Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

15594 lines
612 KiB

  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1992-1999.
  5. //
  6. // File: wincrypt.h
  7. //
  8. // Contents: Cryptographic API Prototypes and Definitions
  9. //
  10. //----------------------------------------------------------------------------
  11. #ifndef __WINCRYPT_H__
  12. #define __WINCRYPT_H__
  13. #if defined (_MSC_VER)
  14. #if ( _MSC_VER >= 800 )
  15. #if _MSC_VER >= 1200
  16. #pragma warning(push)
  17. #endif
  18. #pragma warning(disable:4201) /* Nameless struct/union */
  19. #endif
  20. #if (_MSC_VER > 1020)
  21. #pragma once
  22. #endif
  23. #endif
  24. #ifdef __cplusplus
  25. extern "C" {
  26. #endif
  27. #ifndef _HRESULT_DEFINED
  28. #define _HRESULT_DEFINED
  29. typedef LONG HRESULT;
  30. #endif // !_HRESULT_DEFINED
  31. #ifndef WINADVAPI
  32. #define WINADVAPI
  33. #endif
  34. #ifndef WINAPI
  35. #define WINAPI __stdcall
  36. #endif
  37. #ifndef CALLBACK
  38. #define CALLBACK __stdcall
  39. #endif
  40. #ifndef DECLSPEC_IMPORT
  41. #define DECLSPEC_IMPORT
  42. #endif
  43. #ifndef CONST
  44. #define CONST const
  45. #endif
  46. #ifndef IN
  47. #define IN
  48. #endif
  49. #ifndef OUT
  50. #define OUT
  51. #endif
  52. #ifndef OPTIONAL
  53. #define OPTIONAL
  54. #endif
  55. #if !defined(_CRYPT32_)
  56. #define WINCRYPT32API DECLSPEC_IMPORT
  57. #else
  58. #define WINCRYPT32API
  59. #endif
  60. #if !defined(_CRYPT32STRING_)
  61. # define WINCRYPT32STRINGAPI WINCRYPT32API
  62. #else
  63. # define WINCRYPT32STRINGAPI
  64. #endif
  65. //
  66. // Algorithm IDs and Flags
  67. //
  68. // ALG_ID crackers
  69. #define GET_ALG_CLASS(x) (x & (7 << 13))
  70. #define GET_ALG_TYPE(x) (x & (15 << 9))
  71. #define GET_ALG_SID(x) (x & (511))
  72. // Algorithm classes
  73. #define ALG_CLASS_ANY (0)
  74. #define ALG_CLASS_SIGNATURE (1 << 13)
  75. #define ALG_CLASS_MSG_ENCRYPT (2 << 13)
  76. #define ALG_CLASS_DATA_ENCRYPT (3 << 13)
  77. #define ALG_CLASS_HASH (4 << 13)
  78. #define ALG_CLASS_KEY_EXCHANGE (5 << 13)
  79. #define ALG_CLASS_ALL (7 << 13)
  80. // Algorithm types
  81. #define ALG_TYPE_ANY (0)
  82. #define ALG_TYPE_DSS (1 << 9)
  83. #define ALG_TYPE_RSA (2 << 9)
  84. #define ALG_TYPE_BLOCK (3 << 9)
  85. #define ALG_TYPE_STREAM (4 << 9)
  86. #define ALG_TYPE_DH (5 << 9)
  87. #define ALG_TYPE_SECURECHANNEL (6 << 9)
  88. // Generic sub-ids
  89. #define ALG_SID_ANY (0)
  90. // Some RSA sub-ids
  91. #define ALG_SID_RSA_ANY 0
  92. #define ALG_SID_RSA_PKCS 1
  93. #define ALG_SID_RSA_MSATWORK 2
  94. #define ALG_SID_RSA_ENTRUST 3
  95. #define ALG_SID_RSA_PGP 4
  96. // Some DSS sub-ids
  97. //
  98. #define ALG_SID_DSS_ANY 0
  99. #define ALG_SID_DSS_PKCS 1
  100. #define ALG_SID_DSS_DMS 2
  101. // Block cipher sub ids
  102. // DES sub_ids
  103. #define ALG_SID_DES 1
  104. #define ALG_SID_3DES 3
  105. #define ALG_SID_DESX 4
  106. #define ALG_SID_IDEA 5
  107. #define ALG_SID_CAST 6
  108. #define ALG_SID_SAFERSK64 7
  109. #define ALG_SID_SAFERSK128 8
  110. #define ALG_SID_3DES_112 9
  111. #define ALG_SID_CYLINK_MEK 12
  112. #define ALG_SID_RC5 13
  113. #define ALG_SID_AES_128 14
  114. #define ALG_SID_AES_192 15
  115. #define ALG_SID_AES_256 16
  116. #define ALG_SID_AES 17
  117. // Fortezza sub-ids
  118. #define ALG_SID_SKIPJACK 10
  119. #define ALG_SID_TEK 11
  120. // KP_MODE
  121. #define CRYPT_MODE_CBCI 6 // ANSI CBC Interleaved
  122. #define CRYPT_MODE_CFBP 7 // ANSI CFB Pipelined
  123. #define CRYPT_MODE_OFBP 8 // ANSI OFB Pipelined
  124. #define CRYPT_MODE_CBCOFM 9 // ANSI CBC + OF Masking
  125. #define CRYPT_MODE_CBCOFMI 10 // ANSI CBC + OFM Interleaved
  126. // RC2 sub-ids
  127. #define ALG_SID_RC2 2
  128. // Stream cipher sub-ids
  129. #define ALG_SID_RC4 1
  130. #define ALG_SID_SEAL 2
  131. // Diffie-Hellman sub-ids
  132. #define ALG_SID_DH_SANDF 1
  133. #define ALG_SID_DH_EPHEM 2
  134. #define ALG_SID_AGREED_KEY_ANY 3
  135. #define ALG_SID_KEA 4
  136. // Hash sub ids
  137. #define ALG_SID_MD2 1
  138. #define ALG_SID_MD4 2
  139. #define ALG_SID_MD5 3
  140. #define ALG_SID_SHA 4
  141. #define ALG_SID_SHA1 4
  142. #define ALG_SID_MAC 5
  143. #define ALG_SID_RIPEMD 6
  144. #define ALG_SID_RIPEMD160 7
  145. #define ALG_SID_SSL3SHAMD5 8
  146. #define ALG_SID_HMAC 9
  147. #define ALG_SID_TLS1PRF 10
  148. #define ALG_SID_HASH_REPLACE_OWF 11
  149. // secure channel sub ids
  150. #define ALG_SID_SSL3_MASTER 1
  151. #define ALG_SID_SCHANNEL_MASTER_HASH 2
  152. #define ALG_SID_SCHANNEL_MAC_KEY 3
  153. #define ALG_SID_PCT1_MASTER 4
  154. #define ALG_SID_SSL2_MASTER 5
  155. #define ALG_SID_TLS1_MASTER 6
  156. #define ALG_SID_SCHANNEL_ENC_KEY 7
  157. // Our silly example sub-id
  158. #define ALG_SID_EXAMPLE 80
  159. #ifndef ALGIDDEF
  160. #define ALGIDDEF
  161. typedef unsigned int ALG_ID;
  162. #endif
  163. // algorithm identifier definitions
  164. #define CALG_MD2 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_MD2)
  165. #define CALG_MD4 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_MD4)
  166. #define CALG_MD5 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_MD5)
  167. #define CALG_SHA (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA)
  168. #define CALG_SHA1 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA1)
  169. #define CALG_MAC (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_MAC)
  170. #define CALG_RSA_SIGN (ALG_CLASS_SIGNATURE | ALG_TYPE_RSA | ALG_SID_RSA_ANY)
  171. #define CALG_DSS_SIGN (ALG_CLASS_SIGNATURE | ALG_TYPE_DSS | ALG_SID_DSS_ANY)
  172. #define CALG_NO_SIGN (ALG_CLASS_SIGNATURE | ALG_TYPE_ANY | ALG_SID_ANY)
  173. #define CALG_RSA_KEYX (ALG_CLASS_KEY_EXCHANGE|ALG_TYPE_RSA|ALG_SID_RSA_ANY)
  174. #define CALG_DES (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_DES)
  175. #define CALG_3DES_112 (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_3DES_112)
  176. #define CALG_3DES (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_3DES)
  177. #define CALG_DESX (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_DESX)
  178. #define CALG_RC2 (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_RC2)
  179. #define CALG_RC4 (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_STREAM|ALG_SID_RC4)
  180. #define CALG_SEAL (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_STREAM|ALG_SID_SEAL)
  181. #define CALG_DH_SF (ALG_CLASS_KEY_EXCHANGE|ALG_TYPE_DH|ALG_SID_DH_SANDF)
  182. #define CALG_DH_EPHEM (ALG_CLASS_KEY_EXCHANGE|ALG_TYPE_DH|ALG_SID_DH_EPHEM)
  183. #define CALG_AGREEDKEY_ANY (ALG_CLASS_KEY_EXCHANGE|ALG_TYPE_DH|ALG_SID_AGREED_KEY_ANY)
  184. #define CALG_KEA_KEYX (ALG_CLASS_KEY_EXCHANGE|ALG_TYPE_DH|ALG_SID_KEA)
  185. #define CALG_HUGHES_MD5 (ALG_CLASS_KEY_EXCHANGE|ALG_TYPE_ANY|ALG_SID_MD5)
  186. #define CALG_SKIPJACK (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_SKIPJACK)
  187. #define CALG_TEK (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_TEK)
  188. #define CALG_CYLINK_MEK (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_CYLINK_MEK)
  189. #define CALG_SSL3_SHAMD5 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SSL3SHAMD5)
  190. #define CALG_SSL3_MASTER (ALG_CLASS_MSG_ENCRYPT|ALG_TYPE_SECURECHANNEL|ALG_SID_SSL3_MASTER)
  191. #define CALG_SCHANNEL_MASTER_HASH (ALG_CLASS_MSG_ENCRYPT|ALG_TYPE_SECURECHANNEL|ALG_SID_SCHANNEL_MASTER_HASH)
  192. #define CALG_SCHANNEL_MAC_KEY (ALG_CLASS_MSG_ENCRYPT|ALG_TYPE_SECURECHANNEL|ALG_SID_SCHANNEL_MAC_KEY)
  193. #define CALG_SCHANNEL_ENC_KEY (ALG_CLASS_MSG_ENCRYPT|ALG_TYPE_SECURECHANNEL|ALG_SID_SCHANNEL_ENC_KEY)
  194. #define CALG_PCT1_MASTER (ALG_CLASS_MSG_ENCRYPT|ALG_TYPE_SECURECHANNEL|ALG_SID_PCT1_MASTER)
  195. #define CALG_SSL2_MASTER (ALG_CLASS_MSG_ENCRYPT|ALG_TYPE_SECURECHANNEL|ALG_SID_SSL2_MASTER)
  196. #define CALG_TLS1_MASTER (ALG_CLASS_MSG_ENCRYPT|ALG_TYPE_SECURECHANNEL|ALG_SID_TLS1_MASTER)
  197. #define CALG_RC5 (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_RC5)
  198. #define CALG_HMAC (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_HMAC)
  199. #define CALG_TLS1PRF (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_TLS1PRF)
  200. #define CALG_HASH_REPLACE_OWF (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_HASH_REPLACE_OWF)
  201. #define CALG_AES_128 (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_AES_128)
  202. #define CALG_AES_192 (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_AES_192)
  203. #define CALG_AES_256 (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_AES_256)
  204. #define CALG_AES (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_AES)
  205. typedef ULONG_PTR HCRYPTPROV;
  206. typedef ULONG_PTR HCRYPTKEY;
  207. typedef ULONG_PTR HCRYPTHASH;
  208. // dwFlags definitions for CryptAcquireContext
  209. #define CRYPT_VERIFYCONTEXT 0xF0000000
  210. #define CRYPT_NEWKEYSET 0x00000008
  211. #define CRYPT_DELETEKEYSET 0x00000010
  212. #define CRYPT_MACHINE_KEYSET 0x00000020
  213. #define CRYPT_SILENT 0x00000040
  214. // dwFlag definitions for CryptGenKey
  215. #define CRYPT_EXPORTABLE 0x00000001
  216. #define CRYPT_USER_PROTECTED 0x00000002
  217. #define CRYPT_CREATE_SALT 0x00000004
  218. #define CRYPT_UPDATE_KEY 0x00000008
  219. #define CRYPT_NO_SALT 0x00000010
  220. #define CRYPT_PREGEN 0x00000040
  221. #define CRYPT_RECIPIENT 0x00000010
  222. #define CRYPT_INITIATOR 0x00000040
  223. #define CRYPT_ONLINE 0x00000080
  224. #define CRYPT_SF 0x00000100
  225. #define CRYPT_CREATE_IV 0x00000200
  226. #define CRYPT_KEK 0x00000400
  227. #define CRYPT_DATA_KEY 0x00000800
  228. #define CRYPT_VOLATILE 0x00001000
  229. #define CRYPT_SGCKEY 0x00002000
  230. #define CRYPT_ARCHIVABLE 0x00004000
  231. #define RSA1024BIT_KEY 0x04000000
  232. // dwFlags definitions for CryptDeriveKey
  233. #define CRYPT_SERVER 0x00000400
  234. #define KEY_LENGTH_MASK 0xFFFF0000
  235. // dwFlag definitions for CryptExportKey
  236. #define CRYPT_Y_ONLY 0x00000001
  237. #define CRYPT_SSL2_FALLBACK 0x00000002
  238. #define CRYPT_DESTROYKEY 0x00000004
  239. #define CRYPT_OAEP 0x00000040 // used with RSA encryptions/decryptions
  240. // CryptExportKey, CryptImportKey,
  241. // CryptEncrypt and CryptDecrypt
  242. #define CRYPT_BLOB_VER3 0x00000080 // export version 3 of a blob type
  243. #define CRYPT_IPSEC_HMAC_KEY 0x00000100 // CryptImportKey only
  244. // dwFlags definitions for CryptCreateHash
  245. #define CRYPT_SECRETDIGEST 0x00000001
  246. // dwFlags definitions for CryptHashData
  247. #define CRYPT_OWF_REPL_LM_HASH 0x00000001 // this is only for the OWF replacement CSP
  248. // dwFlags definitions for CryptHashSessionKey
  249. #define CRYPT_LITTLE_ENDIAN 0x00000001
  250. // dwFlags definitions for CryptSignHash and CryptVerifySignature
  251. #define CRYPT_NOHASHOID 0x00000001
  252. #define CRYPT_TYPE2_FORMAT 0x00000002
  253. #define CRYPT_X931_FORMAT 0x00000004
  254. // dwFlag definitions for CryptSetProviderEx and CryptGetDefaultProvider
  255. #define CRYPT_MACHINE_DEFAULT 0x00000001
  256. #define CRYPT_USER_DEFAULT 0x00000002
  257. #define CRYPT_DELETE_DEFAULT 0x00000004
  258. // exported key blob definitions
  259. #define SIMPLEBLOB 0x1
  260. #define PUBLICKEYBLOB 0x6
  261. #define PRIVATEKEYBLOB 0x7
  262. #define PLAINTEXTKEYBLOB 0x8
  263. #define OPAQUEKEYBLOB 0x9
  264. #define PUBLICKEYBLOBEX 0xA
  265. #define SYMMETRICWRAPKEYBLOB 0xB
  266. #define AT_KEYEXCHANGE 1
  267. #define AT_SIGNATURE 2
  268. #define CRYPT_USERDATA 1
  269. // dwParam
  270. #define KP_IV 1 // Initialization vector
  271. #define KP_SALT 2 // Salt value
  272. #define KP_PADDING 3 // Padding values
  273. #define KP_MODE 4 // Mode of the cipher
  274. #define KP_MODE_BITS 5 // Number of bits to feedback
  275. #define KP_PERMISSIONS 6 // Key permissions DWORD
  276. #define KP_ALGID 7 // Key algorithm
  277. #define KP_BLOCKLEN 8 // Block size of the cipher
  278. #define KP_KEYLEN 9 // Length of key in bits
  279. #define KP_SALT_EX 10 // Length of salt in bytes
  280. #define KP_P 11 // DSS/Diffie-Hellman P value
  281. #define KP_G 12 // DSS/Diffie-Hellman G value
  282. #define KP_Q 13 // DSS Q value
  283. #define KP_X 14 // Diffie-Hellman X value
  284. #define KP_Y 15 // Y value
  285. #define KP_RA 16 // Fortezza RA value
  286. #define KP_RB 17 // Fortezza RB value
  287. #define KP_INFO 18 // for putting information into an RSA envelope
  288. #define KP_EFFECTIVE_KEYLEN 19 // setting and getting RC2 effective key length
  289. #define KP_SCHANNEL_ALG 20 // for setting the Secure Channel algorithms
  290. #define KP_CLIENT_RANDOM 21 // for setting the Secure Channel client random data
  291. #define KP_SERVER_RANDOM 22 // for setting the Secure Channel server random data
  292. #define KP_RP 23
  293. #define KP_PRECOMP_MD5 24
  294. #define KP_PRECOMP_SHA 25
  295. #define KP_CERTIFICATE 26 // for setting Secure Channel certificate data (PCT1)
  296. #define KP_CLEAR_KEY 27 // for setting Secure Channel clear key data (PCT1)
  297. #define KP_PUB_EX_LEN 28
  298. #define KP_PUB_EX_VAL 29
  299. #define KP_KEYVAL 30
  300. #define KP_ADMIN_PIN 31
  301. #define KP_KEYEXCHANGE_PIN 32
  302. #define KP_SIGNATURE_PIN 33
  303. #define KP_PREHASH 34
  304. #define KP_OAEP_PARAMS 36 // for setting OAEP params on RSA keys
  305. #define KP_CMS_KEY_INFO 37
  306. #define KP_CMS_DH_KEY_INFO 38
  307. #define KP_PUB_PARAMS 39 // for setting public parameters
  308. #define KP_VERIFY_PARAMS 40 // for verifying DSA and DH parameters
  309. #define KP_HIGHEST_VERSION 41 // for TLS protocol version setting
  310. // KP_PADDING
  311. #define PKCS5_PADDING 1 // PKCS 5 (sec 6.2) padding method
  312. #define RANDOM_PADDING 2
  313. #define ZERO_PADDING 3
  314. // KP_MODE
  315. #define CRYPT_MODE_CBC 1 // Cipher block chaining
  316. #define CRYPT_MODE_ECB 2 // Electronic code book
  317. #define CRYPT_MODE_OFB 3 // Output feedback mode
  318. #define CRYPT_MODE_CFB 4 // Cipher feedback mode
  319. #define CRYPT_MODE_CTS 5 // Ciphertext stealing mode
  320. // KP_PERMISSIONS
  321. #define CRYPT_ENCRYPT 0x0001 // Allow encryption
  322. #define CRYPT_DECRYPT 0x0002 // Allow decryption
  323. #define CRYPT_EXPORT 0x0004 // Allow key to be exported
  324. #define CRYPT_READ 0x0008 // Allow parameters to be read
  325. #define CRYPT_WRITE 0x0010 // Allow parameters to be set
  326. #define CRYPT_MAC 0x0020 // Allow MACs to be used with key
  327. #define CRYPT_EXPORT_KEY 0x0040 // Allow key to be used for exporting keys
  328. #define CRYPT_IMPORT_KEY 0x0080 // Allow key to be used for importing keys
  329. #define CRYPT_ARCHIVE 0x0100 // Allow key to be exported at creation only
  330. #define HP_ALGID 0x0001 // Hash algorithm
  331. #define HP_HASHVAL 0x0002 // Hash value
  332. #define HP_HASHSIZE 0x0004 // Hash value size
  333. #define HP_HMAC_INFO 0x0005 // information for creating an HMAC
  334. #define HP_TLS1PRF_LABEL 0x0006 // label for TLS1 PRF
  335. #define HP_TLS1PRF_SEED 0x0007 // seed for TLS1 PRF
  336. #define CRYPT_FAILED FALSE
  337. #define CRYPT_SUCCEED TRUE
  338. #define RCRYPT_SUCCEEDED(rt) ((rt) == CRYPT_SUCCEED)
  339. #define RCRYPT_FAILED(rt) ((rt) == CRYPT_FAILED)
  340. //
  341. // CryptGetProvParam
  342. //
  343. #define PP_ENUMALGS 1
  344. #define PP_ENUMCONTAINERS 2
  345. #define PP_IMPTYPE 3
  346. #define PP_NAME 4
  347. #define PP_VERSION 5
  348. #define PP_CONTAINER 6
  349. #define PP_CHANGE_PASSWORD 7
  350. #define PP_KEYSET_SEC_DESCR 8 // get/set security descriptor of keyset
  351. #define PP_CERTCHAIN 9 // for retrieving certificates from tokens
  352. #define PP_KEY_TYPE_SUBTYPE 10
  353. #define PP_PROVTYPE 16
  354. #define PP_KEYSTORAGE 17
  355. #define PP_APPLI_CERT 18
  356. #define PP_SYM_KEYSIZE 19
  357. #define PP_SESSION_KEYSIZE 20
  358. #define PP_UI_PROMPT 21
  359. #define PP_ENUMALGS_EX 22
  360. #define PP_ENUMMANDROOTS 25
  361. #define PP_ENUMELECTROOTS 26
  362. #define PP_KEYSET_TYPE 27
  363. #define PP_ADMIN_PIN 31
  364. #define PP_KEYEXCHANGE_PIN 32
  365. #define PP_SIGNATURE_PIN 33
  366. #define PP_SIG_KEYSIZE_INC 34
  367. #define PP_KEYX_KEYSIZE_INC 35
  368. #define PP_UNIQUE_CONTAINER 36
  369. #define PP_SGC_INFO 37
  370. #define PP_USE_HARDWARE_RNG 38
  371. #define PP_KEYSPEC 39
  372. #define PP_ENUMEX_SIGNING_PROT 40
  373. #define CRYPT_FIRST 1
  374. #define CRYPT_NEXT 2
  375. #define CRYPT_SGC_ENUM 4
  376. #define CRYPT_IMPL_HARDWARE 1
  377. #define CRYPT_IMPL_SOFTWARE 2
  378. #define CRYPT_IMPL_MIXED 3
  379. #define CRYPT_IMPL_UNKNOWN 4
  380. #define CRYPT_IMPL_REMOVABLE 8
  381. // key storage flags
  382. #define CRYPT_SEC_DESCR 0x00000001
  383. #define CRYPT_PSTORE 0x00000002
  384. #define CRYPT_UI_PROMPT 0x00000004
  385. // protocol flags
  386. #define CRYPT_FLAG_PCT1 0x0001
  387. #define CRYPT_FLAG_SSL2 0x0002
  388. #define CRYPT_FLAG_SSL3 0x0004
  389. #define CRYPT_FLAG_TLS1 0x0008
  390. #define CRYPT_FLAG_IPSEC 0x0010
  391. #define CRYPT_FLAG_SIGNING 0x0020
  392. // SGC flags
  393. #define CRYPT_SGC 0x0001
  394. #define CRYPT_FASTSGC 0x0002
  395. //
  396. // CryptSetProvParam
  397. //
  398. #define PP_CLIENT_HWND 1
  399. #define PP_CONTEXT_INFO 11
  400. #define PP_KEYEXCHANGE_KEYSIZE 12
  401. #define PP_SIGNATURE_KEYSIZE 13
  402. #define PP_KEYEXCHANGE_ALG 14
  403. #define PP_SIGNATURE_ALG 15
  404. #define PP_DELETEKEY 24
  405. #define PROV_RSA_FULL 1
  406. #define PROV_RSA_SIG 2
  407. #define PROV_DSS 3
  408. #define PROV_FORTEZZA 4
  409. #define PROV_MS_EXCHANGE 5
  410. #define PROV_SSL 6
  411. #define PROV_RSA_SCHANNEL 12
  412. #define PROV_DSS_DH 13
  413. #define PROV_EC_ECDSA_SIG 14
  414. #define PROV_EC_ECNRA_SIG 15
  415. #define PROV_EC_ECDSA_FULL 16
  416. #define PROV_EC_ECNRA_FULL 17
  417. #define PROV_DH_SCHANNEL 18
  418. #define PROV_SPYRUS_LYNKS 20
  419. #define PROV_RNG 21
  420. #define PROV_INTEL_SEC 22
  421. #define PROV_REPLACE_OWF 23
  422. #define PROV_RSA_AES 24
  423. //
  424. // STT defined Providers
  425. //
  426. #define PROV_STT_MER 7
  427. #define PROV_STT_ACQ 8
  428. #define PROV_STT_BRND 9
  429. #define PROV_STT_ROOT 10
  430. #define PROV_STT_ISS 11
  431. //
  432. // Provider friendly names
  433. //
  434. #define MS_DEF_PROV_A "Microsoft Base Cryptographic Provider v1.0"
  435. #define MS_DEF_PROV_W L"Microsoft Base Cryptographic Provider v1.0"
  436. #ifdef UNICODE
  437. #define MS_DEF_PROV MS_DEF_PROV_W
  438. #else
  439. #define MS_DEF_PROV MS_DEF_PROV_A
  440. #endif
  441. #define MS_ENHANCED_PROV_A "Microsoft Enhanced Cryptographic Provider v1.0"
  442. #define MS_ENHANCED_PROV_W L"Microsoft Enhanced Cryptographic Provider v1.0"
  443. #ifdef UNICODE
  444. #define MS_ENHANCED_PROV MS_ENHANCED_PROV_W
  445. #else
  446. #define MS_ENHANCED_PROV MS_ENHANCED_PROV_A
  447. #endif
  448. #define MS_STRONG_PROV_A "Microsoft Strong Cryptographic Provider"
  449. #define MS_STRONG_PROV_W L"Microsoft Strong Cryptographic Provider"
  450. #ifdef UNICODE
  451. #define MS_STRONG_PROV MS_STRONG_PROV_W
  452. #else
  453. #define MS_STRONG_PROV MS_STRONG_PROV_A
  454. #endif
  455. #define MS_DEF_RSA_SIG_PROV_A "Microsoft RSA Signature Cryptographic Provider"
  456. #define MS_DEF_RSA_SIG_PROV_W L"Microsoft RSA Signature Cryptographic Provider"
  457. #ifdef UNICODE
  458. #define MS_DEF_RSA_SIG_PROV MS_DEF_RSA_SIG_PROV_W
  459. #else
  460. #define MS_DEF_RSA_SIG_PROV MS_DEF_RSA_SIG_PROV_A
  461. #endif
  462. #define MS_DEF_RSA_SCHANNEL_PROV_A "Microsoft RSA SChannel Cryptographic Provider"
  463. #define MS_DEF_RSA_SCHANNEL_PROV_W L"Microsoft RSA SChannel Cryptographic Provider"
  464. #ifdef UNICODE
  465. #define MS_DEF_RSA_SCHANNEL_PROV MS_DEF_RSA_SCHANNEL_PROV_W
  466. #else
  467. #define MS_DEF_RSA_SCHANNEL_PROV MS_DEF_RSA_SCHANNEL_PROV_A
  468. #endif
  469. #define MS_DEF_DSS_PROV_A "Microsoft Base DSS Cryptographic Provider"
  470. #define MS_DEF_DSS_PROV_W L"Microsoft Base DSS Cryptographic Provider"
  471. #ifdef UNICODE
  472. #define MS_DEF_DSS_PROV MS_DEF_DSS_PROV_W
  473. #else
  474. #define MS_DEF_DSS_PROV MS_DEF_DSS_PROV_A
  475. #endif
  476. #define MS_DEF_DSS_DH_PROV_A "Microsoft Base DSS and Diffie-Hellman Cryptographic Provider"
  477. #define MS_DEF_DSS_DH_PROV_W L"Microsoft Base DSS and Diffie-Hellman Cryptographic Provider"
  478. #ifdef UNICODE
  479. #define MS_DEF_DSS_DH_PROV MS_DEF_DSS_DH_PROV_W
  480. #else
  481. #define MS_DEF_DSS_DH_PROV MS_DEF_DSS_DH_PROV_A
  482. #endif
  483. #define MS_ENH_DSS_DH_PROV_A "Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider"
  484. #define MS_ENH_DSS_DH_PROV_W L"Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider"
  485. #ifdef UNICODE
  486. #define MS_ENH_DSS_DH_PROV MS_ENH_DSS_DH_PROV_W
  487. #else
  488. #define MS_ENH_DSS_DH_PROV MS_ENH_DSS_DH_PROV_A
  489. #endif
  490. #define MS_DEF_DH_SCHANNEL_PROV_A "Microsoft DH SChannel Cryptographic Provider"
  491. #define MS_DEF_DH_SCHANNEL_PROV_W L"Microsoft DH SChannel Cryptographic Provider"
  492. #ifdef UNICODE
  493. #define MS_DEF_DH_SCHANNEL_PROV MS_DEF_DH_SCHANNEL_PROV_W
  494. #else
  495. #define MS_DEF_DH_SCHANNEL_PROV MS_DEF_DH_SCHANNEL_PROV_A
  496. #endif
  497. #define MS_SCARD_PROV_A "Microsoft Base Smart Card Crypto Provider"
  498. #define MS_SCARD_PROV_W L"Microsoft Base Smart Card Crypto Provider"
  499. #ifdef UNICODE
  500. #define MS_SCARD_PROV MS_SCARD_PROV_W
  501. #else
  502. #define MS_SCARD_PROV MS_SCARD_PROV_A
  503. #endif
  504. #define MS_ENH_RSA_AES_PROV_A "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
  505. #define MS_ENH_RSA_AES_PROV_W L"Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
  506. #ifdef UNICODE
  507. #define MS_ENH_RSA_AES_PROV MS_ENH_RSA_AES_PROV_W
  508. #else
  509. #define MS_ENH_RSA_AES_PROV MS_ENH_RSA_AES_PROV_A
  510. #endif
  511. #define MAXUIDLEN 64
  512. // Exponentiation Offload Reg Location
  513. #define EXPO_OFFLOAD_REG_VALUE "ExpoOffload"
  514. #define EXPO_OFFLOAD_FUNC_NAME "OffloadModExpo"
  515. //
  516. // Registry key in which the following private key-related
  517. // values are created.
  518. //
  519. #define szKEY_CRYPTOAPI_PRIVATE_KEY_OPTIONS \
  520. "Software\\Policies\\Microsoft\\Cryptography"
  521. //
  522. // Registry value for controlling Data Protection API (DPAPI) UI settings.
  523. //
  524. #define szFORCE_KEY_PROTECTION "ForceKeyProtection"
  525. #define dwFORCE_KEY_PROTECTION_DISABLED 0x0
  526. #define dwFORCE_KEY_PROTECTION_USER_SELECT 0x1
  527. #define dwFORCE_KEY_PROTECTION_HIGH 0x2
  528. //
  529. // Registry values for enabling and controlling the caching (and timeout)
  530. // of private keys. This feature is useful only for UI-protected private
  531. // keys.
  532. //
  533. // Note that in Windows 2000 and later, private keys, once read from storage,
  534. // are cached in the associated HCRYPTPROV structure for subsequent use.
  535. //
  536. // In .NET Server and XP SP1, new key caching behavior is available. Keys
  537. // that have been read from storage and cached may now be considered "stale"
  538. // if a period of time has elapsed since the key was last used. This forces
  539. // the key to be re-read from storage (which will make the DPAPI UI appear
  540. // again).
  541. //
  542. // To enable the new behavior, create the registry DWORD value
  543. // szKEY_CACHE_ENABLED and set it to 1. The registry DWORD value
  544. // szKEY_CACHE_SECONDS must also be created and set to the number of seconds
  545. // that a cached private key may still be considered usable.
  546. //
  547. #define szKEY_CACHE_ENABLED "CachePrivateKeys"
  548. #define szKEY_CACHE_SECONDS "PrivateKeyLifetimeSeconds"
  549. #define CUR_BLOB_VERSION 2
  550. // structure for use with CryptSetKeyParam for CMS keys
  551. // DO NOT USE THIS STRUCTURE!!!!!
  552. typedef struct _CMS_KEY_INFO {
  553. DWORD dwVersion; // sizeof(CMS_KEY_INFO)
  554. ALG_ID Algid; // algorithmm id for the key to be converted
  555. BYTE *pbOID; // pointer to OID to hash in with Z
  556. DWORD cbOID; // length of OID to hash in with Z
  557. } CMS_KEY_INFO, *PCMS_KEY_INFO;
  558. // structure for use with CryptSetHashParam with CALG_HMAC
  559. typedef struct _HMAC_Info {
  560. ALG_ID HashAlgid;
  561. BYTE *pbInnerString;
  562. DWORD cbInnerString;
  563. BYTE *pbOuterString;
  564. DWORD cbOuterString;
  565. } HMAC_INFO, *PHMAC_INFO;
  566. // structure for use with CryptSetKeyParam with KP_SCHANNEL_ALG
  567. typedef struct _SCHANNEL_ALG {
  568. DWORD dwUse;
  569. ALG_ID Algid;
  570. DWORD cBits;
  571. DWORD dwFlags;
  572. DWORD dwReserved;
  573. } SCHANNEL_ALG, *PSCHANNEL_ALG;
  574. // uses of algortihms for SCHANNEL_ALG structure
  575. #define SCHANNEL_MAC_KEY 0x00000000
  576. #define SCHANNEL_ENC_KEY 0x00000001
  577. // uses of dwFlags SCHANNEL_ALG structure
  578. #define INTERNATIONAL_USAGE 0x00000001
  579. typedef struct _PROV_ENUMALGS {
  580. ALG_ID aiAlgid;
  581. DWORD dwBitLen;
  582. DWORD dwNameLen;
  583. CHAR szName[20];
  584. } PROV_ENUMALGS;
  585. typedef struct _PROV_ENUMALGS_EX {
  586. ALG_ID aiAlgid;
  587. DWORD dwDefaultLen;
  588. DWORD dwMinLen;
  589. DWORD dwMaxLen;
  590. DWORD dwProtocols;
  591. DWORD dwNameLen;
  592. CHAR szName[20];
  593. DWORD dwLongNameLen;
  594. CHAR szLongName[40];
  595. } PROV_ENUMALGS_EX;
  596. typedef struct _PUBLICKEYSTRUC {
  597. BYTE bType;
  598. BYTE bVersion;
  599. WORD reserved;
  600. ALG_ID aiKeyAlg;
  601. } BLOBHEADER, PUBLICKEYSTRUC;
  602. typedef struct _RSAPUBKEY {
  603. DWORD magic; // Has to be RSA1
  604. DWORD bitlen; // # of bits in modulus
  605. DWORD pubexp; // public exponent
  606. // Modulus data follows
  607. } RSAPUBKEY;
  608. typedef struct _PUBKEY {
  609. DWORD magic;
  610. DWORD bitlen; // # of bits in modulus
  611. } DHPUBKEY, DSSPUBKEY, KEAPUBKEY, TEKPUBKEY;
  612. typedef struct _DSSSEED {
  613. DWORD counter;
  614. BYTE seed[20];
  615. } DSSSEED;
  616. typedef struct _PUBKEYVER3 {
  617. DWORD magic;
  618. DWORD bitlenP; // # of bits in prime modulus
  619. DWORD bitlenQ; // # of bits in prime q, 0 if not available
  620. DWORD bitlenJ; // # of bits in (p-1)/q, 0 if not available
  621. DSSSEED DSSSeed;
  622. } DHPUBKEY_VER3, DSSPUBKEY_VER3;
  623. typedef struct _PRIVKEYVER3 {
  624. DWORD magic;
  625. DWORD bitlenP; // # of bits in prime modulus
  626. DWORD bitlenQ; // # of bits in prime q, 0 if not available
  627. DWORD bitlenJ; // # of bits in (p-1)/q, 0 if not available
  628. DWORD bitlenX; // # of bits in X
  629. DSSSEED DSSSeed;
  630. } DHPRIVKEY_VER3, DSSPRIVKEY_VER3;
  631. typedef struct _KEY_TYPE_SUBTYPE {
  632. DWORD dwKeySpec;
  633. GUID Type;
  634. GUID Subtype;
  635. } KEY_TYPE_SUBTYPE, *PKEY_TYPE_SUBTYPE;
  636. typedef struct _CERT_FORTEZZA_DATA_PROP {
  637. unsigned char SerialNumber[8];
  638. int CertIndex;
  639. unsigned char CertLabel[36];
  640. } CERT_FORTEZZA_DATA_PROP;
  641. //+-------------------------------------------------------------------------
  642. // CRYPTOAPI BLOB definitions
  643. //--------------------------------------------------------------------------
  644. typedef struct _CRYPTOAPI_BLOB {
  645. DWORD cbData;
  646. BYTE *pbData;
  647. } CRYPT_INTEGER_BLOB, *PCRYPT_INTEGER_BLOB,
  648. CRYPT_UINT_BLOB, *PCRYPT_UINT_BLOB,
  649. CRYPT_OBJID_BLOB, *PCRYPT_OBJID_BLOB,
  650. CERT_NAME_BLOB, *PCERT_NAME_BLOB,
  651. CERT_RDN_VALUE_BLOB, *PCERT_RDN_VALUE_BLOB,
  652. CERT_BLOB, *PCERT_BLOB,
  653. CRL_BLOB, *PCRL_BLOB,
  654. DATA_BLOB, *PDATA_BLOB,
  655. CRYPT_DATA_BLOB, *PCRYPT_DATA_BLOB,
  656. CRYPT_HASH_BLOB, *PCRYPT_HASH_BLOB,
  657. CRYPT_DIGEST_BLOB, *PCRYPT_DIGEST_BLOB,
  658. CRYPT_DER_BLOB, *PCRYPT_DER_BLOB,
  659. CRYPT_ATTR_BLOB, *PCRYPT_ATTR_BLOB;
  660. // structure for use with CryptSetKeyParam for CMS keys
  661. typedef struct _CMS_DH_KEY_INFO {
  662. DWORD dwVersion; // sizeof(CMS_DH_KEY_INFO)
  663. ALG_ID Algid; // algorithmm id for the key to be converted
  664. LPSTR pszContentEncObjId; // pointer to OID to hash in with Z
  665. CRYPT_DATA_BLOB PubInfo; // OPTIONAL - public information
  666. void *pReserved; // reserved - should be NULL
  667. } CMS_DH_KEY_INFO, *PCMS_DH_KEY_INFO;
  668. WINADVAPI
  669. BOOL
  670. WINAPI
  671. CryptAcquireContext%(
  672. HCRYPTPROV *phProv,
  673. LPCTSTR% szContainer,
  674. LPCTSTR% szProvider,
  675. DWORD dwProvType,
  676. DWORD dwFlags
  677. );
  678. WINADVAPI
  679. BOOL
  680. WINAPI
  681. CryptReleaseContext(
  682. HCRYPTPROV hProv,
  683. DWORD dwFlags
  684. );
  685. WINADVAPI
  686. BOOL
  687. WINAPI
  688. CryptGenKey(
  689. HCRYPTPROV hProv,
  690. ALG_ID Algid,
  691. DWORD dwFlags,
  692. HCRYPTKEY *phKey
  693. );
  694. WINADVAPI
  695. BOOL
  696. WINAPI
  697. CryptDeriveKey(
  698. HCRYPTPROV hProv,
  699. ALG_ID Algid,
  700. HCRYPTHASH hBaseData,
  701. DWORD dwFlags,
  702. HCRYPTKEY *phKey
  703. );
  704. WINADVAPI
  705. BOOL
  706. WINAPI
  707. CryptDestroyKey(
  708. HCRYPTKEY hKey
  709. );
  710. WINADVAPI
  711. BOOL
  712. WINAPI
  713. CryptSetKeyParam(
  714. HCRYPTKEY hKey,
  715. DWORD dwParam,
  716. CONST BYTE *pbData,
  717. DWORD dwFlags
  718. );
  719. WINADVAPI
  720. BOOL
  721. WINAPI
  722. CryptGetKeyParam(
  723. HCRYPTKEY hKey,
  724. DWORD dwParam,
  725. BYTE *pbData,
  726. DWORD *pdwDataLen,
  727. DWORD dwFlags
  728. );
  729. WINADVAPI
  730. BOOL
  731. WINAPI
  732. CryptSetHashParam(
  733. HCRYPTHASH hHash,
  734. DWORD dwParam,
  735. CONST BYTE *pbData,
  736. DWORD dwFlags
  737. );
  738. WINADVAPI
  739. BOOL
  740. WINAPI
  741. CryptGetHashParam(
  742. HCRYPTHASH hHash,
  743. DWORD dwParam,
  744. BYTE *pbData,
  745. DWORD *pdwDataLen,
  746. DWORD dwFlags
  747. );
  748. WINADVAPI
  749. BOOL
  750. WINAPI
  751. CryptSetProvParam(
  752. HCRYPTPROV hProv,
  753. DWORD dwParam,
  754. CONST BYTE *pbData,
  755. DWORD dwFlags
  756. );
  757. WINADVAPI
  758. BOOL
  759. WINAPI
  760. CryptGetProvParam(
  761. HCRYPTPROV hProv,
  762. DWORD dwParam,
  763. BYTE *pbData,
  764. DWORD *pdwDataLen,
  765. DWORD dwFlags
  766. );
  767. WINADVAPI
  768. BOOL
  769. WINAPI
  770. CryptGenRandom(
  771. HCRYPTPROV hProv,
  772. DWORD dwLen,
  773. BYTE *pbBuffer
  774. );
  775. WINADVAPI
  776. BOOL
  777. WINAPI
  778. CryptGetUserKey(
  779. HCRYPTPROV hProv,
  780. DWORD dwKeySpec,
  781. HCRYPTKEY *phUserKey
  782. );
  783. WINADVAPI
  784. BOOL
  785. WINAPI
  786. CryptExportKey(
  787. HCRYPTKEY hKey,
  788. HCRYPTKEY hExpKey,
  789. DWORD dwBlobType,
  790. DWORD dwFlags,
  791. BYTE *pbData,
  792. DWORD *pdwDataLen
  793. );
  794. WINADVAPI
  795. BOOL
  796. WINAPI
  797. CryptImportKey(
  798. HCRYPTPROV hProv,
  799. CONST BYTE *pbData,
  800. DWORD dwDataLen,
  801. HCRYPTKEY hPubKey,
  802. DWORD dwFlags,
  803. HCRYPTKEY *phKey
  804. );
  805. WINADVAPI
  806. BOOL
  807. WINAPI
  808. CryptEncrypt(
  809. HCRYPTKEY hKey,
  810. HCRYPTHASH hHash,
  811. BOOL Final,
  812. DWORD dwFlags,
  813. BYTE *pbData,
  814. DWORD *pdwDataLen,
  815. DWORD dwBufLen
  816. );
  817. WINADVAPI
  818. BOOL
  819. WINAPI
  820. CryptDecrypt(
  821. HCRYPTKEY hKey,
  822. HCRYPTHASH hHash,
  823. BOOL Final,
  824. DWORD dwFlags,
  825. BYTE *pbData,
  826. DWORD *pdwDataLen
  827. );
  828. WINADVAPI
  829. BOOL
  830. WINAPI
  831. CryptCreateHash(
  832. HCRYPTPROV hProv,
  833. ALG_ID Algid,
  834. HCRYPTKEY hKey,
  835. DWORD dwFlags,
  836. HCRYPTHASH *phHash
  837. );
  838. WINADVAPI
  839. BOOL
  840. WINAPI
  841. CryptHashData(
  842. HCRYPTHASH hHash,
  843. CONST BYTE *pbData,
  844. DWORD dwDataLen,
  845. DWORD dwFlags
  846. );
  847. WINADVAPI
  848. BOOL
  849. WINAPI
  850. CryptHashSessionKey(
  851. HCRYPTHASH hHash,
  852. HCRYPTKEY hKey,
  853. DWORD dwFlags
  854. );
  855. WINADVAPI
  856. BOOL
  857. WINAPI
  858. CryptDestroyHash(
  859. HCRYPTHASH hHash
  860. );
  861. WINADVAPI
  862. BOOL
  863. WINAPI
  864. CryptSignHash%(
  865. HCRYPTHASH hHash,
  866. DWORD dwKeySpec,
  867. LPCTSTR% szDescription,
  868. DWORD dwFlags,
  869. BYTE *pbSignature,
  870. DWORD *pdwSigLen
  871. );
  872. WINADVAPI
  873. BOOL
  874. WINAPI
  875. CryptVerifySignature%(
  876. HCRYPTHASH hHash,
  877. CONST BYTE *pbSignature,
  878. DWORD dwSigLen,
  879. HCRYPTKEY hPubKey,
  880. LPCTSTR% szDescription,
  881. DWORD dwFlags
  882. );
  883. WINADVAPI
  884. BOOL
  885. WINAPI
  886. CryptSetProvider%(
  887. LPCTSTR% pszProvName,
  888. DWORD dwProvType
  889. );
  890. WINADVAPI
  891. BOOL
  892. WINAPI
  893. CryptSetProviderEx%(
  894. LPCTSTR% pszProvName,
  895. DWORD dwProvType,
  896. DWORD *pdwReserved,
  897. DWORD dwFlags
  898. );
  899. WINADVAPI
  900. BOOL
  901. WINAPI
  902. CryptGetDefaultProvider%(
  903. DWORD dwProvType,
  904. DWORD *pdwReserved,
  905. DWORD dwFlags,
  906. LPTSTR% pszProvName,
  907. DWORD *pcbProvName
  908. );
  909. WINADVAPI
  910. BOOL
  911. WINAPI
  912. CryptEnumProviderTypes%(
  913. DWORD dwIndex,
  914. DWORD *pdwReserved,
  915. DWORD dwFlags,
  916. DWORD *pdwProvType,
  917. LPTSTR% szTypeName,
  918. DWORD *pcbTypeName
  919. );
  920. WINADVAPI
  921. BOOL
  922. WINAPI
  923. CryptEnumProviders%(
  924. DWORD dwIndex,
  925. DWORD *pdwReserved,
  926. DWORD dwFlags,
  927. DWORD *pdwProvType,
  928. LPTSTR% szProvName,
  929. DWORD *pcbProvName
  930. );
  931. WINADVAPI
  932. BOOL
  933. WINAPI
  934. CryptContextAddRef(
  935. HCRYPTPROV hProv,
  936. DWORD *pdwReserved,
  937. DWORD dwFlags
  938. );
  939. WINADVAPI
  940. BOOL
  941. WINAPI
  942. CryptDuplicateKey(
  943. HCRYPTKEY hKey,
  944. DWORD *pdwReserved,
  945. DWORD dwFlags,
  946. HCRYPTKEY *phKey
  947. );
  948. WINADVAPI
  949. BOOL
  950. WINAPI
  951. CryptDuplicateHash(
  952. HCRYPTHASH hHash,
  953. DWORD *pdwReserved,
  954. DWORD dwFlags,
  955. HCRYPTHASH *phHash
  956. );
  957. typedef struct {
  958. DWORD dwVersion;
  959. ALG_ID algId;
  960. DWORD dwMinKeyLength;
  961. DWORD dwMaxKeyLength;
  962. DWORD dwRequiredFlags;
  963. DWORD dwDisallowedFlags;
  964. } _CRYPT_KEY_LIMITS_V01;
  965. typedef _CRYPT_KEY_LIMITS_V01 CRYPT_KEY_LIMITS, *PCRYPT_KEY_LIMITS;
  966. // Request Flag definitions
  967. #define CRYPTLIMIT_USING_PCT 0x0001
  968. #define CRYPTLIMIT_USING_SGC 0x0002
  969. WINADVAPI
  970. BOOL
  971. WINAPI
  972. CryptGetLocalKeyLimits(
  973. IN ALG_ID algId,
  974. IN DWORD dwFlags,
  975. OUT PCRYPT_KEY_LIMITS pLimits,
  976. IN OUT LPDWORD cbLimitLength);
  977. //+-------------------------------------------------------------------------
  978. // In a CRYPT_BIT_BLOB the last byte may contain 0-7 unused bits. Therefore, the
  979. // overall bit length is cbData * 8 - cUnusedBits.
  980. //--------------------------------------------------------------------------
  981. typedef struct _CRYPT_BIT_BLOB {
  982. DWORD cbData;
  983. BYTE *pbData;
  984. DWORD cUnusedBits;
  985. } CRYPT_BIT_BLOB, *PCRYPT_BIT_BLOB;
  986. //+-------------------------------------------------------------------------
  987. // Type used for any algorithm
  988. //
  989. // Where the Parameters CRYPT_OBJID_BLOB is in its encoded representation. For most
  990. // algorithm types, the Parameters CRYPT_OBJID_BLOB is NULL (Parameters.cbData = 0).
  991. //--------------------------------------------------------------------------
  992. typedef struct _CRYPT_ALGORITHM_IDENTIFIER {
  993. LPSTR pszObjId;
  994. CRYPT_OBJID_BLOB Parameters;
  995. } CRYPT_ALGORITHM_IDENTIFIER, *PCRYPT_ALGORITHM_IDENTIFIER;
  996. // Following are the definitions of various algorithm object identifiers
  997. // RSA
  998. #define szOID_RSA "1.2.840.113549"
  999. #define szOID_PKCS "1.2.840.113549.1"
  1000. #define szOID_RSA_HASH "1.2.840.113549.2"
  1001. #define szOID_RSA_ENCRYPT "1.2.840.113549.3"
  1002. #define szOID_PKCS_1 "1.2.840.113549.1.1"
  1003. #define szOID_PKCS_2 "1.2.840.113549.1.2"
  1004. #define szOID_PKCS_3 "1.2.840.113549.1.3"
  1005. #define szOID_PKCS_4 "1.2.840.113549.1.4"
  1006. #define szOID_PKCS_5 "1.2.840.113549.1.5"
  1007. #define szOID_PKCS_6 "1.2.840.113549.1.6"
  1008. #define szOID_PKCS_7 "1.2.840.113549.1.7"
  1009. #define szOID_PKCS_8 "1.2.840.113549.1.8"
  1010. #define szOID_PKCS_9 "1.2.840.113549.1.9"
  1011. #define szOID_PKCS_10 "1.2.840.113549.1.10"
  1012. #define szOID_PKCS_12 "1.2.840.113549.1.12"
  1013. #define szOID_RSA_RSA "1.2.840.113549.1.1.1"
  1014. #define szOID_RSA_MD2RSA "1.2.840.113549.1.1.2"
  1015. #define szOID_RSA_MD4RSA "1.2.840.113549.1.1.3"
  1016. #define szOID_RSA_MD5RSA "1.2.840.113549.1.1.4"
  1017. #define szOID_RSA_SHA1RSA "1.2.840.113549.1.1.5"
  1018. #define szOID_RSA_SETOAEP_RSA "1.2.840.113549.1.1.6"
  1019. #define szOID_RSA_DH "1.2.840.113549.1.3.1"
  1020. #define szOID_RSA_data "1.2.840.113549.1.7.1"
  1021. #define szOID_RSA_signedData "1.2.840.113549.1.7.2"
  1022. #define szOID_RSA_envelopedData "1.2.840.113549.1.7.3"
  1023. #define szOID_RSA_signEnvData "1.2.840.113549.1.7.4"
  1024. #define szOID_RSA_digestedData "1.2.840.113549.1.7.5"
  1025. #define szOID_RSA_hashedData "1.2.840.113549.1.7.5"
  1026. #define szOID_RSA_encryptedData "1.2.840.113549.1.7.6"
  1027. #define szOID_RSA_emailAddr "1.2.840.113549.1.9.1"
  1028. #define szOID_RSA_unstructName "1.2.840.113549.1.9.2"
  1029. #define szOID_RSA_contentType "1.2.840.113549.1.9.3"
  1030. #define szOID_RSA_messageDigest "1.2.840.113549.1.9.4"
  1031. #define szOID_RSA_signingTime "1.2.840.113549.1.9.5"
  1032. #define szOID_RSA_counterSign "1.2.840.113549.1.9.6"
  1033. #define szOID_RSA_challengePwd "1.2.840.113549.1.9.7"
  1034. #define szOID_RSA_unstructAddr "1.2.840.113549.1.9.8"
  1035. #define szOID_RSA_extCertAttrs "1.2.840.113549.1.9.9"
  1036. #define szOID_RSA_certExtensions "1.2.840.113549.1.9.14"
  1037. #define szOID_RSA_SMIMECapabilities "1.2.840.113549.1.9.15"
  1038. #define szOID_RSA_preferSignedData "1.2.840.113549.1.9.15.1"
  1039. #define szOID_RSA_SMIMEalg "1.2.840.113549.1.9.16.3"
  1040. #define szOID_RSA_SMIMEalgESDH "1.2.840.113549.1.9.16.3.5"
  1041. #define szOID_RSA_SMIMEalgCMS3DESwrap "1.2.840.113549.1.9.16.3.6"
  1042. #define szOID_RSA_SMIMEalgCMSRC2wrap "1.2.840.113549.1.9.16.3.7"
  1043. #define szOID_RSA_MD2 "1.2.840.113549.2.2"
  1044. #define szOID_RSA_MD4 "1.2.840.113549.2.4"
  1045. #define szOID_RSA_MD5 "1.2.840.113549.2.5"
  1046. #define szOID_RSA_RC2CBC "1.2.840.113549.3.2"
  1047. #define szOID_RSA_RC4 "1.2.840.113549.3.4"
  1048. #define szOID_RSA_DES_EDE3_CBC "1.2.840.113549.3.7"
  1049. #define szOID_RSA_RC5_CBCPad "1.2.840.113549.3.9"
  1050. #define szOID_ANSI_X942 "1.2.840.10046"
  1051. #define szOID_ANSI_X942_DH "1.2.840.10046.2.1"
  1052. #define szOID_X957 "1.2.840.10040"
  1053. #define szOID_X957_DSA "1.2.840.10040.4.1"
  1054. #define szOID_X957_SHA1DSA "1.2.840.10040.4.3"
  1055. // ITU-T UsefulDefinitions
  1056. #define szOID_DS "2.5"
  1057. #define szOID_DSALG "2.5.8"
  1058. #define szOID_DSALG_CRPT "2.5.8.1"
  1059. #define szOID_DSALG_HASH "2.5.8.2"
  1060. #define szOID_DSALG_SIGN "2.5.8.3"
  1061. #define szOID_DSALG_RSA "2.5.8.1.1"
  1062. // NIST OSE Implementors' Workshop (OIW)
  1063. // http://nemo.ncsl.nist.gov/oiw/agreements/stable/OSI/12s_9506.w51
  1064. // http://nemo.ncsl.nist.gov/oiw/agreements/working/OSI/12w_9503.w51
  1065. #define szOID_OIW "1.3.14"
  1066. // NIST OSE Implementors' Workshop (OIW) Security SIG algorithm identifiers
  1067. #define szOID_OIWSEC "1.3.14.3.2"
  1068. #define szOID_OIWSEC_md4RSA "1.3.14.3.2.2"
  1069. #define szOID_OIWSEC_md5RSA "1.3.14.3.2.3"
  1070. #define szOID_OIWSEC_md4RSA2 "1.3.14.3.2.4"
  1071. #define szOID_OIWSEC_desECB "1.3.14.3.2.6"
  1072. #define szOID_OIWSEC_desCBC "1.3.14.3.2.7"
  1073. #define szOID_OIWSEC_desOFB "1.3.14.3.2.8"
  1074. #define szOID_OIWSEC_desCFB "1.3.14.3.2.9"
  1075. #define szOID_OIWSEC_desMAC "1.3.14.3.2.10"
  1076. #define szOID_OIWSEC_rsaSign "1.3.14.3.2.11"
  1077. #define szOID_OIWSEC_dsa "1.3.14.3.2.12"
  1078. #define szOID_OIWSEC_shaDSA "1.3.14.3.2.13"
  1079. #define szOID_OIWSEC_mdc2RSA "1.3.14.3.2.14"
  1080. #define szOID_OIWSEC_shaRSA "1.3.14.3.2.15"
  1081. #define szOID_OIWSEC_dhCommMod "1.3.14.3.2.16"
  1082. #define szOID_OIWSEC_desEDE "1.3.14.3.2.17"
  1083. #define szOID_OIWSEC_sha "1.3.14.3.2.18"
  1084. #define szOID_OIWSEC_mdc2 "1.3.14.3.2.19"
  1085. #define szOID_OIWSEC_dsaComm "1.3.14.3.2.20"
  1086. #define szOID_OIWSEC_dsaCommSHA "1.3.14.3.2.21"
  1087. #define szOID_OIWSEC_rsaXchg "1.3.14.3.2.22"
  1088. #define szOID_OIWSEC_keyHashSeal "1.3.14.3.2.23"
  1089. #define szOID_OIWSEC_md2RSASign "1.3.14.3.2.24"
  1090. #define szOID_OIWSEC_md5RSASign "1.3.14.3.2.25"
  1091. #define szOID_OIWSEC_sha1 "1.3.14.3.2.26"
  1092. #define szOID_OIWSEC_dsaSHA1 "1.3.14.3.2.27"
  1093. #define szOID_OIWSEC_dsaCommSHA1 "1.3.14.3.2.28"
  1094. #define szOID_OIWSEC_sha1RSASign "1.3.14.3.2.29"
  1095. // NIST OSE Implementors' Workshop (OIW) Directory SIG algorithm identifiers
  1096. #define szOID_OIWDIR "1.3.14.7.2"
  1097. #define szOID_OIWDIR_CRPT "1.3.14.7.2.1"
  1098. #define szOID_OIWDIR_HASH "1.3.14.7.2.2"
  1099. #define szOID_OIWDIR_SIGN "1.3.14.7.2.3"
  1100. #define szOID_OIWDIR_md2 "1.3.14.7.2.2.1"
  1101. #define szOID_OIWDIR_md2RSA "1.3.14.7.2.3.1"
  1102. // INFOSEC Algorithms
  1103. // joint-iso-ccitt(2) country(16) us(840) organization(1) us-government(101) dod(2) id-infosec(1)
  1104. #define szOID_INFOSEC "2.16.840.1.101.2.1"
  1105. #define szOID_INFOSEC_sdnsSignature "2.16.840.1.101.2.1.1.1"
  1106. #define szOID_INFOSEC_mosaicSignature "2.16.840.1.101.2.1.1.2"
  1107. #define szOID_INFOSEC_sdnsConfidentiality "2.16.840.1.101.2.1.1.3"
  1108. #define szOID_INFOSEC_mosaicConfidentiality "2.16.840.1.101.2.1.1.4"
  1109. #define szOID_INFOSEC_sdnsIntegrity "2.16.840.1.101.2.1.1.5"
  1110. #define szOID_INFOSEC_mosaicIntegrity "2.16.840.1.101.2.1.1.6"
  1111. #define szOID_INFOSEC_sdnsTokenProtection "2.16.840.1.101.2.1.1.7"
  1112. #define szOID_INFOSEC_mosaicTokenProtection "2.16.840.1.101.2.1.1.8"
  1113. #define szOID_INFOSEC_sdnsKeyManagement "2.16.840.1.101.2.1.1.9"
  1114. #define szOID_INFOSEC_mosaicKeyManagement "2.16.840.1.101.2.1.1.10"
  1115. #define szOID_INFOSEC_sdnsKMandSig "2.16.840.1.101.2.1.1.11"
  1116. #define szOID_INFOSEC_mosaicKMandSig "2.16.840.1.101.2.1.1.12"
  1117. #define szOID_INFOSEC_SuiteASignature "2.16.840.1.101.2.1.1.13"
  1118. #define szOID_INFOSEC_SuiteAConfidentiality "2.16.840.1.101.2.1.1.14"
  1119. #define szOID_INFOSEC_SuiteAIntegrity "2.16.840.1.101.2.1.1.15"
  1120. #define szOID_INFOSEC_SuiteATokenProtection "2.16.840.1.101.2.1.1.16"
  1121. #define szOID_INFOSEC_SuiteAKeyManagement "2.16.840.1.101.2.1.1.17"
  1122. #define szOID_INFOSEC_SuiteAKMandSig "2.16.840.1.101.2.1.1.18"
  1123. #define szOID_INFOSEC_mosaicUpdatedSig "2.16.840.1.101.2.1.1.19"
  1124. #define szOID_INFOSEC_mosaicKMandUpdSig "2.16.840.1.101.2.1.1.20"
  1125. #define szOID_INFOSEC_mosaicUpdatedInteg "2.16.840.1.101.2.1.1.21"
  1126. typedef struct _CRYPT_OBJID_TABLE {
  1127. DWORD dwAlgId;
  1128. LPCSTR pszObjId;
  1129. } CRYPT_OBJID_TABLE, *PCRYPT_OBJID_TABLE;
  1130. //+-------------------------------------------------------------------------
  1131. // PKCS #1 HashInfo (DigestInfo)
  1132. //--------------------------------------------------------------------------
  1133. typedef struct _CRYPT_HASH_INFO {
  1134. CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
  1135. CRYPT_HASH_BLOB Hash;
  1136. } CRYPT_HASH_INFO, *PCRYPT_HASH_INFO;
  1137. //+-------------------------------------------------------------------------
  1138. // Type used for an extension to an encoded content
  1139. //
  1140. // Where the Value's CRYPT_OBJID_BLOB is in its encoded representation.
  1141. //--------------------------------------------------------------------------
  1142. typedef struct _CERT_EXTENSION {
  1143. LPSTR pszObjId;
  1144. BOOL fCritical;
  1145. CRYPT_OBJID_BLOB Value;
  1146. } CERT_EXTENSION, *PCERT_EXTENSION;
  1147. //+-------------------------------------------------------------------------
  1148. // AttributeTypeValue
  1149. //
  1150. // Where the Value's CRYPT_OBJID_BLOB is in its encoded representation.
  1151. //--------------------------------------------------------------------------
  1152. typedef struct _CRYPT_ATTRIBUTE_TYPE_VALUE {
  1153. LPSTR pszObjId;
  1154. CRYPT_OBJID_BLOB Value;
  1155. } CRYPT_ATTRIBUTE_TYPE_VALUE, *PCRYPT_ATTRIBUTE_TYPE_VALUE;
  1156. //+-------------------------------------------------------------------------
  1157. // Attributes
  1158. //
  1159. // Where the Value's PATTR_BLOBs are in their encoded representation.
  1160. //--------------------------------------------------------------------------
  1161. typedef struct _CRYPT_ATTRIBUTE {
  1162. LPSTR pszObjId;
  1163. DWORD cValue;
  1164. PCRYPT_ATTR_BLOB rgValue;
  1165. } CRYPT_ATTRIBUTE, *PCRYPT_ATTRIBUTE;
  1166. typedef struct _CRYPT_ATTRIBUTES {
  1167. IN DWORD cAttr;
  1168. IN PCRYPT_ATTRIBUTE rgAttr;
  1169. } CRYPT_ATTRIBUTES, *PCRYPT_ATTRIBUTES;
  1170. //+-------------------------------------------------------------------------
  1171. // Attributes making up a Relative Distinguished Name (CERT_RDN)
  1172. //
  1173. // The interpretation of the Value depends on the dwValueType.
  1174. // See below for a list of the types.
  1175. //--------------------------------------------------------------------------
  1176. typedef struct _CERT_RDN_ATTR {
  1177. LPSTR pszObjId;
  1178. DWORD dwValueType;
  1179. CERT_RDN_VALUE_BLOB Value;
  1180. } CERT_RDN_ATTR, *PCERT_RDN_ATTR;
  1181. //+-------------------------------------------------------------------------
  1182. // CERT_RDN attribute Object Identifiers
  1183. //--------------------------------------------------------------------------
  1184. // Labeling attribute types:
  1185. #define szOID_COMMON_NAME "2.5.4.3" // case-ignore string
  1186. #define szOID_SUR_NAME "2.5.4.4" // case-ignore string
  1187. #define szOID_DEVICE_SERIAL_NUMBER "2.5.4.5" // printable string
  1188. // Geographic attribute types:
  1189. #define szOID_COUNTRY_NAME "2.5.4.6" // printable 2char string
  1190. #define szOID_LOCALITY_NAME "2.5.4.7" // case-ignore string
  1191. #define szOID_STATE_OR_PROVINCE_NAME "2.5.4.8" // case-ignore string
  1192. #define szOID_STREET_ADDRESS "2.5.4.9" // case-ignore string
  1193. // Organizational attribute types:
  1194. #define szOID_ORGANIZATION_NAME "2.5.4.10" // case-ignore string
  1195. #define szOID_ORGANIZATIONAL_UNIT_NAME "2.5.4.11" // case-ignore string
  1196. #define szOID_TITLE "2.5.4.12" // case-ignore string
  1197. // Explanatory attribute types:
  1198. #define szOID_DESCRIPTION "2.5.4.13" // case-ignore string
  1199. #define szOID_SEARCH_GUIDE "2.5.4.14"
  1200. #define szOID_BUSINESS_CATEGORY "2.5.4.15" // case-ignore string
  1201. // Postal addressing attribute types:
  1202. #define szOID_POSTAL_ADDRESS "2.5.4.16"
  1203. #define szOID_POSTAL_CODE "2.5.4.17" // case-ignore string
  1204. #define szOID_POST_OFFICE_BOX "2.5.4.18" // case-ignore string
  1205. #define szOID_PHYSICAL_DELIVERY_OFFICE_NAME "2.5.4.19" // case-ignore string
  1206. // Telecommunications addressing attribute types:
  1207. #define szOID_TELEPHONE_NUMBER "2.5.4.20" // telephone number
  1208. #define szOID_TELEX_NUMBER "2.5.4.21"
  1209. #define szOID_TELETEXT_TERMINAL_IDENTIFIER "2.5.4.22"
  1210. #define szOID_FACSIMILE_TELEPHONE_NUMBER "2.5.4.23"
  1211. #define szOID_X21_ADDRESS "2.5.4.24" // numeric string
  1212. #define szOID_INTERNATIONAL_ISDN_NUMBER "2.5.4.25" // numeric string
  1213. #define szOID_REGISTERED_ADDRESS "2.5.4.26"
  1214. #define szOID_DESTINATION_INDICATOR "2.5.4.27" // printable string
  1215. // Preference attribute types:
  1216. #define szOID_PREFERRED_DELIVERY_METHOD "2.5.4.28"
  1217. // OSI application attribute types:
  1218. #define szOID_PRESENTATION_ADDRESS "2.5.4.29"
  1219. #define szOID_SUPPORTED_APPLICATION_CONTEXT "2.5.4.30"
  1220. // Relational application attribute types:
  1221. #define szOID_MEMBER "2.5.4.31"
  1222. #define szOID_OWNER "2.5.4.32"
  1223. #define szOID_ROLE_OCCUPANT "2.5.4.33"
  1224. #define szOID_SEE_ALSO "2.5.4.34"
  1225. // Security attribute types:
  1226. #define szOID_USER_PASSWORD "2.5.4.35"
  1227. #define szOID_USER_CERTIFICATE "2.5.4.36"
  1228. #define szOID_CA_CERTIFICATE "2.5.4.37"
  1229. #define szOID_AUTHORITY_REVOCATION_LIST "2.5.4.38"
  1230. #define szOID_CERTIFICATE_REVOCATION_LIST "2.5.4.39"
  1231. #define szOID_CROSS_CERTIFICATE_PAIR "2.5.4.40"
  1232. // Undocumented attribute types???
