Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

10695 lines
495 KiB

Attribute VB_Name = "Const"
Option Explicit
'+---------------------------------------------------------------------------
'
' Microsoft Windows
'
' File: wincrypt.h
'
' Contents: Cryptographic API Prototypes and Definitions
'
'----------------------------------------------------------------------------
'
' Algorithm IDs and Flags
'
' ALG_ID crackers
' Algorithm classes
Public Const ALG_CLASS_ANY As Long = 0
' Algorithm types
Public Const ALG_TYPE_ANY As Long = 0
' Generic sub-ids
Public Const ALG_SID_ANY As Long = 0
' Some RSA sub-ids
Public Const ALG_SID_RSA_ANY As Long = 0
Public Const ALG_SID_RSA_PKCS As Long = 1
Public Const ALG_SID_RSA_MSATWORK As Long = 2
Public Const ALG_SID_RSA_ENTRUST As Long = 3
Public Const ALG_SID_RSA_PGP As Long = 4
' Some DSS sub-ids
'
Public Const ALG_SID_DSS_ANY As Long = 0
Public Const ALG_SID_DSS_PKCS As Long = 1
Public Const ALG_SID_DSS_DMS As Long = 2
' Block cipher sub ids
' DES sub_ids
Public Const ALG_SID_DES As Long = 1
Public Const ALG_SID_3DES As Long = 3
Public Const ALG_SID_DESX As Long = 4
Public Const ALG_SID_IDEA As Long = 5
Public Const ALG_SID_CAST As Long = 6
Public Const ALG_SID_SAFERSK64 As Long = 7
Public Const ALG_SID_SAFERSK128 As Long = 8
Public Const ALG_SID_3DES_112 As Long = 9
Public Const ALG_SID_CYLINK_MEK As Long = 12
Public Const ALG_SID_RC5 As Long = 13
' Fortezza sub-ids
Public Const ALG_SID_SKIPJACK As Long = 10
Public Const ALG_SID_TEK As Long = 11
' KP_MODE
Public Const CRYPT_MODE_CBCI As Long = 6
Public Const CRYPT_MODE_CFBP As Long = 7
Public Const CRYPT_MODE_OFBP As Long = 8
Public Const CRYPT_MODE_CBCOFM As Long = 9
Public Const CRYPT_MODE_CBCOFMI As Long = 10
' RC2 sub-ids
Public Const ALG_SID_RC2 As Long = 2
' Stream cipher sub-ids
Public Const ALG_SID_RC4 As Long = 1
Public Const ALG_SID_SEAL As Long = 2
' Diffie-Hellman sub-ids
Public Const ALG_SID_DH_SANDF As Long = 1
Public Const ALG_SID_DH_EPHEM As Long = 2
Public Const ALG_SID_AGREED_KEY_ANY As Long = 3
Public Const ALG_SID_KEA As Long = 4
' Hash sub ids
Public Const ALG_SID_MD2 As Long = 1
Public Const ALG_SID_MD4 As Long = 2
Public Const ALG_SID_MD5 As Long = 3
Public Const ALG_SID_SHA As Long = 4
Public Const ALG_SID_SHA1 As Long = 4
Public Const ALG_SID_MAC As Long = 5
Public Const ALG_SID_RIPEMD As Long = 6
Public Const ALG_SID_RIPEMD160 As Long = 7
Public Const ALG_SID_SSL3SHAMD5 As Long = 8
Public Const ALG_SID_HMAC As Long = 9
Public Const ALG_SID_TLS1PRF As Long = 10
' secure channel sub ids
Public Const ALG_SID_SSL3_MASTER As Long = 1
Public Const ALG_SID_SCHANNEL_MASTER_HASH As Long = 2
Public Const ALG_SID_SCHANNEL_MAC_KEY As Long = 3
Public Const ALG_SID_PCT1_MASTER As Long = 4
Public Const ALG_SID_SSL2_MASTER As Long = 5
Public Const ALG_SID_TLS1_MASTER As Long = 6
Public Const ALG_SID_SCHANNEL_ENC_KEY As Long = 7
' Our silly example sub-id
Public Const ALG_SID_EXAMPLE As Long = 80
' algorithm identifier definitions
' resource number for signatures in the CSP
Public Const SIGNATURE_RESOURCE_NUMBER As Long = &H29A
' dwFlags definitions for CryptAcquireContext
Public Const CRYPT_VERIFYCONTEXT As Long = &HF0000000
Public Const CRYPT_NEWKEYSET As Long = &H00000008
Public Const CRYPT_DELETEKEYSET As Long = &H00000010
Public Const CRYPT_MACHINE_KEYSET As Long = &H00000020
Public Const CRYPT_SILENT As Long = &H00000040
' dwFlag definitions for CryptGenKey
Public Const CRYPT_EXPORTABLE As Long = &H00000001
Public Const CRYPT_USER_PROTECTED As Long = &H00000002
Public Const CRYPT_CREATE_SALT As Long = &H00000004
Public Const CRYPT_UPDATE_KEY As Long = &H00000008
Public Const CRYPT_NO_SALT As Long = &H00000010
Public Const CRYPT_PREGEN As Long = &H00000040
Public Const CRYPT_RECIPIENT As Long = &H00000010
Public Const CRYPT_INITIATOR As Long = &H00000040
Public Const CRYPT_ONLINE As Long = &H00000080
Public Const CRYPT_SF As Long = &H00000100
Public Const CRYPT_CREATE_IV As Long = &H00000200
Public Const CRYPT_KEK As Long = &H00000400
Public Const CRYPT_DATA_KEY As Long = &H00000800
Public Const CRYPT_VOLATILE As Long = &H00001000
Public Const CRYPT_SGCKEY As Long = &H00002000
Public Const RSA1024BIT_KEY As Long = &H04000000
' dwFlags definitions for CryptDeriveKey
Public Const CRYPT_SERVER As Long = &H00000400
Public Const KEY_LENGTH_MASK As Long = &HFFFF0000
' dwFlag definitions for CryptExportKey
Public Const CRYPT_Y_ONLY As Long = &H00000001
Public Const CRYPT_SSL2_FALLBACK As Long = &H00000002
Public Const CRYPT_DESTROYKEY As Long = &H00000004
Public Const CRYPT_OAEP As Long = &H00000040
Public Const CRYPT_BLOB_VER3 As Long = &H00000080
' dwFlags definitions for CryptCreateHash
Public Const CRYPT_SECRETDIGEST As Long = &H00000001
' dwFlags definitions for CryptHashSessionKey
Public Const CRYPT_LITTLE_ENDIAN As Long = &H00000001
' dwFlags definitions for CryptSignHash and CryptVerifySignature
Public Const CRYPT_NOHASHOID As Long = &H00000001
Public Const CRYPT_TYPE2_FORMAT As Long = &H00000002
Public Const CRYPT_X931_FORMAT As Long = &H00000004
' dwFlag definitions for CryptSetProviderEx and CryptGetDefaultProvider
Public Const CRYPT_MACHINE_DEFAULT As Long = &H00000001
Public Const CRYPT_USER_DEFAULT As Long = &H00000002
Public Const CRYPT_DELETE_DEFAULT As Long = &H00000004
' exported key blob definitions
Public Const SIMPLEBLOB As Long = &H1
Public Const PUBLICKEYBLOB As Long = &H6
Public Const PRIVATEKEYBLOB As Long = &H7
Public Const PLAINTEXTKEYBLOB As Long = &H8
Public Const OPAQUEKEYBLOB As Long = &H9
Public Const PUBLICKEYBLOBEX As Long = &HA
Public Const SYMMETRICWRAPKEYBLOB As Long = &HB
Public Const AT_KEYEXCHANGE As Long = 1
Public Const AT_SIGNATURE As Long = 2
Public Const CRYPT_USERDATA As Long = 1
' dwParam
Public Const KP_IV As Long = 1
Public Const KP_SALT As Long = 2
Public Const KP_PADDING As Long = 3
Public Const KP_MODE As Long = 4
Public Const KP_MODE_BITS As Long = 5
Public Const KP_PERMISSIONS As Long = 6
Public Const KP_ALGID As Long = 7
Public Const KP_BLOCKLEN As Long = 8
Public Const KP_KEYLEN As Long = 9
Public Const KP_SALT_EX As Long = 10
Public Const KP_P As Long = 11
Public Const KP_G As Long = 12
Public Const KP_Q As Long = 13
Public Const KP_X As Long = 14
Public Const KP_Y As Long = 15
Public Const KP_RA As Long = 16
Public Const KP_RB As Long = 17
Public Const KP_INFO As Long = 18
Public Const KP_EFFECTIVE_KEYLEN As Long = 19
Public Const KP_SCHANNEL_ALG As Long = 20
Public Const KP_CLIENT_RANDOM As Long = 21
Public Const KP_SERVER_RANDOM As Long = 22
Public Const KP_RP As Long = 23
Public Const KP_PRECOMP_MD5 As Long = 24
Public Const KP_PRECOMP_SHA As Long = 25
Public Const KP_CERTIFICATE As Long = 26
Public Const KP_CLEAR_KEY As Long = 27
Public Const KP_PUB_EX_LEN As Long = 28
Public Const KP_PUB_EX_VAL As Long = 29
Public Const KP_KEYVAL As Long = 30
Public Const KP_ADMIN_PIN As Long = 31
Public Const KP_KEYEXCHANGE_PIN As Long = 32
Public Const KP_SIGNATURE_PIN As Long = 33
Public Const KP_PREHASH As Long = 34
Public Const KP_OAEP_PARAMS As Long = 36
Public Const KP_CMS_KEY_INFO As Long = 37
Public Const KP_CMS_DH_KEY_INFO As Long = 38
Public Const KP_PUB_PARAMS As Long = 39
Public Const KP_VERIFY_PARAMS As Long = 40
Public Const KP_HIGHEST_VERSION As Long = 41
' KP_PADDING
Public Const PKCS5_PADDING As Long = 1
Public Const RANDOM_PADDING As Long = 2
Public Const ZERO_PADDING As Long = 3
' KP_MODE
Public Const CRYPT_MODE_CBC As Long = 1
Public Const CRYPT_MODE_ECB As Long = 2
Public Const CRYPT_MODE_OFB As Long = 3
Public Const CRYPT_MODE_CFB As Long = 4
Public Const CRYPT_MODE_CTS As Long = 5
' KP_PERMISSIONS
Public Const CRYPT_ENCRYPT As Long = &H0001
Public Const CRYPT_DECRYPT As Long = &H0002
Public Const CRYPT_EXPORT As Long = &H0004
Public Const CRYPT_READ As Long = &H0008
Public Const CRYPT_WRITE As Long = &H0010
Public Const CRYPT_MAC As Long = &H0020
Public Const CRYPT_EXPORT_KEY As Long = &H0040
Public Const CRYPT_IMPORT_KEY As Long = &H0080
Public Const HP_ALGID As Long = &H0001
Public Const HP_HASHVAL As Long = &H0002
Public Const HP_HASHSIZE As Long = &H0004
Public Const HP_HMAC_INFO As Long = &H0005
Public Const HP_TLS1PRF_LABEL As Long = &H0006
Public Const HP_TLS1PRF_SEED As Long = &H0007
'
' CryptGetProvParam
'
Public Const PP_ENUMALGS As Long = 1
Public Const PP_ENUMCONTAINERS As Long = 2
Public Const PP_IMPTYPE As Long = 3
Public Const PP_NAME As Long = 4
Public Const PP_VERSION As Long = 5
Public Const PP_CONTAINER As Long = 6
Public Const PP_CHANGE_PASSWORD As Long = 7
Public Const PP_KEYSET_SEC_DESCR As Long = 8
Public Const PP_CERTCHAIN As Long = 9
Public Const PP_KEY_TYPE_SUBTYPE As Long = 10
Public Const PP_PROVTYPE As Long = 16
Public Const PP_KEYSTORAGE As Long = 17
Public Const PP_APPLI_CERT As Long = 18
Public Const PP_SYM_KEYSIZE As Long = 19
Public Const PP_SESSION_KEYSIZE As Long = 20
Public Const PP_UI_PROMPT As Long = 21
Public Const PP_ENUMALGS_EX As Long = 22
Public Const PP_ENUMMANDROOTS As Long = 25
Public Const PP_ENUMELECTROOTS As Long = 26
Public Const PP_KEYSET_TYPE As Long = 27
Public Const PP_ADMIN_PIN As Long = 31
Public Const PP_KEYEXCHANGE_PIN As Long = 32
Public Const PP_SIGNATURE_PIN As Long = 33
Public Const PP_SIG_KEYSIZE_INC As Long = 34
Public Const PP_KEYX_KEYSIZE_INC As Long = 35
Public Const PP_UNIQUE_CONTAINER As Long = 36
Public Const PP_SGC_INFO As Long = 37
Public Const PP_USE_HARDWARE_RNG As Long = 38
Public Const PP_KEYSPEC As Long = 39
Public Const PP_ENUMEX_SIGNING_PROT As Long = 40
Public Const CRYPT_FIRST As Long = 1
Public Const CRYPT_NEXT As Long = 2
Public Const CRYPT_SGC_ENUM As Long = 4
Public Const CRYPT_IMPL_HARDWARE As Long = 1
Public Const CRYPT_IMPL_SOFTWARE As Long = 2
Public Const CRYPT_IMPL_MIXED As Long = 3
Public Const CRYPT_IMPL_UNKNOWN As Long = 4
Public Const CRYPT_IMPL_REMOVABLE As Long = 8
' key storage flags
Public Const CRYPT_SEC_DESCR As Long = &H00000001
Public Const CRYPT_PSTORE As Long = &H00000002
Public Const CRYPT_UI_PROMPT As Long = &H00000004
' protocol flags
Public Const CRYPT_FLAG_PCT1 As Long = &H0001
Public Const CRYPT_FLAG_SSL2 As Long = &H0002
Public Const CRYPT_FLAG_SSL3 As Long = &H0004
Public Const CRYPT_FLAG_TLS1 As Long = &H0008
Public Const CRYPT_FLAG_IPSEC As Long = &H0010
Public Const CRYPT_FLAG_SIGNING As Long = &H0020
' SGC flags
Public Const CRYPT_SGC As Long = &H0001
Public Const CRYPT_FASTSGC As Long = &H0002
'
' CryptSetProvParam
'
Public Const PP_CLIENT_HWND As Long = 1
Public Const PP_CONTEXT_INFO As Long = 11
Public Const PP_KEYEXCHANGE_KEYSIZE As Long = 12
Public Const PP_SIGNATURE_KEYSIZE As Long = 13
Public Const PP_KEYEXCHANGE_ALG As Long = 14
Public Const PP_SIGNATURE_ALG As Long = 15
Public Const PP_DELETEKEY As Long = 24
Public Const PROV_RSA_FULL As Long = 1
Public Const PROV_RSA_SIG As Long = 2
Public Const PROV_DSS As Long = 3
Public Const PROV_FORTEZZA As Long = 4
Public Const PROV_MS_EXCHANGE As Long = 5
Public Const PROV_SSL As Long = 6
Public Const PROV_RSA_SCHANNEL As Long = 12
Public Const PROV_DSS_DH As Long = 13
Public Const PROV_EC_ECDSA_SIG As Long = 14
Public Const PROV_EC_ECNRA_SIG As Long = 15
Public Const PROV_EC_ECDSA_FULL As Long = 16
Public Const PROV_EC_ECNRA_FULL As Long = 17
Public Const PROV_DH_SCHANNEL As Long = 18
Public Const PROV_SPYRUS_LYNKS As Long = 20
Public Const PROV_RNG As Long = 21
Public Const PROV_INTEL_SEC As Long = 22
'
' STT defined Providers
'
Public Const PROV_STT_MER As Long = 7
Public Const PROV_STT_ACQ As Long = 8
Public Const PROV_STT_BRND As Long = 9
Public Const PROV_STT_ROOT As Long = 10
Public Const PROV_STT_ISS As Long = 11
'
' Provider friendly names
'
Public Const MS_DEF_PROV_A As String = "Microsoft Base Cryptographic Provider v1.0"
Public Const MS_DEF_PROV_W As String = "Microsoft Base Cryptographic Provider v1.0"
Public Const MS_ENHANCED_PROV_A As String = "Microsoft Enhanced Cryptographic Provider v1.0"
Public Const MS_ENHANCED_PROV_W As String = "Microsoft Enhanced Cryptographic Provider v1.0"
Public Const MS_STRONG_PROV_A As String = "Microsoft Strong Cryptographic Provider"
Public Const MS_STRONG_PROV_W As String = "Microsoft Strong Cryptographic Provider"
Public Const MS_DEF_RSA_SIG_PROV_A As String = "Microsoft RSA Signature Cryptographic Provider"
Public Const MS_DEF_RSA_SIG_PROV_W As String = "Microsoft RSA Signature Cryptographic Provider"
Public Const MS_DEF_RSA_SCHANNEL_PROV_A As String = "Microsoft RSA SChannel Cryptographic Provider"
Public Const MS_DEF_RSA_SCHANNEL_PROV_W As String = "Microsoft RSA SChannel Cryptographic Provider"
Public Const MS_DEF_DSS_PROV_A As String = "Microsoft Base DSS Cryptographic Provider"
Public Const MS_DEF_DSS_PROV_W As String = "Microsoft Base DSS Cryptographic Provider"
Public Const MS_DEF_DSS_DH_PROV_A As String = "Microsoft Base DSS and Diffie-Hellman Cryptographic Provider"
Public Const MS_DEF_DSS_DH_PROV_W As String = "Microsoft Base DSS and Diffie-Hellman Cryptographic Provider"
Public Const MS_ENH_DSS_DH_PROV_A As String = "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider"
Public Const MS_ENH_DSS_DH_PROV_W As String = "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider"
Public Const MS_DEF_DH_SCHANNEL_PROV_A As String = "Microsoft DH SChannel Cryptographic Provider"
Public Const MS_DEF_DH_SCHANNEL_PROV_W As String = "Microsoft DH SChannel Cryptographic Provider"
Public Const MS_SCARD_PROV_A As String = "Microsoft Base Smart Card Crypto Provider"
Public Const MS_SCARD_PROV_W As String = "Microsoft Base Smart Card Crypto Provider"
Public Const MAXUIDLEN As Long = 64
' Exponentiation Offload Reg Location
Public Const EXPO_OFFLOAD_REG_VALUE As String = "ExpoOffload"
Public Const EXPO_OFFLOAD_FUNC_NAME As String = "OffloadModExpo"
Public Const CUR_BLOB_VERSION As Long = 2
' structure for use with CryptSetKeyParam for CMS keys
' DO NOT USE THIS STRUCTURE!!!!!
' structure for use with CryptSetHashParam with CALG_HMAC
' structure for use with CryptSetKeyParam with KP_SCHANNEL_ALG
' uses of algortihms for SCHANNEL_ALG structure
Public Const SCHANNEL_MAC_KEY As Long = &H00000000
Public Const SCHANNEL_ENC_KEY As Long = &H00000001
' uses of dwFlags SCHANNEL_ALG structure
Public Const INTERNATIONAL_USAGE As Long = &H00000001
'+-------------------------------------------------------------------------
' CRYPTOAPI BLOB definitions
'--------------------------------------------------------------------------
' structure for use with CryptSetKeyParam for CMS keys
'+-------------------------------------------------------------------------
' In a CRYPT_BIT_BLOB the last byte may contain 0-7 unused bits. Therefore, the
' overall bit length is cbData * 8 - cUnusedBits.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Type used for any algorithm
'
' Where the Parameters CRYPT_OBJID_BLOB is in its encoded representation. For most
'--------------------------------------------------------------------------
' Following are the definitions of various algorithm object identifiers
' RSA
Public Const szOID_RSA As String = "1.2.840.113549"
Public Const szOID_PKCS As String = "1.2.840.113549.1"
Public Const szOID_RSA_HASH As String = "1.2.840.113549.2"
Public Const szOID_RSA_ENCRYPT As String = "1.2.840.113549.3"
Public Const szOID_PKCS_1 As String = "1.2.840.113549.1.1"
Public Const szOID_PKCS_2 As String = "1.2.840.113549.1.2"
Public Const szOID_PKCS_3 As String = "1.2.840.113549.1.3"
Public Const szOID_PKCS_4 As String = "1.2.840.113549.1.4"
Public Const szOID_PKCS_5 As String = "1.2.840.113549.1.5"
Public Const szOID_PKCS_6 As String = "1.2.840.113549.1.6"
Public Const szOID_PKCS_7 As String = "1.2.840.113549.1.7"
Public Const szOID_PKCS_8 As String = "1.2.840.113549.1.8"
Public Const szOID_PKCS_9 As String = "1.2.840.113549.1.9"
Public Const szOID_PKCS_10 As String = "1.2.840.113549.1.10"
Public Const szOID_PKCS_12 As String = "1.2.840.113549.1.12"
Public Const szOID_RSA_RSA As String = "1.2.840.113549.1.1.1"
Public Const szOID_RSA_MD2RSA As String = "1.2.840.113549.1.1.2"
Public Const szOID_RSA_MD4RSA As String = "1.2.840.113549.1.1.3"
Public Const szOID_RSA_MD5RSA As String = "1.2.840.113549.1.1.4"
Public Const szOID_RSA_SHA1RSA As String = "1.2.840.113549.1.1.5"
Public Const szOID_RSA_SETOAEP_RSA As String = "1.2.840.113549.1.1.6"
Public Const szOID_RSA_DH As String = "1.2.840.113549.1.3.1"
Public Const szOID_RSA_data As String = "1.2.840.113549.1.7.1"
Public Const szOID_RSA_signedData As String = "1.2.840.113549.1.7.2"
Public Const szOID_RSA_envelopedData As String = "1.2.840.113549.1.7.3"
Public Const szOID_RSA_signEnvData As String = "1.2.840.113549.1.7.4"
Public Const szOID_RSA_digestedData As String = "1.2.840.113549.1.7.5"
Public Const szOID_RSA_hashedData As String = "1.2.840.113549.1.7.5"
Public Const szOID_RSA_encryptedData As String = "1.2.840.113549.1.7.6"
Public Const szOID_RSA_emailAddr As String = "1.2.840.113549.1.9.1"
Public Const szOID_RSA_unstructName As String = "1.2.840.113549.1.9.2"
Public Const szOID_RSA_contentType As String = "1.2.840.113549.1.9.3"
Public Const szOID_RSA_messageDigest As String = "1.2.840.113549.1.9.4"
Public Const szOID_RSA_signingTime As String = "1.2.840.113549.1.9.5"
Public Const szOID_RSA_counterSign As String = "1.2.840.113549.1.9.6"
Public Const szOID_RSA_challengePwd As String = "1.2.840.113549.1.9.7"
Public Const szOID_RSA_unstructAddr As String = "1.2.840.113549.1.9.8"
Public Const szOID_RSA_extCertAttrs As String = "1.2.840.113549.1.9.9"
Public Const szOID_RSA_certExtensions As String = "1.2.840.113549.1.9.14"
Public Const szOID_RSA_SMIMECapabilities As String = "1.2.840.113549.1.9.15"
Public Const szOID_RSA_preferSignedData As String = "1.2.840.113549.1.9.15.1"
Public Const szOID_RSA_SMIMEalg As String = "1.2.840.113549.1.9.16.3"
Public Const szOID_RSA_SMIMEalgESDH As String = "1.2.840.113549.1.9.16.3.5"
Public Const szOID_RSA_SMIMEalgCMS3DESwrap As String = "1.2.840.113549.1.9.16.3.6"
Public Const szOID_RSA_SMIMEalgCMSRC2wrap As String = "1.2.840.113549.1.9.16.3.7"
Public Const szOID_RSA_MD2 As String = "1.2.840.113549.2.2"
Public Const szOID_RSA_MD4 As String = "1.2.840.113549.2.4"
Public Const szOID_RSA_MD5 As String = "1.2.840.113549.2.5"
Public Const szOID_RSA_RC2CBC As String = "1.2.840.113549.3.2"
Public Const szOID_RSA_RC4 As String = "1.2.840.113549.3.4"
Public Const szOID_RSA_DES_EDE3_CBC As String = "1.2.840.113549.3.7"
Public Const szOID_RSA_RC5_CBCPad As String = "1.2.840.113549.3.9"
Public Const szOID_ANSI_X942 As String = "1.2.840.10046"
Public Const szOID_ANSI_X942_DH As String = "1.2.840.10046.2.1"
Public Const szOID_X957 As String = "1.2.840.10040"
Public Const szOID_X957_DSA As String = "1.2.840.10040.4.1"
Public Const szOID_X957_SHA1DSA As String = "1.2.840.10040.4.3"
' ITU-T UsefulDefinitions
Public Const szOID_DS As String = "2.5"
Public Const szOID_DSALG As String = "2.5.8"
Public Const szOID_DSALG_CRPT As String = "2.5.8.1"
Public Const szOID_DSALG_HASH As String = "2.5.8.2"
Public Const szOID_DSALG_SIGN As String = "2.5.8.3"
Public Const szOID_DSALG_RSA As String = "2.5.8.1.1"
' http:
' http:
Public Const szOID_OIW As String = "1.3.14"
Public Const szOID_OIWSEC As String = "1.3.14.3.2"
Public Const szOID_OIWSEC_md4RSA As String = "1.3.14.3.2.2"
Public Const szOID_OIWSEC_md5RSA As String = "1.3.14.3.2.3"
Public Const szOID_OIWSEC_md4RSA2 As String = "1.3.14.3.2.4"
Public Const szOID_OIWSEC_desECB As String = "1.3.14.3.2.6"
Public Const szOID_OIWSEC_desCBC As String = "1.3.14.3.2.7"
Public Const szOID_OIWSEC_desOFB As String = "1.3.14.3.2.8"
Public Const szOID_OIWSEC_desCFB As String = "1.3.14.3.2.9"
Public Const szOID_OIWSEC_desMAC As String = "1.3.14.3.2.10"
Public Const szOID_OIWSEC_rsaSign As String = "1.3.14.3.2.11"
Public Const szOID_OIWSEC_dsa As String = "1.3.14.3.2.12"
Public Const szOID_OIWSEC_shaDSA As String = "1.3.14.3.2.13"
Public Const szOID_OIWSEC_mdc2RSA As String = "1.3.14.3.2.14"
Public Const szOID_OIWSEC_shaRSA As String = "1.3.14.3.2.15"
Public Const szOID_OIWSEC_dhCommMod As String = "1.3.14.3.2.16"
Public Const szOID_OIWSEC_desEDE As String = "1.3.14.3.2.17"
Public Const szOID_OIWSEC_sha As String = "1.3.14.3.2.18"
Public Const szOID_OIWSEC_mdc2 As String = "1.3.14.3.2.19"
Public Const szOID_OIWSEC_dsaComm As String = "1.3.14.3.2.20"
Public Const szOID_OIWSEC_dsaCommSHA As String = "1.3.14.3.2.21"
Public Const szOID_OIWSEC_rsaXchg As String = "1.3.14.3.2.22"
Public Const szOID_OIWSEC_keyHashSeal As String = "1.3.14.3.2.23"
Public Const szOID_OIWSEC_md2RSASign As String = "1.3.14.3.2.24"
Public Const szOID_OIWSEC_md5RSASign As String = "1.3.14.3.2.25"
Public Const szOID_OIWSEC_sha1 As String = "1.3.14.3.2.26"
Public Const szOID_OIWSEC_dsaSHA1 As String = "1.3.14.3.2.27"
Public Const szOID_OIWSEC_dsaCommSHA1 As String = "1.3.14.3.2.28"
Public Const szOID_OIWSEC_sha1RSASign As String = "1.3.14.3.2.29"
Public Const szOID_OIWDIR As String = "1.3.14.7.2"
Public Const szOID_OIWDIR_CRPT As String = "1.3.14.7.2.1"
Public Const szOID_OIWDIR_HASH As String = "1.3.14.7.2.2"
Public Const szOID_OIWDIR_SIGN As String = "1.3.14.7.2.3"
Public Const szOID_OIWDIR_md2 As String = "1.3.14.7.2.2.1"
Public Const szOID_OIWDIR_md2RSA As String = "1.3.14.7.2.3.1"
' INFOSEC Algorithms
Public Const szOID_INFOSEC As String = "2.16.840.1.101.2.1"
Public Const szOID_INFOSEC_sdnsSignature As String = "2.16.840.1.101.2.1.1.1"
Public Const szOID_INFOSEC_mosaicSignature As String = "2.16.840.1.101.2.1.1.2"
Public Const szOID_INFOSEC_sdnsConfidentiality As String = "2.16.840.1.101.2.1.1.3"
Public Const szOID_INFOSEC_mosaicConfidentiality As String = "2.16.840.1.101.2.1.1.4"
Public Const szOID_INFOSEC_sdnsIntegrity As String = "2.16.840.1.101.2.1.1.5"
Public Const szOID_INFOSEC_mosaicIntegrity As String = "2.16.840.1.101.2.1.1.6"
Public Const szOID_INFOSEC_sdnsTokenProtection As String = "2.16.840.1.101.2.1.1.7"
Public Const szOID_INFOSEC_mosaicTokenProtection As String = "2.16.840.1.101.2.1.1.8"
Public Const szOID_INFOSEC_sdnsKeyManagement As String = "2.16.840.1.101.2.1.1.9"
Public Const szOID_INFOSEC_mosaicKeyManagement As String = "2.16.840.1.101.2.1.1.10"
Public Const szOID_INFOSEC_sdnsKMandSig As String = "2.16.840.1.101.2.1.1.11"
Public Const szOID_INFOSEC_mosaicKMandSig As String = "2.16.840.1.101.2.1.1.12"
Public Const szOID_INFOSEC_SuiteASignature As String = "2.16.840.1.101.2.1.1.13"
Public Const szOID_INFOSEC_SuiteAConfidentiality As String = "2.16.840.1.101.2.1.1.14"
Public Const szOID_INFOSEC_SuiteAIntegrity As String = "2.16.840.1.101.2.1.1.15"
Public Const szOID_INFOSEC_SuiteATokenProtection As String = "2.16.840.1.101.2.1.1.16"
Public Const szOID_INFOSEC_SuiteAKeyManagement As String = "2.16.840.1.101.2.1.1.17"
Public Const szOID_INFOSEC_SuiteAKMandSig As String = "2.16.840.1.101.2.1.1.18"
Public Const szOID_INFOSEC_mosaicUpdatedSig As String = "2.16.840.1.101.2.1.1.19"
Public Const szOID_INFOSEC_mosaicKMandUpdSig As String = "2.16.840.1.101.2.1.1.20"
Public Const szOID_INFOSEC_mosaicUpdatedInteg As String = "2.16.840.1.101.2.1.1.21"
'+-------------------------------------------------------------------------
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Type used for an extension to an encoded content
'
' Where the Value's CRYPT_OBJID_BLOB is in its encoded representation.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' AttributeTypeValue
'
' Where the Value's CRYPT_OBJID_BLOB is in its encoded representation.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Attributes
'
' Where the Value's PATTR_BLOBs are in their encoded representation.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
'
' The interpretation of the Value depends on the dwValueType.
' See below for a list of the types.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_RDN attribute Object Identifiers
'--------------------------------------------------------------------------
' Labeling attribute types:
Public Const szOID_COMMON_NAME As String = "2.5.4.3"
Public Const szOID_SUR_NAME As String = "2.5.4.4"
Public Const szOID_DEVICE_SERIAL_NUMBER As String = "2.5.4.5"
' Geographic attribute types:
Public Const szOID_COUNTRY_NAME As String = "2.5.4.6"
Public Const szOID_LOCALITY_NAME As String = "2.5.4.7"
Public Const szOID_STATE_OR_PROVINCE_NAME As String = "2.5.4.8"
Public Const szOID_STREET_ADDRESS As String = "2.5.4.9"
' Organizational attribute types:
Public Const szOID_ORGANIZATION_NAME As String = "2.5.4.10"
Public Const szOID_ORGANIZATIONAL_UNIT_NAME As String = "2.5.4.11"
Public Const szOID_TITLE As String = "2.5.4.12"
' Explanatory attribute types:
Public Const szOID_DESCRIPTION As String = "2.5.4.13"
Public Const szOID_SEARCH_GUIDE As String = "2.5.4.14"
Public Const szOID_BUSINESS_CATEGORY As String = "2.5.4.15"
' Postal addressing attribute types:
Public Const szOID_POSTAL_ADDRESS As String = "2.5.4.16"
Public Const szOID_POSTAL_CODE As String = "2.5.4.17"
Public Const szOID_POST_OFFICE_BOX As String = "2.5.4.18"
Public Const szOID_PHYSICAL_DELIVERY_OFFICE_NAME As String = "2.5.4.19"
' Telecommunications addressing attribute types:
Public Const szOID_TELEPHONE_NUMBER As String = "2.5.4.20"
Public Const szOID_TELEX_NUMBER As String = "2.5.4.21"
Public Const szOID_TELETEXT_TERMINAL_IDENTIFIER As String = "2.5.4.22"
Public Const szOID_FACSIMILE_TELEPHONE_NUMBER As String = "2.5.4.23"
Public Const szOID_X21_ADDRESS As String = "2.5.4.24"
Public Const szOID_INTERNATIONAL_ISDN_NUMBER As String = "2.5.4.25"
Public Const szOID_REGISTERED_ADDRESS As String = "2.5.4.26"
Public Const szOID_DESTINATION_INDICATOR As String = "2.5.4.27"
' Preference attribute types:
Public Const szOID_PREFERRED_DELIVERY_METHOD As String = "2.5.4.28"
' OSI application attribute types:
Public Const szOID_PRESENTATION_ADDRESS As String = "2.5.4.29"
Public Const szOID_SUPPORTED_APPLICATION_CONTEXT As String = "2.5.4.30"
' Relational application attribute types:
Public Const szOID_MEMBER As String = "2.5.4.31"
Public Const szOID_OWNER As String = "2.5.4.32"
Public Const szOID_ROLE_OCCUPANT As String = "2.5.4.33"
Public Const szOID_SEE_ALSO As String = "2.5.4.34"
' Security attribute types:
Public Const szOID_USER_PASSWORD As String = "2.5.4.35"
Public Const szOID_USER_CERTIFICATE As String = "2.5.4.36"
Public Const szOID_CA_CERTIFICATE As String = "2.5.4.37"
Public Const szOID_AUTHORITY_REVOCATION_LIST As String = "2.5.4.38"
Public Const szOID_CERTIFICATE_REVOCATION_LIST As String = "2.5.4.39"
Public Const szOID_CROSS_CERTIFICATE_PAIR As String = "2.5.4.40"
' Undocumented attribute types???
'#define szOID_??? "2.5.4.41"
Public Const szOID_GIVEN_NAME As String = "2.5.4.42"
Public Const szOID_INITIALS As String = "2.5.4.43"
' The DN Qualifier attribute type specifies disambiguating information to add
' to the relative distinguished name of an entry. It is intended to be used
' for entries held in multiple DSAs which would otherwise have the same name,
' and that its value be the same in a given DSA for all entries to which
' the information has been added.
Public Const szOID_DN_QUALIFIER As String = "2.5.4.46"
' Pilot user attribute types:
Public Const szOID_DOMAIN_COMPONENT As String = "0.9.2342.19200300.100.1.25"
' used for PKCS 12 attributes
Public Const szOID_PKCS_12_FRIENDLY_NAME_ATTR As String = "1.2.840.113549.1.9.20"
Public Const szOID_PKCS_12_LOCAL_KEY_ID As String = "1.2.840.113549.1.9.21"
Public Const szOID_PKCS_12_KEY_PROVIDER_NAME_ATTR As String = "1.3.6.1.4.1.311.17.1"
Public Const szOID_LOCAL_MACHINE_KEYSET As String = "1.3.6.1.4.1.311.17.2"
'+-------------------------------------------------------------------------
' Microsoft CERT_RDN attribute Object Identifiers
'--------------------------------------------------------------------------
' Special RDN containing the KEY_ID. Its value type is CERT_RDN_OCTET_STRING.
Public Const szOID_KEYID_RDN As String = "1.3.6.1.4.1.311.10.7.1"
'+-------------------------------------------------------------------------
' CERT_RDN Attribute Value Types
'
' For RDN_ENCODED_BLOB, the Value's CERT_RDN_VALUE_BLOB is in its encoded
' representation. Otherwise, its an array of bytes.
'
' For all CERT_RDN types, Value.cbData is always the number of bytes, not
' necessarily the number of elements in the string. For instance,
'
' These UNICODE characters are encoded as UTF8 8 bit characters.
'
' For CertDecodeName, two 0 bytes are always appended to the end of the
' These added 0 bytes are't included in the BLOB.cbData.
'--------------------------------------------------------------------------
Public Const CERT_RDN_ANY_TYPE As Long = 0
Public Const CERT_RDN_ENCODED_BLOB As Long = 1
Public Const CERT_RDN_OCTET_STRING As Long = 2
Public Const CERT_RDN_NUMERIC_STRING As Long = 3
Public Const CERT_RDN_PRINTABLE_STRING As Long = 4
Public Const CERT_RDN_TELETEX_STRING As Long = 5
Public Const CERT_RDN_T61_STRING As Long = 5
Public Const CERT_RDN_VIDEOTEX_STRING As Long = 6
Public Const CERT_RDN_IA5_STRING As Long = 7
Public Const CERT_RDN_GRAPHIC_STRING As Long = 8
Public Const CERT_RDN_VISIBLE_STRING As Long = 9
Public Const CERT_RDN_ISO646_STRING As Long = 9
Public Const CERT_RDN_GENERAL_STRING As Long = 10
Public Const CERT_RDN_UNIVERSAL_STRING As Long = 11
Public Const CERT_RDN_INT4_STRING As Long = 11
Public Const CERT_RDN_BMP_STRING As Long = 12
Public Const CERT_RDN_UNICODE_STRING As Long = 12
Public Const CERT_RDN_UTF8_STRING As Long = 13
Public Const CERT_RDN_TYPE_MASK As Long = &H000000FF
Public Const CERT_RDN_FLAGS_MASK As Long = &HFF000000
'+-------------------------------------------------------------------------
' Flags that can be or'ed with the above Value Type when encoding/decoding
'--------------------------------------------------------------------------
' For encoding: when set, CERT_RDN_T61_STRING is selected instead of
' CERT_RDN_UNICODE_STRING if all the unicode characters are <= 0xFF
Public Const CERT_RDN_ENABLE_T61_UNICODE_FLAG As Long = &H80000000
' For encoding: when set, CERT_RDN_UTF8_STRING is selected instead of
' CERT_RDN_UNICODE_STRING.
Public Const CERT_RDN_ENABLE_UTF8_UNICODE_FLAG As Long = &H20000000
' For encoding: when set, the characters aren't checked to see if they
' are valid for the Value Type.
Public Const CERT_RDN_DISABLE_CHECK_TYPE_FLAG As Long = &H40000000
' For decoding: by default, CERT_RDN_T61_STRING values are initially decoded
' as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
' Setting this flag skips the initial attempt to decode as UTF8.
Public Const CERT_RDN_DISABLE_IE4_UTF8_FLAG As Long = &H01000000
' Macro to check that the dwValueType is a character string and not an
' encoded blob or octet string
'+-------------------------------------------------------------------------
' A CERT_RDN consists of an array of the above attributes
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Information stored in a subject's or issuer's name. The information
' is represented as an array of the above RDNs.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Name attribute value without the Object Identifier
'
' The interpretation of the Value depends on the dwValueType.
' See above for a list of the types.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Public Key Info
'
' The PublicKey is the encoded representation of the information as it is
' stored in the bit string
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' structure that contains all the information in a PKCS#8 PrivateKeyInfo
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' structure that contains all the information in a PKCS#8
' EncryptedPrivateKeyInfo
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' this callback is given when an EncryptedProvateKeyInfo structure is
' encountered during ImportPKCS8. the caller is then expected to decrypt
' the private key and hand back the decrypted contents.
'
' the parameters are:
' Algorithm - the algorithm used to encrypt the PrivateKeyInfo
' EncryptedPrivateKey - the encrypted private key blob
' pClearTextKey - a buffer to receive the clear text
' cbClearTextKey - the number of bytes of the pClearTextKey buffer
' note the if this is zero then this should be
' filled in with the size required to decrypt the
' key into, and pClearTextKey should be ignored
' pVoidDecryptFunc - this is the pVoid that was passed into the call
' and is preserved and passed back as context
'+-------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' this callback is given when creating a PKCS8 EncryptedPrivateKeyInfo.
' The caller is then expected to encrypt the private key and hand back
' the encrypted contents.
'
' the parameters are:
' Algorithm - the algorithm used to encrypt the PrivateKeyInfo
' pClearTextPrivateKey - the cleartext private key to be encrypted
' pbEncryptedKey - the output encrypted private key blob
' cbEncryptedKey - the number of bytes of the pbEncryptedKey buffer
' note the if this is zero then this should be
' filled in with the size required to encrypt the
' key into, and pbEncryptedKey should be ignored
' pVoidEncryptFunc - this is the pVoid that was passed into the call
' and is preserved and passed back as context
'+-------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' this callback is given from the context of a ImportPKCS8 calls. the caller
' is then expected to hand back an HCRYPTPROV to receive the key being imported
'
' the parameters are:
' pPrivateKeyInfo - pointer to a CRYPT_PRIVATE_KEY_INFO structure which
' describes the key being imported
' EncryptedPrivateKey - the encrypted private key blob
' phCryptProv - a pointer to a HCRRYPTPROV to be filled in
' pVoidResolveFunc - this is the pVoidResolveFunc passed in by the caller in the
' CRYPT_PRIVATE_KEY_BLOB_AND_PARAMS struct
'+-------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' this struct contains a PKCS8 private key and two pointers to callback
' functions, with a corresponding pVoids. the first callback is used to give
' the caller the opportunity to specify where the key is imported to. the callback
' passes the caller the algoroithm OID and key size to use in making the decision.
' the other callback is used to decrypt the private key if the PKCS8 contains an
' EncryptedPrivateKeyInfo. both pVoids are preserved and passed back to the caller
' in the respective callback
'+-------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' this struct contains information identifying a private key and a pointer
' to a callback function, with a corresponding pVoid. The callback is used
' to encrypt the private key. If the pEncryptPrivateKeyFunc is NULL, the
' key will not be encrypted and an EncryptedPrivateKeyInfo will not be generated.
' The pVoid is preserved and passed back to the caller in the respective callback
'+-------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Information stored in a certificate
'
' The Issuer, Subject, Algorithm, PublicKey and Extension BLOBs are the
' encoded representation of the information.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate versions
'--------------------------------------------------------------------------
Public Const CERT_V1 As Long = 0
Public Const CERT_V2 As Long = 1
Public Const CERT_V3 As Long = 2
'+-------------------------------------------------------------------------
' Certificate Information Flags
'--------------------------------------------------------------------------
Public Const CERT_INFO_VERSION_FLAG As Long = 1
Public Const CERT_INFO_SERIAL_NUMBER_FLAG As Long = 2
Public Const CERT_INFO_SIGNATURE_ALGORITHM_FLAG As Long = 3
Public Const CERT_INFO_ISSUER_FLAG As Long = 4
Public Const CERT_INFO_NOT_BEFORE_FLAG As Long = 5
Public Const CERT_INFO_NOT_AFTER_FLAG As Long = 6
Public Const CERT_INFO_SUBJECT_FLAG As Long = 7
Public Const CERT_INFO_SUBJECT_PUBLIC_KEY_INFO_FLAG As Long = 8
Public Const CERT_INFO_ISSUER_UNIQUE_ID_FLAG As Long = 9
Public Const CERT_INFO_SUBJECT_UNIQUE_ID_FLAG As Long = 10
Public Const CERT_INFO_EXTENSION_FLAG As Long = 11
'+-------------------------------------------------------------------------
' An entry in a CRL
'
' The Extension BLOBs are the encoded representation of the information.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Information stored in a CRL
'
' The Issuer, Algorithm and Extension BLOBs are the encoded
' representation of the information.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CRL versions
'--------------------------------------------------------------------------
Public Const CRL_V1 As Long = 0
Public Const CRL_V2 As Long = 1
'+-------------------------------------------------------------------------
' Information stored in a certificate request
'
' The Subject, Algorithm, PublicKey and Attribute BLOBs are the encoded
' representation of the information.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate Request versions
'--------------------------------------------------------------------------
Public Const CERT_REQUEST_V1 As Long = 0
'+-------------------------------------------------------------------------
' Information stored in Netscape's Keygen request
'--------------------------------------------------------------------------
Public Const CERT_KEYGEN_REQUEST_V1 As Long = 0
'+-------------------------------------------------------------------------
' Certificate, CRL, Certificate Request or Keygen Request Signed Content
'
' The "to be signed" encoded content plus its signature. The ToBeSigned
' is the encoded CERT_INFO, CRL_INFO, CERT_REQUEST_INFO or
' CERT_KEYGEN_REQUEST_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CTL Usage. Also used for EnhancedKeyUsage extension.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' An entry in a CTL
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Information stored in a CTL
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CTL versions
'--------------------------------------------------------------------------
Public Const CTL_V1 As Long = 0
'+-------------------------------------------------------------------------
' TimeStamp Request
'
' The pszTimeStamp is the OID for the Time type requested
' The pszContentType is the Content Type OID for the content, usually DATA
' The Content is a un-decoded blob
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Name Value Attribute
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CSP Provider
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate and Message encoding types
'
' The encoding type is a DWORD containing both the certificate and message
' encoding types. The certificate encoding type is stored in the LOWORD.
' The message encoding type is stored in the HIWORD. Some functions or
' structure fields require only one of the encoding types. The following
' required:
'
' Its always acceptable to specify both.
'--------------------------------------------------------------------------
Public Const CERT_ENCODING_TYPE_MASK As Long = &H0000FFFF
Public Const CMSG_ENCODING_TYPE_MASK As Long = &HFFFF0000
Public Const CRYPT_ASN_ENCODING As Long = &H00000001
Public Const CRYPT_NDR_ENCODING As Long = &H00000002
Public Const X509_ASN_ENCODING As Long = &H00000001
Public Const X509_NDR_ENCODING As Long = &H00000002
Public Const PKCS_7_ASN_ENCODING As Long = &H00010000
Public Const PKCS_7_NDR_ENCODING As Long = &H00020000
'+-------------------------------------------------------------------------
' format the specified data structure according to the certificate
' encoding type.
'
' The default behavior of CryptFormatObject is to return single line
' display of the encoded data, that is, each subfield will be concatenated with
' a ", " on one line. If user prefers to display the data in multiple line,
' set the flag CRYPT_FORMAT_STR_MULTI_LINE, that is, each subfield will be displayed
' on a seperate line.
'
' If there is no formatting routine installed or registered
' for the lpszStructType, the hex dump of the encoded BLOB will be returned.
' User can set the flag CRYPT_FORMAT_STR_NO_HEX to disable the hex dump.
'--------------------------------------------------------------------------
'-------------------------------------------------------------------------
' constants for dwFormatStrType of function CryptFormatObject
'-------------------------------------------------------------------------
Public Const CRYPT_FORMAT_STR_MULTI_LINE As Long = &H0001
Public Const CRYPT_FORMAT_STR_NO_HEX As Long = &H0010
'-------------------------------------------------------------------------
' constants for dwFormatType of function CryptFormatObject
' when format X509_NAME or X509_UNICODE_NAME
'-------------------------------------------------------------------------
' Just get the simple string
Public Const CRYPT_FORMAT_SIMPLE As Long = &H0001
'Put an attribute name infront of the attribute
'such as "O=Microsoft,DN=xiaohs"
Public Const CRYPT_FORMAT_X509 As Long = &H0002
'Put an OID infront of the simple string, such as
'"2.5.4.22=Microsoft,2.5.4.3=xiaohs"
Public Const CRYPT_FORMAT_OID As Long = &H0004
'Put a ";" between each RDN. The default is ","
Public Const CRYPT_FORMAT_RDN_SEMICOLON As Long = &H0100
'Put a "\n" between each RDN.
Public Const CRYPT_FORMAT_RDN_CRLF As Long = &H0200
'Unquote the DN value, which is quoated by default va the following
'rules: if the DN contains leading or trailing
'white space or one of the following characters: ",", "+", "=",
'""", "\n", "<", ">", "#" or ";". The quoting character is ".
Public Const CRYPT_FORMAT_RDN_UNQUOTE As Long = &H0400
'reverse the order of the RDNs before converting to the string
Public Const CRYPT_FORMAT_RDN_REVERSE As Long = &H0800
'-------------------------------------------------------------------------
' contants dwFormatType of function CryptFormatObject when format a DN.:
'
' The following three values are defined in the section above:
' CRYPT_FORMAT_SIMPLE: Just a simple string
' such as "Microsoft+xiaohs+NT"
' CRYPT_FORMAT_X509 Put an attribute name infront of the attribute
' such as "O=Microsoft+xiaohs+NT"
'
' CRYPT_FORMAT_OID Put an OID infront of the simple string,
' such as "2.5.4.22=Microsoft+xiaohs+NT"
'
' Additional values are defined as following:
'----------------------------------------------------------------------------
'Put a "," between each value. Default is "+"
Public Const CRYPT_FORMAT_COMMA As Long = &H1000
'Put a ";" between each value
'Put a "\n" between each value
'+-------------------------------------------------------------------------
' Encode / decode the specified data structure according to the certificate
' encoding type.
'
' See below for a list of the predefined data structures.
'--------------------------------------------------------------------------
' By default the signature bytes are reversed. The following flag can
' be set to inhibit the byte reversal.
'
' This flag is applicable to
' X509_CERT_TO_BE_SIGNED
Public Const CRYPT_ENCODE_NO_SIGNATURE_BYTE_REVERSAL_FLAG As Long = &H8
' When the following flag is set the called encode function allocates
' memory for the encoded bytes. A pointer to the allocated bytes
' is returned in pvEncoded. If pEncodePara or pEncodePara->pfnAlloc is
' NULL, then, LocalAlloc is called for the allocation and LocalFree must
' be called to do the free. Otherwise, pEncodePara->pfnAlloc is called
' for the allocation.
'
' *pcbEncoded is ignored on input and updated with the length of the
' allocated, encoded bytes.
'
' If pfnAlloc is set, then, pfnFree should also be set.
Public Const CRYPT_ENCODE_ALLOC_FLAG As Long = &H8000
' The following flag is applicable when encoding X509_UNICODE_NAME.
' When set, CERT_RDN_T61_STRING is selected instead of
' CERT_RDN_UNICODE_STRING if all the unicode characters are <= 0xFF
' The following flag is applicable when encoding X509_UNICODE_NAME.
' When set, CERT_RDN_UTF8_STRING is selected instead of
' CERT_RDN_UNICODE_STRING.
' The following flag is applicable when encoding X509_UNICODE_NAME,
' X509_UNICODE_NAME_VALUE or X509_UNICODE_ANY_STRING.
' When set, the characters aren't checked to see if they
' are valid for the specified Value Type.
' The following flag is applicable when encoding the PKCS_SORTED_CTL. This
' flag should be set if the identifier for the TrustedSubjects is a hash,
' such as, MD5 or SHA1.
Public Const CRYPT_SORTED_CTL_ENCODE_HASHED_SUBJECT_IDENTIFIER_FLAG As Long = &H10000
' When the following flag is set the nocopy optimization is enabled.
' This optimization where appropriate, updates the pvStructInfo fields
' to point to content residing within pbEncoded instead of making a copy
' of and appending to pvStructInfo.
'
' Note, when set, pbEncoded can't be freed until pvStructInfo is freed.
Public Const CRYPT_DECODE_NOCOPY_FLAG As Long = &H1
' plus its signature. Set the following flag, if pbEncoded points to only
' the "to be signed".
'
' This flag is applicable to
' X509_CERT_TO_BE_SIGNED
' X509_CERT_CRL_TO_BE_SIGNED
' X509_CERT_REQUEST_TO_BE_SIGNED
' X509_KEYGEN_REQUEST_TO_BE_SIGNED
Public Const CRYPT_DECODE_TO_BE_SIGNED_FLAG As Long = &H2
' When the following flag is set, the OID strings are allocated in
' crypt32.dll and shared instead of being copied into the returned
' data structure. This flag may be set if crypt32.dll isn't unloaded
' before the caller is unloaded.
Public Const CRYPT_DECODE_SHARE_OID_STRING_FLAG As Long = &H4
' By default the signature bytes are reversed. The following flag can
' be set to inhibit the byte reversal.
'
' This flag is applicable to
' X509_CERT_TO_BE_SIGNED
Public Const CRYPT_DECODE_NO_SIGNATURE_BYTE_REVERSAL_FLAG As Long = &H8
' When the following flag is set the called decode function allocates
' memory for the decoded structure. A pointer to the allocated structure
' is returned in pvStructInfo. If pDecodePara or pDecodePara->pfnAlloc is
' NULL, then, LocalAlloc is called for the allocation and LocalFree must
' be called to do the free. Otherwise, pDecodePara->pfnAlloc is called
' for the allocation.
'
' *pcbStructInfo is ignored on input and updated with the length of the
' allocated, decoded structure.
'
' This flag may also be set in the CryptDecodeObject API. Since
' CryptDecodeObject doesn't take a pDecodePara, LocalAlloc is always
' called for the allocation which must be freed by calling LocalFree.
Public Const CRYPT_DECODE_ALLOC_FLAG As Long = &H8000
' The following flag is applicable when decoding X509_UNICODE_NAME,
' X509_UNICODE_NAME_VALUE or X509_UNICODE_ANY_STRING.
' By default, CERT_RDN_T61_STRING values are initially decoded
' as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
' Setting this flag skips the initial attempt to decode as UTF8.
'+-------------------------------------------------------------------------
' Predefined X509 certificate data structures that can be encoded / decoded.
'--------------------------------------------------------------------------
Public Const CRYPT_ENCODE_DECODE_NONE As Long = 0
'+-------------------------------------------------------------------------
' Predefined X509 certificate extension data structures that can be
' encoded / decoded.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Additional predefined data structures that can be encoded / decoded.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Predefined primitive data structures that can be encoded / decoded.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' More predefined X509 certificate extension data structures that can be
' encoded / decoded.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' data structures for private keys
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' certificate policy qualifier
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Diffie-Hellman Key Exchange
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X942 Diffie-Hellman
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' The following is the same as X509_BITS, except before encoding,
' the bit length is decremented to exclude trailing zero bits.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X942 Diffie-Hellman Other Info
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Predefined PKCS #7 data structures that can be encoded / decoded.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Predefined PKCS #7 data structures that can be encoded / decoded.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' can be encoded / decoded.
'
' Predefined values: 2000 .. 2999
'
' See spc.h for value and data structure definitions.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Extension Object Identifiers
'--------------------------------------------------------------------------
Public Const szOID_AUTHORITY_KEY_IDENTIFIER As String = "2.5.29.1"
Public Const szOID_KEY_ATTRIBUTES As String = "2.5.29.2"
Public Const szOID_CERT_POLICIES_95 As String = "2.5.29.3"
Public Const szOID_KEY_USAGE_RESTRICTION As String = "2.5.29.4"
Public Const szOID_SUBJECT_ALT_NAME As String = "2.5.29.7"
Public Const szOID_ISSUER_ALT_NAME As String = "2.5.29.8"
Public Const szOID_BASIC_CONSTRAINTS As String = "2.5.29.10"
Public Const szOID_KEY_USAGE As String = "2.5.29.15"
Public Const szOID_PRIVATEKEY_USAGE_PERIOD As String = "2.5.29.16"
Public Const szOID_BASIC_CONSTRAINTS2 As String = "2.5.29.19"
Public Const szOID_CERT_POLICIES As String = "2.5.29.32"
Public Const szOID_ANY_CERT_POLICY As String = "2.5.29.32.0"
Public Const szOID_AUTHORITY_KEY_IDENTIFIER2 As String = "2.5.29.35"
Public Const szOID_SUBJECT_KEY_IDENTIFIER As String = "2.5.29.14"
Public Const szOID_SUBJECT_ALT_NAME2 As String = "2.5.29.17"
Public Const szOID_ISSUER_ALT_NAME2 As String = "2.5.29.18"
Public Const szOID_CRL_REASON_CODE As String = "2.5.29.21"
Public Const szOID_CRL_DIST_POINTS As String = "2.5.29.31"
Public Const szOID_ENHANCED_KEY_USAGE As String = "2.5.29.37"
' szOID_CRL_NUMBER -- Base CRLs only. Monotonically increasing sequence
' number for each CRL issued by a CA.
Public Const szOID_CRL_NUMBER As String = "2.5.29.20"
' szOID_DELTA_CRL_INDICATOR -- Delta CRLs only. Marked critical.
' Contains the minimum base CRL Number that can be used with a delta CRL.
Public Const szOID_DELTA_CRL_INDICATOR As String = "2.5.29.27"
Public Const szOID_ISSUING_DIST_POINT As String = "2.5.29.28"
' szOID_FRESHEST_CRL -- Base CRLs only. Formatted identically to a CDP
' extension that holds URLs to fetch the delta CRL.
