ' Confirmation using the idConfirmCertAcceptance control is required
  ' before use of certificate
  Public Const CMC_STATUS_CONFIRM_REQUIRED As Long = 5
  '
  ' dwFailInfo values (only meaningful when dwStatus is CMC_STATUS_FAILED and
  ' the FAIL_CHOICE other-info is present)
  '
  ' Unrecognized or unsupported algorithm
  Public Const CMC_FAIL_BAD_ALG As Long = 0
  ' Integrity check failed
  Public Const CMC_FAIL_BAD_MESSAGE_CHECK As Long = 1
  ' Transaction not permitted or supported
  Public Const CMC_FAIL_BAD_REQUEST As Long = 2
  ' Message time field was not sufficiently close to the system time
  Public Const CMC_FAIL_BAD_TIME As Long = 3
  ' No certificate could be identified matching the provided criteria
  Public Const CMC_FAIL_BAD_CERT_ID As Long = 4
  ' A requested X.509 extension is not supported by the recipient CA.
  ' (Identifier keeps the header's "UNSUPORTED" spelling; do not "fix" it,
  ' callers bind to the name.)
  Public Const CMC_FAIL_UNSUPORTED_EXT As Long = 5
  ' Private key material must be supplied
  Public Const CMC_FAIL_MUST_ARCHIVE_KEYS As Long = 6
  ' Identification Attribute failed to verify
  Public Const CMC_FAIL_BAD_IDENTITY As Long = 7
  ' Server requires a POP proof before issuing certificate
  Public Const CMC_FAIL_POP_REQUIRED As Long = 8
  ' POP processing failed
  Public Const CMC_FAIL_POP_FAILED As Long = 9
  ' Server policy does not allow key re-use
  Public Const CMC_FAIL_NO_KEY_REUSE As Long = 10
  ' The following two carried no description in the header; the names suggest
  ' an internal CA failure and a transient "retry later" condition - confirm
  ' against the CMC specification before acting on them.
  Public Const CMC_FAIL_INTERNAL_CA_ERROR As Long = 11
  Public Const CMC_FAIL_TRY_LATER As Long = 12
  2084. '+-------------------------------------------------------------------------
  2085. ' CMC_ADD_EXTENSIONS
  2086. '
  2087. ' attribute.
  2088. '
  2089. ' pvStructInfo points to a CMC_ADD_EXTENSIONS_INFO.
  2090. '--------------------------------------------------------------------------
  2091. '+-------------------------------------------------------------------------
  2092. ' CMC_ADD_ATTRIBUTES
  2093. '
  2094. ' attribute.
  2095. '
  2096. ' pvStructInfo points to a CMC_ADD_ATTRIBUTES_INFO.
  2097. '--------------------------------------------------------------------------
  '+=========================================================================
  ' OID function sets
  '==========================================================================
  ' Predefined OID Function Names
  '
  ' These are the export names the OID function-set machinery resolves, via
  ' the registry path given further down, in DLLs registered for an OID.
  ' Registering a DLL under one of these names is equivalent to installing
  ' trusted code into every process that encodes, decodes or verifies with
  ' that OID, so registration should be treated as a privileged operation.
  Public Const CRYPT_OID_ENCODE_OBJECT_FUNC As String = "CryptDllEncodeObject"
  Public Const CRYPT_OID_DECODE_OBJECT_FUNC As String = "CryptDllDecodeObject"
  Public Const CRYPT_OID_ENCODE_OBJECT_EX_FUNC As String = "CryptDllEncodeObjectEx"
  Public Const CRYPT_OID_DECODE_OBJECT_EX_FUNC As String = "CryptDllDecodeObjectEx"
  Public Const CRYPT_OID_CREATE_COM_OBJECT_FUNC As String = "CryptDllCreateCOMObject"
  Public Const CRYPT_OID_VERIFY_REVOCATION_FUNC As String = "CertDllVerifyRevocation"
  Public Const CRYPT_OID_VERIFY_CTL_USAGE_FUNC As String = "CertDllVerifyCTLUsage"
  Public Const CRYPT_OID_FORMAT_OBJECT_FUNC As String = "CryptDllFormatObject"
  Public Const CRYPT_OID_FIND_OID_INFO_FUNC As String = "CryptDllFindOIDInfo"
  Public Const CRYPT_OID_FIND_LOCALIZED_NAME_FUNC As String = "CryptDllFindLocalizedName"
  ' CryptDllEncodeObject has same function signature as CryptEncodeObject.
  ' CryptDllDecodeObject has same function signature as CryptDecodeObject.
  ' CryptDllEncodeObjectEx has same function signature as CryptEncodeObjectEx.
  ' The Ex version MUST support the CRYPT_ENCODE_ALLOC_FLAG option.
  '
  ' If an Ex function isn't installed or registered, then, attempts to find
  ' a non-EX version. If the ALLOC flag is set, then, CryptEncodeObjectEx,
  ' does the allocation and calls the non-EX version twice.
  ' CryptDllDecodeObjectEx has same function signature as CryptDecodeObjectEx.
  ' The Ex version MUST support the CRYPT_DECODE_ALLOC_FLAG option.
  '
  ' If an Ex function isn't installed or registered, then, attempts to find
  ' a non-EX version. If the ALLOC flag is set, then, CryptDecodeObjectEx,
  ' does the allocation and calls the non-EX version twice.
  ' CryptDllCreateCOMObject has the following signature (the return type and
  ' opening line of the prototype were lost in conversion):
  ' IN DWORD dwEncodingType,
  ' IN LPCSTR pszOID,
  ' IN PCRYPT_DATA_BLOB pEncodedContent,
  ' IN DWORD dwFlags,
  ' IN REFIID riid,
  ' OUT void **ppvObj);
  ' CertDllVerifyRevocation has the same signature as CertVerifyRevocation
  ' CertDllVerifyCTLUsage has the same signature as CertVerifyCTLUsage
  ' CryptDllFindOIDInfo currently is only used to store values used by
  ' (presumably) CryptFindOIDInfo, and CryptDllFindLocalizedName is only
  ' used to store localized string values; the sentences that named the
  ' consumers and pointed to "more details" were truncated in conversion.
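  ' Example of a complete OID Function Registry Name:
  ' HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
  ' \EncodingType 1\CryptDllEncodeObject\1.2.3
  '
  ' The key's L"Dll" value contains the name of the Dll.
  ' The key's L"FuncName" value overrides the default function name
  '
  ' VB string literals do not process backslash escapes, so the C header's
  ' L"Software\\Microsoft\\Cryptography\\OID" must be written with single
  ' backslashes here; the doubled form does not match the documented path
  ' above and would not name the real key.
  '
  ' This key is a DLL-load point: on a registry match the named Dll is loaded
  ' into the calling process (see CryptGetOIDFunctionAddress below). It must
  ' stay writable by administrators only, and writes beneath it are worth
  ' auditing.
  Public Const CRYPT_OID_REGPATH As String = "Software\Microsoft\Cryptography\OID"
  ' Subkey name prefix; the encoding type number is appended to it
  ' (e.g. "EncodingType 1" in the example above).
  Public Const CRYPT_OID_REG_ENCODING_TYPE_PREFIX As String = "EncodingType "
  ' Value names under the per-OID key.
  Public Const CRYPT_OID_REG_DLL_VALUE_NAME As String = "Dll"
  Public Const CRYPT_OID_REG_FUNC_NAME_VALUE_NAME As String = "FuncName"
  ' ANSI twin of the above; identical in VB, which has no L"" distinction.
  Public Const CRYPT_OID_REG_FUNC_NAME_VALUE_NAME_A As String = "FuncName"
  ' CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG can be set in the key's L"CryptFlags"
  ' value to register the functions before the installed functions.
  '
  ' CryptSetOIDFunctionValue must be called to set this value. L"CryptFlags"
  ' must be set using a dwValueType of REG_DWORD.
  Public Const CRYPT_OID_REG_FLAGS_VALUE_NAME As String = "CryptFlags"
  ' OID used for Default OID functions
  Public Const CRYPT_DEFAULT_OID As String = "DEFAULT"
  Public Const CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG As Long = 1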
  2157. '+-------------------------------------------------------------------------
  2158. ' Install a set of callable OID function addresses.
  2159. '
  2160. ' By default the functions are installed at end of the list.
  2161. ' Set CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG to install at beginning of list.
  2162. '
  2163. ' hModule should be updated with the hModule passed to DllMain to prevent
  2164. ' the Dll containing the function addresses from being unloaded by
  2165. ' CryptGetOIDFuncAddress/CryptFreeOIDFunctionAddress. This would be the
  2166. ' case when the Dll has also regsvr32'ed OID functions via
  2167. ' CryptRegisterOIDFunction.
  2168. '
  2169. ' DEFAULT functions are installed by setting rgFuncEntry[].pszOID =
  2170. ' CRYPT_DEFAULT_OID.
  2171. '--------------------------------------------------------------------------
  2172. '+-------------------------------------------------------------------------
  2173. ' Initialize and return handle to the OID function set identified by its
  2174. ' function name.
  2175. '
  2176. ' If the set already exists, a handle to the existing set is returned.
  2177. '--------------------------------------------------------------------------
  '+-------------------------------------------------------------------------
  ' Search the list of installed functions for an encoding type and OID match.
  ' If not found, search the registry.
  '
  ' For success, returns TRUE with *ppvFuncAddr updated with the function's
  ' address and *phFuncAddr updated with the function address's handle.
  ' The function's handle is AddRef'ed. CryptFreeOIDFunctionAddress needs to
  ' be called to release it.
  '
  ' For a registry match, the Dll containing the function is loaded.
  ' (So whoever can write the OID registry key controls which Dll gets loaded
  ' into the caller; see the note on CRYPT_OID_REGPATH above.)
  '
  ' By default, both the registered and installed function lists are searched.
  ' Set CRYPT_GET_INSTALLED_OID_FUNC_FLAG to only search the installed list
  ' of functions. This flag would be set by a registered function to get
  ' the address of a pre-installed function it was replacing. For example,
  ' the registered function might handle a new special case and call the
  ' pre-installed function to handle the remaining cases.
  '--------------------------------------------------------------------------
  ' dwFlags bit for CryptGetOIDFunctionAddress: skip the registry and consult
  ' only functions installed in-process, i.e. ignore registry-registered
  ' overrides for this lookup.
  Public Const CRYPT_GET_INSTALLED_OID_FUNC_FLAG As Long = &H1
  2197. '+-------------------------------------------------------------------------
  2198. ' Get the list of registered default Dll entries for the specified
  2199. ' function set and encoding type.
  2200. '
  2201. ' The returned list consists of none, one or more null terminated Dll file
  2202. ' For example: L"first.dll" L"\0" L"second.dll" L"\0" L"\0"
  2203. '--------------------------------------------------------------------------
  2204. '+-------------------------------------------------------------------------
  2205. ' Either: get the first or next installed DEFAULT function OR
  2206. ' load the Dll containing the DEFAULT function.
  2207. '
  2208. ' If pwszDll is NULL, search the list of installed DEFAULT functions.
  2209. ' *phFuncAddr must be set to NULL to get the first installed function.
  2210. ' Successive installed functions are returned by setting *phFuncAddr
  2211. ' to the hFuncAddr returned by the previous call.
  2212. '
  2213. ' If pwszDll is NULL, the input *phFuncAddr
  2214. ' is always CryptFreeOIDFunctionAddress'ed by this function, even for
  2215. ' an error.
  2216. '
  2217. ' If pwszDll isn't NULL, then, attempts to load the Dll and the DEFAULT
  2218. ' function. *phFuncAddr is ignored upon entry and isn't
  2219. ' CryptFreeOIDFunctionAddress'ed.
  2220. '
  2221. ' For success, returns TRUE with *ppvFuncAddr updated with the function's
  2222. ' address and *phFuncAddr updated with the function address's handle.
  2223. ' The function's handle is AddRef'ed. CryptFreeOIDFunctionAddress needs to
  2224. ' be called to release it or CryptGetDefaultOIDFunctionAddress can also
  2225. ' be called for a NULL pwszDll.
  2226. '--------------------------------------------------------------------------
  2227. '+-------------------------------------------------------------------------
  2228. ' Releases the handle AddRef'ed and returned by CryptGetOIDFunctionAddress
  2229. ' or CryptGetDefaultOIDFunctionAddress.
  2230. '
  2231. ' If a Dll was loaded for the function, it's unloaded. However, before doing
  2232. ' the unload, the DllCanUnloadNow function exported by the loaded Dll is
  2233. ' called. It should return S_FALSE to inhibit the unload or S_TRUE to enable
  2234. ' the unload. If the Dll doesn't export DllCanUnloadNow, the Dll is unloaded.
  2235. '
  2236. ' DllCanUnloadNow takes no arguments and returns an HRESULT.
  2237. '--------------------------------------------------------------------------
  2238. '+-------------------------------------------------------------------------
  2239. ' Register the Dll containing the function to be called for the specified
  2240. ' encoding type, function name and OID.
  2241. '
  2242. ' pwszDll may contain environment-variable strings, which are expanded before the Dll is loaded.
  2243. '
  2244. ' In addition to registering the DLL, you may override the
  2245. ' name of the function to be called. For example,
  2246. ' pszFuncName = "CryptDllEncodeObject",
  2247. ' pszOverrideFuncName = "MyEncodeXyz".
  2248. ' This allows a Dll to export multiple OID functions for the same
  2249. ' function name without needing to interpose its own OID dispatcher function.
  2250. '--------------------------------------------------------------------------
  2251. '+-------------------------------------------------------------------------
  2252. ' Unregister the Dll containing the function to be called for the specified
  2253. ' encoding type, function name and OID.
  2254. '--------------------------------------------------------------------------
  2255. '+-------------------------------------------------------------------------
  2256. ' Register the Dll containing the default function to be called for the
  2257. ' specified encoding type and function name.
  2258. '
  2259. ' Unlike CryptRegisterOIDFunction, you can't override the function name
  2260. ' needing to be exported by the Dll.
  2261. '
  2262. ' The Dll is inserted before the entry specified by dwIndex.
  2263. ' dwIndex == 0, inserts at the beginning.
  2264. ' dwIndex == CRYPT_REGISTER_LAST_INDEX, appends at the end.
  2265. '
  2266. ' pwszDll may contain environment-variable strings, which are expanded before the Dll is loaded.
  2267. '--------------------------------------------------------------------------
  2268. Public Const CRYPT_REGISTER_FIRST_INDEX As Long = 0 ' dwIndex: insert the default Dll at the beginning of the list
  2269. Public Const CRYPT_REGISTER_LAST_INDEX As Long = &HFFFFFFFF ' dwIndex: append at the end; evaluates to -1 as a signed Long (the DWORD value 0xFFFFFFFF)
  2270. '+-------------------------------------------------------------------------
  2271. ' Unregister the Dll containing the default function to be called for
  2272. ' the specified encoding type and function name.
  2273. '--------------------------------------------------------------------------
  2274. '+-------------------------------------------------------------------------
  2275. ' Set the value for the specified encoding type, function name, OID and
  2276. ' value name.
  2277. '
  2278. ' See RegSetValueEx for the possible value types.
  2279. '
  2280. ' String types are UNICODE.
  2281. '--------------------------------------------------------------------------
  2282. '+-------------------------------------------------------------------------
  2283. ' Get the value for the specified encoding type, function name, OID and
  2284. ' value name.
  2285. '
  2286. ' See RegEnumValue for the possible value types.
  2287. '
  2288. ' String types are UNICODE.
  2289. '--------------------------------------------------------------------------
  2290. '+-------------------------------------------------------------------------
  2291. ' Enumerate the OID functions identified by their encoding type,
  2292. ' function name and OID.
  2293. '
  2294. ' pfnEnumOIDFunc is called for each registry key matching the input
  2295. ' parameters. Setting dwEncodingType to CRYPT_MATCH_ANY_ENCODING_TYPE matches
  2296. ' any. Setting pszFuncName or pszOID to NULL matches any.
  2297. '
  2298. ' Set pszOID == CRYPT_DEFAULT_OID to restrict the enumeration to only the
  2299. ' DEFAULT functions
  2300. '
  2301. ' String types are UNICODE.
  2302. '--------------------------------------------------------------------------
  2303. Public Const CRYPT_MATCH_ANY_ENCODING_TYPE As Long = &HFFFFFFFF ' dwEncodingType wildcard for the OID function enumeration described above; -1 as a signed Long
  2304. '+=========================================================================
  2305. '==========================================================================
  2306. '+-------------------------------------------------------------------------
  2307. ' OID Information
  2308. '--------------------------------------------------------------------------
  2309. '+-------------------------------------------------------------------------
  2310. ' OID Group IDs
  2311. '--------------------------------------------------------------------------
  2312. Public Const CRYPT_HASH_ALG_OID_GROUP_ID As Long = 1 ' entries carry an Algid (see the note below)
  2313. Public Const CRYPT_ENCRYPT_ALG_OID_GROUP_ID As Long = 2 ' entries carry an Algid
  2314. Public Const CRYPT_PUBKEY_ALG_OID_GROUP_ID As Long = 3 ' entries carry an Algid; optional ExtraInfo flags are defined below
  2315. Public Const CRYPT_SIGN_ALG_OID_GROUP_ID As Long = 4 ' entries carry an Algid; optional ExtraInfo: public key Algid and flags
  2316. Public Const CRYPT_RDN_ATTR_OID_GROUP_ID As Long = 5 ' entries carry a dwLength; optional ExtraInfo: null terminated list of value types
  2317. Public Const CRYPT_EXT_OR_ATTR_OID_GROUP_ID As Long = 6 ' no dwValue
  2318. Public Const CRYPT_ENHKEY_USAGE_OID_GROUP_ID As Long = 7 ' no dwValue
  2319. Public Const CRYPT_POLICY_OID_GROUP_ID As Long = 8 ' no dwValue
  2320. Public Const CRYPT_LAST_OID_GROUP_ID As Long = 8 ' highest group ID declared in this module (equal to CRYPT_POLICY_OID_GROUP_ID)
  2321. ' The CRYPT_*_ALG_OID_GROUP_ID's have an Algid. The CRYPT_RDN_ATTR_OID_GROUP_ID
  2322. ' has a dwLength. The CRYPT_EXT_OR_ATTR_OID_GROUP_ID,
  2323. ' CRYPT_ENHKEY_USAGE_OID_GROUP_ID or CRYPT_POLICY_OID_GROUP_ID don't have a
  2324. ' dwValue.
  2325. '
  2326. ' CRYPT_PUBKEY_ALG_OID_GROUP_ID has the following optional ExtraInfo:
  2327. ' DWORD[0] - Flags. CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG can be set to
  2328. ' inhibit the reformatting of the signature before
  2329. ' CryptVerifySignature is called or after CryptSignHash
  2330. ' is called. CRYPT_OID_USE_PUBKEY_PARA_FOR_PKCS7_FLAG can
  2331. ' be set to include the public key algorithm's parameters
  2332. ' in the PKCS7's digestEncryptionAlgorithm's parameters.
  2333. ' CRYPT_OID_NO_NULL_ALGORITHM_PARA_FLAG can be set to omit
  2334. ' NULL parameters when encoding.
  2335. Public Const CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG As Long = &H1 ' ExtraInfo DWORD[0]: don't reformat the signature around CryptVerifySignature / CryptSignHash
  2336. Public Const CRYPT_OID_USE_PUBKEY_PARA_FOR_PKCS7_FLAG As Long = &H2 ' ExtraInfo DWORD[0]: copy the public key algorithm parameters into the PKCS7 digestEncryptionAlgorithm
  2337. Public Const CRYPT_OID_NO_NULL_ALGORITHM_PARA_FLAG As Long = &H4 ' ExtraInfo DWORD[0]: omit NULL algorithm parameters when encoding
  2338. ' CRYPT_SIGN_ALG_OID_GROUP_ID has the following optional ExtraInfo:
  2339. ' DWORD[0] - Public Key Algid.
  2340. ' DWORD[1] - Flags. Same as above for CRYPT_PUBKEY_ALG_OID_GROUP_ID.
  2341. ' If omitted or 0, uses Public Key Algid to select
  2342. ' appropriate dwProvType for signature verification.
  2343. ' CRYPT_RDN_ATTR_OID_GROUP_ID has the following optional ExtraInfo:
  2344. ' Array of DWORDs:
  2345. ' [0 ..] - Null terminated list of acceptable RDN attribute
  2346. ' value types. An empty list implies CERT_RDN_PRINTABLE_STRING,
  2347. ' CERT_RDN_UNICODE_STRING, 0.
  2348. '+-------------------------------------------------------------------------
  2349. ' Find OID information. Returns NULL if unable to find any information
  2350. ' for the specified key and group. Note, returns a pointer to a constant
  2351. ' data structure. The returned pointer MUST NOT be freed.
  2352. '
  2353. ' dwKeyType's:
  2354. ' CRYPT_OID_INFO_OID_KEY, pvKey points to a szOID
  2355. ' CRYPT_OID_INFO_NAME_KEY, pvKey points to a wszName
  2356. ' CRYPT_OID_INFO_ALGID_KEY, pvKey points to an ALG_ID
  2357. ' CRYPT_OID_INFO_SIGN_KEY, pvKey points to an array of two ALG_ID's:
  2358. ' ALG_ID[0] - Hash Algid
  2359. ' ALG_ID[1] - PubKey Algid
  2360. '
  2361. ' Setting dwGroupId to 0, searches all groups according to the dwKeyType.
  2362. ' Otherwise, only the dwGroupId is searched.
  2363. '--------------------------------------------------------------------------
  2364. Public Const CRYPT_OID_INFO_OID_KEY As Long = 1 ' dwKeyType: pvKey points to a szOID
  2365. Public Const CRYPT_OID_INFO_NAME_KEY As Long = 2 ' dwKeyType: pvKey points to a wszName
  2366. Public Const CRYPT_OID_INFO_ALGID_KEY As Long = 3 ' dwKeyType: pvKey points to an ALG_ID
  2367. Public Const CRYPT_OID_INFO_SIGN_KEY As Long = 4 ' dwKeyType: pvKey points to two ALG_IDs, hash Algid then public key Algid
  2368. '+-------------------------------------------------------------------------
  2369. ' Register OID information. The OID information specified in the
  2370. ' CCRYPT_OID_INFO structure is persisted to the registry.
  2371. '
  2372. ' crypt32.dll contains information for the commonly known OIDs. This function
  2373. ' allows applications to augment crypt32.dll's OID information. During
  2374. ' CryptFindOIDInfo's first call, the registered OID information is installed.
  2375. '
  2376. ' By default the registered OID information is installed after crypt32.dll's
  2377. ' OID entries. Set CRYPT_INSTALL_OID_INFO_BEFORE_FLAG to install before.
  2378. '--------------------------------------------------------------------------
  2379. Public Const CRYPT_INSTALL_OID_INFO_BEFORE_FLAG As Long = 1 ' install registered OID information ahead of crypt32.dll's own entries instead of after them
  2380. '+-------------------------------------------------------------------------
  2381. ' Unregister OID information. Only the pszOID and dwGroupId fields are
  2382. ' used to identify the OID information to be unregistered.
  2383. '--------------------------------------------------------------------------
  2384. ' If the enumeration callback (pfnEnumOIDInfo, described below) returns FALSE, the enumeration stops.
  2385. '+-------------------------------------------------------------------------
  2386. ' Enumerate the OID information.
  2387. '
  2388. ' pfnEnumOIDInfo is called for each OID information entry.
  2389. '
  2390. ' Setting dwGroupId to 0 matches all groups. Otherwise, only enumerates
  2391. ' entries in the specified group.
  2392. '
  2393. ' dwFlags currently isn't used and must be set to 0.
  2394. '--------------------------------------------------------------------------
  2395. '+-------------------------------------------------------------------------
  2396. ' Find the localized name for the specified name. For example, find the
  2397. ' localized name for the "Root" system store name. A case insensitive
  2398. ' string comparison is done.
  2399. '
  2400. ' Returns NULL if unable to find the specified name.
  2401. '
  2402. ' The pre-installed localized names are kept as resource strings in crypt32.dll. CryptSetOIDFunctionValue can be called
  2403. ' as follows to register additional localized strings:
  2404. ' dwEncodingType = CRYPT_LOCALIZED_NAME_ENCODING_TYPE
  2405. ' pszFuncName = CRYPT_OID_FIND_LOCALIZED_NAME_FUNC
  2406. ' pszOID = CRYPT_LOCALIZED_NAME_OID
  2407. ' pwszValueName = Name to be localized, for example, L"ApplicationStore"
  2408. ' dwValueType = REG_SZ
  2409. ' pbValueData = pointer to the UNICODE localized string
  2410. '
  2411. ' To unregister, set pbValueData to NULL and cbValueData to 0.
  2412. '
  2413. ' The registered names are searched before the pre-installed names.
  2414. '--------------------------------------------------------------------------
  2415. Public Const CRYPT_LOCALIZED_NAME_ENCODING_TYPE As Long = 0 ' dwEncodingType to pass when registering a localized name (see above)
  2416. Public Const CRYPT_LOCALIZED_NAME_OID As String = "LocalizedNames" ' pszOID to pass when registering a localized name; a plain name, not a dotted OID
  2417. '+=========================================================================
  2418. ' Low Level Cryptographic Message Data Structures and APIs
  2419. '==========================================================================
  2420. Public Const szOID_PKCS_7_DATA As String = "1.2.840.113549.1.7.1" ' PKCS #7 content type OIDs; the last arc matches the CMSG_* message type value below
  2421. Public Const szOID_PKCS_7_SIGNED As String = "1.2.840.113549.1.7.2"
  2422. Public Const szOID_PKCS_7_ENVELOPED As String = "1.2.840.113549.1.7.3"
  2423. Public Const szOID_PKCS_7_SIGNEDANDENVELOPED As String = "1.2.840.113549.1.7.4"
  2424. Public Const szOID_PKCS_7_DIGESTED As String = "1.2.840.113549.1.7.5"
  2425. Public Const szOID_PKCS_7_ENCRYPTED As String = "1.2.840.113549.1.7.6"
  2426. Public Const szOID_PKCS_9_CONTENT_TYPE As String = "1.2.840.113549.1.9.3" ' PKCS #9 contentType attribute
  2427. Public Const szOID_PKCS_9_MESSAGE_DIGEST As String = "1.2.840.113549.1.9.4" ' PKCS #9 messageDigest attribute
  2428. '+-------------------------------------------------------------------------
  2429. ' Message types
  2430. '--------------------------------------------------------------------------
  2431. Public Const CMSG_DATA As Long = 1 ' message type; value equals the last arc of the matching szOID_PKCS_7_* OID above
  2432. Public Const CMSG_SIGNED As Long = 2
  2433. Public Const CMSG_ENVELOPED As Long = 3
  2434. Public Const CMSG_SIGNED_AND_ENVELOPED As Long = 4
  2435. Public Const CMSG_HASHED As Long = 5 ' corresponds to szOID_PKCS_7_DIGESTED
  2436. Public Const CMSG_ENCRYPTED As Long = 6
  2437. '+-------------------------------------------------------------------------
  2438. ' Message Type Bit Flags
  2439. '--------------------------------------------------------------------------
  2440. '+-------------------------------------------------------------------------
  2441. ' Certificate Issuer and SerialNumber
  2442. '--------------------------------------------------------------------------
  2443. '+-------------------------------------------------------------------------
  2444. ' Certificate Identifier
  2445. '--------------------------------------------------------------------------
  2446. Public Const CERT_ID_ISSUER_SERIAL_NUMBER As Long = 1 ' dwIdChoice: the only choice PKCS #7 version 1.5 supports (see CMSG_SIGNED below)
  2447. Public Const CERT_ID_KEY_IDENTIFIER As Long = 2 ' dwIdChoice: CMS only
  2448. Public Const CERT_ID_SHA1_HASH As Long = 3 ' dwIdChoice: SHA-1 hash
  2449. '+-------------------------------------------------------------------------
  2450. '--------------------------------------------------------------------------
  2451. '+-------------------------------------------------------------------------
  2452. ' CMSG_DATA: pvMsgEncodeInfo = NULL
  2453. '--------------------------------------------------------------------------
  2454. '+-------------------------------------------------------------------------
  2455. ' CMSG_SIGNED
  2456. '
  2457. ' The pCertInfo in the CMSG_SIGNER_ENCODE_INFO provides the Issuer, SerialNumber
  2458. ' and PublicKeyInfo.Algorithm. The PublicKeyInfo.Algorithm implicitly
  2459. ' specifies the HashEncryptionAlgorithm to be used.
  2460. '
  2461. ' If the SignerId is present with a nonzero dwIdChoice, it's used instead
  2462. ' of the Issuer and SerialNumber in pCertInfo.
  2463. '
  2464. ' CMS supports the KEY_IDENTIFIER and ISSUER_SERIAL_NUMBER CERT_IDs. PKCS #7
  2465. ' version 1.5 only supports the ISSUER_SERIAL_NUMBER CERT_ID choice.
  2466. '
  2467. ' If HashEncryptionAlgorithm is present and not NULL, it's used instead of
  2468. ' the PublicKeyInfo.Algorithm.
  2469. '
  2470. ' Note, for RSA, the hash encryption algorithm is normally the same as
  2471. ' the public key algorithm. For DSA, the hash encryption algorithm is
  2472. ' normally a DSS signature algorithm.
  2473. '
  2474. ' pvHashEncryptionAuxInfo currently isn't used and must be set to NULL if
  2475. ' present in the data structure.
  2476. '
  2477. ' The hCryptProv and dwKeySpec specify the private key to use. If dwKeySpec
  2478. ' == 0, then, defaults to AT_SIGNATURE.
  2479. '
  2480. ' If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags, this hCryptProv is released on the final CryptMsgClose (see the Open dwFlags below).
  2481. '
  2482. ' pvHashAuxInfo currently isn't used and must be set to NULL.
  2483. '
  2484. ' CMS signed messages allow the inclusion of Attribute Certs.
  2485. '--------------------------------------------------------------------------
  2486. '+-------------------------------------------------------------------------
  2487. ' CMSG_ENVELOPED
  2488. '
  2489. ' The PCERT_INFO for the rgRecipients provides the Issuer, SerialNumber
  2490. ' and PublicKeyInfo. The PublicKeyInfo.Algorithm implicitly
  2491. ' specifies the KeyEncryptionAlgorithm to be used.
  2492. '
  2493. ' The PublicKeyInfo.PublicKey in PCERT_INFO is used to encrypt the content
  2494. ' encryption key for the recipient.
  2495. '
  2496. ' hCryptProv is used to do the content encryption, recipient key encryption
  2497. ' and export. The hCryptProv's private keys aren't used. If hCryptProv
  2498. ' is NULL, a default hCryptProv is chosen according to the
  2499. ' ContentEncryptionAlgorithm and the first recipient KeyEncryptionAlgorithm.
  2500. '
  2501. ' If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags, this hCryptProv is released on the final CryptMsgClose (see the Open dwFlags below).
  2502. '
  2503. ' Note: CAPI currently doesn't support more than one KeyEncryptionAlgorithm
  2504. ' per provider. This will need to be fixed.
  2505. '
  2506. ' Currently, pvEncryptionAuxInfo is only defined for RC2 or RC4 encryption
  2507. ' algorithms. Otherwise, it's not used and must be set to NULL.
  2508. ' See CMSG_RC2_AUX_INFO for the RC2 encryption algorithms.
  2509. ' See CMSG_RC4_AUX_INFO for the RC4 encryption algorithms.
  2510. '
  2511. ' To enable SP3 compatible encryption, pvEncryptionAuxInfo should point to
  2512. ' a CMSG_SP3_COMPATIBLE_AUX_INFO data structure.
  2513. '
  2514. ' To enable the CMS envelope enhancements, rgpRecipients must be set to
  2515. ' NULL, and rgCmsRecipients updated to point to an array of
  2516. ' CMSG_RECIPIENT_ENCODE_INFO's.
  2517. '
  2518. ' Also, CMS envelope enhancements support the inclusion of a bag of
  2519. ' Certs, CRLs, Attribute Certs and/or Unprotected Attributes.
  2520. '--------------------------------------------------------------------------
  2521. '+-------------------------------------------------------------------------
  2522. ' Key Transport Recipient Encode Info
  2523. '
  2524. ' hCryptProv is used to do the recipient key encryption
  2525. ' and export. The hCryptProv's private keys aren't used.
  2526. '
  2527. ' If hCryptProv is NULL, then, the hCryptProv specified in
  2528. ' CMSG_ENVELOPED_ENCODE_INFO is used.
  2529. '
  2530. ' Note, even if CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags, this recipient hCryptProv isn't released.
  2531. '
  2532. ' CMS supports the KEY_IDENTIFIER and ISSUER_SERIAL_NUMBER CERT_IDs. PKCS #7
  2533. ' version 1.5 only supports the ISSUER_SERIAL_NUMBER CERT_ID choice.
  2534. '--------------------------------------------------------------------------
  2535. '+-------------------------------------------------------------------------
  2536. ' Key Agreement Recipient Encode Info
  2537. '
  2538. ' If hCryptProv is NULL, then, the hCryptProv specified in
  2539. ' CMSG_ENVELOPED_ENCODE_INFO is used.
  2540. '
  2541. ' For the CMSG_KEY_AGREE_STATIC_KEY_CHOICE, both the hCryptProv and
  2542. ' dwKeySpec must be specified to select the sender's private key.
  2543. '
  2544. ' Note, even if CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags, this recipient hCryptProv isn't released.
  2545. '
  2546. ' CMS supports the KEY_IDENTIFIER and ISSUER_SERIAL_NUMBER CERT_IDs.
  2547. '
  2548. ' There is 1 key choice, ephemeral originator. The originator's ephemeral
  2549. ' key is generated using the public key algorithm parameters shared
  2550. ' amongst all the recipients.
  2551. '
  2552. ' There are 2 key choices: ephemeral originator or static sender. The
  2553. ' originator's ephemeral key is generated using the public key algorithm
  2554. ' parameters shared amongst all the recipients. For the static sender its
  2555. ' private key is used. The hCryptProv and dwKeySpec specify the private key.
  2556. ' The pSenderId identifies the certificate containing the sender's public key.
  2557. '
  2558. ' Currently, pvKeyEncryptionAuxInfo isn't used and must be set to NULL.
  2559. '
  2560. ' If KeyEncryptionAlgorithm.Parameters.cbData == 0, then, its Parameters
  2561. ' are updated with the encoded KeyWrapAlgorithm.
  2562. '
  2563. ' Currently, pvKeyWrapAuxInfo is only defined for algorithms with
  2564. ' RC2. Otherwise, it's not used and must be set to NULL.
  2565. ' When set for RC2 algorithms, points to a CMSG_RC2_AUX_INFO containing
  2566. ' the RC2 effective key length.
  2567. '
  2568. ' Note, key agreement recipients are not supported in PKCS #7 version 1.5.
  2569. '--------------------------------------------------------------------------
  2570. Public Const CMSG_KEY_AGREE_EPHEMERAL_KEY_CHOICE As Long = 1 ' originator key generated from the public key algorithm parameters shared by all recipients
  2571. Public Const CMSG_KEY_AGREE_STATIC_KEY_CHOICE As Long = 2 ' sender's private key selected by hCryptProv and dwKeySpec; pSenderId names its certificate
  2572. '+-------------------------------------------------------------------------
  2573. ' Mail List Recipient Encode Info
  2574. '
  2575. ' There is 1 choice for the KeyEncryptionKey: an already created CSP key
  2576. ' handle. For the key handle choice, hCryptProv must be nonzero. This key
  2577. ' handle isn't destroyed.
  2578. '
  2579. ' Note, even if CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags, this recipient hCryptProv isn't released.
  2580. '
  2581. ' Currently, pvKeyEncryptionAuxInfo is only defined for RC2 key wrap
  2582. ' algorithms. Otherwise, it's not used and must be set to NULL.
  2583. ' When set for RC2 algorithms, points to a CMSG_RC2_AUX_INFO containing
  2584. ' the RC2 effective key length.
  2585. '
  2586. ' Note, mail list recipients are not supported in PKCS #7 version 1.5.
  2587. '--------------------------------------------------------------------------
  2588. Public Const CMSG_MAIL_LIST_HANDLE_KEY_CHOICE As Long = 1 ' KeyEncryptionKey is an existing CSP key handle; hCryptProv must be nonzero and the handle is not destroyed
  2589. '+-------------------------------------------------------------------------
  2590. ' Recipient Encode Info
  2591. '
  2592. ' Note, only key transport recipients are supported in PKCS #7 version 1.5.
  2593. '--------------------------------------------------------------------------
  2594. Public Const CMSG_KEY_TRANS_RECIPIENT As Long = 1 ' dwRecipientChoice: the only recipient type supported in PKCS #7 version 1.5
  2595. Public Const CMSG_KEY_AGREE_RECIPIENT As Long = 2 ' dwRecipientChoice: CMS only
  2596. Public Const CMSG_MAIL_LIST_RECIPIENT As Long = 3 ' dwRecipientChoice: CMS only
  2597. '+-------------------------------------------------------------------------
  2598. ' CMSG_RC2_AUX_INFO
  2599. '
  2600. ' AuxInfo for RC2 encryption algorithms. The pvEncryptionAuxInfo field
  2601. ' in CMSG_ENCRYPTED_ENCODE_INFO should be updated to point to this
  2602. ' structure. If not specified, defaults to 40 bit.
  2603. '
  2604. ' Note, this AuxInfo is only used when, the ContentEncryptionAlgorithm's
  2605. ' Parameter.cbData is zero. Otherwise, the Parameters are decoded to
  2606. ' get the bit length.
  2607. '
  2608. ' If CMSG_SP3_COMPATIBLE_ENCRYPT_FLAG is set in dwBitLen, then, SP3
  2609. ' compatible encryption is done and the bit length is ignored.
  2610. '--------------------------------------------------------------------------
  2611. '+-------------------------------------------------------------------------
  2612. ' CMSG_SP3_COMPATIBLE_AUX_INFO
  2613. '
  2614. ' AuxInfo for enabling SP3 compatible encryption.
  2615. '
  2616. ' The CMSG_SP3_COMPATIBLE_ENCRYPT_FLAG is set in dwFlags to enable SP3
  2617. ' compatible encryption. When set, uses zero salt instead of no salt,
  2618. ' the encryption algorithm parameters are NULL instead of containing the
  2619. ' encoded RC2 parameters or encoded IV octet string and the encrypted
  2620. ' symmetric key is encoded little endian instead of big endian.
  2621. '--------------------------------------------------------------------------
  2622. Public Const CMSG_SP3_COMPATIBLE_ENCRYPT_FLAG As Long = &H80000000 ' high bit of dwBitLen / dwFlags (negative as a signed Long); selects SP3 compatible encryption, see above
  2623. '+-------------------------------------------------------------------------
  2624. ' CMSG_RC4_AUX_INFO
  2625. '
  2626. ' AuxInfo for RC4 encryption algorithms. The pvEncryptionAuxInfo field
  2627. ' in CMSG_ENCRYPTED_ENCODE_INFO should be updated to point to this
  2628. ' structure. If not specified, uses the CSP's default bit length with no
  2629. ' salt. Note, the base CSP has a 40 bit default and the enhanced CSP has
  2630. ' a 128 bit default.
  2631. '
  2632. ' If CMSG_RC4_NO_SALT_FLAG is set in dwBitLen, then, no salt is generated.
  2633. ' Otherwise, the generated salt is encoded as an OCTET STRING in the algorithm parameters field.
  2634. '--------------------------------------------------------------------------
  2635. Public Const CMSG_RC4_NO_SALT_FLAG As Long = &H40000000 ' OR'ed into CMSG_RC4_AUX_INFO dwBitLen to suppress salt generation
  2636. '+-------------------------------------------------------------------------
  2637. ' CMSG_SIGNED_AND_ENVELOPED
  2638. '
  2639. ' For PKCS #7, a signed and enveloped message doesn't have the
  2640. ' signer's authenticated or unauthenticated attributes. Otherwise, a
  2641. ' combination of the CMSG_SIGNED_ENCODE_INFO and CMSG_ENVELOPED_ENCODE_INFO.
  2642. '--------------------------------------------------------------------------
  2643. '+-------------------------------------------------------------------------
  2644. ' CMSG_HASHED
  2645. '
  2646. ' hCryptProv is used to do the hash. Doesn't need to use a private key.
  2647. '
  2648. ' If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags, this hCryptProv is released on the final CryptMsgClose (see the Open dwFlags below).
  2649. '
  2650. ' If fDetachedHash is set, then, the encoded message doesn't contain the hashed content.
  2651. '
  2652. ' pvHashAuxInfo currently isn't used and must be set to NULL.
  2653. '--------------------------------------------------------------------------
  2654. '+-------------------------------------------------------------------------
  2655. ' CMSG_ENCRYPTED
  2656. '
  2657. ' The key used to encrypt the message is identified outside of the message
  2658. '
  2659. ' The content input to CryptMsgUpdate has already been encrypted.
  2660. '
  2661. ' pvEncryptionAuxInfo currently isn't used and must be set to NULL.
  2662. '--------------------------------------------------------------------------
  2663. '+-------------------------------------------------------------------------
  2664. ' This parameter allows messages to be of variable length with streamed
  2665. ' output.
  2666. '
  2667. ' By default, messages are of a definite length and CryptMsgGetParam is
  2668. ' called to get the cryptographically processed content. Until closed,
  2669. ' the handle keeps a copy of the processed content.
  2670. '
  2671. ' With streamed output, the processed content can be freed as it's streamed.
  2672. '
  2673. ' If the length of the content to be updated is known at the time of the
  2674. ' open, then, ContentLength should be set to that length. Otherwise, it
  2675. ' should be set to CMSG_INDEFINITE_LENGTH.
  2676. '--------------------------------------------------------------------------
  2677. Public Const CMSG_INDEFINITE_LENGTH As Long = &HFFFFFFFF ' ContentLength value for streamed output when the total length is unknown at open time; -1 as a signed Long
  2678. '+-------------------------------------------------------------------------
  2679. ' Open dwFlags
  2680. '--------------------------------------------------------------------------
  2681. Public Const CMSG_BARE_CONTENT_FLAG As Long = &H00000001 ' streamed output omits the outer ContentInfo wrapper so it can be nested in an enclosing message (see below)
  2682. Public Const CMSG_LENGTH_ONLY_FLAG As Long = &H00000002
  2683. Public Const CMSG_DETACHED_FLAG As Long = &H00000004
  2684. Public Const CMSG_AUTHENTICATED_ATTRIBUTES_FLAG As Long = &H00000008
  2685. Public Const CMSG_CONTENTS_OCTETS_FLAG As Long = &H00000010
  2686. Public Const CMSG_MAX_LENGTH_FLAG As Long = &H00000020
  2687. ' When set, nonData type inner content is encapsulated within an
  2688. ' OCTET STRING. Applicable to both Signed and Enveloped messages.
  2689. Public Const CMSG_CMS_ENCAPSULATED_CONTENT_FLAG As Long = &H00000040 ' wrap nonData inner content in an OCTET STRING (Signed and Enveloped messages)
  2690. ' If set, then, the hCryptProv passed to CryptMsgOpenToEncode or
  2691. ' CryptMsgOpenToDecode is released on the final CryptMsgClose.
  2692. ' Not released if CryptMsgOpenToEncode or CryptMsgOpenToDecode fails.
  2693. '
  2694. ' Note, the envelope recipient hCryptProv's aren't released.
  2695. Public Const CMSG_CRYPT_RELEASE_CONTEXT_FLAG As Long = &H00008000 ' the open call's hCryptProv is released on the final CryptMsgClose (not on open failure); recipient hCryptProv's are never released
  2696. '+-------------------------------------------------------------------------
  2697. ' Open a cryptographic message for encoding
  2698. '
  2699. ' For PKCS #7:
  2700. ' If the content to be passed to CryptMsgUpdate has already been encoded (for example, it is the output
  2701. ' from another message encode), then, the CMSG_ENCODED_CONTENT_INFO_FLAG should
  2702. ' be set in dwFlags. If not set, then, the inner ContentType is Data and
  2703. ' the input to CryptMsgUpdate is treated as the inner Data type's Content,
  2704. ' a string of bytes.
  2705. ' If CMSG_BARE_CONTENT_FLAG is specified for a streamed message,
  2706. ' the streamed output will not have an outer ContentInfo wrapper. This
  2707. ' makes it suitable to be streamed into an enclosing message.
  2708. '
  2709. ' The pStreamInfo parameter needs to be set to stream the encoded message
  2710. ' output.
  2711. '--------------------------------------------------------------------------
  2712. '+-------------------------------------------------------------------------
  2713. ' Calculate the length of an encoded cryptographic message.
  2714. '
  2715. ' Calculates the length of the encoded message given the
  2716. ' message type, encoding parameters and total length of
  2717. ' the data to be updated. Note, this might not be the exact length. However,
  2718. ' it will always be greater than or equal to the actual length.
  2719. '--------------------------------------------------------------------------
  2720. '+-------------------------------------------------------------------------
  2721. ' Open a cryptographic message for decoding
  2722. '
  2723. ' hCryptProv specifies the crypto provider to use for hashing and/or
  2724. ' decrypting the message. If hCryptProv is NULL, a default crypt provider
  2725. ' is used.
  2726. '
  2727. ' Currently pRecipientInfo isn't used and should be set to NULL.
  2728. '
  2729. ' The pStreamInfo parameter needs to be set to stream the decoded content
  2730. ' output.
  2731. '--------------------------------------------------------------------------
  2732. '+-------------------------------------------------------------------------
  2733. ' Duplicate a cryptographic message handle
  2734. '--------------------------------------------------------------------------
  2735. '+-------------------------------------------------------------------------
  2736. ' Close a cryptographic message handle
  2737. '
  2738. ' LastError is preserved unless FALSE is returned.
  2739. '--------------------------------------------------------------------------
  2740. '+-------------------------------------------------------------------------
  2741. ' Update the content of a cryptographic message. Depending on how the
  2742. ' message was opened, the content is either encoded or decoded.
  2743. '
  2744. ' This function is repetitively called to append to the message content.
  2745. ' fFinal is set to identify the last update. On fFinal, the encode/decode
  2746. ' is completed. The encoded/decoded content and the decoded parameters
  2747. ' are valid until the open and all duplicated handles are closed.
  2748. '--------------------------------------------------------------------------
  2749. '+-------------------------------------------------------------------------
  2750. ' Get a parameter after encoding/decoding a cryptographic message. Called
  2751. ' after the final CryptMsgUpdate. Only the CMSG_CONTENT_PARAM and
  2752. ' CMSG_COMPUTED_HASH_PARAM are valid for an encoded message.
  2753. '
  2754. ' For an encoded HASHED message, the CMSG_COMPUTED_HASH_PARAM can be got
  2755. ' before any CryptMsgUpdates to get its length.
  2756. '
  2757. ' The pvData type definition depends on the dwParamType value.
  2758. '
  2759. ' Elements pointed to by fields in the pvData structure follow the
  2760. ' structure. Therefore, *pcbData may exceed the size of the structure.
  2761. '
  2762. ' Upon input, if *pcbData == 0, then, *pcbData is updated with the length
  2763. ' of the data and the pvData parameter is ignored.
  2764. '
  2765. ' Upon return, *pcbData is updated with the length of the data.
  2766. '
  2767. ' The OBJID BLOBs returned in the pvData structures point to
  2768. ' their still encoded representation. The appropriate functions
  2769. ' must be called to decode the information.
  2770. '
  2771. ' See below for a list of the parameters to get.
  2772. '--------------------------------------------------------------------------
  2773. '+-------------------------------------------------------------------------
  2774. ' Get parameter types and their corresponding data structure definitions.
  2775. '--------------------------------------------------------------------------
' dwParamType values for CryptMsgGetParam. The pvData layout for each value
' is described in the per-parameter comment blocks that follow this list.
' Values 16 and 23..25 are not defined in this module.
'
' Message type and content
Public Const CMSG_TYPE_PARAM As Long = 1                  ' DWORD: type of the decoded message
Public Const CMSG_CONTENT_PARAM As Long = 2               ' bytes: encoded content (decrypted content when decoding an enveloped message); valid for an encoded message
Public Const CMSG_BARE_CONTENT_PARAM As Long = 3          ' bytes: encoding of ContentInfo.content only, without the outer ContentInfo
Public Const CMSG_INNER_CONTENT_TYPE_PARAM As Long = 4    ' NULL-terminated object identifier string of the inner content type
' Signers; dwIndex (0 .. SignerCount - 1) selects the signer for the per-signer parameters
Public Const CMSG_SIGNER_COUNT_PARAM As Long = 5          ' DWORD
Public Const CMSG_SIGNER_INFO_PARAM As Long = 6           ' CMSG_SIGNER_INFO
Public Const CMSG_SIGNER_CERT_INFO_PARAM As Long = 7      ' CERT_INFO with only Issuer and SerialNumber filled in
Public Const CMSG_SIGNER_HASH_ALGORITHM_PARAM As Long = 8 ' CRYPT_ALGORITHM_IDENTIFIER
Public Const CMSG_SIGNER_AUTH_ATTR_PARAM As Long = 9      ' CMSG_ATTR: authenticated attributes (covered by the signer's signature)
Public Const CMSG_SIGNER_UNAUTH_ATTR_PARAM As Long = 10   ' CMSG_ATTR: unauthenticated attributes (NOT covered by the signature; treat as unverified input)
' Certificates and CRLs carried in the message; dwIndex selects the item
Public Const CMSG_CERT_COUNT_PARAM As Long = 11           ' DWORD
Public Const CMSG_CERT_PARAM As Long = 12                 ' bytes: one certificate's encoding
Public Const CMSG_CRL_COUNT_PARAM As Long = 13            ' DWORD
Public Const CMSG_CRL_PARAM As Long = 14                  ' bytes: one CRL's encoding
' Enveloped messages, PKCS#7 key transport recipients only (the CMSG_CMS_RECIPIENT_* parameters below cover all recipient types)
Public Const CMSG_ENVELOPE_ALGORITHM_PARAM As Long = 15   ' CRYPT_ALGORITHM_IDENTIFIER: ContentEncryptionAlgorithm
Public Const CMSG_RECIPIENT_COUNT_PARAM As Long = 17      ' DWORD: count of key transport recipients only
Public Const CMSG_RECIPIENT_INDEX_PARAM As Long = 18      ' DWORD: index of the recipient used to decrypt; fails with CRYPT_E_INVALID_INDEX if it was not a key transport recipient
Public Const CMSG_RECIPIENT_INFO_PARAM As Long = 19       ' CERT_INFO with Issuer, SerialNumber and PublicKeyAlgorithm (= KeyEncryptionAlgorithm) filled in
' Hashed messages
Public Const CMSG_HASH_ALGORITHM_PARAM As Long = 20       ' CRYPT_ALGORITHM_IDENTIFIER
Public Const CMSG_HASH_DATA_PARAM As Long = 21            ' bytes: the hash value carried in the message (sender-supplied; check it with CMSG_CTRL_VERIFY_HASH rather than trusting it)
Public Const CMSG_COMPUTED_HASH_PARAM As Long = 22        ' bytes: hash computed over the content; also per-signer (dwIndex) for a SIGNED message; valid for an encoded message
' Encrypted messages and raw encodings
Public Const CMSG_ENCRYPT_PARAM As Long = 26              ' CRYPT_ALGORITHM_IDENTIFIER: ContentEncryptionAlgorithm of an ENCRYPTED message
Public Const CMSG_ENCRYPTED_DIGEST As Long = 27           ' not described in this module
Public Const CMSG_ENCODED_SIGNER As Long = 28             ' not described in this module
Public Const CMSG_ENCODED_MESSAGE As Long = 29            ' bytes: the full encoded message
Public Const CMSG_VERSION_PARAM As Long = 30              ' DWORD: version of the decoded message (see the CMSG_*_V* constants below)
' Attribute certificates; dwIndex selects the item
Public Const CMSG_ATTR_CERT_COUNT_PARAM As Long = 31      ' DWORD
Public Const CMSG_ATTR_CERT_PARAM As Long = 32            ' bytes: one attribute certificate's encoding
' CMS recipients: all recipient types (KeyTrans, KeyAgree and MailList)
Public Const CMSG_CMS_RECIPIENT_COUNT_PARAM As Long = 33  ' DWORD: count of all recipients
Public Const CMSG_CMS_RECIPIENT_INDEX_PARAM As Long = 34  ' DWORD: index of the CMS recipient used to decrypt
Public Const CMSG_CMS_RECIPIENT_ENCRYPTED_KEY_INDEX_PARAM As Long = 35 ' DWORD: for a key agreement recipient, index of the encrypted key used to decrypt
Public Const CMSG_CMS_RECIPIENT_INFO_PARAM As Long = 36   ' CMSG_CMS_RECIPIENT_INFO; dwIndex selects the recipient
' CMS signers and enveloped-data extras
Public Const CMSG_UNPROTECTED_ATTR_PARAM As Long = 37     ' CMSG_ATTR: unprotected attributes of an ENVELOPED message (not integrity protected)
Public Const CMSG_SIGNER_CERT_ID_PARAM As Long = 38       ' CERT_ID; dwIndex selects the signer
Public Const CMSG_CMS_SIGNER_INFO_PARAM As Long = 39      ' CMSG_CMS_SIGNER_INFO: like CMSG_SIGNER_INFO_PARAM but carries a SignerId
  2811. '+-------------------------------------------------------------------------
  2812. ' CMSG_TYPE_PARAM
  2813. '
  2814. ' The type of the decoded message.
  2815. '
  2816. ' pvData points to a DWORD
  2817. '--------------------------------------------------------------------------
  2818. '+-------------------------------------------------------------------------
  2819. ' CMSG_CONTENT_PARAM
  2820. '
' The encoded content of a cryptographic message. Depending on how the
' message was opened, the content is either the whole PKCS#7 message
' (opened to encode) or only the inner content (opened to decode).
' In the decode case, the decrypted content is returned, if enveloped.
' If not enveloped, and if the inner content is of type DATA, the returned
' data is the contents octets of the inner content.
  2826. '
  2827. ' pvData points to the buffer receiving the content bytes
  2828. '--------------------------------------------------------------------------
  2829. '+-------------------------------------------------------------------------
  2830. ' CMSG_BARE_CONTENT_PARAM
  2831. '
  2832. ' The encoded content of an encoded cryptographic message, without the
  2833. ' outer layer of ContentInfo. That is, only the encoding of the
  2834. ' ContentInfo.content field is returned.
  2835. '
  2836. ' pvData points to the buffer receiving the content bytes
  2837. '--------------------------------------------------------------------------
  2838. '+-------------------------------------------------------------------------
  2839. ' CMSG_INNER_CONTENT_TYPE_PARAM
  2840. '
  2841. ' The type of the inner content of a decoded cryptographic message,
  2842. ' in the form of a NULL-terminated object identifier string
  2843. '
  2844. ' pvData points to the buffer receiving the object identifier string
  2845. '--------------------------------------------------------------------------
  2846. '+-------------------------------------------------------------------------
  2847. ' CMSG_SIGNER_COUNT_PARAM
  2848. '
  2849. ' Count of signers in a SIGNED or SIGNED_AND_ENVELOPED message
  2850. '
  2851. ' pvData points to a DWORD
  2852. '--------------------------------------------------------------------------
  2853. '+-------------------------------------------------------------------------
  2854. ' CMSG_SIGNER_CERT_INFO_PARAM
  2855. '
  2856. ' To get all the signers, repetitively call CryptMsgGetParam, with
  2857. ' dwIndex set to 0 .. SignerCount - 1.
  2858. '
  2859. ' pvData points to a CERT_INFO struct.
  2860. '
  2861. ' Only the following fields have been updated in the CERT_INFO struct:
  2862. ' Issuer and SerialNumber.
  2863. '
' Note, if the KEYID choice was selected for a CMS SignerId, then the
' SerialNumber is 0 and the Issuer is encoded containing a single RDN with a
' single Attribute whose OID is szOID_KEYID_RDN, value type is
' CERT_RDN_OCTET_STRING and value is the KEYID. When
' CertGetSubjectCertificateFromStore and
' CertFindCertificateInStore(CERT_FIND_SUBJECT_CERT) see this special KEYID
' Issuer and SerialNumber, they do a KEYID match.
  2870. '--------------------------------------------------------------------------
  2871. '+-------------------------------------------------------------------------
  2872. ' CMSG_SIGNER_INFO_PARAM
  2873. '
  2874. ' To get all the signers, repetitively call CryptMsgGetParam, with
  2875. ' dwIndex set to 0 .. SignerCount - 1.
  2876. '
  2877. ' pvData points to a CMSG_SIGNER_INFO struct.
  2878. '
' Note, if the KEYID choice was selected for a CMS SignerId, then the
' SerialNumber is 0 and the Issuer is encoded containing a single RDN with a
' single Attribute whose OID is szOID_KEYID_RDN, value type is
' CERT_RDN_OCTET_STRING and value is the KEYID. When
' CertGetSubjectCertificateFromStore and
' CertFindCertificateInStore(CERT_FIND_SUBJECT_CERT) see this special KEYID
' Issuer and SerialNumber, they do a KEYID match.
  2885. '--------------------------------------------------------------------------
  2886. '+-------------------------------------------------------------------------
  2887. ' CMSG_SIGNER_CERT_ID_PARAM
  2888. '
  2889. ' To get all the signers, repetitively call CryptMsgGetParam, with
  2890. ' dwIndex set to 0 .. SignerCount - 1.
  2891. '
  2892. ' pvData points to a CERT_ID struct.
  2893. '--------------------------------------------------------------------------
  2894. '+-------------------------------------------------------------------------
  2895. ' CMSG_CMS_SIGNER_INFO_PARAM
  2896. '
' Same as CMSG_SIGNER_INFO_PARAM, except that it contains a SignerId instead
' of Issuer and SerialNumber.
  2899. '
  2900. ' To get all the signers, repetitively call CryptMsgGetParam, with
  2901. ' dwIndex set to 0 .. SignerCount - 1.
  2902. '
  2903. ' pvData points to a CMSG_CMS_SIGNER_INFO struct.
  2904. '--------------------------------------------------------------------------
  2905. '+-------------------------------------------------------------------------
  2906. ' CMSG_SIGNER_HASH_ALGORITHM_PARAM
  2907. '
  2908. ' This parameter specifies the HashAlgorithm that was used for the signer.
  2909. '
  2910. ' Set dwIndex to iterate through all the signers.
  2911. '
' pvData points to a CRYPT_ALGORITHM_IDENTIFIER struct.
  2913. '--------------------------------------------------------------------------
  2914. '+-------------------------------------------------------------------------
  2915. ' CMSG_SIGNER_AUTH_ATTR_PARAM
  2916. '
  2917. ' The authenticated attributes for the signer.
  2918. '
  2919. ' Set dwIndex to iterate through all the signers.
  2920. '
  2921. ' pvData points to a CMSG_ATTR struct.
  2922. '--------------------------------------------------------------------------
  2923. '+-------------------------------------------------------------------------
  2924. ' CMSG_SIGNER_UNAUTH_ATTR_PARAM
  2925. '
  2926. ' The unauthenticated attributes for the signer.
  2927. '
  2928. ' Set dwIndex to iterate through all the signers.
  2929. '
  2930. ' pvData points to a CMSG_ATTR struct.
  2931. '--------------------------------------------------------------------------
  2932. '+-------------------------------------------------------------------------
  2933. ' CMSG_CERT_COUNT_PARAM
  2934. '
  2935. ' Count of certificates in a SIGNED or SIGNED_AND_ENVELOPED message.
  2936. '
' CMS also supports certificates in an ENVELOPED message.
  2938. '
  2939. ' pvData points to a DWORD
  2940. '--------------------------------------------------------------------------
  2941. '+-------------------------------------------------------------------------
  2942. ' CMSG_CERT_PARAM
  2943. '
  2944. ' To get all the certificates, repetitively call CryptMsgGetParam, with
  2945. ' dwIndex set to 0 .. CertCount - 1.
  2946. '
  2947. ' pvData points to an array of the certificate's encoded bytes.
  2948. '--------------------------------------------------------------------------
  2949. '+-------------------------------------------------------------------------
  2950. ' CMSG_CRL_COUNT_PARAM
  2951. '
  2952. ' Count of CRLs in a SIGNED or SIGNED_AND_ENVELOPED message.
  2953. '
' CMS also supports CRLs in an ENVELOPED message.
  2955. '
  2956. ' pvData points to a DWORD
  2957. '--------------------------------------------------------------------------
  2958. '+-------------------------------------------------------------------------
  2959. ' CMSG_CRL_PARAM
  2960. '
  2961. ' To get all the CRLs, repetitively call CryptMsgGetParam, with
  2962. ' dwIndex set to 0 .. CrlCount - 1.
  2963. '
  2964. ' pvData points to an array of the CRL's encoded bytes.
  2965. '--------------------------------------------------------------------------
  2966. '+-------------------------------------------------------------------------
  2967. ' CMSG_ENVELOPE_ALGORITHM_PARAM
  2968. '
  2969. ' The ContentEncryptionAlgorithm that was used in
  2970. ' an ENVELOPED or SIGNED_AND_ENVELOPED message.
  2971. '
  2972. ' For streaming you must be able to successfully get this parameter before
  2973. ' doing a CryptMsgControl decrypt.
  2974. '
' pvData points to a CRYPT_ALGORITHM_IDENTIFIER struct.
  2976. '--------------------------------------------------------------------------
  2977. '+-------------------------------------------------------------------------
  2978. ' CMSG_RECIPIENT_COUNT_PARAM
  2979. '
  2980. ' Count of recipients in an ENVELOPED or SIGNED_AND_ENVELOPED message.
  2981. '
' Counts only the key transport recipients.
'
' The CMSG_CMS_RECIPIENT_COUNT_PARAM has the total count of all recipients.
  2985. '
  2986. ' pvData points to a DWORD
  2987. '--------------------------------------------------------------------------
  2988. '+-------------------------------------------------------------------------
  2989. ' CMSG_RECIPIENT_INDEX_PARAM
  2990. '
  2991. ' Index of the recipient used to decrypt an ENVELOPED or SIGNED_AND_ENVELOPED
  2992. ' message.
  2993. '
  2994. ' Index of a key transport recipient. If a non key transport
  2995. ' recipient was used to decrypt, fails with LastError set to
  2996. ' CRYPT_E_INVALID_INDEX.
  2997. '
  2998. ' pvData points to a DWORD
  2999. '--------------------------------------------------------------------------
  3000. '+-------------------------------------------------------------------------
  3001. ' CMSG_RECIPIENT_INFO_PARAM
  3002. '
  3003. ' To get all the recipients, repetitively call CryptMsgGetParam, with
  3004. ' dwIndex set to 0 .. RecipientCount - 1.
  3005. '
' Only returns the key transport recipients.
  3007. '
  3008. ' The CMSG_CMS_RECIPIENT_INFO_PARAM returns all recipients.
  3009. '
  3010. ' pvData points to a CERT_INFO struct.
  3011. '
  3012. ' Only the following fields have been updated in the CERT_INFO struct:
  3013. ' Issuer, SerialNumber and PublicKeyAlgorithm. The PublicKeyAlgorithm
  3014. ' specifies the KeyEncryptionAlgorithm that was used.
  3015. '
' Note, if the KEYID choice was selected for a key transport recipient, then
' the SerialNumber is 0 and the Issuer is encoded containing a single RDN
' with a single Attribute whose OID is szOID_KEYID_RDN, value type is
' CERT_RDN_OCTET_STRING and value is the KEYID. When
' CertGetSubjectCertificateFromStore and
' CertFindCertificateInStore(CERT_FIND_SUBJECT_CERT) see this special KEYID
' Issuer and SerialNumber, they do a KEYID match.
  3022. '--------------------------------------------------------------------------
  3023. '+-------------------------------------------------------------------------
  3024. ' CMSG_HASH_ALGORITHM_PARAM
  3025. '
  3026. ' The HashAlgorithm in a HASHED message.
  3027. '
' pvData points to a CRYPT_ALGORITHM_IDENTIFIER struct.
  3029. '--------------------------------------------------------------------------
  3030. '+-------------------------------------------------------------------------
  3031. ' CMSG_HASH_DATA_PARAM
  3032. '
  3033. ' The hash in a HASHED message.
  3034. '
  3035. ' pvData points to an array of bytes.
  3036. '--------------------------------------------------------------------------
  3037. '+-------------------------------------------------------------------------
  3038. ' CMSG_COMPUTED_HASH_PARAM
  3039. '
  3040. ' The computed hash for a HASHED message.
  3041. ' This may be called for either an encoded or decoded message.
  3042. '
' Also, the computed hash for one of the signers in a SIGNED message.
  3044. ' It may be called for either an encoded or decoded message after the
  3045. ' final update. Set dwIndex to iterate through all the signers.
  3046. '
  3047. ' pvData points to an array of bytes.
  3048. '--------------------------------------------------------------------------
  3049. '+-------------------------------------------------------------------------
  3050. ' CMSG_ENCRYPT_PARAM
  3051. '
  3052. ' The ContentEncryptionAlgorithm that was used in an ENCRYPTED message.
  3053. '
' pvData points to a CRYPT_ALGORITHM_IDENTIFIER struct.
  3055. '--------------------------------------------------------------------------
  3056. '+-------------------------------------------------------------------------
  3057. ' CMSG_ENCODED_MESSAGE
  3058. '
' The full encoded message. This is useful in the case of a decoded
' signed-and-enveloped-data message which has been countersigned.
  3061. '
  3062. ' pvData points to an array of the message's encoded bytes.
  3063. '--------------------------------------------------------------------------
  3064. '+-------------------------------------------------------------------------
  3065. ' CMSG_VERSION_PARAM
  3066. '
  3067. ' The version of the decoded message.
  3068. '
  3069. ' pvData points to a DWORD
  3070. '--------------------------------------------------------------------------
' Version numbers. CMSG_VERSION_PARAM returns the version of a decoded
' message as a DWORD; compare it against the values for that message type.
' The CMSG_SIGNER_INFO_V* values are per-SignerInfo versions; how they are
' surfaced is not shown in this module (presumably through the signer info
' structures rather than CMSG_VERSION_PARAM - confirm against the caller).
Public Const CMSG_SIGNED_DATA_V1 As Long = 1
Public Const CMSG_SIGNED_DATA_V3 As Long = 3
Public Const CMSG_SIGNER_INFO_V1 As Long = 1
Public Const CMSG_SIGNER_INFO_V3 As Long = 3
Public Const CMSG_HASHED_DATA_V0 As Long = 0
Public Const CMSG_HASHED_DATA_V2 As Long = 2
Public Const CMSG_ENVELOPED_DATA_V0 As Long = 0
Public Const CMSG_ENVELOPED_DATA_V2 As Long = 2
  3079. '+-------------------------------------------------------------------------
  3080. ' CMSG_ATTR_CERT_COUNT_PARAM
  3081. '
  3082. ' Count of attribute certificates in a SIGNED or ENVELOPED message.
  3083. '
  3084. ' pvData points to a DWORD
  3085. '--------------------------------------------------------------------------
  3086. '+-------------------------------------------------------------------------
  3087. ' CMSG_ATTR_CERT_PARAM
  3088. '
  3089. ' To get all the attribute certificates, repetitively call CryptMsgGetParam,
  3090. ' with dwIndex set to 0 .. AttrCertCount - 1.
  3091. '
  3092. ' pvData points to an array of the attribute certificate's encoded bytes.
  3093. '--------------------------------------------------------------------------
  3094. '+-------------------------------------------------------------------------
  3095. ' CMSG_CMS_RECIPIENT_COUNT_PARAM
  3096. '
  3097. ' Count of all CMS recipients in an ENVELOPED message.
  3098. '
  3099. ' pvData points to a DWORD
  3100. '--------------------------------------------------------------------------
  3101. '+-------------------------------------------------------------------------
  3102. ' CMSG_CMS_RECIPIENT_INDEX_PARAM
  3103. '
  3104. ' Index of the CMS recipient used to decrypt an ENVELOPED message.
  3105. '
  3106. ' pvData points to a DWORD
  3107. '--------------------------------------------------------------------------
  3108. '+-------------------------------------------------------------------------
  3109. ' CMSG_CMS_RECIPIENT_ENCRYPTED_KEY_INDEX_PARAM
  3110. '
  3111. ' For a CMS key agreement recipient, the index of the encrypted key
  3112. ' used to decrypt an ENVELOPED message.
  3113. '
  3114. ' pvData points to a DWORD
  3115. '--------------------------------------------------------------------------
  3116. '+-------------------------------------------------------------------------
  3117. ' CMSG_CMS_RECIPIENT_INFO_PARAM
  3118. '
  3119. ' To get all the CMS recipients, repetitively call CryptMsgGetParam, with
  3120. ' dwIndex set to 0 .. CmsRecipientCount - 1.
  3121. '
  3122. ' pvData points to a CMSG_CMS_RECIPIENT_INFO struct.
  3123. '--------------------------------------------------------------------------
' Originator choice for a CMS key agreement recipient: the originator's
' public key is obtained either from the originator's certificate or from a
' bare public key (see CMSG_CTRL_KEY_AGREE_DECRYPT below). Which struct field
' carries this choice is not shown in this module - presumably
' CMSG_KEY_AGREE_RECIPIENT_INFO; confirm against the struct definition.
Public Const CMSG_KEY_AGREE_ORIGINATOR_CERT As Long = 1
Public Const CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY As Long = 2
' dwVersion numbers for the KeyTrans, KeyAgree and MailList recipients
Public Const CMSG_ENVELOPED_RECIPIENT_V0 As Long = 0
Public Const CMSG_ENVELOPED_RECIPIENT_V2 As Long = 2
Public Const CMSG_ENVELOPED_RECIPIENT_V3 As Long = 3
Public Const CMSG_ENVELOPED_RECIPIENT_V4 As Long = 4
  3131. '+-------------------------------------------------------------------------
  3132. ' CMSG_UNPROTECTED_ATTR_PARAM
  3133. '
' The unprotected attributes in the enveloped message.
  3135. '
  3136. ' pvData points to a CMSG_ATTR struct.
  3137. '--------------------------------------------------------------------------
  3138. '+-------------------------------------------------------------------------
' Perform a special "control" function after the final CryptMsgUpdate of an
' encoded/decoded cryptographic message.
  3141. '
  3142. ' The dwCtrlType parameter specifies the type of operation to be performed.
  3143. '
  3144. ' The pvCtrlPara definition depends on the dwCtrlType value.
  3145. '
  3146. ' See below for a list of the control operations and their pvCtrlPara
  3147. ' type definition.
  3148. '--------------------------------------------------------------------------
  3149. '+-------------------------------------------------------------------------
  3150. ' Message control types
  3151. '--------------------------------------------------------------------------
' dwCtrlType values for CryptMsgControl, used after the final CryptMsgUpdate.
' The pvCtrlPara layout for each is described in the per-control comment
' blocks that follow this list. Values 3 and 4 are not defined in this module.
'
' Verification and decryption. Verifying a signature proves only that it was
' made with the supplied public key; whether that key (or its certificate /
' chain) is trusted must be decided separately by the caller. A message can
' be decrypted only once.
Public Const CMSG_CTRL_VERIFY_SIGNATURE As Long = 1       ' CERT_INFO (Issuer, SerialNumber, PublicKeyInfo); with KEYID signers only the key is used; superseded by CMSG_CTRL_VERIFY_SIGNATURE_EX
Public Const CMSG_CTRL_DECRYPT As Long = 2                ' key transport recipients only; hCryptProv/dwKeySpec select the private key
Public Const CMSG_CTRL_VERIFY_HASH As Long = 5            ' HASHED message; only hCryptMsg is used
' Editing a signed-data or signed-and-enveloped-data message
Public Const CMSG_CTRL_ADD_SIGNER As Long = 6             ' CMSG_SIGNER_ENCODE_INFO
Public Const CMSG_CTRL_DEL_SIGNER As Long = 7             ' DWORD: 0-based signer index
Public Const CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR As Long = 8 ' encoded attribute blob; unauthenticated attributes lie outside the signature
Public Const CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR As Long = 9 ' 0-based attribute index
Public Const CMSG_CTRL_ADD_CERT As Long = 10              ' CRYPT_DATA_BLOB: encoded certificate
Public Const CMSG_CTRL_DEL_CERT As Long = 11              ' DWORD: 0-based certificate index
Public Const CMSG_CTRL_ADD_CRL As Long = 12               ' CRYPT_DATA_BLOB: encoded CRL
Public Const CMSG_CTRL_DEL_CRL As Long = 13               ' DWORD: 0-based CRL index
Public Const CMSG_CTRL_ADD_ATTR_CERT As Long = 14         ' CRYPT_DATA_BLOB: encoded attribute certificate (signed-data message)
Public Const CMSG_CTRL_DEL_ATTR_CERT As Long = 15         ' DWORD: 0-based attribute certificate index
' CMS decrypt (one control per recipient type) and verify
Public Const CMSG_CTRL_KEY_TRANS_DECRYPT As Long = 16     ' CMSG_KEY_TRANS_RECIPIENT_INFO plus hCryptProv/dwKeySpec and dwRecipientIndex
Public Const CMSG_CTRL_KEY_AGREE_DECRYPT As Long = 17     ' CMSG_KEY_AGREE_RECIPIENT_INFO plus the originator's public key and both recipient indices
Public Const CMSG_CTRL_MAIL_LIST_DECRYPT As Long = 18     ' CMSG_MAIL_LIST_RECIPIENT_INFO plus an existing CSP key handle (hCryptProv nonzero)
Public Const CMSG_CTRL_VERIFY_SIGNATURE_EX As Long = 19   ' CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA; signer given as public key, certificate or chain context (CMSG_VERIFY_SIGNER_*)
Public Const CMSG_CTRL_ADD_CMS_SIGNER_INFO As Long = 20   ' CMSG_CMS_SIGNER_INFO that already contains the signature
  3170. '+-------------------------------------------------------------------------
  3171. ' CMSG_CTRL_VERIFY_SIGNATURE
  3172. '
  3173. ' Verify the signature of a SIGNED or SIGNED_AND_ENVELOPED
  3174. ' message after it has been decoded.
  3175. '
' For a SIGNED_AND_ENVELOPED message, called after CMSG_CTRL_DECRYPT,
' with a NULL pRecipientInfo.
  3178. '
  3179. ' pvCtrlPara points to a CERT_INFO struct.
  3180. '
' The CERT_INFO contains the Issuer and SerialNumber identifying
' the Signer of the message. The CERT_INFO also contains the
' PublicKeyInfo used to verify the signature. The cryptographic provider
' specified in CryptMsgOpenToDecode is used.
  3186. '
  3187. ' Note, if the message contains CMS signers identified by KEYID, then,
  3188. ' the CERT_INFO's Issuer and SerialNumber is ignored and only the public
  3189. ' key is used to find a signer whose signature verifies.
  3190. '
  3191. ' The following CMSG_CTRL_VERIFY_SIGNATURE_EX should be used instead.
  3192. '--------------------------------------------------------------------------
  3193. '+-------------------------------------------------------------------------
  3194. ' CMSG_CTRL_VERIFY_SIGNATURE_EX
  3195. '
  3196. ' Verify the signature of a SIGNED message after it has been decoded.
  3197. '
  3198. ' pvCtrlPara points to the following CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA.
  3199. '
  3200. ' If hCryptProv is NULL, uses the cryptographic provider specified in
  3201. ' CryptMsgOpenToDecode. If CryptMsgOpenToDecode's hCryptProv is also NULL,
  3202. ' gets default provider according to the signer's public key OID.
  3203. '
  3204. ' dwSignerIndex is the index of the signer to use to verify the signature.
  3205. '
  3206. ' The signer can be a pointer to a CERT_PUBLIC_KEY_INFO, certificate
  3207. ' context or a chain context.
  3208. '--------------------------------------------------------------------------
' Signer Types
' dwSignerType values for CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA: what the
' signer pointer refers to. With a bare public key or a certificate the
' control only checks that the signature matches that key; trust in the key
' must be established separately by the caller.
Public Const CMSG_VERIFY_SIGNER_PUBKEY As Long = 1        ' CERT_PUBLIC_KEY_INFO
Public Const CMSG_VERIFY_SIGNER_CERT As Long = 2          ' certificate context
Public Const CMSG_VERIFY_SIGNER_CHAIN As Long = 3         ' chain context
  3213. '+-------------------------------------------------------------------------
  3214. ' CMSG_CTRL_DECRYPT
  3215. '
  3216. ' Decrypt an ENVELOPED or SIGNED_AND_ENVELOPED message after it has been
  3217. ' decoded.
  3218. '
  3219. ' This decrypt is only applicable to key transport recipients.
  3220. '
  3221. ' hCryptProv and dwKeySpec specify the private key to use. For dwKeySpec ==
  3222. ' 0, defaults to AT_KEYEXCHANGE.
  3223. '
  3224. ' If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
  3225. ' to CryptMsgControl, then, the hCryptProv is released on the final
  3226. ' CryptMsgClose. Not released if CryptMsgControl fails.
  3227. '
  3228. ' dwRecipientIndex is the index of the recipient in the message associated
  3229. ' with the hCryptProv's private key.
  3230. '
  3231. ' The dwRecipientIndex is the index of a key transport recipient.
  3232. '
  3233. ' Note, the message can only be decrypted once.
  3234. '--------------------------------------------------------------------------
  3235. '+-------------------------------------------------------------------------
  3236. ' CMSG_CTRL_KEY_TRANS_DECRYPT
  3237. '
  3238. ' Decrypt an ENVELOPED message after it has been decoded for a key
  3239. ' transport recipient.
  3240. '
  3241. ' hCryptProv and dwKeySpec specify the private key to use. For dwKeySpec ==
  3242. ' 0, defaults to AT_KEYEXCHANGE.
  3243. '
  3244. ' If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
  3245. ' to CryptMsgControl, then, the hCryptProv is released on the final
  3246. ' CryptMsgClose. Not released if CryptMsgControl fails.
  3247. '
' pKeyTrans points to the CMSG_KEY_TRANS_RECIPIENT_INFO obtained via
' CMSG_CMS_RECIPIENT_INFO_PARAM.
'
  3250. ' dwRecipientIndex is the index of the recipient in the message associated
  3251. ' with the hCryptProv's private key.
  3252. '
  3253. ' Note, the message can only be decrypted once.
  3254. '--------------------------------------------------------------------------
  3255. '+-------------------------------------------------------------------------
  3256. ' CMSG_CTRL_KEY_AGREE_DECRYPT
  3257. '
  3258. ' Decrypt an ENVELOPED message after it has been decoded for a key
  3259. ' agreement recipient.
  3260. '
  3261. ' hCryptProv and dwKeySpec specify the private key to use. For dwKeySpec ==
  3262. ' 0, defaults to AT_KEYEXCHANGE.
  3263. '
  3264. ' If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
  3265. ' to CryptMsgControl, then, the hCryptProv is released on the final
  3266. ' CryptMsgClose. Not released if CryptMsgControl fails.
  3267. '
' pKeyAgree points to the CMSG_KEY_AGREE_RECIPIENT_INFO obtained via
' CMSG_CMS_RECIPIENT_INFO_PARAM.
'
  3270. ' dwRecipientIndex, dwRecipientEncryptedKeyIndex are the indices of the
  3271. ' recipient's encrypted key in the message associated with the hCryptProv's
  3272. ' private key.
  3273. '
  3274. ' OriginatorPublicKey is the originator's public key obtained from either
  3275. ' the originator's certificate or the CMSG_KEY_AGREE_RECIPIENT_INFO obtained
  3276. ' via the CMSG_CMS_RECIPIENT_INFO_PARAM.
  3277. '
  3278. ' Note, the message can only be decrypted once.
  3279. '--------------------------------------------------------------------------
  3280. '+-------------------------------------------------------------------------
  3281. ' CMSG_CTRL_MAIL_LIST_DECRYPT
  3282. '
  3283. ' Decrypt an ENVELOPED message after it has been decoded for a mail
  3284. ' list recipient.
  3285. '
' pMailList points to the CMSG_MAIL_LIST_RECIPIENT_INFO obtained via
' CMSG_CMS_RECIPIENT_INFO_PARAM.
'
  3288. ' There is 1 choice for the KeyEncryptionKey: an already created CSP key
  3289. ' handle. For the key handle choice, hCryptProv must be nonzero. This key
  3290. ' handle isn't destroyed.
  3291. '
  3292. ' If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
  3293. ' to CryptMsgControl, then, the hCryptProv is released on the final
  3294. ' CryptMsgClose. Not released if CryptMsgControl fails.
  3295. '
  3296. ' For RC2 wrap, the effective key length is obtained from the
  3297. ' KeyEncryptionAlgorithm parameters and set on the hKeyEncryptionKey before
  3298. ' decrypting.
  3299. '
  3300. ' Note, the message can only be decrypted once.
  3301. '--------------------------------------------------------------------------
  3302. '+-------------------------------------------------------------------------
  3303. ' CMSG_CTRL_VERIFY_HASH
  3304. '
  3305. ' Verify the hash of a HASHED message after it has been decoded.
  3306. '
  3307. ' Only the hCryptMsg parameter is used, to specify the message whose
  3308. ' hash is being verified.
  3309. '--------------------------------------------------------------------------
  3310. '+-------------------------------------------------------------------------
  3311. ' CMSG_CTRL_ADD_SIGNER
  3312. '
  3313. ' Add a signer to a signed-data message.
  3314. '
  3315. ' pvCtrlPara points to a CMSG_SIGNER_ENCODE_INFO.
  3316. '--------------------------------------------------------------------------
  3317. '+-------------------------------------------------------------------------
  3318. ' CMSG_CTRL_ADD_CMS_SIGNER_INFO
  3319. '
  3320. ' Add a signer to a signed-data message.
  3321. '
' Differs from CMSG_CTRL_ADD_SIGNER above in that the signer info
' already contains the signature.
  3324. '
  3325. ' pvCtrlPara points to a CMSG_CMS_SIGNER_INFO.
  3326. '--------------------------------------------------------------------------
  3327. '+-------------------------------------------------------------------------
  3328. ' CMSG_CTRL_DEL_SIGNER
  3329. '
  3330. ' Remove a signer from a signed-data or signed-and-enveloped-data message.
  3331. '
  3332. ' pvCtrlPara points to a DWORD containing the 0-based index of the
  3333. ' signer to be removed.
  3334. '--------------------------------------------------------------------------
  3335. '+-------------------------------------------------------------------------
  3336. ' CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR
  3337. '
  3338. ' Add an unauthenticated attribute to the SignerInfo of a signed-data or
  3339. ' signed-and-enveloped-data message.
  3340. '
  3341. ' The unauthenticated attribute is input in the form of an encoded blob.
  3342. '--------------------------------------------------------------------------
  3343. '+-------------------------------------------------------------------------
  3344. ' CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR
  3345. '
  3346. ' Delete an unauthenticated attribute from the SignerInfo of a signed-data
  3347. ' or signed-and-enveloped-data message.
  3348. '
  3349. ' The unauthenticated attribute to be removed is specified by
  3350. ' a 0-based index.
  3351. '--------------------------------------------------------------------------
  3352. '+-------------------------------------------------------------------------
  3353. ' CMSG_CTRL_ADD_CERT
  3354. '
  3355. ' Add a certificate to a signed-data or signed-and-enveloped-data message.
  3356. '
  3357. ' pvCtrlPara points to a CRYPT_DATA_BLOB containing the certificate's
  3358. ' encoded bytes.
  3359. '--------------------------------------------------------------------------
  3360. '+-------------------------------------------------------------------------
  3361. ' CMSG_CTRL_DEL_CERT
  3362. '
  3363. ' Delete a certificate from a signed-data or signed-and-enveloped-data
  3364. ' message.
  3365. '
  3366. ' pvCtrlPara points to a DWORD containing the 0-based index of the
  3367. ' certificate to be removed.
  3368. '--------------------------------------------------------------------------
  3369. '+-------------------------------------------------------------------------
  3370. ' CMSG_CTRL_ADD_CRL
  3371. '
  3372. ' Add a CRL to a signed-data or signed-and-enveloped-data message.
  3373. '
  3374. ' pvCtrlPara points to a CRYPT_DATA_BLOB containing the CRL's
  3375. ' encoded bytes.
  3376. '--------------------------------------------------------------------------
  3377. '+-------------------------------------------------------------------------
  3378. ' CMSG_CTRL_DEL_CRL
  3379. '
  3380. ' Delete a CRL from a signed-data or signed-and-enveloped-data message.
  3381. '
  3382. ' pvCtrlPara points to a DWORD containing the 0-based index of the CRL
  3383. ' to be removed.
  3384. '--------------------------------------------------------------------------
  3385. '+-------------------------------------------------------------------------
  3386. ' CMSG_CTRL_ADD_ATTR_CERT
  3387. '
  3388. ' Add an attribute certificate to a signed-data message.
  3389. '
  3390. ' pvCtrlPara points to a CRYPT_DATA_BLOB containing the attribute
  3391. ' certificate's encoded bytes.
  3392. '--------------------------------------------------------------------------
  3393. '+-------------------------------------------------------------------------
  3394. ' CMSG_CTRL_DEL_ATTR_CERT
  3395. '
  3396. ' Delete an attribute certificate from a signed-data message.
  3397. '
  3398. ' pvCtrlPara points to a DWORD containing the 0-based index of the
  3399. ' attribute certificate to be removed.
  3400. '--------------------------------------------------------------------------
  3401. '+-------------------------------------------------------------------------
  3402. ' Verify a countersignature, at the SignerInfo level.
  3403. ' i.e. verify that pbSignerInfoCountersignature contains the encrypted
  3404. ' hash of the encryptedDigest field of pbSignerInfo.
  3405. '
  3406. ' hCryptProv is used to hash the encryptedDigest field of pbSignerInfo.
  3407. ' The only fields referenced from pciCountersigner are SerialNumber, Issuer,
  3408. ' and SubjectPublicKeyInfo.
  3409. '--------------------------------------------------------------------------
  3410. '+-------------------------------------------------------------------------
  3411. ' Verify a countersignature, at the SignerInfo level.
  3412. ' i.e. verify that pbSignerInfoCountersignature contains the encrypted
  3413. ' hash of the encryptedDigest field of pbSignerInfo.
  3414. '
  3415. ' hCryptProv is used to hash the encryptedDigest field of pbSignerInfo.
  3416. '
  3417. ' The signer can be a CERT_PUBLIC_KEY_INFO, certificate context or a
  3418. ' chain context.
  3419. '--------------------------------------------------------------------------
  3420. ' See CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA for dwSignerType definitions
  3421. '+-------------------------------------------------------------------------
  3422. ' Countersign an already-existing signature in a message
  3423. '
  3424. ' dwIndex is a zero-based index of the SignerInfo to be countersigned.
  3425. '--------------------------------------------------------------------------
  3426. '+-------------------------------------------------------------------------
  3427. ' Output an encoded SignerInfo blob, suitable for use as a countersignature
  3428. ' attribute in the unauthenticated attributes of a signed-data or
  3429. ' signed-and-enveloped-data message.
  3430. '--------------------------------------------------------------------------
  3431. '+-------------------------------------------------------------------------
  3432. ' CryptMsg OID installable functions
  3433. '--------------------------------------------------------------------------
  3434. ' Note, the following 3 installable functions are obsolete and have been
  3435. ' replaced with GenContentEncryptKey, ExportKeyTrans, ExportKeyAgree,
  3436. ' ExportMailList, ImportKeyTrans, ImportKeyAgree and ImportMailList
  3437. ' installable functions.
  3438. ' If *phCryptProv is NULL upon entry, then, if supported, the installable
  3439. ' function should acquire a default provider and return. Note, it's up
  3440. ' to the installable function to release at process detach.
  3441. '
  3442. ' If paiEncrypt->Parameters.cbData is 0, then, the callback may optionally
  3443. ' return default encoded parameters in *ppbEncryptParameters and
  3444. ' *pcbEncryptParameters. pfnAlloc must be called for the allocation.
  3445. Public Const CMSG_OID_GEN_ENCRYPT_KEY_FUNC As String = "CryptMsgDllGenEncryptKey"
  3446. Public Const CMSG_OID_EXPORT_ENCRYPT_KEY_FUNC As String = "CryptMsgDllExportEncryptKey"
  3447. Public Const CMSG_OID_IMPORT_ENCRYPT_KEY_FUNC As String = "CryptMsgDllImportEncryptKey"
  3448. ' To get the default installable function for GenContentEncryptKey,
  3449. ' ExportKeyTrans, ExportKeyAgree, ExportMailList, ImportKeyTrans,
  3450. ' ImportKeyAgree or ImportMailList, call CryptGetOIDFunctionAddress with the pszOID argument set to the default-function OID (CMSG_DEFAULT_INSTALLABLE_FUNC_OID in wincrypt.h; it is not declared in this module). dwEncodingType
  3451. ' should be set to CRYPT_ASN_ENCODING or X509_ASN_ENCODING.
  3452. '+-------------------------------------------------------------------------
  3453. ' Content Encrypt Info
  3454. '
  3455. ' The following data structure contains the information shared between
  3456. ' the GenContentEncryptKey and the ExportKeyTrans, ExportKeyAgree and
  3457. ' ExportMailList installable functions. Note that CMSG_CONTENT_ENCRYPT_PAD_ENCODED_LEN_FLAG (read from dwEncryptFlags) and CMSG_CONTENT_ENCRYPT_FREE_PARA_FLAG (set in dwFlags) share the value &H1; each is meaningful only in its own field.
  3458. '--------------------------------------------------------------------------
  3459. Public Const CMSG_CONTENT_ENCRYPT_PAD_ENCODED_LEN_FLAG As Long = &H00000001
  3460. Public Const CMSG_CONTENT_ENCRYPT_FREE_PARA_FLAG As Long = &H00000001
  3461. Public Const CMSG_CONTENT_ENCRYPT_RELEASE_CONTEXT_FLAG As Long = &H00008000
  3462. '+-------------------------------------------------------------------------
  3463. ' Upon input, ContentEncryptInfo has been initialized from the
  3464. ' EnvelopedEncodeInfo.
  3465. '
  3466. ' Note, if rgpRecipients instead of rgCmsRecipients are set in the
  3467. ' EnvelopedEncodeInfo, then, the rgpRecipients have been converted
  3468. ' to rgCmsRecipients in the ContentEncryptInfo.
  3469. '
  3470. ' The following fields may be changed in ContentEncryptInfo:
  3471. ' hContentEncryptKey
  3472. ' hCryptProv
  3473. ' ContentEncryptionAlgorithm.Parameters
  3474. ' dwFlags
  3475. '
  3476. ' All other fields in the ContentEncryptInfo are READONLY.
  3477. '
  3478. ' If CMSG_CONTENT_ENCRYPT_PAD_ENCODED_LEN_FLAG is set upon entry
  3479. ' in dwEncryptFlags, then, any potentially variable length encoded
  3480. ' output should be padded with zeroes to always obtain the
  3481. ' same maximum encoded length. This is necessary for
  3482. ' definite length streaming.
  3483. '
  3484. ' The hContentEncryptKey must be updated.
  3485. '
  3486. ' If hCryptProv is NULL upon input, then, it must be updated.
  3487. ' If a HCRYPTPROV is acquired that must be released, then, the
  3488. ' CMSG_CONTENT_ENCRYPT_RELEASE_CONTEXT_FLAG must be set in dwFlags.
  3489. '
  3490. ' If ContentEncryptionAlgorithm.Parameters is updated, then, the
  3491. ' CMSG_CONTENT_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags. pfnAlloc and
  3492. ' pfnFree must be used for doing the allocation.
  3493. '
  3494. ' ContentEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
  3495. '--------------------------------------------------------------------------
  3496. Public Const CMSG_OID_GEN_CONTENT_ENCRYPT_KEY_FUNC As String = "CryptMsgDllGenContentEncryptKey"
  3497. '+-------------------------------------------------------------------------
  3498. ' Key Transport Encrypt Info
  3499. '
  3500. ' The following data structure contains the information updated by the
  3501. ' ExportKeyTrans installable function.
  3502. '--------------------------------------------------------------------------
  3503. Public Const CMSG_KEY_TRANS_ENCRYPT_FREE_PARA_FLAG As Long = &H00000001
  3504. '+-------------------------------------------------------------------------
  3505. ' Upon input, KeyTransEncryptInfo has been initialized from the
  3506. ' KeyTransEncodeInfo.
  3507. '
  3508. ' The following fields may be changed in KeyTransEncryptInfo:
  3509. ' EncryptedKey
  3510. ' KeyEncryptionAlgorithm.Parameters
  3511. ' dwFlags
  3512. '
  3513. ' All other fields in the KeyTransEncryptInfo are READONLY.
  3514. '
  3515. ' The EncryptedKey must be updated. The pfnAlloc and pfnFree specified in
  3516. ' ContentEncryptInfo must be used for doing the allocation.
  3517. '
  3518. ' If the KeyEncryptionAlgorithm.Parameters is updated, then, the
  3519. ' CMSG_KEY_TRANS_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags.
  3520. ' The pfnAlloc and pfnFree specified in ContentEncryptInfo must be used
  3521. ' for doing the allocation.
  3522. '
  3523. ' KeyEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
  3524. '--------------------------------------------------------------------------
  3525. Public Const CMSG_OID_EXPORT_KEY_TRANS_FUNC As String = "CryptMsgDllExportKeyTrans"
  3526. '+-------------------------------------------------------------------------
  3527. ' Key Agree Key Encrypt Info
  3528. '
  3529. ' The following data structure contains the information updated by the
  3530. ' ExportKeyAgree installable function for each encrypted key agree
  3531. ' recipient.
  3532. '--------------------------------------------------------------------------
  3533. '+-------------------------------------------------------------------------
  3534. ' Key Agree Encrypt Info
  3535. '
  3536. ' The following data structure contains the information applicable to
  3537. ' all recipients. It's updated by the ExportKeyAgree installable function.
  3538. '--------------------------------------------------------------------------
  3539. Public Const CMSG_KEY_AGREE_ENCRYPT_FREE_PARA_FLAG As Long = &H00000001
  3540. Public Const CMSG_KEY_AGREE_ENCRYPT_FREE_MATERIAL_FLAG As Long = &H00000002
  3541. Public Const CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_ALG_FLAG As Long = &H00000004
  3542. Public Const CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_PARA_FLAG As Long = &H00000008
  3543. Public Const CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_BITS_FLAG As Long = &H00000010
  3544. '+-------------------------------------------------------------------------
  3545. ' Upon input, KeyAgreeEncryptInfo has been initialized from the
  3546. ' KeyAgreeEncodeInfo.
  3547. '
  3548. ' The following fields may be changed in KeyAgreeEncryptInfo:
  3549. ' KeyEncryptionAlgorithm.Parameters
  3550. ' UserKeyingMaterial
  3551. ' dwOriginatorChoice
  3552. ' OriginatorCertId
  3553. ' OriginatorPublicKeyInfo
  3554. ' dwFlags
  3555. '
  3556. ' All other fields in the KeyAgreeEncryptInfo are READONLY.
  3557. '
  3558. ' If the KeyEncryptionAlgorithm.Parameters is updated, then, the
  3559. ' CMSG_KEY_AGREE_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags.
  3560. ' The pfnAlloc and pfnFree specified in ContentEncryptInfo must be used
  3561. ' for doing the allocation.
  3562. '
  3563. ' If the UserKeyingMaterial is updated, then, the
  3564. ' CMSG_KEY_AGREE_ENCRYPT_FREE_MATERIAL_FLAG must be set in dwFlags.
  3565. ' pfnAlloc and pfnFree must be used for doing the allocation.
  3566. '
  3567. ' The dwOriginatorChoice must be updated to either
  3568. ' CMSG_KEY_AGREE_ORIGINATOR_CERT or CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY.
  3569. '
  3570. ' If the OriginatorPublicKeyInfo is updated, then, the appropriate
  3571. ' CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_*_FLAG must be set in dwFlags and
  3572. ' pfnAlloc and pfnFree must be used for doing the allocation.
  3573. '
  3574. ' If CMSG_CONTENT_ENCRYPT_PAD_ENCODED_LEN_FLAG is set upon entry
  3575. ' in pContentEncryptInfo->dwEncryptFlags, then, the OriginatorPublicKeyInfo's
  3576. ' Ephemeral PublicKey should be padded with zeroes to always obtain the
  3577. ' same maximum encoded length. Note, the length of the generated ephemeral Y
  3578. ' public key can vary depending on the number of leading zero bits.
  3579. '
  3580. ' Upon input, the array of *rgpKeyAgreeKeyEncryptInfo has been initialized.
  3581. ' The EncryptedKey must be updated for each recipient key.
  3582. ' The pfnAlloc and pfnFree specified in
  3583. ' ContentEncryptInfo must be used for doing the allocation.
  3584. '
  3585. ' KeyEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
  3586. '--------------------------------------------------------------------------
  3587. Public Const CMSG_OID_EXPORT_KEY_AGREE_FUNC As String = "CryptMsgDllExportKeyAgree"
  3588. '+-------------------------------------------------------------------------
  3589. ' Mail List Encrypt Info
  3590. '
  3591. ' The following data structure contains the information updated by the
  3592. ' ExportMailList installable function.
  3593. '--------------------------------------------------------------------------
  3594. Public Const CMSG_MAIL_LIST_ENCRYPT_FREE_PARA_FLAG As Long = &H00000001
  3595. '+-------------------------------------------------------------------------
  3596. ' Upon input, MailListEncryptInfo has been initialized from the
  3597. ' MailListEncodeInfo.
  3598. '
  3599. ' The following fields may be changed in MailListEncryptInfo:
  3600. ' EncryptedKey
  3601. ' KeyEncryptionAlgorithm.Parameters
  3602. ' dwFlags
  3603. '
  3604. ' All other fields in the MailListEncryptInfo are READONLY.
  3605. '
  3606. ' The EncryptedKey must be updated. The pfnAlloc and pfnFree specified in
  3607. ' ContentEncryptInfo must be used for doing the allocation.
  3608. '
  3609. ' If the KeyEncryptionAlgorithm.Parameters is updated, then, the
  3610. ' CMSG_MAIL_LIST_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags.
  3611. ' The pfnAlloc and pfnFree specified in ContentEncryptInfo must be used
  3612. ' for doing the allocation.
  3613. '
  3614. ' KeyEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
  3615. '--------------------------------------------------------------------------
  3616. Public Const CMSG_OID_EXPORT_MAIL_LIST_FUNC As String = "CryptMsgDllExportMailList"
  3617. '+-------------------------------------------------------------------------
  3618. ' OID Installable functions for importing an encoded and encrypted content
  3619. ' encryption key.
  3620. '
  3621. ' There's a different installable function for each CMS Recipient choice:
  3622. ' ImportKeyTrans
  3623. ' ImportKeyAgree
  3624. ' ImportMailList
  3625. '
  3626. ' Iterates through the following OIDs to get the OID installable function:
  3627. ' KeyEncryptionOID!ContentEncryptionOID
  3628. ' KeyEncryptionOID
  3629. ' ContentEncryptionOID
  3630. '
  3631. ' If the OID installable function doesn't support the specified
  3632. ' KeyEncryption and ContentEncryption OIDs, then, return FALSE with
  3633. ' LastError set to E_NOTIMPL.
  3634. '--------------------------------------------------------------------------
  3635. Public Const CMSG_OID_IMPORT_KEY_TRANS_FUNC As String = "CryptMsgDllImportKeyTrans"
  3636. Public Const CMSG_OID_IMPORT_KEY_AGREE_FUNC As String = "CryptMsgDllImportKeyAgree"
  3637. Public Const CMSG_OID_IMPORT_MAIL_LIST_FUNC As String = "CryptMsgDllImportMailList"
  3638. '+=========================================================================
  3639. ' Certificate Store Data Structures and APIs
  3640. '==========================================================================
  3641. '+-------------------------------------------------------------------------
  3642. ' In its most basic implementation, a cert store is simply a
  3643. ' collection of certificates and/or CRLs. This is the case when
  3644. ' a cert store is opened with all of its certificates and CRLs
  3645. ' coming from a PKCS #7 encoded cryptographic message.
  3646. '
  3647. ' Nonetheless, all cert stores have the following properties:
  3648. ' - A public key may have more than one certificate in the store.
  3649. ' For example, a private/public key used for signing may have a
  3650. ' certificate issued for VISA and another issued for
  3651. ' Mastercard. Also, when a certificate is renewed there might
  3652. ' be more than one certificate with the same subject and
  3653. ' issuer.
  3654. ' - However, each certificate in the store is uniquely
  3655. ' identified by its Issuer and SerialNumber.
  3656. ' - There's an issuer of subject certificate relationship. A
  3657. ' certificate's issuer is found by doing a match of
  3658. ' pSubjectCert->Issuer with pIssuerCert->Subject.
  3659. ' The relationship is verified by using
  3660. ' the issuer's public key to verify the subject certificate's
  3661. ' signature. Note, there might be X.509 v3 extensions
  3662. ' to assist in finding the issuer certificate.
  3663. ' - Since issuer certificates might be renewed, a subject
  3664. ' certificate might have more than one issuer certificate.
  3665. ' - There's an issuer of CRL relationship. An
  3666. ' issuer's CRL is found by doing a match of
  3667. ' pIssuerCert->Subject with pCrl->Issuer.
  3668. ' The relationship is verified by using
  3669. ' the issuer's public key to verify the CRL's
  3670. ' signature. Note, there might be X.509 v3 extensions
  3671. ' to assist in finding the CRL.
  3672. ' - Since some issuers might support the X.509 v3 delta CRL
  3673. ' extensions, an issuer might have more than one CRL.
  3674. ' - The store shouldn't have any redundant certificates or
  3675. ' CRLs. There shouldn't be two certificates with the same
  3676. ' Issuer and SerialNumber. There shouldn't be two CRLs with
  3677. ' the same Issuer, ThisUpdate and NextUpdate.
  3678. ' - The store has NO policy or trust information. No
  3679. ' certificates are tagged as being "root". It's up to
  3680. ' the application to maintain a list of CertIds (Issuer + SerialNumber) for certificates it trusts.
  3681. ' - The store might contain bad certificates and/or CRLs.
  3682. ' The issuer's signature of a subject certificate or CRL may
  3683. ' not verify. Certificates or CRLs may not satisfy their
  3684. ' time validity requirements. Certificates may be
  3685. ' revoked.
  3686. '
  3687. ' In addition to the certificates and CRLs, properties can be
  3688. ' stored. There are two predefined property IDs for a user
  3689. ' certificate: CERT_KEY_PROV_HANDLE_PROP_ID and
  3690. ' CERT_KEY_PROV_INFO_PROP_ID. The CERT_KEY_PROV_HANDLE_PROP_ID
  3691. ' is a HCRYPTPROV handle to the private key associated
  3692. ' with the certificate. The CERT_KEY_PROV_INFO_PROP_ID contains
  3693. ' information to be used to call
  3694. ' CryptAcquireContext and CryptSetProvParam to get a handle
  3695. ' to the private key associated with the certificate.
  3696. '
  3697. ' There exists two more predefined property IDs for certificates
  3698. ' and CRLs, CERT_SHA1_HASH_PROP_ID and CERT_MD5_HASH_PROP_ID.
  3699. ' If these properties don't already exist, then, a hash of the
  3700. ' encoded BLOB is computed and stored as the property. (The CERT_HASH_PROP_ID is defined to be the default hash algorithm, currently, CERT_SHA1_HASH_PROP_ID).
  3701. '
  3702. ' There are additional APIs for creating certificate and CRL
  3703. ' contexts not in a store (CertCreateCertificateContext and CertCreateCRLContext).
  3704. '
  3705. '--------------------------------------------------------------------------
  3706. '+-------------------------------------------------------------------------
  3707. ' Certificate context.
  3708. '
  3709. ' A certificate context contains both the encoded and decoded representation
  3710. ' of a certificate. A certificate context returned by a cert store function
  3711. ' must be freed by calling the CertFreeCertificateContext function. The
  3712. ' CertDuplicateCertificateContext function can be called to make a duplicate
  3713. '--------------------------------------------------------------------------
  3714. '+-------------------------------------------------------------------------
  3715. ' CRL context.
  3716. '
  3717. ' A CRL context contains both the encoded and decoded representation
  3718. ' of a CRL. A CRL context returned by a cert store function
  3719. ' must be freed by calling the CertFreeCRLContext function. The
  3720. ' CertDuplicateCRLContext function can be called to make a duplicate
  3721. '--------------------------------------------------------------------------
  3722. '+-------------------------------------------------------------------------
  3723. ' Certificate Trust List (CTL) context.
  3724. ' A CTL context contains both the encoded and decoded representation
  3725. ' of a CTL. Also contains an opened HCRYPTMSG handle to the decoded
  3726. ' cryptographic signed message containing the CTL_INFO as its inner content.
  3727. ' pbCtlContent is the encoded inner content of the signed message.
  3728. '
  3729. ' The CryptMsg APIs can be used to extract additional signer information.
  3730. '--------------------------------------------------------------------------
  3731. '+-------------------------------------------------------------------------
  3732. ' Certificate, CRL and CTL property IDs
  3733. '
  3734. ' See CertSetCertificateContextProperty or CertGetCertificateContextProperty
  3735. ' for usage information.
  3736. '--------------------------------------------------------------------------
  3737. Public Const CERT_KEY_PROV_HANDLE_PROP_ID As Long = 1
  3738. Public Const CERT_KEY_PROV_INFO_PROP_ID As Long = 2
  3739. Public Const CERT_SHA1_HASH_PROP_ID As Long = 3
  3740. Public Const CERT_MD5_HASH_PROP_ID As Long = 4
  3741. Public Const CERT_KEY_CONTEXT_PROP_ID As Long = 5
  3742. Public Const CERT_KEY_SPEC_PROP_ID As Long = 6
  3743. Public Const CERT_IE30_RESERVED_PROP_ID As Long = 7
  3744. Public Const CERT_PUBKEY_HASH_RESERVED_PROP_ID As Long = 8
  3745. Public Const CERT_ENHKEY_USAGE_PROP_ID As Long = 9
  3746. Public Const CERT_NEXT_UPDATE_LOCATION_PROP_ID As Long = 10
  3747. Public Const CERT_FRIENDLY_NAME_PROP_ID As Long = 11
  3748. Public Const CERT_PVK_FILE_PROP_ID As Long = 12
  3749. Public Const CERT_DESCRIPTION_PROP_ID As Long = 13
  3750. Public Const CERT_ACCESS_STATE_PROP_ID As Long = 14
  3751. Public Const CERT_SIGNATURE_HASH_PROP_ID As Long = 15
  3752. Public Const CERT_SMART_CARD_DATA_PROP_ID As Long = 16
  3753. Public Const CERT_EFS_PROP_ID As Long = 17
  3754. Public Const CERT_FORTEZZA_DATA_PROP_ID As Long = 18
  3755. Public Const CERT_ARCHIVED_PROP_ID As Long = 19
  3756. Public Const CERT_KEY_IDENTIFIER_PROP_ID As Long = 20
  3757. Public Const CERT_AUTO_ENROLL_PROP_ID As Long = 21
  3758. Public Const CERT_PUBKEY_ALG_PARA_PROP_ID As Long = 22
  3759. Public Const CERT_CROSS_CERT_DIST_POINTS_PROP_ID As Long = 23
  3760. Public Const CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID As Long = 24
  3761. Public Const CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID As Long = 25
  3762. Public Const CERT_ENROLLMENT_PROP_ID As Long = 26
  3763. Public Const CERT_FIRST_RESERVED_PROP_ID As Long = 27
  3764. ' Note, 32 - 35 are reserved for the CERT, CRL, CTL and KeyId file element IDs.
  3765. Public Const CERT_LAST_RESERVED_PROP_ID As Long = &H00007FFF
  3766. Public Const CERT_FIRST_USER_PROP_ID As Long = &H00008000
  3767. Public Const CERT_LAST_USER_PROP_ID As Long = &H0000FFFF
  3768. '+-------------------------------------------------------------------------
  3769. ' Access State flags returned by CERT_ACCESS_STATE_PROP_ID. Note,
  3770. ' CERT_ACCESS_STATE_PROP_ID is read only.
  3771. '--------------------------------------------------------------------------
  3772. ' Set if context property writes are persisted. For instance, not set for
  3773. ' memory store contexts. Set for registry based stores opened as read or write.
  3774. ' Not set for registry based stores opened as read only.
  3775. Public Const CERT_ACCESS_STATE_WRITE_PERSIST_FLAG As Long = &H1
  3776. ' Set if context resides in a SYSTEM or SYSTEM_REGISTRY store.
  3777. Public Const CERT_ACCESS_STATE_SYSTEM_STORE_FLAG As Long = &H2
  3778. '+-------------------------------------------------------------------------
  3779. ' Cryptographic Key Provider Information
  3780. '
  3781. ' CRYPT_KEY_PROV_INFO defines the CERT_KEY_PROV_INFO_PROP_ID's pvData.
  3782. '
  3783. ' The CRYPT_KEY_PROV_INFO fields are passed to CryptAcquireContext
  3784. ' to get a HCRYPTPROV handle. The optional CRYPT_KEY_PROV_PARAM fields are
  3785. ' passed to CryptSetProvParam to further initialize the provider.
  3786. '
  3787. ' The dwKeySpec field identifies the private key to use from the container
  3788. ' For example, AT_KEYEXCHANGE or AT_SIGNATURE.
  3789. '--------------------------------------------------------------------------
  3790. '+-------------------------------------------------------------------------
  3791. ' The following flag should be set in the above dwFlags to enable
  3792. ' the CERT_KEY_CONTEXT_PROP_ID property to be set when the CryptAcquireContext is done in the Sign or Decrypt Message functions.
  3793. '
  3794. ' The following define must not collide with any of the
  3795. ' CryptAcquireContext dwFlag defines.
  3796. '--------------------------------------------------------------------------
  3797. Public Const CERT_SET_KEY_PROV_HANDLE_PROP_ID As Long = &H00000001
  3798. Public Const CERT_SET_KEY_CONTEXT_PROP_ID As Long = &H00000001
  3799. '+-------------------------------------------------------------------------
  3800. ' Certificate Key Context
  3801. '
  3802. ' CERT_KEY_CONTEXT defines the CERT_KEY_CONTEXT_PROP_ID's pvData.
  3803. '--------------------------------------------------------------------------
  3804. '+-------------------------------------------------------------------------
  3805. ' Certificate Store Provider Types
  3806. '--------------------------------------------------------------------------
  3807. Public Const sz_CERT_STORE_PROV_MEMORY As String = "Memory"
  3808. Public Const sz_CERT_STORE_PROV_FILENAME_W As String = "File"
  3809. Public Const sz_CERT_STORE_PROV_SYSTEM_W As String = "System"
  3810. Public Const sz_CERT_STORE_PROV_PKCS7 As String = "PKCS7"
  3811. Public Const sz_CERT_STORE_PROV_SERIALIZED As String = "Serialized"
  3812. Public Const sz_CERT_STORE_PROV_COLLECTION As String = "Collection"
  3813. Public Const sz_CERT_STORE_PROV_SYSTEM_REGISTRY_W As String = "SystemRegistry"
  3814. Public Const sz_CERT_STORE_PROV_PHYSICAL_W As String = "Physical"
  3815. Public Const sz_CERT_STORE_PROV_SMART_CARD_W As String = "SmartCard"
  3816. Public Const sz_CERT_STORE_PROV_LDAP_W As String = "Ldap"
  3817. '+-------------------------------------------------------------------------
  3818. ' Certificate Store verify/results flags
  3819. '--------------------------------------------------------------------------
  3820. Public Const CERT_STORE_SIGNATURE_FLAG As Long = &H00000001
  3821. Public Const CERT_STORE_TIME_VALIDITY_FLAG As Long = &H00000002
  3822. Public Const CERT_STORE_REVOCATION_FLAG As Long = &H00000004
  3823. Public Const CERT_STORE_NO_CRL_FLAG As Long = &H00010000
  3824. Public Const CERT_STORE_NO_ISSUER_FLAG As Long = &H00020000
  3825. Public Const CERT_STORE_BASE_CRL_FLAG As Long = &H00000100
  3826. Public Const CERT_STORE_DELTA_CRL_FLAG As Long = &H00000200
  3827. '+-------------------------------------------------------------------------
  3828. ' Certificate Store open/property flags
  3829. '--------------------------------------------------------------------------
  3830. Public Const CERT_STORE_NO_CRYPT_RELEASE_FLAG As Long = &H00000001
  3831. Public Const CERT_STORE_SET_LOCALIZED_NAME_FLAG As Long = &H00000002
  3832. Public Const CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG As Long = &H00000004
  3833. Public Const CERT_STORE_DELETE_FLAG As Long = &H00000010
  3834. Public Const CERT_STORE_SHARE_STORE_FLAG As Long = &H00000040
  3835. Public Const CERT_STORE_SHARE_CONTEXT_FLAG As Long = &H00000080
  3836. Public Const CERT_STORE_MANIFOLD_FLAG As Long = &H00000100
  3837. Public Const CERT_STORE_ENUM_ARCHIVED_FLAG As Long = &H00000200
  3838. Public Const CERT_STORE_UPDATE_KEYID_FLAG As Long = &H00000400
  3839. Public Const CERT_STORE_READONLY_FLAG As Long = &H00008000
  3840. Public Const CERT_STORE_OPEN_EXISTING_FLAG As Long = &H00004000
  3841. Public Const CERT_STORE_CREATE_NEW_FLAG As Long = &H00002000
  3842. Public Const CERT_STORE_MAXIMUM_ALLOWED_FLAG As Long = &H00001000
  3843. '+-------------------------------------------------------------------------
  3844. ' Certificate Store Provider flags are in the HiWord 0xFFFF0000
  3845. '--------------------------------------------------------------------------
  3846. '+-------------------------------------------------------------------------
  3847. ' Certificate System Store Flag Values
  3848. '--------------------------------------------------------------------------
  3849. ' Includes flags and location
  3850. Public Const CERT_SYSTEM_STORE_MASK As Long = &HFFFF0000
  3851. ' Set if pvPara points to a CERT_SYSTEM_STORE_RELOCATE_PARA structure
  3852. Public Const CERT_SYSTEM_STORE_RELOCATE_FLAG As Long = &H80000000
  3853. ' By default, when the CurrentUser "Root" store is opened, any SystemRegistry
  3854. ' roots not also on the protected root list are deleted from the cache before
  3855. ' CertOpenStore returns. Set the following flag to return all the roots in the SystemRegistry without checking the protected root list.
  3856. Public Const CERT_SYSTEM_STORE_UNPROTECTED_FLAG As Long = &H40000000
  3857. ' Location of the system store:
  3858. Public Const CERT_SYSTEM_STORE_LOCATION_MASK As Long = &H00FF0000
  3859. Public Const CERT_SYSTEM_STORE_LOCATION_SHIFT As Long = 16
  3860. ' Registry: HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE
  3861. Public Const CERT_SYSTEM_STORE_CURRENT_USER_ID As Long = 1
  3862. Public Const CERT_SYSTEM_STORE_LOCAL_MACHINE_ID As Long = 2
  3863. ' Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services
  3864. Public Const CERT_SYSTEM_STORE_CURRENT_SERVICE_ID As Long = 4
  3865. Public Const CERT_SYSTEM_STORE_SERVICES_ID As Long = 5
  3866. ' Registry: HKEY_USERS
  3867. Public Const CERT_SYSTEM_STORE_USERS_ID As Long = 6
  3868. ' Registry: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
  3869. Public Const CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY_ID As Long = 7
  3870. ' Registry: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
  3871. Public Const CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY_ID As Long = 8
  3872. ' Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates
  3873. Public Const CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE_ID As Long = 9
  3874. '+-------------------------------------------------------------------------
  3875. ' Group Policy Store Defines
  3876. '--------------------------------------------------------------------------
  3877. ' Registry path to the Group Policy system stores (the path constant itself is not declared in this module)
  3878. '+-------------------------------------------------------------------------
  3879. ' EFS Defines
  3880. '--------------------------------------------------------------------------
  3881. ' Registry path to the EFS EFSBlob SubKey - Value type is REG_BINARY
  3882. Public Const CERT_EFSBLOB_VALUE_NAME As String = "EFSBlob"
  3883. '+-------------------------------------------------------------------------
  3884. ' Protected Root Defines
  3885. '--------------------------------------------------------------------------
  3886. ' Registry path to the Protected Roots Flags SubKey (the path constant itself is not declared in this module; only the value name below is)
  3887. Public Const CERT_PROT_ROOT_FLAGS_VALUE_NAME As String = "Flags"
  3888. ' Set the following flag to inhibit the opening of the CurrentUser's
  3889. ' .Default physical store when opening the CurrentUser's "Root" system store.
  3890. ' The .Default physical store open's the CurrentUser SystemRegistry "Root"
  3891. ' store.
  3892. Public Const CERT_PROT_ROOT_DISABLE_CURRENT_USER_FLAG As Long = &H1
  3893. ' Set the following flag to inhibit the adding of roots from the
  3894. ' CurrentUser SystemRegistry "Root" store to the protected root list
  3895. ' when the "Root" store is initially protected.
  3896. Public Const CERT_PROT_ROOT_INHIBIT_ADD_AT_INIT_FLAG As Long = &H2
  3897. ' Set the following flag to inhibit the purging of protected roots from the
  3898. ' CurrentUser SystemRegistry "Root" store that are
  3899. ' also in the LocalMachine SystemRegistry "Root" store. Note, when not
  3900. ' disabled, the purging is done silently without UI.
  3901. Public Const CERT_PROT_ROOT_INHIBIT_PURGE_LM_FLAG As Long = &H4
  3902. ' Set the following flag to only open the .LocalMachineGroupPolicy
  3903. ' physical store when opening the CurrentUser's "Root" system store.
  3904. Public Const CERT_PROT_ROOT_ONLY_LM_GPT_FLAG As Long = &H8
'+-------------------------------------------------------------------------
' Certificate registry store flag values (CERT_STORE_PROV_REG provider).
' The title line of this section was lost when the header was converted.
'--------------------------------------------------------------------------
' Set this flag if the HKEY passed in pvPara refers to a registry key on a
' remote computer.
Public Const CERT_REGISTRY_STORE_REMOTE_FLAG As Long = &H10000
' Set this flag if the contexts are to be persisted as a single serialized
' store in the registry. Mainly used for stores downloaded from the GPT,
' such as the CurrentUserGroupPolicy or LocalMachineGroupPolicy stores.
Public Const CERT_REGISTRY_STORE_SERIALIZED_FLAG As Long = &H20000
' The following two flags are for internal use. When either is set, the
' pvPara parameter passed to CertOpenStore is a pointer to a provider-
' private parameter structure, not an HKEY. (That structure, and the rest
' of the sentence describing how CERT_REGISTRY_STORE_REMOTE_FLAG combines
' with it, were not carried over into this module.)
Public Const CERT_REGISTRY_STORE_CLIENT_GPT_FLAG As Long = &H80000000
Public Const CERT_REGISTRY_STORE_LM_GPT_FLAG As Long = &H01000000
' The following flag is for internal use. When set, the contexts are
' persisted into roaming files instead of the registry (for example the
' CurrentUser "My" store). When it is set, a provider-private parameter
' structure is passed to CertOpenStore instead of an HKEY; its hKey member
' may be NULL or non-NULL, and when non-NULL the existing contexts are
' moved from the registry into the roaming files.
Public Const CERT_REGISTRY_STORE_ROAMING_FLAG As Long = &H40000
' The following flag is for internal use. When set, the "My" DWORD value
' at HKLM\Software\Microsoft\Cryptography\IEDirtyFlags is set to 0x1
' whenever a certificate is added to the registry store. The constant
' holding that subkey path was not brought over into this module; the path
' above is the only reference to it here.
Public Const CERT_REGISTRY_STORE_MY_IE_DIRTY_FLAG As Long = &H80000
'+-------------------------------------------------------------------------
' Certificate File Store Flag Values for the providers:
' CERT_STORE_PROV_FILE
' CERT_STORE_PROV_FILENAME
' CERT_STORE_PROV_FILENAME_A
' CERT_STORE_PROV_FILENAME_W
' sz_CERT_STORE_PROV_FILENAME_W
'--------------------------------------------------------------------------
' Set this flag if store changes are to be committed to the file. The
' changes are committed at CertCloseStore, or earlier by an explicit commit
' request (the name of the call that triggers it was lost when this header
' was converted).
'
' The open fails with E_INVALIDARG if both CERT_FILE_STORE_COMMIT_ENABLE_FLAG
' and CERT_STORE_READONLY_FLAG are set in dwFlags.
'
' For the FILENAME providers: if the file holds a single X509 encoded
' certificate, the open fails with ERROR_ACCESS_DENIED (presumably because
' a bare certificate has no store form to commit back to).
'
' For the FILENAME providers: if CERT_STORE_CREATE_NEW_FLAG is set, the
' CreateFile uses CREATE_NEW. If CERT_STORE_OPEN_EXISTING is set, it uses
' OPEN_EXISTING. Otherwise it defaults to OPEN_ALWAYS.
' NOTE(review): with the OPEN_ALWAYS default, a commit-enabled open on a
' path that another principal can create or replace will adopt that
' principal's file as the store's initial contents. Pass
' CERT_STORE_CREATE_NEW_FLAG (or OPEN_EXISTING) when the caller knows
' which case it expects, and keep the file's ACL as tight as the trust
' placed in the store.
'
' For the FILENAME providers: the file is committed as either a PKCS7 or
' serialized store depending on the type read at open. However, if the
' file is empty then, if the filename has either a ".p7c" or ".spc"
' extension, it is committed as a PKCS7. Otherwise it is committed as a
' serialized store.
'
' For CERT_STORE_PROV_FILE, the file handle is duplicated. It is always
' committed as a serialized store.
'
Public Const CERT_FILE_STORE_COMMIT_ENABLE_FLAG As Long = &H10000
  3962. '+-------------------------------------------------------------------------
  3963. ' Open the cert store using the specified store provider.
  3964. '
' If CERT_STORE_DELETE_FLAG is set, then, the store is deleted instead of
' opened and no usable store handle is returned. As this (truncated) text
' reads, the outcome is reported through the last-error value: 0 for
' success and nonzero for failure.
  3967. '
' If CERT_STORE_SET_LOCALIZED_NAME_FLAG is set, then, if supported, the
' provider sets the store's CERT_STORE_LOCALIZED_NAME_PROP_ID property.
' The store's localized name can then be retrieved by reading that store
' property. The flag is supported by the following providers (and their
' sz_ equivalents):
  3972. ' CERT_STORE_PROV_FILENAME_A
  3973. ' CERT_STORE_PROV_FILENAME_W
  3974. ' CERT_STORE_PROV_SYSTEM_A
  3975. ' CERT_STORE_PROV_SYSTEM_W
  3976. ' CERT_STORE_PROV_SYSTEM_REGISTRY_A
  3977. ' CERT_STORE_PROV_SYSTEM_REGISTRY_W
  3978. ' CERT_STORE_PROV_PHYSICAL_W
  3979. '
  3980. ' If CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG is set, then, the
  3981. ' closing of the store's provider is deferred until all certificate,
  3982. ' CRL and CTL contexts obtained from the store are freed. Also,
  3983. ' if a non NULL HCRYPTPROV was passed, then, it will continue to be used.
  3984. ' By default, the store's provider is closed on the final CertCloseStore.
  3985. ' If this flag isn't set, then, any property changes made to previously
  3986. ' duplicated contexts after the final CertCloseStore will not be persisted.
  3987. ' By setting this flag, property changes made
  3988. ' after the CertCloseStore will be persisted. Note, setting this flag
  3989. ' causes extra overhead in doing context duplicates and frees.
  3990. ' If CertCloseStore is called with CERT_CLOSE_STORE_FORCE_FLAG, then,
  3991. ' the CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG flag is ignored.
  3992. '
  3993. ' CERT_STORE_MANIFOLD_FLAG can be set to check for certificates having the
  3994. ' manifold extension and archive the "older" certificates with the same
  3995. ' manifold extension value. A certificate is archived by setting the
  3996. ' CERT_ARCHIVED_PROP_ID.
  3997. '
  3998. ' By default, contexts having the CERT_ARCHIVED_PROP_ID, are skipped
  3999. ' during enumeration. CERT_STORE_ENUM_ARCHIVED_FLAG can be set to include
  4000. ' archived contexts when enumerating. Note, contexts having the
  4001. ' CERT_ARCHIVED_PROP_ID are still found for explicit finds, such as,
  4002. ' finding a context with a specific hash or finding a certificate having
  4003. ' a specific issuer and serial number.
  4004. '
  4005. ' CERT_STORE_UPDATE_KEYID_FLAG can be set to also update the Key Identifier's
  4006. ' CERT_KEY_PROV_INFO_PROP_ID property whenever a certificate's
  4007. ' CERT_KEY_IDENTIFIER_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID property is set
  4008. ' and the other property already exists. If the Key Identifier's
  4009. ' CERT_KEY_PROV_INFO_PROP_ID already exists, it isn't updated. Any
  4010. ' errors encountered are silently ignored.
  4011. '
  4012. ' By default, this flag is implicitly set for the "My\.Default" CurrentUser
  4013. ' and LocalMachine physical stores.
  4014. '
  4015. ' CERT_STORE_READONLY_FLAG can be set to open the store as read only.
  4016. ' Otherwise, the store is opened as read/write.
  4017. '
  4018. ' CERT_STORE_OPEN_EXISTING_FLAG can be set to only open an existing
  4019. ' store. CERT_STORE_CREATE_NEW_FLAG can be set to create a new store and
  4020. ' fail if the store already exists. Otherwise, the default is to open
  4021. ' an existing store or create a new store if it doesn't already exist.
  4022. '
  4023. ' hCryptProv specifies the crypto provider to use to create the hash
  4024. ' properties or verify the signature of a subject certificate or CRL.
  4025. ' The store doesn't need to use a private
  4026. ' key. If the CERT_STORE_NO_CRYPT_RELEASE_FLAG isn't set, hCryptProv is
  4027. ' CryptReleaseContext'ed on the final CertCloseStore.
  4028. '
  4029. ' Note, if the open fails, hCryptProv is released if it would have been
  4030. ' released when the store was closed.
  4031. '
  4032. ' If hCryptProv is zero, then, the default provider and container for the
  4033. ' PROV_RSA_FULL provider type is CryptAcquireContext'ed with
  4034. ' CRYPT_VERIFYCONTEXT access. The CryptAcquireContext is deferred until
  4035. ' the first create hash or verify signature. In addition, once acquired,
  4036. ' the default provider isn't released until process exit when crypt32.dll
  4037. ' is unloaded. The acquired default provider is shared across all stores
  4038. ' and threads.
  4039. '
  4040. ' After initializing the store's data structures and optionally acquiring a
  4041. ' default crypt provider, CertOpenStore calls CryptGetOIDFunctionAddress to
  4042. ' get the address of the CRYPT_OID_OPEN_STORE_PROV_FUNC specified by
  4043. ' lpszStoreProvider. Since a store can contain certificates with different
  4044. ' encoding types, CryptGetOIDFunctionAddress is called with dwEncodingType
  4045. ' set to 0 and not the dwEncodingType passed to CertOpenStore.
  4046. ' PFN_CERT_DLL_OPEN_STORE_FUNC specifies the signature of the provider's
  4047. ' open function. This provider open function is called to load the
  4048. ' store's certificates and CRLs. Optionally, the provider may return an
  4049. ' array of functions called before a certificate or CRL is added or deleted
  4050. ' or has a property that is set.
  4051. '
  4052. ' Use of the dwEncodingType parameter is provider dependent. The type
  4053. ' definition for pvPara also depends on the provider.
  4054. '
' Store providers are installed or registered via
' CryptInstallOIDFunctionAddress or CryptRegisterOIDFunction, where
' dwEncodingType is 0 and pszFuncName is CRYPT_OID_OPEN_STORE_PROV_FUNC.
' Since CertOpenStore resolves and calls whatever is registered under that
' name, provider registration is effectively a code-loading operation:
' restrict who can register providers and protect the registration data.
  4058. '
  4059. '
  4060. ' CERT_STORE_PROV_MSG:
  4061. ' Gets the certificates and CRLs from the specified cryptographic message.
  4062. ' dwEncodingType contains the message and certificate encoding types.
' The message's handle is passed in pvPara. (The C declaration example
' that followed "Given," here -- and after the other "Given," fragments in
' this section -- was dropped when the header was converted to VB.)
  4064. '
  4065. ' CERT_STORE_PROV_MEMORY
  4066. ' sz_CERT_STORE_PROV_MEMORY:
  4067. ' Opens a store without any initial certificates or CRLs. pvPara
  4068. ' isn't used.
  4069. '
  4070. ' CERT_STORE_PROV_FILE:
  4071. ' Reads the certificates and CRLs from the specified file. The file's
  4072. ' handle is passed in pvPara. Given,
  4073. '
  4074. ' For a successful open, the file pointer is advanced past
  4075. ' the certificates and CRLs and their properties read from the file.
  4076. ' Note, only expects a serialized store and not a file containing
  4077. ' either a PKCS #7 signed message or a single encoded certificate.
  4078. '
  4079. ' The hFile isn't closed.
  4080. '
  4081. ' CERT_STORE_PROV_REG:
  4082. ' Reads the certificates and CRLs from the registry. The registry's
  4083. ' key handle is passed in pvPara. Given,
  4084. '
  4085. ' The input hKey isn't closed by the provider. Before returning, the
  4086. ' provider opens it own copy of the hKey.
  4087. '
' If CERT_STORE_READONLY_FLAG is set, then, the registry subkeys are
' RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry subkeys
' are RegCreateKey'ed with KEY_ALL_ACCESS. Open read-only unless the caller
' really needs to write: a read/write open demands full access to the key
' (and creates subkeys that do not yet exist), so it fails for callers
' lacking write rights and needlessly exercises write privilege otherwise.
  4091. '
  4092. ' This provider returns the array of functions for reading, writing,
  4093. ' deleting and property setting certificates and CRLs.
' Any changes to the opened store are immediately pushed through to
' the registry. However, if CERT_STORE_READONLY_FLAG is set, then,
' writing, deleting or property setting fails (the specific error code
' stated here was lost when the header was converted).
  4097. '
  4098. ' Note, all the certificates and CRLs are read from the registry
  4099. ' when the store is opened. The opened store serves as a write through
  4100. ' cache.
  4101. '
  4102. ' If CERT_REGISTRY_STORE_SERIALIZED_FLAG is set, then, the
  4103. ' contexts are persisted as a single serialized store subkey in the
  4104. ' registry.
  4105. '
  4106. ' CERT_STORE_PROV_PKCS7:
  4107. ' sz_CERT_STORE_PROV_PKCS7:
  4108. ' Gets the certificates and CRLs from the encoded PKCS #7 signed message.
  4109. ' dwEncodingType specifies the message and certificate encoding types.
  4110. ' The pointer to the encoded message's blob is passed in pvPara. Given,
  4111. '
  4112. ' Note, also supports the IE3.0 special version of a
  4113. ' PKCS #7 signed message referred to as a "SPC" formatted message.
  4114. '
  4115. ' CERT_STORE_PROV_SERIALIZED:
  4116. ' sz_CERT_STORE_PROV_SERIALIZED:
  4117. ' Gets the certificates and CRLs from memory containing a serialized
  4118. ' store. The pointer to the serialized memory blob is passed in pvPara.
  4119. ' Given,
  4120. '
  4121. ' CERT_STORE_PROV_FILENAME_A:
  4122. ' CERT_STORE_PROV_FILENAME_W:
  4123. ' CERT_STORE_PROV_FILENAME:
  4124. ' sz_CERT_STORE_PROV_FILENAME_W:
  4125. ' sz_CERT_STORE_PROV_FILENAME:
  4126. ' Opens the file and first attempts to read as a serialized store. Then,
  4127. ' as a PKCS #7 signed message. Finally, as a single encoded certificate.
  4128. ' The filename is passed in pvPara. The filename is UNICODE for the
  4129. ' "_W" provider and ASCII for the "_A" provider. For "_W": given,
  4130. ' For "_A": given,
  4131. '
  4132. '
  4133. ' Note, also supports the reading of the IE3.0 special version of a
  4134. ' PKCS #7 signed message file referred to as a "SPC" formatted file.
  4135. '
  4136. ' CERT_STORE_PROV_SYSTEM_A:
  4137. ' CERT_STORE_PROV_SYSTEM_W:
  4138. ' CERT_STORE_PROV_SYSTEM:
  4139. ' sz_CERT_STORE_PROV_SYSTEM_W:
  4140. ' sz_CERT_STORE_PROV_SYSTEM:
  4141. ' Opens the specified logical "System" store. The upper word of the
  4142. ' dwFlags parameter is used to specify the location of the system store.
  4143. '
' A "System" store is a collection consisting of one or more "Physical"
' stores. A "Physical" store is registered via the
' CertRegisterPhysicalStore API. Each of the registered physical stores
' is opened with CertOpenStore and added to the collection via
' CertAddStoreToCollection.
  4149. '
  4150. ' The CERT_SYSTEM_STORE_CURRENT_USER, CERT_SYSTEM_STORE_LOCAL_MACHINE,
  4151. ' CERT_SYSTEM_STORE_CURRENT_SERVICE, CERT_SYSTEM_STORE_SERVICES,
  4152. ' CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY,
' CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and
' CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
  4155. ' system stores by default have a "SystemRegistry" store that is
  4156. ' opened and added to the collection.
  4157. '
  4158. ' The system store name is passed in pvPara. The name is UNICODE for the
  4159. ' "_W" provider and ASCII for the "_A" provider. For "_W": given,
  4160. ' For "_A": given,
  4161. '
  4162. '
' The system store name itself can't contain any backslashes; the only
' backslashes allowed in pvPara are those separating the optional
' ComputerName, ServiceName or UserName prefixes described below.
  4164. '
  4165. ' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvPara
  4166. ' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure instead
  4167. ' of pointing to a null terminated UNICODE or ASCII string.
  4168. ' Sibling physical stores are also opened as relocated using
  4169. ' pvPara's hKeyBase.
  4170. '
  4171. ' The CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS system
  4172. ' store name must be prefixed with the ServiceName or UserName.
  4173. ' For example, "ServiceName\Trust".
  4174. '
' Stores on remote computers can be accessed for the
' CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_SERVICES,
' CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
' or CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
' locations by prepending the computer name. For example, a remote
' local machine store is accessed via "\\ComputerName\Trust" or
' "ComputerName\Trust". A remote service store is accessed via
' "\\ComputerName\ServiceName\Trust". The leading "\\" backslashes are
' optional in the ComputerName.
' NOTE(review): because the computer name is parsed out of the store name
' string, a store name taken from untrusted input (a config value, a
' command line, a message) can redirect the open to another machine's
' registry. Callers should validate or reject names containing a
' backslash unless a remote open is intended.
  4184. '
  4185. ' If CERT_STORE_READONLY_FLAG is set, then, the registry is
  4186. ' RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry is
  4187. ' RegCreateKey'ed with KEY_ALL_ACCESS.
  4188. '
' The "root" store is treated differently from the other system
' stores. Before a certificate is added to or deleted from the "root"
' store, a pop up message box is displayed. The certificate's subject,
' issuer, serial number, time validity, sha1 and md5 thumbprints are
' displayed. The user is given the option to do the add or delete.
' If they don't allow the operation, LastError is set to E_ACCESSDENIED.
' This prompt is the only user-consent gate documented here for changes to
' the trusted roots, and it presupposes an interactive user; what happens
' for a non-interactive caller is not stated here -- confirm before
' relying on it.
  4195. '
  4196. ' CERT_STORE_PROV_SYSTEM_REGISTRY_A
  4197. ' CERT_STORE_PROV_SYSTEM_REGISTRY_W
  4198. ' CERT_STORE_PROV_SYSTEM_REGISTRY
  4199. ' sz_CERT_STORE_PROV_SYSTEM_REGISTRY_W
  4200. ' sz_CERT_STORE_PROV_SYSTEM_REGISTRY
  4201. ' Opens the "System" store's default "Physical" store residing in the
  4202. ' registry. The upper word of the dwFlags
  4203. ' parameter is used to specify the location of the system store.
  4204. '
  4205. ' After opening the registry key associated with the system name,
  4206. ' the CERT_STORE_PROV_REG provider is called to complete the open.
  4207. '
  4208. ' The system store name is passed in pvPara. The name is UNICODE for the
  4209. ' "_W" provider and ASCII for the "_A" provider. For "_W": given,
  4210. ' For "_A": given,
  4211. '
  4212. '
  4213. ' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvPara
  4214. ' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure instead
  4215. ' of pointing to a null terminated UNICODE or ASCII string.
  4216. '
  4217. ' See above for details on prepending a ServiceName and/or ComputerName
  4218. ' to the store name.
  4219. '
  4220. ' If CERT_STORE_READONLY_FLAG is set, then, the registry is
  4221. ' RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry is
  4222. ' RegCreateKey'ed with KEY_ALL_ACCESS.
  4223. '
  4224. ' The "root" store is treated differently from the other system
  4225. ' stores. Before a certificate is added to or deleted from the "root"
  4226. ' store, a pop up message box is displayed. The certificate's subject,
  4227. ' issuer, serial number, time validity, sha1 and md5 thumbprints are
  4228. ' displayed. The user is given the option to do the add or delete.
  4229. ' If they don't allow the operation, LastError is set to E_ACCESSDENIED.
  4230. '
  4231. ' CERT_STORE_PROV_PHYSICAL_W
  4232. ' CERT_STORE_PROV_PHYSICAL
  4233. ' sz_CERT_STORE_PROV_PHYSICAL_W
  4234. ' sz_CERT_STORE_PROV_PHYSICAL
  4235. ' Opens the specified "Physical" store in the "System" store.
  4236. '
  4237. ' Both the system store and physical names are passed in pvPara. The
  4238. ' names are separated with an intervening "\". For example,
  4239. ' "Root\.Default". The string is UNICODE.
  4240. '
  4241. ' The system and physical store names can't contain any backslashes.
  4242. '
  4243. ' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvPara
  4244. ' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure instead
  4245. ' of pointing to a null terminated UNICODE string.
  4246. ' The specified physical store is opened as relocated using pvPara's
  4247. ' hKeyBase.
  4248. '
  4249. ' For CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS,
  4250. ' the system and physical store names
  4251. ' must be prefixed with the ServiceName or UserName. For example,
  4252. ' "ServiceName\Root\.Default".
  4253. '
  4254. ' Physical stores on remote computers can be accessed for the
  4255. ' CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_SERVICES,
  4256. ' CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
  4257. ' or CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
  4258. ' locations by prepending the computer name. For example, a remote
  4259. ' local machine store is accessed via "\\ComputerName\Root\.Default"
  4260. ' or "ComputerName\Root\.Default". A remote service store is
  4261. ' accessed via "\\ComputerName\ServiceName\Root\.Default". The
  4262. ' leading "\\" backslashes are optional in the ComputerName.
  4263. '
  4264. ' CERT_STORE_PROV_COLLECTION
  4265. ' sz_CERT_STORE_PROV_COLLECTION
  4266. ' Opens a store that is a collection of other stores. Stores are
  4267. ' added or removed to/from the collection via the CertAddStoreToCollection
  4268. ' and CertRemoveStoreFromCollection APIs.
  4269. '
  4270. ' CERT_STORE_PROV_SMART_CARD_W
  4271. ' CERT_STORE_PROV_SMART_CARD
  4272. ' sz_CERT_STORE_PROV_SMART_CARD_W
  4273. ' sz_CERT_STORE_PROV_SMART_CARD
  4274. ' Opens a store instantiated over a particular smart card storage. pvPara
  4275. ' identifies where on the card the store is located and is of the
  4276. ' following format:
  4277. '
  4278. ' Card Name\Provider Name\Provider Type[\Container Name]
  4279. '
' Container Name is optional and if NOT specified the Card Name is used
' as the Container Name. Future versions of the provider will support
' instantiating the store over the entire card, in which case a shorter
' form of the path would be used (the end of this sentence was lost in
' conversion).
'
' The following provider lives in cryptnet.dll:
  4285. '
  4286. ' CERT_STORE_PROV_LDAP_W
  4287. ' CERT_STORE_PROV_LDAP
  4288. ' sz_CERT_STORE_PROV_LDAP_W
  4289. ' sz_CERT_STORE_PROV_LDAP
' Opens a store over the results of the query specified by an LDAP
' URL, which is passed in via pvPara. In order to do writes to the
' store the URL must specify a BASE query, no filter and a single
' attribute.
  4294. '
  4295. '--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' OID Installable Certificate Store Provider Data Structures
'--------------------------------------------------------------------------
' The C typedefs from this section (the provider handle returned on open,
' the CERT_STORE_PROV_INFO structure and the open-function signature) have
' no VB counterpart and were not carried over; only the constants remain.
'
' Store Provider OID function's pszFuncName. CertOpenStore resolves the
' provider through CryptGetOIDFunctionAddress using this function name.
' NOTE(review): whatever is registered under this name is executed inside
' every process that opens a store via that provider, so registering or
' changing a store provider is a privileged, code-loading operation.
Public Const CRYPT_OID_OPEN_STORE_PROV_FUNC As String = "CertDllOpenStoreProv"
' Note, the Store Provider OID function's dwEncodingType is always 0.
'
' The CERT_STORE_PROV_INFO is returned by the provider when opened. It is
' zeroed, with cbSize set, before the provider is called. If the provider
' doesn't need to be called again after the open, it doesn't need to make
' any updates to the CERT_STORE_PROV_INFO.
'
' Open function contract: *pStoreProvInfo has been zeroed before the call.
' pStoreProvInfo->cStoreProvFunc should be set last. Once it is set, all
' subsequent store calls, such as CertAddSerializedElementToStore, will
' call the appropriate provider callback function.
'
' The open callback sets the following flag if it maintains its contexts
' externally and not in the cached store.
Public Const CERT_STORE_PROV_EXTERNAL_FLAG As Long = &H1
' The open callback sets the following flag for a successful delete.
' When set, the close callback isn't called.
Public Const CERT_STORE_PROV_DELETED_FLAG As Long = &H2
' The open callback sets the following flag if it doesn't persist store
' changes.
Public Const CERT_STORE_PROV_NO_PERSIST_FLAG As Long = &H4
' The open callback sets the following flag if the contexts are persisted
' to a system store.
Public Const CERT_STORE_PROV_SYSTEM_STORE_FLAG As Long = &H8
' Indices into the store provider's array of callback functions.
'
' The provider can implement any subset of the following functions. It
' sets pStoreProvInfo->cStoreProvFunc to the last implemented index + 1
' and any preceding, unimplemented slots to NULL. These numbers are part
' of the provider interface, so they must not be renumbered or reordered.
'
' Lifecycle.
Public Const CERT_STORE_PROV_CLOSE_FUNC As Long = 0
' Certificate read / write / delete / set-property callbacks.
Public Const CERT_STORE_PROV_READ_CERT_FUNC As Long = 1
Public Const CERT_STORE_PROV_WRITE_CERT_FUNC As Long = 2
Public Const CERT_STORE_PROV_DELETE_CERT_FUNC As Long = 3
Public Const CERT_STORE_PROV_SET_CERT_PROPERTY_FUNC As Long = 4
' CRL read / write / delete / set-property callbacks.
Public Const CERT_STORE_PROV_READ_CRL_FUNC As Long = 5
Public Const CERT_STORE_PROV_WRITE_CRL_FUNC As Long = 6
Public Const CERT_STORE_PROV_DELETE_CRL_FUNC As Long = 7
Public Const CERT_STORE_PROV_SET_CRL_PROPERTY_FUNC As Long = 8
' CTL read / write / delete / set-property callbacks.
Public Const CERT_STORE_PROV_READ_CTL_FUNC As Long = 9
Public Const CERT_STORE_PROV_WRITE_CTL_FUNC As Long = 10
Public Const CERT_STORE_PROV_DELETE_CTL_FUNC As Long = 11
Public Const CERT_STORE_PROV_SET_CTL_PROPERTY_FUNC As Long = 12
' Store control callback.
Public Const CERT_STORE_PROV_CONTROL_FUNC As Long = 13
' Find / free-find / get-property callbacks, per context type.
Public Const CERT_STORE_PROV_FIND_CERT_FUNC As Long = 14
Public Const CERT_STORE_PROV_FREE_FIND_CERT_FUNC As Long = 15
Public Const CERT_STORE_PROV_GET_CERT_PROPERTY_FUNC As Long = 16
Public Const CERT_STORE_PROV_FIND_CRL_FUNC As Long = 17
Public Const CERT_STORE_PROV_FREE_FIND_CRL_FUNC As Long = 18
Public Const CERT_STORE_PROV_GET_CRL_PROPERTY_FUNC As Long = 19
Public Const CERT_STORE_PROV_FIND_CTL_FUNC As Long = 20
Public Const CERT_STORE_PROV_FREE_FIND_CTL_FUNC As Long = 21
Public Const CERT_STORE_PROV_GET_CTL_PROPERTY_FUNC As Long = 22
' The callback prototypes from this section (close, read, write, delete,
' set-property and so on) have no VB counterpart; their descriptions are
' kept here as comments.
'
' Close callback: called by CertCloseStore when the store's reference
' count is decremented to 0.
'
' Read callbacks: currently not called directly by the store APIs.
' However, they may be exported to support other providers based on this
' one. A read callback reads the provider's copy of the certificate
' context and, if it exists, creates a new certificate context.
'
' Flag passed to the write callbacks when the write is an add (see the
' write-callback notes that follow).
Public Const CERT_STORE_PROV_WRITE_ADD_FLAG As Long = &H1
  4362. ' Called by CertAddEncodedCertificateToStore,
  4363. ' CertAddCertificateContextToStore or CertAddSerializedElementToStore before
  4364. ' adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
  4365. ' addition to the encoded certificate, the added pCertContext might also
  4366. ' have properties.
  4367. '
' Returns TRUE if it is OK to update the store.
  4369. ' Called by CertDeleteCertificateFromStore before deleting from the
  4370. ' store.
  4371. '
  4372. ' Returns TRUE if its OK to delete from the store.
  4373. ' Called by CertSetCertificateContextProperty before setting the
  4374. ' certificate's property. Also called by CertGetCertificateContextProperty,
  4375. ' when getting a hash property that needs to be created and then persisted
  4376. ' via the set.
  4377. '
  4378. ' Upon input, the property hasn't been set for the pCertContext parameter.
  4379. '
  4380. ' Returns TRUE if its OK to set the property.
  4381. ' Currently not called directly by the store APIs. However, may be exported
  4382. ' to support other providers based on it.
  4383. '
  4384. ' Reads the provider's copy of the CRL context. If it exists,
  4385. ' creates a new CRL context.
' Called by CertAddEncodedCRLToStore,
' CertAddCRLContextToStore or CertAddSerializedElementToStore before
' adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
' addition to the encoded CRL, the added pCrlContext might also
' have properties.
'
' Returns TRUE if it is OK to update the store.
  4393. ' Called by CertDeleteCRLFromStore before deleting from the store.
  4394. '
  4395. ' Returns TRUE if its OK to delete from the store.
  4396. ' Called by CertSetCRLContextProperty before setting the
  4397. ' CRL's property. Also called by CertGetCRLContextProperty,
  4398. ' when getting a hash property that needs to be created and then persisted
  4399. ' via the set.
  4400. '
  4401. ' Upon input, the property hasn't been set for the pCrlContext parameter.
  4402. '
  4403. ' Returns TRUE if its OK to set the property.
  4404. ' Currently not called directly by the store APIs. However, may be exported
  4405. ' to support other providers based on it.
  4406. '
  4407. ' Reads the provider's copy of the CTL context. If it exists,
  4408. ' creates a new CTL context.
' Called by CertAddEncodedCTLToStore,
' CertAddCTLContextToStore or CertAddSerializedElementToStore before
' adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
' addition to the encoded CTL, the added pCtlContext might also
' have properties.
'
' Returns TRUE if it is OK to update the store.
  4416. ' Called by CertDeleteCTLFromStore before deleting from the store.
  4417. '
  4418. ' Returns TRUE if its OK to delete from the store.
  4419. ' Called by CertSetCTLContextProperty before setting the
  4420. ' CTL's property. Also called by CertGetCTLContextProperty,
  4421. ' when getting a hash property that needs to be created and then persisted
  4422. ' via the set.
  4423. '
  4424. ' Upon input, the property hasn't been set for the pCtlContext parameter.
  4425. '
  4426. ' Returns TRUE if its OK to set the property.
'+-------------------------------------------------------------------------
' Certificate store save options. (The "Duplicate a cert store handle"
' heading that appeared here belonged to a prototype with no VB
' counterpart; the constants below belong to the save description that
' follows them.)
'--------------------------------------------------------------------------
' dwSaveAs values: serialized store or PKCS7 signed message.
Public Const CERT_STORE_SAVE_AS_STORE As Long = 1
Public Const CERT_STORE_SAVE_AS_PKCS7 As Long = 2
' dwSaveTo values: what pvSaveToPara points at. The TCHAR-neutral alias
' CERT_STORE_SAVE_TO_FILENAME referred to in the description below is not
' defined in this module; use the _A or _W constant explicitly.
Public Const CERT_STORE_SAVE_TO_FILE As Long = 1
Public Const CERT_STORE_SAVE_TO_MEMORY As Long = 2
Public Const CERT_STORE_SAVE_TO_FILENAME_A As Long = 3
Public Const CERT_STORE_SAVE_TO_FILENAME_W As Long = 4
  4436. '+-------------------------------------------------------------------------
' Save the cert store. Extended version with lots of options.
'
' According to the dwSaveAs parameter, the store is saved either as a
' serialized store (CERT_STORE_SAVE_AS_STORE), which carries the context
' properties in addition to the encoded certificates, CRLs and CTLs, or as
' a PKCS #7 signed message (CERT_STORE_SAVE_AS_PKCS7), which -- as this
' text reads -- does not include the properties or the CTLs. (This
' paragraph was garbled in conversion; the reconstruction follows the
' surviving words.)
'
' The private-key related properties (CERT_KEY_PROV_HANDLE_PROP_ID or
' CERT_KEY_SPEC_PROP_ID) aren't saved into a serialized store.
  4445. '
  4446. ' For CERT_STORE_SAVE_AS_PKCS7, the dwEncodingType specifies the message
  4447. ' encoding type. The dwEncodingType parameter isn't used for
  4448. ' CERT_STORE_SAVE_AS_STORE.
  4449. '
  4450. ' The dwFlags parameter currently isn't used and should be set to 0.
  4451. '
  4452. ' The dwSaveTo and pvSaveToPara parameters specify where to save the
  4453. ' store as follows:
  4454. ' CERT_STORE_SAVE_TO_FILE:
  4455. ' Saves to the specified file. The file's handle is passed in
  4456. ' pvSaveToPara. Given,
  4457. '
  4458. ' For a successful save, the file pointer is positioned after the
  4459. ' last write.
  4460. '
  4461. ' CERT_STORE_SAVE_TO_MEMORY:
  4462. ' Saves to the specified memory blob. The pointer to
  4463. ' the memory blob is passed in pvSaveToPara. Given,
  4464. ' Upon entry, the SaveBlob's pbData and cbData need to be initialized.
  4465. ' Upon return, cbData is updated with the actual length.
' For a length only calculation, pbData should be set to NULL. If
' pbData is non-NULL and cbData isn't large enough, FALSE is returned
' with a last error of ERROR_MORE_DATA.
  4469. '
  4470. ' CERT_STORE_SAVE_TO_FILENAME_A:
  4471. ' CERT_STORE_SAVE_TO_FILENAME_W:
  4472. ' CERT_STORE_SAVE_TO_FILENAME:
  4473. ' Opens the file and saves to it. The filename is passed in pvSaveToPara.
  4474. ' The filename is UNICODE for the "_W" option and ASCII for the "_A"
  4475. ' option. For "_W": given,
  4476. ' For "_A": given,
  4477. '
  4478. '
  4479. '--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate Store close flags (dwFlags of CertCloseStore).
' Note: the description below refers to CERT_STORE_CLOSE_FORCE_FLAG; the
' name actually defined is CERT_CLOSE_STORE_FORCE_FLAG.
'--------------------------------------------------------------------------
' Free the store and all of its memory even if contexts are still
' outstanding; for callers that do their own reference counting.
Public Const CERT_CLOSE_STORE_FORCE_FLAG As Long = &H00000001
' Diagnostic: return FALSE with CRYPT_E_PENDING_CLOSE if certs, CRLs or
' stores still need to be freed or closed; the store is closed regardless.
Public Const CERT_CLOSE_STORE_CHECK_FLAG As Long = &H00000002
  4485. '+-------------------------------------------------------------------------
  4486. ' Close a cert store handle.
  4487. '
  4488. ' There needs to be a corresponding close for each open and duplicate.
  4489. '
  4490. ' Even on the final close, the cert store isn't freed until all of its
  4491. ' certificate and CRL contexts have also been freed.
  4492. '
' On the final close, the hCryptProv passed to CertOpenStore is
' CryptReleaseContext'ed.
  4495. '
' To force the closure of the store with all of its memory freed, set
' CERT_CLOSE_STORE_FORCE_FLAG (the text originally said
' CERT_STORE_CLOSE_FORCE_FLAG, which is not the defined name). This flag
' should be set when the caller does its own reference counting and wants
' everything to vanish.
  4499. '
  4500. ' To check if all the store's certificates and CRLs have been freed and that
  4501. ' this is the last CertCloseStore, set the CERT_CLOSE_STORE_CHECK_FLAG. If
  4502. ' set and certs, CRLs or stores still need to be freed/closed, FALSE is
  4503. ' returned with LastError set to CRYPT_E_PENDING_CLOSE. Note, for FALSE,
  4504. ' the store is still closed. This is a diagnostic flag.
  4505. '
  4506. ' LastError is preserved unless CERT_CLOSE_STORE_CHECK_FLAG is set and FALSE
  4507. ' is returned.
  4508. '--------------------------------------------------------------------------
  4509. '+-------------------------------------------------------------------------
  4510. ' Get the subject certificate context uniquely identified by its Issuer and
  4511. ' SerialNumber from the store.
  4512. '
  4513. ' If the certificate isn't found, NULL is returned. Otherwise, a pointer to
  4514. ' a read only CERT_CONTEXT is returned. CERT_CONTEXT must be freed by calling
  4515. ' CertFreeCertificateContext. CertDuplicateCertificateContext can be called to make a
  4516. ' duplicate.
  4517. '
  4518. ' The returned certificate might not be valid. Normally, it would be validated when getting its issuer certificate (see CertGetIssuerCertificateFromStore below).
  4519. '--------------------------------------------------------------------------
  4520. '+-------------------------------------------------------------------------
  4521. ' Enumerate the certificate contexts in the store.
  4522. '
  4523. ' If a certificate isn't found, NULL is returned.
  4524. ' Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
  4525. ' must be freed by calling CertFreeCertificateContext or is freed when passed as the
  4526. ' pPrevCertContext on a subsequent call. CertDuplicateCertificateContext
  4527. ' can be called to make a duplicate.
  4528. '
  4529. ' pPrevCertContext MUST BE NULL to enumerate the first
  4530. ' certificate in the store. Successive certificates are enumerated by setting
  4531. ' pPrevCertContext to the CERT_CONTEXT returned by a previous call.
  4532. '
  4533. ' NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by
  4534. ' this function, even for an error.
  4535. '--------------------------------------------------------------------------
  4536. '+-------------------------------------------------------------------------
  4537. ' Find the first or next certificate context in the store.
  4538. '
  4539. ' The certificate is found according to the dwFindType and its pvFindPara.
  4540. ' See below for a list of the find types and its parameters.
  4541. '
  4542. ' Currently dwFindFlags is only used for CERT_FIND_SUBJECT_ATTR,
  4543. ' CERT_FIND_ISSUER_ATTR or CERT_FIND_CTL_USAGE. Otherwise, must be set to 0.
  4544. '
  4545. ' Usage of dwCertEncodingType depends on the dwFindType.
  4546. '
  4547. ' If the first or next certificate isn't found, NULL is returned.
  4548. ' Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
  4549. ' must be freed by calling CertFreeCertificateContext or is freed when passed as the
  4550. ' pPrevCertContext on a subsequent call. CertDuplicateCertificateContext
  4551. ' can be called to make a duplicate.
  4552. '
  4553. ' pPrevCertContext MUST BE NULL on the first
  4554. ' call to find the certificate. To find the next certificate, the
  4555. ' pPrevCertContext is set to the CERT_CONTEXT returned by a previous call.
  4556. '
  4557. ' NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by
  4558. ' this function, even for an error.
  4559. '--------------------------------------------------------------------------
  4560. '+-------------------------------------------------------------------------
  4561. ' Certificate comparison functions
  4562. '--------------------------------------------------------------------------
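  4563. Public Const CERT_COMPARE_MASK As Long = &HFFFF&          ' low 16 bits of dwFindType; the trailing "&" forces a Long literal (a plain &HFFFF is the Integer -1 in VB, which would mask nothing)
  4564. Public Const CERT_COMPARE_SHIFT As Long = 16               ' the comparison function occupies dwFindType bits 16..31
  4565. Public Const CERT_COMPARE_ANY As Long = 0
  4566. Public Const CERT_COMPARE_SHA1_HASH As Long = 1
  4567. Public Const CERT_COMPARE_NAME As Long = 2
  4568. Public Const CERT_COMPARE_ATTR As Long = 3
  4569. Public Const CERT_COMPARE_MD5_HASH As Long = 4             ' MD5 is not collision resistant; an MD5 match identifies a certificate only weakly
  4570. Public Const CERT_COMPARE_PROPERTY As Long = 5
  4571. Public Const CERT_COMPARE_PUBLIC_KEY As Long = 6
  4572. Public Const CERT_COMPARE_NAME_STR_A As Long = 7
  4573. Public Const CERT_COMPARE_NAME_STR_W As Long = 8
  4574. Public Const CERT_COMPARE_KEY_SPEC As Long = 9
  4575. Public Const CERT_COMPARE_ENHKEY_USAGE As Long = 10
  4576. Public Const CERT_COMPARE_SUBJECT_CERT As Long = 11
  4577. Public Const CERT_COMPARE_ISSUER_OF As Long = 12
  4578. Public Const CERT_COMPARE_EXISTING As Long = 13
  4579. Public Const CERT_COMPARE_SIGNATURE_HASH As Long = 14
  4580. Public Const CERT_COMPARE_KEY_IDENTIFIER As Long = 15
  4581. Public Const CERT_COMPARE_CERT_ID As Long = 16
  4582. Public Const CERT_COMPARE_CROSS_CERT_DIST_POINTS As Long = 17
  4583. Public Const CERT_COMPARE_PUBKEY_MD5_HASH As Long = 18     ' same MD5 caveat as CERT_COMPARE_MD5_HASH, applied to the public key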
  4584. '+-------------------------------------------------------------------------
  4585. ' dwFindType
  4586. '
  4587. ' The dwFindType definition consists of two components:
  4588. ' - comparison function
  4589. ' - certificate information flag
  4590. '--------------------------------------------------------------------------
  4591. '+-------------------------------------------------------------------------
  4592. ' CERT_FIND_ANY
  4593. '
  4594. ' Find any certificate.
  4595. '
  4596. ' pvFindPara isn't used.
  4597. '--------------------------------------------------------------------------
  4598. '+-------------------------------------------------------------------------
  4599. ' CERT_FIND_HASH
  4600. '
  4601. ' Find a certificate with the specified hash.
  4602. '
  4603. ' pvFindPara points to a CRYPT_HASH_BLOB.
  4604. '--------------------------------------------------------------------------
  4605. '+-------------------------------------------------------------------------
  4606. ' CERT_FIND_KEY_IDENTIFIER
  4607. '
  4608. ' Find a certificate with the specified KeyIdentifier. Gets the
  4609. ' CERT_KEY_IDENTIFIER_PROP_ID property and compares with the input
  4610. ' CRYPT_HASH_BLOB.
  4611. '
  4612. ' pvFindPara points to a CRYPT_HASH_BLOB.
  4613. '--------------------------------------------------------------------------
  4614. '+-------------------------------------------------------------------------
  4615. ' CERT_FIND_PROPERTY
  4616. '
  4617. ' Find a certificate having the specified property.
  4618. '
  4619. ' pvFindPara points to a DWORD containing the PROP_ID
  4620. '--------------------------------------------------------------------------
  4621. '+-------------------------------------------------------------------------
  4622. ' CERT_FIND_PUBLIC_KEY
  4623. '
  4624. ' Find a certificate matching the specified public key.
  4625. '
  4626. ' pvFindPara points to a CERT_PUBLIC_KEY_INFO containing the public key
  4627. '--------------------------------------------------------------------------
  4628. '+-------------------------------------------------------------------------
  4629. ' CERT_FIND_SUBJECT_NAME
  4630. ' CERT_FIND_ISSUER_NAME
  4631. '
  4632. ' Find a certificate with the specified subject/issuer name. Does an exact
  4633. ' match of the entire name.
  4634. '
  4635. ' Restricts search to certificates matching the dwCertEncodingType.
  4636. '
  4637. ' pvFindPara points to a CERT_NAME_BLOB.
  4638. '--------------------------------------------------------------------------
  4639. '+-------------------------------------------------------------------------
  4640. ' CERT_FIND_SUBJECT_ATTR
  4641. ' CERT_FIND_ISSUER_ATTR
  4642. '
  4643. ' Find a certificate with the specified subject/issuer attributes.
  4644. '
  4645. ' Compares the attributes in the subject/issuer name with the
  4646. ' pvFindPara. The comparison iterates through the CERT_RDN attributes and looks
  4647. ' for an attribute match in any of the subject/issuer's RDNs.
  4648. '
  4649. ' The CERT_RDN_ATTR fields can have the following special values:
  4650. ' pszObjId == NULL - ignore the attribute object identifier
  4651. ' dwValueType == RDN_ANY_TYPE - ignore the value type
  4652. ' Value.pbData == NULL - match any value
  4653. '
  4654. ' CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG should be set in dwFindFlags to do
  4655. ' a case insensitive match. Otherwise, defaults to an exact, case sensitive
  4656. ' match.
  4657. '
  4658. ' CERT_UNICODE_IS_RDN_ATTRS_FLAG should be set in dwFindFlags if the RDN was
  4659. ' initialized with unicode strings, as for CryptEncodeObject with X509_UNICODE_NAME.
  4660. '
  4661. ' Restricts search to certificates matching the dwCertEncodingType.
  4662. '
  4663. '--------------------------------------------------------------------------
  4664. '+-------------------------------------------------------------------------
  4665. ' CERT_FIND_SUBJECT_STR_A
  4666. ' CERT_FIND_SUBJECT_STR_W | CERT_FIND_SUBJECT_STR
  4667. ' CERT_FIND_ISSUER_STR_A
  4668. ' CERT_FIND_ISSUER_STR_W | CERT_FIND_ISSUER_STR
  4669. '
  4670. ' Find a certificate containing the specified subject/issuer name string.
  4671. '
  4672. ' First, the certificate's subject/issuer is converted to a name string (as by CertNameToStr with CERT_SIMPLE_NAME_STR). Then, a
  4673. ' case insensitive substring within string match is performed.
  4674. '
  4675. ' Restricts search to certificates matching the dwCertEncodingType.
  4676. '
  4677. ' For *_STR_A, pvFindPara points to a null terminated character string.
  4678. ' For *_STR_W, pvFindPara points to a null terminated wide character string.
  4679. '--------------------------------------------------------------------------
  4680. '+-------------------------------------------------------------------------
  4681. ' CERT_FIND_KEY_SPEC
  4682. '
  4683. ' Find a certificate having a CERT_KEY_SPEC_PROP_ID property matching
  4684. ' the specified KeySpec.
  4685. '
  4686. ' pvFindPara points to a DWORD containing the KeySpec.
  4687. '--------------------------------------------------------------------------
  4688. '+-------------------------------------------------------------------------
  4689. ' CERT_FIND_ENHKEY_USAGE
  4690. '
  4691. ' Find a certificate having the szOID_ENHANCED_KEY_USAGE extension or
  4692. ' the CERT_ENHKEY_USAGE_PROP_ID and matching the specified pszUsageIdentifiers.
  4693. '
  4694. ' pvFindPara points to a CERT_ENHKEY_USAGE data structure. If pvFindPara
  4695. ' is NULL or CERT_ENHKEY_USAGE's cUsageIdentifier is 0, then, matches any
  4696. ' certificate having enhanced key usage.
  4697. '
  4698. ' If the CERT_FIND_VALID_ENHKEY_USAGE_FLAG is set, then, only does a match
  4699. ' for certificates that are valid for the specified usages. By default,
  4700. ' the certificate must be valid for all usages. CERT_FIND_OR_ENHKEY_USAGE_FLAG
  4701. ' can be set, if the certificate only needs to be valid for one of the
  4702. ' certificate's list of valid usages. Only the CERT_FIND_OR_ENHKEY_USAGE_FLAG
  4703. ' is applicable when this flag is set.
  4704. '
  4705. ' The CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG can be set in dwFindFlags to
  4706. ' also match a certificate without either the extension or property.
  4707. '
  4708. ' If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set in dwFindFlags, finds
  4709. ' certificates without the key usage extension or property. Setting this
  4710. ' flag takes precedence over pvFindPara being NULL.
  4711. '
  4712. ' If the CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, then, only does a match
  4713. ' using the extension. If pvFindPara is NULL or cUsageIdentifier is set to
  4714. ' 0, finds certificates having the extension. If
  4715. ' CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set, also matches a certificate
  4716. ' without the extension. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set, finds
  4717. ' certificates without the extension.
  4718. '
  4719. ' If the CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG is set, then, only does a match
  4720. ' using the property. If pvFindPara is NULL or cUsageIdentifier is set to
  4721. ' 0, finds certificates having the property. If
  4722. ' CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set, also matches a certificate
  4723. ' without the property. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set, finds
  4724. ' certificates without the property.
  4725. '
  4726. ' If CERT_FIND_OR_ENHKEY_USAGE_FLAG is set, does an "OR" match of any of
  4727. ' the specified pszUsageIdentifiers. If not set, then, does an "AND" match
  4728. ' of all of the specified pszUsageIdentifiers.
  4729. '--------------------------------------------------------------------------
  4730. Public Const CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG As Long = &H1   ' also match a certificate that has neither the EKU extension nor the property
  4731. Public Const CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG As Long = &H2   ' match using the szOID_ENHANCED_KEY_USAGE extension only
  4732. Public Const CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG As Long = &H4  ' match using the CERT_ENHKEY_USAGE_PROP_ID property only
  4733. Public Const CERT_FIND_NO_ENHKEY_USAGE_FLAG As Long = &H8         ' find certificates without the EKU extension or property; takes precedence over a NULL pvFindPara
  4734. Public Const CERT_FIND_OR_ENHKEY_USAGE_FLAG As Long = &H10        ' "OR" match: any of the specified usages instead of all of them
  4735. Public Const CERT_FIND_VALID_ENHKEY_USAGE_FLAG As Long = &H20     ' only match certificates valid for the specified usages; only the OR flag is honoured alongside it
  4736. '+-------------------------------------------------------------------------
  4737. ' CERT_FIND_CERT_ID
  4738. '
  4739. ' Find a certificate with the specified CERT_ID.
  4740. '
  4741. ' pvFindPara points to a CERT_ID.
  4742. '--------------------------------------------------------------------------
  4743. '+-------------------------------------------------------------------------
  4744. ' CERT_FIND_CROSS_CERT_DIST_POINTS
  4745. '
  4746. ' Find a certificate having either a cross certificate distribution
  4747. ' point extension or property.
  4748. '
  4749. ' pvFindPara isn't used.
  4750. '--------------------------------------------------------------------------
  4751. '+-------------------------------------------------------------------------
  4752. ' Get the certificate context from the store for the first or next issuer
  4753. ' of the specified subject certificate. Perform the enabled verification checks on the subject certificate
  4754. ' using the returned issuer certificate.
  4755. '
  4756. ' If the first or next issuer certificate isn't found, NULL is returned.
  4757. ' Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
  4758. ' must be freed by calling CertFreeCertificateContext or is freed when passed as the
  4759. ' pPrevIssuerContext on a subsequent call. CertDuplicateCertificateContext
  4760. ' can be called to make a duplicate.
  4761. '
  4762. ' For a self signed subject certificate, NULL is returned with LastError set
  4763. ' to CERT_STORE_SELF_SIGNED. The enabled verification checks are still done.
  4764. '
  4765. ' The pSubjectContext may have been obtained from this store, another store
  4766. ' or created by the caller application. When created by the caller, the
  4767. ' CertCreateCertificateContext function must have been called.
  4768. '
  4769. ' An issuer may have multiple certificates. This may occur when the validity
  4770. ' period is about to change. pPrevIssuerContext MUST BE NULL on the first
  4771. ' call to get the issuer. To get the next certificate for the issuer, the
  4772. ' pPrevIssuerContext is set to the CERT_CONTEXT returned by a previous call.
  4773. '
  4774. ' NOTE: a NON-NULL pPrevIssuerContext is always CertFreeCertificateContext'ed by
  4775. ' this function, even for an error.
  4776. '
  4777. ' The following flags can be set in *pdwFlags to enable verification checks
  4778. ' on the subject certificate context:
  4779. ' CERT_STORE_SIGNATURE_FLAG - use the public key in the returned
  4780. ' issuer certificate to verify the
  4781. ' signature on the subject certificate.
  4782. ' Note, if pSubjectContext->hCertStore ==
  4783. ' hCertStore, the store provider might
  4784. ' be able to eliminate a redo of
  4785. ' the signature verify.
  4786. ' CERT_STORE_TIME_VALIDITY_FLAG - get the current time and verify that
  4787. ' it's within the subject certificate's
  4788. ' validity period
  4789. ' CERT_STORE_REVOCATION_FLAG - check if the subject certificate is on
  4790. ' the issuer's revocation list
  4791. '
  4792. ' If an enabled verification check fails, then, its flag is set upon return.
  4793. ' If CERT_STORE_REVOCATION_FLAG was enabled and the issuer doesn't have a
  4794. ' CRL in the store, then, CERT_STORE_NO_CRL_FLAG is set in addition to
  4795. ' the CERT_STORE_REVOCATION_FLAG.
  4796. '
  4797. ' If CERT_STORE_SIGNATURE_FLAG or CERT_STORE_REVOCATION_FLAG is set, then,
  4798. ' CERT_STORE_NO_ISSUER_FLAG is set if it doesn't have an issuer certificate
  4799. ' in the store.
  4800. '
  4801. ' For a verification check failure, a pointer to the issuer's CERT_CONTEXT
  4802. ' is still returned and SetLastError isn't updated; the caller must inspect *pdwFlags to learn which checks failed.
  4803. '--------------------------------------------------------------------------
  4804. '+-------------------------------------------------------------------------
  4805. ' Perform the enabled verification checks on the subject certificate
  4806. ' using the issuer. Same checks and flags definitions as for the above
  4807. ' CertGetIssuerCertificateFromStore.
  4808. '
  4809. ' If you are only checking CERT_STORE_TIME_VALIDITY_FLAG, then, the
  4810. ' issuer can be NULL.
  4811. '
  4812. ' For a verification check failure, SUCCESS is still returned; the failed checks are reported only through their flags in *pdwFlags.
  4813. '--------------------------------------------------------------------------
  4814. '+-------------------------------------------------------------------------
  4815. ' Duplicate a certificate context
  4816. '--------------------------------------------------------------------------
  4817. '+-------------------------------------------------------------------------
  4818. ' Create a certificate context from the encoded certificate. The created
  4819. ' context isn't put in a store.
  4820. '
  4821. ' Makes a copy of the encoded certificate in the created context.
  4822. '
  4823. ' If unable to decode and create the certificate context, NULL is returned.
  4824. ' Otherwise, a pointer to a read only CERT_CONTEXT is returned.
  4825. ' CERT_CONTEXT must be freed by calling CertFreeCertificateContext.
  4826. ' CertDuplicateCertificateContext can be called to make a duplicate.
  4827. '
  4828. ' CertSetCertificateContextProperty and CertGetCertificateContextProperty can be called
  4829. ' to store properties for the certificate.
  4830. '--------------------------------------------------------------------------
  4831. '+-------------------------------------------------------------------------
  4832. ' Free a certificate context
  4833. '
  4834. ' There needs to be a corresponding free for each context obtained by a
  4835. ' get, find, duplicate or create.
  4836. '--------------------------------------------------------------------------
  4837. '+-------------------------------------------------------------------------
  4838. ' Set the property for the specified certificate context.
  4839. '
  4840. ' The type definition for pvData depends on the dwPropId value. There are
  4841. ' five predefined types:
  4842. ' CERT_KEY_PROV_HANDLE_PROP_ID - a HCRYPTPROV for the certificate's
  4843. ' private key is passed in pvData. Updates the hCryptProv field
  4844. ' of the CERT_KEY_CONTEXT_PROP_ID. If the CERT_KEY_CONTEXT_PROP_ID
  4845. ' doesn't exist, it's created with all the other fields zeroed out. If
  4846. ' CERT_STORE_NO_CRYPT_RELEASE_FLAG isn't set, HCRYPTPROV is implicitly
  4847. ' released when either the property is set to NULL or on the final
  4848. ' free of the CertContext.
  4849. '
  4850. ' CERT_KEY_PROV_INFO_PROP_ID - a PCRYPT_KEY_PROV_INFO for the certificate's
  4851. ' private key is passed in pvData.
  4852. '
  4853. ' CERT_SHA1_HASH_PROP_ID -
  4854. ' CERT_MD5_HASH_PROP_ID -
  4855. ' CERT_SIGNATURE_HASH_PROP_ID - normally, a hash property is implicitly
  4856. ' set by doing a CertGetCertificateContextProperty. pvData points to a
  4857. ' CRYPT_HASH_BLOB.
  4858. '
  4859. ' CERT_KEY_CONTEXT_PROP_ID - a PCERT_KEY_CONTEXT for the certificate's
  4860. ' private key is passed in pvData. The CERT_KEY_CONTEXT contains both the
  4861. ' hCryptProv and dwKeySpec for the private key.
  4862. ' See the CERT_KEY_PROV_HANDLE_PROP_ID for more information about
  4863. ' the hCryptProv field and dwFlags settings. Note, more fields may
  4864. ' be added for this property. The cbSize field value will be adjusted
  4865. ' accordingly.
  4866. '
  4867. ' CERT_KEY_SPEC_PROP_ID - the dwKeySpec for the private key. pvData
  4868. ' points to a DWORD containing the KeySpec
  4869. '
  4870. ' CERT_ENHKEY_USAGE_PROP_ID - enhanced key usage definition for the
  4871. ' certificate. pvData points to a CRYPT_DATA_BLOB containing an encoded CERT_ENHKEY_USAGE.
  4872. '
  4873. ' CERT_NEXT_UPDATE_LOCATION_PROP_ID - location of the next update.
  4874. ' Currently only applicable to CTLs. pvData points to a CRYPT_DATA_BLOB containing an encoded CERT_ALT_NAME_INFO.
  4875. '
  4876. ' CERT_FRIENDLY_NAME_PROP_ID - friendly name for the cert, CRL or CTL.
  4877. ' pvData points to a CRYPT_DATA_BLOB. pbData is a pointer to a NULL
  4878. ' terminated unicode, wide character string.
  4879. '
  4880. ' CERT_DESCRIPTION_PROP_ID - description for the cert, CRL or CTL.
  4881. ' pvData points to a CRYPT_DATA_BLOB. pbData is a pointer to a NULL
  4882. ' terminated unicode, wide character string.
  4883. '
  4884. ' CERT_ARCHIVED_PROP_ID - when this property is set, the certificate
  4885. ' is skipped during enumeration. Note, certificates having this property
  4886. ' are still found for explicit finds, such as, finding a certificate
  4887. ' with a specific hash or finding a certificate having a specific issuer
  4888. ' and serial number. pvData points to a CRYPT_DATA_BLOB. This blob can be NULL (pbData = NULL, cbData = 0).
  4889. '
  4890. ' CERT_PUBKEY_ALG_PARA_PROP_ID - for public keys supporting
  4891. ' algorithm parameter inheritance. pvData points to a CRYPT_OBJID_BLOB
  4892. ' containing the ASN.1 encoded PublicKey Algorithm Parameters. For
  4893. ' DSS this would be the parameters encoded via X509_DSS_PARAMETERS.
  4894. '
  4895. ' CERT_CROSS_CERT_DIST_POINTS_PROP_ID - location of the cross certs.
  4896. ' Currently only applicable to certs. pvData points to a CRYPT_DATA_BLOB containing an encoded CROSS_CERT_DIST_POINTS_INFO.
  4897. '
  4898. ' CERT_ENROLLMENT_PROP_ID - enrollment information of the pending request.
  4899. ' It contains RequestID, CADNSName, CAName, and FriendlyName.
  4900. ' The data format is defined as, the first 4 bytes - pending request ID,
  4901. ' next 4 bytes - CADNSName size in characters including null-terminator
  4902. ' followed by CADNSName string with null-terminator,
  4903. ' next 4 bytes - CAName size in characters including null-terminator
  4904. ' followed by CAName string with null-terminator,
  4905. ' next 4 bytes - FriendlyName size in characters including null-terminator
  4906. ' followed by FriendlyName string with null-terminator.
  4907. '
  4908. ' For all the other PROP_IDs: an encoded PCRYPT_DATA_BLOB is passed in pvData.
  4909. '
  4910. ' If the property already exists, then, the old value is deleted and silently
  4911. ' replaced. Setting, pvData to NULL, deletes the property.
  4912. '
  4913. ' CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG can be set to ignore any
  4914. ' provider write errors and always update the cached context's property.
  4915. '--------------------------------------------------------------------------
  4916. ' Set this flag to ignore any store provider write errors and always update
  4917. ' the cached context's property
  4918. Public Const CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG As Long = &H80000000 ' bit 31; reads as a negative Long in VB but the 32-bit pattern matches the C header. Note: with this flag a provider write failure is silent and the persisted store can diverge from the cached context
  4919. '+-------------------------------------------------------------------------
  4920. ' Get the property for the specified certificate context.
  4921. '
  4922. ' For CERT_KEY_PROV_HANDLE_PROP_ID, pvData points to a HCRYPTPROV.
  4923. '
  4924. ' For CERT_KEY_PROV_INFO_PROP_ID, pvData points to a CRYPT_KEY_PROV_INFO structure.
  4925. ' Elements pointed to by fields in the pvData structure follow the
  4926. ' structure. Therefore, *pcbData may exceed the size of the structure.
  4927. '
  4928. ' For CERT_KEY_CONTEXT_PROP_ID, pvData points to a CERT_KEY_CONTEXT structure.
  4929. '
  4930. ' For CERT_KEY_SPEC_PROP_ID, pvData points to a DWORD containing the KeySpec.
  4931. ' If the CERT_KEY_CONTEXT_PROP_ID exists, the KeySpec is obtained from there.
  4932. ' Otherwise, if the CERT_KEY_PROV_INFO_PROP_ID exists, it's the source
  4933. ' of the KeySpec.
  4934. '
  4935. ' For CERT_SHA1_HASH_PROP_ID or CERT_MD5_HASH_PROP_ID, if the hash isn't already set, it is computed (via CryptHashCertificate)
  4936. ' and then set. pvData points to the computed hash. Normally, the length
  4937. ' is 20 bytes for SHA and 16 for MD5.
  4938. '
  4939. ' For CERT_SIGNATURE_HASH_PROP_ID, if the hash isn't already set, it is computed (via CryptHashToBeSigned)
  4940. ' and then set. pvData points to the computed hash. Normally, the length
  4941. ' is 20 bytes for SHA and 16 for MD5.
  4942. '
  4943. ' For CERT_ACCESS_STATE_PROP_ID, pvData points to a DWORD containing the
  4944. ' access state flags. The appropriate CERT_ACCESS_STATE_*_FLAG's are set
  4945. ' in the returned DWORD. See the CERT_ACCESS_STATE_*_FLAG definitions
  4946. ' above. Note, this property is read only. It can't be set.
  4947. '
  4948. ' For CERT_KEY_IDENTIFIER_PROP_ID, if property doesn't already exist,
  4949. ' first searches for the szOID_SUBJECT_KEY_IDENTIFIER extension. Next,
  4950. ' does SHA1 hash of the certificate's SubjectPublicKeyInfo. pvData
  4951. ' points to the key identifier bytes. Normally, the length is 20 bytes.
  4952. '
  4953. ' For CERT_PUBKEY_ALG_PARA_PROP_ID, pvPara points to the ASN.1 encoded
  4954. ' PublicKey Algorithm Parameters. This property will only be set
  4955. ' for public keys supporting algorithm parameter inheritance and when the
  4956. ' parameters have been omitted from the encoded and signed certificate.
  4957. '
  4958. ' For all other PROP_IDs, pvData points to an encoded array of bytes.
  4959. '--------------------------------------------------------------------------
  4960. '+-------------------------------------------------------------------------
  4961. ' Enumerate the properties for the specified certificate context.
  4962. '
  4963. ' To get the first property, set dwPropId to 0. The ID of the first
  4964. ' property is returned. To get the next property, set dwPropId to the
  4965. ' ID returned by the last call. To enumerate all the properties continue
  4966. ' until 0 is returned.
  4967. '
  4968. ' CertGetCertificateContextProperty is called to get the property's data.
  4969. '
  4970. ' Note, since, the CERT_KEY_PROV_HANDLE_PROP_ID and CERT_KEY_SPEC_PROP_ID
  4971. ' properties are stored as fields in the CERT_KEY_CONTEXT_PROP_ID
  4972. ' property, they aren't enumerated individually.
  4973. '--------------------------------------------------------------------------
  4974. '+-------------------------------------------------------------------------
  4975. ' Get the first or next CRL context from the store for the specified
  4976. ' issuer certificate. Perform the enabled verification checks on the CRL.
  4977. '
  4978. ' If the first or next CRL isn't found, NULL is returned.
  4979. ' Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
  4980. ' must be freed by calling CertFreeCRLContext or is freed when passed as the
  4981. ' pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
  4982. ' can be called to make a duplicate.
  4983. '
  4984. ' The pIssuerContext may have been obtained from this store, another store
  4985. ' or created by the caller application. When created by the caller, the
  4986. ' CertCreateCertificateContext function must have been called.
  4987. '
  4988. ' If pIssuerContext == NULL, finds all the CRLs in the store.
  4989. '
  4990. ' An issuer may have multiple CRLs. For example, it generates delta CRLs
  4991. ' using an X.509 v3 extension. pPrevCrlContext MUST BE NULL on the first
  4992. ' call to get the CRL. To get the next CRL for the issuer, the
  4993. ' pPrevCrlContext is set to the CRL_CONTEXT returned by a previous call.
  4994. '
  4995. ' NOTE: a NON-NULL pPrevCrlContext is always CertFreeCRLContext'ed by
  4996. ' this function, even for an error.
  4997. '
  4998. ' The following flags can be set in *pdwFlags to enable verification checks
  4999. ' on the returned CRL:
  5000. ' CERT_STORE_SIGNATURE_FLAG - use the public key in the
  5001. ' issuer's certificate to verify the
  5002. ' signature on the returned CRL.
  5003. ' Note, if pIssuerContext->hCertStore ==
  5004. ' hCertStore, the store provider might
  5005. ' be able to eliminate a redo of
  5006. ' the signature verify.
  5007. ' CERT_STORE_TIME_VALIDITY_FLAG - get the current time and verify that
  5008. ' it's within the CRL's ThisUpdate and
  5009. ' NextUpdate validity period.
  5010. ' CERT_STORE_BASE_CRL_FLAG - get base CRL.
  5011. ' CERT_STORE_DELTA_CRL_FLAG - get delta CRL.
  5012. '
  5013. ' If only one of CERT_STORE_BASE_CRL_FLAG or CERT_STORE_DELTA_CRL_FLAG is
  5014. ' set, then, only returns either a base or delta CRL. In any case, the
  5015. ' appropriate base or delta flag will be cleared upon returned. If both
  5016. ' flags are set, then, only one of flags will be cleared.
  5017. '
  5018. ' If an enabled verification check fails, then, its flag is set upon return.
  5019. '
  5020. ' If pIssuerContext == NULL, then, an enabled CERT_STORE_SIGNATURE_FLAG
  5021. ' always fails and the CERT_STORE_NO_ISSUER_FLAG is also set.
  5022. '
  5023. ' For a verification check failure, a pointer to the first or next
  5024. ' CRL_CONTEXT is still returned and SetLastError isn't updated.
  5025. '--------------------------------------------------------------------------
  5026. '+-------------------------------------------------------------------------
  5027. ' Enumerate the CRL contexts in the store.
  5028. '
  5029. ' If a CRL isn't found, NULL is returned.
  5030. ' Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
  5031. ' must be freed by calling CertFreeCRLContext or is freed when passed as the
  5032. ' pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
  5033. ' can be called to make a duplicate.
  5034. '
  5035. ' pPrevCrlContext MUST BE NULL to enumerate the first
  5036. ' CRL in the store. Successive CRLs are enumerated by setting
  5037. ' pPrevCrlContext to the CRL_CONTEXT returned by a previous call.
  5038. '
  5039. ' NOTE: a NON-NULL pPrevCrlContext is always CertFreeCRLContext'ed by
  5040. ' this function, even for an error.
  5041. '--------------------------------------------------------------------------
  5042. '+-------------------------------------------------------------------------
  5043. ' Find the first or next CRL context in the store.
  5044. '
  5045. ' The CRL is found according to the dwFindType and its pvFindPara.
  5046. ' See below for a list of the find types and its parameters.
  5047. '
  5048. ' Currently dwFindFlags isn't used and must be set to 0.
  5049. '
  5050. ' Usage of dwCertEncodingType depends on the dwFindType.
  5051. '
  5052. ' If the first or next CRL isn't found, NULL is returned.
  5053. ' Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
  5054. ' must be freed by calling CertFreeCRLContext or is freed when passed as the
  5055. ' pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
  5056. ' can be called to make a duplicate.
  5057. '
  5058. ' pPrevCrlContext MUST BE NULL on the first
  5059. ' call to find the CRL. To find the next CRL, the
  5060. ' pPrevCrlContext is set to the CRL_CONTEXT returned by a previous call.
  5061. '
  5062. ' NOTE: a NON-NULL pPrevCrlContext is always CertFreeCRLContext'ed by
  5063. ' this function, even for an error.
  5064. '--------------------------------------------------------------------------
  5065. Public Const CRL_FIND_ANY As Long = 0        ' any CRL; pvFindPara isn't used
  5066. Public Const CRL_FIND_ISSUED_BY As Long = 1  ' pvFindPara is the PCCERT_CONTEXT of the issuer; by default only the issuer name is matched (see CRL_FIND_ISSUED_BY_*_FLAG)
  5067. Public Const CRL_FIND_EXISTING As Long = 2   ' pvFindPara is the PCCRL_CONTEXT to check for presence in the store
  5068. '+-------------------------------------------------------------------------
  5069. ' CRL_FIND_ANY
  5070. '
  5071. ' Find any CRL.
  5072. '
  5073. ' pvFindPara isn't used.
  5074. '--------------------------------------------------------------------------
  5075. '+-------------------------------------------------------------------------
  5076. ' CRL_FIND_ISSUED_BY
  5077. '
  5078. ' Find CRL matching the specified issuer.
  5079. '
  5080. ' pvFindPara is the PCCERT_CONTEXT of the CRL issuer.
  5081. '
  5082. ' By default, only does issuer name matching. The following flags can be
  5083. ' set in dwFindFlags to do additional filtering.
  5084. '
' If CRL_FIND_ISSUED_BY_AKI_FLAG is set in dwFindFlags, then, checks if the
' CRL has an Authority Key Identifier (AKI) extension. If the CRL has an
' AKI, then, only returns a CRL whose AKI matches the issuer.
  5087. '
  5088. ' Note, the AKI extension has the following OID:
  5089. ' szOID_AUTHORITY_KEY_IDENTIFIER2 and its corresponding data structure.
  5090. '
  5091. ' If CRL_FIND_ISSUED_BY_SIGNATURE_FLAG is set in dwFindFlags, then,
  5092. ' uses the public key in the issuer's certificate to verify the
  5093. ' signature on the CRL. Only returns a CRL having a valid signature.
  5094. '
  5095. ' If CRL_FIND_ISSUED_BY_DELTA_FLAG is set in dwFindFlags, then, only
  5096. ' returns a delta CRL.
  5097. '
  5098. ' If CRL_FIND_ISSUED_BY_BASE_FLAG is set in dwFindFlags, then, only
  5099. ' returns a base CRL.
  5100. '--------------------------------------------------------------------------
  5101. Public Const CRL_FIND_ISSUED_BY_AKI_FLAG As Long = &H1
  5102. Public Const CRL_FIND_ISSUED_BY_SIGNATURE_FLAG As Long = &H2
  5103. Public Const CRL_FIND_ISSUED_BY_DELTA_FLAG As Long = &H4
  5104. Public Const CRL_FIND_ISSUED_BY_BASE_FLAG As Long = &H8
  5105. '+-------------------------------------------------------------------------
  5106. ' CRL_FIND_EXISTING
  5107. '
  5108. ' Find existing CRL in the store.
  5109. '
  5110. ' pvFindPara is the PCCRL_CONTEXT of the CRL to check if it already
  5111. ' exists in the store.
  5112. '--------------------------------------------------------------------------
  5113. '+-------------------------------------------------------------------------
  5114. ' Duplicate a CRL context
  5115. '--------------------------------------------------------------------------
  5116. '+-------------------------------------------------------------------------
  5117. ' Create a CRL context from the encoded CRL. The created
  5118. ' context isn't put in a store.
  5119. '
  5120. ' Makes a copy of the encoded CRL in the created context.
  5121. '
  5122. ' If unable to decode and create the CRL context, NULL is returned.
  5123. ' Otherwise, a pointer to a read only CRL_CONTEXT is returned.
  5124. ' CRL_CONTEXT must be freed by calling CertFreeCRLContext.
  5125. ' CertDuplicateCRLContext can be called to make a duplicate.
  5126. '
  5127. ' CertSetCRLContextProperty and CertGetCRLContextProperty can be called
  5128. ' to store properties for the CRL.
  5129. '--------------------------------------------------------------------------
  5130. '+-------------------------------------------------------------------------
  5131. ' Free a CRL context
  5132. '
  5133. ' There needs to be a corresponding free for each context obtained by a
  5134. ' get, duplicate or create.
  5135. '--------------------------------------------------------------------------
  5136. '+-------------------------------------------------------------------------
  5137. ' Set the property for the specified CRL context.
  5138. '
  5139. ' Same Property Ids and semantics as CertSetCertificateContextProperty.
  5140. '--------------------------------------------------------------------------
  5141. '+-------------------------------------------------------------------------
  5142. ' Get the property for the specified CRL context.
  5143. '
  5144. ' Same Property Ids and semantics as CertGetCertificateContextProperty.
  5145. '
  5146. ' CERT_SHA1_HASH_PROP_ID, CERT_MD5_HASH_PROP_ID or
  5147. ' CERT_SIGNATURE_HASH_PROP_ID is the predefined property of most interest.
  5148. '--------------------------------------------------------------------------
  5149. '+-------------------------------------------------------------------------
  5150. ' Enumerate the properties for the specified CRL context.
  5151. '
  5152. ' To get the first property, set dwPropId to 0. The ID of the first
  5153. ' property is returned. To get the next property, set dwPropId to the
  5154. ' ID returned by the last call. To enumerate all the properties continue
  5155. ' until 0 is returned.
  5156. '
  5157. ' CertGetCRLContextProperty is called to get the property's data.
  5158. '--------------------------------------------------------------------------
  5159. '+-------------------------------------------------------------------------
  5160. ' Search the CRL's list of entries for the specified certificate.
  5161. '
' TRUE is returned if we were able to search the list. Otherwise, FALSE is
' returned.
  5164. '
  5165. ' For success, if the certificate was found in the list, *ppCrlEntry is
  5166. ' updated with a pointer to the entry. Otherwise, *ppCrlEntry is set to NULL.
  5167. ' The returned entry isn't allocated and must not be freed.
  5168. '
  5169. ' dwFlags and pvReserved currently aren't used and must be set to 0 or NULL.
  5170. '--------------------------------------------------------------------------
  5171. '+-------------------------------------------------------------------------
  5172. ' Is the specified CRL valid for the certificate.
  5173. '
  5174. ' Returns TRUE if the CRL's list of entries would contain the certificate
  5175. ' if it was revoked. Note, doesn't check that the certificate is in the
  5176. ' list of entries.
  5177. '
' If the CRL has an Issuing Distribution Point (IDP) extension, checks
' that it's valid for the subject certificate.
  5179. '
  5180. ' dwFlags and pvReserved currently aren't used and must be set to 0 and NULL.
  5181. '--------------------------------------------------------------------------
  5182. '+-------------------------------------------------------------------------
  5183. ' Add certificate/CRL, encoded, context or element disposition values.
  5184. '--------------------------------------------------------------------------
  5185. Public Const CERT_STORE_ADD_NEW As Long = 1
  5186. Public Const CERT_STORE_ADD_USE_EXISTING As Long = 2
  5187. Public Const CERT_STORE_ADD_REPLACE_EXISTING As Long = 3
  5188. Public Const CERT_STORE_ADD_ALWAYS As Long = 4
  5189. Public Const CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES As Long = 5
  5190. Public Const CERT_STORE_ADD_NEWER As Long = 6
  5191. Public Const CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES As Long = 7
  5192. '+-------------------------------------------------------------------------
  5193. ' Add the encoded certificate to the store according to the specified
  5194. ' disposition action.
  5195. '
  5196. ' Makes a copy of the encoded certificate before adding to the store.
  5197. '
' dwAddDisposition specifies the action to take if the certificate
' already exists in the store. This parameter must be one of the following
' values:
  5201. ' CERT_STORE_ADD_NEW
  5202. ' Fails if the certificate already exists in the store. LastError
  5203. ' is set to CRYPT_E_EXISTS.
  5204. ' CERT_STORE_ADD_USE_EXISTING
' If the certificate already exists, then, it's used and if ppCertContext
' is non-NULL, the existing context is duplicated.
  5207. ' CERT_STORE_ADD_REPLACE_EXISTING
  5208. ' If the certificate already exists, then, the existing certificate
  5209. ' context is deleted before creating and adding the new context.
  5210. ' CERT_STORE_ADD_ALWAYS
  5211. ' No check is made to see if the certificate already exists. A
  5212. ' new certificate context is always created. This may lead to
  5213. ' duplicates in the store.
  5214. ' CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES
' If the certificate already exists, then, it's used.
  5216. ' CERT_STORE_ADD_NEWER
  5217. ' Fails if the certificate already exists in the store AND the NotBefore
  5218. ' time of the existing certificate is equal to or greater than the
  5219. ' NotBefore time of the new certificate being added. LastError
  5220. ' is set to CRYPT_E_EXISTS.
  5221. '
  5222. ' If an older certificate is replaced, same as
  5223. ' CERT_STORE_ADD_REPLACE_EXISTING.
  5224. '
  5225. ' For CRLs or CTLs compares the ThisUpdate times.
  5226. '
  5227. ' CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES
  5228. ' Same as CERT_STORE_ADD_NEWER. However, if an older certificate is
  5229. ' replaced, same as CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES.
  5230. '
  5231. ' CertGetSubjectCertificateFromStore is called to determine if the
  5232. ' certificate already exists in the store.
  5233. '
  5234. ' ppCertContext can be NULL, indicating the caller isn't interested
  5235. ' in getting the CERT_CONTEXT of the added or existing certificate.
  5236. '--------------------------------------------------------------------------
  5237. '+-------------------------------------------------------------------------
  5238. ' Add the certificate context to the store according to the specified
  5239. ' disposition action.
  5240. '
' In addition to the encoded certificate, the context's properties are
' also copied. Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
' CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
  5243. '
  5244. ' Makes a copy of the certificate context before adding to the store.
  5245. '
' dwAddDisposition specifies the action to take if the certificate
' already exists in the store. This parameter must be one of the following
' values:
  5249. ' CERT_STORE_ADD_NEW
  5250. ' Fails if the certificate already exists in the store. LastError
  5251. ' is set to CRYPT_E_EXISTS.
  5252. ' CERT_STORE_ADD_USE_EXISTING
' If the certificate already exists, then, it's used and if ppStoreContext
' is non-NULL, the existing context is duplicated. Iterates
' through pCertContext's properties and only copies the properties
' that don't already exist. The SHA1 and MD5 hash properties aren't
' copied.
  5258. ' CERT_STORE_ADD_REPLACE_EXISTING
  5259. ' If the certificate already exists, then, the existing certificate
  5260. ' context is deleted before creating and adding a new context.
  5261. ' Properties are copied before doing the add.
  5262. ' CERT_STORE_ADD_ALWAYS
  5263. ' No check is made to see if the certificate already exists. A
  5264. ' new certificate context is always created and added. This may lead to
  5265. ' duplicates in the store. Properties are
  5266. ' copied before doing the add.
  5267. ' CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES
  5268. ' If the certificate already exists, then, the existing certificate
  5269. ' context is used. Properties from the added context are copied and
  5270. ' replace existing properties. However, any existing properties not
  5271. ' in the added context remain and aren't deleted.
  5272. ' CERT_STORE_ADD_NEWER
  5273. ' Fails if the certificate already exists in the store AND the NotBefore
  5274. ' time of the existing context is equal to or greater than the
  5275. ' NotBefore time of the new context being added. LastError
  5276. ' is set to CRYPT_E_EXISTS.
  5277. '
  5278. ' If an older context is replaced, same as
  5279. ' CERT_STORE_ADD_REPLACE_EXISTING.
  5280. '
  5281. ' For CRLs or CTLs compares the ThisUpdate times.
  5282. '
  5283. ' CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES
  5284. ' Same as CERT_STORE_ADD_NEWER. However, if an older context is
  5285. ' replaced, same as CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES.
  5286. '
  5287. ' CertGetSubjectCertificateFromStore is called to determine if the
  5288. ' certificate already exists in the store.
  5289. '
  5290. ' ppStoreContext can be NULL, indicating the caller isn't interested
  5291. ' in getting the CERT_CONTEXT of the added or existing certificate.
  5292. '--------------------------------------------------------------------------
  5293. '+-------------------------------------------------------------------------
  5294. ' Certificate Store Context Types
  5295. '--------------------------------------------------------------------------
  5296. Public Const CERT_STORE_CERTIFICATE_CONTEXT As Long = 1
  5297. Public Const CERT_STORE_CRL_CONTEXT As Long = 2
  5298. Public Const CERT_STORE_CTL_CONTEXT As Long = 3
  5299. '+-------------------------------------------------------------------------
  5300. ' Certificate Store Context Bit Flags
  5301. '--------------------------------------------------------------------------
  5302. '+-------------------------------------------------------------------------
  5303. ' Add the serialized certificate or CRL element to the store.
  5304. '
  5305. ' The serialized element contains the encoded certificate, CRL or CTL and
  5306. ' its properties, such as, CERT_KEY_PROV_INFO_PROP_ID.
  5307. '
  5308. ' If hCertStore is NULL, creates a certificate, CRL or CTL context not
  5309. ' residing in any store.
  5310. '
' dwAddDisposition specifies the action to take if the certificate or CRL
' already exists in the store. See CertAddCertificateContextToStore for a
' list of the dispositions and the actions taken.
  5314. '
  5315. ' dwFlags currently isn't used and should be set to 0.
  5316. '
  5317. ' dwContextTypeFlags specifies the set of allowable contexts. For example, to
  5318. ' add either a certificate or CRL, set dwContextTypeFlags to:
  5319. ' CERT_STORE_CERTIFICATE_CONTEXT_FLAG | CERT_STORE_CRL_CONTEXT_FLAG
  5320. '
  5321. ' *pdwContextType is updated with the type of the context returned in
  5322. ' *ppvContxt. pdwContextType or ppvContext can be NULL, indicating the
  5323. ' caller isn't interested in getting the output. If *ppvContext is
  5324. ' returned it must be freed by calling CertFreeCertificateContext or
  5325. ' CertFreeCRLContext.
  5326. '--------------------------------------------------------------------------
  5327. '+-------------------------------------------------------------------------
  5328. ' Delete the specified certificate from the store.
  5329. '
  5330. ' All subsequent gets or finds for the certificate will fail. However,
  5331. ' memory allocated for the certificate isn't freed until all of its contexts
  5332. ' have also been freed.
  5333. '
  5334. ' The pCertContext is obtained from a get, enum, find or duplicate.
  5335. '
  5336. ' Some store provider implementations might also delete the issuer's CRLs
  5337. ' if this is the last certificate for the issuer in the store.
  5338. '
  5339. ' NOTE: the pCertContext is always CertFreeCertificateContext'ed by
  5340. ' this function, even for an error.
  5341. '--------------------------------------------------------------------------
  5342. '+-------------------------------------------------------------------------
  5343. ' Add the encoded CRL to the store according to the specified
  5344. ' disposition option.
  5345. '
  5346. ' Makes a copy of the encoded CRL before adding to the store.
  5347. '
' dwAddDisposition specifies the action to take if the CRL
' already exists in the store. See CertAddEncodedCertificateToStore for a
' list of the dispositions and the actions taken.
  5351. '
  5352. ' Compares the CRL's Issuer to determine if the CRL already exists in the
  5353. ' store.
  5354. '
  5355. ' ppCrlContext can be NULL, indicating the caller isn't interested
  5356. ' in getting the CRL_CONTEXT of the added or existing CRL.
  5357. '--------------------------------------------------------------------------
  5358. '+-------------------------------------------------------------------------
  5359. ' Add the CRL context to the store according to the specified
  5360. ' disposition option.
  5361. '
' In addition to the encoded CRL, the context's properties are
' also copied. Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
' CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
  5364. '
  5365. ' Makes a copy of the encoded CRL before adding to the store.
  5366. '
' dwAddDisposition specifies the action to take if the CRL
' already exists in the store. See CertAddCertificateContextToStore for a
' list of the dispositions and the actions taken.
  5370. '
  5371. ' Compares the CRL's Issuer, ThisUpdate and NextUpdate to determine
  5372. ' if the CRL already exists in the store.
  5373. '
  5374. ' ppStoreContext can be NULL, indicating the caller isn't interested
  5375. ' in getting the CRL_CONTEXT of the added or existing CRL.
  5376. '--------------------------------------------------------------------------
  5377. '+-------------------------------------------------------------------------
  5378. ' Delete the specified CRL from the store.
  5379. '
  5380. ' All subsequent gets for the CRL will fail. However,
  5381. ' memory allocated for the CRL isn't freed until all of its contexts
  5382. ' have also been freed.
  5383. '
  5384. ' The pCrlContext is obtained from a get or duplicate.
  5385. '
  5386. ' NOTE: the pCrlContext is always CertFreeCRLContext'ed by
  5387. ' this function, even for an error.
  5388. '--------------------------------------------------------------------------
  5389. '+-------------------------------------------------------------------------
  5390. ' Serialize the certificate context's encoded certificate and its
  5391. ' properties.
  5392. '--------------------------------------------------------------------------
  5393. '+-------------------------------------------------------------------------
  5394. ' Serialize the CRL context's encoded CRL and its properties.
  5395. '--------------------------------------------------------------------------
'+=========================================================================
' Certificate Trust List (CTL) Context and Store APIs
'==========================================================================
  5398. '+-------------------------------------------------------------------------
  5399. ' Duplicate a CTL context
  5400. '--------------------------------------------------------------------------
  5401. '+-------------------------------------------------------------------------
  5402. ' Create a CTL context from the encoded CTL. The created
  5403. ' context isn't put in a store.
  5404. '
  5405. ' Makes a copy of the encoded CTL in the created context.
  5406. '
  5407. ' If unable to decode and create the CTL context, NULL is returned.
  5408. ' Otherwise, a pointer to a read only CTL_CONTEXT is returned.
  5409. ' CTL_CONTEXT must be freed by calling CertFreeCTLContext.
  5410. ' CertDuplicateCTLContext can be called to make a duplicate.
  5411. '
  5412. ' CertSetCTLContextProperty and CertGetCTLContextProperty can be called
  5413. ' to store properties for the CTL.
  5414. '--------------------------------------------------------------------------
  5415. '+-------------------------------------------------------------------------
  5416. ' Free a CTL context
  5417. '
  5418. ' There needs to be a corresponding free for each context obtained by a
  5419. ' get, duplicate or create.
  5420. '--------------------------------------------------------------------------
  5421. '+-------------------------------------------------------------------------
  5422. ' Set the property for the specified CTL context.
  5423. '
  5424. ' Same Property Ids and semantics as CertSetCertificateContextProperty.
  5425. '--------------------------------------------------------------------------
  5426. '+-------------------------------------------------------------------------
  5427. ' Get the property for the specified CTL context.
  5428. '
  5429. ' Same Property Ids and semantics as CertGetCertificateContextProperty.
  5430. '
  5431. ' CERT_SHA1_HASH_PROP_ID or CERT_NEXT_UPDATE_LOCATION_PROP_ID are the
  5432. ' predefined properties of most interest.
  5433. '--------------------------------------------------------------------------
  5434. '+-------------------------------------------------------------------------
  5435. ' Enumerate the properties for the specified CTL context.
  5436. '--------------------------------------------------------------------------
  5437. '+-------------------------------------------------------------------------
  5438. ' Enumerate the CTL contexts in the store.
  5439. '
  5440. ' If a CTL isn't found, NULL is returned.
  5441. ' Otherwise, a pointer to a read only CTL_CONTEXT is returned. CTL_CONTEXT
  5442. ' must be freed by calling CertFreeCTLContext or is freed when passed as the
  5443. ' pPrevCtlContext on a subsequent call. CertDuplicateCTLContext
  5444. ' can be called to make a duplicate.
  5445. '
  5446. ' pPrevCtlContext MUST BE NULL to enumerate the first
  5447. ' CTL in the store. Successive CTLs are enumerated by setting
  5448. ' pPrevCtlContext to the CTL_CONTEXT returned by a previous call.
  5449. '
  5450. ' NOTE: a NON-NULL pPrevCtlContext is always CertFreeCTLContext'ed by
  5451. ' this function, even for an error.
  5452. '--------------------------------------------------------------------------
  5453. '+-------------------------------------------------------------------------
  5454. ' Attempt to find the specified subject in the CTL.
  5455. '
  5456. ' For CTL_CERT_SUBJECT_TYPE, pvSubject points to a CERT_CONTEXT. The CTL's
  5457. ' SubjectAlgorithm is examined to determine the representation of the
  5458. ' subject's identity. Initially, only SHA1 or MD5 hash will be supported.
  5459. ' The appropriate hash property is obtained from the CERT_CONTEXT.
  5460. '
' For CTL_ANY_SUBJECT_TYPE, pvSubject points to the CTL_ANY_SUBJECT_INFO
' structure which contains the SubjectAlgorithm to be matched in the CTL
' and the SubjectIdentifier to be matched in one of the CTL entries.
  5464. '
' The certificate's hash or the CTL_ANY_SUBJECT_INFO's SubjectIdentifier
' is used as the key in searching the subject entries. A binary
' memory comparison is done between the key and the entry's SubjectIdentifier.
  5468. '
  5469. ' dwEncodingType isn't used for either of the above SubjectTypes.
  5470. '--------------------------------------------------------------------------
  5471. ' Subject Types:
  5472. ' CTL_ANY_SUBJECT_TYPE, pvSubject points to following CTL_ANY_SUBJECT_INFO.
  5473. ' CTL_CERT_SUBJECT_TYPE, pvSubject points to CERT_CONTEXT.
  5474. Public Const CTL_ANY_SUBJECT_TYPE As Long = 1
  5475. Public Const CTL_CERT_SUBJECT_TYPE As Long = 2
  5476. '+-------------------------------------------------------------------------
  5477. ' Find the first or next CTL context in the store.
  5478. '
  5479. ' The CTL is found according to the dwFindType and its pvFindPara.
  5480. ' See below for a list of the find types and its parameters.
  5481. '
  5482. ' Currently dwFindFlags isn't used and must be set to 0.
  5483. '
  5484. ' Usage of dwMsgAndCertEncodingType depends on the dwFindType.
  5485. '
  5486. ' If the first or next CTL isn't found, NULL is returned.
  5487. ' Otherwise, a pointer to a read only CTL_CONTEXT is returned. CTL_CONTEXT
  5488. ' must be freed by calling CertFreeCTLContext or is freed when passed as the
  5489. ' pPrevCtlContext on a subsequent call. CertDuplicateCTLContext
  5490. ' can be called to make a duplicate.
  5491. '
  5492. ' pPrevCtlContext MUST BE NULL on the first
  5493. ' call to find the CTL. To find the next CTL, the
  5494. ' pPrevCtlContext is set to the CTL_CONTEXT returned by a previous call.
  5495. '
  5496. ' NOTE: a NON-NULL pPrevCtlContext is always CertFreeCTLContext'ed by
  5497. ' this function, even for an error.
  5498. '--------------------------------------------------------------------------
  5499. Public Const CTL_FIND_ANY As Long = 0
  5500. Public Const CTL_FIND_SHA1_HASH As Long = 1
  5501. Public Const CTL_FIND_MD5_HASH As Long = 2
  5502. Public Const CTL_FIND_USAGE As Long = 3
  5503. Public Const CTL_FIND_SUBJECT As Long = 4
  5504. Public Const CTL_FIND_EXISTING As Long = 5
  5505. Public Const CTL_FIND_NO_LIST_ID_CBDATA As Long = &HFFFFFFFF
  5506. Public Const CTL_FIND_SAME_USAGE_FLAG As Long = &H1
  5507. '+-------------------------------------------------------------------------
  5508. ' CTL_FIND_ANY
  5509. '
  5510. ' Find any CTL.
  5511. '
  5512. ' pvFindPara isn't used.
  5513. '--------------------------------------------------------------------------
  5514. '+-------------------------------------------------------------------------
  5515. ' CTL_FIND_SHA1_HASH
  5516. ' CTL_FIND_MD5_HASH
  5517. '
  5518. ' Find a CTL with the specified hash.
  5519. '
  5520. ' pvFindPara points to a CRYPT_HASH_BLOB.
  5521. '--------------------------------------------------------------------------
  5522. '+-------------------------------------------------------------------------
  5523. ' CTL_FIND_USAGE
  5524. '
  5525. ' Find a CTL having the specified usage identifiers, list identifier or
  5526. ' signer. The CertEncodingType of the signer is obtained from the
  5527. ' dwMsgAndCertEncodingType parameter.
  5528. '
' pvFindPara points to a CTL_FIND_USAGE_PARA data structure. The
' SubjectUsage.cUsageIdentifier can be 0 to match any usage. The
  5531. ' ListIdentifier.cbData can be 0 to match any list identifier. To only match
  5532. ' CTLs without a ListIdentifier, cbData must be set to
  5533. ' CTL_FIND_NO_LIST_ID_CBDATA. pSigner can be NULL to match any signer. Only
  5534. ' the Issuer and SerialNumber fields of the pSigner's PCERT_INFO are used.
  5535. ' To only match CTLs without a signer, pSigner must be set to
  5536. ' CTL_FIND_NO_SIGNER_PTR.
  5537. '
  5538. ' The CTL_FIND_SAME_USAGE_FLAG can be set in dwFindFlags to
  5539. ' only match CTLs with the same usage identifiers. CTLs having additional
' usage identifiers aren't matched. For example, if only "1.2.3" is specified
' in CTL_FIND_USAGE_PARA, then, for a match, the CTL must only contain
' "1.2.3" and not any additional usage identifiers.
  5543. '--------------------------------------------------------------------------
  5544. '+-------------------------------------------------------------------------
  5545. ' CTL_FIND_SUBJECT
  5546. '
  5547. ' Find a CTL having the specified subject. CertFindSubjectInCTL can be
  5548. ' called to get a pointer to the subject's entry in the CTL. pUsagePara can
  5549. ' optionally be set to enable the above CTL_FIND_USAGE matching.
  5550. '
  5551. ' pvFindPara points to a CTL_FIND_SUBJECT_PARA data structure.
  5552. '--------------------------------------------------------------------------
  5553. '+-------------------------------------------------------------------------
  5554. ' Add the encoded CTL to the store according to the specified
  5555. ' disposition option.
  5556. '
  5557. ' Makes a copy of the encoded CTL before adding to the store.
  5558. '
' dwAddDisposition specifies the action to take if the CTL
' already exists in the store. See CertAddEncodedCertificateToStore for a
' list of the dispositions and the actions taken.
  5562. '
  5563. ' Compares the CTL's SubjectUsage, ListIdentifier and any of its signers
  5564. ' to determine if the CTL already exists in the store.
  5565. '
  5566. ' ppCtlContext can be NULL, indicating the caller isn't interested
  5567. ' in getting the CTL_CONTEXT of the added or existing CTL.
  5568. '--------------------------------------------------------------------------
  5569. '+-------------------------------------------------------------------------
  5570. ' Add the CTL context to the store according to the specified
  5571. ' disposition option.
  5572. '
' In addition to the encoded CTL, the context's properties are
' also copied. Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
' CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
  5575. '
  5576. ' Makes a copy of the encoded CTL before adding to the store.
  5577. '
' dwAddDisposition specifies the action to take if the CTL
' already exists in the store. See CertAddCertificateContextToStore for a
' list of the dispositions and the actions taken.
  5581. '
  5582. ' Compares the CTL's SubjectUsage, ListIdentifier and any of its signers
  5583. ' to determine if the CTL already exists in the store.
  5584. '
  5585. ' ppStoreContext can be NULL, indicating the caller isn't interested
  5586. ' in getting the CTL_CONTEXT of the added or existing CTL.
  5587. '--------------------------------------------------------------------------
  5588. '+-------------------------------------------------------------------------
  5589. ' Serialize the CTL context's encoded CTL and its properties.
  5590. '--------------------------------------------------------------------------
  5591. '+-------------------------------------------------------------------------
  5592. ' Delete the specified CTL from the store.
  5593. '
  5594. ' All subsequent gets for the CTL will fail. However,
  5595. ' memory allocated for the CTL isn't freed until all of its contexts
  5596. ' have also been freed.
  5597. '
  5598. ' The pCtlContext is obtained from a get or duplicate.
  5599. '
  5600. ' NOTE: the pCtlContext is always CertFreeCTLContext'ed by
  5601. ' this function, even for an error.
  5602. '--------------------------------------------------------------------------
  5603. '+-------------------------------------------------------------------------
  5604. ' Certificate Store control types
  5605. '--------------------------------------------------------------------------
  5606. Public Const CERT_STORE_CTRL_RESYNC As Long = 1
  5607. Public Const CERT_STORE_CTRL_NOTIFY_CHANGE As Long = 2
  5608. Public Const CERT_STORE_CTRL_COMMIT As Long = 3
  5609. Public Const CERT_STORE_CTRL_AUTO_RESYNC As Long = 4
  5610. Public Const CERT_STORE_CTRL_CANCEL_NOTIFY As Long = 5
  5611. Public Const CERT_STORE_CTRL_INHIBIT_DUPLICATE_HANDLE_FLAG As Long = &H1
  5612. '+-------------------------------------------------------------------------
  5613. ' CERT_STORE_CTRL_RESYNC
  5614. '
  5615. ' Re-synchronize the store.
  5616. '
  5617. ' The pvCtrlPara points to the event HANDLE to be signaled on
  5618. ' the next store change. Normally, this would be the same
  5619. ' event HANDLE passed to CERT_STORE_CTRL_NOTIFY_CHANGE during initialization.
  5620. '
  5621. ' If pvCtrlPara is NULL, no events are re-armed.
  5622. '
' By default the event HANDLE is DuplicateHandle'd.
' CERT_STORE_CTRL_INHIBIT_DUPLICATE_HANDLE_FLAG can be set in dwFlags
' to inhibit a DuplicateHandle of the event HANDLE. If this flag
' is set, then, CertControlStore(hCertStore, 0,
' CERT_STORE_CTRL_CANCEL_NOTIFY, &hEvent) must be called for this
' event HANDLE before closing the hCertStore.
  5627. '--------------------------------------------------------------------------
  5628. '+-------------------------------------------------------------------------
  5629. ' CERT_STORE_CTRL_NOTIFY_CHANGE
  5630. '
  5631. ' Signal the event when the underlying store is changed.
  5632. '
  5633. ' pvCtrlPara points to the event HANDLE to be signaled.
  5634. '
  5635. ' pvCtrlPara can be NULL to inform the store of a subsequent
  5636. ' CERT_STORE_CTRL_RESYNC and allow it to optimize by only doing a resync
  5637. ' if the store has changed. For the registry based stores, an internal
  5638. ' notify change event is created and registered to be signaled.
  5639. '
  5640. ' Recommend calling CERT_STORE_CTRL_NOTIFY_CHANGE once for each event to
  5641. ' be passed to CERT_STORE_CTRL_RESYNC. This should only happen after
  5642. ' the event has been created. Not after each time the event is signaled.
  5643. '
' By default the event HANDLE is DuplicateHandle'd.
' CERT_STORE_CTRL_INHIBIT_DUPLICATE_HANDLE_FLAG can be set in dwFlags
' to inhibit a DuplicateHandle of the event HANDLE. If this flag
' is set, then, CertControlStore(hCertStore, 0,
' CERT_STORE_CTRL_CANCEL_NOTIFY, &hEvent) must be called for this
' event HANDLE before closing the hCertStore.
  5648. '--------------------------------------------------------------------------
  5649. '+-------------------------------------------------------------------------
  5650. ' CERT_STORE_CTRL_CANCEL_NOTIFY
  5651. '
  5652. ' Cancel notification signaling of the event HANDLE passed in a previous
  5653. ' CERT_STORE_CTRL_NOTIFY_CHANGE or CERT_STORE_CTRL_RESYNC.
  5654. '
  5655. ' pvCtrlPara points to the event HANDLE to be canceled.
  5656. '--------------------------------------------------------------------------
  5657. '+-------------------------------------------------------------------------
  5658. ' CERT_STORE_CTRL_AUTO_RESYNC
  5659. '
  5660. ' At the start of every enumeration or find store API call, check if the
  5661. ' underlying store has changed. If it has changed, re-synchronize.
  5662. '
  5663. ' This check is only done in the enumeration or find APIs when the
  5664. ' pPrevContext is NULL.
  5665. '
  5666. ' The pvCtrlPara isn't used and must be set to NULL.
  5667. '--------------------------------------------------------------------------
  5668. '+-------------------------------------------------------------------------
  5669. ' CERT_STORE_CTRL_COMMIT
  5670. '
' If any changes have been made to the cached store, they are committed to
  5672. ' persisted storage. If no changes have been made since the store was
  5673. ' opened or the last commit, this call is ignored. May also be ignored by
  5674. ' store providers that persist changes immediately.
  5675. '
  5676. ' CERT_STORE_CTRL_COMMIT_FORCE_FLAG can be set to force the store
  5677. ' to be committed even if it hasn't been touched.
  5678. '
  5679. ' CERT_STORE_CTRL_COMMIT_CLEAR_FLAG can be set to inhibit a commit on
  5680. ' store close.
  5681. '--------------------------------------------------------------------------
  5682. Public Const CERT_STORE_CTRL_COMMIT_FORCE_FLAG As Long = &H1
  5683. Public Const CERT_STORE_CTRL_COMMIT_CLEAR_FLAG As Long = &H2
  5684. '+=========================================================================
  5685. ' Cert Store Property Defines and APIs
  5686. '==========================================================================
  5687. '+-------------------------------------------------------------------------
  5688. ' Store property IDs. This is a property applicable to the entire store.
' It is not a property on an individual certificate, CRL or CTL context.
  5690. '
' (Unlike most context properties, which are persisted, store properties
' are not persisted.)
  5692. '
  5693. ' See CertSetStoreProperty or CertGetStoreProperty for usage information.
  5694. '
  5695. ' Note, the range for predefined store properties should be outside
  5696. ' the range of predefined context properties. We will start at 4096.
  5697. '--------------------------------------------------------------------------
  5698. Public Const CERT_STORE_LOCALIZED_NAME_PROP_ID As Long = &H1000
  5699. '+-------------------------------------------------------------------------
  5700. ' Set a store property.
  5701. '
  5702. ' The type definition for pvData depends on the dwPropId value.
  5703. ' CERT_STORE_LOCALIZED_NAME_PROP_ID - localized name of the store.
  5704. ' pvData points to a CRYPT_DATA_BLOB. pbData is a pointer to a NULL
  5705. ' terminated unicode, wide character string.
  5706. '
  5707. ' For all the other PROP_IDs: an encoded PCRYPT_DATA_BLOB is passed in pvData.
  5708. '
  5709. ' If the property already exists, then, the old value is deleted and silently
  5710. ' replaced. Setting, pvData to NULL, deletes the property.
  5711. '--------------------------------------------------------------------------
  5712. '+-------------------------------------------------------------------------
  5713. ' Get a store property.
  5714. '
  5715. ' The type definition for pvData depends on the dwPropId value.
  5716. ' CERT_STORE_LOCALIZED_NAME_PROP_ID - localized name of the store.
  5717. ' pvData points to a NULL terminated unicode, wide character string.
  5718. '
  5719. ' For all other PROP_IDs, pvData points to an array of bytes.
  5720. '
  5721. ' If the property doesn't exist, returns FALSE and sets LastError to
  5722. ' CRYPT_E_NOT_FOUND.
  5723. '--------------------------------------------------------------------------
  5724. '+-------------------------------------------------------------------------
  5725. ' Creates the specified context from the encoded bytes. The created
  5726. ' context isn't put in a store.
  5727. '
  5728. ' dwContextType values:
  5729. ' CERT_STORE_CERTIFICATE_CONTEXT
  5730. ' CERT_STORE_CRL_CONTEXT
  5731. ' CERT_STORE_CTL_CONTEXT
  5732. '
  5733. ' If CERT_CREATE_CONTEXT_NOCOPY_FLAG is set, the created context points
  5734. ' directly to the pbEncoded instead of an allocated copy. See flag
  5735. ' definition for more details.
  5736. '
  5737. ' If CERT_CREATE_CONTEXT_SORTED_FLAG is set, the context is created
  5738. ' with sorted entries. This flag may only be set for CERT_STORE_CTL_CONTEXT.
  5739. ' Setting this flag implicitly sets CERT_CREATE_CONTEXT_NO_HCRYPTMSG_FLAG and
  5740. ' CERT_CREATE_CONTEXT_NO_ENTRY_FLAG. See flag definition for
  5741. ' more details.
  5742. '
  5743. ' If CERT_CREATE_CONTEXT_NO_HCRYPTMSG_FLAG is set, the context is created
  5744. ' without creating a HCRYPTMSG handle for the context. This flag may only be
  5745. ' set for CERT_STORE_CTL_CONTEXT. See flag definition for more details.
  5746. '
  5747. ' If CERT_CREATE_CONTEXT_NO_ENTRY_FLAG is set, the context is created
  5748. ' without decoding the entries. This flag may only be set for
  5749. ' CERT_STORE_CTL_CONTEXT. See flag definition for more details.
  5750. '
  5751. ' If unable to decode and create the context, NULL is returned.
  5752. ' Otherwise, a pointer to a read only CERT_CONTEXT, CRL_CONTEXT or
  5753. ' CTL_CONTEXT is returned. The context must be freed by the appropriate
  5754. ' free context API. The context can be duplicated by calling the
  5755. ' appropriate duplicate context API.
  5756. '--------------------------------------------------------------------------
  5757. ' When the following flag is set, the created context points directly to the
  5758. ' pbEncoded instead of an allocated copy. If pCreatePara and
  5759. ' pCreatePara->pfnFree are non-NULL, then, pfnFree is called to free
  5760. ' the pbEncoded when the context is last freed. Otherwise, no attempt is
  5761. ' made to free the pbEncoded. If pCreatePara->pvFree is non-NULL, then its
  5762. ' passed to pfnFree instead of pbEncoded.
  5763. '
  5764. ' Note, if CertCreateContext fails, pfnFree is still called.
  5765. Public Const CERT_CREATE_CONTEXT_NOCOPY_FLAG As Long = &H1
  5766. ' When the following flag is set, a context with sorted entries is created.
  5767. ' Currently only applicable to a CTL context.
  5768. '
  5769. ' For CTLs: the cCTLEntry in the returned CTL_INFO is always
  5770. ' 0. CertFindSubjectInSortedCTL and CertEnumSubjectInSortedCTL must be called
  5771. ' to find or enumerate the CTL entries.
  5772. '
  5773. ' The Sorted CTL TrustedSubjects extension isn't returned in the created
  5774. ' context's CTL_INFO.
  5775. Public Const CERT_CREATE_CONTEXT_SORTED_FLAG As Long = &H2
  5776. ' By default when a CTL context is created, a HCRYPTMSG handle to its
  5777. ' SignedData message is created. This flag can be set to improve performance
  5778. ' by not creating the HCRYPTMSG handle.
  5779. '
  5780. ' This flag is only applicable to a CTL context.
  5781. Public Const CERT_CREATE_CONTEXT_NO_HCRYPTMSG_FLAG As Long = &H4
  5782. ' By default when a CTL context is created, its entries are decoded.
  5783. ' This flag can be set to improve performance by not decoding the
  5784. ' entries.
  5785. '
  5786. ' This flag is only applicable to a CTL context.
  5787. Public Const CERT_CREATE_CONTEXT_NO_ENTRY_FLAG As Long = &H8
  5788. '+=========================================================================
  5789. ' Certificate System Store Data Structures and APIs
  5790. '==========================================================================
  5791. '+-------------------------------------------------------------------------
  5792. ' System Store Information
  5793. '
  5794. ' Currently, no system store information is persisted.
  5795. '--------------------------------------------------------------------------
  5796. '+-------------------------------------------------------------------------
  5797. ' Physical Store Information
  5798. '
' The registered OpenParameters and dwOpenFlags (see below) are used to open
' the physical store.
  5800. '
  5801. ' By default all system stores located in the registry have an
  5802. ' implicit SystemRegistry physical store that is opened. To disable the
  5803. ' opening of this store, the SystemRegistry
  5804. ' physical store corresponding to the System store must be registered with
  5805. ' CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG set in dwFlags. Alternatively,
  5806. ' a physical store with the name of ".Default" may be registered.
  5807. '
  5808. ' Depending on the store location and store name, additional predefined
  5809. ' physical stores may be opened. For example, system stores in
  5810. ' CURRENT_USER have the predefined physical store, .LocalMachine.
  5811. ' To disable the opening of these predefined physical stores, the
  5812. ' corresponding physical store must be registered with
  5813. ' CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG set in dwFlags.
  5814. '
  5815. ' The CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG must be set in dwFlags
  5816. ' to enable the adding of a context to the store.
  5817. '
  5818. ' When a system store is opened via the SERVICES or USERS store location,
  5819. ' the ServiceName\ is prepended to the OpenParameters
  5820. ' for CERT_SYSTEM_STORE_CURRENT_USER or CERT_SYSTEM_STORE_CURRENT_SERVICE
  5821. ' physical stores and the dwOpenFlags store location is changed to
  5822. ' CERT_SYSTEM_STORE_USERS or CERT_SYSTEM_STORE_SERVICES.
  5823. '
  5824. ' By default the SYSTEM, SYSTEM_REGISTRY and PHYSICAL provider
  5825. ' stores are also opened remotely when the outer system store is opened.
  5826. ' The CERT_PHYSICAL_STORE_REMOTE_OPEN_DISABLE_FLAG may be set in dwFlags
  5827. ' to disable remote opens.
  5828. '
  5829. ' When opened remotely, the \\ComputerName is implicitly prepended to the
  5830. ' OpenParameters for the SYSTEM, SYSTEM_REGISTRY and PHYSICAL provider types.
  5831. ' To also prepend the \\ComputerName to other provider types, set the
  5832. ' CERT_PHYSICAL_STORE_INSERT_COMPUTER_NAME_ENABLE_FLAG in dwFlags.
  5833. '
  5834. ' When the system store is opened, its physical stores are ordered
  5835. ' according to the dwPriority. A larger dwPriority indicates higher priority.
  5836. '--------------------------------------------------------------------------
  5837. '+-------------------------------------------------------------------------
  5838. ' Physical Store Information dwFlags
  5839. '--------------------------------------------------------------------------
  5840. Public Const CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG As Long = &H1
  5841. Public Const CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG As Long = &H2
  5842. Public Const CERT_PHYSICAL_STORE_REMOTE_OPEN_DISABLE_FLAG As Long = &H4
  5843. Public Const CERT_PHYSICAL_STORE_INSERT_COMPUTER_NAME_ENABLE_FLAG As Long = &H8
  5844. '+-------------------------------------------------------------------------
  5845. ' Register a system store.
  5846. '
  5847. ' The upper word of the dwFlags parameter is used to specify the location of
  5848. ' the system store.
  5849. '
  5850. ' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
  5851. ' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
  5852. ' pvSystemStore points to a null terminated UNICODE string.
  5853. '
  5854. ' The CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS system store
  5855. ' name must be prefixed with the ServiceName or UserName. For example,
  5856. ' "ServiceName\Trust".
  5857. '
  5858. ' Stores on remote computers can be registered for the
  5859. ' CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_SERVICES,
  5860. ' CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
  5861. ' or CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
  5862. ' locations by prepending the computer name. For example, a remote
  5863. ' local machine store is registered via "\\ComputerName\Trust" or
  5864. ' "ComputerName\Trust". A remote service store is registered via
  5865. ' "\\ComputerName\ServiceName\Trust". The leading "\\" backslashes are
  5866. ' optional in the ComputerName.
  5867. '
  5868. ' Set CERT_STORE_CREATE_NEW_FLAG to cause a failure if the system store
  5869. ' already exists in the store location.
  5870. '--------------------------------------------------------------------------
  5871. '+-------------------------------------------------------------------------
  5872. ' Register a physical store for the specified system store.
  5873. '
  5874. ' The upper word of the dwFlags parameter is used to specify the location of
  5875. ' the system store.
  5876. '
  5877. ' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
  5878. ' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
  5879. ' pvSystemStore points to a null terminated UNICODE string.
  5880. '
  5881. ' See CertRegisterSystemStore for details on prepending a ServiceName
  5882. ' and/or ComputerName to the system store name.
  5883. '
  5884. ' Set CERT_STORE_CREATE_NEW_FLAG to cause a failure if the physical store
  5885. ' already exists in the system store.
  5886. '--------------------------------------------------------------------------
  5887. '+-------------------------------------------------------------------------
  5888. ' Unregister the specified system store.
  5889. '
  5890. ' The upper word of the dwFlags parameter is used to specify the location of
  5891. ' the system store.
  5892. '
  5893. ' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
  5894. ' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
  5895. ' pvSystemStore points to a null terminated UNICODE string.
  5896. '
  5897. ' See CertRegisterSystemStore for details on prepending a ServiceName
  5898. ' and/or ComputerName to the system store name.
  5899. '
  5900. ' CERT_STORE_DELETE_FLAG can optionally be set in dwFlags.
  5901. '--------------------------------------------------------------------------
  5902. '+-------------------------------------------------------------------------
  5903. ' Unregister the physical store from the specified system store.
  5904. '
  5905. ' The upper word of the dwFlags parameter is used to specify the location of
  5906. ' the system store.
  5907. '
  5908. ' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
  5909. ' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
  5910. ' pvSystemStore points to a null terminated UNICODE string.
  5911. '
  5912. ' See CertRegisterSystemStore for details on prepending a ServiceName
  5913. ' and/or ComputerName to the system store name.
  5914. '
  5915. ' CERT_STORE_DELETE_FLAG can optionally be set in dwFlags.
  5916. '--------------------------------------------------------------------------
  5917. '+-------------------------------------------------------------------------
  5918. ' Enum callbacks
  5919. '
  5920. ' The CERT_SYSTEM_STORE_LOCATION_MASK bits in the dwFlags parameter
  5921. ' specifies the location of the system store
  5922. '
  5923. ' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
  5924. ' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
  5925. ' pvSystemStore points to a null terminated UNICODE string.
  5926. '
  5927. ' The callback returns FALSE and sets LAST_ERROR to stop the enumeration.
  5928. ' The LAST_ERROR is returned to the caller of the enumeration.
  5929. '
  5930. ' The pvSystemStore passed to the callback has leading ComputerName and/or
  5931. ' ServiceName prefixes where appropriate.
  5932. '--------------------------------------------------------------------------
  5933. ' In the PFN_CERT_ENUM_PHYSICAL_STORE callback the following flag is
  5934. ' set if the physical store wasn't registered and is an implicitly created
  5935. ' predefined physical store.
  5936. Public Const CERT_PHYSICAL_STORE_PREDEFINED_ENUM_FLAG As Long = &H1
  5937. ' Names of implicitly created predefined physical stores
' Names of the implicitly created predefined physical stores. Registering a
' physical store under ".Default" is one way to disable the implicit
' SystemRegistry physical store; registering any of these names with
' CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG disables the corresponding implicit
' store. Which of them a given system store gets depends on its location
' (e.g. CURRENT_USER stores get ".LocalMachine").
Public Const CERT_PHYSICAL_STORE_DEFAULT_NAME As String = ".Default"
Public Const CERT_PHYSICAL_STORE_GROUP_POLICY_NAME As String = ".GroupPolicy"
Public Const CERT_PHYSICAL_STORE_LOCAL_MACHINE_NAME As String = ".LocalMachine"
Public Const CERT_PHYSICAL_STORE_DS_USER_CERTIFICATE_NAME As String = ".UserCertificate"
Public Const CERT_PHYSICAL_STORE_ENTERPRISE_NAME As String = ".Enterprise"
  5943. '+-------------------------------------------------------------------------
  5944. ' Enumerate the system store locations.
  5945. '--------------------------------------------------------------------------
  5946. '+-------------------------------------------------------------------------
  5947. ' Enumerate the system stores.
  5948. '
  5949. ' The upper word of the dwFlags parameter is used to specify the location of
  5950. ' the system store.
  5951. '
  5952. ' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags,
  5953. ' pvSystemStoreLocationPara points to a CERT_SYSTEM_STORE_RELOCATE_PARA
  5954. ' data structure. Otherwise, pvSystemStoreLocationPara points to a null
  5955. ' terminated UNICODE string.
  5956. '
  5957. ' For CERT_SYSTEM_STORE_LOCAL_MACHINE,
  5958. ' CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY or
  5959. ' CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, pvSystemStoreLocationPara can
  5960. ' optionally be set to a unicode computer name for enumerating local machine
  5961. ' stores on a remote computer. For example, "\\ComputerName" or
  5962. ' "ComputerName". The leading "\\" backslashes are optional in the
  5963. ' ComputerName.
  5964. '
  5965. ' For CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS,
  5966. ' if pvSystemStoreLocationPara is NULL, then,
  5967. ' enumerates both the service/user names and the stores for each service/user
  5968. ' name. Otherwise, pvSystemStoreLocationPara is a unicode string specifying a
  5969. ' remote computer name and/or service/user name. For example:
  5970. ' "ServiceName"
  5971. ' "\\ComputerName" or "ComputerName\"
  5972. ' "ComputerName\ServiceName"
' Note, if only the ComputerName is specified, then it must have either
' the leading "\\" backslashes or a trailing backslash. Otherwise, it is
' interpreted as the ServiceName or UserName.
  5976. '--------------------------------------------------------------------------
  5977. '+-------------------------------------------------------------------------
  5978. ' Enumerate the physical stores for the specified system store.
  5979. '
  5980. ' The upper word of the dwFlags parameter is used to specify the location of
  5981. ' the system store.
  5982. '
  5983. ' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
  5984. ' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
  5985. ' pvSystemStore points to a null terminated UNICODE string.
  5986. '
  5987. ' See CertRegisterSystemStore for details on prepending a ServiceName
  5988. ' and/or ComputerName to the system store name.
  5989. '
  5990. ' If the system store location only supports system stores and doesn't
  5991. ' support physical stores, LastError is set to ERROR_CALL_NOT_IMPLEMENTED.
  5992. '--------------------------------------------------------------------------
  5993. '+-------------------------------------------------------------------------
  5994. ' Certificate System Store Installable Functions
  5995. '
' The CERT_SYSTEM_STORE_LOCATION_MASK bits in the dwFlags parameter passed
' to CertOpenStore (for the System, SystemRegistry or Physical store
' Provider), CertRegisterSystemStore,
' CertUnregisterSystemStore, CertEnumSystemStore, CertRegisterPhysicalStore,
' CertUnregisterPhysicalStore and CertEnumPhysicalStore APIs is used as the
' constant pszOID value passed to the OID installable functions.
  6001. '
  6002. ' The EncodingType is 0.
  6003. '--------------------------------------------------------------------------
  6004. ' Installable System Store Provider OID pszFuncNames.
' Installable System Store Provider OID pszFuncNames. Each name selects the
' installable function that the corresponding Cert*SystemStore /
' Cert*PhysicalStore API dispatches to; the store-location bits of dwFlags
' act as the pszOID and the encoding type is 0 (see above).
' NOTE(review): these resolve, by name, to code registered for the OID
' function table, so whoever can register a function under one of these
' names runs inside every process that opens or enumerates system stores -
' the registration location should be write-protected; confirm against the
' OID function registry layout.
Public Const CRYPT_OID_OPEN_SYSTEM_STORE_PROV_FUNC As String = "CertDllOpenSystemStoreProv"
Public Const CRYPT_OID_REGISTER_SYSTEM_STORE_FUNC As String = "CertDllRegisterSystemStore"
Public Const CRYPT_OID_UNREGISTER_SYSTEM_STORE_FUNC As String = "CertDllUnregisterSystemStore"
Public Const CRYPT_OID_ENUM_SYSTEM_STORE_FUNC As String = "CertDllEnumSystemStore"
Public Const CRYPT_OID_REGISTER_PHYSICAL_STORE_FUNC As String = "CertDllRegisterPhysicalStore"
Public Const CRYPT_OID_UNREGISTER_PHYSICAL_STORE_FUNC As String = "CertDllUnregisterPhysicalStore"
Public Const CRYPT_OID_ENUM_PHYSICAL_STORE_FUNC As String = "CertDllEnumPhysicalStore"
  6012. ' CertDllOpenSystemStoreProv has the same function signature as the
  6013. ' installable "CertDllOpenStoreProv" function. See CertOpenStore for
  6014. ' more details.
  6015. ' CertDllRegisterSystemStore has the same function signature as
  6016. ' CertRegisterSystemStore.
  6017. '
  6018. ' The "SystemStoreLocation" REG_SZ value must also be set for registered
  6019. ' CertDllEnumSystemStore OID functions.
  6020. Public Const CRYPT_OID_SYSTEM_STORE_LOCATION_VALUE_NAME As String = "SystemStoreLocation"
  6021. ' The remaining Register, Enum and Unregister OID installable functions
  6022. ' have the same signature as their Cert Store API counterpart.
  6023. '+=========================================================================
  6024. ' Enhanced Key Usage Helper Functions
  6025. '==========================================================================
  6026. '+-------------------------------------------------------------------------
  6027. ' Get the enhanced key usage extension or property from the certificate
  6028. ' and decode.
  6029. '
  6030. ' If the CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, then, only get the
  6031. ' extension.
  6032. '
  6033. ' If the CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG is set, then, only get the
  6034. ' property.
  6035. '--------------------------------------------------------------------------
  6036. '+-------------------------------------------------------------------------
  6037. ' Set the enhanced key usage property for the certificate.
  6038. '--------------------------------------------------------------------------
  6039. '+-------------------------------------------------------------------------
  6040. ' Add the usage identifier to the certificate's enhanced key usage property.
  6041. '--------------------------------------------------------------------------
  6042. '+-------------------------------------------------------------------------
  6043. ' Remove the usage identifier from the certificate's enhanced key usage
  6044. ' property.
  6045. '--------------------------------------------------------------------------
  6046. '+---------------------------------------------------------------------------
  6047. '
  6048. '
  6049. ' Takes an array of certs and returns an array of usages
  6050. ' which consists of the intersection of the valid usages for each cert.
  6051. ' If each cert is good for all possible usages then the cNumOIDs is set to -1.
  6052. '
  6053. '----------------------------------------------------------------------------
  6054. '+=========================================================================
  6055. ' Cryptographic Message helper functions for verifying and signing a
  6056. ' CTL.
  6057. '==========================================================================
  6058. '+-------------------------------------------------------------------------
  6059. ' Get and verify the signer of a cryptographic message.
  6060. '
  6061. ' To verify a CTL, the hCryptMsg is obtained from the CTL_CONTEXT's
  6062. ' hCryptMsg field.
  6063. '
  6064. ' If CMSG_TRUSTED_SIGNER_FLAG is set, then, treat the Signer stores as being
  6065. ' trusted and only search them to find the certificate corresponding to the
  6066. ' signer's issuer and serial number. Otherwise, the SignerStores are
  6067. ' optionally provided to supplement the message's store of certificates.
  6068. ' If a signer certificate is found, its public key is used to verify
  6069. ' the message signature. The CMSG_SIGNER_ONLY_FLAG can be set to
  6070. ' return the signer without doing the signature verify.
  6071. '
  6072. ' If CMSG_USE_SIGNER_INDEX_FLAG is set, then, only get the signer specified
  6073. ' by *pdwSignerIndex. Otherwise, iterate through all the signers
  6074. ' until a signer verifies or no more signers.
  6075. '
  6076. ' For a verified signature, *ppSigner is updated with certificate context
  6077. ' of the signer and *pdwSignerIndex is updated with the index of the signer.
  6078. ' ppSigner and/or pdwSignerIndex can be NULL, indicating the caller isn't
  6079. ' interested in getting the CertContext and/or index of the signer.
  6080. '--------------------------------------------------------------------------
  6081. Public Const CMSG_TRUSTED_SIGNER_FLAG As Long = &H1
  6082. Public Const CMSG_SIGNER_ONLY_FLAG As Long = &H2
  6083. Public Const CMSG_USE_SIGNER_INDEX_FLAG As Long = &H4
  6084. '+-------------------------------------------------------------------------
  6085. ' Sign an encoded CTL.
  6086. '
' The pbCtlContent can be obtained via a CTL_CONTEXT's pbCtlContent field.
  6088. '
  6089. ' CMSG_CMS_ENCAPSULATED_CTL_FLAG can be set to encode a CMS compatible
  6090. ' V3 SignedData message.
  6091. '--------------------------------------------------------------------------
  6092. ' When set, CTL inner content is encapsulated within an OCTET STRING
  6093. Public Const CMSG_CMS_ENCAPSULATED_CTL_FLAG As Long = &H00008000
  6094. '+-------------------------------------------------------------------------
  6095. ' Encode the CTL and create a signed message containing the encoded CTL.
  6096. '
  6097. ' Set CMSG_ENCODE_SORTED_CTL_FLAG if the CTL entries are to be sorted
  6098. ' before encoding. This flag should be set, if the
  6099. ' CertFindSubjectInSortedCTL or CertEnumSubjectInSortedCTL APIs will
  6100. ' be called. If the identifier for the CTL entries is a hash, such as,
  6101. ' MD5 or SHA1, then, CMSG_ENCODE_HASHED_SUBJECT_IDENTIFIER_FLAG should
  6102. ' also be set.
  6103. '
  6104. ' CMSG_CMS_ENCAPSULATED_CTL_FLAG can be set to encode a CMS compatible
  6105. ' V3 SignedData message.
  6106. '--------------------------------------------------------------------------
  6107. ' The following flag is set if the CTL is to be encoded with sorted
  6108. ' trusted subjects and the szOID_SORTED_CTL extension is inserted containing
  6109. ' sorted offsets to the encoded subjects.
  6110. Public Const CMSG_ENCODE_SORTED_CTL_FLAG As Long = &H1
  6111. ' If the above sorted flag is set, then, the following flag should also
  6112. ' be set if the identifier for the TrustedSubjects is a hash,
  6113. ' such as, MD5 or SHA1.
  6114. Public Const CMSG_ENCODE_HASHED_SUBJECT_IDENTIFIER_FLAG As Long = &H2
  6115. '+-------------------------------------------------------------------------
  6116. ' Returns TRUE if the SubjectIdentifier exists in the CTL. Optionally
  6117. ' returns a pointer to and byte count of the Subject's encoded attributes.
  6118. '--------------------------------------------------------------------------
  6119. '+-------------------------------------------------------------------------
  6120. ' Enumerates through the sequence of TrustedSubjects in a CTL context
  6121. ' created with CERT_CREATE_CONTEXT_SORTED_FLAG set.
  6122. '
  6123. ' To start the enumeration, *ppvNextSubject must be NULL. Upon return,
  6124. ' *ppvNextSubject is updated to point to the next TrustedSubject in
  6125. ' the encoded sequence.
  6126. '
  6127. ' Returns FALSE for no more subjects or invalid arguments.
  6128. '
' Note, the returned DER_BLOBs point directly into the CTL context's encoded
' bytes (they are not copies), so they remain valid only as long as that
' context.
  6130. '--------------------------------------------------------------------------
  6131. '+=========================================================================
  6132. ' Certificate Verify CTL Usage Data Structures and APIs
  6133. '==========================================================================
  6134. Public Const CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG As Long = &H1
  6135. Public Const CERT_VERIFY_TRUSTED_SIGNERS_FLAG As Long = &H2
  6136. Public Const CERT_VERIFY_NO_TIME_CHECK_FLAG As Long = &H4
  6137. Public Const CERT_VERIFY_ALLOW_MORE_USAGE_FLAG As Long = &H8
  6138. Public Const CERT_VERIFY_UPDATED_CTL_FLAG As Long = &H1
  6139. '+-------------------------------------------------------------------------
  6140. ' Verify that a subject is trusted for the specified usage by finding a
' signed and time valid CTL with the usage identifiers and containing
' the subject. A subject can be identified by either its certificate context
  6143. ' or any identifier such as its SHA1 hash.
  6144. '
  6145. ' See CertFindSubjectInCTL for definition of dwSubjectType and pvSubject
  6146. ' parameters.
  6147. '
  6148. ' Via pVerifyUsagePara, the caller can specify the stores to be searched
  6149. ' to find the CTL. The caller can also specify the stores containing
  6150. ' acceptable CTL signers. By setting the ListIdentifier, the caller
  6151. ' can also restrict to a particular signer CTL list.
  6152. '
  6153. ' Via pVerifyUsageStatus, the CTL containing the subject, the subject's
  6154. ' index into the CTL's array of entries, and the signer of the CTL
  6155. ' are returned. If the caller is not interested, ppCtl and ppSigner can be set
  6156. ' to NULL. Returned contexts must be freed via the store's free context APIs.
  6157. '
  6158. ' If the CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG isn't set, then, a time
  6159. ' invalid CTL in one of the CtlStores may be replaced. When replaced, the
  6160. ' CERT_VERIFY_UPDATED_CTL_FLAG is set in pVerifyUsageStatus->dwFlags.
  6161. '
  6162. ' If the CERT_VERIFY_TRUSTED_SIGNERS_FLAG is set, then, only the
  6163. ' SignerStores specified in pVerifyUsageStatus are searched to find
  6164. ' the signer. Otherwise, the SignerStores provide additional sources
  6165. ' to find the signer's certificate.
  6166. '
  6167. ' If CERT_VERIFY_NO_TIME_CHECK_FLAG is set, then, the CTLs aren't checked
  6168. ' for time validity.
  6169. '
  6170. ' If CERT_VERIFY_ALLOW_MORE_USAGE_FLAG is set, then, the CTL may contain
  6171. ' additional usage identifiers than specified by pSubjectUsage. Otherwise,
' the found CTL will contain the same usage identifiers and no more.
  6173. '
  6174. ' CertVerifyCTLUsage will be implemented as a dispatcher to OID installable
  6175. ' functions. First, it will try to find an OID function matching the first
  6176. ' usage object identifier in the pUsage sequence. Next, it will dispatch
  6177. ' to the default CertDllVerifyCTLUsage functions.
  6178. '
  6179. ' If the subject is trusted for the specified usage, then, TRUE is
  6180. ' returned. Otherwise, FALSE is returned with dwError set to one of the
  6181. ' following:
  6182. ' CRYPT_E_NO_VERIFY_USAGE_DLL
  6183. ' CRYPT_E_NO_VERIFY_USAGE_CHECK
  6184. ' CRYPT_E_VERIFY_USAGE_OFFLINE
  6185. ' CRYPT_E_NOT_IN_CTL
  6186. ' CRYPT_E_NO_TRUSTED_SIGNER
  6187. '--------------------------------------------------------------------------
  6188. '+=========================================================================
  6189. ' Certificate Revocation Data Structures and APIs
  6190. '==========================================================================
  6191. '+-------------------------------------------------------------------------
  6192. ' The following data structure may be passed to CertVerifyRevocation to
  6193. ' assist in finding the issuer of the context to be verified.
  6194. '
  6195. ' When pIssuerCert is specified, pIssuerCert is the issuer of
  6196. ' rgpvContext[cContext - 1].
  6197. '
  6198. ' When cCertStore and rgCertStore are specified, these stores may contain
  6199. ' an issuer certificate.
  6200. '
  6201. ' When hCrlStore is specified then a handler which uses CRLs can search this
  6202. ' store for them
  6203. '
  6204. ' The revocation status is determined relative to the time given, if one is
  6205. ' specified; otherwise the answer may be independent of time or relative to the current time.
  6206. '--------------------------------------------------------------------------
  6207. '+-------------------------------------------------------------------------
  6208. ' The following data structure is returned by CertVerifyRevocation to
  6209. ' specify the status of the revoked or unchecked context. Review the
  6210. ' following CertVerifyRevocation comments for details.
  6211. '
  6212. ' Upon input to CertVerifyRevocation, cbSize must be set to a valid size;
  6213. ' otherwise, CertVerifyRevocation returns FALSE and sets LastError to E_INVALIDARG.
  6214. '
  6215. ' Upon input to the installed or registered CRYPT_OID_VERIFY_REVOCATION_FUNC
  6216. ' functions, the dwIndex, dwError and dwReason have been zero'ed.
  6217. '--------------------------------------------------------------------------
  6218. '+-------------------------------------------------------------------------
  6219. ' Verifies the array of contexts for revocation. The dwRevType parameter
  6220. ' indicates the type of the context data structure passed in rgpvContext.
  6221. ' Currently only the revocation of certificates is defined.
  6222. '
  6223. ' If the CERT_VERIFY_REV_CHAIN_FLAG flag is set, then, CertVerifyRevocation
  6224. ' is verifying a chain of certs where, rgpvContext[i + 1] is the issuer
  6225. ' of rgpvContext[i]. Otherwise, CertVerifyRevocation makes no assumptions
  6226. ' about the order of the contexts.
  6227. '
  6228. ' To assist in finding the issuer, the pRevPara may optionally be set. See
  6229. ' the CERT_REVOCATION_PARA data structure for details.
  6230. '
  6231. ' The contexts must contain enough information to allow the
  6232. ' installable or registered revocation DLLs to find the revocation server. For
  6233. ' certificates, this information would normally be conveyed in an
  6234. ' extension such as the IETF's AuthorityInfoAccess extension.
  6235. '
  6236. ' CertVerifyRevocation returns TRUE if all of the contexts were successfully
  6237. ' checked and none were revoked. Otherwise, returns FALSE and updates the
  6238. ' returned pRevStatus data structure as follows:
  6239. ' dwIndex
  6240. ' Index of the first context that was revoked or unable to
  6241. ' be checked for revocation
  6242. ' dwError
  6243. ' Error status. LastError is also set to this error status.
  6244. ' dwError can be set to one of the following error codes defined
  6245. ' in winerror.h:
  6246. ' ERROR_SUCCESS - good context
  6247. ' CRYPT_E_REVOKED - context was revoked. dwReason contains the
  6248. ' reason for revocation
  6249. ' CRYPT_E_REVOCATION_OFFLINE - unable to connect to the
  6250. ' revocation server
  6251. ' CRYPT_E_NOT_IN_REVOCATION_DATABASE - the context to be checked
  6252. ' was not found in the revocation server's database.
  6253. ' CRYPT_E_NO_REVOCATION_CHECK - the called revocation function
  6254. ' wasn't able to do a revocation check on the context
  6255. ' CRYPT_E_NO_REVOCATION_DLL - no installed or registered Dll was
  6256. ' found to verify revocation
  6257. ' dwReason
  6258. ' The dwReason is currently only set for CRYPT_E_REVOKED and contains
  6259. ' the reason why the context was revoked. May be one of the following
  6260. ' CRL_REASON_UNSPECIFIED 0
  6261. ' CRL_REASON_KEY_COMPROMISE 1
  6262. ' CRL_REASON_CA_COMPROMISE 2
  6263. ' CRL_REASON_AFFILIATION_CHANGED 3
  6264. ' CRL_REASON_SUPERSEDED 4
  6265. ' CRL_REASON_CESSATION_OF_OPERATION 5
  6266. ' CRL_REASON_CERTIFICATE_HOLD 6
  6267. '
  6268. ' For each entry in rgpvContext, CertVerifyRevocation iterates
  6269. ' through the CRYPT_OID_VERIFY_REVOCATION_FUNC
  6270. ' function set's list of installed DEFAULT functions.
  6271. ' CryptGetDefaultOIDFunctionAddress is called with pwszDll = NULL. If no
  6272. ' installed functions are found capable of doing the revocation verification,
  6273. ' CryptVerifyRevocation iterates through CRYPT_OID_VERIFY_REVOCATION_FUNC's
  6274. ' list of registered DEFAULT Dlls. CryptGetDefaultOIDDllList is called to
  6275. ' get the list. CryptGetDefaultOIDFunctionAddress is called to load the Dll.
  6276. '
  6277. ' The called functions have the same signature as CertVerifyRevocation. A
  6278. ' called function returns TRUE if it was able to successfully check all of
  6279. ' the contexts and none were revoked. Otherwise, the called function returns
  6280. ' FALSE and updates pRevStatus. dwIndex is set to the index of
  6281. ' the first context that was found to be revoked or unable to be checked.
  6282. ' dwError and LastError are updated. For CRYPT_E_REVOKED, dwReason
  6283. ' is updated. Upon input to the called function, dwIndex, dwError and
  6284. ' dwReason have been zero'ed. cbSize has already been checked to be at least the required size.
  6285. '
  6286. ' If the called function returns FALSE, and dwError isn't set to
  6287. ' CRYPT_E_REVOKED, then, CertVerifyRevocation either continues on to the
  6288. ' next DLL in the list for a returned dwIndex of 0 or for a returned
  6289. ' dwIndex > 0, restarts the process of finding a verify function by
  6290. ' advancing the start of the context array to the returned dwIndex and
  6291. ' decrementing the count of remaining contexts.
  6292. '--------------------------------------------------------------------------
  6293. '+-------------------------------------------------------------------------
  6294. ' Revocation types
  6295. '--------------------------------------------------------------------------
  ' dwRevType for CertVerifyRevocation: every rgpvContext[] entry points to a
  ' const CERT_CONTEXT. This is the only revocation type currently defined.
  Public Const CERT_CONTEXT_REVOCATION_TYPE As Long = &H1
  6297. '+-------------------------------------------------------------------------
  6298. ' When the following flag is set, rgpvContext[] consists of a chain
  6299. ' of certificates, where rgpvContext[i + 1] is the issuer of rgpvContext[i].
  6300. '--------------------------------------------------------------------------
  ' dwFlags bit for CertVerifyRevocation: rgpvContext[] is an issuer-ordered
  ' chain, rgpvContext[i + 1] being the issuer of rgpvContext[i]. Without it
  ' no ordering is assumed and the issuer must be found via pRevPara / stores.
  Public Const CERT_VERIFY_REV_CHAIN_FLAG As Long = &H1
  6302. '+-------------------------------------------------------------------------
  6303. ' CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION prevents the revocation handler from
  6304. ' accessing any network based resources for revocation checking
  6305. '--------------------------------------------------------------------------
  ' dwFlags bit for CertVerifyRevocation: the revocation handler may not touch
  ' any network-based resource, so only locally cached revocation data is
  ' consulted. A "not revoked" result obtained this way is only as fresh as
  ' that cache. When nothing usable is cached the call returns FALSE with a
  ' dwError other than CRYPT_E_REVOKED (e.g. CRYPT_E_REVOCATION_OFFLINE or
  ' CRYPT_E_NO_REVOCATION_CHECK); that means "could not check", not "revoked",
  ' so callers must inspect pRevStatus->dwError rather than the BOOL alone.
  Public Const CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION As Long = &H2
  6307. '+-------------------------------------------------------------------------
  6308. ' CERT_CONTEXT_REVOCATION_TYPE
  6309. '
  6310. ' pvContext points to a const CERT_CONTEXT.
  6311. '--------------------------------------------------------------------------
  6312. '+=========================================================================
  6313. ' Certificate Helper APIs
  6314. '==========================================================================
  6315. '+-------------------------------------------------------------------------
  6316. ' Compare two multiple byte integer blobs to see if they are identical.
  6317. '
  6318. ' Before doing the comparison, leading zero bytes are removed from a
  6319. ' positive number and leading 0xFF bytes are removed from a negative
  6320. ' number.
  6321. '
  6322. ' The multiple byte integers are treated as Little Endian. pbData[0] is the
  6323. ' least significant byte and pbData[cbData - 1] is the most significant
  6324. ' byte.
  6325. '
  6326. ' Returns TRUE if the integer blobs are identical after removing leading
  6327. ' 0 or 0xFF bytes.
  6328. '--------------------------------------------------------------------------
  6329. '+-------------------------------------------------------------------------
  6330. ' Compare two certificates to see if they are identical.
  6331. '
  6332. ' Since a certificate is uniquely identified by its Issuer and SerialNumber,
  6333. ' these are the only fields needing to be compared.
  6334. '
  6335. ' Returns TRUE if the certificates are identical.
  6336. '--------------------------------------------------------------------------
  6337. '+-------------------------------------------------------------------------
  6338. ' Compare two certificate names to see if they are identical.
  6339. '
  6340. ' Returns TRUE if the names are identical.
  6341. '--------------------------------------------------------------------------
  6342. '+-------------------------------------------------------------------------
  6343. ' Compare the attributes in the certificate name with the specified CERT_RDN attributes.
  6344. ' The comparison iterates through the CERT_RDN attributes and looks for an
  6345. ' attribute match in any of the certificate name's RDNs.
  6346. ' Returns TRUE if all the attributes are found and match.
  6347. '
  6348. ' The CERT_RDN_ATTR fields can have the following special values:
  6349. ' pszObjId == NULL - ignore the attribute object identifier
  6350. ' dwValueType == RDN_ANY_TYPE - ignore the value type
  6351. '
  6352. ' CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG should be set to do
  6353. ' a case insensitive match. Otherwise, defaults to an exact, case sensitive
  6354. ' match.
  6355. '
  6356. ' CERT_UNICODE_IS_RDN_ATTRS_FLAG should be set if the pRDN was initialized with Unicode strings.
  6357. '--------------------------------------------------------------------------
  ' dwFlags bits for the CERT_RDN attribute comparison against a certificate name.
  ' Without CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG the match is exact and
  ' case sensitive.
  Public Const CERT_UNICODE_IS_RDN_ATTRS_FLAG As Long = &H00000001           ' pRDN was initialized with Unicode strings
  Public Const CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG As Long = &H00000002  ' compare attribute values case-insensitively
  6360. '+-------------------------------------------------------------------------
  6361. ' Compare two public keys to see if they are identical.
  6362. '
  6363. ' Returns TRUE if the keys are identical.
  6364. '--------------------------------------------------------------------------
  6365. '+-------------------------------------------------------------------------
  6366. ' Get the public/private key's bit length.
  6367. '
  6368. ' Returns 0 if unable to determine the key's length.
  6369. '--------------------------------------------------------------------------
  6370. '+-------------------------------------------------------------------------
  6371. ' Verify the signature of a subject certificate or a CRL using the
  6372. ' public key info
  6373. '
  6374. ' Returns TRUE for a valid signature.
  6375. '
  6376. ' hCryptProv specifies the crypto provider to use to verify the signature.
  6377. ' It doesn't need to use a private key.
  6378. '--------------------------------------------------------------------------
  6379. '+-------------------------------------------------------------------------
  6380. ' Verify the signature of a subject certificate, CRL, certificate request
  6381. ' or keygen request using the issuer's public key.
  6382. '
  6383. ' Returns TRUE for a valid signature.
  6384. '
  6385. ' The subject can be an encoded blob or a context for a certificate or CRL.
  6386. ' For a subject certificate context, if the certificate is missing
  6387. ' inheritable PublicKey Algorithm Parameters, the context's
  6388. ' CERT_PUBKEY_ALG_PARA_PROP_ID is updated with the issuer's public key
  6389. ' algorithm parameters for a valid signature.
  6390. '
  6391. ' The issuer can be a pointer to a CERT_PUBLIC_KEY_INFO, certificate
  6392. ' context or a chain context.
  6393. '
  6394. ' hCryptProv specifies the crypto provider to use to verify the signature.
  6395. ' Its private key isn't used. If hCryptProv is NULL, a default
  6396. ' provider is picked according to the PublicKey Algorithm OID.
  6397. '--------------------------------------------------------------------------
  ' Subject types: what the subject argument of the signature verification
  ' points to (an encoded blob, or a certificate / CRL context).
  Public Const CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB As Long = &H1 ' encoded blob
  Public Const CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT As Long = &H2 ' certificate context
  Public Const CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL As Long = &H3  ' CRL context
  ' Issuer types: what the issuer argument points to. The issuer supplies the
  ' public key the signature is checked against; no private key is used.
  Public Const CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY As Long = &H1 ' CERT_PUBLIC_KEY_INFO
  Public Const CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT As Long = &H2   ' certificate context
  Public Const CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN As Long = &H3  ' chain context
  6406. '+-------------------------------------------------------------------------
  6407. ' Compute the hash of the "to be signed" information in the encoded signed content.
  6408. '
  6409. ' hCryptProv specifies the crypto provider to use to compute the hash.
  6410. ' It doesn't need to use a private key.
  6411. '--------------------------------------------------------------------------
  6412. '+-------------------------------------------------------------------------
  6413. ' Hash the encoded content.
  6414. '
  6415. ' hCryptProv specifies the crypto provider to use to compute the hash.
  6416. ' It doesn't need to use a private key.
  6417. '
  6418. ' Algid specifies the CAPI hash algorithm to use. If Algid is 0, then, a default hash algorithm is used.
  6419. '--------------------------------------------------------------------------
  6420. '+-------------------------------------------------------------------------
  6421. ' Sign the "to be signed" information in the encoded signed content.
  6422. '
  6423. ' hCryptProv specifies the crypto provider to use to do the signature.
  6424. ' It uses the specified private key.
  6425. '--------------------------------------------------------------------------
  6426. '+-------------------------------------------------------------------------
  6427. ' Encode the "to be signed" information. Sign the encoded "to be signed".
  6428. ' Encode the "to be signed" and the signature.
  6429. '
  6430. ' hCryptProv specifies the crypto provider to use to do the signature.
  6431. ' It uses the specified private key.
  6432. '--------------------------------------------------------------------------
  6433. '+-------------------------------------------------------------------------
  6434. ' Verify the time validity of a certificate.
  6435. '
  6436. ' Returns -1 if before NotBefore, +1 if after NotAfter and otherwise 0 for
  6437. ' a valid certificate
  6438. '
  6439. ' If pTimeToVerify is NULL, uses the current time.
  6440. '--------------------------------------------------------------------------
  6441. '+-------------------------------------------------------------------------
  6442. ' Verify the time validity of a CRL.
  6443. '
  6444. ' Returns -1 if before ThisUpdate, +1 if after NextUpdate and otherwise 0 for
  6445. ' a valid CRL
  6446. '
  6447. ' If pTimeToVerify is NULL, uses the current time.
  6448. '--------------------------------------------------------------------------
  6449. '+-------------------------------------------------------------------------
  6450. ' Verify that the subject's time validity nests within the issuer's time
  6451. ' validity.
  6452. '
  6453. ' Returns TRUE if it nests. Otherwise, returns FALSE.
  6454. '--------------------------------------------------------------------------
  6455. '+-------------------------------------------------------------------------
  6456. ' Verify that the subject certificate isn't on its issuer CRL.
  6457. '
  6458. ' Returns true if the certificate isn't on the CRL.
  6459. '--------------------------------------------------------------------------
  6460. '+-------------------------------------------------------------------------
  6461. ' Convert the CAPI AlgId to the ASN.1 Object Identifier string
  6462. '
  6463. ' Returns NULL if there isn't an ObjId corresponding to the AlgId.
  6464. '--------------------------------------------------------------------------
  6465. '+-------------------------------------------------------------------------
  6466. ' Convert the ASN.1 Object Identifier string to the CAPI AlgId.
  6467. '
  6468. ' Returns 0 if there isn't an AlgId corresponding to the ObjId.
  6469. '--------------------------------------------------------------------------
  6470. '+-------------------------------------------------------------------------
  6471. ' Find an extension identified by its Object Identifier.
  6472. '
  6473. ' If found, returns pointer to the extension. Otherwise, returns NULL.
  6474. '--------------------------------------------------------------------------
  6475. '+-------------------------------------------------------------------------
  6476. ' Find the first attribute identified by its Object Identifier.
  6477. '
  6478. ' If found, returns pointer to the attribute. Otherwise, returns NULL.
  6479. '--------------------------------------------------------------------------
  6480. '+-------------------------------------------------------------------------
  6481. ' Find the first CERT_RDN attribute identified by its Object Identifier in
  6482. ' the name's list of Relative Distinguished Names.
  6483. '
  6484. ' If found, returns pointer to the attribute. Otherwise, returns NULL.
  6485. '--------------------------------------------------------------------------
  6486. '+-------------------------------------------------------------------------
  6487. ' Get the intended key usage bytes from the certificate.
  6488. '
  6489. ' If the certificate doesn't have any intended key usage bytes, returns FALSE
  6490. ' and *pbKeyUsage is zeroed. Otherwise, returns TRUE and up through
  6491. ' cbKeyUsage bytes are copied into *pbKeyUsage. Any remaining uncopied
  6492. ' bytes are zeroed.
  6493. '--------------------------------------------------------------------------
  6494. '+-------------------------------------------------------------------------
  6495. ' Install a previously CryptAcquiredContext'ed HCRYPTPROV to be used as
  6496. ' a default context.
  6497. '
  6498. ' dwDefaultType and pvDefaultPara specify where the default context is used.
  6499. ' For example, install the HCRYPTPROV to be used to verify certificate's
  6500. ' having szOID_OIWSEC_md5RSA signatures.
  6501. '
  6502. ' By default, the installed HCRYPTPROV is only applicable to the current
  6503. ' thread. Set CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG to allow the HCRYPTPROV
  6504. ' to be used by all threads in the current process.
  6505. '
  6506. ' For a successful install, TRUE is returned and *phDefaultContext is
  6507. ' updated with the HANDLE to be passed to CryptUninstallDefaultContext.
  6508. '
  6509. ' (when more than one is installed, the last installed HCRYPTPROV is checked first). All thread installed HCRYPTPROVs are
  6510. ' checked before any process HCRYPTPROVs.
  6511. '
  6512. ' The installed HCRYPTPROV remains available for default usage until
  6513. ' CryptUninstallDefaultContext is called or the thread or process exits.
  6514. '
  6515. ' If CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG is set, then, the HCRYPTPROV
  6516. ' is CryptReleaseContext'ed at thread or process exit. However,
  6517. ' not CryptReleaseContext'ed if CryptUninstallDefaultContext is
  6518. ' called.
  6519. '--------------------------------------------------------------------------
  ' dwFlags bits for CryptInstallDefaultContext. A default HCRYPTPROV is what
  ' later verifies certificate signatures, so a process-wide install changes
  ' the verification path for every thread, not just the installing one.
  Public Const CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG As Long = &H1 ' CryptReleaseContext at thread/process exit (not on explicit uninstall)
  Public Const CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG As Long = &H2      ' usable by all threads in the process (default: current thread only)
  ' dwDefaultType values for CryptInstallDefaultContext (what pvDefaultPara means).
  Public Const CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID As Long = &H1       ' pvDefaultPara: one signature szOID; NULL = all, but not allowed with PROCESS_FLAG
  Public Const CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID As Long = &H2 ' pvDefaultPara: CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA (array of szOIDs)
  6526. '+-------------------------------------------------------------------------
  6527. ' CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID
  6528. '
  6529. ' Install a default HCRYPTPROV used to verify a certificate
  6530. ' signature. pvDefaultPara points to the szOID of the certificate
  6531. ' signature algorithm, for example, szOID_OIWSEC_md5RSA. If
  6532. ' pvDefaultPara is NULL, then, the HCRYPTPROV is used to verify all
  6533. ' certificate signatures. Note, pvDefaultPara can't be NULL when
  6534. ' CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG is set.
  6535. '--------------------------------------------------------------------------
  6536. '+-------------------------------------------------------------------------
  6537. ' CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID
  6538. '
  6539. ' Same as CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID. However, the default
  6540. ' HCRYPTPROV is to be used for multiple signature szOIDs. pvDefaultPara
  6541. ' points to a CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA structure containing
  6542. ' an array of szOID pointers.
  6543. '--------------------------------------------------------------------------
  6544. '+-------------------------------------------------------------------------
  6545. ' Uninstall a default context previously installed by
  6546. ' CryptInstallDefaultContext.
  6547. '
  6548. ' For a default context installed with CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG
  6549. ' set, if any other threads are currently using this context,
  6550. ' this function will block until they finish.
  6551. '--------------------------------------------------------------------------
  6552. '+-------------------------------------------------------------------------
  6553. ' Export the public key info associated with the provider's corresponding
  6554. ' private key.
  6555. '
  6556. ' Calls CryptExportPublicKeyInfo with pszPublicKeyObjId = szOID_RSA_RSA,
  6557. ' dwFlags = 0 and pvAuxInfo = NULL.
  6558. '--------------------------------------------------------------------------
  6559. '+-------------------------------------------------------------------------
  6560. ' Export the public key info associated with the provider's corresponding
  6561. ' private key.
  6562. '
  6563. ' Uses the dwCertEncodingType and pszPublicKeyObjId to call the
  6564. ' installable CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC. The called function
  6565. ' has the same signature as CryptExportPublicKeyInfoEx.
  6566. '
  6567. ' If unable to find an installable OID function for the pszPublicKeyObjId,
  6568. ' an export as an RSA public key (szOID_RSA_RSA) is attempted.
  6569. ' The dwFlags and pvAuxInfo aren't used for szOID_RSA_RSA.
  6570. '--------------------------------------------------------------------------
  ' Name of the installable OID function that CryptExportPublicKeyInfoEx
  ' dispatches to, selected by dwCertEncodingType and pszPublicKeyObjId.
  ' The installed function has the same signature as CryptExportPublicKeyInfoEx.
  Public Const CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC As String = "CryptDllExportPublicKeyInfoEx"
  6572. '+-------------------------------------------------------------------------
  6573. ' Convert and import the public key info into the provider and return a
  6574. ' handle to the public key.
  6575. '
  6576. ' Calls CryptImportPublicKeyInfoEx with aiKeyAlg = 0, dwFlags = 0 and
  6577. ' pvAuxInfo = NULL.
  6578. '--------------------------------------------------------------------------
  6579. '+-------------------------------------------------------------------------
  6580. ' Convert and import the public key info into the provider and return a
  6581. ' handle to the public key.
  6582. '
  6583. ' Uses the dwCertEncodingType and pInfo->Algorithm.pszObjId to call the
  6584. ' installable CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC. The called function
  6585. ' has the same signature as CryptImportPublicKeyInfoEx.
  6586. '
  6587. ' If unable to find an installable OID function for the pszObjId,
  6588. ' an import as an RSA public key (szOID_RSA_RSA) is attempted.
  6589. ' For szOID_RSA_RSA: aiKeyAlg may be set to CALG_RSA_SIGN or CALG_RSA_KEYX.
  6590. ' Defaults to CALG_RSA_KEYX. The dwFlags and pvAuxInfo aren't used.
  6591. '--------------------------------------------------------------------------
  ' Name of the installable OID function that CryptImportPublicKeyInfoEx
  ' dispatches to, selected by dwCertEncodingType and pInfo->Algorithm.pszObjId.
  ' The installed function has the same signature as CryptImportPublicKeyInfoEx.
  Public Const CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC As String = "CryptDllImportPublicKeyInfoEx"
  6593. '+-------------------------------------------------------------------------
  6594. ' Acquire a HCRYPTPROV handle and dwKeySpec for the specified certificate
  6595. ' context. Uses the certificate's CERT_KEY_PROV_INFO_PROP_ID property.
  6596. ' The returned HCRYPTPROV handle may optionally be cached using the
  6597. ' certificate's CERT_KEY_CONTEXT_PROP_ID property.
  6598. '
  6599. ' If CRYPT_ACQUIRE_CACHE_FLAG is set, then, if an already acquired and
  6600. ' cached HCRYPTPROV exists for the certificate, it's returned. Otherwise,
  6601. ' a HCRYPTPROV is acquired and then cached via the certificate's
  6602. ' CERT_KEY_CONTEXT_PROP_ID.
  6603. '
  6604. ' The CRYPT_ACQUIRE_USE_PROV_INFO_FLAG can be set to use the dwFlags field of
  6605. ' the certificate's CERT_KEY_PROV_INFO_PROP_ID property's CRYPT_KEY_PROV_INFO
  6606. ' data structure to determine if the returned HCRYPTPROV should be cached.
  6607. ' HCRYPTPROV caching is enabled if the CERT_SET_KEY_CONTEXT_PROP_ID flag was
  6608. ' set.
  6609. '
  6610. ' If CRYPT_ACQUIRE_COMPARE_KEY_FLAG is set, then,
  6611. ' the public key in the certificate is compared with the public
  6612. ' key returned by the cryptographic provider. If the keys don't match, the
  6613. ' acquire fails and LastError is set to NTE_BAD_PUBLIC_KEY. Note, if
  6614. ' a cached HCRYPTPROV is returned, the comparison isn't done. We assume the
  6615. ' comparison was done on the initial acquire.
  6616. '
  6617. ' *pfCallerFreeProv is returned set to FALSE for:
  6618. ' - Acquire or public key comparison fails.
  6619. ' - CRYPT_ACQUIRE_CACHE_FLAG is set.
  6620. ' - CRYPT_ACQUIRE_USE_PROV_INFO_FLAG is set AND
  6621. ' CERT_SET_KEY_CONTEXT_PROP_ID flag is set in the dwFlags field of the
  6622. ' certificate's CERT_KEY_PROV_INFO_PROP_ID property's
  6623. ' CRYPT_KEY_PROV_INFO data structure.
  6624. ' When *pfCallerFreeProv is FALSE, the caller must not release. The
  6625. ' returned HCRYPTPROV will be released on the last free of the certificate
  6626. ' context.
  6627. '
  6628. ' Otherwise, *pfCallerFreeProv is TRUE and the returned HCRYPTPROV must
  6629. ' be released by the caller by calling CryptReleaseContext.
  6630. '--------------------------------------------------------------------------
  ' dwFlags bits for acquiring the HCRYPTPROV / dwKeySpec of a certificate's
  ' private key (via its CERT_KEY_PROV_INFO_PROP_ID property).
  Public Const CRYPT_ACQUIRE_CACHE_FLAG As Long = &H00000001         ' return/cache the handle in CERT_KEY_CONTEXT_PROP_ID; *pfCallerFreeProv is FALSE, so do not release it
  Public Const CRYPT_ACQUIRE_USE_PROV_INFO_FLAG As Long = &H00000002 ' cache only if CERT_SET_KEY_CONTEXT_PROP_ID is set in the property's CRYPT_KEY_PROV_INFO.dwFlags
  ' Compare the certificate's public key with the CSP's; a mismatch fails with
  ' NTE_BAD_PUBLIC_KEY. The compare is NOT repeated when a cached HCRYPTPROV is
  ' returned, so it only protects the initial acquire.
  Public Const CRYPT_ACQUIRE_COMPARE_KEY_FLAG As Long = &H00000004
  6634. '+-------------------------------------------------------------------------
  6635. ' Enumerates the cryptographic providers and their containers to find the
  6636. ' private key corresponding to the certificate's public key. For a match,
  6637. ' the certificate's CERT_KEY_PROV_INFO_PROP_ID property is updated.
  6638. '
  6639. ' If the CERT_KEY_PROV_INFO_PROP_ID is already set, then, it's checked to
  6640. ' see if it matches the provider's public key. For a match, the above
  6641. ' enumeration is skipped.
  6642. '
  6643. ' By default both the user and machine key containers are searched.
  6644. ' The CRYPT_FIND_USER_KEYSET_FLAG or CRYPT_FIND_MACHINE_KEYSET_FLAG
  6645. ' can be set in dwFlags to restrict the search to either of the containers.
  6646. '
  6647. ' If a container isn't found, returns FALSE with LastError set to
  6648. ' NTE_NO_KEY.
  6649. '--------------------------------------------------------------------------
  ' dwFlags bits for the provider/container search that locates the private
  ' key matching a certificate's public key. By default both the user and the
  ' machine key containers are searched; either bit restricts the search to
  ' that container. No container found => FALSE with LastError NTE_NO_KEY.
  Public Const CRYPT_FIND_USER_KEYSET_FLAG As Long = &H00000001    ' user key containers only
  Public Const CRYPT_FIND_MACHINE_KEYSET_FLAG As Long = &H00000002 ' machine key containers only
  6652. '+-------------------------------------------------------------------------
  6653. ' This is the prototype for the installable function which is called to
  6654. ' actually import a key into a CSP. An installable function of this type is called
  6655. ' from CryptImportPKCS8. The algorithm OID of the private key is used
  6656. ' to look up the proper installable function to call.
  6657. '
  6658. ' hCryptProv - the provider to import the key to
  6659. ' pPrivateKeyInfo - describes the key to be imported
  6660. ' dwFlags - The available flags are:
  6661. ' CRYPT_EXPORTABLE
  6662. ' this flag is used when importing private keys, for a full
  6663. ' explanation please see the documentation for CryptImportKey.
  6664. ' pvAuxInfo - reserved for future, must be NULL
  6665. '--------------------------------------------------------------------------
  ' Name of the installable OID function CryptImportPKCS8 dispatches to; the
  ' private key's algorithm OID selects the implementation. The dwFlags passed
  ' through may include CRYPT_EXPORTABLE (see CryptImportKey), which makes the
  ' imported private key re-exportable - leave it clear unless export is required.
  Public Const CRYPT_OID_IMPORT_PRIVATE_KEY_INFO_FUNC As String = "CryptDllImportPrivateKeyInfoEx"
  6667. '+-------------------------------------------------------------------------
  6668. ' Import the private key into a provider and return a handle to the provider as well as the KeySpec used to import to.
  6669. '
  6670. ' This function will call the PRESOLVE_HCRYPTPROV_FUNC in the
  6671. ' privateKeyAndParams to obtain a handle of provider to import the key to.
  6672. ' If the PRESOLVE_HCRYPTPROV_FUNC is NULL then the default provider will be used.
  6673. '
  6674. ' privateKeyAndParams - private key blob and corresponding parameters
  6675. ' dwFlags - The available flags are:
  6676. ' CRYPT_EXPORTABLE
  6677. ' this flag is used when importing private keys, for a full
  6678. ' explanation please see the documentation for CryptImportKey.
  6679. ' phCryptProv - filled in with the handle of the provider the key was
  6680. ' imported to, the caller is responsible for freeing it
  6681. ' pvAuxInfo - This parameter is reserved for future use and should be set
  6682. ' to NULL in the interim.
  6683. '--------------------------------------------------------------------------
  6684. '+-------------------------------------------------------------------------
  6685. ' This is the prototype for installable functions for exporting the private key.
  6686. '--------------------------------------------------------------------------
  ' Name of the installable OID function the PKCS8 private key export
  ' dispatches to, selected by pszPrivateKeyObjId (signature: PFN_EXPORT_PRIV_KEY_FUNC).
  Public Const CRYPT_OID_EXPORT_PRIVATE_KEY_INFO_FUNC As String = "CryptDllExportPrivateKeyInfoEx"
  ' dwFlags bit on the private key export path. Its effect is not described
  ' here and CryptExportPKCS8Ex documents no supported flags; the name suggests
  ' the key container is deleted after export, which would be irreversible -
  ' NOTE(review): confirm against the CryptExportPKCS8 documentation before setting it.
  Public Const CRYPT_DELETE_KEYSET As Long = &H1
  6689. '+-------------------------------------------------------------------------
  6690. ' CryptExportPKCS8 -- superseded by CryptExportPKCS8Ex
  6691. '
  6692. ' Export the private key in PKCS8 format
  6693. '--------------------------------------------------------------------------
  6694. '+-------------------------------------------------------------------------
  6695. ' CryptExportPKCS8Ex
  6696. '
  6697. ' Export the private key in PKCS8 format
  6698. '
  6699. '
  6700. ' Uses the pszPrivateKeyObjId to call the
  6701. ' installable CRYPT_OID_EXPORT_PRIVATE_KEY_INFO_FUNC. The called function
  6702. ' has the signature defined by PFN_EXPORT_PRIV_KEY_FUNC.
  6703. '
  6704. ' If unable to find an installable OID function for the pszPrivateKeyObjId,
  6705. '
  6706. ' psExportParams - specifies information about the key to export
  6707. ' dwFlags - The flag values. None currently supported
  6708. ' pvAuxInfo - This parameter is reserved for future use and should be set to
  6709. ' NULL in the interim.
  6710. ' pbPrivateKeyBlob - A pointer to the private key blob. It will be encoded
  6711. ' as a PKCS8 PrivateKeyInfo.
  6712. ' pcbPrivateKeyBlob - A pointer to a DWORD that contains the size, in bytes,
  6713. ' of the private key blob being exported.
  6714. '--------------------------------------------------------------------------
  6715. '+-------------------------------------------------------------------------
  6716. ' Compute the hash of the encoded public key info.
  6717. '
  6718. ' The public key info is encoded and then hashed.
  6719. '--------------------------------------------------------------------------
  6720. '+-------------------------------------------------------------------------
  6721. ' Convert a Name Value to a null terminated char string
  6722. '
  6723. ' Returns the number of characters converted including the terminating null
  6724. ' character. If psz is NULL or csz is 0, returns the required size of the
  6725. ' destination buffer (including the terminating null character).
  6726. ' If psz != NULL && csz != 0, returned psz is always NULL terminated.
  6727. '
  6728. ' Note: csz includes the NULL char.
  6729. '--------------------------------------------------------------------------
  6730. '+-------------------------------------------------------------------------
  6731. ' Convert a Name Value to a null terminated char string
  6732. '
  6733. ' Returns the number of characters converted including the terminating null
  6734. ' character. If psz is NULL or csz is 0, returns the required size of the
  6735. '
  6736. ' If psz != NULL && csz != 0, returned psz is always NULL terminated.
  6737. '
  6738. ' Note: csz includes the NULL char.
  6739. '--------------------------------------------------------------------------
  6740. '+-------------------------------------------------------------------------
  6741. ' Convert the certificate name blob to a null terminated char string.
  6742. '
  6743. ' Follows the string representation of distinguished names specified in
  6744. ' empty strings and don't quote strings containing consecutive spaces).
  6745. ' RDN values of type CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING are
  6746. '
  6747. ' The name string is formatted according to the dwStrType:
  6748. ' CERT_SIMPLE_NAME_STR
  6749. ' The object identifiers are discarded. CERT_RDN entries are separated
  6750. ' by ", ". Multiple attributes per CERT_RDN are separated by " + ".
  6751. ' For example:
  6752. ' Microsoft, Joe Cool + Programmer
  6753. ' CERT_OID_NAME_STR
  6754. ' The object identifiers are included with a "=" separator from their
  6755. ' attribute value. CERT_RDN entries are separated by ", ".
  6756. ' Multiple attributes per CERT_RDN are separated by " + ". For example:
  6757. ' 2.5.4.11=Microsoft, 2.5.4.3=Joe Cool + 2.5.4.12=Programmer
  6758. ' CERT_X500_NAME_STR
  6759. ' The object identifiers are converted to their X500 key name. Otherwise,
  6760. ' same as CERT_OID_NAME_STR. If the object identifier doesn't have
  6761. ' a corresponding X500 key name, then, the object identifier is used with
  6762. ' a "OID." prefix. For example:
  6763. ' OU=Microsoft, CN=Joe Cool + T=Programmer, OID.1.2.3.4.5.6=Unknown
  6764. '
  6765. ' We quote the RDN value if it contains leading or trailing whitespace
  6766. ' or one of the following characters: ",", "+", "=", """, "\n", "<", ">",
' "#" or ";". The quoting character is ". If the RDN Value contains
  6768. ' OU=" Microsoft", CN="Joe ""Cool""" + T="Programmer, Manager"
  6769. '
  6770. ' CERT_NAME_STR_SEMICOLON_FLAG can be or'ed into dwStrType to replace
  6771. ' the ", " separator with a "; " separator.
  6772. '
  6773. ' CERT_NAME_STR_CRLF_FLAG can be or'ed into dwStrType to replace
  6774. ' the ", " separator with a "\r\n" separator.
  6775. '
  6776. ' CERT_NAME_STR_NO_PLUS_FLAG can be or'ed into dwStrType to replace the
  6777. ' " + " separator with a single space, " ".
  6778. '
  6779. ' CERT_NAME_STR_NO_QUOTING_FLAG can be or'ed into dwStrType to inhibit
  6780. ' the above quoting.
  6781. '
  6782. ' CERT_NAME_STR_REVERSE_FLAG can be or'ed into dwStrType to reverse the
  6783. ' order of the RDNs before converting to the string.
  6784. '
  6785. ' By default, CERT_RDN_T61_STRING encoded values are initially decoded
  6786. ' as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
  6787. ' CERT_NAME_STR_DISABLE_IE4_UTF8_FLAG can be or'ed into dwStrType to
  6788. ' skip the initial attempt to decode as UTF8.
  6789. '
  6790. ' Returns the number of characters converted including the terminating null
  6791. ' character. If psz is NULL or csz is 0, returns the required size of the
  6792. '
  6793. ' If psz != NULL && csz != 0, returned psz is always NULL terminated.
  6794. '
  6795. ' Note: csz includes the NULL char.
  6796. '--------------------------------------------------------------------------
  6797. '+-------------------------------------------------------------------------
  6798. '--------------------------------------------------------------------------
  6799. '+-------------------------------------------------------------------------
  6800. '--------------------------------------------------------------------------
  6801. '+-------------------------------------------------------------------------
  6802. ' Certificate name string types
  6803. '--------------------------------------------------------------------------
  6804. Public Const CERT_SIMPLE_NAME_STR As Long = 1
  6805. Public Const CERT_OID_NAME_STR As Long = 2
  6806. Public Const CERT_X500_NAME_STR As Long = 3
  6807. '+-------------------------------------------------------------------------
  6808. ' Certificate name string type flags OR'ed with the above types
  6809. '--------------------------------------------------------------------------
  6810. Public Const CERT_NAME_STR_SEMICOLON_FLAG As Long = &H40000000
  6811. Public Const CERT_NAME_STR_NO_PLUS_FLAG As Long = &H20000000
  6812. Public Const CERT_NAME_STR_NO_QUOTING_FLAG As Long = &H10000000
  6813. Public Const CERT_NAME_STR_CRLF_FLAG As Long = &H08000000
  6814. Public Const CERT_NAME_STR_COMMA_FLAG As Long = &H04000000
  6815. Public Const CERT_NAME_STR_REVERSE_FLAG As Long = &H02000000
  6816. Public Const CERT_NAME_STR_DISABLE_IE4_UTF8_FLAG As Long = &H00010000
  6817. Public Const CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG As Long = &H00020000
  6818. Public Const CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG As Long = &H00040000
  6819. '+-------------------------------------------------------------------------
  6820. ' Convert the null terminated X500 string to an encoded certificate name.
  6821. '
  6822. ' The input string is expected to be formatted the same as the output
  6823. ' from the above CertNameToStr API.
  6824. '
  6825. ' The CERT_SIMPLE_NAME_STR type isn't supported. Otherwise, when dwStrType
  6826. ' is set to 0, CERT_OID_NAME_STR or CERT_X500_NAME_STR, allow either a
  6827. '
  6828. ' If no flags are OR'ed into dwStrType, then, allow "," or ";" as RDN
  6829. ' separators and "+" as the multiple RDN value separator. Quoting is
  6830. ' supported. A quote may be included in a quoted value by double quoting,
  6831. ' as ascii hex and converted to a CERT_RDN_OCTET_STRING. Embedded whitespace
  6832. '
' Whitespace surrounding the keys, object identifiers and values is removed.
  6834. '
  6835. ' CERT_NAME_STR_COMMA_FLAG can be or'ed into dwStrType to only allow the
  6836. ' "," as the RDN separator.
  6837. '
  6838. ' CERT_NAME_STR_SEMICOLON_FLAG can be or'ed into dwStrType to only allow the
  6839. ' ";" as the RDN separator.
  6840. '
  6841. ' CERT_NAME_STR_CRLF_FLAG can be or'ed into dwStrType to only allow
  6842. ' "\r" or "\n" as the RDN separator.
  6843. '
  6844. ' CERT_NAME_STR_NO_PLUS_FLAG can be or'ed into dwStrType to ignore "+"
  6845. ' as a separator and not allow multiple values per RDN.
  6846. '
  6847. ' CERT_NAME_STR_NO_QUOTING_FLAG can be or'ed into dwStrType to inhibit
  6848. ' quoting.
  6849. '
  6850. ' CERT_NAME_STR_REVERSE_FLAG can be or'ed into dwStrType to reverse the
  6851. ' order of the RDNs after converting from the string and before encoding.
  6852. '
' CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG can be or'ed into dwStrType to
' select the CERT_RDN_T61_STRING encoded value type instead of
  6855. ' CERT_RDN_UNICODE_STRING if all the UNICODE characters are <= 0xFF.
  6856. '
' CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG can be or'ed into dwStrType to
' select the CERT_RDN_UTF8_STRING encoded value type instead of
  6859. ' CERT_RDN_UNICODE_STRING.
  6860. '
  6861. ' Support the following X500 Keys:
  6862. '
  6863. ' --- ----------------- -----------------
  6864. ' CN szOID_COMMON_NAME Printable, Unicode
  6865. ' L szOID_LOCALITY_NAME Printable, Unicode
  6866. ' O szOID_ORGANIZATION_NAME Printable, Unicode
  6867. ' OU szOID_ORGANIZATIONAL_UNIT_NAME Printable, Unicode
  6868. ' E szOID_RSA_emailAddr Only IA5
  6869. ' Email szOID_RSA_emailAddr Only IA5
  6870. ' C szOID_COUNTRY_NAME Only Printable
  6871. ' S szOID_STATE_OR_PROVINCE_NAME Printable, Unicode
  6872. ' ST szOID_STATE_OR_PROVINCE_NAME Printable, Unicode
  6873. ' STREET szOID_STREET_ADDRESS Printable, Unicode
  6874. ' T szOID_TITLE Printable, Unicode
  6875. ' Title szOID_TITLE Printable, Unicode
  6876. ' G szOID_GIVEN_NAME Printable, Unicode
  6877. ' GivenName szOID_GIVEN_NAME Printable, Unicode
  6878. ' I szOID_INITIALS Printable, Unicode
  6879. ' Initials szOID_INITIALS Printable, Unicode
  6880. ' SN szOID_SUR_NAME Printable, Unicode
  6881. ' DC szOID_DOMAIN_COMPONENT IA5, UTF8
  6882. '
  6883. ' Note, T61 is selected instead of Unicode if
  6884. ' CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG is set and all the unicode
  6885. ' characters are <= 0xFF.
  6886. '
  6887. ' Note, UTF8 is selected instead of Unicode if
  6888. ' CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG is set.
  6889. '
  6890. ' Returns TRUE if successfully parsed the input string and encoded
  6891. ' the name.
  6892. '
  6893. ' If the input string is detected to be invalid, *ppszError is updated
  6894. ' to point to the beginning of the invalid character sequence. Otherwise,
  6895. ' *ppszError is set to NULL. *ppszError is updated with a non-NULL pointer
  6896. ' for the following errors:
  6897. ' CRYPT_E_INVALID_X500_STRING
  6898. ' CRYPT_E_INVALID_NUMERIC_STRING
  6899. ' CRYPT_E_INVALID_PRINTABLE_STRING
  6900. ' CRYPT_E_INVALID_IA5_STRING
  6901. '
  6902. ' ppszError can be set to NULL if not interested in getting a pointer
  6903. ' to the invalid character sequence.
  6904. '--------------------------------------------------------------------------
  6905. '+-------------------------------------------------------------------------
  6906. '--------------------------------------------------------------------------
  6907. '+-------------------------------------------------------------------------
  6908. '--------------------------------------------------------------------------
  6909. '+-------------------------------------------------------------------------
  6910. ' Get the subject or issuer name from the certificate and
  6911. ' according to the specified format type, convert to a null terminated
  6912. ' character string.
  6913. '
  6914. ' CERT_NAME_ISSUER_FLAG can be set to get the issuer's name. Otherwise,
  6915. ' gets the subject's name.
  6916. '
  6917. ' By default, CERT_RDN_T61_STRING encoded values are initially decoded
  6918. ' as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
  6919. ' CERT_NAME_DISABLE_IE4_UTF8_FLAG can be set in dwFlags to
  6920. ' skip the initial attempt to decode as UTF8.
  6921. '
  6922. ' The name string is formatted according to the dwType:
  6923. ' CERT_NAME_EMAIL_TYPE
' issuer, Issuer Alternative Name), searches for the first rfc822Name choice.
  6925. ' If the rfc822Name choice isn't found in the extension, searches the
  6926. ' Subject Name field for the Email OID, "1.2.840.113549.1.9.1".
  6927. ' If the rfc822Name or Email OID is found, returns the string. Otherwise,
  6928. ' CERT_NAME_RDN_TYPE
  6929. ' Converts the Subject Name blob by calling CertNameToStr. pvTypePara
  6930. ' points to a DWORD containing the dwStrType passed to CertNameToStr.
  6931. ' If the Subject Name field is empty and the certificate has a
  6932. ' Subject Alternative Name extension, searches for and converts
  6933. ' the first directoryName choice.
  6934. ' CERT_NAME_ATTR_TYPE
  6935. ' pvTypePara points to the Object Identifier specifying the name attribute
  6936. ' to be returned. For example, to get the CN,
  6937. ' field for the attribute.
  6938. ' If the Subject Name field is empty and the certificate has a
  6939. ' Subject Alternative Name extension, checks for
  6940. ' the first directoryName choice and searches it.
  6941. '
  6942. ' Note, searches the RDNs in reverse order.
  6943. '
  6944. ' CERT_NAME_SIMPLE_DISPLAY_TYPE
  6945. ' Iterates through the following list of name attributes and searches
  6946. ' the Subject Name and then the Subject Alternative Name extension
  6947. ' for the first occurrence of:
  6948. '
  6949. ' If none of the above attributes is found, then, searches the
  6950. ' Subject Alternative Name extension for a rfc822Name choice.
  6951. '
  6952. ' If still no match, then, returns the first attribute.
  6953. '
  6954. ' Note, like CERT_NAME_ATTR_TYPE, searches the RDNs in reverse order.
  6955. '
  6956. ' CERT_NAME_FRIENDLY_DISPLAY_TYPE
  6957. ' First checks if the certificate has a CERT_FRIENDLY_NAME_PROP_ID
  6958. ' property. If it does, then, this property is returned. Otherwise,
  6959. ' returns the above CERT_NAME_SIMPLE_DISPLAY_TYPE.
  6960. '
  6961. ' Returns the number of characters converted including the terminating null
  6962. ' character. If pwszNameString is NULL or cchNameString is 0, returns the
' char). If the specified name type isn't found, returns an empty string
  6964. ' with a returned character count of 1.
  6965. '
  6966. ' If pwszNameString != NULL && cwszNameString != 0, returned pwszNameString
  6967. ' is always NULL terminated.
  6968. '
  6969. ' Note: cchNameString includes the NULL char.
  6970. '--------------------------------------------------------------------------
  6971. '+-------------------------------------------------------------------------
  6972. '--------------------------------------------------------------------------
  6973. '+-------------------------------------------------------------------------
  6974. '--------------------------------------------------------------------------
  6975. '+-------------------------------------------------------------------------
  6976. ' Certificate name types
  6977. '--------------------------------------------------------------------------
  6978. Public Const CERT_NAME_EMAIL_TYPE As Long = 1
  6979. Public Const CERT_NAME_RDN_TYPE As Long = 2
  6980. Public Const CERT_NAME_ATTR_TYPE As Long = 3
  6981. Public Const CERT_NAME_SIMPLE_DISPLAY_TYPE As Long = 4
  6982. Public Const CERT_NAME_FRIENDLY_DISPLAY_TYPE As Long = 5
  6983. '+-------------------------------------------------------------------------
  6984. ' Certificate name flags
  6985. '--------------------------------------------------------------------------
  6986. Public Const CERT_NAME_ISSUER_FLAG As Long = &H1
  6987. Public Const CERT_NAME_DISABLE_IE4_UTF8_FLAG As Long = &H00010000
  6988. '+=========================================================================
  6989. ' Simplified Cryptographic Message Data Structures and APIs
  6990. '==========================================================================
  6991. '+-------------------------------------------------------------------------
  6992. ' Conventions for the *pb and *pcb output parameters:
  6993. '
  6994. ' Upon entry to the function:
  6995. ' if pcb is OPTIONAL && pcb == NULL, then,
  6996. ' No output is returned
  6997. ' else if pb == NULL && pcb != NULL, then,
  6998. ' Length only determination. No length error is
  6999. ' returned.
  7000. ' Output is returned. If *pcb isn't big enough a
  7001. ' length error is returned. In all cases *pcb is updated
  7002. ' with the actual length needed/returned.
  7003. '--------------------------------------------------------------------------
  7004. '+-------------------------------------------------------------------------
  7005. ' Type definitions of the parameters used for doing the cryptographic
  7006. ' operations.
  7007. '--------------------------------------------------------------------------
  7008. '+-------------------------------------------------------------------------
  7009. ' Callback to get and verify the signer's certificate.
  7010. '
  7011. ' handle to its cryptographic signed message's cert store.
  7012. '
  7013. ' For CRYPT_E_NO_SIGNER, called with pSignerId == NULL.
  7014. '
  7015. ' For a valid signer certificate, returns a pointer to a read only
  7016. ' CERT_CONTEXT. The returned CERT_CONTEXT is either obtained from a
  7017. ' cert store or was created via CertCreateCertificateContext. For either case,
' it's freed via CertFreeCertificateContext.
  7019. '
  7020. ' If a valid certificate isn't found, this callback returns NULL with
  7021. '
  7022. ' The NULL implementation tries to get the Signer certificate from the
  7023. ' message cert store. It doesn't verify the certificate.
  7024. '
  7025. ' Note, if the KEYID choice was selected for a CMS SignerId, then, the
  7026. ' SerialNumber is 0 and the Issuer is encoded containing a single RDN with a
  7027. ' single Attribute whose OID is szOID_KEYID_RDN, value type is
  7028. ' CERT_RDN_OCTET_STRING and value is the KEYID. When the
  7029. ' CertGetSubjectCertificateFromStore and
  7030. ' special KEYID Issuer and SerialNumber, they do a KEYID match.
  7031. '--------------------------------------------------------------------------
  7032. '+-------------------------------------------------------------------------
  7033. ' The CRYPT_SIGN_MESSAGE_PARA are used for signing messages using the
  7034. ' specified signing certificate context.
  7035. '
  7036. ' Either the CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID must
  7037. ' be set for each rgpSigningCert[]. Either one specifies the private
  7038. ' signature key to use.
  7039. '
  7040. ' If any certificates and/or CRLs are to be included in the signed message,
  7041. ' then, the MsgCert and MsgCrl parameters need to be updated. If the
  7042. ' rgpSigningCerts are to be included, then, they must also be in the
  7043. ' rgpMsgCert array.
  7044. '
  7045. ' LastError will be updated with E_INVALIDARG.
  7046. '
  7047. ' pvHashAuxInfo currently isn't used and must be set to NULL.
  7048. '
  7049. ' dwFlags normally is set to 0. However, if the encoded output
  7050. ' is to be a CMSG_SIGNED inner content of an outer cryptographic message,
  7051. ' such as a CMSG_ENVELOPED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
  7052. ' should be set. If not set, then it would be encoded as an inner content
  7053. ' type of CMSG_DATA.
  7054. '
  7055. ' dwInnerContentType is normally set to 0. It needs to be set if the
  7056. ' ToBeSigned input is the encoded output of another cryptographic
  7057. ' message, such as, an CMSG_ENVELOPED. When set, it's one of the cryptographic
  7058. ' message types, for example, CMSG_ENVELOPED.
  7059. '
  7060. ' the default), then, neither dwFlags or dwInnerContentType need to be set.
  7061. '
  7062. ' For CMS messages, CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG may be
  7063. ' set to encapsulate nonData inner content within an OCTET STRING.
  7064. '
  7065. ' For CMS messages, CRYPT_MESSAGE_KEYID_SIGNER_FLAG may be set to identify
  7066. ' signers by their Key Identifier and not their Issuer and Serial Number.
  7067. '
' If HashEncryptionAlgorithm is present and not NULL it's used instead of
  7069. ' the SigningCert's PublicKeyInfo.Algorithm.
  7070. '
  7071. ' Note, for RSA, the hash encryption algorithm is normally the same as
  7072. ' the public key algorithm. For DSA, the hash encryption algorithm is
  7073. ' normally a DSS signature algorithm.
  7074. '
  7075. ' pvHashEncryptionAuxInfo currently isn't used and must be set to NULL if
  7076. ' present in the data structure.
  7077. '--------------------------------------------------------------------------
' dwFlags values for CRYPT_SIGN_MESSAGE_PARA (see the comment above) and, for
' the first two, CRYPT_ENCRYPT_MESSAGE_PARA (see the comment below).
'
' When set, the encoded output is a bare inner content (CMSG_SIGNED or
' CMSG_ENVELOPED) to be wrapped by an outer cryptographic message. When not
' set, the output is encoded as an inner content type of CMSG_DATA.
Public Const CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG As Long = &H1
' When set, nonData type inner content is encapsulated within an
' OCTET STRING (CMS messages only).
Public Const CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG As Long = &H2
' When set, signers are identified by their Key Identifier and not
' their Issuer and Serial Number (CMS messages only). The KEYID SignerId
' is encoded as described in the pfnGetSignerCertificate comment above
' (SerialNumber 0, Issuer holding a single szOID_KEYID_RDN attribute), so
' a signer-certificate callback must handle that form when this is set.
' Same numeric value as CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG below, which
' applies to CRYPT_ENCRYPT_MESSAGE_PARA instead.
Public Const CRYPT_MESSAGE_KEYID_SIGNER_FLAG As Long = &H4
  7085. '+-------------------------------------------------------------------------
  7086. ' The CRYPT_VERIFY_MESSAGE_PARA are used to verify signed messages.
  7087. '
  7088. ' hCryptProv is used to do hashing and signature verification.
  7089. '
  7090. ' The dwCertEncodingType specifies the encoding type of the certificates
  7091. ' and/or CRLs in the message.
  7092. '
  7093. ' pfnGetSignerCertificate is called to get and verify the message signer's
  7094. ' certificate.
  7095. '
  7096. ' LastError will be updated with E_INVALIDARG.
  7097. '--------------------------------------------------------------------------
  7098. '+-------------------------------------------------------------------------
  7099. ' The CRYPT_ENCRYPT_MESSAGE_PARA are used for encrypting messages.
  7100. '
  7101. ' hCryptProv is used to do content encryption, recipient key
  7102. ' encryption, and recipient key export. Its private key
  7103. ' isn't used.
  7104. '
  7105. ' Currently, pvEncryptionAuxInfo is only defined for RC2 or RC4 encryption
' algorithms. Otherwise, it's not used and must be set to NULL.
  7107. ' See CMSG_RC2_AUX_INFO for the RC2 encryption algorithms.
  7108. ' See CMSG_RC4_AUX_INFO for the RC4 encryption algorithms.
  7109. '
  7110. ' To enable SP3 compatible encryption, pvEncryptionAuxInfo should point to
  7111. ' a CMSG_SP3_COMPATIBLE_AUX_INFO data structure.
  7112. '
  7113. ' LastError will be updated with E_INVALIDARG.
  7114. '
  7115. ' dwFlags normally is set to 0. However, if the encoded output
  7116. ' is to be a CMSG_ENVELOPED inner content of an outer cryptographic message,
  7117. ' such as a CMSG_SIGNED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
  7118. ' should be set. If not set, then it would be encoded as an inner content
  7119. ' type of CMSG_DATA.
  7120. '
  7121. ' dwInnerContentType is normally set to 0. It needs to be set if the
  7122. ' ToBeEncrypted input is the encoded output of another cryptographic
  7123. ' message, such as, an CMSG_SIGNED. When set, it's one of the cryptographic
  7124. ' message types, for example, CMSG_SIGNED.
  7125. '
  7126. ' the default), then, neither dwFlags or dwInnerContentType need to be set.
  7127. '
  7128. ' For CMS messages, CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG may be
  7129. ' set to encapsulate nonData inner content within an OCTET STRING before
  7130. ' encrypting.
  7131. '
  7132. ' For CMS messages, CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG may be set to identify
  7133. ' recipients by their Key Identifier and not their Issuer and Serial Number.
  7134. '--------------------------------------------------------------------------
' dwFlags value for CRYPT_ENCRYPT_MESSAGE_PARA (see the comment above).
' When set, recipients are identified by their Key Identifier and not
' their Issuer and Serial Number (CMS messages only).
' Same numeric value as CRYPT_MESSAGE_KEYID_SIGNER_FLAG above; that flag
' belongs to CRYPT_SIGN_MESSAGE_PARA, so the two must not be mixed up even
' though they compare equal.
Public Const CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG As Long = &H4
  7138. '+-------------------------------------------------------------------------
  7139. ' The CRYPT_DECRYPT_MESSAGE_PARA are used for decrypting messages.
  7140. '
  7141. ' The CertContext to use for decrypting a message is obtained from one
  7142. ' of the specified cert stores. An encrypted message can have one or
  7143. ' and SerialNumber). The cert stores are searched to find the CertContext
  7144. ' corresponding to the CertId.
  7145. '
  7146. ' For CMS, the recipients may also be identified by their KeyId.
  7147. '
  7148. ' Only CertContexts in the store with either
  7149. ' the CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID set
  7150. ' can be used. Either property specifies the private exchange key to use.
  7151. '
  7152. ' LastError will be updated with E_INVALIDARG.
  7153. '--------------------------------------------------------------------------
  7154. '+-------------------------------------------------------------------------
  7155. ' The CRYPT_HASH_MESSAGE_PARA are used for hashing or unhashing
  7156. ' messages.
  7157. '
  7158. ' hCryptProv is used to compute the hash.
  7159. '
  7160. ' pvHashAuxInfo currently isn't used and must be set to NULL.
  7161. '
  7162. ' LastError will be updated with E_INVALIDARG.
  7163. '--------------------------------------------------------------------------
  7164. '+-------------------------------------------------------------------------
  7165. ' The CRYPT_KEY_SIGN_MESSAGE_PARA are used for signing messages until a
  7166. ' certificate has been created for the signature key.
  7167. '
  7168. ' pvHashAuxInfo currently isn't used and must be set to NULL.
  7169. '
  7170. ' If PubKeyAlgorithm isn't set, defaults to szOID_RSA_RSA.
  7171. '
  7172. ' LastError will be updated with E_INVALIDARG.
  7173. '--------------------------------------------------------------------------
  7174. '+-------------------------------------------------------------------------
  7175. ' The CRYPT_KEY_VERIFY_MESSAGE_PARA are used to verify signed messages without
  7176. ' a certificate for the signer.
  7177. '
  7178. ' Normally used until a certificate has been created for the key.
  7179. '
  7180. ' hCryptProv is used to do hashing and signature verification.
  7181. '
  7182. ' LastError will be updated with E_INVALIDARG.
  7183. '--------------------------------------------------------------------------
  7184. '+-------------------------------------------------------------------------
  7185. ' Sign the message.
  7186. '
  7187. ' If fDetachedSignature is TRUE, the "to be signed" content isn't included
  7188. ' in the encoded signed blob.
  7189. '--------------------------------------------------------------------------
  7190. '+-------------------------------------------------------------------------
  7191. ' Verify a signed message.
  7192. '
  7193. ' If pbDecoded == NULL, then, *pcbDecoded is implicitly set to 0 on input.
  7194. ' For *pcbDecoded == 0 && ppSignerCert == NULL on input, the signer isn't
  7195. ' verified.
  7196. '
  7197. ' A message might have more than one signer. Set dwSignerIndex to iterate
  7198. ' through all the signers. dwSignerIndex == 0 selects the first signer.
  7199. '
  7200. ' pVerifyPara's pfnGetSignerCertificate is called to get the signer's
  7201. ' certificate.
  7202. '
  7203. ' For a verified signer and message, *ppSignerCert is updated
  7204. ' with the CertContext of the signer. It must be freed by calling
  7205. ' CertFreeCertificateContext. Otherwise, *ppSignerCert is set to NULL.
  7206. '
  7207. ' ppSignerCert can be NULL, indicating the caller isn't interested
  7208. ' in getting the CertContext of the signer.
  7209. '
  7210. ' pcbDecoded can be NULL, indicating the caller isn't interested in getting
  7211. ' the decoded content. Furthermore, if the message doesn't contain any
  7212. ' content or signers, then, pcbDecoded must be set to NULL, to allow the
  7213. ' pVerifyPara->pfnGetCertificate to be called. Normally, this would be
' the case when the signed message contains only certificates and CRLs.
  7215. ' If pcbDecoded is NULL and the message doesn't have the indicated signer,
  7216. ' pfnGetCertificate is called with pSignerId set to NULL.
  7217. '
  7218. ' If the message doesn't contain any signers || dwSignerIndex > message's
  7219. ' SignerCount, then, an error is returned with LastError set to
  7220. ' CRYPT_E_NO_SIGNER. Also, for CRYPT_E_NO_SIGNER, pfnGetSignerCertificate
  7221. ' is still called with pSignerId set to NULL.
  7222. '
  7223. ' Note, an alternative way to get the certificates and CRLs from a
  7224. ' signed message is to call CryptGetMessageCertificates.
  7225. '--------------------------------------------------------------------------
  7226. '+-------------------------------------------------------------------------
  7227. ' Returns the count of signers in the signed message. For no signers, returns
  7228. ' 0. For an error returns -1 with LastError updated accordingly.
  7229. '--------------------------------------------------------------------------
  7230. '+-------------------------------------------------------------------------
  7231. ' Returns the cert store containing the message's certs and CRLs.
  7232. ' For an error, returns NULL with LastError updated.
  7233. '--------------------------------------------------------------------------
  7234. '+-------------------------------------------------------------------------
  7235. ' The "to be signed" content is passed in separately. No
  7236. ' decoded output. Otherwise, identical to CryptVerifyMessageSignature.
  7237. '--------------------------------------------------------------------------
  7238. '+-------------------------------------------------------------------------
  7239. '--------------------------------------------------------------------------
  7240. '+-------------------------------------------------------------------------
  7241. ' Decrypts the message.
  7242. '
  7243. ' If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
  7244. ' For *pcbDecrypted == 0 && ppXchgCert == NULL on input, the message isn't
  7245. ' decrypted.
  7246. '
  7247. ' For a successfully decrypted message, *ppXchgCert is updated
  7248. ' with the CertContext used to decrypt. It must be freed by calling
  7249. ' CertStoreFreeCert. Otherwise, *ppXchgCert is set to NULL.
  7250. '
  7251. ' ppXchgCert can be NULL, indicating the caller isn't interested
  7252. ' in getting the CertContext used to decrypt.
  7253. '--------------------------------------------------------------------------
  7254. '+-------------------------------------------------------------------------
  7255. ' followed with a CryptEncryptMessage.
  7256. '
' Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. It's a CMSG_SIGNED
  7258. ' inside of an CMSG_ENVELOPED.
  7259. '--------------------------------------------------------------------------
  7260. '+-------------------------------------------------------------------------
  7261. ' Decrypts the message and verifies the signer. Does a CryptDecryptMessage
  7262. ' followed with a CryptVerifyMessageSignature.
  7263. '
  7264. ' If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
  7265. ' For *pcbDecrypted == 0 && ppSignerCert == NULL on input, the signer isn't
  7266. ' verified.
  7267. '
  7268. ' A message might have more than one signer. Set dwSignerIndex to iterate
  7269. ' through all the signers. dwSignerIndex == 0 selects the first signer.
  7270. '
  7271. ' The pVerifyPara's VerifySignerPolicy is called to verify the signer's
  7272. ' certificate.
  7273. '
  7274. ' For a successfully decrypted and verified message, *ppXchgCert and
  7275. ' *ppSignerCert are updated. They must be freed by calling
  7276. ' CertStoreFreeCert. Otherwise, they are set to NULL.
  7277. '
  7278. ' ppXchgCert and/or ppSignerCert can be NULL, indicating the
  7279. ' caller isn't interested in getting the CertContext.
  7280. '
' Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. It's a CMSG_SIGNED
  7282. ' inside of an CMSG_ENVELOPED.
  7283. '
  7284. ' The message always needs to be decrypted to allow access to the
' signed message. Therefore, if ppXchgCert != NULL, it's always updated.
  7286. '--------------------------------------------------------------------------
  7287. '+-------------------------------------------------------------------------
  7288. ' Decodes a cryptographic message which may be one of the following types:
  7289. ' CMSG_DATA
  7290. ' CMSG_SIGNED
  7291. ' CMSG_ENVELOPED
  7292. ' CMSG_SIGNED_AND_ENVELOPED
  7293. ' CMSG_HASHED
  7294. '
  7295. ' dwMsgTypeFlags specifies the set of allowable messages. For example, to
  7296. ' decode either SIGNED or ENVELOPED messages, set dwMsgTypeFlags to:
  7297. ' CMSG_SIGNED_FLAG | CMSG_ENVELOPED_FLAG.
  7298. '
  7299. ' dwProvInnerContentType is only applicable when processing nested
' cryptographic messages. When processing an outer cryptographic message
  7301. ' it must be set to 0. When decoding a nested cryptographic message
  7302. ' its the dwInnerContentType returned by a previous CryptDecodeMessage
  7303. ' of the outer message. The InnerContentType can be any of the CMSG types,
  7304. ' for example, CMSG_DATA, CMSG_SIGNED, ...
  7305. '
  7306. ' The optional *pdwMsgType is updated with the type of message.
  7307. '
  7308. ' The optional *pdwInnerContentType is updated with the type of the inner
  7309. ' message. Unless there is cryptographic message nesting, CMSG_DATA
  7310. ' is returned.
  7311. '
  7312. ' For CMSG_DATA: returns decoded content.
  7313. ' For CMSG_SIGNED: same as CryptVerifyMessageSignature.
  7314. ' For CMSG_ENVELOPED: same as CryptDecryptMessage.
  7315. ' For CMSG_SIGNED_AND_ENVELOPED: same as CryptDecryptMessage plus
  7316. ' CryptVerifyMessageSignature.
  7317. ' For CMSG_HASHED: verifies the hash and returns decoded content.
  7318. '--------------------------------------------------------------------------
  7319. '+-------------------------------------------------------------------------
  7320. ' Hash the message.
  7321. '
  7322. ' If fDetachedHash is TRUE, only the ComputedHash is encoded in the
  7323. ' pbHashedBlob. Otherwise, both the ToBeHashed and ComputedHash
  7324. ' are encoded.
  7325. '
  7326. ' pcbHashedBlob or pcbComputedHash can be NULL, indicating the caller
  7327. ' isn't interested in getting the output.
  7328. '--------------------------------------------------------------------------
  7329. '+-------------------------------------------------------------------------
  7330. ' Verify a hashed message.
  7331. '
  7332. ' pcbToBeHashed or pcbComputedHash can be NULL,
  7333. ' indicating the caller isn't interested in getting the output.
  7334. '--------------------------------------------------------------------------
  7335. '+-------------------------------------------------------------------------
  7336. ' Verify a hashed message containing a detached hash.
  7337. ' The "to be hashed" content is passed in separately. No
  7338. ' decoded output. Otherwise, identical to CryptVerifyMessageHash.
  7339. '
  7340. ' pcbComputedHash can be NULL, indicating the caller isn't interested
  7341. ' in getting the output.
  7342. '--------------------------------------------------------------------------
  7343. '+-------------------------------------------------------------------------
  7344. ' Sign the message using the provider's private key specified in the
  7345. ' parameters. A dummy SignerId is created and stored in the message.
  7346. '
  7347. ' Normally used until a certificate has been created for the key.
  7348. '--------------------------------------------------------------------------
  7349. '+-------------------------------------------------------------------------
  7350. ' Verify a signed message using the specified public key info.
  7351. '
  7352. ' Normally called by a CA until it has created a certificate for the
  7353. ' key.
  7354. '
' pPublicKeyInfo contains the public key to use to verify the signed
' message (the content may itself carry a PublicKeyInfo, but the key used
' for verification is the one passed here).
  7357. '
  7358. ' pcbDecoded can be NULL, indicating the caller isn't interested
  7359. ' in getting the decoded content.
  7360. '--------------------------------------------------------------------------
  7361. '+=========================================================================
  7362. ' System Certificate Store Data Structures and APIs
  7363. '==========================================================================
  7364. '+-------------------------------------------------------------------------
  7365. ' Get a system certificate store based on a subsystem protocol.
  7366. '
  7367. ' Current examples of subsystems protocols are:
  7368. ' "MY" Cert Store hold certs with associated Private Keys
  7369. ' "CA" Certifying Authority certs
  7370. ' "ROOT" Root Certs
  7371. ' "SPC" Software publisher certs
  7372. '
  7373. '
' If hProv is NULL the default provider "1" is opened for you and is
' released when the store is closed. Otherwise, if hProv is not NULL,
' no provider is created or released.
  7377. '
  7378. ' The returned Cert Store can be searched for an appropriate Cert
  7379. '
  7380. ' When done, the cert store should be closed using CertStoreClose
  7381. '--------------------------------------------------------------------------
  7382. '+-------------------------------------------------------------------------
  7383. ' Find all certificate chains tying the given issuer name to any certificate
  7384. ' that the current user has a private key for.
  7385. '
  7386. ' If no certificate chain is found, FALSE is returned with LastError set
  7387. ' to CRYPT_E_NOT_FOUND and the counts zeroed.
  7388. '
  7389. ' IE 3.0 ASSUMPTION:
' The client certificates are in the "My" system store. The issuer
' certificates may be in the "Root", "CA" or "My" system stores.
  7392. '--------------------------------------------------------------------------
  7393. ' WINCRYPT32API This is not exported by crypt32, it is exported by softpub
  7394. '-------------------------------------------------------------------------
  7395. '
  7396. ' CryptQueryObject takes a CERT_BLOB or a file name and returns the
  7397. ' information about the content in the blob or in the file.
  7398. '
  7399. ' Parameters:
  7400. ' INPUT dwObjectType:
  7401. ' Indicate the type of the object. Should be one of the
  7402. ' following:
  7403. ' CERT_QUERY_OBJECT_FILE
  7404. ' CERT_QUERY_OBJECT_BLOB
  7405. '
  7406. ' INPUT pvObject:
  7407. ' If dwObjectType == CERT_QUERY_OBJECT_FILE, it is a
  7408. ' LPWSTR, that is, the pointer to a wchar file name
  7409. ' if dwObjectType == CERT_QUERY_OBJECT_BLOB, it is a
  7410. ' PCERT_BLOB, that is, a pointer to a CERT_BLOB
  7411. '
  7412. ' INPUT dwExpectedContentTypeFlags:
' Indicate the expected content type.
  7414. ' Can be one of the following:
  7415. ' CERT_QUERY_CONTENT_FLAG_CERT
  7416. ' CERT_QUERY_CONTENT_FLAG_CTL
  7417. ' CERT_QUERY_CONTENT_FLAG_CRL
  7418. ' CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE
  7419. ' CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT
  7420. ' CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL
  7421. ' CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL
  7422. ' CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED
  7423. ' CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED
  7424. ' CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED
  7425. ' CERT_QUERY_CONTENT_FLAG_PKCS10
  7426. ' CERT_QUERY_CONTENT_FLAG_PFX
  7427. ' CERT_QUERY_CONTENT_FLAG_CERT_PAIR
  7428. '
  7429. ' INPUT dwExpectedFormatTypeFlags:
  7430. ' Indicate the expected format type.
  7431. ' Can be one of the following:
  7432. ' CERT_QUERY_FORMAT_FLAG_BINARY
  7433. ' CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED
  7434. ' CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED
  7435. '
  7436. '
  7437. ' INPUT dwFlags
' Reserved flag. Must always be set to 0.
  7439. '
  7440. ' OUTPUT pdwMsgAndCertEncodingType
  7441. ' Optional output. If NULL != pdwMsgAndCertEncodingType,
  7442. ' it contains the encoding type of the content as any
  7443. ' combination of the following:
  7444. ' X509_ASN_ENCODING
  7445. ' PKCS_7_ASN_ENCODING
  7446. '
  7447. ' OUTPUT pdwContentType
' Optional output. If NULL != pdwContentType, it contains
' the content type as one of the following:
  7450. ' CERT_QUERY_CONTENT_CERT
  7451. ' CERT_QUERY_CONTENT_CTL
  7452. ' CERT_QUERY_CONTENT_CRL
  7453. ' CERT_QUERY_CONTENT_SERIALIZED_STORE
  7454. ' CERT_QUERY_CONTENT_SERIALIZED_CERT
  7455. ' CERT_QUERY_CONTENT_SERIALIZED_CTL
  7456. ' CERT_QUERY_CONTENT_SERIALIZED_CRL
  7457. ' CERT_QUERY_CONTENT_PKCS7_SIGNED
  7458. ' CERT_QUERY_CONTENT_PKCS7_UNSIGNED
  7459. ' CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
  7460. ' CERT_QUERY_CONTENT_PKCS10
  7461. ' CERT_QUERY_CONTENT_PFX
  7462. ' CERT_QUERY_CONTENT_CERT_PAIR
  7463. '
  7464. ' OUTPUT pdwFormatType
  7465. ' Optional output. If NULL !=pdwFormatType, it
  7466. ' contains the format type of the content as one of the
  7467. ' following:
  7468. ' CERT_QUERY_FORMAT_BINARY
  7469. ' CERT_QUERY_FORMAT_BASE64_ENCODED
  7470. ' CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED
  7471. '
  7472. '
  7473. ' OUTPUT phCertStore
  7474. ' Optional output. If NULL !=phStore,
  7475. ' it contains a cert store that includes all of certificates,
  7476. ' CRL, and CTL in the object if the object content type is
  7477. ' one of the following:
  7478. ' CERT_QUERY_CONTENT_CERT
  7479. ' CERT_QUERY_CONTENT_CTL
  7480. ' CERT_QUERY_CONTENT_CRL
  7481. ' CERT_QUERY_CONTENT_SERIALIZED_STORE
  7482. ' CERT_QUERY_CONTENT_SERIALIZED_CERT
  7483. ' CERT_QUERY_CONTENT_SERIALIZED_CTL
  7484. ' CERT_QUERY_CONTENT_SERIALIZED_CRL
  7485. ' CERT_QUERY_CONTENT_PKCS7_SIGNED
  7486. ' CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
  7487. ' CERT_QUERY_CONTENT_CERT_PAIR
  7488. '
  7489. ' Caller should free *phCertStore via CertCloseStore.
  7490. '
  7491. '
' OUTPUT phMsg Optional output. If NULL != phMsg,
' it contains a handle to an opened message if
' the content type is one of the following:
  7495. ' CERT_QUERY_CONTENT_PKCS7_SIGNED
  7496. ' CERT_QUERY_CONTENT_PKCS7_UNSIGNED
  7497. ' CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
  7498. '
  7499. ' Caller should free *phMsg via CryptMsgClose.
  7500. '
  7501. ' OUTPUT pContext Optional output. If NULL != pContext,
  7502. ' it contains either a PCCERT_CONTEXT or PCCRL_CONTEXT,
  7503. ' or PCCTL_CONTEXT based on the content type.
  7504. '
  7505. ' If the content type is CERT_QUERY_CONTENT_CERT or
  7506. ' CERT_QUERY_CONTENT_SERIALIZED_CERT, it is a PCCERT_CONTEXT;
  7507. ' Caller should free the pContext via CertFreeCertificateContext.
  7508. '
  7509. ' If the content type is CERT_QUERY_CONTENT_CRL or
  7510. ' CERT_QUERY_CONTENT_SERIALIZED_CRL, it is a PCCRL_CONTEXT;
  7511. ' Caller should free the pContext via CertFreeCRLContext.
  7512. '
  7513. ' If the content type is CERT_QUERY_CONTENT_CTL or
  7514. ' CERT_QUERY_CONTENT_SERIALIZED_CTL, it is a PCCTL_CONTEXT;
  7515. ' Caller should free the pContext via CertFreeCTLContext.
  7516. '
' If the object is of type CERT_QUERY_CONTENT_PKCS10 or CERT_QUERY_CONTENT_PFX,
' CryptQueryObject will not return anything in *phCertStore, *phMsg, or *ppvContext.
  7519. '--------------------------------------------------------------------------
  7520. '-------------------------------------------------------------------------
  7521. 'dwObjectType for CryptQueryObject
  7522. '-------------------------------------------------------------------------
' pvObject is an LPWSTR: the wide-character file name
Public Const CERT_QUERY_OBJECT_FILE As Long = &H00000001
' pvObject is a PCERT_BLOB: a pointer to a CERT_BLOB holding the content
Public Const CERT_QUERY_OBJECT_BLOB As Long = &H00000002
  7525. '-------------------------------------------------------------------------
  7526. 'dwContentType for CryptQueryObject
  7527. '-------------------------------------------------------------------------
  7528. 'encoded single certificate
  7529. Public Const CERT_QUERY_CONTENT_CERT As Long = 1
  7530. 'encoded single CTL
  7531. Public Const CERT_QUERY_CONTENT_CTL As Long = 2
  7532. 'encoded single CRL
  7533. Public Const CERT_QUERY_CONTENT_CRL As Long = 3
  7534. 'serialized store
  7535. Public Const CERT_QUERY_CONTENT_SERIALIZED_STORE As Long = 4
  7536. 'serialized single certificate
  7537. Public Const CERT_QUERY_CONTENT_SERIALIZED_CERT As Long = 5
  7538. 'serialized single CTL
  7539. Public Const CERT_QUERY_CONTENT_SERIALIZED_CTL As Long = 6
  7540. 'serialized single CRL
  7541. Public Const CERT_QUERY_CONTENT_SERIALIZED_CRL As Long = 7
  7542. 'a PKCS#7 signed message
  7543. Public Const CERT_QUERY_CONTENT_PKCS7_SIGNED As Long = 8
  7544. 'a PKCS#7 message, such as enveloped message. But it is not a signed message,
  7545. Public Const CERT_QUERY_CONTENT_PKCS7_UNSIGNED As Long = 9
  7546. 'a PKCS7 signed message embedded in a file
  7547. Public Const CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED As Long = 10
  7548. 'an encoded PKCS#10
  7549. Public Const CERT_QUERY_CONTENT_PKCS10 As Long = 11
  7550. 'an encoded PKX BLOB
  7551. Public Const CERT_QUERY_CONTENT_PFX As Long = 12
  7552. Public Const CERT_QUERY_CONTENT_CERT_PAIR As Long = 13
  7553. '-------------------------------------------------------------------------
  7554. 'dwExpectedConentTypeFlags for CryptQueryObject
  7555. '-------------------------------------------------------------------------
  7556. 'encoded single certificate
  7557. 'encoded single CTL
  7558. 'encoded single CRL
  7559. 'serialized store
  7560. 'serialized single certificate
  7561. 'serialized single CTL
  7562. 'serialized single CRL
  7563. 'an encoded PKCS#7 signed message
  7564. 'an encoded PKCS#7 message. But it is not a signed message
  7565. 'the content includes an embedded PKCS7 signed message
  7566. 'an encoded PKCS#10
  7567. 'an encoded PFX BLOB
  7568. 'content can be any type
  7569. '-------------------------------------------------------------------------
  7570. 'dwFormatType for CryptQueryObject
  7571. '-------------------------------------------------------------------------
  7572. 'the content is in binary format
  7573. Public Const CERT_QUERY_FORMAT_BINARY As Long = 1
  7574. 'the content is base64 encoded
  7575. Public Const CERT_QUERY_FORMAT_BASE64_ENCODED As Long = 2
  7576. 'the content is ascii hex encoded with "{ASN}" prefix
  7577. Public Const CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED As Long = 3
  7578. '-------------------------------------------------------------------------
  7579. 'dwExpectedFormatTypeFlags for CryptQueryObject
  7580. '-------------------------------------------------------------------------
  7581. 'the content is in binary format
  7582. 'the content is base64 encoded
  7583. 'the content is ascii hex encoded with "{ASN}" prefix
  7584. 'the content can be of any format
  7585. '
  7586. ' Crypt32 Memory Management Routines. All Crypt32 API which return allocated
  7587. ' buffers will do so via CryptMemAlloc, CryptMemRealloc. Clients can free
  7588. ' those buffers using CryptMemFree. Also included is CryptMemSize
  7589. '
  7590. '
  7591. ' Crypt32 Asynchronous Parameter Management Routines. All Crypt32 API which
  7592. ' expose asynchronous mode operation use a Crypt32 Async Handle to pass
  7593. ' around information about the operation e.g. callback routines. The
  7594. ' following API are used for manipulation of the async handle
  7595. '
  7596. '
' Crypt32 Remote Object Retrieval Routines. This API allows retrieval of
' remote PKI objects where the location is given by an URL. The remote
' object retrieval manager exposes two provider models. One is the "Scheme
' Provider" model which allows for installable protocol providers as defined
' by the URL scheme e.g. ldap, http, ftp. The scheme provider entry point is
' the same as CryptRetrieveObjectByUrl, except that the *ppvObject it returns
' is always an array of encoded blobs (PCRYPT_BLOB_ARRAY). The second
' provider model is the "Context Provider" model, which allows for installable
' creators of CAPI2 context objects from those retrieved encoded bits. Context
' providers are dispatched based on the object OID given in the call to
' CryptRetrieveObjectByUrl. Because the URL is usually taken from the very
' object being validated (see the URL_OID_* entries below), the retrieved
' bits are untrusted until verified, e.g. with the CRYPT_VERIFY_* flags.
  7606. '
  7607. '
' Scheme Provider Signatures
'
' Name of the OID function a scheme provider exports; the retrieval manager
' selects the provider by the URL scheme of the object being fetched.
Public Const SCHEME_OID_RETRIEVE_ENCODED_OBJECT_FUNC As String = "SchemeDllRetrieveEncodedObject"
'
' SchemeDllRetrieveEncodedObject has the following signature
' (pObject receives the encoded object(s) as a blob array; the returned
' *ppfnFreeObject / *ppvFreeContext pair is used to release them):
'
' IN LPCSTR pszUrl,
' IN LPCSTR pszObjectOid,
' IN DWORD dwRetrievalFlags,
' IN DWORD dwTimeout,
' OUT PCRYPT_BLOB_ARRAY pObject,
' OUT PFN_FREE_ENCODED_OBJECT_FUNC* ppfnFreeObject,
' OUT LPVOID* ppvFreeContext,
' IN HCRYPTASYNC hAsyncRetrieve,
' IN PCRYPT_CREDENTIALS pCredentials,
' IN PCRYPT_RETRIEVE_AUX_INFO pAuxInfo
' )
  7625. '
  7626. '
' Context Provider Signatures
'
' Name of the OID function a context provider exports; the provider is
' selected by pszObjectOid and turns the encoded blobs fetched by a scheme
' provider into a context object.
Public Const CONTEXT_OID_CREATE_OBJECT_CONTEXT_FUNC As String = "ContextDllCreateObjectContext"
'
' ContextDllCreateObjectContext has the following signature:
'
' IN LPCSTR pszObjectOid,
' IN DWORD dwRetrievalFlags,
' IN PCRYPT_BLOB_ARRAY pObject,
' OUT LPVOID* ppvContext
' )
  7638. '
  7639. '
  7640. ' Remote Object Retrieval API
  7641. '
  7642. '
' Retrieval flags (the dwRetrievalFlags parameter of CryptRetrieveObjectByUrl
' and of the scheme / context provider entry points above).
'
' NOTE(review): the per-flag descriptions below are taken from the flag
' names only; confirm against the CryptRetrieveObjectByUrl documentation.
'
' return every object found at the URL, not just the first
Public Const CRYPT_RETRIEVE_MULTIPLE_OBJECTS As Long = &H00000001
' serve only from the local cache (no network access)
Public Const CRYPT_CACHE_ONLY_RETRIEVAL As Long = &H00000002
' always fetch from the network, bypassing the cache
Public Const CRYPT_WIRE_ONLY_RETRIEVAL As Long = &H00000004
' do not store the fetched object in the cache
Public Const CRYPT_DONT_CACHE_RESULT As Long = &H00000008
' asynchronous retrieval via the hAsyncRetrieve handle
Public Const CRYPT_ASYNC_RETRIEVAL As Long = &H00000010
Public Const CRYPT_STICKY_CACHE_RETRIEVAL As Long = &H00001000
' restrict LDAP queries to base scope
Public Const CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL As Long = &H00002000
Public Const CRYPT_OFFLINE_CHECK_RETRIEVAL As Long = &H00004000
  7653. '
' Data verification retrieval flags
'
' CRYPT_VERIFY_CONTEXT_SIGNATURE requests signature verification of the
' context created. In this case pszObjectOid must be non-NULL and
' pvVerify points to the signer certificate context.
Public Const CRYPT_VERIFY_CONTEXT_SIGNATURE As Long = &H00000020
'
' CRYPT_VERIFY_DATA_HASH requests verification of the blob data retrieved
' by the protocol. pvVerify points to a URL_DATA_HASH.
Public Const CRYPT_VERIFY_DATA_HASH As Long = &H00000040
  7665. '
' Time Valid Object flags
'
' Security note: per their names, CRYPT_DONT_VERIFY_SIGNATURE and
' CRYPT_DONT_CHECK_TIME_VALIDITY each skip a check the time-valid object
' retrieval otherwise performs; an object fetched with them rests entirely
' on whatever validation the caller does itself.
Public Const CRYPT_KEEP_TIME_VALID As Long = &H00000080
Public Const CRYPT_DONT_VERIFY_SIGNATURE As Long = &H00000100
Public Const CRYPT_DONT_CHECK_TIME_VALIDITY As Long = &H00000200
  7671. '
  7672. ' Call back function to cancel object retrieval
  7673. '
' The function can be installed on a per-thread basis.
' If CryptInstallCancelRetrieval is called multiple times, only the most
' recent installation is kept.
  7677. '
  7678. ' This is only effective for http, https, gopher, and ftp protocol.
  7679. ' It is ignored by the rest of the protocols.
  7680. '
  7681. ' PFN_CRYPT_CANCEL_RETRIEVAL
  7682. '
  7683. ' This function should return FALSE when the object retrieval should be continued
  7684. ' and return TRUE when the object retrieval should be cancelled.
  7685. '
  7686. '
  7687. ' Remote Object Async Retrieval parameters
  7688. '
  7689. '
  7690. ' A client that wants to be notified of asynchronous object retrieval
  7691. ' completion sets this parameter on the async handle
  7692. '
  7693. '
  7694. ' This function is set on the async handle by a scheme provider that
  7695. ' supports asynchronous retrieval
  7696. '
  7697. '
' Get the locator for a CAPI object
'
' Flags selecting where the URL may be taken from; they may be combined.
' Security note: an unauthenticated (unsigned) signer-info attribute is by
' definition not covered by the message signature, so a URL taken from one
' can be altered by anyone able to modify the message.
'
' a property set on the context
Public Const CRYPT_GET_URL_FROM_PROPERTY As Long = &H00000001
' an extension of the certificate / CRL / CTL
Public Const CRYPT_GET_URL_FROM_EXTENSION As Long = &H00000002
' an unauthenticated signer-info attribute
Public Const CRYPT_GET_URL_FROM_UNAUTH_ATTRIBUTE As Long = &H00000004
' an authenticated (signed) signer-info attribute
Public Const CRYPT_GET_URL_FROM_AUTH_ATTRIBUTE As Long = &H00000008
' Name of the OID function a URL provider exports for the URL_OID_* below.
Public Const URL_OID_GET_OBJECT_URL_FUNC As String = "UrlDllGetObjectUrl"
  7705. '
  7706. ' UrlDllGetObjectUrl has the same signature as CryptGetObjectUrl
  7707. '
  7708. '
  7709. ' URL_OID_CERTIFICATE_ISSUER
  7710. '
  7711. ' pvPara == PCCERT_CONTEXT, certificate whose issuer's URL is being requested
  7712. '
  7713. ' This will be retrieved from the authority info access extension or property
  7714. ' on the certificate
  7715. '
  7716. ' URL_OID_CERTIFICATE_CRL_DIST_POINT
  7717. '
  7718. ' pvPara == PCCERT_CONTEXT, certificate whose CRL distribution point is being
  7719. ' requested
  7720. '
  7721. ' This will be retrieved from the CRL distribution point extension or property
  7722. ' on the certificate
  7723. '
' URL_OID_CTL_ISSUER
'
' pvPara == PCCTL_CONTEXT, Signer Index, CTL whose issuer's URL (selected
' by the signer index) is being requested
'
' This will be retrieved from an authority info access attribute method encoded
' in the CTL's signer info attributes
  7729. '
  7730. ' URL_OID_CTL_NEXT_UPDATE
  7731. '
  7732. ' pvPara == PCCTL_CONTEXT, Signer Index, CTL whose next update URL is being
  7733. ' requested and an optional signer index in case we need to check signer
  7734. ' info attributes
  7735. '
  7736. ' This will be retrieved from an authority info access CTL extension, property,
  7737. ' or signer info attribute method
  7738. '
  7739. ' URL_OID_CRL_ISSUER
  7740. '
  7741. ' pvPara == PCCRL_CONTEXT, CRL whose issuer's URL is being requested
  7742. '
' This will be retrieved from a property on the CRL which has been inherited
' from the subject certificate (e.g. from its CRL distribution point
' extension). It will be encoded as an authority info access extension method.
  7746. '
  7747. ' URL_OID_CERTIFICATE_FRESHEST_CRL
  7748. '
  7749. ' pvPara == PCCERT_CONTEXT, certificate whose freshest CRL distribution point
  7750. ' is being requested
  7751. '
  7752. ' This will be retrieved from the freshest CRL extension or property
  7753. ' on the certificate
  7754. '
  7755. ' URL_OID_CRL_FRESHEST_CRL
  7756. '
  7757. ' pvPara == PCCERT_CRL_CONTEXT_PAIR, certificate's base CRL whose
  7758. ' freshest CRL distribution point is being requested
  7759. '
  7760. ' This will be retrieved from the freshest CRL extension or property
  7761. ' on the CRL
  7762. '
  7763. ' URL_OID_CROSS_CERT_DIST_POINT
  7764. '
  7765. ' pvPara == PCCERT_CONTEXT, certificate whose cross certificate distribution
  7766. ' point is being requested
  7767. '
  7768. ' This will be retrieved from the cross certificate distribution point
  7769. ' extension or property on the certificate
  7770. '
  7771. '
  7772. ' Get a time valid CAPI2 object
  7773. '
' Name of the OID function exported by time-valid object providers
' (see the TIME_VALID_OID_GET_* entries below for the pvPara each takes).
Public Const TIME_VALID_OID_GET_OBJECT_FUNC As String = "TimeValidDllGetObject"
'
' TimeValidDllGetObject has the same signature as CryptGetTimeValidObject
  7777. '
  7778. '
  7779. ' TIME_VALID_OID_GET_CTL
  7780. '
  7781. ' pvPara == PCCTL_CONTEXT, the current CTL
  7782. '
  7783. ' TIME_VALID_OID_GET_CRL
  7784. '
  7785. ' pvPara == PCCRL_CONTEXT, the current CRL
  7786. '
  7787. ' TIME_VALID_OID_GET_CRL_FROM_CERT
  7788. '
  7789. ' pvPara == PCCERT_CONTEXT, the subject cert
  7790. '
  7791. ' TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CERT
  7792. '
  7793. ' pvPara == PCCERT_CONTEXT, the subject cert
  7794. '
  7795. ' TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CRL
  7796. '
  7797. ' pvPara == PCCERT_CRL_CONTEXT_PAIR, the subject cert and its base CRL
  7798. '
' Name of the OID function exported by time-valid object providers to drop a
' cached object (see the TIME_VALID_OID_FLUSH_* entries below).
Public Const TIME_VALID_OID_FLUSH_OBJECT_FUNC As String = "TimeValidDllFlushObject"
'
' TimeValidDllFlushObject has the same signature as CryptFlushTimeValidObject
  7802. '
  7803. '
  7804. ' TIME_VALID_OID_FLUSH_CTL
  7805. '
  7806. ' pvPara == PCCTL_CONTEXT, the CTL to flush
  7807. '
  7808. ' TIME_VALID_OID_FLUSH_CRL
  7809. '
  7810. ' pvPara == PCCRL_CONTEXT, the CRL to flush
  7811. '
  7812. ' TIME_VALID_OID_FLUSH_CRL_FROM_CERT
  7813. '
  7814. ' pvPara == PCCERT_CONTEXT, the subject cert's CRL to flush
  7815. '
  7816. ' TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CERT
  7817. '
  7818. ' pvPara == PCCERT_CONTEXT, the subject cert's freshest CRL to flush
  7819. '
  7820. ' TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CRL
  7821. '
  7822. ' pvPara == PCCERT_CRL_CONTEXT_PAIR, the subject cert and its base CRL's
  7823. ' freshest CRL to flush
  7824. '
  7825. '-------------------------------------------------------------------------
  7826. ' Data Protection APIs
  7827. '-------------------------------------------------------------------------
  7828. '
  7829. ' Data protection APIs enable applications to easily secure data.
  7830. '
  7831. ' The base provider provides protection based on the users' logon
  7832. ' credentials. The data secured with these APIs follow the same
  7833. ' roaming characteristics as HKCU -- if HKCU roams, the data
  7834. ' protected by the base provider may roam as well. This makes
  7835. ' the API ideal for the munging of data stored in the registry.
  7836. '
  7837. '
  7838. ' Prompt struct -- what to tell users about the access
  7839. '
  7840. '
  7841. ' base provider action
  7842. '
  7843. '
  7844. ' CryptProtect PromptStruct dwPromtFlags
  7845. '
  7846. '
' prompt on unprotect
Public Const CRYPTPROTECT_PROMPT_ON_UNPROTECT As Long = &H1
'
' prompt on protect
Public Const CRYPTPROTECT_PROMPT_ON_PROTECT As Long = &H2
' reserved
Public Const CRYPTPROTECT_PROMPT_RESERVED As Long = &H04
'
' NOTE(review): the meaning of the "strong" prompt is not described in this
' file -- confirm against the CryptProtectData documentation before use.
Public Const CRYPTPROTECT_PROMPT_STRONG As Long = &H08
'
' CryptProtectData and CryptUnprotectData dwFlags
'
' for remote-access situations where UI is not an option;
' if UI was requested for the protect or unprotect operation, the call fails
Public Const CRYPTPROTECT_UI_FORBIDDEN As Long = &H1
'
' per machine protected data -- any user on the machine where CryptProtectData
' took place may CryptUnprotectData. Security note: this gives no isolation
' between accounts on that machine; do not use it for secrets that other
' local users must not be able to read.
Public Const CRYPTPROTECT_LOCAL_MACHINE As Long = &H4
'
' Synchronize is the only operation that occurs during this call
Public Const CRYPTPROTECT_CRED_SYNC As Long = &H8
'
' Generate an Audit on protect and unprotect operations
'
Public Const CRYPTPROTECT_AUDIT As Long = &H10
'
' Protect data with a non-recoverable key
'
Public Const CRYPTPROTECT_NO_RECOVERY As Long = &H20
' flags reserved for system use
' (VB evaluates the 8-digit literal &HFFFFFFFF as a Long with all 32 bits
' set, i.e. -1, which is the intended mask)
Public Const CRYPTPROTECT_FIRST_RESERVED_FLAGVAL As Long = &H0FFFFFFF
Public Const CRYPTPROTECT_LAST_RESERVED_FLAGVAL As Long = &HFFFFFFFF
  7879. '
  7880. ' flags specific to base provider
  7881. '
  7882. '+=========================================================================
  7883. ' Helper functions to build certificates
  7884. '==========================================================================
  7885. '+-------------------------------------------------------------------------
  7886. '
  7887. ' Builds a self-signed certificate and returns a PCCERT_CONTEXT representing
  7888. ' the certificate. A hProv must be specified to build the cert context.
  7889. '
' pSubjectIssuerBlob is the DN for the certificate. If an alternate subject
' name is desired it must be specified as an extension in the pExtensions
' parameter. pSubjectIssuerBlob can NOT be NULL, so minimally an empty DN
' must be specified.
  7894. '
  7895. ' By default:
' pKeyProvInfo - The CSP is queried for the KeyProvInfo parameters. Only the Provider,
' Provider Type and Container is queried. Many CSPs don't support these
' queries and will cause a failure. In such cases the pKeyProvInfo must be
' supplied by the caller.
  7899. '
  7900. ' pSignatureAlgorithm - will default to SHA1RSA
  7901. ' pStartTime will default to the current time
  7902. ' pEndTime will default to 1 year
' pExtensions will be empty.
  7904. '
  7905. ' The returned PCCERT_CONTEXT will reference the private keys by setting the
  7906. ' CERT_KEY_PROV_INFO_PROP_ID. However, if this property is not desired specify the
  7907. ' CERT_CREATE_SELFSIGN_NO_KEY_INFO in dwFlags.
  7908. '
  7909. ' If the cert being built is only a dummy placeholder cert for speed it may not
  7910. ' need to be signed. Signing of the cert is skipped if CERT_CREATE_SELFSIGN_NO_SIGN
  7911. ' is specified in dwFlags.
  7912. '
  7913. '--------------------------------------------------------------------------
' dwFlags for the self-signed certificate builder described above.
'
' Skip signing the certificate. The result carries no valid signature and is
' only suitable as a placeholder; it must not be distributed or used where a
' certificate is expected to be verifiable.
Public Const CERT_CREATE_SELFSIGN_NO_SIGN As Long = 1
' Do not set CERT_KEY_PROV_INFO_PROP_ID on the returned context, i.e. the
' context does not reference the private key.
Public Const CERT_CREATE_SELFSIGN_NO_KEY_INFO As Long = 2
  7916. '+=========================================================================
  7917. ' Key Identifier Property Data Structures and APIs
  7918. '==========================================================================
  7919. '+-------------------------------------------------------------------------
  7920. ' Get the property for the specified Key Identifier.
  7921. '
  7922. ' The Key Identifier is the SHA1 hash of the encoded CERT_PUBLIC_KEY_INFO.
  7923. ' The Key Identifier for a certificate can be obtained by getting the
  7924. ' certificate's CERT_KEY_IDENTIFIER_PROP_ID. The
  7925. ' CryptCreateKeyIdentifierFromCSP API can be called to create the Key
  7926. ' Identifier from a CSP Public Key Blob.
  7927. '
  7928. ' A Key Identifier can have the same properties as a certificate context.
  7929. ' CERT_KEY_PROV_INFO_PROP_ID is the property of most interest.
  7930. ' For CERT_KEY_PROV_INFO_PROP_ID, pvData points to a CRYPT_KEY_PROV_INFO
  7931. ' structure. Elements pointed to by fields in the pvData structure follow the
  7932. ' structure. Therefore, *pcbData will exceed the size of the structure.
  7933. '
' If CRYPT_KEYID_ALLOC_FLAG is set, then *pvData is updated with a pointer
' to allocated memory holding the property.
  7936. '
  7937. ' By default, searches the CurrentUser's list of Key Identifiers.
  7938. ' CRYPT_KEYID_MACHINE_FLAG can be set to search the LocalMachine's list
  7939. ' of Key Identifiers. When CRYPT_KEYID_MACHINE_FLAG is set, pwszComputerName
  7940. ' can also be set to specify the name of a remote computer to be searched
  7941. ' instead of the local machine.
  7942. '--------------------------------------------------------------------------
' When the following flag is set, searches the LocalMachine instead of the
' CurrentUser. This flag is applicable to all the KeyIdentifierProperty APIs.
Public Const CRYPT_KEYID_MACHINE_FLAG As Long = &H00000020
' When the following flag is set, *pvData is updated with a pointer to
' allocated memory holding the property; the caller is responsible for
' freeing it (the matching free routine is not stated in this file).
Public Const CRYPT_KEYID_ALLOC_FLAG As Long = &H00008000
  7948. '+-------------------------------------------------------------------------
  7949. ' Set the property for the specified Key Identifier.
  7950. '
  7951. ' For CERT_KEY_PROV_INFO_PROP_ID pvData points to the
  7952. ' CRYPT_KEY_PROV_INFO data structure. For all other properties, pvData
  7953. ' points to a CRYPT_DATA_BLOB.
  7954. '
  7955. ' Setting pvData == NULL, deletes the property.
  7956. '
  7957. ' Set CRYPT_KEYID_MACHINE_FLAG to set the property for a LocalMachine
  7958. ' Key Identifier. Set pwszComputerName, to select a remote computer.
  7959. '
  7960. ' If CRYPT_KEYID_DELETE_FLAG is set, the Key Identifier and all its
  7961. ' properties is deleted.
  7962. '
  7963. ' If CRYPT_KEYID_SET_NEW_FLAG is set, the set fails if the property already
  7964. ' exists. For an existing property, FALSE is returned with LastError set to
  7965. ' CRYPT_E_EXISTS.
  7966. '--------------------------------------------------------------------------
' When the following flag is set, the Key Identifier and all its properties
' are deleted (a destructive operation -- pvData is ignored).
Public Const CRYPT_KEYID_DELETE_FLAG As Long = &H00000010
' When the following flag is set, the set fails if the property already
' exists (FALSE is returned with LastError set to CRYPT_E_EXISTS), which
' lets a caller create a property without silently overwriting another one.
Public Const CRYPT_KEYID_SET_NEW_FLAG As Long = &H00002000
  7973. '+-------------------------------------------------------------------------
  7974. ' For CERT_KEY_PROV_INFO_PROP_ID, rgppvData[] points to a
  7975. ' CRYPT_KEY_PROV_INFO.
  7976. '
  7977. ' Return FALSE to stop the enumeration.
  7978. '--------------------------------------------------------------------------
  7979. '+-------------------------------------------------------------------------
  7980. ' Enumerate the Key Identifiers.
  7981. '
' If pKeyIdentifier is NULL, enumerates all Key Identifiers. Otherwise,
' calls the callback for the specified KeyIdentifier. If dwPropId is
' 0, calls the callback with all the properties. Otherwise, only calls
' the callback with the specified property. Furthermore, when dwPropId is
' specified, skips KeyIdentifiers not having the property.
  7987. '
  7988. ' Set CRYPT_KEYID_MACHINE_FLAG to enumerate the LocalMachine
  7989. ' Key Identifiers. Set pwszComputerName, to enumerate Key Identifiers on
  7990. ' a remote computer.
  7991. '--------------------------------------------------------------------------
  7992. '+-------------------------------------------------------------------------
  7993. ' Create a KeyIdentifier from the CSP Public Key Blob.
  7994. '
  7995. ' Converts the CSP PUBLICKEYSTRUC into a X.509 CERT_PUBLIC_KEY_INFO and
  7996. ' encodes. The encoded CERT_PUBLIC_KEY_INFO is SHA1 hashed to obtain
  7997. ' the Key Identifier.
  7998. '
  7999. ' By default, the pPubKeyStruc->aiKeyAlg is used to find the appropriate
  8000. ' public key Object Identifier. pszPubKeyOID can be set to override
  8001. ' the default OID obtained from the aiKeyAlg.
  8002. '--------------------------------------------------------------------------
  8003. '+=========================================================================
  8004. ' Certificate Chaining Infrastructure
  8005. '==========================================================================
  8006. '
  8007. ' The chain engine defines the store namespace and cache partitioning for
  8008. ' the Certificate Chaining infrastructure. A default chain engine
  8009. ' is defined for the process which uses all default system stores e.g.
  8010. ' Root, CA, Trust, for chain building and caching. If an application
  8011. ' wishes to define its own store namespace or have its own partitioned
  8012. ' cache then it can create its own chain engine. It is advisable to create
  8013. ' a chain engine at application startup and use it throughout the lifetime
  8014. ' of the application in order to get optimal caching behavior
  8015. '
  8016. '
  8017. ' Create a certificate chain engine.
  8018. '
  8019. '
  8020. ' Configuration parameters for the certificate chain engine
  8021. '
  8022. '
  8023. ' hRestrictedTrust - restrict the store for CTLs
  8024. '
  8025. ' hRestrictedOther - restrict the store for certs and CRLs
  8026. '
  8027. ' cAdditionalStore, rghAdditionalStore - additional stores
  8028. '
  8029. ' NOTE: The algorithm used to define the stores for the engine is as
  8030. ' follows:
  8031. '
  8032. ' hRoot = hRestrictedRoot or System Store "Root"
  8033. '
  8034. '
' hTrust (the store searched for CTLs) = hRestrictedTrust + hWorld
  8036. '
  8037. ' hWorld = hRoot + "CA" + "My" + "Trust" + rghAdditionalStore
  8038. '
  8039. ' dwFlags - flags
  8040. '
  8041. ' CERT_CHAIN_CACHE_END_CERT - information will be cached on
  8042. ' the end cert as well as the other
  8043. ' certs in the chain
  8044. '
  8045. ' CERT_CHAIN_THREAD_STORE_SYNC - use separate thread for store syncs
  8046. ' and related cache updates
  8047. '
  8048. ' CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL - don't hit the wire to get
  8049. ' URL based objects
  8050. '
  8051. ' dwUrlRetrievalTimeout - timeout for wire based URL object retrievals
  8052. '
  8053. Public Const CERT_CHAIN_CACHE_END_CERT As Long = &H00000001
  8054. Public Const CERT_CHAIN_THREAD_STORE_SYNC As Long = &H00000002
  8055. Public Const CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL As Long = &H00000004
  8056. Public Const CERT_CHAIN_USE_LOCAL_MACHINE_STORE As Long = &H00000008
  8057. Public Const CERT_CHAIN_ENABLE_CACHE_AUTO_UPDATE As Long = &H00000010
  8058. Public Const CERT_CHAIN_ENABLE_SHARE_STORE As Long = &H00000020
  8059. '
  8060. ' Free a certificate trust engine
  8061. '
  8062. '
' Resync the certificate chain engine. This resyncs the stores backing
' the engine and updates the engine caches.
  8065. '
  8066. '
  8067. ' When an application requests a certificate chain, the data structure
  8068. ' returned is in the form of a CERT_CHAIN_CONTEXT. This contains
  8069. ' an array of CERT_SIMPLE_CHAIN where each simple chain goes from
  8070. ' an end cert to a self signed cert and the chain context connects simple
  8071. ' chains via trust lists. Each simple chain contains the chain of
  8072. ' certificates, summary trust information about the chain and trust information
  8073. ' about each certificate element in the chain.
  8074. '
  8075. '
  8076. ' Trust status bits
  8077. '
  8078. '
  8079. ' The following are error status bits
  8080. '
  8081. ' These can be applied to certificates and chains
  8082. Public Const CERT_TRUST_NO_ERROR As Long = &H00000000
  8083. Public Const CERT_TRUST_IS_NOT_TIME_VALID As Long = &H00000001
  8084. Public Const CERT_TRUST_IS_NOT_TIME_NESTED As Long = &H00000002
  8085. Public Const CERT_TRUST_IS_REVOKED As Long = &H00000004
  8086. Public Const CERT_TRUST_IS_NOT_SIGNATURE_VALID As Long = &H00000008
  8087. Public Const CERT_TRUST_IS_NOT_VALID_FOR_USAGE As Long = &H00000010
  8088. Public Const CERT_TRUST_IS_UNTRUSTED_ROOT As Long = &H00000020
  8089. Public Const CERT_TRUST_REVOCATION_STATUS_UNKNOWN As Long = &H00000040
  8090. Public Const CERT_TRUST_IS_CYCLIC As Long = &H00000080
  8091. Public Const CERT_TRUST_INVALID_EXTENSION As Long = &H00000100
  8092. Public Const CERT_TRUST_INVALID_POLICY_CONSTRAINTS As Long = &H00000200
  8093. Public Const CERT_TRUST_INVALID_BASIC_CONSTRAINTS As Long = &H00000400
  8094. Public Const CERT_TRUST_INVALID_NAME_CONSTRAINTS As Long = &H00000800
  8095. Public Const CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT As Long = &H00001000
  8096. Public Const CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT As Long = &H00002000
  8097. Public Const CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT As Long = &H00004000
  8098. Public Const CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT As Long = &H00008000
  8099. Public Const CERT_TRUST_IS_OFFLINE_REVOCATION As Long = &H01000000
  8100. Public Const CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY As Long = &H02000000
  8101. ' These can be applied to chains only
  8102. Public Const CERT_TRUST_IS_PARTIAL_CHAIN As Long = &H00010000
  8103. Public Const CERT_TRUST_CTL_IS_NOT_TIME_VALID As Long = &H00020000
  8104. Public Const CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID As Long = &H00040000
  8105. Public Const CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE As Long = &H00080000
  8106. '
  8107. ' The following are info status bits
  8108. '
  8109. ' These can be applied to certificates only
  8110. Public Const CERT_TRUST_HAS_EXACT_MATCH_ISSUER As Long = &H00000001
  8111. Public Const CERT_TRUST_HAS_KEY_MATCH_ISSUER As Long = &H00000002
  8112. Public Const CERT_TRUST_HAS_NAME_MATCH_ISSUER As Long = &H00000004
  8113. Public Const CERT_TRUST_IS_SELF_SIGNED As Long = &H00000008
  8114. ' These can be applied to certificates and chains
  8115. Public Const CERT_TRUST_HAS_PREFERRED_ISSUER As Long = &H00000100
  8116. Public Const CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY As Long = &H00000200
  8117. Public Const CERT_TRUST_HAS_NAME_CONSTRAINTS As Long = &H00000400
  8118. ' These can be applied to chains only
  8119. Public Const CERT_TRUST_IS_COMPLEX_CHAIN As Long = &H00010000
  8120. '
  8121. ' Each certificate context in a simple chain has a corresponding chain element
  8122. ' in the simple chain context
  8123. '
  8124. ' dwErrorStatus has CERT_TRUST_IS_REVOKED, pRevocationInfo set
  8125. ' dwErrorStatus has CERT_TRUST_REVOCATION_STATUS_UNKNOWN, pRevocationInfo set
  8126. '
  8127. ' Note that the post processing revocation supported in the first
  8128. ' version only sets cbSize and dwRevocationResult. Everything else
  8129. ' is NULL
  8130. '
  8131. '
  8132. ' Revocation Information
  8133. '
  8134. '
  8135. ' Trust List Information
  8136. '
  8137. '
  8138. ' Chain Element
  8139. '
  8140. '
  8141. ' The simple chain is an array of chain elements and a summary trust status
  8142. ' for the chain
  8143. '
  8144. ' rgpElements[0] is the end certificate chain element
  8145. '
  8146. ' rgpElements[cElement-1] is the self-signed "root" certificate chain element
  8147. '
  8148. '
  8149. ' And the chain context contains an array of simple chains and summary trust
  8150. ' status for all the connected simple chains
  8151. '
  8152. ' rgpChains[0] is the end certificate simple chain
  8153. '
' rgpChains[cChain-1] is the final simple chain, which ends in a
' certificate that is contained in the root store
  8155. '
  8156. '
' When building a chain, there are various parameters used for finding
  8158. ' issuing certificates and trust lists. They are identified in the
  8159. ' following structure
  8160. '
  8161. ' Default usage match type is AND with value zero
  8162. Public Const USAGE_MATCH_TYPE_AND As Long = &H00000000
  8163. Public Const USAGE_MATCH_TYPE_OR As Long = &H00000001
  8164. '
  8165. ' The following API is used for retrieving certificate chains
  8166. '
  8167. ' Parameters:
  8168. '
' chain engine handle - the engine (store namespace and cache) to build
' with; NULL means use the default chain engine
  8170. '
  8171. ' pCertContext - the context we are retrieving the chain for, it
  8172. ' will be the zero index element in the chain
  8173. '
  8174. ' pTime - the point in time that we want the chain validated
  8175. ' for. Note that the time does not affect trust list,
  8176. ' revocation, or root store checking. NULL means use
  8177. ' the current system time
  8178. '
  8179. ' hAdditionalStore - additional store to use when looking up objects
  8180. '
  8181. ' pChainPara - parameters for chain building
  8182. '
  8183. ' dwFlags - flags such as should revocation checking be done
  8184. ' on the chain?
  8185. '
  8186. ' pvReserved - reserved parameter, must be NULL
  8187. '
  8188. ' ppChainContext - chain context returned
  8189. '
  8190. ' CERT_CHAIN_CACHE_END_CERT can be used here as well
  8191. ' Revocation flags are in the high nibble
  8192. Public Const CERT_CHAIN_REVOCATION_CHECK_END_CERT As Long = &H10000000
  8193. Public Const CERT_CHAIN_REVOCATION_CHECK_CHAIN As Long = &H20000000
  8194. Public Const CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT As Long = &H40000000
  8195. Public Const CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY As Long = &H80000000
  8196. ' First pass determines highest quality based upon:
  8197. ' - Complete chain
  8198. ' By default, second pass only considers paths >= highest first pass quality
  8199. Public Const CERT_CHAIN_DISABLE_PASS1_QUALITY_FILTERING As Long = &H00000040
  8200. Public Const CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS As Long = &H00000080
  8201. '
  8202. ' Free a certificate chain
  8203. '
  8204. '
  8205. '
  8206. '
  8207. ' Specific Revocation Type OID and structure definitions
  8208. '
  8209. '
  8210. ' CRL Revocation OID
  8211. '
  8212. '
  8213. ' For the CRL revocation OID the pvRevocationPara is NULL
  8214. '
  8215. '
  8216. ' CRL Revocation Info
  8217. '
  8218. '+-------------------------------------------------------------------------
  8219. ' Find the first or next certificate chain context in the store.
  8220. '
  8221. ' The chain context is found according to the dwFindFlags, dwFindType and
  8222. ' its pvFindPara. See below for a list of the find types and its parameters.
  8223. '
  8224. ' If the first or next chain context isn't found, NULL is returned.
  8225. ' Otherwise, a pointer to a read only CERT_CHAIN_CONTEXT is returned.
  8226. ' CERT_CHAIN_CONTEXT must be freed by calling CertFreeCertificateChain
  8227. ' or is freed when passed as the
  8228. ' pPrevChainContext on a subsequent call. CertDuplicateCertificateChain
  8229. ' can be called to make a duplicate.
  8230. '
  8231. ' pPrevChainContext MUST BE NULL on the first
  8232. ' call to find the chain context. To find the next chain context, the
  8233. ' pPrevChainContext is set to the CERT_CHAIN_CONTEXT returned by a previous
  8234. ' call.
  8235. '
  8236. ' NOTE: a NON-NULL pPrevChainContext is always CertFreeCertificateChain'ed by
  8237. ' this function, even for an error.
  8238. '--------------------------------------------------------------------------
  8239. Public Const CERT_CHAIN_FIND_BY_ISSUER As Long = 1
  8240. '+-------------------------------------------------------------------------
  8241. ' CERT_CHAIN_FIND_BY_ISSUER
  8242. '
  8243. ' Find a certificate chain having a private key for the end certificate and
  8244. ' matching one of the given issuer names. A matching dwKeySpec and
  8245. ' enhanced key usage can also be specified. Additionally a callback can
  8246. ' be provided for even more caller provided filtering before building the
  8247. ' chain.
  8248. '
  8249. ' By default, only the issuers in the first simple chain are compared
  8250. ' for a name match. CERT_CHAIN_FIND_BY_ISSUER_COMPLEX_CHAIN_FLAG can
  8251. ' be set in dwFindFlags to match issuers in all the simple chains.
  8252. '
  8253. ' CERT_CHAIN_FIND_BY_ISSUER_NO_KEY_FLAG can be set in dwFindFlags to
  8254. ' not check if the end certificate has a private key.
  8255. '
  8256. ' CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG can be set in dwFindFlags
  8257. ' to compare the public key in the end certificate with the crypto
  8258. ' provider's public key. The dwAcquirePrivateKeyFlags can be set
  8259. ' in CERT_CHAIN_FIND_BY_ISSUER_PARA to enable caching of the private key's
  8260. ' HKEY returned by the CSP.
  8261. '
  8262. ' If dwCertEncodingType == 0, defaults to X509_ASN_ENCODING for the
  8263. ' array of encoded issuer names.
  8264. '
  8265. ' By default, the hCertStore passed to CertFindChainInStore, is passed
  8266. ' as an additional store to CertGetCertificateChain.
  8267. ' CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_FLAG can be set in dwFindFlags
' to improve performance by only searching the cached system stores to
' find the issuer certificates. If the find is being done in the "my"
' system store, then this flag should be set to improve performance.
  8271. '
  8272. ' Setting CERT_CHAIN_FIND_BY_ISSUER_LOCAL_MACHINE_FLAG in dwFindFlags
  8273. ' restricts CertGetCertificateChain to search the Local Machine
  8274. ' cached system stores instead of the Current User's.
  8275. '
  8276. ' Setting CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG in dwFindFlags
  8277. ' restricts CertGetCertificateChain to only search the URL cache
  8278. ' and not hit the wire.
  8279. '--------------------------------------------------------------------------
  8280. ' Returns FALSE to skip this certificate. Otherwise, returns TRUE to
  8281. ' build a chain for this certificate.
  8282. ' The following dwFindFlags can be set for CERT_CHAIN_FIND_BY_ISSUER
  8283. ' If set, compares the public key in the end certificate with the crypto
  8284. ' provider's public key. This comparison is the last check made on the
  8285. ' build chain.
  8286. Public Const CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG As Long = &H0001
  8287. ' If not set, only checks the first simple chain for an issuer name match.
  8288. ' When set, also checks second and subsequent simple chains.
  8289. Public Const CERT_CHAIN_FIND_BY_ISSUER_COMPLEX_CHAIN_FLAG As Long = &H0002
  8290. ' If set, CertGetCertificateChain only searches the URL cache and
  8291. ' doesn't hit the wire.
  8292. Public Const CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG As Long = &H0004
  8293. ' If set, CertGetCertificateChain only opens the Local Machine
  8294. ' certificate stores instead of the Current User's.
  8295. Public Const CERT_CHAIN_FIND_BY_ISSUER_LOCAL_MACHINE_FLAG As Long = &H0008
  8296. ' If set, no check is made to see if the end certificate has a private
  8297. ' key associated with it.
  8298. Public Const CERT_CHAIN_FIND_BY_ISSUER_NO_KEY_FLAG As Long = &H4000
  8299. ' By default, the hCertStore passed to CertFindChainInStore, is passed
  8300. ' as the additional store to CertGetCertificateChain. This flag can be
  8301. ' set to improve performance by only searching the cached system stores
  8302. ' the hCertStore is always searched in addition to the cached system
  8303. ' stores.
  8304. Public Const CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_FLAG As Long = &H8000
  8305. '+=========================================================================
  8306. ' Certificate Chain Policy Data Structures and APIs
  8307. '==========================================================================
  8308. ' If both lChainIndex and lElementIndex are set to -1, the dwError applies
  8309. ' to the whole chain context. If only lElementIndex is set to -1, the
  8310. ' dwError applies to the lChainIndex'ed chain. Otherwise, the dwError applies
  8311. ' to the certificate element at
  8312. ' pChainContext->rgpChain[lChainIndex]->rgpElement[lElementIndex].
  8313. ' Common chain policy flags
  8314. Public Const CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG As Long = &H00000001
  8315. Public Const CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG As Long = &H00000002
  8316. Public Const CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG As Long = &H00000004
  8317. Public Const CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG As Long = &H00000010
  8318. Public Const CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG As Long = &H00000020
  8319. Public Const CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG As Long = &H00000100
  8320. Public Const CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG As Long = &H00000200
  8321. Public Const CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG As Long = &H00000400
  8322. Public Const CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG As Long = &H00000800
  8323. Public Const CERT_CHAIN_POLICY_ALLOW_TESTROOT_FLAG As Long = &H00008000
  8324. Public Const CERT_CHAIN_POLICY_TRUST_TESTROOT_FLAG As Long = &H00004000
  8325. '+-------------------------------------------------------------------------
  8326. ' Verify that the certificate chain satisfies the specified policy
  8327. ' requirements. If we were able to verify the chain policy, TRUE is returned
' and the dwError field of the pPolicyStatus is updated. A dwError of 0
' means the chain satisfies the policy; any other value is the reason it
' does not. A TRUE return by itself is NOT a pass - callers must examine
' dwError before trusting the chain.
  8329. '
  8330. ' If dwError applies to the entire chain context, both lChainIndex and
  8331. ' lElementIndex are set to -1. If dwError applies to a simple chain,
  8332. ' lElementIndex is set to -1 and lChainIndex is set to the index of the
  8333. ' first offending chain having the error. If dwError applies to a
  8334. ' certificate element, lChainIndex and lElementIndex are updated to
  8335. ' index the first offending certificate having the error, where, the
' certificate element is at:
  8337. ' pChainContext->rgpChain[lChainIndex]->rgpElement[lElementIndex].
  8338. '
  8339. ' The dwFlags in pPolicyPara can be set to change the default policy checking
  8340. ' behaviour. In addition, policy specific parameters can be passed in
  8341. ' the pvExtraPolicyPara field of pPolicyPara.
  8342. '
  8343. ' In addition to returning dwError, in pPolicyStatus, policy OID specific
  8344. ' extra status may be returned via pvExtraPolicyStatus.
  8345. '--------------------------------------------------------------------------
  8346. ' Predefined OID Function Names
  8347. ' CertDllVerifyCertificateChainPolicy has same function signature as
  8348. ' CertVerifyCertificateChainPolicy.
  8349. '+-------------------------------------------------------------------------
  8350. ' Predefined verify chain policies
  8351. '--------------------------------------------------------------------------
  8352. '+-------------------------------------------------------------------------
  8353. ' CERT_CHAIN_POLICY_BASE
  8354. '
  8355. ' Implements the base chain policy verification checks. dwFlags can
  8356. ' be set in pPolicyPara to alter the default policy checking behaviour.
  8357. '--------------------------------------------------------------------------
  8358. '+-------------------------------------------------------------------------
  8359. ' CERT_CHAIN_POLICY_AUTHENTICODE
  8360. '
  8361. ' Implements the Authenticode chain policy verification checks.
  8362. '
  8363. ' pvExtraPolicyPara may optionally be set to point to the following
  8364. ' AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA.
  8365. '
  8366. ' pvExtraPolicyStatus may optionally be set to point to the following
  8367. ' AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS.
  8368. '--------------------------------------------------------------------------
  8369. ' dwRegPolicySettings are defined in wintrust.h
  8370. '+-------------------------------------------------------------------------
  8371. ' CERT_CHAIN_POLICY_AUTHENTICODE_TS
  8372. '
  8373. ' Implements the Authenticode Time Stamp chain policy verification checks.
  8374. '
  8375. ' pvExtraPolicyPara may optionally be set to point to the following
  8376. ' AUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA.
  8377. '
  8378. ' pvExtraPolicyStatus isn't used and must be set to NULL.
  8379. '--------------------------------------------------------------------------
  8380. ' dwRegPolicySettings are defined in wintrust.h
  8381. '+-------------------------------------------------------------------------
  8382. ' CERT_CHAIN_POLICY_SSL
  8383. '
  8384. ' Implements the SSL client/server chain policy verification checks.
  8385. '
  8386. ' pvExtraPolicyPara may optionally be set to point to the following
  8387. ' SSL_EXTRA_CERT_CHAIN_POLICY_PARA data structure
  8388. '--------------------------------------------------------------------------
  8389. ' fdwChecks flags are defined in wininet.h
  8390. '+-------------------------------------------------------------------------
  8391. ' CERT_CHAIN_POLICY_BASIC_CONSTRAINTS
  8392. '
  8393. ' Implements the basic constraints chain policy.
  8394. '
  8395. ' Iterates through all the certificates in the chain checking for either
  8396. ' a szOID_BASIC_CONSTRAINTS or a szOID_BASIC_CONSTRAINTS2 extension. If
  8397. ' neither extension is present, the certificate is assumed to have
  8398. ' valid policy. Otherwise, for the first certificate element, checks if
  8399. ' it matches the expected CA_FLAG or END_ENTITY_FLAG specified in
  8400. ' pPolicyPara->dwFlags. If neither or both flags are set, then, the first
  8401. ' element can be either a CA or END_ENTITY. All other elements must be
' a CA. If the PathLenConstraint is present in the extension, it is
' checked.
  8404. '
' For CTLs, the signer certificates (i.e. the certificates that were
' used to sign the CTL) are checked to be an END_ENTITY.
  8406. '
  8407. ' If this verification fails, dwError will be set to
  8408. ' TRUST_E_BASIC_CONSTRAINTS.
  8409. '--------------------------------------------------------------------------
  8410. Public Const BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_CA_FLAG As Long = &H80000000
  8411. Public Const BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_END_ENTITY_FLAG As Long = &H40000000
  8412. '+-------------------------------------------------------------------------
  8413. ' CERT_CHAIN_POLICY_NT_AUTH
  8414. '
  8415. ' Implements the NT Authentication chain policy.
  8416. '
  8417. ' The NT Authentication chain policy consists of 3 distinct chain
  8418. ' verifications in the following order:
  8419. ' [1] CERT_CHAIN_POLICY_BASE - Implements the base chain policy
  8420. ' verification checks. The LOWORD of dwFlags can be set in
  8421. ' pPolicyPara to alter the default policy checking behaviour. See
  8422. ' CERT_CHAIN_POLICY_BASE for more details.
  8423. '
  8424. ' [2] CERT_CHAIN_POLICY_BASIC_CONSTRAINTS - Implements the basic
  8425. ' constraints chain policy. The HIWORD of dwFlags can be set
  8426. ' to specify if the first element must be either a CA or END_ENTITY.
  8427. ' See CERT_CHAIN_POLICY_BASIC_CONSTRAINTS for more details.
  8428. '
  8429. ' [3] Checks if the second element in the chain, the CA that issued
  8430. ' the end certificate, is a trusted CA for NT
  8431. ' Authentication. A CA is considered to be trusted if it exists in
  8432. ' the "NTAuth" system registry store found in the
  8433. ' CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE store location.
  8434. ' If this verification fails, whereby the CA isn't trusted,
  8435. ' dwError is set to CERT_E_UNTRUSTEDCA.
  8436. '--------------------------------------------------------------------------
  8437. '+=========================================================================
  8438. ' Helper functions to install certificates
  8439. '==========================================================================
  8440. '+-------------------------------------------------------------------------
  8441. ' Install a signed list of trusted certificates.
  8442. '
  8443. ' A CTL is used for the list. The dwFormat and pvList parameters are used
  8444. ' to pass in the CTL. Two dwFormat types are supported:
  8445. ' - CERT_INSTALL_SIGNED_LIST_FORMAT_BLOB
  8446. ' pvList is a PCRYPT_DATA_BLOB
  8447. ' - CERT_INSTALL_SIGNED_LIST_FORMAT_URL
  8448. ' pvList is a LPCWSTR
  8449. '
' (For CERT_INSTALL_SIGNED_LIST_FORMAT_URL the string is the URL from
' which the encoded CTL is retrieved.)
  8451. '
  8452. ' Currently only support a dwMsgAndCertEncodingType of:
  8453. ' X509_ASN_ENCODING | PKCS_7_ASN_ENCODING
  8454. '
  8455. ' dwFlags isn't used and must be set to 0. pvReserved isn't used and must
  8456. ' be set to NULL.
  8457. '
  8458. ' If the list of certificates was successfully installed, TRUE is returned.
  8459. ' Otherwise, FALSE is returned with LastError updated with the failure
  8460. ' reason.
  8461. '
  8462. ' Currently only support a signed list of trusted roots. dwPurpose must be
  8463. ' set to: CERT_INSTALL_SIGNED_LIST_PURPOSE_TRUSTED_ROOTS.
  8464. '
  8465. ' The CTL is processed as follows for TRUSTED_ROOTS:
  8466. ' The signature of the CTL is verified. The signer of the CTL is verified
  8467. ' up to a trusted root containing the predefined Microsoft public key.
  8468. ' The signer and intermediate certificates must have the
  8469. ' szOID_ROOT_LIST_SIGNER enhanced key usage extension.
  8470. '
  8471. ' The CTL fields are validated as follows:
' - The CTL's subject usage must contain szOID_ROOT_LIST_SIGNER (the
' only supported usage)
  8473. ' - If NextUpdate isn't NULL, check that the CTL is still time valid
  8474. ' - Only allow roots identified by their sha1 hash
  8475. '
  8476. ' The following CTL extensions are processed:
  8477. ' - szOID_ENHANCED_KEY_USAGE - if present, must contain
  8478. ' szOID_ROOT_LIST_SIGNER usage
  8479. ' - szOID_CERT_POLICIES - ignored
  8480. '
  8481. ' If the CTL contains any other critical extensions, then, the
  8482. ' CTL verification fails.
  8483. '
  8484. ' If the CTL is valid according to the above checks, then, the user
  8485. ' is given a dialog box to accept or cancel. If the user accepts, then,
  8486. ' the certificates are added to the CurrentUser "root" store. Since,
  8487. ' the root list was signed up through a trusted Microsoft root, the user
  8488. ' isn't prompted again to accept each root as they are added to the
  8489. ' protected root list.
  8490. '
  8491. ' If the szOID_REMOVE_CERTIFICATE extension is present with removal
  8492. ' set, then, instead of adding, the certificates are removed from
  8493. ' both the CurrentUser and LocalMachine "root" stores.
  8494. '--------------------------------------------------------------------------
  8495. ' dwPurpose values
  8496. Public Const CERT_INSTALL_SIGNED_LIST_PURPOSE_TRUSTED_ROOTS As Long = 1
  8497. ' dwFormat values
  8498. Public Const CERT_INSTALL_SIGNED_LIST_FORMAT_BLOB As Long = 1
  8499. Public Const CERT_INSTALL_SIGNED_LIST_FORMAT_URL As Long = 2
  8500. ' For CERT_INSTALL_SIGNED_LIST_FORMAT_BLOB
  8501. ' pvList is a PCRYPT_DATA_BLOB
  8502. ' For CERT_INSTALL_SIGNED_LIST_FORMAT_URL
  8503. ' pvList is a LPCWSTR
  8504. '+-------------------------------------------------------------------------
  8505. ' Install one or more intermediate CA certificates.
  8506. '
' The CA certificates can be in any content or format type supported by
' the certificate object decoding APIs.
  8508. '
' The dwFormat and pvCAs parameters are used to pass in the CA
' certificates. Two dwFormat types are supported:
  8510. ' - CERT_INSTALL_CA_FORMAT_BLOB
  8511. ' pvCAs is a PCRYPT_DATA_BLOB
  8512. ' - CERT_INSTALL_CA_FORMAT_URL
  8513. ' pvCAs is a LPCWSTR
  8514. '
  8515. ' Currently only support a dwMsgAndCertEncodingType of:
  8516. ' X509_ASN_ENCODING | PKCS_7_ASN_ENCODING
  8517. '
  8518. ' dwFlags isn't used and must be set to 0. pvReserved isn't used and must
  8519. ' be set to NULL.
  8520. '
  8521. ' If the CA certificates were successfully installed, TRUE is returned.
  8522. ' Otherwise, FALSE is returned with LastError updated with the failure
  8523. ' reason.
  8524. '--------------------------------------------------------------------------
  8525. Public Const CERT_INSTALL_CA_FORMAT_BLOB As Long = 1
  8526. Public Const CERT_INSTALL_CA_FORMAT_URL As Long = 2
  8527. ' For CERT_INSTALL_CA_FORMAT_BLOB
  8528. ' pvCAs is a PCRYPT_DATA_BLOB
  8529. ' For CERT_INSTALL_CA_FORMAT_URL
  8530. ' pvCAs is a LPCWSTR
  8531. '+-------------------------------------------------------------------------
  8532. ' convert formatted string to binary
  8533. ' If cchString is 0, then pszString is NULL terminated and
  8534. ' dwFlags defines string format
  8535. ' if ppbBinary is NULL, *pcbBinary returns the size of required memory
  8536. ' *pdwSkip returns the character count of skipped strings, optional
  8537. ' *pdwFlags returns the actual format used in the conversion, optional
  8538. '--------------------------------------------------------------------------
  8539. 'WINCRYPT32API
  8540. '+-------------------------------------------------------------------------
  8541. ' convert formatted string to binary
  8542. ' If cchString is 0, then pszString is NULL terminated and
  8543. ' dwFlags defines string format
  8544. ' if ppbBinary is NULL, *pcbBinary returns the size of required memory
  8545. ' *pdwSkip returns the character count of skipped strings, optional
  8546. ' *pdwFlags returns the actual format used in the conversion, optional
  8547. '--------------------------------------------------------------------------
  8548. 'WINCRYPT32API
  8549. '+-------------------------------------------------------------------------
  8550. ' convert binary to formatted string
  8551. ' dwFlags defines string format
  8552. ' if pszString is NULL, *pcchString returns the size of required memory in byte
  8553. '--------------------------------------------------------------------------
  8554. 'WINCRYPT32API
  8555. '+-------------------------------------------------------------------------
  8556. ' convert binary to formatted string
  8557. ' dwFlags defines string format
  8558. ' if pszString is NULL, *pcchString returns the size of required memory in byte
  8559. '--------------------------------------------------------------------------
  8560. 'WINCRYPT32API
  8561. ' dwFlags has the following defines
  8562. Public Const CRYPT_STRING_BASE64HEADER As Long = &H00000000
  8563. Public Const CRYPT_STRING_BASE64 As Long = &H00000001
  8564. Public Const CRYPT_STRING_BINARY As Long = &H00000002
  8565. Public Const CRYPT_STRING_BASE64REQUESTHEADER As Long = &H00000003
  8566. Public Const CRYPT_STRING_HEX As Long = &H00000004
  8567. Public Const CRYPT_STRING_HEXASCII As Long = &H00000005
  8568. Public Const CRYPT_STRING_BASE64_ANY As Long = &H00000006
  8569. Public Const CRYPT_STRING_ANY As Long = &H00000007
  8570. Public Const CRYPT_STRING_HEX_ANY As Long = &H00000008
  8571. Public Const CRYPT_STRING_BASE64X509CRLHEADER As Long = &H00000009
  8572. Public Const CRYPT_STRING_HEXADDR As Long = &H0000000a
  8573. Public Const CRYPT_STRING_HEXASCIIADDR As Long = &H0000000b
  8574. ' CryptBinaryToString uses the following flags
  8575. ' CRYPT_STRING_BASE64HEADER - base64 format with certificate begin
  8576. ' and end headers
  8577. ' CRYPT_STRING_BASE64 - only base64 without headers
  8578. ' CRYPT_STRING_BINARY - pure binary copy
  8579. ' CRYPT_STRING_BASE64REQUESTHEADER - base64 format with request begin
  8580. ' and end headers
  8581. ' CRYPT_STRING_BASE64X509CRLHEADER - base64 format with x509 crl begin
  8582. ' and end headers
  8583. ' CRYPT_STRING_HEX - only hex format
  8584. ' CRYPT_STRING_HEXASCII - hex format with ascii char display
  8585. ' CRYPT_STRING_HEXADDR - hex format with address display
  8586. ' CRYPT_STRING_HEXASCIIADDR - hex format with ascii char and address display
  8587. ' CryptStringToBinary uses the following flags
  8588. ' CRYPT_STRING_BASE64_ANY tries the following, in order:
  8589. ' CRYPT_STRING_BASE64HEADER
  8590. ' CRYPT_STRING_BASE64
  8591. ' CRYPT_STRING_ANY tries the following, in order:
  8592. ' CRYPT_STRING_BASE64_ANY
  8593. ' CRYPT_STRING_BINARY -- should always succeed
  8594. ' CRYPT_STRING_HEX_ANY tries the following, in order:
  8595. ' CRYPT_STRING_HEXADDR
  8596. ' CRYPT_STRING_HEXASCIIADDR
  8597. ' CRYPT_STRING_HEXASCII
  8598. ' CRYPT_STRING_HEX
'+---------------------------------------------------------------------------
'
' Microsoft Windows
'
' File: CertSrv.h
' Contents: Main Certificate Server header
' Also includes .h files for the COM interfaces
'
'----------------------------------------------------------------------------
' Service name of the Certificate Server; the registry locations described
' in the comments below are rooted under a key of this name.
Public Const wszSERVICE_NAME As String = "CertSvc"
'======================================================================
' Full path to "CertSvc\Configuration\":
'======================================================================
' Full path to "CertSvc\Configuration\RestoreInProgress":
'======================================================================
' NOTE(review): no VB constants for the two full paths above were carried
' over; presumably callers build them from wszSERVICE_NAME, wszREGKEYCONFIG
' and wszREGKEYRESTOREINPROGRESS - confirm against the consuming code.
' Key Under "CertSvc":
Public Const wszREGKEYCONFIG As String = "Configuration"
'======================================================================
' Values Under "CertSvc\Configuration":
Public Const wszREGACTIVE As String = "Active"
Public Const wszREGDIRECTORY As String = "ConfigurationDirectory"
Public Const wszREGDBDIRECTORY As String = "DBDirectory"
Public Const wszREGDBLOGDIRECTORY As String = "DBLogDirectory"
Public Const wszREGDBSYSDIRECTORY As String = "DBSystemDirectory"
Public Const wszREGDBTEMPDIRECTORY As String = "DBTempDirectory"
Public Const wszREGDBSESSIONCOUNT As String = "DBSessionCount"
Public Const wszREGWEBCLIENTCAMACHINE As String = "WebClientCAMachine"
Public Const wszREGVERSION As String = "Version"
Public Const wszREGWEBCLIENTCANAME As String = "WebClientCAName"
Public Const wszREGWEBCLIENTCATYPE As String = "WebClientCAType"
' Default value for wszREGDBSESSIONCOUNT
Public Const DBSESSIONCOUNTDEFAULT As Long = 20
' Value for wszREGVERSION:
Public Const CSVER_MAJOR As Long = 2
Public Const CSVER_MINOR As Long = 1
' Keys Under "CertSvc\Configuration":
Public Const wszREGKEYRESTOREINPROGRESS As String = "RestoreInProgress"
'======================================================================
' Values Under "CertSvc\Configuration\<CAName>":
' Registry value names for one CA instance. <CAName> is the CA's own key.
Public Const wszREGCADESCRIPTION As String = "CADescription"
Public Const wszREGCACERTHASH As String = "CACertHash"
Public Const wszREGCASERIALNUMBER As String = "CACertSerialNumber"
Public Const wszREGCAXCHGCERTHASH As String = "CAXchgCertHash"
Public Const wszREGKRACERTHASH As String = "KRACertHash"
Public Const wszREGCATYPE As String = "CAType"
Public Const wszREGCERTENROLLCOMPATIBLE As String = "CertEnrollCompatible"
Public Const wszREGENFORCEX500NAMELENGTHS As String = "EnforceX500NameLengths"
Public Const wszREGCOMMONNAME As String = "CommonName"
Public Const wszREGCLOCKSKEWMINUTES As String = "ClockSkewMinutes"
' The *PERIODSTRING / *PERIODCOUNT pairs below describe a time span: the
' string value takes one of the wszPERIOD* unit names ("Years", "Months", ...)
' defined later in this module, and the count value (registry name ending in
' "Units") presumably holds the number of those units - confirm in the server.
Public Const wszREGCRLNEXTPUBLISH As String = "CRLNextPublish"
Public Const wszREGCRLPERIODSTRING As String = "CRLPeriod"
Public Const wszREGCRLPERIODCOUNT As String = "CRLPeriodUnits"
Public Const wszREGCRLOVERLAPPERIODSTRING As String = "CRLOverlapPeriod"
Public Const wszREGCRLOVERLAPPERIODCOUNT As String = "CRLOverlapUnits"
Public Const wszREGCRLDELTANEXTPUBLISH As String = "CRLDeltaNextPublish"
Public Const wszREGCRLDELTAPERIODSTRING As String = "CRLDeltaPeriod"
Public Const wszREGCRLDELTAPERIODCOUNT As String = "CRLDeltaPeriodUnits"
Public Const wszREGCRLDELTAOVERLAPPERIODSTRING As String = "CRLDeltaOverlapPeriod"
Public Const wszREGCRLDELTAOVERLAPPERIODCOUNT As String = "CRLDeltaOverlapUnits"
' Publication URL lists; each entry carries a decimal CSURL_* flag prefix
' (see the CSURL_* constants and example below).
Public Const wszREGCRLPUBLICATIONURLS As String = "CRLPublicationURLs"
Public Const wszREGCACERTPUBLICATIONURLS As String = "CACertPublicationURLs"
Public Const wszREGCAXCHGVALIDITYPERIODSTRING As String = "CAXchgValidityPeriod"
Public Const wszREGCAXCHGVALIDITYPERIODCOUNT As String = "CAXchgValidityPeriodUnits"
Public Const wszREGCAXCHGOVERLAPPERIODSTRING As String = "CAXchgOverlapPeriod"
Public Const wszREGCAXCHGOVERLAPPERIODCOUNT As String = "CAXchgOverlapPeriodUnits"
' "_OLD" names are kept for reading configurations written by earlier versions.
Public Const wszREGCRLPATH_OLD As String = "CRLPath"
Public Const wszREGCRLEDITFLAGS As String = "CRLEditFlags"
Public Const wszREGCRLFLAGS As String = "CRLFlags"
Public Const wszREGCRLATTEMPTREPUBLISH As String = "CRLAttemptRepublish"
Public Const wszREGENABLED As String = "Enabled"
Public Const wszREGFORCETELETEX As String = "ForceTeletex"
Public Const wszREGLOGLEVEL As String = "LogLevel"
Public Const wszREGPOLICYFLAGS As String = "PolicyFlags"
Public Const wszREGNAMESEPARATOR As String = "SubjectNameSeparator"
Public Const wszREGSUBJECTTEMPLATE As String = "SubjectTemplate"
Public Const wszREGCAUSEDS As String = "UseDS"
Public Const wszREGVALIDITYPERIODSTRING As String = "ValidityPeriod"
Public Const wszREGVALIDITYPERIODCOUNT As String = "ValidityPeriodUnits"
Public Const wszREGPARENTCAMACHINE As String = "ParentCAMachine"
Public Const wszREGPARENTCANAME As String = "ParentCAName"
Public Const wszREGREQUESTFILENAME As String = "RequestFileName"
Public Const wszREGREQUESTID As String = "RequestId"
Public Const wszREGREQUESTKEYCONTAINER As String = "RequestKeyContainer"
Public Const wszREGREQUESTKEYINDEX As String = "RequestKeyIndex"
Public Const wszREGCASERVERNAME As String = "CAServerName"
Public Const wszREGCACERTFILENAME As String = "CACertFileName"
' NOTE(review): "Security" presumably holds the CA's access-control settings;
' writes to this value should be treated as privileged - confirm its type and
' consumer in the server code.
Public Const wszREGCASECURITY As String = "Security"
Public Const wszREGSETUPSTATUS As String = "SetupStatus"
' File name extensions and fixed file/directory names used by the server.
Public Const wszPFXFILENAMEEXT As String = ".p12"
Public Const wszDATFILENAMEEXT As String = ".dat"
Public Const wszLOGFILENAMEEXT As String = ".log"
Public Const wszPATFILENAMEEXT As String = ".pat"
Public Const wszDBFILENAMEEXT As String = ".edb"
Public Const szDBBASENAMEPARM As String = "edb"
Public Const wszLOGPATH As String = "CertLog"
Public Const wszDBBACKUPSUBDIR As String = "DataBase"
Public Const wszDBBACKUPCERTBACKDAT As String = "certback.dat"
' Values for wszREGCATYPE:
' NOTE(review): the CAType values themselves were not carried over into
' this module; only the registry value name (wszREGCATYPE) is defined here.
' Default value for wszREGCLOCKSKEWMINUTES
Public Const CCLOCKSKEWMINUTESDEFAULT As Long = 10
' Default unit counts for the *PERIODCOUNT registry values above.
Public Const dwVALIDITYPERIODCOUNTDEFAULT_ENTERPRISE As Long = 2
Public Const dwVALIDITYPERIODCOUNTDEFAULT_STANDALONE As Long = 1
Public Const dwCAXCHGVALIDITYPERIODCOUNTDEFAULT As Long = 1
Public Const dwCAXCHGOVERLAPPERIODCOUNTDEFAULT As Long = 1
Public Const dwCRLPERIODCOUNTDEFAULT As Long = 1
Public Const dwCRLOVERLAPPERIODCOUNTDEFAULT As Long = 0
Public Const dwCRLDELTAPERIODCOUNTDEFAULT As Long = 1
Public Const dwCRLDELTAOVERLAPPERIODCOUNTDEFAULT As Long = 0
' Values for wszREGLOGLEVEL:
' (not carried over into this module)
' Values for wszREGSETUPSTATUS:
' Bit flags recording how far setup has progressed; they may be combined.
Public Const SETUP_SERVER_FLAG As Long = &H00000001
Public Const SETUP_CLIENT_FLAG As Long = &H00000002
Public Const SETUP_SUSPEND_FLAG As Long = &H00000004
Public Const SETUP_REQUEST_FLAG As Long = &H00000008
Public Const SETUP_ONLINE_FLAG As Long = &H00000010
Public Const SETUP_DENIED_FLAG As Long = &H00000020
Public Const SETUP_CREATEDB_FLAG As Long = &H00000040
Public Const SETUP_ATTEMPT_VROOT_CREATE As Long = &H00000080
Public Const SETUP_FORCECRL_FLAG As Long = &H00000100
' Values for wszREGCRLFLAGS:
' Bit flags controlling CRL generation.
Public Const CRLF_DELTA_USE_OLDEST_UNEXPIRED_BASE As Long = &H00000001
' else use newest base CRL that satisfies base CRL propagation delay
Public Const CRLF_DELETE_EXPIRED_CRLS As Long = &H00000002
Public Const CRLF_CRLNUMBER_CRITICAL As Long = &H00000004
' Values for numeric prefixes for
' wszREGCRLPUBLICATIONURLS and wszREGCACERTPUBLICATIONURLS:
'
' URL publication template Flags values, encoded as a decimal prefix for URL
' publication templates in the registry:
' "1:c:\winnt\System32\CertSrv\CertEnroll\MyCA.crl"
' (the "1:" prefix in the example is CSURL_SERVERPUBLISH)
Public Const CSURL_SERVERPUBLISH As Long = &H00000001
Public Const CSURL_ADDTOCERTCDP As Long = &H00000002
Public Const CSURL_ADDTOFRESHESTCRL As Long = &H00000004
Public Const CSURL_ADDTOCRLCDP As Long = &H00000008
Public Const CSURL_PUBLISHRETRY As Long = &H00000010
'======================================================================
' Keys Under "CertSvc\Configuration\<CAName>":
' Subkey names below the CA's key.
Public Const wszREGKEYCSP As String = "CSP"
Public Const wszREGKEYEXITMODULES As String = "ExitModules"
Public Const wszREGKEYPOLICYMODULES As String = "PolicyModules"
Public Const wszSECUREDATTRIBUTES As String = "SignedAttributes"
'======================================================================
' Values Under "CertSvc\Configuration\RestoreInProgress":
' State written while a database restore is in progress.
Public Const wszREGBACKUPLOGDIRECTORY As String = "BackupLogDirectory"
Public Const wszREGCHECKPOINTFILE As String = "CheckPointFile"
Public Const wszREGHIGHLOGNUMBER As String = "HighLogNumber"
Public Const wszREGLOWLOGNUMBER As String = "LowLogNumber"
Public Const wszREGLOGPATH As String = "LogPath"
Public Const wszREGRESTOREMAPCOUNT As String = "RestoreMapCount"
Public Const wszREGRESTOREMAP As String = "RestoreMap"
Public Const wszREGDATABASERECOVERED As String = "DatabaseRecovered"
Public Const wszREGRESTORESTATUS As String = "RestoreStatus"
' Legacy value names, kept for upgrading older installations.
' values under \Configuration\PolicyModules in nt5 beta 2
Public Const wszREGB2ICERTMANAGEMODULE As String = "ICertManageModule"
' values under \Configuration in nt4 sp4
Public Const wszREGSP4DEFAULTCONFIGURATION As String = "DefaultConfiguration"
' values under ca in nt4 sp4
Public Const wszREGSP4KEYSETNAME As String = "KeySetName"
Public Const wszREGSP4SUBJECTNAMESEPARATOR As String = "SubjectNameSeparator"
Public Const wszREGSP4NAMES As String = "Names"
Public Const wszREGSP4QUERIES As String = "Queries"
' both nt4 sp4 and nt5 beta 2
Public Const wszREGNETSCAPECERTTYPE As String = "NetscapeCertType"
Public Const wszNETSCAPEREVOCATIONTYPE As String = "Netscape"
'======================================================================
' Values Under "CertSvc\Configuration\<CAName>\CSP":
' Registry value names selecting the CA's cryptographic provider: provider
' type, provider name, hash algorithm and the machine-keyset switch.
Public Const wszREGPROVIDERTYPE As String = "ProviderType"
Public Const wszREGPROVIDER As String = "Provider"
Public Const wszHASHALGORITHM As String = "HashAlgorithm"
Public Const wszMACHINEKEYSET As String = "MachineKeyset"
  8769. '======================================================================
  8770. ' Value strings for "CertSvc\Configuration\<CAName>\SubjectNameSeparator":
  8771. Public Const szNAMESEPARATORDEFAULT As String = "\n"
'======================================================================
' Value strings for "CertSvc\Configuration\<CAName>\ValidityPeriod", etc.:
' Unit names accepted by the *PERIODSTRING registry values above; the
' matching *PERIODCOUNT value supplies the number of units.
Public Const wszPERIODYEARS As String = "Years"
Public Const wszPERIODMONTHS As String = "Months"
Public Const wszPERIODWEEKS As String = "Weeks"
Public Const wszPERIODDAYS As String = "Days"
Public Const wszPERIODHOURS As String = "Hours"
Public Const wszPERIODMINUTES As String = "Minutes"
Public Const wszPERIODSECONDS As String = "Seconds"
'======================================================================
' Values Under "CertSvc\Configuration\<CAName>\PolicyModules\<ProgId>":
' Registry value names read by the policy module registered as <ProgId>.
Public Const wszREGISSUERCERTURLFLAGS As String = "IssuerCertURLFlags"
Public Const wszREGEDITFLAGS As String = "EditFlags"
' NOTE(review): the SubjectAltName values configure how the policy module
' fills the subject alternative name; what input they accept is not visible
' here - confirm in the policy module before enabling either.
Public Const wszREGSUBJECTALTNAME As String = "SubjectAltName"
Public Const wszREGSUBJECTALTNAME2 As String = "SubjectAltName2"
Public Const wszREGREQUESTDISPOSITION As String = "RequestDisposition"
Public Const wszREGCAPATHLENGTH As String = "CAPathLength"
Public Const wszREGREVOCATIONTYPE As String = "RevocationType"
' "_OLD" names are the pre-CRLPublicationURLs way of configuring CDP / AIA
' locations; kept for reading older configurations.
Public Const wszREGLDAPREVOCATIONCRLURL_OLD As String = "LDAPRevocationCRLURL"
Public Const wszREGREVOCATIONCRLURL_OLD As String = "RevocationCRLURL"
Public Const wszREGFTPREVOCATIONCRLURL_OLD As String = "FTPRevocationCRLURL"
Public Const wszREGFILEREVOCATIONCRLURL_OLD As String = "FileRevocationCRLURL"
Public Const wszREGREVOCATIONURL As String = "RevocationURL"
Public Const wszREGLDAPISSUERCERTURL_OLD As String = "LDAPIssuerCertURL"
Public Const wszREGISSUERCERTURL_OLD As String = "IssuerCertURL"
Public Const wszREGFTPISSUERCERTURL_OLD As String = "FTPIssuerCertURL"
Public Const wszREGFILEISSUERCERTURL_OLD As String = "FileIssuerCertURL"
Public Const wszREGENABLEREQUESTEXTENSIONLIST As String = "EnableRequestExtensionList"
Public Const wszREGDISABLEEXTENSIONLIST As String = "DisableExtensionList"
' wszREGCAPATHLENGTH Values:
' &Hffffffff is the Long value -1 in VB; it is bit-for-bit the DWORD
' 0xFFFFFFFF of the C header. Compare against this constant, not against an
' unsigned literal, when checking for "no path length limit".
Public Const CAPATHLENGTH_INFINITE As Long = &Hffffffff
' wszREGREQUESTDISPOSITION Values:
' The disposition proper lives in the low byte (REQDISP_MASK); REQDISP_PENDINGFIRST
' is a separate flag bit above the mask.
Public Const REQDISP_PENDING As Long = &H00000000
Public Const REQDISP_ISSUE As Long = &H00000001
Public Const REQDISP_DENY As Long = &H00000002
Public Const REQDISP_USEREQUESTATTRIBUTE As Long = &H00000003
Public Const REQDISP_MASK As Long = &H000000ff
Public Const REQDISP_PENDINGFIRST As Long = &H00000100
' wszREGREVOCATIONTYPE Values:
' The *_OLD URL-type bits sit in the low byte (REVEXT_CDPURLMASK_OLD); the
' enable bits are above it.
Public Const REVEXT_CDPLDAPURL_OLD As Long = &H00000001
Public Const REVEXT_CDPHTTPURL_OLD As Long = &H00000002
Public Const REVEXT_CDPFTPURL_OLD As Long = &H00000004
Public Const REVEXT_CDPFILEURL_OLD As Long = &H00000008
Public Const REVEXT_CDPURLMASK_OLD As Long = &H000000ff
Public Const REVEXT_CDPENABLE As Long = &H00000100
Public Const REVEXT_ASPENABLE As Long = &H00000200
' wszREGISSUERCERTURLFLAGS Values:
' Same layout as the REVEXT_* values: URL-type bits in the low byte, enable bit above.
Public Const ISSCERT_LDAPURL_OLD As Long = &H00000001
Public Const ISSCERT_HTTPURL_OLD As Long = &H00000002
Public Const ISSCERT_FTPURL_OLD As Long = &H00000004
Public Const ISSCERT_FILEURL_OLD As Long = &H00000008
Public Const ISSCERT_URLMASK_OLD As Long = &H000000ff
Public Const ISSCERT_ENABLE As Long = &H00000100
' wszREGEDITFLAGS Values: Defaults:
' NOTE(review): the header's "Defaults" column was not carried over, so this
' module does not record which bits are on by default. Names such as
' EDITF_ENABLEREQUESTEXTENSIONS and EDITF_ATTRIBUTECA suggest bits that let
' requester-supplied extensions or attributes shape the issued certificate;
' treat changes to EditFlags as security-relevant and confirm the defaults
' against the policy module before relying on them.
Public Const EDITF_ENABLEREQUESTEXTENSIONS As Long = &H00000001
Public Const EDITF_REQUESTEXTENSIONLIST As Long = &H00000002
Public Const EDITF_DISABLEEXTENSIONLIST As Long = &H00000004
Public Const EDITF_ADDOLDKEYUSAGE As Long = &H00000008
Public Const EDITF_ADDOLDCERTTYPE As Long = &H00000010
Public Const EDITF_ATTRIBUTEENDDATE As Long = &H00000020
Public Const EDITF_BASICCONSTRAINTSCRITICAL As Long = &H00000040
Public Const EDITF_BASICCONSTRAINTSCA As Long = &H00000080
Public Const EDITF_ENABLEAKIKEYID As Long = &H00000100
Public Const EDITF_ATTRIBUTECA As Long = &H00000200
Public Const EDITF_IGNOREREQUESTERGROUP As Long = &H00000400
Public Const EDITF_ENABLEAKIISSUERNAME As Long = &H00000800
Public Const EDITF_ENABLEAKIISSUERSERIAL As Long = &H00001000
Public Const EDITF_ENABLEAKICRITICAL As Long = &H00002000
'======================================================================
' Values Under "CertSvc\Configuration\<CAName>\ExitModules\<ProgId>":
' Registry value names read by the exit module registered as <ProgId>.
' LDAP based CRL and URL issuance
Public Const wszREGLDAPREVOCATIONDN_OLD As String = "LDAPRevocationDN"
Public Const wszREGLDAPREVOCATIONDNTEMPLATE_OLD As String = "LDAPRevocationDNTemplate"
Public Const wszCRLPUBLISHRETRYCOUNT As String = "CRLPublishRetryCount"
Public Const wszREGCERTPUBLISHFLAGS As String = "PublishCertFlags"
' wszREGCERTPUBLISHFLAGS Values:
' Bit flags selecting where the exit module publishes issued certificates
' and whom it notifies; they may be combined.
Public Const EXITPUB_FILE As Long = &H00000001
Public Const EXITPUB_ACTIVEDIRECTORY As Long = &H00000002
Public Const EXITPUB_EMAILNOTIFYALL As Long = &H00000004
Public Const EXITPUB_EMAILNOTIFYSMARTCARD As Long = &H00000008
Public Const EXITPUB_REMOVEOLDCERTS As Long = &H00000010
' COM ProgIDs of the Certificate Server client objects.
Public Const wszCLASS_CERTADMIN As String = "CertificateAuthority.Admin"
Public Const wszCLASS_CERTCONFIG As String = "CertificateAuthority.Config"
Public Const wszCLASS_CERTGETCONFIG As String = "CertificateAuthority.GetConfig"
Public Const wszCLASS_CERTENCODE As String = "CertificateAuthority.Encode"
Public Const wszCLASS_CERTREQUEST As String = "CertificateAuthority.Request"
Public Const wszCLASS_CERTSERVEREXIT As String = "CertificateAuthority.ServerExit"
Public Const wszCLASS_CERTSERVERPOLICY As String = "CertificateAuthority.ServerPolicy"
Public Const wszCLASS_CERTVIEW As String = "CertificateAuthority.View"
' class name templates
' The default module ProgIDs are presumably PREFIX & POSTFIX; the composed
' names themselves were not carried over into this module.
Public Const wszMICROSOFTCERTMODULE_PREFIX As String = "CertificateAuthority_MicrosoftDefault"
Public Const wszCERTEXITMODULE_POSTFIX As String = ".Exit"
Public Const wszCERTMANAGEEXIT_POSTFIX As String = ".ExitManage"
Public Const wszCERTPOLICYMODULE_POSTFIX As String = ".Policy"
Public Const wszCERTMANAGEPOLICY_POSTFIX As String = ".PolicyManage"
' actual policy/exit manage class names
' actual policy/exit class names
'+--------------------------------------------------------------------------
' Name properties:
' Property names for the components of an X.500 name.
Public Const wszPROPDISTINGUISHEDNAME As String = "DistinguishedName"
Public Const wszPROPRAWNAME As String = "RawName"
Public Const wszPROPNAMETYPE As String = "NameType"
Public Const wszPROPCOUNTRY As String = "Country"
Public Const wszPROPORGANIZATION As String = "Organization"
Public Const wszPROPORGUNIT As String = "OrgUnit"
Public Const wszPROPCOMMONNAME As String = "CommonName"
Public Const wszPROPLOCALITY As String = "Locality"
Public Const wszPROPSTATE As String = "State"
Public Const wszPROPTITLE As String = "Title"
Public Const wszPROPGIVENNAME As String = "GivenName"
Public Const wszPROPINITIALS As String = "Initials"
Public Const wszPROPSURNAME As String = "SurName"
Public Const wszPROPDOMAINCOMPONENT As String = "DomainComponent"
Public Const wszPROPEMAIL As String = "EMail"
Public Const wszPROPSTREETADDRESS As String = "StreetAddress"
Public Const wszPROPUNSTRUCTUREDNAME As String = "UnstructuredName"
Public Const wszPROPUNSTRUCTUREDADDRESS As String = "UnstructuredAddress"
Public Const wszPROPDEVICESERIALNUMBER As String = "DeviceSerialNumber"
'+--------------------------------------------------------------------------
' Subject Name properties:
' Prefix; presumably combined with the name property names above
' (e.g. "Subject." & wszPROPCOMMONNAME) - confirm against the caller.
Public Const wszPROPSUBJECTDOT As String = "Subject."
'+--------------------------------------------------------------------------
' Request properties:
' Prefix for request-row properties, plus the property names themselves.
Public Const wszPROPREQUESTDOT As String = "Request."
Public Const wszPROPREQUESTREQUESTID As String = "RequestID"
Public Const wszPROPREQUESTRAWREQUEST As String = "RawRequest"
Public Const wszPROPREQUESTRAWARCHIVEDKEY As String = "RawArchivedKey"
Public Const wszPROPREQUESTKEYRECOVERYHASHES As String = "KeyRecoveryHashes"
Public Const wszPROPREQUESTRAWOLDCERTIFICATE As String = "RawOldCertificate"
Public Const wszPROPREQUESTATTRIBUTES As String = "RequestAttributes"
Public Const wszPROPREQUESTTYPE As String = "RequestType"
Public Const wszPROPREQUESTFLAGS As String = "RequestFlags"
Public Const wszPROPREQUESTSTATUSCODE As String = "StatusCode"
Public Const wszPROPREQUESTDISPOSITION As String = "Disposition"
Public Const wszPROPREQUESTDISPOSITIONMESSAGE As String = "DispositionMessage"
Public Const wszPROPREQUESTSUBMITTEDWHEN As String = "SubmittedWhen"
Public Const wszPROPREQUESTRESOLVEDWHEN As String = "ResolvedWhen"
Public Const wszPROPREQUESTREVOKEDWHEN As String = "RevokedWhen"
Public Const wszPROPREQUESTREVOKEDEFFECTIVEWHEN As String = "RevokedEffectiveWhen"
Public Const wszPROPREQUESTREVOKEDREASON As String = "RevokedReason"
Public Const wszPROPREQUESTERNAME As String = "RequesterName"
'+--------------------------------------------------------------------------
' Request attribute properties:
' Attribute names that may accompany a request. Note that "Disposition"
' is used both here (wszPROPDISPOSITION) and as a request property above
' (wszPROPREQUESTDISPOSITION).
Public Const wszPROPCHALLENGE As String = "Challenge"
Public Const wszPROPEXPECTEDCHALLENGE As String = "ExpectedChallenge"
Public Const wszPROPDISPOSITION As String = "Disposition"
Public Const wszPROPDISPOSITIONDENY As String = "Deny"
Public Const wszPROPDISPOSITIONPENDING As String = "Pending"
Public Const wszPROPVALIDITYPERIODSTRING As String = "ValidityPeriod"
Public Const wszPROPVALIDITYPERIODCOUNT As String = "ValidityPeriodUnits"
Public Const wszPROPCERTTYPE As String = "CertType"
Public Const wszPROPCERTTEMPLATE As String = "CertificateTemplate"
Public Const wszPROPREQUESTOSVERSION As String = "RequestOSVersion"
Public Const wszPROPREQUESTCSPPROVIDER As String = "RequestCSPProvider"
Public Const wszPROPEXITCERTFILE As String = "CertFile"
'+--------------------------------------------------------------------------
' Hardcoded properties
' ".#" means ".0", ".1", ".2" ... may be appended to the property name to
' collect context specific values. For some properties, the suffix selects
' the CA certificate context. For others, it selects the CA CRL context.
Public Const wszPROPCATYPE As String = "CAType"
Public Const wszPROPSANITIZEDCANAME As String = "SanitizedCAName"
Public Const wszPROPSANITIZEDSHORTNAME As String = "SanitizedShortName"
Public Const wszPROPMACHINEDNSNAME As String = "MachineDNSName"
Public Const wszPROPMODULEREGLOC As String = "ModuleRegistryLocation"
Public Const wszPROPREQUESTERCAACCESS As String = "RequesterCAAccess"
Public Const wszPROPUSEDS As String = "fUseDS"
Public Const wszPROPCONFIGDN As String = "ConfigDN"
Public Const wszPROPDOMAINDN As String = "DomainDN"
' CA certificate context properties (suffix selects the certificate).
Public Const wszPROPCERTCOUNT As String = "CertCount"
Public Const wszPROPRAWCACERTIFICATE As String = "RawCACertificate"
Public Const wszPROPCERTSTATE As String = "CertState"
Public Const wszPROPCERTSUFFIX As String = "CertSuffix"
' CA CRL context properties (suffix selects the CRL).
Public Const wszPROPRAWCRL As String = "RawCRL"
Public Const wszPROPRAWDELTACRL As String = "RawDeltaCRL"
Public Const wszPROPCRLINDEX As String = "CRLIndex"
Public Const wszPROPCRLSTATE As String = "CRLState"
Public Const wszPROPCRLSUFFIX As String = "CRLSuffix"
' NOTE(review): the CA_DISP_* lines below are orphaned annotations; they
' presumably listed the possible CertState / CRLState values in the original
' header. The CA_DISP_* constants themselves are defined later in this module.
' CA_DISP_REVOKED
' CA_DISP_VALID
' CA_DISP_INVALID
' CA_DISP_ERROR
' CA_DISP_REVOKED
'
' CA_DISP_VALID
' CA_DISP_INVALID
' CA_DISP_ERROR
'+--------------------------------------------------------------------------
' Certificate properties:
' Property names for an issued certificate's database row.
Public Const wszPROPCERTIFICATEREQUESTID As String = "RequestID"
Public Const wszPROPRAWCERTIFICATE As String = "RawCertificate"
Public Const wszPROPCERTIFICATEHASH As String = "CertificateHash"
Public Const wszPROPCERTIFICATETYPE As String = "CertificateType"
Public Const wszPROPCERTIFICATESERIALNUMBER As String = "SerialNumber"
Public Const wszPROPCERTIFICATENOTBEFOREDATE As String = "NotBefore"
Public Const wszPROPCERTIFICATENOTAFTERDATE As String = "NotAfter"
Public Const wszPROPCERTIFICATESUBJECTKEYIDENTIFIER As String = "SubjectKeyIdentifier"
Public Const wszPROPCERTIFICATERAWPUBLICKEY As String = "RawPublicKey"
Public Const wszPROPCERTIFICATEPUBLICKEYALGORITHM As String = "PublicKeyAlgorithm"
Public Const wszPROPCERTIFICATERAWSMIMECAPABILITIES As String = "RawSMIMECapabilities"
'+--------------------------------------------------------------------------
' Certificate extension properties:
' ExtensionFlags layout: the low 16 bits (EXTENSION_POLICY_MASK) hold the
' critical/disable bits; bits 16-19 (EXTENSION_ORIGIN_MASK) record which
' component supplied the extension.
Public Const EXTENSION_CRITICAL_FLAG As Long = &H00000001
Public Const EXTENSION_DISABLE_FLAG As Long = &H00000002
Public Const EXTENSION_POLICY_MASK As Long = &H0000ffff
Public Const EXTENSION_ORIGIN_REQUEST As Long = &H00010000
Public Const EXTENSION_ORIGIN_POLICY As Long = &H00020000
Public Const EXTENSION_ORIGIN_ADMIN As Long = &H00030000
Public Const EXTENSION_ORIGIN_SERVER As Long = &H00040000
Public Const EXTENSION_ORIGIN_RENEWALCERT As Long = &H00050000
Public Const EXTENSION_ORIGIN_IMPORTEDCERT As Long = &H00060000
Public Const EXTENSION_ORIGIN_PKCS7 As Long = &H00070000
Public Const EXTENSION_ORIGIN_CMC As Long = &H00080000
Public Const EXTENSION_ORIGIN_MASK As Long = &H000f0000
'+--------------------------------------------------------------------------
' Extension properties:
Public Const wszPROPEXTREQUESTID As String = "ExtensionRequestId"
Public Const wszPROPEXTNAME As String = "ExtensionName"
Public Const wszPROPEXTFLAGS As String = "ExtensionFlags"
Public Const wszPROPEXTRAWVALUE As String = "ExtensionRawValue"
'+--------------------------------------------------------------------------
' Attribute properties:
Public Const wszPROPATTRIBREQUESTID As String = "AttributeRequestId"
Public Const wszPROPATTRIBNAME As String = "AttributeName"
Public Const wszPROPATTRIBVALUE As String = "AttributeValue"
'+--------------------------------------------------------------------------
' CRL properties:
Public Const wszPROPCRLROWID As String = "CRLRowId"
Public Const wszPROPCRLNUMBER As String = "CRLNumber"
Public Const wszPROPCRLMINBASE As String = "CRLMinBase"
Public Const wszPROPCRLNAMEID As String = "CRLNameId"
Public Const wszPROPCRLCOUNT As String = "CRLCount"
Public Const wszPROPCRLTHISUPDATE As String = "CRLThisUpdate"
Public Const wszPROPCRLNEXTUPDATE As String = "CRLNextUpdate"
Public Const wszPROPCRLTHISPUBLISH As String = "CRLThisPublish"
Public Const wszPROPCRLNEXTPUBLISH As String = "CRLNextPublish"
Public Const wszPROPCRLEFFECTIVE As String = "CRLEffective"
Public Const wszPROPCRLPROPAGATIONCOMPLETE As String = "CRLPropagationComplete"
Public Const wszPROPCRLRAWCRL As String = "CRLRawCRL"
'+--------------------------------------------------------------------------
' GetProperty/SetProperty Flags:
'
' Flag layout: the low byte (PROPTYPE_MASK) carries the value type, the next
' nibble (PROPCALLER_MASK) identifies the caller, and PROPFLAGS_INDEXED is a
' separate bit above both.
' Choose one Type
Public Const PROPTYPE_LONG As Long = &H00000001
Public Const PROPTYPE_DATE As Long = &H00000002
Public Const PROPTYPE_BINARY As Long = &H00000003
Public Const PROPTYPE_STRING As Long = &H00000004
Public Const PROPTYPE_MASK As Long = &H000000ff
' Choose one Caller:
Public Const PROPCALLER_SERVER As Long = &H00000100
Public Const PROPCALLER_POLICY As Long = &H00000200
Public Const PROPCALLER_EXIT As Long = &H00000300
Public Const PROPCALLER_ADMIN As Long = &H00000400
Public Const PROPCALLER_REQUEST As Long = &H00000500
Public Const PROPCALLER_MASK As Long = &H00000f00
Public Const PROPFLAGS_INDEXED As Long = &H00010000
' RequestFlags definitions:
Public Const CR_FLG_FORCETELETEX As Long = &H00000001
Public Const CR_FLG_RENEWAL As Long = &H00000002
Public Const CR_FLG_FORCEUTF8 As Long = &H00000004
Public Const CR_FLG_CAXCHGCERT As Long = &H00000008
' Disposition property values:
' Queue dispositions are below DB_DISP_QUEUE_MAX, log dispositions start at
' DB_DISP_LOG_MIN, and failed log dispositions start at DB_DISP_LOG_FAILED_MIN.
' Disposition values for requests in the queue:
Public Const DB_DISP_ACTIVE As Long = 8
Public Const DB_DISP_PENDING As Long = 9
Public Const DB_DISP_QUEUE_MAX As Long = 9
Public Const DB_DISP_CA_CERT As Long = 15
Public Const DB_DISP_CA_CERT_CHAIN As Long = 16
' Disposition values for requests in the log:
Public Const DB_DISP_LOG_MIN As Long = 20
Public Const DB_DISP_ISSUED As Long = 20
Public Const DB_DISP_REVOKED As Long = 21
' Disposition values for failed requests in the log:
Public Const DB_DISP_LOG_FAILED_MIN As Long = 30
Public Const DB_DISP_ERROR As Long = 30
Public Const DB_DISP_DENIED As Long = 31
' NOTE(review): the VR_* values have no accompanying description in this
' module; the names suggest a verification result - confirm their consumer.
Public Const VR_PENDING As Long = 0
Public Const VR_INSTANT_OK As Long = 1
Public Const VR_INSTANT_BAD As Long = 2
'+--------------------------------------------------------------------------
' Known request Attribute names and Value strings
' RequestType attribute name:
Public Const wszCERT_TYPE As String = "RequestType"
' RequestType attribute values:
' Not specified:
Public Const wszCERT_TYPE_CLIENT As String = "Client"
Public Const wszCERT_TYPE_SERVER As String = "Server"
Public Const wszCERT_TYPE_CODESIGN As String = "CodeSign"
Public Const wszCERT_TYPE_CUSTOMER As String = "SetCustomer"
Public Const wszCERT_TYPE_MERCHANT As String = "SetMerchant"
Public Const wszCERT_TYPE_PAYMENT As String = "SetPayment"
' Version attribute name:
Public Const wszCERT_VERSION As String = "Version"
' Version attribute values:
' Not specified:
Public Const wszCERT_VERSION_1 As String = "1"
Public Const wszCERT_VERSION_2 As String = "2"
Public Const wszCERT_VERSION_3 As String = "3"
' CA certificate / CRL state dispositions (see the CertState and CRLState
' properties above).
Public Const CA_DISP_INCOMPLETE As Long = 0
Public Const CA_DISP_ERROR As Long = &H1
Public Const CA_DISP_REVOKED As Long = &H2
Public Const CA_DISP_VALID As Long = &H3
Public Const CA_DISP_INVALID As Long = &H4
Public Const CA_DISP_UNDER_SUBMISSION As Long = &H5
' CRL kinds.
Public Const CA_CRL_BASE As Long = &H1
Public Const CA_CRL_DELTA As Long = &H2
'+--------------------------------------------------------------------------
'
' Microsoft Windows
'
' File: certbcli.h
'
' Contents: Cert Server backup client APIs
'
'---------------------------------------------------------------------------
Public Const szBACKUPANNOTATION As String = "Cert Server Backup Interface"
Public Const szRESTOREANNOTATION As String = "Cert Server Restore Interface"
' Type of Backup passed to CertSrvBackupPrepare:
' CSBACKUP_TYPE_LOGS_ONLY: Requesting backup of only the log files
' CSBACKUP_TYPE_INCREMENTAL: Requesting incremental backup
' CertSrvBackupPrepare flags:
' CSBACKUP_TYPE_MASK (&H3) covers FULL and LOGS_ONLY only; the INCREMENTAL
' bit (0x4) is commented out in the header and is not part of the mask.
Public Const CSBACKUP_TYPE_FULL As Long = &H00000001
Public Const CSBACKUP_TYPE_LOGS_ONLY As Long = &H00000002
'#define CSBACKUP_TYPE_INCREMENTAL 0x00000004
Public Const CSBACKUP_TYPE_MASK As Long = &H00000003
' Type of Restore passed to CertSrvRestorePrepare:
' CSRESTORE_TYPE_ONLINE: Restoration is done when Cert Server is online.
' CSRESTORE_TYPE_MASK (&H5) covers FULL and CATCHUP; CSRESTORE_TYPE_ONLINE
' (&H2) is outside the mask, so mask the value before comparing restore types.
Public Const CSRESTORE_TYPE_FULL As Long = &H00000001
Public Const CSRESTORE_TYPE_ONLINE As Long = &H00000002
Public Const CSRESTORE_TYPE_CATCHUP As Long = &H00000004
Public Const CSRESTORE_TYPE_MASK As Long = &H00000005
' Setting the current log # to this value would disable incremental backup
' &Hffffffff is the Long value -1 in VB (bit-for-bit the header's 0xFFFFFFFF).
Public Const CSBACKUP_DISABLE_INCREMENTAL As Long = &Hffffffff
' We keep them as a character so that we can append/prepend them to the actual
' file path. The code in the Backup API's rely on the fact that values 0-256
' in 8 bit ascii map to the values 0-256 in unicode.
' Bit flags:
' CSBFT_DIRECTORY - path specified is a directory
' CSBFT_DATABASE_DIRECTORY - that file goes into database directory
' CSBFT_LOG_DIRECTORY - that the file goes into log directory
' These occupy the top three bits of a byte (&H80, &H40, &H20) so they can be
' carried in a single character prepended to the path, as described above.
Public Const CSBFT_DIRECTORY As Long = &H80
Public Const CSBFT_DATABASE_DIRECTORY As Long = &H40
Public Const CSBFT_LOG_DIRECTORY As Long = &H20
' Following combinations are defined for easy use of the filetype and the
' directory into which it goes
' (the combined CSBFT_* values were not carried over into this module)
' Backup Context Handle
' (the handle type was not carried over into this module)
' For all the functions in this interface that have at least one string
' parameter, provide macros to invoke the appropriate version of the
' corresponding function.
  9121. '+--------------------------------------------------------------------------
  9122. ' CertSrvIsServerOnline -- check to see if the Cert Server is Online on the
  9123. ' given server. This call is guaranteed to return quickly.
  9124. '
  9125. ' Parameters:
  9126. ' [in] pwszServerName - name or config string of the server to check
  9127. ' [out] pfServerOnline - pointer to receive the bool result
  9128. ' Returns:
  9129. ' S_OK if the call executed successfully;
  9130. ' Failure code otherwise.
  9131. '+--------------------------------------------------------------------------
  9132. '+--------------------------------------------------------------------------
  9133. ' CertSrvBackupGetDynamicFileList -- return the list of dynamic files that
  9134. ' need to be backed up in addition to database files.
  9135. '
  9136. ' Parameters:
  9137. ' [in] hbc - backup context handle
' [out] ppwszzFileList - pointer to receive the pointer to the file list;
' allocated memory should be freed using CertSrvBackupFree
' by the caller when it is no longer needed; The file list info
' is an array of null-terminated filenames and the list is
' terminated by two L'\0's.
  9142. ' [out] pcbSize - will receive the number of bytes returned
  9143. '
  9144. ' Returns:
  9145. ' S_OK if the call executed successfully;
  9146. ' Failure code otherwise.
  9147. '---------------------------------------------------------------------------
  9148. '+--------------------------------------------------------------------------
  9149. ' CertSrvBackupPrepare -- prepare the DB for the online backup and return a
  9150. ' Backup Context Handle to be used for subsequent calls to backup
  9151. ' functions.
  9152. '
  9153. ' Parameters:
  9154. ' [in] pwszServerName - name or config string of the server to check
  9155. ' [in] grbitJet - flag to be passed to jet while backing up dbs
  9156. ' [in] dwBackupFlags - CSBACKUP_TYPE_FULL or CSBACKUP_TYPE_LOGS_ONLY
  9157. ' [out] phbc - pointer that will receive the backup context handle
  9158. '
  9159. ' Returns:
  9160. ' S_OK if the call executed successfully;
  9161. ' Failure code otherwise.
  9162. '---------------------------------------------------------------------------
  9163. '+--------------------------------------------------------------------------
  9164. ' CertSrvBackupGetDatabaseNames -- return the list of data bases that need to
  9165. ' be backed up for the given backup context
  9166. '
  9167. ' Parameters:
  9168. ' [in] hbc - backup context handle
' [out] ppwszzAttachmentInformation - pointer to receive the pointer to
' the attachment info; allocated memory should be freed using
' CertSrvBackupFree by the caller when it is no longer
' needed; Attachment info is an array of null-terminated
' filenames and the list is terminated by two L'\0's.
  9173. ' [out] pcbSize - will receive the number of bytes returned
  9174. '
  9175. ' Returns:
  9176. ' S_OK if the call executed successfully;
  9177. ' Failure code otherwise.
  9178. '---------------------------------------------------------------------------
  9179. '+--------------------------------------------------------------------------
  9180. ' CertSrvBackupOpenFile -- open the given attachment for read.
  9181. '
  9182. ' Parameters:
  9183. ' [in] hbc - backup context handle
  9184. ' [in] pwszAttachmentName - name of the attachment to be opened for read
  9185. ' [in] cbReadHintSize - suggested size in bytes that might be used
  9186. ' during the subsequent reads on this attachment
  9187. ' [out] pliFileSize - pointer to a large integer that would receive the
  9188. ' size in bytes of the given attachment
  9189. ' Returns:
  9190. ' S_OK if the call executed successfully;
  9191. ' Failure code otherwise.
  9192. '---------------------------------------------------------------------------
  9193. '+--------------------------------------------------------------------------
' CertSrvBackupRead -- read bytes of the currently open attachment into the
' given buffer. The client application is expected to call this function
' repeatedly until the bytes read add up to the file size it
' received through the preceding CertSrvBackupOpenFile call.
  9197. '
  9198. ' Parameters:
  9199. ' [in] hbc - backup context handle
  9200. ' [out] pvBuffer - pointer to the buffer that would receive the read data.
  9201. ' [in] cbBuffer - specifies the size of the above buffer
  9202. ' [out] pcbRead - pointer to receive the actual number of bytes read.
  9203. '
  9204. ' Returns:
  9205. ' S_OK if the call executed successfully;
  9206. ' Failure code otherwise.
  9207. '---------------------------------------------------------------------------
  9208. '+--------------------------------------------------------------------------
' CertSrvBackupClose -- called by the application after it completes reading all
' the data in the currently opened attachment.
  9211. '
  9212. ' Parameters:
  9213. ' [in] hbc - backup context handle
  9214. '
  9215. ' Returns:
  9216. ' S_OK if the call executed successfully;
  9217. ' Failure code otherwise.
  9218. '---------------------------------------------------------------------------
  9219. '+--------------------------------------------------------------------------
  9220. ' CertSrvBackupGetBackupLogs -- return the list of log files that need to be
  9221. ' backed up for the given backup context
  9222. '
  9223. ' Parameters:
  9224. ' [in] hbc - backup context handle
' [out] pwszzBackupLogFiles - pointer that will receive the pointer to
' the list of log files; allocated memory should be freed using
' CertSrvBackupFree by the caller when it is no
' longer needed; Log files are returned in an array of
' null-terminated filenames and the list is terminated by two
' L'\0's
  9230. ' [out] pcbSize - will receive the number of bytes returned
  9231. '
  9232. ' Returns:
  9233. ' S_OK if the call executed successfully;
  9234. ' Failure code otherwise.
  9235. '---------------------------------------------------------------------------
  9236. '+--------------------------------------------------------------------------
  9237. ' CertSrvBackupTruncateLogs -- called to truncate the already read backup logs.
  9238. '
  9239. ' Parameters:
  9240. ' [in] hbc - backup context handle
  9241. '
  9242. ' Returns:
  9243. ' S_OK if the call executed successfully;
  9244. ' Failure code otherwise.
  9245. '---------------------------------------------------------------------------
  9246. '+--------------------------------------------------------------------------
  9247. ' CertSrvBackupEnd -- called to end the current backup session.
  9248. '
  9249. ' Parameters:
  9250. ' [in] hbc - backup context handle of the backup session
  9251. '
  9252. ' Returns:
  9253. ' S_OK if the call executed successfully;
  9254. ' Failure code otherwise.
  9255. '---------------------------------------------------------------------------
  9256. '+--------------------------------------------------------------------------
  9257. ' CertSrvBackupFree -- free any buffer allocated by certbcli.dll APIs.
  9258. '
  9259. ' Parameters:
  9260. ' [in] pv - pointer to the buffer that is to be freed.
  9261. '
  9262. ' Returns:
  9263. ' None.
  9264. '---------------------------------------------------------------------------
  9265. '+--------------------------------------------------------------------------
' CertSrvRestoreGetDatabaseLocations -- called both at backup time as well as
' at restore time to get database locations for different types of
' files.
  9269. '
  9270. ' Parameters:
  9271. ' [in] hbc - backup context handle which would have been obtained
  9272. ' through CertSrvBackupPrepare in the backup case and through
  9273. ' CertSrvRestorePrepare in the restore case.
' [out] ppwszzDatabaseLocationList - pointer that will receive the
' pointer to the list of database locations; allocated memory
' should be freed using CertSrvBackupFree by the caller
' when it is no longer needed; locations are returned in an array
' of null-terminated names and the list is terminated by
' two L'\0's. The first character of each name is the BFT
' character that indicates the type of the file and the rest of
' the name gives the path into which that particular type
' of file should be restored.
  9282. ' [out] pcbSize - will receive the number of bytes returned
  9283. '
  9284. ' Returns:
  9285. ' S_OK if the call executed successfully;
  9286. ' Failure code otherwise.
  9287. '---------------------------------------------------------------------------
  9288. '+--------------------------------------------------------------------------
  9289. ' CertSrvRestorePrepare -- indicate beginning of a restore session.
  9290. '
  9291. ' Parameters:
  9292. ' [in] pwszServerName - name or config string of the server into which
  9293. ' the restore operation is going to be performed.
  9294. ' [in] dwRestoreFlags - Or'ed combination of CSRESTORE_TYPE_* flags;
  9295. ' 0 if no special flags are to be specified
  9296. ' [out] phbc - pointer to receive the backup context handle which is to
  9297. ' be passed to the subsequent restore APIs
  9298. '
  9299. ' Returns:
  9300. ' S_OK if the call executed successfully;
  9301. ' Failure code otherwise.
  9302. '---------------------------------------------------------------------------
  9303. '+--------------------------------------------------------------------------
  9304. ' CertSrvRestoreRegister -- register a restore operation. It will interlock
  9305. ' all subsequent restore operations, and will prevent the restore target
  9306. ' from starting until the call to CertSrvRestoreRegisterComplete is made.
  9307. '
  9308. ' Parameters:
  9309. ' [in] hbc - backup context handle for the restore session.
  9310. ' [in] pwszCheckPointFilePath - path to restore the check point files
  9311. ' [in] pwszLogPath - path where the log files are restored
  9312. ' [in] rgrstmap - restore map
  9313. ' [in] crstmap - tells if there is a new restore map
  9314. ' [in] pwszBackupLogPath - path where the backup logs are located
  9315. ' [in] genLow - Lowest log# that was restored in this restore session
  9316. ' [in] genHigh - Highest log# that was restored in this restore session
  9317. '
  9318. ' Returns:
  9319. ' S_OK if the call executed successfully;
  9320. ' Failure code otherwise.
  9321. '---------------------------------------------------------------------------
  9322. '+--------------------------------------------------------------------------
  9323. ' CertSrvRestoreRegisterComplete -- indicate that a previously registered
  9324. ' restore is complete.
  9325. '
  9326. ' Parameters:
  9327. ' [in] hbc - backup context handle
  9328. ' [in] hrRestoreState - success code if the restore was successful
  9329. '
  9330. ' Returns:
  9331. ' S_OK if the call executed successfully;
  9332. ' Failure code otherwise.
  9333. '---------------------------------------------------------------------------
  9334. '+--------------------------------------------------------------------------
  9335. ' CertSrvRestoreEnd -- end a restore session
  9336. '
  9337. ' Parameters:
  9338. ' [in] hbc - backup context handle
  9339. '
  9340. ' Returns:
  9341. ' S_OK if the call executed successfully;
  9342. ' Failure code otherwise.
  9343. '---------------------------------------------------------------------------
  9344. '+--------------------------------------------------------------------------
  9345. ' CertSrvServerControl -- send a control command to the cert server.
  9346. '
  9347. ' Parameters:
  9348. ' [in] pwszServerName - name or config string of the server to control
  9349. ' [in] dwControlFlags - control command and flags
  9350. ' [out] pcbOut - pointer to receive the size of command output data
' [out] ppbOut - pointer to receive command output data. Use the
' CertSrvBackupFree API to free the buffer when it is no longer needed.
'
  9353. ' Returns:
  9354. ' S_OK if the call executed successfully;
  9355. ' Failure code otherwise.
  9356. '---------------------------------------------------------------------------
' Control commands for CertSrvServerControl (dwControlFlags). These are
' command codes, not independent bit flags (RESTART = 3 = SHUTDOWN Or
' SUSPEND), so compare for equality rather than testing bits.
' NOTE(review): all three affect CA service availability; the authorization
' the server enforces for them is not visible in this module, so do not
' drive them from untrusted input. The literals carry nine hex digits,
' which VB still reads as the Long values 1, 2 and 3.
Public Const CSCONTROL_SHUTDOWN As Long = &H000000001
Public Const CSCONTROL_SUSPEND As Long = &H000000002
Public Const CSCONTROL_RESTART As Long = &H000000003
' wszCONFIG_*: field names of a CA configuration entry (the values are the
' property-name strings a caller passes to look the field up). Subject
' name components first, then the config string and certificates.
Public Const wszCONFIG_COMMONNAME As String = "CommonName"
Public Const wszCONFIG_ORGUNIT As String = "OrgUnit"
Public Const wszCONFIG_ORGANIZATION As String = "Organization"
Public Const wszCONFIG_LOCALITY As String = "Locality"
Public Const wszCONFIG_STATE As String = "State"
Public Const wszCONFIG_COUNTRY As String = "Country"
' "Config" is the server\CA-name config string also accepted by the
' certbcli APIs above as pwszServerName ("name or config string").
Public Const wszCONFIG_CONFIG As String = "Config"
Public Const wszCONFIG_EXCHANGECERTIFICATE As String = "ExchangeCertificate"
Public Const wszCONFIG_SIGNATURECERTIFICATE As String = "SignatureCertificate"
Public Const wszCONFIG_DESCRIPTION As String = "Description"
Public Const wszCONFIG_COMMENT As String = "Comment"
Public Const wszCONFIG_SERVER As String = "Server"
Public Const wszCONFIG_AUTHORITY As String = "Authority"
' Sanitized names are the file/registry-safe forms of the CA name; the
' exact sanitizing rule is not documented in this module.
Public Const wszCONFIG_SANITIZEDNAME As String = "SanitizedName"
Public Const wszCONFIG_SHORTNAME As String = "ShortName"
Public Const wszCONFIG_SANITIZEDSHORTNAME As String = "SanitizedShortName"
Public Const wszCONFIG_FLAGS As String = "Flags"
' CAIF_*: bit flags (combinable) recording where a config entry was found —
' DS, shared folder, registry, local machine — inferred from the names;
' confirm against the config enumerator.
Public Const CAIF_DSENTRY As Long = &H1
Public Const CAIF_SHAREDFOLDERENTRY As Long = &H2
Public Const CAIF_REGISTRY As Long = &H4
Public Const CAIF_LOCAL As Long = &H8
  9381. Public Const CR_IN_BASE64HEADER As Long = 0
  9382. Public Const CR_IN_BASE64 As Long = &H1
  9383. Public Const CR_IN_BINARY As Long = &H2
  9384. Public Const CR_IN_ENCODEANY As Long = &Hff
  9385. Public Const CR_IN_ENCODEMASK As Long = &Hff
  9386. Public Const CR_IN_FORMATANY As Long = 0
  9387. Public Const CR_IN_PKCS10 As Long = &H100
  9388. Public Const CR_IN_KEYGEN As Long = &H200
  9389. Public Const CR_IN_PKCS7 As Long = &H300
  9390. Public Const CR_IN_CMC As Long = &H400
  9391. Public Const CR_IN_FORMATMASK As Long = &Hff00
  9392. Public Const CR_IN_RPC As Long = &H20000
  9393. Public Const CC_DEFAULTCONFIG As Long = 0
  9394. Public Const CC_UIPICKCONFIG As Long = &H1
  9395. Public Const CC_FIRSTCONFIG As Long = &H2
  9396. Public Const CC_LOCALCONFIG As Long = &H3
  9397. Public Const CC_LOCALACTIVECONFIG As Long = &H4
' CR_DISP_*: disposition of a submitted request — an enumeration (0..6),
' not bit flags. ISSUED (&H3) and ISSUED_OUT_OF_BAND (&H4) are both
' success outcomes; callers checking "= CR_DISP_ISSUED" only will miss the
' latter.
Public Const CR_DISP_INCOMPLETE As Long = 0
Public Const CR_DISP_ERROR As Long = &H1
Public Const CR_DISP_DENIED As Long = &H2
Public Const CR_DISP_ISSUED As Long = &H3
Public Const CR_DISP_ISSUED_OUT_OF_BAND As Long = &H4
Public Const CR_DISP_UNDER_SUBMISSION As Long = &H5
Public Const CR_DISP_REVOKED As Long = &H6
' CR_OUT_*: requested output encoding in the low byte (CR_OUT_ENCODEMASK)
' plus the CR_OUT_CHAIN modifier, which asks for the certificate together
' with its chain (inferred from the name — confirm the exact container
' format with the consumer).
Public Const CR_OUT_BASE64HEADER As Long = 0
Public Const CR_OUT_BASE64 As Long = &H1
Public Const CR_OUT_BINARY As Long = &H2
Public Const CR_OUT_ENCODEMASK As Long = &Hff
Public Const CR_OUT_CHAIN As Long = &H100
' Flag for the error-message-text helper ("GEMT" presumably abbreviates
' GetErrorMessageText) — interpret the argument as an HRESULT string.
Public Const CR_GEMT_HRESULT_STRING As Long = &H1
' CR_PROP_*: property IDs for CA property queries. Decimal enumeration;
' each ID selects one property, the *COUNT IDs give the number of entries
' available for the matching indexed *CERT / *CERTCHAIN properties.
Public Const CR_PROP_NONE As Long = 0
Public Const CR_PROP_FILEVERSION As Long = 1
Public Const CR_PROP_PRODUCTVERSION As Long = 2
Public Const CR_PROP_EXITCOUNT As Long = 3
Public Const CR_PROP_EXITDESCRIPTION As Long = 4
Public Const CR_PROP_POLICYDESCRIPTION As Long = 5
Public Const CR_PROP_CANAME As Long = 6
Public Const CR_PROP_SANITIZEDCANAME As Long = 7
Public Const CR_PROP_SHAREDFOLDER As Long = 8
Public Const CR_PROP_PARENTCA As Long = 9
Public Const CR_PROP_CATYPE As Long = 10
Public Const CR_PROP_CASIGCERTCOUNT As Long = 11
Public Const CR_PROP_CASIGCERT As Long = 12
Public Const CR_PROP_CASIGCERTCHAIN As Long = 13
Public Const CR_PROP_CAXCHGCERTCOUNT As Long = 14
Public Const CR_PROP_CAXCHGCERT As Long = 15
Public Const CR_PROP_CAXCHGCERTCHAIN As Long = 16
Public Const CR_PROP_BASECRL As Long = 17
Public Const CR_PROP_DELTACRL As Long = 18
Public Const CR_PROP_CACERTSTATE As Long = 19
Public Const CR_PROP_CRLSTATE As Long = 20
' CAUTION: CR_PROP_CAPROPIDMAX is 21, yet CR_PROP_DNSNAME directly below
' is 22. A range check such as "propid < CR_PROP_CAPROPIDMAX" would reject
' DNSNAME, so do not use CAPROPIDMAX as the upper bound of valid IDs in
' this module.
Public Const CR_PROP_CAPROPIDMAX As Long = 21
Public Const CR_PROP_DNSNAME As Long = 22
' Eight hex digits, so VB types this as a Long with only the sign bit set
' (bit pattern &H80000000, numerically -2147483648); test it with And, not
' with ">= ". The name suggests "extension attribute name is an object
' identifier" — confirm against the consumer.
Public Const EAN_NAMEOBJECTID As Long = &H80000000
' EXITEVENT_*: exit-module notification events. Each is a distinct bit
' (&H1..&H40), so a module may register interest in an Or of several;
' INVALID (0) is the "none" value.
Public Const EXITEVENT_INVALID As Long = 0
Public Const EXITEVENT_CERTISSUED As Long = &H1
Public Const EXITEVENT_CERTPENDING As Long = &H2
Public Const EXITEVENT_CERTDENIED As Long = &H4
Public Const EXITEVENT_CERTREVOKED As Long = &H8
Public Const EXITEVENT_CERTRETRIEVEPENDING As Long = &H10
Public Const EXITEVENT_CRLISSUED As Long = &H20
Public Const EXITEVENT_SHUTDOWN As Long = &H40
' Extension-enumeration flag; the name suggests "return the extension name
' as an OID" — confirm with the enumerator that consumes it.
Public Const ENUMEXT_OBJECTID As Long = &H1
' Flag for the module-management ("CMM") interface: refresh only.
Public Const CMM_REFRESHONLY As Long = &H1
' wszCMM_PROP_*: property names a manage module exposes. Note that
' "File Version" and "Product Version" contain a space, unlike the other
' property-name strings in this module.
Public Const wszCMM_PROP_NAME As String = "Name"
Public Const wszCMM_PROP_DESCRIPTION As String = "Description"
Public Const wszCMM_PROP_COPYRIGHT As String = "Copyright"
Public Const wszCMM_PROP_FILEVER As String = "File Version"
Public Const wszCMM_PROP_PRODUCTVER As String = "Product Version"
Public Const wszCMM_PROP_DISPLAY_HWND As String = "HWND"
  9451. Public Const CV_OUT_BASE64HEADER As Long = 0
  9452. Public Const CV_OUT_BASE64 As Long = &H1
  9453. Public Const CV_OUT_BINARY As Long = &H2
  9454. Public Const CV_OUT_BASE64REQUESTHEADER As Long = &H3
  9455. Public Const CV_OUT_HEX As Long = &H4
  9456. Public Const CV_OUT_HEXASCII As Long = &H5
  9457. Public Const CV_OUT_BASE64X509CRLHEADER As Long = &H9
  9458. Public Const CV_OUT_HEXADDR As Long = &Ha
  9459. Public Const CV_OUT_HEXASCIIADDR As Long = &Hb
  9460. Public Const CV_OUT_ENCODEMASK As Long = &Hff
  9461. Public Const CVR_SEEK_NONE As Long = 0
  9462. Public Const CVR_SEEK_EQ As Long = &H1
  9463. Public Const CVR_SEEK_LT As Long = &H2
  9464. Public Const CVR_SEEK_LE As Long = &H4
  9465. Public Const CVR_SEEK_GE As Long = &H8
  9466. Public Const CVR_SEEK_GT As Long = &H10
  9467. Public Const CVR_SEEK_MASK As Long = &Hff
  9468. Public Const CVR_SEEK_NODELTA As Long = &H1000
  9469. Public Const CVR_SORT_NONE As Long = 0
  9470. Public Const CVR_SORT_ASCEND As Long = &H1
  9471. Public Const CVR_SORT_DESCEND As Long = &H2
  9472. Public Const CV_COLUMN_QUEUE_DEFAULT As Long = -1
  9473. Public Const CV_COLUMN_LOG_DEFAULT As Long = -2
  9474. Public Const CV_COLUMN_LOG_FAILED_DEFAULT As Long = -3
  9475. Public Const CV_COLUMN_EXTENSION_DEFAULT As Long = -4
  9476. Public Const CV_COLUMN_ATTRIBUTE_DEFAULT As Long = -5
  9477. Public Const CV_COLUMN_CRL_DEFAULT As Long = -6
  9478. Public Const CVRC_COLUMN_SCHEMA As Long = 0
  9479. Public Const CVRC_COLUMN_RESULT As Long = &H1
  9480. Public Const CVRC_COLUMN_VALUE As Long = &H2
  9481. Public Const CVRC_COLUMN_MASK As Long = &Hfff
  9482. Public Const CVRC_TABLE_REQCERT As Long = 0
  9483. Public Const CVRC_TABLE_EXTENSIONS As Long = &H3000
  9484. Public Const CVRC_TABLE_ATTRIBUTES As Long = &H4000
  9485. Public Const CVRC_TABLE_CRL As Long = &H5000
  9486. Public Const CVRC_TABLE_MASK As Long = &Hf000
  9487. Public Const CVRC_TABLE_SHIFT As Long = 12
  9488. '+--------------------------------------------------------------------------
  9489. '
  9490. ' Microsoft Windows
  9491. '
  9492. ' File: certca.h
  9493. '
  9494. ' Contents: Definition of the CA Info API
  9495. '
  9496. ' History: 12-dec-97 petesk created
  9497. ' 28-Jan-2000 xiaohs updated
  9498. '
  9499. '---------------------------------------------------------------------------
  9500. '************************************************************************************
  9501. '
  9502. ' Flags used by CAFindByName, CAFindByCertType, CAFindByIssuerDN and CAEnumFirstCA
  9503. '
  9504. ' See comments on each API for a list of applicable flags
  9505. '
  9506. '************************************************************************************
' Flags for CAFindByName, CAFindByCertType, CAFindByIssuerDN and CAEnumFirstCA
' (bit flags; see the per-API comments below for which apply where).
' the wszScope supplied is a domain location in the DNS format
Public Const CA_FLAG_SCOPE_DNS As Long = &H00000001
' include untrusted CA
' SECURITY: without this flag the finders presumably exclude CAs whose
' certificate chain does not verify (compare CA_FIND_LOCAL_SYSTEM below,
' "used to verify ca certificate chain"). A caller that passes it and then
' enrolls with, or accepts certificates from, a returned CA is bypassing
' that chain validation — keep it to administrative display/diagnostics.
Public Const CA_FIND_INCLUDE_UNTRUSTED As Long = &H00000010
' running as local system. Used to verify ca certificate chain
Public Const CA_FIND_LOCAL_SYSTEM As Long = &H00000020
' Include Ca's that do not support templates
' (compare CA_FLAG_NO_TEMPLATE_SUPPORT among the CA flags below)
Public Const CA_FIND_INCLUDE_NON_TEMPLATE_CA As Long = &H00000040
' The value passed in for scope is an LDAP binding handle to use during finds
' NOTE(review): the values &H40 and &H80 are reused by the CT_ENUM_* set for
' the cert-type APIs; the two flag sets belong to different calls and must
' not be mixed.
Public Const CA_FLAG_SCOPE_IS_LDAP_HANDLE As Long = &H00000800
  9517. '************************************************************************************
  9518. '
  9519. ' Flags used by CAEnumCertTypesForCA, CAEnumCertTypes, and CAFindCertTypeByName
  9520. '
  9521. ' See comments on each API for a list of applicable flags
  9522. '
  9523. '************************************************************************************
' Flags for CAEnumCertTypesForCA, CAEnumCertTypes and CAFindCertTypeByName
' (bit flags; values overlap with the CA_FIND_* set above but belong to
' different APIs).
' Instead of enumerating the certificate types supported by the CA, enumerate ALL
' certificate types which the CA may choose to support.
Public Const CA_FLAG_ENUM_ALL_TYPES As Long = &H00000004
' NOTE(review): the next comment line ("running as local system ...")
' describes a flag whose declaration is missing from this module; it does
' not apply to CT_ENUM_MACHINE_TYPES.
' running as local system. Used to find cached information in the registry.
' Return machine types, as opposed to user types
Public Const CT_ENUM_MACHINE_TYPES As Long = &H00000040
' Return user types, as opposed to machine types
Public Const CT_ENUM_USER_TYPES As Long = &H00000080
' Disable the cache expiration check (forces use of cached data even when
' it has expired — inferred from the name and the comment; confirm).
Public Const CT_FLAG_NO_CACHE_LOOKUP As Long = &H00000400
' NOTE(review): the following comment is orphaned too — no "scope is an LDAP
' handle" constant for the cert-type APIs is declared after it here.
' The value passed in for scope is an LDAP binding handle to use during finds
  9535. '************************************************************************************
  9536. '
  9537. ' Certification Authority manipulation API's
  9538. '
  9539. '************************************************************************************
' CAFindCAByName
'
' Given the common name of a CA, find the CA within
' the given domain and return the given phCAInfo structure.
  9543. '
  9544. ' wszCAName - Common name of the CA
  9545. '
' wszScope - Scope in which to search for the CA.
' Equivalent of the "base" parameter of the ldap_search_sxxx APIs.
' NULL if use the current domain.
' If CA_FLAG_SCOPE_DNS is set, wszScope is in the DNS format.
' If CA_FLAG_SCOPE_IS_LDAP_HANDLE is set, wszScope is an LDAP
' binding handle to use during finds
  9551. '
  9552. ' dwFlags - Oring of the following flags:
  9553. ' CA_FLAG_SCOPE_DNS
  9554. ' CA_FIND_INCLUDE_UNTRUSTED
  9555. ' CA_FIND_LOCAL_SYSTEM
  9556. ' CA_FIND_INCLUDE_NON_TEMPLATE_CA
  9557. ' CA_FLAG_SCOPE_IS_LDAP_HANDLE
  9558. '
  9559. ' phCAInfo - Handle to the returned CA.
  9560. '
  9561. '
  9562. '
  9563. ' Return: Returns S_OK if CA was found.
  9564. '
  9565. '
  9566. ' CAFindByCertType
  9567. '
  9568. ' Given the Name of a Cert Type, find all the CAs within
  9569. ' the given domain and return the given phCAInfo structure.
  9570. '
  9571. ' wszCertType - Common Name of the cert type
  9572. '
' wszScope - Scope in which to search for CAs.
' Equivalent of the "base" parameter of the ldap_search_sxxx APIs.
' NULL if use the current domain.
' If CA_FLAG_SCOPE_DNS is set, wszScope is in the DNS format.
' If CA_FLAG_SCOPE_IS_LDAP_HANDLE is set, wszScope is an LDAP
' binding handle to use during finds
  9578. '
  9579. ' dwFlags - Oring of the following flags:
  9580. ' CA_FLAG_SCOPE_DNS
  9581. ' CA_FIND_INCLUDE_UNTRUSTED
  9582. ' CA_FIND_LOCAL_SYSTEM
  9583. ' CA_FIND_INCLUDE_NON_TEMPLATE_CA
  9584. ' CA_FLAG_SCOPE_IS_LDAP_HANDLE
  9585. '
  9586. ' phCAInfo - Handle to enumeration of CA's supporting
  9587. ' - cert type.
  9588. '
  9589. '
  9590. ' Return: Returns S_OK on success.
  9591. ' Will return S_OK if none are found.
  9592. ' *phCAInfo will contain NULL
  9593. '
  9594. '
  9595. ' CAFindByIssuerDN
  9596. ' Given the DN of a CA, find the CA within
  9597. ' the given domain and return the given phCAInfo handle.
  9598. '
  9599. ' pIssuerDN - a cert name blob from the CA's certificate.
  9600. '
' wszScope - Scope in which to search for the CA.
' Equivalent of the "base" parameter of the ldap_search_sxxx APIs.
' NULL if use the current domain.
' If CA_FLAG_SCOPE_DNS is set, wszScope is in the DNS format.
' If CA_FLAG_SCOPE_IS_LDAP_HANDLE is set, wszScope is an LDAP
' binding handle to use during finds
  9606. '
  9607. ' dwFlags - Oring of the following flags:
  9608. ' CA_FLAG_SCOPE_DNS
  9609. ' CA_FIND_INCLUDE_UNTRUSTED
  9610. ' CA_FIND_LOCAL_SYSTEM
  9611. ' CA_FIND_INCLUDE_NON_TEMPLATE_CA
  9612. ' CA_FLAG_SCOPE_IS_LDAP_HANDLE
  9613. '
  9614. '
  9615. ' Return: Returns S_OK if CA was found.
  9616. '
  9617. '
  9618. ' CAEnumFirstCA
  9619. ' Enumerate the CA's in a scope
  9620. '
' wszScope - Scope in which to enumerate CAs.
' Equivalent of the "base" parameter of the ldap_search_sxxx APIs.
' NULL if use the current domain.
' If CA_FLAG_SCOPE_DNS is set, wszScope is in the DNS format.
' If CA_FLAG_SCOPE_IS_LDAP_HANDLE is set, wszScope is an LDAP
' binding handle to use during finds
  9626. '
  9627. ' dwFlags - Oring of the following flags:
  9628. ' CA_FLAG_SCOPE_DNS
  9629. ' CA_FIND_INCLUDE_UNTRUSTED
  9630. ' CA_FIND_LOCAL_SYSTEM
  9631. ' CA_FIND_INCLUDE_NON_TEMPLATE_CA
  9632. ' CA_FLAG_SCOPE_IS_LDAP_HANDLE
  9633. '
  9634. ' phCAInfo - Handle to enumeration of CA's supporting
  9635. ' - cert type.
  9636. '
  9637. '
  9638. ' Return: Returns S_OK on success.
  9639. ' Will return S_OK if none are found.
  9640. ' *phCAInfo will contain NULL
  9641. '
  9642. '
  9643. ' CAEnumNextCA
  9644. ' Find the Next CA in an enumeration.
  9645. '
  9646. ' hPrevCA - Current ca in an enumeration.
  9647. '
  9648. ' phCAInfo - next ca in an enumeration.
  9649. '
  9650. ' Return: Returns S_OK on success.
  9651. ' Will return S_OK if none are found.
  9652. ' *phCAInfo will contain NULL
  9653. '
  9654. '
  9655. ' CACreateNewCA
  9656. ' Create a new CA of given name.
  9657. '
  9658. ' wszCAName - Common name of the CA
  9659. '
' wszScope - DS location under which to create the
' CA object. We will add the "CN=...,..,CN=Services" after the DN.
' NULL if use the current domain.
  9662. ' If CA_FLAG_SCOPE_DNS is set, wszScope is in the DNS format.
  9663. '
  9664. ' dwFlags - Oring of the following flags:
  9665. ' CA_FLAG_SCOPE_DNS
  9666. '
  9667. ' phCAInfo - Handle to the returned CA.
  9668. '
  9669. ' See above for other parameter definitions
  9670. '
  9671. ' Return: Returns S_OK if CA was created.
  9672. '
  9673. ' NOTE: Actual updates to the CA object may not occur
  9674. ' until CAUpdateCA is called.
  9675. ' In order to successfully update a created CA,
  9676. ' the Certificate must be set, as well as the
  9677. ' Certificate Types property.
  9678. '
  9679. '
  9680. ' CAUpdateCA
  9681. ' Write any changes made to the CA back to the CA object.
  9682. '
  9683. ' hCAInfo - Handle to an open CA object.
  9684. '
  9685. '
  9686. ' CADeleteCA
  9687. ' Delete the CA object from the DS.
  9688. '
  9689. ' hCAInfo - Handle to an open CA object.
  9690. '
  9691. '
  9692. ' CACountCAs
  9693. ' return the number of CAs in this enumeration
  9694. '
  9695. '
  9696. ' CACloseCA
  9697. ' Close an open CA handle
  9698. '
  9699. ' hCAInfo - Handle to an open CA object.
  9700. '
  9701. '
  9702. ' CAGetCAProperty - Given a property name, retrieve a
  9703. ' property from a CAInfo.
  9704. '
  9705. ' hCAInfo - Handle to an open CA object.
  9706. '
  9707. ' wszPropertyName - Name of the CA property
  9708. '
  9709. ' pawszPropertyValue - A pointer into which an array
  9710. ' of WCHAR strings is written, containing
  9711. ' the values of the property. The last
  9712. ' element of the array points to NULL.
  9713. ' If the property is single valued, then
  9714. ' the array returned contains 2 elements,
  9715. ' the first pointing to the value, the second
  9716. ' pointing to NULL. This pointer must be
  9717. ' freed by CAFreeCAProperty.
  9718. '
  9719. '
  9720. ' Returns - S_OK on success.
  9721. '
  9722. '
  9723. ' CAFreeProperty
  9724. ' Free's a previously retrieved property value.
  9725. '
  9726. ' hCAInfo - Handle to an open CA object.
  9727. '
  9728. ' awszPropertyValue - pointer to the previously retrieved
  9729. ' - property value.
  9730. '
  9731. '
  9732. ' CASetCAProperty - Given a property name, set it's value.
  9733. '
  9734. ' hCAInfo - Handle to an open CA object.
  9735. '
  9736. ' wszPropertyName - Name of the CA property
  9737. '
  9738. ' awszPropertyValue - An array of values to set
  9739. ' - for this property. The last element of this
  9740. ' - array should be NULL.
' - For single valued properties, the values beyond the
' - first will be ignored upon update.
  9743. '
  9744. ' Returns - S_OK on success.
  9745. '
  9746. '************************************************************************************
  9747. ' CA Properties
  9748. '
  9749. '************************************************************************************
' CA_PROP_*: property names for CAGetCAProperty / CASetCAProperty. The
' values are LDAP attribute names of the CA object in the DS (compare
' "cn", "displayName", "distinguishedName" and CADeleteCA's "Delete the CA
' object from the DS" above).
' simple name of the CA
Public Const CA_PROP_NAME As String = "cn"
' display name of the CA object
Public Const CA_PROP_DISPLAY_NAME As String = "displayName"
' dns name of the machine
Public Const CA_PROP_DNSNAME As String = "dNSHostName"
' distinguished name of the CA object in the DS
Public Const CA_PROP_DSLOCATION As String = "distinguishedName"
' Supported cert types
' NOTE(review): this is the list of templates the CA advertises; it is
' writable through CASetCAProperty + CAUpdateCA, so whoever can write the
' CA's DS object controls it — confirm the ACL on that object.
Public Const CA_PROP_CERT_TYPES As String = "certificateTemplates"
' Supported signature algs
Public Const CA_PROP_SIGNATURE_ALGS As String = "signatureAlgorithms"
' DN of the CA's cert
Public Const CA_PROP_CERT_DN As String = "cACertificateDN"
' enrollment providers (the original comment here duplicated the
' "DN of the CA's cert" line above)
Public Const CA_PROP_ENROLLMENT_PROVIDERS As String = "enrollmentProviders"
' CA's description — note the capitalised "Description", unlike the
' camel-case attribute names above; presumably matched case-insensitively
' as LDAP attribute names are — confirm.
Public Const CA_PROP_DESCRIPTION As String = "Description"
  9767. '
  9768. ' CAGetCACertificate - Return the current certificate for
  9769. ' this ca.
  9770. '
  9771. ' hCAInfo - Handle to an open CA object.
  9772. '
  9773. ' ppCert - Pointer into which a certificate
  9774. ' - is written. This certificate must
  9775. ' - be freed via CertFreeCertificateContext.
  9776. ' - This value will be NULL if no certificate
  9777. ' - is set for this CA.
  9778. '
  9779. '
  9780. ' CAGetCertTypeFlags
  9781. ' Retrieve cert type flags
  9782. '
  9783. ' hCertType - handle to the CertType
  9784. '
  9785. ' pdwFlags - pointer to DWORD receiving flags
  9786. '
  9787. '************************************************************************************
  9788. '
  9789. ' CA Flags
  9790. '
  9791. '************************************************************************************
  9792. ' NOTE(review): the constant name says NO template support, while the
  ' comment carried over from the original header here read "The CA supports
  ' certificate templates"; one of the two is inverted. The name suggests a set
  ' bit means templates are NOT supported — confirm against the code that tests
  ' this flag before relying on either reading.
  9793. Public Const CA_FLAG_NO_TEMPLATE_SUPPORT As Long = &H00000001
  9794. ' The CA supports NT authentication for requests
  9795. Public Const CA_FLAG_SUPPORTS_NT_AUTHENTICATION As Long = &H00000002
  9796. ' The cert requests may be pended
  ' (held rather than issued immediately; compare CT_FLAG_PEND_ALL_REQUESTS in
  ' the enrollment flags further down)
  9797. Public Const CA_FLAG_CA_SUPPORTS_MANUAL_AUTHENTICATION As Long = &H00000004
  ' By its name, only bits within &H0000FFFF are settable CA flags; how the
  ' mask is applied is not shown on this page.
  9798. Public Const CA_MASK_SETTABLE_FLAGS As Long = &H0000ffff
  9799. '
  9800. ' CASetCAFlags
  9801. ' Sets the Flags of a cert type
  ' NOTE(review): the function is named CASetCAFlags and the constants above
  ' are CA flags, but this description and the hCertType parameter read like a
  ' copy of CASetCertTypeFlags (further down). Confirm whether the handle is
  ' actually an HCAINFO before relying on this description.
  9802. '
  9803. ' hCertType - handle to the CertType
  9804. '
  9805. ' dwFlags - Flags to be set
  9806. '
  9807. '
  9808. ' CASetCACertificate - Set the certificate for this CA.
  9809. '
  9810. '
  9811. ' hCAInfo - Handle to an open CA object.
  9812. '
  9813. ' pCert - Pointer to a certificate to set as the CA's certificate.
  9814. '
  9815. '
  9816. ' CAGetCAExpiration
  9817. ' Get the expiration period for a CA.
  9818. '
  9819. ' hCAInfo - Handle to an open CA object.
  9820. '
  9821. ' pdwExpiration - expiration period in dwUnits time
  9822. '
  9823. ' pdwUnits - Units identifier
  9824. '
  ' Units for the CA expiration period (pdwUnits / dwUnits in CAGetCAExpiration
  ' and CASetCAExpiration). These are ordinal selectors (1..4), not bit flags,
  ' so they must not be OR'd together.
  9825. Public Const CA_UNITS_DAYS As Long = 1
  9826. Public Const CA_UNITS_WEEKS As Long = 2
  9827. Public Const CA_UNITS_MONTHS As Long = 3
  9828. Public Const CA_UNITS_YEARS As Long = 4
  9829. '
  9830. ' CASetCAExpiration
  9831. ' Set the expiration period for a CA.
  9832. '
  9833. ' hCAInfo - Handle to an open CA object.
  9834. '
  9835. ' dwExpiration -
  9836. '
  9837. ' dwUnits - Units identifier
  9838. '
  9839. '
  9840. ' CASetCASecurity
  9841. ' Set the list of Users, Groups, and Machines allowed
  9842. ' to access this CA.
  9843. '
  9844. ' hCAInfo - Handle to an open CA object.
  9845. '
  9846. ' pSD - Security descriptor for this CA
  9847. '
  9848. '
  9849. ' CAGetCASecurity
  9850. ' Get the list of Users, Groups, and Machines allowed
  9851. ' to access this CA.
  9852. '
  9853. ' hCAInfo - Handle to an open CA object.
  9854. '
  9855. ' ppSD - Pointer to a location receiving
  9856. ' - the pointer to the security descriptor
  9857. ' - Free via LocalFree
  9858. '
  9859. '
  9860. '
  9861. ' CAAccessCheck
  9862. ' Determine whether the principal specified by
  9863. ' ClientToken can get a cert from the CA.
  9864. '
  9865. ' hCAInfo - Handle to the CA
  9866. '
  9867. ' ClientToken - Handle to an impersonation token
  9868. ' - that represents the client attempting
  9869. ' - to request this cert type. The handle must
  9870. ' - have TOKEN_QUERY access to the token;
  9871. ' - otherwise, the function fails with
  9872. ' - ERROR_ACCESS_DENIED.
  9873. '
  9874. ' Return: S_OK on success
  9875. '
  9876. '
  9877. ' CAEnumCertTypesForCA - Given a HCAINFO, retrieve handle to
  9878. ' the cert types supported, or known by this CA.
  9879. ' CAEnumNextCertType can be used to enumerate through the
  9880. ' cert types.
  9881. '
  9882. ' hCAInfo - Handle to an open CA handle or NULL if CT_FLAG_ENUM_ALL_TYPES is set
  9883. ' in dwFlags.
  9884. '
  9885. ' dwFlags - The following flags may be or'd together
  9886. ' CA_FLAG_ENUM_ALL_TYPES
  9887. ' CT_FIND_LOCAL_SYSTEM
  9888. ' CT_ENUM_MACHINE_TYPES
  9889. ' CT_ENUM_USER_TYPES
  9890. ' CT_FLAG_NO_CACHE_LOOKUP
  9891. '
  9892. '
  9893. ' phCertType - Enumeration of certificate types.
  9894. '
  9895. '
  9896. ' CAAddCACertificateType
  9897. ' Add a certificate type to a CA.
  9898. ' If the cert type has already been added to the
  9899. ' ca, it will not be added again.
  9900. '
  9901. ' hCAInfo - Handle to an open CA.
  9902. '
  9903. ' hCertType - Cert type to add to CA.
  9904. '
  9905. '
  9906. ' CADeleteCACertificateType
  9907. ' Remove a certificate type from a CA.
  9908. ' If the CA does not include this cert type,
  9909. ' this call does nothing.
  9910. '
  9911. ' hCAInfo - Handle to an open CA.
  9912. '
  9913. ' hCertType - Cert type to delete from CA.
  9914. '
  9915. '************************************************************************************
  9916. '
  9917. ' Certificate Type API's
  9918. '
  9919. '************************************************************************************
  9920. '
  9921. ' CAEnumCertTypes - Retrieve a handle to all known cert types
  9922. ' CAEnumNextCertType can be used to enumerate through the
  9923. ' cert types.
  9924. '
  9925. '
  9926. ' dwFlags - a bitwise OR of the following:
  9927. '
  9928. ' CT_FIND_LOCAL_SYSTEM
  9929. ' CT_ENUM_MACHINE_TYPES
  9930. ' CT_ENUM_USER_TYPES
  9931. ' CT_FLAG_NO_CACHE_LOOKUP
  9932. '
  9933. ' phCertType - Enumeration of certificate types.
  9934. '
  9935. '
  9936. ' CAFindCertTypeByName
  9937. ' Find a cert type given a Name.
  9938. '
  9939. ' wszCertType - Name of the cert type
  9940. '
  9941. ' hCAInfo - NULL unless CT_FLAG_SCOPE_IS_LDAP_HANDLE is set in the dwFlags
  9942. '
  9943. ' dwFlags - a bitwise OR of the following
  9944. '
  9945. ' CT_FIND_LOCAL_SYSTEM
  9946. ' CT_ENUM_MACHINE_TYPES
  9947. ' CT_ENUM_USER_TYPES
  9948. ' CT_FLAG_NO_CACHE_LOOKUP
  9949. ' CT_FLAG_SCOPE_IS_LDAP_HANDLE -- If this flag is set, hCAInfo
  9950. ' is an LDAP handle to use during finds
  9951. ' phCertType - Pointer to a cert type in which result is returned.
  9952. '
  9953. '************************************************************************************
  9954. '
  9955. ' Default cert type names
  9956. '
  9957. '************************************************************************************
  ' Names of the default certificate templates ("cert types"). These are the
  ' wszCertType strings accepted by CAFindCertTypeByName above; per the
  ' CADeleteCertType note below, deleting a default type reverts it to its
  ' default attributes rather than removing it.
  ' NOTE(review): by name, several of these represent high-authority roles —
  ' EnrollmentAgent / MachineEnrollmentAgent, KeyRecoveryAgent, CA / SubCA /
  ' CrossCA, Administrator. Enroll permissions on those templates (see
  ' CACertTypeSetSecurity / CACertTypeAccessCheck below) deserve the tightest
  ' review.
  9958. Public Const wszCERTTYPE_USER As String = "User"
  9959. Public Const wszCERTTYPE_USER_SIGNATURE As String = "UserSignature"
  9960. Public Const wszCERTTYPE_SMARTCARD_USER As String = "SmartcardUser"
  9961. Public Const wszCERTTYPE_USER_AS As String = "ClientAuth"
  9962. Public Const wszCERTTYPE_USER_SMARTCARD_LOGON As String = "SmartcardLogon"
  9963. Public Const wszCERTTYPE_EFS As String = "EFS"
  9964. Public Const wszCERTTYPE_ADMIN As String = "Administrator"
  9965. Public Const wszCERTTYPE_EFS_RECOVERY As String = "EFSRecovery"
  9966. Public Const wszCERTTYPE_CODE_SIGNING As String = "CodeSigning"
  9967. Public Const wszCERTTYPE_CTL_SIGNING As String = "CTLSigning"
  9968. Public Const wszCERTTYPE_ENROLLMENT_AGENT As String = "EnrollmentAgent"
  9969. Public Const wszCERTTYPE_MACHINE As String = "Machine"
  9970. Public Const wszCERTTYPE_DC As String = "DomainController"
  9971. Public Const wszCERTTYPE_WEBSERVER As String = "WebServer"
  9972. Public Const wszCERTTYPE_KDC As String = "KDC"
  9973. Public Const wszCERTTYPE_CA As String = "CA"
  9974. Public Const wszCERTTYPE_SUBORDINATE_CA As String = "SubCA"
  9975. Public Const wszCERTTYPE_CROSS_CA As String = "CrossCA"
  9976. Public Const wszCERTTYPE_KEY_RECOVERY_AGENT As String = "KeyRecoveryAgent"
  9977. Public Const wszCERTTYPE_CA_EXCHANGE As String = "CAExchange"
  9978. Public Const wszCERTTYPE_IPSEC_ENDENTITY_ONLINE As String = "IPSECEndEntityOnline"
  9979. Public Const wszCERTTYPE_IPSEC_ENDENTITY_OFFLINE As String = "IPSECEndEntityOffline"
  9980. Public Const wszCERTTYPE_IPSEC_INTERMEDIATE_ONLINE As String = "IPSECIntermediateOnline"
  9981. Public Const wszCERTTYPE_IPSEC_INTERMEDIATE_OFFLINE As String = "IPSECIntermediateOffline"
  9982. Public Const wszCERTTYPE_ROUTER_OFFLINE As String = "OfflineRouter"
  9983. Public Const wszCERTTYPE_ENROLLMENT_AGENT_OFFLINE As String = "EnrollmentAgentOffline"
  9984. Public Const wszCERTTYPE_EXCHANGE_USER As String = "ExchangeUser"
  9985. Public Const wszCERTTYPE_EXCHANGE_USER_SIGNATURE As String = "ExchangeUserSignature"
  9986. Public Const wszCERTTYPE_MACHINE_ENROLLMENT_AGENT As String = "MachineEnrollmentAgent"
  9987. Public Const wszCERTTYPE_CEP_ENCRYPTION As String = "CEPEncryption"
  9988. '
  9989. ' CAUpdateCertType
  9990. ' Write any changes made to the cert type back to the type store
  9991. '
  9992. '
  9993. ' CADeleteCertType
  9994. ' Delete a CertType
  9995. '
  9996. ' hCertType - Cert type to delete.
  9997. '
  9998. ' NOTE: If this is called for a default cert type,
  9999. ' it will revert back to its default attributes
  10000. '
  10001. '
  10002. ' CACreateCertType
  10003. ' Create a new cert type
  10004. '
  10005. ' wszCertType - Name of the cert type
  10006. '
  10007. ' wszScope - reserved. Must be set to NULL.
  10008. '
  10009. ' dwFlags - reserved. Must be set to NULL.
  10010. '
  10011. ' phCertType - returned cert type
  10012. '
  10013. '
  10014. ' CAEnumNextCertType
  10015. ' Find the Next Cert Type in an enumeration.
  10016. '
  10017. ' hPrevCertType - Previous cert type in enumeration
  10018. '
  10019. ' phCertType - Pointer to a handle into which
  10020. ' - result is placed. NULL if
  10021. ' - there are no more cert types in
  10022. ' - enumeration.
  10023. '
  10024. '
  10025. ' CACountCertTypes
  10026. ' return the number of cert types in this enumeration
  10027. '
  10028. '
  10029. ' CACloseCertType
  10030. ' Close an open CertType handle
  10031. '
  10032. '
  10033. ' CAGetCertTypeProperty
  10034. ' Retrieve a property from a certificate type. This function is obsolete.
  10035. ' Caller should use CAGetCertTypePropertyEx instead
  10036. '
  10037. ' hCertType - Handle to an open CertType object.
  10038. '
  10039. ' wszPropertyName - Name of the CertType property.
  10040. '
  10041. ' pawszPropertyValue - A pointer into which an array
  10042. ' of WCHAR strings is written, containing
  10043. ' the values of the property. The last
  10044. ' element of the array points to NULL.
  10045. ' If the property is single valued, then
  10046. ' the array returned contains 2 elements,
  10047. ' the first pointing to the value, the second
  10048. ' pointing to NULL. This pointer must be
  10049. ' freed by CAFreeCertTypeProperty.
  10050. '
  10051. '
  10052. ' Returns - S_OK on success.
  10053. '
  10054. '
  10055. ' CAGetCertTypePropertyEx
  10056. ' Retrieve a property from a certificate type.
  10057. '
  10058. ' hCertType - Handle to an open CertType object.
  10059. '
  10060. ' wszPropertyName - Name of the CertType property
  10061. '
  10062. ' pPropertyValue - Depending on the value of wszPropertyName, pPropertyValue
  10063. ' is either DWORD * or LPWSTR **.
  10064. '
  10065. ' It is a DWORD * for:
  10066. '
  10067. ' CERTTYPE_PROP_REVISION
  10068. ' CERTTYPE_PROP_SCHEMA_VERSION
  10069. ' CERTTYPE_PROP_MINOR_REVISION
  10070. ' CERTTYPE_PROP_RA_SIGNATURE
  10071. ' CERTTYPE_PROP_MIN_KEY_SIZE
  10072. '
  10073. '
  10074. ' It is a LPWSTR ** for:
  10075. '
  10076. ' CERTTYPE_PROP_CN
  10077. ' CERTTYPE_PROP_DN
  10078. ' CERTTYPE_PROP_FRIENDLY_NAME
  10079. ' CERTTYPE_PROP_EXTENDED_KEY_USAGE
  10080. ' CERTTYPE_PROP_CSP_LIST
  10081. ' CERTTYPE_PROP_CRITICAL_EXTENSIONS
  10082. ' CERTTYPE_PROP_OID
  10083. ' CERTTYPE_PROP_SUPERSEDE
  10084. ' CERTTYPE_PROP_RA_POLICY
  10085. ' CERTTYPE_PROP_POLICY
  10086. '
  10087. ' A pointer into which an array
  10088. ' of WCHAR strings is written, containing
  10089. ' the values of the property. The last
  10090. ' element of the array points to NULL.
  10091. ' If the property is single valued, then
  10092. ' the array returned contains 2 elements,
  10093. ' the first pointing to the value, the second
  10094. ' pointing to NULL. This pointer must be
  10095. ' freed by CAFreeCertTypeProperty.
  10096. '
  10097. '
  10098. ' Returns - S_OK on success.
  10099. '
  10100. '************************************************************************************
  10101. '
  10102. ' Certificate Type properties
  10103. '
  10104. '************************************************************************************
  10105. '************************************************************************************
  10106. '
  10107. ' The schema version one properties
  10108. '
  10109. '************************************************************************************
  10110. ' Common name of the certificate type
  ' CERTTYPE_PROP_* are the wszPropertyName values for the
  ' CAGetCertTypeProperty(Ex) / CASetCertTypeProperty(Ex) family above; the
  ' tables there say which are DWORD-valued and which are string arrays.
  10111. Public Const CERTTYPE_PROP_CN As String = "cn"
  10112. ' The common name of the certificate type. Same as CERTTYPE_PROP_CN
  ' NOTE(review): the constant maps to "distinguishedName", so "common name /
  ' same as CERTTYPE_PROP_CN" looks wrong; the CASetCertTypePropertyEx table
  ' above lists CN but not DN as settable, consistent with the note below.
  10113. ' This property is not settable.
  10114. Public Const CERTTYPE_PROP_DN As String = "distinguishedName"
  10115. ' The display name of a cert type
  10116. Public Const CERTTYPE_PROP_FRIENDLY_NAME As String = "displayName"
  10117. ' An array of extended key usage OID's for a cert type
  10118. ' NOTE: This property can also be set by setting
  10119. ' the Extended Key Usage extension.
  10120. Public Const CERTTYPE_PROP_EXTENDED_KEY_USAGE As String = "pKIExtendedKeyUsage"
  10121. ' The list of default CSP's for this cert type
  10122. Public Const CERTTYPE_PROP_CSP_LIST As String = "pKIDefaultCSPs"
  10123. ' The list of critical extensions
  10124. Public Const CERTTYPE_PROP_CRITICAL_EXTENSIONS As String = "pKICriticalExtensions"
  10125. ' The major version of the templates
  ' (DWORD-valued; the minor revision and schema version are V2 properties below)
  10126. Public Const CERTTYPE_PROP_REVISION As String = "revision"
  10127. '************************************************************************************
  10128. '
  10129. ' The schema version two properties
  10130. '
  10131. '************************************************************************************
  10132. ' The schema version of the templates
  10133. ' This property is not settable
  ' (CASetCertTypePropertyEx above: a V1-schema cert type can only set V1
  ' properties, so the V2 properties in this section need a V2 template.)
  10134. Public Const CERTTYPE_PROP_SCHEMA_VERSION As String = "msPKI-Template-Schema-Version"
  10135. ' The minor version of the templates
  10136. Public Const CERTTYPE_PROP_MINOR_REVISION As String = "msPKI-Template-Minor-Revision"
  10137. ' The number of RA signature required
  ' (DWORD; an issuance control — the request needs this many registration
  ' authority signatures; presumably the RA policy OIDs below say which ones)
  10138. Public Const CERTTYPE_PROP_RA_SIGNATURE As String = "msPKI-RA-Signature"
  10139. ' The minimal key size required
  ' (DWORD; the floor on subject key size this template accepts)
  10140. Public Const CERTTYPE_PROP_MIN_KEY_SIZE As String = "msPKI-Minimal-Key-Size"
  10141. ' The OID of the templates
  10142. Public Const CERTTYPE_PROP_OID As String = "msPKI-Cert-Template-OID"
  10143. ' The template Oids that supersede the templates
  10144. Public Const CERTTYPE_PROP_SUPERSEDE As String = "msPKI-Supersede-Templates"
  10145. ' The RA issuer policy oids required
  10146. Public Const CERTTYPE_PROP_RA_POLICY As String = "msPKI-RA-Policies"
  10147. ' The RA application policy oids required
  ' NOTE(review): CERTTYPE_PROP_RA_APPLICATION_POLICY and
  ' CERTTYPE_PROP_APPLICATION_POLICY are missing from the DWORD * / LPWSTR **
  ' tables of CAGetCertTypePropertyEx / CASetCertTypePropertyEx above;
  ' presumably string arrays like their sibling policy properties — confirm.
  10148. Public Const CERTTYPE_PROP_RA_APPLICATION_POLICY As String = "msPKI-RA-Application-Policies"
  10149. ' The certificate issuer policy oids
  10150. Public Const CERTTYPE_PROP_POLICY As String = "msPKI-Certificate-Policy"
  10151. ' The certificate application policy oids
  10152. Public Const CERTTYPE_PROP_APPLICATION_POLICY As String = "msPKI-Certificate-Application-Policy"
  ' Value of CERTTYPE_PROP_SCHEMA_VERSION for version-one templates. Only the
  ' V1 constant appears in this part of the file.
  10153. Public Const CERTTYPE_SCHEMA_VERSION_1 As Long = 1
  10154. '
  10155. ' CASetCertTypeProperty
  10156. ' Set a property of a CertType. This function is obsolete.
  10157. ' Use CASetCertTypePropertyEx.
  10158. '
  10159. ' hCertType - Handle to an open CertType object.
  10160. '
  10161. ' wszPropertyName - Name of the CertType property
  10162. '
  10163. ' awszPropertyValue - An array of values to set
  10164. ' - for this property. The last element of this
  10165. ' - array should be NULL.
  10166. ' - For single valued properties, the values beyond the
  10167. ' - first will be ignored upon update.
  10168. '
  10169. ' Returns - S_OK on success.
  10170. '
  10171. '
  10172. ' CASetCertTypePropertyEx
  10173. ' Set a property of a CertType
  10174. '
  10175. ' hCertType - Handle to an open CertType object.
  10176. '
  10177. ' wszPropertyName - Name of the CertType property
  10178. '
  10179. ' pPropertyValue - Depending on the value of wszPropertyName, pPropertyValue
  10180. ' is either DWORD * or LPWSTR *.
  10181. '
  10182. ' It is a DWORD * for:
  10183. ' CERTTYPE_PROP_REVISION
  10184. ' CERTTYPE_PROP_MINOR_REVISION
  10185. ' CERTTYPE_PROP_RA_SIGNATURE
  10186. ' CERTTYPE_PROP_MIN_KEY_SIZE
  10187. '
  10188. '
  10189. ' It is a LPWSTR * for:
  10190. '
  10191. ' CERTTYPE_PROP_CN
  10192. ' CERTTYPE_PROP_FRIENDLY_NAME
  10193. ' CERTTYPE_PROP_EXTENDED_KEY_USAGE
  10194. ' CERTTYPE_PROP_CSP_LIST
  10195. ' CERTTYPE_PROP_CRITICAL_EXTENSIONS
  10196. ' CERTTYPE_PROP_OID
  10197. ' CERTTYPE_PROP_SUPERSEDE
  10198. ' CERTTYPE_PROP_RA_POLICY
  10199. ' CERTTYPE_PROP_POLICY
  10200. '
  10201. ' - An array of values to set
  10202. ' - for this property. The last element of this
  10203. ' - array should be NULL.
  10204. ' - For single valued properties, the values beyond the
  10205. ' - first will be ignored upon update.
  10206. '
  10207. ' - If CERTTYPE_PROP_CN is set to a new value,
  10208. ' the hCertType will be the clone of the existing certificate type.
  10209. '
  10210. ' - CertType of V1 schema can only set V1 properties.
  10211. '
  10212. ' Returns - S_OK on success.
  10213. '
  10214. '
  10215. ' CAFreeCertTypeProperty
  10216. ' Frees a previously retrieved property value.
  10217. '
  10218. ' hCertType - Handle to an open CertType object.
  10219. '
  10220. ' awszPropertyValue - The values to be freed.
  10221. '
  10222. '
  10223. ' CAGetCertTypeExtensions
  10224. ' Retrieves the extensions associated with this CertType.
  10225. '
  10226. ' hCertType - Handle to an open CertType object.
  10227. ' ppCertExtensions - Pointer to a PCERT_EXTENSIONS to receive
  10228. ' - the result of this call. Should be freed
  10229. ' - via a CAFreeCertTypeExtensions call.
  10230. '
  10231. '
  10232. ' CAFreeCertTypeExtensions
  10233. ' Free a PCERT_EXTENSIONS allocated by CAGetCertTypeExtensions
  10234. '
  10235. '
  10236. ' CASetCertTypeExtension
  10237. ' Set the value of an extension for this
  10238. ' cert type.
  10239. '
  10240. ' hCertType - handle to the CertType
  10241. '
  10242. ' wszExtensionId - OID for the extension
  10243. '
  10244. ' dwFlags - Mark the extension critical
  10245. '
  10246. ' pExtension - pointer to the appropriate extension structure
  10247. '
  10248. ' Supported extensions/structures
  10249. '
  10250. ' szOID_ENHANCED_KEY_USAGE CERT_ENHKEY_USAGE
  10251. ' szOID_KEY_USAGE CRYPT_BIT_BLOB
  10252. ' szOID_BASIC_CONSTRAINTS2 CERT_BASIC_CONSTRAINTS2_INFO
  10253. '
  10254. ' Returns S_OK if successful.
  10255. '
  ' dwFlags value for CASetCertTypeExtension above: mark the extension critical.
  10256. Public Const CA_EXT_FLAG_CRITICAL As Long = &H00000001
  10257. '
  10258. ' CAGetCertTypeFlags
  10259. ' Retrieve cert type flags.
  10260. ' This function is obsolete. Use CAGetCertTypeFlagsEx.
  10261. '
  10262. ' hCertType - handle to the CertType
  10263. '
  10264. ' pdwFlags - pointer to DWORD receiving flags
  10265. '
  10266. '
  10267. ' CAGetCertTypeFlagsEx
  10268. ' Retrieve cert type flags
  10269. '
  10270. ' hCertType - handle to the CertType
  10271. '
  10272. ' dwOption - Which flag to set
  10273. ' Can be one of the following:
  10274. ' CERTTYPE_ENROLLMENT_FLAG
  10275. ' CERTTYPE_SUBJECT_NAME_FLAG
  10276. ' CERTTYPE_PRIVATE_KEY_FLAG
  10277. ' CERTTYPE_GENERAL_FLAG
  10278. '
  10279. ' pdwFlags - pointer to DWORD receiving flags
  10280. '
  10281. '************************************************************************************
  10282. '
  10283. ' Cert Type Flags
  10284. '
  10285. ' The CertType flags are grouped into 4 categories:
  10286. '************************************************************************************
  ' The four CertType flag categories. These are the dwOption selector values
  ' for CAGetCertTypeFlagsEx / CASetCertTypeFlagsEx (&H01..&H04; &H03 is not a
  ' single bit, so they are ordinals, not a bitmask). The CT_FLAG_* values in
  ' each category reuse the same numeric range — e.g. &H40 is
  ' CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT as an enrollment flag but
  ' CT_FLAG_MACHINE_TYPE as a general flag — so a flag value is only meaningful
  ' together with its category.
  10287. 'Enrollment Flags
  10288. Public Const CERTTYPE_ENROLLMENT_FLAG As Long = &H01
  10289. 'Certificate Subject Name Flags
  10290. Public Const CERTTYPE_SUBJECT_NAME_FLAG As Long = &H02
  10291. 'Private Key Flags
  10292. Public Const CERTTYPE_PRIVATE_KEY_FLAG As Long = &H03
  10293. 'General Flags
  10294. Public Const CERTTYPE_GENERAL_FLAG As Long = &H04
  10295. '******************************************************************************
  10296. '
  10297. ' Enrollment Flags:
  10298. '
  10299. '*******************************************************************************
  10300. ' Include the symmetric algorithms in the requests
  10301. Public Const CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS As Long = &H00000001
  10302. ' All certificate requests are pended
  ' (held for approval instead of being issued immediately; compare
  ' CA_FLAG_CA_SUPPORTS_MANUAL_AUTHENTICATION above)
  10303. Public Const CT_FLAG_PEND_ALL_REQUESTS As Long = &H00000002
  ' Not commented in the original; by name, publish to the KRA (key recovery
  ' agent) container — confirm against the consumer.
  10304. Public Const CT_FLAG_PUBLISH_TO_KRA_CONTAINER As Long = &H00000004
  10305. ' Publish the resultant cert to the userCertificate property in the DS
  10306. Public Const CT_FLAG_PUBLISH_TO_DS As Long = &H00000008
  10307. ' The autoenrollment will enroll for a new certificate even if the user has a certificate
  10308. ' published in the DS with the same template name
  10309. Public Const CT_FLAG_AUTO_ENROLLMENT_IGNORE_DS_CERTIFICATE As Long = &H00000010
  10310. ' This cert is appropriate for auto-enrollment
  10311. Public Const CT_FLAG_AUTO_ENROLLMENT As Long = &H00000020
  10312. ' A previously issued certificate will validate subsequent enrollment requests
  ' (presumably re-enrollment then skips the approval a first request needs)
  10313. Public Const CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT As Long = &H00000040
  10314. ' Domain authentication is not required.
  ' NOTE(review): this relaxes who can submit a request for the template;
  ' templates carrying it deserve a look at their enroll ACL and at
  ' CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in the next section.
  10315. Public Const CT_FLAG_DOMAIN_AUTHENTICATION_NOT_REQUIRED As Long = &H00000080
  10316. ' This flag will ONLY be set on V1 certificate templates for W2K CA only.
  ' (&H00000100 is unused in this category; CT_FLAG_ADD_DIRECTORY_PATH with
  ' that value appears under the obsolete V1 flags in the next section.)
  10317. Public Const CT_FLAG_ADD_TEMPLATE_NAME As Long = &H00000200
  10318. '******************************************************************************
  10319. '
  10320. ' Certificate Subject Name Flags:
  10321. '
  10322. '******************************************************************************
  10323. ' The enrolling application must supply the subject name.
  ' NOTE(review): with this set the identity in the issued certificate comes
  ' from the request rather than being built from the requester's directory
  ' object (which is what the CT_FLAG_SUBJECT_REQUIRE_* flags below appear to
  ' describe), so the CA's issuance policy and the template's enroll ACL are
  ' what bound which names a requester can obtain.
  10324. Public Const CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT As Long = &H00000001
  10325. ' The enrolling application must supply the subjectAltName in request
  ' (same consideration as CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
  10326. Public Const CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME As Long = &H00010000
  10327. ' Subject name should be full DN
  ' NOTE: VB6 Long is a signed 32-bit integer, so &H80000000 is the value
  ' -2147483648. Bitwise And/Or on the 32-bit pattern still work; ordered
  ' comparisons (<, >) against it do not behave like an unsigned DWORD.
  10328. Public Const CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH As Long = &H80000000
  10329. ' Subject name should be the common name
  10330. Public Const CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME As Long = &H40000000
  10331. ' Subject name includes the e-mail name
  10332. Public Const CT_FLAG_SUBJECT_REQUIRE_EMAIL As Long = &H20000000
  10333. ' Subject name includes the DNS name as the common name
  10334. Public Const CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN As Long = &H10000000
  10335. ' Subject alt name includes DNS name
  10336. Public Const CT_FLAG_SUBJECT_ALT_REQUIRE_DNS As Long = &H08000000
  10337. ' Subject alt name includes email name
  10338. Public Const CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL As Long = &H04000000
  10339. ' Subject alt name requires UPN
  10340. Public Const CT_FLAG_SUBJECT_ALT_REQUIRE_UPN As Long = &H02000000
  10341. ' Subject alt name requires directory GUID
  10342. Public Const CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID As Long = &H01000000
  10343. ' Subject alt name requires SPN
  10344. Public Const CT_FLAG_SUBJECT_ALT_REQUIRE_SPN As Long = &H00800000
  10345. '
  10346. ' Obsolete name
  10347. ' The following flags are obsolete. They are used by V1 templates in the general flags
  ' (i.e. despite appearing in this section they belong to the
  ' CERTTYPE_GENERAL_FLAG category when read from a V1 template)
  10348. '
  10349. ' The e-mail name of the principal will be added to the cert
  10350. Public Const CT_FLAG_ADD_EMAIL As Long = &H00000002
  10351. ' Add the object GUID for this principal
  10352. Public Const CT_FLAG_ADD_OBJ_GUID As Long = &H00000004
  10353. ' This flag is not SET in any of the V1 templates and is of no interests to
  10354. ' V2 templates since it is not present on the UI and will never be set.
  10355. Public Const CT_FLAG_ADD_DIRECTORY_PATH As Long = &H00000100
  10356. '******************************************************************************
  10357. '
  10358. ' Private Key Flags:
  10359. '
  10360. '******************************************************************************
  10361. ' Archival of the private key is allowed
  ' NOTE(review): archival means a copy of the subject's private key is kept
  ' outside the subject's own key store (the KRA-related names on this page —
  ' wszCERTTYPE_KEY_RECOVERY_AGENT, CT_FLAG_PUBLISH_TO_KRA_CONTAINER — suggest
  ' recovery by a key recovery agent); enable only where key recovery is an
  ' actual requirement.
  10362. Public Const CT_FLAG_ALLOW_PRIVATE_KEY_ARCHIVAL As Long = &H00000001
  10363. ' Make the key for this cert exportable.
  ' NOTE(review): an exportable private key can be copied out of the key
  ' store; leave unset unless portability of the key is required.
  10364. Public Const CT_FLAG_EXPORTABLE_KEY As Long = &H00000010
  10365. '******************************************************************************
  10366. '
  10367. ' General Flags
  10368. '
  10369. ' More flags should start from 0x00000400
  10370. '
  10371. '******************************************************************************
  10372. ' This is a machine cert type
  10373. Public Const CT_FLAG_MACHINE_TYPE As Long = &H00000040
  10374. ' This is a CA cert type
  10375. Public Const CT_FLAG_IS_CA As Long = &H00000080
  10376. ' This is one of the default certificate templates. The templates can not be edited or deleted.
  ' NOTE(review): the first sentence above is reconstructed — the original
  ' comment was truncated to "certificate templates. The templates can not be
  ' edited or deleted." It is consistent with CADeleteCertType's note that a
  ' default type reverts rather than being deleted.
  10377. Public Const CT_FLAG_IS_DEFAULT As Long = &H00010000
  ' Not commented in the original; by name, a default template whose
  ' attributes have been modified — confirm against the consumer.
  10378. Public Const CT_FLAG_IS_MODIFIED As Long = &H00020000
  10379. ' settable flags for general flags
  ' CT_FLAG_IS_DEFAULT (&H10000) and CT_FLAG_IS_MODIFIED (&H20000) lie above
  ' this mask, so by its name they are not settable through the API even
  ' though they are reported as general flags.
  10380. Public Const CT_MASK_SETTABLE_FLAGS As Long = &H0000ffff
  10381. '
  10382. ' CASetCertTypeFlags
  10383. ' Sets the General Flags of a cert type.
  10384. ' This function is obsolete. Use CASetCertTypeFlagsEx.
  10385. '
  10386. ' hCertType - handle to the CertType
  10387. '
  10388. ' dwFlags - Flags to be set
  10389. '
  10390. '
  10391. ' CASetCertTypeFlagsEx
  10392. ' Sets the Flags of a cert type
  10393. '
  10394. ' hCertType - handle to the CertType
  10395. '
  10396. ' dwOption - Which flag to set
  10397. ' Can be one of the following:
  10398. ' CERTTYPE_ENROLLMENT_FLAG
  10399. ' CERTTYPE_SUBJECT_NAME_FLAG
  10400. ' CERTTYPE_PRIVATE_KEY_FLAG
  10401. ' CERTTYPE_GENERAL_FLAG
  10402. '
  10403. ' dwFlags - Values to be set
  10404. '
  10405. '
  10406. '
  10407. '
  10408. ' CAGetCertTypeKeySpec
  10409. ' Retrieve the CAPI Key Spec for this cert type
  10410. '
  10411. ' hCertType - handle to the CertType
  10412. '
  10413. ' pdwKeySpec - pointer to DWORD receiving key spec
  10414. '
  10415. '
  10416. ' CACertTypeSetKeySpec
  10417. ' Sets the CAPI1 Key Spec of a cert type
  10418. '
  10419. ' hCertType - handle to the CertType
  10420. '
  10421. ' dwKeySpec - KeySpec to be set
  10422. '
  10423. '
  10424. ' CAGetCertTypeExpiration
  10425. ' Retrieve the Expiration Info for this cert type
  10426. '
  10427. ' pftExpiration - pointer to the FILETIME structure receiving
  10428. ' the expiration period for this cert type.
  10429. '
  10430. ' pftOverlap - pointer to the FILETIME structure receiving
  10431. ' - the suggested renewal overlap period for this
  10432. ' - cert type.
  10433. '
  10434. '
  10435. ' CASetCertTypeExpiration
  10436. ' Set the Expiration Info for this cert type
  10437. '
  10438. ' pftExpiration - pointer to the FILETIME structure containing
  10439. ' the expiration period for this cert type.
  10440. '
  10441. ' pftOverlap - pointer to the FILETIME structure containing
  10442. ' - the suggested renewal overlap period for this
  10443. ' - cert type.
  10444. '
  10445. '
  10446. ' CACertTypeSetSecurity
  10447. ' Set the list of Users, Groups, and Machines allowed
  10448. ' to access this cert type.
  10449. '
  10450. ' hCertType - handle to the CertType
  10451. '
  10452. ' pSD - Security descriptor for this cert type
  10453. '
  10454. '
  10455. ' CACertTypeGetSecurity
  10456. ' Get the list of Users, Groups, and Machines allowed
  10457. ' to access this cert type.
  10458. '
  10459. ' hCertType - handle to the CertType
  10460. '
  10461. ' ppaSidList - Pointer to a location receiving
  10462. ' - the pointer to the security descriptor
  10463. ' - Free via LocalFree
  10464. '
  10465. '
  10466. '
  10467. ' CACertTypeAccessCheck
  10468. ' Determine whether the principal specified by
  10469. ' ClientToken can be issued this cert type.
  10470. '
  10471. ' hCertType - handle to the CertType
  10472. '
  10473. ' ClientToken - Handle to an impersonation token
  10474. ' - that represents the client attempting
  10475. ' - to request this cert type. The handle must
  10476. ' - have TOKEN_QUERY access to the token;
  10477. ' - otherwise, the function fails with
  10478. ' - ERROR_ACCESS_DENIED.
  10479. '
  10480. ' Return: S_OK on success
  10481. '
  10482. '
  10483. '
  10484. ' CACertTypeAccessCheckEx
  10485. ' Determine whether the principal specified by
  10486. ' ClientToken can be issued this cert type.
  10487. '
  10488. ' hCertType - handle to the CertType
  10489. '
  10490. ' ClientToken - Handle to an impersonation token
  10491. ' - that represents the client attempting
  10492. ' - to request this cert type. The handle must
  10493. ' - have TOKEN_QUERY access to the token;
  10494. ' - otherwise, the function fails with
  10495. ' - ERROR_ACCESS_DENIED.
  10496. '
  10497. ' dwOption Can be one of the following:
  10498. '
  10499. ' - CERTTYPE_ACCESS_CHECK_ENROLL
  10500. ' - CERTTYPE_ACCESS_CHECK_AUTO_ENROLL
  10501. '
  10502. ' Return: S_OK on success
  10503. '
  ' dwOption values for CACertTypeAccessCheckEx above: by name, enroll
  ' permission and auto-enroll permission are checked separately.
  10504. Public Const CERTTYPE_ACCESS_CHECK_ENROLL As Long = &H01
  10505. Public Const CERTTYPE_ACCESS_CHECK_AUTO_ENROLL As Long = &H02
  ' The object-GUID alt-name OID from the C header was carried over as a
  ' comment only; no VB Const is defined for it here.
  10506. '#define szOID_ALT_NAME_OBJECT_GUID "1.3.6.1.4.1.311.25.1"
  10507. '************************************************************************************
  10508. '
  10509. ' OID management APIs
  10510. '
  10511. '************************************************************************************
  10512. '
  10513. ' CAOIDCreateNew
  10514. ' Create a new OID based on the enterprise base
  10515. '
  10516. ' dwType - Can be one of the following:
  10517. ' CERT_OID_TYPE_TEMPLATE
  10518. ' CERT_OID_TYPE_ISSUER_POLICY
  10519. ' CERT_OID_TYPE_APPLICATION_POLICY
  10520. '
  10521. ' dwFlag - Reserved. Must be 0.
  10522. '
  10523. '
  10524. ' Returns S_OK if successful.
  10525. '
  ' dwType selectors (ordinals, not bits) for CAOIDCreateNew / CAOIDAdd above.
  ' CERT_OID_TYPE_ALL (&H0), which the descriptions list only for
  ' CAOIDGetLdapURL, is defined further down.
  10526. Public Const CERT_OID_TYPE_TEMPLATE As Long = &H01
  10527. Public Const CERT_OID_TYPE_ISSUER_POLICY As Long = &H02
  10528. Public Const CERT_OID_TYPE_APPLICATION_POLICY As Long = &H03
  10529. '
  10530. ' CAOIDAdd
  10531. ' Add an OID to the DS repository
  10532. '
  10533. ' dwType - Can be one of the following:
  10534. ' CERT_OID_TYPE_TEMPLATE
  10535. ' CERT_OID_TYPE_ISSUER_POLICY
  10536. ' CERT_OID_TYPE_APPLICATION_POLICY
  10537. '
  10538. ' dwFlag - Reserved. Must be 0.
  10539. '
  10540. ' pwszOID - The OID to add.
  10541. '
  10542. ' Returns S_OK if successful.
  10543. ' Returns CRYPT_E_EXISTS if the OID already exists in the DS repository
  10544. '
  10545. '
  10546. ' CAOIDDelete
  10547. ' Delete the OID from the DS repository
  10548. '
  10549. ' pwszOID - The OID to delete.
  10550. '
  10551. ' Returns S_OK if successful.
  10552. '
  10553. '
  10554. ' CAOIDSetProperty
  10555. ' Set a property on an oid.
  10556. '
  10557. ' pwszOID - The oid whose value is set
  10558. ' dwProperty - The property name. Can be one of the following:
  10559. ' CERT_OID_PROPERTY_DISPLAY_NAME
  10560. ' CERT_OID_PROPERTY_CPS
  10561. '
  10562. ' pPropValue - The value of the property.
  10563. ' If dwProperty is CERT_OID_PROPERTY_DISPLAY_NAME,
  10564. ' pPropValue is LPWSTR.
  10565. ' if dwProperty is CERT_OID_PROPERTY_CPS,
  10566. ' pPropValue is LPWSTR.
  10567. '
  10568. ' Returns S_OK if successful.
  10569. '
  ' dwProperty selectors for CAOIDSetProperty / CAOIDGetProperty. Note that
  ' CERT_OID_PROPERTY_TYPE is listed only for CAOIDGetProperty (DWORD *)
  ' below, not among the values CAOIDSetProperty accepts above.
  10570. Public Const CERT_OID_PROPERTY_DISPLAY_NAME As Long = &H01
  10571. Public Const CERT_OID_PROPERTY_CPS As Long = &H02
  10572. Public Const CERT_OID_PROPERTY_TYPE As Long = &H03
  10573. '
  10574. ' CAOIDGetProperty
  10575. ' Get a property on an oid.
  10576. '
  10577. ' pwszOID - The oid whose value is queried
  10578. ' dwProperty - The property name. Can be one of the following:
  10579. ' CERT_OID_PROPERTY_DISPLAY_NAME
  10580. ' CERT_OID_PROPERTY_CPS
  10581. ' CERT_OID_PROPERTY_TYPE
  10582. '
  10583. ' pPropValue - The value of the property.
' If dwProperty is CERT_OID_PROPERTY_DISPLAY_NAME,
' pPropValue is LPWSTR *.
' If dwProperty is CERT_OID_PROPERTY_CPS,
' pPropValue is LPWSTR *.
'
'
' If dwProperty is CERT_OID_PROPERTY_TYPE,
' pPropValue is DWORD *.
  10592. '
  10593. ' Returns S_OK if successful.
  10594. '
  10595. '
  10596. ' CAOIDFreeProperty
  10597. ' Free a property returned from CAOIDGetProperty
  10598. '
  10599. ' pPropValue - The value of the property.
  10600. '
  10601. ' Returns S_OK if successful.
  10602. '
  10603. '
  10604. ' CAOIDGetLdapURL
  10605. '
' Return the LDAP URL for the OID repository, in the form of an LDAP: URL
' whose contents are determined by dwType.
  10609. '
  10610. ' dwType - Can be one of the following:
  10611. ' CERT_OID_TYPE_TEMPLATE
  10612. ' CERT_OID_TYPE_ISSUER_POLICY
  10613. ' CERT_OID_TYPE_APPLICATION_POLICY
  10614. ' CERT_OID_TYPE_ALL
  10615. '
  10616. ' dwFlag - Reserved. Must be 0.
  10617. '
  10618. ' ppwszURL - Return the URL. Free memory via CAOIDFreeLdapURL.
  10619. '
  10620. ' Returns S_OK if successful.
  10621. '
  10622. Public Const CERT_OID_TYPE_ALL As Long = &H0
  10623. '
  10624. ' CAOIDFreeLDAPURL
  10625. ' Free the URL returned from CAOIDGetLdapURL
  10626. '
  10627. ' pwszURL - The URL returned from CAOIDGetLdapURL
  10628. '
  10629. ' Returns S_OK if successful.
  10630. '
' The LDAP attribute names used for the OID class in the DS repository
  10632. Public Const OID_PROP_TYPE As String = "flags"
  10633. Public Const OID_PROP_OID As String = "msPKI-Cert-Template-OID"
  10634. Public Const OID_PROP_DISPLAY_NAME As String = "displayName"
  10635. Public Const OID_PROP_CPS As String = "msPKI-OID-CPS"
  10636. '************************************************************************************
  10637. '
  10638. ' Autoenrollment APIs
  10639. '
  10640. '************************************************************************************
  10641. '
  10642. ' CACreateLocalAutoEnrollmentObject
  10643. ' Create an auto-enrollment object on the local machine.
  10644. '
  10645. ' pwszCertType - The name of the certificate type for which to create the
  10646. ' auto-enrollment object
  10647. '
' awszCAs - The list of CAs to add to the auto-enrollment object,
' - with the last entry in the list being NULL.
' - If the list is NULL or empty, it creates an auto-enrollment
' - object which instructs the system to enroll for a cert at any
' - CA supporting the requested certificate type.
  10653. '
  10654. ' pSignerInfo - not used, must be NULL.
  10655. '
  10656. ' dwFlags - can be CERT_SYSTEM_STORE_CURRENT_USER, or CERT_SYSTEM_STORE_LOCAL_MACHINE, indicating
  10657. ' - auto-enrollment store in which the auto-enrollment object is created.
  10658. '
  10659. ' Return: S_OK on success.
  10660. '
  10661. '
  10662. '
  10663. ' CACreateAutoEnrollmentObjectEx
  10664. ' Create an auto-enrollment object in the indicated store.
  10665. '
  10666. ' pwszCertType - The name of the certificate type for which to create the
  10667. ' auto-enrollment object
  10668. '
' pwszObjectID - An identifying string for this autoenrollment object.
' NULL may be passed if this object is simply to be identified by
' its certificate template. An autoenrollment object is identified
' by a combination of its object id and its cert type name.
  10673. '
' awszCAs - The list of CAs to add to the auto-enrollment object,
' - with the last entry in the list being NULL.
' - If the list is NULL or empty, it creates an auto-enrollment
' - object which instructs the system to enroll for a cert at any
' - CA supporting the requested certificate type.
  10679. '
  10680. ' pSignerInfo - not used, must be NULL.
  10681. '
  10682. ' StoreProvider - see CertOpenStore
  10683. '
  10684. ' dwFlags - see CertOpenStore
  10685. '
  10686. ' pvPara - see CertOpenStore
  10687. '
  10688. ' Return: S_OK on success.
  10689. '
  10690. '
  10691. '************************************************************************************
  10692. '
  10693. ' Cert Server RPC interfaces:
  10694. '
  10695. '************************************************************************************