  1233. //#define szOID_??? "2.5.4.41"
  1234. #define szOID_GIVEN_NAME "2.5.4.42" // case-ignore string
  1235. #define szOID_INITIALS "2.5.4.43" // case-ignore string
  1236. // The DN Qualifier attribute type specifies disambiguating information to add
  1237. // to the relative distinguished name of an entry. It is intended to be used
  1238. // for entries held in multiple DSAs which would otherwise have the same name,
  1239. // and that its value be the same in a given DSA for all entries to which
  1240. // the information has been added.
  1241. #define szOID_DN_QUALIFIER "2.5.4.46"
  1242. // Pilot user attribute types:
  1243. #define szOID_DOMAIN_COMPONENT "0.9.2342.19200300.100.1.25" // IA5, UTF8 string
  1244. // used for PKCS 12 attributes
  1245. #define szOID_PKCS_12_FRIENDLY_NAME_ATTR "1.2.840.113549.1.9.20"
  1246. #define szOID_PKCS_12_LOCAL_KEY_ID "1.2.840.113549.1.9.21"
  1247. #define szOID_PKCS_12_KEY_PROVIDER_NAME_ATTR "1.3.6.1.4.1.311.17.1"
  1248. #define szOID_LOCAL_MACHINE_KEYSET "1.3.6.1.4.1.311.17.2"
  1249. //+-------------------------------------------------------------------------
  1250. // Microsoft CERT_RDN attribute Object Identifiers
  1251. //--------------------------------------------------------------------------
  1252. // Special RDN containing the KEY_ID. Its value type is CERT_RDN_OCTET_STRING.
  1253. #define szOID_KEYID_RDN "1.3.6.1.4.1.311.10.7.1"
  1254. //+-------------------------------------------------------------------------
  1255. // CERT_RDN Attribute Value Types
  1256. //
  1257. // For RDN_ENCODED_BLOB, the Value's CERT_RDN_VALUE_BLOB is in its encoded
  1258. // representation. Otherwise, its an array of bytes.
  1259. //
  1260. // For all CERT_RDN types, Value.cbData is always the number of bytes, not
  1261. // necessarily the number of elements in the string. For instance,
  1262. // RDN_UNIVERSAL_STRING is an array of ints (cbData == intCnt * 4) and
  1263. // RDN_BMP_STRING is an array of unsigned shorts (cbData == ushortCnt * 2).
  1264. //
  1265. // A RDN_UTF8_STRING is an array of UNICODE characters (cbData == charCnt *2).
  1266. // These UNICODE characters are encoded as UTF8 8 bit characters.
  1267. //
  1268. // For CertDecodeName, two 0 bytes are always appended to the end of the
  1269. // string (ensures a CHAR or WCHAR string is null terminated).
  1270. // These added 0 bytes are't included in the BLOB.cbData.
  1271. //--------------------------------------------------------------------------
  1272. #define CERT_RDN_ANY_TYPE 0
  1273. #define CERT_RDN_ENCODED_BLOB 1
  1274. #define CERT_RDN_OCTET_STRING 2
  1275. #define CERT_RDN_NUMERIC_STRING 3
  1276. #define CERT_RDN_PRINTABLE_STRING 4
  1277. #define CERT_RDN_TELETEX_STRING 5
  1278. #define CERT_RDN_T61_STRING 5
  1279. #define CERT_RDN_VIDEOTEX_STRING 6
  1280. #define CERT_RDN_IA5_STRING 7
  1281. #define CERT_RDN_GRAPHIC_STRING 8
  1282. #define CERT_RDN_VISIBLE_STRING 9
  1283. #define CERT_RDN_ISO646_STRING 9
  1284. #define CERT_RDN_GENERAL_STRING 10
  1285. #define CERT_RDN_UNIVERSAL_STRING 11
  1286. #define CERT_RDN_INT4_STRING 11
  1287. #define CERT_RDN_BMP_STRING 12
  1288. #define CERT_RDN_UNICODE_STRING 12
  1289. #define CERT_RDN_UTF8_STRING 13
  1290. #define CERT_RDN_TYPE_MASK 0x000000FF
  1291. #define CERT_RDN_FLAGS_MASK 0xFF000000
  1292. //+-------------------------------------------------------------------------
  1293. // Flags that can be or'ed with the above Value Type when encoding/decoding
  1294. //--------------------------------------------------------------------------
  1295. // For encoding: when set, CERT_RDN_T61_STRING is selected instead of
  1296. // CERT_RDN_UNICODE_STRING if all the unicode characters are <= 0xFF
  1297. #define CERT_RDN_ENABLE_T61_UNICODE_FLAG 0x80000000
  1298. // For encoding: when set, CERT_RDN_UTF8_STRING is selected instead of
  1299. // CERT_RDN_UNICODE_STRING.
  1300. #define CERT_RDN_ENABLE_UTF8_UNICODE_FLAG 0x20000000
  1301. // For encoding: when set, the characters aren't checked to see if they
  1302. // are valid for the Value Type.
  1303. #define CERT_RDN_DISABLE_CHECK_TYPE_FLAG 0x40000000
  1304. // For decoding: by default, CERT_RDN_T61_STRING values are initially decoded
  1305. // as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
  1306. // Setting this flag skips the initial attempt to decode as UTF8.
  1307. #define CERT_RDN_DISABLE_IE4_UTF8_FLAG 0x01000000
  1308. // Macro to check that the dwValueType is a character string and not an
  1309. // encoded blob or octet string
  1310. #define IS_CERT_RDN_CHAR_STRING(X) \
  1311. (((X) & CERT_RDN_TYPE_MASK) >= CERT_RDN_NUMERIC_STRING)
  1312. //+-------------------------------------------------------------------------
  1313. // A CERT_RDN consists of an array of the above attributes
  1314. //--------------------------------------------------------------------------
  1315. typedef struct _CERT_RDN {
  1316. DWORD cRDNAttr;
  1317. PCERT_RDN_ATTR rgRDNAttr;
  1318. } CERT_RDN, *PCERT_RDN;
  1319. //+-------------------------------------------------------------------------
  1320. // Information stored in a subject's or issuer's name. The information
  1321. // is represented as an array of the above RDNs.
  1322. //--------------------------------------------------------------------------
  1323. typedef struct _CERT_NAME_INFO {
  1324. DWORD cRDN;
  1325. PCERT_RDN rgRDN;
  1326. } CERT_NAME_INFO, *PCERT_NAME_INFO;
  1327. //+-------------------------------------------------------------------------
  1328. // Name attribute value without the Object Identifier
  1329. //
  1330. // The interpretation of the Value depends on the dwValueType.
  1331. // See above for a list of the types.
  1332. //--------------------------------------------------------------------------
  1333. typedef struct _CERT_NAME_VALUE {
  1334. DWORD dwValueType;
  1335. CERT_RDN_VALUE_BLOB Value;
  1336. } CERT_NAME_VALUE, *PCERT_NAME_VALUE;
  1337. //+-------------------------------------------------------------------------
  1338. // Public Key Info
  1339. //
  1340. // The PublicKey is the encoded representation of the information as it is
  1341. // stored in the bit string
  1342. //--------------------------------------------------------------------------
  1343. typedef struct _CERT_PUBLIC_KEY_INFO {
  1344. CRYPT_ALGORITHM_IDENTIFIER Algorithm;
  1345. CRYPT_BIT_BLOB PublicKey;
  1346. } CERT_PUBLIC_KEY_INFO, *PCERT_PUBLIC_KEY_INFO;
  1347. #define CERT_RSA_PUBLIC_KEY_OBJID szOID_RSA_RSA
  1348. #define CERT_DEFAULT_OID_PUBLIC_KEY_SIGN szOID_RSA_RSA
  1349. #define CERT_DEFAULT_OID_PUBLIC_KEY_XCHG szOID_RSA_RSA
  1350. //+-------------------------------------------------------------------------
  1351. // structure that contains all the information in a PKCS#8 PrivateKeyInfo
  1352. //--------------------------------------------------------------------------
  1353. typedef struct _CRYPT_PRIVATE_KEY_INFO{
  1354. DWORD Version;
  1355. CRYPT_ALGORITHM_IDENTIFIER Algorithm;
  1356. CRYPT_DER_BLOB PrivateKey;
  1357. PCRYPT_ATTRIBUTES pAttributes;
  1358. } CRYPT_PRIVATE_KEY_INFO, *PCRYPT_PRIVATE_KEY_INFO;
  1359. //+-------------------------------------------------------------------------
  1360. // structure that contains all the information in a PKCS#8
  1361. // EncryptedPrivateKeyInfo
  1362. //--------------------------------------------------------------------------
  1363. typedef struct _CRYPT_ENCRYPTED_PRIVATE_KEY_INFO{
  1364. CRYPT_ALGORITHM_IDENTIFIER EncryptionAlgorithm;
  1365. CRYPT_DATA_BLOB EncryptedPrivateKey;
  1366. } CRYPT_ENCRYPTED_PRIVATE_KEY_INFO, *PCRYPT_ENCRYPTED_PRIVATE_KEY_INFO;
  1367. //+-------------------------------------------------------------------------
  1368. // this callback is given when an EncryptedProvateKeyInfo structure is
  1369. // encountered during ImportPKCS8. the caller is then expected to decrypt
  1370. // the private key and hand back the decrypted contents.
  1371. //
  1372. // the parameters are:
  1373. // Algorithm - the algorithm used to encrypt the PrivateKeyInfo
  1374. // EncryptedPrivateKey - the encrypted private key blob
  1375. // pClearTextKey - a buffer to receive the clear text
  1376. // cbClearTextKey - the number of bytes of the pClearTextKey buffer
  1377. // note the if this is zero then this should be
  1378. // filled in with the size required to decrypt the
  1379. // key into, and pClearTextKey should be ignored
  1380. // pVoidDecryptFunc - this is the pVoid that was passed into the call
  1381. // and is preserved and passed back as context
  1382. //+-------------------------------------------------------------------------
  1383. typedef BOOL (CALLBACK *PCRYPT_DECRYPT_PRIVATE_KEY_FUNC)(
  1384. CRYPT_ALGORITHM_IDENTIFIER Algorithm,
  1385. CRYPT_DATA_BLOB EncryptedPrivateKey,
  1386. BYTE *pbClearTextKey,
  1387. DWORD *pcbClearTextKey,
  1388. LPVOID pVoidDecryptFunc);
  1389. //+-------------------------------------------------------------------------
  1390. // this callback is given when creating a PKCS8 EncryptedPrivateKeyInfo.
  1391. // The caller is then expected to encrypt the private key and hand back
  1392. // the encrypted contents.
  1393. //
  1394. // the parameters are:
  1395. // Algorithm - the algorithm used to encrypt the PrivateKeyInfo
  1396. // pClearTextPrivateKey - the cleartext private key to be encrypted
  1397. // pbEncryptedKey - the output encrypted private key blob
  1398. // cbEncryptedKey - the number of bytes of the pbEncryptedKey buffer
  1399. // note the if this is zero then this should be
  1400. // filled in with the size required to encrypt the
  1401. // key into, and pbEncryptedKey should be ignored
  1402. // pVoidEncryptFunc - this is the pVoid that was passed into the call
  1403. // and is preserved and passed back as context
  1404. //+-------------------------------------------------------------------------
  1405. typedef BOOL (CALLBACK *PCRYPT_ENCRYPT_PRIVATE_KEY_FUNC)(
  1406. CRYPT_ALGORITHM_IDENTIFIER* pAlgorithm,
  1407. CRYPT_DATA_BLOB* pClearTextPrivateKey,
  1408. BYTE *pbEncryptedKey,
  1409. DWORD *pcbEncryptedKey,
  1410. LPVOID pVoidEncryptFunc);
  1411. //+-------------------------------------------------------------------------
  1412. // this callback is given from the context of a ImportPKCS8 calls. the caller
  1413. // is then expected to hand back an HCRYPTPROV to receive the key being imported
  1414. //
  1415. // the parameters are:
  1416. // pPrivateKeyInfo - pointer to a CRYPT_PRIVATE_KEY_INFO structure which
  1417. // describes the key being imported
  1418. // EncryptedPrivateKey - the encrypted private key blob
  1419. // phCryptProv - a pointer to a HCRRYPTPROV to be filled in
  1420. // pVoidResolveFunc - this is the pVoidResolveFunc passed in by the caller in the
  1421. // CRYPT_PRIVATE_KEY_BLOB_AND_PARAMS struct
  1422. //+-------------------------------------------------------------------------
  1423. typedef BOOL (CALLBACK *PCRYPT_RESOLVE_HCRYPTPROV_FUNC)(
  1424. CRYPT_PRIVATE_KEY_INFO *pPrivateKeyInfo,
  1425. HCRYPTPROV *phCryptProv,
  1426. LPVOID pVoidResolveFunc);
  1427. //+-------------------------------------------------------------------------
  1428. // this struct contains a PKCS8 private key and two pointers to callback
  1429. // functions, with a corresponding pVoids. the first callback is used to give
  1430. // the caller the opportunity to specify where the key is imported to. the callback
  1431. // passes the caller the algoroithm OID and key size to use in making the decision.
  1432. // the other callback is used to decrypt the private key if the PKCS8 contains an
  1433. // EncryptedPrivateKeyInfo. both pVoids are preserved and passed back to the caller
  1434. // in the respective callback
  1435. //+-------------------------------------------------------------------------
  1436. typedef struct _CRYPT_PKCS8_IMPORT_PARAMS{
  1437. CRYPT_DIGEST_BLOB PrivateKey; // PKCS8 blob
  1438. PCRYPT_RESOLVE_HCRYPTPROV_FUNC pResolvehCryptProvFunc; // optional
  1439. LPVOID pVoidResolveFunc; // optional
  1440. PCRYPT_DECRYPT_PRIVATE_KEY_FUNC pDecryptPrivateKeyFunc;
  1441. LPVOID pVoidDecryptFunc;
  1442. } CRYPT_PKCS8_IMPORT_PARAMS, *PCRYPT_PKCS8_IMPORT_PARAMS, CRYPT_PRIVATE_KEY_BLOB_AND_PARAMS, *PCRYPT_PRIVATE_KEY_BLOB_AND_PARAMS;
  1443. //+-------------------------------------------------------------------------
  1444. // this struct contains information identifying a private key and a pointer
  1445. // to a callback function, with a corresponding pVoid. The callback is used
  1446. // to encrypt the private key. If the pEncryptPrivateKeyFunc is NULL, the
  1447. // key will not be encrypted and an EncryptedPrivateKeyInfo will not be generated.
  1448. // The pVoid is preserved and passed back to the caller in the respective callback
  1449. //+-------------------------------------------------------------------------
  1450. typedef struct _CRYPT_PKCS8_EXPORT_PARAMS{
  1451. HCRYPTPROV hCryptProv;
  1452. DWORD dwKeySpec;
  1453. LPSTR pszPrivateKeyObjId;
  1454. PCRYPT_ENCRYPT_PRIVATE_KEY_FUNC pEncryptPrivateKeyFunc;
  1455. LPVOID pVoidEncryptFunc;
  1456. } CRYPT_PKCS8_EXPORT_PARAMS, *PCRYPT_PKCS8_EXPORT_PARAMS;
  1457. //+-------------------------------------------------------------------------
  1458. // Information stored in a certificate
  1459. //
  1460. // The Issuer, Subject, Algorithm, PublicKey and Extension BLOBs are the
  1461. // encoded representation of the information.
  1462. //--------------------------------------------------------------------------
  1463. typedef struct _CERT_INFO {
  1464. DWORD dwVersion;
  1465. CRYPT_INTEGER_BLOB SerialNumber;
  1466. CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm;
  1467. CERT_NAME_BLOB Issuer;
  1468. FILETIME NotBefore;
  1469. FILETIME NotAfter;
  1470. CERT_NAME_BLOB Subject;
  1471. CERT_PUBLIC_KEY_INFO SubjectPublicKeyInfo;
  1472. CRYPT_BIT_BLOB IssuerUniqueId;
  1473. CRYPT_BIT_BLOB SubjectUniqueId;
  1474. DWORD cExtension;
  1475. PCERT_EXTENSION rgExtension;
  1476. } CERT_INFO, *PCERT_INFO;
  1477. //+-------------------------------------------------------------------------
  1478. // Certificate versions
  1479. //--------------------------------------------------------------------------
  1480. #define CERT_V1 0
  1481. #define CERT_V2 1
  1482. #define CERT_V3 2
  1483. //+-------------------------------------------------------------------------
  1484. // Certificate Information Flags
  1485. //--------------------------------------------------------------------------
  1486. #define CERT_INFO_VERSION_FLAG 1
  1487. #define CERT_INFO_SERIAL_NUMBER_FLAG 2
  1488. #define CERT_INFO_SIGNATURE_ALGORITHM_FLAG 3
  1489. #define CERT_INFO_ISSUER_FLAG 4
  1490. #define CERT_INFO_NOT_BEFORE_FLAG 5
  1491. #define CERT_INFO_NOT_AFTER_FLAG 6
  1492. #define CERT_INFO_SUBJECT_FLAG 7
  1493. #define CERT_INFO_SUBJECT_PUBLIC_KEY_INFO_FLAG 8
  1494. #define CERT_INFO_ISSUER_UNIQUE_ID_FLAG 9
  1495. #define CERT_INFO_SUBJECT_UNIQUE_ID_FLAG 10
  1496. #define CERT_INFO_EXTENSION_FLAG 11
  1497. //+-------------------------------------------------------------------------
  1498. // An entry in a CRL
  1499. //
  1500. // The Extension BLOBs are the encoded representation of the information.
  1501. //--------------------------------------------------------------------------
  1502. typedef struct _CRL_ENTRY {
  1503. CRYPT_INTEGER_BLOB SerialNumber;
  1504. FILETIME RevocationDate;
  1505. DWORD cExtension;
  1506. PCERT_EXTENSION rgExtension;
  1507. } CRL_ENTRY, *PCRL_ENTRY;
  1508. //+-------------------------------------------------------------------------
  1509. // Information stored in a CRL
  1510. //
  1511. // The Issuer, Algorithm and Extension BLOBs are the encoded
  1512. // representation of the information.
  1513. //--------------------------------------------------------------------------
  1514. typedef struct _CRL_INFO {
  1515. DWORD dwVersion;
  1516. CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm;
  1517. CERT_NAME_BLOB Issuer;
  1518. FILETIME ThisUpdate;
  1519. FILETIME NextUpdate;
  1520. DWORD cCRLEntry;
  1521. PCRL_ENTRY rgCRLEntry;
  1522. DWORD cExtension;
  1523. PCERT_EXTENSION rgExtension;
  1524. } CRL_INFO, *PCRL_INFO;
  1525. //+-------------------------------------------------------------------------
  1526. // CRL versions
  1527. //--------------------------------------------------------------------------
  1528. #define CRL_V1 0
  1529. #define CRL_V2 1
  1530. //+-------------------------------------------------------------------------
  1531. // Information stored in a certificate request
  1532. //
  1533. // The Subject, Algorithm, PublicKey and Attribute BLOBs are the encoded
  1534. // representation of the information.
  1535. //--------------------------------------------------------------------------
  1536. typedef struct _CERT_REQUEST_INFO {
  1537. DWORD dwVersion;
  1538. CERT_NAME_BLOB Subject;
  1539. CERT_PUBLIC_KEY_INFO SubjectPublicKeyInfo;
  1540. DWORD cAttribute;
  1541. PCRYPT_ATTRIBUTE rgAttribute;
  1542. } CERT_REQUEST_INFO, *PCERT_REQUEST_INFO;
  1543. //+-------------------------------------------------------------------------
  1544. // Certificate Request versions
  1545. //--------------------------------------------------------------------------
  1546. #define CERT_REQUEST_V1 0
  1547. //+-------------------------------------------------------------------------
  1548. // Information stored in Netscape's Keygen request
  1549. //--------------------------------------------------------------------------
  1550. typedef struct _CERT_KEYGEN_REQUEST_INFO {
  1551. DWORD dwVersion;
  1552. CERT_PUBLIC_KEY_INFO SubjectPublicKeyInfo;
  1553. LPWSTR pwszChallengeString; // encoded as IA5
  1554. } CERT_KEYGEN_REQUEST_INFO, *PCERT_KEYGEN_REQUEST_INFO;
  1555. #define CERT_KEYGEN_REQUEST_V1 0
  1556. //+-------------------------------------------------------------------------
  1557. // Certificate, CRL, Certificate Request or Keygen Request Signed Content
  1558. //
  1559. // The "to be signed" encoded content plus its signature. The ToBeSigned
  1560. // is the encoded CERT_INFO, CRL_INFO, CERT_REQUEST_INFO or
  1561. // CERT_KEYGEN_REQUEST_INFO.
  1562. //--------------------------------------------------------------------------
  1563. typedef struct _CERT_SIGNED_CONTENT_INFO {
  1564. CRYPT_DER_BLOB ToBeSigned;
  1565. CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm;
  1566. CRYPT_BIT_BLOB Signature;
  1567. } CERT_SIGNED_CONTENT_INFO, *PCERT_SIGNED_CONTENT_INFO;
  1568. //+-------------------------------------------------------------------------
  1569. // Certificate Trust List (CTL)
  1570. //--------------------------------------------------------------------------
  1571. //+-------------------------------------------------------------------------
  1572. // CTL Usage. Also used for EnhancedKeyUsage extension.
  1573. //--------------------------------------------------------------------------
  1574. typedef struct _CTL_USAGE {
  1575. DWORD cUsageIdentifier;
  1576. LPSTR *rgpszUsageIdentifier; // array of pszObjId
  1577. } CTL_USAGE, *PCTL_USAGE,
  1578. CERT_ENHKEY_USAGE, *PCERT_ENHKEY_USAGE;
  1579. //+-------------------------------------------------------------------------
  1580. // An entry in a CTL
  1581. //--------------------------------------------------------------------------
  1582. typedef struct _CTL_ENTRY {
  1583. CRYPT_DATA_BLOB SubjectIdentifier; // For example, its hash
  1584. DWORD cAttribute;
  1585. PCRYPT_ATTRIBUTE rgAttribute; // OPTIONAL
  1586. } CTL_ENTRY, *PCTL_ENTRY;
  1587. //+-------------------------------------------------------------------------
  1588. // Information stored in a CTL
  1589. //--------------------------------------------------------------------------
  1590. typedef struct _CTL_INFO {
  1591. DWORD dwVersion;
  1592. CTL_USAGE SubjectUsage;
  1593. CRYPT_DATA_BLOB ListIdentifier; // OPTIONAL
  1594. CRYPT_INTEGER_BLOB SequenceNumber; // OPTIONAL
  1595. FILETIME ThisUpdate;
  1596. FILETIME NextUpdate; // OPTIONAL
  1597. CRYPT_ALGORITHM_IDENTIFIER SubjectAlgorithm;
  1598. DWORD cCTLEntry;
  1599. PCTL_ENTRY rgCTLEntry; // OPTIONAL
  1600. DWORD cExtension;
  1601. PCERT_EXTENSION rgExtension; // OPTIONAL
  1602. } CTL_INFO, *PCTL_INFO;
  1603. //+-------------------------------------------------------------------------
  1604. // CTL versions
  1605. //--------------------------------------------------------------------------
  1606. #define CTL_V1 0
  1607. //+-------------------------------------------------------------------------
  1608. // TimeStamp Request
  1609. //
  1610. // The pszTimeStamp is the OID for the Time type requested
  1611. // The pszContentType is the Content Type OID for the content, usually DATA
  1612. // The Content is a un-decoded blob
  1613. //--------------------------------------------------------------------------
  1614. typedef struct _CRYPT_TIME_STAMP_REQUEST_INFO {
  1615. LPSTR pszTimeStampAlgorithm; // pszObjId
  1616. LPSTR pszContentType; // pszObjId
  1617. CRYPT_OBJID_BLOB Content;
  1618. DWORD cAttribute;
  1619. PCRYPT_ATTRIBUTE rgAttribute;
  1620. } CRYPT_TIME_STAMP_REQUEST_INFO, *PCRYPT_TIME_STAMP_REQUEST_INFO;
  1621. //+-------------------------------------------------------------------------
  1622. // Name Value Attribute
  1623. //--------------------------------------------------------------------------
  1624. typedef struct _CRYPT_ENROLLMENT_NAME_VALUE_PAIR {
  1625. LPWSTR pwszName;
  1626. LPWSTR pwszValue;
  1627. } CRYPT_ENROLLMENT_NAME_VALUE_PAIR, * PCRYPT_ENROLLMENT_NAME_VALUE_PAIR;
  1628. //+-------------------------------------------------------------------------
  1629. // CSP Provider
  1630. //--------------------------------------------------------------------------
  1631. typedef struct _CRYPT_CSP_PROVIDER {
  1632. DWORD dwKeySpec;
  1633. LPWSTR pwszProviderName;
  1634. CRYPT_BIT_BLOB Signature;
  1635. } CRYPT_CSP_PROVIDER, * PCRYPT_CSP_PROVIDER;
  1636. //+-------------------------------------------------------------------------
  1637. // Certificate and Message encoding types
  1638. //
  1639. // The encoding type is a DWORD containing both the certificate and message
  1640. // encoding types. The certificate encoding type is stored in the LOWORD.
  1641. // The message encoding type is stored in the HIWORD. Some functions or
  1642. // structure fields require only one of the encoding types. The following
  1643. // naming convention is used to indicate which encoding type(s) are
  1644. // required:
  1645. // dwEncodingType (both encoding types are required)
  1646. // dwMsgAndCertEncodingType (both encoding types are required)
  1647. // dwMsgEncodingType (only msg encoding type is required)
  1648. // dwCertEncodingType (only cert encoding type is required)
  1649. //
  1650. // Its always acceptable to specify both.
  1651. //--------------------------------------------------------------------------
  1652. #define CERT_ENCODING_TYPE_MASK 0x0000FFFF
  1653. #define CMSG_ENCODING_TYPE_MASK 0xFFFF0000
  1654. #define GET_CERT_ENCODING_TYPE(X) (X & CERT_ENCODING_TYPE_MASK)
  1655. #define GET_CMSG_ENCODING_TYPE(X) (X & CMSG_ENCODING_TYPE_MASK)
  1656. #define CRYPT_ASN_ENCODING 0x00000001
  1657. #define CRYPT_NDR_ENCODING 0x00000002
  1658. #define X509_ASN_ENCODING 0x00000001
  1659. #define X509_NDR_ENCODING 0x00000002
  1660. #define PKCS_7_ASN_ENCODING 0x00010000
  1661. #define PKCS_7_NDR_ENCODING 0x00020000
  1662. //+-------------------------------------------------------------------------
  1663. // format the specified data structure according to the certificate
  1664. // encoding type.
  1665. //
  1666. // The default behavior of CryptFormatObject is to return single line
  1667. // display of the encoded data, that is, each subfield will be concatenated with
  1668. // a ", " on one line. If user prefers to display the data in multiple line,
  1669. // set the flag CRYPT_FORMAT_STR_MULTI_LINE, that is, each subfield will be displayed
  1670. // on a seperate line.
  1671. //
  1672. // If there is no formatting routine installed or registered
  1673. // for the lpszStructType, the hex dump of the encoded BLOB will be returned.
  1674. // User can set the flag CRYPT_FORMAT_STR_NO_HEX to disable the hex dump.
  1675. //--------------------------------------------------------------------------
  1676. WINCRYPT32API
  1677. BOOL
  1678. WINAPI
  1679. CryptFormatObject(
  1680. IN DWORD dwCertEncodingType,
  1681. IN DWORD dwFormatType,
  1682. IN DWORD dwFormatStrType,
  1683. IN void *pFormatStruct,
  1684. IN LPCSTR lpszStructType,
  1685. IN const BYTE *pbEncoded,
  1686. IN DWORD cbEncoded,
  1687. OUT void *pbFormat,
  1688. IN OUT DWORD *pcbFormat
  1689. );
  1690. //-------------------------------------------------------------------------
  1691. // constants for dwFormatStrType of function CryptFormatObject
  1692. //-------------------------------------------------------------------------
  1693. #define CRYPT_FORMAT_STR_MULTI_LINE 0x0001
  1694. #define CRYPT_FORMAT_STR_NO_HEX 0x0010
  1695. //-------------------------------------------------------------------------
  1696. // constants for dwFormatType of function CryptFormatObject
  1697. // when format X509_NAME or X509_UNICODE_NAME
  1698. //-------------------------------------------------------------------------
  1699. // Just get the simple string
  1700. #define CRYPT_FORMAT_SIMPLE 0x0001
  1701. //Put an attribute name infront of the attribute
  1702. //such as "O=Microsoft,DN=xiaohs"
  1703. #define CRYPT_FORMAT_X509 0x0002
  1704. //Put an OID infront of the simple string, such as
  1705. //"2.5.4.22=Microsoft,2.5.4.3=xiaohs"
  1706. #define CRYPT_FORMAT_OID 0x0004
  1707. //Put a ";" between each RDN. The default is ","
  1708. #define CRYPT_FORMAT_RDN_SEMICOLON 0x0100
  1709. //Put a "\n" between each RDN.
  1710. #define CRYPT_FORMAT_RDN_CRLF 0x0200
  1711. //Unquote the DN value, which is quoated by default va the following
  1712. //rules: if the DN contains leading or trailing
  1713. //white space or one of the following characters: ",", "+", "=",
  1714. //""", "\n", "<", ">", "#" or ";". The quoting character is ".
  1715. //If the DN Value contains a " it is double quoted ("").
  1716. #define CRYPT_FORMAT_RDN_UNQUOTE 0x0400
  1717. //reverse the order of the RDNs before converting to the string
  1718. #define CRYPT_FORMAT_RDN_REVERSE 0x0800
  1719. //-------------------------------------------------------------------------
  1720. // contants dwFormatType of function CryptFormatObject when format a DN.:
  1721. //
  1722. // The following three values are defined in the section above:
  1723. // CRYPT_FORMAT_SIMPLE: Just a simple string
  1724. // such as "Microsoft+xiaohs+NT"
  1725. // CRYPT_FORMAT_X509 Put an attribute name infront of the attribute
  1726. // such as "O=Microsoft+xiaohs+NT"
  1727. //
  1728. // CRYPT_FORMAT_OID Put an OID infront of the simple string,
  1729. // such as "2.5.4.22=Microsoft+xiaohs+NT"
  1730. //
  1731. // Additional values are defined as following:
  1732. //----------------------------------------------------------------------------
  1733. //Put a "," between each value. Default is "+"
  1734. #define CRYPT_FORMAT_COMMA 0x1000
  1735. //Put a ";" between each value
  1736. #define CRYPT_FORMAT_SEMICOLON CRYPT_FORMAT_RDN_SEMICOLON
  1737. //Put a "\n" between each value
  1738. #define CRYPT_FORMAT_CRLF CRYPT_FORMAT_RDN_CRLF
  1739. //+-------------------------------------------------------------------------
  1740. // Encode / decode the specified data structure according to the certificate
  1741. // encoding type.
  1742. //
  1743. // See below for a list of the predefined data structures.
  1744. //--------------------------------------------------------------------------
  1745. typedef LPVOID (WINAPI *PFN_CRYPT_ALLOC)(
  1746. IN size_t cbSize
  1747. );
  1748. typedef VOID (WINAPI *PFN_CRYPT_FREE)(
  1749. IN LPVOID pv
  1750. );
  1751. typedef struct _CRYPT_ENCODE_PARA {
  1752. DWORD cbSize;
  1753. PFN_CRYPT_ALLOC pfnAlloc; // OPTIONAL
  1754. PFN_CRYPT_FREE pfnFree; // OPTIONAL
  1755. } CRYPT_ENCODE_PARA, *PCRYPT_ENCODE_PARA;
  1756. WINCRYPT32API
  1757. BOOL
  1758. WINAPI
  1759. CryptEncodeObjectEx(
  1760. IN DWORD dwCertEncodingType,
  1761. IN LPCSTR lpszStructType,
  1762. IN const void *pvStructInfo,
  1763. IN DWORD dwFlags,
  1764. IN OPTIONAL PCRYPT_ENCODE_PARA pEncodePara,
  1765. OUT void *pvEncoded,
  1766. IN OUT DWORD *pcbEncoded
  1767. );
  1768. WINCRYPT32API
  1769. BOOL
  1770. WINAPI
  1771. CryptEncodeObject(
  1772. IN DWORD dwCertEncodingType,
  1773. IN LPCSTR lpszStructType,
  1774. IN const void *pvStructInfo,
  1775. OUT BYTE *pbEncoded,
  1776. IN OUT DWORD *pcbEncoded
  1777. );
  1778. // By default the signature bytes are reversed. The following flag can
  1779. // be set to inhibit the byte reversal.
  1780. //
  1781. // This flag is applicable to
  1782. // X509_CERT_TO_BE_SIGNED
  1783. #define CRYPT_ENCODE_NO_SIGNATURE_BYTE_REVERSAL_FLAG 0x8
  1784. // When the following flag is set the called encode function allocates
  1785. // memory for the encoded bytes. A pointer to the allocated bytes
  1786. // is returned in pvEncoded. If pEncodePara or pEncodePara->pfnAlloc is
  1787. // NULL, then, LocalAlloc is called for the allocation and LocalFree must
  1788. // be called to do the free. Otherwise, pEncodePara->pfnAlloc is called
  1789. // for the allocation.
  1790. //
  1791. // *pcbEncoded is ignored on input and updated with the length of the
  1792. // allocated, encoded bytes.
  1793. //
  1794. // If pfnAlloc is set, then, pfnFree should also be set.
  1795. #define CRYPT_ENCODE_ALLOC_FLAG 0x8000
  1796. // The following flag is applicable when encoding X509_UNICODE_NAME.
  1797. // When set, CERT_RDN_T61_STRING is selected instead of
  1798. // CERT_RDN_UNICODE_STRING if all the unicode characters are <= 0xFF
  1799. #define CRYPT_UNICODE_NAME_ENCODE_ENABLE_T61_UNICODE_FLAG \
  1800. CERT_RDN_ENABLE_T61_UNICODE_FLAG
  1801. // The following flag is applicable when encoding X509_UNICODE_NAME.
  1802. // When set, CERT_RDN_UTF8_STRING is selected instead of
  1803. // CERT_RDN_UNICODE_STRING.
  1804. #define CRYPT_UNICODE_NAME_ENCODE_ENABLE_UTF8_UNICODE_FLAG \
  1805. CERT_RDN_ENABLE_UTF8_UNICODE_FLAG
  1806. // The following flag is applicable when encoding X509_UNICODE_NAME,
  1807. // X509_UNICODE_NAME_VALUE or X509_UNICODE_ANY_STRING.
  1808. // When set, the characters aren't checked to see if they
  1809. // are valid for the specified Value Type.
  1810. #define CRYPT_UNICODE_NAME_ENCODE_DISABLE_CHECK_TYPE_FLAG \
  1811. CERT_RDN_DISABLE_CHECK_TYPE_FLAG
  1812. // The following flag is applicable when encoding the PKCS_SORTED_CTL. This
  1813. // flag should be set if the identifier for the TrustedSubjects is a hash,
  1814. // such as, MD5 or SHA1.
  1815. #define CRYPT_SORTED_CTL_ENCODE_HASHED_SUBJECT_IDENTIFIER_FLAG 0x10000
  1816. typedef struct _CRYPT_DECODE_PARA {
  1817. DWORD cbSize;
  1818. PFN_CRYPT_ALLOC pfnAlloc; // OPTIONAL
  1819. PFN_CRYPT_FREE pfnFree; // OPTIONAL
  1820. } CRYPT_DECODE_PARA, *PCRYPT_DECODE_PARA;
  1821. WINCRYPT32API
  1822. BOOL
  1823. WINAPI
  1824. CryptDecodeObjectEx(
  1825. IN DWORD dwCertEncodingType,
  1826. IN LPCSTR lpszStructType,
  1827. IN const BYTE *pbEncoded,
  1828. IN DWORD cbEncoded,
  1829. IN DWORD dwFlags,
  1830. IN OPTIONAL PCRYPT_DECODE_PARA pDecodePara,
  1831. OUT OPTIONAL void *pvStructInfo,
  1832. IN OUT DWORD *pcbStructInfo
  1833. );
  1834. WINCRYPT32API
  1835. BOOL
  1836. WINAPI
  1837. CryptDecodeObject(
  1838. IN DWORD dwCertEncodingType,
  1839. IN LPCSTR lpszStructType,
  1840. IN const BYTE *pbEncoded,
  1841. IN DWORD cbEncoded,
  1842. IN DWORD dwFlags,
  1843. OUT void *pvStructInfo,
  1844. IN OUT DWORD *pcbStructInfo
  1845. );
  1846. // When the following flag is set the nocopy optimization is enabled.
  1847. // This optimization where appropriate, updates the pvStructInfo fields
  1848. // to point to content residing within pbEncoded instead of making a copy
  1849. // of and appending to pvStructInfo.
  1850. //
  1851. // Note, when set, pbEncoded can't be freed until pvStructInfo is freed.
  1852. #define CRYPT_DECODE_NOCOPY_FLAG 0x1
  1853. // For CryptDecodeObject(), by default the pbEncoded is the "to be signed"
  1854. // plus its signature. Set the following flag, if pbEncoded points to only
  1855. // the "to be signed".
  1856. //
  1857. // This flag is applicable to
  1858. // X509_CERT_TO_BE_SIGNED
  1859. // X509_CERT_CRL_TO_BE_SIGNED
  1860. // X509_CERT_REQUEST_TO_BE_SIGNED
  1861. // X509_KEYGEN_REQUEST_TO_BE_SIGNED
  1862. #define CRYPT_DECODE_TO_BE_SIGNED_FLAG 0x2
  1863. // When the following flag is set, the OID strings are allocated in
  1864. // crypt32.dll and shared instead of being copied into the returned
  1865. // data structure. This flag may be set if crypt32.dll isn't unloaded
  1866. // before the caller is unloaded.
  1867. #define CRYPT_DECODE_SHARE_OID_STRING_FLAG 0x4
  1868. // By default the signature bytes are reversed. The following flag can
  1869. // be set to inhibit the byte reversal.
  1870. //
  1871. // This flag is applicable to
  1872. // X509_CERT_TO_BE_SIGNED
  1873. #define CRYPT_DECODE_NO_SIGNATURE_BYTE_REVERSAL_FLAG 0x8
  1874. // When the following flag is set the called decode function allocates
  1875. // memory for the decoded structure. A pointer to the allocated structure
  1876. // is returned in pvStructInfo. If pDecodePara or pDecodePara->pfnAlloc is
  1877. // NULL, then, LocalAlloc is called for the allocation and LocalFree must
  1878. // be called to do the free. Otherwise, pDecodePara->pfnAlloc is called
  1879. // for the allocation.
  1880. //
  1881. // *pcbStructInfo is ignored on input and updated with the length of the
  1882. // allocated, decoded structure.
  1883. //
  1884. // This flag may also be set in the CryptDecodeObject API. Since
  1885. // CryptDecodeObject doesn't take a pDecodePara, LocalAlloc is always
  1886. // called for the allocation which must be freed by calling LocalFree.
  1887. #define CRYPT_DECODE_ALLOC_FLAG 0x8000
  1888. // The following flag is applicable when decoding X509_UNICODE_NAME,
  1889. // X509_UNICODE_NAME_VALUE or X509_UNICODE_ANY_STRING.
  1890. // By default, CERT_RDN_T61_STRING values are initially decoded
  1891. // as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
  1892. // Setting this flag skips the initial attempt to decode as UTF8.
  1893. #define CRYPT_UNICODE_NAME_DECODE_DISABLE_IE4_UTF8_FLAG \
  1894. CERT_RDN_DISABLE_IE4_UTF8_FLAG
  1895. //+-------------------------------------------------------------------------
  1896. // Predefined X509 certificate data structures that can be encoded / decoded.
  1897. //--------------------------------------------------------------------------
  1898. #define CRYPT_ENCODE_DECODE_NONE 0
  1899. #define X509_CERT ((LPCSTR) 1)
  1900. #define X509_CERT_TO_BE_SIGNED ((LPCSTR) 2)
  1901. #define X509_CERT_CRL_TO_BE_SIGNED ((LPCSTR) 3)
  1902. #define X509_CERT_REQUEST_TO_BE_SIGNED ((LPCSTR) 4)
  1903. #define X509_EXTENSIONS ((LPCSTR) 5)
  1904. #define X509_NAME_VALUE ((LPCSTR) 6)
  1905. #define X509_NAME ((LPCSTR) 7)
  1906. #define X509_PUBLIC_KEY_INFO ((LPCSTR) 8)
  1907. //+-------------------------------------------------------------------------
  1908. // Predefined X509 certificate extension data structures that can be
  1909. // encoded / decoded.
  1910. //--------------------------------------------------------------------------
  1911. #define X509_AUTHORITY_KEY_ID ((LPCSTR) 9)
  1912. #define X509_KEY_ATTRIBUTES ((LPCSTR) 10)
  1913. #define X509_KEY_USAGE_RESTRICTION ((LPCSTR) 11)
  1914. #define X509_ALTERNATE_NAME ((LPCSTR) 12)
  1915. #define X509_BASIC_CONSTRAINTS ((LPCSTR) 13)
  1916. #define X509_KEY_USAGE ((LPCSTR) 14)
  1917. #define X509_BASIC_CONSTRAINTS2 ((LPCSTR) 15)
  1918. #define X509_CERT_POLICIES ((LPCSTR) 16)
  1919. //+-------------------------------------------------------------------------
  1920. // Additional predefined data structures that can be encoded / decoded.
  1921. //--------------------------------------------------------------------------
  1922. #define PKCS_UTC_TIME ((LPCSTR) 17)
  1923. #define PKCS_TIME_REQUEST ((LPCSTR) 18)
  1924. #define RSA_CSP_PUBLICKEYBLOB ((LPCSTR) 19)
  1925. #define X509_UNICODE_NAME ((LPCSTR) 20)
  1926. #define X509_KEYGEN_REQUEST_TO_BE_SIGNED ((LPCSTR) 21)
  1927. #define PKCS_ATTRIBUTE ((LPCSTR) 22)
  1928. #define PKCS_CONTENT_INFO_SEQUENCE_OF_ANY ((LPCSTR) 23)
  1929. //+-------------------------------------------------------------------------
  1930. // Predefined primitive data structures that can be encoded / decoded.
  1931. //--------------------------------------------------------------------------
  1932. #define X509_UNICODE_NAME_VALUE ((LPCSTR) 24)
  1933. #define X509_ANY_STRING X509_NAME_VALUE
  1934. #define X509_UNICODE_ANY_STRING X509_UNICODE_NAME_VALUE
  1935. #define X509_OCTET_STRING ((LPCSTR) 25)
  1936. #define X509_BITS ((LPCSTR) 26)
  1937. #define X509_INTEGER ((LPCSTR) 27)
  1938. #define X509_MULTI_BYTE_INTEGER ((LPCSTR) 28)
  1939. #define X509_ENUMERATED ((LPCSTR) 29)
  1940. #define X509_CHOICE_OF_TIME ((LPCSTR) 30)
  1941. //+-------------------------------------------------------------------------
  1942. // More predefined X509 certificate extension data structures that can be
  1943. // encoded / decoded.
  1944. //--------------------------------------------------------------------------
  1945. #define X509_AUTHORITY_KEY_ID2 ((LPCSTR) 31)
  1946. #define X509_AUTHORITY_INFO_ACCESS ((LPCSTR) 32)
  1947. #define X509_CRL_REASON_CODE X509_ENUMERATED
  1948. #define PKCS_CONTENT_INFO ((LPCSTR) 33)
  1949. #define X509_SEQUENCE_OF_ANY ((LPCSTR) 34)
  1950. #define X509_CRL_DIST_POINTS ((LPCSTR) 35)
  1951. #define X509_ENHANCED_KEY_USAGE ((LPCSTR) 36)
  1952. #define PKCS_CTL ((LPCSTR) 37)
  1953. #define X509_MULTI_BYTE_UINT ((LPCSTR) 38)
  1954. #define X509_DSS_PUBLICKEY X509_MULTI_BYTE_UINT
  1955. #define X509_DSS_PARAMETERS ((LPCSTR) 39)
  1956. #define X509_DSS_SIGNATURE ((LPCSTR) 40)
  1957. #define PKCS_RC2_CBC_PARAMETERS ((LPCSTR) 41)
  1958. #define PKCS_SMIME_CAPABILITIES ((LPCSTR) 42)
  1959. //+-------------------------------------------------------------------------
  1960. // data structures for private keys
  1961. //--------------------------------------------------------------------------
  1962. #define PKCS_RSA_PRIVATE_KEY ((LPCSTR) 43)
  1963. #define PKCS_PRIVATE_KEY_INFO ((LPCSTR) 44)
  1964. #define PKCS_ENCRYPTED_PRIVATE_KEY_INFO ((LPCSTR) 45)
  1965. //+-------------------------------------------------------------------------
  1966. // certificate policy qualifier
  1967. //--------------------------------------------------------------------------
  1968. #define X509_PKIX_POLICY_QUALIFIER_USERNOTICE ((LPCSTR) 46)
  1969. //+-------------------------------------------------------------------------
  1970. // Diffie-Hellman Key Exchange
  1971. //--------------------------------------------------------------------------
  1972. #define X509_DH_PUBLICKEY X509_MULTI_BYTE_UINT
  1973. #define X509_DH_PARAMETERS ((LPCSTR) 47)
  1974. #define PKCS_ATTRIBUTES ((LPCSTR) 48)
  1975. #define PKCS_SORTED_CTL ((LPCSTR) 49)
  1976. //+-------------------------------------------------------------------------
  1977. // X942 Diffie-Hellman
  1978. //--------------------------------------------------------------------------
  1979. #define X942_DH_PARAMETERS ((LPCSTR) 50)
  1980. //+-------------------------------------------------------------------------
  1981. // The following is the same as X509_BITS, except before encoding,
  1982. // the bit length is decremented to exclude trailing zero bits.
  1983. //--------------------------------------------------------------------------
  1984. #define X509_BITS_WITHOUT_TRAILING_ZEROES ((LPCSTR) 51)
  1985. //+-------------------------------------------------------------------------
  1986. // X942 Diffie-Hellman Other Info
  1987. //--------------------------------------------------------------------------
  1988. #define X942_OTHER_INFO ((LPCSTR) 52)
  1989. #define X509_CERT_PAIR ((LPCSTR) 53)
  1990. #define X509_ISSUING_DIST_POINT ((LPCSTR) 54)
  1991. #define X509_NAME_CONSTRAINTS ((LPCSTR) 55)
  1992. #define X509_POLICY_MAPPINGS ((LPCSTR) 56)
  1993. #define X509_POLICY_CONSTRAINTS ((LPCSTR) 57)
  1994. #define X509_CROSS_CERT_DIST_POINTS ((LPCSTR) 58)
  1995. //+-------------------------------------------------------------------------
  1996. // Certificate Management Messages over CMS (CMC) Data Structures
  1997. //--------------------------------------------------------------------------
  1998. #define CMC_DATA ((LPCSTR) 59)
  1999. #define CMC_RESPONSE ((LPCSTR) 60)
  2000. #define CMC_STATUS ((LPCSTR) 61)
  2001. #define CMC_ADD_EXTENSIONS ((LPCSTR) 62)
  2002. #define CMC_ADD_ATTRIBUTES ((LPCSTR) 63)
  2003. //+-------------------------------------------------------------------------
  2004. // Certificate Template
  2005. //--------------------------------------------------------------------------
  2006. #define X509_CERTIFICATE_TEMPLATE ((LPCSTR) 64)
  2007. //+-------------------------------------------------------------------------
  2008. // Predefined PKCS #7 data structures that can be encoded / decoded.
  2009. //--------------------------------------------------------------------------
  2010. #define PKCS7_SIGNER_INFO ((LPCSTR) 500)
  2011. //+-------------------------------------------------------------------------
  2012. // Predefined PKCS #7 data structures that can be encoded / decoded.
  2013. //--------------------------------------------------------------------------
  2014. #define CMS_SIGNER_INFO ((LPCSTR) 501)
  2015. //+-------------------------------------------------------------------------
  2016. // Predefined Software Publishing Credential (SPC) data structures that
  2017. // can be encoded / decoded.
  2018. //
  2019. // Predefined values: 2000 .. 2999
  2020. //
  2021. // See spc.h for value and data structure definitions.
  2022. //--------------------------------------------------------------------------
  2023. //+-------------------------------------------------------------------------
  2024. // Extension Object Identifiers
  2025. //--------------------------------------------------------------------------
  2026. #define szOID_AUTHORITY_KEY_IDENTIFIER "2.5.29.1"
  2027. #define szOID_KEY_ATTRIBUTES "2.5.29.2"
  2028. #define szOID_CERT_POLICIES_95 "2.5.29.3"
  2029. #define szOID_KEY_USAGE_RESTRICTION "2.5.29.4"
  2030. #define szOID_SUBJECT_ALT_NAME "2.5.29.7"
  2031. #define szOID_ISSUER_ALT_NAME "2.5.29.8"
  2032. #define szOID_BASIC_CONSTRAINTS "2.5.29.10"
  2033. #define szOID_KEY_USAGE "2.5.29.15"
  2034. #define szOID_PRIVATEKEY_USAGE_PERIOD "2.5.29.16"
  2035. #define szOID_BASIC_CONSTRAINTS2 "2.5.29.19"
  2036. #define szOID_CERT_POLICIES "2.5.29.32"
  2037. #define szOID_ANY_CERT_POLICY "2.5.29.32.0"
  2038. #define szOID_AUTHORITY_KEY_IDENTIFIER2 "2.5.29.35"
  2039. #define szOID_SUBJECT_KEY_IDENTIFIER "2.5.29.14"
  2040. #define szOID_SUBJECT_ALT_NAME2 "2.5.29.17"
  2041. #define szOID_ISSUER_ALT_NAME2 "2.5.29.18"
  2042. #define szOID_CRL_REASON_CODE "2.5.29.21"
  2043. #define szOID_REASON_CODE_HOLD "2.5.29.23"
  2044. #define szOID_CRL_DIST_POINTS "2.5.29.31"
  2045. #define szOID_ENHANCED_KEY_USAGE "2.5.29.37"
  2046. // szOID_CRL_NUMBER -- Base CRLs only. Monotonically increasing sequence
  2047. // number for each CRL issued by a CA.
  2048. #define szOID_CRL_NUMBER "2.5.29.20"
  2049. // szOID_DELTA_CRL_INDICATOR -- Delta CRLs only. Marked critical.
  2050. // Contains the minimum base CRL Number that can be used with a delta CRL.
  2051. #define szOID_DELTA_CRL_INDICATOR "2.5.29.27"
  2052. #define szOID_ISSUING_DIST_POINT "2.5.29.28"
  2053. // szOID_FRESHEST_CRL -- Base CRLs only. Formatted identically to a CDP
  2054. // extension that holds URLs to fetch the delta CRL.
  2055. #define szOID_FRESHEST_CRL "2.5.29.46"
  2056. #define szOID_NAME_CONSTRAINTS "2.5.29.30"
  2057. // Note on 1/1/2000 szOID_POLICY_MAPPINGS was changed from "2.5.29.5"
  2058. #define szOID_POLICY_MAPPINGS "2.5.29.33"
  2059. #define szOID_LEGACY_POLICY_MAPPINGS "2.5.29.5"
  2060. #define szOID_POLICY_CONSTRAINTS "2.5.29.36"
  2061. // Microsoft PKCS10 Attributes
  2062. #define szOID_RENEWAL_CERTIFICATE "1.3.6.1.4.1.311.13.1"
  2063. #define szOID_ENROLLMENT_NAME_VALUE_PAIR "1.3.6.1.4.1.311.13.2.1"
  2064. #define szOID_ENROLLMENT_CSP_PROVIDER "1.3.6.1.4.1.311.13.2.2"
  2065. #define szOID_OS_VERSION "1.3.6.1.4.1.311.13.2.3"
  2066. //
  2067. // Extension contain certificate type
  2068. #define szOID_ENROLLMENT_AGENT "1.3.6.1.4.1.311.20.2.1"
  2069. // Internet Public Key Infrastructure (PKIX)
  2070. #define szOID_PKIX "1.3.6.1.5.5.7"
  2071. #define szOID_PKIX_PE "1.3.6.1.5.5.7.1"
  2072. #define szOID_AUTHORITY_INFO_ACCESS "1.3.6.1.5.5.7.1.1"
  2073. // Microsoft extensions or attributes
  2074. #define szOID_CERT_EXTENSIONS "1.3.6.1.4.1.311.2.1.14"
  2075. #define szOID_NEXT_UPDATE_LOCATION "1.3.6.1.4.1.311.10.2"
  2076. #define szOID_REMOVE_CERTIFICATE "1.3.6.1.4.1.311.10.8.1"
  2077. #define szOID_CROSS_CERT_DIST_POINTS "1.3.6.1.4.1.311.10.9.1"
  2078. // Microsoft PKCS #7 ContentType Object Identifiers
  2079. #define szOID_CTL "1.3.6.1.4.1.311.10.1"
  2080. // Microsoft Sorted CTL Extension Object Identifier
  2081. #define szOID_SORTED_CTL "1.3.6.1.4.1.311.10.1.1"
  2082. // serialized serial numbers for PRS
  2083. #ifndef szOID_SERIALIZED
  2084. #define szOID_SERIALIZED "1.3.6.1.4.1.311.10.3.3.1"
  2085. #endif
  2086. // UPN principal name in SubjectAltName
  2087. #ifndef szOID_NT_PRINCIPAL_NAME
  2088. #define szOID_NT_PRINCIPAL_NAME "1.3.6.1.4.1.311.20.2.3"
  2089. #endif
  2090. // Windows product update unauthenticated attribute
  2091. #ifndef szOID_PRODUCT_UPDATE
  2092. #define szOID_PRODUCT_UPDATE "1.3.6.1.4.1.311.31.1"
  2093. #endif
  2094. // CryptUI
  2095. #define szOID_ANY_APPLICATION_POLICY "1.3.6.1.4.1.311.10.12.1"
  2096. //+-------------------------------------------------------------------------
  2097. // Object Identifiers for use with Auto Enrollment
  2098. //--------------------------------------------------------------------------
  2099. #define szOID_AUTO_ENROLL_CTL_USAGE "1.3.6.1.4.1.311.20.1"
  2100. // Extension contain certificate type
  2101. #define szOID_ENROLL_CERTTYPE_EXTENSION "1.3.6.1.4.1.311.20.2"
  2102. #define szOID_CERT_MANIFOLD "1.3.6.1.4.1.311.20.3"
  2103. //+-------------------------------------------------------------------------
  2104. // Object Identifiers for use with the MS Certificate Server
  2105. //--------------------------------------------------------------------------
  2106. #ifndef szOID_CERTSRV_CA_VERSION
  2107. #define szOID_CERTSRV_CA_VERSION "1.3.6.1.4.1.311.21.1"
  2108. #endif
  2109. // szOID_CERTSRV_PREVIOUS_CERT_HASH -- Contains the sha1 hash of the previous
  2110. // version of the CA certificate.
  2111. #define szOID_CERTSRV_PREVIOUS_CERT_HASH "1.3.6.1.4.1.311.21.2"
  2112. // szOID_CRL_VIRTUAL_BASE -- Delta CRLs only. Contains the base CRL Number
  2113. // of the corresponding base CRL.
  2114. #define szOID_CRL_VIRTUAL_BASE "1.3.6.1.4.1.311.21.3"
  2115. // szOID_CRL_NEXT_PUBLISH -- Contains the time when the next CRL is expected
  2116. // to be published. This may be sooner than the CRL's NextUpdate field.
  2117. #define szOID_CRL_NEXT_PUBLISH "1.3.6.1.4.1.311.21.4"
  2118. // Enhanced Key Usage for CA encryption certificate
  2119. #define szOID_KP_CA_EXCHANGE "1.3.6.1.4.1.311.21.5"
  2120. // Enhanced Key Usage for key recovery agent certificate
  2121. #define szOID_KP_KEY_RECOVERY_AGENT "1.3.6.1.4.1.311.21.6"
  2122. // Certificate template extension (v2)
  2123. #define szOID_CERTIFICATE_TEMPLATE "1.3.6.1.4.1.311.21.7"
  2124. // The root oid for all enterprise specific oids
  2125. #define szOID_ENTERPRISE_OID_ROOT "1.3.6.1.4.1.311.21.8"
  2126. // Dummy signing Subject RDN
  2127. #define szOID_RDN_DUMMY_SIGNER "1.3.6.1.4.1.311.21.9"
  2128. // Application Policies extension -- same encoding as szOID_CERT_POLICIES
  2129. #define szOID_APPLICATION_CERT_POLICIES "1.3.6.1.4.1.311.21.10"
  2130. // Application Policy Mappings -- same encoding as szOID_POLICY_MAPPINGS
  2131. #define szOID_APPLICATION_POLICY_MAPPINGS "1.3.6.1.4.1.311.21.11"
  2132. // Application Policy Constraints -- same encoding as szOID_POLICY_CONSTRAINTS
  2133. #define szOID_APPLICATION_POLICY_CONSTRAINTS "1.3.6.1.4.1.311.21.12"
  2134. #define szOID_ARCHIVED_KEY_ATTR "1.3.6.1.4.1.311.21.13"
  2135. #define szOID_CRL_SELF_CDP "1.3.6.1.4.1.311.21.14"
  2136. // Requires all certificates below the root to have a non-empty intersecting
  2137. // issuance certificate policy usage.
  2138. #define szOID_REQUIRE_CERT_CHAIN_POLICY "1.3.6.1.4.1.311.21.15"
  2139. #define szOID_ARCHIVED_KEY_CERT_HASH "1.3.6.1.4.1.311.21.16"
  2140. #define szOID_ISSUED_CERT_HASH "1.3.6.1.4.1.311.21.17"
  2141. // Enhanced key usage for DS email replication
  2142. #define szOID_DS_EMAIL_REPLICATION "1.3.6.1.4.1.311.21.19"
  2143. #define szOID_REQUEST_CLIENT_INFO "1.3.6.1.4.1.311.21.20"
  2144. #define szOID_ENCRYPTED_KEY_HASH "1.3.6.1.4.1.311.21.21"
  2145. //+-------------------------------------------------------------------------
  2146. // Object Identifiers for use with the MS Directory Service
  2147. //--------------------------------------------------------------------------
  2148. #define szOID_NTDS_REPLICATION "1.3.6.1.4.1.311.25.1"
  2149. //+-------------------------------------------------------------------------
  2150. // Extension Object Identifiers (currently not implemented)
  2151. //--------------------------------------------------------------------------
  2152. #define szOID_SUBJECT_DIR_ATTRS "2.5.29.9"
  2153. //+-------------------------------------------------------------------------
  2154. // Enhanced Key Usage (Purpose) Object Identifiers
  2155. //--------------------------------------------------------------------------
  2156. #define szOID_PKIX_KP "1.3.6.1.5.5.7.3"
  2157. // Consistent key usage bits: DIGITAL_SIGNATURE, KEY_ENCIPHERMENT
  2158. // or KEY_AGREEMENT
  2159. #define szOID_PKIX_KP_SERVER_AUTH "1.3.6.1.5.5.7.3.1"
  2160. // Consistent key usage bits: DIGITAL_SIGNATURE
  2161. #define szOID_PKIX_KP_CLIENT_AUTH "1.3.6.1.5.5.7.3.2"
  2162. // Consistent key usage bits: DIGITAL_SIGNATURE
  2163. #define szOID_PKIX_KP_CODE_SIGNING "1.3.6.1.5.5.7.3.3"
  2164. // Consistent key usage bits: DIGITAL_SIGNATURE, NON_REPUDIATION and/or
  2165. // (KEY_ENCIPHERMENT or KEY_AGREEMENT)
  2166. #define szOID_PKIX_KP_EMAIL_PROTECTION "1.3.6.1.5.5.7.3.4"
  2167. // Consistent key usage bits: DIGITAL_SIGNATURE and/or
  2168. // (KEY_ENCIPHERMENT or KEY_AGREEMENT)
  2169. #define szOID_PKIX_KP_IPSEC_END_SYSTEM "1.3.6.1.5.5.7.3.5"
  2170. // Consistent key usage bits: DIGITAL_SIGNATURE and/or
  2171. // (KEY_ENCIPHERMENT or KEY_AGREEMENT)
  2172. #define szOID_PKIX_KP_IPSEC_TUNNEL "1.3.6.1.5.5.7.3.6"
  2173. // Consistent key usage bits: DIGITAL_SIGNATURE and/or
  2174. // (KEY_ENCIPHERMENT or KEY_AGREEMENT)
  2175. #define szOID_PKIX_KP_IPSEC_USER "1.3.6.1.5.5.7.3.7"
  2176. // Consistent key usage bits: DIGITAL_SIGNATURE or NON_REPUDIATION
  2177. #define szOID_PKIX_KP_TIMESTAMP_SIGNING "1.3.6.1.5.5.7.3.8"
  2178. // IKE (Internet Key Exchange) Intermediate KP for an IPsec end entity.
  2179. // Defined in draft-ietf-ipsec-pki-req-04.txt, December 14, 1999.
  2180. #define szOID_IPSEC_KP_IKE_INTERMEDIATE "1.3.6.1.5.5.8.2.2"
  2181. //+-------------------------------------------------------------------------
  2182. // Microsoft Enhanced Key Usage (Purpose) Object Identifiers
  2183. //+-------------------------------------------------------------------------
  2184. // Signer of CTLs
  2185. #define szOID_KP_CTL_USAGE_SIGNING "1.3.6.1.4.1.311.10.3.1"
  2186. // Signer of TimeStamps
  2187. #define szOID_KP_TIME_STAMP_SIGNING "1.3.6.1.4.1.311.10.3.2"
  2188. #ifndef szOID_SERVER_GATED_CRYPTO
  2189. #define szOID_SERVER_GATED_CRYPTO "1.3.6.1.4.1.311.10.3.3"
  2190. #endif
  2191. #ifndef szOID_SGC_NETSCAPE
  2192. #define szOID_SGC_NETSCAPE "2.16.840.1.113730.4.1"
  2193. #endif
  2194. #define szOID_KP_EFS "1.3.6.1.4.1.311.10.3.4"
  2195. #define szOID_EFS_RECOVERY "1.3.6.1.4.1.311.10.3.4.1"
  2196. // Can use Windows Hardware Compatible (WHQL)
  2197. #define szOID_WHQL_CRYPTO "1.3.6.1.4.1.311.10.3.5"
  2198. // Signed by the NT5 build lab
  2199. #define szOID_NT5_CRYPTO "1.3.6.1.4.1.311.10.3.6"
  2200. // Signed by and OEM of WHQL
  2201. #define szOID_OEM_WHQL_CRYPTO "1.3.6.1.4.1.311.10.3.7"
  2202. // Signed by the Embedded NT
  2203. #define szOID_EMBEDDED_NT_CRYPTO "1.3.6.1.4.1.311.10.3.8"
  2204. // Signer of a CTL containing trusted roots
  2205. #define szOID_ROOT_LIST_SIGNER "1.3.6.1.4.1.311.10.3.9"
  2206. // Can sign cross-cert and subordinate CA requests with qualified
  2207. // subordination (name constraints, policy mapping, etc.)
  2208. #define szOID_KP_QUALIFIED_SUBORDINATION "1.3.6.1.4.1.311.10.3.10"
  2209. // Can be used to encrypt/recover escrowed keys
  2210. #define szOID_KP_KEY_RECOVERY "1.3.6.1.4.1.311.10.3.11"
  2211. // Signer of documents
  2212. #define szOID_KP_DOCUMENT_SIGNING "1.3.6.1.4.1.311.10.3.12"
  2213. // The default WinVerifyTrust Authenticode policy is to treat all time stamped
  2214. // signatures as being valid forever. This OID limits the valid lifetime of the
  2215. // signature to the lifetime of the certificate. This allows timestamped
  2216. // signatures to expire. Normally this OID will be used in conjunction with
  2217. // szOID_PKIX_KP_CODE_SIGNING to indicate new time stamp semantics should be
  2218. // used. Support for this OID was added in WXP.
  2219. #define szOID_KP_LIFETIME_SIGNING "1.3.6.1.4.1.311.10.3.13"
  2220. #ifndef szOID_DRM
  2221. #define szOID_DRM "1.3.6.1.4.1.311.10.5.1"
  2222. #endif
  2223. // Microsoft DRM EKU
  2224. #ifndef szOID_DRM_INDIVIDUALIZATION
  2225. #define szOID_DRM_INDIVIDUALIZATION "1.3.6.1.4.1.311.10.5.2"
  2226. #endif
  2227. #ifndef szOID_LICENSES
  2228. #define szOID_LICENSES "1.3.6.1.4.1.311.10.6.1"
  2229. #endif
  2230. #ifndef szOID_LICENSE_SERVER
  2231. #define szOID_LICENSE_SERVER "1.3.6.1.4.1.311.10.6.2"
  2232. #endif
  2233. #ifndef szOID_KP_SMARTCARD_LOGON
  2234. #define szOID_KP_SMARTCARD_LOGON "1.3.6.1.4.1.311.20.2.2"
  2235. #endif
  2236. //+-------------------------------------------------------------------------
  2237. // Microsoft Attribute Object Identifiers
  2238. //+-------------------------------------------------------------------------
  2239. #define szOID_YESNO_TRUST_ATTR "1.3.6.1.4.1.311.10.4.1"
  2240. //+-------------------------------------------------------------------------
  2241. // Qualifiers that may be part of the szOID_CERT_POLICIES and
  2242. // szOID_CERT_POLICIES95 extensions
  2243. //+-------------------------------------------------------------------------
  2244. #define szOID_PKIX_POLICY_QUALIFIER_CPS "1.3.6.1.5.5.7.2.1"
  2245. #define szOID_PKIX_POLICY_QUALIFIER_USERNOTICE "1.3.6.1.5.5.7.2.2"
  2246. // OID for old qualifer
  2247. #define szOID_CERT_POLICIES_95_QUALIFIER1 "2.16.840.1.113733.1.7.1.1"
  2248. //+-------------------------------------------------------------------------
  2249. // X509_CERT
  2250. //
  2251. // The "to be signed" encoded content plus its signature. The ToBeSigned
  2252. // content is the CryptEncodeObject() output for one of the following:
  2253. // X509_CERT_TO_BE_SIGNED, X509_CERT_CRL_TO_BE_SIGNED or
  2254. // X509_CERT_REQUEST_TO_BE_SIGNED.