Public Const szOID_FRESHEST_CRL As String = "2.5.29.46"
Public Const szOID_NAME_CONSTRAINTS As String = "2.5.29.30"
' Note on 1/1/2000 szOID_POLICY_MAPPINGS was changed from "2.5.29.5"
Public Const szOID_POLICY_MAPPINGS As String = "2.5.29.33"
Public Const szOID_LEGACY_POLICY_MAPPINGS As String = "2.5.29.5"
Public Const szOID_POLICY_CONSTRAINTS As String = "2.5.29.36"
' Microsoft PKCS10 Attributes
Public Const szOID_RENEWAL_CERTIFICATE As String = "1.3.6.1.4.1.311.13.1"
Public Const szOID_ENROLLMENT_NAME_VALUE_PAIR As String = "1.3.6.1.4.1.311.13.2.1"
Public Const szOID_ENROLLMENT_CSP_PROVIDER As String = "1.3.6.1.4.1.311.13.2.2"
Public Const szOID_OS_VERSION As String = "1.3.6.1.4.1.311.13.2.3"
'
' Extension contain certificate type
Public Const szOID_ENROLLMENT_AGENT As String = "1.3.6.1.4.1.311.20.2.1"
Public Const szOID_PKIX As String = "1.3.6.1.5.5.7"
Public Const szOID_PKIX_PE As String = "1.3.6.1.5.5.7.1"
Public Const szOID_AUTHORITY_INFO_ACCESS As String = "1.3.6.1.5.5.7.1.1"
' Microsoft extensions or attributes
Public Const szOID_CERT_EXTENSIONS As String = "1.3.6.1.4.1.311.2.1.14"
Public Const szOID_NEXT_UPDATE_LOCATION As String = "1.3.6.1.4.1.311.10.2"
Public Const szOID_REMOVE_CERTIFICATE As String = "1.3.6.1.4.1.311.10.8.1"
Public Const szOID_CROSS_CERT_DIST_POINTS As String = "1.3.6.1.4.1.311.10.9.1"
' Microsoft PKCS #7 ContentType Object Identifiers
Public Const szOID_CTL As String = "1.3.6.1.4.1.311.10.1"
' Microsoft Sorted CTL Extension Object Identifier
Public Const szOID_SORTED_CTL As String = "1.3.6.1.4.1.311.10.1.1"
' serialized serial numbers for PRS
Public Const szOID_SERIALIZED As String = "1.3.6.1.4.1.311.10.3.3.1"
' UPN principal name in SubjectAltName
Public Const szOID_NT_PRINCIPAL_NAME As String = "1.3.6.1.4.1.311.20.2.3"
' Windows product update unauthenticated attribute
Public Const szOID_PRODUCT_UPDATE As String = "1.3.6.1.4.1.311.31.1"
'+-------------------------------------------------------------------------
' Object Identifiers for use with Auto Enrollment
'--------------------------------------------------------------------------
Public Const szOID_AUTO_ENROLL_CTL_USAGE As String = "1.3.6.1.4.1.311.20.1"
' Extension contain certificate type
Public Const szOID_ENROLL_CERTTYPE_EXTENSION As String = "1.3.6.1.4.1.311.20.2"
Public Const szOID_CERT_MANIFOLD As String = "1.3.6.1.4.1.311.20.3"
'+-------------------------------------------------------------------------
' Object Identifiers for use with the MS Certificate Server
'--------------------------------------------------------------------------
Public Const szOID_CERTSRV_CA_VERSION As String = "1.3.6.1.4.1.311.21.1"
' szOID_CERTSRV_PREVIOUS_CERT_HASH -- Contains the sha1 hash of the previous
' version of the CA certificate.
Public Const szOID_CERTSRV_PREVIOUS_CERT_HASH As String = "1.3.6.1.4.1.311.21.2"
' szOID_CRL_VIRTUAL_BASE -- Delta CRLs only. Contains the base CRL Number
' of the corresponding base CRL.
Public Const szOID_CRL_VIRTUAL_BASE As String = "1.3.6.1.4.1.311.21.3"
' szOID_CRL_NEXT_PUBLISH -- Contains the time when the next CRL is expected
' to be published. This may be sooner than the CRL's NextUpdate field.
Public Const szOID_CRL_NEXT_PUBLISH As String = "1.3.6.1.4.1.311.21.4"
' Enhanced Key Usage for CA encryption certificate
Public Const szOID_KP_CA_EXCHANGE As String = "1.3.6.1.4.1.311.21.5"
' Enhanced Key Usage for key recovery agent certificate
Public Const szOID_KP_KEY_RECOVERY_AGENT As String = "1.3.6.1.4.1.311.21.6"
Public Const szOID_CERTIFICATE_TEMPLATE As String = "1.3.6.1.4.1.311.21.7"
' The root oid for all enterprise specific oids
Public Const szOID_ENTERPRISE_OID_ROOT As String = "1.3.6.1.4.1.311.21.8"
' Dummy signing Subject RDN
Public Const szOID_RDN_DUMMY_SIGNER As String = "1.3.6.1.4.1.311.21.9"
' Application Policies extension -- same encoding as szOID_CERT_POLICIES
Public Const szOID_APPLICATION_CERT_POLICIES As String = "1.3.6.1.4.1.311.21.10"
' Application Policy Mappings -- same encoding as szOID_POLICY_MAPPINGS
Public Const szOID_APPLICATION_POLICY_MAPPINGS As String = "1.3.6.1.4.1.311.21.11"
' Application Policy Constraints -- same encoding as szOID_POLICY_CONSTRAINTS
Public Const szOID_APPLICATION_POLICY_CONSTRAINTS As String = "1.3.6.1.4.1.311.21.12"
Public Const szOID_ARCHIVED_KEY_ATTR As String = "1.3.6.1.4.1.311.21.13"
Public Const szOID_CRL_SELF_CDP As String = "1.3.6.1.4.1.311.21.14"
' Requires all certificates below the root to have a non-empty intersecting
' issuance certificate policy usage.
Public Const szOID_REQUIRE_CERT_CHAIN_POLICY As String = "1.3.6.1.4.1.311.21.15"
'+-------------------------------------------------------------------------
' Object Identifiers for use with the MS Directory Service
'--------------------------------------------------------------------------
Public Const szOID_NTDS_REPLICATION As String = "1.3.6.1.4.1.311.25.1"
'+-------------------------------------------------------------------------
'--------------------------------------------------------------------------
Public Const szOID_SUBJECT_DIR_ATTRS As String = "2.5.29.9"
'+-------------------------------------------------------------------------
'--------------------------------------------------------------------------
Public Const szOID_PKIX_KP As String = "1.3.6.1.5.5.7.3"
' Consistent key usage bits: DIGITAL_SIGNATURE, KEY_ENCIPHERMENT
' or KEY_AGREEMENT
Public Const szOID_PKIX_KP_SERVER_AUTH As String = "1.3.6.1.5.5.7.3.1"
' Consistent key usage bits: DIGITAL_SIGNATURE
Public Const szOID_PKIX_KP_CLIENT_AUTH As String = "1.3.6.1.5.5.7.3.2"
' Consistent key usage bits: DIGITAL_SIGNATURE
Public Const szOID_PKIX_KP_CODE_SIGNING As String = "1.3.6.1.5.5.7.3.3"
' Consistent key usage bits: DIGITAL_SIGNATURE, NON_REPUDIATION and/or
Public Const szOID_PKIX_KP_EMAIL_PROTECTION As String = "1.3.6.1.5.5.7.3.4"
' Consistent key usage bits: DIGITAL_SIGNATURE and/or
Public Const szOID_PKIX_KP_IPSEC_END_SYSTEM As String = "1.3.6.1.5.5.7.3.5"
' Consistent key usage bits: DIGITAL_SIGNATURE and/or
Public Const szOID_PKIX_KP_IPSEC_TUNNEL As String = "1.3.6.1.5.5.7.3.6"
' Consistent key usage bits: DIGITAL_SIGNATURE and/or
Public Const szOID_PKIX_KP_IPSEC_USER As String = "1.3.6.1.5.5.7.3.7"
' Consistent key usage bits: DIGITAL_SIGNATURE or NON_REPUDIATION
Public Const szOID_PKIX_KP_TIMESTAMP_SIGNING As String = "1.3.6.1.5.5.7.3.8"
'+-------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Signer of CTLs
Public Const szOID_KP_CTL_USAGE_SIGNING As String = "1.3.6.1.4.1.311.10.3.1"
' Signer of TimeStamps
Public Const szOID_KP_TIME_STAMP_SIGNING As String = "1.3.6.1.4.1.311.10.3.2"
Public Const szOID_SERVER_GATED_CRYPTO As String = "1.3.6.1.4.1.311.10.3.3"
Public Const szOID_SGC_NETSCAPE As String = "2.16.840.1.113730.4.1"
Public Const szOID_KP_EFS As String = "1.3.6.1.4.1.311.10.3.4"
Public Const szOID_WHQL_CRYPTO As String = "1.3.6.1.4.1.311.10.3.5"
' Signed by the NT5 build lab
Public Const szOID_NT5_CRYPTO As String = "1.3.6.1.4.1.311.10.3.6"
' Signed by and OEM of WHQL
Public Const szOID_OEM_WHQL_CRYPTO As String = "1.3.6.1.4.1.311.10.3.7"
' Signed by the Embedded NT
Public Const szOID_EMBEDDED_NT_CRYPTO As String = "1.3.6.1.4.1.311.10.3.8"
' Signer of a CTL containing trusted roots
Public Const szOID_ROOT_LIST_SIGNER As String = "1.3.6.1.4.1.311.10.3.9"
' Can sign cross-cert and subordinate CA requests with qualified
Public Const szOID_KP_QUALIFIED_SUBORDINATION As String = "1.3.6.1.4.1.311.10.3.10"
' Can be used to encrypt/recover escrowed keys
Public Const szOID_KP_KEY_RECOVERY As String = "1.3.6.1.4.1.311.10.3.11"
Public Const szOID_DRM As String = "1.3.6.1.4.1.311.10.5.1"
Public Const szOID_LICENSES As String = "1.3.6.1.4.1.311.10.6.1"
Public Const szOID_LICENSE_SERVER As String = "1.3.6.1.4.1.311.10.6.2"
Public Const szOID_KP_SMARTCARD_LOGON As String = "1.3.6.1.4.1.311.20.2.2"
'+-------------------------------------------------------------------------
' Microsoft Attribute Object Identifiers
'+-------------------------------------------------------------------------
Public Const szOID_YESNO_TRUST_ATTR As String = "1.3.6.1.4.1.311.10.4.1"
'+-------------------------------------------------------------------------
' Qualifiers that may be part of the szOID_CERT_POLICIES and
' szOID_CERT_POLICIES95 extensions
'+-------------------------------------------------------------------------
Public Const szOID_PKIX_POLICY_QUALIFIER_CPS As String = "1.3.6.1.5.5.7.2.1"
Public Const szOID_PKIX_POLICY_QUALIFIER_USERNOTICE As String = "1.3.6.1.5.5.7.2.2"
' OID for old qualifer
Public Const szOID_CERT_POLICIES_95_QUALIFIER1 As String = "2.16.840.1.113733.1.7.1.1"
'+-------------------------------------------------------------------------
' X509_CERT
'
' The "to be signed" encoded content plus its signature. The ToBeSigned
' X509_CERT_TO_BE_SIGNED, X509_CERT_CRL_TO_BE_SIGNED or
' X509_CERT_REQUEST_TO_BE_SIGNED.
'
' pvStructInfo points to CERT_SIGNED_CONTENT_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_CERT_TO_BE_SIGNED
'
' pvStructInfo points to CERT_INFO.
'
'
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_CERT_CRL_TO_BE_SIGNED
'
' pvStructInfo points to CRL_INFO.
'
'
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_CERT_REQUEST_TO_BE_SIGNED
'
' pvStructInfo points to CERT_REQUEST_INFO.
'
'
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_EXTENSIONS
' szOID_CERT_EXTENSIONS
'
' pvStructInfo points to following CERT_EXTENSIONS.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_NAME_VALUE
' X509_ANY_STRING
'
' pvStructInfo points to CERT_NAME_VALUE.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_UNICODE_NAME_VALUE
' X509_UNICODE_ANY_STRING
'
' pvStructInfo points to CERT_NAME_VALUE.
'
' The name values are unicode strings.
'
' For CryptEncodeObject:
' Value.pbData points to the unicode string.
' If Value.cbData = 0, then, the unicode string is NULL terminated.
' Otherwise, Value.cbData is the unicode string byte count. The byte count
' is twice the character count.
'
' If the unicode string contains an invalid character for the specified
' dwValueType, then, *pcbEncoded is updated with the unicode character
' index of the first invalid character. LastError is set to:
' CRYPT_E_INVALID_NUMERIC_STRING, CRYPT_E_INVALID_PRINTABLE_STRING or
' CRYPT_E_INVALID_IA5_STRING.
'
' To disable the above check, either set CERT_RDN_DISABLE_CHECK_TYPE_FLAG
' in dwValueType or set CRYPT_UNICODE_NAME_ENCODE_DISABLE_CHECK_TYPE_FLAG
' in dwFlags passed to CryptEncodeObjectEx.
'
' The unicode string is converted before being encoded according to
' the specified dwValueType. If dwValueType is set to 0, LastError
' is set to E_INVALIDARG.
'
' CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING), then, CryptEncodeObject
' will return FALSE with LastError set to CRYPT_E_NOT_CHAR_STRING.
'
' For CryptDecodeObject:
' Value.pbData points to a NULL terminated unicode string. Value.cbData
' contains the byte count of the unicode string excluding the NULL
' terminator. dwValueType contains the type used in the encoded object.
' Its not forced to CERT_RDN_UNICODE_STRING. The encoded value is
' converted to the unicode string according to the dwValueType.
'
' If the encoded object isn't one of the character string types, then,
' CryptDecodeObject will return FALSE with LastError set to
' CRYPT_E_NOT_CHAR_STRING. For a non character string, decode using
' X509_NAME_VALUE or X509_ANY_STRING.
'
' By default, CERT_RDN_T61_STRING values are initially decoded
' as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
' Set CRYPT_UNICODE_NAME_DECODE_DISABLE_IE4_UTF8_FLAG in dwFlags
' passed to either CryptDecodeObject or CryptDecodeObjectEx to
' skip the initial attempt to decode as UTF8.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_NAME
'
' pvStructInfo points to CERT_NAME_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_UNICODE_NAME
'
' pvStructInfo points to CERT_NAME_INFO.
'
' The RDN attribute values are unicode strings except for the dwValueTypes of
' CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING. These dwValueTypes are
' the same as for a X509_NAME. Their values aren't converted to/from unicode.
'
' For CryptEncodeObject:
' Value.pbData points to the unicode string.
' If Value.cbData = 0, then, the unicode string is NULL terminated.
' Otherwise, Value.cbData is the unicode string byte count. The byte count
' is twice the character count.
'
' an acceptable dwValueType. If the unicode string contains an
' invalid character for the found or specified dwValueType, then,
' *pcbEncoded is updated with the error location of the invalid character.
' See below for details. LastError is set to:
' CRYPT_E_INVALID_NUMERIC_STRING, CRYPT_E_INVALID_PRINTABLE_STRING or
' CRYPT_E_INVALID_IA5_STRING.
'
' To disable the above check, either set CERT_RDN_DISABLE_CHECK_TYPE_FLAG
' in dwValueType or set CRYPT_UNICODE_NAME_ENCODE_DISABLE_CHECK_TYPE_FLAG
' in dwFlags passed to CryptEncodeObjectEx.
'
' Set CERT_RDN_UNICODE_STRING in dwValueType or set
' CRYPT_UNICODE_NAME_ENCODE_ENABLE_T61_UNICODE_FLAG in dwFlags passed
' to CryptEncodeObjectEx to select CERT_RDN_T61_STRING instead of
' CERT_RDN_UNICODE_STRING if all the unicode characters are <= 0xFF.
'
' Set CERT_RDN_ENABLE_UTF8_UNICODE_STRING in dwValueType or set
' CRYPT_UNICODE_NAME_ENCODE_ENABLE_UTF8_UNICODE_FLAG in dwFlags passed
' to CryptEncodeObjectEx to select CERT_RDN_UTF8_STRING instead of
' CERT_RDN_UNICODE_STRING.
'
' The unicode string is converted before being encoded according to
' the specified or ObjId matching dwValueType.
'
' For CryptDecodeObject:
' Value.pbData points to a NULL terminated unicode string. Value.cbData
' contains the byte count of the unicode string excluding the NULL
' terminator. dwValueType contains the type used in the encoded object.
' Its not forced to CERT_RDN_UNICODE_STRING. The encoded value is
' converted to the unicode string according to the dwValueType.
'
' If the dwValueType of the encoded value isn't a character string
' type, then, it isn't converted to UNICODE. Use the
' that Value.pbData points to a converted unicode string.
'
' By default, CERT_RDN_T61_STRING values are initially decoded
' as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
' Set CRYPT_UNICODE_NAME_DECODE_DISABLE_IE4_UTF8_FLAG in dwFlags
' passed to either CryptDecodeObject or CryptDecodeObjectEx to
' skip the initial attempt to decode as UTF8.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Unicode Name Value Error Location Definitions
'
' Error location is returned in *pcbEncoded by
'
' Error location consists of:
' RDN_INDEX - 10 bits << 22
' ATTR_INDEX - 6 bits << 16
'--------------------------------------------------------------------------
Public Const CERT_UNICODE_RDN_ERR_INDEX_MASK As Long = &H3FF
Public Const CERT_UNICODE_RDN_ERR_INDEX_SHIFT As Long = 22
Public Const CERT_UNICODE_ATTR_ERR_INDEX_MASK As Long = &H003F
Public Const CERT_UNICODE_ATTR_ERR_INDEX_SHIFT As Long = 16
Public Const CERT_UNICODE_VALUE_ERR_INDEX_MASK As Long = &H0000FFFF
Public Const CERT_UNICODE_VALUE_ERR_INDEX_SHIFT As Long = 0
'+-------------------------------------------------------------------------
' X509_PUBLIC_KEY_INFO
'
' pvStructInfo points to CERT_PUBLIC_KEY_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_AUTHORITY_KEY_ID
' szOID_AUTHORITY_KEY_IDENTIFIER
'
' pvStructInfo points to following CERT_AUTHORITY_KEY_ID_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_KEY_ATTRIBUTES
' szOID_KEY_ATTRIBUTES
'
' pvStructInfo points to following CERT_KEY_ATTRIBUTES_INFO.
'--------------------------------------------------------------------------
' Byte[0]
Public Const CERT_DIGITAL_SIGNATURE_KEY_USAGE As Long = &H80
Public Const CERT_NON_REPUDIATION_KEY_USAGE As Long = &H40
Public Const CERT_KEY_ENCIPHERMENT_KEY_USAGE As Long = &H20
Public Const CERT_DATA_ENCIPHERMENT_KEY_USAGE As Long = &H10
Public Const CERT_KEY_AGREEMENT_KEY_USAGE As Long = &H08
Public Const CERT_KEY_CERT_SIGN_KEY_USAGE As Long = &H04
Public Const CERT_OFFLINE_CRL_SIGN_KEY_USAGE As Long = &H02
Public Const CERT_CRL_SIGN_KEY_USAGE As Long = &H02
Public Const CERT_ENCIPHER_ONLY_KEY_USAGE As Long = &H01
' Byte[1]
Public Const CERT_DECIPHER_ONLY_KEY_USAGE As Long = &H80
'+-------------------------------------------------------------------------
' X509_KEY_USAGE_RESTRICTION
' szOID_KEY_USAGE_RESTRICTION
'
' pvStructInfo points to following CERT_KEY_USAGE_RESTRICTION_INFO.
'--------------------------------------------------------------------------
' See CERT_KEY_ATTRIBUTES_INFO for definition of the RestrictedKeyUsage bits
'+-------------------------------------------------------------------------
' X509_ALTERNATE_NAME
' szOID_SUBJECT_ALT_NAME
' szOID_ISSUER_ALT_NAME
' szOID_SUBJECT_ALT_NAME2
' szOID_ISSUER_ALT_NAME2
'
' pvStructInfo points to following CERT_ALT_NAME_INFO.
'--------------------------------------------------------------------------
Public Const CERT_ALT_NAME_OTHER_NAME As Long = 1
Public Const CERT_ALT_NAME_RFC822_NAME As Long = 2
Public Const CERT_ALT_NAME_DNS_NAME As Long = 3
Public Const CERT_ALT_NAME_X400_ADDRESS As Long = 4
Public Const CERT_ALT_NAME_DIRECTORY_NAME As Long = 5
Public Const CERT_ALT_NAME_EDI_PARTY_NAME As Long = 6
Public Const CERT_ALT_NAME_URL As Long = 7
Public Const CERT_ALT_NAME_IP_ADDRESS As Long = 8
Public Const CERT_ALT_NAME_REGISTERED_ID As Long = 9
'+-------------------------------------------------------------------------
' Alternate name IA5 Error Location Definitions for
' CRYPT_E_INVALID_IA5_STRING.
'
' Error location is returned in *pcbEncoded by
'
' Error location consists of:
' ENTRY_INDEX - 8 bits << 16
'--------------------------------------------------------------------------
Public Const CERT_ALT_NAME_ENTRY_ERR_INDEX_MASK As Long = &HFF
Public Const CERT_ALT_NAME_ENTRY_ERR_INDEX_SHIFT As Long = 16
Public Const CERT_ALT_NAME_VALUE_ERR_INDEX_MASK As Long = &H0000FFFF
Public Const CERT_ALT_NAME_VALUE_ERR_INDEX_SHIFT As Long = 0
'+-------------------------------------------------------------------------
' X509_BASIC_CONSTRAINTS
' szOID_BASIC_CONSTRAINTS
'
' pvStructInfo points to following CERT_BASIC_CONSTRAINTS_INFO.
'--------------------------------------------------------------------------
Public Const CERT_CA_SUBJECT_FLAG As Long = &H80
Public Const CERT_END_ENTITY_SUBJECT_FLAG As Long = &H40
'+-------------------------------------------------------------------------
' X509_BASIC_CONSTRAINTS2
' szOID_BASIC_CONSTRAINTS2
'
' pvStructInfo points to following CERT_BASIC_CONSTRAINTS2_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_KEY_USAGE
' szOID_KEY_USAGE
'
' pvStructInfo points to a CRYPT_BIT_BLOB. Has same bit definitions as
' CERT_KEY_ATTRIBUTES_INFO's IntendedKeyUsage.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_CERT_POLICIES
' szOID_CERT_POLICIES
' szOID_CERT_POLICIES_95 NOTE--Only allowed for decoding!!!
'
' pvStructInfo points to following CERT_POLICIES_INFO.
'
' NOTE: when decoding using szOID_CERT_POLICIES_95 the pszPolicyIdentifier
' may contain an empty string
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_PKIX_POLICY_QUALIFIER_USERNOTICE
' szOID_PKIX_POLICY_QUALIFIER_USERNOTICE
'
' pvStructInfo points to following CERT_POLICY_QUALIFIER_USER_NOTICE.
'
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_CERT_POLICIES_95_QUALIFIER1 - Decode Only!!!!
'
' pvStructInfo points to following CERT_POLICY95_QUALIFIER1.
'
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_POLICY_MAPPINGS
' szOID_POLICY_MAPPINGS
' szOID_LEGACY_POLICY_MAPPINGS
'
' pvStructInfo points to following CERT_POLICY_MAPPINGS_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_POLICY_CONSTRAINTS
' szOID_POLICY_CONSTRAINTS
'
' pvStructInfo points to following CERT_POLICY_CONSTRAINTS_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' RSA_CSP_PUBLICKEYBLOB
'
' pvStructInfo points to a PUBLICKEYSTRUC immediately followed by a
' RSAPUBKEY and the modulus bytes.
'
' CryptExportKey outputs the above StructInfo for a dwBlobType of
' PUBLICKEYBLOB. CryptImportKey expects the above StructInfo when
' importing a public key.
'
' For dwCertEncodingType = X509_ASN_ENCODING, the RSA_CSP_PUBLICKEYBLOB is
' encoded as a PKCS #1 RSAPublicKey consisting of a SEQUENCE of a
' modulus INTEGER and a publicExponent INTEGER. The modulus is encoded
' as being a unsigned integer. When decoded, if the modulus was encoded
' as unsigned integer with a leading 0 byte, the 0 byte is removed before
' converting to the CSP modulus bytes.
'
' For decode, the aiKeyAlg field of PUBLICKEYSTRUC is always set to
' CALG_RSA_KEYX.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_KEYGEN_REQUEST_TO_BE_SIGNED
'
' pvStructInfo points to CERT_KEYGEN_REQUEST_INFO.
'
'
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' PKCS_ATTRIBUTE data structure
'
' pvStructInfo points to a CRYPT_ATTRIBUTE.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' PKCS_ATTRIBUTES data structure
'
' pvStructInfo points to a CRYPT_ATTRIBUTES.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' PKCS_CONTENT_INFO_SEQUENCE_OF_ANY data structure
'
' pvStructInfo points to following CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY.
'
' For X509_ASN_ENCODING: encoded as a PKCS#7 ContentInfo structure wrapping
' a sequence of ANY. The value of the contentType field is pszObjId,
' while the content field is the following structure:
' SequenceOfAny ::= SEQUENCE OF ANY
'
' The CRYPT_DER_BLOBs point to the already encoded ANY content.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' PKCS_CONTENT_INFO data structure
'
' pvStructInfo points to following CRYPT_CONTENT_INFO.
'
' For X509_ASN_ENCODING: encoded as a PKCS#7 ContentInfo structure.
' The CRYPT_DER_BLOB points to the already encoded ANY content.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_OCTET_STRING data structure
'
' pvStructInfo points to a CRYPT_DATA_BLOB.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_BITS data structure
'
' pvStructInfo points to a CRYPT_BIT_BLOB.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_BITS_WITHOUT_TRAILING_ZEROES data structure
'
' pvStructInfo points to a CRYPT_BIT_BLOB.
'
' The same as X509_BITS, except before encoding, the bit length is
' decremented to exclude trailing zero bits.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_INTEGER data structure
'
' pvStructInfo points to an int.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_MULTI_BYTE_INTEGER data structure
'
' pvStructInfo points to a CRYPT_INTEGER_BLOB.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_ENUMERATED data structure
'
' pvStructInfo points to an int containing the enumerated value
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_CHOICE_OF_TIME data structure
'
' pvStructInfo points to a FILETIME.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_SEQUENCE_OF_ANY data structure
'
' pvStructInfo points to following CRYPT_SEQUENCE_OF_ANY.
'
' The CRYPT_DER_BLOBs point to the already encoded ANY content.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_AUTHORITY_KEY_ID2
' szOID_AUTHORITY_KEY_IDENTIFIER2
'
' pvStructInfo points to following CERT_AUTHORITY_KEY_ID2_INFO.
'
' For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
'
' See X509_ALTERNATE_NAME for error location defines.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_SUBJECT_KEY_IDENTIFIER
'
' pvStructInfo points to a CRYPT_DATA_BLOB.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_AUTHORITY_INFO_ACCESS
' szOID_AUTHORITY_INFO_ACCESS
'
' pvStructInfo points to following CERT_AUTHORITY_INFO_ACCESS.
'
' For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
'
' Error location consists of:
' ENTRY_INDEX - 8 bits << 16
'
' See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
' defines.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' PKIX Access Description: Access Method Object Identifiers
'--------------------------------------------------------------------------
Public Const szOID_PKIX_ACC_DESCR As String = "1.3.6.1.5.5.7.48"
Public Const szOID_PKIX_OCSP As String = "1.3.6.1.5.5.7.48.1"
Public Const szOID_PKIX_CA_ISSUERS As String = "1.3.6.1.5.5.7.48.2"
'+-------------------------------------------------------------------------
' X509_CRL_REASON_CODE
' szOID_CRL_REASON_CODE
'
' pvStructInfo points to an int which can be set to one of the following
' enumerated values:
'--------------------------------------------------------------------------
Public Const CRL_REASON_UNSPECIFIED As Long = 0
Public Const CRL_REASON_KEY_COMPROMISE As Long = 1
Public Const CRL_REASON_CA_COMPROMISE As Long = 2
Public Const CRL_REASON_AFFILIATION_CHANGED As Long = 3
Public Const CRL_REASON_SUPERSEDED As Long = 4
Public Const CRL_REASON_CESSATION_OF_OPERATION As Long = 5
Public Const CRL_REASON_CERTIFICATE_HOLD As Long = 6
Public Const CRL_REASON_REMOVE_FROM_CRL As Long = 8
'+-------------------------------------------------------------------------
' X509_CRL_DIST_POINTS
' szOID_CRL_DIST_POINTS
'
' pvStructInfo points to following CRL_DIST_POINTS_INFO.
'
' For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
'
' Error location consists of:
' POINT_INDEX - 7 bits << 24
' ENTRY_INDEX - 8 bits << 16
'
' See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
' defines.
'--------------------------------------------------------------------------
Public Const CRL_DIST_POINT_NO_NAME As Long = 0
Public Const CRL_DIST_POINT_FULL_NAME As Long = 1
Public Const CRL_DIST_POINT_ISSUER_RDN_NAME As Long = 2
Public Const CRL_REASON_UNUSED_FLAG As Long = &H80
Public Const CRL_REASON_KEY_COMPROMISE_FLAG As Long = &H40
Public Const CRL_REASON_CA_COMPROMISE_FLAG As Long = &H20
Public Const CRL_REASON_AFFILIATION_CHANGED_FLAG As Long = &H10
Public Const CRL_REASON_SUPERSEDED_FLAG As Long = &H08
Public Const CRL_REASON_CESSATION_OF_OPERATION_FLAG As Long = &H04
Public Const CRL_REASON_CERTIFICATE_HOLD_FLAG As Long = &H02
Public Const CRL_DIST_POINT_ERR_INDEX_MASK As Long = &H7F
Public Const CRL_DIST_POINT_ERR_INDEX_SHIFT As Long = 24
'+-------------------------------------------------------------------------
' X509_CROSS_CERT_DIST_POINTS
' szOID_CROSS_CERT_DIST_POINTS
'
' pvStructInfo points to following CROSS_CERT_DIST_POINTS_INFO.
'
' For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
'
' Error location consists of:
' POINT_INDEX - 8 bits << 24
' ENTRY_INDEX - 8 bits << 16
'
' See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
' defines.
'--------------------------------------------------------------------------
Public Const CROSS_CERT_DIST_POINT_ERR_INDEX_MASK As Long = &HFF
Public Const CROSS_CERT_DIST_POINT_ERR_INDEX_SHIFT As Long = 24
'+-------------------------------------------------------------------------
' X509_ENHANCED_KEY_USAGE
' szOID_ENHANCED_KEY_USAGE
'
' pvStructInfo points to a CERT_ENHKEY_USAGE, CTL_USAGE.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_CERT_PAIR
'
' pvStructInfo points to the following CERT_PAIR.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_CRL_NUMBER
'
' pvStructInfo points to an int.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_DELTA_CRL_INDICATOR
'
' pvStructInfo points to an int.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_ISSUING_DIST_POINT
' X509_ISSUING_DIST_POINT
'
' pvStructInfo points to the following CRL_ISSUING_DIST_POINT.
'
' For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
'
' Error location consists of:
' ENTRY_INDEX - 8 bits << 16
'
' See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
' defines.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_FRESHEST_CRL
'
' pvStructInfo points to CRL_DIST_POINTS_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_NAME_CONSTRAINTS
' X509_NAME_CONSTRAINTS
'
' pvStructInfo points to the following CERT_NAME_CONSTRAINTS_INFO
'
' For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
'
' Error location consists of:
' ENTRY_INDEX - 8 bits << 16
'
' See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
' defines.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_NEXT_UPDATE_LOCATION
'
' pvStructInfo points to a CERT_ALT_NAME_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_REMOVE_CERTIFICATE
'
' pvStructInfo points to an int which can be set to one of the following
' 0 - Add certificate
' 1 - Remove certificate
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' PKCS_CTL
' szOID_CTL
'
' pvStructInfo points to a CTL_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' PKCS_SORTED_CTL
'
' pvStructInfo points to a CTL_INFO.
'
' Same as for PKCS_CTL, except, the CTL entries are sorted. The following
' extension containing the sort information is inserted as the first
' extension in the encoded CTL.
'
' Only supported for Encoding. CRYPT_ENCODE_ALLOC_FLAG flag must be
' set.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Sorted CTL TrustedSubjects extension
'
' Array of little endian DWORDs:
' [0] - Flags
' [1] - Count of HashBucket entry offsets
' [2] - Maximum HashBucket entry collision count
'
' When this extension is present in the CTL,
' the ASN.1 encoded sequence of TrustedSubjects are HashBucket ordered.
'
' The entry offsets point to the start of the first encoded TrustedSubject
' sequence for the HashBucket. The encoded TrustedSubjects for a HashBucket
' continue until the encoded offset of the next HashBucket. A HashBucket has
' no entries if HashBucket[N] == HashBucket[N + 1].
'
' The HashBucket offsets are from the start of the ASN.1 encoded CTL_INFO.
'--------------------------------------------------------------------------
' If the SubjectIdentifiers are a MD5 or SHA1 hash, the following flag is
' set. When set, the first 4 bytes of the SubjectIdentifier are used as
' the dwhash. Otherwise, the SubjectIdentifier bytes are hashed into dwHash.
' In either case the HashBucket index = dwHash % cHashBucket.
Public Const SORTED_CTL_EXT_HASHED_SUBJECT_IDENTIFIER_FLAG As Long = &H1
'+-------------------------------------------------------------------------
' X509_MULTI_BYTE_UINT
'
' pvStructInfo points to a CRYPT_UINT_BLOB. Before encoding, inserts a
' leading 0x00. After decoding, removes a leading 0x00.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_DSS_PUBLICKEY
'
' pvStructInfo points to a CRYPT_UINT_BLOB.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_DSS_PARAMETERS
'
' pvStructInfo points to following CERT_DSS_PARAMETERS data structure.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_DSS_SIGNATURE
'
' pvStructInfo is a BYTE rgbSignature[CERT_DSS_SIGNATURE_LEN]. The
'--------------------------------------------------------------------------
Public Const CERT_DSS_R_LEN As Long = 20
Public Const CERT_DSS_S_LEN As Long = 20
' 0x00 to make the integer unsigned)
'+-------------------------------------------------------------------------
' X509_DH_PUBLICKEY
'
' pvStructInfo points to a CRYPT_UINT_BLOB.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X509_DH_PARAMETERS
'
' pvStructInfo points to following CERT_DH_PARAMETERS data structure.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X942_DH_PARAMETERS
'
' pvStructInfo points to following CERT_X942_DH_PARAMETERS data structure.
'
' If q.cbData == 0, then, the following fields are zero'ed.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' X942_OTHER_INFO
'
' pvStructInfo points to following CRYPT_X942_OTHER_INFO data structure.
'
' rgbCounter and rgbKeyLength are in Little Endian order.
'--------------------------------------------------------------------------
Public Const CRYPT_X942_COUNTER_BYTE_LENGTH As Long = 4
Public Const CRYPT_X942_KEY_LENGTH_BYTE_LENGTH As Long = 4
'+-------------------------------------------------------------------------
' PKCS_RC2_CBC_PARAMETERS
' szOID_RSA_RC2CBC
'
' pvStructInfo points to following CRYPT_RC2_CBC_PARAMETERS data structure.
'--------------------------------------------------------------------------
Public Const CRYPT_RC2_40BIT_VERSION As Long = 160
Public Const CRYPT_RC2_56BIT_VERSION As Long = 52
Public Const CRYPT_RC2_64BIT_VERSION As Long = 120
Public Const CRYPT_RC2_128BIT_VERSION As Long = 58
'+-------------------------------------------------------------------------
' PKCS_SMIME_CAPABILITIES
' szOID_RSA_SMIMECapabilities
'
' pvStructInfo points to following CRYPT_SMIME_CAPABILITIES data structure.
'
' causes the encoded parameters to be omitted and not encoded as a NULL
' is per the SMIME specification for encoding capabilities.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' PKCS7_SIGNER_INFO
'
' pvStructInfo points to CMSG_SIGNER_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMS_SIGNER_INFO
'
' pvStructInfo points to CMSG_CMS_SIGNER_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Netscape Certificate Extension Object Identifiers
'--------------------------------------------------------------------------
Public Const szOID_NETSCAPE As String = "2.16.840.1.113730"
Public Const szOID_NETSCAPE_CERT_EXTENSION As String = "2.16.840.1.113730.1"
Public Const szOID_NETSCAPE_CERT_TYPE As String = "2.16.840.1.113730.1.1"
Public Const szOID_NETSCAPE_BASE_URL As String = "2.16.840.1.113730.1.2"
Public Const szOID_NETSCAPE_REVOCATION_URL As String = "2.16.840.1.113730.1.3"
Public Const szOID_NETSCAPE_CA_REVOCATION_URL As String = "2.16.840.1.113730.1.4"
Public Const szOID_NETSCAPE_CERT_RENEWAL_URL As String = "2.16.840.1.113730.1.7"
Public Const szOID_NETSCAPE_CA_POLICY_URL As String = "2.16.840.1.113730.1.8"
Public Const szOID_NETSCAPE_SSL_SERVER_NAME As String = "2.16.840.1.113730.1.12"
Public Const szOID_NETSCAPE_COMMENT As String = "2.16.840.1.113730.1.13"
'+-------------------------------------------------------------------------
' Netscape Certificate Data Type Object Identifiers
'--------------------------------------------------------------------------
Public Const szOID_NETSCAPE_DATA_TYPE As String = "2.16.840.1.113730.2"
Public Const szOID_NETSCAPE_CERT_SEQUENCE As String = "2.16.840.1.113730.2.5"
'+-------------------------------------------------------------------------
' szOID_NETSCAPE_CERT_TYPE extension
'
' Its value is a bit string. CryptDecodeObject/CryptEncodeObject using
' X509_BITS or X509_BITS_WITHOUT_TRAILING_ZEROES.
'
' The following bits are defined:
'--------------------------------------------------------------------------
Public Const NETSCAPE_SSL_CLIENT_AUTH_CERT_TYPE As Long = &H80
Public Const NETSCAPE_SSL_SERVER_AUTH_CERT_TYPE As Long = &H40
Public Const NETSCAPE_SMIME_CERT_TYPE As Long = &H20
Public Const NETSCAPE_SIGN_CERT_TYPE As Long = &H10
Public Const NETSCAPE_SSL_CA_CERT_TYPE As Long = &H04
Public Const NETSCAPE_SMIME_CA_CERT_TYPE As Long = &H02
Public Const NETSCAPE_SIGN_CA_CERT_TYPE As Long = &H01
'+-------------------------------------------------------------------------
' szOID_NETSCAPE_BASE_URL extension
'
' Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
' X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
' dwValueType = CERT_RDN_IA5_STRING.
'
' When present this string is added to the beginning of all relative URLs
' in the certificate. This extension can be considered an optimization
' to reduce the size of the URL extensions.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_NETSCAPE_REVOCATION_URL extension
'
' Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
' X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
' dwValueType = CERT_RDN_IA5_STRING.
'
' It is a relative or absolute URL that can be used to check the
' revocation status of a certificate. The revocation check will be
' performed as an HTTP GET method using a url that is the concatenation of
' revocation-url and certificate-serial-number.
' Where the certificate-serial-number is encoded as a string of
' ascii hexadecimal digits. For example, if the netscape-base-url is
' https:
' cgi-bin/check-rev.cgi?, and the certificate serial number is 173420,
' the resulting URL would be:
' https:
'
' The server should return a document with a Content-Type of
' application/x-netscape-revocation. The document should contain
' a single ascii digit, '1' if the certificate is not curently valid,
' and '0' if it is curently valid.
'
' Note: for all of the URLs that include the certificate serial number,
' the serial number will be encoded as a string which consists of an even
' number of hexadecimal digits. If the number of significant digits is odd,
' the string will have a single leading zero to ensure an even number of
' digits is generated.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_NETSCAPE_CA_REVOCATION_URL extension
'
' Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
' X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
' dwValueType = CERT_RDN_IA5_STRING.
'
' It is a relative or absolute URL that can be used to check the
' revocation status of any certificates that are signed by the CA that
' this certificate belongs to. This extension is only valid in CA
' certificates. The use of this extension is the same as the above
' szOID_NETSCAPE_REVOCATION_URL extension.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_NETSCAPE_CERT_RENEWAL_URL extension
'
' Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
' X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
' dwValueType = CERT_RDN_IA5_STRING.
'
' It is a relative or absolute URL that points to a certificate renewal
' form. The renewal form will be accessed with an HTTP GET method using a
' url that is the concatenation of renewal-url and
' certificate-serial-number. Where the certificate-serial-number is
' encoded as a string of ascii hexadecimal digits. For example, if the
' netscape-base-url is https:
' netscape-cert-renewal-url is cgi-bin/check-renew.cgi?, and the
' certificate serial number is 173420, the resulting URL would be:
' https:
' The document returned should be an HTML form that will allow the user
' to request a renewal of their certificate.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_NETSCAPE_CA_POLICY_URL extension
'
' Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
' X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
' dwValueType = CERT_RDN_IA5_STRING.
'
' It is a relative or absolute URL that points to a web page that
' describes the policies under which the certificate was issued.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_NETSCAPE_SSL_SERVER_NAME extension
'
' Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
' X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
' dwValueType = CERT_RDN_IA5_STRING.
'
' It is a "shell expression" that can be used to match the hostname of the
' SSL server that is using this certificate. It is recommended that if
' the server's hostname does not match this pattern the user be notified
' and given the option to terminate the SSL connection. If this extension
' is not present then the CommonName in the certificate subject's
' distinguished name is used for the same purpose.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_NETSCAPE_COMMENT extension
'
' Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
' X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
' dwValueType = CERT_RDN_IA5_STRING.
'
' It is a comment that may be displayed to the user when the certificate
' is viewed.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' szOID_NETSCAPE_CERT_SEQUENCE
'
' Its value is a PKCS#7 ContentInfo structure wrapping a sequence of
' certificates. The value of the contentType field is
' szOID_NETSCAPE_CERT_SEQUENCE, while the content field is the following
' structure:
' CertificateSequence ::= SEQUENCE OF Certificate.
'
' CryptDecodeObject/CryptEncodeObject using
' PKCS_CONTENT_INFO_SEQUENCE_OF_ANY, where,
' pszObjId = szOID_NETSCAPE_CERT_SEQUENCE and the CRYPT_DER_BLOBs point
' to encoded X509 certificates.
'--------------------------------------------------------------------------
'+=========================================================================
'==========================================================================
Public Const szOID_CT_PKI_DATA As String = "1.3.6.1.5.5.7.5.2"
Public Const szOID_CT_PKI_RESPONSE As String = "1.3.6.1.5.5.7.5.3"
Public Const szOID_CMC As String = "1.3.6.1.5.5.7.7"
Public Const szOID_CMC_STATUS_INFO As String = "1.3.6.1.5.5.7.7.1"
Public Const szOID_CMC_ADD_EXTENSIONS As String = "1.3.6.1.5.5.7.7.8"
Public Const szOID_CMC_ADD_ATTRIBUTES As String = "1.3.6.1.4.1.311.10.10.1"
'+-------------------------------------------------------------------------
' CMC_DATA
' CMC_RESPONSE
'
' messages.
'
' For CMC_DATA, pvStructInfo points to a CMC_DATA_INFO.
' CMC_DATA_INFO contains optional arrays of tagged attributes, requests,
' content info and/or arbitrary other messages.
'
' For CMC_RESPONSE, pvStructInfo points to a CMC_RESPONSE_INFO.
' CMC_RESPONSE_INFO is the same as CMC_DATA_INFO without the tagged
' requests.
'--------------------------------------------------------------------------
Public Const CMC_TAGGED_CERT_REQUEST_CHOICE As Long = 1
' All the tagged arrays are optional
' All the tagged arrays are optional
'+-------------------------------------------------------------------------
' CMC_STATUS
'
'
' pvStructInfo points to a CMC_STATUS_INFO.
'--------------------------------------------------------------------------
Public Const CMC_OTHER_INFO_NO_CHOICE As Long = 0
Public Const CMC_OTHER_INFO_FAIL_CHOICE As Long = 1
Public Const CMC_OTHER_INFO_PEND_CHOICE As Long = 2
'
' dwStatus values
'
' Request was granted
Public Const CMC_STATUS_SUCCESS As Long = 0
' Request failed, more information elsewhere in the message
Public Const CMC_STATUS_FAILED As Long = 2
' The request body part has not yet been processed. Requester is responsible
' to poll back. May only be returned for certificate request operations.
Public Const CMC_STATUS_PENDING As Long = 3
' The requested operation is not supported
Public Const CMC_STATUS_NO_SUPPORT As Long = 4
' Confirmation using the idConfirmCertAcceptance control is required
' before use of certificate
Public Const CMC_STATUS_CONFIRM_REQUIRED As Long = 5
'
' dwFailInfo values
'
' Unrecognized or unsupported algorithm
Public Const CMC_FAIL_BAD_ALG As Long = 0
' Integrity check failed
Public Const CMC_FAIL_BAD_MESSAGE_CHECK As Long = 1
' Transaction not permitted or supported
Public Const CMC_FAIL_BAD_REQUEST As Long = 2
' Message time field was not sufficiently close to the system time
Public Const CMC_FAIL_BAD_TIME As Long = 3
' No certificate could be identified matching the provided criteria
Public Const CMC_FAIL_BAD_CERT_ID As Long = 4
' A requested X.509 extension is not supported by the recipient CA.
Public Const CMC_FAIL_UNSUPORTED_EXT As Long = 5
' Private key material must be supplied
Public Const CMC_FAIL_MUST_ARCHIVE_KEYS As Long = 6
' Identification Attribute failed to verify
Public Const CMC_FAIL_BAD_IDENTITY As Long = 7
' Server requires a POP proof before issuing certificate
Public Const CMC_FAIL_POP_REQUIRED As Long = 8
' POP processing failed
Public Const CMC_FAIL_POP_FAILED As Long = 9
' Server policy does not allow key re-use
Public Const CMC_FAIL_NO_KEY_REUSE As Long = 10
Public Const CMC_FAIL_INTERNAL_CA_ERROR As Long = 11
Public Const CMC_FAIL_TRY_LATER As Long = 12
'+-------------------------------------------------------------------------
' CMC_ADD_EXTENSIONS
'
' attribute.
'
' pvStructInfo points to a CMC_ADD_EXTENSIONS_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMC_ADD_ATTRIBUTES
'
' attribute.
'
' pvStructInfo points to a CMC_ADD_ATTRIBUTES_INFO.
'--------------------------------------------------------------------------
'+=========================================================================
'==========================================================================
' Predefined OID Function Names
Public Const CRYPT_OID_ENCODE_OBJECT_FUNC As String = "CryptDllEncodeObject"
Public Const CRYPT_OID_DECODE_OBJECT_FUNC As String = "CryptDllDecodeObject"
Public Const CRYPT_OID_ENCODE_OBJECT_EX_FUNC As String = "CryptDllEncodeObjectEx"
Public Const CRYPT_OID_DECODE_OBJECT_EX_FUNC As String = "CryptDllDecodeObjectEx"
Public Const CRYPT_OID_CREATE_COM_OBJECT_FUNC As String = "CryptDllCreateCOMObject"
Public Const CRYPT_OID_VERIFY_REVOCATION_FUNC As String = "CertDllVerifyRevocation"
Public Const CRYPT_OID_VERIFY_CTL_USAGE_FUNC As String = "CertDllVerifyCTLUsage"
Public Const CRYPT_OID_FORMAT_OBJECT_FUNC As String = "CryptDllFormatObject"
Public Const CRYPT_OID_FIND_OID_INFO_FUNC As String = "CryptDllFindOIDInfo"
Public Const CRYPT_OID_FIND_LOCALIZED_NAME_FUNC As String = "CryptDllFindLocalizedName"
' CryptDllEncodeObject has same function signature as CryptEncodeObject.
' CryptDllDecodeObject has same function signature as CryptDecodeObject.
' CryptDllEncodeObjectEx has same function signature as CryptEncodeObjectEx.
' The Ex version MUST support the CRYPT_ENCODE_ALLOC_FLAG option.
'
' If an Ex function isn't installed or registered, then, attempts to find
' a non-EX version. If the ALLOC flag is set, then, CryptEncodeObjectEx,
' does the allocation and calls the non-EX version twice.
' CryptDllDecodeObjectEx has same function signature as CryptDecodeObjectEx.
' The Ex version MUST support the CRYPT_DECODE_ALLOC_FLAG option.
'
' If an Ex function isn't installed or registered, then, attempts to find
' a non-EX version. If the ALLOC flag is set, then, CryptDecodeObjectEx,
' does the allocation and calls the non-EX version twice.
' CryptDllCreateCOMObject has the following signature:
' IN DWORD dwEncodingType,
' IN LPCSTR pszOID,
' IN PCRYPT_DATA_BLOB pEncodedContent,
' IN DWORD dwFlags,
' IN REFIID riid,
' OUT void **ppvObj);
' CertDllVerifyRevocation has the same signature as CertVerifyRevocation
' CertDllVerifyCTLUsage has the same signature as CertVerifyCTLUsage
' CryptDllFindOIDInfo currently is only used to store values used by
' CryptDllFindLocalizedName is only used to store localized string
' more details.
' Example of a complete OID Function Registry Name:
' HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
' Encoding Type 1\CryptDllEncodeObject\1.2.3
'
' The key's L"Dll" value contains the name of the Dll.
' The key's L"FuncName" value overrides the default function name
Public Const CRYPT_OID_REGPATH As String = "Software\\Microsoft\\Cryptography\\OID"
Public Const CRYPT_OID_REG_ENCODING_TYPE_PREFIX As String = "EncodingType "
Public Const CRYPT_OID_REG_DLL_VALUE_NAME As String = "Dll"
Public Const CRYPT_OID_REG_FUNC_NAME_VALUE_NAME As String = "FuncName"
Public Const CRYPT_OID_REG_FUNC_NAME_VALUE_NAME_A As String = "FuncName"
' CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG can be set in the key's L"CryptFlags"
' value to register the functions before the installed functions.
'
' CryptSetOIDFunctionValue must be called to set this value. L"CryptFlags"
' must be set using a dwValueType of REG_DWORD.
Public Const CRYPT_OID_REG_FLAGS_VALUE_NAME As String = "CryptFlags"
' OID used for Default OID functions
Public Const CRYPT_DEFAULT_OID As String = "DEFAULT"
Public Const CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG As Long = 1
'+-------------------------------------------------------------------------
' Install a set of callable OID function addresses.
'
' By default the functions are installed at end of the list.
' Set CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG to install at beginning of list.
'
' hModule should be updated with the hModule passed to DllMain to prevent
' the Dll containing the function addresses from being unloaded by
' CryptGetOIDFuncAddress/CryptFreeOIDFunctionAddress. This would be the
' case when the Dll has also regsvr32'ed OID functions via
' CryptRegisterOIDFunction.
'
' DEFAULT functions are installed by setting rgFuncEntry[].pszOID =
' CRYPT_DEFAULT_OID.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Initialize and return handle to the OID function set identified by its
' function name.
'
' If the set already exists, a handle to the existing set is returned.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Search the list of installed functions for an encoding type and OID match.
' If not found, search the registry.
'
' For success, returns TRUE with *ppvFuncAddr updated with the function's
' address and *phFuncAddr updated with the function address's handle.
' The function's handle is AddRef'ed. CryptFreeOIDFunctionAddress needs to
' be called to release it.
'
' For a registry match, the Dll containing the function is loaded.
'
' By default, both the registered and installed function lists are searched.
' Set CRYPT_GET_INSTALLED_OID_FUNC_FLAG to only search the installed list
' of functions. This flag would be set by a registered function to get
' the address of a pre-installed function it was replacing. For example,
' the registered function might handle a new special case and call the
' pre-installed function to handle the remaining cases.
'--------------------------------------------------------------------------
Public Const CRYPT_GET_INSTALLED_OID_FUNC_FLAG As Long = &H1
'+-------------------------------------------------------------------------
' Get the list of registered default Dll entries for the specified
' function set and encoding type.
'
' The returned list consists of none, one or more null terminated Dll file
' For example: L"first.dll" L"\0" L"second.dll" L"\0" L"\0"
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Either: get the first or next installed DEFAULT function OR
' load the Dll containing the DEFAULT function.
'
' If pwszDll is NULL, search the list of installed DEFAULT functions.
' *phFuncAddr must be set to NULL to get the first installed function.
' Successive installed functions are returned by setting *phFuncAddr
' to the hFuncAddr returned by the previous call.
'
' If pwszDll is NULL, the input *phFuncAddr
' is always CryptFreeOIDFunctionAddress'ed by this function, even for
' an error.
'
' If pwszDll isn't NULL, then, attempts to load the Dll and the DEFAULT
' function. *phFuncAddr is ignored upon entry and isn't
' CryptFreeOIDFunctionAddress'ed.
'
' For success, returns TRUE with *ppvFuncAddr updated with the function's
' address and *phFuncAddr updated with the function address's handle.
' The function's handle is AddRef'ed. CryptFreeOIDFunctionAddress needs to
' be called to release it or CryptGetDefaultOIDFunctionAddress can also
' be called for a NULL pwszDll.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Releases the handle AddRef'ed and returned by CryptGetOIDFunctionAddress
' or CryptGetDefaultOIDFunctionAddress.
'
' If a Dll was loaded for the function its unloaded. However, before doing
' the unload, the DllCanUnloadNow function exported by the loaded Dll is
' called. It should return S_FALSE to inhibit the unload or S_TRUE to enable
' the unload. If the Dll doesn't export DllCanUnloadNow, the Dll is unloaded.
'
' DllCanUnloadNow has the following signature:
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Register the Dll containing the function to be called for the specified
' encoding type, function name and OID.
'
' pwszDll may contain environment-variable strings
'
' In addition to registering the DLL, you may override the
' name of the function to be called. For example,
' pszFuncName = "CryptDllEncodeObject",
' pszOverrideFuncName = "MyEncodeXyz".
' This allows a Dll to export multiple OID functions for the same
' function name without needing to interpose its own OID dispatcher function.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Unregister the Dll containing the function to be called for the specified
' encoding type, function name and OID.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Register the Dll containing the default function to be called for the
' specified encoding type and function name.
'
' Unlike CryptRegisterOIDFunction, you can't override the function name
' needing to be exported by the Dll.
'
' The Dll is inserted before the entry specified by dwIndex.
' dwIndex == 0, inserts at the beginning.
' dwIndex == CRYPT_REGISTER_LAST_INDEX, appends at the end.
'
' pwszDll may contain environment-variable strings
'--------------------------------------------------------------------------
Public Const CRYPT_REGISTER_FIRST_INDEX As Long = 0
Public Const CRYPT_REGISTER_LAST_INDEX As Long = &HFFFFFFFF
'+-------------------------------------------------------------------------
' Unregister the Dll containing the default function to be called for
' the specified encoding type and function name.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Set the value for the specified encoding type, function name, OID and
' value name.
'
' See RegSetValueEx for the possible value types.
'
' String types are UNICODE.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Get the value for the specified encoding type, function name, OID and
' value name.
'
' See RegEnumValue for the possible value types.
'
' String types are UNICODE.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Enumerate the OID functions identified by their encoding type,
' function name and OID.
'
' pfnEnumOIDFunc is called for each registry key matching the input
' parameters. Setting dwEncodingType to CRYPT_MATCH_ANY_ENCODING_TYPE matches
' any. Setting pszFuncName or pszOID to NULL matches any.
'
' Set pszOID == CRYPT_DEFAULT_OID to restrict the enumeration to only the
' DEFAULT functions
'
' String types are UNICODE.
'--------------------------------------------------------------------------
Public Const CRYPT_MATCH_ANY_ENCODING_TYPE As Long = &HFFFFFFFF
'+=========================================================================
'==========================================================================
'+-------------------------------------------------------------------------
' OID Information
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' OID Group IDs
'--------------------------------------------------------------------------
Public Const CRYPT_HASH_ALG_OID_GROUP_ID As Long = 1
Public Const CRYPT_ENCRYPT_ALG_OID_GROUP_ID As Long = 2
Public Const CRYPT_PUBKEY_ALG_OID_GROUP_ID As Long = 3
Public Const CRYPT_SIGN_ALG_OID_GROUP_ID As Long = 4
Public Const CRYPT_RDN_ATTR_OID_GROUP_ID As Long = 5
Public Const CRYPT_EXT_OR_ATTR_OID_GROUP_ID As Long = 6
Public Const CRYPT_ENHKEY_USAGE_OID_GROUP_ID As Long = 7
Public Const CRYPT_POLICY_OID_GROUP_ID As Long = 8
Public Const CRYPT_LAST_OID_GROUP_ID As Long = 8
' The CRYPT_*_ALG_OID_GROUP_ID's have an Algid. The CRYPT_RDN_ATTR_OID_GROUP_ID
' has a dwLength. The CRYPT_EXT_OR_ATTR_OID_GROUP_ID,
' CRYPT_ENHKEY_USAGE_OID_GROUP_ID or CRYPT_POLICY_OID_GROUP_ID don't have a
' dwValue.
'
' CRYPT_PUBKEY_ALG_OID_GROUP_ID has the following optional ExtraInfo:
' DWORD[0] - Flags. CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG can be set to
' inhibit the reformatting of the signature before
' CryptVerifySignature is called or after CryptSignHash
' is called. CRYPT_OID_USE_PUBKEY_PARA_FOR_PKCS7_FLAG can
' be set to include the public key algorithm's parameters
' in the PKCS7's digestEncryptionAlgorithm's parameters.
' CRYPT_OID_NO_NULL_ALGORITHM_PARA_FLAG can be set to omit
' NULL parameters when encoding.
Public Const CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG As Long = &H1
Public Const CRYPT_OID_USE_PUBKEY_PARA_FOR_PKCS7_FLAG As Long = &H2
Public Const CRYPT_OID_NO_NULL_ALGORITHM_PARA_FLAG As Long = &H4
' CRYPT_SIGN_ALG_OID_GROUP_ID has the following optional ExtraInfo:
' DWORD[0] - Public Key Algid.
' DWORD[1] - Flags. Same as above for CRYPT_PUBKEY_ALG_OID_GROUP_ID.
' If omitted or 0, uses Public Key Algid to select
' appropriate dwProvType for signature verification.
' CRYPT_RDN_ATTR_OID_GROUP_ID has the following optional ExtraInfo:
' Array of DWORDs:
' [0 ..] - Null terminated list of acceptable RDN attribute
' value types. An empty list implies CERT_RDN_PRINTABLE_STRING,
' CERT_RDN_UNICODE_STRING, 0.