  2255. //
  2256. // pvStructInfo points to CERT_SIGNED_CONTENT_INFO.
  2257. //--------------------------------------------------------------------------
  2258. //+-------------------------------------------------------------------------
  2259. // X509_CERT_TO_BE_SIGNED
  2260. //
  2261. // pvStructInfo points to CERT_INFO.
  2262. //
  2263. // For CryptDecodeObject(), the pbEncoded is the "to be signed" plus its
  2264. // signature (output of a X509_CERT CryptEncodeObject()).
  2265. //
  2266. // For CryptEncodeObject(), the pbEncoded is just the "to be signed".
  2267. //--------------------------------------------------------------------------
  2268. //+-------------------------------------------------------------------------
  2269. // X509_CERT_CRL_TO_BE_SIGNED
  2270. //
  2271. // pvStructInfo points to CRL_INFO.
  2272. //
  2273. // For CryptDecodeObject(), the pbEncoded is the "to be signed" plus its
  2274. // signature (output of a X509_CERT CryptEncodeObject()).
  2275. //
  2276. // For CryptEncodeObject(), the pbEncoded is just the "to be signed".
  2277. //--------------------------------------------------------------------------
  2278. //+-------------------------------------------------------------------------
  2279. // X509_CERT_REQUEST_TO_BE_SIGNED
  2280. //
  2281. // pvStructInfo points to CERT_REQUEST_INFO.
  2282. //
  2283. // For CryptDecodeObject(), the pbEncoded is the "to be signed" plus its
  2284. // signature (output of a X509_CERT CryptEncodeObject()).
  2285. //
  2286. // For CryptEncodeObject(), the pbEncoded is just the "to be signed".
  2287. //--------------------------------------------------------------------------
  2288. //+-------------------------------------------------------------------------
  2289. // X509_EXTENSIONS
  2290. // szOID_CERT_EXTENSIONS
  2291. //
  2292. // pvStructInfo points to following CERT_EXTENSIONS.
  2293. //--------------------------------------------------------------------------
  2294. typedef struct _CERT_EXTENSIONS {
  2295. DWORD cExtension;
  2296. PCERT_EXTENSION rgExtension;
  2297. } CERT_EXTENSIONS, *PCERT_EXTENSIONS;
  2298. //+-------------------------------------------------------------------------
  2299. // X509_NAME_VALUE
  2300. // X509_ANY_STRING
  2301. //
  2302. // pvStructInfo points to CERT_NAME_VALUE.
  2303. //--------------------------------------------------------------------------
  2304. //+-------------------------------------------------------------------------
  2305. // X509_UNICODE_NAME_VALUE
  2306. // X509_UNICODE_ANY_STRING
  2307. //
  2308. // pvStructInfo points to CERT_NAME_VALUE.
  2309. //
  2310. // The name values are unicode strings.
  2311. //
  2312. // For CryptEncodeObject:
  2313. // Value.pbData points to the unicode string.
  2314. // If Value.cbData = 0, then, the unicode string is NULL terminated.
  2315. // Otherwise, Value.cbData is the unicode string byte count. The byte count
  2316. // is twice the character count.
  2317. //
  2318. // If the unicode string contains an invalid character for the specified
  2319. // dwValueType, then, *pcbEncoded is updated with the unicode character
  2320. // index of the first invalid character. LastError is set to:
  2321. // CRYPT_E_INVALID_NUMERIC_STRING, CRYPT_E_INVALID_PRINTABLE_STRING or
  2322. // CRYPT_E_INVALID_IA5_STRING.
  2323. //
  2324. // To disable the above check, either set CERT_RDN_DISABLE_CHECK_TYPE_FLAG
  2325. // in dwValueType or set CRYPT_UNICODE_NAME_ENCODE_DISABLE_CHECK_TYPE_FLAG
  2326. // in dwFlags passed to CryptEncodeObjectEx.
  2327. //
  2328. // The unicode string is converted before being encoded according to
  2329. // the specified dwValueType. If dwValueType is set to 0, LastError
  2330. // is set to E_INVALIDARG.
  2331. //
  2332. // If the dwValueType isn't one of the character strings (its a
  2333. // CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING), then, CryptEncodeObject
  2334. // will return FALSE with LastError set to CRYPT_E_NOT_CHAR_STRING.
  2335. //
  2336. // For CryptDecodeObject:
  2337. // Value.pbData points to a NULL terminated unicode string. Value.cbData
  2338. // contains the byte count of the unicode string excluding the NULL
  2339. // terminator. dwValueType contains the type used in the encoded object.
  2340. // Its not forced to CERT_RDN_UNICODE_STRING. The encoded value is
  2341. // converted to the unicode string according to the dwValueType.
  2342. //
  2343. // If the encoded object isn't one of the character string types, then,
  2344. // CryptDecodeObject will return FALSE with LastError set to
  2345. // CRYPT_E_NOT_CHAR_STRING. For a non character string, decode using
  2346. // X509_NAME_VALUE or X509_ANY_STRING.
  2347. //
  2348. // By default, CERT_RDN_T61_STRING values are initially decoded
  2349. // as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
  2350. // Set CRYPT_UNICODE_NAME_DECODE_DISABLE_IE4_UTF8_FLAG in dwFlags
  2351. // passed to either CryptDecodeObject or CryptDecodeObjectEx to
  2352. // skip the initial attempt to decode as UTF8.
  2353. //--------------------------------------------------------------------------
  2354. //+-------------------------------------------------------------------------
  2355. // X509_NAME
  2356. //
  2357. // pvStructInfo points to CERT_NAME_INFO.
  2358. //--------------------------------------------------------------------------
  2359. //+-------------------------------------------------------------------------
  2360. // X509_UNICODE_NAME
  2361. //
  2362. // pvStructInfo points to CERT_NAME_INFO.
  2363. //
  2364. // The RDN attribute values are unicode strings except for the dwValueTypes of
  2365. // CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING. These dwValueTypes are
  2366. // the same as for a X509_NAME. Their values aren't converted to/from unicode.
  2367. //
  2368. // For CryptEncodeObject:
  2369. // Value.pbData points to the unicode string.
  2370. // If Value.cbData = 0, then, the unicode string is NULL terminated.
  2371. // Otherwise, Value.cbData is the unicode string byte count. The byte count
  2372. // is twice the character count.
  2373. //
  2374. // If dwValueType = 0 (CERT_RDN_ANY_TYPE), the pszObjId is used to find
  2375. // an acceptable dwValueType. If the unicode string contains an
  2376. // invalid character for the found or specified dwValueType, then,
  2377. // *pcbEncoded is updated with the error location of the invalid character.
  2378. // See below for details. LastError is set to:
  2379. // CRYPT_E_INVALID_NUMERIC_STRING, CRYPT_E_INVALID_PRINTABLE_STRING or
  2380. // CRYPT_E_INVALID_IA5_STRING.
  2381. //
  2382. // To disable the above check, either set CERT_RDN_DISABLE_CHECK_TYPE_FLAG
  2383. // in dwValueType or set CRYPT_UNICODE_NAME_ENCODE_DISABLE_CHECK_TYPE_FLAG
  2384. // in dwFlags passed to CryptEncodeObjectEx.
  2385. //
  2386. // Set CERT_RDN_UNICODE_STRING in dwValueType or set
  2387. // CRYPT_UNICODE_NAME_ENCODE_ENABLE_T61_UNICODE_FLAG in dwFlags passed
  2388. // to CryptEncodeObjectEx to select CERT_RDN_T61_STRING instead of
  2389. // CERT_RDN_UNICODE_STRING if all the unicode characters are <= 0xFF.
  2390. //
  2391. // Set CERT_RDN_ENABLE_UTF8_UNICODE_STRING in dwValueType or set
  2392. // CRYPT_UNICODE_NAME_ENCODE_ENABLE_UTF8_UNICODE_FLAG in dwFlags passed
  2393. // to CryptEncodeObjectEx to select CERT_RDN_UTF8_STRING instead of
  2394. // CERT_RDN_UNICODE_STRING.
  2395. //
  2396. // The unicode string is converted before being encoded according to
  2397. // the specified or ObjId matching dwValueType.
  2398. //
  2399. // For CryptDecodeObject:
  2400. // Value.pbData points to a NULL terminated unicode string. Value.cbData
  2401. // contains the byte count of the unicode string excluding the NULL
  2402. // terminator. dwValueType contains the type used in the encoded object.
  2403. // Its not forced to CERT_RDN_UNICODE_STRING. The encoded value is
  2404. // converted to the unicode string according to the dwValueType.
  2405. //
  2406. // If the dwValueType of the encoded value isn't a character string
  2407. // type, then, it isn't converted to UNICODE. Use the
  2408. // IS_CERT_RDN_CHAR_STRING() macro on the dwValueType to check
  2409. // that Value.pbData points to a converted unicode string.
  2410. //
  2411. // By default, CERT_RDN_T61_STRING values are initially decoded
  2412. // as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
  2413. // Set CRYPT_UNICODE_NAME_DECODE_DISABLE_IE4_UTF8_FLAG in dwFlags
  2414. // passed to either CryptDecodeObject or CryptDecodeObjectEx to
  2415. // skip the initial attempt to decode as UTF8.
  2416. //--------------------------------------------------------------------------
  2417. //+-------------------------------------------------------------------------
  2418. // Unicode Name Value Error Location Definitions
  2419. //
  2420. // Error location is returned in *pcbEncoded by
  2421. // CryptEncodeObject(X509_UNICODE_NAME)
  2422. //
  2423. // Error location consists of:
  2424. // RDN_INDEX - 10 bits << 22
  2425. // ATTR_INDEX - 6 bits << 16
  2426. // VALUE_INDEX - 16 bits (unicode character index)
  2427. //--------------------------------------------------------------------------
  2428. #define CERT_UNICODE_RDN_ERR_INDEX_MASK 0x3FF
  2429. #define CERT_UNICODE_RDN_ERR_INDEX_SHIFT 22
  2430. #define CERT_UNICODE_ATTR_ERR_INDEX_MASK 0x003F
  2431. #define CERT_UNICODE_ATTR_ERR_INDEX_SHIFT 16
  2432. #define CERT_UNICODE_VALUE_ERR_INDEX_MASK 0x0000FFFF
  2433. #define CERT_UNICODE_VALUE_ERR_INDEX_SHIFT 0
  2434. #define GET_CERT_UNICODE_RDN_ERR_INDEX(X) \
  2435. ((X >> CERT_UNICODE_RDN_ERR_INDEX_SHIFT) & CERT_UNICODE_RDN_ERR_INDEX_MASK)
  2436. #define GET_CERT_UNICODE_ATTR_ERR_INDEX(X) \
  2437. ((X >> CERT_UNICODE_ATTR_ERR_INDEX_SHIFT) & CERT_UNICODE_ATTR_ERR_INDEX_MASK)
  2438. #define GET_CERT_UNICODE_VALUE_ERR_INDEX(X) \
  2439. (X & CERT_UNICODE_VALUE_ERR_INDEX_MASK)
  2440. //+-------------------------------------------------------------------------
  2441. // X509_PUBLIC_KEY_INFO
  2442. //
  2443. // pvStructInfo points to CERT_PUBLIC_KEY_INFO.
  2444. //--------------------------------------------------------------------------
  2445. //+-------------------------------------------------------------------------
  2446. // X509_AUTHORITY_KEY_ID
  2447. // szOID_AUTHORITY_KEY_IDENTIFIER
  2448. //
  2449. // pvStructInfo points to following CERT_AUTHORITY_KEY_ID_INFO.
  2450. //--------------------------------------------------------------------------
  2451. typedef struct _CERT_AUTHORITY_KEY_ID_INFO {
  2452. CRYPT_DATA_BLOB KeyId;
  2453. CERT_NAME_BLOB CertIssuer;
  2454. CRYPT_INTEGER_BLOB CertSerialNumber;
  2455. } CERT_AUTHORITY_KEY_ID_INFO, *PCERT_AUTHORITY_KEY_ID_INFO;
  2456. //+-------------------------------------------------------------------------
  2457. // X509_KEY_ATTRIBUTES
  2458. // szOID_KEY_ATTRIBUTES
  2459. //
  2460. // pvStructInfo points to following CERT_KEY_ATTRIBUTES_INFO.
  2461. //--------------------------------------------------------------------------
  2462. typedef struct _CERT_PRIVATE_KEY_VALIDITY {
  2463. FILETIME NotBefore;
  2464. FILETIME NotAfter;
  2465. } CERT_PRIVATE_KEY_VALIDITY, *PCERT_PRIVATE_KEY_VALIDITY;
  2466. typedef struct _CERT_KEY_ATTRIBUTES_INFO {
  2467. CRYPT_DATA_BLOB KeyId;
  2468. CRYPT_BIT_BLOB IntendedKeyUsage;
  2469. PCERT_PRIVATE_KEY_VALIDITY pPrivateKeyUsagePeriod; // OPTIONAL
  2470. } CERT_KEY_ATTRIBUTES_INFO, *PCERT_KEY_ATTRIBUTES_INFO;
  2471. // Byte[0]
  2472. #define CERT_DIGITAL_SIGNATURE_KEY_USAGE 0x80
  2473. #define CERT_NON_REPUDIATION_KEY_USAGE 0x40
  2474. #define CERT_KEY_ENCIPHERMENT_KEY_USAGE 0x20
  2475. #define CERT_DATA_ENCIPHERMENT_KEY_USAGE 0x10
  2476. #define CERT_KEY_AGREEMENT_KEY_USAGE 0x08
  2477. #define CERT_KEY_CERT_SIGN_KEY_USAGE 0x04
  2478. #define CERT_OFFLINE_CRL_SIGN_KEY_USAGE 0x02
  2479. #define CERT_CRL_SIGN_KEY_USAGE 0x02
  2480. #define CERT_ENCIPHER_ONLY_KEY_USAGE 0x01
  2481. // Byte[1]
  2482. #define CERT_DECIPHER_ONLY_KEY_USAGE 0x80
  2483. //+-------------------------------------------------------------------------
  2484. // X509_KEY_USAGE_RESTRICTION
  2485. // szOID_KEY_USAGE_RESTRICTION
  2486. //
  2487. // pvStructInfo points to following CERT_KEY_USAGE_RESTRICTION_INFO.
  2488. //--------------------------------------------------------------------------
  2489. typedef struct _CERT_POLICY_ID {
  2490. DWORD cCertPolicyElementId;
  2491. LPSTR *rgpszCertPolicyElementId; // pszObjId
  2492. } CERT_POLICY_ID, *PCERT_POLICY_ID;
  2493. typedef struct _CERT_KEY_USAGE_RESTRICTION_INFO {
  2494. DWORD cCertPolicyId;
  2495. PCERT_POLICY_ID rgCertPolicyId;
  2496. CRYPT_BIT_BLOB RestrictedKeyUsage;
  2497. } CERT_KEY_USAGE_RESTRICTION_INFO, *PCERT_KEY_USAGE_RESTRICTION_INFO;
  2498. // See CERT_KEY_ATTRIBUTES_INFO for definition of the RestrictedKeyUsage bits
  2499. //+-------------------------------------------------------------------------
  2500. // X509_ALTERNATE_NAME
  2501. // szOID_SUBJECT_ALT_NAME
  2502. // szOID_ISSUER_ALT_NAME
  2503. // szOID_SUBJECT_ALT_NAME2
  2504. // szOID_ISSUER_ALT_NAME2
  2505. //
  2506. // pvStructInfo points to following CERT_ALT_NAME_INFO.
  2507. //--------------------------------------------------------------------------
  2508. typedef struct _CERT_OTHER_NAME {
  2509. LPSTR pszObjId;
  2510. CRYPT_OBJID_BLOB Value;
  2511. } CERT_OTHER_NAME, *PCERT_OTHER_NAME;
  2512. typedef struct _CERT_ALT_NAME_ENTRY {
  2513. DWORD dwAltNameChoice;
  2514. union {
  2515. PCERT_OTHER_NAME pOtherName; // 1
  2516. LPWSTR pwszRfc822Name; // 2 (encoded IA5)
  2517. LPWSTR pwszDNSName; // 3 (encoded IA5)
  2518. // Not implemented x400Address; // 4
  2519. CERT_NAME_BLOB DirectoryName; // 5
  2520. // Not implemented pEdiPartyName; // 6
  2521. LPWSTR pwszURL; // 7 (encoded IA5)
  2522. CRYPT_DATA_BLOB IPAddress; // 8 (Octet String)
  2523. LPSTR pszRegisteredID; // 9 (Object Identifer)
  2524. };
  2525. } CERT_ALT_NAME_ENTRY, *PCERT_ALT_NAME_ENTRY;
  2526. #define CERT_ALT_NAME_OTHER_NAME 1
  2527. #define CERT_ALT_NAME_RFC822_NAME 2
  2528. #define CERT_ALT_NAME_DNS_NAME 3
  2529. #define CERT_ALT_NAME_X400_ADDRESS 4
  2530. #define CERT_ALT_NAME_DIRECTORY_NAME 5
  2531. #define CERT_ALT_NAME_EDI_PARTY_NAME 6
  2532. #define CERT_ALT_NAME_URL 7
  2533. #define CERT_ALT_NAME_IP_ADDRESS 8
  2534. #define CERT_ALT_NAME_REGISTERED_ID 9
  2535. typedef struct _CERT_ALT_NAME_INFO {
  2536. DWORD cAltEntry;
  2537. PCERT_ALT_NAME_ENTRY rgAltEntry;
  2538. } CERT_ALT_NAME_INFO, *PCERT_ALT_NAME_INFO;
  2539. //+-------------------------------------------------------------------------
  2540. // Alternate name IA5 Error Location Definitions for
  2541. // CRYPT_E_INVALID_IA5_STRING.
  2542. //
  2543. // Error location is returned in *pcbEncoded by
  2544. // CryptEncodeObject(X509_ALTERNATE_NAME)
  2545. //
  2546. // Error location consists of:
  2547. // ENTRY_INDEX - 8 bits << 16
  2548. // VALUE_INDEX - 16 bits (unicode character index)
  2549. //--------------------------------------------------------------------------
  2550. #define CERT_ALT_NAME_ENTRY_ERR_INDEX_MASK 0xFF
  2551. #define CERT_ALT_NAME_ENTRY_ERR_INDEX_SHIFT 16
  2552. #define CERT_ALT_NAME_VALUE_ERR_INDEX_MASK 0x0000FFFF
  2553. #define CERT_ALT_NAME_VALUE_ERR_INDEX_SHIFT 0
  2554. #define GET_CERT_ALT_NAME_ENTRY_ERR_INDEX(X) \
  2555. ((X >> CERT_ALT_NAME_ENTRY_ERR_INDEX_SHIFT) & \
  2556. CERT_ALT_NAME_ENTRY_ERR_INDEX_MASK)
  2557. #define GET_CERT_ALT_NAME_VALUE_ERR_INDEX(X) \
  2558. (X & CERT_ALT_NAME_VALUE_ERR_INDEX_MASK)
  2559. //+-------------------------------------------------------------------------
  2560. // X509_BASIC_CONSTRAINTS
  2561. // szOID_BASIC_CONSTRAINTS
  2562. //
  2563. // pvStructInfo points to following CERT_BASIC_CONSTRAINTS_INFO.
  2564. //--------------------------------------------------------------------------
  2565. typedef struct _CERT_BASIC_CONSTRAINTS_INFO {
  2566. CRYPT_BIT_BLOB SubjectType;
  2567. BOOL fPathLenConstraint;
  2568. DWORD dwPathLenConstraint;
  2569. DWORD cSubtreesConstraint;
  2570. CERT_NAME_BLOB *rgSubtreesConstraint;
  2571. } CERT_BASIC_CONSTRAINTS_INFO, *PCERT_BASIC_CONSTRAINTS_INFO;
  2572. #define CERT_CA_SUBJECT_FLAG 0x80
  2573. #define CERT_END_ENTITY_SUBJECT_FLAG 0x40
  2574. //+-------------------------------------------------------------------------
  2575. // X509_BASIC_CONSTRAINTS2
  2576. // szOID_BASIC_CONSTRAINTS2
  2577. //
  2578. // pvStructInfo points to following CERT_BASIC_CONSTRAINTS2_INFO.
  2579. //--------------------------------------------------------------------------
  2580. typedef struct _CERT_BASIC_CONSTRAINTS2_INFO {
  2581. BOOL fCA;
  2582. BOOL fPathLenConstraint;
  2583. DWORD dwPathLenConstraint;
  2584. } CERT_BASIC_CONSTRAINTS2_INFO, *PCERT_BASIC_CONSTRAINTS2_INFO;
  2585. //+-------------------------------------------------------------------------
  2586. // X509_KEY_USAGE
  2587. // szOID_KEY_USAGE
  2588. //
  2589. // pvStructInfo points to a CRYPT_BIT_BLOB. Has same bit definitions as
  2590. // CERT_KEY_ATTRIBUTES_INFO's IntendedKeyUsage.
  2591. //--------------------------------------------------------------------------
  2592. //+-------------------------------------------------------------------------
  2593. // X509_CERT_POLICIES
  2594. // szOID_CERT_POLICIES
  2595. // szOID_CERT_POLICIES_95 NOTE--Only allowed for decoding!!!
  2596. //
  2597. // pvStructInfo points to following CERT_POLICIES_INFO.
  2598. //
  2599. // NOTE: when decoding using szOID_CERT_POLICIES_95 the pszPolicyIdentifier
  2600. // may contain an empty string
  2601. //--------------------------------------------------------------------------
  2602. typedef struct _CERT_POLICY_QUALIFIER_INFO {
  2603. LPSTR pszPolicyQualifierId; // pszObjId
  2604. CRYPT_OBJID_BLOB Qualifier; // optional
  2605. } CERT_POLICY_QUALIFIER_INFO, *PCERT_POLICY_QUALIFIER_INFO;
  2606. typedef struct _CERT_POLICY_INFO {
  2607. LPSTR pszPolicyIdentifier; // pszObjId
  2608. DWORD cPolicyQualifier; // optional
  2609. CERT_POLICY_QUALIFIER_INFO *rgPolicyQualifier;
  2610. } CERT_POLICY_INFO, *PCERT_POLICY_INFO;
  2611. typedef struct _CERT_POLICIES_INFO {
  2612. DWORD cPolicyInfo;
  2613. CERT_POLICY_INFO *rgPolicyInfo;
  2614. } CERT_POLICIES_INFO, *PCERT_POLICIES_INFO;
  2615. //+-------------------------------------------------------------------------
  2616. // X509_PKIX_POLICY_QUALIFIER_USERNOTICE
  2617. // szOID_PKIX_POLICY_QUALIFIER_USERNOTICE
  2618. //
  2619. // pvStructInfo points to following CERT_POLICY_QUALIFIER_USER_NOTICE.
  2620. //
  2621. //--------------------------------------------------------------------------
  2622. typedef struct _CERT_POLICY_QUALIFIER_NOTICE_REFERENCE {
  2623. LPSTR pszOrganization;
  2624. DWORD cNoticeNumbers;
  2625. int *rgNoticeNumbers;
  2626. } CERT_POLICY_QUALIFIER_NOTICE_REFERENCE, *PCERT_POLICY_QUALIFIER_NOTICE_REFERENCE;
  2627. typedef struct _CERT_POLICY_QUALIFIER_USER_NOTICE {
  2628. CERT_POLICY_QUALIFIER_NOTICE_REFERENCE *pNoticeReference; // optional
  2629. LPWSTR pszDisplayText; // optional
  2630. } CERT_POLICY_QUALIFIER_USER_NOTICE, *PCERT_POLICY_QUALIFIER_USER_NOTICE;
  2631. //+-------------------------------------------------------------------------
  2632. // szOID_CERT_POLICIES_95_QUALIFIER1 - Decode Only!!!!
  2633. //
  2634. // pvStructInfo points to following CERT_POLICY95_QUALIFIER1.
  2635. //
  2636. //--------------------------------------------------------------------------
  2637. typedef struct _CPS_URLS {
  2638. LPWSTR pszURL;
  2639. CRYPT_ALGORITHM_IDENTIFIER *pAlgorithm; // optional
  2640. CRYPT_DATA_BLOB *pDigest; // optional
  2641. } CPS_URLS, *PCPS_URLS;
  2642. typedef struct _CERT_POLICY95_QUALIFIER1 {
  2643. LPWSTR pszPracticesReference; // optional
  2644. LPSTR pszNoticeIdentifier; // optional
  2645. LPSTR pszNSINoticeIdentifier; // optional
  2646. DWORD cCPSURLs;
  2647. CPS_URLS *rgCPSURLs; // optional
  2648. } CERT_POLICY95_QUALIFIER1, *PCERT_POLICY95_QUALIFIER1;
  2649. //+-------------------------------------------------------------------------
  2650. // X509_POLICY_MAPPINGS
  2651. // szOID_POLICY_MAPPINGS
  2652. // szOID_LEGACY_POLICY_MAPPINGS
  2653. //
  2654. // pvStructInfo points to following CERT_POLICY_MAPPINGS_INFO.
  2655. //--------------------------------------------------------------------------
  2656. typedef struct _CERT_POLICY_MAPPING {
  2657. LPSTR pszIssuerDomainPolicy; // pszObjId
  2658. LPSTR pszSubjectDomainPolicy; // pszObjId
  2659. } CERT_POLICY_MAPPING, *PCERT_POLICY_MAPPING;
  2660. typedef struct _CERT_POLICY_MAPPINGS_INFO {
  2661. DWORD cPolicyMapping;
  2662. PCERT_POLICY_MAPPING rgPolicyMapping;
  2663. } CERT_POLICY_MAPPINGS_INFO, *PCERT_POLICY_MAPPINGS_INFO;
  2664. //+-------------------------------------------------------------------------
  2665. // X509_POLICY_CONSTRAINTS
  2666. // szOID_POLICY_CONSTRAINTS
  2667. //
  2668. // pvStructInfo points to following CERT_POLICY_CONSTRAINTS_INFO.
  2669. //--------------------------------------------------------------------------
  2670. typedef struct _CERT_POLICY_CONSTRAINTS_INFO {
  2671. BOOL fRequireExplicitPolicy;
  2672. DWORD dwRequireExplicitPolicySkipCerts;
  2673. BOOL fInhibitPolicyMapping;
  2674. DWORD dwInhibitPolicyMappingSkipCerts;
  2675. } CERT_POLICY_CONSTRAINTS_INFO, *PCERT_POLICY_CONSTRAINTS_INFO;
  2676. //+-------------------------------------------------------------------------
  2677. // RSA_CSP_PUBLICKEYBLOB
  2678. //
  2679. // pvStructInfo points to a PUBLICKEYSTRUC immediately followed by a
  2680. // RSAPUBKEY and the modulus bytes.
  2681. //
  2682. // CryptExportKey outputs the above StructInfo for a dwBlobType of
  2683. // PUBLICKEYBLOB. CryptImportKey expects the above StructInfo when
  2684. // importing a public key.
  2685. //
  2686. // For dwCertEncodingType = X509_ASN_ENCODING, the RSA_CSP_PUBLICKEYBLOB is
  2687. // encoded as a PKCS #1 RSAPublicKey consisting of a SEQUENCE of a
  2688. // modulus INTEGER and a publicExponent INTEGER. The modulus is encoded
  2689. // as being a unsigned integer. When decoded, if the modulus was encoded
  2690. // as unsigned integer with a leading 0 byte, the 0 byte is removed before
  2691. // converting to the CSP modulus bytes.
  2692. //
  2693. // For decode, the aiKeyAlg field of PUBLICKEYSTRUC is always set to
  2694. // CALG_RSA_KEYX.
  2695. //--------------------------------------------------------------------------
  2696. //+-------------------------------------------------------------------------
  2697. // X509_KEYGEN_REQUEST_TO_BE_SIGNED
  2698. //
  2699. // pvStructInfo points to CERT_KEYGEN_REQUEST_INFO.
  2700. //
  2701. // For CryptDecodeObject(), the pbEncoded is the "to be signed" plus its
  2702. // signature (output of a X509_CERT CryptEncodeObject()).
  2703. //
  2704. // For CryptEncodeObject(), the pbEncoded is just the "to be signed".
  2705. //--------------------------------------------------------------------------
  2706. //+-------------------------------------------------------------------------
  2707. // PKCS_ATTRIBUTE data structure
  2708. //
  2709. // pvStructInfo points to a CRYPT_ATTRIBUTE.
  2710. //--------------------------------------------------------------------------
  2711. //+-------------------------------------------------------------------------
  2712. // PKCS_ATTRIBUTES data structure
  2713. //
  2714. // pvStructInfo points to a CRYPT_ATTRIBUTES.
  2715. //--------------------------------------------------------------------------
  2716. //+-------------------------------------------------------------------------
  2717. // PKCS_CONTENT_INFO_SEQUENCE_OF_ANY data structure
  2718. //
  2719. // pvStructInfo points to following CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY.
  2720. //
  2721. // For X509_ASN_ENCODING: encoded as a PKCS#7 ContentInfo structure wrapping
  2722. // a sequence of ANY. The value of the contentType field is pszObjId,
  2723. // while the content field is the following structure:
  2724. // SequenceOfAny ::= SEQUENCE OF ANY
  2725. //
  2726. // The CRYPT_DER_BLOBs point to the already encoded ANY content.
  2727. //--------------------------------------------------------------------------
  2728. typedef struct _CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY {
  2729. LPSTR pszObjId;
  2730. DWORD cValue;
  2731. PCRYPT_DER_BLOB rgValue;
  2732. } CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY, *PCRYPT_CONTENT_INFO_SEQUENCE_OF_ANY;
  2733. //+-------------------------------------------------------------------------
  2734. // PKCS_CONTENT_INFO data structure
  2735. //
  2736. // pvStructInfo points to following CRYPT_CONTENT_INFO.
  2737. //
  2738. // For X509_ASN_ENCODING: encoded as a PKCS#7 ContentInfo structure.
  2739. // The CRYPT_DER_BLOB points to the already encoded ANY content.
  2740. //--------------------------------------------------------------------------
  2741. typedef struct _CRYPT_CONTENT_INFO {
  2742. LPSTR pszObjId;
  2743. CRYPT_DER_BLOB Content;
  2744. } CRYPT_CONTENT_INFO, *PCRYPT_CONTENT_INFO;
  2745. //+-------------------------------------------------------------------------
  2746. // X509_OCTET_STRING data structure
  2747. //
  2748. // pvStructInfo points to a CRYPT_DATA_BLOB.
  2749. //--------------------------------------------------------------------------
  2750. //+-------------------------------------------------------------------------
  2751. // X509_BITS data structure
  2752. //
  2753. // pvStructInfo points to a CRYPT_BIT_BLOB.
  2754. //--------------------------------------------------------------------------
  2755. //+-------------------------------------------------------------------------
  2756. // X509_BITS_WITHOUT_TRAILING_ZEROES data structure
  2757. //
  2758. // pvStructInfo points to a CRYPT_BIT_BLOB.
  2759. //
  2760. // The same as X509_BITS, except before encoding, the bit length is
  2761. // decremented to exclude trailing zero bits.
  2762. //--------------------------------------------------------------------------
  2763. //+-------------------------------------------------------------------------
  2764. // X509_INTEGER data structure
  2765. //
  2766. // pvStructInfo points to an int.
  2767. //--------------------------------------------------------------------------
  2768. //+-------------------------------------------------------------------------
  2769. // X509_MULTI_BYTE_INTEGER data structure
  2770. //
  2771. // pvStructInfo points to a CRYPT_INTEGER_BLOB.
  2772. //--------------------------------------------------------------------------
  2773. //+-------------------------------------------------------------------------
  2774. // X509_ENUMERATED data structure
  2775. //
  2776. // pvStructInfo points to an int containing the enumerated value
  2777. //--------------------------------------------------------------------------
  2778. //+-------------------------------------------------------------------------
  2779. // X509_CHOICE_OF_TIME data structure
  2780. //
  2781. // pvStructInfo points to a FILETIME.
  2782. //--------------------------------------------------------------------------
  2783. //+-------------------------------------------------------------------------
  2784. // X509_SEQUENCE_OF_ANY data structure
  2785. //
  2786. // pvStructInfo points to following CRYPT_SEQUENCE_OF_ANY.
  2787. //
  2788. // The CRYPT_DER_BLOBs point to the already encoded ANY content.
  2789. //--------------------------------------------------------------------------
  2790. typedef struct _CRYPT_SEQUENCE_OF_ANY {
  2791. DWORD cValue;
  2792. PCRYPT_DER_BLOB rgValue;
  2793. } CRYPT_SEQUENCE_OF_ANY, *PCRYPT_SEQUENCE_OF_ANY;
  2794. //+-------------------------------------------------------------------------
  2795. // X509_AUTHORITY_KEY_ID2
  2796. // szOID_AUTHORITY_KEY_IDENTIFIER2
  2797. //
  2798. // pvStructInfo points to following CERT_AUTHORITY_KEY_ID2_INFO.
  2799. //
  2800. // For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
  2801. // *pcbEncoded by CryptEncodeObject(X509_AUTHORITY_KEY_ID2)
  2802. //
  2803. // See X509_ALTERNATE_NAME for error location defines.
  2804. //--------------------------------------------------------------------------
  2805. typedef struct _CERT_AUTHORITY_KEY_ID2_INFO {
  2806. CRYPT_DATA_BLOB KeyId;
  2807. CERT_ALT_NAME_INFO AuthorityCertIssuer; // Optional, set cAltEntry
  2808. // to 0 to omit.
  2809. CRYPT_INTEGER_BLOB AuthorityCertSerialNumber;
  2810. } CERT_AUTHORITY_KEY_ID2_INFO, *PCERT_AUTHORITY_KEY_ID2_INFO;
  2811. //+-------------------------------------------------------------------------
  2812. // szOID_SUBJECT_KEY_IDENTIFIER
  2813. //
  2814. // pvStructInfo points to a CRYPT_DATA_BLOB.
  2815. //--------------------------------------------------------------------------
  2816. //+-------------------------------------------------------------------------
  2817. // X509_AUTHORITY_INFO_ACCESS
  2818. // szOID_AUTHORITY_INFO_ACCESS
  2819. //
  2820. // pvStructInfo points to following CERT_AUTHORITY_INFO_ACCESS.
  2821. //
  2822. // For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
  2823. // *pcbEncoded by CryptEncodeObject(X509_AUTHORITY_INFO_ACCESS)
  2824. //
  2825. // Error location consists of:
  2826. // ENTRY_INDEX - 8 bits << 16
  2827. // VALUE_INDEX - 16 bits (unicode character index)
  2828. //
  2829. // See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
  2830. // defines.
  2831. //--------------------------------------------------------------------------
  2832. typedef struct _CERT_ACCESS_DESCRIPTION {
  2833. LPSTR pszAccessMethod; // pszObjId
  2834. CERT_ALT_NAME_ENTRY AccessLocation;
  2835. } CERT_ACCESS_DESCRIPTION, *PCERT_ACCESS_DESCRIPTION;
  2836. typedef struct _CERT_AUTHORITY_INFO_ACCESS {
  2837. DWORD cAccDescr;
  2838. PCERT_ACCESS_DESCRIPTION rgAccDescr;
  2839. } CERT_AUTHORITY_INFO_ACCESS, *PCERT_AUTHORITY_INFO_ACCESS;
  2840. //+-------------------------------------------------------------------------
  2841. // PKIX Access Description: Access Method Object Identifiers
  2842. //--------------------------------------------------------------------------
  2843. #define szOID_PKIX_ACC_DESCR "1.3.6.1.5.5.7.48"
  2844. #define szOID_PKIX_OCSP "1.3.6.1.5.5.7.48.1"
  2845. #define szOID_PKIX_CA_ISSUERS "1.3.6.1.5.5.7.48.2"
  2846. //+-------------------------------------------------------------------------
  2847. // X509_CRL_REASON_CODE
  2848. // szOID_CRL_REASON_CODE
  2849. //
  2850. // pvStructInfo points to an int which can be set to one of the following
  2851. // enumerated values:
  2852. //--------------------------------------------------------------------------
  2853. #define CRL_REASON_UNSPECIFIED 0
  2854. #define CRL_REASON_KEY_COMPROMISE 1
  2855. #define CRL_REASON_CA_COMPROMISE 2
  2856. #define CRL_REASON_AFFILIATION_CHANGED 3
  2857. #define CRL_REASON_SUPERSEDED 4
  2858. #define CRL_REASON_CESSATION_OF_OPERATION 5
  2859. #define CRL_REASON_CERTIFICATE_HOLD 6
  2860. #define CRL_REASON_REMOVE_FROM_CRL 8
  2861. //+-------------------------------------------------------------------------
  2862. // X509_CRL_DIST_POINTS
  2863. // szOID_CRL_DIST_POINTS
  2864. //
  2865. // pvStructInfo points to following CRL_DIST_POINTS_INFO.
  2866. //
  2867. // For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
  2868. // *pcbEncoded by CryptEncodeObject(X509_CRL_DIST_POINTS)
  2869. //
  2870. // Error location consists of:
  2871. // CRL_ISSUER_BIT - 1 bit << 31 (0 for FullName, 1 for CRLIssuer)
  2872. // POINT_INDEX - 7 bits << 24
  2873. // ENTRY_INDEX - 8 bits << 16
  2874. // VALUE_INDEX - 16 bits (unicode character index)
  2875. //
  2876. // See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
  2877. // defines.
  2878. //--------------------------------------------------------------------------
  2879. typedef struct _CRL_DIST_POINT_NAME {
  2880. DWORD dwDistPointNameChoice;
  2881. union {
  2882. CERT_ALT_NAME_INFO FullName; // 1
  2883. // Not implemented IssuerRDN; // 2
  2884. };
  2885. } CRL_DIST_POINT_NAME, *PCRL_DIST_POINT_NAME;
  2886. #define CRL_DIST_POINT_NO_NAME 0
  2887. #define CRL_DIST_POINT_FULL_NAME 1
  2888. #define CRL_DIST_POINT_ISSUER_RDN_NAME 2
  2889. typedef struct _CRL_DIST_POINT {
  2890. CRL_DIST_POINT_NAME DistPointName; // OPTIONAL
  2891. CRYPT_BIT_BLOB ReasonFlags; // OPTIONAL
  2892. CERT_ALT_NAME_INFO CRLIssuer; // OPTIONAL
  2893. } CRL_DIST_POINT, *PCRL_DIST_POINT;
  2894. #define CRL_REASON_UNUSED_FLAG 0x80
  2895. #define CRL_REASON_KEY_COMPROMISE_FLAG 0x40
  2896. #define CRL_REASON_CA_COMPROMISE_FLAG 0x20
  2897. #define CRL_REASON_AFFILIATION_CHANGED_FLAG 0x10
  2898. #define CRL_REASON_SUPERSEDED_FLAG 0x08
  2899. #define CRL_REASON_CESSATION_OF_OPERATION_FLAG 0x04
  2900. #define CRL_REASON_CERTIFICATE_HOLD_FLAG 0x02
  2901. typedef struct _CRL_DIST_POINTS_INFO {
  2902. DWORD cDistPoint;
  2903. PCRL_DIST_POINT rgDistPoint;
  2904. } CRL_DIST_POINTS_INFO, *PCRL_DIST_POINTS_INFO;
  2905. #define CRL_DIST_POINT_ERR_INDEX_MASK 0x7F
  2906. #define CRL_DIST_POINT_ERR_INDEX_SHIFT 24
  2907. #define GET_CRL_DIST_POINT_ERR_INDEX(X) \
  2908. ((X >> CRL_DIST_POINT_ERR_INDEX_SHIFT) & CRL_DIST_POINT_ERR_INDEX_MASK)
  2909. #define CRL_DIST_POINT_ERR_CRL_ISSUER_BIT 0x80000000L
  2910. #define IS_CRL_DIST_POINT_ERR_CRL_ISSUER(X) \
  2911. (0 != (X & CRL_DIST_POINT_ERR_CRL_ISSUER_BIT))
  2912. //+-------------------------------------------------------------------------
  2913. // X509_CROSS_CERT_DIST_POINTS
  2914. // szOID_CROSS_CERT_DIST_POINTS
  2915. //
  2916. // pvStructInfo points to following CROSS_CERT_DIST_POINTS_INFO.
  2917. //
  2918. // For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
  2919. // *pcbEncoded by CryptEncodeObject(X509_CRL_DIST_POINTS)
  2920. //
  2921. // Error location consists of:
  2922. // POINT_INDEX - 8 bits << 24
  2923. // ENTRY_INDEX - 8 bits << 16
  2924. // VALUE_INDEX - 16 bits (unicode character index)
  2925. //
  2926. // See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
  2927. // defines.
  2928. //--------------------------------------------------------------------------
  2929. typedef struct _CROSS_CERT_DIST_POINTS_INFO {
  2930. // Seconds between syncs. 0 implies use client default.
  2931. DWORD dwSyncDeltaTime;
  2932. DWORD cDistPoint;
  2933. PCERT_ALT_NAME_INFO rgDistPoint;
  2934. } CROSS_CERT_DIST_POINTS_INFO, *PCROSS_CERT_DIST_POINTS_INFO;
  2935. #define CROSS_CERT_DIST_POINT_ERR_INDEX_MASK 0xFF
  2936. #define CROSS_CERT_DIST_POINT_ERR_INDEX_SHIFT 24
  2937. #define GET_CROSS_CERT_DIST_POINT_ERR_INDEX(X) \
  2938. ((X >> CROSS_CERT_DIST_POINT_ERR_INDEX_SHIFT) & \
  2939. CROSS_CERT_DIST_POINT_ERR_INDEX_MASK)
  2940. //+-------------------------------------------------------------------------
  2941. // X509_ENHANCED_KEY_USAGE
  2942. // szOID_ENHANCED_KEY_USAGE
  2943. //
  2944. // pvStructInfo points to a CERT_ENHKEY_USAGE, CTL_USAGE.
  2945. //--------------------------------------------------------------------------
  2946. //+-------------------------------------------------------------------------
  2947. // X509_CERT_PAIR
  2948. //
  2949. // pvStructInfo points to the following CERT_PAIR.
  2950. //--------------------------------------------------------------------------
  2951. typedef struct _CERT_PAIR {
  2952. CERT_BLOB Forward; // OPTIONAL, if Forward.cbData == 0, omitted
  2953. CERT_BLOB Reverse; // OPTIONAL, if Reverse.cbData == 0, omitted
  2954. } CERT_PAIR, *PCERT_PAIR;
  2955. //+-------------------------------------------------------------------------
  2956. // szOID_CRL_NUMBER
  2957. //
  2958. // pvStructInfo points to an int.
  2959. //--------------------------------------------------------------------------
  2960. //+-------------------------------------------------------------------------
  2961. // szOID_DELTA_CRL_INDICATOR
  2962. //
  2963. // pvStructInfo points to an int.
  2964. //--------------------------------------------------------------------------
  2965. //+-------------------------------------------------------------------------
  2966. // szOID_ISSUING_DIST_POINT
  2967. // X509_ISSUING_DIST_POINT
  2968. //
  2969. // pvStructInfo points to the following CRL_ISSUING_DIST_POINT.
  2970. //
  2971. // For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
  2972. // *pcbEncoded by CryptEncodeObject(X509_ISSUING_DIST_POINT)
  2973. //
  2974. // Error location consists of:
  2975. // ENTRY_INDEX - 8 bits << 16
  2976. // VALUE_INDEX - 16 bits (unicode character index)
  2977. //
  2978. // See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
  2979. // defines.
  2980. //--------------------------------------------------------------------------
  2981. typedef struct _CRL_ISSUING_DIST_POINT {
  2982. CRL_DIST_POINT_NAME DistPointName; // OPTIONAL
  2983. BOOL fOnlyContainsUserCerts;
  2984. BOOL fOnlyContainsCACerts;
  2985. CRYPT_BIT_BLOB OnlySomeReasonFlags; // OPTIONAL
  2986. BOOL fIndirectCRL;
  2987. } CRL_ISSUING_DIST_POINT, *PCRL_ISSUING_DIST_POINT;
  2988. //+-------------------------------------------------------------------------
  2989. // szOID_FRESHEST_CRL
  2990. //
  2991. // pvStructInfo points to CRL_DIST_POINTS_INFO.
  2992. //--------------------------------------------------------------------------
  2993. //+-------------------------------------------------------------------------
  2994. // szOID_NAME_CONSTRAINTS
  2995. // X509_NAME_CONSTRAINTS
  2996. //
  2997. // pvStructInfo points to the following CERT_NAME_CONSTRAINTS_INFO
  2998. //
  2999. // For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
  3000. // *pcbEncoded by CryptEncodeObject(X509_NAME_CONSTRAINTS)
  3001. //
  3002. // Error location consists of:
  3003. // EXCLUDED_SUBTREE_BIT - 1 bit << 31 (0 for permitted, 1 for excluded)
  3004. // ENTRY_INDEX - 8 bits << 16
  3005. // VALUE_INDEX - 16 bits (unicode character index)
  3006. //
  3007. // See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
  3008. // defines.
  3009. //--------------------------------------------------------------------------
  3010. typedef struct _CERT_GENERAL_SUBTREE {
  3011. CERT_ALT_NAME_ENTRY Base;
  3012. DWORD dwMinimum;
  3013. BOOL fMaximum;
  3014. DWORD dwMaximum;
  3015. } CERT_GENERAL_SUBTREE, *PCERT_GENERAL_SUBTREE;
  3016. typedef struct _CERT_NAME_CONSTRAINTS_INFO {
  3017. DWORD cPermittedSubtree;
  3018. PCERT_GENERAL_SUBTREE rgPermittedSubtree;
  3019. DWORD cExcludedSubtree;
  3020. PCERT_GENERAL_SUBTREE rgExcludedSubtree;
  3021. } CERT_NAME_CONSTRAINTS_INFO, *PCERT_NAME_CONSTRAINTS_INFO;
  3022. #define CERT_EXCLUDED_SUBTREE_BIT 0x80000000L
  3023. #define IS_CERT_EXCLUDED_SUBTREE(X) \
  3024. (0 != (X & CERT_EXCLUDED_SUBTREE_BIT))
  3025. //+-------------------------------------------------------------------------
  3026. // szOID_NEXT_UPDATE_LOCATION
  3027. //
  3028. // pvStructInfo points to a CERT_ALT_NAME_INFO.
  3029. //--------------------------------------------------------------------------
  3030. //+-------------------------------------------------------------------------
  3031. // szOID_REMOVE_CERTIFICATE
  3032. //
  3033. // pvStructInfo points to an int which can be set to one of the following
  3034. // 0 - Add certificate
  3035. // 1 - Remove certificate
  3036. //--------------------------------------------------------------------------
  3037. //+-------------------------------------------------------------------------
  3038. // PKCS_CTL
  3039. // szOID_CTL
  3040. //
  3041. // pvStructInfo points to a CTL_INFO.
  3042. //--------------------------------------------------------------------------
  3043. //+-------------------------------------------------------------------------
  3044. // PKCS_SORTED_CTL
  3045. //
  3046. // pvStructInfo points to a CTL_INFO.
  3047. //
  3048. // Same as for PKCS_CTL, except, the CTL entries are sorted. The following
  3049. // extension containing the sort information is inserted as the first
  3050. // extension in the encoded CTL.
  3051. //
  3052. // Only supported for Encoding. CRYPT_ENCODE_ALLOC_FLAG flag must be
  3053. // set.
  3054. //--------------------------------------------------------------------------
  3055. //+-------------------------------------------------------------------------
  3056. // Sorted CTL TrustedSubjects extension
  3057. //
  3058. // Array of little endian DWORDs:
  3059. // [0] - Flags
  3060. // [1] - Count of HashBucket entry offsets
  3061. // [2] - Maximum HashBucket entry collision count
  3062. // [3 ..] (Count + 1) HashBucket entry offsets
  3063. //
  3064. // When this extension is present in the CTL,
  3065. // the ASN.1 encoded sequence of TrustedSubjects are HashBucket ordered.
  3066. //
  3067. // The entry offsets point to the start of the first encoded TrustedSubject
  3068. // sequence for the HashBucket. The encoded TrustedSubjects for a HashBucket
  3069. // continue until the encoded offset of the next HashBucket. A HashBucket has
  3070. // no entries if HashBucket[N] == HashBucket[N + 1].
  3071. //
  3072. // The HashBucket offsets are from the start of the ASN.1 encoded CTL_INFO.
  3073. //--------------------------------------------------------------------------
  3074. #define SORTED_CTL_EXT_FLAGS_OFFSET (0*4)
  3075. #define SORTED_CTL_EXT_COUNT_OFFSET (1*4)
  3076. #define SORTED_CTL_EXT_MAX_COLLISION_OFFSET (2*4)
  3077. #define SORTED_CTL_EXT_HASH_BUCKET_OFFSET (3*4)
  3078. // If the SubjectIdentifiers are a MD5 or SHA1 hash, the following flag is
  3079. // set. When set, the first 4 bytes of the SubjectIdentifier are used as
  3080. // the dwhash. Otherwise, the SubjectIdentifier bytes are hashed into dwHash.
  3081. // In either case the HashBucket index = dwHash % cHashBucket.
  3082. #define SORTED_CTL_EXT_HASHED_SUBJECT_IDENTIFIER_FLAG 0x1
  3083. //+-------------------------------------------------------------------------
  3084. // X509_MULTI_BYTE_UINT
  3085. //
  3086. // pvStructInfo points to a CRYPT_UINT_BLOB. Before encoding, inserts a
  3087. // leading 0x00. After decoding, removes a leading 0x00.
  3088. //--------------------------------------------------------------------------
  3089. //+-------------------------------------------------------------------------
  3090. // X509_DSS_PUBLICKEY
  3091. //
  3092. // pvStructInfo points to a CRYPT_UINT_BLOB.
  3093. //--------------------------------------------------------------------------
  3094. //+-------------------------------------------------------------------------
  3095. // X509_DSS_PARAMETERS
  3096. //
  3097. // pvStructInfo points to following CERT_DSS_PARAMETERS data structure.
  3098. //--------------------------------------------------------------------------
  3099. typedef struct _CERT_DSS_PARAMETERS {
  3100. CRYPT_UINT_BLOB p;
  3101. CRYPT_UINT_BLOB q;
  3102. CRYPT_UINT_BLOB g;
  3103. } CERT_DSS_PARAMETERS, *PCERT_DSS_PARAMETERS;
  3104. //+-------------------------------------------------------------------------
  3105. // X509_DSS_SIGNATURE
  3106. //
  3107. // pvStructInfo is a BYTE rgbSignature[CERT_DSS_SIGNATURE_LEN]. The
  3108. // bytes are ordered as output by the DSS CSP's CryptSignHash().
  3109. //--------------------------------------------------------------------------
  3110. #define CERT_DSS_R_LEN 20
  3111. #define CERT_DSS_S_LEN 20
  3112. #define CERT_DSS_SIGNATURE_LEN (CERT_DSS_R_LEN + CERT_DSS_S_LEN)
  3113. // Sequence of 2 unsigned integers (the extra +1 is for a potential leading
  3114. // 0x00 to make the integer unsigned)
  3115. #define CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN (2 + 2*(2 + 20 +1))
  3116. //+-------------------------------------------------------------------------
  3117. // X509_DH_PUBLICKEY
  3118. //
  3119. // pvStructInfo points to a CRYPT_UINT_BLOB.
  3120. //--------------------------------------------------------------------------
  3121. //+-------------------------------------------------------------------------
  3122. // X509_DH_PARAMETERS
  3123. //
  3124. // pvStructInfo points to following CERT_DH_PARAMETERS data structure.
  3125. //--------------------------------------------------------------------------
  3126. typedef struct _CERT_DH_PARAMETERS {
  3127. CRYPT_UINT_BLOB p;
  3128. CRYPT_UINT_BLOB g;
  3129. } CERT_DH_PARAMETERS, *PCERT_DH_PARAMETERS;
  3130. //+-------------------------------------------------------------------------
  3131. // X942_DH_PARAMETERS
  3132. //
  3133. // pvStructInfo points to following CERT_X942_DH_PARAMETERS data structure.
  3134. //
  3135. // If q.cbData == 0, then, the following fields are zero'ed.
  3136. //--------------------------------------------------------------------------
  3137. typedef struct _CERT_X942_DH_VALIDATION_PARAMS {
  3138. CRYPT_BIT_BLOB seed;
  3139. DWORD pgenCounter;
  3140. } CERT_X942_DH_VALIDATION_PARAMS, *PCERT_X942_DH_VALIDATION_PARAMS;
  3141. typedef struct _CERT_X942_DH_PARAMETERS {
  3142. CRYPT_UINT_BLOB p; // odd prime, p = jq + 1
  3143. CRYPT_UINT_BLOB g; // generator, g
  3144. CRYPT_UINT_BLOB q; // factor of p - 1, OPTIONAL
  3145. CRYPT_UINT_BLOB j; // subgroup factor, OPTIONAL
  3146. PCERT_X942_DH_VALIDATION_PARAMS pValidationParams; // OPTIONAL
  3147. } CERT_X942_DH_PARAMETERS, *PCERT_X942_DH_PARAMETERS;
  3148. //+-------------------------------------------------------------------------
  3149. // X942_OTHER_INFO
  3150. //
  3151. // pvStructInfo points to following CRYPT_X942_OTHER_INFO data structure.
  3152. //
  3153. // rgbCounter and rgbKeyLength are in Little Endian order.
  3154. //--------------------------------------------------------------------------
  3155. #define CRYPT_X942_COUNTER_BYTE_LENGTH 4
  3156. #define CRYPT_X942_KEY_LENGTH_BYTE_LENGTH 4
  3157. #define CRYPT_X942_PUB_INFO_BYTE_LENGTH (512/8)
  3158. typedef struct _CRYPT_X942_OTHER_INFO {
  3159. LPSTR pszContentEncryptionObjId;
  3160. BYTE rgbCounter[CRYPT_X942_COUNTER_BYTE_LENGTH];
  3161. BYTE rgbKeyLength[CRYPT_X942_KEY_LENGTH_BYTE_LENGTH];
  3162. CRYPT_DATA_BLOB PubInfo; // OPTIONAL
  3163. } CRYPT_X942_OTHER_INFO, *PCRYPT_X942_OTHER_INFO;
  3164. //+-------------------------------------------------------------------------
  3165. // PKCS_RC2_CBC_PARAMETERS
  3166. // szOID_RSA_RC2CBC
  3167. //
  3168. // pvStructInfo points to following CRYPT_RC2_CBC_PARAMETERS data structure.
  3169. //--------------------------------------------------------------------------
  3170. typedef struct _CRYPT_RC2_CBC_PARAMETERS {
  3171. DWORD dwVersion;
  3172. BOOL fIV; // set if has following IV
  3173. BYTE rgbIV[8];
  3174. } CRYPT_RC2_CBC_PARAMETERS, *PCRYPT_RC2_CBC_PARAMETERS;
  3175. #define CRYPT_RC2_40BIT_VERSION 160
  3176. #define CRYPT_RC2_56BIT_VERSION 52
  3177. #define CRYPT_RC2_64BIT_VERSION 120
  3178. #define CRYPT_RC2_128BIT_VERSION 58
  3179. //+-------------------------------------------------------------------------
  3180. // PKCS_SMIME_CAPABILITIES
  3181. // szOID_RSA_SMIMECapabilities
  3182. //
  3183. // pvStructInfo points to following CRYPT_SMIME_CAPABILITIES data structure.
  3184. //
  3185. // Note, for CryptEncodeObject(X509_ASN_ENCODING), Parameters.cbData == 0
  3186. // causes the encoded parameters to be omitted and not encoded as a NULL
  3187. // (05 00) as is done when encoding a CRYPT_ALGORITHM_IDENTIFIER. This
  3188. // is per the SMIME specification for encoding capabilities.
  3189. //--------------------------------------------------------------------------
  3190. typedef struct _CRYPT_SMIME_CAPABILITY {
  3191. LPSTR pszObjId;
  3192. CRYPT_OBJID_BLOB Parameters;
  3193. } CRYPT_SMIME_CAPABILITY, *PCRYPT_SMIME_CAPABILITY;
  3194. typedef struct _CRYPT_SMIME_CAPABILITIES {
  3195. DWORD cCapability;
  3196. PCRYPT_SMIME_CAPABILITY rgCapability;
  3197. } CRYPT_SMIME_CAPABILITIES, *PCRYPT_SMIME_CAPABILITIES;
  3198. //+-------------------------------------------------------------------------
  3199. // PKCS7_SIGNER_INFO
  3200. //
  3201. // pvStructInfo points to CMSG_SIGNER_INFO.
  3202. //--------------------------------------------------------------------------
  3203. //+-------------------------------------------------------------------------
  3204. // CMS_SIGNER_INFO
  3205. //
  3206. // pvStructInfo points to CMSG_CMS_SIGNER_INFO.
  3207. //--------------------------------------------------------------------------
  3208. //+-------------------------------------------------------------------------
  3209. // Verisign Certificate Extension Object Identifiers
  3210. //--------------------------------------------------------------------------
  3211. // Octet String containing Boolean
  3212. #define szOID_VERISIGN_PRIVATE_6_9 "2.16.840.1.113733.1.6.9"
  3213. // Octet String containing IA5 string: lower case 32 char hex string
  3214. #define szOID_VERISIGN_ONSITE_JURISDICTION_HASH "2.16.840.1.113733.1.6.11"
  3215. // Octet String containing Bit string
  3216. #define szOID_VERISIGN_BITSTRING_6_13 "2.16.840.1.113733.1.6.13"
  3217. // EKU
  3218. #define szOID_VERISIGN_ISS_STRONG_CRYPTO "2.16.840.1.113733.1.8.1"
  3219. //+-------------------------------------------------------------------------
  3220. // Netscape Certificate Extension Object Identifiers
  3221. //--------------------------------------------------------------------------
  3222. #define szOID_NETSCAPE "2.16.840.1.113730"
  3223. #define szOID_NETSCAPE_CERT_EXTENSION "2.16.840.1.113730.1"
  3224. #define szOID_NETSCAPE_CERT_TYPE "2.16.840.1.113730.1.1"
  3225. #define szOID_NETSCAPE_BASE_URL "2.16.840.1.113730.1.2"
  3226. #define szOID_NETSCAPE_REVOCATION_URL "2.16.840.1.113730.1.3"
  3227. #define szOID_NETSCAPE_CA_REVOCATION_URL "2.16.840.1.113730.1.4"
  3228. #define szOID_NETSCAPE_CERT_RENEWAL_URL "2.16.840.1.113730.1.7"
  3229. #define szOID_NETSCAPE_CA_POLICY_URL "2.16.840.1.113730.1.8"
  3230. #define szOID_NETSCAPE_SSL_SERVER_NAME "2.16.840.1.113730.1.12"
  3231. #define szOID_NETSCAPE_COMMENT "2.16.840.1.113730.1.13"
  3232. //+-------------------------------------------------------------------------
  3233. // Netscape Certificate Data Type Object Identifiers
  3234. //--------------------------------------------------------------------------
  3235. #define szOID_NETSCAPE_DATA_TYPE "2.16.840.1.113730.2"
  3236. #define szOID_NETSCAPE_CERT_SEQUENCE "2.16.840.1.113730.2.5"
  3237. //+-------------------------------------------------------------------------
  3238. // szOID_NETSCAPE_CERT_TYPE extension
  3239. //
  3240. // Its value is a bit string. CryptDecodeObject/CryptEncodeObject using
  3241. // X509_BITS or X509_BITS_WITHOUT_TRAILING_ZEROES.
  3242. //
  3243. // The following bits are defined:
  3244. //--------------------------------------------------------------------------
  3245. #define NETSCAPE_SSL_CLIENT_AUTH_CERT_TYPE 0x80
  3246. #define NETSCAPE_SSL_SERVER_AUTH_CERT_TYPE 0x40
  3247. #define NETSCAPE_SMIME_CERT_TYPE 0x20
  3248. #define NETSCAPE_SIGN_CERT_TYPE 0x10
  3249. #define NETSCAPE_SSL_CA_CERT_TYPE 0x04
  3250. #define NETSCAPE_SMIME_CA_CERT_TYPE 0x02
  3251. #define NETSCAPE_SIGN_CA_CERT_TYPE 0x01
  3252. //+-------------------------------------------------------------------------
  3253. // szOID_NETSCAPE_BASE_URL extension
  3254. //
  3255. // Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
  3256. // X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
  3257. // dwValueType = CERT_RDN_IA5_STRING.
  3258. //
  3259. // When present this string is added to the beginning of all relative URLs
  3260. // in the certificate. This extension can be considered an optimization
  3261. // to reduce the size of the URL extensions.
  3262. //--------------------------------------------------------------------------
  3263. //+-------------------------------------------------------------------------
  3264. // szOID_NETSCAPE_REVOCATION_URL extension
  3265. //
  3266. // Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
  3267. // X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
  3268. // dwValueType = CERT_RDN_IA5_STRING.
  3269. //
  3270. // It is a relative or absolute URL that can be used to check the
  3271. // revocation status of a certificate. The revocation check will be
  3272. // performed as an HTTP GET method using a url that is the concatenation of
  3273. // revocation-url and certificate-serial-number.
  3274. // Where the certificate-serial-number is encoded as a string of
  3275. // ascii hexadecimal digits. For example, if the netscape-base-url is
  3276. // https://www.certs-r-us.com/, the netscape-revocation-url is
  3277. // cgi-bin/check-rev.cgi?, and the certificate serial number is 173420,
  3278. // the resulting URL would be:
  3279. // https://www.certs-r-us.com/cgi-bin/check-rev.cgi?02a56c
  3280. //
  3281. // The server should return a document with a Content-Type of
  3282. // application/x-netscape-revocation. The document should contain
  3283. // a single ascii digit, '1' if the certificate is not curently valid,
  3284. // and '0' if it is curently valid.
  3285. //
  3286. // Note: for all of the URLs that include the certificate serial number,
  3287. // the serial number will be encoded as a string which consists of an even
  3288. // number of hexadecimal digits. If the number of significant digits is odd,
  3289. // the string will have a single leading zero to ensure an even number of
  3290. // digits is generated.
  3291. //--------------------------------------------------------------------------
  3292. //+-------------------------------------------------------------------------
  3293. // szOID_NETSCAPE_CA_REVOCATION_URL extension
  3294. //
  3295. // Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
  3296. // X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
  3297. // dwValueType = CERT_RDN_IA5_STRING.
  3298. //
  3299. // It is a relative or absolute URL that can be used to check the
  3300. // revocation status of any certificates that are signed by the CA that
  3301. // this certificate belongs to. This extension is only valid in CA
  3302. // certificates. The use of this extension is the same as the above
  3303. // szOID_NETSCAPE_REVOCATION_URL extension.
  3304. //--------------------------------------------------------------------------
  3305. //+-------------------------------------------------------------------------
  3306. // szOID_NETSCAPE_CERT_RENEWAL_URL extension
  3307. //
  3308. // Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
  3309. // X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
  3310. // dwValueType = CERT_RDN_IA5_STRING.
  3311. //
  3312. // It is a relative or absolute URL that points to a certificate renewal
  3313. // form. The renewal form will be accessed with an HTTP GET method using a
  3314. // url that is the concatenation of renewal-url and
  3315. // certificate-serial-number. Where the certificate-serial-number is
  3316. // encoded as a string of ascii hexadecimal digits. For example, if the
  3317. // netscape-base-url is https://www.certs-r-us.com/, the
  3318. // netscape-cert-renewal-url is cgi-bin/check-renew.cgi?, and the
  3319. // certificate serial number is 173420, the resulting URL would be:
  3320. // https://www.certs-r-us.com/cgi-bin/check-renew.cgi?02a56c
  3321. // The document returned should be an HTML form that will allow the user
  3322. // to request a renewal of their certificate.
  3323. //--------------------------------------------------------------------------
  3324. //+-------------------------------------------------------------------------
  3325. // szOID_NETSCAPE_CA_POLICY_URL extension
  3326. //
  3327. // Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
  3328. // X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
  3329. // dwValueType = CERT_RDN_IA5_STRING.
  3330. //
  3331. // It is a relative or absolute URL that points to a web page that
  3332. // describes the policies under which the certificate was issued.
  3333. //--------------------------------------------------------------------------
  3334. //+-------------------------------------------------------------------------
  3335. // szOID_NETSCAPE_SSL_SERVER_NAME extension
  3336. //
  3337. // Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
  3338. // X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
  3339. // dwValueType = CERT_RDN_IA5_STRING.
  3340. //
  3341. // It is a "shell expression" that can be used to match the hostname of the
  3342. // SSL server that is using this certificate. It is recommended that if
  3343. // the server's hostname does not match this pattern the user be notified
  3344. // and given the option to terminate the SSL connection. If this extension
  3345. // is not present then the CommonName in the certificate subject's
  3346. // distinguished name is used for the same purpose.
  3347. //--------------------------------------------------------------------------
  3348. //+-------------------------------------------------------------------------
  3349. // szOID_NETSCAPE_COMMENT extension
  3350. //
  3351. // Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
  3352. // X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
  3353. // dwValueType = CERT_RDN_IA5_STRING.
  3354. //
  3355. // It is a comment that may be displayed to the user when the certificate
  3356. // is viewed.
  3357. //--------------------------------------------------------------------------
  3358. //+-------------------------------------------------------------------------
  3359. // szOID_NETSCAPE_CERT_SEQUENCE
  3360. //
  3361. // Its value is a PKCS#7 ContentInfo structure wrapping a sequence of
  3362. // certificates. The value of the contentType field is
  3363. // szOID_NETSCAPE_CERT_SEQUENCE, while the content field is the following
  3364. // structure:
  3365. // CertificateSequence ::= SEQUENCE OF Certificate.
  3366. //
  3367. // CryptDecodeObject/CryptEncodeObject using
  3368. // PKCS_CONTENT_INFO_SEQUENCE_OF_ANY, where,
  3369. // pszObjId = szOID_NETSCAPE_CERT_SEQUENCE and the CRYPT_DER_BLOBs point
  3370. // to encoded X509 certificates.
  3371. //--------------------------------------------------------------------------
  3372. //+=========================================================================
  3373. // Certificate Management Messages over CMS (CMC) Data Structures
  3374. //==========================================================================
  3375. // Content Type (request)
  3376. #define szOID_CT_PKI_DATA "1.3.6.1.5.5.7.12.2"
  3377. // Content Type (response)
  3378. #define szOID_CT_PKI_RESPONSE "1.3.6.1.5.5.7.12.3"
  3379. // Signature value that only contains the hash octets. The parameters for
  3380. // this algorithm must be present and must be encoded as NULL.
  3381. #define szOID_PKIX_NO_SIGNATURE "1.3.6.1.5.5.7.6.2"
  3382. #define szOID_CMC "1.3.6.1.5.5.7.7"
  3383. #define szOID_CMC_STATUS_INFO "1.3.6.1.5.5.7.7.1"
  3384. #define szOID_CMC_IDENTIFICATION "1.3.6.1.5.5.7.7.2"
  3385. #define szOID_CMC_IDENTITY_PROOF "1.3.6.1.5.5.7.7.3"
  3386. #define szOID_CMC_DATA_RETURN "1.3.6.1.5.5.7.7.4"
  3387. // Transaction Id (integer)
  3388. #define szOID_CMC_TRANSACTION_ID "1.3.6.1.5.5.7.7.5"
  3389. // Sender Nonce (octet string)
  3390. #define szOID_CMC_SENDER_NONCE "1.3.6.1.5.5.7.7.6"
  3391. // Recipient Nonce (octet string)
  3392. #define szOID_CMC_RECIPIENT_NONCE "1.3.6.1.5.5.7.7.7"
  3393. #define szOID_CMC_ADD_EXTENSIONS "1.3.6.1.5.5.7.7.8"
  3394. #define szOID_CMC_ENCRYPTED_POP "1.3.6.1.5.5.7.7.9"
  3395. #define szOID_CMC_DECRYPTED_POP "1.3.6.1.5.5.7.7.10"
  3396. #define szOID_CMC_LRA_POP_WITNESS "1.3.6.1.5.5.7.7.11"
  3397. // Issuer Name + Serial
  3398. #define szOID_CMC_GET_CERT "1.3.6.1.5.5.7.7.15"
  3399. // Issuer Name [+ CRL Name] + Time [+ Reasons]
  3400. #define szOID_CMC_GET_CRL "1.3.6.1.5.5.7.7.16"
  3401. // Issuer Name + Serial [+ Reason] [+ Effective Time] [+ Secret] [+ Comment]
  3402. #define szOID_CMC_REVOKE_REQUEST "1.3.6.1.5.5.7.7.17"
  3403. // (octet string) URL-style parameter list (IA5?)
  3404. #define szOID_CMC_REG_INFO "1.3.6.1.5.5.7.7.18"
  3405. #define szOID_CMC_RESPONSE_INFO "1.3.6.1.5.5.7.7.19"
  3406. // (octet string)
  3407. #define szOID_CMC_QUERY_PENDING "1.3.6.1.5.5.7.7.21"
  3408. #define szOID_CMC_ID_POP_LINK_RANDOM "1.3.6.1.5.5.7.7.22"
  3409. #define szOID_CMC_ID_POP_LINK_WITNESS "1.3.6.1.5.5.7.7.23"
  3410. // optional Name + Integer
  3411. #define szOID_CMC_ID_CONFIRM_CERT_ACCEPTANCE "1.3.6.1.5.5.7.7.24"
  3412. #define szOID_CMC_ADD_ATTRIBUTES "1.3.6.1.4.1.311.10.10.1"
  3413. //+-------------------------------------------------------------------------
  3414. // CMC_DATA
  3415. // CMC_RESPONSE
  3416. //
  3417. // Certificate Management Messages over CMS (CMC) PKIData and Response
  3418. // messages.
  3419. //
  3420. // For CMC_DATA, pvStructInfo points to a CMC_DATA_INFO.
  3421. // CMC_DATA_INFO contains optional arrays of tagged attributes, requests,
  3422. // content info and/or arbitrary other messages.
  3423. //
  3424. // For CMC_RESPONSE, pvStructInfo points to a CMC_RESPONSE_INFO.
  3425. // CMC_RESPONSE_INFO is the same as CMC_DATA_INFO without the tagged
  3426. // requests.
  3427. //--------------------------------------------------------------------------
  3428. typedef struct _CMC_TAGGED_ATTRIBUTE {
  3429. DWORD dwBodyPartID;
  3430. CRYPT_ATTRIBUTE Attribute;
  3431. } CMC_TAGGED_ATTRIBUTE, *PCMC_TAGGED_ATTRIBUTE;
  3432. typedef struct _CMC_TAGGED_CERT_REQUEST {
  3433. DWORD dwBodyPartID;
  3434. CRYPT_DER_BLOB SignedCertRequest;
  3435. } CMC_TAGGED_CERT_REQUEST, *PCMC_TAGGED_CERT_REQUEST;
  3436. typedef struct _CMC_TAGGED_REQUEST {
  3437. DWORD dwTaggedRequestChoice;
  3438. union {
  3439. // CMC_TAGGED_CERT_REQUEST_CHOICE
  3440. PCMC_TAGGED_CERT_REQUEST pTaggedCertRequest;
  3441. };
  3442. } CMC_TAGGED_REQUEST, *PCMC_TAGGED_REQUEST;
  3443. #define CMC_TAGGED_CERT_REQUEST_CHOICE 1
  3444. typedef struct _CMC_TAGGED_CONTENT_INFO {
  3445. DWORD dwBodyPartID;
  3446. CRYPT_DER_BLOB EncodedContentInfo;
  3447. } CMC_TAGGED_CONTENT_INFO, *PCMC_TAGGED_CONTENT_INFO;
  3448. typedef struct _CMC_TAGGED_OTHER_MSG {
  3449. DWORD dwBodyPartID;
  3450. LPSTR pszObjId;
  3451. CRYPT_OBJID_BLOB Value;
  3452. } CMC_TAGGED_OTHER_MSG, *PCMC_TAGGED_OTHER_MSG;
  3453. // All the tagged arrays are optional
  3454. typedef struct _CMC_DATA_INFO {
  3455. DWORD cTaggedAttribute;
  3456. PCMC_TAGGED_ATTRIBUTE rgTaggedAttribute;
  3457. DWORD cTaggedRequest;
  3458. PCMC_TAGGED_REQUEST rgTaggedRequest;
  3459. DWORD cTaggedContentInfo;
  3460. PCMC_TAGGED_CONTENT_INFO rgTaggedContentInfo;
  3461. DWORD cTaggedOtherMsg;
  3462. PCMC_TAGGED_OTHER_MSG rgTaggedOtherMsg;
  3463. } CMC_DATA_INFO, *PCMC_DATA_INFO;
  3464. // All the tagged arrays are optional
  3465. typedef struct _CMC_RESPONSE_INFO {
  3466. DWORD cTaggedAttribute;
  3467. PCMC_TAGGED_ATTRIBUTE rgTaggedAttribute;
  3468. DWORD cTaggedContentInfo;
  3469. PCMC_TAGGED_CONTENT_INFO rgTaggedContentInfo;
  3470. DWORD cTaggedOtherMsg;
  3471. PCMC_TAGGED_OTHER_MSG rgTaggedOtherMsg;
  3472. } CMC_RESPONSE_INFO, *PCMC_RESPONSE_INFO;
  3473. //+-------------------------------------------------------------------------
  3474. // CMC_STATUS
  3475. //
  3476. // Certificate Management Messages over CMS (CMC) Status.
  3477. //
  3478. // pvStructInfo points to a CMC_STATUS_INFO.
  3479. //--------------------------------------------------------------------------
  3480. typedef struct _CMC_PEND_INFO {
  3481. CRYPT_DATA_BLOB PendToken;
  3482. FILETIME PendTime;
  3483. } CMC_PEND_INFO, *PCMC_PEND_INFO;
  3484. typedef struct _CMC_STATUS_INFO {
  3485. DWORD dwStatus;
  3486. DWORD cBodyList;
  3487. DWORD *rgdwBodyList;
  3488. LPWSTR pwszStatusString; // OPTIONAL
  3489. DWORD dwOtherInfoChoice;
  3490. union {
  3491. // CMC_OTHER_INFO_NO_CHOICE
  3492. // none
  3493. // CMC_OTHER_INFO_FAIL_CHOICE
  3494. DWORD dwFailInfo;
  3495. // CMC_OTHER_INFO_PEND_CHOICE
  3496. PCMC_PEND_INFO pPendInfo;
  3497. };
  3498. } CMC_STATUS_INFO, *PCMC_STATUS_INFO;
  3499. #define CMC_OTHER_INFO_NO_CHOICE 0
  3500. #define CMC_OTHER_INFO_FAIL_CHOICE 1
  3501. #define CMC_OTHER_INFO_PEND_CHOICE 2
  3502. //
  3503. // dwStatus values
  3504. //
  3505. // Request was granted
  3506. #define CMC_STATUS_SUCCESS 0
  3507. // Request failed, more information elsewhere in the message
  3508. #define CMC_STATUS_FAILED 2
  3509. // The request body part has not yet been processed. Requester is responsible
  3510. // to poll back. May only be returned for certificate request operations.
  3511. #define CMC_STATUS_PENDING 3
  3512. // The requested operation is not supported
  3513. #define CMC_STATUS_NO_SUPPORT 4
  3514. // Confirmation using the idConfirmCertAcceptance control is required
  3515. // before use of certificate
  3516. #define CMC_STATUS_CONFIRM_REQUIRED 5
  3517. //
  3518. // dwFailInfo values
  3519. //
  3520. // Unrecognized or unsupported algorithm
  3521. #define CMC_FAIL_BAD_ALG 0
  3522. // Integrity check failed
  3523. #define CMC_FAIL_BAD_MESSAGE_CHECK 1
  3524. // Transaction not permitted or supported
  3525. #define CMC_FAIL_BAD_REQUEST 2
  3526. // Message time field was not sufficiently close to the system time
  3527. #define CMC_FAIL_BAD_TIME 3
  3528. // No certificate could be identified matching the provided criteria
  3529. #define CMC_FAIL_BAD_CERT_ID 4
  3530. // A requested X.509 extension is not supported by the recipient CA.
  3531. #define CMC_FAIL_UNSUPORTED_EXT 5
  3532. // Private key material must be supplied
  3533. #define CMC_FAIL_MUST_ARCHIVE_KEYS 6
  3534. // Identification Attribute failed to verify
  3535. #define CMC_FAIL_BAD_IDENTITY 7
  3536. // Server requires a POP proof before issuing certificate
  3537. #define CMC_FAIL_POP_REQUIRED 8
  3538. // POP processing failed
  3539. #define CMC_FAIL_POP_FAILED 9
  3540. // Server policy does not allow key re-use
  3541. #define CMC_FAIL_NO_KEY_REUSE 10
  3542. #define CMC_FAIL_INTERNAL_CA_ERROR 11
  3543. #define CMC_FAIL_TRY_LATER 12
  3544. //+-------------------------------------------------------------------------
  3545. // CMC_ADD_EXTENSIONS
  3546. //
  3547. // Certificate Management Messages over CMS (CMC) Add Extensions control
  3548. // attribute.
  3549. //
  3550. // pvStructInfo points to a CMC_ADD_EXTENSIONS_INFO.
  3551. //--------------------------------------------------------------------------
  3552. typedef struct _CMC_ADD_EXTENSIONS_INFO {
  3553. DWORD dwCmcDataReference;
  3554. DWORD cCertReference;
  3555. DWORD *rgdwCertReference;
  3556. DWORD cExtension;
  3557. PCERT_EXTENSION rgExtension;
  3558. } CMC_ADD_EXTENSIONS_INFO, *PCMC_ADD_EXTENSIONS_INFO;
  3559. //+-------------------------------------------------------------------------
  3560. // CMC_ADD_ATTRIBUTES
  3561. //
  3562. // Certificate Management Messages over CMS (CMC) Add Attributes control
  3563. // attribute.
  3564. //
  3565. // pvStructInfo points to a CMC_ADD_ATTRIBUTES_INFO.
  3566. //--------------------------------------------------------------------------
  3567. typedef struct _CMC_ADD_ATTRIBUTES_INFO {
  3568. DWORD dwCmcDataReference;
  3569. DWORD cCertReference;
  3570. DWORD *rgdwCertReference;
  3571. DWORD cAttribute;
  3572. PCRYPT_ATTRIBUTE rgAttribute;
  3573. } CMC_ADD_ATTRIBUTES_INFO, *PCMC_ADD_ATTRIBUTES_INFO;
  3574. //+-------------------------------------------------------------------------
  3575. // X509_CERTIFICATE_TEMPLATE
  3576. // szOID_CERTIFICATE_TEMPLATE
  3577. //
  3578. // pvStructInfo points to following CERT_TEMPLATE_EXT data structure.
  3579. //
  3580. //--------------------------------------------------------------------------
  3581. typedef struct _CERT_TEMPLATE_EXT {
  3582. LPSTR pszObjId;
  3583. DWORD dwMajorVersion;
  3584. BOOL fMinorVersion; // TRUE for a minor version
  3585. DWORD dwMinorVersion;
  3586. } CERT_TEMPLATE_EXT, *PCERT_TEMPLATE_EXT;
  3587. //+=========================================================================
  3588. // Object IDentifier (OID) Installable Functions: Data Structures and APIs
  3589. //==========================================================================
  3590. typedef void *HCRYPTOIDFUNCSET;
  3591. typedef void *HCRYPTOIDFUNCADDR;
  3592. // Predefined OID Function Names
  3593. #define CRYPT_OID_ENCODE_OBJECT_FUNC "CryptDllEncodeObject"
  3594. #define CRYPT_OID_DECODE_OBJECT_FUNC "CryptDllDecodeObject"
  3595. #define CRYPT_OID_ENCODE_OBJECT_EX_FUNC "CryptDllEncodeObjectEx"
  3596. #define CRYPT_OID_DECODE_OBJECT_EX_FUNC "CryptDllDecodeObjectEx"
  3597. #define CRYPT_OID_CREATE_COM_OBJECT_FUNC "CryptDllCreateCOMObject"
  3598. #define CRYPT_OID_VERIFY_REVOCATION_FUNC "CertDllVerifyRevocation"
  3599. #define CRYPT_OID_VERIFY_CTL_USAGE_FUNC "CertDllVerifyCTLUsage"
  3600. #define CRYPT_OID_FORMAT_OBJECT_FUNC "CryptDllFormatObject"
  3601. #define CRYPT_OID_FIND_OID_INFO_FUNC "CryptDllFindOIDInfo"
  3602. #define CRYPT_OID_FIND_LOCALIZED_NAME_FUNC "CryptDllFindLocalizedName"
  3603. // CryptDllEncodeObject has same function signature as CryptEncodeObject.
  3604. // CryptDllDecodeObject has same function signature as CryptDecodeObject.
  3605. // CryptDllEncodeObjectEx has same function signature as CryptEncodeObjectEx.
  3606. // The Ex version MUST support the CRYPT_ENCODE_ALLOC_FLAG option.
  3607. //
  3608. // If an Ex function isn't installed or registered, then, attempts to find
  3609. // a non-EX version. If the ALLOC flag is set, then, CryptEncodeObjectEx,
  3610. // does the allocation and calls the non-EX version twice.
  3611. // CryptDllDecodeObjectEx has same function signature as CryptDecodeObjectEx.
  3612. // The Ex version MUST support the CRYPT_DECODE_ALLOC_FLAG option.
  3613. //
  3614. // If an Ex function isn't installed or registered, then, attempts to find
  3615. // a non-EX version. If the ALLOC flag is set, then, CryptDecodeObjectEx,
  3616. // does the allocation and calls the non-EX version twice.
  3617. // CryptDllCreateCOMObject has the following signature:
  3618. // BOOL WINAPI CryptDllCreateCOMObject(
  3619. // IN DWORD dwEncodingType,
  3620. // IN LPCSTR pszOID,
  3621. // IN PCRYPT_DATA_BLOB pEncodedContent,
  3622. // IN DWORD dwFlags,
  3623. // IN REFIID riid,
  3624. // OUT void **ppvObj);
  3625. // CertDllVerifyRevocation has the same signature as CertVerifyRevocation
  3626. // (See CertVerifyRevocation for details on when called)
  3627. // CertDllVerifyCTLUsage has the same signature as CertVerifyCTLUsage
  3628. // CryptDllFindOIDInfo currently is only used to store values used by
  3629. // CryptFindOIDInfo. See CryptFindOIDInfo() for more details.
  3630. // CryptDllFindLocalizedName is only used to store localized string
  3631. // values used by CryptFindLocalizedName. See CryptFindLocalizedName() for
  3632. // more details.
  3633. // Example of a complete OID Function Registry Name:
  3634. // HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
  3635. // Encoding Type 1\CryptDllEncodeObject\1.2.3
  3636. //
  3637. // The key's L"Dll" value contains the name of the Dll.
  3638. // The key's L"FuncName" value overrides the default function name
  3639. #define CRYPT_OID_REGPATH "Software\\Microsoft\\Cryptography\\OID"
  3640. #define CRYPT_OID_REG_ENCODING_TYPE_PREFIX "EncodingType "
  3641. #define CRYPT_OID_REG_DLL_VALUE_NAME L"Dll"
  3642. #define CRYPT_OID_REG_FUNC_NAME_VALUE_NAME L"FuncName"
  3643. #define CRYPT_OID_REG_FUNC_NAME_VALUE_NAME_A "FuncName"
  3644. // CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG can be set in the key's L"CryptFlags"
  3645. // value to register the functions before the installed functions.
  3646. //
  3647. // CryptSetOIDFunctionValue must be called to set this value. L"CryptFlags"
  3648. // must be set using a dwValueType of REG_DWORD.
  3649. #define CRYPT_OID_REG_FLAGS_VALUE_NAME L"CryptFlags"
  3650. // OID used for Default OID functions
  3651. #define CRYPT_DEFAULT_OID "DEFAULT"
  3652. typedef struct _CRYPT_OID_FUNC_ENTRY {
  3653. LPCSTR pszOID;
  3654. void *pvFuncAddr;
  3655. } CRYPT_OID_FUNC_ENTRY, *PCRYPT_OID_FUNC_ENTRY;
  3656. #define CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG 1
  3657. //+-------------------------------------------------------------------------
  3658. // Install a set of callable OID function addresses.
  3659. //
  3660. // By default the functions are installed at end of the list.
  3661. // Set CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG to install at beginning of list.
  3662. //
  3663. // hModule should be updated with the hModule passed to DllMain to prevent
  3664. // the Dll containing the function addresses from being unloaded by
  3665. // CryptGetOIDFuncAddress/CryptFreeOIDFunctionAddress. This would be the
  3666. // case when the Dll has also regsvr32'ed OID functions via
  3667. // CryptRegisterOIDFunction.
  3668. //
  3669. // DEFAULT functions are installed by setting rgFuncEntry[].pszOID =
  3670. // CRYPT_DEFAULT_OID.
  3671. //--------------------------------------------------------------------------
  3672. WINCRYPT32API
  3673. BOOL
  3674. WINAPI
  3675. CryptInstallOIDFunctionAddress(
  3676. IN HMODULE hModule, // hModule passed to DllMain
  3677. IN DWORD dwEncodingType,
  3678. IN LPCSTR pszFuncName,
  3679. IN DWORD cFuncEntry,
  3680. IN const CRYPT_OID_FUNC_ENTRY rgFuncEntry[],
  3681. IN DWORD dwFlags
  3682. );
  3683. //+-------------------------------------------------------------------------
  3684. // Initialize and return handle to the OID function set identified by its
  3685. // function name.
  3686. //
  3687. // If the set already exists, a handle to the existing set is returned.
  3688. //--------------------------------------------------------------------------
  3689. WINCRYPT32API
  3690. HCRYPTOIDFUNCSET
  3691. WINAPI
  3692. CryptInitOIDFunctionSet(
  3693. IN LPCSTR pszFuncName,
  3694. IN DWORD dwFlags
  3695. );
  3696. //+-------------------------------------------------------------------------
  3697. // Search the list of installed functions for an encoding type and OID match.
  3698. // If not found, search the registry.
  3699. //
  3700. // For success, returns TRUE with *ppvFuncAddr updated with the function's
  3701. // address and *phFuncAddr updated with the function address's handle.
  3702. // The function's handle is AddRef'ed. CryptFreeOIDFunctionAddress needs to
  3703. // be called to release it.
  3704. //
  3705. // For a registry match, the Dll containing the function is loaded.
  3706. //
  3707. // By default, both the registered and installed function lists are searched.
  3708. // Set CRYPT_GET_INSTALLED_OID_FUNC_FLAG to only search the installed list
  3709. // of functions. This flag would be set by a registered function to get
  3710. // the address of a pre-installed function it was replacing. For example,
  3711. // the registered function might handle a new special case and call the
  3712. // pre-installed function to handle the remaining cases.
  3713. //--------------------------------------------------------------------------
  3714. WINCRYPT32API
  3715. BOOL
  3716. WINAPI
  3717. CryptGetOIDFunctionAddress(
  3718. IN HCRYPTOIDFUNCSET hFuncSet,
  3719. IN DWORD dwEncodingType,
  3720. IN LPCSTR pszOID,
  3721. IN DWORD dwFlags,
  3722. OUT void **ppvFuncAddr,
  3723. OUT HCRYPTOIDFUNCADDR *phFuncAddr
  3724. );
  3725. #define CRYPT_GET_INSTALLED_OID_FUNC_FLAG 0x1
  3726. //+-------------------------------------------------------------------------
  3727. // Get the list of registered default Dll entries for the specified
  3728. // function set and encoding type.
  3729. //
  3730. // The returned list consists of none, one or more null terminated Dll file
  3731. // names. The list is terminated with an empty (L"\0") Dll file name.
  3732. // For example: L"first.dll" L"\0" L"second.dll" L"\0" L"\0"
  3733. //--------------------------------------------------------------------------
  3734. WINCRYPT32API
  3735. BOOL
  3736. WINAPI
  3737. CryptGetDefaultOIDDllList(
  3738. IN HCRYPTOIDFUNCSET hFuncSet,
  3739. IN DWORD dwEncodingType,
  3740. OUT LPWSTR pwszDllList,
  3741. IN OUT DWORD *pcchDllList
  3742. );
  3743. //+-------------------------------------------------------------------------
  3744. // Either: get the first or next installed DEFAULT function OR
  3745. // load the Dll containing the DEFAULT function.
  3746. //
  3747. // If pwszDll is NULL, search the list of installed DEFAULT functions.
  3748. // *phFuncAddr must be set to NULL to get the first installed function.
  3749. // Successive installed functions are returned by setting *phFuncAddr
  3750. // to the hFuncAddr returned by the previous call.
  3751. //
  3752. // If pwszDll is NULL, the input *phFuncAddr
  3753. // is always CryptFreeOIDFunctionAddress'ed by this function, even for
  3754. // an error.
  3755. //
  3756. // If pwszDll isn't NULL, then, attempts to load the Dll and the DEFAULT
  3757. // function. *phFuncAddr is ignored upon entry and isn't
  3758. // CryptFreeOIDFunctionAddress'ed.
  3759. //
  3760. // For success, returns TRUE with *ppvFuncAddr updated with the function's
  3761. // address and *phFuncAddr updated with the function address's handle.
  3762. // The function's handle is AddRef'ed. CryptFreeOIDFunctionAddress needs to
  3763. // be called to release it or CryptGetDefaultOIDFunctionAddress can also
  3764. // be called for a NULL pwszDll.
  3765. //--------------------------------------------------------------------------
  3766. WINCRYPT32API
  3767. BOOL
  3768. WINAPI
  3769. CryptGetDefaultOIDFunctionAddress(
  3770. IN HCRYPTOIDFUNCSET hFuncSet,
  3771. IN DWORD dwEncodingType,
  3772. IN OPTIONAL LPCWSTR pwszDll,
  3773. IN DWORD dwFlags,
  3774. OUT void **ppvFuncAddr,
  3775. IN OUT HCRYPTOIDFUNCADDR *phFuncAddr
  3776. );
  3777. //+-------------------------------------------------------------------------
  3778. // Releases the handle AddRef'ed and returned by CryptGetOIDFunctionAddress
  3779. // or CryptGetDefaultOIDFunctionAddress.
  3780. //
  3781. // If a Dll was loaded for the function its unloaded. However, before doing
  3782. // the unload, the DllCanUnloadNow function exported by the loaded Dll is
  3783. // called. It should return S_FALSE to inhibit the unload or S_TRUE to enable
  3784. // the unload. If the Dll doesn't export DllCanUnloadNow, the Dll is unloaded.
  3785. //
  3786. // DllCanUnloadNow has the following signature:
  3787. // STDAPI DllCanUnloadNow(void);
  3788. //--------------------------------------------------------------------------
  3789. WINCRYPT32API
  3790. BOOL
  3791. WINAPI
  3792. CryptFreeOIDFunctionAddress(
  3793. IN HCRYPTOIDFUNCADDR hFuncAddr,
  3794. IN DWORD dwFlags
  3795. );
  3796. //+-------------------------------------------------------------------------
  3797. // Register the Dll containing the function to be called for the specified
  3798. // encoding type, function name and OID.
  3799. //
  3800. // pwszDll may contain environment-variable strings
  3801. // which are ExpandEnvironmentStrings()'ed before loading the Dll.
  3802. //
  3803. // In addition to registering the DLL, you may override the
  3804. // name of the function to be called. For example,
  3805. // pszFuncName = "CryptDllEncodeObject",
  3806. // pszOverrideFuncName = "MyEncodeXyz".
  3807. // This allows a Dll to export multiple OID functions for the same
  3808. // function name without needing to interpose its own OID dispatcher function.
  3809. //--------------------------------------------------------------------------
  3810. WINCRYPT32API
  3811. BOOL
  3812. WINAPI
  3813. CryptRegisterOIDFunction(
  3814. IN DWORD dwEncodingType,
  3815. IN LPCSTR pszFuncName,
  3816. IN LPCSTR pszOID,
  3817. IN OPTIONAL LPCWSTR pwszDll,
  3818. IN OPTIONAL LPCSTR pszOverrideFuncName
  3819. );
  3820. //+-------------------------------------------------------------------------
  3821. // Unregister the Dll containing the function to be called for the specified
  3822. // encoding type, function name and OID.
  3823. //--------------------------------------------------------------------------
  3824. WINCRYPT32API
  3825. BOOL
  3826. WINAPI
  3827. CryptUnregisterOIDFunction(
  3828. IN DWORD dwEncodingType,
  3829. IN LPCSTR pszFuncName,
  3830. IN LPCSTR pszOID
  3831. );
  3832. //+-------------------------------------------------------------------------
  3833. // Register the Dll containing the default function to be called for the
  3834. // specified encoding type and function name.
  3835. //
  3836. // Unlike CryptRegisterOIDFunction, you can't override the function name
  3837. // needing to be exported by the Dll.
  3838. //
  3839. // The Dll is inserted before the entry specified by dwIndex.
  3840. // dwIndex == 0, inserts at the beginning.
  3841. // dwIndex == CRYPT_REGISTER_LAST_INDEX, appends at the end.
  3842. //
  3843. // pwszDll may contain environment-variable strings
  3844. // which are ExpandEnvironmentStrings()'ed before loading the Dll.
  3845. //--------------------------------------------------------------------------
  3846. WINCRYPT32API
  3847. BOOL
  3848. WINAPI
  3849. CryptRegisterDefaultOIDFunction(
  3850. IN DWORD dwEncodingType,
  3851. IN LPCSTR pszFuncName,
  3852. IN DWORD dwIndex,
  3853. IN LPCWSTR pwszDll
  3854. );
  3855. #define CRYPT_REGISTER_FIRST_INDEX 0
  3856. #define CRYPT_REGISTER_LAST_INDEX 0xFFFFFFFF
  3857. //+-------------------------------------------------------------------------
  3858. // Unregister the Dll containing the default function to be called for
  3859. // the specified encoding type and function name.
  3860. //--------------------------------------------------------------------------
  3861. WINCRYPT32API
  3862. BOOL
  3863. WINAPI
  3864. CryptUnregisterDefaultOIDFunction(
  3865. IN DWORD dwEncodingType,
  3866. IN LPCSTR pszFuncName,
  3867. IN LPCWSTR pwszDll
  3868. );
  3869. //+-------------------------------------------------------------------------
  3870. // Set the value for the specified encoding type, function name, OID and
  3871. // value name.
  3872. //
  3873. // See RegSetValueEx for the possible value types.
  3874. //
  3875. // String types are UNICODE.
  3876. //--------------------------------------------------------------------------
  3877. WINCRYPT32API
  3878. BOOL
  3879. WINAPI
  3880. CryptSetOIDFunctionValue(
  3881. IN DWORD dwEncodingType,
  3882. IN LPCSTR pszFuncName,
  3883. IN LPCSTR pszOID,
  3884. IN LPCWSTR pwszValueName,
  3885. IN DWORD dwValueType,
  3886. IN const BYTE *pbValueData,
  3887. IN DWORD cbValueData
  3888. );
  3889. //+-------------------------------------------------------------------------
  3890. // Get the value for the specified encoding type, function name, OID and
  3891. // value name.
  3892. //
  3893. // See RegEnumValue for the possible value types.
  3894. //
  3895. // String types are UNICODE.
  3896. //--------------------------------------------------------------------------
  3897. WINCRYPT32API
  3898. BOOL
  3899. WINAPI
  3900. CryptGetOIDFunctionValue(
  3901. IN DWORD dwEncodingType,
  3902. IN LPCSTR pszFuncName,
  3903. IN LPCSTR pszOID,
  3904. IN LPCWSTR pwszValueName,
  3905. OUT DWORD *pdwValueType,
  3906. OUT BYTE *pbValueData,
  3907. IN OUT DWORD *pcbValueData
  3908. );
  3909. typedef BOOL (WINAPI *PFN_CRYPT_ENUM_OID_FUNC)(
  3910. IN DWORD dwEncodingType,
  3911. IN LPCSTR pszFuncName,
  3912. IN LPCSTR pszOID,
  3913. IN DWORD cValue,
  3914. IN const DWORD rgdwValueType[],
  3915. IN LPCWSTR const rgpwszValueName[],
  3916. IN const BYTE * const rgpbValueData[],
  3917. IN const DWORD rgcbValueData[],
  3918. IN void *pvArg
  3919. );
  3920. //+-------------------------------------------------------------------------
  3921. // Enumerate the OID functions identified by their encoding type,
  3922. // function name and OID.
  3923. //
  3924. // pfnEnumOIDFunc is called for each registry key matching the input
  3925. // parameters. Setting dwEncodingType to CRYPT_MATCH_ANY_ENCODING_TYPE matches
  3926. // any. Setting pszFuncName or pszOID to NULL matches any.
  3927. //
  3928. // Set pszOID == CRYPT_DEFAULT_OID to restrict the enumeration to only the
  3929. // DEFAULT functions
  3930. //
  3931. // String types are UNICODE.
  3932. //--------------------------------------------------------------------------
  3933. WINCRYPT32API
  3934. BOOL
  3935. WINAPI
  3936. CryptEnumOIDFunction(
  3937. IN DWORD dwEncodingType,
  3938. IN OPTIONAL LPCSTR pszFuncName,
  3939. IN OPTIONAL LPCSTR pszOID,
  3940. IN DWORD dwFlags,
  3941. IN void *pvArg,
  3942. IN PFN_CRYPT_ENUM_OID_FUNC pfnEnumOIDFunc
  3943. );
  3944. #define CRYPT_MATCH_ANY_ENCODING_TYPE 0xFFFFFFFF
  3945. //+=========================================================================
  3946. // Object IDentifier (OID) Information: Data Structures and APIs
  3947. //==========================================================================
  3948. //+-------------------------------------------------------------------------
  3949. // OID Information
  3950. //--------------------------------------------------------------------------
  3951. typedef struct _CRYPT_OID_INFO {
  3952. DWORD cbSize;
  3953. LPCSTR pszOID;
  3954. LPCWSTR pwszName;
  3955. DWORD dwGroupId;
  3956. union {
  3957. DWORD dwValue;
  3958. ALG_ID Algid;
  3959. DWORD dwLength;
  3960. };
  3961. CRYPT_DATA_BLOB ExtraInfo;
  3962. } CRYPT_OID_INFO, *PCRYPT_OID_INFO;
  3963. typedef const CRYPT_OID_INFO CCRYPT_OID_INFO, *PCCRYPT_OID_INFO;
  3964. //+-------------------------------------------------------------------------
  3965. // OID Group IDs
  3966. //--------------------------------------------------------------------------
  3967. #define CRYPT_HASH_ALG_OID_GROUP_ID 1
  3968. #define CRYPT_ENCRYPT_ALG_OID_GROUP_ID 2
  3969. #define CRYPT_PUBKEY_ALG_OID_GROUP_ID 3
  3970. #define CRYPT_SIGN_ALG_OID_GROUP_ID 4
  3971. #define CRYPT_RDN_ATTR_OID_GROUP_ID 5
  3972. #define CRYPT_EXT_OR_ATTR_OID_GROUP_ID 6
  3973. #define CRYPT_ENHKEY_USAGE_OID_GROUP_ID 7
  3974. #define CRYPT_POLICY_OID_GROUP_ID 8
  3975. #define CRYPT_TEMPLATE_OID_GROUP_ID 9
  3976. #define CRYPT_LAST_OID_GROUP_ID 9
  3977. #define CRYPT_FIRST_ALG_OID_GROUP_ID CRYPT_HASH_ALG_OID_GROUP_ID
  3978. #define CRYPT_LAST_ALG_OID_GROUP_ID CRYPT_SIGN_ALG_OID_GROUP_ID
  3979. // The CRYPT_*_ALG_OID_GROUP_ID's have an Algid. The CRYPT_RDN_ATTR_OID_GROUP_ID
  3980. // has a dwLength. The CRYPT_EXT_OR_ATTR_OID_GROUP_ID,
  3981. // CRYPT_ENHKEY_USAGE_OID_GROUP_ID, CRYPT_POLICY_OID_GROUP_ID or
  3982. // CRYPT_TEMPLATE_OID_GROUP_ID don't have a dwValue.
  3983. //
  3984. // CRYPT_PUBKEY_ALG_OID_GROUP_ID has the following optional ExtraInfo:
  3985. // DWORD[0] - Flags. CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG can be set to
  3986. // inhibit the reformatting of the signature before
  3987. // CryptVerifySignature is called or after CryptSignHash
  3988. // is called. CRYPT_OID_USE_PUBKEY_PARA_FOR_PKCS7_FLAG can
  3989. // be set to include the public key algorithm's parameters
  3990. // in the PKCS7's digestEncryptionAlgorithm's parameters.
  3991. // CRYPT_OID_NO_NULL_ALGORITHM_PARA_FLAG can be set to omit
  3992. // NULL parameters when encoding.
  3993. #define CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG 0x1
  3994. #define CRYPT_OID_USE_PUBKEY_PARA_FOR_PKCS7_FLAG 0x2
  3995. #define CRYPT_OID_NO_NULL_ALGORITHM_PARA_FLAG 0x4
  3996. // CRYPT_SIGN_ALG_OID_GROUP_ID has the following optional ExtraInfo:
  3997. // DWORD[0] - Public Key Algid.
  3998. // DWORD[1] - Flags. Same as above for CRYPT_PUBKEY_ALG_OID_GROUP_ID.
  3999. // DWORD[2] - Optional CryptAcquireContext(CRYPT_VERIFYCONTEXT)'s dwProvType.
  4000. // If omitted or 0, uses Public Key Algid to select
  4001. // appropriate dwProvType for signature verification.
  4002. // CRYPT_RDN_ATTR_OID_GROUP_ID has the following optional ExtraInfo:
  4003. // Array of DWORDs:
  4004. // [0 ..] - Null terminated list of acceptable RDN attribute
  4005. // value types. An empty list implies CERT_RDN_PRINTABLE_STRING,
  4006. // CERT_RDN_UNICODE_STRING, 0.
  4007. //+-------------------------------------------------------------------------
  4008. // Find OID information. Returns NULL if unable to find any information
  4009. // for the specified key and group. Note, returns a pointer to a constant
  4010. // data structure. The returned pointer MUST NOT be freed.
  4011. //
  4012. // dwKeyType's:
  4013. // CRYPT_OID_INFO_OID_KEY, pvKey points to a szOID
  4014. // CRYPT_OID_INFO_NAME_KEY, pvKey points to a wszName
  4015. // CRYPT_OID_INFO_ALGID_KEY, pvKey points to an ALG_ID
  4016. // CRYPT_OID_INFO_SIGN_KEY, pvKey points to an array of two ALG_ID's:
  4017. // ALG_ID[0] - Hash Algid
  4018. // ALG_ID[1] - PubKey Algid
  4019. //
  4020. // Setting dwGroupId to 0, searches all groups according to the dwKeyType.
  4021. // Otherwise, only the dwGroupId is searched.
  4022. //--------------------------------------------------------------------------
  4023. WINCRYPT32API
  4024. PCCRYPT_OID_INFO
  4025. WINAPI
  4026. CryptFindOIDInfo(
  4027. IN DWORD dwKeyType,
  4028. IN void *pvKey,
  4029. IN DWORD dwGroupId
  4030. );
  4031. #define CRYPT_OID_INFO_OID_KEY 1
  4032. #define CRYPT_OID_INFO_NAME_KEY 2
  4033. #define CRYPT_OID_INFO_ALGID_KEY 3
  4034. #define CRYPT_OID_INFO_SIGN_KEY 4
  4035. //+-------------------------------------------------------------------------
  4036. // Register OID information. The OID information specified in the
  4037. // CCRYPT_OID_INFO structure is persisted to the registry.
  4038. //
  4039. // crypt32.dll contains information for the commonly known OIDs. This function
  4040. // allows applications to augment crypt32.dll's OID information. During
  4041. // CryptFindOIDInfo's first call, the registered OID information is installed.
  4042. //
  4043. // By default the registered OID information is installed after crypt32.dll's
  4044. // OID entries. Set CRYPT_INSTALL_OID_INFO_BEFORE_FLAG to install before.
  4045. //--------------------------------------------------------------------------
  4046. WINCRYPT32API
  4047. BOOL
  4048. WINAPI
  4049. CryptRegisterOIDInfo(
  4050. IN PCCRYPT_OID_INFO pInfo,
  4051. IN DWORD dwFlags
  4052. );
  4053. #define CRYPT_INSTALL_OID_INFO_BEFORE_FLAG 1
  4054. //+-------------------------------------------------------------------------
  4055. // Unregister OID information. Only the pszOID and dwGroupId fields are
  4056. // used to identify the OID information to be unregistered.
  4057. //--------------------------------------------------------------------------
  4058. WINCRYPT32API
  4059. BOOL
  4060. WINAPI
  4061. CryptUnregisterOIDInfo(
  4062. IN PCCRYPT_OID_INFO pInfo
  4063. );
  4064. // If the callback returns FALSE, stops the enumeration.
  4065. typedef BOOL (WINAPI *PFN_CRYPT_ENUM_OID_INFO)(
  4066. IN PCCRYPT_OID_INFO pInfo,
  4067. IN void *pvArg
  4068. );
  4069. //+-------------------------------------------------------------------------
  4070. // Enumerate the OID information.
  4071. //
  4072. // pfnEnumOIDInfo is called for each OID information entry.
  4073. //
  4074. // Setting dwGroupId to 0 matches all groups. Otherwise, only enumerates
  4075. // entries in the specified group.
  4076. //
  4077. // dwFlags currently isn't used and must be set to 0.
  4078. //--------------------------------------------------------------------------
  4079. WINCRYPT32API
  4080. BOOL
  4081. WINAPI
  4082. CryptEnumOIDInfo(
  4083. IN DWORD dwGroupId,
  4084. IN DWORD dwFlags,
  4085. IN void *pvArg,
  4086. IN PFN_CRYPT_ENUM_OID_INFO pfnEnumOIDInfo
  4087. );
  4088. //+-------------------------------------------------------------------------
  4089. // Find the localized name for the specified name. For example, find the
  4090. // localized name for the "Root" system store name. A case insensitive
  4091. // string comparison is done.
  4092. //
  4093. // Returns NULL if unable to find the the specified name.
  4094. //
  4095. // Localized names for the predefined system stores ("Root", "My") and
  4096. // predefined physical stores (".Default", ".LocalMachine") are pre-installed
  4097. // as resource strings in crypt32.dll. CryptSetOIDFunctionValue can be called
  4098. // as follows to register additional localized strings:
  4099. // dwEncodingType = CRYPT_LOCALIZED_NAME_ENCODING_TYPE
  4100. // pszFuncName = CRYPT_OID_FIND_LOCALIZED_NAME_FUNC
  4101. // pszOID = CRYPT_LOCALIZED_NAME_OID
  4102. // pwszValueName = Name to be localized, for example, L"ApplicationStore"
  4103. // dwValueType = REG_SZ
  4104. // pbValueData = pointer to the UNICODE localized string
  4105. // cbValueData = (wcslen(UNICODE localized string) + 1) * sizeof(WCHAR)
  4106. //
  4107. // To unregister, set pbValueData to NULL and cbValueData to 0.
  4108. //
  4109. // The registered names are searched before the pre-installed names.
  4110. //--------------------------------------------------------------------------
  4111. WINCRYPT32API
  4112. LPCWSTR
  4113. WINAPI
  4114. CryptFindLocalizedName(
  4115. IN LPCWSTR pwszCryptName
  4116. );
  4117. #define CRYPT_LOCALIZED_NAME_ENCODING_TYPE 0
  4118. #define CRYPT_LOCALIZED_NAME_OID "LocalizedNames"
  4119. //+=========================================================================
  4120. // Low Level Cryptographic Message Data Structures and APIs
  4121. //==========================================================================
  4122. typedef void *HCRYPTMSG;
  4123. #define szOID_PKCS_7_DATA "1.2.840.113549.1.7.1"
  4124. #define szOID_PKCS_7_SIGNED "1.2.840.113549.1.7.2"
  4125. #define szOID_PKCS_7_ENVELOPED "1.2.840.113549.1.7.3"
  4126. #define szOID_PKCS_7_SIGNEDANDENVELOPED "1.2.840.113549.1.7.4"
  4127. #define szOID_PKCS_7_DIGESTED "1.2.840.113549.1.7.5"
  4128. #define szOID_PKCS_7_ENCRYPTED "1.2.840.113549.1.7.6"
  4129. #define szOID_PKCS_9_CONTENT_TYPE "1.2.840.113549.1.9.3"
  4130. #define szOID_PKCS_9_MESSAGE_DIGEST "1.2.840.113549.1.9.4"
  4131. //+-------------------------------------------------------------------------
  4132. // Message types
  4133. //--------------------------------------------------------------------------
  4134. #define CMSG_DATA 1
  4135. #define CMSG_SIGNED 2
  4136. #define CMSG_ENVELOPED 3
  4137. #define CMSG_SIGNED_AND_ENVELOPED 4
  4138. #define CMSG_HASHED 5
  4139. #define CMSG_ENCRYPTED 6
  4140. //+-------------------------------------------------------------------------
  4141. // Message Type Bit Flags
  4142. //--------------------------------------------------------------------------
  4143. #define CMSG_ALL_FLAGS (~0UL)
  4144. #define CMSG_DATA_FLAG (1 << CMSG_DATA)
  4145. #define CMSG_SIGNED_FLAG (1 << CMSG_SIGNED)
  4146. #define CMSG_ENVELOPED_FLAG (1 << CMSG_ENVELOPED)
  4147. #define CMSG_SIGNED_AND_ENVELOPED_FLAG (1 << CMSG_SIGNED_AND_ENVELOPED)
  4148. #define CMSG_HASHED_FLAG (1 << CMSG_HASHED)
  4149. #define CMSG_ENCRYPTED_FLAG (1 << CMSG_ENCRYPTED)
  4150. //+-------------------------------------------------------------------------
  4151. // Certificate Issuer and SerialNumber
  4152. //--------------------------------------------------------------------------
  4153. typedef struct _CERT_ISSUER_SERIAL_NUMBER {
  4154. CERT_NAME_BLOB Issuer;
  4155. CRYPT_INTEGER_BLOB SerialNumber;
  4156. } CERT_ISSUER_SERIAL_NUMBER, *PCERT_ISSUER_SERIAL_NUMBER;
  4157. //+-------------------------------------------------------------------------
  4158. // Certificate Identifier
  4159. //--------------------------------------------------------------------------
  4160. typedef struct _CERT_ID {
  4161. DWORD dwIdChoice;
  4162. union {
  4163. // CERT_ID_ISSUER_SERIAL_NUMBER
  4164. CERT_ISSUER_SERIAL_NUMBER IssuerSerialNumber;
  4165. // CERT_ID_KEY_IDENTIFIER
  4166. CRYPT_HASH_BLOB KeyId;
  4167. // CERT_ID_SHA1_HASH
  4168. CRYPT_HASH_BLOB HashId;
  4169. };
  4170. } CERT_ID, *PCERT_ID;
  4171. #define CERT_ID_ISSUER_SERIAL_NUMBER 1
  4172. #define CERT_ID_KEY_IDENTIFIER 2
  4173. #define CERT_ID_SHA1_HASH 3
  4174. //+-------------------------------------------------------------------------
  4175. // The message encode information (pvMsgEncodeInfo) is message type dependent
  4176. //--------------------------------------------------------------------------
  4177. //+-------------------------------------------------------------------------
  4178. // CMSG_DATA: pvMsgEncodeInfo = NULL
  4179. //--------------------------------------------------------------------------
  4180. //+-------------------------------------------------------------------------
  4181. // CMSG_SIGNED
  4182. //
  4183. // The pCertInfo in the CMSG_SIGNER_ENCODE_INFO provides the Issuer, SerialNumber
  4184. // and PublicKeyInfo.Algorithm. The PublicKeyInfo.Algorithm implicitly
  4185. // specifies the HashEncryptionAlgorithm to be used.
  4186. //
  4187. // If the SignerId is present with a nonzero dwIdChoice its used instead
  4188. // of the Issuer and SerialNumber in pCertInfo.
  4189. //
  4190. // CMS supports the KEY_IDENTIFIER and ISSUER_SERIAL_NUMBER CERT_IDs. PKCS #7
  4191. // version 1.5 only supports the ISSUER_SERIAL_NUMBER CERT_ID choice.
  4192. //
  4193. // If HashEncryptionAlgorithm is present and not NULL its used instead of
  4194. // the PublicKeyInfo.Algorithm.
  4195. //
  4196. // Note, for RSA, the hash encryption algorithm is normally the same as
  4197. // the public key algorithm. For DSA, the hash encryption algorithm is
  4198. // normally a DSS signature algorithm.
  4199. //
  4200. // pvHashEncryptionAuxInfo currently isn't used and must be set to NULL if
  4201. // present in the data structure.
  4202. //
  4203. // The hCryptProv and dwKeySpec specify the private key to use. If dwKeySpec
  4204. // == 0, then, defaults to AT_SIGNATURE.
  4205. //
  4206. // If the HashEncryptionAlgorithm is set to szOID_PKIX_NO_SIGNATURE, then,
  4207. // the signature value only contains the hash octets. hCryptProv must still
  4208. // be specified. However, since a private key isn't used the hCryptProv can be
  4209. // acquired using CRYPT_VERIFYCONTEXT.
  4210. //
  4211. // If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
  4212. // passed to CryptMsgOpenToEncode(), the signer hCryptProv's are released.
  4213. //
  4214. // pvHashAuxInfo currently isn't used and must be set to NULL.
  4215. //
  4216. // CMS signed messages allow the inclusion of Attribute Certs.
  4217. //--------------------------------------------------------------------------
  4218. typedef struct _CMSG_SIGNER_ENCODE_INFO {
  4219. DWORD cbSize;
  4220. PCERT_INFO pCertInfo;
  4221. HCRYPTPROV hCryptProv;
  4222. DWORD dwKeySpec;
  4223. CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
  4224. void *pvHashAuxInfo;
  4225. DWORD cAuthAttr;
  4226. PCRYPT_ATTRIBUTE rgAuthAttr;
  4227. DWORD cUnauthAttr;
  4228. PCRYPT_ATTRIBUTE rgUnauthAttr;
  4229. #ifdef CMSG_SIGNER_ENCODE_INFO_HAS_CMS_FIELDS
  4230. CERT_ID SignerId;
  4231. CRYPT_ALGORITHM_IDENTIFIER HashEncryptionAlgorithm;
  4232. void *pvHashEncryptionAuxInfo;
  4233. #endif
  4234. } CMSG_SIGNER_ENCODE_INFO, *PCMSG_SIGNER_ENCODE_INFO;
  4235. typedef struct _CMSG_SIGNED_ENCODE_INFO {
  4236. DWORD cbSize;
  4237. DWORD cSigners;
  4238. PCMSG_SIGNER_ENCODE_INFO rgSigners;
  4239. DWORD cCertEncoded;
  4240. PCERT_BLOB rgCertEncoded;
  4241. DWORD cCrlEncoded;
  4242. PCRL_BLOB rgCrlEncoded;
  4243. #ifdef CMSG_SIGNED_ENCODE_INFO_HAS_CMS_FIELDS
  4244. DWORD cAttrCertEncoded;
  4245. PCERT_BLOB rgAttrCertEncoded;
  4246. #endif
  4247. } CMSG_SIGNED_ENCODE_INFO, *PCMSG_SIGNED_ENCODE_INFO;
  4248. //+-------------------------------------------------------------------------
  4249. // CMSG_ENVELOPED
  4250. //
  4251. // The PCERT_INFO for the rgRecipients provides the Issuer, SerialNumber
  4252. // and PublicKeyInfo. The PublicKeyInfo.Algorithm implicitly
  4253. // specifies the KeyEncryptionAlgorithm to be used.
  4254. //
  4255. // The PublicKeyInfo.PublicKey in PCERT_INFO is used to encrypt the content
  4256. // encryption key for the recipient.
  4257. //
  4258. // hCryptProv is used to do the content encryption, recipient key encryption
  4259. // and export. The hCryptProv's private keys aren't used. If hCryptProv
  4260. // is NULL, a default hCryptProv is chosen according to the
  4261. // ContentEncryptionAlgorithm and the first recipient KeyEncryptionAlgorithm.
  4262. //
  4263. // If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
  4264. // passed to CryptMsgOpenToEncode(), the envelope's hCryptProv is released.
  4265. //
  4266. // Note: CAPI currently doesn't support more than one KeyEncryptionAlgorithm
  4267. // per provider. This will need to be fixed.
  4268. //
  4269. // Currently, pvEncryptionAuxInfo is only defined for RC2 or RC4 encryption
  4270. // algorithms. Otherwise, its not used and must be set to NULL.
  4271. // See CMSG_RC2_AUX_INFO for the RC2 encryption algorithms.
  4272. // See CMSG_RC4_AUX_INFO for the RC4 encryption algorithms.
  4273. //
  4274. // To enable SP3 compatible encryption, pvEncryptionAuxInfo should point to
  4275. // a CMSG_SP3_COMPATIBLE_AUX_INFO data structure.
  4276. //
  4277. // To enable the CMS envelope enhancements, rgpRecipients must be set to
  4278. // NULL, and rgCmsRecipients updated to point to an array of
  4279. // CMSG_RECIPIENT_ENCODE_INFO's.
  4280. //
  4281. // Also, CMS envelope enhancements support the inclusion of a bag of
  4282. // Certs, CRLs, Attribute Certs and/or Unprotected Attributes.
  4283. //--------------------------------------------------------------------------
  4284. typedef struct _CMSG_RECIPIENT_ENCODE_INFO CMSG_RECIPIENT_ENCODE_INFO,
  4285. *PCMSG_RECIPIENT_ENCODE_INFO;
  4286. typedef struct _CMSG_ENVELOPED_ENCODE_INFO {
  4287. DWORD cbSize;
  4288. HCRYPTPROV hCryptProv;
  4289. CRYPT_ALGORITHM_IDENTIFIER ContentEncryptionAlgorithm;
  4290. void *pvEncryptionAuxInfo;
  4291. DWORD cRecipients;
  4292. // The following array may only be used for transport recipients identified
  4293. // by their IssuereAndSerialNumber. If rgpRecipients != NULL, then,
  4294. // the rgCmsRecipients must be NULL.
  4295. PCERT_INFO *rgpRecipients;
  4296. #ifdef CMSG_ENVELOPED_ENCODE_INFO_HAS_CMS_FIELDS
  4297. // If rgCmsRecipients != NULL, then, the above rgpRecipients must be
  4298. // NULL.
  4299. PCMSG_RECIPIENT_ENCODE_INFO rgCmsRecipients;
  4300. DWORD cCertEncoded;
  4301. PCERT_BLOB rgCertEncoded;
  4302. DWORD cCrlEncoded;
  4303. PCRL_BLOB rgCrlEncoded;
  4304. DWORD cAttrCertEncoded;
  4305. PCERT_BLOB rgAttrCertEncoded;
  4306. DWORD cUnprotectedAttr;
  4307. PCRYPT_ATTRIBUTE rgUnprotectedAttr;
  4308. #endif
  4309. } CMSG_ENVELOPED_ENCODE_INFO, *PCMSG_ENVELOPED_ENCODE_INFO;
  4310. //+-------------------------------------------------------------------------
  4311. // Key Transport Recipient Encode Info
  4312. //
  4313. // hCryptProv is used to do the recipient key encryption
  4314. // and export. The hCryptProv's private keys aren't used.
  4315. //
  4316. // If hCryptProv is NULL, then, the hCryptProv specified in
  4317. // CMSG_ENVELOPED_ENCODE_INFO is used.
  4318. //
  4319. // Note, even if CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
  4320. // passed to CryptMsgOpenToEncode(), this hCryptProv isn't released.
  4321. //
  4322. // CMS supports the KEY_IDENTIFIER and ISSUER_SERIAL_NUMBER CERT_IDs. PKCS #7
  4323. // version 1.5 only supports the ISSUER_SERIAL_NUMBER CERT_ID choice.
  4324. //--------------------------------------------------------------------------
  4325. typedef struct _CMSG_KEY_TRANS_RECIPIENT_ENCODE_INFO {
  4326. DWORD cbSize;
  4327. CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
  4328. void *pvKeyEncryptionAuxInfo;
  4329. HCRYPTPROV hCryptProv;
  4330. CRYPT_BIT_BLOB RecipientPublicKey;
  4331. CERT_ID RecipientId;
  4332. } CMSG_KEY_TRANS_RECIPIENT_ENCODE_INFO, *PCMSG_KEY_TRANS_RECIPIENT_ENCODE_INFO;
  4333. //+-------------------------------------------------------------------------
  4334. // Key Agreement Recipient Encode Info
  4335. //
  4336. // If hCryptProv is NULL, then, the hCryptProv specified in
  4337. // CMSG_ENVELOPED_ENCODE_INFO is used.
  4338. //
  4339. // For the CMSG_KEY_AGREE_STATIC_KEY_CHOICE, both the hCryptProv and
  4340. // dwKeySpec must be specified to select the sender's private key.
  4341. //
  4342. // Note, even if CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
  4343. // passed to CryptMsgOpenToEncode(), this hCryptProv isn't released.
  4344. //
  4345. // CMS supports the KEY_IDENTIFIER and ISSUER_SERIAL_NUMBER CERT_IDs.
  4346. //
  4347. // There is 1 key choice, ephemeral originator. The originator's ephemeral
  4348. // key is generated using the public key algorithm parameters shared
  4349. // amongst all the recipients.
  4350. //
  4351. // There are 2 key choices: ephemeral originator or static sender. The
  4352. // originator's ephemeral key is generated using the public key algorithm
  4353. // parameters shared amongst all the recipients. For the static sender its
  4354. // private key is used. The hCryptProv and dwKeySpec specify the private key.
  4355. // The pSenderId identifies the certificate containing the sender's public key.
  4356. //
  4357. // Currently, pvKeyEncryptionAuxInfo isn't used and must be set to NULL.
  4358. //
  4359. // If KeyEncryptionAlgorithm.Parameters.cbData == 0, then, its Parameters
  4360. // are updated with the encoded KeyWrapAlgorithm.
  4361. //
  4362. // Currently, pvKeyWrapAuxInfo is only defined for algorithms with
  4363. // RC2. Otherwise, its not used and must be set to NULL.
  4364. // When set for RC2 algorithms, points to a CMSG_RC2_AUX_INFO containing
  4365. // the RC2 effective key length.
  4366. //
  4367. // Note, key agreement recipients are not supported in PKCS #7 version 1.5.
  4368. //--------------------------------------------------------------------------
  4369. typedef struct _CMSG_RECIPIENT_ENCRYPTED_KEY_ENCODE_INFO {
  4370. DWORD cbSize;
  4371. CRYPT_BIT_BLOB RecipientPublicKey;
  4372. CERT_ID RecipientId;
  4373. // Following fields are optional and only applicable to KEY_IDENTIFIER
  4374. // CERT_IDs.
  4375. FILETIME Date;
  4376. PCRYPT_ATTRIBUTE_TYPE_VALUE pOtherAttr;
  4377. } CMSG_RECIPIENT_ENCRYPTED_KEY_ENCODE_INFO,
  4378. *PCMSG_RECIPIENT_ENCRYPTED_KEY_ENCODE_INFO;
  4379. typedef struct _CMSG_KEY_AGREE_RECIPIENT_ENCODE_INFO {
  4380. DWORD cbSize;
  4381. CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
  4382. void *pvKeyEncryptionAuxInfo;
  4383. CRYPT_ALGORITHM_IDENTIFIER KeyWrapAlgorithm;
  4384. void *pvKeyWrapAuxInfo;
  4385. // The following hCryptProv and dwKeySpec must be specified for the
  4386. // CMSG_KEY_AGREE_STATIC_KEY_CHOICE.
  4387. //
  4388. // For CMSG_KEY_AGREE_EPHEMERAL_KEY_CHOICE, dwKeySpec isn't applicable
  4389. // and hCryptProv is optional.
  4390. HCRYPTPROV hCryptProv;
  4391. DWORD dwKeySpec;
  4392. DWORD dwKeyChoice;
  4393. union {
  4394. // CMSG_KEY_AGREE_EPHEMERAL_KEY_CHOICE
  4395. //
  4396. // The ephemeral public key algorithm and parameters.
  4397. PCRYPT_ALGORITHM_IDENTIFIER pEphemeralAlgorithm;
  4398. // CMSG_KEY_AGREE_STATIC_KEY_CHOICE
  4399. //
  4400. // The CertId of the sender's certificate
  4401. PCERT_ID pSenderId;
  4402. };
  4403. CRYPT_DATA_BLOB UserKeyingMaterial; // OPTIONAL
  4404. DWORD cRecipientEncryptedKeys;
  4405. PCMSG_RECIPIENT_ENCRYPTED_KEY_ENCODE_INFO *rgpRecipientEncryptedKeys;
  4406. } CMSG_KEY_AGREE_RECIPIENT_ENCODE_INFO, *PCMSG_KEY_AGREE_RECIPIENT_ENCODE_INFO;
  4407. #define CMSG_KEY_AGREE_EPHEMERAL_KEY_CHOICE 1
  4408. #define CMSG_KEY_AGREE_STATIC_KEY_CHOICE 2
  4409. //+-------------------------------------------------------------------------
  4410. // Mail List Recipient Encode Info
  4411. //
  4412. // There is 1 choice for the KeyEncryptionKey: an already created CSP key
  4413. // handle. For the key handle choice, hCryptProv must be nonzero. This key
  4414. // handle isn't destroyed.
  4415. //
  4416. // Note, even if CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
  4417. // passed to CryptMsgOpenToEncode(), this hCryptProv isn't released.
  4418. //
  4419. // Currently, pvKeyEncryptionAuxInfo is only defined for RC2 key wrap
  4420. // algorithms. Otherwise, its not used and must be set to NULL.
  4421. // When set for RC2 algorithms, points to a CMSG_RC2_AUX_INFO containing
  4422. // the RC2 effective key length.
  4423. //
  4424. // Note, mail list recipients are not supported in PKCS #7 version 1.5.
  4425. //--------------------------------------------------------------------------
  4426. typedef struct _CMSG_MAIL_LIST_RECIPIENT_ENCODE_INFO {
  4427. DWORD cbSize;
  4428. CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
  4429. void *pvKeyEncryptionAuxInfo;
  4430. HCRYPTPROV hCryptProv;
  4431. DWORD dwKeyChoice;
  4432. union {
  4433. // CMSG_MAIL_LIST_HANDLE_KEY_CHOICE
  4434. HCRYPTKEY hKeyEncryptionKey;
  4435. // Reserve space for a potential pointer choice
  4436. void *pvKeyEncryptionKey;
  4437. };
  4438. CRYPT_DATA_BLOB KeyId;
  4439. // Following fields are optional.
  4440. FILETIME Date;
  4441. PCRYPT_ATTRIBUTE_TYPE_VALUE pOtherAttr;
  4442. } CMSG_MAIL_LIST_RECIPIENT_ENCODE_INFO, *PCMSG_MAIL_LIST_RECIPIENT_ENCODE_INFO;
  4443. #define CMSG_MAIL_LIST_HANDLE_KEY_CHOICE 1
  4444. //+-------------------------------------------------------------------------
  4445. // Recipient Encode Info
  4446. //
  4447. // Note, only key transport recipients are supported in PKCS #7 version 1.5.
  4448. //--------------------------------------------------------------------------
  4449. struct _CMSG_RECIPIENT_ENCODE_INFO {
  4450. DWORD dwRecipientChoice;
  4451. union {
  4452. // CMSG_KEY_TRANS_RECIPIENT
  4453. PCMSG_KEY_TRANS_RECIPIENT_ENCODE_INFO pKeyTrans;
  4454. // CMSG_KEY_AGREE_RECIPIENT
  4455. PCMSG_KEY_AGREE_RECIPIENT_ENCODE_INFO pKeyAgree;
  4456. // CMSG_MAIL_LIST_RECIPIENT
  4457. PCMSG_MAIL_LIST_RECIPIENT_ENCODE_INFO pMailList;
  4458. };
  4459. };
  4460. #define CMSG_KEY_TRANS_RECIPIENT 1
  4461. #define CMSG_KEY_AGREE_RECIPIENT 2
  4462. #define CMSG_MAIL_LIST_RECIPIENT 3
  4463. //+-------------------------------------------------------------------------
  4464. // CMSG_RC2_AUX_INFO
  4465. //
  4466. // AuxInfo for RC2 encryption algorithms. The pvEncryptionAuxInfo field
  4467. // in CMSG_ENCRYPTED_ENCODE_INFO should be updated to point to this
  4468. // structure. If not specified, defaults to 40 bit.
  4469. //
  4470. // Note, this AuxInfo is only used when, the ContentEncryptionAlgorithm's
  4471. // Parameter.cbData is zero. Otherwise, the Parameters is decoded to
  4472. // get the bit length.
  4473. //
  4474. // If CMSG_SP3_COMPATIBLE_ENCRYPT_FLAG is set in dwBitLen, then, SP3
  4475. // compatible encryption is done and the bit length is ignored.
  4476. //--------------------------------------------------------------------------
  4477. typedef struct _CMSG_RC2_AUX_INFO {
  4478. DWORD cbSize;
  4479. DWORD dwBitLen;
  4480. } CMSG_RC2_AUX_INFO, *PCMSG_RC2_AUX_INFO;
  4481. //+-------------------------------------------------------------------------
  4482. // CMSG_SP3_COMPATIBLE_AUX_INFO
  4483. //
  4484. // AuxInfo for enabling SP3 compatible encryption.
  4485. //
  4486. // The CMSG_SP3_COMPATIBLE_ENCRYPT_FLAG is set in dwFlags to enable SP3
  4487. // compatible encryption. When set, uses zero salt instead of no salt,
  4488. // the encryption algorithm parameters are NULL instead of containing the
  4489. // encoded RC2 parameters or encoded IV octet string and the encrypted
  4490. // symmetric key is encoded little endian instead of big endian.
  4491. //--------------------------------------------------------------------------
  4492. typedef struct _CMSG_SP3_COMPATIBLE_AUX_INFO {
  4493. DWORD cbSize;
  4494. DWORD dwFlags;
  4495. } CMSG_SP3_COMPATIBLE_AUX_INFO, *PCMSG_SP3_COMPATIBLE_AUX_INFO;
  4496. #define CMSG_SP3_COMPATIBLE_ENCRYPT_FLAG 0x80000000
  4497. //+-------------------------------------------------------------------------
  4498. // CMSG_RC4_AUX_INFO
  4499. //
  4500. // AuxInfo for RC4 encryption algorithms. The pvEncryptionAuxInfo field
  4501. // in CMSG_ENCRYPTED_ENCODE_INFO should be updated to point to this
  4502. // structure. If not specified, uses the CSP's default bit length with no
  4503. // salt. Note, the base CSP has a 40 bit default and the enhanced CSP has
  4504. // a 128 bit default.
  4505. //
  4506. // If CMSG_RC4_NO_SALT_FLAG is set in dwBitLen, then, no salt is generated.
  4507. // Otherwise, (128 - dwBitLen)/8 bytes of salt are generated and encoded
  4508. // as an OCTET STRING in the algorithm parameters field.
  4509. //--------------------------------------------------------------------------
  4510. typedef struct _CMSG_RC4_AUX_INFO {
  4511. DWORD cbSize;
  4512. DWORD dwBitLen;
  4513. } CMSG_RC4_AUX_INFO, *PCMSG_RC4_AUX_INFO;
  4514. #define CMSG_RC4_NO_SALT_FLAG 0x40000000
  4515. //+-------------------------------------------------------------------------
  4516. // CMSG_SIGNED_AND_ENVELOPED
  4517. //
  4518. // For PKCS #7, a signed and enveloped message doesn't have the
  4519. // signer's authenticated or unauthenticated attributes. Otherwise, a
  4520. // combination of the CMSG_SIGNED_ENCODE_INFO and CMSG_ENVELOPED_ENCODE_INFO.
  4521. //--------------------------------------------------------------------------
  4522. typedef struct _CMSG_SIGNED_AND_ENVELOPED_ENCODE_INFO {
  4523. DWORD cbSize;
  4524. CMSG_SIGNED_ENCODE_INFO SignedInfo;
  4525. CMSG_ENVELOPED_ENCODE_INFO EnvelopedInfo;
  4526. } CMSG_SIGNED_AND_ENVELOPED_ENCODE_INFO, *PCMSG_SIGNED_AND_ENVELOPED_ENCODE_INFO;
  4527. //+-------------------------------------------------------------------------
  4528. // CMSG_HASHED
  4529. //
  4530. // hCryptProv is used to do the hash. Doesn't need to use a private key.
  4531. //
  4532. // If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags
  4533. // passed to CryptMsgOpenToEncode(), the hCryptProv is released.
  4534. //
  4535. // If fDetachedHash is set, then, the encoded message doesn't contain
  4536. // any content (its treated as NULL Data)
  4537. //
  4538. // pvHashAuxInfo currently isn't used and must be set to NULL.