'+-------------------------------------------------------------------------
' Find OID information. Returns NULL if unable to find any information
' for the specified key and group. Note, returns a pointer to a constant
' data structure. The returned pointer MUST NOT be freed.
'
' dwKeyType's:
' CRYPT_OID_INFO_OID_KEY, pvKey points to a szOID
' CRYPT_OID_INFO_NAME_KEY, pvKey points to a wszName
' CRYPT_OID_INFO_ALGID_KEY, pvKey points to an ALG_ID
' CRYPT_OID_INFO_SIGN_KEY, pvKey points to an array of two ALG_ID's:
' ALG_ID[0] - Hash Algid
' ALG_ID[1] - PubKey Algid
'
' Setting dwGroupId to 0, searches all groups according to the dwKeyType.
' Otherwise, only the dwGroupId is searched.
'--------------------------------------------------------------------------
Public Const CRYPT_OID_INFO_OID_KEY As Long = 1
Public Const CRYPT_OID_INFO_NAME_KEY As Long = 2
Public Const CRYPT_OID_INFO_ALGID_KEY As Long = 3
Public Const CRYPT_OID_INFO_SIGN_KEY As Long = 4
'+-------------------------------------------------------------------------
' Register OID information. The OID information specified in the
' CCRYPT_OID_INFO structure is persisted to the registry.
'
' crypt32.dll contains information for the commonly known OIDs. This function
' allows applications to augment crypt32.dll's OID information. During
' CryptFindOIDInfo's first call, the registered OID information is installed.
'
' By default the registered OID information is installed after crypt32.dll's
' OID entries. Set CRYPT_INSTALL_OID_INFO_BEFORE_FLAG to install before.
'--------------------------------------------------------------------------
Public Const CRYPT_INSTALL_OID_INFO_BEFORE_FLAG As Long = 1
'+-------------------------------------------------------------------------
' Unregister OID information. Only the pszOID and dwGroupId fields are
' used to identify the OID information to be unregistered.
'--------------------------------------------------------------------------
' If the callback returns FALSE, stops the enumeration.
'+-------------------------------------------------------------------------
' Enumerate the OID information.
'
' pfnEnumOIDInfo is called for each OID information entry.
'
' Setting dwGroupId to 0 matches all groups. Otherwise, only enumerates
' entries in the specified group.
'
' dwFlags currently isn't used and must be set to 0.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Find the localized name for the specified name. For example, find the
' localized name for the "Root" system store name. A case insensitive
' string comparison is done.
'
' Returns NULL if unable to find the the specified name.
'
' as resource strings in crypt32.dll. CryptSetOIDFunctionValue can be called
' as follows to register additional localized strings:
' dwEncodingType = CRYPT_LOCALIZED_NAME_ENCODING_TYPE
' pszFuncName = CRYPT_OID_FIND_LOCALIZED_NAME_FUNC
' pszOID = CRYPT_LOCALIZED_NAME_OID
' pwszValueName = Name to be localized, for example, L"ApplicationStore"
' dwValueType = REG_SZ
' pbValueData = pointer to the UNICODE localized string
'
' To unregister, set pbValueData to NULL and cbValueData to 0.
'
' The registered names are searched before the pre-installed names.
'--------------------------------------------------------------------------
Public Const CRYPT_LOCALIZED_NAME_ENCODING_TYPE As Long = 0
Public Const CRYPT_LOCALIZED_NAME_OID As String = "LocalizedNames"
'+=========================================================================
' Low Level Cryptographic Message Data Structures and APIs
'==========================================================================
Public Const szOID_PKCS_7_DATA As String = "1.2.840.113549.1.7.1"
Public Const szOID_PKCS_7_SIGNED As String = "1.2.840.113549.1.7.2"
Public Const szOID_PKCS_7_ENVELOPED As String = "1.2.840.113549.1.7.3"
Public Const szOID_PKCS_7_SIGNEDANDENVELOPED As String = "1.2.840.113549.1.7.4"
Public Const szOID_PKCS_7_DIGESTED As String = "1.2.840.113549.1.7.5"
Public Const szOID_PKCS_7_ENCRYPTED As String = "1.2.840.113549.1.7.6"
Public Const szOID_PKCS_9_CONTENT_TYPE As String = "1.2.840.113549.1.9.3"
Public Const szOID_PKCS_9_MESSAGE_DIGEST As String = "1.2.840.113549.1.9.4"
'+-------------------------------------------------------------------------
' Message types
'--------------------------------------------------------------------------
Public Const CMSG_DATA As Long = 1
Public Const CMSG_SIGNED As Long = 2
Public Const CMSG_ENVELOPED As Long = 3
Public Const CMSG_SIGNED_AND_ENVELOPED As Long = 4
Public Const CMSG_HASHED As Long = 5
Public Const CMSG_ENCRYPTED As Long = 6
'+-------------------------------------------------------------------------
' Message Type Bit Flags
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate Issuer and SerialNumber
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate Identifier
'--------------------------------------------------------------------------
Public Const CERT_ID_ISSUER_SERIAL_NUMBER As Long = 1
Public Const CERT_ID_KEY_IDENTIFIER As Long = 2
Public Const CERT_ID_SHA1_HASH As Long = 3
'+-------------------------------------------------------------------------
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_DATA: pvMsgEncodeInfo = NULL
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_SIGNED
'
' The pCertInfo in the CMSG_SIGNER_ENCODE_INFO provides the Issuer, SerialNumber
' and PublicKeyInfo.Algorithm. The PublicKeyInfo.Algorithm implicitly
' specifies the HashEncryptionAlgorithm to be used.
'
' If the SignerId is present with a nonzero dwIdChoice its used instead
' of the Issuer and SerialNumber in pCertInfo.
'
' CMS supports the KEY_IDENTIFIER and ISSUER_SERIAL_NUMBER CERT_IDs. PKCS #7
' version 1.5 only supports the ISSUER_SERIAL_NUMBER CERT_ID choice.
'
' If HashEncryptionAlgorithm is present and not NULL its used instead of
' the PublicKeyInfo.Algorithm.
'
' Note, for RSA, the hash encryption algorithm is normally the same as
' the public key algorithm. For DSA, the hash encryption algorithm is
' normally a DSS signature algorithm.
'
' pvHashEncryptionAuxInfo currently isn't used and must be set to NULL if
' present in the data structure.
'
' The hCryptProv and dwKeySpec specify the private key to use. If dwKeySpec
' == 0, then, defaults to AT_SIGNATURE.
'
' If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
'
' pvHashAuxInfo currently isn't used and must be set to NULL.
'
' CMS signed messages allow the inclusion of Attribute Certs.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_ENVELOPED
'
' The PCERT_INFO for the rgRecipients provides the Issuer, SerialNumber
' and PublicKeyInfo. The PublicKeyInfo.Algorithm implicitly
' specifies the KeyEncryptionAlgorithm to be used.
'
' The PublicKeyInfo.PublicKey in PCERT_INFO is used to encrypt the content
' encryption key for the recipient.
'
' hCryptProv is used to do the content encryption, recipient key encryption
' and export. The hCryptProv's private keys aren't used. If hCryptProv
' is NULL, a default hCryptProv is chosen according to the
' ContentEncryptionAlgorithm and the first recipient KeyEncryptionAlgorithm.
'
' If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
'
' Note: CAPI currently doesn't support more than one KeyEncryptionAlgorithm
' per provider. This will need to be fixed.
'
' Currently, pvEncryptionAuxInfo is only defined for RC2 or RC4 encryption
' algorithms. Otherwise, its not used and must be set to NULL.
' See CMSG_RC2_AUX_INFO for the RC2 encryption algorithms.
' See CMSG_RC4_AUX_INFO for the RC4 encryption algorithms.
'
' To enable SP3 compatible encryption, pvEncryptionAuxInfo should point to
' a CMSG_SP3_COMPATIBLE_AUX_INFO data structure.
'
' To enable the CMS envelope enhancements, rgpRecipients must be set to
' NULL, and rgCmsRecipients updated to point to an array of
' CMSG_RECIPIENT_ENCODE_INFO's.
'
' Also, CMS envelope enhancements support the inclusion of a bag of
' Certs, CRLs, Attribute Certs and/or Unprotected Attributes.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Key Transport Recipient Encode Info
'
' hCryptProv is used to do the recipient key encryption
' and export. The hCryptProv's private keys aren't used.
'
' If hCryptProv is NULL, then, the hCryptProv specified in
' CMSG_ENVELOPED_ENCODE_INFO is used.
'
' Note, even if CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
'
' CMS supports the KEY_IDENTIFIER and ISSUER_SERIAL_NUMBER CERT_IDs. PKCS #7
' version 1.5 only supports the ISSUER_SERIAL_NUMBER CERT_ID choice.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Key Agreement Recipient Encode Info
'
' If hCryptProv is NULL, then, the hCryptProv specified in
' CMSG_ENVELOPED_ENCODE_INFO is used.
'
' For the CMSG_KEY_AGREE_STATIC_KEY_CHOICE, both the hCryptProv and
' dwKeySpec must be specified to select the sender's private key.
'
' Note, even if CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
'
' CMS supports the KEY_IDENTIFIER and ISSUER_SERIAL_NUMBER CERT_IDs.
'
' There is 1 key choice, ephemeral originator. The originator's ephemeral
' key is generated using the public key algorithm parameters shared
' amongst all the recipients.
'
' There are 2 key choices: ephemeral originator or static sender. The
' originator's ephemeral key is generated using the public key algorithm
' parameters shared amongst all the recipients. For the static sender its
' private key is used. The hCryptProv and dwKeySpec specify the private key.
' The pSenderId identifies the certificate containing the sender's public key.
'
' Currently, pvKeyEncryptionAuxInfo isn't used and must be set to NULL.
'
' If KeyEncryptionAlgorithm.Parameters.cbData == 0, then, its Parameters
' are updated with the encoded KeyWrapAlgorithm.
'
' Currently, pvKeyWrapAuxInfo is only defined for algorithms with
' RC2. Otherwise, its not used and must be set to NULL.
' When set for RC2 algorithms, points to a CMSG_RC2_AUX_INFO containing
' the RC2 effective key length.
'
' Note, key agreement recipients are not supported in PKCS #7 version 1.5.
'--------------------------------------------------------------------------
Public Const CMSG_KEY_AGREE_EPHEMERAL_KEY_CHOICE As Long = 1
Public Const CMSG_KEY_AGREE_STATIC_KEY_CHOICE As Long = 2
'+-------------------------------------------------------------------------
' Mail List Recipient Encode Info
'
' There is 1 choice for the KeyEncryptionKey: an already created CSP key
' handle. For the key handle choice, hCryptProv must be nonzero. This key
' handle isn't destroyed.
'
' Note, even if CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
'
' Currently, pvKeyEncryptionAuxInfo is only defined for RC2 key wrap
' algorithms. Otherwise, its not used and must be set to NULL.
' When set for RC2 algorithms, points to a CMSG_RC2_AUX_INFO containing
' the RC2 effective key length.
'
' Note, mail list recipients are not supported in PKCS #7 version 1.5.
'--------------------------------------------------------------------------
Public Const CMSG_MAIL_LIST_HANDLE_KEY_CHOICE As Long = 1
'+-------------------------------------------------------------------------
' Recipient Encode Info
'
' Note, only key transport recipients are supported in PKCS #7 version 1.5.
'--------------------------------------------------------------------------
Public Const CMSG_KEY_TRANS_RECIPIENT As Long = 1
Public Const CMSG_KEY_AGREE_RECIPIENT As Long = 2
Public Const CMSG_MAIL_LIST_RECIPIENT As Long = 3
'+-------------------------------------------------------------------------
' CMSG_RC2_AUX_INFO
'
' AuxInfo for RC2 encryption algorithms. The pvEncryptionAuxInfo field
' in CMSG_ENCRYPTED_ENCODE_INFO should be updated to point to this
' structure. If not specified, defaults to 40 bit.
'
' Note, this AuxInfo is only used when, the ContentEncryptionAlgorithm's
' Parameter.cbData is zero. Otherwise, the Parameters is decoded to
' get the bit length.
'
' If CMSG_SP3_COMPATIBLE_ENCRYPT_FLAG is set in dwBitLen, then, SP3
' compatible encryption is done and the bit length is ignored.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_SP3_COMPATIBLE_AUX_INFO
'
' AuxInfo for enabling SP3 compatible encryption.
'
' The CMSG_SP3_COMPATIBLE_ENCRYPT_FLAG is set in dwFlags to enable SP3
' compatible encryption. When set, uses zero salt instead of no salt,
' the encryption algorithm parameters are NULL instead of containing the
' encoded RC2 parameters or encoded IV octet string and the encrypted
' symmetric key is encoded little endian instead of big endian.
'--------------------------------------------------------------------------
Public Const CMSG_SP3_COMPATIBLE_ENCRYPT_FLAG As Long = &H80000000
'+-------------------------------------------------------------------------
' CMSG_RC4_AUX_INFO
'
' AuxInfo for RC4 encryption algorithms. The pvEncryptionAuxInfo field
' in CMSG_ENCRYPTED_ENCODE_INFO should be updated to point to this
' structure. If not specified, uses the CSP's default bit length with no
' salt. Note, the base CSP has a 40 bit default and the enhanced CSP has
' a 128 bit default.
'
' If CMSG_RC4_NO_SALT_FLAG is set in dwBitLen, then, no salt is generated.
' as an OCTET STRING in the algorithm parameters field.
'--------------------------------------------------------------------------
Public Const CMSG_RC4_NO_SALT_FLAG As Long = &H40000000
'+-------------------------------------------------------------------------
' CMSG_SIGNED_AND_ENVELOPED
'
' For PKCS #7, a signed and enveloped message doesn't have the
' signer's authenticated or unauthenticated attributes. Otherwise, a
' combination of the CMSG_SIGNED_ENCODE_INFO and CMSG_ENVELOPED_ENCODE_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_HASHED
'
' hCryptProv is used to do the hash. Doesn't need to use a private key.
'
' If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
'
' If fDetachedHash is set, then, the encoded message doesn't contain
'
' pvHashAuxInfo currently isn't used and must be set to NULL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_ENCRYPTED
'
' The key used to encrypt the message is identified outside of the message
'
' The content input to CryptMsgUpdate has already been encrypted.
'
' pvEncryptionAuxInfo currently isn't used and must be set to NULL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' This parameter allows messages to be of variable length with streamed
' output.
'
' By default, messages are of a definite length and
' called to get the cryptographically processed content. Until closed,
' the handle keeps a copy of the processed content.
'
' With streamed output, the processed content can be freed as its streamed.
'
' If the length of the content to be updated is known at the time of the
' open, then, ContentLength should be set to that length. Otherwise, it
' should be set to CMSG_INDEFINITE_LENGTH.
'--------------------------------------------------------------------------
Public Const CMSG_INDEFINITE_LENGTH As Long = &HFFFFFFFF
'+-------------------------------------------------------------------------
' Open dwFlags
'--------------------------------------------------------------------------
Public Const CMSG_BARE_CONTENT_FLAG As Long = &H00000001
Public Const CMSG_LENGTH_ONLY_FLAG As Long = &H00000002
Public Const CMSG_DETACHED_FLAG As Long = &H00000004
Public Const CMSG_AUTHENTICATED_ATTRIBUTES_FLAG As Long = &H00000008
Public Const CMSG_CONTENTS_OCTETS_FLAG As Long = &H00000010
Public Const CMSG_MAX_LENGTH_FLAG As Long = &H00000020
' When set, nonData type inner content is encapsulated within an
' OCTET STRING. Applicable to both Signed and Enveloped messages.
Public Const CMSG_CMS_ENCAPSULATED_CONTENT_FLAG As Long = &H00000040
' If set, then, the hCryptProv passed to CryptMsgOpenToEncode or
' CryptMsgOpenToDecode is released on the final CryptMsgClose.
' Not released if CryptMsgOpenToEncode or CryptMsgOpenToDecode fails.
'
' Note, the envelope recipient hCryptProv's aren't released.
Public Const CMSG_CRYPT_RELEASE_CONTEXT_FLAG As Long = &H00008000
'+-------------------------------------------------------------------------
' Open a cryptographic message for encoding
'
' For PKCS #7:
' If the content to be passed to CryptMsgUpdate has already
' from another message encode), then, the CMSG_ENCODED_CONTENT_INFO_FLAG should
' be set in dwFlags. If not set, then, the inner ContentType is Data and
' the input to CryptMsgUpdate is treated as the inner Data type's Content,
' a string of bytes.
' If CMSG_BARE_CONTENT_FLAG is specified for a streamed message,
' the streamed output will not have an outer ContentInfo wrapper. This
' makes it suitable to be streamed into an enclosing message.
'
' The pStreamInfo parameter needs to be set to stream the encoded message
' output.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Calculate the length of an encoded cryptographic message.
'
' Calculates the length of the encoded message given the
' message type, encoding parameters and total length of
' the data to be updated. Note, this might not be the exact length. However,
' it will always be greater than or equal to the actual length.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Open a cryptographic message for decoding
'
' hCryptProv specifies the crypto provider to use for hashing and/or
' decrypting the message. If hCryptProv is NULL, a default crypt provider
' is used.
'
' Currently pRecipientInfo isn't used and should be set to NULL.
'
' The pStreamInfo parameter needs to be set to stream the decoded content
' output.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Duplicate a cryptographic message handle
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Close a cryptographic message handle
'
' LastError is preserved unless FALSE is returned.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Update the content of a cryptographic message. Depending on how the
' message was opened, the content is either encoded or decoded.
'
' This function is repetitively called to append to the message content.
' fFinal is set to identify the last update. On fFinal, the encode/decode
' is completed. The encoded/decoded content and the decoded parameters
' are valid until the open and all duplicated handles are closed.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Get a parameter after encoding/decoding a cryptographic message. Called
' after the final CryptMsgUpdate. Only the CMSG_CONTENT_PARAM and
' CMSG_COMPUTED_HASH_PARAM are valid for an encoded message.
'
' For an encoded HASHED message, the CMSG_COMPUTED_HASH_PARAM can be got
' before any CryptMsgUpdates to get its length.
'
' The pvData type definition depends on the dwParamType value.
'
' Elements pointed to by fields in the pvData structure follow the
' structure. Therefore, *pcbData may exceed the size of the structure.
'
' Upon input, if *pcbData == 0, then, *pcbData is updated with the length
' of the data and the pvData parameter is ignored.
'
' Upon return, *pcbData is updated with the length of the data.
'
' The OBJID BLOBs returned in the pvData structures point to
' their still encoded representation. The appropriate functions
' must be called to decode the information.
'
' See below for a list of the parameters to get.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Get parameter types and their corresponding data structure definitions.
'--------------------------------------------------------------------------
Public Const CMSG_TYPE_PARAM As Long = 1
Public Const CMSG_CONTENT_PARAM As Long = 2
Public Const CMSG_BARE_CONTENT_PARAM As Long = 3
Public Const CMSG_INNER_CONTENT_TYPE_PARAM As Long = 4
Public Const CMSG_SIGNER_COUNT_PARAM As Long = 5
Public Const CMSG_SIGNER_INFO_PARAM As Long = 6
Public Const CMSG_SIGNER_CERT_INFO_PARAM As Long = 7
Public Const CMSG_SIGNER_HASH_ALGORITHM_PARAM As Long = 8
Public Const CMSG_SIGNER_AUTH_ATTR_PARAM As Long = 9
Public Const CMSG_SIGNER_UNAUTH_ATTR_PARAM As Long = 10
Public Const CMSG_CERT_COUNT_PARAM As Long = 11
Public Const CMSG_CERT_PARAM As Long = 12
Public Const CMSG_CRL_COUNT_PARAM As Long = 13
Public Const CMSG_CRL_PARAM As Long = 14
Public Const CMSG_ENVELOPE_ALGORITHM_PARAM As Long = 15
Public Const CMSG_RECIPIENT_COUNT_PARAM As Long = 17
Public Const CMSG_RECIPIENT_INDEX_PARAM As Long = 18
Public Const CMSG_RECIPIENT_INFO_PARAM As Long = 19
Public Const CMSG_HASH_ALGORITHM_PARAM As Long = 20
Public Const CMSG_HASH_DATA_PARAM As Long = 21
Public Const CMSG_COMPUTED_HASH_PARAM As Long = 22
Public Const CMSG_ENCRYPT_PARAM As Long = 26
Public Const CMSG_ENCRYPTED_DIGEST As Long = 27
Public Const CMSG_ENCODED_SIGNER As Long = 28
Public Const CMSG_ENCODED_MESSAGE As Long = 29
Public Const CMSG_VERSION_PARAM As Long = 30
Public Const CMSG_ATTR_CERT_COUNT_PARAM As Long = 31
Public Const CMSG_ATTR_CERT_PARAM As Long = 32
Public Const CMSG_CMS_RECIPIENT_COUNT_PARAM As Long = 33
Public Const CMSG_CMS_RECIPIENT_INDEX_PARAM As Long = 34
Public Const CMSG_CMS_RECIPIENT_ENCRYPTED_KEY_INDEX_PARAM As Long = 35
Public Const CMSG_CMS_RECIPIENT_INFO_PARAM As Long = 36
Public Const CMSG_UNPROTECTED_ATTR_PARAM As Long = 37
Public Const CMSG_SIGNER_CERT_ID_PARAM As Long = 38
Public Const CMSG_CMS_SIGNER_INFO_PARAM As Long = 39
'+-------------------------------------------------------------------------
' CMSG_TYPE_PARAM
'
' The type of the decoded message.
'
' pvData points to a DWORD
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CONTENT_PARAM
'
' The encoded content of a cryptographic message. Depending on how the
' message was opened, the content is either the whole PKCS#7
' In the decode case, the decrypted content is returned, if enveloped.
' If not enveloped, and if the inner content is of type DATA, the returned
' data is the contents octets of the inner content.
'
' pvData points to the buffer receiving the content bytes
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_BARE_CONTENT_PARAM
'
' The encoded content of an encoded cryptographic message, without the
' outer layer of ContentInfo. That is, only the encoding of the
' ContentInfo.content field is returned.
'
' pvData points to the buffer receiving the content bytes
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_INNER_CONTENT_TYPE_PARAM
'
' The type of the inner content of a decoded cryptographic message,
' in the form of a NULL-terminated object identifier string
'
' pvData points to the buffer receiving the object identifier string
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_SIGNER_COUNT_PARAM
'
' Count of signers in a SIGNED or SIGNED_AND_ENVELOPED message
'
' pvData points to a DWORD
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_SIGNER_CERT_INFO_PARAM
'
' To get all the signers, repetitively call CryptMsgGetParam, with
' dwIndex set to 0 .. SignerCount - 1.
'
' pvData points to a CERT_INFO struct.
'
' Only the following fields have been updated in the CERT_INFO struct:
' Issuer and SerialNumber.
'
' Note, if the KEYID choice was selected for a CMS SignerId, then, the
' SerialNumber is 0 and the Issuer is encoded containing a single RDN with a
' single Attribute whose OID is szOID_KEYID_RDN, value type is
' CERT_RDN_OCTET_STRING and value is the KEYID. When the
' CertGetSubjectCertificateFromStore and
' special KEYID Issuer and SerialNumber, they do a KEYID match.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_SIGNER_INFO_PARAM
'
' To get all the signers, repetitively call CryptMsgGetParam, with
' dwIndex set to 0 .. SignerCount - 1.
'
' pvData points to a CMSG_SIGNER_INFO struct.
'
' Note, if the KEYID choice was selected for a CMS SignerId, then, the
' SerialNumber is 0 and the Issuer is encoded containing a single RDN with a
' single Attribute whose OID is szOID_KEYID_RDN, value type is
' CERT_RDN_OCTET_STRING and value is the KEYID. When the
' CertGetSubjectCertificateFromStore and
' special KEYID Issuer and SerialNumber, they do a KEYID match.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_SIGNER_CERT_ID_PARAM
'
' To get all the signers, repetitively call CryptMsgGetParam, with
' dwIndex set to 0 .. SignerCount - 1.
'
' pvData points to a CERT_ID struct.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CMS_SIGNER_INFO_PARAM
'
' Same as CMSG_SIGNER_INFO_PARAM, except, contains SignerId instead of
' Issuer and SerialNumber.
'
' To get all the signers, repetitively call CryptMsgGetParam, with
' dwIndex set to 0 .. SignerCount - 1.
'
' pvData points to a CMSG_CMS_SIGNER_INFO struct.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_SIGNER_HASH_ALGORITHM_PARAM
'
' This parameter specifies the HashAlgorithm that was used for the signer.
'
' Set dwIndex to iterate through all the signers.
'
' pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_SIGNER_AUTH_ATTR_PARAM
'
' The authenticated attributes for the signer.
'
' Set dwIndex to iterate through all the signers.
'
' pvData points to a CMSG_ATTR struct.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_SIGNER_UNAUTH_ATTR_PARAM
'
' The unauthenticated attributes for the signer.
'
' Set dwIndex to iterate through all the signers.
'
' pvData points to a CMSG_ATTR struct.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CERT_COUNT_PARAM
'
' Count of certificates in a SIGNED or SIGNED_AND_ENVELOPED message.
'
' CMS, also supports certificates in an ENVELOPED message.
'
' pvData points to a DWORD
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CERT_PARAM
'
' To get all the certificates, repetitively call CryptMsgGetParam, with
' dwIndex set to 0 .. CertCount - 1.
'
' pvData points to an array of the certificate's encoded bytes.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CRL_COUNT_PARAM
'
' Count of CRLs in a SIGNED or SIGNED_AND_ENVELOPED message.
'
' CMS, also supports CRLs in an ENVELOPED message.
'
' pvData points to a DWORD
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CRL_PARAM
'
' To get all the CRLs, repetitively call CryptMsgGetParam, with
' dwIndex set to 0 .. CrlCount - 1.
'
' pvData points to an array of the CRL's encoded bytes.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_ENVELOPE_ALGORITHM_PARAM
'
' The ContentEncryptionAlgorithm that was used in
' an ENVELOPED or SIGNED_AND_ENVELOPED message.
'
' For streaming you must be able to successfully get this parameter before
' doing a CryptMsgControl decrypt.
'
' pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_RECIPIENT_COUNT_PARAM
'
' Count of recipients in an ENVELOPED or SIGNED_AND_ENVELOPED message.
'
' Count of key transport recepients.
'
' The CMSG_CMS_RECIPIENT_COUNT_PARAM has the total count of
'
' pvData points to a DWORD
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_RECIPIENT_INDEX_PARAM
'
' Index of the recipient used to decrypt an ENVELOPED or SIGNED_AND_ENVELOPED
' message.
'
' Index of a key transport recipient. If a non key transport
' recipient was used to decrypt, fails with LastError set to
' CRYPT_E_INVALID_INDEX.
'
' pvData points to a DWORD
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_RECIPIENT_INFO_PARAM
'
' To get all the recipients, repetitively call CryptMsgGetParam, with
' dwIndex set to 0 .. RecipientCount - 1.
'
' Only returns the key transport recepients.
'
' The CMSG_CMS_RECIPIENT_INFO_PARAM returns all recipients.
'
' pvData points to a CERT_INFO struct.
'
' Only the following fields have been updated in the CERT_INFO struct:
' Issuer, SerialNumber and PublicKeyAlgorithm. The PublicKeyAlgorithm
' specifies the KeyEncryptionAlgorithm that was used.
'
' Note, if the KEYID choice was selected for a key transport recipient, then,
' the SerialNumber is 0 and the Issuer is encoded containing a single RDN
' with a single Attribute whose OID is szOID_KEYID_RDN, value type is
' CERT_RDN_OCTET_STRING and value is the KEYID. When the
' CertGetSubjectCertificateFromStore and
' special KEYID Issuer and SerialNumber, they do a KEYID match.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_HASH_ALGORITHM_PARAM
'
' The HashAlgorithm in a HASHED message.
'
' pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_HASH_DATA_PARAM
'
' The hash in a HASHED message.
'
' pvData points to an array of bytes.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_COMPUTED_HASH_PARAM
'
' The computed hash for a HASHED message.
' This may be called for either an encoded or decoded message.
'
' Also, the computed hash for one of the signer's in a SIGNED message.
' It may be called for either an encoded or decoded message after the
' final update. Set dwIndex to iterate through all the signers.
'
' pvData points to an array of bytes.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_ENCRYPT_PARAM
'
' The ContentEncryptionAlgorithm that was used in an ENCRYPTED message.
'
' pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_ENCODED_MESSAGE
'
' The full encoded message. This is useful in the case of a decoded
' signed-and-enveloped-data message which has been countersigned).
'
' pvData points to an array of the message's encoded bytes.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_VERSION_PARAM
'
' The version of the decoded message.
'
' pvData points to a DWORD
'--------------------------------------------------------------------------
Public Const CMSG_SIGNED_DATA_V1 As Long = 1
Public Const CMSG_SIGNED_DATA_V3 As Long = 3
Public Const CMSG_SIGNER_INFO_V1 As Long = 1
Public Const CMSG_SIGNER_INFO_V3 As Long = 3
Public Const CMSG_HASHED_DATA_V0 As Long = 0
Public Const CMSG_HASHED_DATA_V2 As Long = 2
Public Const CMSG_ENVELOPED_DATA_V0 As Long = 0
Public Const CMSG_ENVELOPED_DATA_V2 As Long = 2
'+-------------------------------------------------------------------------
' CMSG_ATTR_CERT_COUNT_PARAM
'
' Count of attribute certificates in a SIGNED or ENVELOPED message.
'
' pvData points to a DWORD
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_ATTR_CERT_PARAM
'
' To get all the attribute certificates, repetitively call CryptMsgGetParam,
' with dwIndex set to 0 .. AttrCertCount - 1.
'
' pvData points to an array of the attribute certificate's encoded bytes.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CMS_RECIPIENT_COUNT_PARAM
'
' Count of all CMS recipients in an ENVELOPED message.
'
' pvData points to a DWORD
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CMS_RECIPIENT_INDEX_PARAM
'
' Index of the CMS recipient used to decrypt an ENVELOPED message.
'
' pvData points to a DWORD
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CMS_RECIPIENT_ENCRYPTED_KEY_INDEX_PARAM
'
' For a CMS key agreement recipient, the index of the encrypted key
' used to decrypt an ENVELOPED message.
'
' pvData points to a DWORD
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CMS_RECIPIENT_INFO_PARAM
'
' To get all the CMS recipients, repetitively call CryptMsgGetParam, with
' dwIndex set to 0 .. CmsRecipientCount - 1.
'
' pvData points to a CMSG_CMS_RECIPIENT_INFO struct.
'--------------------------------------------------------------------------
Public Const CMSG_KEY_AGREE_ORIGINATOR_CERT As Long = 1
Public Const CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY As Long = 2
' dwVersion numbers for the KeyTrans, KeyAgree and MailList recipients
Public Const CMSG_ENVELOPED_RECIPIENT_V0 As Long = 0
Public Const CMSG_ENVELOPED_RECIPIENT_V2 As Long = 2
Public Const CMSG_ENVELOPED_RECIPIENT_V3 As Long = 3
Public Const CMSG_ENVELOPED_RECIPIENT_V4 As Long = 4
'+-------------------------------------------------------------------------
' CMSG_UNPROTECTED_ATTR_PARAM
'
' The unprotected attributes in the envelped message.
'
' pvData points to a CMSG_ATTR struct.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Perform a special "control" function after the final CryptMsgUpdate of a
' encoded/decoded cryptographic message.
'
' The dwCtrlType parameter specifies the type of operation to be performed.
'
' The pvCtrlPara definition depends on the dwCtrlType value.
'
' See below for a list of the control operations and their pvCtrlPara
' type definition.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Message control types
'--------------------------------------------------------------------------
Public Const CMSG_CTRL_VERIFY_SIGNATURE As Long = 1
Public Const CMSG_CTRL_DECRYPT As Long = 2
Public Const CMSG_CTRL_VERIFY_HASH As Long = 5
Public Const CMSG_CTRL_ADD_SIGNER As Long = 6
Public Const CMSG_CTRL_DEL_SIGNER As Long = 7
Public Const CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR As Long = 8
Public Const CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR As Long = 9
Public Const CMSG_CTRL_ADD_CERT As Long = 10
Public Const CMSG_CTRL_DEL_CERT As Long = 11
Public Const CMSG_CTRL_ADD_CRL As Long = 12
Public Const CMSG_CTRL_DEL_CRL As Long = 13
Public Const CMSG_CTRL_ADD_ATTR_CERT As Long = 14
Public Const CMSG_CTRL_DEL_ATTR_CERT As Long = 15
Public Const CMSG_CTRL_KEY_TRANS_DECRYPT As Long = 16
Public Const CMSG_CTRL_KEY_AGREE_DECRYPT As Long = 17
Public Const CMSG_CTRL_MAIL_LIST_DECRYPT As Long = 18
Public Const CMSG_CTRL_VERIFY_SIGNATURE_EX As Long = 19
Public Const CMSG_CTRL_ADD_CMS_SIGNER_INFO As Long = 20
'+-------------------------------------------------------------------------
' CMSG_CTRL_VERIFY_SIGNATURE
'
' Verify the signature of a SIGNED or SIGNED_AND_ENVELOPED
' message after it has been decoded.
'
' For a SIGNED_AND_ENVELOPED message, called after
' with a NULL pRecipientInfo.
'
' pvCtrlPara points to a CERT_INFO struct.
'
' The CERT_INFO contains the Issuer and SerialNumber identifying
' the Signer of the message. The CERT_INFO also contains the
' PublicKeyInfo
' used to verify the signature. The cryptographic provider specified
' in CryptMsgOpenToDecode is used.
'
' Note, if the message contains CMS signers identified by KEYID, then,
' the CERT_INFO's Issuer and SerialNumber is ignored and only the public
' key is used to find a signer whose signature verifies.
'
' The following CMSG_CTRL_VERIFY_SIGNATURE_EX should be used instead.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_VERIFY_SIGNATURE_EX
'
' Verify the signature of a SIGNED message after it has been decoded.
'
' pvCtrlPara points to the following CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA.
'
' If hCryptProv is NULL, uses the cryptographic provider specified in
' CryptMsgOpenToDecode. If CryptMsgOpenToDecode's hCryptProv is also NULL,
' gets default provider according to the signer's public key OID.
'
' dwSignerIndex is the index of the signer to use to verify the signature.
'
' The signer can be a pointer to a CERT_PUBLIC_KEY_INFO, certificate
' context or a chain context.
'--------------------------------------------------------------------------
' Signer Types
Public Const CMSG_VERIFY_SIGNER_PUBKEY As Long = 1
Public Const CMSG_VERIFY_SIGNER_CERT As Long = 2
Public Const CMSG_VERIFY_SIGNER_CHAIN As Long = 3
'+-------------------------------------------------------------------------
' CMSG_CTRL_DECRYPT
'
' Decrypt an ENVELOPED or SIGNED_AND_ENVELOPED message after it has been
' decoded.
'
' This decrypt is only applicable to key transport recipients.
'
' hCryptProv and dwKeySpec specify the private key to use. For dwKeySpec ==
' 0, defaults to AT_KEYEXCHANGE.
'
' If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
' to CryptMsgControl, then, the hCryptProv is released on the final
' CryptMsgClose. Not released if CryptMsgControl fails.
'
' dwRecipientIndex is the index of the recipient in the message associated
' with the hCryptProv's private key.
'
' The dwRecipientIndex is the index of a key transport recipient.
'
' Note, the message can only be decrypted once.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_KEY_TRANS_DECRYPT
'
' Decrypt an ENVELOPED message after it has been decoded for a key
' transport recipient.
'
' hCryptProv and dwKeySpec specify the private key to use. For dwKeySpec ==
' 0, defaults to AT_KEYEXCHANGE.
'
' If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
' to CryptMsgControl, then, the hCryptProv is released on the final
' CryptMsgClose. Not released if CryptMsgControl fails.
'
' pKeyTrans points to the CMSG_KEY_TRANS_RECIPIENT_INFO obtained via
'
' dwRecipientIndex is the index of the recipient in the message associated
' with the hCryptProv's private key.
'
' Note, the message can only be decrypted once.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_KEY_AGREE_DECRYPT
'
' Decrypt an ENVELOPED message after it has been decoded for a key
' agreement recipient.
'
' hCryptProv and dwKeySpec specify the private key to use. For dwKeySpec ==
' 0, defaults to AT_KEYEXCHANGE.
'
' If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
' to CryptMsgControl, then, the hCryptProv is released on the final
' CryptMsgClose. Not released if CryptMsgControl fails.
'
' pKeyAgree points to the CMSG_KEY_AGREE_RECIPIENT_INFO obtained via
'
' dwRecipientIndex, dwRecipientEncryptedKeyIndex are the indices of the
' recipient's encrypted key in the message associated with the hCryptProv's
' private key.
'
' OriginatorPublicKey is the originator's public key obtained from either
' the originator's certificate or the CMSG_KEY_AGREE_RECIPIENT_INFO obtained
' via the CMSG_CMS_RECIPIENT_INFO_PARAM.
'
' Note, the message can only be decrypted once.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_MAIL_LIST_DECRYPT
'
' Decrypt an ENVELOPED message after it has been decoded for a mail
' list recipient.
'
' pMailList points to the CMSG_MAIL_LIST_RECIPIENT_INFO obtained via
'
' There is 1 choice for the KeyEncryptionKey: an already created CSP key
' handle. For the key handle choice, hCryptProv must be nonzero. This key
' handle isn't destroyed.
'
' If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
' to CryptMsgControl, then, the hCryptProv is released on the final
' CryptMsgClose. Not released if CryptMsgControl fails.
'
' For RC2 wrap, the effective key length is obtained from the
' KeyEncryptionAlgorithm parameters and set on the hKeyEncryptionKey before
' decrypting.
'
' Note, the message can only be decrypted once.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_VERIFY_HASH
'
' Verify the hash of a HASHED message after it has been decoded.
'
' Only the hCryptMsg parameter is used, to specify the message whose
' hash is being verified.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_ADD_SIGNER
'
' Add a signer to a signed-data message.
'
' pvCtrlPara points to a CMSG_SIGNER_ENCODE_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_ADD_CMS_SIGNER_INFO
'
' Add a signer to a signed-data message.
'
' Differs from the above, CMSG_CTRL_ADD_SIGNER, wherein, the signer info
' already contains the signature.
'
' pvCtrlPara points to a CMSG_CMS_SIGNER_INFO.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_DEL_SIGNER
'
' Remove a signer from a signed-data or signed-and-enveloped-data message.
'
' pvCtrlPara points to a DWORD containing the 0-based index of the
' signer to be removed.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR
'
' Add an unauthenticated attribute to the SignerInfo of a signed-data or
' signed-and-enveloped-data message.
'
' The unauthenticated attribute is input in the form of an encoded blob.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR
'
' Delete an unauthenticated attribute from the SignerInfo of a signed-data
' or signed-and-enveloped-data message.
'
' The unauthenticated attribute to be removed is specified by
' a 0-based index.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_ADD_CERT
'
' Add a certificate to a signed-data or signed-and-enveloped-data message.
'
' pvCtrlPara points to a CRYPT_DATA_BLOB containing the certificate's
' encoded bytes.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_DEL_CERT
'
' Delete a certificate from a signed-data or signed-and-enveloped-data
' message.
'
' pvCtrlPara points to a DWORD containing the 0-based index of the
' certificate to be removed.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_ADD_CRL
'
' Add a CRL to a signed-data or signed-and-enveloped-data message.
'
' pvCtrlPara points to a CRYPT_DATA_BLOB containing the CRL's
' encoded bytes.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_DEL_CRL
'
' Delete a CRL from a signed-data or signed-and-enveloped-data message.
'
' pvCtrlPara points to a DWORD containing the 0-based index of the CRL
' to be removed.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_ADD_ATTR_CERT
'
' Add an attribute certificate to a signed-data message.
'
' pvCtrlPara points to a CRYPT_DATA_BLOB containing the attribute
' certificate's encoded bytes.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CMSG_CTRL_DEL_ATTR_CERT
'
' Delete an attribute certificate from a signed-data message.
'
' pvCtrlPara points to a DWORD containing the 0-based index of the
' attribute certificate to be removed.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Verify a countersignature, at the SignerInfo level.
' ie. verify that pbSignerInfoCountersignature contains the encrypted
' hash of the encryptedDigest field of pbSignerInfo.
'
' hCryptProv is used to hash the encryptedDigest field of pbSignerInfo.
' The only fields referenced from pciCountersigner are SerialNumber, Issuer,
' and SubjectPublicKeyInfo.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Verify a countersignature, at the SignerInfo level.
' ie. verify that pbSignerInfoCountersignature contains the encrypted
' hash of the encryptedDigest field of pbSignerInfo.
'
' hCryptProv is used to hash the encryptedDigest field of pbSignerInfo.
'
' The signer can be a CERT_PUBLIC_KEY_INFO, certificate context or a
' chain context.
'--------------------------------------------------------------------------
' See CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA for dwSignerType definitions
'+-------------------------------------------------------------------------
' Countersign an already-existing signature in a message
'
' dwIndex is a zero-based index of the SignerInfo to be countersigned.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Output an encoded SignerInfo blob, suitable for use as a countersignature
' attribute in the unauthenticated attributes of a signed-data or
' signed-and-enveloped-data message.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CryptMsg OID installable functions
'--------------------------------------------------------------------------
' Note, the following 3 installable functions are obsolete and have been
' replaced with GenContentEncryptKey, ExportKeyTrans, ExportKeyAgree,
' ExportMailList, ImportKeyTrans, ImportKeyAgree and ImportMailList
' installable functions.
' If *phCryptProv is NULL upon entry, then, if supported, the installable
' function should acquire a default provider and return. Note, its up
' to the installable function to release at process detach.
'
' If paiEncrypt->Parameters.cbData is 0, then, the callback may optionally
' return default encoded parameters in *ppbEncryptParameters and
' *pcbEncryptParameters. pfnAlloc must be called for the allocation.
Public Const CMSG_OID_GEN_ENCRYPT_KEY_FUNC As String = "CryptMsgDllGenEncryptKey"
Public Const CMSG_OID_EXPORT_ENCRYPT_KEY_FUNC As String = "CryptMsgDllExportEncryptKey"
Public Const CMSG_OID_IMPORT_ENCRYPT_KEY_FUNC As String = "CryptMsgDllImportEncryptKey"
' To get the default installable function for GenContentEncryptKey,
' ExportKeyTrans, ExportKeyAgree, ExportMailList, ImportKeyTrans,
' with the pszOID argument set to the following constant. dwEncodingType
' should be set to CRYPT_ASN_ENCODING or X509_ASN_ENCODING.
'+-------------------------------------------------------------------------
' Content Encrypt Info
'
' The following data structure contains the information shared between
' the GenContentEncryptKey and the ExportKeyTrans, ExportKeyAgree and
' ExportMailList installable functions.
'--------------------------------------------------------------------------
Public Const CMSG_CONTENT_ENCRYPT_PAD_ENCODED_LEN_FLAG As Long = &H00000001
Public Const CMSG_CONTENT_ENCRYPT_FREE_PARA_FLAG As Long = &H00000001
Public Const CMSG_CONTENT_ENCRYPT_RELEASE_CONTEXT_FLAG As Long = &H00008000
'+-------------------------------------------------------------------------
' Upon input, ContentEncryptInfo has been initialized from the
' EnvelopedEncodeInfo.
'
' Note, if rgpRecipients instead of rgCmsRecipients are set in the
' EnvelopedEncodeInfo, then, the rgpRecipients have been converted
' to rgCmsRecipients in the ContentEncryptInfo.
'
' The following fields may be changed in ContentEncryptInfo:
' hContentEncryptKey
' hCryptProv
' ContentEncryptionAlgorithm.Parameters
' dwFlags
'
' All other fields in the ContentEncryptInfo are READONLY.
'
' If CMSG_CONTENT_ENCRYPT_PAD_ENCODED_LEN_FLAG is set upon entry
' in dwEncryptFlags, then, any potentially variable length encoded
' output should be padded with zeroes to always obtain the
' same maximum encoded length. This is necessary for
' definite length streaming.
'
' The hContentEncryptKey must be updated.
'
' If hCryptProv is NULL upon input, then, it must be updated.
' If a HCRYPTPROV is acquired that must be released, then, the
' CMSG_CONTENT_ENCRYPT_RELEASE_CONTEXT_FLAG must be set in dwFlags.
'
' If ContentEncryptionAlgorithm.Parameters is updated, then, the
' CMSG_CONTENT_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags. pfnAlloc and
' pfnFree must be used for doing the allocation.
'
' ContentEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
'--------------------------------------------------------------------------
Public Const CMSG_OID_GEN_CONTENT_ENCRYPT_KEY_FUNC As String = "CryptMsgDllGenContentEncryptKey"
'+-------------------------------------------------------------------------
' Key Transport Encrypt Info
'
' The following data structure contains the information updated by the
' ExportKeyTrans installable function.
'--------------------------------------------------------------------------
Public Const CMSG_KEY_TRANS_ENCRYPT_FREE_PARA_FLAG As Long = &H00000001
'+-------------------------------------------------------------------------
' Upon input, KeyTransEncryptInfo has been initialized from the
' KeyTransEncodeInfo.
'
' The following fields may be changed in KeyTransEncryptInfo:
' EncryptedKey
' KeyEncryptionAlgorithm.Parameters
' dwFlags
'
' All other fields in the KeyTransEncryptInfo are READONLY.
'
' The EncryptedKey must be updated. The pfnAlloc and pfnFree specified in
' ContentEncryptInfo must be used for doing the allocation.
'
' If the KeyEncryptionAlgorithm.Parameters is updated, then, the
' CMSG_KEY_TRANS_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags.
' The pfnAlloc and pfnFree specified in ContentEncryptInfo must be used
' for doing the allocation.
'
' KeyEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
'--------------------------------------------------------------------------
Public Const CMSG_OID_EXPORT_KEY_TRANS_FUNC As String = "CryptMsgDllExportKeyTrans"
'+-------------------------------------------------------------------------
' Key Agree Key Encrypt Info
'
' The following data structure contains the information updated by the
' ExportKeyAgree installable function for each encrypted key agree
' recipient.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Key Agree Encrypt Info
'
' The following data structure contains the information applicable to
' all recipients. Its updated by the ExportKeyAgree installable function.
'--------------------------------------------------------------------------
Public Const CMSG_KEY_AGREE_ENCRYPT_FREE_PARA_FLAG As Long = &H00000001
Public Const CMSG_KEY_AGREE_ENCRYPT_FREE_MATERIAL_FLAG As Long = &H00000002
Public Const CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_ALG_FLAG As Long = &H00000004
Public Const CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_PARA_FLAG As Long = &H00000008
Public Const CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_BITS_FLAG As Long = &H00000010
'+-------------------------------------------------------------------------
' Upon input, KeyAgreeEncryptInfo has been initialized from the
' KeyAgreeEncodeInfo.
'
' The following fields may be changed in KeyAgreeEncryptInfo:
' KeyEncryptionAlgorithm.Parameters
' UserKeyingMaterial
' dwOriginatorChoice
' OriginatorCertId
' OriginatorPublicKeyInfo
' dwFlags
'
' All other fields in the KeyAgreeEncryptInfo are READONLY.
'
' If the KeyEncryptionAlgorithm.Parameters is updated, then, the
' CMSG_KEY_AGREE_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags.
' The pfnAlloc and pfnFree specified in ContentEncryptInfo must be used
' for doing the allocation.
'
' If the UserKeyingMaterial is updated, then, the
' CMSG_KEY_AGREE_ENCRYPT_FREE_MATERIAL_FLAG must be set in dwFlags.
' pfnAlloc and pfnFree must be used for doing the allocation.
'
' The dwOriginatorChoice must be updated to either
' CMSG_KEY_AGREE_ORIGINATOR_CERT or CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY.
'
' If the OriginatorPublicKeyInfo is updated, then, the appropriate
' CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_*_FLAG must be set in dwFlags and
' pfnAlloc and pfnFree must be used for doing the allocation.
'
' If CMSG_CONTENT_ENCRYPT_PAD_ENCODED_LEN_FLAG is set upon entry
' in pContentEncryptInfo->dwEncryptFlags, then, the OriginatorPublicKeyInfo's
' Ephemeral PublicKey should be padded with zeroes to always obtain the
' same maximum encoded length. Note, the length of the generated ephemeral Y
' public key can vary depending on the number of leading zero bits.
'
' Upon input, the array of *rgpKeyAgreeKeyEncryptInfo has been initialized.
' The EncryptedKey must be updated for each recipient key.
' The pfnAlloc and pfnFree specified in
' ContentEncryptInfo must be used for doing the allocation.
'
' KeyEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
'--------------------------------------------------------------------------
Public Const CMSG_OID_EXPORT_KEY_AGREE_FUNC As String = "CryptMsgDllExportKeyAgree"
'+-------------------------------------------------------------------------
' Mail List Encrypt Info
'
' The following data structure contains the information updated by the
' ExportMailList installable function.
'--------------------------------------------------------------------------
Public Const CMSG_MAIL_LIST_ENCRYPT_FREE_PARA_FLAG As Long = &H00000001
'+-------------------------------------------------------------------------
' Upon input, MailListEncryptInfo has been initialized from the
' MailListEncodeInfo.
'
' The following fields may be changed in MailListEncryptInfo:
' EncryptedKey
' KeyEncryptionAlgorithm.Parameters
' dwFlags
'
' All other fields in the MailListEncryptInfo are READONLY.
'
' The EncryptedKey must be updated. The pfnAlloc and pfnFree specified in
' ContentEncryptInfo must be used for doing the allocation.
'
' If the KeyEncryptionAlgorithm.Parameters is updated, then, the
' CMSG_MAIL_LIST_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags.
' The pfnAlloc and pfnFree specified in ContentEncryptInfo must be used
' for doing the allocation.
'
' KeyEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
'--------------------------------------------------------------------------
Public Const CMSG_OID_EXPORT_MAIL_LIST_FUNC As String = "CryptMsgDllExportMailList"
'+-------------------------------------------------------------------------
' OID Installable functions for importing an encoded and encrypted content
' encryption key.
'
' There's a different installable function for each CMS Recipient choice:
' ImportKeyTrans
' ImportKeyAgree
' ImportMailList
'
' Iterates through the following OIDs to get the OID installable function:
' KeyEncryptionOID!ContentEncryptionOID
' KeyEncryptionOID
' ContentEncryptionOID
'
' If the OID installable function doesn't support the specified
' KeyEncryption and ContentEncryption OIDs, then, return FALSE with
' LastError set to E_NOTIMPL.
'--------------------------------------------------------------------------
Public Const CMSG_OID_IMPORT_KEY_TRANS_FUNC As String = "CryptMsgDllImportKeyTrans"
Public Const CMSG_OID_IMPORT_KEY_AGREE_FUNC As String = "CryptMsgDllImportKeyAgree"
Public Const CMSG_OID_IMPORT_MAIL_LIST_FUNC As String = "CryptMsgDllImportMailList"
'+=========================================================================
' Certificate Store Data Structures and APIs
'==========================================================================
'+-------------------------------------------------------------------------
' In its most basic implementation, a cert store is simply a
' collection of certificates and/or CRLs. This is the case when
' a cert store is opened with all of its certificates and CRLs
' coming from a PKCS #7 encoded cryptographic message.
'
' Nonetheless, all cert stores have the following properties:
' - A public key may have more than one certificate in the store.
' For example, a private/public key used for signing may have a
' certificate issued for VISA and another issued for
' Mastercard. Also, when a certificate is renewed there might
' be more than one certificate with the same subject and
' issuer.
' - However, each certificate in the store is uniquely
' identified by its Issuer and SerialNumber.
' - There's an issuer of subject certificate relationship. A
' certificate's issuer is found by doing a match of
' pSubjectCert->Issuer with pIssuerCert->Subject.
' The relationship is verified by using
' the issuer's public key to verify the subject certificate's
' signature. Note, there might be X.509 v3 extensions
' to assist in finding the issuer certificate.
' - Since issuer certificates might be renewed, a subject
' certificate might have more than one issuer certificate.
' - There's an issuer of CRL relationship. An
' issuer's CRL is found by doing a match of
' pIssuerCert->Subject with pCrl->Issuer.
' The relationship is verified by using
' the issuer's public key to verify the CRL's
' signature. Note, there might be X.509 v3 extensions
' to assist in finding the CRL.
' - Since some issuers might support the X.509 v3 delta CRL
' extensions, an issuer might have more than one CRL.
' - The store shouldn't have any redundant certificates or
' CRLs. There shouldn't be two certificates with the same
' Issuer and SerialNumber. There shouldn't be two CRLs with
' the same Issuer, ThisUpdate and NextUpdate.
' - The store has NO policy or trust information. No
' certificates are tagged as being "root". Its up to
' SerialNumber) for certificates it trusts.
' - The store might contain bad certificates and/or CRLs.
' The issuer's signature of a subject certificate or CRL may
' not verify. Certificates or CRLs may not satisfy their
' time validity requirements. Certificates may be
' revoked.
'
' In addition to the certificates and CRLs, properties can be
' stored. There are two predefined property IDs for a user
' certificate: CERT_KEY_PROV_HANDLE_PROP_ID and
' CERT_KEY_PROV_INFO_PROP_ID. The CERT_KEY_PROV_HANDLE_PROP_ID
' is a HCRYPTPROV handle to the private key assoicated
' with the certificate. The CERT_KEY_PROV_INFO_PROP_ID contains
' information to be used to call
' CryptAcquireContext and CryptSetProvParam to get a handle
' to the private key associated with the certificate.
'
' There exists two more predefined property IDs for certificates
' and CRLs, CERT_SHA1_HASH_PROP_ID and CERT_MD5_HASH_PROP_ID.
' If these properties don't already exist, then, a hash of the
' hash algorithm, currently, CERT_SHA1_HASH_PROP_ID).
'
' There are additional APIs for creating certificate and CRL
' CertCreateCRLContext).
'
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate context.
'
' A certificate context contains both the encoded and decoded representation
' of a certificate. A certificate context returned by a cert store function
' must be freed by calling the CertFreeCertificateContext function. The
' CertDuplicateCertificateContext function can be called to make a duplicate
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CRL context.
'
' A CRL context contains both the encoded and decoded representation
' of a CRL. A CRL context returned by a cert store function
' must be freed by calling the CertFreeCRLContext function. The
' CertDuplicateCRLContext function can be called to make a duplicate
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
'
' A CTL context contains both the encoded and decoded representation
' of a CTL. Also contains an opened HCRYPTMSG handle to the decoded
' cryptographic signed message containing the CTL_INFO as its inner content.
' pbCtlContent is the encoded inner content of the signed message.
'
' The CryptMsg APIs can be used to extract additional signer information.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate, CRL and CTL property IDs
'
' See CertSetCertificateContextProperty or CertGetCertificateContextProperty
' for usage information.
'--------------------------------------------------------------------------
Public Const CERT_KEY_PROV_HANDLE_PROP_ID As Long = 1
Public Const CERT_KEY_PROV_INFO_PROP_ID As Long = 2
Public Const CERT_SHA1_HASH_PROP_ID As Long = 3
Public Const CERT_MD5_HASH_PROP_ID As Long = 4
Public Const CERT_KEY_CONTEXT_PROP_ID As Long = 5
Public Const CERT_KEY_SPEC_PROP_ID As Long = 6
Public Const CERT_IE30_RESERVED_PROP_ID As Long = 7
Public Const CERT_PUBKEY_HASH_RESERVED_PROP_ID As Long = 8
Public Const CERT_ENHKEY_USAGE_PROP_ID As Long = 9
Public Const CERT_NEXT_UPDATE_LOCATION_PROP_ID As Long = 10
Public Const CERT_FRIENDLY_NAME_PROP_ID As Long = 11
Public Const CERT_PVK_FILE_PROP_ID As Long = 12
Public Const CERT_DESCRIPTION_PROP_ID As Long = 13
Public Const CERT_ACCESS_STATE_PROP_ID As Long = 14
Public Const CERT_SIGNATURE_HASH_PROP_ID As Long = 15
Public Const CERT_SMART_CARD_DATA_PROP_ID As Long = 16
Public Const CERT_EFS_PROP_ID As Long = 17
Public Const CERT_FORTEZZA_DATA_PROP_ID As Long = 18
Public Const CERT_ARCHIVED_PROP_ID As Long = 19
Public Const CERT_KEY_IDENTIFIER_PROP_ID As Long = 20
Public Const CERT_AUTO_ENROLL_PROP_ID As Long = 21
Public Const CERT_PUBKEY_ALG_PARA_PROP_ID As Long = 22
Public Const CERT_CROSS_CERT_DIST_POINTS_PROP_ID As Long = 23
Public Const CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID As Long = 24
Public Const CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID As Long = 25
Public Const CERT_ENROLLMENT_PROP_ID As Long = 26
Public Const CERT_FIRST_RESERVED_PROP_ID As Long = 27
' Note, 32 - 35 are reserved for the CERT, CRL, CTL and KeyId file element IDs.
Public Const CERT_LAST_RESERVED_PROP_ID As Long = &H00007FFF
Public Const CERT_FIRST_USER_PROP_ID As Long = &H00008000
Public Const CERT_LAST_USER_PROP_ID As Long = &H0000FFFF
'+-------------------------------------------------------------------------
' Access State flags returned by CERT_ACCESS_STATE_PROP_ID. Note,
' CERT_ACCESS_PROP_ID is read only.
'--------------------------------------------------------------------------
' Set if context property writes are persisted. For instance, not set for
' memory store contexts. Set for registry based stores opened as read or write.
' Not set for registry based stores opened as read only.
Public Const CERT_ACCESS_STATE_WRITE_PERSIST_FLAG As Long = &H1
' Set if context resides in a SYSTEM or SYSTEM_REGISTRY store.