  4539. //--------------------------------------------------------------------------
  4540. typedef struct _CMSG_HASHED_ENCODE_INFO {
  4541. DWORD cbSize;
  4542. HCRYPTPROV hCryptProv;
  4543. CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
  4544. void *pvHashAuxInfo;
  4545. } CMSG_HASHED_ENCODE_INFO, *PCMSG_HASHED_ENCODE_INFO;
  4546. //+-------------------------------------------------------------------------
  4547. // CMSG_ENCRYPTED
  4548. //
  4549. // The key used to encrypt the message is identified outside of the message
  4550. // content (for example, password).
  4551. //
  4552. // The content input to CryptMsgUpdate has already been encrypted.
  4553. //
  4554. // pvEncryptionAuxInfo currently isn't used and must be set to NULL.
  4555. //--------------------------------------------------------------------------
  4556. typedef struct _CMSG_ENCRYPTED_ENCODE_INFO {
  4557. DWORD cbSize;
  4558. CRYPT_ALGORITHM_IDENTIFIER ContentEncryptionAlgorithm;
  4559. void *pvEncryptionAuxInfo;
  4560. } CMSG_ENCRYPTED_ENCODE_INFO, *PCMSG_ENCRYPTED_ENCODE_INFO;
  4561. //+-------------------------------------------------------------------------
  4562. // This parameter allows messages to be of variable length with streamed
  4563. // output.
  4564. //
  4565. // By default, messages are of a definite length and
  4566. // CryptMsgGetParam(CMSG_CONTENT_PARAM) is
  4567. // called to get the cryptographically processed content. Until closed,
  4568. // the handle keeps a copy of the processed content.
  4569. //
  4570. // With streamed output, the processed content can be freed as its streamed.
  4571. //
  4572. // If the length of the content to be updated is known at the time of the
  4573. // open, then, ContentLength should be set to that length. Otherwise, it
  4574. // should be set to CMSG_INDEFINITE_LENGTH.
  4575. //--------------------------------------------------------------------------
  4576. typedef BOOL (WINAPI *PFN_CMSG_STREAM_OUTPUT)(
  4577. IN const void *pvArg,
  4578. IN BYTE *pbData,
  4579. IN DWORD cbData,
  4580. IN BOOL fFinal
  4581. );
  4582. #define CMSG_INDEFINITE_LENGTH (0xFFFFFFFF)
  4583. typedef struct _CMSG_STREAM_INFO {
  4584. DWORD cbContent;
  4585. PFN_CMSG_STREAM_OUTPUT pfnStreamOutput;
  4586. void *pvArg;
  4587. } CMSG_STREAM_INFO, *PCMSG_STREAM_INFO;
  4588. //+-------------------------------------------------------------------------
  4589. // Open dwFlags
  4590. //--------------------------------------------------------------------------
  4591. #define CMSG_BARE_CONTENT_FLAG 0x00000001
  4592. #define CMSG_LENGTH_ONLY_FLAG 0x00000002
  4593. #define CMSG_DETACHED_FLAG 0x00000004
  4594. #define CMSG_AUTHENTICATED_ATTRIBUTES_FLAG 0x00000008
  4595. #define CMSG_CONTENTS_OCTETS_FLAG 0x00000010
  4596. #define CMSG_MAX_LENGTH_FLAG 0x00000020
  4597. // When set, nonData type inner content is encapsulated within an
  4598. // OCTET STRING. Applicable to both Signed and Enveloped messages.
  4599. #define CMSG_CMS_ENCAPSULATED_CONTENT_FLAG 0x00000040
  4600. // If set, then, the hCryptProv passed to CryptMsgOpenToEncode or
  4601. // CryptMsgOpenToDecode is released on the final CryptMsgClose.
  4602. // Not released if CryptMsgOpenToEncode or CryptMsgOpenToDecode fails.
  4603. //
  4604. // Note, the envelope recipient hCryptProv's aren't released.
  4605. #define CMSG_CRYPT_RELEASE_CONTEXT_FLAG 0x00008000
  4606. //+-------------------------------------------------------------------------
  4607. // Open a cryptographic message for encoding
  4608. //
  4609. // If CMSG_BARE_CONTENT_FLAG is specified for a streamed message,
  4610. // the streamed output will not have an outer ContentInfo wrapper. This
  4611. // makes it suitable to be streamed into an enclosing message.
  4612. //
  4613. // The pStreamInfo parameter needs to be set to stream the encoded message
  4614. // output.
  4615. //--------------------------------------------------------------------------
  4616. WINCRYPT32API
  4617. HCRYPTMSG
  4618. WINAPI
  4619. CryptMsgOpenToEncode(
  4620. IN DWORD dwMsgEncodingType,
  4621. IN DWORD dwFlags,
  4622. IN DWORD dwMsgType,
  4623. IN void const *pvMsgEncodeInfo,
  4624. IN OPTIONAL LPSTR pszInnerContentObjID,
  4625. IN OPTIONAL PCMSG_STREAM_INFO pStreamInfo
  4626. );
  4627. //+-------------------------------------------------------------------------
  4628. // Calculate the length of an encoded cryptographic message.
  4629. //
  4630. // Calculates the length of the encoded message given the
  4631. // message type, encoding parameters and total length of
  4632. // the data to be updated. Note, this might not be the exact length. However,
  4633. // it will always be greater than or equal to the actual length.
  4634. //--------------------------------------------------------------------------
  4635. WINCRYPT32API
  4636. DWORD
  4637. WINAPI
  4638. CryptMsgCalculateEncodedLength(
  4639. IN DWORD dwMsgEncodingType,
  4640. IN DWORD dwFlags,
  4641. IN DWORD dwMsgType,
  4642. IN void const *pvMsgEncodeInfo,
  4643. IN OPTIONAL LPSTR pszInnerContentObjID,
  4644. IN DWORD cbData
  4645. );
  4646. //+-------------------------------------------------------------------------
  4647. // Open a cryptographic message for decoding
  4648. //
  4649. // hCryptProv specifies the crypto provider to use for hashing and/or
  4650. // decrypting the message. If hCryptProv is NULL, a default crypt provider
  4651. // is used.
  4652. //
  4653. // Currently pRecipientInfo isn't used and should be set to NULL.
  4654. //
  4655. // The pStreamInfo parameter needs to be set to stream the decoded content
  4656. // output.
  4657. //--------------------------------------------------------------------------
  4658. WINCRYPT32API
  4659. HCRYPTMSG
  4660. WINAPI
  4661. CryptMsgOpenToDecode(
  4662. IN DWORD dwMsgEncodingType,
  4663. IN DWORD dwFlags,
  4664. IN DWORD dwMsgType,
  4665. IN HCRYPTPROV hCryptProv,
  4666. IN OPTIONAL PCERT_INFO pRecipientInfo,
  4667. IN OPTIONAL PCMSG_STREAM_INFO pStreamInfo
  4668. );
  4669. //+-------------------------------------------------------------------------
  4670. // Duplicate a cryptographic message handle
  4671. //--------------------------------------------------------------------------
  4672. WINCRYPT32API
  4673. HCRYPTMSG
  4674. WINAPI
  4675. CryptMsgDuplicate(
  4676. IN HCRYPTMSG hCryptMsg
  4677. );
  4678. //+-------------------------------------------------------------------------
  4679. // Close a cryptographic message handle
  4680. //
  4681. // LastError is preserved unless FALSE is returned.
  4682. //--------------------------------------------------------------------------
  4683. WINCRYPT32API
  4684. BOOL
  4685. WINAPI
  4686. CryptMsgClose(
  4687. IN HCRYPTMSG hCryptMsg
  4688. );
  4689. //+-------------------------------------------------------------------------
  4690. // Update the content of a cryptographic message. Depending on how the
  4691. // message was opened, the content is either encoded or decoded.
  4692. //
  4693. // This function is repetitively called to append to the message content.
  4694. // fFinal is set to identify the last update. On fFinal, the encode/decode
  4695. // is completed. The encoded/decoded content and the decoded parameters
  4696. // are valid until the open and all duplicated handles are closed.
  4697. //--------------------------------------------------------------------------
  4698. WINCRYPT32API
  4699. BOOL
  4700. WINAPI
  4701. CryptMsgUpdate(
  4702. IN HCRYPTMSG hCryptMsg,
  4703. IN const BYTE *pbData,
  4704. IN DWORD cbData,
  4705. IN BOOL fFinal
  4706. );
  4707. //+-------------------------------------------------------------------------
  4708. // Get a parameter after encoding/decoding a cryptographic message. Called
  4709. // after the final CryptMsgUpdate. Only the CMSG_CONTENT_PARAM and
  4710. // CMSG_COMPUTED_HASH_PARAM are valid for an encoded message.
  4711. //
  4712. // For an encoded HASHED message, the CMSG_COMPUTED_HASH_PARAM can be got
  4713. // before any CryptMsgUpdates to get its length.
  4714. //
  4715. // The pvData type definition depends on the dwParamType value.
  4716. //
  4717. // Elements pointed to by fields in the pvData structure follow the
  4718. // structure. Therefore, *pcbData may exceed the size of the structure.
  4719. //
  4720. // Upon input, if *pcbData == 0, then, *pcbData is updated with the length
  4721. // of the data and the pvData parameter is ignored.
  4722. //
  4723. // Upon return, *pcbData is updated with the length of the data.
  4724. //
  4725. // The OBJID BLOBs returned in the pvData structures point to
  4726. // their still encoded representation. The appropriate functions
  4727. // must be called to decode the information.
  4728. //
  4729. // See below for a list of the parameters to get.
  4730. //--------------------------------------------------------------------------
  4731. WINCRYPT32API
  4732. BOOL
  4733. WINAPI
  4734. CryptMsgGetParam(
  4735. IN HCRYPTMSG hCryptMsg,
  4736. IN DWORD dwParamType,
  4737. IN DWORD dwIndex,
  4738. OUT void *pvData,
  4739. IN OUT DWORD *pcbData
  4740. );
  4741. //+-------------------------------------------------------------------------
  4742. // Get parameter types and their corresponding data structure definitions.
  4743. //--------------------------------------------------------------------------
  4744. #define CMSG_TYPE_PARAM 1
  4745. #define CMSG_CONTENT_PARAM 2
  4746. #define CMSG_BARE_CONTENT_PARAM 3
  4747. #define CMSG_INNER_CONTENT_TYPE_PARAM 4
  4748. #define CMSG_SIGNER_COUNT_PARAM 5
  4749. #define CMSG_SIGNER_INFO_PARAM 6
  4750. #define CMSG_SIGNER_CERT_INFO_PARAM 7
  4751. #define CMSG_SIGNER_HASH_ALGORITHM_PARAM 8
  4752. #define CMSG_SIGNER_AUTH_ATTR_PARAM 9
  4753. #define CMSG_SIGNER_UNAUTH_ATTR_PARAM 10
  4754. #define CMSG_CERT_COUNT_PARAM 11
  4755. #define CMSG_CERT_PARAM 12
  4756. #define CMSG_CRL_COUNT_PARAM 13
  4757. #define CMSG_CRL_PARAM 14
  4758. #define CMSG_ENVELOPE_ALGORITHM_PARAM 15
  4759. #define CMSG_RECIPIENT_COUNT_PARAM 17
  4760. #define CMSG_RECIPIENT_INDEX_PARAM 18
  4761. #define CMSG_RECIPIENT_INFO_PARAM 19
  4762. #define CMSG_HASH_ALGORITHM_PARAM 20
  4763. #define CMSG_HASH_DATA_PARAM 21
  4764. #define CMSG_COMPUTED_HASH_PARAM 22
  4765. #define CMSG_ENCRYPT_PARAM 26
  4766. #define CMSG_ENCRYPTED_DIGEST 27
  4767. #define CMSG_ENCODED_SIGNER 28
  4768. #define CMSG_ENCODED_MESSAGE 29
  4769. #define CMSG_VERSION_PARAM 30
  4770. #define CMSG_ATTR_CERT_COUNT_PARAM 31
  4771. #define CMSG_ATTR_CERT_PARAM 32
  4772. #define CMSG_CMS_RECIPIENT_COUNT_PARAM 33
  4773. #define CMSG_CMS_RECIPIENT_INDEX_PARAM 34
  4774. #define CMSG_CMS_RECIPIENT_ENCRYPTED_KEY_INDEX_PARAM 35
  4775. #define CMSG_CMS_RECIPIENT_INFO_PARAM 36
  4776. #define CMSG_UNPROTECTED_ATTR_PARAM 37
  4777. #define CMSG_SIGNER_CERT_ID_PARAM 38
  4778. #define CMSG_CMS_SIGNER_INFO_PARAM 39
  4779. //+-------------------------------------------------------------------------
  4780. // CMSG_TYPE_PARAM
  4781. //
  4782. // The type of the decoded message.
  4783. //
  4784. // pvData points to a DWORD
  4785. //--------------------------------------------------------------------------
  4786. //+-------------------------------------------------------------------------
  4787. // CMSG_CONTENT_PARAM
  4788. //
  4789. // The encoded content of a cryptographic message. Depending on how the
  4790. // message was opened, the content is either the whole PKCS#7
  4791. // message (opened to encode) or the inner content (opened to decode).
  4792. // In the decode case, the decrypted content is returned, if enveloped.
  4793. // If not enveloped, and if the inner content is of type DATA, the returned
  4794. // data is the contents octets of the inner content.
  4795. //
  4796. // pvData points to the buffer receiving the content bytes
  4797. //--------------------------------------------------------------------------
  4798. //+-------------------------------------------------------------------------
  4799. // CMSG_BARE_CONTENT_PARAM
  4800. //
  4801. // The encoded content of an encoded cryptographic message, without the
  4802. // outer layer of ContentInfo. That is, only the encoding of the
  4803. // ContentInfo.content field is returned.
  4804. //
  4805. // pvData points to the buffer receiving the content bytes
  4806. //--------------------------------------------------------------------------
  4807. //+-------------------------------------------------------------------------
  4808. // CMSG_INNER_CONTENT_TYPE_PARAM
  4809. //
  4810. // The type of the inner content of a decoded cryptographic message,
  4811. // in the form of a NULL-terminated object identifier string
  4812. // (eg. "1.2.840.113549.1.7.1").
  4813. //
  4814. // pvData points to the buffer receiving the object identifier string
  4815. //--------------------------------------------------------------------------
  4816. //+-------------------------------------------------------------------------
  4817. // CMSG_SIGNER_COUNT_PARAM
  4818. //
  4819. // Count of signers in a SIGNED or SIGNED_AND_ENVELOPED message
  4820. //
  4821. // pvData points to a DWORD
  4822. //--------------------------------------------------------------------------
  4823. //+-------------------------------------------------------------------------
  4824. // CMSG_SIGNER_CERT_INFO_PARAM
  4825. //
  4826. // To get all the signers, repetitively call CryptMsgGetParam, with
  4827. // dwIndex set to 0 .. SignerCount - 1.
  4828. //
  4829. // pvData points to a CERT_INFO struct.
  4830. //
  4831. // Only the following fields have been updated in the CERT_INFO struct:
  4832. // Issuer and SerialNumber.
  4833. //
  4834. // Note, if the KEYID choice was selected for a CMS SignerId, then, the
  4835. // SerialNumber is 0 and the Issuer is encoded containing a single RDN with a
  4836. // single Attribute whose OID is szOID_KEYID_RDN, value type is
  4837. // CERT_RDN_OCTET_STRING and value is the KEYID. When the
  4838. // CertGetSubjectCertificateFromStore and
  4839. // CertFindCertificateInStore(CERT_FIND_SUBJECT_CERT) APIs see this
  4840. // special KEYID Issuer and SerialNumber, they do a KEYID match.
  4841. //--------------------------------------------------------------------------
  4842. //+-------------------------------------------------------------------------
  4843. // CMSG_SIGNER_INFO_PARAM
  4844. //
  4845. // To get all the signers, repetitively call CryptMsgGetParam, with
  4846. // dwIndex set to 0 .. SignerCount - 1.
  4847. //
  4848. // pvData points to a CMSG_SIGNER_INFO struct.
  4849. //
  4850. // Note, if the KEYID choice was selected for a CMS SignerId, then, the
  4851. // SerialNumber is 0 and the Issuer is encoded containing a single RDN with a
  4852. // single Attribute whose OID is szOID_KEYID_RDN, value type is
  4853. // CERT_RDN_OCTET_STRING and value is the KEYID. When the
  4854. // CertGetSubjectCertificateFromStore and
  4855. // CertFindCertificateInStore(CERT_FIND_SUBJECT_CERT) APIs see this
  4856. // special KEYID Issuer and SerialNumber, they do a KEYID match.
  4857. //--------------------------------------------------------------------------
  4858. typedef struct _CMSG_SIGNER_INFO {
  4859. DWORD dwVersion;
  4860. CERT_NAME_BLOB Issuer;
  4861. CRYPT_INTEGER_BLOB SerialNumber;
  4862. CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
  4863. CRYPT_ALGORITHM_IDENTIFIER HashEncryptionAlgorithm;
  4864. CRYPT_DATA_BLOB EncryptedHash;
  4865. CRYPT_ATTRIBUTES AuthAttrs;
  4866. CRYPT_ATTRIBUTES UnauthAttrs;
  4867. } CMSG_SIGNER_INFO, *PCMSG_SIGNER_INFO;
  4868. //+-------------------------------------------------------------------------
  4869. // CMSG_SIGNER_CERT_ID_PARAM
  4870. //
  4871. // To get all the signers, repetitively call CryptMsgGetParam, with
  4872. // dwIndex set to 0 .. SignerCount - 1.
  4873. //
  4874. // pvData points to a CERT_ID struct.
  4875. //--------------------------------------------------------------------------
  4876. //+-------------------------------------------------------------------------
  4877. // CMSG_CMS_SIGNER_INFO_PARAM
  4878. //
  4879. // Same as CMSG_SIGNER_INFO_PARAM, except, contains SignerId instead of
  4880. // Issuer and SerialNumber.
  4881. //
  4882. // To get all the signers, repetitively call CryptMsgGetParam, with
  4883. // dwIndex set to 0 .. SignerCount - 1.
  4884. //
  4885. // pvData points to a CMSG_CMS_SIGNER_INFO struct.
  4886. //--------------------------------------------------------------------------
  4887. typedef struct _CMSG_CMS_SIGNER_INFO {
  4888. DWORD dwVersion;
  4889. CERT_ID SignerId;
  4890. CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
  4891. CRYPT_ALGORITHM_IDENTIFIER HashEncryptionAlgorithm;
  4892. CRYPT_DATA_BLOB EncryptedHash;
  4893. CRYPT_ATTRIBUTES AuthAttrs;
  4894. CRYPT_ATTRIBUTES UnauthAttrs;
  4895. } CMSG_CMS_SIGNER_INFO, *PCMSG_CMS_SIGNER_INFO;
  4896. //+-------------------------------------------------------------------------
  4897. // CMSG_SIGNER_HASH_ALGORITHM_PARAM
  4898. //
  4899. // This parameter specifies the HashAlgorithm that was used for the signer.
  4900. //
  4901. // Set dwIndex to iterate through all the signers.
  4902. //
  4903. // pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
  4904. //--------------------------------------------------------------------------
  4905. //+-------------------------------------------------------------------------
  4906. // CMSG_SIGNER_AUTH_ATTR_PARAM
  4907. //
  4908. // The authenticated attributes for the signer.
  4909. //
  4910. // Set dwIndex to iterate through all the signers.
  4911. //
  4912. // pvData points to a CMSG_ATTR struct.
  4913. //--------------------------------------------------------------------------
  4914. typedef CRYPT_ATTRIBUTES CMSG_ATTR;
  4915. typedef CRYPT_ATTRIBUTES *PCMSG_ATTR;
  4916. //+-------------------------------------------------------------------------
  4917. // CMSG_SIGNER_UNAUTH_ATTR_PARAM
  4918. //
  4919. // The unauthenticated attributes for the signer.
  4920. //
  4921. // Set dwIndex to iterate through all the signers.
  4922. //
  4923. // pvData points to a CMSG_ATTR struct.
  4924. //--------------------------------------------------------------------------
  4925. //+-------------------------------------------------------------------------
  4926. // CMSG_CERT_COUNT_PARAM
  4927. //
  4928. // Count of certificates in a SIGNED or SIGNED_AND_ENVELOPED message.
  4929. //
  4930. // CMS, also supports certificates in an ENVELOPED message.
  4931. //
  4932. // pvData points to a DWORD
  4933. //--------------------------------------------------------------------------
  4934. //+-------------------------------------------------------------------------
  4935. // CMSG_CERT_PARAM
  4936. //
  4937. // To get all the certificates, repetitively call CryptMsgGetParam, with
  4938. // dwIndex set to 0 .. CertCount - 1.
  4939. //
  4940. // pvData points to an array of the certificate's encoded bytes.
  4941. //--------------------------------------------------------------------------
  4942. //+-------------------------------------------------------------------------
  4943. // CMSG_CRL_COUNT_PARAM
  4944. //
  4945. // Count of CRLs in a SIGNED or SIGNED_AND_ENVELOPED message.
  4946. //
  4947. // CMS, also supports CRLs in an ENVELOPED message.
  4948. //
  4949. // pvData points to a DWORD
  4950. //--------------------------------------------------------------------------
  4951. //+-------------------------------------------------------------------------
  4952. // CMSG_CRL_PARAM
  4953. //
  4954. // To get all the CRLs, repetitively call CryptMsgGetParam, with
  4955. // dwIndex set to 0 .. CrlCount - 1.
  4956. //
  4957. // pvData points to an array of the CRL's encoded bytes.
  4958. //--------------------------------------------------------------------------
  4959. //+-------------------------------------------------------------------------
  4960. // CMSG_ENVELOPE_ALGORITHM_PARAM
  4961. //
  4962. // The ContentEncryptionAlgorithm that was used in
  4963. // an ENVELOPED or SIGNED_AND_ENVELOPED message.
  4964. //
  4965. // For streaming you must be able to successfully get this parameter before
  4966. // doing a CryptMsgControl decrypt.
  4967. //
  4968. // pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
  4969. //--------------------------------------------------------------------------
  4970. //+-------------------------------------------------------------------------
  4971. // CMSG_RECIPIENT_COUNT_PARAM
  4972. //
  4973. // Count of recipients in an ENVELOPED or SIGNED_AND_ENVELOPED message.
  4974. //
  4975. // Count of key transport recepients.
  4976. //
  4977. // The CMSG_CMS_RECIPIENT_COUNT_PARAM has the total count of
  4978. // recipients (it also includes key agree and mail list recipients).
  4979. //
  4980. // pvData points to a DWORD
  4981. //--------------------------------------------------------------------------
  4982. //+-------------------------------------------------------------------------
  4983. // CMSG_RECIPIENT_INDEX_PARAM
  4984. //
  4985. // Index of the recipient used to decrypt an ENVELOPED or SIGNED_AND_ENVELOPED
  4986. // message.
  4987. //
  4988. // Index of a key transport recipient. If a non key transport
  4989. // recipient was used to decrypt, fails with LastError set to
  4990. // CRYPT_E_INVALID_INDEX.
  4991. //
  4992. // pvData points to a DWORD
  4993. //--------------------------------------------------------------------------
  4994. //+-------------------------------------------------------------------------
  4995. // CMSG_RECIPIENT_INFO_PARAM
  4996. //
  4997. // To get all the recipients, repetitively call CryptMsgGetParam, with
  4998. // dwIndex set to 0 .. RecipientCount - 1.
  4999. //
  5000. // Only returns the key transport recepients.
  5001. //
  5002. // The CMSG_CMS_RECIPIENT_INFO_PARAM returns all recipients.
  5003. //
  5004. // pvData points to a CERT_INFO struct.
  5005. //
  5006. // Only the following fields have been updated in the CERT_INFO struct:
  5007. // Issuer, SerialNumber and PublicKeyAlgorithm. The PublicKeyAlgorithm
  5008. // specifies the KeyEncryptionAlgorithm that was used.
  5009. //
  5010. // Note, if the KEYID choice was selected for a key transport recipient, then,
  5011. // the SerialNumber is 0 and the Issuer is encoded containing a single RDN
  5012. // with a single Attribute whose OID is szOID_KEYID_RDN, value type is
  5013. // CERT_RDN_OCTET_STRING and value is the KEYID. When the
  5014. // CertGetSubjectCertificateFromStore and
  5015. // CertFindCertificateInStore(CERT_FIND_SUBJECT_CERT) APIs see this
  5016. // special KEYID Issuer and SerialNumber, they do a KEYID match.
  5017. //--------------------------------------------------------------------------
  5018. //+-------------------------------------------------------------------------
  5019. // CMSG_HASH_ALGORITHM_PARAM
  5020. //
  5021. // The HashAlgorithm in a HASHED message.
  5022. //
  5023. // pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
  5024. //--------------------------------------------------------------------------
  5025. //+-------------------------------------------------------------------------
  5026. // CMSG_HASH_DATA_PARAM
  5027. //
  5028. // The hash in a HASHED message.
  5029. //
  5030. // pvData points to an array of bytes.
  5031. //--------------------------------------------------------------------------
  5032. //+-------------------------------------------------------------------------
  5033. // CMSG_COMPUTED_HASH_PARAM
  5034. //
  5035. // The computed hash for a HASHED message.
  5036. // This may be called for either an encoded or decoded message.
  5037. //
  5038. // Also, the computed hash for one of the signer's in a SIGNED message.
  5039. // It may be called for either an encoded or decoded message after the
  5040. // final update. Set dwIndex to iterate through all the signers.
  5041. //
  5042. // pvData points to an array of bytes.
  5043. //--------------------------------------------------------------------------
  5044. //+-------------------------------------------------------------------------
  5045. // CMSG_ENCRYPT_PARAM
  5046. //
  5047. // The ContentEncryptionAlgorithm that was used in an ENCRYPTED message.
  5048. //
  5049. // pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
  5050. //--------------------------------------------------------------------------
  5051. //+-------------------------------------------------------------------------
  5052. // CMSG_ENCODED_MESSAGE
  5053. //
  5054. // The full encoded message. This is useful in the case of a decoded
  5055. // message which has been modified (eg. a signed-data or
  5056. // signed-and-enveloped-data message which has been countersigned).
  5057. //
  5058. // pvData points to an array of the message's encoded bytes.
  5059. //--------------------------------------------------------------------------
  5060. //+-------------------------------------------------------------------------
  5061. // CMSG_VERSION_PARAM
  5062. //
  5063. // The version of the decoded message.
  5064. //
  5065. // pvData points to a DWORD
  5066. //--------------------------------------------------------------------------
  5067. #define CMSG_SIGNED_DATA_V1 1
  5068. #define CMSG_SIGNED_DATA_V3 3
  5069. #define CMSG_SIGNED_DATA_PKCS_1_5_VERSION CMSG_SIGNED_DATA_V1
  5070. #define CMSG_SIGNED_DATA_CMS_VERSION CMSG_SIGNED_DATA_V3
  5071. #define CMSG_SIGNER_INFO_V1 1
  5072. #define CMSG_SIGNER_INFO_V3 3
  5073. #define CMSG_SIGNER_INFO_PKCS_1_5_VERSION CMSG_SIGNER_INFO_V1
  5074. #define CMSG_SIGNER_INFO_CMS_VERSION CMSG_SIGNER_INFO_V3
  5075. #define CMSG_HASHED_DATA_V0 0
  5076. #define CMSG_HASHED_DATA_V2 2
  5077. #define CMSG_HASHED_DATA_PKCS_1_5_VERSION CMSG_HASHED_DATA_V0
  5078. #define CMSG_HASHED_DATA_CMS_VERSION CMSG_HASHED_DATA_V2
  5079. #define CMSG_ENVELOPED_DATA_V0 0
  5080. #define CMSG_ENVELOPED_DATA_V2 2
  5081. #define CMSG_ENVELOPED_DATA_PKCS_1_5_VERSION CMSG_ENVELOPED_DATA_V0
  5082. #define CMSG_ENVELOPED_DATA_CMS_VERSION CMSG_ENVELOPED_DATA_V2
  5083. //+-------------------------------------------------------------------------
  5084. // CMSG_ATTR_CERT_COUNT_PARAM
  5085. //
  5086. // Count of attribute certificates in a SIGNED or ENVELOPED message.
  5087. //
  5088. // pvData points to a DWORD
  5089. //--------------------------------------------------------------------------
  5090. //+-------------------------------------------------------------------------
  5091. // CMSG_ATTR_CERT_PARAM
  5092. //
  5093. // To get all the attribute certificates, repetitively call CryptMsgGetParam,
  5094. // with dwIndex set to 0 .. AttrCertCount - 1.
  5095. //
  5096. // pvData points to an array of the attribute certificate's encoded bytes.
  5097. //--------------------------------------------------------------------------
  5098. //+-------------------------------------------------------------------------
  5099. // CMSG_CMS_RECIPIENT_COUNT_PARAM
  5100. //
  5101. // Count of all CMS recipients in an ENVELOPED message.
  5102. //
  5103. // pvData points to a DWORD
  5104. //--------------------------------------------------------------------------
  5105. //+-------------------------------------------------------------------------
  5106. // CMSG_CMS_RECIPIENT_INDEX_PARAM
  5107. //
  5108. // Index of the CMS recipient used to decrypt an ENVELOPED message.
  5109. //
  5110. // pvData points to a DWORD
  5111. //--------------------------------------------------------------------------
  5112. //+-------------------------------------------------------------------------
  5113. // CMSG_CMS_RECIPIENT_ENCRYPTED_KEY_INDEX_PARAM
  5114. //
  5115. // For a CMS key agreement recipient, the index of the encrypted key
  5116. // used to decrypt an ENVELOPED message.
  5117. //
  5118. // pvData points to a DWORD
  5119. //--------------------------------------------------------------------------
  5120. //+-------------------------------------------------------------------------
  5121. // CMSG_CMS_RECIPIENT_INFO_PARAM
  5122. //
  5123. // To get all the CMS recipients, repetitively call CryptMsgGetParam, with
  5124. // dwIndex set to 0 .. CmsRecipientCount - 1.
  5125. //
  5126. // pvData points to a CMSG_CMS_RECIPIENT_INFO struct.
  5127. //--------------------------------------------------------------------------
  5128. typedef struct _CMSG_KEY_TRANS_RECIPIENT_INFO {
  5129. DWORD dwVersion;
  5130. // Currently, only ISSUER_SERIAL_NUMBER or KEYID choices
  5131. CERT_ID RecipientId;
  5132. CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
  5133. CRYPT_DATA_BLOB EncryptedKey;
  5134. } CMSG_KEY_TRANS_RECIPIENT_INFO, *PCMSG_KEY_TRANS_RECIPIENT_INFO;
  5135. typedef struct _CMSG_RECIPIENT_ENCRYPTED_KEY_INFO {
  5136. // Currently, only ISSUER_SERIAL_NUMBER or KEYID choices
  5137. CERT_ID RecipientId;
  5138. CRYPT_DATA_BLOB EncryptedKey;
  5139. // The following optional fields are only applicable to KEYID choice
  5140. FILETIME Date;
  5141. PCRYPT_ATTRIBUTE_TYPE_VALUE pOtherAttr;
  5142. } CMSG_RECIPIENT_ENCRYPTED_KEY_INFO, *PCMSG_RECIPIENT_ENCRYPTED_KEY_INFO;
  5143. typedef struct _CMSG_KEY_AGREE_RECIPIENT_INFO {
  5144. DWORD dwVersion;
  5145. DWORD dwOriginatorChoice;
  5146. union {
  5147. // CMSG_KEY_AGREE_ORIGINATOR_CERT
  5148. CERT_ID OriginatorCertId;
  5149. // CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY
  5150. CERT_PUBLIC_KEY_INFO OriginatorPublicKeyInfo;
  5151. };
  5152. CRYPT_DATA_BLOB UserKeyingMaterial;
  5153. CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
  5154. DWORD cRecipientEncryptedKeys;
  5155. PCMSG_RECIPIENT_ENCRYPTED_KEY_INFO *rgpRecipientEncryptedKeys;
  5156. } CMSG_KEY_AGREE_RECIPIENT_INFO, *PCMSG_KEY_AGREE_RECIPIENT_INFO;
  5157. #define CMSG_KEY_AGREE_ORIGINATOR_CERT 1
  5158. #define CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY 2
  5159. typedef struct _CMSG_MAIL_LIST_RECIPIENT_INFO {
  5160. DWORD dwVersion;
  5161. CRYPT_DATA_BLOB KeyId;
  5162. CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
  5163. CRYPT_DATA_BLOB EncryptedKey;
  5164. // The following fields are optional
  5165. FILETIME Date;
  5166. PCRYPT_ATTRIBUTE_TYPE_VALUE pOtherAttr;
  5167. } CMSG_MAIL_LIST_RECIPIENT_INFO, *PCMSG_MAIL_LIST_RECIPIENT_INFO;
  5168. typedef struct _CMSG_CMS_RECIPIENT_INFO {
  5169. DWORD dwRecipientChoice;
  5170. union {
  5171. // CMSG_KEY_TRANS_RECIPIENT
  5172. PCMSG_KEY_TRANS_RECIPIENT_INFO pKeyTrans;
  5173. // CMSG_KEY_AGREE_RECIPIENT
  5174. PCMSG_KEY_AGREE_RECIPIENT_INFO pKeyAgree;
  5175. // CMSG_MAIL_LIST_RECIPIENT
  5176. PCMSG_MAIL_LIST_RECIPIENT_INFO pMailList;
  5177. };
  5178. } CMSG_CMS_RECIPIENT_INFO, *PCMSG_CMS_RECIPIENT_INFO;
  5179. // dwVersion numbers for the KeyTrans, KeyAgree and MailList recipients
  5180. #define CMSG_ENVELOPED_RECIPIENT_V0 0
  5181. #define CMSG_ENVELOPED_RECIPIENT_V2 2
  5182. #define CMSG_ENVELOPED_RECIPIENT_V3 3
  5183. #define CMSG_ENVELOPED_RECIPIENT_V4 4
  5184. #define CMSG_KEY_TRANS_PKCS_1_5_VERSION CMSG_ENVELOPED_RECIPIENT_V0
  5185. #define CMSG_KEY_TRANS_CMS_VERSION CMSG_ENVELOPED_RECIPIENT_V2
  5186. #define CMSG_KEY_AGREE_VERSION CMSG_ENVELOPED_RECIPIENT_V3
  5187. #define CMSG_MAIL_LIST_VERSION CMSG_ENVELOPED_RECIPIENT_V4
  5188. //+-------------------------------------------------------------------------
  5189. // CMSG_UNPROTECTED_ATTR_PARAM
  5190. //
  5191. // The unprotected attributes in the envelped message.
  5192. //
  5193. // pvData points to a CMSG_ATTR struct.
  5194. //--------------------------------------------------------------------------
  5195. //+-------------------------------------------------------------------------
  5196. // Perform a special "control" function after the final CryptMsgUpdate of a
  5197. // encoded/decoded cryptographic message.
  5198. //
  5199. // The dwCtrlType parameter specifies the type of operation to be performed.
  5200. //
  5201. // The pvCtrlPara definition depends on the dwCtrlType value.
  5202. //
  5203. // See below for a list of the control operations and their pvCtrlPara
  5204. // type definition.
  5205. //--------------------------------------------------------------------------
  5206. WINCRYPT32API
  5207. BOOL
  5208. WINAPI
  5209. CryptMsgControl(
  5210. IN HCRYPTMSG hCryptMsg,
  5211. IN DWORD dwFlags,
  5212. IN DWORD dwCtrlType,
  5213. IN void const *pvCtrlPara
  5214. );
  5215. //+-------------------------------------------------------------------------
  5216. // Message control types
  5217. //--------------------------------------------------------------------------
  5218. #define CMSG_CTRL_VERIFY_SIGNATURE 1
  5219. #define CMSG_CTRL_DECRYPT 2
  5220. #define CMSG_CTRL_VERIFY_HASH 5
  5221. #define CMSG_CTRL_ADD_SIGNER 6
  5222. #define CMSG_CTRL_DEL_SIGNER 7
  5223. #define CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR 8
  5224. #define CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR 9
  5225. #define CMSG_CTRL_ADD_CERT 10
  5226. #define CMSG_CTRL_DEL_CERT 11
  5227. #define CMSG_CTRL_ADD_CRL 12
  5228. #define CMSG_CTRL_DEL_CRL 13
  5229. #define CMSG_CTRL_ADD_ATTR_CERT 14
  5230. #define CMSG_CTRL_DEL_ATTR_CERT 15
  5231. #define CMSG_CTRL_KEY_TRANS_DECRYPT 16
  5232. #define CMSG_CTRL_KEY_AGREE_DECRYPT 17
  5233. #define CMSG_CTRL_MAIL_LIST_DECRYPT 18
  5234. #define CMSG_CTRL_VERIFY_SIGNATURE_EX 19
  5235. #define CMSG_CTRL_ADD_CMS_SIGNER_INFO 20
  5236. //+-------------------------------------------------------------------------
  5237. // CMSG_CTRL_VERIFY_SIGNATURE
  5238. //
  5239. // Verify the signature of a SIGNED or SIGNED_AND_ENVELOPED
  5240. // message after it has been decoded.
  5241. //
  5242. // For a SIGNED_AND_ENVELOPED message, called after
  5243. // CryptMsgControl(CMSG_CTRL_DECRYPT), if CryptMsgOpenToDecode was called
  5244. // with a NULL pRecipientInfo.
  5245. //
  5246. // pvCtrlPara points to a CERT_INFO struct.
  5247. //
  5248. // The CERT_INFO contains the Issuer and SerialNumber identifying
  5249. // the Signer of the message. The CERT_INFO also contains the
  5250. // PublicKeyInfo
  5251. // used to verify the signature. The cryptographic provider specified
  5252. // in CryptMsgOpenToDecode is used.
  5253. //
  5254. // Note, if the message contains CMS signers identified by KEYID, then,
  5255. // the CERT_INFO's Issuer and SerialNumber is ignored and only the public
  5256. // key is used to find a signer whose signature verifies.
  5257. //
  5258. // The following CMSG_CTRL_VERIFY_SIGNATURE_EX should be used instead.
  5259. //--------------------------------------------------------------------------
  5260. //+-------------------------------------------------------------------------
  5261. // CMSG_CTRL_VERIFY_SIGNATURE_EX
  5262. //
  5263. // Verify the signature of a SIGNED message after it has been decoded.
  5264. //
  5265. // pvCtrlPara points to the following CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA.
  5266. //
  5267. // If hCryptProv is NULL, uses the cryptographic provider specified in
  5268. // CryptMsgOpenToDecode. If CryptMsgOpenToDecode's hCryptProv is also NULL,
  5269. // gets default provider according to the signer's public key OID.
  5270. //
  5271. // dwSignerIndex is the index of the signer to use to verify the signature.
  5272. //
  5273. // The signer can be a pointer to a CERT_PUBLIC_KEY_INFO, certificate
  5274. // context or a chain context.
  5275. //
  5276. // If the signer's HashEncryptionAlgorithm is szOID_PKIX_NO_SIGNATURE, then,
  5277. // the signature is expected to contain the hash octets. Only dwSignerType
  5278. // of CMSG_VERIFY_SIGNER_NULL may be specified to verify this no signature
  5279. // case.
  5280. //--------------------------------------------------------------------------
  5281. typedef struct _CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA {
  5282. DWORD cbSize;
  5283. HCRYPTPROV hCryptProv;
  5284. DWORD dwSignerIndex;
  5285. DWORD dwSignerType;
  5286. void *pvSigner;
  5287. } CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA, *PCMSG_CTRL_VERIFY_SIGNATURE_EX_PARA;
  5288. // Signer Types
  5289. #define CMSG_VERIFY_SIGNER_PUBKEY 1
  5290. // pvSigner :: PCERT_PUBLIC_KEY_INFO
  5291. #define CMSG_VERIFY_SIGNER_CERT 2
  5292. // pvSigner :: PCCERT_CONTEXT
  5293. #define CMSG_VERIFY_SIGNER_CHAIN 3
  5294. // pvSigner :: PCCERT_CHAIN_CONTEXT
  5295. #define CMSG_VERIFY_SIGNER_NULL 4
  5296. // pvSigner :: NULL
  5297. //+-------------------------------------------------------------------------
  5298. // CMSG_CTRL_DECRYPT
  5299. //
  5300. // Decrypt an ENVELOPED or SIGNED_AND_ENVELOPED message after it has been
  5301. // decoded.
  5302. //
  5303. // This decrypt is only applicable to key transport recipients.
  5304. //
  5305. // hCryptProv and dwKeySpec specify the private key to use. For dwKeySpec ==
  5306. // 0, defaults to AT_KEYEXCHANGE.
  5307. //
  5308. // If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
  5309. // to CryptMsgControl, then, the hCryptProv is released on the final
  5310. // CryptMsgClose. Not released if CryptMsgControl fails.
  5311. //
  5312. // dwRecipientIndex is the index of the recipient in the message associated
  5313. // with the hCryptProv's private key.
  5314. //
  5315. // The dwRecipientIndex is the index of a key transport recipient.
  5316. //
  5317. // Note, the message can only be decrypted once.
  5318. //--------------------------------------------------------------------------
  5319. typedef struct _CMSG_CTRL_DECRYPT_PARA {
  5320. DWORD cbSize;
  5321. HCRYPTPROV hCryptProv;
  5322. DWORD dwKeySpec;
  5323. DWORD dwRecipientIndex;
  5324. } CMSG_CTRL_DECRYPT_PARA, *PCMSG_CTRL_DECRYPT_PARA;
  5325. //+-------------------------------------------------------------------------
  5326. // CMSG_CTRL_KEY_TRANS_DECRYPT
  5327. //
  5328. // Decrypt an ENVELOPED message after it has been decoded for a key
  5329. // transport recipient.
  5330. //
  5331. // hCryptProv and dwKeySpec specify the private key to use. For dwKeySpec ==
  5332. // 0, defaults to AT_KEYEXCHANGE.
  5333. //
  5334. // If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
  5335. // to CryptMsgControl, then, the hCryptProv is released on the final
  5336. // CryptMsgClose. Not released if CryptMsgControl fails.
  5337. //
  5338. // pKeyTrans points to the CMSG_KEY_TRANS_RECIPIENT_INFO obtained via
  5339. // CryptMsgGetParam(CMSG_CMS_RECIPIENT_INFO_PARAM)
  5340. //
  5341. // dwRecipientIndex is the index of the recipient in the message associated
  5342. // with the hCryptProv's private key.
  5343. //
  5344. // Note, the message can only be decrypted once.
  5345. //--------------------------------------------------------------------------
  5346. typedef struct _CMSG_CTRL_KEY_TRANS_DECRYPT_PARA {
  5347. DWORD cbSize;
  5348. HCRYPTPROV hCryptProv;
  5349. DWORD dwKeySpec;
  5350. PCMSG_KEY_TRANS_RECIPIENT_INFO pKeyTrans;
  5351. DWORD dwRecipientIndex;
  5352. } CMSG_CTRL_KEY_TRANS_DECRYPT_PARA, *PCMSG_CTRL_KEY_TRANS_DECRYPT_PARA;
  5353. //+-------------------------------------------------------------------------
  5354. // CMSG_CTRL_KEY_AGREE_DECRYPT
  5355. //
  5356. // Decrypt an ENVELOPED message after it has been decoded for a key
  5357. // agreement recipient.
  5358. //
  5359. // hCryptProv and dwKeySpec specify the private key to use. For dwKeySpec ==
  5360. // 0, defaults to AT_KEYEXCHANGE.
  5361. //
  5362. // If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
  5363. // to CryptMsgControl, then, the hCryptProv is released on the final
  5364. // CryptMsgClose. Not released if CryptMsgControl fails.
  5365. //
  5366. // pKeyAgree points to the CMSG_KEY_AGREE_RECIPIENT_INFO obtained via
  5367. // CryptMsgGetParam(CMSG_CMS_RECIPIENT_INFO_PARAM) for dwRecipientIndex.
  5368. //
  5369. // dwRecipientIndex, dwRecipientEncryptedKeyIndex are the indices of the
  5370. // recipient's encrypted key in the message associated with the hCryptProv's
  5371. // private key.
  5372. //
  5373. // OriginatorPublicKey is the originator's public key obtained from either
  5374. // the originator's certificate or the CMSG_KEY_AGREE_RECIPIENT_INFO obtained
  5375. // via the CMSG_CMS_RECIPIENT_INFO_PARAM.
  5376. //
  5377. // Note, the message can only be decrypted once.
  5378. //--------------------------------------------------------------------------
  5379. typedef struct _CMSG_CTRL_KEY_AGREE_DECRYPT_PARA {
  5380. DWORD cbSize;
  5381. HCRYPTPROV hCryptProv;
  5382. DWORD dwKeySpec;
  5383. PCMSG_KEY_AGREE_RECIPIENT_INFO pKeyAgree;
  5384. DWORD dwRecipientIndex;
  5385. DWORD dwRecipientEncryptedKeyIndex;
  5386. CRYPT_BIT_BLOB OriginatorPublicKey;
  5387. } CMSG_CTRL_KEY_AGREE_DECRYPT_PARA, *PCMSG_CTRL_KEY_AGREE_DECRYPT_PARA;
  5388. //+-------------------------------------------------------------------------
  5389. // CMSG_CTRL_MAIL_LIST_DECRYPT
  5390. //
  5391. // Decrypt an ENVELOPED message after it has been decoded for a mail
  5392. // list recipient.
  5393. //
  5394. // pMailList points to the CMSG_MAIL_LIST_RECIPIENT_INFO obtained via
  5395. // CryptMsgGetParam(CMSG_CMS_RECIPIENT_INFO_PARAM) for dwRecipientIndex.
  5396. //
  5397. // There is 1 choice for the KeyEncryptionKey: an already created CSP key
  5398. // handle. For the key handle choice, hCryptProv must be nonzero. This key
  5399. // handle isn't destroyed.
  5400. //
  5401. // If CMSG_CRYPT_RELEASE_CONTEXT_FLAG is set in the dwFlags passed
  5402. // to CryptMsgControl, then, the hCryptProv is released on the final
  5403. // CryptMsgClose. Not released if CryptMsgControl fails.
  5404. //
  5405. // For RC2 wrap, the effective key length is obtained from the
  5406. // KeyEncryptionAlgorithm parameters and set on the hKeyEncryptionKey before
  5407. // decrypting.
  5408. //
  5409. // Note, the message can only be decrypted once.
  5410. //--------------------------------------------------------------------------
  5411. typedef struct _CMSG_CTRL_MAIL_LIST_DECRYPT_PARA {
  5412. DWORD cbSize;
  5413. HCRYPTPROV hCryptProv;
  5414. PCMSG_MAIL_LIST_RECIPIENT_INFO pMailList;
  5415. DWORD dwRecipientIndex;
  5416. DWORD dwKeyChoice;
  5417. union {
  5418. // CMSG_MAIL_LIST_HANDLE_KEY_CHOICE
  5419. HCRYPTKEY hKeyEncryptionKey;
  5420. // Reserve space for a potential pointer choice
  5421. void *pvKeyEncryptionKey;
  5422. };
  5423. } CMSG_CTRL_MAIL_LIST_DECRYPT_PARA, *PCMSG_CTRL_MAIL_LIST_DECRYPT_PARA;
  5424. //+-------------------------------------------------------------------------
  5425. // CMSG_CTRL_VERIFY_HASH
  5426. //
  5427. // Verify the hash of a HASHED message after it has been decoded.
  5428. //
  5429. // Only the hCryptMsg parameter is used, to specify the message whose
  5430. // hash is being verified.
  5431. //--------------------------------------------------------------------------
  5432. //+-------------------------------------------------------------------------
  5433. // CMSG_CTRL_ADD_SIGNER
  5434. //
  5435. // Add a signer to a signed-data message.
  5436. //
  5437. // pvCtrlPara points to a CMSG_SIGNER_ENCODE_INFO.
  5438. //--------------------------------------------------------------------------
  5439. //+-------------------------------------------------------------------------
  5440. // CMSG_CTRL_ADD_CMS_SIGNER_INFO
  5441. //
  5442. // Add a signer to a signed-data message.
  5443. //
  5444. // Differs from the above, CMSG_CTRL_ADD_SIGNER, wherein, the signer info
  5445. // already contains the signature.
  5446. //
  5447. // pvCtrlPara points to a CMSG_CMS_SIGNER_INFO.
  5448. //--------------------------------------------------------------------------
  5449. //+-------------------------------------------------------------------------
  5450. // CMSG_CTRL_DEL_SIGNER
  5451. //
  5452. // Remove a signer from a signed-data or signed-and-enveloped-data message.
  5453. //
  5454. // pvCtrlPara points to a DWORD containing the 0-based index of the
  5455. // signer to be removed.
  5456. //--------------------------------------------------------------------------
  5457. //+-------------------------------------------------------------------------
  5458. // CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR
  5459. //
  5460. // Add an unauthenticated attribute to the SignerInfo of a signed-data or
  5461. // signed-and-enveloped-data message.
  5462. //
  5463. // The unauthenticated attribute is input in the form of an encoded blob.
  5464. //--------------------------------------------------------------------------
  5465. typedef struct _CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR_PARA {
  5466. DWORD cbSize;
  5467. DWORD dwSignerIndex;
  5468. CRYPT_DATA_BLOB blob;
  5469. } CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR_PARA, *PCMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR_PARA;
  5470. //+-------------------------------------------------------------------------
  5471. // CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR
  5472. //
  5473. // Delete an unauthenticated attribute from the SignerInfo of a signed-data
  5474. // or signed-and-enveloped-data message.
  5475. //
  5476. // The unauthenticated attribute to be removed is specified by
  5477. // a 0-based index.
  5478. //--------------------------------------------------------------------------
  5479. typedef struct _CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR_PARA {
  5480. DWORD cbSize;
  5481. DWORD dwSignerIndex;
  5482. DWORD dwUnauthAttrIndex;
  5483. } CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR_PARA, *PCMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR_PARA;
  5484. //+-------------------------------------------------------------------------
  5485. // CMSG_CTRL_ADD_CERT
  5486. //
  5487. // Add a certificate to a signed-data or signed-and-enveloped-data message.
  5488. //
  5489. // pvCtrlPara points to a CRYPT_DATA_BLOB containing the certificate's
  5490. // encoded bytes.
  5491. //--------------------------------------------------------------------------
  5492. //+-------------------------------------------------------------------------
  5493. // CMSG_CTRL_DEL_CERT
  5494. //
  5495. // Delete a certificate from a signed-data or signed-and-enveloped-data
  5496. // message.
  5497. //
  5498. // pvCtrlPara points to a DWORD containing the 0-based index of the
  5499. // certificate to be removed.
  5500. //--------------------------------------------------------------------------
  5501. //+-------------------------------------------------------------------------
  5502. // CMSG_CTRL_ADD_CRL
  5503. //
  5504. // Add a CRL to a signed-data or signed-and-enveloped-data message.
  5505. //
  5506. // pvCtrlPara points to a CRYPT_DATA_BLOB containing the CRL's
  5507. // encoded bytes.
  5508. //--------------------------------------------------------------------------
  5509. //+-------------------------------------------------------------------------
  5510. // CMSG_CTRL_DEL_CRL
  5511. //
  5512. // Delete a CRL from a signed-data or signed-and-enveloped-data message.
  5513. //
  5514. // pvCtrlPara points to a DWORD containing the 0-based index of the CRL
  5515. // to be removed.
  5516. //--------------------------------------------------------------------------
  5517. //+-------------------------------------------------------------------------
  5518. // CMSG_CTRL_ADD_ATTR_CERT
  5519. //
  5520. // Add an attribute certificate to a signed-data message.
  5521. //
  5522. // pvCtrlPara points to a CRYPT_DATA_BLOB containing the attribute
  5523. // certificate's encoded bytes.
  5524. //--------------------------------------------------------------------------
  5525. //+-------------------------------------------------------------------------
  5526. // CMSG_CTRL_DEL_ATTR_CERT
  5527. //
  5528. // Delete an attribute certificate from a signed-data message.
  5529. //
  5530. // pvCtrlPara points to a DWORD containing the 0-based index of the
  5531. // attribute certificate to be removed.
  5532. //--------------------------------------------------------------------------
  5533. //+-------------------------------------------------------------------------
  5534. // Verify a countersignature, at the SignerInfo level.
  5535. // ie. verify that pbSignerInfoCountersignature contains the encrypted
  5536. // hash of the encryptedDigest field of pbSignerInfo.
  5537. //
  5538. // hCryptProv is used to hash the encryptedDigest field of pbSignerInfo.
  5539. // The only fields referenced from pciCountersigner are SerialNumber, Issuer,
  5540. // and SubjectPublicKeyInfo.
  5541. //--------------------------------------------------------------------------
  5542. BOOL
  5543. WINAPI
  5544. CryptMsgVerifyCountersignatureEncoded(
  5545. IN HCRYPTPROV hCryptProv,
  5546. IN DWORD dwEncodingType,
  5547. IN PBYTE pbSignerInfo,
  5548. IN DWORD cbSignerInfo,
  5549. IN PBYTE pbSignerInfoCountersignature,
  5550. IN DWORD cbSignerInfoCountersignature,
  5551. IN PCERT_INFO pciCountersigner
  5552. );
  5553. //+-------------------------------------------------------------------------
  5554. // Verify a countersignature, at the SignerInfo level.
  5555. // ie. verify that pbSignerInfoCountersignature contains the encrypted
  5556. // hash of the encryptedDigest field of pbSignerInfo.
  5557. //
  5558. // hCryptProv is used to hash the encryptedDigest field of pbSignerInfo.
  5559. //
  5560. // The signer can be a CERT_PUBLIC_KEY_INFO, certificate context or a
  5561. // chain context.
  5562. //--------------------------------------------------------------------------
  5563. BOOL
  5564. WINAPI
  5565. CryptMsgVerifyCountersignatureEncodedEx(
  5566. IN HCRYPTPROV hCryptProv,
  5567. IN DWORD dwEncodingType,
  5568. IN PBYTE pbSignerInfo,
  5569. IN DWORD cbSignerInfo,
  5570. IN PBYTE pbSignerInfoCountersignature,
  5571. IN DWORD cbSignerInfoCountersignature,
  5572. IN DWORD dwSignerType,
  5573. IN void *pvSigner,
  5574. IN DWORD dwFlags,
  5575. IN OPTIONAL void *pvReserved
  5576. );
  5577. // See CMSG_CTRL_VERIFY_SIGNATURE_EX_PARA for dwSignerType definitions
  5578. //+-------------------------------------------------------------------------
  5579. // Countersign an already-existing signature in a message
  5580. //
  5581. // dwIndex is a zero-based index of the SignerInfo to be countersigned.
  5582. //--------------------------------------------------------------------------
  5583. BOOL
  5584. WINAPI
  5585. CryptMsgCountersign(
  5586. IN OUT HCRYPTMSG hCryptMsg,
  5587. IN DWORD dwIndex,
  5588. IN DWORD cCountersigners,
  5589. IN PCMSG_SIGNER_ENCODE_INFO rgCountersigners
  5590. );
  5591. //+-------------------------------------------------------------------------
  5592. // Countersign an already-existing signature (encoded SignerInfo).
  5593. // Output an encoded SignerInfo blob, suitable for use as a countersignature
  5594. // attribute in the unauthenticated attributes of a signed-data or
  5595. // signed-and-enveloped-data message.
  5596. //--------------------------------------------------------------------------
  5597. BOOL
  5598. WINAPI
  5599. CryptMsgCountersignEncoded(
  5600. IN DWORD dwEncodingType,
  5601. IN PBYTE pbSignerInfo,
  5602. IN DWORD cbSignerInfo,
  5603. IN DWORD cCountersigners,
  5604. IN PCMSG_SIGNER_ENCODE_INFO rgCountersigners,
  5605. OUT PBYTE pbCountersignature,
  5606. IN OUT PDWORD pcbCountersignature
  5607. );
  5608. //+-------------------------------------------------------------------------
  5609. // CryptMsg OID installable functions
  5610. //--------------------------------------------------------------------------
  5611. typedef void * (WINAPI *PFN_CMSG_ALLOC) (
  5612. IN size_t cb
  5613. );
  5614. typedef void (WINAPI *PFN_CMSG_FREE)(
  5615. IN void *pv
  5616. );
  5617. // Note, the following 3 installable functions are obsolete and have been
  5618. // replaced with GenContentEncryptKey, ExportKeyTrans, ExportKeyAgree,
  5619. // ExportMailList, ImportKeyTrans, ImportKeyAgree and ImportMailList
  5620. // installable functions.
  5621. // If *phCryptProv is NULL upon entry, then, if supported, the installable
  5622. // function should acquire a default provider and return. Note, its up
  5623. // to the installable function to release at process detach.
  5624. //
  5625. // If paiEncrypt->Parameters.cbData is 0, then, the callback may optionally
  5626. // return default encoded parameters in *ppbEncryptParameters and
  5627. // *pcbEncryptParameters. pfnAlloc must be called for the allocation.
  5628. #define CMSG_OID_GEN_ENCRYPT_KEY_FUNC "CryptMsgDllGenEncryptKey"
  5629. typedef BOOL (WINAPI *PFN_CMSG_GEN_ENCRYPT_KEY) (
  5630. IN OUT HCRYPTPROV *phCryptProv,
  5631. IN PCRYPT_ALGORITHM_IDENTIFIER paiEncrypt,
  5632. IN PVOID pvEncryptAuxInfo,
  5633. IN PCERT_PUBLIC_KEY_INFO pPublicKeyInfo,
  5634. IN PFN_CMSG_ALLOC pfnAlloc,
  5635. OUT HCRYPTKEY *phEncryptKey,
  5636. OUT PBYTE *ppbEncryptParameters,
  5637. OUT PDWORD pcbEncryptParameters
  5638. );
  5639. #define CMSG_OID_EXPORT_ENCRYPT_KEY_FUNC "CryptMsgDllExportEncryptKey"
  5640. typedef BOOL (WINAPI *PFN_CMSG_EXPORT_ENCRYPT_KEY) (
  5641. IN HCRYPTPROV hCryptProv,
  5642. IN HCRYPTKEY hEncryptKey,
  5643. IN PCERT_PUBLIC_KEY_INFO pPublicKeyInfo,
  5644. OUT PBYTE pbData,
  5645. IN OUT PDWORD pcbData
  5646. );
  5647. #define CMSG_OID_IMPORT_ENCRYPT_KEY_FUNC "CryptMsgDllImportEncryptKey"
  5648. typedef BOOL (WINAPI *PFN_CMSG_IMPORT_ENCRYPT_KEY) (
  5649. IN HCRYPTPROV hCryptProv,
  5650. IN DWORD dwKeySpec,
  5651. IN PCRYPT_ALGORITHM_IDENTIFIER paiEncrypt,
  5652. IN PCRYPT_ALGORITHM_IDENTIFIER paiPubKey,
  5653. IN PBYTE pbEncodedKey,
  5654. IN DWORD cbEncodedKey,
  5655. OUT HCRYPTKEY *phEncryptKey
  5656. );
  5657. // To get the default installable function for GenContentEncryptKey,
  5658. // ExportKeyTrans, ExportKeyAgree, ExportMailList, ImportKeyTrans,
  5659. // ImportKeyAgree or ImportMailList call CryptGetOIDFunctionAddress()
  5660. // with the pszOID argument set to the following constant. dwEncodingType
  5661. // should be set to CRYPT_ASN_ENCODING or X509_ASN_ENCODING.
  5662. #define CMSG_DEFAULT_INSTALLABLE_FUNC_OID ((LPCSTR) 1)
  5663. //+-------------------------------------------------------------------------
  5664. // Content Encrypt Info
  5665. //
  5666. // The following data structure contains the information shared between
  5667. // the GenContentEncryptKey and the ExportKeyTrans, ExportKeyAgree and
  5668. // ExportMailList installable functions.
  5669. //--------------------------------------------------------------------------
  5670. typedef struct _CMSG_CONTENT_ENCRYPT_INFO {
  5671. DWORD cbSize;
  5672. HCRYPTPROV hCryptProv;
  5673. CRYPT_ALGORITHM_IDENTIFIER ContentEncryptionAlgorithm;
  5674. void *pvEncryptionAuxInfo;
  5675. DWORD cRecipients;
  5676. PCMSG_RECIPIENT_ENCODE_INFO rgCmsRecipients;
  5677. PFN_CMSG_ALLOC pfnAlloc;
  5678. PFN_CMSG_FREE pfnFree;
  5679. DWORD dwEncryptFlags;
  5680. HCRYPTKEY hContentEncryptKey;
  5681. DWORD dwFlags;
  5682. } CMSG_CONTENT_ENCRYPT_INFO, *PCMSG_CONTENT_ENCRYPT_INFO;
  5683. #define CMSG_CONTENT_ENCRYPT_PAD_ENCODED_LEN_FLAG 0x00000001
  5684. #define CMSG_CONTENT_ENCRYPT_FREE_PARA_FLAG 0x00000001
  5685. #define CMSG_CONTENT_ENCRYPT_RELEASE_CONTEXT_FLAG 0x00008000
  5686. //+-------------------------------------------------------------------------
  5687. // Upon input, ContentEncryptInfo has been initialized from the
  5688. // EnvelopedEncodeInfo.
  5689. //
  5690. // Note, if rgpRecipients instead of rgCmsRecipients are set in the
  5691. // EnvelopedEncodeInfo, then, the rgpRecipients have been converted
  5692. // to rgCmsRecipients in the ContentEncryptInfo.
  5693. //
  5694. // The following fields may be changed in ContentEncryptInfo:
  5695. // hContentEncryptKey
  5696. // hCryptProv
  5697. // ContentEncryptionAlgorithm.Parameters
  5698. // dwFlags
  5699. //
  5700. // All other fields in the ContentEncryptInfo are READONLY.
  5701. //
  5702. // If CMSG_CONTENT_ENCRYPT_PAD_ENCODED_LEN_FLAG is set upon entry
  5703. // in dwEncryptFlags, then, any potentially variable length encoded
  5704. // output should be padded with zeroes to always obtain the
  5705. // same maximum encoded length. This is necessary for
  5706. // CryptMsgCalculateEncodedLength() or CryptMsgOpenToEncode() with
  5707. // definite length streaming.
  5708. //
  5709. // The hContentEncryptKey must be updated.
  5710. //
  5711. // If hCryptProv is NULL upon input, then, it must be updated.
  5712. // If a HCRYPTPROV is acquired that must be released, then, the
  5713. // CMSG_CONTENT_ENCRYPT_RELEASE_CONTEXT_FLAG must be set in dwFlags.
  5714. //
  5715. // If ContentEncryptionAlgorithm.Parameters is updated, then, the
  5716. // CMSG_CONTENT_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags. pfnAlloc and
  5717. // pfnFree must be used for doing the allocation.
  5718. //
  5719. // ContentEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
  5720. //--------------------------------------------------------------------------
  5721. #define CMSG_OID_GEN_CONTENT_ENCRYPT_KEY_FUNC "CryptMsgDllGenContentEncryptKey"
  5722. typedef BOOL (WINAPI *PFN_CMSG_GEN_CONTENT_ENCRYPT_KEY) (
  5723. IN OUT PCMSG_CONTENT_ENCRYPT_INFO pContentEncryptInfo,
  5724. IN DWORD dwFlags,
  5725. IN OPTIONAL void *pvReserved
  5726. );
  5727. //+-------------------------------------------------------------------------
  5728. // Key Transport Encrypt Info
  5729. //
  5730. // The following data structure contains the information updated by the
  5731. // ExportKeyTrans installable function.
  5732. //--------------------------------------------------------------------------
  5733. typedef struct _CMSG_KEY_TRANS_ENCRYPT_INFO {
  5734. DWORD cbSize;
  5735. DWORD dwRecipientIndex;
  5736. CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
  5737. CRYPT_DATA_BLOB EncryptedKey;
  5738. DWORD dwFlags;
  5739. } CMSG_KEY_TRANS_ENCRYPT_INFO, *PCMSG_KEY_TRANS_ENCRYPT_INFO;
  5740. #define CMSG_KEY_TRANS_ENCRYPT_FREE_PARA_FLAG 0x00000001
  5741. //+-------------------------------------------------------------------------
  5742. // Upon input, KeyTransEncryptInfo has been initialized from the
  5743. // KeyTransEncodeInfo.
  5744. //
  5745. // The following fields may be changed in KeyTransEncryptInfo:
  5746. // EncryptedKey
  5747. // KeyEncryptionAlgorithm.Parameters
  5748. // dwFlags
  5749. //
  5750. // All other fields in the KeyTransEncryptInfo are READONLY.
  5751. //
  5752. // The EncryptedKey must be updated. The pfnAlloc and pfnFree specified in
  5753. // ContentEncryptInfo must be used for doing the allocation.
  5754. //
  5755. // If the KeyEncryptionAlgorithm.Parameters is updated, then, the
  5756. // CMSG_KEY_TRANS_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags.
  5757. // The pfnAlloc and pfnFree specified in ContentEncryptInfo must be used
  5758. // for doing the allocation.
  5759. //
  5760. // KeyEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
  5761. //--------------------------------------------------------------------------
  5762. #define CMSG_OID_EXPORT_KEY_TRANS_FUNC "CryptMsgDllExportKeyTrans"
  5763. typedef BOOL (WINAPI *PFN_CMSG_EXPORT_KEY_TRANS) (
  5764. IN PCMSG_CONTENT_ENCRYPT_INFO pContentEncryptInfo,
  5765. IN PCMSG_KEY_TRANS_RECIPIENT_ENCODE_INFO pKeyTransEncodeInfo,
  5766. IN OUT PCMSG_KEY_TRANS_ENCRYPT_INFO pKeyTransEncryptInfo,
  5767. IN DWORD dwFlags,
  5768. IN OPTIONAL void *pvReserved
  5769. );
  5770. //+-------------------------------------------------------------------------
  5771. // Key Agree Key Encrypt Info
  5772. //
  5773. // The following data structure contains the information updated by the
  5774. // ExportKeyAgree installable function for each encrypted key agree
  5775. // recipient.
  5776. //--------------------------------------------------------------------------
  5777. typedef struct _CMSG_KEY_AGREE_KEY_ENCRYPT_INFO {
  5778. DWORD cbSize;
  5779. CRYPT_DATA_BLOB EncryptedKey;
  5780. } CMSG_KEY_AGREE_KEY_ENCRYPT_INFO, *PCMSG_KEY_AGREE_KEY_ENCRYPT_INFO;
  5781. //+-------------------------------------------------------------------------
  5782. // Key Agree Encrypt Info
  5783. //
  5784. // The following data structure contains the information applicable to
  5785. // all recipients. Its updated by the ExportKeyAgree installable function.