Public Const CERT_ACCESS_STATE_SYSTEM_STORE_FLAG As Long = &H2
'+-------------------------------------------------------------------------
' Cryptographic Key Provider Information
'
' CRYPT_KEY_PROV_INFO defines the CERT_KEY_PROV_INFO_PROP_ID's pvData.
'
' The CRYPT_KEY_PROV_INFO fields are passed to CryptAcquireContext
' to get a HCRYPTPROV handle. The optional CRYPT_KEY_PROV_PARAM fields are
' passed to CryptSetProvParam to further initialize the provider.
'
' The dwKeySpec field identifies the private key to use from the container
' For example, AT_KEYEXCHANGE or AT_SIGNATURE.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' The following flag should be set in the above dwFlags to enable
' CryptAcquireContext is done in the Sign or Decrypt Message functions.
'
' The following define must not collide with any of the
' CryptAcquireContext dwFlag defines.
'--------------------------------------------------------------------------
Public Const CERT_SET_KEY_PROV_HANDLE_PROP_ID As Long = &H00000001
Public Const CERT_SET_KEY_CONTEXT_PROP_ID As Long = &H00000001
'+-------------------------------------------------------------------------
' Certificate Key Context
'
' CERT_KEY_CONTEXT defines the CERT_KEY_CONTEXT_PROP_ID's pvData.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate Store Provider Types
'--------------------------------------------------------------------------
Public Const sz_CERT_STORE_PROV_MEMORY As String = "Memory"
Public Const sz_CERT_STORE_PROV_FILENAME_W As String = "File"
Public Const sz_CERT_STORE_PROV_SYSTEM_W As String = "System"
Public Const sz_CERT_STORE_PROV_PKCS7 As String = "PKCS7"
Public Const sz_CERT_STORE_PROV_SERIALIZED As String = "Serialized"
Public Const sz_CERT_STORE_PROV_COLLECTION As String = "Collection"
Public Const sz_CERT_STORE_PROV_SYSTEM_REGISTRY_W As String = "SystemRegistry"
Public Const sz_CERT_STORE_PROV_PHYSICAL_W As String = "Physical"
Public Const sz_CERT_STORE_PROV_SMART_CARD_W As String = "SmartCard"
Public Const sz_CERT_STORE_PROV_LDAP_W As String = "Ldap"
'+-------------------------------------------------------------------------
' Certificate Store verify/results flags
'--------------------------------------------------------------------------
Public Const CERT_STORE_SIGNATURE_FLAG As Long = &H00000001
Public Const CERT_STORE_TIME_VALIDITY_FLAG As Long = &H00000002
Public Const CERT_STORE_REVOCATION_FLAG As Long = &H00000004
Public Const CERT_STORE_NO_CRL_FLAG As Long = &H00010000
Public Const CERT_STORE_NO_ISSUER_FLAG As Long = &H00020000
Public Const CERT_STORE_BASE_CRL_FLAG As Long = &H00000100
Public Const CERT_STORE_DELTA_CRL_FLAG As Long = &H00000200
'+-------------------------------------------------------------------------
' Certificate Store open/property flags
'--------------------------------------------------------------------------
Public Const CERT_STORE_NO_CRYPT_RELEASE_FLAG As Long = &H00000001
Public Const CERT_STORE_SET_LOCALIZED_NAME_FLAG As Long = &H00000002
Public Const CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG As Long = &H00000004
Public Const CERT_STORE_DELETE_FLAG As Long = &H00000010
Public Const CERT_STORE_SHARE_STORE_FLAG As Long = &H00000040
Public Const CERT_STORE_SHARE_CONTEXT_FLAG As Long = &H00000080
Public Const CERT_STORE_MANIFOLD_FLAG As Long = &H00000100
Public Const CERT_STORE_ENUM_ARCHIVED_FLAG As Long = &H00000200
Public Const CERT_STORE_UPDATE_KEYID_FLAG As Long = &H00000400
Public Const CERT_STORE_READONLY_FLAG As Long = &H00008000
Public Const CERT_STORE_OPEN_EXISTING_FLAG As Long = &H00004000
Public Const CERT_STORE_CREATE_NEW_FLAG As Long = &H00002000
Public Const CERT_STORE_MAXIMUM_ALLOWED_FLAG As Long = &H00001000
'+-------------------------------------------------------------------------
' Certificate Store Provider flags are in the HiWord 0xFFFF0000
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate System Store Flag Values
'--------------------------------------------------------------------------
' Includes flags and location
Public Const CERT_SYSTEM_STORE_MASK As Long = &HFFFF0000
' Set if pvPara points to a CERT_SYSTEM_STORE_RELOCATE_PARA structure
Public Const CERT_SYSTEM_STORE_RELOCATE_FLAG As Long = &H80000000
' By default, when the CurrentUser "Root" store is opened, any SystemRegistry
' roots not also on the protected root list are deleted from the cache before
' in the SystemRegistry without checking the protected root list.
Public Const CERT_SYSTEM_STORE_UNPROTECTED_FLAG As Long = &H40000000
' Location of the system store:
Public Const CERT_SYSTEM_STORE_LOCATION_MASK As Long = &H00FF0000
Public Const CERT_SYSTEM_STORE_LOCATION_SHIFT As Long = 16
' Registry: HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE
Public Const CERT_SYSTEM_STORE_CURRENT_USER_ID As Long = 1
Public Const CERT_SYSTEM_STORE_LOCAL_MACHINE_ID As Long = 2
' Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services
Public Const CERT_SYSTEM_STORE_CURRENT_SERVICE_ID As Long = 4
Public Const CERT_SYSTEM_STORE_SERVICES_ID As Long = 5
' Registry: HKEY_USERS
Public Const CERT_SYSTEM_STORE_USERS_ID As Long = 6
' Registry: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
Public Const CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY_ID As Long = 7
' Registry: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
Public Const CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY_ID As Long = 8
' Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates
Public Const CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE_ID As Long = 9
'+-------------------------------------------------------------------------
' Group Policy Store Defines
'--------------------------------------------------------------------------
' Registry path to the Group Policy system stores
'+-------------------------------------------------------------------------
' EFS Defines
'--------------------------------------------------------------------------
' Registry path to the EFS EFSBlob SubKey - Value type is REG_BINARY
Public Const CERT_EFSBLOB_VALUE_NAME As String = "EFSBlob"
'+-------------------------------------------------------------------------
' Protected Root Defines
'--------------------------------------------------------------------------
' Registry path to the Protected Roots Flags SubKey
Public Const CERT_PROT_ROOT_FLAGS_VALUE_NAME As String = "Flags"
' Set the following flag to inhibit the opening of the CurrentUser's
' .Default physical store when opening the CurrentUser's "Root" system store.
' The .Default physical store open's the CurrentUser SystemRegistry "Root"
' store.
Public Const CERT_PROT_ROOT_DISABLE_CURRENT_USER_FLAG As Long = &H1
' Set the following flag to inhibit the adding of roots from the
' CurrentUser SystemRegistry "Root" store to the protected root list
' when the "Root" store is initially protected.
Public Const CERT_PROT_ROOT_INHIBIT_ADD_AT_INIT_FLAG As Long = &H2
' Set the following flag to inhibit the purging of protected roots from the
' CurrentUser SystemRegistry "Root" store that are
' also in the LocalMachine SystemRegistry "Root" store. Note, when not
' disabled, the purging is done silently without UI.
Public Const CERT_PROT_ROOT_INHIBIT_PURGE_LM_FLAG As Long = &H4
' Set the following flag to only open the .LocalMachineGroupPolicy
' physical store when opening the CurrentUser's "Root" system store.
Public Const CERT_PROT_ROOT_ONLY_LM_GPT_FLAG As Long = &H8
'+-------------------------------------------------------------------------
'--------------------------------------------------------------------------
' Set this flag if the HKEY passed in pvPara points to a remote computer
' registry key.
Public Const CERT_REGISTRY_STORE_REMOTE_FLAG As Long = &H10000
' Set this flag if the contexts are to be persisted as a single serialized
' store in the registry. Mainly used for stores downloaded from the GPT.
' Such as the CurrentUserGroupPolicy or LocalMachineGroupPolicy stores.
Public Const CERT_REGISTRY_STORE_SERIALIZED_FLAG As Long = &H20000
' The following flags are for internal use. When set, the
' pvPara parameter passed to CertOpenStore is a pointer to the following
' data structure and not the HKEY. The above CERT_REGISTRY_STORE_REMOTE_FLAG
Public Const CERT_REGISTRY_STORE_CLIENT_GPT_FLAG As Long = &H80000000
Public Const CERT_REGISTRY_STORE_LM_GPT_FLAG As Long = &H01000000
' The following flag is for internal use. When set, the contexts are
' persisted into roaming files instead of the registry. Such as, the
' CurrentUser "My" store. When this flag is set, the following data structure
' is passed to CertOpenStore instead of HKEY.
Public Const CERT_REGISTRY_STORE_ROAMING_FLAG As Long = &H40000
' hKey may be NULL or non-NULL. When non-NULL, existing contexts are
' moved from the registry to roaming files.
' The following flag is for internal use. When set, the "My" DWORD value
' at HKLM\Software\Microsoft\Cryptography\IEDirtyFlags is set to 0x1
' whenever a certificate is added to the registry store.
Public Const CERT_REGISTRY_STORE_MY_IE_DIRTY_FLAG As Long = &H80000
' Registry path to the subkey containing the "My" DWORD value to be set
'+-------------------------------------------------------------------------
' Certificate File Store Flag Values for the providers:
' CERT_STORE_PROV_FILE
' CERT_STORE_PROV_FILENAME
' CERT_STORE_PROV_FILENAME_A
' CERT_STORE_PROV_FILENAME_W
' sz_CERT_STORE_PROV_FILENAME_W
'--------------------------------------------------------------------------
' Set this flag if any store changes are to be committed to the file.
' The changes are committed at CertCloseStore or by calling
'
' The open fails with E_INVALIDARG if both CERT_FILE_STORE_COMMIT_ENABLE_FLAG
' and CERT_STORE_READONLY_FLAG are set in dwFlags.
'
' For the FILENAME providers: if the file contains an X509 encoded
' certificate, the open fails with ERROR_ACCESS_DENIED.
'
' For the FILENAME providers: if CERT_STORE_CREATE_NEW_FLAG is set, the
' CreateFile uses CREATE_NEW. If CERT_STORE_OPEN_EXISTING is set, uses
' OPEN_EXISTING. Otherwise, defaults to OPEN_ALWAYS.
'
' For the FILENAME providers: the file is committed as either a PKCS7 or
' serialized store depending on the type read at open. However, if the
' file is empty then, if the filename has either a ".p7c" or ".spc"
' extension its committed as a PKCS7. Otherwise, its committed as a
' serialized store.
'
' For CERT_STORE_PROV_FILE, the file handle is duplicated. Its always
' committed as a serialized store.
'
Public Const CERT_FILE_STORE_COMMIT_ENABLE_FLAG As Long = &H10000
'+-------------------------------------------------------------------------
' Open the cert store using the specified store provider.
'
' If CERT_STORE_DELETE_FLAG is set, then, the store is deleted. NULL is
' for success and nonzero for failure.
'
' If CERT_STORE_SET_LOCALIZED_NAME_FLAG is set, then, if supported, the
' provider sets the store's CERT_STORE_LOCALIZED_NAME_PROP_ID property.
' The store's localized name can be retrieved by calling
' equivalent):
' CERT_STORE_PROV_FILENAME_A
' CERT_STORE_PROV_FILENAME_W
' CERT_STORE_PROV_SYSTEM_A
' CERT_STORE_PROV_SYSTEM_W
' CERT_STORE_PROV_SYSTEM_REGISTRY_A
' CERT_STORE_PROV_SYSTEM_REGISTRY_W
' CERT_STORE_PROV_PHYSICAL_W
'
' If CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG is set, then, the
' closing of the store's provider is deferred until all certificate,
' CRL and CTL contexts obtained from the store are freed. Also,
' if a non NULL HCRYPTPROV was passed, then, it will continue to be used.
' By default, the store's provider is closed on the final CertCloseStore.
' If this flag isn't set, then, any property changes made to previously
' duplicated contexts after the final CertCloseStore will not be persisted.
' By setting this flag, property changes made
' after the CertCloseStore will be persisted. Note, setting this flag
' causes extra overhead in doing context duplicates and frees.
' If CertCloseStore is called with CERT_CLOSE_STORE_FORCE_FLAG, then,
' the CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG flag is ignored.
'
' CERT_STORE_MANIFOLD_FLAG can be set to check for certificates having the
' manifold extension and archive the "older" certificates with the same
' manifold extension value. A certificate is archived by setting the
' CERT_ARCHIVED_PROP_ID.
'
' By default, contexts having the CERT_ARCHIVED_PROP_ID, are skipped
' during enumeration. CERT_STORE_ENUM_ARCHIVED_FLAG can be set to include
' archived contexts when enumerating. Note, contexts having the
' CERT_ARCHIVED_PROP_ID are still found for explicit finds, such as,
' finding a context with a specific hash or finding a certificate having
' a specific issuer and serial number.
'
' CERT_STORE_UPDATE_KEYID_FLAG can be set to also update the Key Identifier's
' CERT_KEY_PROV_INFO_PROP_ID property whenever a certificate's
' CERT_KEY_IDENTIFIER_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID property is set
' and the other property already exists. If the Key Identifier's
' CERT_KEY_PROV_INFO_PROP_ID already exists, it isn't updated. Any
' errors encountered are silently ignored.
'
' By default, this flag is implicitly set for the "My\.Default" CurrentUser
' and LocalMachine physical stores.
'
' CERT_STORE_READONLY_FLAG can be set to open the store as read only.
' Otherwise, the store is opened as read/write.
'
' CERT_STORE_OPEN_EXISTING_FLAG can be set to only open an existing
' store. CERT_STORE_CREATE_NEW_FLAG can be set to create a new store and
' fail if the store already exists. Otherwise, the default is to open
' an existing store or create a new store if it doesn't already exist.
'
' hCryptProv specifies the crypto provider to use to create the hash
' properties or verify the signature of a subject certificate or CRL.
' The store doesn't need to use a private
' key. If the CERT_STORE_NO_CRYPT_RELEASE_FLAG isn't set, hCryptProv is
' CryptReleaseContext'ed on the final CertCloseStore.
'
' Note, if the open fails, hCryptProv is released if it would have been
' released when the store was closed.
'
' If hCryptProv is zero, then, the default provider and container for the
' PROV_RSA_FULL provider type is CryptAcquireContext'ed with
' CRYPT_VERIFYCONTEXT access. The CryptAcquireContext is deferred until
' the first create hash or verify signature. In addition, once acquired,
' the default provider isn't released until process exit when crypt32.dll
' is unloaded. The acquired default provider is shared across all stores
' and threads.
'
' After initializing the store's data structures and optionally acquiring a
' default crypt provider, CertOpenStore calls CryptGetOIDFunctionAddress to
' get the address of the CRYPT_OID_OPEN_STORE_PROV_FUNC specified by
' lpszStoreProvider. Since a store can contain certificates with different
' encoding types, CryptGetOIDFunctionAddress is called with dwEncodingType
' set to 0 and not the dwEncodingType passed to CertOpenStore.
' PFN_CERT_DLL_OPEN_STORE_FUNC specifies the signature of the provider's
' open function. This provider open function is called to load the
' store's certificates and CRLs. Optionally, the provider may return an
' array of functions called before a certificate or CRL is added or deleted
' or has a property that is set.
'
' Use of the dwEncodingType parameter is provider dependent. The type
' definition for pvPara also depends on the provider.
'
' Store providers are installed or registered via
' CryptInstallOIDFunctionAddress or CryptRegisterOIDFunction, where,
' dwEncodingType is 0 and pszFuncName is CRYPT_OID_OPEN_STORE_PROV_FUNC.
'
'
' CERT_STORE_PROV_MSG:
' Gets the certificates and CRLs from the specified cryptographic message.
' dwEncodingType contains the message and certificate encoding types.
' The message's handle is passed in pvPara. Given,
'
' CERT_STORE_PROV_MEMORY
' sz_CERT_STORE_PROV_MEMORY:
' Opens a store without any initial certificates or CRLs. pvPara
' isn't used.
'
' CERT_STORE_PROV_FILE:
' Reads the certificates and CRLs from the specified file. The file's
' handle is passed in pvPara. Given,
'
' For a successful open, the file pointer is advanced past
' the certificates and CRLs and their properties read from the file.
' Note, only expects a serialized store and not a file containing
' either a PKCS #7 signed message or a single encoded certificate.
'
' The hFile isn't closed.
'
' CERT_STORE_PROV_REG:
' Reads the certificates and CRLs from the registry. The registry's
' key handle is passed in pvPara. Given,
'
' The input hKey isn't closed by the provider. Before returning, the
' provider opens it own copy of the hKey.
'
' If CERT_STORE_READONLY_FLAG is set, then, the registry subkeys are
' RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry subkeys
' are RegCreateKey'ed with KEY_ALL_ACCESS.
'
' This provider returns the array of functions for reading, writing,
' deleting and property setting certificates and CRLs.
' Any changes to the opened store are immediately pushed through to
' the registry. However, if CERT_STORE_READONLY_FLAG is set, then,
' writing, deleting or property setting results in a
'
' Note, all the certificates and CRLs are read from the registry
' when the store is opened. The opened store serves as a write through
' cache.
'
' If CERT_REGISTRY_STORE_SERIALIZED_FLAG is set, then, the
' contexts are persisted as a single serialized store subkey in the
' registry.
'
' CERT_STORE_PROV_PKCS7:
' sz_CERT_STORE_PROV_PKCS7:
' Gets the certificates and CRLs from the encoded PKCS #7 signed message.
' dwEncodingType specifies the message and certificate encoding types.
' The pointer to the encoded message's blob is passed in pvPara. Given,
'
' Note, also supports the IE3.0 special version of a
' PKCS #7 signed message referred to as a "SPC" formatted message.
'
' CERT_STORE_PROV_SERIALIZED:
' sz_CERT_STORE_PROV_SERIALIZED:
' Gets the certificates and CRLs from memory containing a serialized
' store. The pointer to the serialized memory blob is passed in pvPara.
' Given,
'
' CERT_STORE_PROV_FILENAME_A:
' CERT_STORE_PROV_FILENAME_W:
' CERT_STORE_PROV_FILENAME:
' sz_CERT_STORE_PROV_FILENAME_W:
' sz_CERT_STORE_PROV_FILENAME:
' Opens the file and first attempts to read as a serialized store. Then,
' as a PKCS #7 signed message. Finally, as a single encoded certificate.
' The filename is passed in pvPara. The filename is UNICODE for the
' "_W" provider and ASCII for the "_A" provider. For "_W": given,
' For "_A": given,
'
'
' Note, also supports the reading of the IE3.0 special version of a
' PKCS #7 signed message file referred to as a "SPC" formatted file.
'
' CERT_STORE_PROV_SYSTEM_A:
' CERT_STORE_PROV_SYSTEM_W:
' CERT_STORE_PROV_SYSTEM:
' sz_CERT_STORE_PROV_SYSTEM_W:
' sz_CERT_STORE_PROV_SYSTEM:
' Opens the specified logical "System" store. The upper word of the
' dwFlags parameter is used to specify the location of the system store.
'
' A "System" store is a collection consisting of one or more "Physical"
' stores. A "Physical" store is registered via the
' CertRegisterPhysicalStore API. Each of the registered physical stores
' is CertStoreOpen'ed and added to the collection via
' CertAddStoreToCollection.
'
' The CERT_SYSTEM_STORE_CURRENT_USER, CERT_SYSTEM_STORE_LOCAL_MACHINE,
' CERT_SYSTEM_STORE_CURRENT_SERVICE, CERT_SYSTEM_STORE_SERVICES,
' CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY,
' CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and
' CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRSE
' system stores by default have a "SystemRegistry" store that is
' opened and added to the collection.
'
' The system store name is passed in pvPara. The name is UNICODE for the
' "_W" provider and ASCII for the "_A" provider. For "_W": given,
' For "_A": given,
'
'
' The system store name can't contain any backslashes.
'
' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvPara
' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure instead
' of pointing to a null terminated UNICODE or ASCII string.
' Sibling physical stores are also opened as relocated using
' pvPara's hKeyBase.
'
' The CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS system
' store name must be prefixed with the ServiceName or UserName.
' For example, "ServiceName\Trust".
'
' Stores on remote computers can be accessed for the
' CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_SERVICES,
' CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
' or CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
' locations by prepending the computer name. For example, a remote
' local machine store is accessed via "\\ComputerName\Trust" or
' "ComputerName\Trust". A remote service store is accessed via
' "\\ComputerName\ServiceName\Trust". The leading "\\" backslashes are
' optional in the ComputerName.
'
' If CERT_STORE_READONLY_FLAG is set, then, the registry is
' RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry is
' RegCreateKey'ed with KEY_ALL_ACCESS.
'
' The "root" store is treated differently from the other system
' stores. Before a certificate is added to or deleted from the "root"
' store, a pop up message box is displayed. The certificate's subject,
' issuer, serial number, time validity, sha1 and md5 thumbprints are
' displayed. The user is given the option to do the add or delete.
' If they don't allow the operation, LastError is set to E_ACCESSDENIED.
'
' CERT_STORE_PROV_SYSTEM_REGISTRY_A
' CERT_STORE_PROV_SYSTEM_REGISTRY_W
' CERT_STORE_PROV_SYSTEM_REGISTRY
' sz_CERT_STORE_PROV_SYSTEM_REGISTRY_W
' sz_CERT_STORE_PROV_SYSTEM_REGISTRY
' Opens the "System" store's default "Physical" store residing in the
' registry. The upper word of the dwFlags
' parameter is used to specify the location of the system store.
'
' After opening the registry key associated with the system name,
' the CERT_STORE_PROV_REG provider is called to complete the open.
'
' The system store name is passed in pvPara. The name is UNICODE for the
' "_W" provider and ASCII for the "_A" provider. For "_W": given,
' For "_A": given,
'
'
' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvPara
' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure instead
' of pointing to a null terminated UNICODE or ASCII string.
'
' See above for details on prepending a ServiceName and/or ComputerName
' to the store name.
'
' If CERT_STORE_READONLY_FLAG is set, then, the registry is
' RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry is
' RegCreateKey'ed with KEY_ALL_ACCESS.
'
' The "root" store is treated differently from the other system
' stores. Before a certificate is added to or deleted from the "root"
' store, a pop up message box is displayed. The certificate's subject,
' issuer, serial number, time validity, sha1 and md5 thumbprints are
' displayed. The user is given the option to do the add or delete.
' If they don't allow the operation, LastError is set to E_ACCESSDENIED.
'
' CERT_STORE_PROV_PHYSICAL_W
' CERT_STORE_PROV_PHYSICAL
' sz_CERT_STORE_PROV_PHYSICAL_W
' sz_CERT_STORE_PROV_PHYSICAL
' Opens the specified "Physical" store in the "System" store.
'
' Both the system store and physical names are passed in pvPara. The
' names are separated with an intervening "\". For example,
' "Root\.Default". The string is UNICODE.
'
' The system and physical store names can't contain any backslashes.
'
' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvPara
' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure instead
' of pointing to a null terminated UNICODE string.
' The specified physical store is opened as relocated using pvPara's
' hKeyBase.
'
' For CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS,
' the system and physical store names
' must be prefixed with the ServiceName or UserName. For example,
' "ServiceName\Root\.Default".
'
' Physical stores on remote computers can be accessed for the
' CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_SERVICES,
' CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
' or CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
' locations by prepending the computer name. For example, a remote
' local machine store is accessed via "\\ComputerName\Root\.Default"
' or "ComputerName\Root\.Default". A remote service store is
' accessed via "\\ComputerName\ServiceName\Root\.Default". The
' leading "\\" backslashes are optional in the ComputerName.
'
' CERT_STORE_PROV_COLLECTION
' sz_CERT_STORE_PROV_COLLECTION
' Opens a store that is a collection of other stores. Stores are
' added or removed to/from the collection via the CertAddStoreToCollection
' and CertRemoveStoreFromCollection APIs.
'
' CERT_STORE_PROV_SMART_CARD_W
' CERT_STORE_PROV_SMART_CARD
' sz_CERT_STORE_PROV_SMART_CARD_W
' sz_CERT_STORE_PROV_SMART_CARD
' Opens a store instantiated over a particular smart card storage. pvPara
' identifies where on the card the store is located and is of the
' following format:
'
' Card Name\Provider Name\Provider Type[\Container Name]
'
' Container Name is optional and if NOT specified the Card Name is used
' as the Container Name. Future versions of the provider will support
' instantiating the store over the entire card in which case just
'
' cryptnet.dll):
'
' CERT_STORE_PROV_LDAP_W
' CERT_STORE_PROV_LDAP
' sz_CERT_STORE_PROV_LDAP_W
' sz_CERT_STORE_PROV_LDAP
' Opens a store over the results of the query specified by and LDAP
' URL which is passed in via pvPara. In order to do writes to the
' store the URL must specify a BASE query, no filter and a single
' attribute.
'
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' OID Installable Certificate Store Provider Data Structures
'--------------------------------------------------------------------------
' Handle returned by the store provider when opened.
' Store Provider OID function's pszFuncName.
Public Const CRYPT_OID_OPEN_STORE_PROV_FUNC As String = "CertDllOpenStoreProv"
' Note, the Store Provider OID function's dwEncodingType is always 0.
' The following information is returned by the provider when opened. Its
' zeroed with cbSize set before the provider is called. If the provider
' doesn't need to be called again after the open it doesn't need to
' make any updates to the CERT_STORE_PROV_INFO.
' Definition of the store provider's open function.
'
' *pStoreProvInfo has been zeroed before the call.
'
' Note, pStoreProvInfo->cStoreProvFunc should be set last. Once set,
' all subsequent store calls, such as CertAddSerializedElementToStore will
' call the appropriate provider callback function.
' The open callback sets the following flag, if it maintains its
' contexts externally and not in the cached store.
Public Const CERT_STORE_PROV_EXTERNAL_FLAG As Long = &H1
' The open callback sets the following flag for a successful delete.
' When set, the close callback isn't called.
Public Const CERT_STORE_PROV_DELETED_FLAG As Long = &H2
' The open callback sets the following flag if it doesn't persist store
' changes.
Public Const CERT_STORE_PROV_NO_PERSIST_FLAG As Long = &H4
' The open callback sets the following flag if the contexts are persisted
' to a system store.
Public Const CERT_STORE_PROV_SYSTEM_STORE_FLAG As Long = &H8
' Indices into the store provider's array of callback functions.
'
' The provider can implement any subset of the following functions. It
' sets pStoreProvInfo->cStoreProvFunc to the last index + 1 and any
' preceding not implemented functions to NULL.
Public Const CERT_STORE_PROV_CLOSE_FUNC As Long = 0
Public Const CERT_STORE_PROV_READ_CERT_FUNC As Long = 1
Public Const CERT_STORE_PROV_WRITE_CERT_FUNC As Long = 2
Public Const CERT_STORE_PROV_DELETE_CERT_FUNC As Long = 3
Public Const CERT_STORE_PROV_SET_CERT_PROPERTY_FUNC As Long = 4
Public Const CERT_STORE_PROV_READ_CRL_FUNC As Long = 5
Public Const CERT_STORE_PROV_WRITE_CRL_FUNC As Long = 6
Public Const CERT_STORE_PROV_DELETE_CRL_FUNC As Long = 7
Public Const CERT_STORE_PROV_SET_CRL_PROPERTY_FUNC As Long = 8
Public Const CERT_STORE_PROV_READ_CTL_FUNC As Long = 9
Public Const CERT_STORE_PROV_WRITE_CTL_FUNC As Long = 10
Public Const CERT_STORE_PROV_DELETE_CTL_FUNC As Long = 11
Public Const CERT_STORE_PROV_SET_CTL_PROPERTY_FUNC As Long = 12
Public Const CERT_STORE_PROV_CONTROL_FUNC As Long = 13
Public Const CERT_STORE_PROV_FIND_CERT_FUNC As Long = 14
Public Const CERT_STORE_PROV_FREE_FIND_CERT_FUNC As Long = 15
Public Const CERT_STORE_PROV_GET_CERT_PROPERTY_FUNC As Long = 16
Public Const CERT_STORE_PROV_FIND_CRL_FUNC As Long = 17
Public Const CERT_STORE_PROV_FREE_FIND_CRL_FUNC As Long = 18
Public Const CERT_STORE_PROV_GET_CRL_PROPERTY_FUNC As Long = 19
Public Const CERT_STORE_PROV_FIND_CTL_FUNC As Long = 20
Public Const CERT_STORE_PROV_FREE_FIND_CTL_FUNC As Long = 21
Public Const CERT_STORE_PROV_GET_CTL_PROPERTY_FUNC As Long = 22
' Called by CertCloseStore when the store's reference count is
' decremented to 0.
' Currently not called directly by the store APIs. However, may be exported
' to support other providers based on it.
'
' Reads the provider's copy of the certificate context. If it exists,
' creates a new certificate context.
Public Const CERT_STORE_PROV_WRITE_ADD_FLAG As Long = &H1
' Called by CertAddEncodedCertificateToStore,
' CertAddCertificateContextToStore or CertAddSerializedElementToStore before
' adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
' addition to the encoded certificate, the added pCertContext might also
' have properties.
'
' Returns TRUE if its OK to update the the store.
' Called by CertDeleteCertificateFromStore before deleting from the
' store.
'
' Returns TRUE if its OK to delete from the store.
' Called by CertSetCertificateContextProperty before setting the
' certificate's property. Also called by CertGetCertificateContextProperty,
' when getting a hash property that needs to be created and then persisted
' via the set.
'
' Upon input, the property hasn't been set for the pCertContext parameter.
'
' Returns TRUE if its OK to set the property.
' Currently not called directly by the store APIs. However, may be exported
' to support other providers based on it.
'
' Reads the provider's copy of the CRL context. If it exists,
' creates a new CRL context.
' Called by CertAddEncodedCRLToStore,
' CertAddCRLContextToStore or CertAddSerializedElementToStore before
' adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
' addition to the encoded CRL, the added pCertContext might also
' have properties.
'
' Returns TRUE if its OK to update the the store.
' Called by CertDeleteCRLFromStore before deleting from the store.
'
' Returns TRUE if its OK to delete from the store.
' Called by CertSetCRLContextProperty before setting the
' CRL's property. Also called by CertGetCRLContextProperty,
' when getting a hash property that needs to be created and then persisted
' via the set.
'
' Upon input, the property hasn't been set for the pCrlContext parameter.
'
' Returns TRUE if its OK to set the property.
' Currently not called directly by the store APIs. However, may be exported
' to support other providers based on it.
'
' Reads the provider's copy of the CTL context. If it exists,
' creates a new CTL context.
' Called by CertAddEncodedCTLToStore,
' CertAddCTLContextToStore or CertAddSerializedElementToStore before
' adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
' addition to the encoded CTL, the added pCertContext might also
' have properties.
'
' Returns TRUE if its OK to update the the store.
' Called by CertDeleteCTLFromStore before deleting from the store.
'
' Returns TRUE if its OK to delete from the store.
' Called by CertSetCTLContextProperty before setting the
' CTL's property. Also called by CertGetCTLContextProperty,
' when getting a hash property that needs to be created and then persisted
' via the set.
'
' Upon input, the property hasn't been set for the pCtlContext parameter.
'
' Returns TRUE if its OK to set the property.
'+-------------------------------------------------------------------------
' Duplicate a cert store handle
'--------------------------------------------------------------------------
Public Const CERT_STORE_SAVE_AS_STORE As Long = 1
Public Const CERT_STORE_SAVE_AS_PKCS7 As Long = 2
Public Const CERT_STORE_SAVE_TO_FILE As Long = 1
Public Const CERT_STORE_SAVE_TO_MEMORY As Long = 2
Public Const CERT_STORE_SAVE_TO_FILENAME_A As Long = 3
Public Const CERT_STORE_SAVE_TO_FILENAME_W As Long = 4
'+-------------------------------------------------------------------------
' Save the cert store. Extended version with lots of options.
'
' According to the dwSaveAs parameter, the store can be saved as a
' addition to encoded certificates, CRLs and CTLs or the store can be saved
' include the properties or CTLs.
'
' CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't saved into
' a serialized store.
'
' For CERT_STORE_SAVE_AS_PKCS7, the dwEncodingType specifies the message
' encoding type. The dwEncodingType parameter isn't used for
' CERT_STORE_SAVE_AS_STORE.
'
' The dwFlags parameter currently isn't used and should be set to 0.
'
' The dwSaveTo and pvSaveToPara parameters specify where to save the
' store as follows:
' CERT_STORE_SAVE_TO_FILE:
' Saves to the specified file. The file's handle is passed in
' pvSaveToPara. Given,
'
' For a successful save, the file pointer is positioned after the
' last write.
'
' CERT_STORE_SAVE_TO_MEMORY:
' Saves to the specified memory blob. The pointer to
' the memory blob is passed in pvSaveToPara. Given,
' Upon entry, the SaveBlob's pbData and cbData need to be initialized.
' Upon return, cbData is updated with the actual length.
' For a length only calculation, pbData should be set to NULL. If
' pbData is non-NULL and cbData isn't large enough, FALSE is returned
' with a last error of ERRROR_MORE_DATA.
'
' CERT_STORE_SAVE_TO_FILENAME_A:
' CERT_STORE_SAVE_TO_FILENAME_W:
' CERT_STORE_SAVE_TO_FILENAME:
' Opens the file and saves to it. The filename is passed in pvSaveToPara.
' The filename is UNICODE for the "_W" option and ASCII for the "_A"
' option. For "_W": given,
' For "_A": given,
'
'
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate Store close flags
'--------------------------------------------------------------------------
Public Const CERT_CLOSE_STORE_FORCE_FLAG As Long = &H00000001
Public Const CERT_CLOSE_STORE_CHECK_FLAG As Long = &H00000002
'+-------------------------------------------------------------------------
' Close a cert store handle.
'
' There needs to be a corresponding close for each open and duplicate.
'
' Even on the final close, the cert store isn't freed until all of its
' certificate and CRL contexts have also been freed.
'
' On the final close, the hCryptProv passed to CertStoreOpen is
' CryptReleaseContext'ed.
'
' To force the closure of the store with all of its memory freed, set the
' CERT_STORE_CLOSE_FORCE_FLAG. This flag should be set when the caller does
' its own reference counting and wants everything to vanish.
'
' To check if all the store's certificates and CRLs have been freed and that
' this is the last CertCloseStore, set the CERT_CLOSE_STORE_CHECK_FLAG. If
' set and certs, CRLs or stores still need to be freed/closed, FALSE is
' returned with LastError set to CRYPT_E_PENDING_CLOSE. Note, for FALSE,
' the store is still closed. This is a diagnostic flag.
'
' LastError is preserved unless CERT_CLOSE_STORE_CHECK_FLAG is set and FALSE
' is returned.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Get the subject certificate context uniquely identified by its Issuer and
' SerialNumber from the store.
'
' If the certificate isn't found, NULL is returned. Otherwise, a pointer to
' a read only CERT_CONTEXT is returned. CERT_CONTEXT must be freed by calling
' CertFreeCertificateContext. CertDuplicateCertificateContext can be called to make a
' duplicate.
'
' The returned certificate might not be valid. Normally, it would be
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Enumerate the certificate contexts in the store.
'
' If a certificate isn't found, NULL is returned.
' Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
' must be freed by calling CertFreeCertificateContext or is freed when passed as the
' pPrevCertContext on a subsequent call. CertDuplicateCertificateContext
' can be called to make a duplicate.
'
' pPrevCertContext MUST BE NULL to enumerate the first
' certificate in the store. Successive certificates are enumerated by setting
' pPrevCertContext to the CERT_CONTEXT returned by a previous call.
'
' NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by
' this function, even for an error.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Find the first or next certificate context in the store.
'
' The certificate is found according to the dwFindType and its pvFindPara.
' See below for a list of the find types and its parameters.
'
' Currently dwFindFlags is only used for CERT_FIND_SUBJECT_ATTR,
' CERT_FIND_ISSUER_ATTR or CERT_FIND_CTL_USAGE. Otherwise, must be set to 0.
'
' Usage of dwCertEncodingType depends on the dwFindType.
'
' If the first or next certificate isn't found, NULL is returned.
' Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
' must be freed by calling CertFreeCertificateContext or is freed when passed as the
' pPrevCertContext on a subsequent call. CertDuplicateCertificateContext
' can be called to make a duplicate.
'
' pPrevCertContext MUST BE NULL on the first
' call to find the certificate. To find the next certificate, the
' pPrevCertContext is set to the CERT_CONTEXT returned by a previous call.
'
' NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by
' this function, even for an error.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate comparison functions
'--------------------------------------------------------------------------
Public Const CERT_COMPARE_MASK As Long = &HFFFF
Public Const CERT_COMPARE_SHIFT As Long = 16
Public Const CERT_COMPARE_ANY As Long = 0
Public Const CERT_COMPARE_SHA1_HASH As Long = 1
Public Const CERT_COMPARE_NAME As Long = 2
Public Const CERT_COMPARE_ATTR As Long = 3
Public Const CERT_COMPARE_MD5_HASH As Long = 4
Public Const CERT_COMPARE_PROPERTY As Long = 5
Public Const CERT_COMPARE_PUBLIC_KEY As Long = 6
Public Const CERT_COMPARE_NAME_STR_A As Long = 7
Public Const CERT_COMPARE_NAME_STR_W As Long = 8
Public Const CERT_COMPARE_KEY_SPEC As Long = 9
Public Const CERT_COMPARE_ENHKEY_USAGE As Long = 10
Public Const CERT_COMPARE_SUBJECT_CERT As Long = 11
Public Const CERT_COMPARE_ISSUER_OF As Long = 12
Public Const CERT_COMPARE_EXISTING As Long = 13
Public Const CERT_COMPARE_SIGNATURE_HASH As Long = 14
Public Const CERT_COMPARE_KEY_IDENTIFIER As Long = 15
Public Const CERT_COMPARE_CERT_ID As Long = 16
Public Const CERT_COMPARE_CROSS_CERT_DIST_POINTS As Long = 17
Public Const CERT_COMPARE_PUBKEY_MD5_HASH As Long = 18
'+-------------------------------------------------------------------------
' dwFindType
'
' The dwFindType definition consists of two components:
' - comparison function
' - certificate information flag
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_FIND_ANY
'
' Find any certificate.
'
' pvFindPara isn't used.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_FIND_HASH
'
' Find a certificate with the specified hash.
'
' pvFindPara points to a CRYPT_HASH_BLOB.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_FIND_KEY_IDENTIFIER
'
' Find a certificate with the specified KeyIdentifier. Gets the
' CERT_KEY_IDENTIFIER_PROP_ID property and compares with the input
' CRYPT_HASH_BLOB.
'
' pvFindPara points to a CRYPT_HASH_BLOB.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_FIND_PROPERTY
'
' Find a certificate having the specified property.
'
' pvFindPara points to a DWORD containing the PROP_ID
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_FIND_PUBLIC_KEY
'
' Find a certificate matching the specified public key.
'
' pvFindPara points to a CERT_PUBLIC_KEY_INFO containing the public key
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_FIND_SUBJECT_NAME
' CERT_FIND_ISSUER_NAME
'
' Find a certificate with the specified subject/issuer name. Does an exact
' match of the entire name.
'
' Restricts search to certificates matching the dwCertEncodingType.
'
' pvFindPara points to a CERT_NAME_BLOB.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_FIND_SUBJECT_ATTR
' CERT_FIND_ISSUER_ATTR
'
' Find a certificate with the specified subject/issuer attributes.
'
' Compares the attributes in the subject/issuer name with the
' pvFindPara. The comparison iterates through the CERT_RDN attributes and looks
' for an attribute match in any of the subject/issuer's RDNs.
'
' The CERT_RDN_ATTR fields can have the following special values:
' pszObjId == NULL - ignore the attribute object identifier
' dwValueType == RDN_ANY_TYPE - ignore the value type
' Value.pbData == NULL - match any value
'
' CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG should be set in dwFindFlags to do
' a case insensitive match. Otherwise, defaults to an exact, case sensitive
' match.
'
' CERT_UNICODE_IS_RDN_ATTRS_FLAG should be set in dwFindFlags if the RDN was
' initialized with unicode strings as for
'
' Restricts search to certificates matching the dwCertEncodingType.
'
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_FIND_SUBJECT_STR_A
' CERT_FIND_SUBJECT_STR_W | CERT_FIND_SUBJECT_STR
' CERT_FIND_ISSUER_STR_A
' CERT_FIND_ISSUER_STR_W | CERT_FIND_ISSUER_STR
'
' Find a certificate containing the specified subject/issuer name string.
'
' First, the certificate's subject/issuer is converted to a name string
' case insensitive substring within string match is performed.
'
' Restricts search to certificates matching the dwCertEncodingType.
'
' For *_STR_A, pvFindPara points to a null terminated character string.
' For *_STR_W, pvFindPara points to a null terminated wide character string.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_FIND_KEY_SPEC
'
' Find a certificate having a CERT_KEY_SPEC_PROP_ID property matching
' the specified KeySpec.
'
' pvFindPara points to a DWORD containing the KeySpec.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_FIND_ENHKEY_USAGE
'
' Find a certificate having the szOID_ENHANCED_KEY_USAGE extension or
' the CERT_ENHKEY_USAGE_PROP_ID and matching the specified pszUsageIdentifers.
'
' pvFindPara points to a CERT_ENHKEY_USAGE data structure. If pvFindPara
' is NULL or CERT_ENHKEY_USAGE's cUsageIdentifier is 0, then, matches any
' certificate having enhanced key usage.
'
' If the CERT_FIND_VALID_ENHKEY_USAGE_FLAG is set, then, only does a match
' for certificates that are valid for the specified usages. By default,
' the ceriticate must be valid for all usages. CERT_FIND_OR_ENHKEY_USAGE_FLAG
' can be set, if the certificate only needs to be valid for one of the
' certificate's list of valid usages. Only the CERT_FIND_OR_ENHKEY_USAGE_FLAG
' is applicable when this flag is set.
'
' The CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG can be set in dwFindFlags to
' also match a certificate without either the extension or property.
'
' If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set in dwFindFlags, finds
' certificates without the key usage extension or property. Setting this
' flag takes precedence over pvFindPara being NULL.
'
' If the CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, then, only does a match
' using the extension. If pvFindPara is NULL or cUsageIdentifier is set to
' 0, finds certificates having the extension. If
' CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set, also matches a certificate
' without the extension. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set, finds
' certificates without the extension.
'
' If the CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG is set, then, only does a match
' using the property. If pvFindPara is NULL or cUsageIdentifier is set to
' 0, finds certificates having the property. If
' CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set, also matches a certificate
' without the property. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set, finds
' certificates without the property.
'
' If CERT_FIND_OR_ENHKEY_USAGE_FLAG is set, does an "OR" match of any of
' the specified pszUsageIdentifiers. If not set, then, does an "AND" match
' of all of the specified pszUsageIdentifiers.
'--------------------------------------------------------------------------
Public Const CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG As Long = &H1
Public Const CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG As Long = &H2
Public Const CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG As Long = &H4
Public Const CERT_FIND_NO_ENHKEY_USAGE_FLAG As Long = &H8
Public Const CERT_FIND_OR_ENHKEY_USAGE_FLAG As Long = &H10
Public Const CERT_FIND_VALID_ENHKEY_USAGE_FLAG As Long = &H20
'+-------------------------------------------------------------------------
' CERT_FIND_CERT_ID
'
' Find a certificate with the specified CERT_ID.
'
' pvFindPara points to a CERT_ID.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_FIND_CROSS_CERT_DIST_POINTS
'
' Find a certificate having either a cross certificate distribution
' point extension or property.
'
' pvFindPara isn't used.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Get the certificate context from the store for the first or next issuer
' of the specified subject certificate. Perform the enabled
' using the returned issuer certificate.)
'
' If the first or next issuer certificate isn't found, NULL is returned.
' Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
' must be freed by calling CertFreeCertificateContext or is freed when passed as the
' pPrevIssuerContext on a subsequent call. CertDuplicateCertificateContext
' can be called to make a duplicate.
'
' For a self signed subject certificate, NULL is returned with LastError set
' to CERT_STORE_SELF_SIGNED. The enabled verification checks are still done.
'
' The pSubjectContext may have been obtained from this store, another store
' or created by the caller application. When created by the caller, the
' CertCreateCertificateContext function must have been called.
'
' An issuer may have multiple certificates. This may occur when the validity
' period is about to change. pPrevIssuerContext MUST BE NULL on the first
' call to get the issuer. To get the next certificate for the issuer, the
' pPrevIssuerContext is set to the CERT_CONTEXT returned by a previous call.
'
' NOTE: a NON-NULL pPrevIssuerContext is always CertFreeCertificateContext'ed by
' this function, even for an error.
'
' The following flags can be set in *pdwFlags to enable verification checks
' on the subject certificate context:
' CERT_STORE_SIGNATURE_FLAG - use the public key in the returned
' issuer certificate to verify the
' signature on the subject certificate.
' Note, if pSubjectContext->hCertStore ==
' hCertStore, the store provider might
' be able to eliminate a redo of
' the signature verify.
' CERT_STORE_TIME_VALIDITY_FLAG - get the current time and verify that
' its within the subject certificate's
' validity period
' CERT_STORE_REVOCATION_FLAG - check if the subject certificate is on
' the issuer's revocation list
'
' If an enabled verification check fails, then, its flag is set upon return.
' If CERT_STORE_REVOCATION_FLAG was enabled and the issuer doesn't have a
' CRL in the store, then, CERT_STORE_NO_CRL_FLAG is set in addition to
' the CERT_STORE_REVOCATION_FLAG.
'
' If CERT_STORE_SIGNATURE_FLAG or CERT_STORE_REVOCATION_FLAG is set, then,
' CERT_STORE_NO_ISSUER_FLAG is set if it doesn't have an issuer certificate
' in the store.
'
' For a verification check failure, a pointer to the issuer's CERT_CONTEXT
' is still returned and SetLastError isn't updated.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Perform the enabled verification checks on the subject certificate
' using the issuer. Same checks and flags definitions as for the above
' CertGetIssuerCertificateFromStore.
'
' If you are only checking CERT_STORE_TIME_VALIDITY_FLAG, then, the
' issuer can be NULL.
'
' For a verification check failure, SUCCESS is still returned.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Duplicate a certificate context
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Create a certificate context from the encoded certificate. The created
' context isn't put in a store.
'
' Makes a copy of the encoded certificate in the created context.
'
' If unable to decode and create the certificate context, NULL is returned.
' Otherwise, a pointer to a read only CERT_CONTEXT is returned.
' CERT_CONTEXT must be freed by calling CertFreeCertificateContext.
' CertDuplicateCertificateContext can be called to make a duplicate.
'
' CertSetCertificateContextProperty and CertGetCertificateContextProperty can be called
' to store properties for the certificate.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Free a certificate context
'
' There needs to be a corresponding free for each context obtained by a
' get, find, duplicate or create.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Set the property for the specified certificate context.
'
' The type definition for pvData depends on the dwPropId value. There are
' five predefined types:
' CERT_KEY_PROV_HANDLE_PROP_ID - a HCRYPTPROV for the certificate's
' private key is passed in pvData. Updates the hCryptProv field
' of the CERT_KEY_CONTEXT_PROP_ID. If the CERT_KEY_CONTEXT_PROP_ID
' doesn't exist, its created with all the other fields zeroed out. If
' CERT_STORE_NO_CRYPT_RELEASE_FLAG isn't set, HCRYPTPROV is implicitly
' released when either the property is set to NULL or on the final
' free of the CertContext.
'
' CERT_KEY_PROV_INFO_PROP_ID - a PCRYPT_KEY_PROV_INFO for the certificate's
' private key is passed in pvData.
'
' CERT_SHA1_HASH_PROP_ID -
' CERT_MD5_HASH_PROP_ID -
' CERT_SIGNATURE_HASH_PROP_ID - normally, a hash property is implicitly
' set by doing a CertGetCertificateContextProperty. pvData points to a
' CRYPT_HASH_BLOB.
'
' CERT_KEY_CONTEXT_PROP_ID - a PCERT_KEY_CONTEXT for the certificate's
' private key is passed in pvData. The CERT_KEY_CONTEXT contains both the
' hCryptProv and dwKeySpec for the private key.
' See the CERT_KEY_PROV_HANDLE_PROP_ID for more information about
' the hCryptProv field and dwFlags settings. Note, more fields may
' be added for this property. The cbSize field value will be adjusted
' accordingly.
'
' CERT_KEY_SPEC_PROP_ID - the dwKeySpec for the private key. pvData
' points to a DWORD containing the KeySpec
'
' CERT_ENHKEY_USAGE_PROP_ID - enhanced key usage definition for the
' certificate. pvData points to a CRYPT_DATA_BLOB containing an
'
' CERT_NEXT_UPDATE_LOCATION_PROP_ID - location of the next update.
' Currently only applicable to CTLs. pvData points to a CRYPT_DATA_BLOB
'
' CERT_FRIENDLY_NAME_PROP_ID - friendly name for the cert, CRL or CTL.
' pvData points to a CRYPT_DATA_BLOB. pbData is a pointer to a NULL
' terminated unicode, wide character string.
'
' CERT_DESCRIPTION_PROP_ID - description for the cert, CRL or CTL.
' pvData points to a CRYPT_DATA_BLOB. pbData is a pointer to a NULL
' terminated unicode, wide character string.
'
' CERT_ARCHIVED_PROP_ID - when this property is set, the certificate
' is skipped during enumeration. Note, certificates having this property
' are still found for explicit finds, such as, finding a certificate
' with a specific hash or finding a certificate having a specific issuer
' and serial number. pvData points to a CRYPT_DATA_BLOB. This blob
'
' CERT_PUBKEY_ALG_PARA_PROP_ID - for public keys supporting
' algorithm parameter inheritance. pvData points to a CRYPT_OBJID_BLOB
' containing the ASN.1 encoded PublicKey Algorithm Parameters. For
' DSS this would be the parameters encoded via
'
' CERT_CROSS_CERT_DIST_POINTS_PROP_ID - location of the cross certs.
' Currently only applicable to certs. pvData points to a CRYPT_DATA_BLOB
'
' CERT_ENROLLMENT_PROP_ID - enrollment information of the pending request.
' It contains RequestID, CADNSName, CAName, and FriendlyName.
' The data format is defined as, the first 4 bytes - pending request ID,
' next 4 bytes - CADNSName size in characters including null-terminator
' followed by CADNSName string with null-terminator,
' next 4 bytes - CAName size in characters including null-terminator
' followed by CAName string with null-terminator,
' next 4 bytes - FriendlyName size in characters including null-terminator
' followed by FriendlyName string with null-terminator.
'
' For all the other PROP_IDs: an encoded PCRYPT_DATA_BLOB is passed in pvData.
'
' If the property already exists, then, the old value is deleted and silently
' replaced. Setting, pvData to NULL, deletes the property.
'
' CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG can be set to ignore any
' provider write errors and always update the cached context's property.
'--------------------------------------------------------------------------
' Set this flag to ignore any store provider write errors and always update
' the cached context's property
Public Const CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG As Long = &H80000000
'+-------------------------------------------------------------------------
' Get the property for the specified certificate context.
'
' For CERT_KEY_PROV_HANDLE_PROP_ID, pvData points to a HCRYPTPROV.
'
' For CERT_KEY_PROV_INFO_PROP_ID, pvData points to a CRYPT_KEY_PROV_INFO structure.
' Elements pointed to by fields in the pvData structure follow the
' structure. Therefore, *pcbData may exceed the size of the structure.
'
' For CERT_KEY_CONTEXT_PROP_ID, pvData points to a CERT_KEY_CONTEXT structure.
'
' For CERT_KEY_SPEC_PROP_ID, pvData points to a DWORD containing the KeySpec.
' If the CERT_KEY_CONTEXT_PROP_ID exists, the KeySpec is obtained from there.
' Otherwise, if the CERT_KEY_PROV_INFO_PROP_ID exists, its the source
' of the KeySpec.
'
' For CERT_SHA1_HASH_PROP_ID or CERT_MD5_HASH_PROP_ID, if the hash
' and then set. pvData points to the computed hash. Normally, the length
' is 20 bytes for SHA and 16 for MD5.
'
' For CERT_SIGNATURE_HASH_PROP_ID, if the hash
' and then set. pvData points to the computed hash. Normally, the length
' is 20 bytes for SHA and 16 for MD5.
'
' For CERT_ACCESS_STATE_PROP_ID, pvData points to a DWORD containing the
' access state flags. The appropriate CERT_ACCESS_STATE_*_FLAG's are set
' in the returned DWORD. See the CERT_ACCESS_STATE_*_FLAG definitions
' above. Note, this property is read only. It can't be set.
'
' For CERT_KEY_IDENTIFIER_PROP_ID, if property doesn't already exist,
' first searches for the szOID_SUBJECT_KEY_IDENTIFIER extension. Next,
' does SHA1 hash of the certficate's SubjectPublicKeyInfo. pvData
' points to the key identifier bytes. Normally, the length is 20 bytes.
'
' For CERT_PUBKEY_ALG_PARA_PROP_ID, pvPara points to the ASN.1 encoded
' PublicKey Algorithm Parameters. This property will only be set
' for public keys supporting algorithm parameter inheritance and when the
' parameters have been omitted from the encoded and signed certificate.
'
' For all other PROP_IDs, pvData points to an encoded array of bytes.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Enumerate the properties for the specified certificate context.
'
' To get the first property, set dwPropId to 0. The ID of the first
' property is returned. To get the next property, set dwPropId to the
' ID returned by the last call. To enumerate all the properties continue
' until 0 is returned.
'
' CertGetCertificateContextProperty is called to get the property's data.
'
' Note, since, the CERT_KEY_PROV_HANDLE_PROP_ID and CERT_KEY_SPEC_PROP_ID
' properties are stored as fields in the CERT_KEY_CONTEXT_PROP_ID
' property, they aren't enumerated individually.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Get the first or next CRL context from the store for the specified
' issuer certificate. Perform the enabled verification checks on the CRL.
'
' If the first or next CRL isn't found, NULL is returned.
' Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
' must be freed by calling CertFreeCRLContext. However, the free must be
' pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
' can be called to make a duplicate.
'
' The pIssuerContext may have been obtained from this store, another store
' or created by the caller application. When created by the caller, the
' CertCreateCertificateContext function must have been called.
'
' If pIssuerContext == NULL, finds all the CRLs in the store.
'
' An issuer may have multiple CRLs. For example, it generates delta CRLs
' using a X.509 v3 extension. pPrevCrlContext MUST BE NULL on the first
' call to get the CRL. To get the next CRL for the issuer, the
' pPrevCrlContext is set to the CRL_CONTEXT returned by a previous call.
'
' NOTE: a NON-NULL pPrevCrlContext is always CertFreeCRLContext'ed by
' this function, even for an error.
'
' The following flags can be set in *pdwFlags to enable verification checks
' on the returned CRL:
' CERT_STORE_SIGNATURE_FLAG - use the public key in the
' issuer's certificate to verify the
' signature on the returned CRL.
' Note, if pIssuerContext->hCertStore ==
' hCertStore, the store provider might
' be able to eliminate a redo of
' the signature verify.
' CERT_STORE_TIME_VALIDITY_FLAG - get the current time and verify that
' its within the CRL's ThisUpdate and
' NextUpdate validity period.
' CERT_STORE_BASE_CRL_FLAG - get base CRL.
' CERT_STORE_DELTA_CRL_FLAG - get delta CRL.
'
' If only one of CERT_STORE_BASE_CRL_FLAG or CERT_STORE_DELTA_CRL_FLAG is
' set, then, only returns either a base or delta CRL. In any case, the
' appropriate base or delta flag will be cleared upon returned. If both
' flags are set, then, only one of flags will be cleared.
'
' If an enabled verification check fails, then, its flag is set upon return.
'
' If pIssuerContext == NULL, then, an enabled CERT_STORE_SIGNATURE_FLAG
' always fails and the CERT_STORE_NO_ISSUER_FLAG is also set.
'
' For a verification check failure, a pointer to the first or next
' CRL_CONTEXT is still returned and SetLastError isn't updated.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Enumerate the CRL contexts in the store.
'
' If a CRL isn't found, NULL is returned.
' Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
' must be freed by calling CertFreeCRLContext or is freed when passed as the
' pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
' can be called to make a duplicate.
'
' pPrevCrlContext MUST BE NULL to enumerate the first
' CRL in the store. Successive CRLs are enumerated by setting
' pPrevCrlContext to the CRL_CONTEXT returned by a previous call.
'
' NOTE: a NON-NULL pPrevCrlContext is always CertFreeCRLContext'ed by
' this function, even for an error.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Find the first or next CRL context in the store.
'
' The CRL is found according to the dwFindType and its pvFindPara.
' See below for a list of the find types and its parameters.
'
' Currently dwFindFlags isn't used and must be set to 0.
'
' Usage of dwCertEncodingType depends on the dwFindType.
'
' If the first or next CRL isn't found, NULL is returned.
' Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
' must be freed by calling CertFreeCRLContext or is freed when passed as the
' pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
' can be called to make a duplicate.
'
' pPrevCrlContext MUST BE NULL on the first
' call to find the CRL. To find the next CRL, the
' pPrevCrlContext is set to the CRL_CONTEXT returned by a previous call.
'
' NOTE: a NON-NULL pPrevCrlContext is always CertFreeCRLContext'ed by
' this function, even for an error.
'--------------------------------------------------------------------------
Public Const CRL_FIND_ANY As Long = 0
Public Const CRL_FIND_ISSUED_BY As Long = 1
Public Const CRL_FIND_EXISTING As Long = 2
'+-------------------------------------------------------------------------
' CRL_FIND_ANY
'
' Find any CRL.