  5786. //--------------------------------------------------------------------------
  5787. typedef struct _CMSG_KEY_AGREE_ENCRYPT_INFO {
  5788. DWORD cbSize;
  5789. DWORD dwRecipientIndex;
  5790. CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
  5791. CRYPT_DATA_BLOB UserKeyingMaterial;
  5792. DWORD dwOriginatorChoice;
  5793. union {
  5794. // CMSG_KEY_AGREE_ORIGINATOR_CERT
  5795. CERT_ID OriginatorCertId;
  5796. // CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY
  5797. CERT_PUBLIC_KEY_INFO OriginatorPublicKeyInfo;
  5798. };
  5799. DWORD cKeyAgreeKeyEncryptInfo;
  5800. PCMSG_KEY_AGREE_KEY_ENCRYPT_INFO *rgpKeyAgreeKeyEncryptInfo;
  5801. DWORD dwFlags;
  5802. } CMSG_KEY_AGREE_ENCRYPT_INFO, *PCMSG_KEY_AGREE_ENCRYPT_INFO;
  5803. #define CMSG_KEY_AGREE_ENCRYPT_FREE_PARA_FLAG 0x00000001
  5804. #define CMSG_KEY_AGREE_ENCRYPT_FREE_MATERIAL_FLAG 0x00000002
  5805. #define CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_ALG_FLAG 0x00000004
  5806. #define CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_PARA_FLAG 0x00000008
  5807. #define CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_BITS_FLAG 0x00000010
  5808. //+-------------------------------------------------------------------------
  5809. // Upon input, KeyAgreeEncryptInfo has been initialized from the
  5810. // KeyAgreeEncodeInfo.
  5811. //
  5812. // The following fields may be changed in KeyAgreeEncryptInfo:
  5813. // KeyEncryptionAlgorithm.Parameters
  5814. // UserKeyingMaterial
  5815. // dwOriginatorChoice
  5816. // OriginatorCertId
  5817. // OriginatorPublicKeyInfo
  5818. // dwFlags
  5819. //
  5820. // All other fields in the KeyAgreeEncryptInfo are READONLY.
  5821. //
  5822. // If the KeyEncryptionAlgorithm.Parameters is updated, then, the
  5823. // CMSG_KEY_AGREE_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags.
  5824. // The pfnAlloc and pfnFree specified in ContentEncryptInfo must be used
  5825. // for doing the allocation.
  5826. //
  5827. // If the UserKeyingMaterial is updated, then, the
  5828. // CMSG_KEY_AGREE_ENCRYPT_FREE_MATERIAL_FLAG must be set in dwFlags.
  5829. // pfnAlloc and pfnFree must be used for doing the allocation.
  5830. //
  5831. // The dwOriginatorChoice must be updated to either
  5832. // CMSG_KEY_AGREE_ORIGINATOR_CERT or CMSG_KEY_AGREE_ORIGINATOR_PUBLIC_KEY.
  5833. //
  5834. // If the OriginatorPublicKeyInfo is updated, then, the appropriate
  5835. // CMSG_KEY_AGREE_ENCRYPT_FREE_PUBKEY_*_FLAG must be set in dwFlags and
  5836. // pfnAlloc and pfnFree must be used for doing the allocation.
  5837. //
  5838. // If CMSG_CONTENT_ENCRYPT_PAD_ENCODED_LEN_FLAG is set upon entry
  5839. // in pContentEncryptInfo->dwEncryptFlags, then, the OriginatorPublicKeyInfo's
  5840. // Ephemeral PublicKey should be padded with zeroes to always obtain the
  5841. // same maximum encoded length. Note, the length of the generated ephemeral Y
  5842. // public key can vary depending on the number of leading zero bits.
  5843. //
  5844. // Upon input, the array of *rgpKeyAgreeKeyEncryptInfo has been initialized.
  5845. // The EncryptedKey must be updated for each recipient key.
  5846. // The pfnAlloc and pfnFree specified in
  5847. // ContentEncryptInfo must be used for doing the allocation.
  5848. //
  5849. // KeyEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
  5850. //--------------------------------------------------------------------------
  5851. #define CMSG_OID_EXPORT_KEY_AGREE_FUNC "CryptMsgDllExportKeyAgree"
  5852. typedef BOOL (WINAPI *PFN_CMSG_EXPORT_KEY_AGREE) (
  5853. IN PCMSG_CONTENT_ENCRYPT_INFO pContentEncryptInfo,
  5854. IN PCMSG_KEY_AGREE_RECIPIENT_ENCODE_INFO pKeyAgreeEncodeInfo,
  5855. IN OUT PCMSG_KEY_AGREE_ENCRYPT_INFO pKeyAgreeEncryptInfo,
  5856. IN DWORD dwFlags,
  5857. IN OPTIONAL void *pvReserved
  5858. );
  5859. //+-------------------------------------------------------------------------
  5860. // Mail List Encrypt Info
  5861. //
  5862. // The following data structure contains the information updated by the
  5863. // ExportMailList installable function.
  5864. //--------------------------------------------------------------------------
  5865. typedef struct _CMSG_MAIL_LIST_ENCRYPT_INFO {
  5866. DWORD cbSize;
  5867. DWORD dwRecipientIndex;
  5868. CRYPT_ALGORITHM_IDENTIFIER KeyEncryptionAlgorithm;
  5869. CRYPT_DATA_BLOB EncryptedKey;
  5870. DWORD dwFlags;
  5871. } CMSG_MAIL_LIST_ENCRYPT_INFO, *PCMSG_MAIL_LIST_ENCRYPT_INFO;
  5872. #define CMSG_MAIL_LIST_ENCRYPT_FREE_PARA_FLAG 0x00000001
  5873. //+-------------------------------------------------------------------------
  5874. // Upon input, MailListEncryptInfo has been initialized from the
  5875. // MailListEncodeInfo.
  5876. //
  5877. // The following fields may be changed in MailListEncryptInfo:
  5878. // EncryptedKey
  5879. // KeyEncryptionAlgorithm.Parameters
  5880. // dwFlags
  5881. //
  5882. // All other fields in the MailListEncryptInfo are READONLY.
  5883. //
  5884. // The EncryptedKey must be updated. The pfnAlloc and pfnFree specified in
  5885. // ContentEncryptInfo must be used for doing the allocation.
  5886. //
  5887. // If the KeyEncryptionAlgorithm.Parameters is updated, then, the
  5888. // CMSG_MAIL_LIST_ENCRYPT_FREE_PARA_FLAG must be set in dwFlags.
  5889. // The pfnAlloc and pfnFree specified in ContentEncryptInfo must be used
  5890. // for doing the allocation.
  5891. //
  5892. // KeyEncryptionAlgorithm.pszObjId is used to get the OIDFunctionAddress.
  5893. //--------------------------------------------------------------------------
  5894. #define CMSG_OID_EXPORT_MAIL_LIST_FUNC "CryptMsgDllExportMailList"
  5895. typedef BOOL (WINAPI *PFN_CMSG_EXPORT_MAIL_LIST) (
  5896. IN PCMSG_CONTENT_ENCRYPT_INFO pContentEncryptInfo,
  5897. IN PCMSG_MAIL_LIST_RECIPIENT_ENCODE_INFO pMailListEncodeInfo,
  5898. IN OUT PCMSG_MAIL_LIST_ENCRYPT_INFO pMailListEncryptInfo,
  5899. IN DWORD dwFlags,
  5900. IN OPTIONAL void *pvReserved
  5901. );
  5902. //+-------------------------------------------------------------------------
  5903. // OID Installable functions for importing an encoded and encrypted content
  5904. // encryption key.
  5905. //
  5906. // There's a different installable function for each CMS Recipient choice:
  5907. // ImportKeyTrans
  5908. // ImportKeyAgree
  5909. // ImportMailList
  5910. //
  5911. // Iterates through the following OIDs to get the OID installable function:
  5912. // KeyEncryptionOID!ContentEncryptionOID
  5913. // KeyEncryptionOID
  5914. // ContentEncryptionOID
  5915. //
  5916. // If the OID installable function doesn't support the specified
  5917. // KeyEncryption and ContentEncryption OIDs, then, return FALSE with
  5918. // LastError set to E_NOTIMPL.
  5919. //--------------------------------------------------------------------------
  5920. #define CMSG_OID_IMPORT_KEY_TRANS_FUNC "CryptMsgDllImportKeyTrans"
  5921. typedef BOOL (WINAPI *PFN_CMSG_IMPORT_KEY_TRANS) (
  5922. IN PCRYPT_ALGORITHM_IDENTIFIER pContentEncryptionAlgorithm,
  5923. IN PCMSG_CTRL_KEY_TRANS_DECRYPT_PARA pKeyTransDecryptPara,
  5924. IN DWORD dwFlags,
  5925. IN OPTIONAL void *pvReserved,
  5926. OUT HCRYPTKEY *phContentEncryptKey
  5927. );
  5928. #define CMSG_OID_IMPORT_KEY_AGREE_FUNC "CryptMsgDllImportKeyAgree"
  5929. typedef BOOL (WINAPI *PFN_CMSG_IMPORT_KEY_AGREE) (
  5930. IN PCRYPT_ALGORITHM_IDENTIFIER pContentEncryptionAlgorithm,
  5931. IN PCMSG_CTRL_KEY_AGREE_DECRYPT_PARA pKeyAgreeDecryptPara,
  5932. IN DWORD dwFlags,
  5933. IN OPTIONAL void *pvReserved,
  5934. OUT HCRYPTKEY *phContentEncryptKey
  5935. );
  5936. #define CMSG_OID_IMPORT_MAIL_LIST_FUNC "CryptMsgDllImportMailList"
  5937. typedef BOOL (WINAPI *PFN_CMSG_IMPORT_MAIL_LIST) (
  5938. IN PCRYPT_ALGORITHM_IDENTIFIER pContentEncryptionAlgorithm,
  5939. IN PCMSG_CTRL_MAIL_LIST_DECRYPT_PARA pMailListDecryptPara,
  5940. IN DWORD dwFlags,
  5941. IN OPTIONAL void *pvReserved,
  5942. OUT HCRYPTKEY *phContentEncryptKey
  5943. );
  5944. //+=========================================================================
  5945. // Certificate Store Data Structures and APIs
  5946. //==========================================================================
  5947. //+-------------------------------------------------------------------------
  5948. // In its most basic implementation, a cert store is simply a
  5949. // collection of certificates and/or CRLs. This is the case when
  5950. // a cert store is opened with all of its certificates and CRLs
  5951. // coming from a PKCS #7 encoded cryptographic message.
  5952. //
  5953. // Nonetheless, all cert stores have the following properties:
  5954. // - A public key may have more than one certificate in the store.
  5955. // For example, a private/public key used for signing may have a
  5956. // certificate issued for VISA and another issued for
  5957. // Mastercard. Also, when a certificate is renewed there might
  5958. // be more than one certificate with the same subject and
  5959. // issuer.
  5960. // - However, each certificate in the store is uniquely
  5961. // identified by its Issuer and SerialNumber.
  5962. // - There's an issuer of subject certificate relationship. A
  5963. // certificate's issuer is found by doing a match of
  5964. // pSubjectCert->Issuer with pIssuerCert->Subject.
  5965. // The relationship is verified by using
  5966. // the issuer's public key to verify the subject certificate's
  5967. // signature. Note, there might be X.509 v3 extensions
  5968. // to assist in finding the issuer certificate.
  5969. // - Since issuer certificates might be renewed, a subject
  5970. // certificate might have more than one issuer certificate.
  5971. // - There's an issuer of CRL relationship. An
  5972. // issuer's CRL is found by doing a match of
  5973. // pIssuerCert->Subject with pCrl->Issuer.
  5974. // The relationship is verified by using
  5975. // the issuer's public key to verify the CRL's
  5976. // signature. Note, there might be X.509 v3 extensions
  5977. // to assist in finding the CRL.
  5978. // - Since some issuers might support the X.509 v3 delta CRL
  5979. // extensions, an issuer might have more than one CRL.
  5980. // - The store shouldn't have any redundant certificates or
  5981. // CRLs. There shouldn't be two certificates with the same
  5982. // Issuer and SerialNumber. There shouldn't be two CRLs with
  5983. // the same Issuer, ThisUpdate and NextUpdate.
  5984. // - The store has NO policy or trust information. No
  5985. // certificates are tagged as being "root". Its up to
  5986. // the application to maintain a list of CertIds (Issuer +
  5987. // SerialNumber) for certificates it trusts.
  5988. // - The store might contain bad certificates and/or CRLs.
  5989. // The issuer's signature of a subject certificate or CRL may
  5990. // not verify. Certificates or CRLs may not satisfy their
  5991. // time validity requirements. Certificates may be
  5992. // revoked.
  5993. //
  5994. // In addition to the certificates and CRLs, properties can be
  5995. // stored. There are two predefined property IDs for a user
  5996. // certificate: CERT_KEY_PROV_HANDLE_PROP_ID and
  5997. // CERT_KEY_PROV_INFO_PROP_ID. The CERT_KEY_PROV_HANDLE_PROP_ID
  5998. // is a HCRYPTPROV handle to the private key assoicated
  5999. // with the certificate. The CERT_KEY_PROV_INFO_PROP_ID contains
  6000. // information to be used to call
  6001. // CryptAcquireContext and CryptSetProvParam to get a handle
  6002. // to the private key associated with the certificate.
  6003. //
  6004. // There exists two more predefined property IDs for certificates
  6005. // and CRLs, CERT_SHA1_HASH_PROP_ID and CERT_MD5_HASH_PROP_ID.
  6006. // If these properties don't already exist, then, a hash of the
  6007. // content is computed. (CERT_HASH_PROP_ID maps to the default
  6008. // hash algorithm, currently, CERT_SHA1_HASH_PROP_ID).
  6009. //
  6010. // There are additional APIs for creating certificate and CRL
  6011. // contexts not in a store (CertCreateCertificateContext and
  6012. // CertCreateCRLContext).
  6013. //
  6014. //--------------------------------------------------------------------------
  6015. typedef void *HCERTSTORE;
  6016. //+-------------------------------------------------------------------------
  6017. // Certificate context.
  6018. //
  6019. // A certificate context contains both the encoded and decoded representation
  6020. // of a certificate. A certificate context returned by a cert store function
  6021. // must be freed by calling the CertFreeCertificateContext function. The
  6022. // CertDuplicateCertificateContext function can be called to make a duplicate
  6023. // copy (which also must be freed by calling CertFreeCertificateContext).
  6024. //--------------------------------------------------------------------------
  6025. typedef struct _CERT_CONTEXT {
  6026. DWORD dwCertEncodingType;
  6027. BYTE *pbCertEncoded;
  6028. DWORD cbCertEncoded;
  6029. PCERT_INFO pCertInfo;
  6030. HCERTSTORE hCertStore;
  6031. } CERT_CONTEXT, *PCERT_CONTEXT;
  6032. typedef const CERT_CONTEXT *PCCERT_CONTEXT;
  6033. //+-------------------------------------------------------------------------
  6034. // CRL context.
  6035. //
  6036. // A CRL context contains both the encoded and decoded representation
  6037. // of a CRL. A CRL context returned by a cert store function
  6038. // must be freed by calling the CertFreeCRLContext function. The
  6039. // CertDuplicateCRLContext function can be called to make a duplicate
  6040. // copy (which also must be freed by calling CertFreeCRLContext).
  6041. //--------------------------------------------------------------------------
  6042. typedef struct _CRL_CONTEXT {
  6043. DWORD dwCertEncodingType;
  6044. BYTE *pbCrlEncoded;
  6045. DWORD cbCrlEncoded;
  6046. PCRL_INFO pCrlInfo;
  6047. HCERTSTORE hCertStore;
  6048. } CRL_CONTEXT, *PCRL_CONTEXT;
  6049. typedef const CRL_CONTEXT *PCCRL_CONTEXT;
  6050. //+-------------------------------------------------------------------------
  6051. // Certificate Trust List (CTL) context.
  6052. //
  6053. // A CTL context contains both the encoded and decoded representation
  6054. // of a CTL. Also contains an opened HCRYPTMSG handle to the decoded
  6055. // cryptographic signed message containing the CTL_INFO as its inner content.
  6056. // pbCtlContent is the encoded inner content of the signed message.
  6057. //
  6058. // The CryptMsg APIs can be used to extract additional signer information.
  6059. //--------------------------------------------------------------------------
  6060. typedef struct _CTL_CONTEXT {
  6061. DWORD dwMsgAndCertEncodingType;
  6062. BYTE *pbCtlEncoded;
  6063. DWORD cbCtlEncoded;
  6064. PCTL_INFO pCtlInfo;
  6065. HCERTSTORE hCertStore;
  6066. HCRYPTMSG hCryptMsg;
  6067. BYTE *pbCtlContent;
  6068. DWORD cbCtlContent;
  6069. } CTL_CONTEXT, *PCTL_CONTEXT;
  6070. typedef const CTL_CONTEXT *PCCTL_CONTEXT;
  6071. //+-------------------------------------------------------------------------
  6072. // Certificate, CRL and CTL property IDs
  6073. //
  6074. // See CertSetCertificateContextProperty or CertGetCertificateContextProperty
  6075. // for usage information.
  6076. //--------------------------------------------------------------------------
  6077. #define CERT_KEY_PROV_HANDLE_PROP_ID 1
  6078. #define CERT_KEY_PROV_INFO_PROP_ID 2
  6079. #define CERT_SHA1_HASH_PROP_ID 3
  6080. #define CERT_MD5_HASH_PROP_ID 4
  6081. #define CERT_HASH_PROP_ID CERT_SHA1_HASH_PROP_ID
  6082. #define CERT_KEY_CONTEXT_PROP_ID 5
  6083. #define CERT_KEY_SPEC_PROP_ID 6
  6084. #define CERT_IE30_RESERVED_PROP_ID 7
  6085. #define CERT_PUBKEY_HASH_RESERVED_PROP_ID 8
  6086. #define CERT_ENHKEY_USAGE_PROP_ID 9
  6087. #define CERT_CTL_USAGE_PROP_ID CERT_ENHKEY_USAGE_PROP_ID
  6088. #define CERT_NEXT_UPDATE_LOCATION_PROP_ID 10
  6089. #define CERT_FRIENDLY_NAME_PROP_ID 11
  6090. #define CERT_PVK_FILE_PROP_ID 12
  6091. #define CERT_DESCRIPTION_PROP_ID 13
  6092. #define CERT_ACCESS_STATE_PROP_ID 14
  6093. #define CERT_SIGNATURE_HASH_PROP_ID 15
  6094. #define CERT_SMART_CARD_DATA_PROP_ID 16
  6095. #define CERT_EFS_PROP_ID 17
  6096. #define CERT_FORTEZZA_DATA_PROP_ID 18
  6097. #define CERT_ARCHIVED_PROP_ID 19
  6098. #define CERT_KEY_IDENTIFIER_PROP_ID 20
  6099. #define CERT_AUTO_ENROLL_PROP_ID 21
  6100. #define CERT_PUBKEY_ALG_PARA_PROP_ID 22
  6101. #define CERT_CROSS_CERT_DIST_POINTS_PROP_ID 23
  6102. #define CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID 24
  6103. #define CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID 25
  6104. #define CERT_ENROLLMENT_PROP_ID 26
  6105. #define CERT_DATE_STAMP_PROP_ID 27
  6106. #define CERT_ISSUER_SERIAL_NUMBER_MD5_HASH_PROP_ID 28
  6107. #define CERT_SUBJECT_NAME_MD5_HASH_PROP_ID 29
  6108. #define CERT_EXTENDED_ERROR_INFO_PROP_ID 30
  6109. // Note, 32 - 35 are reserved for the CERT, CRL, CTL and KeyId file element IDs.
  6110. // 36 - 63 are reserved for future element IDs.
  6111. #define CERT_RENEWAL_PROP_ID 64
  6112. #define CERT_ARCHIVED_KEY_HASH_PROP_ID 65
  6113. #define CERT_FIRST_RESERVED_PROP_ID 66
  6114. #define CERT_LAST_RESERVED_PROP_ID 0x00007FFF
  6115. #define CERT_FIRST_USER_PROP_ID 0x00008000
  6116. #define CERT_LAST_USER_PROP_ID 0x0000FFFF
  6117. #define IS_CERT_HASH_PROP_ID(X) (CERT_SHA1_HASH_PROP_ID == (X) || \
  6118. CERT_MD5_HASH_PROP_ID == (X) || \
  6119. CERT_SIGNATURE_HASH_PROP_ID == (X))
  6120. #define IS_PUBKEY_HASH_PROP_ID(X) (CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID == (X) || \
  6121. CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID == (X))
  6122. #define IS_CHAIN_HASH_PROP_ID(X) (CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID == (X) || \
  6123. CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID == (X) || \
  6124. CERT_ISSUER_SERIAL_NUMBER_MD5_HASH_PROP_ID == (X) || \
  6125. CERT_SUBJECT_NAME_MD5_HASH_PROP_ID == (X))
  6126. //+-------------------------------------------------------------------------
  6127. // Property OIDs
  6128. //--------------------------------------------------------------------------
  6129. // The OID component following the prefix contains the PROP_ID (decimal)
  6130. #define szOID_CERT_PROP_ID_PREFIX "1.3.6.1.4.1.311.10.11."
  6131. #define szOID_CERT_KEY_IDENTIFIER_PROP_ID "1.3.6.1.4.1.311.10.11.20"
  6132. #define szOID_CERT_ISSUER_SERIAL_NUMBER_MD5_HASH_PROP_ID \
  6133. "1.3.6.1.4.1.311.10.11.28"
  6134. #define szOID_CERT_SUBJECT_NAME_MD5_HASH_PROP_ID \
  6135. "1.3.6.1.4.1.311.10.11.29"
  6136. //+-------------------------------------------------------------------------
  6137. // Access State flags returned by CERT_ACCESS_STATE_PROP_ID. Note,
  6138. // CERT_ACCESS_PROP_ID is read only.
  6139. //--------------------------------------------------------------------------
  6140. // Set if context property writes are persisted. For instance, not set for
  6141. // memory store contexts. Set for registry based stores opened as read or write.
  6142. // Not set for registry based stores opened as read only.
  6143. #define CERT_ACCESS_STATE_WRITE_PERSIST_FLAG 0x1
  6144. // Set if context resides in a SYSTEM or SYSTEM_REGISTRY store.
  6145. #define CERT_ACCESS_STATE_SYSTEM_STORE_FLAG 0x2
  6146. //+-------------------------------------------------------------------------
  6147. // Cryptographic Key Provider Information
  6148. //
  6149. // CRYPT_KEY_PROV_INFO defines the CERT_KEY_PROV_INFO_PROP_ID's pvData.
  6150. //
  6151. // The CRYPT_KEY_PROV_INFO fields are passed to CryptAcquireContext
  6152. // to get a HCRYPTPROV handle. The optional CRYPT_KEY_PROV_PARAM fields are
  6153. // passed to CryptSetProvParam to further initialize the provider.
  6154. //
  6155. // The dwKeySpec field identifies the private key to use from the container
  6156. // For example, AT_KEYEXCHANGE or AT_SIGNATURE.
  6157. //--------------------------------------------------------------------------
  6158. typedef struct _CRYPT_KEY_PROV_PARAM {
  6159. DWORD dwParam;
  6160. BYTE *pbData;
  6161. DWORD cbData;
  6162. DWORD dwFlags;
  6163. } CRYPT_KEY_PROV_PARAM, *PCRYPT_KEY_PROV_PARAM;
  6164. typedef struct _CRYPT_KEY_PROV_INFO {
  6165. LPWSTR pwszContainerName;
  6166. LPWSTR pwszProvName;
  6167. DWORD dwProvType;
  6168. DWORD dwFlags;
  6169. DWORD cProvParam;
  6170. PCRYPT_KEY_PROV_PARAM rgProvParam;
  6171. DWORD dwKeySpec;
  6172. } CRYPT_KEY_PROV_INFO, *PCRYPT_KEY_PROV_INFO;
  6173. //+-------------------------------------------------------------------------
  6174. // The following flag should be set in the above dwFlags to enable
  6175. // a CertSetCertificateContextProperty(CERT_KEY_CONTEXT_PROP_ID) after a
  6176. // CryptAcquireContext is done in the Sign or Decrypt Message functions.
  6177. //
  6178. // The following define must not collide with any of the
  6179. // CryptAcquireContext dwFlag defines.
  6180. //--------------------------------------------------------------------------
  6181. #define CERT_SET_KEY_PROV_HANDLE_PROP_ID 0x00000001
  6182. #define CERT_SET_KEY_CONTEXT_PROP_ID 0x00000001
  6183. //+-------------------------------------------------------------------------
  6184. // Certificate Key Context
  6185. //
  6186. // CERT_KEY_CONTEXT defines the CERT_KEY_CONTEXT_PROP_ID's pvData.
  6187. //--------------------------------------------------------------------------
  6188. typedef struct _CERT_KEY_CONTEXT {
  6189. DWORD cbSize; // sizeof(CERT_KEY_CONTEXT)
  6190. HCRYPTPROV hCryptProv;
  6191. DWORD dwKeySpec;
  6192. } CERT_KEY_CONTEXT, *PCERT_KEY_CONTEXT;
  6193. //+-------------------------------------------------------------------------
  6194. // Certificate Store Provider Types
  6195. //--------------------------------------------------------------------------
  6196. #define CERT_STORE_PROV_MSG ((LPCSTR) 1)
  6197. #define CERT_STORE_PROV_MEMORY ((LPCSTR) 2)
  6198. #define CERT_STORE_PROV_FILE ((LPCSTR) 3)
  6199. #define CERT_STORE_PROV_REG ((LPCSTR) 4)
  6200. #define CERT_STORE_PROV_PKCS7 ((LPCSTR) 5)
  6201. #define CERT_STORE_PROV_SERIALIZED ((LPCSTR) 6)
  6202. #define CERT_STORE_PROV_FILENAME_A ((LPCSTR) 7)
  6203. #define CERT_STORE_PROV_FILENAME_W ((LPCSTR) 8)
  6204. #define CERT_STORE_PROV_FILENAME CERT_STORE_PROV_FILENAME_W
  6205. #define CERT_STORE_PROV_SYSTEM_A ((LPCSTR) 9)
  6206. #define CERT_STORE_PROV_SYSTEM_W ((LPCSTR) 10)
  6207. #define CERT_STORE_PROV_SYSTEM CERT_STORE_PROV_SYSTEM_W
  6208. #define CERT_STORE_PROV_COLLECTION ((LPCSTR) 11)
  6209. #define CERT_STORE_PROV_SYSTEM_REGISTRY_A ((LPCSTR) 12)
  6210. #define CERT_STORE_PROV_SYSTEM_REGISTRY_W ((LPCSTR) 13)
  6211. #define CERT_STORE_PROV_SYSTEM_REGISTRY CERT_STORE_PROV_SYSTEM_REGISTRY_W
  6212. #define CERT_STORE_PROV_PHYSICAL_W ((LPCSTR) 14)
  6213. #define CERT_STORE_PROV_PHYSICAL CERT_STORE_PROV_PHYSICAL_W
  6214. #define CERT_STORE_PROV_SMART_CARD_W ((LPCSTR) 15)
  6215. #define CERT_STORE_PROV_SMART_CARD CERT_STORE_PROV_SMART_CARD_W
  6216. #define CERT_STORE_PROV_LDAP_W ((LPCSTR) 16)
  6217. #define CERT_STORE_PROV_LDAP CERT_STORE_PROV_LDAP_W
  6218. #define sz_CERT_STORE_PROV_MEMORY "Memory"
  6219. #define sz_CERT_STORE_PROV_FILENAME_W "File"
  6220. #define sz_CERT_STORE_PROV_FILENAME sz_CERT_STORE_PROV_FILENAME_W
  6221. #define sz_CERT_STORE_PROV_SYSTEM_W "System"
  6222. #define sz_CERT_STORE_PROV_SYSTEM sz_CERT_STORE_PROV_SYSTEM_W
  6223. #define sz_CERT_STORE_PROV_PKCS7 "PKCS7"
  6224. #define sz_CERT_STORE_PROV_SERIALIZED "Serialized"
  6225. #define sz_CERT_STORE_PROV_COLLECTION "Collection"
  6226. #define sz_CERT_STORE_PROV_SYSTEM_REGISTRY_W "SystemRegistry"
  6227. #define sz_CERT_STORE_PROV_SYSTEM_REGISTRY sz_CERT_STORE_PROV_SYSTEM_REGISTRY_W
  6228. #define sz_CERT_STORE_PROV_PHYSICAL_W "Physical"
  6229. #define sz_CERT_STORE_PROV_PHYSICAL sz_CERT_STORE_PROV_PHYSICAL_W
  6230. #define sz_CERT_STORE_PROV_SMART_CARD_W "SmartCard"
  6231. #define sz_CERT_STORE_PROV_SMART_CARD sz_CERT_STORE_PROV_SMART_CARD_W
  6232. #define sz_CERT_STORE_PROV_LDAP_W "Ldap"
  6233. #define sz_CERT_STORE_PROV_LDAP sz_CERT_STORE_PROV_LDAP_W
  6234. //+-------------------------------------------------------------------------
  6235. // Certificate Store verify/results flags
  6236. //--------------------------------------------------------------------------
  6237. #define CERT_STORE_SIGNATURE_FLAG 0x00000001
  6238. #define CERT_STORE_TIME_VALIDITY_FLAG 0x00000002
  6239. #define CERT_STORE_REVOCATION_FLAG 0x00000004
  6240. #define CERT_STORE_NO_CRL_FLAG 0x00010000
  6241. #define CERT_STORE_NO_ISSUER_FLAG 0x00020000
  6242. #define CERT_STORE_BASE_CRL_FLAG 0x00000100
  6243. #define CERT_STORE_DELTA_CRL_FLAG 0x00000200
  6244. //+-------------------------------------------------------------------------
  6245. // Certificate Store open/property flags
  6246. //--------------------------------------------------------------------------
  6247. #define CERT_STORE_NO_CRYPT_RELEASE_FLAG 0x00000001
  6248. #define CERT_STORE_SET_LOCALIZED_NAME_FLAG 0x00000002
  6249. #define CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG 0x00000004
  6250. #define CERT_STORE_DELETE_FLAG 0x00000010
  6251. #define CERT_STORE_SHARE_STORE_FLAG 0x00000040
  6252. #define CERT_STORE_SHARE_CONTEXT_FLAG 0x00000080
  6253. #define CERT_STORE_MANIFOLD_FLAG 0x00000100
  6254. #define CERT_STORE_ENUM_ARCHIVED_FLAG 0x00000200
  6255. #define CERT_STORE_UPDATE_KEYID_FLAG 0x00000400
  6256. #define CERT_STORE_BACKUP_RESTORE_FLAG 0x00000800
  6257. #define CERT_STORE_READONLY_FLAG 0x00008000
  6258. #define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000
  6259. #define CERT_STORE_CREATE_NEW_FLAG 0x00002000
  6260. #define CERT_STORE_MAXIMUM_ALLOWED_FLAG 0x00001000
  6261. //+-------------------------------------------------------------------------
  6262. // Certificate Store Provider flags are in the HiWord (0xFFFF0000)
  6263. //--------------------------------------------------------------------------
  6264. //+-------------------------------------------------------------------------
  6265. // Certificate System Store Flag Values
  6266. //--------------------------------------------------------------------------
  6267. // Includes flags and location
  6268. #define CERT_SYSTEM_STORE_MASK 0xFFFF0000
  6269. // Set if pvPara points to a CERT_SYSTEM_STORE_RELOCATE_PARA structure
  6270. #define CERT_SYSTEM_STORE_RELOCATE_FLAG 0x80000000
  6271. typedef struct _CERT_SYSTEM_STORE_RELOCATE_PARA {
  6272. union {
  6273. HKEY hKeyBase;
  6274. void *pvBase;
  6275. };
  6276. union {
  6277. void *pvSystemStore;
  6278. LPCSTR pszSystemStore;
  6279. LPCWSTR pwszSystemStore;
  6280. };
  6281. } CERT_SYSTEM_STORE_RELOCATE_PARA, *PCERT_SYSTEM_STORE_RELOCATE_PARA;
  6282. // By default, when the CurrentUser "Root" store is opened, any SystemRegistry
  6283. // roots not also on the protected root list are deleted from the cache before
  6284. // CertOpenStore() returns. Set the following flag to return all the roots
  6285. // in the SystemRegistry without checking the protected root list.
  6286. #define CERT_SYSTEM_STORE_UNPROTECTED_FLAG 0x40000000
  6287. // Location of the system store:
  6288. #define CERT_SYSTEM_STORE_LOCATION_MASK 0x00FF0000
  6289. #define CERT_SYSTEM_STORE_LOCATION_SHIFT 16
  6290. // Registry: HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE
  6291. #define CERT_SYSTEM_STORE_CURRENT_USER_ID 1
  6292. #define CERT_SYSTEM_STORE_LOCAL_MACHINE_ID 2
  6293. // Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services
  6294. #define CERT_SYSTEM_STORE_CURRENT_SERVICE_ID 4
  6295. #define CERT_SYSTEM_STORE_SERVICES_ID 5
  6296. // Registry: HKEY_USERS
  6297. #define CERT_SYSTEM_STORE_USERS_ID 6
  6298. // Registry: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
  6299. #define CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY_ID 7
  6300. // Registry: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
  6301. #define CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY_ID 8
  6302. // Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates
  6303. #define CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE_ID 9
  6304. #define CERT_SYSTEM_STORE_CURRENT_USER \
  6305. (CERT_SYSTEM_STORE_CURRENT_USER_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
  6306. #define CERT_SYSTEM_STORE_LOCAL_MACHINE \
  6307. (CERT_SYSTEM_STORE_LOCAL_MACHINE_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
  6308. #define CERT_SYSTEM_STORE_CURRENT_SERVICE \
  6309. (CERT_SYSTEM_STORE_CURRENT_SERVICE_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
  6310. #define CERT_SYSTEM_STORE_SERVICES \
  6311. (CERT_SYSTEM_STORE_SERVICES_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
  6312. #define CERT_SYSTEM_STORE_USERS \
  6313. (CERT_SYSTEM_STORE_USERS_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
  6314. #define CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY \
  6315. (CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY_ID << \
  6316. CERT_SYSTEM_STORE_LOCATION_SHIFT)
  6317. #define CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY \
  6318. (CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY_ID << \
  6319. CERT_SYSTEM_STORE_LOCATION_SHIFT)
  6320. #define CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE \
  6321. (CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE_ID << \
  6322. CERT_SYSTEM_STORE_LOCATION_SHIFT)
  6323. //+-------------------------------------------------------------------------
  6324. // Group Policy Store Defines
  6325. //--------------------------------------------------------------------------
  6326. // Registry path to the Group Policy system stores
  6327. #define CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH \
  6328. L"Software\\Policies\\Microsoft\\SystemCertificates"
  6329. //+-------------------------------------------------------------------------
  6330. // EFS Defines
  6331. //--------------------------------------------------------------------------
  6332. // Registry path to the EFS EFSBlob SubKey - Value type is REG_BINARY
  6333. #define CERT_EFSBLOB_REGPATH \
  6334. CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH L"\\EFS"
  6335. #define CERT_EFSBLOB_VALUE_NAME L"EFSBlob"
  6336. //+-------------------------------------------------------------------------
  6337. // Protected Root Defines
  6338. //--------------------------------------------------------------------------
  6339. // Registry path to the Protected Roots Flags SubKey
  6340. #define CERT_PROT_ROOT_FLAGS_REGPATH \
  6341. CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH L"\\Root\\ProtectedRoots"
  6342. #define CERT_PROT_ROOT_FLAGS_VALUE_NAME L"Flags"
  6343. // Set the following flag to inhibit the opening of the CurrentUser's
  6344. // .Default physical store when opening the CurrentUser's "Root" system store.
  6345. // The .Default physical store open's the CurrentUser SystemRegistry "Root"
  6346. // store.
  6347. #define CERT_PROT_ROOT_DISABLE_CURRENT_USER_FLAG 0x1
  6348. // Set the following flag to inhibit the adding of roots from the
  6349. // CurrentUser SystemRegistry "Root" store to the protected root list
  6350. // when the "Root" store is initially protected.
  6351. #define CERT_PROT_ROOT_INHIBIT_ADD_AT_INIT_FLAG 0x2
  6352. // Set the following flag to inhibit the purging of protected roots from the
  6353. // CurrentUser SystemRegistry "Root" store that are
  6354. // also in the LocalMachine SystemRegistry "Root" store. Note, when not
  6355. // disabled, the purging is done silently without UI.
  6356. #define CERT_PROT_ROOT_INHIBIT_PURGE_LM_FLAG 0x4
  6357. // Set the following flag to inhibit the opening of the LocalMachine's
  6358. // .AuthRoot physical store when opening the LocalMachine's "Root" system store.
  6359. // The .AuthRoot physical store open's the LocalMachine SystemRegistry
  6360. // "AuthRoot" store. The "AuthRoot" store contains the pre-installed
  6361. // SSL ServerAuth and the ActiveX Authenticode "root" certificates.
  6362. #define CERT_PROT_ROOT_DISABLE_LM_AUTH_FLAG 0x8
  6363. // The semantics for the following legacy definition has been changed to be
  6364. // the same as for the CERT_PROT_ROOT_DISABLE_LM_AUTH_FLAG.
  6365. #define CERT_PROT_ROOT_ONLY_LM_GPT_FLAG 0x8
  6366. // Set the following flag to disable the requiring of the issuing CA
  6367. // certificate being in the "NTAuth" system registry store found in the
  6368. // CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE store location.
  6369. //
  6370. // When set, CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_NT_AUTH)
  6371. // will check that the chain has a valid name constraint for all name
  6372. // spaces, including UPN if the issuing CA isn't in the "NTAuth" store.
  6373. #define CERT_PROT_ROOT_DISABLE_NT_AUTH_REQUIRED_FLAG 0x10
  6374. //+-------------------------------------------------------------------------
  6375. // Trusted Publisher Definitions
  6376. //--------------------------------------------------------------------------
  6377. // Registry path to the trusted publisher "Safer" group policy subkey
  6378. #define CERT_TRUST_PUB_SAFER_GROUP_POLICY_REGPATH \
  6379. CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH L"\\TrustedPublisher\\Safer"
  6380. // Registry path to the Local Machine system stores
  6381. #define CERT_LOCAL_MACHINE_SYSTEM_STORE_REGPATH \
  6382. L"Software\\Microsoft\\SystemCertificates"
  6383. // Registry path to the trusted publisher "Safer" local machine subkey
  6384. #define CERT_TRUST_PUB_SAFER_LOCAL_MACHINE_REGPATH \
  6385. CERT_LOCAL_MACHINE_SYSTEM_STORE_REGPATH L"\\TrustedPublisher\\Safer"
  6386. // "Safer" subkey value names. All values are DWORDs.
  6387. #define CERT_TRUST_PUB_AUTHENTICODE_FLAGS_VALUE_NAME L"AuthenticodeFlags"
  6388. // AuthenticodeFlags definitions
  6389. // Definition of who is allowed to trust publishers
  6390. //
  6391. // Setting allowed trust to MACHINE_ADMIN or ENTERPRISE_ADMIN disables UI,
  6392. // only trusts publishers in the "TrustedPublisher" system store and
  6393. // inhibits the opening of the CurrentUser's .Default physical store when
  6394. // opening the CurrentUsers's "TrustedPublisher" system store.
  6395. //
  6396. // The .Default physical store open's the CurrentUser SystemRegistry
  6397. // "TrustedPublisher" store.
  6398. //
  6399. // Setting allowed trust to ENTERPRISE_ADMIN only opens the
  6400. // LocalMachine's .GroupPolicy and .Enterprise physical stores when opening
  6401. // the CurrentUser's "TrustedPublisher" system store or when opening the
  6402. // LocalMachine's "TrustedPublisher" system store.
  6403. #define CERT_TRUST_PUB_ALLOW_TRUST_MASK 0x00000003
  6404. #define CERT_TRUST_PUB_ALLOW_END_USER_TRUST 0x00000000
  6405. #define CERT_TRUST_PUB_ALLOW_MACHINE_ADMIN_TRUST 0x00000001
  6406. #define CERT_TRUST_PUB_ALLOW_ENTERPRISE_ADMIN_TRUST 0x00000002
  6407. // Set the following flag to enable revocation checking of the publisher
  6408. // chain.
  6409. #define CERT_TRUST_PUB_CHECK_PUBLISHER_REV_FLAG 0x00000100
  6410. // Set the following flag to enable revocation checking of the time stamp
  6411. // chain.
  6412. #define CERT_TRUST_PUB_CHECK_TIMESTAMP_REV_FLAG 0x00000200
  6413. //+-------------------------------------------------------------------------
  6414. // OCM Subcomponents Definitions
  6415. //--------------------------------------------------------------------------
  6416. // Registry path to the OCM Subcomponents local machine subkey
  6417. #define CERT_OCM_SUBCOMPONENTS_LOCAL_MACHINE_REGPATH \
  6418. L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\OC Manager\\Subcomponents"
  6419. // REG_DWORD, 1 is installed, 0 is NOT installed
  6420. #define CERT_OCM_SUBCOMPONENTS_ROOT_AUTO_UPDATE_VALUE_NAME L"RootAutoUpdate"
  6421. //+-------------------------------------------------------------------------
  6422. // AuthRoot Auto Update Definitions
  6423. //--------------------------------------------------------------------------
  6424. // Registry path to the AuthRoot "Auto Update" local machine subkey
  6425. #define CERT_AUTH_ROOT_AUTO_UPDATE_LOCAL_MACHINE_REGPATH \
  6426. CERT_LOCAL_MACHINE_SYSTEM_STORE_REGPATH L"\\AuthRoot\\AutoUpdate"
  6427. // AuthRoot Auto Update subkey value names.
  6428. // REG_SZ, URL to the directory containing the AuthRoots, CTL and Seq files
  6429. #define CERT_AUTH_ROOT_AUTO_UPDATE_ROOT_DIR_URL_VALUE_NAME L"RootDirUrl"
  6430. // REG_DWORD, seconds between syncs. 0 implies use default.
  6431. #define CERT_AUTH_ROOT_AUTO_UPDATE_SYNC_DELTA_TIME_VALUE_NAME L"SyncDeltaTime"
  6432. // REG_DWORD, misc flags
  6433. #define CERT_AUTH_ROOT_AUTO_UPDATE_FLAGS_VALUE_NAME L"Flags"
  6434. #define CERT_AUTH_ROOT_AUTO_UPDATE_DISABLE_UNTRUSTED_ROOT_LOGGING_FLAG 0x1
  6435. #define CERT_AUTH_ROOT_AUTO_UPDATE_DISABLE_PARTIAL_CHAIN_LOGGING_FLAG 0x2
  6436. // AuthRoot Auto Update filenames
  6437. // CTL containing the list of certs in the AuthRoot store
  6438. #define CERT_AUTH_ROOT_CTL_FILENAME L"authroot.stl"
  6439. #define CERT_AUTH_ROOT_CTL_FILENAME_A "authroot.stl"
  6440. // Cab containing the above CTL
  6441. #define CERT_AUTH_ROOT_CAB_FILENAME L"authrootstl.cab"
  6442. // SequenceNumber (Formatted as big endian ascii hex)
  6443. #define CERT_AUTH_ROOT_SEQ_FILENAME L"authrootseq.txt"
  6444. // Root certs extension
  6445. #define CERT_AUTH_ROOT_CERT_EXT L".crt"
  6446. //+-------------------------------------------------------------------------
  6447. // Certificate Registry Store Flag Values (CERT_STORE_REG)
  6448. //--------------------------------------------------------------------------
  6449. // Set this flag if the HKEY passed in pvPara points to a remote computer
  6450. // registry key.
  6451. #define CERT_REGISTRY_STORE_REMOTE_FLAG 0x10000
  6452. // Set this flag if the contexts are to be persisted as a single serialized
  6453. // store in the registry. Mainly used for stores downloaded from the GPT.
  6454. // Such as the CurrentUserGroupPolicy or LocalMachineGroupPolicy stores.
  6455. #define CERT_REGISTRY_STORE_SERIALIZED_FLAG 0x20000
  6456. // The following flags are for internal use. When set, the
  6457. // pvPara parameter passed to CertOpenStore is a pointer to the following
  6458. // data structure and not the HKEY. The above CERT_REGISTRY_STORE_REMOTE_FLAG
  6459. // is also set if hKeyBase was obtained via RegConnectRegistry().
  6460. #define CERT_REGISTRY_STORE_CLIENT_GPT_FLAG 0x80000000
  6461. #define CERT_REGISTRY_STORE_LM_GPT_FLAG 0x01000000
  6462. typedef struct _CERT_REGISTRY_STORE_CLIENT_GPT_PARA {
  6463. HKEY hKeyBase;
  6464. LPWSTR pwszRegPath;
  6465. } CERT_REGISTRY_STORE_CLIENT_GPT_PARA, *PCERT_REGISTRY_STORE_CLIENT_GPT_PARA;
  6466. // The following flag is for internal use. When set, the contexts are
  6467. // persisted into roaming files instead of the registry. Such as, the
  6468. // CurrentUser "My" store. When this flag is set, the following data structure
  6469. // is passed to CertOpenStore instead of HKEY.
  6470. #define CERT_REGISTRY_STORE_ROAMING_FLAG 0x40000
  6471. // hKey may be NULL or non-NULL. When non-NULL, existing contexts are
  6472. // moved from the registry to roaming files.
  6473. typedef struct _CERT_REGISTRY_STORE_ROAMING_PARA {
  6474. HKEY hKey;
  6475. LPWSTR pwszStoreDirectory;
  6476. } CERT_REGISTRY_STORE_ROAMING_PARA, *PCERT_REGISTRY_STORE_ROAMING_PARA;
  6477. // The following flag is for internal use. When set, the "My" DWORD value
  6478. // at HKLM\Software\Microsoft\Cryptography\IEDirtyFlags is set to 0x1
  6479. // whenever a certificate is added to the registry store.
  6480. #define CERT_REGISTRY_STORE_MY_IE_DIRTY_FLAG 0x80000
  6481. // Registry path to the subkey containing the "My" DWORD value to be set
  6482. #define CERT_IE_DIRTY_FLAGS_REGPATH \
  6483. L"Software\\Microsoft\\Cryptography\\IEDirtyFlags"
  6484. //+-------------------------------------------------------------------------
  6485. // Certificate File Store Flag Values for the providers:
  6486. // CERT_STORE_PROV_FILE
  6487. // CERT_STORE_PROV_FILENAME
  6488. // CERT_STORE_PROV_FILENAME_A
  6489. // CERT_STORE_PROV_FILENAME_W
  6490. // sz_CERT_STORE_PROV_FILENAME_W
  6491. //--------------------------------------------------------------------------
  6492. // Set this flag if any store changes are to be committed to the file.
  6493. // The changes are committed at CertCloseStore or by calling
  6494. // CertControlStore(CERT_STORE_CTRL_COMMIT).
  6495. //
  6496. // The open fails with E_INVALIDARG if both CERT_FILE_STORE_COMMIT_ENABLE_FLAG
  6497. // and CERT_STORE_READONLY_FLAG are set in dwFlags.
  6498. //
  6499. // For the FILENAME providers: if the file contains an X509 encoded
  6500. // certificate, the open fails with ERROR_ACCESS_DENIED.
  6501. //
  6502. // For the FILENAME providers: if CERT_STORE_CREATE_NEW_FLAG is set, the
  6503. // CreateFile uses CREATE_NEW. If CERT_STORE_OPEN_EXISTING is set, uses
  6504. // OPEN_EXISTING. Otherwise, defaults to OPEN_ALWAYS.
  6505. //
  6506. // For the FILENAME providers: the file is committed as either a PKCS7 or
  6507. // serialized store depending on the type read at open. However, if the
  6508. // file is empty then, if the filename has either a ".p7c" or ".spc"
  6509. // extension its committed as a PKCS7. Otherwise, its committed as a
  6510. // serialized store.
  6511. //
  6512. // For CERT_STORE_PROV_FILE, the file handle is duplicated. Its always
  6513. // committed as a serialized store.
  6514. //
  6515. #define CERT_FILE_STORE_COMMIT_ENABLE_FLAG 0x10000
  6516. //+-------------------------------------------------------------------------
  6517. // Certificate LDAP Store Flag Values for the providers:
  6518. // CERT_STORE_PROV_LDAP
  6519. // CERT_STORE_PROV_LDAP_W
  6520. // sz_CERT_STORE_PROV_LDAP_W
  6521. // sz_CERT_STORE_PROV_LDAP
  6522. //--------------------------------------------------------------------------
  6523. // Set this flag to digitally sign all of the ldap traffic to and from a
  6524. // Windows 2000 LDAP server using the Kerberos authentication protocol.
  6525. // This feature provides integrity required by some applications.
  6526. //
  6527. #define CERT_LDAP_STORE_SIGN_FLAG 0x10000
  6528. // Performs an A-Record only DNS lookup on the supplied host string.
  6529. // This prevents bogus DNS queries from being generated when resolving host
  6530. // names. Use this flag whenever passing a hostname as opposed to a
  6531. // domain name for the hostname parameter.
  6532. //
  6533. // See LDAP_OPT_AREC_EXCLUSIVE defined in winldap.h for more details.
  6534. #define CERT_LDAP_STORE_AREC_EXCLUSIVE_FLAG 0x20000
  6535. //+-------------------------------------------------------------------------
  6536. // Open the cert store using the specified store provider.
  6537. //
  6538. // If CERT_STORE_DELETE_FLAG is set, then, the store is deleted. NULL is
  6539. // returned for both success and failure. However, GetLastError() returns 0
  6540. // for success and nonzero for failure.
  6541. //
  6542. // If CERT_STORE_SET_LOCALIZED_NAME_FLAG is set, then, if supported, the
  6543. // provider sets the store's CERT_STORE_LOCALIZED_NAME_PROP_ID property.
  6544. // The store's localized name can be retrieved by calling
  6545. // CertSetStoreProperty(dwPropID = CERT_STORE_LOCALIZED_NAME_PROP_ID).
  6546. // This flag is supported by the following providers (and their sz_
  6547. // equivalent):
  6548. // CERT_STORE_PROV_FILENAME_A
  6549. // CERT_STORE_PROV_FILENAME_W
  6550. // CERT_STORE_PROV_SYSTEM_A
  6551. // CERT_STORE_PROV_SYSTEM_W
  6552. // CERT_STORE_PROV_SYSTEM_REGISTRY_A
  6553. // CERT_STORE_PROV_SYSTEM_REGISTRY_W
  6554. // CERT_STORE_PROV_PHYSICAL_W
  6555. //
  6556. // If CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG is set, then, the
  6557. // closing of the store's provider is deferred until all certificate,
  6558. // CRL and CTL contexts obtained from the store are freed. Also,
  6559. // if a non NULL HCRYPTPROV was passed, then, it will continue to be used.
  6560. // By default, the store's provider is closed on the final CertCloseStore.
  6561. // If this flag isn't set, then, any property changes made to previously
  6562. // duplicated contexts after the final CertCloseStore will not be persisted.
  6563. // By setting this flag, property changes made
  6564. // after the CertCloseStore will be persisted. Note, setting this flag
  6565. // causes extra overhead in doing context duplicates and frees.
  6566. // If CertCloseStore is called with CERT_CLOSE_STORE_FORCE_FLAG, then,
  6567. // the CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG flag is ignored.
  6568. //
  6569. // CERT_STORE_MANIFOLD_FLAG can be set to check for certificates having the
  6570. // manifold extension and archive the "older" certificates with the same
  6571. // manifold extension value. A certificate is archived by setting the
  6572. // CERT_ARCHIVED_PROP_ID.
  6573. //
  6574. // By default, contexts having the CERT_ARCHIVED_PROP_ID, are skipped
  6575. // during enumeration. CERT_STORE_ENUM_ARCHIVED_FLAG can be set to include
  6576. // archived contexts when enumerating. Note, contexts having the
  6577. // CERT_ARCHIVED_PROP_ID are still found for explicit finds, such as,
  6578. // finding a context with a specific hash or finding a certificate having
  6579. // a specific issuer and serial number.
  6580. //
  6581. // CERT_STORE_UPDATE_KEYID_FLAG can be set to also update the Key Identifier's
  6582. // CERT_KEY_PROV_INFO_PROP_ID property whenever a certificate's
  6583. // CERT_KEY_IDENTIFIER_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID property is set
  6584. // and the other property already exists. If the Key Identifier's
  6585. // CERT_KEY_PROV_INFO_PROP_ID already exists, it isn't updated. Any
  6586. // errors encountered are silently ignored.
  6587. //
  6588. // By default, this flag is implicitly set for the "My\.Default" CurrentUser
  6589. // and LocalMachine physical stores.
  6590. //
  6591. // CERT_STORE_READONLY_FLAG can be set to open the store as read only.
  6592. // Otherwise, the store is opened as read/write.
  6593. //
  6594. // CERT_STORE_OPEN_EXISTING_FLAG can be set to only open an existing
  6595. // store. CERT_STORE_CREATE_NEW_FLAG can be set to create a new store and
  6596. // fail if the store already exists. Otherwise, the default is to open
  6597. // an existing store or create a new store if it doesn't already exist.
  6598. //
  6599. // hCryptProv specifies the crypto provider to use to create the hash
  6600. // properties or verify the signature of a subject certificate or CRL.
  6601. // The store doesn't need to use a private
  6602. // key. If the CERT_STORE_NO_CRYPT_RELEASE_FLAG isn't set, hCryptProv is
  6603. // CryptReleaseContext'ed on the final CertCloseStore.
  6604. //
  6605. // Note, if the open fails, hCryptProv is released if it would have been
  6606. // released when the store was closed.
  6607. //
  6608. // If hCryptProv is zero, then, the default provider and container for the
  6609. // PROV_RSA_FULL provider type is CryptAcquireContext'ed with
  6610. // CRYPT_VERIFYCONTEXT access. The CryptAcquireContext is deferred until
  6611. // the first create hash or verify signature. In addition, once acquired,
  6612. // the default provider isn't released until process exit when crypt32.dll
  6613. // is unloaded. The acquired default provider is shared across all stores
  6614. // and threads.
  6615. //
  6616. // After initializing the store's data structures and optionally acquiring a
  6617. // default crypt provider, CertOpenStore calls CryptGetOIDFunctionAddress to
  6618. // get the address of the CRYPT_OID_OPEN_STORE_PROV_FUNC specified by
  6619. // lpszStoreProvider. Since a store can contain certificates with different
  6620. // encoding types, CryptGetOIDFunctionAddress is called with dwEncodingType
  6621. // set to 0 and not the dwEncodingType passed to CertOpenStore.
  6622. // PFN_CERT_DLL_OPEN_STORE_FUNC specifies the signature of the provider's
  6623. // open function. This provider open function is called to load the
  6624. // store's certificates and CRLs. Optionally, the provider may return an
  6625. // array of functions called before a certificate or CRL is added or deleted
  6626. // or has a property that is set.
  6627. //
  6628. // Use of the dwEncodingType parameter is provider dependent. The type
  6629. // definition for pvPara also depends on the provider.
  6630. //
  6631. // Store providers are installed or registered via
  6632. // CryptInstallOIDFunctionAddress or CryptRegisterOIDFunction, where,
  6633. // dwEncodingType is 0 and pszFuncName is CRYPT_OID_OPEN_STORE_PROV_FUNC.
  6634. //
  6635. // Here's a list of the predefined provider types (implemented in crypt32.dll):
  6636. //
  6637. // CERT_STORE_PROV_MSG:
  6638. // Gets the certificates and CRLs from the specified cryptographic message.
  6639. // dwEncodingType contains the message and certificate encoding types.
  6640. // The message's handle is passed in pvPara. Given,
  6641. // HCRYPTMSG hCryptMsg; pvPara = (const void *) hCryptMsg;
  6642. //
  6643. // CERT_STORE_PROV_MEMORY
  6644. // sz_CERT_STORE_PROV_MEMORY:
  6645. // Opens a store without any initial certificates or CRLs. pvPara
  6646. // isn't used.
  6647. //
  6648. // CERT_STORE_PROV_FILE:
  6649. // Reads the certificates and CRLs from the specified file. The file's
  6650. // handle is passed in pvPara. Given,
  6651. // HANDLE hFile; pvPara = (const void *) hFile;
  6652. //
  6653. // For a successful open, the file pointer is advanced past
  6654. // the certificates and CRLs and their properties read from the file.
  6655. // Note, only expects a serialized store and not a file containing
  6656. // either a PKCS #7 signed message or a single encoded certificate.
  6657. //
  6658. // The hFile isn't closed.
  6659. //
  6660. // CERT_STORE_PROV_REG:
  6661. // Reads the certificates and CRLs from the registry. The registry's
  6662. // key handle is passed in pvPara. Given,
  6663. // HKEY hKey; pvPara = (const void *) hKey;
  6664. //
  6665. // The input hKey isn't closed by the provider. Before returning, the
  6666. // provider opens it own copy of the hKey.
  6667. //
  6668. // If CERT_STORE_READONLY_FLAG is set, then, the registry subkeys are
  6669. // RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry subkeys
  6670. // are RegCreateKey'ed with KEY_ALL_ACCESS.
  6671. //
  6672. // This provider returns the array of functions for reading, writing,
  6673. // deleting and property setting certificates and CRLs.
  6674. // Any changes to the opened store are immediately pushed through to
  6675. // the registry. However, if CERT_STORE_READONLY_FLAG is set, then,
  6676. // writing, deleting or property setting results in a
  6677. // SetLastError(E_ACCESSDENIED).
  6678. //
  6679. // Note, all the certificates and CRLs are read from the registry
  6680. // when the store is opened. The opened store serves as a write through
  6681. // cache.
  6682. //
  6683. // If CERT_REGISTRY_STORE_SERIALIZED_FLAG is set, then, the
  6684. // contexts are persisted as a single serialized store subkey in the
  6685. // registry.
  6686. //
  6687. // CERT_STORE_PROV_PKCS7:
  6688. // sz_CERT_STORE_PROV_PKCS7:
  6689. // Gets the certificates and CRLs from the encoded PKCS #7 signed message.
  6690. // dwEncodingType specifies the message and certificate encoding types.
  6691. // The pointer to the encoded message's blob is passed in pvPara. Given,
  6692. // CRYPT_DATA_BLOB EncodedMsg; pvPara = (const void *) &EncodedMsg;
  6693. //
  6694. // Note, also supports the IE3.0 special version of a
  6695. // PKCS #7 signed message referred to as a "SPC" formatted message.
  6696. //
  6697. // CERT_STORE_PROV_SERIALIZED:
  6698. // sz_CERT_STORE_PROV_SERIALIZED:
  6699. // Gets the certificates and CRLs from memory containing a serialized
  6700. // store. The pointer to the serialized memory blob is passed in pvPara.
  6701. // Given,
  6702. // CRYPT_DATA_BLOB Serialized; pvPara = (const void *) &Serialized;
  6703. //
  6704. // CERT_STORE_PROV_FILENAME_A:
  6705. // CERT_STORE_PROV_FILENAME_W:
  6706. // CERT_STORE_PROV_FILENAME:
  6707. // sz_CERT_STORE_PROV_FILENAME_W:
  6708. // sz_CERT_STORE_PROV_FILENAME:
  6709. // Opens the file and first attempts to read as a serialized store. Then,
  6710. // as a PKCS #7 signed message. Finally, as a single encoded certificate.
  6711. // The filename is passed in pvPara. The filename is UNICODE for the
  6712. // "_W" provider and ASCII for the "_A" provider. For "_W": given,
  6713. // LPCWSTR pwszFilename; pvPara = (const void *) pwszFilename;
  6714. // For "_A": given,
  6715. // LPCSTR pszFilename; pvPara = (const void *) pszFilename;
  6716. //
  6717. // Note, the default (without "_A" or "_W") is unicode.
  6718. //
  6719. // Note, also supports the reading of the IE3.0 special version of a
  6720. // PKCS #7 signed message file referred to as a "SPC" formatted file.
  6721. //
  6722. // CERT_STORE_PROV_SYSTEM_A:
  6723. // CERT_STORE_PROV_SYSTEM_W:
  6724. // CERT_STORE_PROV_SYSTEM:
  6725. // sz_CERT_STORE_PROV_SYSTEM_W:
  6726. // sz_CERT_STORE_PROV_SYSTEM:
  6727. // Opens the specified logical "System" store. The upper word of the
  6728. // dwFlags parameter is used to specify the location of the system store.
  6729. //
  6730. // A "System" store is a collection consisting of one or more "Physical"
  6731. // stores. A "Physical" store is registered via the
  6732. // CertRegisterPhysicalStore API. Each of the registered physical stores
  6733. // is CertStoreOpen'ed and added to the collection via
  6734. // CertAddStoreToCollection.
  6735. //
  6736. // The CERT_SYSTEM_STORE_CURRENT_USER, CERT_SYSTEM_STORE_LOCAL_MACHINE,
  6737. // CERT_SYSTEM_STORE_CURRENT_SERVICE, CERT_SYSTEM_STORE_SERVICES,
  6738. // CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY,
  6739. // CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and
  6740. // CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRSE
  6741. // system stores by default have a "SystemRegistry" store that is
  6742. // opened and added to the collection.
  6743. //
  6744. // The system store name is passed in pvPara. The name is UNICODE for the
  6745. // "_W" provider and ASCII for the "_A" provider. For "_W": given,
  6746. // LPCWSTR pwszSystemName; pvPara = (const void *) pwszSystemName;
  6747. // For "_A": given,
  6748. // LPCSTR pszSystemName; pvPara = (const void *) pszSystemName;
  6749. //
  6750. // Note, the default (without "_A" or "_W") is UNICODE.
  6751. //
  6752. // The system store name can't contain any backslashes.
  6753. //
  6754. // If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvPara
  6755. // points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure instead
  6756. // of pointing to a null terminated UNICODE or ASCII string.
  6757. // Sibling physical stores are also opened as relocated using
  6758. // pvPara's hKeyBase.
  6759. //
  6760. // The CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS system
  6761. // store name must be prefixed with the ServiceName or UserName.
  6762. // For example, "ServiceName\Trust".
  6763. //
  6764. // Stores on remote computers can be accessed for the
  6765. // CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_SERVICES,
  6766. // CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
  6767. // or CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
  6768. // locations by prepending the computer name. For example, a remote
  6769. // local machine store is accessed via "\\ComputerName\Trust" or
  6770. // "ComputerName\Trust". A remote service store is accessed via
  6771. // "\\ComputerName\ServiceName\Trust". The leading "\\" backslashes are
  6772. // optional in the ComputerName.
  6773. //
  6774. // If CERT_STORE_READONLY_FLAG is set, then, the registry is
  6775. // RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry is
  6776. // RegCreateKey'ed with KEY_ALL_ACCESS.
  6777. //
  6778. // The "root" store is treated differently from the other system
  6779. // stores. Before a certificate is added to or deleted from the "root"
  6780. // store, a pop up message box is displayed. The certificate's subject,
  6781. // issuer, serial number, time validity, sha1 and md5 thumbprints are
  6782. // displayed. The user is given the option to do the add or delete.
  6783. // If they don't allow the operation, LastError is set to E_ACCESSDENIED.
  6784. //
  6785. // CERT_STORE_PROV_SYSTEM_REGISTRY_A
  6786. // CERT_STORE_PROV_SYSTEM_REGISTRY_W
  6787. // CERT_STORE_PROV_SYSTEM_REGISTRY
  6788. // sz_CERT_STORE_PROV_SYSTEM_REGISTRY_W
  6789. // sz_CERT_STORE_PROV_SYSTEM_REGISTRY
  6790. // Opens the "System" store's default "Physical" store residing in the
  6791. // registry. The upper word of the dwFlags
  6792. // parameter is used to specify the location of the system store.
  6793. //
  6794. // After opening the registry key associated with the system name,
  6795. // the CERT_STORE_PROV_REG provider is called to complete the open.
  6796. //
  6797. // The system store name is passed in pvPara. The name is UNICODE for the
  6798. // "_W" provider and ASCII for the "_A" provider. For "_W": given,
  6799. // LPCWSTR pwszSystemName; pvPara = (const void *) pwszSystemName;
  6800. // For "_A": given,
  6801. // LPCSTR pszSystemName; pvPara = (const void *) pszSystemName;
  6802. //
  6803. // Note, the default (without "_A" or "_W") is UNICODE.
  6804. //
  6805. // If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvPara
  6806. // points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure instead
  6807. // of pointing to a null terminated UNICODE or ASCII string.
  6808. //
  6809. // See above for details on prepending a ServiceName and/or ComputerName
  6810. // to the store name.
  6811. //
  6812. // If CERT_STORE_READONLY_FLAG is set, then, the registry is
  6813. // RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry is
  6814. // RegCreateKey'ed with KEY_ALL_ACCESS.
  6815. //
  6816. // The "root" store is treated differently from the other system
  6817. // stores. Before a certificate is added to or deleted from the "root"
  6818. // store, a pop up message box is displayed. The certificate's subject,
  6819. // issuer, serial number, time validity, sha1 and md5 thumbprints are
  6820. // displayed. The user is given the option to do the add or delete.
  6821. // If they don't allow the operation, LastError is set to E_ACCESSDENIED.
  6822. //
  6823. // CERT_STORE_PROV_PHYSICAL_W
  6824. // CERT_STORE_PROV_PHYSICAL
  6825. // sz_CERT_STORE_PROV_PHYSICAL_W
  6826. // sz_CERT_STORE_PROV_PHYSICAL
  6827. // Opens the specified "Physical" store in the "System" store.
  6828. //
  6829. // Both the system store and physical names are passed in pvPara. The
  6830. // names are separated with an intervening "\". For example,
  6831. // "Root\.Default". The string is UNICODE.
  6832. //
  6833. // The system and physical store names can't contain any backslashes.
  6834. //
  6835. // If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvPara
  6836. // points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure instead
  6837. // of pointing to a null terminated UNICODE string.
  6838. // The specified physical store is opened as relocated using pvPara's
  6839. // hKeyBase.
  6840. //
  6841. // For CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS,
  6842. // the system and physical store names
  6843. // must be prefixed with the ServiceName or UserName. For example,
  6844. // "ServiceName\Root\.Default".
  6845. //
  6846. // Physical stores on remote computers can be accessed for the
  6847. // CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_SERVICES,
  6848. // CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
  6849. // or CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
  6850. // locations by prepending the computer name. For example, a remote
  6851. // local machine store is accessed via "\\ComputerName\Root\.Default"
  6852. // or "ComputerName\Root\.Default". A remote service store is
  6853. // accessed via "\\ComputerName\ServiceName\Root\.Default". The
  6854. // leading "\\" backslashes are optional in the ComputerName.
  6855. //
  6856. // CERT_STORE_PROV_COLLECTION
  6857. // sz_CERT_STORE_PROV_COLLECTION
  6858. // Opens a store that is a collection of other stores. Stores are
  6859. // added or removed to/from the collection via the CertAddStoreToCollection
  6860. // and CertRemoveStoreFromCollection APIs.
  6861. //
  6862. // CERT_STORE_PROV_SMART_CARD_W
  6863. // CERT_STORE_PROV_SMART_CARD
  6864. // sz_CERT_STORE_PROV_SMART_CARD_W
  6865. // sz_CERT_STORE_PROV_SMART_CARD
  6866. // Opens a store instantiated over a particular smart card storage. pvPara
  6867. // identifies where on the card the store is located and is of the
  6868. // following format:
  6869. //
  6870. // Card Name\Provider Name\Provider Type[\Container Name]
  6871. //
  6872. // Container Name is optional and if NOT specified the Card Name is used
  6873. // as the Container Name. Future versions of the provider will support
  6874. // instantiating the store over the entire card in which case just
  6875. // Card Name ( or id ) will be sufficient.
  6876. //
  6877. // Here's a list of the predefined provider types (implemented in
  6878. // cryptnet.dll):
  6879. //
  6880. // CERT_STORE_PROV_LDAP_W
  6881. // CERT_STORE_PROV_LDAP
  6882. // sz_CERT_STORE_PROV_LDAP_W
  6883. // sz_CERT_STORE_PROV_LDAP
  6884. // Opens a store over the results of the query specified by and LDAP
  6885. // URL which is passed in via pvPara. In order to do writes to the
  6886. // store the URL must specify a BASE query, no filter and a single
  6887. // attribute.
  6888. //
  6889. //--------------------------------------------------------------------------
  6890. WINCRYPT32API
  6891. HCERTSTORE
  6892. WINAPI
  6893. CertOpenStore(
  6894. IN LPCSTR lpszStoreProvider,
  6895. IN DWORD dwEncodingType,
  6896. IN HCRYPTPROV hCryptProv,
  6897. IN DWORD dwFlags,
  6898. IN const void *pvPara
  6899. );
  6900. //+-------------------------------------------------------------------------
  6901. // OID Installable Certificate Store Provider Data Structures
  6902. //--------------------------------------------------------------------------
  6903. // Handle returned by the store provider when opened.
  6904. typedef void *HCERTSTOREPROV;
  6905. // Store Provider OID function's pszFuncName.
  6906. #define CRYPT_OID_OPEN_STORE_PROV_FUNC "CertDllOpenStoreProv"
  6907. // Note, the Store Provider OID function's dwEncodingType is always 0.
  6908. // The following information is returned by the provider when opened. Its
  6909. // zeroed with cbSize set before the provider is called. If the provider
  6910. // doesn't need to be called again after the open it doesn't need to
  6911. // make any updates to the CERT_STORE_PROV_INFO.
  6912. typedef struct _CERT_STORE_PROV_INFO {
  6913. DWORD cbSize;
  6914. DWORD cStoreProvFunc;
  6915. void **rgpvStoreProvFunc;
  6916. HCERTSTOREPROV hStoreProv;
  6917. DWORD dwStoreProvFlags;
  6918. HCRYPTOIDFUNCADDR hStoreProvFuncAddr2;
  6919. } CERT_STORE_PROV_INFO, *PCERT_STORE_PROV_INFO;
  6920. // Definition of the store provider's open function.
  6921. //
  6922. // *pStoreProvInfo has been zeroed before the call.
  6923. //
  6924. // Note, pStoreProvInfo->cStoreProvFunc should be set last. Once set,
  6925. // all subsequent store calls, such as CertAddSerializedElementToStore will
  6926. // call the appropriate provider callback function.
  6927. typedef BOOL (WINAPI *PFN_CERT_DLL_OPEN_STORE_PROV_FUNC)(
  6928. IN LPCSTR lpszStoreProvider,
  6929. IN DWORD dwEncodingType,
  6930. IN HCRYPTPROV hCryptProv,
  6931. IN DWORD dwFlags,
  6932. IN const void *pvPara,
  6933. IN HCERTSTORE hCertStore,
  6934. IN OUT PCERT_STORE_PROV_INFO pStoreProvInfo
  6935. );
  6936. // The open callback sets the following flag, if it maintains its
  6937. // contexts externally and not in the cached store.
  6938. #define CERT_STORE_PROV_EXTERNAL_FLAG 0x1
  6939. // The open callback sets the following flag for a successful delete.
  6940. // When set, the close callback isn't called.
  6941. #define CERT_STORE_PROV_DELETED_FLAG 0x2
  6942. // The open callback sets the following flag if it doesn't persist store
  6943. // changes.
  6944. #define CERT_STORE_PROV_NO_PERSIST_FLAG 0x4
  6945. // The open callback sets the following flag if the contexts are persisted
  6946. // to a system store.
  6947. #define CERT_STORE_PROV_SYSTEM_STORE_FLAG 0x8
  6948. // Indices into the store provider's array of callback functions.
  6949. //
  6950. // The provider can implement any subset of the following functions. It
  6951. // sets pStoreProvInfo->cStoreProvFunc to the last index + 1 and any
  6952. // preceding not implemented functions to NULL.
  6953. #define CERT_STORE_PROV_CLOSE_FUNC 0
  6954. #define CERT_STORE_PROV_READ_CERT_FUNC 1
  6955. #define CERT_STORE_PROV_WRITE_CERT_FUNC 2
  6956. #define CERT_STORE_PROV_DELETE_CERT_FUNC 3
  6957. #define CERT_STORE_PROV_SET_CERT_PROPERTY_FUNC 4
  6958. #define CERT_STORE_PROV_READ_CRL_FUNC 5
  6959. #define CERT_STORE_PROV_WRITE_CRL_FUNC 6
  6960. #define CERT_STORE_PROV_DELETE_CRL_FUNC 7
  6961. #define CERT_STORE_PROV_SET_CRL_PROPERTY_FUNC 8
  6962. #define CERT_STORE_PROV_READ_CTL_FUNC 9
  6963. #define CERT_STORE_PROV_WRITE_CTL_FUNC 10
  6964. #define CERT_STORE_PROV_DELETE_CTL_FUNC 11
  6965. #define CERT_STORE_PROV_SET_CTL_PROPERTY_FUNC 12
  6966. #define CERT_STORE_PROV_CONTROL_FUNC 13
  6967. #define CERT_STORE_PROV_FIND_CERT_FUNC 14
  6968. #define CERT_STORE_PROV_FREE_FIND_CERT_FUNC 15
  6969. #define CERT_STORE_PROV_GET_CERT_PROPERTY_FUNC 16
  6970. #define CERT_STORE_PROV_FIND_CRL_FUNC 17
  6971. #define CERT_STORE_PROV_FREE_FIND_CRL_FUNC 18
  6972. #define CERT_STORE_PROV_GET_CRL_PROPERTY_FUNC 19
  6973. #define CERT_STORE_PROV_FIND_CTL_FUNC 20
  6974. #define CERT_STORE_PROV_FREE_FIND_CTL_FUNC 21
  6975. #define CERT_STORE_PROV_GET_CTL_PROPERTY_FUNC 22
  6976. // Called by CertCloseStore when the store's reference count is
  6977. // decremented to 0.
  6978. typedef void (WINAPI *PFN_CERT_STORE_PROV_CLOSE)(
  6979. IN HCERTSTOREPROV hStoreProv,
  6980. IN DWORD dwFlags
  6981. );
  6982. // Currently not called directly by the store APIs. However, may be exported
  6983. // to support other providers based on it.
  6984. //
  6985. // Reads the provider's copy of the certificate context. If it exists,
  6986. // creates a new certificate context.
  6987. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_READ_CERT)(
  6988. IN HCERTSTOREPROV hStoreProv,
  6989. IN PCCERT_CONTEXT pStoreCertContext,
  6990. IN DWORD dwFlags,
  6991. OUT PCCERT_CONTEXT *ppProvCertContext
  6992. );
  6993. #define CERT_STORE_PROV_WRITE_ADD_FLAG 0x1
  6994. // Called by CertAddEncodedCertificateToStore,
  6995. // CertAddCertificateContextToStore or CertAddSerializedElementToStore before
  6996. // adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
  6997. // addition to the encoded certificate, the added pCertContext might also
  6998. // have properties.
  6999. //
  7000. // Returns TRUE if its OK to update the the store.
  7001. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_WRITE_CERT)(
  7002. IN HCERTSTOREPROV hStoreProv,
  7003. IN PCCERT_CONTEXT pCertContext,
  7004. IN DWORD dwFlags
  7005. );
  7006. // Called by CertDeleteCertificateFromStore before deleting from the
  7007. // store.
  7008. //
  7009. // Returns TRUE if its OK to delete from the store.
  7010. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_DELETE_CERT)(
  7011. IN HCERTSTOREPROV hStoreProv,
  7012. IN PCCERT_CONTEXT pCertContext,
  7013. IN DWORD dwFlags
  7014. );
  7015. // Called by CertSetCertificateContextProperty before setting the
  7016. // certificate's property. Also called by CertGetCertificateContextProperty,
  7017. // when getting a hash property that needs to be created and then persisted
  7018. // via the set.
  7019. //
  7020. // Upon input, the property hasn't been set for the pCertContext parameter.
  7021. //
  7022. // Returns TRUE if its OK to set the property.
  7023. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_SET_CERT_PROPERTY)(
  7024. IN HCERTSTOREPROV hStoreProv,
  7025. IN PCCERT_CONTEXT pCertContext,
  7026. IN DWORD dwPropId,
  7027. IN DWORD dwFlags,
  7028. IN const void *pvData
  7029. );
  7030. // Currently not called directly by the store APIs. However, may be exported
  7031. // to support other providers based on it.
  7032. //
  7033. // Reads the provider's copy of the CRL context. If it exists,
  7034. // creates a new CRL context.
  7035. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_READ_CRL)(
  7036. IN HCERTSTOREPROV hStoreProv,
  7037. IN PCCRL_CONTEXT pStoreCrlContext,
  7038. IN DWORD dwFlags,
  7039. OUT PCCRL_CONTEXT *ppProvCrlContext
  7040. );
  7041. // Called by CertAddEncodedCRLToStore,
  7042. // CertAddCRLContextToStore or CertAddSerializedElementToStore before
  7043. // adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
  7044. // addition to the encoded CRL, the added pCertContext might also
  7045. // have properties.
  7046. //
  7047. // Returns TRUE if its OK to update the the store.
  7048. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_WRITE_CRL)(
  7049. IN HCERTSTOREPROV hStoreProv,
  7050. IN PCCRL_CONTEXT pCrlContext,
  7051. IN DWORD dwFlags
  7052. );
  7053. // Called by CertDeleteCRLFromStore before deleting from the store.
  7054. //
  7055. // Returns TRUE if its OK to delete from the store.
  7056. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_DELETE_CRL)(
  7057. IN HCERTSTOREPROV hStoreProv,
  7058. IN PCCRL_CONTEXT pCrlContext,
  7059. IN DWORD dwFlags
  7060. );
  7061. // Called by CertSetCRLContextProperty before setting the
  7062. // CRL's property. Also called by CertGetCRLContextProperty,
  7063. // when getting a hash property that needs to be created and then persisted
  7064. // via the set.
  7065. //
  7066. // Upon input, the property hasn't been set for the pCrlContext parameter.
  7067. //
  7068. // Returns TRUE if its OK to set the property.
  7069. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_SET_CRL_PROPERTY)(
  7070. IN HCERTSTOREPROV hStoreProv,
  7071. IN PCCRL_CONTEXT pCrlContext,
  7072. IN DWORD dwPropId,
  7073. IN DWORD dwFlags,
  7074. IN const void *pvData
  7075. );
  7076. // Currently not called directly by the store APIs. However, may be exported
  7077. // to support other providers based on it.
  7078. //
  7079. // Reads the provider's copy of the CTL context. If it exists,
  7080. // creates a new CTL context.
  7081. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_READ_CTL)(
  7082. IN HCERTSTOREPROV hStoreProv,
  7083. IN PCCTL_CONTEXT pStoreCtlContext,
  7084. IN DWORD dwFlags,
  7085. OUT PCCTL_CONTEXT *ppProvCtlContext
  7086. );
  7087. // Called by CertAddEncodedCTLToStore,
  7088. // CertAddCTLContextToStore or CertAddSerializedElementToStore before
  7089. // adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
  7090. // addition to the encoded CTL, the added pCertContext might also
  7091. // have properties.
  7092. //
  7093. // Returns TRUE if its OK to update the the store.
  7094. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_WRITE_CTL)(
  7095. IN HCERTSTOREPROV hStoreProv,
  7096. IN PCCTL_CONTEXT pCtlContext,
  7097. IN DWORD dwFlags
  7098. );
  7099. // Called by CertDeleteCTLFromStore before deleting from the store.
  7100. //
  7101. // Returns TRUE if its OK to delete from the store.
  7102. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_DELETE_CTL)(
  7103. IN HCERTSTOREPROV hStoreProv,
  7104. IN PCCTL_CONTEXT pCtlContext,
  7105. IN DWORD dwFlags
  7106. );
  7107. // Called by CertSetCTLContextProperty before setting the
  7108. // CTL's property. Also called by CertGetCTLContextProperty,
  7109. // when getting a hash property that needs to be created and then persisted
  7110. // via the set.
  7111. //
  7112. // Upon input, the property hasn't been set for the pCtlContext parameter.
  7113. //
  7114. // Returns TRUE if its OK to set the property.
  7115. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_SET_CTL_PROPERTY)(
  7116. IN HCERTSTOREPROV hStoreProv,
  7117. IN PCCTL_CONTEXT pCtlContext,
  7118. IN DWORD dwPropId,
  7119. IN DWORD dwFlags,
  7120. IN const void *pvData
  7121. );
  7122. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_CONTROL)(
  7123. IN HCERTSTOREPROV hStoreProv,
  7124. IN DWORD dwFlags,
  7125. IN DWORD dwCtrlType,
  7126. IN void const *pvCtrlPara
  7127. );
  7128. typedef struct _CERT_STORE_PROV_FIND_INFO {
  7129. DWORD cbSize;
  7130. DWORD dwMsgAndCertEncodingType;
  7131. DWORD dwFindFlags;
  7132. DWORD dwFindType;
  7133. const void *pvFindPara;
  7134. } CERT_STORE_PROV_FIND_INFO, *PCERT_STORE_PROV_FIND_INFO;
  7135. typedef const CERT_STORE_PROV_FIND_INFO CCERT_STORE_PROV_FIND_INFO,
  7136. *PCCERT_STORE_PROV_FIND_INFO;
  7137. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_FIND_CERT)(
  7138. IN HCERTSTOREPROV hStoreProv,
  7139. IN PCCERT_STORE_PROV_FIND_INFO pFindInfo,
  7140. IN PCCERT_CONTEXT pPrevCertContext,
  7141. IN DWORD dwFlags,
  7142. IN OUT void **ppvStoreProvFindInfo,
  7143. OUT PCCERT_CONTEXT *ppProvCertContext
  7144. );
  7145. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_FREE_FIND_CERT)(
  7146. IN HCERTSTOREPROV hStoreProv,
  7147. IN PCCERT_CONTEXT pCertContext,
  7148. IN void *pvStoreProvFindInfo,
  7149. IN DWORD dwFlags
  7150. );
  7151. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_GET_CERT_PROPERTY)(
  7152. IN HCERTSTOREPROV hStoreProv,
  7153. IN PCCERT_CONTEXT pCertContext,
  7154. IN DWORD dwPropId,
  7155. IN DWORD dwFlags,
  7156. OUT void *pvData,
  7157. IN OUT DWORD *pcbData
  7158. );
  7159. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_FIND_CRL)(
  7160. IN HCERTSTOREPROV hStoreProv,
  7161. IN PCCERT_STORE_PROV_FIND_INFO pFindInfo,
  7162. IN PCCRL_CONTEXT pPrevCrlContext,
  7163. IN DWORD dwFlags,
  7164. IN OUT void **ppvStoreProvFindInfo,
  7165. OUT PCCRL_CONTEXT *ppProvCrlContext
  7166. );
  7167. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_FREE_FIND_CRL)(
  7168. IN HCERTSTOREPROV hStoreProv,
  7169. IN PCCRL_CONTEXT pCrlContext,
  7170. IN void *pvStoreProvFindInfo,
  7171. IN DWORD dwFlags
  7172. );
  7173. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_GET_CRL_PROPERTY)(
  7174. IN HCERTSTOREPROV hStoreProv,
  7175. IN PCCRL_CONTEXT pCrlContext,
  7176. IN DWORD dwPropId,
  7177. IN DWORD dwFlags,
  7178. OUT void *pvData,
  7179. IN OUT DWORD *pcbData
  7180. );
  7181. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_FIND_CTL)(
  7182. IN HCERTSTOREPROV hStoreProv,
  7183. IN PCCERT_STORE_PROV_FIND_INFO pFindInfo,
  7184. IN PCCTL_CONTEXT pPrevCtlContext,
  7185. IN DWORD dwFlags,
  7186. IN OUT void **ppvStoreProvFindInfo,
  7187. OUT PCCTL_CONTEXT *ppProvCtlContext
  7188. );
  7189. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_FREE_FIND_CTL)(
  7190. IN HCERTSTOREPROV hStoreProv,
  7191. IN PCCTL_CONTEXT pCtlContext,
  7192. IN void *pvStoreProvFindInfo,
  7193. IN DWORD dwFlags
  7194. );
  7195. typedef BOOL (WINAPI *PFN_CERT_STORE_PROV_GET_CTL_PROPERTY)(
  7196. IN HCERTSTOREPROV hStoreProv,
  7197. IN PCCTL_CONTEXT pCtlContext,
  7198. IN DWORD dwPropId,
  7199. IN DWORD dwFlags,
  7200. OUT void *pvData,
  7201. IN OUT DWORD *pcbData
  7202. );
  7203. //+-------------------------------------------------------------------------
  7204. // Duplicate a cert store handle
  7205. //--------------------------------------------------------------------------
  7206. WINCRYPT32API
  7207. HCERTSTORE
  7208. WINAPI
  7209. CertDuplicateStore(
  7210. IN HCERTSTORE hCertStore
  7211. );
  7212. #define CERT_STORE_SAVE_AS_STORE 1
  7213. #define CERT_STORE_SAVE_AS_PKCS7 2
  7214. #define CERT_STORE_SAVE_TO_FILE 1
  7215. #define CERT_STORE_SAVE_TO_MEMORY 2
  7216. #define CERT_STORE_SAVE_TO_FILENAME_A 3
  7217. #define CERT_STORE_SAVE_TO_FILENAME_W 4
  7218. #define CERT_STORE_SAVE_TO_FILENAME CERT_STORE_SAVE_TO_FILENAME_W
  7219. //+-------------------------------------------------------------------------
  7220. // Save the cert store. Extended version with lots of options.
  7221. //
  7222. // According to the dwSaveAs parameter, the store can be saved as a
  7223. // serialized store (CERT_STORE_SAVE_AS_STORE) containing properties in
  7224. // addition to encoded certificates, CRLs and CTLs or the store can be saved
  7225. // as a PKCS #7 signed message (CERT_STORE_SAVE_AS_PKCS7) which doesn't
  7226. // include the properties or CTLs.
  7227. //
  7228. // Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
  7229. // CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't saved into
  7230. // a serialized store.
  7231. //
  7232. // For CERT_STORE_SAVE_AS_PKCS7, the dwEncodingType specifies the message
  7233. // encoding type. The dwEncodingType parameter isn't used for
  7234. // CERT_STORE_SAVE_AS_STORE.
  7235. //
  7236. // The dwFlags parameter currently isn't used and should be set to 0.
  7237. //
  7238. // The dwSaveTo and pvSaveToPara parameters specify where to save the
  7239. // store as follows:
  7240. // CERT_STORE_SAVE_TO_FILE:
  7241. // Saves to the specified file. The file's handle is passed in
  7242. // pvSaveToPara. Given,
  7243. // HANDLE hFile; pvSaveToPara = (void *) hFile;
  7244. //
  7245. // For a successful save, the file pointer is positioned after the
  7246. // last write.
  7247. //
  7248. // CERT_STORE_SAVE_TO_MEMORY:
  7249. // Saves to the specified memory blob. The pointer to
  7250. // the memory blob is passed in pvSaveToPara. Given,
  7251. // CRYPT_DATA_BLOB SaveBlob; pvSaveToPara = (void *) &SaveBlob;
  7252. // Upon entry, the SaveBlob's pbData and cbData need to be initialized.
  7253. // Upon return, cbData is updated with the actual length.
  7254. // For a length only calculation, pbData should be set to NULL. If
  7255. // pbData is non-NULL and cbData isn't large enough, FALSE is returned
  7256. // with a last error of ERRROR_MORE_DATA.
  7257. //
  7258. // CERT_STORE_SAVE_TO_FILENAME_A:
  7259. // CERT_STORE_SAVE_TO_FILENAME_W:
  7260. // CERT_STORE_SAVE_TO_FILENAME:
  7261. // Opens the file and saves to it. The filename is passed in pvSaveToPara.
  7262. // The filename is UNICODE for the "_W" option and ASCII for the "_A"
  7263. // option. For "_W": given,
  7264. // LPCWSTR pwszFilename; pvSaveToPara = (void *) pwszFilename;
  7265. // For "_A": given,
  7266. // LPCSTR pszFilename; pvSaveToPara = (void *) pszFilename;
  7267. //
  7268. // Note, the default (without "_A" or "_W") is UNICODE.
  7269. //
  7270. //--------------------------------------------------------------------------
  7271. WINCRYPT32API
  7272. BOOL
  7273. WINAPI
  7274. CertSaveStore(
  7275. IN HCERTSTORE hCertStore,
  7276. IN DWORD dwEncodingType,
  7277. IN DWORD dwSaveAs,
  7278. IN DWORD dwSaveTo,
  7279. IN OUT void *pvSaveToPara,
  7280. IN DWORD dwFlags
  7281. );
  7282. //+-------------------------------------------------------------------------
  7283. // Certificate Store close flags
  7284. //--------------------------------------------------------------------------
  7285. #define CERT_CLOSE_STORE_FORCE_FLAG 0x00000001
  7286. #define CERT_CLOSE_STORE_CHECK_FLAG 0x00000002
  7287. //+-------------------------------------------------------------------------
  7288. // Close a cert store handle.
  7289. //
  7290. // There needs to be a corresponding close for each open and duplicate.
  7291. //
  7292. // Even on the final close, the cert store isn't freed until all of its
  7293. // certificate and CRL contexts have also been freed.
  7294. //
  7295. // On the final close, the hCryptProv passed to CertStoreOpen is
  7296. // CryptReleaseContext'ed.
  7297. //
  7298. // To force the closure of the store with all of its memory freed, set the
  7299. // CERT_STORE_CLOSE_FORCE_FLAG. This flag should be set when the caller does
  7300. // its own reference counting and wants everything to vanish.
  7301. //
  7302. // To check if all the store's certificates and CRLs have been freed and that
  7303. // this is the last CertCloseStore, set the CERT_CLOSE_STORE_CHECK_FLAG. If
  7304. // set and certs, CRLs or stores still need to be freed/closed, FALSE is
  7305. // returned with LastError set to CRYPT_E_PENDING_CLOSE. Note, for FALSE,
  7306. // the store is still closed. This is a diagnostic flag.
  7307. //
  7308. // LastError is preserved unless CERT_CLOSE_STORE_CHECK_FLAG is set and FALSE
  7309. // is returned.
  7310. //--------------------------------------------------------------------------
  7311. WINCRYPT32API
  7312. BOOL
  7313. WINAPI
  7314. CertCloseStore(
  7315. IN HCERTSTORE hCertStore,
  7316. DWORD dwFlags
  7317. );
  7318. //+-------------------------------------------------------------------------
  7319. // Get the subject certificate context uniquely identified by its Issuer and
  7320. // SerialNumber from the store.
  7321. //
  7322. // If the certificate isn't found, NULL is returned. Otherwise, a pointer to
  7323. // a read only CERT_CONTEXT is returned. CERT_CONTEXT must be freed by calling
  7324. // CertFreeCertificateContext. CertDuplicateCertificateContext can be called to make a
  7325. // duplicate.
  7326. //
  7327. // The returned certificate might not be valid. Normally, it would be
  7328. // verified when getting its issuer certificate (CertGetIssuerCertificateFromStore).
  7329. //--------------------------------------------------------------------------
  7330. WINCRYPT32API
  7331. PCCERT_CONTEXT
  7332. WINAPI
  7333. CertGetSubjectCertificateFromStore(
  7334. IN HCERTSTORE hCertStore,
  7335. IN DWORD dwCertEncodingType,
  7336. IN PCERT_INFO pCertId // Only the Issuer and SerialNumber
  7337. // fields are used
  7338. );
  7339. //+-------------------------------------------------------------------------
  7340. // Enumerate the certificate contexts in the store.
  7341. //
  7342. // If a certificate isn't found, NULL is returned.
  7343. // Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
  7344. // must be freed by calling CertFreeCertificateContext or is freed when passed as the
  7345. // pPrevCertContext on a subsequent call. CertDuplicateCertificateContext
  7346. // can be called to make a duplicate.
  7347. //
  7348. // pPrevCertContext MUST BE NULL to enumerate the first
  7349. // certificate in the store. Successive certificates are enumerated by setting
  7350. // pPrevCertContext to the CERT_CONTEXT returned by a previous call.
  7351. //
  7352. // NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by
  7353. // this function, even for an error.
  7354. //--------------------------------------------------------------------------
  7355. WINCRYPT32API
  7356. PCCERT_CONTEXT
  7357. WINAPI
  7358. CertEnumCertificatesInStore(
  7359. IN HCERTSTORE hCertStore,
  7360. IN PCCERT_CONTEXT pPrevCertContext
  7361. );
  7362. //+-------------------------------------------------------------------------
  7363. // Find the first or next certificate context in the store.
  7364. //
  7365. // The certificate is found according to the dwFindType and its pvFindPara.
  7366. // See below for a list of the find types and its parameters.
  7367. //
  7368. // Currently dwFindFlags is only used for CERT_FIND_SUBJECT_ATTR,
  7369. // CERT_FIND_ISSUER_ATTR or CERT_FIND_CTL_USAGE. Otherwise, must be set to 0.
  7370. //
  7371. // Usage of dwCertEncodingType depends on the dwFindType.
  7372. //
  7373. // If the first or next certificate isn't found, NULL is returned.
  7374. // Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
  7375. // must be freed by calling CertFreeCertificateContext or is freed when passed as the
  7376. // pPrevCertContext on a subsequent call. CertDuplicateCertificateContext
  7377. // can be called to make a duplicate.
  7378. //
  7379. // pPrevCertContext MUST BE NULL on the first
  7380. // call to find the certificate. To find the next certificate, the
  7381. // pPrevCertContext is set to the CERT_CONTEXT returned by a previous call.
  7382. //
  7383. // NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by
  7384. // this function, even for an error.
  7385. //--------------------------------------------------------------------------
  7386. WINCRYPT32API
  7387. PCCERT_CONTEXT
  7388. WINAPI
  7389. CertFindCertificateInStore(
  7390. IN HCERTSTORE hCertStore,
  7391. IN DWORD dwCertEncodingType,
  7392. IN DWORD dwFindFlags,
  7393. IN DWORD dwFindType,
  7394. IN const void *pvFindPara,
  7395. IN PCCERT_CONTEXT pPrevCertContext
  7396. );
  7397. //+-------------------------------------------------------------------------
  7398. // Certificate comparison functions
  7399. //--------------------------------------------------------------------------
  7400. #define CERT_COMPARE_MASK 0xFFFF
  7401. #define CERT_COMPARE_SHIFT 16
  7402. #define CERT_COMPARE_ANY 0
  7403. #define CERT_COMPARE_SHA1_HASH 1
  7404. #define CERT_COMPARE_NAME 2
  7405. #define CERT_COMPARE_ATTR 3
  7406. #define CERT_COMPARE_MD5_HASH 4
  7407. #define CERT_COMPARE_PROPERTY 5
  7408. #define CERT_COMPARE_PUBLIC_KEY 6
  7409. #define CERT_COMPARE_HASH CERT_COMPARE_SHA1_HASH
  7410. #define CERT_COMPARE_NAME_STR_A 7
  7411. #define CERT_COMPARE_NAME_STR_W 8
  7412. #define CERT_COMPARE_KEY_SPEC 9
  7413. #define CERT_COMPARE_ENHKEY_USAGE 10
  7414. #define CERT_COMPARE_CTL_USAGE CERT_COMPARE_ENHKEY_USAGE
  7415. #define CERT_COMPARE_SUBJECT_CERT 11
  7416. #define CERT_COMPARE_ISSUER_OF 12
  7417. #define CERT_COMPARE_EXISTING 13
  7418. #define CERT_COMPARE_SIGNATURE_HASH 14
  7419. #define CERT_COMPARE_KEY_IDENTIFIER 15
  7420. #define CERT_COMPARE_CERT_ID 16
  7421. #define CERT_COMPARE_CROSS_CERT_DIST_POINTS 17
  7422. #define CERT_COMPARE_PUBKEY_MD5_HASH 18
  7423. //+-------------------------------------------------------------------------
  7424. // dwFindType
  7425. //
  7426. // The dwFindType definition consists of two components:
  7427. // - comparison function
  7428. // - certificate information flag
  7429. //--------------------------------------------------------------------------
  7430. #define CERT_FIND_ANY (CERT_COMPARE_ANY << CERT_COMPARE_SHIFT)
  7431. #define CERT_FIND_SHA1_HASH (CERT_COMPARE_SHA1_HASH << CERT_COMPARE_SHIFT)
  7432. #define CERT_FIND_MD5_HASH (CERT_COMPARE_MD5_HASH << CERT_COMPARE_SHIFT)
  7433. #define CERT_FIND_SIGNATURE_HASH (CERT_COMPARE_SIGNATURE_HASH << CERT_COMPARE_SHIFT)
  7434. #define CERT_FIND_KEY_IDENTIFIER (CERT_COMPARE_KEY_IDENTIFIER << CERT_COMPARE_SHIFT)
  7435. #define CERT_FIND_HASH CERT_FIND_SHA1_HASH
  7436. #define CERT_FIND_PROPERTY (CERT_COMPARE_PROPERTY << CERT_COMPARE_SHIFT)
  7437. #define CERT_FIND_PUBLIC_KEY (CERT_COMPARE_PUBLIC_KEY << CERT_COMPARE_SHIFT)
  7438. #define CERT_FIND_SUBJECT_NAME (CERT_COMPARE_NAME << CERT_COMPARE_SHIFT | \
  7439. CERT_INFO_SUBJECT_FLAG)
  7440. #define CERT_FIND_SUBJECT_ATTR (CERT_COMPARE_ATTR << CERT_COMPARE_SHIFT | \
  7441. CERT_INFO_SUBJECT_FLAG)
  7442. #define CERT_FIND_ISSUER_NAME (CERT_COMPARE_NAME << CERT_COMPARE_SHIFT | \
  7443. CERT_INFO_ISSUER_FLAG)
  7444. #define CERT_FIND_ISSUER_ATTR (CERT_COMPARE_ATTR << CERT_COMPARE_SHIFT | \
  7445. CERT_INFO_ISSUER_FLAG)
  7446. #define CERT_FIND_SUBJECT_STR_A (CERT_COMPARE_NAME_STR_A << CERT_COMPARE_SHIFT | \
  7447. CERT_INFO_SUBJECT_FLAG)
  7448. #define CERT_FIND_SUBJECT_STR_W (CERT_COMPARE_NAME_STR_W << CERT_COMPARE_SHIFT | \
  7449. CERT_INFO_SUBJECT_FLAG)
  7450. #define CERT_FIND_SUBJECT_STR CERT_FIND_SUBJECT_STR_W
  7451. #define CERT_FIND_ISSUER_STR_A (CERT_COMPARE_NAME_STR_A << CERT_COMPARE_SHIFT | \
  7452. CERT_INFO_ISSUER_FLAG)
  7453. #define CERT_FIND_ISSUER_STR_W (CERT_COMPARE_NAME_STR_W << CERT_COMPARE_SHIFT | \
  7454. CERT_INFO_ISSUER_FLAG)
  7455. #define CERT_FIND_ISSUER_STR CERT_FIND_ISSUER_STR_W
  7456. #define CERT_FIND_KEY_SPEC (CERT_COMPARE_KEY_SPEC << CERT_COMPARE_SHIFT)
  7457. #define CERT_FIND_ENHKEY_USAGE (CERT_COMPARE_ENHKEY_USAGE << CERT_COMPARE_SHIFT)
  7458. #define CERT_FIND_CTL_USAGE CERT_FIND_ENHKEY_USAGE
  7459. #define CERT_FIND_SUBJECT_CERT (CERT_COMPARE_SUBJECT_CERT << CERT_COMPARE_SHIFT)
  7460. #define CERT_FIND_ISSUER_OF (CERT_COMPARE_ISSUER_OF << CERT_COMPARE_SHIFT)
  7461. #define CERT_FIND_EXISTING (CERT_COMPARE_EXISTING << CERT_COMPARE_SHIFT)
  7462. #define CERT_FIND_CERT_ID (CERT_COMPARE_CERT_ID << CERT_COMPARE_SHIFT)
  7463. #define CERT_FIND_CROSS_CERT_DIST_POINTS \
  7464. (CERT_COMPARE_CROSS_CERT_DIST_POINTS << CERT_COMPARE_SHIFT)
  7465. #define CERT_FIND_PUBKEY_MD5_HASH \
  7466. (CERT_COMPARE_PUBKEY_MD5_HASH << CERT_COMPARE_SHIFT)
  7467. //+-------------------------------------------------------------------------
  7468. // CERT_FIND_ANY
  7469. //
  7470. // Find any certificate.
  7471. //
  7472. // pvFindPara isn't used.
  7473. //--------------------------------------------------------------------------
  7474. //+-------------------------------------------------------------------------
  7475. // CERT_FIND_HASH
  7476. //
  7477. // Find a certificate with the specified hash.
  7478. //
  7479. // pvFindPara points to a CRYPT_HASH_BLOB.
  7480. //--------------------------------------------------------------------------
  7481. //+-------------------------------------------------------------------------
  7482. // CERT_FIND_KEY_IDENTIFIER
  7483. //
  7484. // Find a certificate with the specified KeyIdentifier. Gets the
  7485. // CERT_KEY_IDENTIFIER_PROP_ID property and compares with the input
  7486. // CRYPT_HASH_BLOB.
  7487. //
  7488. // pvFindPara points to a CRYPT_HASH_BLOB.
  7489. //--------------------------------------------------------------------------
  7490. //+-------------------------------------------------------------------------
  7491. // CERT_FIND_PROPERTY
  7492. //
  7493. // Find a certificate having the specified property.
  7494. //
  7495. // pvFindPara points to a DWORD containing the PROP_ID
  7496. //--------------------------------------------------------------------------
  7497. //+-------------------------------------------------------------------------
  7498. // CERT_FIND_PUBLIC_KEY
  7499. //
  7500. // Find a certificate matching the specified public key.
  7501. //
  7502. // pvFindPara points to a CERT_PUBLIC_KEY_INFO containing the public key
  7503. //--------------------------------------------------------------------------
  7504. //+-------------------------------------------------------------------------
  7505. // CERT_FIND_SUBJECT_NAME
  7506. // CERT_FIND_ISSUER_NAME
  7507. //
  7508. // Find a certificate with the specified subject/issuer name. Does an exact
  7509. // match of the entire name.
  7510. //
  7511. // Restricts search to certificates matching the dwCertEncodingType.
  7512. //
  7513. // pvFindPara points to a CERT_NAME_BLOB.
  7514. //--------------------------------------------------------------------------
  7515. //+-------------------------------------------------------------------------
  7516. // CERT_FIND_SUBJECT_ATTR
  7517. // CERT_FIND_ISSUER_ATTR
  7518. //
  7519. // Find a certificate with the specified subject/issuer attributes.
  7520. //
  7521. // Compares the attributes in the subject/issuer name with the
  7522. // Relative Distinguished Name's (CERT_RDN) array of attributes specified in
  7523. // pvFindPara. The comparison iterates through the CERT_RDN attributes and looks
  7524. // for an attribute match in any of the subject/issuer's RDNs.
  7525. //
  7526. // The CERT_RDN_ATTR fields can have the following special values:
  7527. // pszObjId == NULL - ignore the attribute object identifier
  7528. // dwValueType == RDN_ANY_TYPE - ignore the value type
  7529. // Value.pbData == NULL - match any value
  7530. //
  7531. // CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG should be set in dwFindFlags to do
  7532. // a case insensitive match. Otherwise, defaults to an exact, case sensitive
  7533. // match.
  7534. //
  7535. // CERT_UNICODE_IS_RDN_ATTRS_FLAG should be set in dwFindFlags if the RDN was
  7536. // initialized with unicode strings as for
  7537. // CryptEncodeObject(X509_UNICODE_NAME).
  7538. //
  7539. // Restricts search to certificates matching the dwCertEncodingType.
  7540. //
  7541. // pvFindPara points to a CERT_RDN (defined in wincert.h).
  7542. //--------------------------------------------------------------------------
  7543. //+-------------------------------------------------------------------------
  7544. // CERT_FIND_SUBJECT_STR_A
  7545. // CERT_FIND_SUBJECT_STR_W | CERT_FIND_SUBJECT_STR
  7546. // CERT_FIND_ISSUER_STR_A
  7547. // CERT_FIND_ISSUER_STR_W | CERT_FIND_ISSUER_STR
  7548. //
  7549. // Find a certificate containing the specified subject/issuer name string.
  7550. //
  7551. // First, the certificate's subject/issuer is converted to a name string
  7552. // via CertNameToStrA/CertNameToStrW(CERT_SIMPLE_NAME_STR). Then, a
  7553. // case insensitive substring within string match is performed.
  7554. //
  7555. // Restricts search to certificates matching the dwCertEncodingType.
  7556. //
  7557. // For *_STR_A, pvFindPara points to a null terminated character string.
  7558. // For *_STR_W, pvFindPara points to a null terminated wide character string.
  7559. //--------------------------------------------------------------------------
  7560. //+-------------------------------------------------------------------------
  7561. // CERT_FIND_KEY_SPEC
  7562. //
  7563. // Find a certificate having a CERT_KEY_SPEC_PROP_ID property matching
  7564. // the specified KeySpec.
  7565. //
  7566. // pvFindPara points to a DWORD containing the KeySpec.
  7567. //--------------------------------------------------------------------------
  7568. //+-------------------------------------------------------------------------
  7569. // CERT_FIND_ENHKEY_USAGE
  7570. //
  7571. // Find a certificate having the szOID_ENHANCED_KEY_USAGE extension or
  7572. // the CERT_ENHKEY_USAGE_PROP_ID and matching the specified pszUsageIdentifers.
  7573. //
  7574. // pvFindPara points to a CERT_ENHKEY_USAGE data structure. If pvFindPara
  7575. // is NULL or CERT_ENHKEY_USAGE's cUsageIdentifier is 0, then, matches any
  7576. // certificate having enhanced key usage.
  7577. //
  7578. // If the CERT_FIND_VALID_ENHKEY_USAGE_FLAG is set, then, only does a match
  7579. // for certificates that are valid for the specified usages. By default,
  7580. // the ceriticate must be valid for all usages. CERT_FIND_OR_ENHKEY_USAGE_FLAG
  7581. // can be set, if the certificate only needs to be valid for one of the
  7582. // specified usages. Note, CertGetValidUsages() is called to get the
  7583. // certificate's list of valid usages. Only the CERT_FIND_OR_ENHKEY_USAGE_FLAG
  7584. // is applicable when this flag is set.
  7585. //
  7586. // The CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG can be set in dwFindFlags to
  7587. // also match a certificate without either the extension or property.
  7588. //
  7589. // If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set in dwFindFlags, finds
  7590. // certificates without the key usage extension or property. Setting this
  7591. // flag takes precedence over pvFindPara being NULL.
  7592. //
  7593. // If the CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, then, only does a match
  7594. // using the extension. If pvFindPara is NULL or cUsageIdentifier is set to
  7595. // 0, finds certificates having the extension. If
  7596. // CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set, also matches a certificate
  7597. // without the extension. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set, finds
  7598. // certificates without the extension.
  7599. //
  7600. // If the CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG is set, then, only does a match
  7601. // using the property. If pvFindPara is NULL or cUsageIdentifier is set to
  7602. // 0, finds certificates having the property. If
  7603. // CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set, also matches a certificate
  7604. // without the property. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set, finds
  7605. // certificates without the property.
  7606. //
  7607. // If CERT_FIND_OR_ENHKEY_USAGE_FLAG is set, does an "OR" match of any of
  7608. // the specified pszUsageIdentifiers. If not set, then, does an "AND" match
  7609. // of all of the specified pszUsageIdentifiers.
  7610. //--------------------------------------------------------------------------
  7611. #define CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG 0x1
  7612. #define CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG 0x2
  7613. #define CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG 0x4
  7614. #define CERT_FIND_NO_ENHKEY_USAGE_FLAG 0x8
  7615. #define CERT_FIND_OR_ENHKEY_USAGE_FLAG 0x10
  7616. #define CERT_FIND_VALID_ENHKEY_USAGE_FLAG 0x20
  7617. #define CERT_FIND_OPTIONAL_CTL_USAGE_FLAG CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG
  7618. #define CERT_FIND_EXT_ONLY_CTL_USAGE_FLAG \
  7619. CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG
  7620. #define CERT_FIND_PROP_ONLY_CTL_USAGE_FLAG \
  7621. CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG
  7622. #define CERT_FIND_NO_CTL_USAGE_FLAG CERT_FIND_NO_ENHKEY_USAGE_FLAG
  7623. #define CERT_FIND_OR_CTL_USAGE_FLAG CERT_FIND_OR_ENHKEY_USAGE_FLAG
  7624. #define CERT_FIND_VALID_CTL_USAGE_FLAG CERT_FIND_VALID_ENHKEY_USAGE_FLAG
  7625. //+-------------------------------------------------------------------------
  7626. // CERT_FIND_CERT_ID
  7627. //
  7628. // Find a certificate with the specified CERT_ID.
  7629. //
  7630. // pvFindPara points to a CERT_ID.
  7631. //--------------------------------------------------------------------------
  7632. //+-------------------------------------------------------------------------
  7633. // CERT_FIND_CROSS_CERT_DIST_POINTS
  7634. //
  7635. // Find a certificate having either a cross certificate distribution
  7636. // point extension or property.
  7637. //
  7638. // pvFindPara isn't used.
  7639. //--------------------------------------------------------------------------
  7640. //+-------------------------------------------------------------------------
  7641. // Get the certificate context from the store for the first or next issuer
  7642. // of the specified subject certificate. Perform the enabled
  7643. // verification checks on the subject. (Note, the checks are on the subject
  7644. // using the returned issuer certificate.)
  7645. //
  7646. // If the first or next issuer certificate isn't found, NULL is returned.
  7647. // Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
  7648. // must be freed by calling CertFreeCertificateContext or is freed when passed as the
  7649. // pPrevIssuerContext on a subsequent call. CertDuplicateCertificateContext
  7650. // can be called to make a duplicate.
  7651. //
  7652. // For a self signed subject certificate, NULL is returned with LastError set
  7653. // to CERT_STORE_SELF_SIGNED. The enabled verification checks are still done.
  7654. //
  7655. // The pSubjectContext may have been obtained from this store, another store
  7656. // or created by the caller application. When created by the caller, the
  7657. // CertCreateCertificateContext function must have been called.
  7658. //
  7659. // An issuer may have multiple certificates. This may occur when the validity
  7660. // period is about to change. pPrevIssuerContext MUST BE NULL on the first
  7661. // call to get the issuer. To get the next certificate for the issuer, the
  7662. // pPrevIssuerContext is set to the CERT_CONTEXT returned by a previous call.
  7663. //
  7664. // NOTE: a NON-NULL pPrevIssuerContext is always CertFreeCertificateContext'ed by
  7665. // this function, even for an error.
  7666. //
  7667. // The following flags can be set in *pdwFlags to enable verification checks
  7668. // on the subject certificate context:
  7669. // CERT_STORE_SIGNATURE_FLAG - use the public key in the returned
  7670. // issuer certificate to verify the
  7671. // signature on the subject certificate.
  7672. // Note, if pSubjectContext->hCertStore ==
  7673. // hCertStore, the store provider might
  7674. // be able to eliminate a redo of
  7675. // the signature verify.
  7676. // CERT_STORE_TIME_VALIDITY_FLAG - get the current time and verify that
  7677. // its within the subject certificate's
  7678. // validity period
  7679. // CERT_STORE_REVOCATION_FLAG - check if the subject certificate is on
  7680. // the issuer's revocation list
  7681. //
  7682. // If an enabled verification check fails, then, its flag is set upon return.
  7683. // If CERT_STORE_REVOCATION_FLAG was enabled and the issuer doesn't have a
  7684. // CRL in the store, then, CERT_STORE_NO_CRL_FLAG is set in addition to
  7685. // the CERT_STORE_REVOCATION_FLAG.
  7686. //
  7687. // If CERT_STORE_SIGNATURE_FLAG or CERT_STORE_REVOCATION_FLAG is set, then,
  7688. // CERT_STORE_NO_ISSUER_FLAG is set if it doesn't have an issuer certificate
  7689. // in the store.
  7690. //
  7691. // For a verification check failure, a pointer to the issuer's CERT_CONTEXT
  7692. // is still returned and SetLastError isn't updated.
  7693. //--------------------------------------------------------------------------
  7694. WINCRYPT32API
  7695. PCCERT_CONTEXT
  7696. WINAPI
  7697. CertGetIssuerCertificateFromStore(
  7698. IN HCERTSTORE hCertStore,
  7699. IN PCCERT_CONTEXT pSubjectContext,
  7700. IN OPTIONAL PCCERT_CONTEXT pPrevIssuerContext,
  7701. IN OUT DWORD *pdwFlags
  7702. );
  7703. //+-------------------------------------------------------------------------
  7704. // Perform the enabled verification checks on the subject certificate
  7705. // using the issuer. Same checks and flags definitions as for the above
  7706. // CertGetIssuerCertificateFromStore.
  7707. //
  7708. // If you are only checking CERT_STORE_TIME_VALIDITY_FLAG, then, the
  7709. // issuer can be NULL.
  7710. //
  7711. // For a verification check failure, SUCCESS is still returned.
  7712. //--------------------------------------------------------------------------
  7713. WINCRYPT32API
  7714. BOOL
  7715. WINAPI
  7716. CertVerifySubjectCertificateContext(
  7717. IN PCCERT_CONTEXT pSubject,
  7718. IN OPTIONAL PCCERT_CONTEXT pIssuer,
  7719. IN OUT DWORD *pdwFlags
  7720. );
  7721. //+-------------------------------------------------------------------------
  7722. // Duplicate a certificate context
  7723. //--------------------------------------------------------------------------
  7724. WINCRYPT32API
  7725. PCCERT_CONTEXT
  7726. WINAPI
  7727. CertDuplicateCertificateContext(
  7728. IN PCCERT_CONTEXT pCertContext
  7729. );
  7730. //+-------------------------------------------------------------------------
  7731. // Create a certificate context from the encoded certificate. The created
  7732. // context isn't put in a store.
  7733. //
  7734. // Makes a copy of the encoded certificate in the created context.
  7735. //
  7736. // If unable to decode and create the certificate context, NULL is returned.
  7737. // Otherwise, a pointer to a read only CERT_CONTEXT is returned.
  7738. // CERT_CONTEXT must be freed by calling CertFreeCertificateContext.
  7739. // CertDuplicateCertificateContext can be called to make a duplicate.
  7740. //
  7741. // CertSetCertificateContextProperty and CertGetCertificateContextProperty can be called
  7742. // to store properties for the certificate.
  7743. //--------------------------------------------------------------------------
  7744. WINCRYPT32API
  7745. PCCERT_CONTEXT
  7746. WINAPI
  7747. CertCreateCertificateContext(
  7748. IN DWORD dwCertEncodingType,
  7749. IN const BYTE *pbCertEncoded,
  7750. IN DWORD cbCertEncoded
  7751. );
  7752. //+-------------------------------------------------------------------------
  7753. // Free a certificate context
  7754. //
  7755. // There needs to be a corresponding free for each context obtained by a
  7756. // get, find, duplicate or create.
  7757. //--------------------------------------------------------------------------
  7758. WINCRYPT32API
  7759. BOOL
  7760. WINAPI
  7761. CertFreeCertificateContext(
  7762. IN PCCERT_CONTEXT pCertContext
  7763. );
  7764. //+-------------------------------------------------------------------------
  7765. // Set the property for the specified certificate context.
  7766. //
  7767. // The type definition for pvData depends on the dwPropId value. There are
  7768. // five predefined types:
  7769. // CERT_KEY_PROV_HANDLE_PROP_ID - a HCRYPTPROV for the certificate's
  7770. // private key is passed in pvData. Updates the hCryptProv field
  7771. // of the CERT_KEY_CONTEXT_PROP_ID. If the CERT_KEY_CONTEXT_PROP_ID
  7772. // doesn't exist, its created with all the other fields zeroed out. If
  7773. // CERT_STORE_NO_CRYPT_RELEASE_FLAG isn't set, HCRYPTPROV is implicitly
  7774. // released when either the property is set to NULL or on the final
  7775. // free of the CertContext.
  7776. //
  7777. // CERT_KEY_PROV_INFO_PROP_ID - a PCRYPT_KEY_PROV_INFO for the certificate's
  7778. // private key is passed in pvData.
  7779. //
  7780. // CERT_SHA1_HASH_PROP_ID -
  7781. // CERT_MD5_HASH_PROP_ID -
  7782. // CERT_SIGNATURE_HASH_PROP_ID - normally, a hash property is implicitly
  7783. // set by doing a CertGetCertificateContextProperty. pvData points to a
  7784. // CRYPT_HASH_BLOB.
  7785. //
  7786. // CERT_KEY_CONTEXT_PROP_ID - a PCERT_KEY_CONTEXT for the certificate's
  7787. // private key is passed in pvData. The CERT_KEY_CONTEXT contains both the
  7788. // hCryptProv and dwKeySpec for the private key.
  7789. // See the CERT_KEY_PROV_HANDLE_PROP_ID for more information about
  7790. // the hCryptProv field and dwFlags settings. Note, more fields may
  7791. // be added for this property. The cbSize field value will be adjusted
  7792. // accordingly.
  7793. //
  7794. // CERT_KEY_SPEC_PROP_ID - the dwKeySpec for the private key. pvData
  7795. // points to a DWORD containing the KeySpec
  7796. //
  7797. // CERT_ENHKEY_USAGE_PROP_ID - enhanced key usage definition for the
  7798. // certificate. pvData points to a CRYPT_DATA_BLOB containing an
  7799. // ASN.1 encoded CERT_ENHKEY_USAGE (encoded via
  7800. // CryptEncodeObject(X509_ENHANCED_KEY_USAGE).
  7801. //
  7802. // CERT_NEXT_UPDATE_LOCATION_PROP_ID - location of the next update.
  7803. // Currently only applicable to CTLs. pvData points to a CRYPT_DATA_BLOB
  7804. // containing an ASN.1 encoded CERT_ALT_NAME_INFO (encoded via
  7805. // CryptEncodeObject(X509_ALTERNATE_NAME)).
  7806. //
  7807. // CERT_FRIENDLY_NAME_PROP_ID - friendly name for the cert, CRL or CTL.
  7808. // pvData points to a CRYPT_DATA_BLOB. pbData is a pointer to a NULL
  7809. // terminated unicode, wide character string.
  7810. // cbData = (wcslen((LPWSTR) pbData) + 1) * sizeof(WCHAR).
  7811. //
  7812. // CERT_DESCRIPTION_PROP_ID - description for the cert, CRL or CTL.
  7813. // pvData points to a CRYPT_DATA_BLOB. pbData is a pointer to a NULL
  7814. // terminated unicode, wide character string.
  7815. // cbData = (wcslen((LPWSTR) pbData) + 1) * sizeof(WCHAR).
  7816. //
  7817. // CERT_ARCHIVED_PROP_ID - when this property is set, the certificate
  7818. // is skipped during enumeration. Note, certificates having this property
  7819. // are still found for explicit finds, such as, finding a certificate
  7820. // with a specific hash or finding a certificate having a specific issuer
  7821. // and serial number. pvData points to a CRYPT_DATA_BLOB. This blob
  7822. // can be NULL (pbData = NULL, cbData = 0).
  7823. //
  7824. // CERT_PUBKEY_ALG_PARA_PROP_ID - for public keys supporting
  7825. // algorithm parameter inheritance. pvData points to a CRYPT_OBJID_BLOB
  7826. // containing the ASN.1 encoded PublicKey Algorithm Parameters. For
  7827. // DSS this would be the parameters encoded via
  7828. // CryptEncodeObject(X509_DSS_PARAMETERS). This property may be set
  7829. // by CryptVerifyCertificateSignatureEx().
  7830. //
  7831. // CERT_CROSS_CERT_DIST_POINTS_PROP_ID - location of the cross certs.
  7832. // Currently only applicable to certs. pvData points to a CRYPT_DATA_BLOB
  7833. // containing an ASN.1 encoded CROSS_CERT_DIST_POINTS_INFO (encoded via
  7834. // CryptEncodeObject(X509_CROSS_CERT_DIST_POINTS)).
  7835. //
  7836. // CERT_ENROLLMENT_PROP_ID - enrollment information of the pending request.
  7837. // It contains RequestID, CADNSName, CAName, and FriendlyName.
  7838. // The data format is defined as, the first 4 bytes - pending request ID,
  7839. // next 4 bytes - CADNSName size in characters including null-terminator
  7840. // followed by CADNSName string with null-terminator,
  7841. // next 4 bytes - CAName size in characters including null-terminator
  7842. // followed by CAName string with null-terminator,
  7843. // next 4 bytes - FriendlyName size in characters including null-terminator
  7844. // followed by FriendlyName string with null-terminator.
  7845. //
  7846. // CERT_DATE_STAMP_PROP_ID - contains the time when added to the store
  7847. // by an admin tool. pvData points to a CRYPT_DATA_BLOB containing
  7848. // the FILETIME.
  7849. //
  7850. // CERT_RENEWAL_PROP_ID - contains the hash of renewed certificate
  7851. //
  7852. // For all the other PROP_IDs: an encoded PCRYPT_DATA_BLOB is passed in pvData.
  7853. //
  7854. // If the property already exists, then, the old value is deleted and silently
  7855. // replaced. Setting, pvData to NULL, deletes the property.
  7856. //
  7857. // CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG can be set to ignore any
  7858. // provider write errors and always update the cached context's property.
  7859. //--------------------------------------------------------------------------
  7860. WINCRYPT32API
  7861. BOOL
  7862. WINAPI
  7863. CertSetCertificateContextProperty(
  7864. IN PCCERT_CONTEXT pCertContext,
  7865. IN DWORD dwPropId,
  7866. IN DWORD dwFlags,
  7867. IN const void *pvData
  7868. );
  7869. // Set this flag to ignore any store provider write errors and always update
  7870. // the cached context's property
  7871. #define CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG 0x80000000
  7872. // Set this flag to inhibit the persisting of this property
  7873. #define CERT_SET_PROPERTY_INHIBIT_PERSIST_FLAG 0x40000000
  7874. //+-------------------------------------------------------------------------
  7875. // Get the property for the specified certificate context.
  7876. //
  7877. // For CERT_KEY_PROV_HANDLE_PROP_ID, pvData points to a HCRYPTPROV.
  7878. //
  7879. // For CERT_KEY_PROV_INFO_PROP_ID, pvData points to a CRYPT_KEY_PROV_INFO structure.
  7880. // Elements pointed to by fields in the pvData structure follow the
  7881. // structure. Therefore, *pcbData may exceed the size of the structure.
  7882. //
  7883. // For CERT_KEY_CONTEXT_PROP_ID, pvData points to a CERT_KEY_CONTEXT structure.
  7884. //
  7885. // For CERT_KEY_SPEC_PROP_ID, pvData points to a DWORD containing the KeySpec.
  7886. // If the CERT_KEY_CONTEXT_PROP_ID exists, the KeySpec is obtained from there.
  7887. // Otherwise, if the CERT_KEY_PROV_INFO_PROP_ID exists, its the source
  7888. // of the KeySpec.
  7889. //
  7890. // For CERT_SHA1_HASH_PROP_ID or CERT_MD5_HASH_PROP_ID, if the hash
  7891. // doesn't already exist, then, its computed via CryptHashCertificate()
  7892. // and then set. pvData points to the computed hash. Normally, the length
  7893. // is 20 bytes for SHA and 16 for MD5.
  7894. //
  7895. // For CERT_SIGNATURE_HASH_PROP_ID, if the hash
  7896. // doesn't already exist, then, its computed via CryptHashToBeSigned()
  7897. // and then set. pvData points to the computed hash. Normally, the length
  7898. // is 20 bytes for SHA and 16 for MD5.
  7899. //
  7900. // For CERT_ACCESS_STATE_PROP_ID, pvData points to a DWORD containing the
  7901. // access state flags. The appropriate CERT_ACCESS_STATE_*_FLAG's are set
  7902. // in the returned DWORD. See the CERT_ACCESS_STATE_*_FLAG definitions
  7903. // above. Note, this property is read only. It can't be set.
  7904. //
  7905. // For CERT_KEY_IDENTIFIER_PROP_ID, if property doesn't already exist,
  7906. // first searches for the szOID_SUBJECT_KEY_IDENTIFIER extension. Next,
  7907. // does SHA1 hash of the certficate's SubjectPublicKeyInfo. pvData
  7908. // points to the key identifier bytes. Normally, the length is 20 bytes.
  7909. //
  7910. // For CERT_PUBKEY_ALG_PARA_PROP_ID, pvPara points to the ASN.1 encoded
  7911. // PublicKey Algorithm Parameters. This property will only be set
  7912. // for public keys supporting algorithm parameter inheritance and when the
  7913. // parameters have been omitted from the encoded and signed certificate.
  7914. //
  7915. // For CERT_DATE_STAMP_PROP_ID, pvPara points to a FILETIME updated by
  7916. // an admin tool to indicate when the certificate was added to the store.
  7917. //
  7918. // For all other PROP_IDs, pvData points to an encoded array of bytes.
  7919. //--------------------------------------------------------------------------
  7920. WINCRYPT32API
  7921. BOOL
  7922. WINAPI
  7923. CertGetCertificateContextProperty(
  7924. IN PCCERT_CONTEXT pCertContext,
  7925. IN DWORD dwPropId,
  7926. OUT void *pvData,
  7927. IN OUT DWORD *pcbData
  7928. );
  7929. //+-------------------------------------------------------------------------
  7930. // Enumerate the properties for the specified certificate context.
  7931. //
  7932. // To get the first property, set dwPropId to 0. The ID of the first
  7933. // property is returned. To get the next property, set dwPropId to the
  7934. // ID returned by the last call. To enumerate all the properties continue
  7935. // until 0 is returned.
  7936. //
  7937. // CertGetCertificateContextProperty is called to get the property's data.
  7938. //
  7939. // Note, since, the CERT_KEY_PROV_HANDLE_PROP_ID and CERT_KEY_SPEC_PROP_ID
  7940. // properties are stored as fields in the CERT_KEY_CONTEXT_PROP_ID
  7941. // property, they aren't enumerated individually.
  7942. //--------------------------------------------------------------------------
  7943. WINCRYPT32API
  7944. DWORD
  7945. WINAPI
  7946. CertEnumCertificateContextProperties(
  7947. IN PCCERT_CONTEXT pCertContext,
  7948. IN DWORD dwPropId
  7949. );
  7950. //+-------------------------------------------------------------------------
  7951. // Creates a CTL entry whose attributes are the certificate context's
  7952. // properties.
  7953. //
  7954. // The SubjectIdentifier in the CTL entry is the SHA1 hash of the certificate.
  7955. //
  7956. // The certificate properties are added as attributes. The property attribute
  7957. // OID is the decimal PROP_ID preceded by szOID_CERT_PROP_ID_PREFIX. Each
  7958. // property value is copied as a single attribute value.
  7959. //
  7960. // Any additional attributes to be included in the CTL entry can be passed
  7961. // in via the cOptAttr and rgOptAttr parameters.
  7962. //
  7963. // CTL_ENTRY_FROM_PROP_CHAIN_FLAG can be set in dwFlags, to force the
  7964. // inclusion of the chain building hash properties as attributes.
  7965. //--------------------------------------------------------------------------
  7966. WINCRYPT32API
  7967. BOOL
  7968. WINAPI
  7969. CertCreateCTLEntryFromCertificateContextProperties(
  7970. IN PCCERT_CONTEXT pCertContext,
  7971. IN DWORD cOptAttr,
  7972. IN OPTIONAL PCRYPT_ATTRIBUTE rgOptAttr,
  7973. IN DWORD dwFlags,
  7974. IN OPTIONAL void *pvReserved,
  7975. OUT OPTIONAL PCTL_ENTRY pCtlEntry,
  7976. IN OUT DWORD *pcbCtlEntry
  7977. );
  7978. // Set this flag to get and include the chain building hash properties
  7979. // as attributes in the CTL entry
  7980. #define CTL_ENTRY_FROM_PROP_CHAIN_FLAG 0x1
  7981. //+-------------------------------------------------------------------------
  7982. // Sets properties on the certificate context using the attributes in
  7983. // the CTL entry.
  7984. //
  7985. // The property attribute OID is the decimal PROP_ID preceded by
  7986. // szOID_CERT_PROP_ID_PREFIX. Only attributes containing such an OID are
  7987. // copied.
  7988. //
  7989. // CERT_SET_PROPERTY_IGNORE_PERSIST_ERROR_FLAG may be set in dwFlags.
  7990. //--------------------------------------------------------------------------
  7991. WINCRYPT32API
  7992. BOOL
  7993. WINAPI
  7994. CertSetCertificateContextPropertiesFromCTLEntry(
  7995. IN PCCERT_CONTEXT pCertContext,
  7996. IN PCTL_ENTRY pCtlEntry,
  7997. IN DWORD dwFlags
  7998. );
  7999. //+-------------------------------------------------------------------------
  8000. // Get the first or next CRL context from the store for the specified
  8001. // issuer certificate. Perform the enabled verification checks on the CRL.
  8002. //
  8003. // If the first or next CRL isn't found, NULL is returned.
  8004. // Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
  8005. // must be freed by calling CertFreeCRLContext. However, the free must be
  8006. // pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
  8007. // can be called to make a duplicate.
  8008. //
  8009. // The pIssuerContext may have been obtained from this store, another store
  8010. // or created by the caller application. When created by the caller, the
  8011. // CertCreateCertificateContext function must have been called.
  8012. //
  8013. // If pIssuerContext == NULL, finds all the CRLs in the store.
  8014. //
  8015. // An issuer may have multiple CRLs. For example, it generates delta CRLs
  8016. // using a X.509 v3 extension. pPrevCrlContext MUST BE NULL on the first
  8017. // call to get the CRL. To get the next CRL for the issuer, the
  8018. // pPrevCrlContext is set to the CRL_CONTEXT returned by a previous call.
  8019. //
  8020. // NOTE: a NON-NULL pPrevCrlContext is always CertFreeCRLContext'ed by
  8021. // this function, even for an error.
  8022. //
  8023. // The following flags can be set in *pdwFlags to enable verification checks
  8024. // on the returned CRL:
  8025. // CERT_STORE_SIGNATURE_FLAG - use the public key in the
  8026. // issuer's certificate to verify the
  8027. // signature on the returned CRL.
  8028. // Note, if pIssuerContext->hCertStore ==
  8029. // hCertStore, the store provider might
  8030. // be able to eliminate a redo of
  8031. // the signature verify.
  8032. // CERT_STORE_TIME_VALIDITY_FLAG - get the current time and verify that
  8033. // its within the CRL's ThisUpdate and
  8034. // NextUpdate validity period.
  8035. // CERT_STORE_BASE_CRL_FLAG - get base CRL.
  8036. // CERT_STORE_DELTA_CRL_FLAG - get delta CRL.
  8037. //
  8038. // If only one of CERT_STORE_BASE_CRL_FLAG or CERT_STORE_DELTA_CRL_FLAG is
  8039. // set, then, only returns either a base or delta CRL. In any case, the
  8040. // appropriate base or delta flag will be cleared upon returned. If both
  8041. // flags are set, then, only one of flags will be cleared.
  8042. //
  8043. // If an enabled verification check fails, then, its flag is set upon return.
  8044. //
  8045. // If pIssuerContext == NULL, then, an enabled CERT_STORE_SIGNATURE_FLAG
  8046. // always fails and the CERT_STORE_NO_ISSUER_FLAG is also set.
  8047. //
  8048. // For a verification check failure, a pointer to the first or next
  8049. // CRL_CONTEXT is still returned and SetLastError isn't updated.
  8050. //--------------------------------------------------------------------------
  8051. WINCRYPT32API
  8052. PCCRL_CONTEXT
  8053. WINAPI
  8054. CertGetCRLFromStore(
  8055. IN HCERTSTORE hCertStore,
  8056. IN OPTIONAL PCCERT_CONTEXT pIssuerContext,
  8057. IN PCCRL_CONTEXT pPrevCrlContext,
  8058. IN OUT DWORD *pdwFlags
  8059. );
  8060. //+-------------------------------------------------------------------------
  8061. // Enumerate the CRL contexts in the store.
  8062. //
  8063. // If a CRL isn't found, NULL is returned.
  8064. // Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
  8065. // must be freed by calling CertFreeCRLContext or is freed when passed as the
  8066. // pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
  8067. // can be called to make a duplicate.
  8068. //
  8069. // pPrevCrlContext MUST BE NULL to enumerate the first
  8070. // CRL in the store. Successive CRLs are enumerated by setting
  8071. // pPrevCrlContext to the CRL_CONTEXT returned by a previous call.
  8072. //
  8073. // NOTE: a NON-NULL pPrevCrlContext is always CertFreeCRLContext'ed by
  8074. // this function, even for an error.
  8075. //--------------------------------------------------------------------------
  8076. WINCRYPT32API
  8077. PCCRL_CONTEXT
  8078. WINAPI
  8079. CertEnumCRLsInStore(
  8080. IN HCERTSTORE hCertStore,
  8081. IN PCCRL_CONTEXT pPrevCrlContext
  8082. );
  8083. //+-------------------------------------------------------------------------
  8084. // Find the first or next CRL context in the store.