'
' pvFindPara isn't used.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CRL_FIND_ISSUED_BY
'
' Find CRL matching the specified issuer.
'
' pvFindPara is the PCCERT_CONTEXT of the CRL issuer.
'
' By default, only does issuer name matching. The following flags can be
' set in dwFindFlags to do additional filtering.
'
' If CRL_FIND_ISSUED_BY_AKI_FLAG is set in dwFindFlags, then, checks if the
' AKI, then, only returns a CRL whose AKI matches the issuer.
'
' Note, the AKI extension has the following OID:
' szOID_AUTHORITY_KEY_IDENTIFIER2 and its corresponding data structure.
'
' If CRL_FIND_ISSUED_BY_SIGNATURE_FLAG is set in dwFindFlags, then,
' uses the public key in the issuer's certificate to verify the
' signature on the CRL. Only returns a CRL having a valid signature.
'
' If CRL_FIND_ISSUED_BY_DELTA_FLAG is set in dwFindFlags, then, only
' returns a delta CRL.
'
' If CRL_FIND_ISSUED_BY_BASE_FLAG is set in dwFindFlags, then, only
' returns a base CRL.
'--------------------------------------------------------------------------
Public Const CRL_FIND_ISSUED_BY_AKI_FLAG As Long = &H1
Public Const CRL_FIND_ISSUED_BY_SIGNATURE_FLAG As Long = &H2
Public Const CRL_FIND_ISSUED_BY_DELTA_FLAG As Long = &H4
Public Const CRL_FIND_ISSUED_BY_BASE_FLAG As Long = &H8
'+-------------------------------------------------------------------------
' CRL_FIND_EXISTING
'
' Find existing CRL in the store.
'
' pvFindPara is the PCCRL_CONTEXT of the CRL to check if it already
' exists in the store.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Duplicate a CRL context
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Create a CRL context from the encoded CRL. The created
' context isn't put in a store.
'
' Makes a copy of the encoded CRL in the created context.
'
' If unable to decode and create the CRL context, NULL is returned.
' Otherwise, a pointer to a read only CRL_CONTEXT is returned.
' CRL_CONTEXT must be freed by calling CertFreeCRLContext.
' CertDuplicateCRLContext can be called to make a duplicate.
'
' CertSetCRLContextProperty and CertGetCRLContextProperty can be called
' to store properties for the CRL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Free a CRL context
'
' There needs to be a corresponding free for each context obtained by a
' get, duplicate or create.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Set the property for the specified CRL context.
'
' Same Property Ids and semantics as CertSetCertificateContextProperty.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Get the property for the specified CRL context.
'
' Same Property Ids and semantics as CertGetCertificateContextProperty.
'
' CERT_SHA1_HASH_PROP_ID, CERT_MD5_HASH_PROP_ID or
' CERT_SIGNATURE_HASH_PROP_ID is the predefined property of most interest.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Enumerate the properties for the specified CRL context.
'
' To get the first property, set dwPropId to 0. The ID of the first
' property is returned. To get the next property, set dwPropId to the
' ID returned by the last call. To enumerate all the properties continue
' until 0 is returned.
'
' CertGetCRLContextProperty is called to get the property's data.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Search the CRL's list of entries for the specified certificate.
'
' TRUE is returned if we were able to search the list. Otherwise, FALSE is
' returned,
'
' For success, if the certificate was found in the list, *ppCrlEntry is
' updated with a pointer to the entry. Otherwise, *ppCrlEntry is set to NULL.
' The returned entry isn't allocated and must not be freed.
'
' dwFlags and pvReserved currently aren't used and must be set to 0 or NULL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Is the specified CRL valid for the certificate.
'
' Returns TRUE if the CRL's list of entries would contain the certificate
' if it was revoked. Note, doesn't check that the certificate is in the
' list of entries.
'
' that it's valid for the subject certificate.
'
' dwFlags and pvReserved currently aren't used and must be set to 0 and NULL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Add certificate/CRL, encoded, context or element disposition values.
'--------------------------------------------------------------------------
Public Const CERT_STORE_ADD_NEW As Long = 1
Public Const CERT_STORE_ADD_USE_EXISTING As Long = 2
Public Const CERT_STORE_ADD_REPLACE_EXISTING As Long = 3
Public Const CERT_STORE_ADD_ALWAYS As Long = 4
Public Const CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES As Long = 5
Public Const CERT_STORE_ADD_NEWER As Long = 6
Public Const CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES As Long = 7
'+-------------------------------------------------------------------------
' Add the encoded certificate to the store according to the specified
' disposition action.
'
' Makes a copy of the encoded certificate before adding to the store.
'
' dwAddDispostion specifies the action to take if the certificate
' already exists in the store. This parameter must be one of the following
' values:
' CERT_STORE_ADD_NEW
' Fails if the certificate already exists in the store. LastError
' is set to CRYPT_E_EXISTS.
' CERT_STORE_ADD_USE_EXISTING
' If the certifcate already exists, then, its used and if ppCertContext
' is non-NULL, the existing context is duplicated.
' CERT_STORE_ADD_REPLACE_EXISTING
' If the certificate already exists, then, the existing certificate
' context is deleted before creating and adding the new context.
' CERT_STORE_ADD_ALWAYS
' No check is made to see if the certificate already exists. A
' new certificate context is always created. This may lead to
' duplicates in the store.
' CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES
' If the certificate already exists, then, its used.
' CERT_STORE_ADD_NEWER
' Fails if the certificate already exists in the store AND the NotBefore
' time of the existing certificate is equal to or greater than the
' NotBefore time of the new certificate being added. LastError
' is set to CRYPT_E_EXISTS.
'
' If an older certificate is replaced, same as
' CERT_STORE_ADD_REPLACE_EXISTING.
'
' For CRLs or CTLs compares the ThisUpdate times.
'
' CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES
' Same as CERT_STORE_ADD_NEWER. However, if an older certificate is
' replaced, same as CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES.
'
' CertGetSubjectCertificateFromStore is called to determine if the
' certificate already exists in the store.
'
' ppCertContext can be NULL, indicating the caller isn't interested
' in getting the CERT_CONTEXT of the added or existing certificate.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Add the certificate context to the store according to the specified
' disposition action.
'
' In addition to the encoded certificate, the context's properties are
' CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
'
' Makes a copy of the certificate context before adding to the store.
'
' dwAddDispostion specifies the action to take if the certificate
' already exists in the store. This parameter must be one of the following
' values:
' CERT_STORE_ADD_NEW
' Fails if the certificate already exists in the store. LastError
' is set to CRYPT_E_EXISTS.
' CERT_STORE_ADD_USE_EXISTING
' If the certifcate already exists, then, its used and if ppStoreContext
' is non-NULL, the existing context is duplicated. Iterates
' through pCertContext's properties and only copies the properties
' that don't already exist. The SHA1 and MD5 hash properties aren't
' copied.
' CERT_STORE_ADD_REPLACE_EXISTING
' If the certificate already exists, then, the existing certificate
' context is deleted before creating and adding a new context.
' Properties are copied before doing the add.
' CERT_STORE_ADD_ALWAYS
' No check is made to see if the certificate already exists. A
' new certificate context is always created and added. This may lead to
' duplicates in the store. Properties are
' copied before doing the add.
' CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES
' If the certificate already exists, then, the existing certificate
' context is used. Properties from the added context are copied and
' replace existing properties. However, any existing properties not
' in the added context remain and aren't deleted.
' CERT_STORE_ADD_NEWER
' Fails if the certificate already exists in the store AND the NotBefore
' time of the existing context is equal to or greater than the
' NotBefore time of the new context being added. LastError
' is set to CRYPT_E_EXISTS.
'
' If an older context is replaced, same as
' CERT_STORE_ADD_REPLACE_EXISTING.
'
' For CRLs or CTLs compares the ThisUpdate times.
'
' CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES
' Same as CERT_STORE_ADD_NEWER. However, if an older context is
' replaced, same as CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES.
'
' CertGetSubjectCertificateFromStore is called to determine if the
' certificate already exists in the store.
'
' ppStoreContext can be NULL, indicating the caller isn't interested
' in getting the CERT_CONTEXT of the added or existing certificate.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate Store Context Types
'--------------------------------------------------------------------------
Public Const CERT_STORE_CERTIFICATE_CONTEXT As Long = 1
Public Const CERT_STORE_CRL_CONTEXT As Long = 2
Public Const CERT_STORE_CTL_CONTEXT As Long = 3
'+-------------------------------------------------------------------------
' Certificate Store Context Bit Flags
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Add the serialized certificate or CRL element to the store.
'
' The serialized element contains the encoded certificate, CRL or CTL and
' its properties, such as, CERT_KEY_PROV_INFO_PROP_ID.
'
' If hCertStore is NULL, creates a certificate, CRL or CTL context not
' residing in any store.
'
' dwAddDispostion specifies the action to take if the certificate or CRL
' already exists in the store. See CertAddCertificateContextToStore for a
' list of and actions taken.
'
' dwFlags currently isn't used and should be set to 0.
'
' dwContextTypeFlags specifies the set of allowable contexts. For example, to
' add either a certificate or CRL, set dwContextTypeFlags to:
' CERT_STORE_CERTIFICATE_CONTEXT_FLAG | CERT_STORE_CRL_CONTEXT_FLAG
'
' *pdwContextType is updated with the type of the context returned in
' *ppvContxt. pdwContextType or ppvContext can be NULL, indicating the
' caller isn't interested in getting the output. If *ppvContext is
' returned it must be freed by calling CertFreeCertificateContext or
' CertFreeCRLContext.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Delete the specified certificate from the store.
'
' All subsequent gets or finds for the certificate will fail. However,
' memory allocated for the certificate isn't freed until all of its contexts
' have also been freed.
'
' The pCertContext is obtained from a get, enum, find or duplicate.
'
' Some store provider implementations might also delete the issuer's CRLs
' if this is the last certificate for the issuer in the store.
'
' NOTE: the pCertContext is always CertFreeCertificateContext'ed by
' this function, even for an error.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Add the encoded CRL to the store according to the specified
' disposition option.
'
' Makes a copy of the encoded CRL before adding to the store.
'
' dwAddDispostion specifies the action to take if the CRL
' already exists in the store. See CertAddEncodedCertificateToStore for a
' list of and actions taken.
'
' Compares the CRL's Issuer to determine if the CRL already exists in the
' store.
'
' ppCrlContext can be NULL, indicating the caller isn't interested
' in getting the CRL_CONTEXT of the added or existing CRL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Add the CRL context to the store according to the specified
' disposition option.
'
' In addition to the encoded CRL, the context's properties are
' CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
'
' Makes a copy of the encoded CRL before adding to the store.
'
' dwAddDispostion specifies the action to take if the CRL
' already exists in the store. See CertAddCertificateContextToStore for a
' list of and actions taken.
'
' Compares the CRL's Issuer, ThisUpdate and NextUpdate to determine
' if the CRL already exists in the store.
'
' ppStoreContext can be NULL, indicating the caller isn't interested
' in getting the CRL_CONTEXT of the added or existing CRL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Delete the specified CRL from the store.
'
' All subsequent gets for the CRL will fail. However,
' memory allocated for the CRL isn't freed until all of its contexts
' have also been freed.
'
' The pCrlContext is obtained from a get or duplicate.
'
' NOTE: the pCrlContext is always CertFreeCRLContext'ed by
' this function, even for an error.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Serialize the certificate context's encoded certificate and its
' properties.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Serialize the CRL context's encoded CRL and its properties.
'--------------------------------------------------------------------------
'+=========================================================================
'==========================================================================
'+-------------------------------------------------------------------------
' Duplicate a CTL context
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Create a CTL context from the encoded CTL. The created
' context isn't put in a store.
'
' Makes a copy of the encoded CTL in the created context.
'
' If unable to decode and create the CTL context, NULL is returned.
' Otherwise, a pointer to a read only CTL_CONTEXT is returned.
' CTL_CONTEXT must be freed by calling CertFreeCTLContext.
' CertDuplicateCTLContext can be called to make a duplicate.
'
' CertSetCTLContextProperty and CertGetCTLContextProperty can be called
' to store properties for the CTL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Free a CTL context
'
' There needs to be a corresponding free for each context obtained by a
' get, duplicate or create.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Set the property for the specified CTL context.
'
' Same Property Ids and semantics as CertSetCertificateContextProperty.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Get the property for the specified CTL context.
'
' Same Property Ids and semantics as CertGetCertificateContextProperty.
'
' CERT_SHA1_HASH_PROP_ID or CERT_NEXT_UPDATE_LOCATION_PROP_ID are the
' predefined properties of most interest.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Enumerate the properties for the specified CTL context.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Enumerate the CTL contexts in the store.
'
' If a CTL isn't found, NULL is returned.
' Otherwise, a pointer to a read only CTL_CONTEXT is returned. CTL_CONTEXT
' must be freed by calling CertFreeCTLContext or is freed when passed as the
' pPrevCtlContext on a subsequent call. CertDuplicateCTLContext
' can be called to make a duplicate.
'
' pPrevCtlContext MUST BE NULL to enumerate the first
' CTL in the store. Successive CTLs are enumerated by setting
' pPrevCtlContext to the CTL_CONTEXT returned by a previous call.
'
' NOTE: a NON-NULL pPrevCtlContext is always CertFreeCTLContext'ed by
' this function, even for an error.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Attempt to find the specified subject in the CTL.
'
' For CTL_CERT_SUBJECT_TYPE, pvSubject points to a CERT_CONTEXT. The CTL's
' SubjectAlgorithm is examined to determine the representation of the
' subject's identity. Initially, only SHA1 or MD5 hash will be supported.
' The appropriate hash property is obtained from the CERT_CONTEXT.
'
' For CTL_ANY_SUBJECT_TYPE, pvSubject points to the CTL_ANY_SUBJECT_INFO
' structure which contains the SubjectAlgorithm to be matched in the CTL
' and the SubjectIdentifer to be matched in one of the CTL entries.
'
' The certificate's hash or the CTL_ANY_SUBJECT_INFO's SubjectIdentifier
' is used as the key in searching the subject entries. A binary
' memory comparison is done between the key and the entry's SubjectIdentifer.
'
' dwEncodingType isn't used for either of the above SubjectTypes.
'--------------------------------------------------------------------------
' Subject Types:
' CTL_ANY_SUBJECT_TYPE, pvSubject points to following CTL_ANY_SUBJECT_INFO.
' CTL_CERT_SUBJECT_TYPE, pvSubject points to CERT_CONTEXT.
Public Const CTL_ANY_SUBJECT_TYPE As Long = 1
Public Const CTL_CERT_SUBJECT_TYPE As Long = 2
'+-------------------------------------------------------------------------
' Find the first or next CTL context in the store.
'
' The CTL is found according to the dwFindType and its pvFindPara.
' See below for a list of the find types and its parameters.
'
' Currently dwFindFlags isn't used and must be set to 0.
'
' Usage of dwMsgAndCertEncodingType depends on the dwFindType.
'
' If the first or next CTL isn't found, NULL is returned.
' Otherwise, a pointer to a read only CTL_CONTEXT is returned. CTL_CONTEXT
' must be freed by calling CertFreeCTLContext or is freed when passed as the
' pPrevCtlContext on a subsequent call. CertDuplicateCTLContext
' can be called to make a duplicate.
'
' pPrevCtlContext MUST BE NULL on the first
' call to find the CTL. To find the next CTL, the
' pPrevCtlContext is set to the CTL_CONTEXT returned by a previous call.
'
' NOTE: a NON-NULL pPrevCtlContext is always CertFreeCTLContext'ed by
' this function, even for an error.
'--------------------------------------------------------------------------
Public Const CTL_FIND_ANY As Long = 0
Public Const CTL_FIND_SHA1_HASH As Long = 1
Public Const CTL_FIND_MD5_HASH As Long = 2
Public Const CTL_FIND_USAGE As Long = 3
Public Const CTL_FIND_SUBJECT As Long = 4
Public Const CTL_FIND_EXISTING As Long = 5
Public Const CTL_FIND_NO_LIST_ID_CBDATA As Long = &HFFFFFFFF
Public Const CTL_FIND_SAME_USAGE_FLAG As Long = &H1
'+-------------------------------------------------------------------------
' CTL_FIND_ANY
'
' Find any CTL.
'
' pvFindPara isn't used.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CTL_FIND_SHA1_HASH
' CTL_FIND_MD5_HASH
'
' Find a CTL with the specified hash.
'
' pvFindPara points to a CRYPT_HASH_BLOB.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CTL_FIND_USAGE
'
' Find a CTL having the specified usage identifiers, list identifier or
' signer. The CertEncodingType of the signer is obtained from the
' dwMsgAndCertEncodingType parameter.
'
' pvFindPara points to a CTL_FIND_USAGE_PARA data structure. The
' SubjectUsage.cUsageIdentifer can be 0 to match any usage. The
' ListIdentifier.cbData can be 0 to match any list identifier. To only match
' CTLs without a ListIdentifier, cbData must be set to
' CTL_FIND_NO_LIST_ID_CBDATA. pSigner can be NULL to match any signer. Only
' the Issuer and SerialNumber fields of the pSigner's PCERT_INFO are used.
' To only match CTLs without a signer, pSigner must be set to
' CTL_FIND_NO_SIGNER_PTR.
'
' The CTL_FIND_SAME_USAGE_FLAG can be set in dwFindFlags to
' only match CTLs with the same usage identifiers. CTLs having additional
' usage identifiers aren't matched. For example, if only "1.2.3" is specified
' in CTL_FIND_USAGE_PARA, then, for a match, the CTL must only contain
' "1.2.3" and not any additional usage identifers.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CTL_FIND_SUBJECT
'
' Find a CTL having the specified subject. CertFindSubjectInCTL can be
' called to get a pointer to the subject's entry in the CTL. pUsagePara can
' optionally be set to enable the above CTL_FIND_USAGE matching.
'
' pvFindPara points to a CTL_FIND_SUBJECT_PARA data structure.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Add the encoded CTL to the store according to the specified
' disposition option.
'
' Makes a copy of the encoded CTL before adding to the store.
'
' dwAddDispostion specifies the action to take if the CTL
' already exists in the store. See CertAddEncodedCertificateToStore for a
' list of and actions taken.
'
' Compares the CTL's SubjectUsage, ListIdentifier and any of its signers
' to determine if the CTL already exists in the store.
'
' ppCtlContext can be NULL, indicating the caller isn't interested
' in getting the CTL_CONTEXT of the added or existing CTL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Add the CTL context to the store according to the specified
' disposition option.
'
' In addition to the encoded CTL, the context's properties are
' CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
'
' Makes a copy of the encoded CTL before adding to the store.
'
' dwAddDispostion specifies the action to take if the CTL
' already exists in the store. See CertAddCertificateContextToStore for a
' list of and actions taken.
'
' Compares the CTL's SubjectUsage, ListIdentifier and any of its signers
' to determine if the CTL already exists in the store.
'
' ppStoreContext can be NULL, indicating the caller isn't interested
' in getting the CTL_CONTEXT of the added or existing CTL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Serialize the CTL context's encoded CTL and its properties.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Delete the specified CTL from the store.
'
' All subsequent gets for the CTL will fail. However,
' memory allocated for the CTL isn't freed until all of its contexts
' have also been freed.
'
' The pCtlContext is obtained from a get or duplicate.
'
' NOTE: the pCtlContext is always CertFreeCTLContext'ed by
' this function, even for an error.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate Store control types
'--------------------------------------------------------------------------
Public Const CERT_STORE_CTRL_RESYNC As Long = 1
Public Const CERT_STORE_CTRL_NOTIFY_CHANGE As Long = 2
Public Const CERT_STORE_CTRL_COMMIT As Long = 3
Public Const CERT_STORE_CTRL_AUTO_RESYNC As Long = 4
Public Const CERT_STORE_CTRL_CANCEL_NOTIFY As Long = 5
Public Const CERT_STORE_CTRL_INHIBIT_DUPLICATE_HANDLE_FLAG As Long = &H1
'+-------------------------------------------------------------------------
' CERT_STORE_CTRL_RESYNC
'
' Re-synchronize the store.
'
' The pvCtrlPara points to the event HANDLE to be signaled on
' the next store change. Normally, this would be the same
' event HANDLE passed to CERT_STORE_CTRL_NOTIFY_CHANGE during initialization.
'
' If pvCtrlPara is NULL, no events are re-armed.
'
' By default the event HANDLE is DuplicateHandle'd.
' CERT_STORE_CTRL_INHIBIT_DUPLICATE_HANDLE_FLAG can be set in dwFlags
' to inhibit a DupicateHandle of the event HANDLE. If this flag
' called for this event HANDLE before closing the hCertStore.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_STORE_CTRL_NOTIFY_CHANGE
'
' Signal the event when the underlying store is changed.
'
' pvCtrlPara points to the event HANDLE to be signaled.
'
' pvCtrlPara can be NULL to inform the store of a subsequent
' CERT_STORE_CTRL_RESYNC and allow it to optimize by only doing a resync
' if the store has changed. For the registry based stores, an internal
' notify change event is created and registered to be signaled.
'
' Recommend calling CERT_STORE_CTRL_NOTIFY_CHANGE once for each event to
' be passed to CERT_STORE_CTRL_RESYNC. This should only happen after
' the event has been created. Not after each time the event is signaled.
'
' By default the event HANDLE is DuplicateHandle'd.
' CERT_STORE_CTRL_INHIBIT_DUPLICATE_HANDLE_FLAG can be set in dwFlags
' to inhibit a DupicateHandle of the event HANDLE. If this flag
' called for this event HANDLE before closing the hCertStore.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_STORE_CTRL_CANCEL_NOTIFY
'
' Cancel notification signaling of the event HANDLE passed in a previous
' CERT_STORE_CTRL_NOTIFY_CHANGE or CERT_STORE_CTRL_RESYNC.
'
' pvCtrlPara points to the event HANDLE to be canceled.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_STORE_CTRL_AUTO_RESYNC
'
' At the start of every enumeration or find store API call, check if the
' underlying store has changed. If it has changed, re-synchronize.
'
' This check is only done in the enumeration or find APIs when the
' pPrevContext is NULL.
'
' The pvCtrlPara isn't used and must be set to NULL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_STORE_CTRL_COMMIT
'
' If any changes have been to the cached store, they are committed to
' persisted storage. If no changes have been made since the store was
' opened or the last commit, this call is ignored. May also be ignored by
' store providers that persist changes immediately.
'
' CERT_STORE_CTRL_COMMIT_FORCE_FLAG can be set to force the store
' to be committed even if it hasn't been touched.
'
' CERT_STORE_CTRL_COMMIT_CLEAR_FLAG can be set to inhibit a commit on
' store close.
'--------------------------------------------------------------------------
Public Const CERT_STORE_CTRL_COMMIT_FORCE_FLAG As Long = &H1
Public Const CERT_STORE_CTRL_COMMIT_CLEAR_FLAG As Long = &H2
'+=========================================================================
' Cert Store Property Defines and APIs
'==========================================================================
'+-------------------------------------------------------------------------
' Store property IDs. This is a property applicable to the entire store.
' Its not a property on an individual certificate, CRL or CTL context.
'
' most context properties which are persisted.)
'
' See CertSetStoreProperty or CertGetStoreProperty for usage information.
'
' Note, the range for predefined store properties should be outside
' the range of predefined context properties. We will start at 4096.
'--------------------------------------------------------------------------
Public Const CERT_STORE_LOCALIZED_NAME_PROP_ID As Long = &H1000
'+-------------------------------------------------------------------------
' Set a store property.
'
' The type definition for pvData depends on the dwPropId value.
' CERT_STORE_LOCALIZED_NAME_PROP_ID - localized name of the store.
' pvData points to a CRYPT_DATA_BLOB. pbData is a pointer to a NULL
' terminated unicode, wide character string.
'
' For all the other PROP_IDs: an encoded PCRYPT_DATA_BLOB is passed in pvData.
'
' If the property already exists, then, the old value is deleted and silently
' replaced. Setting, pvData to NULL, deletes the property.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Get a store property.
'
' The type definition for pvData depends on the dwPropId value.
' CERT_STORE_LOCALIZED_NAME_PROP_ID - localized name of the store.
' pvData points to a NULL terminated unicode, wide character string.
'
' For all other PROP_IDs, pvData points to an array of bytes.
'
' If the property doesn't exist, returns FALSE and sets LastError to
' CRYPT_E_NOT_FOUND.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Creates the specified context from the encoded bytes. The created
' context isn't put in a store.
'
' dwContextType values:
' CERT_STORE_CERTIFICATE_CONTEXT
' CERT_STORE_CRL_CONTEXT
' CERT_STORE_CTL_CONTEXT
'
' If CERT_CREATE_CONTEXT_NOCOPY_FLAG is set, the created context points
' directly to the pbEncoded instead of an allocated copy. See flag
' definition for more details.
'
' If CERT_CREATE_CONTEXT_SORTED_FLAG is set, the context is created
' with sorted entries. This flag may only be set for CERT_STORE_CTL_CONTEXT.
' Setting this flag implicitly sets CERT_CREATE_CONTEXT_NO_HCRYPTMSG_FLAG and
' CERT_CREATE_CONTEXT_NO_ENTRY_FLAG. See flag definition for
' more details.
'
' If CERT_CREATE_CONTEXT_NO_HCRYPTMSG_FLAG is set, the context is created
' without creating a HCRYPTMSG handle for the context. This flag may only be
' set for CERT_STORE_CTL_CONTEXT. See flag definition for more details.
'
' If CERT_CREATE_CONTEXT_NO_ENTRY_FLAG is set, the context is created
' without decoding the entries. This flag may only be set for
' CERT_STORE_CTL_CONTEXT. See flag definition for more details.
'
' If unable to decode and create the context, NULL is returned.
' Otherwise, a pointer to a read only CERT_CONTEXT, CRL_CONTEXT or
' CTL_CONTEXT is returned. The context must be freed by the appropriate
' free context API. The context can be duplicated by calling the
' appropriate duplicate context API.
'--------------------------------------------------------------------------
' When the following flag is set, the created context points directly to the
' pbEncoded instead of an allocated copy. If pCreatePara and
' pCreatePara->pfnFree are non-NULL, then, pfnFree is called to free
' the pbEncoded when the context is last freed. Otherwise, no attempt is
' made to free the pbEncoded. If pCreatePara->pvFree is non-NULL, then its
' passed to pfnFree instead of pbEncoded.
'
' Note, if CertCreateContext fails, pfnFree is still called.
Public Const CERT_CREATE_CONTEXT_NOCOPY_FLAG As Long = &H1
' When the following flag is set, a context with sorted entries is created.
' Currently only applicable to a CTL context.
'
' For CTLs: the cCTLEntry in the returned CTL_INFO is always
' 0. CertFindSubjectInSortedCTL and CertEnumSubjectInSortedCTL must be called
' to find or enumerate the CTL entries.
'
' The Sorted CTL TrustedSubjects extension isn't returned in the created
' context's CTL_INFO.
Public Const CERT_CREATE_CONTEXT_SORTED_FLAG As Long = &H2
' By default when a CTL context is created, a HCRYPTMSG handle to its
' SignedData message is created. This flag can be set to improve performance
' by not creating the HCRYPTMSG handle.
'
' This flag is only applicable to a CTL context.
Public Const CERT_CREATE_CONTEXT_NO_HCRYPTMSG_FLAG As Long = &H4
' By default when a CTL context is created, its entries are decoded.
' This flag can be set to improve performance by not decoding the
' entries.
'
' This flag is only applicable to a CTL context.
Public Const CERT_CREATE_CONTEXT_NO_ENTRY_FLAG As Long = &H8
'+=========================================================================
' Certificate System Store Data Structures and APIs
'==========================================================================
'+-------------------------------------------------------------------------
' System Store Information
'
' Currently, no system store information is persisted.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Physical Store Information
'
' the physical store.
'
' By default all system stores located in the registry have an
' implicit SystemRegistry physical store that is opened. To disable the
' opening of this store, the SystemRegistry
' physical store corresponding to the System store must be registered with
' CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG set in dwFlags. Alternatively,
' a physical store with the name of ".Default" may be registered.
'
' Depending on the store location and store name, additional predefined
' physical stores may be opened. For example, system stores in
' CURRENT_USER have the predefined physical store, .LocalMachine.
' To disable the opening of these predefined physical stores, the
' corresponding physical store must be registered with
' CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG set in dwFlags.
'
' The CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG must be set in dwFlags
' to enable the adding of a context to the store.
'
' When a system store is opened via the SERVICES or USERS store location,
' the ServiceName\ is prepended to the OpenParameters
' for CERT_SYSTEM_STORE_CURRENT_USER or CERT_SYSTEM_STORE_CURRENT_SERVICE
' physical stores and the dwOpenFlags store location is changed to
' CERT_SYSTEM_STORE_USERS or CERT_SYSTEM_STORE_SERVICES.
'
' By default the SYSTEM, SYSTEM_REGISTRY and PHYSICAL provider
' stores are also opened remotely when the outer system store is opened.
' The CERT_PHYSICAL_STORE_REMOTE_OPEN_DISABLE_FLAG may be set in dwFlags
' to disable remote opens.
'
' When opened remotely, the \\ComputerName is implicitly prepended to the
' OpenParameters for the SYSTEM, SYSTEM_REGISTRY and PHYSICAL provider types.
' To also prepend the \\ComputerName to other provider types, set the
' CERT_PHYSICAL_STORE_INSERT_COMPUTER_NAME_ENABLE_FLAG in dwFlags.
'
' When the system store is opened, its physical stores are ordered
' according to the dwPriority. A larger dwPriority indicates higher priority.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Physical Store Information dwFlags
'--------------------------------------------------------------------------
Public Const CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG As Long = &H1
Public Const CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG As Long = &H2
Public Const CERT_PHYSICAL_STORE_REMOTE_OPEN_DISABLE_FLAG As Long = &H4
Public Const CERT_PHYSICAL_STORE_INSERT_COMPUTER_NAME_ENABLE_FLAG As Long = &H8
'+-------------------------------------------------------------------------
' Register a system store.
'
' The upper word of the dwFlags parameter is used to specify the location of
' the system store.
'
' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
' pvSystemStore points to a null terminated UNICODE string.
'
' The CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS system store
' name must be prefixed with the ServiceName or UserName. For example,
' "ServiceName\Trust".
'
' Stores on remote computers can be registered for the
' CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_SERVICES,
' CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
' or CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
' locations by prepending the computer name. For example, a remote
' local machine store is registered via "\\ComputerName\Trust" or
' "ComputerName\Trust". A remote service store is registered via
' "\\ComputerName\ServiceName\Trust". The leading "\\" backslashes are
' optional in the ComputerName.
'
' Set CERT_STORE_CREATE_NEW_FLAG to cause a failure if the system store
' already exists in the store location.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Register a physical store for the specified system store.
'
' The upper word of the dwFlags parameter is used to specify the location of
' the system store.
'
' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
' pvSystemStore points to a null terminated UNICODE string.
'
' See CertRegisterSystemStore for details on prepending a ServiceName
' and/or ComputerName to the system store name.
'
' Set CERT_STORE_CREATE_NEW_FLAG to cause a failure if the physical store
' already exists in the system store.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Unregister the specified system store.
'
' The upper word of the dwFlags parameter is used to specify the location of
' the system store.
'
' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
' pvSystemStore points to a null terminated UNICODE string.
'
' See CertRegisterSystemStore for details on prepending a ServiceName
' and/or ComputerName to the system store name.
'
' CERT_STORE_DELETE_FLAG can optionally be set in dwFlags.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Unregister the physical store from the specified system store.
'
' The upper word of the dwFlags parameter is used to specify the location of
' the system store.
'
' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
' pvSystemStore points to a null terminated UNICODE string.
'
' See CertRegisterSystemStore for details on prepending a ServiceName
' and/or ComputerName to the system store name.
'
' CERT_STORE_DELETE_FLAG can optionally be set in dwFlags.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Enum callbacks
'
' The CERT_SYSTEM_STORE_LOCATION_MASK bits in the dwFlags parameter
' specifies the location of the system store
'
' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
' pvSystemStore points to a null terminated UNICODE string.
'
' The callback returns FALSE and sets LAST_ERROR to stop the enumeration.
' The LAST_ERROR is returned to the caller of the enumeration.
'
' The pvSystemStore passed to the callback has leading ComputerName and/or
' ServiceName prefixes where appropriate.
'--------------------------------------------------------------------------
' In the PFN_CERT_ENUM_PHYSICAL_STORE callback the following flag is
' set if the physical store wasn't registered and is an implicitly created
' predefined physical store.
Public Const CERT_PHYSICAL_STORE_PREDEFINED_ENUM_FLAG As Long = &H1
' Names of implicitly created predefined physical stores
Public Const CERT_PHYSICAL_STORE_DEFAULT_NAME As String = ".Default"
Public Const CERT_PHYSICAL_STORE_GROUP_POLICY_NAME As String = ".GroupPolicy"
Public Const CERT_PHYSICAL_STORE_LOCAL_MACHINE_NAME As String = ".LocalMachine"
Public Const CERT_PHYSICAL_STORE_DS_USER_CERTIFICATE_NAME As String = ".UserCertificate"
Public Const CERT_PHYSICAL_STORE_ENTERPRISE_NAME As String = ".Enterprise"
'+-------------------------------------------------------------------------
' Enumerate the system store locations.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Enumerate the system stores.
'
' The upper word of the dwFlags parameter is used to specify the location of
' the system store.
'
' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags,
' pvSystemStoreLocationPara points to a CERT_SYSTEM_STORE_RELOCATE_PARA
' data structure. Otherwise, pvSystemStoreLocationPara points to a null
' terminated UNICODE string.
'
' For CERT_SYSTEM_STORE_LOCAL_MACHINE,
' CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY or
' CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, pvSystemStoreLocationPara can
' optionally be set to a unicode computer name for enumerating local machine
' stores on a remote computer. For example, "\\ComputerName" or
' "ComputerName". The leading "\\" backslashes are optional in the
' ComputerName.
'
' For CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS,
' if pvSystemStoreLocationPara is NULL, then,
' enumerates both the service/user names and the stores for each service/user
' name. Otherwise, pvSystemStoreLocationPara is a unicode string specifying a
' remote computer name and/or service/user name. For example:
' "ServiceName"
' "\\ComputerName" or "ComputerName\"
' "ComputerName\ServiceName"
' Note, if only the ComputerName is specified, then, it must have either
' the leading "\\" backslashes or a trailing backslash. Otherwise, its
' interpretted as the ServiceName or UserName.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Enumerate the physical stores for the specified system store.
'
' The upper word of the dwFlags parameter is used to specify the location of
' the system store.
'
' If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
' points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
' pvSystemStore points to a null terminated UNICODE string.
'
' See CertRegisterSystemStore for details on prepending a ServiceName
' and/or ComputerName to the system store name.
'
' If the system store location only supports system stores and doesn't
' support physical stores, LastError is set to ERROR_CALL_NOT_IMPLEMENTED.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate System Store Installable Functions
'
' The CERT_SYSTEM_STORE_LOCATION_MASK bits in the dwFlags parameter passed
' Provider), CertRegisterSystemStore,
' CertUnregisterSystemStore, CertEnumSystemStore, CertRegisterPhysicalStore,
' CertUnregisterPhysicalStore and CertEnumPhysicalStore APIs is used as the
' constant pszOID value passed to the OID installable functions.
'
' The EncodingType is 0.
'--------------------------------------------------------------------------
' Installable System Store Provider OID pszFuncNames.
Public Const CRYPT_OID_OPEN_SYSTEM_STORE_PROV_FUNC As String = "CertDllOpenSystemStoreProv"
Public Const CRYPT_OID_REGISTER_SYSTEM_STORE_FUNC As String = "CertDllRegisterSystemStore"
Public Const CRYPT_OID_UNREGISTER_SYSTEM_STORE_FUNC As String = "CertDllUnregisterSystemStore"
Public Const CRYPT_OID_ENUM_SYSTEM_STORE_FUNC As String = "CertDllEnumSystemStore"
Public Const CRYPT_OID_REGISTER_PHYSICAL_STORE_FUNC As String = "CertDllRegisterPhysicalStore"
Public Const CRYPT_OID_UNREGISTER_PHYSICAL_STORE_FUNC As String = "CertDllUnregisterPhysicalStore"
Public Const CRYPT_OID_ENUM_PHYSICAL_STORE_FUNC As String = "CertDllEnumPhysicalStore"
' CertDllOpenSystemStoreProv has the same function signature as the
' installable "CertDllOpenStoreProv" function. See CertOpenStore for
' more details.
' CertDllRegisterSystemStore has the same function signature as
' CertRegisterSystemStore.
'
' The "SystemStoreLocation" REG_SZ value must also be set for registered
' CertDllEnumSystemStore OID functions.
Public Const CRYPT_OID_SYSTEM_STORE_LOCATION_VALUE_NAME As String = "SystemStoreLocation"
' The remaining Register, Enum and Unregister OID installable functions
' have the same signature as their Cert Store API counterpart.
'+=========================================================================
' Enhanced Key Usage Helper Functions
'==========================================================================
'+-------------------------------------------------------------------------
' Get the enhanced key usage extension or property from the certificate
' and decode.
'
' If the CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, then, only get the
' extension.
'
' If the CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG is set, then, only get the
' property.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Set the enhanced key usage property for the certificate.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Add the usage identifier to the certificate's enhanced key usage property.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Remove the usage identifier from the certificate's enhanced key usage
' property.
'--------------------------------------------------------------------------
'+---------------------------------------------------------------------------
'
'
' Takes an array of certs and returns an array of usages
' which consists of the intersection of the valid usages for each cert.
' If each cert is good for all possible usages then the cNumOIDs is set to -1.
'
'----------------------------------------------------------------------------
'+=========================================================================
' Cryptographic Message helper functions for verifying and signing a
' CTL.
'==========================================================================
'+-------------------------------------------------------------------------
' Get and verify the signer of a cryptographic message.
'
' To verify a CTL, the hCryptMsg is obtained from the CTL_CONTEXT's
' hCryptMsg field.
'
' If CMSG_TRUSTED_SIGNER_FLAG is set, then, treat the Signer stores as being
' trusted and only search them to find the certificate corresponding to the
' signer's issuer and serial number. Otherwise, the SignerStores are
' optionally provided to supplement the message's store of certificates.
' If a signer certificate is found, its public key is used to verify
' the message signature. The CMSG_SIGNER_ONLY_FLAG can be set to
' return the signer without doing the signature verify.
'
' If CMSG_USE_SIGNER_INDEX_FLAG is set, then, only get the signer specified
' by *pdwSignerIndex. Otherwise, iterate through all the signers
' until a signer verifies or no more signers.
'
' For a verified signature, *ppSigner is updated with certificate context
' of the signer and *pdwSignerIndex is updated with the index of the signer.
' ppSigner and/or pdwSignerIndex can be NULL, indicating the caller isn't
' interested in getting the CertContext and/or index of the signer.
'--------------------------------------------------------------------------
Public Const CMSG_TRUSTED_SIGNER_FLAG As Long = &H1
Public Const CMSG_SIGNER_ONLY_FLAG As Long = &H2
Public Const CMSG_USE_SIGNER_INDEX_FLAG As Long = &H4
'+-------------------------------------------------------------------------
' Sign an encoded CTL.
'
' The pbCtlContent can be obtained via a CTL_CONTEXT's pbCtlContent
'
' CMSG_CMS_ENCAPSULATED_CTL_FLAG can be set to encode a CMS compatible
' V3 SignedData message.
'--------------------------------------------------------------------------
' When set, CTL inner content is encapsulated within an OCTET STRING
Public Const CMSG_CMS_ENCAPSULATED_CTL_FLAG As Long = &H00008000
'+-------------------------------------------------------------------------
' Encode the CTL and create a signed message containing the encoded CTL.
'
' Set CMSG_ENCODE_SORTED_CTL_FLAG if the CTL entries are to be sorted
' before encoding. This flag should be set, if the
' CertFindSubjectInSortedCTL or CertEnumSubjectInSortedCTL APIs will
' be called. If the identifier for the CTL entries is a hash, such as,
' MD5 or SHA1, then, CMSG_ENCODE_HASHED_SUBJECT_IDENTIFIER_FLAG should
' also be set.
'
' CMSG_CMS_ENCAPSULATED_CTL_FLAG can be set to encode a CMS compatible
' V3 SignedData message.
'--------------------------------------------------------------------------
' The following flag is set if the CTL is to be encoded with sorted
' trusted subjects and the szOID_SORTED_CTL extension is inserted containing
' sorted offsets to the encoded subjects.
Public Const CMSG_ENCODE_SORTED_CTL_FLAG As Long = &H1
' If the above sorted flag is set, then, the following flag should also
' be set if the identifier for the TrustedSubjects is a hash,
' such as, MD5 or SHA1.
Public Const CMSG_ENCODE_HASHED_SUBJECT_IDENTIFIER_FLAG As Long = &H2
'+-------------------------------------------------------------------------
' Returns TRUE if the SubjectIdentifier exists in the CTL. Optionally
' returns a pointer to and byte count of the Subject's encoded attributes.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Enumerates through the sequence of TrustedSubjects in a CTL context
' created with CERT_CREATE_CONTEXT_SORTED_FLAG set.
'
' To start the enumeration, *ppvNextSubject must be NULL. Upon return,
' *ppvNextSubject is updated to point to the next TrustedSubject in
' the encoded sequence.
'
' Returns FALSE for no more subjects or invalid arguments.
'
' Note, the returned DER_BLOBs point directly into the encoded
'--------------------------------------------------------------------------
'+=========================================================================
' Certificate Verify CTL Usage Data Structures and APIs
'==========================================================================
Public Const CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG As Long = &H1
Public Const CERT_VERIFY_TRUSTED_SIGNERS_FLAG As Long = &H2
Public Const CERT_VERIFY_NO_TIME_CHECK_FLAG As Long = &H4
Public Const CERT_VERIFY_ALLOW_MORE_USAGE_FLAG As Long = &H8
Public Const CERT_VERIFY_UPDATED_CTL_FLAG As Long = &H1
'+-------------------------------------------------------------------------
' Verify that a subject is trusted for the specified usage by finding a
' signed and time valid CTL with the usage identifiers and containing the
' the subject. A subject can be identified by either its certificate context
' or any identifier such as its SHA1 hash.
'
' See CertFindSubjectInCTL for definition of dwSubjectType and pvSubject
' parameters.
'
' Via pVerifyUsagePara, the caller can specify the stores to be searched
' to find the CTL. The caller can also specify the stores containing
' acceptable CTL signers. By setting the ListIdentifier, the caller
' can also restrict to a particular signer CTL list.
'
' Via pVerifyUsageStatus, the CTL containing the subject, the subject's
' index into the CTL's array of entries, and the signer of the CTL
' are returned. If the caller is not interested, ppCtl and ppSigner can be set
' to NULL. Returned contexts must be freed via the store's free context APIs.
'
' If the CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG isn't set, then, a time
' invalid CTL in one of the CtlStores may be replaced. When replaced, the
' CERT_VERIFY_UPDATED_CTL_FLAG is set in pVerifyUsageStatus->dwFlags.
'
' If the CERT_VERIFY_TRUSTED_SIGNERS_FLAG is set, then, only the
' SignerStores specified in pVerifyUsageStatus are searched to find
' the signer. Otherwise, the SignerStores provide additional sources
' to find the signer's certificate.
'
' If CERT_VERIFY_NO_TIME_CHECK_FLAG is set, then, the CTLs aren't checked
' for time validity.
'
' If CERT_VERIFY_ALLOW_MORE_USAGE_FLAG is set, then, the CTL may contain
' additional usage identifiers than specified by pSubjectUsage. Otherwise,
' the found CTL will contain the same usage identifers and no more.
'
' CertVerifyCTLUsage will be implemented as a dispatcher to OID installable
' functions. First, it will try to find an OID function matching the first
' usage object identifier in the pUsage sequence. Next, it will dispatch
' to the default CertDllVerifyCTLUsage functions.
'
' If the subject is trusted for the specified usage, then, TRUE is
' returned. Otherwise, FALSE is returned with dwError set to one of the
' following:
' CRYPT_E_NO_VERIFY_USAGE_DLL
' CRYPT_E_NO_VERIFY_USAGE_CHECK
' CRYPT_E_VERIFY_USAGE_OFFLINE
' CRYPT_E_NOT_IN_CTL
' CRYPT_E_NO_TRUSTED_SIGNER
'--------------------------------------------------------------------------
'+=========================================================================
' Certificate Revocation Data Structures and APIs
'==========================================================================
'+-------------------------------------------------------------------------
' The following data structure may be passed to CertVerifyRevocation to
' assist in finding the issuer of the context to be verified.
'
' When pIssuerCert is specified, pIssuerCert is the issuer of
' rgpvContext[cContext - 1].
'
' When cCertStore and rgCertStore are specified, these stores may contain
' an issuer certificate.
'
' When hCrlStore is specified then a handler which uses CRLs can search this
' store for them
'
' revocation status relative to the time given otherwise the answer may be
' independent of time or relative to current time
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' The following data structure is returned by CertVerifyRevocation to
' specify the status of the revoked or unchecked context. Review the
' following CertVerifyRevocation comments for details.
'
' Upon input to CertVerifyRevocation, cbSize must be set to a size
' returns FALSE and sets LastError to E_INVALIDARG.
'
' Upon input to the installed or registered CRYPT_OID_VERIFY_REVOCATION_FUNC
' functions, the dwIndex, dwError and dwReason have been zero'ed.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Verifies the array of contexts for revocation. The dwRevType parameter
' indicates the type of the context data structure passed in rgpvContext.
' Currently only the revocation of certificates is defined.
'
' If the CERT_VERIFY_REV_CHAIN_FLAG flag is set, then, CertVerifyRevocation
' is verifying a chain of certs where, rgpvContext[i + 1] is the issuer
' of rgpvContext[i]. Otherwise, CertVerifyRevocation makes no assumptions
' about the order of the contexts.
'
' To assist in finding the issuer, the pRevPara may optionally be set. See
' the CERT_REVOCATION_PARA data structure for details.
'
' The contexts must contain enough information to allow the
' installable or registered revocation DLLs to find the revocation server. For
' certificates, this information would normally be conveyed in an
' extension such as the IETF's AuthorityInfoAccess extension.
'
' CertVerifyRevocation returns TRUE if all of the contexts were successfully
' checked and none were revoked. Otherwise, returns FALSE and updates the
' returned pRevStatus data structure as follows:
' dwIndex
' Index of the first context that was revoked or unable to
' be checked for revocation
' dwError
' Error status. LastError is also set to this error status.
' dwError can be set to one of the following error codes defined
' in winerror.h:
' ERROR_SUCCESS - good context
' CRYPT_E_REVOKED - context was revoked. dwReason contains the
' reason for revocation
' CRYPT_E_REVOCATION_OFFLINE - unable to connect to the
' revocation server
' CRYPT_E_NOT_IN_REVOCATION_DATABASE - the context to be checked
' was not found in the revocation server's database.
' CRYPT_E_NO_REVOCATION_CHECK - the called revocation function
' wasn't able to do a revocation check on the context
' CRYPT_E_NO_REVOCATION_DLL - no installed or registered Dll was
' found to verify revocation
' dwReason
' The dwReason is currently only set for CRYPT_E_REVOKED and contains
' the reason why the context was revoked. May be one of the following
' CRL_REASON_UNSPECIFIED 0
' CRL_REASON_KEY_COMPROMISE 1
' CRL_REASON_CA_COMPROMISE 2
' CRL_REASON_AFFILIATION_CHANGED 3
' CRL_REASON_SUPERSEDED 4
' CRL_REASON_CESSATION_OF_OPERATION 5
' CRL_REASON_CERTIFICATE_HOLD 6
'
' For each entry in rgpvContext, CertVerifyRevocation iterates
' through the CRYPT_OID_VERIFY_REVOCATION_FUNC
' function set's list of installed DEFAULT functions.
' CryptGetDefaultOIDFunctionAddress is called with pwszDll = NULL. If no
' installed functions are found capable of doing the revocation verification,
' CryptVerifyRevocation iterates through CRYPT_OID_VERIFY_REVOCATION_FUNC's
' list of registered DEFAULT Dlls. CryptGetDefaultOIDDllList is called to
' get the list. CryptGetDefaultOIDFunctionAddress is called to load the Dll.
'
' The called functions have the same signature as CertVerifyRevocation. A
' called function returns TRUE if it was able to successfully check all of
' the contexts and none were revoked. Otherwise, the called function returns
' FALSE and updates pRevStatus. dwIndex is set to the index of
' the first context that was found to be revoked or unable to be checked.
' dwError and LastError are updated. For CRYPT_E_REVOKED, dwReason
' is updated. Upon input to the called function, dwIndex, dwError and
' dwReason have been zero'ed. cbSize has been checked to be >=
'
' If the called function returns FALSE, and dwError isn't set to
' CRYPT_E_REVOKED, then, CertVerifyRevocation either continues on to the
' next DLL in the list for a returned dwIndex of 0 or for a returned
' dwIndex > 0, restarts the process of finding a verify function by
' advancing the start of the context array to the returned dwIndex and
' decrementing the count of remaining contexts.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Revocation types
'--------------------------------------------------------------------------
Public Const CERT_CONTEXT_REVOCATION_TYPE As Long = 1
'+-------------------------------------------------------------------------
' When the following flag is set, rgpvContext[] consists of a chain
' of certificates, where rgpvContext[i + 1] is the issuer of rgpvContext[i].
'--------------------------------------------------------------------------
Public Const CERT_VERIFY_REV_CHAIN_FLAG As Long = &H00000001
'+-------------------------------------------------------------------------
' CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION prevents the revocation handler from
' accessing any network based resources for revocation checking
'--------------------------------------------------------------------------
Public Const CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION As Long = &H00000002
'+-------------------------------------------------------------------------
' CERT_CONTEXT_REVOCATION_TYPE
'
' pvContext points to a const CERT_CONTEXT.
'--------------------------------------------------------------------------
'+=========================================================================
' Certificate Helper APIs
'==========================================================================
'+-------------------------------------------------------------------------
' Compare two multiple byte integer blobs to see if they are identical.
'
' Before doing the comparison, leading zero bytes are removed from a
' positive number and leading 0xFF bytes are removed from a negative
' number.
'
' The multiple byte integers are treated as Little Endian. pbData[0] is the
' least significant byte and pbData[cbData - 1] is the most significant
' byte.
'
' Returns TRUE if the integer blobs are identical after removing leading
' 0 or 0xFF bytes.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Compare two certificates to see if they are identical.
'
' Since a certificate is uniquely identified by its Issuer and SerialNumber,
' these are the only fields needing to be compared.
'
' Returns TRUE if the certificates are identical.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Compare two certificate names to see if they are identical.
'
' Returns TRUE if the names are identical.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Compare the attributes in the certificate name with the specified
' The comparison iterates through the CERT_RDN attributes and looks for an
' attribute match in any of the certificate name's RDNs.
' Returns TRUE if all the attributes are found and match.
'
' The CERT_RDN_ATTR fields can have the following special values:
' pszObjId == NULL - ignore the attribute object identifier
' dwValueType == RDN_ANY_TYPE - ignore the value type
'
' CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG should be set to do
' a case insensitive match. Otherwise, defaults to an exact, case sensitive
' match.
'
' CERT_UNICODE_IS_RDN_ATTRS_FLAG should be set if the pRDN was initialized
'--------------------------------------------------------------------------
Public Const CERT_UNICODE_IS_RDN_ATTRS_FLAG As Long = &H1
Public Const CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG As Long = &H2
'+-------------------------------------------------------------------------
' Compare two public keys to see if they are identical.
'
' Returns TRUE if the keys are identical.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Get the public/private key's bit length.
'
' Returns 0 if unable to determine the key's length.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Verify the signature of a subject certificate or a CRL using the
' public key info
'
' Returns TRUE for a valid signature.
'
' hCryptProv specifies the crypto provider to use to verify the signature.
' It doesn't need to use a private key.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Verify the signature of a subject certificate, CRL, certificate request
' or keygen request using the issuer's public key.
'
' Returns TRUE for a valid signature.
'
' The subject can be an encoded blob or a context for a certificate or CRL.
' For a subject certificate context, if the certificate is missing
' inheritable PublicKey Algorithm Parameters, the context's
' CERT_PUBKEY_ALG_PARA_PROP_ID is updated with the issuer's public key
' algorithm parameters for a valid signature.
'
' The issuer can be a pointer to a CERT_PUBLIC_KEY_INFO, certificate
' context or a chain context.
'
' hCryptProv specifies the crypto provider to use to verify the signature.
' Its private key isn't used. If hCryptProv is NULL, a default
' provider is picked according to the PublicKey Algorithm OID.
'--------------------------------------------------------------------------
' Subject Types
Public Const CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB As Long = 1
Public Const CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT As Long = 2
Public Const CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL As Long = 3
' Issuer Types
Public Const CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY As Long = 1
Public Const CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT As Long = 2
Public Const CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN As Long = 3
'+-------------------------------------------------------------------------
' Compute the hash of the "to be signed" information in the encoded
'
' hCryptProv specifies the crypto provider to use to compute the hash.
' It doesn't need to use a private key.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Hash the encoded content.
'
' hCryptProv specifies the crypto provider to use to compute the hash.
' It doesn't need to use a private key.
'
' Algid specifies the CAPI hash algorithm to use. If Algid is 0, then, the
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Sign the "to be signed" information in the encoded signed content.
'
' hCryptProv specifies the crypto provider to use to do the signature.
' It uses the specified private key.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Encode the "to be signed" information. Sign the encoded "to be signed".
' Encode the "to be signed" and the signature.
'
' hCryptProv specifies the crypto provider to use to do the signature.
' It uses the specified private key.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Verify the time validity of a certificate.
'
' Returns -1 if before NotBefore, +1 if after NotAfter and otherwise 0 for
' a valid certificate
'
' If pTimeToVerify is NULL, uses the current time.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Verify the time validity of a CRL.
'
' Returns -1 if before ThisUpdate, +1 if after NextUpdate and otherwise 0 for
' a valid CRL
'
' If pTimeToVerify is NULL, uses the current time.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Verify that the subject's time validity nests within the issuer's time
' validity.
'
' Returns TRUE if it nests. Otherwise, returns FALSE.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Verify that the subject certificate isn't on its issuer CRL.
'
' Returns true if the certificate isn't on the CRL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Convert the CAPI AlgId to the ASN.1 Object Identifier string
'
' Returns NULL if there isn't an ObjId corresponding to the AlgId.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Convert the ASN.1 Object Identifier string to the CAPI AlgId.
'
' Returns 0 if there isn't an AlgId corresponding to the ObjId.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Find an extension identified by its Object Identifier.
'
' If found, returns pointer to the extension. Otherwise, returns NULL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Find the first attribute identified by its Object Identifier.
'
' If found, returns pointer to the attribute. Otherwise, returns NULL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Find the first CERT_RDN attribute identified by its Object Identifier in
' the name's list of Relative Distinguished Names.
'
' If found, returns pointer to the attribute. Otherwise, returns NULL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Get the intended key usage bytes from the certificate.
'
' If the certificate doesn't have any intended key usage bytes, returns FALSE
' and *pbKeyUsage is zeroed. Otherwise, returns TRUE and up through
' cbKeyUsage bytes are copied into *pbKeyUsage. Any remaining uncopied
' bytes are zeroed.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Install a previously CryptAcquiredContext'ed HCRYPTPROV to be used as
' a default context.
'
' dwDefaultType and pvDefaultPara specify where the default context is used.
' For example, install the HCRYPTPROV to be used to verify certificate's
' having szOID_OIWSEC_md5RSA signatures.
'
' By default, the installed HCRYPTPROV is only applicable to the current
' thread. Set CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG to allow the HCRYPTPROV
' to be used by all threads in the current process.
'
' For a successful install, TRUE is returned and *phDefaultContext is
' updated with the HANDLE to be passed to CryptUninstallDefaultContext.
'
' HCRYPTPROV is checked first). All thread installed HCRYPTPROVs are
' checked before any process HCRYPTPROVs.
'
' The installed HCRYPTPROV remains available for default usage until
' CryptUninstallDefaultContext is called or the thread or process exits.
'
' If CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG is set, then, the HCRYPTPROV
' is CryptReleaseContext'ed at thread or process exit. However,
' not CryptReleaseContext'ed if CryptUninstallDefaultContext is
' called.
'--------------------------------------------------------------------------
' dwFlags
Public Const CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG As Long = &H00000001
Public Const CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG As Long = &H00000002
' List of dwDefaultType's
Public Const CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID As Long = 1
Public Const CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID As Long = 2
'+-------------------------------------------------------------------------
' CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID
'
' Install a default HCRYPTPROV used to verify a certificate
' signature. pvDefaultPara points to the szOID of the certificate
' signature algorithm, for example, szOID_OIWSEC_md5RSA. If
' pvDefaultPara is NULL, then, the HCRYPTPROV is used to verify all
' certificate signatures. Note, pvDefaultPara can't be NULL when
' CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG is set.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID
'
' Same as CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID. However, the default
' HCRYPTPROV is to be used for multiple signature szOIDs. pvDefaultPara
' points to a CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA structure containing
' an array of szOID pointers.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Uninstall a default context previously installed by
' CryptInstallDefaultContext.
'
' For a default context installed with CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG
' set, if any other threads are currently using this context,
' this function will block until they finish.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Export the public key info associated with the provider's corresponding
' private key.
'
' Calls CryptExportPublicKeyInfo with pszPublicKeyObjId = szOID_RSA_RSA,
' dwFlags = 0 and pvAuxInfo = NULL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Export the public key info associated with the provider's corresponding
' private key.
'
' Uses the dwCertEncodingType and pszPublicKeyObjId to call the
' installable CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC. The called function
' has the same signature as CryptExportPublicKeyInfoEx.
'
' If unable to find an installable OID function for the pszPublicKeyObjId,
'
' The dwFlags and pvAuxInfo aren't used for szOID_RSA_RSA.
'--------------------------------------------------------------------------
Public Const CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC As String = "CryptDllExportPublicKeyInfoEx"
'+-------------------------------------------------------------------------
' Convert and import the public key info into the provider and return a
' handle to the public key.
'
' Calls CryptImportPublicKeyInfoEx with aiKeyAlg = 0, dwFlags = 0 and
' pvAuxInfo = NULL.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Convert and import the public key info into the provider and return a
' handle to the public key.
'
' Uses the dwCertEncodingType and pInfo->Algorithm.pszObjId to call the
' installable CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC. The called function
' has the same signature as CryptImportPublicKeyInfoEx.
'
' If unable to find an installable OID function for the pszObjId,
'
' For szOID_RSA_RSA: aiKeyAlg may be set to CALG_RSA_SIGN or CALG_RSA_KEYX.
' Defaults to CALG_RSA_KEYX. The dwFlags and pvAuxInfo aren't used.
'--------------------------------------------------------------------------
Public Const CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC As String = "CryptDllImportPublicKeyInfoEx"
'+-------------------------------------------------------------------------
' Acquire a HCRYPTPROV handle and dwKeySpec for the specified certificate
' context. Uses the certificate's CERT_KEY_PROV_INFO_PROP_ID property.
' The returned HCRYPTPROV handle may optionally be cached using the
' certificate's CERT_KEY_CONTEXT_PROP_ID property.
'
' If CRYPT_ACQUIRE_CACHE_FLAG is set, then, if an already acquired and
' cached HCRYPTPROV exists for the certificate, its returned. Otherwise,
' a HCRYPTPROV is acquired and then cached via the certificate's
' CERT_KEY_CONTEXT_PROP_ID.
'
' The CRYPT_ACQUIRE_USE_PROV_INFO_FLAG can be set to use the dwFlags field of
' the certificate's CERT_KEY_PROV_INFO_PROP_ID property's CRYPT_KEY_PROV_INFO
' data structure to determine if the returned HCRYPTPROV should be cached.
' HCRYPTPROV caching is enabled if the CERT_SET_KEY_CONTEXT_PROP_ID flag was
' set.
'
' If CRYPT_ACQUIRE_COMPARE_KEY_FLAG is set, then,
' the public key in the certificate is compared with the public
' key returned by the cryptographic provider. If the keys don't match, the
' acquire fails and LastError is set to NTE_BAD_PUBLIC_KEY. Note, if
' a cached HCRYPTPROV is returned, the comparison isn't done. We assume the
' comparison was done on the initial acquire.
'
' *pfCallerFreeProv is returned set to FALSE for:
' - Acquire or public key comparison fails.
' - CRYPT_ACQUIRE_CACHE_FLAG is set.
' - CRYPT_ACQUIRE_USE_PROV_INFO_FLAG is set AND
' CERT_SET_KEY_CONTEXT_PROP_ID flag is set in the dwFlags field of the
' certificate's CERT_KEY_PROV_INFO_PROP_ID property's
' CRYPT_KEY_PROV_INFO data structure.
' When *pfCallerFreeProv is FALSE, the caller must not release. The
' returned HCRYPTPROV will be released on the last free of the certificate
' context.
'
' Otherwise, *pfCallerFreeProv is TRUE and the returned HCRYPTPROV must
' be released by the caller by calling CryptReleaseContext.
'--------------------------------------------------------------------------
Public Const CRYPT_ACQUIRE_CACHE_FLAG As Long = &H1
Public Const CRYPT_ACQUIRE_USE_PROV_INFO_FLAG As Long = &H2
Public Const CRYPT_ACQUIRE_COMPARE_KEY_FLAG As Long = &H4
'+-------------------------------------------------------------------------
' Enumerates the cryptographic providers and their containers to find the
' private key corresponding to the certificate's public key. For a match,
' the certificate's CERT_KEY_PROV_INFO_PROP_ID property is updated.
'
' If the CERT_KEY_PROV_INFO_PROP_ID is already set, then, its checked to
' see if it matches the provider's public key. For a match, the above
' enumeration is skipped.
'
' By default both the user and machine key containers are searched.
' The CRYPT_FIND_USER_KEYSET_FLAG or CRYPT_FIND_MACHINE_KEYSET_FLAG
' can be set in dwFlags to restrict the search to either of the containers.
'
' If a container isn't found, returns FALSE with LastError set to
' NTE_NO_KEY.
'--------------------------------------------------------------------------
Public Const CRYPT_FIND_USER_KEYSET_FLAG As Long = &H1
Public Const CRYPT_FIND_MACHINE_KEYSET_FLAG As Long = &H2
'+-------------------------------------------------------------------------
' This is the prototype for the installable function which is called to
' actually import a key into a CSP. an installable of this type is called
' from CryptImportPKCS8. the algorithm OID of the private key is used
' to look up the proper installable function to call.
'
' hCryptProv - the provider to import the key to
' pPrivateKeyInfo - describes the key to be imported
' dwFlags - The available flags are:
' CRYPT_EXPORTABLE
' this flag is used when importing private keys, for a full
' explanation please see the documentation for CryptImportKey.
' pvAuxInfo - reserved for future, must be NULL
'--------------------------------------------------------------------------
Public Const CRYPT_OID_IMPORT_PRIVATE_KEY_INFO_FUNC As String = "CryptDllImportPrivateKeyInfoEx"
'+-------------------------------------------------------------------------
' and return a handle to the provider as well as the KeySpec used to import to.
'
' This function will call the PRESOLVE_HCRYPTPROV_FUNC in the
' privateKeyAndParams to obtain a handle of provider to import the key to.
' if the PRESOLVE_HCRYPTPROV_FUNC is NULL then the default provider will be used.
'
' privateKeyAndParams - private key blob and corresponding parameters
' dwFlags - The available flags are:
' CRYPT_EXPORTABLE
' this flag is used when importing private keys, for a full
' explanation please see the documentation for CryptImportKey.
' phCryptProv - filled in with the handle of the provider the key was
' imported to, the caller is responsible for freeing it
' pvAuxInfo - This parameter is reserved for future use and should be set
' to NULL in the interim.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' this is the prototype for installable functions for exporting the private key
'--------------------------------------------------------------------------
Public Const CRYPT_OID_EXPORT_PRIVATE_KEY_INFO_FUNC As String = "CryptDllExportPrivateKeyInfoEx"
Public Const CRYPT_DELETE_KEYSET As Long = &H0001
'+-------------------------------------------------------------------------
' CryptExportPKCS8 -- superseded by CryptExportPKCS8Ex
'
' Export the private key in PKCS8 format
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CryptExportPKCS8Ex
'
' Export the private key in PKCS8 format
'
'
' Uses the pszPrivateKeyObjId to call the
' installable CRYPT_OID_EXPORT_PRIVATE_KEY_INFO_FUNC. The called function
' has the signature defined by PFN_EXPORT_PRIV_KEY_FUNC.
'
' If unable to find an installable OID function for the pszPrivateKeyObjId,
'
' psExportParams - specifies information about the key to export
' dwFlags - The flag values. None currently supported
' pvAuxInfo - This parameter is reserved for future use and should be set to
' NULL in the interim.
' pbPrivateKeyBlob - A pointer to the private key blob. It will be encoded
' as a PKCS8 PrivateKeyInfo.
' pcbPrivateKeyBlob - A pointer to a DWORD that contains the size, in bytes,
' of the private key blob being exported.
'+-------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Compute the hash of the encoded public key info.
'
' The public key info is encoded and then hashed.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Convert a Name Value to a null terminated char string
'
' Returns the number of characters converted including the terminating null
' character. If psz is NULL or csz is 0, returns the required size of the
'
' If psz != NULL && csz != 0, returned psz is always NULL terminated.
'
' Note: csz includes the NULL char.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Convert a Name Value to a null terminated char string
'
' Returns the number of characters converted including the terminating null
' character. If psz is NULL or csz is 0, returns the required size of the
'
' If psz != NULL && csz != 0, returned psz is always NULL terminated.
'
' Note: csz includes the NULL char.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Convert the certificate name blob to a null terminated char string.
'
' Follows the string representation of distinguished names specified in
' empty strings and don't quote strings containing consecutive spaces).
' RDN values of type CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING are
'
' The name string is formatted according to the dwStrType:
' CERT_SIMPLE_NAME_STR
' The object identifiers are discarded. CERT_RDN entries are separated
' by ", ". Multiple attributes per CERT_RDN are separated by " + ".
' For example:
' Microsoft, Joe Cool + Programmer
' CERT_OID_NAME_STR
' The object identifiers are included with a "=" separator from their
' attribute value. CERT_RDN entries are separated by ", ".
' Multiple attributes per CERT_RDN are separated by " + ". For example:
' 2.5.4.11=Microsoft, 2.5.4.3=Joe Cool + 2.5.4.12=Programmer
' CERT_X500_NAME_STR
' The object identifiers are converted to their X500 key name. Otherwise,
' same as CERT_OID_NAME_STR. If the object identifier doesn't have
' a corresponding X500 key name, then, the object identifier is used with
' a "OID." prefix. For example:
' OU=Microsoft, CN=Joe Cool + T=Programmer, OID.1.2.3.4.5.6=Unknown
'
' We quote the RDN value if it contains leading or trailing whitespace
' or one of the following characters: ",", "+", "=", """, "\n", "<", ">",
' "#" or ";". The quoting character is ". If the the RDN Value contains
' OU=" Microsoft", CN="Joe ""Cool""" + T="Programmer, Manager"
'
' CERT_NAME_STR_SEMICOLON_FLAG can be or'ed into dwStrType to replace
' the ", " separator with a "; " separator.
'
' CERT_NAME_STR_CRLF_FLAG can be or'ed into dwStrType to replace
' the ", " separator with a "\r\n" separator.
'
' CERT_NAME_STR_NO_PLUS_FLAG can be or'ed into dwStrType to replace the
' " + " separator with a single space, " ".
'
' CERT_NAME_STR_NO_QUOTING_FLAG can be or'ed into dwStrType to inhibit
' the above quoting.
'
' CERT_NAME_STR_REVERSE_FLAG can be or'ed into dwStrType to reverse the
' order of the RDNs before converting to the string.
'
' By default, CERT_RDN_T61_STRING encoded values are initially decoded
' as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
' CERT_NAME_STR_DISABLE_IE4_UTF8_FLAG can be or'ed into dwStrType to
' skip the initial attempt to decode as UTF8.
'
' Returns the number of characters converted including the terminating null
' character. If psz is NULL or csz is 0, returns the required size of the
'
' If psz != NULL && csz != 0, returned psz is always NULL terminated.
'
' Note: csz includes the NULL char.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate name string types
'--------------------------------------------------------------------------
Public Const CERT_SIMPLE_NAME_STR As Long = 1
Public Const CERT_OID_NAME_STR As Long = 2
Public Const CERT_X500_NAME_STR As Long = 3
'+-------------------------------------------------------------------------
' Certificate name string type flags OR'ed with the above types
'--------------------------------------------------------------------------
Public Const CERT_NAME_STR_SEMICOLON_FLAG As Long = &H40000000
Public Const CERT_NAME_STR_NO_PLUS_FLAG As Long = &H20000000
Public Const CERT_NAME_STR_NO_QUOTING_FLAG As Long = &H10000000
Public Const CERT_NAME_STR_CRLF_FLAG As Long = &H08000000
Public Const CERT_NAME_STR_COMMA_FLAG As Long = &H04000000
Public Const CERT_NAME_STR_REVERSE_FLAG As Long = &H02000000
Public Const CERT_NAME_STR_DISABLE_IE4_UTF8_FLAG As Long = &H00010000
Public Const CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG As Long = &H00020000
Public Const CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG As Long = &H00040000
'+-------------------------------------------------------------------------
' Convert the null terminated X500 string to an encoded certificate name.
'
' The input string is expected to be formatted the same as the output
' from the above CertNameToStr API.
'
' The CERT_SIMPLE_NAME_STR type isn't supported. Otherwise, when dwStrType
' is set to 0, CERT_OID_NAME_STR or CERT_X500_NAME_STR, allow either a
'
' If no flags are OR'ed into dwStrType, then, allow "," or ";" as RDN
' separators and "+" as the multiple RDN value separator. Quoting is
' supported. A quote may be included in a quoted value by double quoting,
' as ascii hex and converted to a CERT_RDN_OCTET_STRING. Embedded whitespace
'
' Whitespace surrounding the keys, object identifers and values is removed.
'
' CERT_NAME_STR_COMMA_FLAG can be or'ed into dwStrType to only allow the
' "," as the RDN separator.
'
' CERT_NAME_STR_SEMICOLON_FLAG can be or'ed into dwStrType to only allow the
' ";" as the RDN separator.
'
' CERT_NAME_STR_CRLF_FLAG can be or'ed into dwStrType to only allow
' "\r" or "\n" as the RDN separator.
'
' CERT_NAME_STR_NO_PLUS_FLAG can be or'ed into dwStrType to ignore "+"
' as a separator and not allow multiple values per RDN.
'
' CERT_NAME_STR_NO_QUOTING_FLAG can be or'ed into dwStrType to inhibit
' quoting.
'
' CERT_NAME_STR_REVERSE_FLAG can be or'ed into dwStrType to reverse the
' order of the RDNs after converting from the string and before encoding.
'
' CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG can be or'ed into dwStrType to
' to select the CERT_RDN_T61_STRING encoded value type instead of
' CERT_RDN_UNICODE_STRING if all the UNICODE characters are <= 0xFF.
'
' CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG can be or'ed into dwStrType to
' to select the CERT_RDN_UTF8_STRING encoded value type instead of
' CERT_RDN_UNICODE_STRING.
'
' Support the following X500 Keys:
'
' --- ----------------- -----------------
' CN szOID_COMMON_NAME Printable, Unicode
' L szOID_LOCALITY_NAME Printable, Unicode
' O szOID_ORGANIZATION_NAME Printable, Unicode
' OU szOID_ORGANIZATIONAL_UNIT_NAME Printable, Unicode
' E szOID_RSA_emailAddr Only IA5
' Email szOID_RSA_emailAddr Only IA5
' C szOID_COUNTRY_NAME Only Printable
' S szOID_STATE_OR_PROVINCE_NAME Printable, Unicode
' ST szOID_STATE_OR_PROVINCE_NAME Printable, Unicode
' STREET szOID_STREET_ADDRESS Printable, Unicode
' T szOID_TITLE Printable, Unicode
' Title szOID_TITLE Printable, Unicode
' G szOID_GIVEN_NAME Printable, Unicode
' GivenName szOID_GIVEN_NAME Printable, Unicode
' I szOID_INITIALS Printable, Unicode
' Initials szOID_INITIALS Printable, Unicode
' SN szOID_SUR_NAME Printable, Unicode
' DC szOID_DOMAIN_COMPONENT IA5, UTF8
'
' Note, T61 is selected instead of Unicode if
' CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG is set and all the unicode
' characters are <= 0xFF.
'
' Note, UTF8 is selected instead of Unicode if
' CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG is set.
'
' Returns TRUE if successfully parsed the input string and encoded
' the name.
'
' If the input string is detected to be invalid, *ppszError is updated
' to point to the beginning of the invalid character sequence. Otherwise,
' *ppszError is set to NULL. *ppszError is updated with a non-NULL pointer
' for the following errors:
' CRYPT_E_INVALID_X500_STRING
' CRYPT_E_INVALID_NUMERIC_STRING
' CRYPT_E_INVALID_PRINTABLE_STRING
' CRYPT_E_INVALID_IA5_STRING
'
' ppszError can be set to NULL if not interested in getting a pointer
' to the invalid character sequence.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Get the subject or issuer name from the certificate and
' according to the specified format type, convert to a null terminated
' character string.
'
' CERT_NAME_ISSUER_FLAG can be set to get the issuer's name. Otherwise,
' gets the subject's name.
'
' By default, CERT_RDN_T61_STRING encoded values are initially decoded
' as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
' CERT_NAME_DISABLE_IE4_UTF8_FLAG can be set in dwFlags to
' skip the initial attempt to decode as UTF8.
'
' The name string is formatted according to the dwType:
' CERT_NAME_EMAIL_TYPE
' issuer, Issuer Alternative Name), searches for first rfc822Name choice.
' If the rfc822Name choice isn't found in the extension, searches the
' Subject Name field for the Email OID, "1.2.840.113549.1.9.1".
' If the rfc822Name or Email OID is found, returns the string. Otherwise,
' CERT_NAME_RDN_TYPE
' Converts the Subject Name blob by calling CertNameToStr. pvTypePara
' points to a DWORD containing the dwStrType passed to CertNameToStr.
' If the Subject Name field is empty and the certificate has a
' Subject Alternative Name extension, searches for and converts
' the first directoryName choice.
' CERT_NAME_ATTR_TYPE
' pvTypePara points to the Object Identifier specifying the name attribute
' to be returned. For example, to get the CN,
' field for the attribute.
' If the Subject Name field is empty and the certificate has a
' Subject Alternative Name extension, checks for
' the first directoryName choice and searches it.
'
' Note, searches the RDNs in reverse order.
'
' CERT_NAME_SIMPLE_DISPLAY_TYPE
' Iterates through the following list of name attributes and searches
' the Subject Name and then the Subject Alternative Name extension
' for the first occurrence of:
'
' If none of the above attributes is found, then, searches the
' Subject Alternative Name extension for a rfc822Name choice.
'
' If still no match, then, returns the first attribute.
'
' Note, like CERT_NAME_ATTR_TYPE, searches the RDNs in reverse order.
'
' CERT_NAME_FRIENDLY_DISPLAY_TYPE
' First checks if the certificate has a CERT_FRIENDLY_NAME_PROP_ID
' property. If it does, then, this property is returned. Otherwise,
' returns the above CERT_NAME_SIMPLE_DISPLAY_TYPE.
'
' Returns the number of characters converted including the terminating null
' character. If pwszNameString is NULL or cchNameString is 0, returns the
' char). If the specified name type isn't found. returns an empty string
' with a returned character count of 1.
'
' If pwszNameString != NULL && cwszNameString != 0, returned pwszNameString
' is always NULL terminated.
'
' Note: cchNameString includes the NULL char.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Certificate name types
'--------------------------------------------------------------------------
Public Const CERT_NAME_EMAIL_TYPE As Long = 1
Public Const CERT_NAME_RDN_TYPE As Long = 2
Public Const CERT_NAME_ATTR_TYPE As Long = 3
Public Const CERT_NAME_SIMPLE_DISPLAY_TYPE As Long = 4
Public Const CERT_NAME_FRIENDLY_DISPLAY_TYPE As Long = 5
'+-------------------------------------------------------------------------
' Certificate name flags
'--------------------------------------------------------------------------
Public Const CERT_NAME_ISSUER_FLAG As Long = &H1
Public Const CERT_NAME_DISABLE_IE4_UTF8_FLAG As Long = &H00010000
'+=========================================================================
' Simplified Cryptographic Message Data Structures and APIs
'==========================================================================
'+-------------------------------------------------------------------------
' Conventions for the *pb and *pcb output parameters:
'
' Upon entry to the function:
' if pcb is OPTIONAL && pcb == NULL, then,
' No output is returned
' else if pb == NULL && pcb != NULL, then,
' Length only determination. No length error is
' returned.
' Output is returned. If *pcb isn't big enough a
' length error is returned. In all cases *pcb is updated
' with the actual length needed/returned.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Type definitions of the parameters used for doing the cryptographic
' operations.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Callback to get and verify the signer's certificate.
'
' handle to its cryptographic signed message's cert store.
'
' For CRYPT_E_NO_SIGNER, called with pSignerId == NULL.
'
' For a valid signer certificate, returns a pointer to a read only
' CERT_CONTEXT. The returned CERT_CONTEXT is either obtained from a
' cert store or was created via CertCreateCertificateContext. For either case,
' its freed via CertFreeCertificateContext.
'
' If a valid certificate isn't found, this callback returns NULL with
'
' The NULL implementation tries to get the Signer certificate from the
' message cert store. It doesn't verify the certificate.
'
' Note, if the KEYID choice was selected for a CMS SignerId, then, the
' SerialNumber is 0 and the Issuer is encoded containing a single RDN with a
' single Attribute whose OID is szOID_KEYID_RDN, value type is
' CERT_RDN_OCTET_STRING and value is the KEYID. When the
' CertGetSubjectCertificateFromStore and
' special KEYID Issuer and SerialNumber, they do a KEYID match.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' The CRYPT_SIGN_MESSAGE_PARA are used for signing messages using the
' specified signing certificate context.
'
' Either the CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID must
' be set for each rgpSigningCert[]. Either one specifies the private
' signature key to use.
'
' If any certificates and/or CRLs are to be included in the signed message,
' then, the MsgCert and MsgCrl parameters need to be updated. If the
' rgpSigningCerts are to be included, then, they must also be in the
' rgpMsgCert array.
'
' LastError will be updated with E_INVALIDARG.
'
' pvHashAuxInfo currently isn't used and must be set to NULL.
'
' dwFlags normally is set to 0. However, if the encoded output
' is to be a CMSG_SIGNED inner content of an outer cryptographic message,
' such as a CMSG_ENVELOPED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
' should be set. If not set, then it would be encoded as an inner content
' type of CMSG_DATA.
'
' dwInnerContentType is normally set to 0. It needs to be set if the
' ToBeSigned input is the encoded output of another cryptographic
' message, such as, an CMSG_ENVELOPED. When set, it's one of the cryptographic
' message types, for example, CMSG_ENVELOPED.
'
' the default), then, neither dwFlags or dwInnerContentType need to be set.
'
' For CMS messages, CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG may be
' set to encapsulate nonData inner content within an OCTET STRING.
'
' For CMS messages, CRYPT_MESSAGE_KEYID_SIGNER_FLAG may be set to identify
' signers by their Key Identifier and not their Issuer and Serial Number.
'
' If HashEncryptionAlgorithm is present and not NULL its used instead of
' the SigningCert's PublicKeyInfo.Algorithm.
'
' Note, for RSA, the hash encryption algorithm is normally the same as
' the public key algorithm. For DSA, the hash encryption algorithm is
' normally a DSS signature algorithm.
'
' pvHashEncryptionAuxInfo currently isn't used and must be set to NULL if
' present in the data structure.
'--------------------------------------------------------------------------
Public Const CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG As Long = &H1
' When set, nonData type inner content is encapsulated within an
' OCTET STRING
Public Const CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG As Long = &H2
' When set, signers are identified by their Key Identifier and not
' their Issuer and Serial Number.
Public Const CRYPT_MESSAGE_KEYID_SIGNER_FLAG As Long = &H4
'+-------------------------------------------------------------------------
' The CRYPT_VERIFY_MESSAGE_PARA are used to verify signed messages.
'
' hCryptProv is used to do hashing and signature verification.
'
' The dwCertEncodingType specifies the encoding type of the certificates
' and/or CRLs in the message.
'
' pfnGetSignerCertificate is called to get and verify the message signer's
' certificate.
'
' LastError will be updated with E_INVALIDARG.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' The CRYPT_ENCRYPT_MESSAGE_PARA are used for encrypting messages.
'
' hCryptProv is used to do content encryption, recipient key
' encryption, and recipient key export. Its private key
' isn't used.
'
' Currently, pvEncryptionAuxInfo is only defined for RC2 or RC4 encryption
' algorithms. Otherwise, its not used and must be set to NULL.
' See CMSG_RC2_AUX_INFO for the RC2 encryption algorithms.
' See CMSG_RC4_AUX_INFO for the RC4 encryption algorithms.
'
' To enable SP3 compatible encryption, pvEncryptionAuxInfo should point to
' a CMSG_SP3_COMPATIBLE_AUX_INFO data structure.
'
' LastError will be updated with E_INVALIDARG.
'
' dwFlags normally is set to 0. However, if the encoded output
' is to be a CMSG_ENVELOPED inner content of an outer cryptographic message,
' such as a CMSG_SIGNED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
' should be set. If not set, then it would be encoded as an inner content
' type of CMSG_DATA.
'
' dwInnerContentType is normally set to 0. It needs to be set if the
' ToBeEncrypted input is the encoded output of another cryptographic
' message, such as, an CMSG_SIGNED. When set, it's one of the cryptographic
' message types, for example, CMSG_SIGNED.
'
' the default), then, neither dwFlags or dwInnerContentType need to be set.
'
' For CMS messages, CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG may be
' set to encapsulate nonData inner content within an OCTET STRING before
' encrypting.
'
' For CMS messages, CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG may be set to identify
' recipients by their Key Identifier and not their Issuer and Serial Number.
'--------------------------------------------------------------------------
' When set, recipients are identified by their Key Identifier and not
' their Issuer and Serial Number.
Public Const CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG As Long = &H4
'+-------------------------------------------------------------------------
' The CRYPT_DECRYPT_MESSAGE_PARA are used for decrypting messages.
'
' The CertContext to use for decrypting a message is obtained from one
' of the specified cert stores. An encrypted message can have one or
' and SerialNumber). The cert stores are searched to find the CertContext
' corresponding to the CertId.
'
' For CMS, the recipients may also be identified by their KeyId.
'
' Only CertContexts in the store with either
' the CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID set
' can be used. Either property specifies the private exchange key to use.
'
' LastError will be updated with E_INVALIDARG.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' The CRYPT_HASH_MESSAGE_PARA are used for hashing or unhashing
' messages.
'
' hCryptProv is used to compute the hash.
'
' pvHashAuxInfo currently isn't used and must be set to NULL.
'
' LastError will be updated with E_INVALIDARG.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' The CRYPT_KEY_SIGN_MESSAGE_PARA are used for signing messages until a
' certificate has been created for the signature key.
'
' pvHashAuxInfo currently isn't used and must be set to NULL.
'
' If PubKeyAlgorithm isn't set, defaults to szOID_RSA_RSA.
'
' LastError will be updated with E_INVALIDARG.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' The CRYPT_KEY_VERIFY_MESSAGE_PARA are used to verify signed messages without
' a certificate for the signer.
'
' Normally used until a certificate has been created for the key.
'
' hCryptProv is used to do hashing and signature verification.
'
' LastError will be updated with E_INVALIDARG.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Sign the message.
'
' If fDetachedSignature is TRUE, the "to be signed" content isn't included
' in the encoded signed blob.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Verify a signed message.
'
' If pbDecoded == NULL, then, *pcbDecoded is implicitly set to 0 on input.
' For *pcbDecoded == 0 && ppSignerCert == NULL on input, the signer isn't
' verified.
'
' A message might have more than one signer. Set dwSignerIndex to iterate
' through all the signers. dwSignerIndex == 0 selects the first signer.
'
' pVerifyPara's pfnGetSignerCertificate is called to get the signer's
' certificate.
'
' For a verified signer and message, *ppSignerCert is updated
' with the CertContext of the signer. It must be freed by calling
' CertFreeCertificateContext. Otherwise, *ppSignerCert is set to NULL.
'
' ppSignerCert can be NULL, indicating the caller isn't interested
' in getting the CertContext of the signer.
'
' pcbDecoded can be NULL, indicating the caller isn't interested in getting
' the decoded content. Furthermore, if the message doesn't contain any
' content or signers, then, pcbDecoded must be set to NULL, to allow the
' pVerifyPara->pfnGetCertificate to be called. Normally, this would be
' the case when the signed message contains only certficates and CRLs.
' If pcbDecoded is NULL and the message doesn't have the indicated signer,
' pfnGetCertificate is called with pSignerId set to NULL.
'
' If the message doesn't contain any signers || dwSignerIndex > message's
' SignerCount, then, an error is returned with LastError set to
' CRYPT_E_NO_SIGNER. Also, for CRYPT_E_NO_SIGNER, pfnGetSignerCertificate
' is still called with pSignerId set to NULL.
'
' Note, an alternative way to get the certificates and CRLs from a
' signed message is to call CryptGetMessageCertificates.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Returns the count of signers in the signed message. For no signers, returns
' 0. For an error returns -1 with LastError updated accordingly.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Returns the cert store containing the message's certs and CRLs.
' For an error, returns NULL with LastError updated.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' The "to be signed" content is passed in separately. No
' decoded output. Otherwise, identical to CryptVerifyMessageSignature.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Decrypts the message.
'
' If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
' For *pcbDecrypted == 0 && ppXchgCert == NULL on input, the message isn't
' decrypted.
'
' For a successfully decrypted message, *ppXchgCert is updated
' with the CertContext used to decrypt. It must be freed by calling
' CertStoreFreeCert. Otherwise, *ppXchgCert is set to NULL.
'
' ppXchgCert can be NULL, indicating the caller isn't interested
' in getting the CertContext used to decrypt.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' followed with a CryptEncryptMessage.
'
' Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. Its a CMSG_SIGNED
' inside of an CMSG_ENVELOPED.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Decrypts the message and verifies the signer. Does a CryptDecryptMessage
' followed with a CryptVerifyMessageSignature.
'
' If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
' For *pcbDecrypted == 0 && ppSignerCert == NULL on input, the signer isn't
' verified.
'
' A message might have more than one signer. Set dwSignerIndex to iterate
' through all the signers. dwSignerIndex == 0 selects the first signer.
'
' The pVerifyPara's VerifySignerPolicy is called to verify the signer's
' certificate.
'
' For a successfully decrypted and verified message, *ppXchgCert and
' *ppSignerCert are updated. They must be freed by calling
' CertStoreFreeCert. Otherwise, they are set to NULL.
'
' ppXchgCert and/or ppSignerCert can be NULL, indicating the
' caller isn't interested in getting the CertContext.
'
' Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. Its a CMSG_SIGNED
' inside of an CMSG_ENVELOPED.
'
' The message always needs to be decrypted to allow access to the
' signed message. Therefore, if ppXchgCert != NULL, its always updated.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Decodes a cryptographic message which may be one of the following types:
' CMSG_DATA
' CMSG_SIGNED
' CMSG_ENVELOPED
' CMSG_SIGNED_AND_ENVELOPED
' CMSG_HASHED
'
' dwMsgTypeFlags specifies the set of allowable messages. For example, to
' decode either SIGNED or ENVELOPED messages, set dwMsgTypeFlags to:
' CMSG_SIGNED_FLAG | CMSG_ENVELOPED_FLAG.
'
' dwProvInnerContentType is only applicable when processing nested
' crytographic messages. When processing an outer crytographic message
' it must be set to 0. When decoding a nested cryptographic message
' its the dwInnerContentType returned by a previous CryptDecodeMessage
' of the outer message. The InnerContentType can be any of the CMSG types,
' for example, CMSG_DATA, CMSG_SIGNED, ...
'
' The optional *pdwMsgType is updated with the type of message.
'
' The optional *pdwInnerContentType is updated with the type of the inner
' message. Unless there is cryptographic message nesting, CMSG_DATA
' is returned.
'
' For CMSG_DATA: returns decoded content.
' For CMSG_SIGNED: same as CryptVerifyMessageSignature.
' For CMSG_ENVELOPED: same as CryptDecryptMessage.
' For CMSG_SIGNED_AND_ENVELOPED: same as CryptDecryptMessage plus
' CryptVerifyMessageSignature.
' For CMSG_HASHED: verifies the hash and returns decoded content.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Hash the message.
'
' If fDetachedHash is TRUE, only the ComputedHash is encoded in the
' pbHashedBlob. Otherwise, both the ToBeHashed and ComputedHash
' are encoded.
'
' pcbHashedBlob or pcbComputedHash can be NULL, indicating the caller
' isn't interested in getting the output.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Verify a hashed message.
'
' pcbToBeHashed or pcbComputedHash can be NULL,
' indicating the caller isn't interested in getting the output.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Verify a hashed message containing a detached hash.
' The "to be hashed" content is passed in separately. No
' decoded output. Otherwise, identical to CryptVerifyMessageHash.
'
' pcbComputedHash can be NULL, indicating the caller isn't interested
' in getting the output.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Sign the message using the provider's private key specified in the
' parameters. A dummy SignerId is created and stored in the message.
'
' Normally used until a certificate has been created for the key.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Verify a signed message using the specified public key info.
'
' Normally called by a CA until it has created a certificate for the
' key.
'
' pPublicKeyInfo contains the public key to use to verify the signed
' content may contain the PublicKeyInfo).
'
' pcbDecoded can be NULL, indicating the caller isn't interested
' in getting the decoded content.
'--------------------------------------------------------------------------
'+=========================================================================
' System Certificate Store Data Structures and APIs
'==========================================================================
'+-------------------------------------------------------------------------
' Get a system certificate store based on a subsystem protocol.
'
' Current examples of subsystems protocols are:
' "MY" Cert Store hold certs with associated Private Keys
' "CA" Certifying Authority certs
' "ROOT" Root Certs
' "SPC" Software publisher certs
'
'
' If hProv is NULL the default provider "1" is opened for you.
' When the store is closed the provider is release. Otherwise
' if hProv is not NULL, no provider is created or released.
'
' The returned Cert Store can be searched for an appropriate Cert
'
' When done, the cert store should be closed using CertStoreClose
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Find all certificate chains tying the given issuer name to any certificate
' that the current user has a private key for.
'
' If no certificate chain is found, FALSE is returned with LastError set
' to CRYPT_E_NOT_FOUND and the counts zeroed.
'
' IE 3.0 ASSUMPTION:
' The client certificates are in the "My" system store. The issuer
' cerificates may be in the "Root", "CA" or "My" system stores.
'--------------------------------------------------------------------------
' WINCRYPT32API This is not exported by crypt32, it is exported by softpub
'-------------------------------------------------------------------------
'
' CryptQueryObject takes a CERT_BLOB or a file name and returns the
' information about the content in the blob or in the file.
'
' Parameters:
' INPUT dwObjectType:
' Indicate the type of the object. Should be one of the
' following:
' CERT_QUERY_OBJECT_FILE
' CERT_QUERY_OBJECT_BLOB
'
' INPUT pvObject:
' If dwObjectType == CERT_QUERY_OBJECT_FILE, it is a
' LPWSTR, that is, the pointer to a wchar file name
' if dwObjectType == CERT_QUERY_OBJECT_BLOB, it is a
' PCERT_BLOB, that is, a pointer to a CERT_BLOB
'
' INPUT dwExpectedContentTypeFlags:
' Indicate the expected contenet type.
' Can be one of the following:
' CERT_QUERY_CONTENT_FLAG_CERT
' CERT_QUERY_CONTENT_FLAG_CTL
' CERT_QUERY_CONTENT_FLAG_CRL
' CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE
' CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT
' CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL
' CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL
' CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED
' CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED
' CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED
' CERT_QUERY_CONTENT_FLAG_PKCS10
' CERT_QUERY_CONTENT_FLAG_PFX
' CERT_QUERY_CONTENT_FLAG_CERT_PAIR
'
' INPUT dwExpectedFormatTypeFlags:
' Indicate the expected format type.
' Can be one of the following:
' CERT_QUERY_FORMAT_FLAG_BINARY
' CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED
' CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED
'
'
' INPUT dwFlags
' Reserved flag. Should always set to 0
'
' OUTPUT pdwMsgAndCertEncodingType
' Optional output. If NULL != pdwMsgAndCertEncodingType,
' it contains the encoding type of the content as any
' combination of the following:
' X509_ASN_ENCODING
' PKCS_7_ASN_ENCODING
'
' OUTPUT pdwContentType
' Optional output. If NULL!=pdwContentType, it contains
' the content type as one of the the following:
' CERT_QUERY_CONTENT_CERT
' CERT_QUERY_CONTENT_CTL
' CERT_QUERY_CONTENT_CRL
' CERT_QUERY_CONTENT_SERIALIZED_STORE
' CERT_QUERY_CONTENT_SERIALIZED_CERT
' CERT_QUERY_CONTENT_SERIALIZED_CTL
' CERT_QUERY_CONTENT_SERIALIZED_CRL
' CERT_QUERY_CONTENT_PKCS7_SIGNED
' CERT_QUERY_CONTENT_PKCS7_UNSIGNED
' CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
' CERT_QUERY_CONTENT_PKCS10
' CERT_QUERY_CONTENT_PFX
' CERT_QUERY_CONTENT_CERT_PAIR
'
' OUTPUT pdwFormatType
' Optional output. If NULL !=pdwFormatType, it
' contains the format type of the content as one of the
' following:
' CERT_QUERY_FORMAT_BINARY
' CERT_QUERY_FORMAT_BASE64_ENCODED
' CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED
'
'
' OUTPUT phCertStore
' Optional output. If NULL !=phStore,
' it contains a cert store that includes all of certificates,
' CRL, and CTL in the object if the object content type is
' one of the following:
' CERT_QUERY_CONTENT_CERT
' CERT_QUERY_CONTENT_CTL
' CERT_QUERY_CONTENT_CRL
' CERT_QUERY_CONTENT_SERIALIZED_STORE
' CERT_QUERY_CONTENT_SERIALIZED_CERT
' CERT_QUERY_CONTENT_SERIALIZED_CTL
' CERT_QUERY_CONTENT_SERIALIZED_CRL
' CERT_QUERY_CONTENT_PKCS7_SIGNED
' CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
' CERT_QUERY_CONTENT_CERT_PAIR
'
' Caller should free *phCertStore via CertCloseStore.
'
'
' OUTPUT phMsg Optional output. If NULL != phMsg,
' it contains a handle to a opened message if
' the content type is one of the following:
' CERT_QUERY_CONTENT_PKCS7_SIGNED
' CERT_QUERY_CONTENT_PKCS7_UNSIGNED
' CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
'
' Caller should free *phMsg via CryptMsgClose.
'
' OUTPUT pContext Optional output. If NULL != pContext,
' it contains either a PCCERT_CONTEXT or PCCRL_CONTEXT,
' or PCCTL_CONTEXT based on the content type.
'
' If the content type is CERT_QUERY_CONTENT_CERT or
' CERT_QUERY_CONTENT_SERIALIZED_CERT, it is a PCCERT_CONTEXT;
' Caller should free the pContext via CertFreeCertificateContext.
'
' If the content type is CERT_QUERY_CONTENT_CRL or
' CERT_QUERY_CONTENT_SERIALIZED_CRL, it is a PCCRL_CONTEXT;
' Caller should free the pContext via CertFreeCRLContext.
'
' If the content type is CERT_QUERY_CONTENT_CTL or
' CERT_QUERY_CONTENT_SERIALIZED_CTL, it is a PCCTL_CONTEXT;
' Caller should free the pContext via CertFreeCTLContext.
'
' If the *pbObject is of type CERT_QUERY_CONTENT_PKCS10 or CERT_QUERY_CONTENT_PFX, CryptQueryObject
' will not return anything in *phCertstore, *phMsg, or *ppvContext.
'--------------------------------------------------------------------------
'-------------------------------------------------------------------------
'dwObjectType for CryptQueryObject
'-------------------------------------------------------------------------
Public Const CERT_QUERY_OBJECT_FILE As Long = &H00000001
Public Const CERT_QUERY_OBJECT_BLOB As Long = &H00000002
'-------------------------------------------------------------------------
'dwContentType for CryptQueryObject
'-------------------------------------------------------------------------
'encoded single certificate
Public Const CERT_QUERY_CONTENT_CERT As Long = 1
'encoded single CTL
Public Const CERT_QUERY_CONTENT_CTL As Long = 2
'encoded single CRL
Public Const CERT_QUERY_CONTENT_CRL As Long = 3
'serialized store
Public Const CERT_QUERY_CONTENT_SERIALIZED_STORE As Long = 4
'serialized single certificate
Public Const CERT_QUERY_CONTENT_SERIALIZED_CERT As Long = 5
'serialized single CTL
Public Const CERT_QUERY_CONTENT_SERIALIZED_CTL As Long = 6
'serialized single CRL
Public Const CERT_QUERY_CONTENT_SERIALIZED_CRL As Long = 7
'a PKCS#7 signed message
Public Const CERT_QUERY_CONTENT_PKCS7_SIGNED As Long = 8
'a PKCS#7 message, such as enveloped message. But it is not a signed message,
Public Const CERT_QUERY_CONTENT_PKCS7_UNSIGNED As Long = 9
'a PKCS7 signed message embedded in a file
Public Const CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED As Long = 10
'an encoded PKCS#10
Public Const CERT_QUERY_CONTENT_PKCS10 As Long = 11
'an encoded PKX BLOB
Public Const CERT_QUERY_CONTENT_PFX As Long = 12
Public Const CERT_QUERY_CONTENT_CERT_PAIR As Long = 13
'-------------------------------------------------------------------------
'dwExpectedConentTypeFlags for CryptQueryObject
'-------------------------------------------------------------------------
'encoded single certificate
'encoded single CTL
'encoded single CRL
'serialized store
'serialized single certificate
'serialized single CTL
'serialized single CRL
'an encoded PKCS#7 signed message
'an encoded PKCS#7 message. But it is not a signed message
'the content includes an embedded PKCS7 signed message
'an encoded PKCS#10
'an encoded PFX BLOB
'content can be any type
'-------------------------------------------------------------------------
'dwFormatType for CryptQueryObject
'-------------------------------------------------------------------------
'the content is in binary format
Public Const CERT_QUERY_FORMAT_BINARY As Long = 1
'the content is base64 encoded
Public Const CERT_QUERY_FORMAT_BASE64_ENCODED As Long = 2
'the content is ascii hex encoded with "{ASN}" prefix
Public Const CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED As Long = 3
'-------------------------------------------------------------------------
'dwExpectedFormatTypeFlags for CryptQueryObject
'-------------------------------------------------------------------------
'the content is in binary format
'the content is base64 encoded
'the content is ascii hex encoded with "{ASN}" prefix
'the content can be of any format
'
' Crypt32 Memory Management Routines. All Crypt32 API which return allocated
' buffers will do so via CryptMemAlloc, CryptMemRealloc. Clients can free
' those buffers using CryptMemFree. Also included is CryptMemSize
'
'
' Crypt32 Asynchronous Parameter Management Routines. All Crypt32 API which
' expose asynchronous mode operation use a Crypt32 Async Handle to pass
' around information about the operation e.g. callback routines. The
' following API are used for manipulation of the async handle
'
'
' Crypt32 Remote Object Retrieval Routines. This API allows retrieval of
' remote PKI objects where the location is given by an URL. The remote
' object retrieval manager exposes two provider models. One is the "Scheme
' Provider" model which allows for installable protocol providers as defined
' by the URL scheme e.g. ldap, http, ftp. The scheme provider entry point is
' the same as the CryptRetrieveObjectByUrl however the *ppvObject returned
' second provider model is the "Context Provider" model which allows for
' retrieved encoded bits. These are dispatched based on the object OID given
' in the call to CryptRetrieveObjectByUrl.
'
'
' Scheme Provider Signatures
'
Public Const SCHEME_OID_RETRIEVE_ENCODED_OBJECT_FUNC As String = "SchemeDllRetrieveEncodedObject"
'
' SchemeDllRetrieveEncodedObject has the following signature:
'
' IN LPCSTR pszUrl,
' IN LPCSTR pszObjectOid,
' IN DWORD dwRetrievalFlags,
' IN DWORD dwTimeout,
' OUT PCRYPT_BLOB_ARRAY pObject,
' OUT PFN_FREE_ENCODED_OBJECT_FUNC* ppfnFreeObject,
' OUT LPVOID* ppvFreeContext,
' IN HCRYPTASYNC hAsyncRetrieve,
' IN PCRYPT_CREDENTIALS pCredentials,
' IN PCRYPT_RETRIEVE_AUX_INFO pAuxInfo
' )
'
'
' Context Provider Signatures
'
Public Const CONTEXT_OID_CREATE_OBJECT_CONTEXT_FUNC As String = "ContextDllCreateObjectContext"
'
' ContextDllCreateObjectContext has the following signature:
'
' IN LPCSTR pszObjectOid,
' IN DWORD dwRetrievalFlags,
' IN PCRYPT_BLOB_ARRAY pObject,
' OUT LPVOID* ppvContext
' )
'
'
' Remote Object Retrieval API
'
'
' Retrieval flags
'
Public Const CRYPT_RETRIEVE_MULTIPLE_OBJECTS As Long = &H00000001
Public Const CRYPT_CACHE_ONLY_RETRIEVAL As Long = &H00000002
Public Const CRYPT_WIRE_ONLY_RETRIEVAL As Long = &H00000004
Public Const CRYPT_DONT_CACHE_RESULT As Long = &H00000008
Public Const CRYPT_ASYNC_RETRIEVAL As Long = &H00000010
Public Const CRYPT_STICKY_CACHE_RETRIEVAL As Long = &H00001000
Public Const CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL As Long = &H00002000
Public Const CRYPT_OFFLINE_CHECK_RETRIEVAL As Long = &H00004000
'
' Data verification retrieval flags
'
' CRYPT_VERIFY_CONTEXT_SIGNATURE is used to get signature verification
' on the context created. In this case pszObjectOid must be non-NULL and
' pvVerify points to the signer certificate context
'
' CRYPT_VERIFY_DATA_HASH is used to get verification of the blob data
' retrieved by the protocol. The pvVerify points to an URL_DATA_HASH
'
Public Const CRYPT_VERIFY_CONTEXT_SIGNATURE As Long = &H00000020
Public Const CRYPT_VERIFY_DATA_HASH As Long = &H00000040
'
' Time Valid Object flags
'
Public Const CRYPT_KEEP_TIME_VALID As Long = &H00000080
Public Const CRYPT_DONT_VERIFY_SIGNATURE As Long = &H00000100
Public Const CRYPT_DONT_CHECK_TIME_VALIDITY As Long = &H00000200
'
' Call back function to cancel object retrieval
'
' The function can be installed on a per thread basis.
' If CryptInstallCancelRetrieval is called for multiple times, only the most recent
' installation will be kept.
'
' This is only effective for http, https, gopher, and ftp protocol.
' It is ignored by the rest of the protocols.
'
' PFN_CRYPT_CANCEL_RETRIEVAL
'
' This function should return FALSE when the object retrieval should be continued
' and return TRUE when the object retrieval should be cancelled.
'
'
' Remote Object Async Retrieval parameters
'
'
' A client that wants to be notified of asynchronous object retrieval
' completion sets this parameter on the async handle
'
'
' This function is set on the async handle by a scheme provider that
' supports asynchronous retrieval
'
'
' Get the locator for a CAPI object
'
Public Const CRYPT_GET_URL_FROM_PROPERTY As Long = &H00000001
Public Const CRYPT_GET_URL_FROM_EXTENSION As Long = &H00000002
Public Const CRYPT_GET_URL_FROM_UNAUTH_ATTRIBUTE As Long = &H00000004
Public Const CRYPT_GET_URL_FROM_AUTH_ATTRIBUTE As Long = &H00000008
Public Const URL_OID_GET_OBJECT_URL_FUNC As String = "UrlDllGetObjectUrl"
'
' UrlDllGetObjectUrl has the same signature as CryptGetObjectUrl
'
'
' URL_OID_CERTIFICATE_ISSUER
'
' pvPara == PCCERT_CONTEXT, certificate whose issuer's URL is being requested
'
' This will be retrieved from the authority info access extension or property
' on the certificate
'
' URL_OID_CERTIFICATE_CRL_DIST_POINT
'
' pvPara == PCCERT_CONTEXT, certificate whose CRL distribution point is being
' requested
'
' This will be retrieved from the CRL distribution point extension or property
' on the certificate
'
' URL_OID_CTL_ISSUER
'
' by the signer index) is being requested
'
' This will be retrieved from an authority info access attribute method encoded
'
' URL_OID_CTL_NEXT_UPDATE
'
' pvPara == PCCTL_CONTEXT, Signer Index, CTL whose next update URL is being
' requested and an optional signer index in case we need to check signer
' info attributes
'
' This will be retrieved from an authority info access CTL extension, property,
' or signer info attribute method
'
' URL_OID_CRL_ISSUER
'
' pvPara == PCCRL_CONTEXT, CRL whose issuer's URL is being requested
'
' This will be retrieved from a property on the CRL which has been inherited
' cert distribution point extension). It will be encoded as an authority
' info access extension method.
'
' URL_OID_CERTIFICATE_FRESHEST_CRL
'
' pvPara == PCCERT_CONTEXT, certificate whose freshest CRL distribution point
' is being requested
'
' This will be retrieved from the freshest CRL extension or property
' on the certificate
'
' URL_OID_CRL_FRESHEST_CRL
'
' pvPara == PCCERT_CRL_CONTEXT_PAIR, certificate's base CRL whose
' freshest CRL distribution point is being requested
'
' This will be retrieved from the freshest CRL extension or property
' on the CRL
'
' URL_OID_CROSS_CERT_DIST_POINT
'
' pvPara == PCCERT_CONTEXT, certificate whose cross certificate distribution
' point is being requested
'
' This will be retrieved from the cross certificate distribution point
' extension or property on the certificate
'
'
' Get a time valid CAPI2 object
'
Public Const TIME_VALID_OID_GET_OBJECT_FUNC As String = "TimeValidDllGetObject"
'
' TimeValidDllGetObject has the same signature as CryptGetTimeValidObject
'
'
' TIME_VALID_OID_GET_CTL
'
' pvPara == PCCTL_CONTEXT, the current CTL
'
' TIME_VALID_OID_GET_CRL
'
' pvPara == PCCRL_CONTEXT, the current CRL
'
' TIME_VALID_OID_GET_CRL_FROM_CERT
'
' pvPara == PCCERT_CONTEXT, the subject cert
'
' TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CERT
'
' pvPara == PCCERT_CONTEXT, the subject cert
'
' TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CRL
'
' pvPara == PCCERT_CRL_CONTEXT_PAIR, the subject cert and its base CRL
'
Public Const TIME_VALID_OID_FLUSH_OBJECT_FUNC As String = "TimeValidDllFlushObject"
'
' TimeValidDllFlushObject has the same signature as CryptFlushTimeValidObject
'
'
' TIME_VALID_OID_FLUSH_CTL
'
' pvPara == PCCTL_CONTEXT, the CTL to flush
'
' TIME_VALID_OID_FLUSH_CRL
'
' pvPara == PCCRL_CONTEXT, the CRL to flush
'
' TIME_VALID_OID_FLUSH_CRL_FROM_CERT
'
' pvPara == PCCERT_CONTEXT, the subject cert's CRL to flush
'
' TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CERT
'
' pvPara == PCCERT_CONTEXT, the subject cert's freshest CRL to flush
'
' TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CRL
'
' pvPara == PCCERT_CRL_CONTEXT_PAIR, the subject cert and its base CRL's
' freshest CRL to flush
'
'-------------------------------------------------------------------------
' Data Protection APIs
'-------------------------------------------------------------------------
'
' Data protection APIs enable applications to easily secure data.
'
' The base provider provides protection based on the users' logon
' credentials. The data secured with these APIs follow the same
' roaming characteristics as HKCU -- if HKCU roams, the data
' protected by the base provider may roam as well. This makes
' the API ideal for the munging of data stored in the registry.
'
'
' Prompt struct -- what to tell users about the access
'
'
' base provider action
'
'
' CryptProtect PromptStruct dwPromtFlags
'
'
' prompt on unprotect
Public Const CRYPTPROTECT_PROMPT_ON_UNPROTECT As Long = &H1
'
' prompt on protect
Public Const CRYPTPROTECT_PROMPT_ON_PROTECT As Long = &H2
Public Const CRYPTPROTECT_PROMPT_RESERVED As Long = &H04
'
Public Const CRYPTPROTECT_PROMPT_STRONG As Long = &H08
'
' CryptProtectData and CryptUnprotectData dwFlags
'
' for remote-access situations where ui is not an option
' if UI was specified on protect or unprotect operation, the call
Public Const CRYPTPROTECT_UI_FORBIDDEN As Long = &H1
'
' per machine protected data -- any user on machine where CryptProtectData
' took place may CryptUnprotectData
Public Const CRYPTPROTECT_LOCAL_MACHINE As Long = &H4
'
' Synchronize is only operation that occurs during this operation
Public Const CRYPTPROTECT_CRED_SYNC As Long = &H8
'
' Generate an Audit on protect and unprotect operations
'
Public Const CRYPTPROTECT_AUDIT As Long = &H10
'
' Protect data with a non-recoverable key
'
Public Const CRYPTPROTECT_NO_RECOVERY As Long = &H20
' flags reserved for system use
Public Const CRYPTPROTECT_FIRST_RESERVED_FLAGVAL As Long = &H0FFFFFFF
Public Const CRYPTPROTECT_LAST_RESERVED_FLAGVAL As Long = &HFFFFFFFF
'
' flags specific to base provider
'
'+=========================================================================
' Helper functions to build certificates
'==========================================================================
'+-------------------------------------------------------------------------
'
' Builds a self-signed certificate and returns a PCCERT_CONTEXT representing
' the certificate. A hProv must be specified to build the cert context.
'
' pSubjectIssuerBlob is the DN for the certifcate. If an alternate subject
' name is desired it must be specified as an extension in the pExtensions
' parameter. pSubjectIssuerBlob can NOT be NULL, so minimually an empty DN
' must be specified.
'
' By default:
' pKeyProvInfo - The CSP is queried for the KeyProvInfo parameters. Only the Provider,
' Provider Type and Container is queried. Many CSPs don't support these
' queries and will cause a failure. In such cases the pKeyProvInfo
'
' pSignatureAlgorithm - will default to SHA1RSA
' pStartTime will default to the current time
' pEndTime will default to 1 year
' pEntensions will be empty.
'
' The returned PCCERT_CONTEXT will reference the private keys by setting the
' CERT_KEY_PROV_INFO_PROP_ID. However, if this property is not desired specify the
' CERT_CREATE_SELFSIGN_NO_KEY_INFO in dwFlags.
'
' If the cert being built is only a dummy placeholder cert for speed it may not
' need to be signed. Signing of the cert is skipped if CERT_CREATE_SELFSIGN_NO_SIGN
' is specified in dwFlags.
'
'--------------------------------------------------------------------------
Public Const CERT_CREATE_SELFSIGN_NO_SIGN As Long = 1
Public Const CERT_CREATE_SELFSIGN_NO_KEY_INFO As Long = 2
'+=========================================================================
' Key Identifier Property Data Structures and APIs
'==========================================================================
'+-------------------------------------------------------------------------
' Get the property for the specified Key Identifier.
'
' The Key Identifier is the SHA1 hash of the encoded CERT_PUBLIC_KEY_INFO.
' The Key Identifier for a certificate can be obtained by getting the
' certificate's CERT_KEY_IDENTIFIER_PROP_ID. The
' CryptCreateKeyIdentifierFromCSP API can be called to create the Key
' Identifier from a CSP Public Key Blob.
'
' A Key Identifier can have the same properties as a certificate context.
' CERT_KEY_PROV_INFO_PROP_ID is the property of most interest.
' For CERT_KEY_PROV_INFO_PROP_ID, pvData points to a CRYPT_KEY_PROV_INFO
' structure. Elements pointed to by fields in the pvData structure follow the
' structure. Therefore, *pcbData will exceed the size of the structure.
'
' If CRYPT_KEYID_ALLOC_FLAG is set, then, *pvData is updated with a
' allocated memory.
'
' By default, searches the CurrentUser's list of Key Identifiers.
' CRYPT_KEYID_MACHINE_FLAG can be set to search the LocalMachine's list
' of Key Identifiers. When CRYPT_KEYID_MACHINE_FLAG is set, pwszComputerName
' can also be set to specify the name of a remote computer to be searched
' instead of the local machine.
'--------------------------------------------------------------------------
' When the following flag is set, searches the LocalMachine instead of the
' CurrentUser. This flag is applicable to all the KeyIdentifierProperty APIs.
Public Const CRYPT_KEYID_MACHINE_FLAG As Long = &H00000020
' When the following flag is set, *pvData is updated with a pointer to
Public Const CRYPT_KEYID_ALLOC_FLAG As Long = &H00008000
'+-------------------------------------------------------------------------
' Set the property for the specified Key Identifier.
'
' For CERT_KEY_PROV_INFO_PROP_ID pvData points to the
' CRYPT_KEY_PROV_INFO data structure. For all other properties, pvData
' points to a CRYPT_DATA_BLOB.
'
' Setting pvData == NULL, deletes the property.
'
' Set CRYPT_KEYID_MACHINE_FLAG to set the property for a LocalMachine
' Key Identifier. Set pwszComputerName, to select a remote computer.
'
' If CRYPT_KEYID_DELETE_FLAG is set, the Key Identifier and all its
' properties is deleted.
'
' If CRYPT_KEYID_SET_NEW_FLAG is set, the set fails if the property already
' exists. For an existing property, FALSE is returned with LastError set to
' CRYPT_E_EXISTS.
'--------------------------------------------------------------------------
' When the following flag is set, the Key Identifier and all its properties
' are deleted.
Public Const CRYPT_KEYID_DELETE_FLAG As Long = &H00000010
' When the following flag is set, the set fails if the property already
' exists.
Public Const CRYPT_KEYID_SET_NEW_FLAG As Long = &H00002000
'+-------------------------------------------------------------------------
' For CERT_KEY_PROV_INFO_PROP_ID, rgppvData[] points to a
' CRYPT_KEY_PROV_INFO.
'
' Return FALSE to stop the enumeration.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Enumerate the Key Identifiers.
'
' If pKeyIdentifier is NULL, enumerates all Key Identifers. Otherwise,
' calls the callback for the specified KeyIdentifier. If dwPropId is
' 0, calls the callback with all the properties. Otherwise, only calls
' Furthermore, when dwPropId is specified, skips KeyIdentifiers not
' having the property.
'
' Set CRYPT_KEYID_MACHINE_FLAG to enumerate the LocalMachine
' Key Identifiers. Set pwszComputerName, to enumerate Key Identifiers on
' a remote computer.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' Create a KeyIdentifier from the CSP Public Key Blob.
'
' Converts the CSP PUBLICKEYSTRUC into a X.509 CERT_PUBLIC_KEY_INFO and
' encodes. The encoded CERT_PUBLIC_KEY_INFO is SHA1 hashed to obtain
' the Key Identifier.
'
' By default, the pPubKeyStruc->aiKeyAlg is used to find the appropriate
' public key Object Identifier. pszPubKeyOID can be set to override
' the default OID obtained from the aiKeyAlg.
'--------------------------------------------------------------------------
'+=========================================================================
' Certificate Chaining Infrastructure
'==========================================================================
'
' The chain engine defines the store namespace and cache partitioning for
' the Certificate Chaining infrastructure. A default chain engine
' is defined for the process which uses all default system stores e.g.
' Root, CA, Trust, for chain building and caching. If an application
' wishes to define its own store namespace or have its own partitioned
' cache then it can create its own chain engine. It is advisable to create
' a chain engine at application startup and use it throughout the lifetime
' of the application in order to get optimal caching behavior
'
'
' Create a certificate chain engine.
'
'
' Configuration parameters for the certificate chain engine
'
'
' hRestrictedTrust - restrict the store for CTLs
'
' hRestrictedOther - restrict the store for certs and CRLs
'
' cAdditionalStore, rghAdditionalStore - additional stores
'
' NOTE: The algorithm used to define the stores for the engine is as
' follows:
'
' hRoot = hRestrictedRoot or System Store "Root"
'
'
' hRestrictedTrust + hWorld
'
' hWorld = hRoot + "CA" + "My" + "Trust" + rghAdditionalStore
'
' dwFlags - flags
'
' CERT_CHAIN_CACHE_END_CERT - information will be cached on
' the end cert as well as the other
' certs in the chain
'
' CERT_CHAIN_THREAD_STORE_SYNC - use separate thread for store syncs
' and related cache updates
'
' CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL - don't hit the wire to get
' URL based objects
'
' dwUrlRetrievalTimeout - timeout for wire based URL object retrievals
'
Public Const CERT_CHAIN_CACHE_END_CERT As Long = &H00000001
Public Const CERT_CHAIN_THREAD_STORE_SYNC As Long = &H00000002
Public Const CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL As Long = &H00000004
Public Const CERT_CHAIN_USE_LOCAL_MACHINE_STORE As Long = &H00000008
Public Const CERT_CHAIN_ENABLE_CACHE_AUTO_UPDATE As Long = &H00000010
Public Const CERT_CHAIN_ENABLE_SHARE_STORE As Long = &H00000020
'
' Free a certificate trust engine
'
'
' Resync the certificate chain engine. This resync's the stores backing
' the engine and updates the engine caches.
'
'
' When an application requests a certificate chain, the data structure
' returned is in the form of a CERT_CHAIN_CONTEXT. This contains
' an array of CERT_SIMPLE_CHAIN where each simple chain goes from
' an end cert to a self signed cert and the chain context connects simple
' chains via trust lists. Each simple chain contains the chain of
' certificates, summary trust information about the chain and trust information
' about each certificate element in the chain.
'
'
' Trust status bits
'
'
' The following are error status bits
'
' These can be applied to certificates and chains
Public Const CERT_TRUST_NO_ERROR As Long = &H00000000
Public Const CERT_TRUST_IS_NOT_TIME_VALID As Long = &H00000001
Public Const CERT_TRUST_IS_NOT_TIME_NESTED As Long = &H00000002
Public Const CERT_TRUST_IS_REVOKED As Long = &H00000004
Public Const CERT_TRUST_IS_NOT_SIGNATURE_VALID As Long = &H00000008
Public Const CERT_TRUST_IS_NOT_VALID_FOR_USAGE As Long = &H00000010
Public Const CERT_TRUST_IS_UNTRUSTED_ROOT As Long = &H00000020
Public Const CERT_TRUST_REVOCATION_STATUS_UNKNOWN As Long = &H00000040
Public Const CERT_TRUST_IS_CYCLIC As Long = &H00000080
Public Const CERT_TRUST_INVALID_EXTENSION As Long = &H00000100
Public Const CERT_TRUST_INVALID_POLICY_CONSTRAINTS As Long = &H00000200
Public Const CERT_TRUST_INVALID_BASIC_CONSTRAINTS As Long = &H00000400
Public Const CERT_TRUST_INVALID_NAME_CONSTRAINTS As Long = &H00000800
Public Const CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT As Long = &H00001000
Public Const CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT As Long = &H00002000
Public Const CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT As Long = &H00004000
Public Const CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT As Long = &H00008000
Public Const CERT_TRUST_IS_OFFLINE_REVOCATION As Long = &H01000000
Public Const CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY As Long = &H02000000
' These can be applied to chains only
Public Const CERT_TRUST_IS_PARTIAL_CHAIN As Long = &H00010000
Public Const CERT_TRUST_CTL_IS_NOT_TIME_VALID As Long = &H00020000
Public Const CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID As Long = &H00040000
Public Const CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE As Long = &H00080000
'
' The following are info status bits
'
' These can be applied to certificates only
Public Const CERT_TRUST_HAS_EXACT_MATCH_ISSUER As Long = &H00000001
Public Const CERT_TRUST_HAS_KEY_MATCH_ISSUER As Long = &H00000002
Public Const CERT_TRUST_HAS_NAME_MATCH_ISSUER As Long = &H00000004
Public Const CERT_TRUST_IS_SELF_SIGNED As Long = &H00000008
' These can be applied to certificates and chains
Public Const CERT_TRUST_HAS_PREFERRED_ISSUER As Long = &H00000100
Public Const CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY As Long = &H00000200
Public Const CERT_TRUST_HAS_NAME_CONSTRAINTS As Long = &H00000400
' These can be applied to chains only
Public Const CERT_TRUST_IS_COMPLEX_CHAIN As Long = &H00010000
'
' Each certificate context in a simple chain has a corresponding chain element
' in the simple chain context
'
' dwErrorStatus has CERT_TRUST_IS_REVOKED, pRevocationInfo set
' dwErrorStatus has CERT_TRUST_REVOCATION_STATUS_UNKNOWN, pRevocationInfo set
'
' Note that the post processing revocation supported in the first
' version only sets cbSize and dwRevocationResult. Everything else
' is NULL
'
'
' Revocation Information
'
'
' Trust List Information
'
'
' Chain Element
'
'
' The simple chain is an array of chain elements and a summary trust status
' for the chain
'
' rgpElements[0] is the end certificate chain element
'
' rgpElements[cElement-1] is the self-signed "root" certificate chain element
'
'
' And the chain context contains an array of simple chains and summary trust
' status for all the connected simple chains
'
' rgpChains[0] is the end certificate simple chain
'
' ends in a certificate which is contained in the root store
'
'
' When building a chain, the there are various parameters used for finding
' issuing certificates and trust lists. They are identified in the
' following structure
'
' Default usage match type is AND with value zero
Public Const USAGE_MATCH_TYPE_AND As Long = &H00000000
Public Const USAGE_MATCH_TYPE_OR As Long = &H00000001
'
' The following API is used for retrieving certificate chains
'
' Parameters:
'
' mean use the default chain engine
'
' pCertContext - the context we are retrieving the chain for, it
' will be the zero index element in the chain
'
' pTime - the point in time that we want the chain validated
' for. Note that the time does not affect trust list,
' revocation, or root store checking. NULL means use
' the current system time
'
' hAdditionalStore - additional store to use when looking up objects
'
' pChainPara - parameters for chain building
'
' dwFlags - flags such as should revocation checking be done
' on the chain?
'
' pvReserved - reserved parameter, must be NULL
'
' ppChainContext - chain context returned
'
' CERT_CHAIN_CACHE_END_CERT can be used here as well
' Revocation flags are in the high nibble
Public Const CERT_CHAIN_REVOCATION_CHECK_END_CERT As Long = &H10000000
Public Const CERT_CHAIN_REVOCATION_CHECK_CHAIN As Long = &H20000000
Public Const CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT As Long = &H40000000
Public Const CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY As Long = &H80000000
' First pass determines highest quality based upon:
' - Complete chain
' By default, second pass only considers paths >= highest first pass quality
Public Const CERT_CHAIN_DISABLE_PASS1_QUALITY_FILTERING As Long = &H00000040
Public Const CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS As Long = &H00000080
'
' Free a certificate chain
'
'
'
'
' Specific Revocation Type OID and structure definitions
'
'
' CRL Revocation OID
'
'
' For the CRL revocation OID the pvRevocationPara is NULL
'
'
' CRL Revocation Info
'
'+-------------------------------------------------------------------------
' Find the first or next certificate chain context in the store.
'
' The chain context is found according to the dwFindFlags, dwFindType and
' its pvFindPara. See below for a list of the find types and its parameters.
'
' If the first or next chain context isn't found, NULL is returned.
' Otherwise, a pointer to a read only CERT_CHAIN_CONTEXT is returned.
' CERT_CHAIN_CONTEXT must be freed by calling CertFreeCertificateChain
' or is freed when passed as the
' pPrevChainContext on a subsequent call. CertDuplicateCertificateChain
' can be called to make a duplicate.
'
' pPrevChainContext MUST BE NULL on the first
' call to find the chain context. To find the next chain context, the
' pPrevChainContext is set to the CERT_CHAIN_CONTEXT returned by a previous
' call.
'
' NOTE: a NON-NULL pPrevChainContext is always CertFreeCertificateChain'ed by
' this function, even for an error.
'--------------------------------------------------------------------------
Public Const CERT_CHAIN_FIND_BY_ISSUER As Long = 1
'+-------------------------------------------------------------------------
' CERT_CHAIN_FIND_BY_ISSUER
'
' Find a certificate chain having a private key for the end certificate and
' matching one of the given issuer names. A matching dwKeySpec and
' enhanced key usage can also be specified. Additionally a callback can
' be provided for even more caller provided filtering before building the
' chain.
'
' By default, only the issuers in the first simple chain are compared
' for a name match. CERT_CHAIN_FIND_BY_ISSUER_COMPLEX_CHAIN_FLAG can
' be set in dwFindFlags to match issuers in all the simple chains.
'
' CERT_CHAIN_FIND_BY_ISSUER_NO_KEY_FLAG can be set in dwFindFlags to
' not check if the end certificate has a private key.
'
' CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG can be set in dwFindFlags
' to compare the public key in the end certificate with the crypto
' provider's public key. The dwAcquirePrivateKeyFlags can be set
' in CERT_CHAIN_FIND_BY_ISSUER_PARA to enable caching of the private key's
' HKEY returned by the CSP.
'
' If dwCertEncodingType == 0, defaults to X509_ASN_ENCODING for the
' array of encoded issuer names.
'
' By default, the hCertStore passed to CertFindChainInStore, is passed
' as an additional store to CertGetCertificateChain.
' CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_FLAG can be set in dwFindFlags
' to improve performance by only searching the cached system stores
' a find in the "my" system store, than, this flag should be set to
' improve performance.
'
' Setting CERT_CHAIN_FIND_BY_ISSUER_LOCAL_MACHINE_FLAG in dwFindFlags
' restricts CertGetCertificateChain to search the Local Machine
' cached system stores instead of the Current User's.
'
' Setting CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG in dwFindFlags
' restricts CertGetCertificateChain to only search the URL cache
' and not hit the wire.
'--------------------------------------------------------------------------
' Returns FALSE to skip this certificate. Otherwise, returns TRUE to
' build a chain for this certificate.
' The following dwFindFlags can be set for CERT_CHAIN_FIND_BY_ISSUER
' If set, compares the public key in the end certificate with the crypto
' provider's public key. This comparison is the last check made on the
' build chain.
Public Const CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG As Long = &H0001
' If not set, only checks the first simple chain for an issuer name match.
' When set, also checks second and subsequent simple chains.
Public Const CERT_CHAIN_FIND_BY_ISSUER_COMPLEX_CHAIN_FLAG As Long = &H0002
' If set, CertGetCertificateChain only searches the URL cache and
' doesn't hit the wire.
Public Const CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG As Long = &H0004
' If set, CertGetCertificateChain only opens the Local Machine
' certificate stores instead of the Current User's.
Public Const CERT_CHAIN_FIND_BY_ISSUER_LOCAL_MACHINE_FLAG As Long = &H0008
' If set, no check is made to see if the end certificate has a private
' key associated with it.
Public Const CERT_CHAIN_FIND_BY_ISSUER_NO_KEY_FLAG As Long = &H4000
' By default, the hCertStore passed to CertFindChainInStore, is passed
' as the additional store to CertGetCertificateChain. This flag can be
' set to improve performance by only searching the cached system stores
' the hCertStore is always searched in addition to the cached system
' stores.
Public Const CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_FLAG As Long = &H8000
'+=========================================================================
' Certificate Chain Policy Data Structures and APIs
'==========================================================================
' If both lChainIndex and lElementIndex are set to -1, the dwError applies
' to the whole chain context. If only lElementIndex is set to -1, the
' dwError applies to the lChainIndex'ed chain. Otherwise, the dwError applies
' to the certificate element at
' pChainContext->rgpChain[lChainIndex]->rgpElement[lElementIndex].
' Common chain policy flags
Public Const CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG As Long = &H00000001
Public Const CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG As Long = &H00000002
Public Const CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG As Long = &H00000004
Public Const CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG As Long = &H00000010
Public Const CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG As Long = &H00000020
Public Const CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG As Long = &H00000100
Public Const CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG As Long = &H00000200
Public Const CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG As Long = &H00000400
Public Const CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG As Long = &H00000800
Public Const CERT_CHAIN_POLICY_ALLOW_TESTROOT_FLAG As Long = &H00008000
Public Const CERT_CHAIN_POLICY_TRUST_TESTROOT_FLAG As Long = &H00004000
'+-------------------------------------------------------------------------
' Verify that the certificate chain satisfies the specified policy
' requirements. If we were able to verify the chain policy, TRUE is returned
' and the dwError field of the pPolicyStatus is updated. A dwError of 0
'
' If dwError applies to the entire chain context, both lChainIndex and
' lElementIndex are set to -1. If dwError applies to a simple chain,
' lElementIndex is set to -1 and lChainIndex is set to the index of the
' first offending chain having the error. If dwError applies to a
' certificate element, lChainIndex and lElementIndex are updated to
' index the first offending certificate having the error, where, the
' the certificate element is at:
' pChainContext->rgpChain[lChainIndex]->rgpElement[lElementIndex].
'
' The dwFlags in pPolicyPara can be set to change the default policy checking
' behaviour. In addition, policy specific parameters can be passed in
' the pvExtraPolicyPara field of pPolicyPara.
'
' In addition to returning dwError, in pPolicyStatus, policy OID specific
' extra status may be returned via pvExtraPolicyStatus.
'--------------------------------------------------------------------------
' Predefined OID Function Names
' CertDllVerifyCertificateChainPolicy has same function signature as
' CertVerifyCertificateChainPolicy.
'+-------------------------------------------------------------------------
' Predefined verify chain policies
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_CHAIN_POLICY_BASE
'
' Implements the base chain policy verification checks. dwFlags can
' be set in pPolicyPara to alter the default policy checking behaviour.
'--------------------------------------------------------------------------
'+-------------------------------------------------------------------------
' CERT_CHAIN_POLICY_AUTHENTICODE
'
' Implements the Authenticode chain policy verification checks.
'
' pvExtraPolicyPara may optionally be set to point to the following
' AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA.
'
' pvExtraPolicyStatus may optionally be set to point to the following
' AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS.
'--------------------------------------------------------------------------
' dwRegPolicySettings are defined in wintrust.h
'+-------------------------------------------------------------------------
' CERT_CHAIN_POLICY_AUTHENTICODE_TS
'
' Implements the Authenticode Time Stamp chain policy verification checks.
'
' pvExtraPolicyPara may optionally be set to point to the following
' AUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA.
'
' pvExtraPolicyStatus isn't used and must be set to NULL.
'--------------------------------------------------------------------------
' dwRegPolicySettings are defined in wintrust.h
'+-------------------------------------------------------------------------
' CERT_CHAIN_POLICY_SSL
'
' Implements the SSL client/server chain policy verification checks.
'
' pvExtraPolicyPara may optionally be set to point to the following
' SSL_EXTRA_CERT_CHAIN_POLICY_PARA data structure
'--------------------------------------------------------------------------
' fdwChecks flags are defined in wininet.h
'+-------------------------------------------------------------------------
' CERT_CHAIN_POLICY_BASIC_CONSTRAINTS
'
' Implements the basic constraints chain policy.
'
' Iterates through all the certificates in the chain checking for either
' a szOID_BASIC_CONSTRAINTS or a szOID_BASIC_CONSTRAINTS2 extension. If
' neither extension is present, the certificate is assumed to have
' valid policy. Otherwise, for the first certificate element, checks if
' it matches the expected CA_FLAG or END_ENTITY_FLAG specified in
' pPolicyPara->dwFlags. If neither or both flags are set, then, the first
' element can be either a CA or END_ENTITY. All other elements must be
' a CA. If the PathLenConstraint is present in the extension, its
' checked.
'
' used to sign the CTL) are checked to be an END_ENTITY.
'
' If this verification fails, dwError will be set to
' TRUST_E_BASIC_CONSTRAINTS.
'--------------------------------------------------------------------------
Public Const BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_CA_FLAG As Long = &H80000000
Public Const BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_END_ENTITY_FLAG As Long = &H40000000
'+-------------------------------------------------------------------------
' CERT_CHAIN_POLICY_NT_AUTH
'
' Implements the NT Authentication chain policy.
'
' The NT Authentication chain policy consists of 3 distinct chain
' verifications in the following order:
' [1] CERT_CHAIN_POLICY_BASE - Implements the base chain policy
' verification checks. The LOWORD of dwFlags can be set in
' pPolicyPara to alter the default policy checking behaviour. See
' CERT_CHAIN_POLICY_BASE for more details.
'
' [2] CERT_CHAIN_POLICY_BASIC_CONSTRAINTS - Implements the basic
' constraints chain policy. The HIWORD of dwFlags can be set
' to specify if the first element must be either a CA or END_ENTITY.
' See CERT_CHAIN_POLICY_BASIC_CONSTRAINTS for more details.
'
' [3] Checks if the second element in the chain, the CA that issued
' the end certificate, is a trusted CA for NT
' Authentication. A CA is considered to be trusted if it exists in
' the "NTAuth" system registry store found in the
' CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE store location.
' If this verification fails, whereby the CA isn't trusted,
' dwError is set to CERT_E_UNTRUSTEDCA.
'--------------------------------------------------------------------------
'+=========================================================================
' Helper functions to install certificates
'==========================================================================
'+-------------------------------------------------------------------------
' Install a signed list of trusted certificates.
'
' A CTL is used for the list. The dwFormat and pvList parameters are used
' to pass in the CTL. Two dwFormat types are supported:
' - CERT_INSTALL_SIGNED_LIST_FORMAT_BLOB
' pvList is a PCRYPT_DATA_BLOB
' - CERT_INSTALL_SIGNED_LIST_FORMAT_URL
' pvList is a LPCWSTR
'
' encoded CTL.)
'
' Currently only support a dwMsgAndCertEncodingType of:
' X509_ASN_ENCODING | PKCS_7_ASN_ENCODING
'
' dwFlags isn't used and must be set to 0. pvReserved isn't used and must
' be set to NULL.
'
' If the list of certificates was successfully installed, TRUE is returned.
' Otherwise, FALSE is returned with LastError updated with the failure
' reason.
'
' Currently only support a signed list of trusted roots. dwPurpose must be
' set to: CERT_INSTALL_SIGNED_LIST_PURPOSE_TRUSTED_ROOTS.
'
' The CTL is processed as follows for TRUSTED_ROOTS:
' The signature of the CTL is verified. The signer of the CTL is verified
' up to a trusted root containing the predefined Microsoft public key.
' The signer and intermediate certificates must have the
' szOID_ROOT_LIST_SIGNER enhanced key usage extension.
'
' The CTL fields are validated as follows:
' usage)
' - If NextUpdate isn't NULL, check that the CTL is still time valid
' - Only allow roots identified by their sha1 hash
'
' The following CTL extensions are processed:
' - szOID_ENHANCED_KEY_USAGE - if present, must contain
' szOID_ROOT_LIST_SIGNER usage
' - szOID_CERT_POLICIES - ignored
'
' If the CTL contains any other critical extensions, then, the
' CTL verification fails.
'
' If the CTL is valid according to the above checks, then, the user
' is given a dialog box to accept or cancel. If the user accepts, then,
' the certificates are added to the CurrentUser "root" store. Since,
' the root list was signed up through a trusted Microsoft root, the user
' isn't prompted again to accept each root as they are added to the
' protected root list.
'
' If the szOID_REMOVE_CERTIFICATE extension is present with removal
' set, then, instead of adding, the certificates are removed from
' both the CurrentUser and LocalMachine "root" stores.
'--------------------------------------------------------------------------
' dwPurpose values
Public Const CERT_INSTALL_SIGNED_LIST_PURPOSE_TRUSTED_ROOTS As Long = 1
' dwFormat values
Public Const CERT_INSTALL_SIGNED_LIST_FORMAT_BLOB As Long = 1
Public Const CERT_INSTALL_SIGNED_LIST_FORMAT_URL As Long = 2
' For CERT_INSTALL_SIGNED_LIST_FORMAT_BLOB
' pvList is a PCRYPT_DATA_BLOB
' For CERT_INSTALL_SIGNED_LIST_FORMAT_URL
' pvList is a LPCWSTR
'+-------------------------------------------------------------------------
' Install one or more intermediate CA certificates.
'
' The CA certificates can be in any content or format type supported
'
' The dwFormat and pvCAs parameters are used to pass in the CA
' - CERT_INSTALL_CA_FORMAT_BLOB
' pvCAs is a PCRYPT_DATA_BLOB
' - CERT_INSTALL_CA_FORMAT_URL
' pvCAs is a LPCWSTR
'
' Currently only support a dwMsgAndCertEncodingType of:
' X509_ASN_ENCODING | PKCS_7_ASN_ENCODING
'
' dwFlags isn't used and must be set to 0. pvReserved isn't used and must
' be set to NULL.
'
' If the CA certificates were successfully installed, TRUE is returned.
' Otherwise, FALSE is returned with LastError updated with the failure
' reason.
'--------------------------------------------------------------------------
Public Const CERT_INSTALL_CA_FORMAT_BLOB As Long = 1
Public Const CERT_INSTALL_CA_FORMAT_URL As Long = 2
' For CERT_INSTALL_CA_FORMAT_BLOB
' pvCAs is a PCRYPT_DATA_BLOB
' For CERT_INSTALL_CA_FORMAT_URL
' pvCAs is a LPCWSTR
'+-------------------------------------------------------------------------
' convert formatted string to binary
' If cchString is 0, then pszString is NULL terminated and
' dwFlags defines string format
' if ppbBinary is NULL, *pcbBinary returns the size of required memory
' *pdwSkip returns the character count of skipped strings, optional
' *pdwFlags returns the actual format used in the conversion, optional
'--------------------------------------------------------------------------
'WINCRYPT32API
'+-------------------------------------------------------------------------
' convert formatted string to binary
' If cchString is 0, then pszString is NULL terminated and
' dwFlags defines string format
' if ppbBinary is NULL, *pcbBinary returns the size of required memory
' *pdwSkip returns the character count of skipped strings, optional
' *pdwFlags returns the actual format used in the conversion, optional
'--------------------------------------------------------------------------
'WINCRYPT32API
'+-------------------------------------------------------------------------
' convert binary to formatted string
' dwFlags defines string format
' if pszString is NULL, *pcchString returns the size of required memory in byte
'--------------------------------------------------------------------------
'WINCRYPT32API
'+-------------------------------------------------------------------------
' convert binary to formatted string
' dwFlags defines string format
' if pszString is NULL, *pcchString returns the size of required memory in byte
'--------------------------------------------------------------------------
'WINCRYPT32API
' dwFlags has the following defines
Public Const CRYPT_STRING_BASE64HEADER As Long = &H00000000
Public Const CRYPT_STRING_BASE64 As Long = &H00000001
Public Const CRYPT_STRING_BINARY As Long = &H00000002
Public Const CRYPT_STRING_BASE64REQUESTHEADER As Long = &H00000003
Public Const CRYPT_STRING_HEX As Long = &H00000004
Public Const CRYPT_STRING_HEXASCII As Long = &H00000005
Public Const CRYPT_STRING_BASE64_ANY As Long = &H00000006
Public Const CRYPT_STRING_ANY As Long = &H00000007
Public Const CRYPT_STRING_HEX_ANY As Long = &H00000008
Public Const CRYPT_STRING_BASE64X509CRLHEADER As Long = &H00000009
Public Const CRYPT_STRING_HEXADDR As Long = &H0000000a
Public Const CRYPT_STRING_HEXASCIIADDR As Long = &H0000000b
' CryptBinaryToString uses the following flags
' CRYPT_STRING_BASE64HEADER - base64 format with certificate begin
' and end headers
' CRYPT_STRING_BASE64 - only base64 without headers
' CRYPT_STRING_BINARY - pure binary copy
' CRYPT_STRING_BASE64REQUESTHEADER - base64 format with request begin
' and end headers
' CRYPT_STRING_BASE64X509CRLHEADER - base64 format with x509 crl begin
' and end headers
' CRYPT_STRING_HEX - only hex format
' CRYPT_STRING_HEXASCII - hex format with ascii char display
' CRYPT_STRING_HEXADDR - hex format with address display
' CRYPT_STRING_HEXASCIIADDR - hex format with ascii char and address display
' CryptStringToBinary uses the following flags
' CRYPT_STRING_BASE64_ANY tries the following, in order:
' CRYPT_STRING_BASE64HEADER
' CRYPT_STRING_BASE64
' CRYPT_STRING_ANY tries the following, in order:
' CRYPT_STRING_BASE64_ANY
' CRYPT_STRING_BINARY -- should always succeed
' CRYPT_STRING_HEX_ANY tries the following, in order:
' CRYPT_STRING_HEXADDR
' CRYPT_STRING_HEXASCIIADDR
' CRYPT_STRING_HEXASCII
' CRYPT_STRING_HEX
'+---------------------------------------------------------------------------
'
' Microsoft Windows
'
' File: CertSrv.h
' Contents: Main Certificate Server header
' Also includes .h files for the COM interfaces
'
'----------------------------------------------------------------------------
Public Const wszSERVICE_NAME As String = "CertSvc"
'======================================================================
' Full path to "CertSvc\Configuration\":
'======================================================================
' Full path to "CertSvc\Configuration\RestoreInProgress":
'======================================================================
' Key Under "CertSvc":
Public Const wszREGKEYCONFIG As String = "Configuration"
'======================================================================
' Values Under "CertSvc\Configuration":
Public Const wszREGACTIVE As String = "Active"
Public Const wszREGDIRECTORY As String = "ConfigurationDirectory"
Public Const wszREGDBDIRECTORY As String = "DBDirectory"
Public Const wszREGDBLOGDIRECTORY As String = "DBLogDirectory"
Public Const wszREGDBSYSDIRECTORY As String = "DBSystemDirectory"
Public Const wszREGDBTEMPDIRECTORY As String = "DBTempDirectory"
Public Const wszREGDBSESSIONCOUNT As String = "DBSessionCount"
Public Const wszREGWEBCLIENTCAMACHINE As String = "WebClientCAMachine"
Public Const wszREGVERSION As String = "Version"
Public Const wszREGWEBCLIENTCANAME As String = "WebClientCAName"
Public Const wszREGWEBCLIENTCATYPE As String = "WebClientCAType"
' Default value for wszREGDBSESSIONCOUNT
Public Const DBSESSIONCOUNTDEFAULT As Long = 20
' Value for wszREGVERSION:
Public Const CSVER_MAJOR As Long = 2
Public Const CSVER_MINOR As Long = 1
' Keys Under "CertSvc\Configuration":
Public Const wszREGKEYRESTOREINPROGRESS As String = "RestoreInProgress"
'======================================================================
' Values Under "CertSvc\Configuration\<CAName>":
Public Const wszREGCADESCRIPTION As String = "CADescription"
Public Const wszREGCACERTHASH As String = "CACertHash"
Public Const wszREGCASERIALNUMBER As String = "CACertSerialNumber"
Public Const wszREGCAXCHGCERTHASH As String = "CAXchgCertHash"
Public Const wszREGKRACERTHASH As String = "KRACertHash"
Public Const wszREGCATYPE As String = "CAType"
Public Const wszREGCERTENROLLCOMPATIBLE As String = "CertEnrollCompatible"
Public Const wszREGENFORCEX500NAMELENGTHS As String = "EnforceX500NameLengths"
Public Const wszREGCOMMONNAME As String = "CommonName"
Public Const wszREGCLOCKSKEWMINUTES As String = "ClockSkewMinutes"
Public Const wszREGCRLNEXTPUBLISH As String = "CRLNextPublish"
Public Const wszREGCRLPERIODSTRING As String = "CRLPeriod"
Public Const wszREGCRLPERIODCOUNT As String = "CRLPeriodUnits"
Public Const wszREGCRLOVERLAPPERIODSTRING As String = "CRLOverlapPeriod"
Public Const wszREGCRLOVERLAPPERIODCOUNT As String = "CRLOverlapUnits"
Public Const wszREGCRLDELTANEXTPUBLISH As String = "CRLDeltaNextPublish"
Public Const wszREGCRLDELTAPERIODSTRING As String = "CRLDeltaPeriod"
Public Const wszREGCRLDELTAPERIODCOUNT As String = "CRLDeltaPeriodUnits"
Public Const wszREGCRLDELTAOVERLAPPERIODSTRING As String = "CRLDeltaOverlapPeriod"
Public Const wszREGCRLDELTAOVERLAPPERIODCOUNT As String = "CRLDeltaOverlapUnits"
Public Const wszREGCRLPUBLICATIONURLS As String = "CRLPublicationURLs"
Public Const wszREGCACERTPUBLICATIONURLS As String = "CACertPublicationURLs"
Public Const wszREGCAXCHGVALIDITYPERIODSTRING As String = "CAXchgValidityPeriod"
Public Const wszREGCAXCHGVALIDITYPERIODCOUNT As String = "CAXchgValidityPeriodUnits"
Public Const wszREGCAXCHGOVERLAPPERIODSTRING As String = "CAXchgOverlapPeriod"
Public Const wszREGCAXCHGOVERLAPPERIODCOUNT As String = "CAXchgOverlapPeriodUnits"
Public Const wszREGCRLPATH_OLD As String = "CRLPath"
Public Const wszREGCRLEDITFLAGS As String = "CRLEditFlags"
Public Const wszREGCRLFLAGS As String = "CRLFlags"
Public Const wszREGCRLATTEMPTREPUBLISH As String = "CRLAttemptRepublish"
Public Const wszREGENABLED As String = "Enabled"
Public Const wszREGFORCETELETEX As String = "ForceTeletex"
Public Const wszREGLOGLEVEL As String = "LogLevel"
Public Const wszREGPOLICYFLAGS As String = "PolicyFlags"
Public Const wszREGNAMESEPARATOR As String = "SubjectNameSeparator"
Public Const wszREGSUBJECTTEMPLATE As String = "SubjectTemplate"
Public Const wszREGCAUSEDS As String = "UseDS"
Public Const wszREGVALIDITYPERIODSTRING As String = "ValidityPeriod"
Public Const wszREGVALIDITYPERIODCOUNT As String = "ValidityPeriodUnits"
Public Const wszREGPARENTCAMACHINE As String = "ParentCAMachine"
Public Const wszREGPARENTCANAME As String = "ParentCAName"
Public Const wszREGREQUESTFILENAME As String = "RequestFileName"
Public Const wszREGREQUESTID As String = "RequestId"
Public Const wszREGREQUESTKEYCONTAINER As String = "RequestKeyContainer"
Public Const wszREGREQUESTKEYINDEX As String = "RequestKeyIndex"
Public Const wszREGCASERVERNAME As String = "CAServerName"
Public Const wszREGCACERTFILENAME As String = "CACertFileName"
Public Const wszREGCASECURITY As String = "Security"
Public Const wszREGSETUPSTATUS As String = "SetupStatus"
Public Const wszPFXFILENAMEEXT As String = ".p12"
Public Const wszDATFILENAMEEXT As String = ".dat"
Public Const wszLOGFILENAMEEXT As String = ".log"
Public Const wszPATFILENAMEEXT As String = ".pat"
Public Const wszDBFILENAMEEXT As String = ".edb"
Public Const szDBBASENAMEPARM As String = "edb"
Public Const wszLOGPATH As String = "CertLog"
Public Const wszDBBACKUPSUBDIR As String = "DataBase"
Public Const wszDBBACKUPCERTBACKDAT As String = "certback.dat"
' Values for wszREGCATYPE:
' Default value for wszREGCLOCKSKEWMINUTES
Public Const CCLOCKSKEWMINUTESDEFAULT As Long = 10
Public Const dwVALIDITYPERIODCOUNTDEFAULT_ENTERPRISE As Long = 2
Public Const dwVALIDITYPERIODCOUNTDEFAULT_STANDALONE As Long = 1
Public Const dwCAXCHGVALIDITYPERIODCOUNTDEFAULT As Long = 1
Public Const dwCAXCHGOVERLAPPERIODCOUNTDEFAULT As Long = 1
Public Const dwCRLPERIODCOUNTDEFAULT As Long = 1
Public Const dwCRLOVERLAPPERIODCOUNTDEFAULT As Long = 0
Public Const dwCRLDELTAPERIODCOUNTDEFAULT As Long = 1
Public Const dwCRLDELTAOVERLAPPERIODCOUNTDEFAULT As Long = 0
' Values for wszREGLOGLEVEL:
' Values for wszREGSETUPSTATUS:
Public Const SETUP_SERVER_FLAG As Long = &H00000001
Public Const SETUP_CLIENT_FLAG As Long = &H00000002
Public Const SETUP_SUSPEND_FLAG As Long = &H00000004
Public Const SETUP_REQUEST_FLAG As Long = &H00000008
Public Const SETUP_ONLINE_FLAG As Long = &H00000010
Public Const SETUP_DENIED_FLAG As Long = &H00000020
Public Const SETUP_CREATEDB_FLAG As Long = &H00000040
Public Const SETUP_ATTEMPT_VROOT_CREATE As Long = &H00000080
Public Const SETUP_FORCECRL_FLAG As Long = &H00000100
' Values for wszREGCRLFLAGS:
Public Const CRLF_DELTA_USE_OLDEST_UNEXPIRED_BASE As Long = &H00000001
' else use newest base CRL that satisfies base CRL propagation delay
Public Const CRLF_DELETE_EXPIRED_CRLS As Long = &H00000002
Public Const CRLF_CRLNUMBER_CRITICAL As Long = &H00000004
' Values for numeric prefixes for
' wszREGCRLPUBLICATIONURLS and wszREGCACERTPUBLICATIONURLS:
'
' URL publication template Flags values, encoded as a decimal prefix for URL
' publication templates in the registry:
' "1:c:\winnt\System32\CertSrv\CertEnroll\MyCA.crl"
Public Const CSURL_SERVERPUBLISH As Long = &H00000001
Public Const CSURL_ADDTOCERTCDP As Long = &H00000002
Public Const CSURL_ADDTOFRESHESTCRL As Long = &H00000004
Public Const CSURL_ADDTOCRLCDP As Long = &H00000008
Public Const CSURL_PUBLISHRETRY As Long = &H00000010
'======================================================================
' Keys Under "CertSvc\Configuration\<CAName>":
Public Const wszREGKEYCSP As String = "CSP"
Public Const wszREGKEYEXITMODULES As String = "ExitModules"
Public Const wszREGKEYPOLICYMODULES As String = "PolicyModules"
Public Const wszSECUREDATTRIBUTES As String = "SignedAttributes"
'======================================================================
' Values Under "CertSvc\Configuration\RestoreInProgress":
Public Const wszREGBACKUPLOGDIRECTORY As String = "BackupLogDirectory"
Public Const wszREGCHECKPOINTFILE As String = "CheckPointFile"
Public Const wszREGHIGHLOGNUMBER As String = "HighLogNumber"
Public Const wszREGLOWLOGNUMBER As String = "LowLogNumber"
Public Const wszREGLOGPATH As String = "LogPath"
Public Const wszREGRESTOREMAPCOUNT As String = "RestoreMapCount"
Public Const wszREGRESTOREMAP As String = "RestoreMap"
Public Const wszREGDATABASERECOVERED As String = "DatabaseRecovered"
Public Const wszREGRESTORESTATUS As String = "RestoreStatus"
' values under \Configuration\PolicyModules in nt5 beta 2
Public Const wszREGB2ICERTMANAGEMODULE As String = "ICertManageModule"
' values under \Configuration in nt4 sp4
Public Const wszREGSP4DEFAULTCONFIGURATION As String = "DefaultConfiguration"
' values under ca in nt4 sp4
Public Const wszREGSP4KEYSETNAME As String = "KeySetName"
Public Const wszREGSP4SUBJECTNAMESEPARATOR As String = "SubjectNameSeparator"
Public Const wszREGSP4NAMES As String = "Names"
Public Const wszREGSP4QUERIES As String = "Queries"
' both nt4 sp4 and nt5 beta 2
Public Const wszREGNETSCAPECERTTYPE As String = "NetscapeCertType"
Public Const wszNETSCAPEREVOCATIONTYPE As String = "Netscape"
'======================================================================
' Values Under "CertSvc\Configuration\<CAName>\CSP":
Public Const wszREGPROVIDERTYPE As String = "ProviderType"
Public Const wszREGPROVIDER As String = "Provider"
Public Const wszHASHALGORITHM As String = "HashAlgorithm"
Public Const wszMACHINEKEYSET As String = "MachineKeyset"
'======================================================================
' Value strings for "CertSvc\Configuration\<CAName>\SubjectNameSeparator":
Public Const szNAMESEPARATORDEFAULT As String = "\n"
'======================================================================
' Value strings for "CertSvc\Configuration\<CAName>\ValidityPeriod", etc.:
Public Const wszPERIODYEARS As String = "Years"
Public Const wszPERIODMONTHS As String = "Months"
Public Const wszPERIODWEEKS As String = "Weeks"
Public Const wszPERIODDAYS As String = "Days"
Public Const wszPERIODHOURS As String = "Hours"
Public Const wszPERIODMINUTES As String = "Minutes"
Public Const wszPERIODSECONDS As String = "Seconds"
'======================================================================
' Values Under "CertSvc\Configuration\<CAName>\PolicyModules\<ProgId>":
Public Const wszREGISSUERCERTURLFLAGS As String = "IssuerCertURLFlags"
Public Const wszREGEDITFLAGS As String = "EditFlags"
Public Const wszREGSUBJECTALTNAME As String = "SubjectAltName"
Public Const wszREGSUBJECTALTNAME2 As String = "SubjectAltName2"
Public Const wszREGREQUESTDISPOSITION As String = "RequestDisposition"
Public Const wszREGCAPATHLENGTH As String = "CAPathLength"
Public Const wszREGREVOCATIONTYPE As String = "RevocationType"
Public Const wszREGLDAPREVOCATIONCRLURL_OLD As String = "LDAPRevocationCRLURL"
Public Const wszREGREVOCATIONCRLURL_OLD As String = "RevocationCRLURL"
Public Const wszREGFTPREVOCATIONCRLURL_OLD As String = "FTPRevocationCRLURL"
Public Const wszREGFILEREVOCATIONCRLURL_OLD As String = "FileRevocationCRLURL"
Public Const wszREGREVOCATIONURL As String = "RevocationURL"
Public Const wszREGLDAPISSUERCERTURL_OLD As String = "LDAPIssuerCertURL"
Public Const wszREGISSUERCERTURL_OLD As String = "IssuerCertURL"
Public Const wszREGFTPISSUERCERTURL_OLD As String = "FTPIssuerCertURL"
Public Const wszREGFILEISSUERCERTURL_OLD As String = "FileIssuerCertURL"
Public Const wszREGENABLEREQUESTEXTENSIONLIST As String = "EnableRequestExtensionList"
Public Const wszREGDISABLEEXTENSIONLIST As String = "DisableExtensionList"
' wszREGCAPATHLENGTH Values:
Public Const CAPATHLENGTH_INFINITE As Long = &Hffffffff
' wszREGREQUESTDISPOSITION Values:
Public Const REQDISP_PENDING As Long = &H00000000
Public Const REQDISP_ISSUE As Long = &H00000001
Public Const REQDISP_DENY As Long = &H00000002
Public Const REQDISP_USEREQUESTATTRIBUTE As Long = &H00000003
Public Const REQDISP_MASK As Long = &H000000ff
Public Const REQDISP_PENDINGFIRST As Long = &H00000100
' wszREGREVOCATIONTYPE Values:
Public Const REVEXT_CDPLDAPURL_OLD As Long = &H00000001
Public Const REVEXT_CDPHTTPURL_OLD As Long = &H00000002
Public Const REVEXT_CDPFTPURL_OLD As Long = &H00000004
Public Const REVEXT_CDPFILEURL_OLD As Long = &H00000008
Public Const REVEXT_CDPURLMASK_OLD As Long = &H000000ff
Public Const REVEXT_CDPENABLE As Long = &H00000100
Public Const REVEXT_ASPENABLE As Long = &H00000200
' wszREGISSUERCERTURLFLAGS Values:
Public Const ISSCERT_LDAPURL_OLD As Long = &H00000001
Public Const ISSCERT_HTTPURL_OLD As Long = &H00000002
Public Const ISSCERT_FTPURL_OLD As Long = &H00000004
Public Const ISSCERT_FILEURL_OLD As Long = &H00000008
Public Const ISSCERT_URLMASK_OLD As Long = &H000000ff
Public Const ISSCERT_ENABLE As Long = &H00000100
' wszREGEDITFLAGS Values: Defaults:
Public Const EDITF_ENABLEREQUESTEXTENSIONS As Long = &H00000001
Public Const EDITF_REQUESTEXTENSIONLIST As Long = &H00000002
Public Const EDITF_DISABLEEXTENSIONLIST As Long = &H00000004
Public Const EDITF_ADDOLDKEYUSAGE As Long = &H00000008
Public Const EDITF_ADDOLDCERTTYPE As Long = &H00000010
Public Const EDITF_ATTRIBUTEENDDATE As Long = &H00000020
Public Const EDITF_BASICCONSTRAINTSCRITICAL As Long = &H00000040
Public Const EDITF_BASICCONSTRAINTSCA As Long = &H00000080
Public Const EDITF_ENABLEAKIKEYID As Long = &H00000100
Public Const EDITF_ATTRIBUTECA As Long = &H00000200
Public Const EDITF_IGNOREREQUESTERGROUP As Long = &H00000400
Public Const EDITF_ENABLEAKIISSUERNAME As Long = &H00000800
Public Const EDITF_ENABLEAKIISSUERSERIAL As Long = &H00001000
Public Const EDITF_ENABLEAKICRITICAL As Long = &H00002000
'======================================================================
' Values Under "CertSvc\Configuration\<CAName>\ExitModules\<ProgId>":
' LDAP based CRL and URL issuance
Public Const wszREGLDAPREVOCATIONDN_OLD As String = "LDAPRevocationDN"
Public Const wszREGLDAPREVOCATIONDNTEMPLATE_OLD As String = "LDAPRevocationDNTemplate"
Public Const wszCRLPUBLISHRETRYCOUNT As String = "CRLPublishRetryCount"
Public Const wszREGCERTPUBLISHFLAGS As String = "PublishCertFlags"
' wszREGCERTPUBLISHFLAGS Values:
Public Const EXITPUB_FILE As Long = &H00000001
Public Const EXITPUB_ACTIVEDIRECTORY As Long = &H00000002
Public Const EXITPUB_EMAILNOTIFYALL As Long = &H00000004
Public Const EXITPUB_EMAILNOTIFYSMARTCARD As Long = &H00000008
Public Const EXITPUB_REMOVEOLDCERTS As Long = &H00000010
Public Const wszCLASS_CERTADMIN As String = "CertificateAuthority.Admin"
Public Const wszCLASS_CERTCONFIG As String = "CertificateAuthority.Config"
Public Const wszCLASS_CERTGETCONFIG As String = "CertificateAuthority.GetConfig"
Public Const wszCLASS_CERTENCODE As String = "CertificateAuthority.Encode"
Public Const wszCLASS_CERTREQUEST As String = "CertificateAuthority.Request"
Public Const wszCLASS_CERTSERVEREXIT As String = "CertificateAuthority.ServerExit"
Public Const wszCLASS_CERTSERVERPOLICY As String = "CertificateAuthority.ServerPolicy"
Public Const wszCLASS_CERTVIEW As String = "CertificateAuthority.View"
' class name templates
Public Const wszMICROSOFTCERTMODULE_PREFIX As String = "CertificateAuthority_MicrosoftDefault"
Public Const wszCERTEXITMODULE_POSTFIX As String = ".Exit"
Public Const wszCERTMANAGEEXIT_POSTFIX As String = ".ExitManage"
Public Const wszCERTPOLICYMODULE_POSTFIX As String = ".Policy"
Public Const wszCERTMANAGEPOLICY_POSTFIX As String = ".PolicyManage"
' actual policy/exit manage class names
' actual policy/exit class names
'+--------------------------------------------------------------------------
' Name properties:
Public Const wszPROPDISTINGUISHEDNAME As String = "DistinguishedName"
Public Const wszPROPRAWNAME As String = "RawName"
Public Const wszPROPNAMETYPE As String = "NameType"
Public Const wszPROPCOUNTRY As String = "Country"
Public Const wszPROPORGANIZATION As String = "Organization"
Public Const wszPROPORGUNIT As String = "OrgUnit"
Public Const wszPROPCOMMONNAME As String = "CommonName"
Public Const wszPROPLOCALITY As String = "Locality"
Public Const wszPROPSTATE As String = "State"
Public Const wszPROPTITLE As String = "Title"
Public Const wszPROPGIVENNAME As String = "GivenName"
Public Const wszPROPINITIALS As String = "Initials"
Public Const wszPROPSURNAME As String = "SurName"
Public Const wszPROPDOMAINCOMPONENT As String = "DomainComponent"
Public Const wszPROPEMAIL As String = "EMail"
Public Const wszPROPSTREETADDRESS As String = "StreetAddress"
Public Const wszPROPUNSTRUCTUREDNAME As String = "UnstructuredName"
Public Const wszPROPUNSTRUCTUREDADDRESS As String = "UnstructuredAddress"
Public Const wszPROPDEVICESERIALNUMBER As String = "DeviceSerialNumber"
'+--------------------------------------------------------------------------
' Subject Name properties:
Public Const wszPROPSUBJECTDOT As String = "Subject."
'+--------------------------------------------------------------------------
' Request properties:
Public Const wszPROPREQUESTDOT As String = "Request."
Public Const wszPROPREQUESTREQUESTID As String = "RequestID"
Public Const wszPROPREQUESTRAWREQUEST As String = "RawRequest"
Public Const wszPROPREQUESTRAWARCHIVEDKEY As String = "RawArchivedKey"
Public Const wszPROPREQUESTKEYRECOVERYHASHES As String = "KeyRecoveryHashes"
Public Const wszPROPREQUESTRAWOLDCERTIFICATE As String = "RawOldCertificate"
Public Const wszPROPREQUESTATTRIBUTES As String = "RequestAttributes"
Public Const wszPROPREQUESTTYPE As String = "RequestType"
Public Const wszPROPREQUESTFLAGS As String = "RequestFlags"
Public Const wszPROPREQUESTSTATUSCODE As String = "StatusCode"
Public Const wszPROPREQUESTDISPOSITION As String = "Disposition"
Public Const wszPROPREQUESTDISPOSITIONMESSAGE As String = "DispositionMessage"
Public Const wszPROPREQUESTSUBMITTEDWHEN As String = "SubmittedWhen"
Public Const wszPROPREQUESTRESOLVEDWHEN As String = "ResolvedWhen"
Public Const wszPROPREQUESTREVOKEDWHEN As String = "RevokedWhen"
Public Const wszPROPREQUESTREVOKEDEFFECTIVEWHEN As String = "RevokedEffectiveWhen"
Public Const wszPROPREQUESTREVOKEDREASON As String = "RevokedReason"
Public Const wszPROPREQUESTERNAME As String = "RequesterName"
'+--------------------------------------------------------------------------
' Request attribute properties:
Public Const wszPROPCHALLENGE As String = "Challenge"
Public Const wszPROPEXPECTEDCHALLENGE As String = "ExpectedChallenge"
Public Const wszPROPDISPOSITION As String = "Disposition"
Public Const wszPROPDISPOSITIONDENY As String = "Deny"
Public Const wszPROPDISPOSITIONPENDING As String = "Pending"
Public Const wszPROPVALIDITYPERIODSTRING As String = "ValidityPeriod"
Public Const wszPROPVALIDITYPERIODCOUNT As String = "ValidityPeriodUnits"
Public Const wszPROPCERTTYPE As String = "CertType"
Public Const wszPROPCERTTEMPLATE As String = "CertificateTemplate"
Public Const wszPROPREQUESTOSVERSION As String = "RequestOSVersion"
Public Const wszPROPREQUESTCSPPROVIDER As String = "RequestCSPProvider"
Public Const wszPROPEXITCERTFILE As String = "CertFile"
'+--------------------------------------------------------------------------
' Hardcoded properties
' ".#" means ".0", ".1", ".2" ... may be appended to the property name to
' collect context specific values. For some properties, the suffix selects
' the CA certificate context. For others, it selects the the CA CRL context.
Public Const wszPROPCATYPE As String = "CAType"
Public Const wszPROPSANITIZEDCANAME As String = "SanitizedCAName"
Public Const wszPROPSANITIZEDSHORTNAME As String = "SanitizedShortName"
Public Const wszPROPMACHINEDNSNAME As String = "MachineDNSName"
Public Const wszPROPMODULEREGLOC As String = "ModuleRegistryLocation"
Public Const wszPROPREQUESTERCAACCESS As String = "RequesterCAAccess"
Public Const wszPROPUSEDS As String = "fUseDS"
Public Const wszPROPCONFIGDN As String = "ConfigDN"
Public Const wszPROPDOMAINDN As String = "DomainDN"
Public Const wszPROPCERTCOUNT As String = "CertCount"
Public Const wszPROPRAWCACERTIFICATE As String = "RawCACertificate"
Public Const wszPROPCERTSTATE As String = "CertState"
Public Const wszPROPCERTSUFFIX As String = "CertSuffix"
Public Const wszPROPRAWCRL As String = "RawCRL"
Public Const wszPROPRAWDELTACRL As String = "RawDeltaCRL"
Public Const wszPROPCRLINDEX As String = "CRLIndex"
Public Const wszPROPCRLSTATE As String = "CRLState"
Public Const wszPROPCRLSUFFIX As String = "CRLSuffix"
' CA_DISP_REVOKED
' CA_DISP_VALID
' CA_DISP_INVALID
' CA_DISP_ERROR
' CA_DISP_REVOKED
'
' CA_DISP_VALID
' CA_DISP_INVALID
' CA_DISP_ERROR
'+--------------------------------------------------------------------------
' Certificate properties:
Public Const wszPROPCERTIFICATEREQUESTID As String = "RequestID"
Public Const wszPROPRAWCERTIFICATE As String = "RawCertificate"
Public Const wszPROPCERTIFICATEHASH As String = "CertificateHash"
Public Const wszPROPCERTIFICATETYPE As String = "CertificateType"
Public Const wszPROPCERTIFICATESERIALNUMBER As String = "SerialNumber"
Public Const wszPROPCERTIFICATENOTBEFOREDATE As String = "NotBefore"
Public Const wszPROPCERTIFICATENOTAFTERDATE As String = "NotAfter"
Public Const wszPROPCERTIFICATESUBJECTKEYIDENTIFIER As String = "SubjectKeyIdentifier"
Public Const wszPROPCERTIFICATERAWPUBLICKEY As String = "RawPublicKey"
Public Const wszPROPCERTIFICATEPUBLICKEYALGORITHM As String = "PublicKeyAlgorithm"
Public Const wszPROPCERTIFICATERAWSMIMECAPABILITIES As String = "RawSMIMECapabilities"
'+--------------------------------------------------------------------------
' Certificate extension properties:
Public Const EXTENSION_CRITICAL_FLAG As Long = &H00000001
Public Const EXTENSION_DISABLE_FLAG As Long = &H00000002
Public Const EXTENSION_POLICY_MASK As Long = &H0000ffff
Public Const EXTENSION_ORIGIN_REQUEST As Long = &H00010000
Public Const EXTENSION_ORIGIN_POLICY As Long = &H00020000
Public Const EXTENSION_ORIGIN_ADMIN As Long = &H00030000
Public Const EXTENSION_ORIGIN_SERVER As Long = &H00040000
Public Const EXTENSION_ORIGIN_RENEWALCERT As Long = &H00050000
Public Const EXTENSION_ORIGIN_IMPORTEDCERT As Long = &H00060000
Public Const EXTENSION_ORIGIN_PKCS7 As Long = &H00070000
Public Const EXTENSION_ORIGIN_CMC As Long = &H00080000
Public Const EXTENSION_ORIGIN_MASK As Long = &H000f0000
'+--------------------------------------------------------------------------
' Extension properties:
Public Const wszPROPEXTREQUESTID As String = "ExtensionRequestId"
Public Const wszPROPEXTNAME As String = "ExtensionName"
Public Const wszPROPEXTFLAGS As String = "ExtensionFlags"
Public Const wszPROPEXTRAWVALUE As String = "ExtensionRawValue"
'+--------------------------------------------------------------------------
' Attribute properties:
Public Const wszPROPATTRIBREQUESTID As String = "AttributeRequestId"
Public Const wszPROPATTRIBNAME As String = "AttributeName"
Public Const wszPROPATTRIBVALUE As String = "AttributeValue"
'+--------------------------------------------------------------------------
' CRL properties:
Public Const wszPROPCRLROWID As String = "CRLRowId"
Public Const wszPROPCRLNUMBER As String = "CRLNumber"
Public Const wszPROPCRLMINBASE As String = "CRLMinBase"
Public Const wszPROPCRLNAMEID As String = "CRLNameId"
Public Const wszPROPCRLCOUNT As String = "CRLCount"
Public Const wszPROPCRLTHISUPDATE As String = "CRLThisUpdate"
Public Const wszPROPCRLNEXTUPDATE As String = "CRLNextUpdate"
Public Const wszPROPCRLTHISPUBLISH As String = "CRLThisPublish"
Public Const wszPROPCRLNEXTPUBLISH As String = "CRLNextPublish"
Public Const wszPROPCRLEFFECTIVE As String = "CRLEffective"
Public Const wszPROPCRLPROPAGATIONCOMPLETE As String = "CRLPropagationComplete"
Public Const wszPROPCRLRAWCRL As String = "CRLRawCRL"
'+--------------------------------------------------------------------------
' GetProperty/SetProperty Flags:
'
' Choose one Type
Public Const PROPTYPE_LONG As Long = &H00000001
Public Const PROPTYPE_DATE As Long = &H00000002
Public Const PROPTYPE_BINARY As Long = &H00000003
Public Const PROPTYPE_STRING As Long = &H00000004
Public Const PROPTYPE_MASK As Long = &H000000ff
' Choose one Caller:
Public Const PROPCALLER_SERVER As Long = &H00000100
Public Const PROPCALLER_POLICY As Long = &H00000200
Public Const PROPCALLER_EXIT As Long = &H00000300
Public Const PROPCALLER_ADMIN As Long = &H00000400
Public Const PROPCALLER_REQUEST As Long = &H00000500
Public Const PROPCALLER_MASK As Long = &H00000f00
Public Const PROPFLAGS_INDEXED As Long = &H00010000
' RequestFlags definitions:
Public Const CR_FLG_FORCETELETEX As Long = &H00000001
Public Const CR_FLG_RENEWAL As Long = &H00000002
Public Const CR_FLG_FORCEUTF8 As Long = &H00000004
Public Const CR_FLG_CAXCHGCERT As Long = &H00000008
' Disposition property values:
' Disposition values for requests in the queue:
Public Const DB_DISP_ACTIVE As Long = 8
Public Const DB_DISP_PENDING As Long = 9
Public Const DB_DISP_QUEUE_MAX As Long = 9
Public Const DB_DISP_CA_CERT As Long = 15
Public Const DB_DISP_CA_CERT_CHAIN As Long = 16
' Disposition values for requests in the log:
Public Const DB_DISP_LOG_MIN As Long = 20
Public Const DB_DISP_ISSUED As Long = 20
Public Const DB_DISP_REVOKED As Long = 21
' Disposition values for failed requests in the log:
Public Const DB_DISP_LOG_FAILED_MIN As Long = 30
Public Const DB_DISP_ERROR As Long = 30
Public Const DB_DISP_DENIED As Long = 31
Public Const VR_PENDING As Long = 0
Public Const VR_INSTANT_OK As Long = 1
Public Const VR_INSTANT_BAD As Long = 2
'+--------------------------------------------------------------------------
' Known request Attribute names and Value strings
' RequestType attribute name:
Public Const wszCERT_TYPE As String = "RequestType"
' RequestType attribute values:
' Not specified:
Public Const wszCERT_TYPE_CLIENT As String = "Client"
Public Const wszCERT_TYPE_SERVER As String = "Server"
Public Const wszCERT_TYPE_CODESIGN As String = "CodeSign"
Public Const wszCERT_TYPE_CUSTOMER As String = "SetCustomer"
Public Const wszCERT_TYPE_MERCHANT As String = "SetMerchant"
Public Const wszCERT_TYPE_PAYMENT As String = "SetPayment"
' Version attribute name:
Public Const wszCERT_VERSION As String = "Version"
' Version attribute values:
' Not specified:
Public Const wszCERT_VERSION_1 As String = "1"
Public Const wszCERT_VERSION_2 As String = "2"
Public Const wszCERT_VERSION_3 As String = "3"
Public Const CA_DISP_INCOMPLETE As Long = 0
Public Const CA_DISP_ERROR As Long = &H1
Public Const CA_DISP_REVOKED As Long = &H2
Public Const CA_DISP_VALID As Long = &H3
Public Const CA_DISP_INVALID As Long = &H4
Public Const CA_DISP_UNDER_SUBMISSION As Long = &H5
Public Const CA_CRL_BASE As Long = &H1
Public Const CA_CRL_DELTA As Long = &H2
'+--------------------------------------------------------------------------
'
' Microsoft Windows
'
' File: certbcli.h
'
' Contents: Cert Server backup client APIs
'
'---------------------------------------------------------------------------
Public Const szBACKUPANNOTATION As String = "Cert Server Backup Interface"
Public Const szRESTOREANNOTATION As String = "Cert Server Restore Interface"
' Type of Backup passed to CertSrvBackupPrepare:
' CSBACKUP_TYPE_LOGS_ONLY: Requesting backup of only the log files
' CSBACKUP_TYPE_INCREMENTAL: Requesting incremental backup
' CertSrvBackupPrepare flags:
Public Const CSBACKUP_TYPE_FULL As Long = &H00000001
Public Const CSBACKUP_TYPE_LOGS_ONLY As Long = &H00000002
'#define CSBACKUP_TYPE_INCREMENTAL 0x00000004
Public Const CSBACKUP_TYPE_MASK As Long = &H00000003
' Type of Restore passed to CertSrvRestorePrepare:
' CSRESTORE_TYPE_ONLINE: Restoration is done when Cert Server is online.
Public Const CSRESTORE_TYPE_FULL As Long = &H00000001
Public Const CSRESTORE_TYPE_ONLINE As Long = &H00000002
Public Const CSRESTORE_TYPE_CATCHUP As Long = &H00000004
Public Const CSRESTORE_TYPE_MASK As Long = &H00000005
' Setting the current log # to this value would disable incremental backup
Public Const CSBACKUP_DISABLE_INCREMENTAL As Long = &Hffffffff
' We keep them as a character so that we can append/prepend them to the actual
' file path. The code in the Backup API's rely on the fact that values 0-256
' in 8 bit ascii map to the values 0-256 in unicode.
' Bit flags:
' CSBFT_DIRECTORY - path specified is a directory
' CSBFT_DATABASE_DIRECTORY - that file goes into database directory
' CSBFT_LOG_DIRECTORY - that the file goes into log directory
Public Const CSBFT_DIRECTORY As Long = &H80
Public Const CSBFT_DATABASE_DIRECTORY As Long = &H40
Public Const CSBFT_LOG_DIRECTORY As Long = &H20
' Following combinations are defined for easy use of the filetype and the
' directory into into which it goes
' Backup Context Handle
' For all the functions in this interface that have at least one string
' parameter, provide macros to invoke the appropriate version of the
' corresponding function.
'+--------------------------------------------------------------------------
' CertSrvIsServerOnline -- check to see if the Cert Server is Online on the
' given server. This call is guaranteed to return quickly.
'
' Parameters:
' [in] pwszServerName - name or config string of the server to check
' [out] pfServerOnline - pointer to receive the bool result
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'+--------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvBackupGetDynamicFileList -- return the list of dynamic files that
' need to be backed up in addition to database files.
'
' Parameters:
' [in] hbc - backup context handle
' [out] ppwszzFileList - pointer to receive the pointer to the file list;
' by the caller when it is no longer needed; The file list info
' is an array of null-terminated filenames and the list is
' terminated by two L'\0's.
' [out] pcbSize - will receive the number of bytes returned
'
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvBackupPrepare -- prepare the DB for the online backup and return a
' Backup Context Handle to be used for subsequent calls to backup
' functions.
'
' Parameters:
' [in] pwszServerName - name or config string of the server to check
' [in] grbitJet - flag to be passed to jet while backing up dbs
' [in] dwBackupFlags - CSBACKUP_TYPE_FULL or CSBACKUP_TYPE_LOGS_ONLY
' [out] phbc - pointer that will receive the backup context handle
'
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvBackupGetDatabaseNames -- return the list of data bases that need to
' be backed up for the given backup context
'
' Parameters:
' [in] hbc - backup context handle
' [out] ppwszzAttachmentInformation - pointer to receive the pointer to
' the attachment info; allocated memory should be freed using
' needed; Attachment info is an array of null-terminated
' filenames and the list is terminated by two L'\0's.
' [out] pcbSize - will receive the number of bytes returned
'
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvBackupOpenFile -- open the given attachment for read.
'
' Parameters:
' [in] hbc - backup context handle
' [in] pwszAttachmentName - name of the attachment to be opened for read
' [in] cbReadHintSize - suggested size in bytes that might be used
' during the subsequent reads on this attachment
' [out] pliFileSize - pointer to a large integer that would receive the
' size in bytes of the given attachment
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvBackupRead -- read the currently open attachment bytes into the given
' buffer. The client application is expected to call this function
' received the file size through the CertSrvBackupOpenFile call before.
'
' Parameters:
' [in] hbc - backup context handle
' [out] pvBuffer - pointer to the buffer that would receive the read data.
' [in] cbBuffer - specifies the size of the above buffer
' [out] pcbRead - pointer to receive the actual number of bytes read.
'
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvBackupClose -- called by the application after it completes reading all
' the data in the currently opened attachement.
'
' Parameters:
' [in] hbc - backup context handle
'
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvBackupGetBackupLogs -- return the list of log files that need to be
' backed up for the given backup context
'
' Parameters:
' [in] hbc - backup context handle
' [out] pwszzBackupLogFiles - pointer that will receive the pointer to
' the list of log files; allocated memory should be freed using
' longer needed; Log files are returned in an array of
' null-terminated filenames and the list is terminated by two
' L'\0's
' [out] pcbSize - will receive the number of bytes returned
'
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvBackupTruncateLogs -- called to truncate the already read backup logs.
'
' Parameters:
' [in] hbc - backup context handle
'
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvBackupEnd -- called to end the current backup session.
'
' Parameters:
' [in] hbc - backup context handle of the backup session
'
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvBackupFree -- free any buffer allocated by certbcli.dll APIs.
'
' Parameters:
' [in] pv - pointer to the buffer that is to be freed.
'
' Returns:
' None.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvRestoreGetDatabaseLocations -- called both at backup time as well as
' at restorate time to get data base locations for different types of
' files.
'
' Parameters:
' [in] hbc - backup context handle which would have been obtained
' through CertSrvBackupPrepare in the backup case and through
' CertSrvRestorePrepare in the restore case.
' [out] ppwszzDatabaseLocationList - pointer that will receive the
' pointer to the list of database locations; allocated memory
' when it is no longer needed; locations are returned in an array
' of null-terminated names and and the list is terminated by
' two L'\0's. The first character of each name is the BFT
' character that indicates the type of the file and the rest of
' the name tells gives the path into which that particular type
' of file should be restored.
' [out] pcbSize - will receive the number of bytes returned
'
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvRestorePrepare -- indicate beginning of a restore session.
'
' Parameters:
' [in] pwszServerName - name or config string of the server into which
' the restore operation is going to be performed.
' [in] dwRestoreFlags - Or'ed combination of CSRESTORE_TYPE_* flags;
' 0 if no special flags are to be specified
' [out] phbc - pointer to receive the backup context handle which is to
' be passed to the subsequent restore APIs
'
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvRestoreRegister -- register a restore operation. It will interlock
' all subsequent restore operations, and will prevent the restore target
' from starting until the call to CertSrvRestoreRegisterComplete is made.
'
' Parameters:
' [in] hbc - backup context handle for the restore session.
' [in] pwszCheckPointFilePath - path to restore the check point files
' [in] pwszLogPath - path where the log files are restored
' [in] rgrstmap - restore map
' [in] crstmap - tells if there is a new restore map
' [in] pwszBackupLogPath - path where the backup logs are located
' [in] genLow - Lowest log# that was restored in this restore session
' [in] genHigh - Highest log# that was restored in this restore session
'
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvRestoreRegisterComplete -- indicate that a previously registered
' restore is complete.
'
' Parameters:
' [in] hbc - backup context handle
' [in] hrRestoreState - success code if the restore was successful
'
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvRestoreEnd -- end a restore session
'
' Parameters:
' [in] hbc - backup context handle
'
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
'+--------------------------------------------------------------------------
' CertSrvServerControl -- send a control command to the cert server.
'
' Parameters:
' [in] pwszServerName - name or config string of the server to control
' [in] dwControlFlags - control command and flags
' [out] pcbOut - pointer to receive the size of command output data
' [out] ppbOut - pointer to receive command output data. Use the
'
' Returns:
' S_OK if the call executed successfully;
' Failure code otherwise.
'---------------------------------------------------------------------------
Public Const CSCONTROL_SHUTDOWN As Long = &H000000001
Public Const CSCONTROL_SUSPEND As Long = &H000000002
Public Const CSCONTROL_RESTART As Long = &H000000003
Public Const wszCONFIG_COMMONNAME As String = "CommonName"
Public Const wszCONFIG_ORGUNIT As String = "OrgUnit"
Public Const wszCONFIG_ORGANIZATION As String = "Organization"
Public Const wszCONFIG_LOCALITY As String = "Locality"
Public Const wszCONFIG_STATE As String = "State"
Public Const wszCONFIG_COUNTRY As String = "Country"
Public Const wszCONFIG_CONFIG As String = "Config"
Public Const wszCONFIG_EXCHANGECERTIFICATE As String = "ExchangeCertificate"
Public Const wszCONFIG_SIGNATURECERTIFICATE As String = "SignatureCertificate"
Public Const wszCONFIG_DESCRIPTION As String = "Description"
Public Const wszCONFIG_COMMENT As String = "Comment"
Public Const wszCONFIG_SERVER As String = "Server"
Public Const wszCONFIG_AUTHORITY As String = "Authority"
Public Const wszCONFIG_SANITIZEDNAME As String = "SanitizedName"
Public Const wszCONFIG_SHORTNAME As String = "ShortName"
Public Const wszCONFIG_SANITIZEDSHORTNAME As String = "SanitizedShortName"
Public Const wszCONFIG_FLAGS As String = "Flags"
Public Const CAIF_DSENTRY As Long = &H1
Public Const CAIF_SHAREDFOLDERENTRY As Long = &H2
Public Const CAIF_REGISTRY As Long = &H4
Public Const CAIF_LOCAL As Long = &H8
Public Const CR_IN_BASE64HEADER As Long = 0
Public Const CR_IN_BASE64 As Long = &H1
Public Const CR_IN_BINARY As Long = &H2
Public Const CR_IN_ENCODEANY As Long = &Hff
Public Const CR_IN_ENCODEMASK As Long = &Hff
Public Const CR_IN_FORMATANY As Long = 0
Public Const CR_IN_PKCS10 As Long = &H100
Public Const CR_IN_KEYGEN As Long = &H200
Public Const CR_IN_PKCS7 As Long = &H300
Public Const CR_IN_CMC As Long = &H400
Public Const CR_IN_FORMATMASK As Long = &Hff00
Public Const CR_IN_RPC As Long = &H20000
Public Const CC_DEFAULTCONFIG As Long = 0
Public Const CC_UIPICKCONFIG As Long = &H1
Public Const CC_FIRSTCONFIG As Long = &H2
Public Const CC_LOCALCONFIG As Long = &H3
Public Const CC_LOCALACTIVECONFIG As Long = &H4
Public Const CR_DISP_INCOMPLETE As Long = 0
Public Const CR_DISP_ERROR As Long = &H1
Public Const CR_DISP_DENIED As Long = &H2
Public Const CR_DISP_ISSUED As Long = &H3
Public Const CR_DISP_ISSUED_OUT_OF_BAND As Long = &H4
Public Const CR_DISP_UNDER_SUBMISSION As Long = &H5
Public Const CR_DISP_REVOKED As Long = &H6
Public Const CR_OUT_BASE64HEADER As Long = 0
Public Const CR_OUT_BASE64 As Long = &H1
Public Const CR_OUT_BINARY As Long = &H2
Public Const CR_OUT_ENCODEMASK As Long = &Hff
Public Const CR_OUT_CHAIN As Long = &H100
Public Const CR_GEMT_HRESULT_STRING As Long = &H1
Public Const CR_PROP_NONE As Long = 0
Public Const CR_PROP_FILEVERSION As Long = 1
Public Const CR_PROP_PRODUCTVERSION As Long = 2
Public Const CR_PROP_EXITCOUNT As Long = 3
Public Const CR_PROP_EXITDESCRIPTION As Long = 4
Public Const CR_PROP_POLICYDESCRIPTION As Long = 5
Public Const CR_PROP_CANAME As Long = 6
Public Const CR_PROP_SANITIZEDCANAME As Long = 7
Public Const CR_PROP_SHAREDFOLDER As Long = 8
Public Const CR_PROP_PARENTCA As Long = 9
Public Const CR_PROP_CATYPE As Long = 10
Public Const CR_PROP_CASIGCERTCOUNT As Long = 11
Public Const CR_PROP_CASIGCERT As Long = 12
Public Const CR_PROP_CASIGCERTCHAIN As Long = 13
Public Const CR_PROP_CAXCHGCERTCOUNT As Long = 14
Public Const CR_PROP_CAXCHGCERT As Long = 15
Public Const CR_PROP_CAXCHGCERTCHAIN As Long = 16
Public Const CR_PROP_BASECRL As Long = 17
Public Const CR_PROP_DELTACRL As Long = 18
Public Const CR_PROP_CACERTSTATE As Long = 19
Public Const CR_PROP_CRLSTATE As Long = 20
Public Const CR_PROP_CAPROPIDMAX As Long = 21
Public Const CR_PROP_DNSNAME As Long = 22
Public Const EAN_NAMEOBJECTID As Long = &H80000000
Public Const EXITEVENT_INVALID As Long = 0
Public Const EXITEVENT_CERTISSUED As Long = &H1
Public Const EXITEVENT_CERTPENDING As Long = &H2
Public Const EXITEVENT_CERTDENIED As Long = &H4
Public Const EXITEVENT_CERTREVOKED As Long = &H8
Public Const EXITEVENT_CERTRETRIEVEPENDING As Long = &H10
Public Const EXITEVENT_CRLISSUED As Long = &H20
Public Const EXITEVENT_SHUTDOWN As Long = &H40
Public Const ENUMEXT_OBJECTID As Long = &H1
Public Const CMM_REFRESHONLY As Long = &H1
Public Const wszCMM_PROP_NAME As String = "Name"
Public Const wszCMM_PROP_DESCRIPTION As String = "Description"
Public Const wszCMM_PROP_COPYRIGHT As String = "Copyright"
Public Const wszCMM_PROP_FILEVER As String = "File Version"
Public Const wszCMM_PROP_PRODUCTVER As String = "Product Version"
Public Const wszCMM_PROP_DISPLAY_HWND As String = "HWND"
Public Const CV_OUT_BASE64HEADER As Long = 0
Public Const CV_OUT_BASE64 As Long = &H1
Public Const CV_OUT_BINARY As Long = &H2
Public Const CV_OUT_BASE64REQUESTHEADER As Long = &H3
Public Const CV_OUT_HEX As Long = &H4
Public Const CV_OUT_HEXASCII As Long = &H5
Public Const CV_OUT_BASE64X509CRLHEADER As Long = &H9
Public Const CV_OUT_HEXADDR As Long = &Ha
Public Const CV_OUT_HEXASCIIADDR As Long = &Hb
Public Const CV_OUT_ENCODEMASK As Long = &Hff
Public Const CVR_SEEK_NONE As Long = 0
Public Const CVR_SEEK_EQ As Long = &H1
Public Const CVR_SEEK_LT As Long = &H2
Public Const CVR_SEEK_LE As Long = &H4
Public Const CVR_SEEK_GE As Long = &H8
Public Const CVR_SEEK_GT As Long = &H10
Public Const CVR_SEEK_MASK As Long = &Hff
Public Const CVR_SEEK_NODELTA As Long = &H1000
Public Const CVR_SORT_NONE As Long = 0
Public Const CVR_SORT_ASCEND As Long = &H1
Public Const CVR_SORT_DESCEND As Long = &H2
Public Const CV_COLUMN_QUEUE_DEFAULT As Long = -1
Public Const CV_COLUMN_LOG_DEFAULT As Long = -2
Public Const CV_COLUMN_LOG_FAILED_DEFAULT As Long = -3
Public Const CV_COLUMN_EXTENSION_DEFAULT As Long = -4
Public Const CV_COLUMN_ATTRIBUTE_DEFAULT As Long = -5
Public Const CV_COLUMN_CRL_DEFAULT As Long = -6
Public Const CVRC_COLUMN_SCHEMA As Long = 0
Public Const CVRC_COLUMN_RESULT As Long = &H1
Public Const CVRC_COLUMN_VALUE As Long = &H2
Public Const CVRC_COLUMN_MASK As Long = &Hfff
Public Const CVRC_TABLE_REQCERT As Long = 0
Public Const CVRC_TABLE_EXTENSIONS As Long = &H3000
Public Const CVRC_TABLE_ATTRIBUTES As Long = &H4000
Public Const CVRC_TABLE_CRL As Long = &H5000
Public Const CVRC_TABLE_MASK As Long = &Hf000
Public Const CVRC_TABLE_SHIFT As Long = 12
'+--------------------------------------------------------------------------
'
' Microsoft Windows
'
' File: certca.h
'
' Contents: Definition of the CA Info API
'
' History: 12-dec-97 petesk created
' 28-Jan-2000 xiaohs updated
'
'---------------------------------------------------------------------------
'************************************************************************************
'
' Flags used by CAFindByName, CAFindByCertType, CAFindByIssuerDN and CAEnumFirstCA
'
' See comments on each API for a list of applicable flags
'
'************************************************************************************
'the wszScope supplied is a domain location in the DNS format
Public Const CA_FLAG_SCOPE_DNS As Long = &H00000001
' include untrusted CA
Public Const CA_FIND_INCLUDE_UNTRUSTED As Long = &H00000010
' running as local system. Used to verify ca certificate chain
Public Const CA_FIND_LOCAL_SYSTEM As Long = &H00000020
' Include Ca's that do not support templates
Public Const CA_FIND_INCLUDE_NON_TEMPLATE_CA As Long = &H00000040
' The value passed in for scope is an LDAP binding handle to use during finds
Public Const CA_FLAG_SCOPE_IS_LDAP_HANDLE As Long = &H00000800
'************************************************************************************
'
' Flags used by CAEnumCertTypesForCA, CAEnumCertTypes, and CAFindCertTypeByName
'
' See comments on each API for a list of applicable flags
'
'************************************************************************************
' Instead of enumerating the certificate types suppoerted by the CA, enumerate ALL
' certificate types which the CA may choose to support.
Public Const CA_FLAG_ENUM_ALL_TYPES As Long = &H00000004
' running as local system. Used to find cached information in the registry.
' Return machine types, as opposed to user types
Public Const CT_ENUM_MACHINE_TYPES As Long = &H00000040
' Return user types, as opposed to user types
Public Const CT_ENUM_USER_TYPES As Long = &H00000080
' Disable the cache expiration check
Public Const CT_FLAG_NO_CACHE_LOOKUP As Long = &H00000400
' The value passed in for scope is an LDAP binding handle to use during finds
'************************************************************************************
'
' Certification Authority manipulation API's
'
'************************************************************************************
' CAFindCAByName
'
' the given domain and return the given phCAInfo structure.
'
' wszCAName - Common name of the CA
'
' Equivalent of the "base" parameter of the ldap_search_sxxx APIs.
' NULL if use the current domain.
' If CA_FLAG_SCOPE_DNS is set, wszScope is in the DNS format.
' If CA_FLAG_SCOPE_IS_LDAP_HANDLE is set, wszScope is the an LDAP
' binding handle to use during finds
'
' dwFlags - Oring of the following flags:
' CA_FLAG_SCOPE_DNS
' CA_FIND_INCLUDE_UNTRUSTED
' CA_FIND_LOCAL_SYSTEM
' CA_FIND_INCLUDE_NON_TEMPLATE_CA
' CA_FLAG_SCOPE_IS_LDAP_HANDLE
'
' phCAInfo - Handle to the returned CA.
'
'
'
' Return: Returns S_OK if CA was found.
'
'
' CAFindByCertType
'
' Given the Name of a Cert Type, find all the CAs within
' the given domain and return the given phCAInfo structure.
'
' wszCertType - Common Name of the cert type
'
' Equivalent of the "base" parameter of the ldap_search_sxxx APIs.
' NULL if use the current domain.
' If CA_FLAG_SCOPE_DNS is set, wszScope is in the DNS format.
' If CA_FLAG_SCOPE_IS_LDAP_HANDLE is set, wszScope is the an LDAP
' binding handle to use during finds
'
' dwFlags - Oring of the following flags:
' CA_FLAG_SCOPE_DNS
' CA_FIND_INCLUDE_UNTRUSTED
' CA_FIND_LOCAL_SYSTEM
' CA_FIND_INCLUDE_NON_TEMPLATE_CA
' CA_FLAG_SCOPE_IS_LDAP_HANDLE
'
' phCAInfo - Handle to enumeration of CA's supporting
' - cert type.
'
'
' Return: Returns S_OK on success.
' Will return S_OK if none are found.
' *phCAInfo will contain NULL
'
'
' CAFindByIssuerDN
' Given the DN of a CA, find the CA within
' the given domain and return the given phCAInfo handle.
'
' pIssuerDN - a cert name blob from the CA's certificate.
'
' Equivalent of the "base" parameter of the ldap_search_sxxx APIs.
' NULL if use the current domain.
' If CA_FLAG_SCOPE_DNS is set, wszScope is in the DNS format.
' If CA_FLAG_SCOPE_IS_LDAP_HANDLE is set, wszScope is the an LDAP
' binding handle to use during finds
'
' dwFlags - Oring of the following flags:
' CA_FLAG_SCOPE_DNS
' CA_FIND_INCLUDE_UNTRUSTED
' CA_FIND_LOCAL_SYSTEM
' CA_FIND_INCLUDE_NON_TEMPLATE_CA
' CA_FLAG_SCOPE_IS_LDAP_HANDLE
'
'
' Return: Returns S_OK if CA was found.
'
'
' CAEnumFirstCA
' Enumerate the CA's in a scope
'
' Equivalent of the "base" parameter of the ldap_search_sxxx APIs.
' NULL if use the current domain.
' If CA_FLAG_SCOPE_DNS is set, wszScope is in the DNS format.
' If CA_FLAG_SCOPE_IS_LDAP_HANDLE is set, wszScope is the an LDAP
' binding handle to use during finds
'
' dwFlags - Oring of the following flags:
' CA_FLAG_SCOPE_DNS
' CA_FIND_INCLUDE_UNTRUSTED
' CA_FIND_LOCAL_SYSTEM
' CA_FIND_INCLUDE_NON_TEMPLATE_CA
' CA_FLAG_SCOPE_IS_LDAP_HANDLE
'
' phCAInfo - Handle to enumeration of CA's supporting
' - cert type.
'
'
' Return: Returns S_OK on success.
' Will return S_OK if none are found.
' *phCAInfo will contain NULL
'
'
' CAEnumNextCA
' Find the Next CA in an enumeration.
'
' hPrevCA - Current ca in an enumeration.
'
' phCAInfo - next ca in an enumeration.
'
' Return: Returns S_OK on success.
' Will return S_OK if none are found.
' *phCAInfo will contain NULL
'
'
' CACreateNewCA
' Create a new CA of given name.
'
' wszCAName - Common name of the CA
'
' CA object. We will add the "CN=...,..,CN=Services" after the DN.
' NULL if use the current domain.
' If CA_FLAG_SCOPE_DNS is set, wszScope is in the DNS format.
'
' dwFlags - Oring of the following flags:
' CA_FLAG_SCOPE_DNS
'
' phCAInfo - Handle to the returned CA.
'
' See above for other parameter definitions
'
' Return: Returns S_OK if CA was created.
'
' NOTE: Actual updates to the CA object may not occur
' until CAUpdateCA is called.
' In order to successfully update a created CA,
' the Certificate must be set, as well as the
' Certificate Types property.
'
'
' CAUpdateCA
' Write any changes made to the CA back to the CA object.
'
' hCAInfo - Handle to an open CA object.
'
'
' CADeleteCA
' Delete the CA object from the DS.
'
' hCAInfo - Handle to an open CA object.
'
'
' CACountCAs
' return the number of CAs in this enumeration
'
'
' CACloseCA
' Close an open CA handle
'
' hCAInfo - Handle to an open CA object.
'
'
' CAGetCAProperty - Given a property name, retrieve a
' property from a CAInfo.
'
' hCAInfo - Handle to an open CA object.
'
' wszPropertyName - Name of the CA property
'
' pawszPropertyValue - A pointer into which an array
' of WCHAR strings is written, containing
' the values of the property. The last
' element of the array points to NULL.
' If the property is single valued, then
' the array returned contains 2 elements,
' the first pointing to the value, the second
' pointing to NULL. This pointer must be
' freed by CAFreeCAProperty.
'
'
' Returns - S_OK on success.
'
'
' CAFreeProperty
' Free's a previously retrieved property value.
'
' hCAInfo - Handle to an open CA object.
'
' awszPropertyValue - pointer to the previously retrieved
' - property value.
'
'
' CASetCAProperty - Given a property name, set it's value.
'
' hCAInfo - Handle to an open CA object.
'
' wszPropertyName - Name of the CA property
'
' awszPropertyValue - An array of values to set
' - for this property. The last element of this
' - array should be NULL.
' - For single valued properties, the values beyond thie
' - first will be ignored upon update.
'
' Returns - S_OK on success.
'
'************************************************************************************
' CA Properties
'
'************************************************************************************
' simple name of the CA
Public Const CA_PROP_NAME As String = "cn"
' display name of the CA object
Public Const CA_PROP_DISPLAY_NAME As String = "displayName"
' dns name of the machine
Public Const CA_PROP_DNSNAME As String = "dNSHostName"
Public Const CA_PROP_DSLOCATION As String = "distinguishedName"
' Supported cert types
Public Const CA_PROP_CERT_TYPES As String = "certificateTemplates"
' Supported signature algs
Public Const CA_PROP_SIGNATURE_ALGS As String = "signatureAlgorithms"
' DN of the CA's cert
Public Const CA_PROP_CERT_DN As String = "cACertificateDN"
' DN of the CA's cert
Public Const CA_PROP_ENROLLMENT_PROVIDERS As String = "enrollmentProviders"
' CA's description
Public Const CA_PROP_DESCRIPTION As String = "Description"
'
' CAGetCACertificate - Return the current certificate for
' this ca.
'
' hCAInfo - Handle to an open CA object.
'
' ppCert - Pointer into which a certificate
' - is written. This certificate must
' - be freed via CertFreeCertificateContext.
' - This value will be NULL if no certificate
' - is set for this CA.
'
'
' CAGetCertTypeFlags
' Retrieve cert type flags
'
' hCertType - handle to the CertType
'
' pdwFlags - pointer to DWORD receiving flags
'
'************************************************************************************
'
' CA Flags
'
'************************************************************************************
' The CA supports certificate templates
Public Const CA_FLAG_NO_TEMPLATE_SUPPORT As Long = &H00000001
' The CA supports NT authentication for requests
Public Const CA_FLAG_SUPPORTS_NT_AUTHENTICATION As Long = &H00000002
' The cert requests may be pended
Public Const CA_FLAG_CA_SUPPORTS_MANUAL_AUTHENTICATION As Long = &H00000004
Public Const CA_MASK_SETTABLE_FLAGS As Long = &H0000ffff
'
' CASetCAFlags
' Sets the Flags of a cert type
'
' hCertType - handle to the CertType
'
' dwFlags - Flags to be set
'
'
' CASetCACertificate - Set the certificate for a CA
' this ca.
'
' hCAInfo - Handle to an open CA object.
'
' pCert - Pointer to a certificat to set as the CA's certificte.
'
'
' CAGetCAExpiration
' Get the expirations period for a CA.
'
' hCAInfo - Handle to an open CA handle.
'
' pdwExpiration - expiration period in dwUnits time
'
' pdwUnits - Units identifier
'
Public Const CA_UNITS_DAYS As Long = 1
Public Const CA_UNITS_WEEKS As Long = 2
Public Const CA_UNITS_MONTHS As Long = 3
Public Const CA_UNITS_YEARS As Long = 4
'
' CASetCAExpiration
' Set the expirations period for a CA.
'
' hCAInfo - Handle to an open CA handle.
'
' dwExpiration -
'
' dwUnits - Units identifier
'
'
' CASetCASecurity
' Set the list of Users, Groups, and Machines allowed
' to access this CA.
'
' hCAInfo - Handle to an open CA handle.
'
' pSD - Security descriptor for this CA
'
'
' CAGetCASecurity
' Get the list of Users, Groups, and Machines allowed
' to access this CA.
'
' hCAInfo - Handle to an open CA handle.
'
' ppSD - Pointer to a location receiving
' - the pointer to the security descriptor
' - Free via LocalFree
'
'
'
' CAAccessCheck
' Determine whether the principal specified by
' ClientToken can get a cert from the CA.
'
' hCAInfo - Handle to the CA
'
' ClientToken - Handle to an impersonation token
' - that represents the client attempting
' - request this cert type. The handle must
' - have TOKEN_QUERY access to the token;
' - otherwise, the function fails with
' - ERROR_ACCESS_DENIED.
'
' Return: S_OK on success
'
'
' CAEnumCertTypesForCA - Given a HCAINFO, retrieve handle to
' the cert types supported, or known by this CA.
' CAEnumNextCertType can be used to enumerate through the
' cert types.
'
' hCAInfo - Handle to an open CA handle or NULL if CT_FLAG_ENUM_ALL_TYPES is set
' in dwFlags.
'
' dwFlags - The following flags may be or'd together
' CA_FLAG_ENUM_ALL_TYPES
' CT_FIND_LOCAL_SYSTEM
' CT_ENUM_MACHINE_TYPES
' CT_ENUM_USER_TYPES
' CT_FLAG_NO_CACHE_LOOKUP
'
'
' phCertType - Enumeration of certificate types.
'
'
' CAAddCACertificateType
' Add a certificate type to a CA.
' If the cert type has already been added to the
' ca, it will not be added again.
'
' hCAInfo - Handle to an open CA.
'
' hCertType - Cert type to add to CA.
'
'
' CADeleteCACertificateType
' Remove a certificate type from a CA.
' If the CA does not include this cert type.
' This call does nothing.
'
' hCAInfo - Handle to an open CA.
'
' hCertType - Cert type to delete from CA.
'
'************************************************************************************
'
' Certificate Type API's
'
'************************************************************************************
'
' CAEnumCertTypes - Retrieve a handle to all known cert types
' CAEnumNextCertType can be used to enumerate through the
' cert types.
'
'
' dwFlags - an oring of the following:
'
' CT_FIND_LOCAL_SYSTEM
' CT_ENUM_MACHINE_TYPES
' CT_ENUM_USER_TYPES
' CT_FLAG_NO_CACHE_LOOKUP
'
' phCertType - Enumeration of certificate types.
'
'
' CAFindCertTypeByName
' Find a cert type given a Name.
'
' wszCertType - Name of the cert type
'
' hCAInfo - NULL unless CT_FLAG_SCOPE_IS_LDAP_HANDLE is set in the dwFlags
'
' dwFlags - an oring of the following
'
' CT_FIND_LOCAL_SYSTEM
' CT_ENUM_MACHINE_TYPES
' CT_ENUM_USER_TYPES
' CT_FLAG_NO_CACHE_LOOKUP
' CT_FLAG_SCOPE_IS_LDAP_HANDLE -- If this flag is set, hCAInfo
' is an LDAP handle to use during finds
' phCertType - Poiter to a cert type in which result is returned.
'
'************************************************************************************
'
' Default cert type names
'
'************************************************************************************
Public Const wszCERTTYPE_USER As String = "User"
Public Const wszCERTTYPE_USER_SIGNATURE As String = "UserSignature"
Public Const wszCERTTYPE_SMARTCARD_USER As String = "SmartcardUser"
Public Const wszCERTTYPE_USER_AS As String = "ClientAuth"
Public Const wszCERTTYPE_USER_SMARTCARD_LOGON As String = "SmartcardLogon"
Public Const wszCERTTYPE_EFS As String = "EFS"
Public Const wszCERTTYPE_ADMIN As String = "Administrator"
Public Const wszCERTTYPE_EFS_RECOVERY As String = "EFSRecovery"
Public Const wszCERTTYPE_CODE_SIGNING As String = "CodeSigning"
Public Const wszCERTTYPE_CTL_SIGNING As String = "CTLSigning"
Public Const wszCERTTYPE_ENROLLMENT_AGENT As String = "EnrollmentAgent"
Public Const wszCERTTYPE_MACHINE As String = "Machine"
Public Const wszCERTTYPE_DC As String = "DomainController"
Public Const wszCERTTYPE_WEBSERVER As String = "WebServer"
Public Const wszCERTTYPE_KDC As String = "KDC"
Public Const wszCERTTYPE_CA As String = "CA"
Public Const wszCERTTYPE_SUBORDINATE_CA As String = "SubCA"
Public Const wszCERTTYPE_CROSS_CA As String = "CrossCA"
Public Const wszCERTTYPE_KEY_RECOVERY_AGENT As String = "KeyRecoveryAgent"
Public Const wszCERTTYPE_CA_EXCHANGE As String = "CAExchange"
Public Const wszCERTTYPE_IPSEC_ENDENTITY_ONLINE As String = "IPSECEndEntityOnline"
Public Const wszCERTTYPE_IPSEC_ENDENTITY_OFFLINE As String = "IPSECEndEntityOffline"
Public Const wszCERTTYPE_IPSEC_INTERMEDIATE_ONLINE As String = "IPSECIntermediateOnline"
Public Const wszCERTTYPE_IPSEC_INTERMEDIATE_OFFLINE As String = "IPSECIntermediateOffline"
Public Const wszCERTTYPE_ROUTER_OFFLINE As String = "OfflineRouter"
Public Const wszCERTTYPE_ENROLLMENT_AGENT_OFFLINE As String = "EnrollmentAgentOffline"
Public Const wszCERTTYPE_EXCHANGE_USER As String = "ExchangeUser"
Public Const wszCERTTYPE_EXCHANGE_USER_SIGNATURE As String = "ExchangeUserSignature"
Public Const wszCERTTYPE_MACHINE_ENROLLMENT_AGENT As String = "MachineEnrollmentAgent"
Public Const wszCERTTYPE_CEP_ENCRYPTION As String = "CEPEncryption"
'
' CAUpdateCertType
' Write any changes made to the cert type back to the type store
'
'
' CADeleteCertType
' Delete a CertType
'
' hCertType - Cert type to delete.
'
' NOTE: If this is called for a default cert type,
' it will revert back to it's default attributes
'
'
' CACreateCertType
' Create a new cert type
'
' wszCertType - Name of the cert type
'
' wszScope - reserved. Must set to NULL.
'
' dwFlags - reserved. Must set to NULL.
'
' phCertType - returned cert type
'
'
' CAEnumNextCertType
' Find the Next Cert Type in an enumeration.
'
' hPrevCertType - Previous cert type in enumeration
'
' phCertType - Poiner to a handle into which
' - result is placed. NULL if
' - there are no more cert types in
' - enumeration.
'
'
' CACountCertTypes
' return the number of cert types in this enumeration
'
'
' CACloseCertType
' Close an open CertType handle
'
'
' CAGetCertTypeProperty
' Retrieve a property from a certificate type. This function is obsolete.
' Caller should use CAGetCertTypePropertyEx instead
'
' hCertType - Handle to an open CertType object.
'
' wszPropertyName - Name of the CertType property.
'
' pawszPropertyValue - A pointer into which an array
' of WCHAR strings is written, containing
' the values of the property. The last
' element of the array points to NULL.
' If the property is single valued, then
' the array returned contains 2 elements,
' the first pointing to the value, the second
' pointing to NULL. This pointer must be
' freed by CAFreeCertTypeProperty.
'
'
' Returns - S_OK on success.
'
'
' CAGetCertTypePropertyEx
' Retrieve a property from a certificate type.
'
' hCertType - Handle to an open CertType object.
'
' wszPropertyName - Name of the CertType property
'
' pPropertyValue - Depending on the value of wszPropertyName, pPropertyValue
' is either DWORD * or LPWSTR **.
'
' It is a DWORD * for:
'
' CERTTYPE_PROP_REVISION
' CERTTYPE_PROP_SCHEMA_VERSION
' CERTTYPE_PROP_MINOR_REVISION
' CERTTYPE_PROP_RA_SIGNATURE
' CERTTYPE_PROP_MIN_KEY_SIZE
'
'
' It is a LPWSTR ** for:
'
' CERTTYPE_PROP_CN
' CERTTYPE_PROP_DN
' CERTTYPE_PROP_FRIENDLY_NAME
' CERTTYPE_PROP_EXTENDED_KEY_USAGE
' CERTTYPE_PROP_CSP_LIST
' CERTTYPE_PROP_CRITICAL_EXTENSIONS
' CERTTYPE_PROP_OID
' CERTTYPE_PROP_SUPERSEDE
' CERTTYPE_PROP_RA_POLICY
' CERTTYPE_PROP_POLICY
'
' A pointer into which an array
' of WCHAR strings is written, containing
' the values of the property. The last
' element of the array points to NULL.
' If the property is single valued, then
' the array returned contains 2 elements,
' the first pointing to the value, the second
' pointing to NULL. This pointer must be
' freed by CAFreeCertTypeProperty.
'
'
' Returns - S_OK on success.
'
'************************************************************************************
'
' Certificate Type properties
'
'************************************************************************************
'************************************************************************************
'
' The schema version one properties
'
'************************************************************************************
' Common name of the certificate type
Public Const CERTTYPE_PROP_CN As String = "cn"
' The common name of the certificate type. Same as CERTTYPE_PROP_CN
' This property is not settable.
Public Const CERTTYPE_PROP_DN As String = "distinguishedName"
' The display name of a cert type
Public Const CERTTYPE_PROP_FRIENDLY_NAME As String = "displayName"
' An array of extended key usage OID's for a cert type
' NOTE: This property can also be set by setting
' the Extended Key Usage extension.
Public Const CERTTYPE_PROP_EXTENDED_KEY_USAGE As String = "pKIExtendedKeyUsage"
' The list of default CSP's for this cert type
Public Const CERTTYPE_PROP_CSP_LIST As String = "pKIDefaultCSPs"
' The list of critical extensions
Public Const CERTTYPE_PROP_CRITICAL_EXTENSIONS As String = "pKICriticalExtensions"
' The major version of the templates
Public Const CERTTYPE_PROP_REVISION As String = "revision"
'************************************************************************************
'
' The schema version two properties
'
'************************************************************************************
' The schema version of the templates
' This property is not settable
Public Const CERTTYPE_PROP_SCHEMA_VERSION As String = "msPKI-Template-Schema-Version"
' The minor version of the templates
Public Const CERTTYPE_PROP_MINOR_REVISION As String = "msPKI-Template-Minor-Revision"
' The number of RA signature required
Public Const CERTTYPE_PROP_RA_SIGNATURE As String = "msPKI-RA-Signature"
' The minimal key size required
Public Const CERTTYPE_PROP_MIN_KEY_SIZE As String = "msPKI-Minimal-Key-Size"
' The OID of the templates
Public Const CERTTYPE_PROP_OID As String = "msPKI-Cert-Template-OID"
' The template Oids that supersede the templates
Public Const CERTTYPE_PROP_SUPERSEDE As String = "msPKI-Supersede-Templates"
' The RA issuer policy oids required
Public Const CERTTYPE_PROP_RA_POLICY As String = "msPKI-RA-Policies"
' The RA application policy oids required
Public Const CERTTYPE_PROP_RA_APPLICATION_POLICY As String = "msPKI-RA-Application-Policies"
' The certificate issuer policy oids
Public Const CERTTYPE_PROP_POLICY As String = "msPKI-Certificate-Policy"
' The certificate application policy oids
Public Const CERTTYPE_PROP_APPLICATION_POLICY As String = "msPKI-Certificate-Application-Policy"
Public Const CERTTYPE_SCHEMA_VERSION_1 As Long = 1
'
' CASetCertTypeProperty
' Set a property of a CertType. This function is obsolete.
' Use CASetCertTypePropertyEx.
'
' hCertType - Handle to an open CertType object.
'
' wszPropertyName - Name of the CertType property
'
' awszPropertyValue - An array of values to set
' - for this property. The last element of this
' - array should be NULL.
' - For single valued properties, the values beyond thie
' - first will be ignored upon update.
'
' Returns - S_OK on success.
'
'
' CASetCertTypePropertyEx
' Set a property of a CertType
'
' hCertType - Handle to an open CertType object.
'
' wszPropertyName - Name of the CertType property
'
' pPropertyValue - Depending on the value of wszPropertyName, pPropertyValue
' is either DWORD * or LPWSTR *.
'
' It is a DWORD * for:
' CERTTYPE_PROP_REVISION
' CERTTYPE_PROP_MINOR_REVISION
' CERTTYPE_PROP_RA_SIGNATURE
' CERTTYPE_PROP_MIN_KEY_SIZE
'
'
' It is a LPWSTR * for:
'
' CERTTYPE_PROP_CN
' CERTTYPE_PROP_FRIENDLY_NAME
' CERTTYPE_PROP_EXTENDED_KEY_USAGE
' CERTTYPE_PROP_CSP_LIST
' CERTTYPE_PROP_CRITICAL_EXTENSIONS
' CERTTYPE_PROP_OID
' CERTTYPE_PROP_SUPERSEDE
' CERTTYPE_PROP_RA_POLICY
' CERTTYPE_PROP_POLICY
'
' - An array of values to set
' - for this property. The last element of this
' - array should be NULL.
' - For single valued properties, the values beyond thie
' - first will be ignored upon update.
'
' - If CERTTYPE_PROP_CN is set to a new value,
' the hCertType will be the clone of the existing certificate type.
'
' - CertType of V1 schema can only set V1 properties.
'
' Returns - S_OK on success.
'
'
' CAFreeCertTypeProperty
' Free's a previously retrieved property value.
'
' hCertType - Handle to an open CertType object.
'
' awszPropertyValue - The values to be freed.
'
'
' CAGetCertTypeExtensions
' Retrieves the extensions associated with this CertType.
'
' hCertType - Handle to an open CertType object.
' ppCertExtensions - Pointer to a PCERT_EXTENSIONS to receive
' - the result of this call. Should be freed
' - via a CAFreeCertTypeExtensions call.
'
'
' CAFreeCertTypeExtensions
' Free a PCERT_EXTENSIONS allocated by CAGetCertTypeExtensions
'
'
' CASetCertTypeExtension
' Set the value of an extension for this
' cert type.
'
' hCertType - handle to the CertType
'
' wszExtensionId - OID for the extension
'
' dwFlags - Mark the extension critical
'
' pExtension - pointer to the appropriate extension structure
'
' Supported extensions/structures
'
' szOID_ENHANCED_KEY_USAGE CERT_ENHKEY_USAGE
' szOID_KEY_USAGE CRYPT_BIT_BLOB
' szOID_BASIC_CONSTRAINTS2 CERT_BASIC_CONSTRAINTS2_INFO
'
' Returns S_OK if successful.
'
Public Const CA_EXT_FLAG_CRITICAL As Long = &H00000001
'
' CAGetCertTypeFlags
' Retrieve cert type flags.
' This function is obsolete. Use CAGetCertTypeFlagsEx.
'
' hCertType - handle to the CertType
'
' pdwFlags - pointer to DWORD receiving flags
'
'
' CAGetCertTypeFlagsEx
' Retrieve cert type flags
'
' hCertType - handle to the CertType
'
' dwOption - Which flag to set
' Can be one of the following:
' CERTTYPE_ENROLLMENT_FLAG
' CERTTYPE_SUBJECT_NAME_FLAG
' CERTTYPE_PRIVATE_KEY_FLAG
' CERTTYPE_GENERAL_FLAG
'
' pdwFlags - pointer to DWORD receiving flags
'
'************************************************************************************
'
' Cert Type Flags
'
' The CertType flags are grouped into 4 categories:
'************************************************************************************
'Enrollment Flags
Public Const CERTTYPE_ENROLLMENT_FLAG As Long = &H01
'Certificate Subject Name Flags
Public Const CERTTYPE_SUBJECT_NAME_FLAG As Long = &H02
'Private Key Flags
Public Const CERTTYPE_PRIVATE_KEY_FLAG As Long = &H03
'General Flags
Public Const CERTTYPE_GENERAL_FLAG As Long = &H04
'******************************************************************************
'
' Enrollment Flags:
'
'*******************************************************************************
' Include the symmetric algorithms in the requests
Public Const CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS As Long = &H00000001
' All certificate requests are pended
Public Const CT_FLAG_PEND_ALL_REQUESTS As Long = &H00000002
Public Const CT_FLAG_PUBLISH_TO_KRA_CONTAINER As Long = &H00000004
' Publish the resultant cert to the userCertificate property in the DS
Public Const CT_FLAG_PUBLISH_TO_DS As Long = &H00000008
' The autoenrollment will enroll for new certificate even user has a certificate
' published on the DS with the same template name
Public Const CT_FLAG_AUTO_ENROLLMENT_IGNORE_DS_CERTIFICATE As Long = &H00000010
' This cert is appropriate for auto-enrollment
Public Const CT_FLAG_AUTO_ENROLLMENT As Long = &H00000020
' A previously issued certificate will valid subsequent enrollment requests
Public Const CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT As Long = &H00000040
' Domain authentication is not required.
Public Const CT_FLAG_DOMAIN_AUTHENTICATION_NOT_REQUIRED As Long = &H00000080
' This flag will ONLY be set on V1 certificate templates for W2K CA only.
Public Const CT_FLAG_ADD_TEMPLATE_NAME As Long = &H00000200
'******************************************************************************
'
' Certificate Subject Name Flags:
'
'******************************************************************************
' The enrolling application must supply the subject name.
Public Const CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT As Long = &H00000001
' The enrolling application must supply the subjectAltName in request
Public Const CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME As Long = &H00010000
' Subject name should be full DN
Public Const CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH As Long = &H80000000
' Subject name should be the common name
Public Const CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME As Long = &H40000000
' Subject name includes the e-mail name
Public Const CT_FLAG_SUBJECT_REQUIRE_EMAIL As Long = &H20000000
' Subject name includes the DNS name as the common name
Public Const CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN As Long = &H10000000
' Subject alt name includes DNS name
Public Const CT_FLAG_SUBJECT_ALT_REQUIRE_DNS As Long = &H08000000
' Subject alt name includes email name
Public Const CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL As Long = &H04000000
' Subject alt name requires UPN
Public Const CT_FLAG_SUBJECT_ALT_REQUIRE_UPN As Long = &H02000000
' Subject alt name requires directory GUID
Public Const CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID As Long = &H01000000
' Subject alt name requires SPN
Public Const CT_FLAG_SUBJECT_ALT_REQUIRE_SPN As Long = &H00800000
'
' Obsolete name
' The following flags are obsolete. They are used by V1 templates in the general flags
'
' The e-mail name of the principal will be added to the cert
Public Const CT_FLAG_ADD_EMAIL As Long = &H00000002
' Add the object GUID for this principal
Public Const CT_FLAG_ADD_OBJ_GUID As Long = &H00000004
' This flag is not SET in any of the V1 templates and is of no interests to
' V2 templates since it is not present on the UI and will never be set.
Public Const CT_FLAG_ADD_DIRECTORY_PATH As Long = &H00000100
'******************************************************************************
'
' Private Key Flags:
'
'******************************************************************************
' Archival of the private key is allowed
Public Const CT_FLAG_ALLOW_PRIVATE_KEY_ARCHIVAL As Long = &H00000001
' Make the key for this cert exportable.
Public Const CT_FLAG_EXPORTABLE_KEY As Long = &H00000010
'******************************************************************************
'
' General Flags
'
' More flags should start from 0x00000400
'
'******************************************************************************
' This is a machine cert type
Public Const CT_FLAG_MACHINE_TYPE As Long = &H00000040
' This is a CA cert type
Public Const CT_FLAG_IS_CA As Long = &H00000080
' certificate templates. The templates can not be edited or deleted.
Public Const CT_FLAG_IS_DEFAULT As Long = &H00010000
Public Const CT_FLAG_IS_MODIFIED As Long = &H00020000
' settable flags for general flags
Public Const CT_MASK_SETTABLE_FLAGS As Long = &H0000ffff
'
' CASetCertTypeFlags
' Sets the General Flags of a cert type.
' This function is obsolete. Use CASetCertTypeFlagsEx.
'
' hCertType - handle to the CertType
'
' dwFlags - Flags to be set
'
'
' CASetCertTypeFlagsEx
' Sets the Flags of a cert type
'
' hCertType - handle to the CertType
'
' dwOption - Which flag to set
' Can be one of the following:
' CERTTYPE_ENROLLMENT_FLAG
' CERTTYPE_SUBJECT_NAME_FLAG
' CERTTYPE_PRIVATE_KEY_FLAG
' CERTTYPE_GENERAL_FLAG
'
' dwFlags - Values to be set
'
'
'
'
' CAGetCertTypeKeySpec
' Retrieve the CAPI Key Spec for this cert type
'
' hCertType - handle to the CertType
'
' pdwKeySpec - pointer to DWORD receiving key spec
'
'
' CACertTypeSetKeySpec
' Sets the CAPI1 Key Spec of a cert type
'
' hCertType - handle to the CertType
'
' dwKeySpec - KeySpec to be set
'
'
' CAGetCertTypeExpiration
' Retrieve the Expiration Info for this cert type
'
' pftExpiration - pointer to the FILETIME structure receiving
' the expiration period for this cert type.
'
' pftOverlap - pointer to the FILETIME structure receiving
' - the suggested renewal overlap period for this
' - cert type.
'
'
' CASetCertTypeExpiration
' Set the Expiration Info for this cert type
'
' pftExpiration - pointer to the FILETIME structure containing
' the expiration period for this cert type.
'
' pftOverlap - pointer to the FILETIME structure containing
' - the suggested renewal overlap period for this
' - cert type.
'
'
' CACertTypeSetSecurity
' Set the list of Users, Groups, and Machines allowed
' to access this cert type.
'
' hCertType - handle to the CertType
'
' pSD - Security descriptor for this cert type
'
'
' CACertTypeGetSecurity
' Get the list of Users, Groups, and Machines allowed
' to access this cert type.
'
' hCertType - handle to the CertType
'
' ppaSidList - Pointer to a location receiving
' - the pointer to the security descriptor
' - Free via LocalFree
'
'
'
' CACertTypeAccessCheck
' Determine whether the principal specified by
' ClientToken can be issued this cert type.
'
' hCertType - handle to the CertType
'
' ClientToken - Handle to an impersonation token
' - that represents the client attempting
' - request this cert type. The handle must
' - have TOKEN_QUERY access to the token;
' - otherwise, the function fails with
' - ERROR_ACCESS_DENIED.
'
' Return: S_OK on success
'
'
'
' CACertTypeAccessCheckEx
' Determine whether the principal specified by
' ClientToken can be issued this cert type.
'
' hCertType - handle to the CertType
'
' ClientToken - Handle to an impersonation token
' - that represents the client attempting
' - request this cert type. The handle must
' - have TOKEN_QUERY access to the token;
' - otherwise, the function fails with
' - ERROR_ACCESS_DENIED.
'
' dwOption Can be one of the following:
'
' - CERTTYPE_ACCESS_CHECK_ENROLL
' - CERTTYPE_ACCESS_CHECK_AUTO_ENROLL
'
' Return: S_OK on success
'
Public Const CERTTYPE_ACCESS_CHECK_ENROLL As Long = &H01
Public Const CERTTYPE_ACCESS_CHECK_AUTO_ENROLL As Long = &H02
'#define szOID_ALT_NAME_OBJECT_GUID "1.3.6.1.4.1.311.25.1"
'************************************************************************************
'
' OID management APIs
'
'************************************************************************************
'
' CAOIDCreateNew
' Create a new OID based on the enterprise base
'
' dwType - Can be one of the following:
' CERT_OID_TYPE_TEMPLATE
' CERT_OID_TYPE_ISSUER_POLICY
' CERT_OID_TYPE_APPLICATION_POLICY
'
' dwFlag - Reserved. Must be 0.
'
'
' Returns S_OK if successful.
'
Public Const CERT_OID_TYPE_TEMPLATE As Long = &H01
Public Const CERT_OID_TYPE_ISSUER_POLICY As Long = &H02
Public Const CERT_OID_TYPE_APPLICATION_POLICY As Long = &H03
'
' CAOIDAdd
' Add an OID to the DS repository
'
' dwType - Can be one of the following:
' CERT_OID_TYPE_TEMPLATE
' CERT_OID_TYPE_ISSUER_POLICY
' CERT_OID_TYPE_APPLICATION_POLICY
'
' dwFlag - Reserved. Must be 0.
'
' pwszOID - The OID to add.
'
' Returns S_OK if successful.
' Returns CRYPT_E_EXISTS if the OID alreay exits in the DS repository
'
'
' CAOIDDelete
' Delete the OID from the DS repository
'
' pwszOID - The OID to delete.
'
' Returns S_OK if successful.
'
'
' CAOIDSetProperty
' Set a property on an oid.
'
' pwszOID - The oid whose value is set
' dwProperty - The property name. Can be one of the following:
' CERT_OID_PROPERTY_DISPLAY_NAME
' CERT_OID_PROPERTY_CPS
'
' pPropValue - The value of the property.
' If dwProperty is CERT_OID_PROPERTY_DISPLAY_NAME,
' pPropValue is LPWSTR.
' if dwProperty is CERT_OID_PROPERTY_CPS,
' pProValue is LPWSTR.
'
' Returns S_OK if successful.
'
Public Const CERT_OID_PROPERTY_DISPLAY_NAME As Long = &H01
Public Const CERT_OID_PROPERTY_CPS As Long = &H02
Public Const CERT_OID_PROPERTY_TYPE As Long = &H03
'
' CAOIDGetProperty
' Get a property on an oid.
'
' pwszOID - The oid whose value is queried
' dwProperty - The property name. Can be one of the following:
' CERT_OID_PROPERTY_DISPLAY_NAME
' CERT_OID_PROPERTY_CPS
' CERT_OID_PROPERTY_TYPE
'
' pPropValue - The value of the property.
' If dwProperty is CERT_OID_PROPERTY_DISPLAY_NAME,
' pPropValue is LPWSTR *.
' if dwProperty is CERT_OID_PROPERTY_CPS,
' pProValue is LPWSTR *.
'
'
' If dwProperty is CERT_OID_PROPERTY_TYPE,
' pProValue is DWORD *.
'
' Returns S_OK if successful.
'
'
' CAOIDFreeProperty
' Free a property returned from CAOIDGetProperty
'
' pPropValue - The value of the property.
'
' Returns S_OK if successful.
'
'
' CAOIDGetLdapURL
'
' Return the LDAP URL for OID repository. In the format of
' LDAP:
' is determined by dwType.
'
' dwType - Can be one of the following:
' CERT_OID_TYPE_TEMPLATE
' CERT_OID_TYPE_ISSUER_POLICY
' CERT_OID_TYPE_APPLICATION_POLICY
' CERT_OID_TYPE_ALL
'
' dwFlag - Reserved. Must be 0.
'
' ppwszURL - Return the URL. Free memory via CAOIDFreeLdapURL.
'
' Returns S_OK if successful.
'
Public Const CERT_OID_TYPE_ALL As Long = &H0
'
' CAOIDFreeLDAPURL
' Free the URL returned from CAOIDGetLdapURL
'
' pwszURL - The URL returned from CAOIDGetLdapURL
'
' Returns S_OK if successful.
'
'the LDAP properties for OID class
Public Const OID_PROP_TYPE As String = "flags"
Public Const OID_PROP_OID As String = "msPKI-Cert-Template-OID"
Public Const OID_PROP_DISPLAY_NAME As String = "displayName"
Public Const OID_PROP_CPS As String = "msPKI-OID-CPS"
'************************************************************************************
'
' Autoenrollment APIs
'
'************************************************************************************
'
' CACreateLocalAutoEnrollmentObject
' Create an auto-enrollment object on the local machine.
'
' pwszCertType - The name of the certificate type for which to create the
' auto-enrollment object
'
' awszCAs - The list of CA's to add to the auto-enrollment object.
' - with the last entry in the list being NULL
' - if the list is NULL or empty, then it create an auto-enrollment
' - object which instructs the system to enroll for a cert at any
' - CA supporting the requested certificate type.
'
' pSignerInfo - not used, must be NULL.
'
' dwFlags - can be CERT_SYSTEM_STORE_CURRENT_USER, or CERT_SYSTEM_STORE_LOCAL_MACHINE, indicating
' - auto-enrollment store in which the auto-enrollment object is created.
'
' Return: S_OK on success.
'
'
'
' CACreateAutoEnrollmentObjectEx
' Create an auto-enrollment object in the indicated store.
'
' pwszCertType - The name of the certificate type for which to create the
' auto-enrollment object
'
' pwszObjectID - An identifying string for this autoenrollment object.
' NULL may be passed if this object is simply to be identified by
' it's certificate template. An autoenrollment object is identified
' by a combination of it's object id and it's cert type name.
'
' awszCAs - The list of CA's to add to the auto-enrollment object.
' - with the last entry in the list being NULL
' - if the list is NULL or empty, then it create an auto-enrollment
' - object which instructs the system to enroll for a cert at any
' - CA supporting the requested certificate type.
'
' pSignerInfo - not used, must be NULL.
'
' StoreProvider - see CertOpenStore
'
' dwFlags - see CertOpenStore
'
' pvPara - see CertOpenStore
'
' Return: S_OK on success.
'
'
'************************************************************************************
'
' Cert Server RPC interfaces:
'
'************************************************************************************