  8085. //
  8086. // The CRL is found according to the dwFindType and its pvFindPara.
  8087. // See below for a list of the find types and its parameters.
  8088. //
  8089. // Currently dwFindFlags isn't used and must be set to 0.
  8090. //
  8091. // Usage of dwCertEncodingType depends on the dwFindType.
  8092. //
  8093. // If the first or next CRL isn't found, NULL is returned.
  8094. // Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
  8095. // must be freed by calling CertFreeCRLContext or is freed when passed as the
  8096. // pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
  8097. // can be called to make a duplicate.
  8098. //
  8099. // pPrevCrlContext MUST BE NULL on the first
  8100. // call to find the CRL. To find the next CRL, the
  8101. // pPrevCrlContext is set to the CRL_CONTEXT returned by a previous call.
  8102. //
  8103. // NOTE: a NON-NULL pPrevCrlContext is always CertFreeCRLContext'ed by
  8104. // this function, even for an error.
  8105. //--------------------------------------------------------------------------
  8106. WINCRYPT32API
  8107. PCCRL_CONTEXT
  8108. WINAPI
  8109. CertFindCRLInStore(
  8110. IN HCERTSTORE hCertStore,
  8111. IN DWORD dwCertEncodingType,
  8112. IN DWORD dwFindFlags,
  8113. IN DWORD dwFindType,
  8114. IN const void *pvFindPara,
  8115. IN PCCRL_CONTEXT pPrevCrlContext
  8116. );
  8117. #define CRL_FIND_ANY 0
  8118. #define CRL_FIND_ISSUED_BY 1
  8119. #define CRL_FIND_EXISTING 2
  8120. #define CRL_FIND_ISSUED_FOR 3
  8121. //+-------------------------------------------------------------------------
  8122. // CRL_FIND_ANY
  8123. //
  8124. // Find any CRL.
  8125. //
  8126. // pvFindPara isn't used.
  8127. //--------------------------------------------------------------------------
  8128. //+-------------------------------------------------------------------------
  8129. // CRL_FIND_ISSUED_BY
  8130. //
  8131. // Find CRL matching the specified issuer.
  8132. //
  8133. // pvFindPara is the PCCERT_CONTEXT of the CRL issuer. May be NULL to
  8134. // match any issuer.
  8135. //
  8136. // By default, only does issuer name matching. The following flags can be
  8137. // set in dwFindFlags to do additional filtering.
  8138. //
  8139. // If CRL_FIND_ISSUED_BY_AKI_FLAG is set in dwFindFlags, then, checks if the
  8140. // CRL has an Authority Key Identifier (AKI) extension. If the CRL has an
  8141. // AKI, then, only returns a CRL whose AKI matches the issuer.
  8142. //
  8143. // Note, the AKI extension has the following OID:
  8144. // szOID_AUTHORITY_KEY_IDENTIFIER2 and its corresponding data structure.
  8145. //
  8146. // If CRL_FIND_ISSUED_BY_SIGNATURE_FLAG is set in dwFindFlags, then,
  8147. // uses the public key in the issuer's certificate to verify the
  8148. // signature on the CRL. Only returns a CRL having a valid signature.
  8149. //
  8150. // If CRL_FIND_ISSUED_BY_DELTA_FLAG is set in dwFindFlags, then, only
  8151. // returns a delta CRL.
  8152. //
  8153. // If CRL_FIND_ISSUED_BY_BASE_FLAG is set in dwFindFlags, then, only
  8154. // returns a base CRL.
  8155. //--------------------------------------------------------------------------
  8156. #define CRL_FIND_ISSUED_BY_AKI_FLAG 0x1
  8157. #define CRL_FIND_ISSUED_BY_SIGNATURE_FLAG 0x2
  8158. #define CRL_FIND_ISSUED_BY_DELTA_FLAG 0x4
  8159. #define CRL_FIND_ISSUED_BY_BASE_FLAG 0x8
  8160. //+-------------------------------------------------------------------------
  8161. // CRL_FIND_EXISTING
  8162. //
  8163. // Find existing CRL in the store.
  8164. //
  8165. // pvFindPara is the PCCRL_CONTEXT of the CRL to check if it already
  8166. // exists in the store.
  8167. //--------------------------------------------------------------------------
  8168. //+-------------------------------------------------------------------------
  8169. // CRL_FIND_ISSUED_FOR
  8170. //
  8171. // Find CRL for the specified subject and its issuer.
  8172. //
  8173. // pvFindPara points to the following CRL_FIND_ISSUED_FOR_PARA which contains
  8174. // both the subject and issuer certificates. Not optional.
  8175. //
  8176. // The subject's issuer name is used to match the CRL's issuer name. Otherwise,
  8177. // the issuer's certificate is used the same as in the above
  8178. // CRL_FIND_ISSUED_BY.
  8179. //
  8180. // Note, when cross certificates are used, the subject name in the issuer's
  8181. // certificate may not match the issuer name in the subject certificate and
  8182. // its corresponding CRL.
  8183. //
  8184. // All of the above CRL_FIND_ISSUED_BY_*_FLAGS apply to this find type.
  8185. //--------------------------------------------------------------------------
  8186. typedef struct _CRL_FIND_ISSUED_FOR_PARA {
  8187. PCCERT_CONTEXT pSubjectCert;
  8188. PCCERT_CONTEXT pIssuerCert;
  8189. } CRL_FIND_ISSUED_FOR_PARA, *PCRL_FIND_ISSUED_FOR_PARA;
  8190. //+-------------------------------------------------------------------------
  8191. // Duplicate a CRL context
  8192. //--------------------------------------------------------------------------
  8193. WINCRYPT32API
  8194. PCCRL_CONTEXT
  8195. WINAPI
  8196. CertDuplicateCRLContext(
  8197. IN PCCRL_CONTEXT pCrlContext
  8198. );
  8199. //+-------------------------------------------------------------------------
  8200. // Create a CRL context from the encoded CRL. The created
  8201. // context isn't put in a store.
  8202. //
  8203. // Makes a copy of the encoded CRL in the created context.
  8204. //
  8205. // If unable to decode and create the CRL context, NULL is returned.
  8206. // Otherwise, a pointer to a read only CRL_CONTEXT is returned.
  8207. // CRL_CONTEXT must be freed by calling CertFreeCRLContext.
  8208. // CertDuplicateCRLContext can be called to make a duplicate.
  8209. //
  8210. // CertSetCRLContextProperty and CertGetCRLContextProperty can be called
  8211. // to store properties for the CRL.
  8212. //--------------------------------------------------------------------------
  8213. WINCRYPT32API
  8214. PCCRL_CONTEXT
  8215. WINAPI
  8216. CertCreateCRLContext(
  8217. IN DWORD dwCertEncodingType,
  8218. IN const BYTE *pbCrlEncoded,
  8219. IN DWORD cbCrlEncoded
  8220. );
  8221. //+-------------------------------------------------------------------------
  8222. // Free a CRL context
  8223. //
  8224. // There needs to be a corresponding free for each context obtained by a
  8225. // get, duplicate or create.
  8226. //--------------------------------------------------------------------------
  8227. WINCRYPT32API
  8228. BOOL
  8229. WINAPI
  8230. CertFreeCRLContext(
  8231. IN PCCRL_CONTEXT pCrlContext
  8232. );
  8233. //+-------------------------------------------------------------------------
  8234. // Set the property for the specified CRL context.
  8235. //
  8236. // Same Property Ids and semantics as CertSetCertificateContextProperty.
  8237. //--------------------------------------------------------------------------
  8238. WINCRYPT32API
  8239. BOOL
  8240. WINAPI
  8241. CertSetCRLContextProperty(
  8242. IN PCCRL_CONTEXT pCrlContext,
  8243. IN DWORD dwPropId,
  8244. IN DWORD dwFlags,
  8245. IN const void *pvData
  8246. );
  8247. //+-------------------------------------------------------------------------
  8248. // Get the property for the specified CRL context.
  8249. //
  8250. // Same Property Ids and semantics as CertGetCertificateContextProperty.
  8251. //
  8252. // CERT_SHA1_HASH_PROP_ID, CERT_MD5_HASH_PROP_ID or
  8253. // CERT_SIGNATURE_HASH_PROP_ID is the predefined property of most interest.
  8254. //--------------------------------------------------------------------------
  8255. WINCRYPT32API
  8256. BOOL
  8257. WINAPI
  8258. CertGetCRLContextProperty(
  8259. IN PCCRL_CONTEXT pCrlContext,
  8260. IN DWORD dwPropId,
  8261. OUT void *pvData,
  8262. IN OUT DWORD *pcbData
  8263. );
  8264. //+-------------------------------------------------------------------------
  8265. // Enumerate the properties for the specified CRL context.
  8266. //
  8267. // To get the first property, set dwPropId to 0. The ID of the first
  8268. // property is returned. To get the next property, set dwPropId to the
  8269. // ID returned by the last call. To enumerate all the properties continue
  8270. // until 0 is returned.
  8271. //
  8272. // CertGetCRLContextProperty is called to get the property's data.
  8273. //--------------------------------------------------------------------------
  8274. WINCRYPT32API
  8275. DWORD
  8276. WINAPI
  8277. CertEnumCRLContextProperties(
  8278. IN PCCRL_CONTEXT pCrlContext,
  8279. IN DWORD dwPropId
  8280. );
  8281. //+-------------------------------------------------------------------------
  8282. // Search the CRL's list of entries for the specified certificate.
  8283. //
  8284. // TRUE is returned if we were able to search the list. Otherwise, FALSE is
  8285. // returned,
  8286. //
  8287. // For success, if the certificate was found in the list, *ppCrlEntry is
  8288. // updated with a pointer to the entry. Otherwise, *ppCrlEntry is set to NULL.
  8289. // The returned entry isn't allocated and must not be freed.
  8290. //
  8291. // dwFlags and pvReserved currently aren't used and must be set to 0 or NULL.
  8292. //--------------------------------------------------------------------------
  8293. WINCRYPT32API
  8294. BOOL
  8295. WINAPI
  8296. CertFindCertificateInCRL(
  8297. IN PCCERT_CONTEXT pCert,
  8298. IN PCCRL_CONTEXT pCrlContext,
  8299. IN DWORD dwFlags,
  8300. IN OPTIONAL void *pvReserved,
  8301. OUT PCRL_ENTRY *ppCrlEntry
  8302. );
  8303. //+-------------------------------------------------------------------------
  8304. // Is the specified CRL valid for the certificate.
  8305. //
  8306. // Returns TRUE if the CRL's list of entries would contain the certificate
  8307. // if it was revoked. Note, doesn't check that the certificate is in the
  8308. // list of entries.
  8309. //
  8310. // If the CRL has an Issuing Distribution Point (IDP) extension, checks
  8311. // that it's valid for the subject certificate.
  8312. //
  8313. // dwFlags and pvReserved currently aren't used and must be set to 0 and NULL.
  8314. //--------------------------------------------------------------------------
  8315. WINCRYPT32API
  8316. BOOL
  8317. WINAPI
  8318. CertIsValidCRLForCertificate(
  8319. IN PCCERT_CONTEXT pCert,
  8320. IN PCCRL_CONTEXT pCrl,
  8321. IN DWORD dwFlags,
  8322. IN void *pvReserved
  8323. );
  8324. //+-------------------------------------------------------------------------
  8325. // Add certificate/CRL, encoded, context or element disposition values.
  8326. //--------------------------------------------------------------------------
  8327. #define CERT_STORE_ADD_NEW 1
  8328. #define CERT_STORE_ADD_USE_EXISTING 2
  8329. #define CERT_STORE_ADD_REPLACE_EXISTING 3
  8330. #define CERT_STORE_ADD_ALWAYS 4
  8331. #define CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES 5
  8332. #define CERT_STORE_ADD_NEWER 6
  8333. #define CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES 7
  8334. //+-------------------------------------------------------------------------
  8335. // Add the encoded certificate to the store according to the specified
  8336. // disposition action.
  8337. //
  8338. // Makes a copy of the encoded certificate before adding to the store.
  8339. //
  8340. // dwAddDispostion specifies the action to take if the certificate
  8341. // already exists in the store. This parameter must be one of the following
  8342. // values:
  8343. // CERT_STORE_ADD_NEW
  8344. // Fails if the certificate already exists in the store. LastError
  8345. // is set to CRYPT_E_EXISTS.
  8346. // CERT_STORE_ADD_USE_EXISTING
  8347. // If the certifcate already exists, then, its used and if ppCertContext
  8348. // is non-NULL, the existing context is duplicated.
  8349. // CERT_STORE_ADD_REPLACE_EXISTING
  8350. // If the certificate already exists, then, the existing certificate
  8351. // context is deleted before creating and adding the new context.
  8352. // CERT_STORE_ADD_ALWAYS
  8353. // No check is made to see if the certificate already exists. A
  8354. // new certificate context is always created. This may lead to
  8355. // duplicates in the store.
  8356. // CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES
  8357. // If the certificate already exists, then, its used.
  8358. // CERT_STORE_ADD_NEWER
  8359. // Fails if the certificate already exists in the store AND the NotBefore
  8360. // time of the existing certificate is equal to or greater than the
  8361. // NotBefore time of the new certificate being added. LastError
  8362. // is set to CRYPT_E_EXISTS.
  8363. //
  8364. // If an older certificate is replaced, same as
  8365. // CERT_STORE_ADD_REPLACE_EXISTING.
  8366. //
  8367. // For CRLs or CTLs compares the ThisUpdate times.
  8368. //
  8369. // CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES
  8370. // Same as CERT_STORE_ADD_NEWER. However, if an older certificate is
  8371. // replaced, same as CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES.
  8372. //
  8373. // CertGetSubjectCertificateFromStore is called to determine if the
  8374. // certificate already exists in the store.
  8375. //
  8376. // ppCertContext can be NULL, indicating the caller isn't interested
  8377. // in getting the CERT_CONTEXT of the added or existing certificate.
  8378. //--------------------------------------------------------------------------
  8379. WINCRYPT32API
  8380. BOOL
  8381. WINAPI
  8382. CertAddEncodedCertificateToStore(
  8383. IN HCERTSTORE hCertStore,
  8384. IN DWORD dwCertEncodingType,
  8385. IN const BYTE *pbCertEncoded,
  8386. IN DWORD cbCertEncoded,
  8387. IN DWORD dwAddDisposition,
  8388. OUT OPTIONAL PCCERT_CONTEXT *ppCertContext
  8389. );
  8390. //+-------------------------------------------------------------------------
  8391. // Add the certificate context to the store according to the specified
  8392. // disposition action.
  8393. //
  8394. // In addition to the encoded certificate, the context's properties are
  8395. // also copied. Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
  8396. // CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
  8397. //
  8398. // Makes a copy of the certificate context before adding to the store.
  8399. //
  8400. // dwAddDispostion specifies the action to take if the certificate
  8401. // already exists in the store. This parameter must be one of the following
  8402. // values:
  8403. // CERT_STORE_ADD_NEW
  8404. // Fails if the certificate already exists in the store. LastError
  8405. // is set to CRYPT_E_EXISTS.
  8406. // CERT_STORE_ADD_USE_EXISTING
  8407. // If the certifcate already exists, then, its used and if ppStoreContext
  8408. // is non-NULL, the existing context is duplicated. Iterates
  8409. // through pCertContext's properties and only copies the properties
  8410. // that don't already exist. The SHA1 and MD5 hash properties aren't
  8411. // copied.
  8412. // CERT_STORE_ADD_REPLACE_EXISTING
  8413. // If the certificate already exists, then, the existing certificate
  8414. // context is deleted before creating and adding a new context.
  8415. // Properties are copied before doing the add.
  8416. // CERT_STORE_ADD_ALWAYS
  8417. // No check is made to see if the certificate already exists. A
  8418. // new certificate context is always created and added. This may lead to
  8419. // duplicates in the store. Properties are
  8420. // copied before doing the add.
  8421. // CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES
  8422. // If the certificate already exists, then, the existing certificate
  8423. // context is used. Properties from the added context are copied and
  8424. // replace existing properties. However, any existing properties not
  8425. // in the added context remain and aren't deleted.
  8426. // CERT_STORE_ADD_NEWER
  8427. // Fails if the certificate already exists in the store AND the NotBefore
  8428. // time of the existing context is equal to or greater than the
  8429. // NotBefore time of the new context being added. LastError
  8430. // is set to CRYPT_E_EXISTS.
  8431. //
  8432. // If an older context is replaced, same as
  8433. // CERT_STORE_ADD_REPLACE_EXISTING.
  8434. //
  8435. // For CRLs or CTLs compares the ThisUpdate times.
  8436. //
  8437. // CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES
  8438. // Same as CERT_STORE_ADD_NEWER. However, if an older context is
  8439. // replaced, same as CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES.
  8440. //
  8441. // CertGetSubjectCertificateFromStore is called to determine if the
  8442. // certificate already exists in the store.
  8443. //
  8444. // ppStoreContext can be NULL, indicating the caller isn't interested
  8445. // in getting the CERT_CONTEXT of the added or existing certificate.
  8446. //--------------------------------------------------------------------------
  8447. WINCRYPT32API
  8448. BOOL
  8449. WINAPI
  8450. CertAddCertificateContextToStore(
  8451. IN HCERTSTORE hCertStore,
  8452. IN PCCERT_CONTEXT pCertContext,
  8453. IN DWORD dwAddDisposition,
  8454. OUT OPTIONAL PCCERT_CONTEXT *ppStoreContext
  8455. );
  8456. //+-------------------------------------------------------------------------
  8457. // Certificate Store Context Types
  8458. //--------------------------------------------------------------------------
  8459. #define CERT_STORE_CERTIFICATE_CONTEXT 1
  8460. #define CERT_STORE_CRL_CONTEXT 2
  8461. #define CERT_STORE_CTL_CONTEXT 3
  8462. //+-------------------------------------------------------------------------
  8463. // Certificate Store Context Bit Flags
  8464. //--------------------------------------------------------------------------
  8465. #define CERT_STORE_ALL_CONTEXT_FLAG (~0UL)
  8466. #define CERT_STORE_CERTIFICATE_CONTEXT_FLAG \
  8467. (1 << CERT_STORE_CERTIFICATE_CONTEXT)
  8468. #define CERT_STORE_CRL_CONTEXT_FLAG \
  8469. (1 << CERT_STORE_CRL_CONTEXT)
  8470. #define CERT_STORE_CTL_CONTEXT_FLAG \
  8471. (1 << CERT_STORE_CTL_CONTEXT)
  8472. //+-------------------------------------------------------------------------
  8473. // Add the serialized certificate or CRL element to the store.
  8474. //
  8475. // The serialized element contains the encoded certificate, CRL or CTL and
  8476. // its properties, such as, CERT_KEY_PROV_INFO_PROP_ID.
  8477. //
  8478. // If hCertStore is NULL, creates a certificate, CRL or CTL context not
  8479. // residing in any store.
  8480. //
  8481. // dwAddDispostion specifies the action to take if the certificate or CRL
  8482. // already exists in the store. See CertAddCertificateContextToStore for a
  8483. // list of and actions taken.
  8484. //
  8485. // dwFlags currently isn't used and should be set to 0.
  8486. //
  8487. // dwContextTypeFlags specifies the set of allowable contexts. For example, to
  8488. // add either a certificate or CRL, set dwContextTypeFlags to:
  8489. // CERT_STORE_CERTIFICATE_CONTEXT_FLAG | CERT_STORE_CRL_CONTEXT_FLAG
  8490. //
  8491. // *pdwContextType is updated with the type of the context returned in
  8492. // *ppvContxt. pdwContextType or ppvContext can be NULL, indicating the
  8493. // caller isn't interested in getting the output. If *ppvContext is
  8494. // returned it must be freed by calling CertFreeCertificateContext or
  8495. // CertFreeCRLContext.
  8496. //--------------------------------------------------------------------------
  8497. WINCRYPT32API
  8498. BOOL
  8499. WINAPI
  8500. CertAddSerializedElementToStore(
  8501. IN HCERTSTORE hCertStore,
  8502. IN const BYTE *pbElement,
  8503. IN DWORD cbElement,
  8504. IN DWORD dwAddDisposition,
  8505. IN DWORD dwFlags,
  8506. IN DWORD dwContextTypeFlags,
  8507. OUT OPTIONAL DWORD *pdwContextType,
  8508. OUT OPTIONAL const void **ppvContext
  8509. );
  8510. //+-------------------------------------------------------------------------
  8511. // Delete the specified certificate from the store.
  8512. //
  8513. // All subsequent gets or finds for the certificate will fail. However,
  8514. // memory allocated for the certificate isn't freed until all of its contexts
  8515. // have also been freed.
  8516. //
  8517. // The pCertContext is obtained from a get, enum, find or duplicate.
  8518. //
  8519. // Some store provider implementations might also delete the issuer's CRLs
  8520. // if this is the last certificate for the issuer in the store.
  8521. //
  8522. // NOTE: the pCertContext is always CertFreeCertificateContext'ed by
  8523. // this function, even for an error.
  8524. //--------------------------------------------------------------------------
  8525. WINCRYPT32API
  8526. BOOL
  8527. WINAPI
  8528. CertDeleteCertificateFromStore(
  8529. IN PCCERT_CONTEXT pCertContext
  8530. );
  8531. //+-------------------------------------------------------------------------
  8532. // Add the encoded CRL to the store according to the specified
  8533. // disposition option.
  8534. //
  8535. // Makes a copy of the encoded CRL before adding to the store.
  8536. //
  8537. // dwAddDispostion specifies the action to take if the CRL
  8538. // already exists in the store. See CertAddEncodedCertificateToStore for a
  8539. // list of and actions taken.
  8540. //
  8541. // Compares the CRL's Issuer to determine if the CRL already exists in the
  8542. // store.
  8543. //
  8544. // ppCrlContext can be NULL, indicating the caller isn't interested
  8545. // in getting the CRL_CONTEXT of the added or existing CRL.
  8546. //--------------------------------------------------------------------------
  8547. WINCRYPT32API
  8548. BOOL
  8549. WINAPI
  8550. CertAddEncodedCRLToStore(
  8551. IN HCERTSTORE hCertStore,
  8552. IN DWORD dwCertEncodingType,
  8553. IN const BYTE *pbCrlEncoded,
  8554. IN DWORD cbCrlEncoded,
  8555. IN DWORD dwAddDisposition,
  8556. OUT OPTIONAL PCCRL_CONTEXT *ppCrlContext
  8557. );
  8558. //+-------------------------------------------------------------------------
  8559. // Add the CRL context to the store according to the specified
  8560. // disposition option.
  8561. //
  8562. // In addition to the encoded CRL, the context's properties are
  8563. // also copied. Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
  8564. // CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
  8565. //
  8566. // Makes a copy of the encoded CRL before adding to the store.
  8567. //
  8568. // dwAddDispostion specifies the action to take if the CRL
  8569. // already exists in the store. See CertAddCertificateContextToStore for a
  8570. // list of and actions taken.
  8571. //
  8572. // Compares the CRL's Issuer, ThisUpdate and NextUpdate to determine
  8573. // if the CRL already exists in the store.
  8574. //
  8575. // ppStoreContext can be NULL, indicating the caller isn't interested
  8576. // in getting the CRL_CONTEXT of the added or existing CRL.
  8577. //--------------------------------------------------------------------------
  8578. WINCRYPT32API
  8579. BOOL
  8580. WINAPI
  8581. CertAddCRLContextToStore(
  8582. IN HCERTSTORE hCertStore,
  8583. IN PCCRL_CONTEXT pCrlContext,
  8584. IN DWORD dwAddDisposition,
  8585. OUT OPTIONAL PCCRL_CONTEXT *ppStoreContext
  8586. );
  8587. //+-------------------------------------------------------------------------
  8588. // Delete the specified CRL from the store.
  8589. //
  8590. // All subsequent gets for the CRL will fail. However,
  8591. // memory allocated for the CRL isn't freed until all of its contexts
  8592. // have also been freed.
  8593. //
  8594. // The pCrlContext is obtained from a get or duplicate.
  8595. //
  8596. // NOTE: the pCrlContext is always CertFreeCRLContext'ed by
  8597. // this function, even for an error.
  8598. //--------------------------------------------------------------------------
  8599. WINCRYPT32API
  8600. BOOL
  8601. WINAPI
  8602. CertDeleteCRLFromStore(
  8603. IN PCCRL_CONTEXT pCrlContext
  8604. );
  8605. //+-------------------------------------------------------------------------
  8606. // Serialize the certificate context's encoded certificate and its
  8607. // properties.
  8608. //--------------------------------------------------------------------------
  8609. WINCRYPT32API
  8610. BOOL
  8611. WINAPI
  8612. CertSerializeCertificateStoreElement(
  8613. IN PCCERT_CONTEXT pCertContext,
  8614. IN DWORD dwFlags,
  8615. OUT BYTE *pbElement,
  8616. IN OUT DWORD *pcbElement
  8617. );
  8618. //+-------------------------------------------------------------------------
  8619. // Serialize the CRL context's encoded CRL and its properties.
  8620. //--------------------------------------------------------------------------
  8621. WINCRYPT32API
  8622. BOOL
  8623. WINAPI
  8624. CertSerializeCRLStoreElement(
  8625. IN PCCRL_CONTEXT pCrlContext,
  8626. IN DWORD dwFlags,
  8627. OUT BYTE *pbElement,
  8628. IN OUT DWORD *pcbElement
  8629. );
  8630. //+=========================================================================
  8631. // Certificate Trust List (CTL) Store Data Structures and APIs
  8632. //==========================================================================
  8633. //+-------------------------------------------------------------------------
  8634. // Duplicate a CTL context
  8635. //--------------------------------------------------------------------------
  8636. WINCRYPT32API
  8637. PCCTL_CONTEXT
  8638. WINAPI
  8639. CertDuplicateCTLContext(
  8640. IN PCCTL_CONTEXT pCtlContext
  8641. );
  8642. //+-------------------------------------------------------------------------
  8643. // Create a CTL context from the encoded CTL. The created
  8644. // context isn't put in a store.
  8645. //
  8646. // Makes a copy of the encoded CTL in the created context.
  8647. //
  8648. // If unable to decode and create the CTL context, NULL is returned.
  8649. // Otherwise, a pointer to a read only CTL_CONTEXT is returned.
  8650. // CTL_CONTEXT must be freed by calling CertFreeCTLContext.
  8651. // CertDuplicateCTLContext can be called to make a duplicate.
  8652. //
  8653. // CertSetCTLContextProperty and CertGetCTLContextProperty can be called
  8654. // to store properties for the CTL.
  8655. //--------------------------------------------------------------------------
  8656. WINCRYPT32API
  8657. PCCTL_CONTEXT
  8658. WINAPI
  8659. CertCreateCTLContext(
  8660. IN DWORD dwMsgAndCertEncodingType,
  8661. IN const BYTE *pbCtlEncoded,
  8662. IN DWORD cbCtlEncoded
  8663. );
  8664. //+-------------------------------------------------------------------------
  8665. // Free a CTL context
  8666. //
  8667. // There needs to be a corresponding free for each context obtained by a
  8668. // get, duplicate or create.
  8669. //--------------------------------------------------------------------------
  8670. WINCRYPT32API
  8671. BOOL
  8672. WINAPI
  8673. CertFreeCTLContext(
  8674. IN PCCTL_CONTEXT pCtlContext
  8675. );
  8676. //+-------------------------------------------------------------------------
  8677. // Set the property for the specified CTL context.
  8678. //
  8679. // Same Property Ids and semantics as CertSetCertificateContextProperty.
  8680. //--------------------------------------------------------------------------
  8681. WINCRYPT32API
  8682. BOOL
  8683. WINAPI
  8684. CertSetCTLContextProperty(
  8685. IN PCCTL_CONTEXT pCtlContext,
  8686. IN DWORD dwPropId,
  8687. IN DWORD dwFlags,
  8688. IN const void *pvData
  8689. );
  8690. //+-------------------------------------------------------------------------
  8691. // Get the property for the specified CTL context.
  8692. //
  8693. // Same Property Ids and semantics as CertGetCertificateContextProperty.
  8694. //
  8695. // CERT_SHA1_HASH_PROP_ID or CERT_NEXT_UPDATE_LOCATION_PROP_ID are the
  8696. // predefined properties of most interest.
  8697. //--------------------------------------------------------------------------
  8698. WINCRYPT32API
  8699. BOOL
  8700. WINAPI
  8701. CertGetCTLContextProperty(
  8702. IN PCCTL_CONTEXT pCtlContext,
  8703. IN DWORD dwPropId,
  8704. OUT void *pvData,
  8705. IN OUT DWORD *pcbData
  8706. );
  8707. //+-------------------------------------------------------------------------
  8708. // Enumerate the properties for the specified CTL context.
  8709. //--------------------------------------------------------------------------
  8710. WINCRYPT32API
  8711. DWORD
  8712. WINAPI
  8713. CertEnumCTLContextProperties(
  8714. IN PCCTL_CONTEXT pCtlContext,
  8715. IN DWORD dwPropId
  8716. );
  8717. //+-------------------------------------------------------------------------
  8718. // Enumerate the CTL contexts in the store.
  8719. //
  8720. // If a CTL isn't found, NULL is returned.
  8721. // Otherwise, a pointer to a read only CTL_CONTEXT is returned. CTL_CONTEXT
  8722. // must be freed by calling CertFreeCTLContext or is freed when passed as the
  8723. // pPrevCtlContext on a subsequent call. CertDuplicateCTLContext
  8724. // can be called to make a duplicate.
  8725. //
  8726. // pPrevCtlContext MUST BE NULL to enumerate the first
  8727. // CTL in the store. Successive CTLs are enumerated by setting
  8728. // pPrevCtlContext to the CTL_CONTEXT returned by a previous call.
  8729. //
  8730. // NOTE: a NON-NULL pPrevCtlContext is always CertFreeCTLContext'ed by
  8731. // this function, even for an error.
  8732. //--------------------------------------------------------------------------
  8733. WINCRYPT32API
  8734. PCCTL_CONTEXT
  8735. WINAPI
  8736. CertEnumCTLsInStore(
  8737. IN HCERTSTORE hCertStore,
  8738. IN PCCTL_CONTEXT pPrevCtlContext
  8739. );
  8740. //+-------------------------------------------------------------------------
  8741. // Attempt to find the specified subject in the CTL.
  8742. //
  8743. // For CTL_CERT_SUBJECT_TYPE, pvSubject points to a CERT_CONTEXT. The CTL's
  8744. // SubjectAlgorithm is examined to determine the representation of the
  8745. // subject's identity. Initially, only SHA1 or MD5 hash will be supported.
  8746. // The appropriate hash property is obtained from the CERT_CONTEXT.
  8747. //
  8748. // For CTL_ANY_SUBJECT_TYPE, pvSubject points to the CTL_ANY_SUBJECT_INFO
  8749. // structure which contains the SubjectAlgorithm to be matched in the CTL
  8750. // and the SubjectIdentifer to be matched in one of the CTL entries.
  8751. //
  8752. // The certificate's hash or the CTL_ANY_SUBJECT_INFO's SubjectIdentifier
  8753. // is used as the key in searching the subject entries. A binary
  8754. // memory comparison is done between the key and the entry's SubjectIdentifer.
  8755. //
  8756. // dwEncodingType isn't used for either of the above SubjectTypes.
  8757. //--------------------------------------------------------------------------
  8758. WINCRYPT32API
  8759. PCTL_ENTRY
  8760. WINAPI
  8761. CertFindSubjectInCTL(
  8762. IN DWORD dwEncodingType,
  8763. IN DWORD dwSubjectType,
  8764. IN void *pvSubject,
  8765. IN PCCTL_CONTEXT pCtlContext,
  8766. IN DWORD dwFlags
  8767. );
  8768. // Subject Types:
  8769. // CTL_ANY_SUBJECT_TYPE, pvSubject points to following CTL_ANY_SUBJECT_INFO.
  8770. // CTL_CERT_SUBJECT_TYPE, pvSubject points to CERT_CONTEXT.
  8771. #define CTL_ANY_SUBJECT_TYPE 1
  8772. #define CTL_CERT_SUBJECT_TYPE 2
  8773. typedef struct _CTL_ANY_SUBJECT_INFO {
  8774. CRYPT_ALGORITHM_IDENTIFIER SubjectAlgorithm;
  8775. CRYPT_DATA_BLOB SubjectIdentifier;
  8776. } CTL_ANY_SUBJECT_INFO, *PCTL_ANY_SUBJECT_INFO;
  8777. //+-------------------------------------------------------------------------
  8778. // Find the first or next CTL context in the store.
  8779. //
  8780. // The CTL is found according to the dwFindType and its pvFindPara.
  8781. // See below for a list of the find types and its parameters.
  8782. //
  8783. // Currently dwFindFlags isn't used and must be set to 0.
  8784. //
  8785. // Usage of dwMsgAndCertEncodingType depends on the dwFindType.
  8786. //
  8787. // If the first or next CTL isn't found, NULL is returned.
  8788. // Otherwise, a pointer to a read only CTL_CONTEXT is returned. CTL_CONTEXT
  8789. // must be freed by calling CertFreeCTLContext or is freed when passed as the
  8790. // pPrevCtlContext on a subsequent call. CertDuplicateCTLContext
  8791. // can be called to make a duplicate.
  8792. //
  8793. // pPrevCtlContext MUST BE NULL on the first
  8794. // call to find the CTL. To find the next CTL, the
  8795. // pPrevCtlContext is set to the CTL_CONTEXT returned by a previous call.
  8796. //
  8797. // NOTE: a NON-NULL pPrevCtlContext is always CertFreeCTLContext'ed by
  8798. // this function, even for an error.
  8799. //--------------------------------------------------------------------------
  8800. WINCRYPT32API
  8801. PCCTL_CONTEXT
  8802. WINAPI
  8803. CertFindCTLInStore(
  8804. IN HCERTSTORE hCertStore,
  8805. IN DWORD dwMsgAndCertEncodingType,
  8806. IN DWORD dwFindFlags,
  8807. IN DWORD dwFindType,
  8808. IN const void *pvFindPara,
  8809. IN PCCTL_CONTEXT pPrevCtlContext
  8810. );
  8811. #define CTL_FIND_ANY 0
  8812. #define CTL_FIND_SHA1_HASH 1
  8813. #define CTL_FIND_MD5_HASH 2
  8814. #define CTL_FIND_USAGE 3
  8815. #define CTL_FIND_SUBJECT 4
  8816. #define CTL_FIND_EXISTING 5
  8817. typedef struct _CTL_FIND_USAGE_PARA {
  8818. DWORD cbSize;
  8819. CTL_USAGE SubjectUsage; // optional
  8820. CRYPT_DATA_BLOB ListIdentifier; // optional
  8821. PCERT_INFO pSigner; // optional
  8822. } CTL_FIND_USAGE_PARA, *PCTL_FIND_USAGE_PARA;
  8823. #define CTL_FIND_NO_LIST_ID_CBDATA 0xFFFFFFFF
  8824. #define CTL_FIND_NO_SIGNER_PTR ((PCERT_INFO) -1)
  8825. #define CTL_FIND_SAME_USAGE_FLAG 0x1
  8826. typedef struct _CTL_FIND_SUBJECT_PARA {
  8827. DWORD cbSize;
  8828. PCTL_FIND_USAGE_PARA pUsagePara; // optional
  8829. DWORD dwSubjectType;
  8830. void *pvSubject;
  8831. } CTL_FIND_SUBJECT_PARA, *PCTL_FIND_SUBJECT_PARA;
  8832. //+-------------------------------------------------------------------------
  8833. // CTL_FIND_ANY
  8834. //
  8835. // Find any CTL.
  8836. //
  8837. // pvFindPara isn't used.
  8838. //--------------------------------------------------------------------------
  8839. //+-------------------------------------------------------------------------
  8840. // CTL_FIND_SHA1_HASH
  8841. // CTL_FIND_MD5_HASH
  8842. //
  8843. // Find a CTL with the specified hash.
  8844. //
  8845. // pvFindPara points to a CRYPT_HASH_BLOB.
  8846. //--------------------------------------------------------------------------
  8847. //+-------------------------------------------------------------------------
  8848. // CTL_FIND_USAGE
  8849. //
  8850. // Find a CTL having the specified usage identifiers, list identifier or
  8851. // signer. The CertEncodingType of the signer is obtained from the
  8852. // dwMsgAndCertEncodingType parameter.
  8853. //
  8854. // pvFindPara points to a CTL_FIND_USAGE_PARA data structure. The
  8855. // SubjectUsage.cUsageIdentifer can be 0 to match any usage. The
  8856. // ListIdentifier.cbData can be 0 to match any list identifier. To only match
  8857. // CTLs without a ListIdentifier, cbData must be set to
  8858. // CTL_FIND_NO_LIST_ID_CBDATA. pSigner can be NULL to match any signer. Only
  8859. // the Issuer and SerialNumber fields of the pSigner's PCERT_INFO are used.
  8860. // To only match CTLs without a signer, pSigner must be set to
  8861. // CTL_FIND_NO_SIGNER_PTR.
  8862. //
  8863. // The CTL_FIND_SAME_USAGE_FLAG can be set in dwFindFlags to
  8864. // only match CTLs with the same usage identifiers. CTLs having additional
  8865. // usage identifiers aren't matched. For example, if only "1.2.3" is specified
  8866. // in CTL_FIND_USAGE_PARA, then, for a match, the CTL must only contain
  8867. // "1.2.3" and not any additional usage identifers.
  8868. //--------------------------------------------------------------------------
  8869. //+-------------------------------------------------------------------------
  8870. // CTL_FIND_SUBJECT
  8871. //
  8872. // Find a CTL having the specified subject. CertFindSubjectInCTL can be
  8873. // called to get a pointer to the subject's entry in the CTL. pUsagePara can
  8874. // optionally be set to enable the above CTL_FIND_USAGE matching.
  8875. //
  8876. // pvFindPara points to a CTL_FIND_SUBJECT_PARA data structure.
  8877. //--------------------------------------------------------------------------
  8878. //+-------------------------------------------------------------------------
  8879. // Add the encoded CTL to the store according to the specified
  8880. // disposition option.
  8881. //
  8882. // Makes a copy of the encoded CTL before adding to the store.
  8883. //
  8884. // dwAddDispostion specifies the action to take if the CTL
  8885. // already exists in the store. See CertAddEncodedCertificateToStore for a
  8886. // list of and actions taken.
  8887. //
  8888. // Compares the CTL's SubjectUsage, ListIdentifier and any of its signers
  8889. // to determine if the CTL already exists in the store.
  8890. //
  8891. // ppCtlContext can be NULL, indicating the caller isn't interested
  8892. // in getting the CTL_CONTEXT of the added or existing CTL.
  8893. //--------------------------------------------------------------------------
  8894. WINCRYPT32API
  8895. BOOL
  8896. WINAPI
  8897. CertAddEncodedCTLToStore(
  8898. IN HCERTSTORE hCertStore,
  8899. IN DWORD dwMsgAndCertEncodingType,
  8900. IN const BYTE *pbCtlEncoded,
  8901. IN DWORD cbCtlEncoded,
  8902. IN DWORD dwAddDisposition,
  8903. OUT OPTIONAL PCCTL_CONTEXT *ppCtlContext
  8904. );
  8905. //+-------------------------------------------------------------------------
  8906. // Add the CTL context to the store according to the specified
  8907. // disposition option.
  8908. //
  8909. // In addition to the encoded CTL, the context's properties are
  8910. // also copied. Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
  8911. // CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
  8912. //
  8913. // Makes a copy of the encoded CTL before adding to the store.
  8914. //
  8915. // dwAddDispostion specifies the action to take if the CTL
  8916. // already exists in the store. See CertAddCertificateContextToStore for a
  8917. // list of and actions taken.
  8918. //
  8919. // Compares the CTL's SubjectUsage, ListIdentifier and any of its signers
  8920. // to determine if the CTL already exists in the store.
  8921. //
  8922. // ppStoreContext can be NULL, indicating the caller isn't interested
  8923. // in getting the CTL_CONTEXT of the added or existing CTL.
  8924. //--------------------------------------------------------------------------
  8925. WINCRYPT32API
  8926. BOOL
  8927. WINAPI
  8928. CertAddCTLContextToStore(
  8929. IN HCERTSTORE hCertStore,
  8930. IN PCCTL_CONTEXT pCtlContext,
  8931. IN DWORD dwAddDisposition,
  8932. OUT OPTIONAL PCCTL_CONTEXT *ppStoreContext
  8933. );
  8934. //+-------------------------------------------------------------------------
  8935. // Serialize the CTL context's encoded CTL and its properties.
  8936. //--------------------------------------------------------------------------
  8937. WINCRYPT32API
  8938. BOOL
  8939. WINAPI
  8940. CertSerializeCTLStoreElement(
  8941. IN PCCTL_CONTEXT pCtlContext,
  8942. IN DWORD dwFlags,
  8943. OUT BYTE *pbElement,
  8944. IN OUT DWORD *pcbElement
  8945. );
  8946. //+-------------------------------------------------------------------------
  8947. // Delete the specified CTL from the store.
  8948. //
  8949. // All subsequent gets for the CTL will fail. However,
  8950. // memory allocated for the CTL isn't freed until all of its contexts
  8951. // have also been freed.
  8952. //
  8953. // The pCtlContext is obtained from a get or duplicate.
  8954. //
  8955. // NOTE: the pCtlContext is always CertFreeCTLContext'ed by
  8956. // this function, even for an error.
  8957. //--------------------------------------------------------------------------
  8958. WINCRYPT32API
  8959. BOOL
  8960. WINAPI
  8961. CertDeleteCTLFromStore(
  8962. IN PCCTL_CONTEXT pCtlContext
  8963. );
  8964. WINCRYPT32API
  8965. BOOL
  8966. WINAPI
  8967. CertAddCertificateLinkToStore(
  8968. IN HCERTSTORE hCertStore,
  8969. IN PCCERT_CONTEXT pCertContext,
  8970. IN DWORD dwAddDisposition,
  8971. OUT OPTIONAL PCCERT_CONTEXT *ppStoreContext
  8972. );
  8973. WINCRYPT32API
  8974. BOOL
  8975. WINAPI
  8976. CertAddCRLLinkToStore(
  8977. IN HCERTSTORE hCertStore,
  8978. IN PCCRL_CONTEXT pCrlContext,
  8979. IN DWORD dwAddDisposition,
  8980. OUT OPTIONAL PCCRL_CONTEXT *ppStoreContext
  8981. );
  8982. WINCRYPT32API
  8983. BOOL
  8984. WINAPI
  8985. CertAddCTLLinkToStore(
  8986. IN HCERTSTORE hCertStore,
  8987. IN PCCTL_CONTEXT pCtlContext,
  8988. IN DWORD dwAddDisposition,
  8989. OUT OPTIONAL PCCTL_CONTEXT *ppStoreContext
  8990. );
  8991. WINCRYPT32API
  8992. BOOL
  8993. WINAPI
  8994. CertAddStoreToCollection(
  8995. IN HCERTSTORE hCollectionStore,
  8996. IN OPTIONAL HCERTSTORE hSiblingStore,
  8997. IN DWORD dwUpdateFlags,
  8998. IN DWORD dwPriority
  8999. );
  9000. WINCRYPT32API
  9001. void
  9002. WINAPI
  9003. CertRemoveStoreFromCollection(
  9004. IN HCERTSTORE hCollectionStore,
  9005. IN HCERTSTORE hSiblingStore
  9006. );
  9007. WINCRYPT32API
  9008. BOOL
  9009. WINAPI
  9010. CertControlStore(
  9011. IN HCERTSTORE hCertStore,
  9012. IN DWORD dwFlags,
  9013. IN DWORD dwCtrlType,
  9014. IN void const *pvCtrlPara
  9015. );
  9016. //+-------------------------------------------------------------------------
  9017. // Certificate Store control types
  9018. //--------------------------------------------------------------------------
  9019. #define CERT_STORE_CTRL_RESYNC 1
  9020. #define CERT_STORE_CTRL_NOTIFY_CHANGE 2
  9021. #define CERT_STORE_CTRL_COMMIT 3
  9022. #define CERT_STORE_CTRL_AUTO_RESYNC 4
  9023. #define CERT_STORE_CTRL_CANCEL_NOTIFY 5
  9024. #define CERT_STORE_CTRL_INHIBIT_DUPLICATE_HANDLE_FLAG 0x1
  9025. //+-------------------------------------------------------------------------
  9026. // CERT_STORE_CTRL_RESYNC
  9027. //
  9028. // Re-synchronize the store.
  9029. //
  9030. // The pvCtrlPara points to the event HANDLE to be signaled on
  9031. // the next store change. Normally, this would be the same
  9032. // event HANDLE passed to CERT_STORE_CTRL_NOTIFY_CHANGE during initialization.
  9033. //
  9034. // If pvCtrlPara is NULL, no events are re-armed.
  9035. //
  9036. // By default the event HANDLE is DuplicateHandle'd.
  9037. // CERT_STORE_CTRL_INHIBIT_DUPLICATE_HANDLE_FLAG can be set in dwFlags
  9038. // to inhibit a DupicateHandle of the event HANDLE. If this flag
  9039. // is set, then, CertControlStore(CERT_STORE_CTRL_CANCEL_NOTIFY) must be
  9040. // called for this event HANDLE before closing the hCertStore.
  9041. //--------------------------------------------------------------------------
  9042. //+-------------------------------------------------------------------------
  9043. // CERT_STORE_CTRL_NOTIFY_CHANGE
  9044. //
  9045. // Signal the event when the underlying store is changed.
  9046. //
  9047. // pvCtrlPara points to the event HANDLE to be signaled.
  9048. //
  9049. // pvCtrlPara can be NULL to inform the store of a subsequent
  9050. // CERT_STORE_CTRL_RESYNC and allow it to optimize by only doing a resync
  9051. // if the store has changed. For the registry based stores, an internal
  9052. // notify change event is created and registered to be signaled.
  9053. //
  9054. // Recommend calling CERT_STORE_CTRL_NOTIFY_CHANGE once for each event to
  9055. // be passed to CERT_STORE_CTRL_RESYNC. This should only happen after
  9056. // the event has been created. Not after each time the event is signaled.
  9057. //
  9058. // By default the event HANDLE is DuplicateHandle'd.
  9059. // CERT_STORE_CTRL_INHIBIT_DUPLICATE_HANDLE_FLAG can be set in dwFlags
  9060. // to inhibit a DupicateHandle of the event HANDLE. If this flag
  9061. // is set, then, CertControlStore(CERT_STORE_CTRL_CANCEL_NOTIFY) must be
  9062. // called for this event HANDLE before closing the hCertStore.
  9063. //--------------------------------------------------------------------------
  9064. //+-------------------------------------------------------------------------
  9065. // CERT_STORE_CTRL_CANCEL_NOTIFY
  9066. //
  9067. // Cancel notification signaling of the event HANDLE passed in a previous
  9068. // CERT_STORE_CTRL_NOTIFY_CHANGE or CERT_STORE_CTRL_RESYNC.
  9069. //
  9070. // pvCtrlPara points to the event HANDLE to be canceled.
  9071. //--------------------------------------------------------------------------
  9072. //+-------------------------------------------------------------------------
  9073. // CERT_STORE_CTRL_AUTO_RESYNC
  9074. //
  9075. // At the start of every enumeration or find store API call, check if the
  9076. // underlying store has changed. If it has changed, re-synchronize.
  9077. //
  9078. // This check is only done in the enumeration or find APIs when the
  9079. // pPrevContext is NULL.
  9080. //
  9081. // The pvCtrlPara isn't used and must be set to NULL.
  9082. //--------------------------------------------------------------------------
  9083. //+-------------------------------------------------------------------------
  9084. // CERT_STORE_CTRL_COMMIT
  9085. //
  9086. // If any changes have been to the cached store, they are committed to
  9087. // persisted storage. If no changes have been made since the store was
  9088. // opened or the last commit, this call is ignored. May also be ignored by
  9089. // store providers that persist changes immediately.
  9090. //
  9091. // CERT_STORE_CTRL_COMMIT_FORCE_FLAG can be set to force the store
  9092. // to be committed even if it hasn't been touched.
  9093. //
  9094. // CERT_STORE_CTRL_COMMIT_CLEAR_FLAG can be set to inhibit a commit on
  9095. // store close.
  9096. //--------------------------------------------------------------------------
  9097. #define CERT_STORE_CTRL_COMMIT_FORCE_FLAG 0x1
  9098. #define CERT_STORE_CTRL_COMMIT_CLEAR_FLAG 0x2
  9099. //+=========================================================================
  9100. // Cert Store Property Defines and APIs
  9101. //==========================================================================
  9102. //+-------------------------------------------------------------------------
  9103. // Store property IDs. This is a property applicable to the entire store.
  9104. // Its not a property on an individual certificate, CRL or CTL context.
  9105. //
  9106. // Currently, no store properties are persisted. (This differs from
  9107. // most context properties which are persisted.)
  9108. //
  9109. // See CertSetStoreProperty or CertGetStoreProperty for usage information.
  9110. //
  9111. // Note, the range for predefined store properties should be outside
  9112. // the range of predefined context properties. We will start at 4096.
  9113. //--------------------------------------------------------------------------
  9114. #define CERT_STORE_LOCALIZED_NAME_PROP_ID 0x1000
  9115. //+-------------------------------------------------------------------------
  9116. // Set a store property.
  9117. //
  9118. // The type definition for pvData depends on the dwPropId value.
  9119. // CERT_STORE_LOCALIZED_NAME_PROP_ID - localized name of the store.
  9120. // pvData points to a CRYPT_DATA_BLOB. pbData is a pointer to a NULL
  9121. // terminated unicode, wide character string.
  9122. // cbData = (wcslen((LPWSTR) pbData) + 1) * sizeof(WCHAR).
  9123. //
  9124. // For all the other PROP_IDs: an encoded PCRYPT_DATA_BLOB is passed in pvData.
  9125. //
  9126. // If the property already exists, then, the old value is deleted and silently
  9127. // replaced. Setting, pvData to NULL, deletes the property.
  9128. //--------------------------------------------------------------------------
  9129. WINCRYPT32API
  9130. BOOL
  9131. WINAPI
  9132. CertSetStoreProperty(
  9133. IN HCERTSTORE hCertStore,
  9134. IN DWORD dwPropId,
  9135. IN DWORD dwFlags,
  9136. IN const void *pvData
  9137. );
  9138. //+-------------------------------------------------------------------------
  9139. // Get a store property.
  9140. //
  9141. // The type definition for pvData depends on the dwPropId value.
  9142. // CERT_STORE_LOCALIZED_NAME_PROP_ID - localized name of the store.
  9143. // pvData points to a NULL terminated unicode, wide character string.
  9144. // cbData = (wcslen((LPWSTR) pvData) + 1) * sizeof(WCHAR).
  9145. //
  9146. // For all other PROP_IDs, pvData points to an array of bytes.
  9147. //
  9148. // If the property doesn't exist, returns FALSE and sets LastError to
  9149. // CRYPT_E_NOT_FOUND.
  9150. //--------------------------------------------------------------------------
  9151. WINCRYPT32API
  9152. BOOL
  9153. WINAPI
  9154. CertGetStoreProperty(
  9155. IN HCERTSTORE hCertStore,
  9156. IN DWORD dwPropId,
  9157. OUT void *pvData,
  9158. IN OUT DWORD *pcbData
  9159. );
  9160. typedef struct _CERT_CREATE_CONTEXT_PARA {
  9161. DWORD cbSize;
  9162. PFN_CRYPT_FREE pfnFree; // OPTIONAL
  9163. void *pvFree; // OPTIONAL
  9164. } CERT_CREATE_CONTEXT_PARA, *PCERT_CREATE_CONTEXT_PARA;
  9165. //+-------------------------------------------------------------------------
  9166. // Creates the specified context from the encoded bytes. The created
  9167. // context isn't put in a store.
  9168. //
  9169. // dwContextType values:
  9170. // CERT_STORE_CERTIFICATE_CONTEXT
  9171. // CERT_STORE_CRL_CONTEXT
  9172. // CERT_STORE_CTL_CONTEXT
  9173. //
  9174. // If CERT_CREATE_CONTEXT_NOCOPY_FLAG is set, the created context points
  9175. // directly to the pbEncoded instead of an allocated copy. See flag
  9176. // definition for more details.
  9177. //
  9178. // If CERT_CREATE_CONTEXT_SORTED_FLAG is set, the context is created
  9179. // with sorted entries. This flag may only be set for CERT_STORE_CTL_CONTEXT.
  9180. // Setting this flag implicitly sets CERT_CREATE_CONTEXT_NO_HCRYPTMSG_FLAG and
  9181. // CERT_CREATE_CONTEXT_NO_ENTRY_FLAG. See flag definition for
  9182. // more details.
  9183. //
  9184. // If CERT_CREATE_CONTEXT_NO_HCRYPTMSG_FLAG is set, the context is created
  9185. // without creating a HCRYPTMSG handle for the context. This flag may only be
  9186. // set for CERT_STORE_CTL_CONTEXT. See flag definition for more details.
  9187. //
  9188. // If CERT_CREATE_CONTEXT_NO_ENTRY_FLAG is set, the context is created
  9189. // without decoding the entries. This flag may only be set for
  9190. // CERT_STORE_CTL_CONTEXT. See flag definition for more details.
  9191. //
  9192. // If unable to decode and create the context, NULL is returned.
  9193. // Otherwise, a pointer to a read only CERT_CONTEXT, CRL_CONTEXT or
  9194. // CTL_CONTEXT is returned. The context must be freed by the appropriate
  9195. // free context API. The context can be duplicated by calling the
  9196. // appropriate duplicate context API.
  9197. //--------------------------------------------------------------------------
  9198. WINCRYPT32API
  9199. const void *
  9200. WINAPI
  9201. CertCreateContext(
  9202. IN DWORD dwContextType,
  9203. IN DWORD dwEncodingType,
  9204. IN const BYTE *pbEncoded,
  9205. IN DWORD cbEncoded,
  9206. IN DWORD dwFlags,
  9207. IN OPTIONAL PCERT_CREATE_CONTEXT_PARA pCreatePara
  9208. );
  9209. // When the following flag is set, the created context points directly to the
  9210. // pbEncoded instead of an allocated copy. If pCreatePara and
  9211. // pCreatePara->pfnFree are non-NULL, then, pfnFree is called to free
  9212. // the pbEncoded when the context is last freed. Otherwise, no attempt is
  9213. // made to free the pbEncoded. If pCreatePara->pvFree is non-NULL, then its
  9214. // passed to pfnFree instead of pbEncoded.
  9215. //
  9216. // Note, if CertCreateContext fails, pfnFree is still called.
  9217. #define CERT_CREATE_CONTEXT_NOCOPY_FLAG 0x1
  9218. // When the following flag is set, a context with sorted entries is created.
  9219. // Currently only applicable to a CTL context.
  9220. //
  9221. // For CTLs: the cCTLEntry in the returned CTL_INFO is always
  9222. // 0. CertFindSubjectInSortedCTL and CertEnumSubjectInSortedCTL must be called
  9223. // to find or enumerate the CTL entries.
  9224. //
  9225. // The Sorted CTL TrustedSubjects extension isn't returned in the created
  9226. // context's CTL_INFO.
  9227. #define CERT_CREATE_CONTEXT_SORTED_FLAG 0x2
  9228. // By default when a CTL context is created, a HCRYPTMSG handle to its
  9229. // SignedData message is created. This flag can be set to improve performance
  9230. // by not creating the HCRYPTMSG handle.
  9231. //
  9232. // This flag is only applicable to a CTL context.
  9233. #define CERT_CREATE_CONTEXT_NO_HCRYPTMSG_FLAG 0x4
  9234. // By default when a CTL context is created, its entries are decoded.
  9235. // This flag can be set to improve performance by not decoding the
  9236. // entries.
  9237. //
  9238. // This flag is only applicable to a CTL context.
  9239. #define CERT_CREATE_CONTEXT_NO_ENTRY_FLAG 0x8
  9240. //+=========================================================================
  9241. // Certificate System Store Data Structures and APIs
  9242. //==========================================================================
  9243. //+-------------------------------------------------------------------------
  9244. // System Store Information
  9245. //
  9246. // Currently, no system store information is persisted.
  9247. //--------------------------------------------------------------------------
  9248. typedef struct _CERT_SYSTEM_STORE_INFO {
  9249. DWORD cbSize;
  9250. } CERT_SYSTEM_STORE_INFO, *PCERT_SYSTEM_STORE_INFO;
  9251. //+-------------------------------------------------------------------------
  9252. // Physical Store Information
  9253. //
  9254. // The Open fields are passed directly to CertOpenStore() to open
  9255. // the physical store.
  9256. //
  9257. // By default all system stores located in the registry have an
  9258. // implicit SystemRegistry physical store that is opened. To disable the
  9259. // opening of this store, the SystemRegistry
  9260. // physical store corresponding to the System store must be registered with
  9261. // CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG set in dwFlags. Alternatively,
  9262. // a physical store with the name of ".Default" may be registered.
  9263. //
  9264. // Depending on the store location and store name, additional predefined
  9265. // physical stores may be opened. For example, system stores in
  9266. // CURRENT_USER have the predefined physical store, .LocalMachine.
  9267. // To disable the opening of these predefined physical stores, the
  9268. // corresponding physical store must be registered with
  9269. // CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG set in dwFlags.
  9270. //
  9271. // The CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG must be set in dwFlags
  9272. // to enable the adding of a context to the store.
  9273. //
  9274. // When a system store is opened via the SERVICES or USERS store location,
  9275. // the ServiceName\ is prepended to the OpenParameters
  9276. // for CERT_SYSTEM_STORE_CURRENT_USER or CERT_SYSTEM_STORE_CURRENT_SERVICE
  9277. // physical stores and the dwOpenFlags store location is changed to
  9278. // CERT_SYSTEM_STORE_USERS or CERT_SYSTEM_STORE_SERVICES.
  9279. //
  9280. // By default the SYSTEM, SYSTEM_REGISTRY and PHYSICAL provider
  9281. // stores are also opened remotely when the outer system store is opened.
  9282. // The CERT_PHYSICAL_STORE_REMOTE_OPEN_DISABLE_FLAG may be set in dwFlags
  9283. // to disable remote opens.
  9284. //
  9285. // When opened remotely, the \\ComputerName is implicitly prepended to the
  9286. // OpenParameters for the SYSTEM, SYSTEM_REGISTRY and PHYSICAL provider types.
  9287. // To also prepend the \\ComputerName to other provider types, set the
  9288. // CERT_PHYSICAL_STORE_INSERT_COMPUTER_NAME_ENABLE_FLAG in dwFlags.
  9289. //
  9290. // When the system store is opened, its physical stores are ordered
  9291. // according to the dwPriority. A larger dwPriority indicates higher priority.
  9292. //--------------------------------------------------------------------------
  9293. typedef struct _CERT_PHYSICAL_STORE_INFO {
  9294. DWORD cbSize;
  9295. LPSTR pszOpenStoreProvider; // REG_SZ
  9296. DWORD dwOpenEncodingType; // REG_DWORD
  9297. DWORD dwOpenFlags; // REG_DWORD
  9298. CRYPT_DATA_BLOB OpenParameters; // REG_BINARY
  9299. DWORD dwFlags; // REG_DWORD
  9300. DWORD dwPriority; // REG_DWORD
  9301. } CERT_PHYSICAL_STORE_INFO, *PCERT_PHYSICAL_STORE_INFO;
  9302. //+-------------------------------------------------------------------------
  9303. // Physical Store Information dwFlags
  9304. //--------------------------------------------------------------------------
  9305. #define CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG 0x1
  9306. #define CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG 0x2
  9307. #define CERT_PHYSICAL_STORE_REMOTE_OPEN_DISABLE_FLAG 0x4
  9308. #define CERT_PHYSICAL_STORE_INSERT_COMPUTER_NAME_ENABLE_FLAG 0x8
  9309. //+-------------------------------------------------------------------------
  9310. // Register a system store.
  9311. //
  9312. // The upper word of the dwFlags parameter is used to specify the location of
  9313. // the system store.
  9314. //
  9315. // If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
  9316. // points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
  9317. // pvSystemStore points to a null terminated UNICODE string.
  9318. //
  9319. // The CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS system store
  9320. // name must be prefixed with the ServiceName or UserName. For example,
  9321. // "ServiceName\Trust".
  9322. //
  9323. // Stores on remote computers can be registered for the
  9324. // CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_SERVICES,
  9325. // CERT_SYSTEM_STORE_USERS, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY
  9326. // or CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
  9327. // locations by prepending the computer name. For example, a remote
  9328. // local machine store is registered via "\\ComputerName\Trust" or
  9329. // "ComputerName\Trust". A remote service store is registered via
  9330. // "\\ComputerName\ServiceName\Trust". The leading "\\" backslashes are
  9331. // optional in the ComputerName.
  9332. //
  9333. // Set CERT_STORE_CREATE_NEW_FLAG to cause a failure if the system store
  9334. // already exists in the store location.
  9335. //--------------------------------------------------------------------------
  9336. WINCRYPT32API
  9337. BOOL
  9338. WINAPI
  9339. CertRegisterSystemStore(
  9340. IN const void *pvSystemStore,
  9341. IN DWORD dwFlags,
  9342. IN PCERT_SYSTEM_STORE_INFO pStoreInfo,
  9343. IN OPTIONAL void *pvReserved
  9344. );
  9345. //+-------------------------------------------------------------------------
  9346. // Register a physical store for the specified system store.
  9347. //
  9348. // The upper word of the dwFlags parameter is used to specify the location of
  9349. // the system store.
  9350. //
  9351. // If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
  9352. // points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
  9353. // pvSystemStore points to a null terminated UNICODE string.
  9354. //
  9355. // See CertRegisterSystemStore for details on prepending a ServiceName
  9356. // and/or ComputerName to the system store name.
  9357. //
  9358. // Set CERT_STORE_CREATE_NEW_FLAG to cause a failure if the physical store
  9359. // already exists in the system store.
  9360. //--------------------------------------------------------------------------
  9361. WINCRYPT32API
  9362. BOOL
  9363. WINAPI
  9364. CertRegisterPhysicalStore(
  9365. IN const void *pvSystemStore,
  9366. IN DWORD dwFlags,
  9367. IN LPCWSTR pwszStoreName,
  9368. IN PCERT_PHYSICAL_STORE_INFO pStoreInfo,
  9369. IN OPTIONAL void *pvReserved
  9370. );
  9371. //+-------------------------------------------------------------------------
  9372. // Unregister the specified system store.
  9373. //
  9374. // The upper word of the dwFlags parameter is used to specify the location of
  9375. // the system store.
  9376. //
  9377. // If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
  9378. // points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
  9379. // pvSystemStore points to a null terminated UNICODE string.
  9380. //
  9381. // See CertRegisterSystemStore for details on prepending a ServiceName
  9382. // and/or ComputerName to the system store name.
  9383. //
  9384. // CERT_STORE_DELETE_FLAG can optionally be set in dwFlags.
  9385. //--------------------------------------------------------------------------
  9386. WINCRYPT32API
  9387. BOOL
  9388. WINAPI
  9389. CertUnregisterSystemStore(
  9390. IN const void *pvSystemStore,
  9391. IN DWORD dwFlags
  9392. );
  9393. //+-------------------------------------------------------------------------
  9394. // Unregister the physical store from the specified system store.
  9395. //
  9396. // The upper word of the dwFlags parameter is used to specify the location of
  9397. // the system store.
  9398. //
  9399. // If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
  9400. // points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
  9401. // pvSystemStore points to a null terminated UNICODE string.
  9402. //
  9403. // See CertRegisterSystemStore for details on prepending a ServiceName
  9404. // and/or ComputerName to the system store name.
  9405. //
  9406. // CERT_STORE_DELETE_FLAG can optionally be set in dwFlags.
  9407. //--------------------------------------------------------------------------
  9408. WINCRYPT32API
  9409. BOOL
  9410. WINAPI
  9411. CertUnregisterPhysicalStore(
  9412. IN const void *pvSystemStore,
  9413. IN DWORD dwFlags,
  9414. IN LPCWSTR pwszStoreName
  9415. );
  9416. //+-------------------------------------------------------------------------
  9417. // Enum callbacks
  9418. //
  9419. // The CERT_SYSTEM_STORE_LOCATION_MASK bits in the dwFlags parameter
  9420. // specifies the location of the system store
  9421. //
  9422. // If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
  9423. // points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
  9424. // pvSystemStore points to a null terminated UNICODE string.
  9425. //
  9426. // The callback returns FALSE and sets LAST_ERROR to stop the enumeration.
  9427. // The LAST_ERROR is returned to the caller of the enumeration.
  9428. //
  9429. // The pvSystemStore passed to the callback has leading ComputerName and/or
  9430. // ServiceName prefixes where appropriate.
  9431. //--------------------------------------------------------------------------
  9432. typedef BOOL (WINAPI *PFN_CERT_ENUM_SYSTEM_STORE_LOCATION)(
  9433. IN LPCWSTR pwszStoreLocation,
  9434. IN DWORD dwFlags,
  9435. IN OPTIONAL void *pvReserved,
  9436. IN OPTIONAL void *pvArg
  9437. );
  9438. typedef BOOL (WINAPI *PFN_CERT_ENUM_SYSTEM_STORE)(
  9439. IN const void *pvSystemStore,
  9440. IN DWORD dwFlags,
  9441. IN PCERT_SYSTEM_STORE_INFO pStoreInfo,
  9442. IN OPTIONAL void *pvReserved,
  9443. IN OPTIONAL void *pvArg
  9444. );
  9445. typedef BOOL (WINAPI *PFN_CERT_ENUM_PHYSICAL_STORE)(
  9446. IN const void *pvSystemStore,
  9447. IN DWORD dwFlags,
  9448. IN LPCWSTR pwszStoreName,
  9449. IN PCERT_PHYSICAL_STORE_INFO pStoreInfo,
  9450. IN OPTIONAL void *pvReserved,
  9451. IN OPTIONAL void *pvArg
  9452. );
  9453. // In the PFN_CERT_ENUM_PHYSICAL_STORE callback the following flag is
  9454. // set if the physical store wasn't registered and is an implicitly created
  9455. // predefined physical store.
  9456. #define CERT_PHYSICAL_STORE_PREDEFINED_ENUM_FLAG 0x1
  9457. // Names of implicitly created predefined physical stores
  9458. #define CERT_PHYSICAL_STORE_DEFAULT_NAME L".Default"
  9459. #define CERT_PHYSICAL_STORE_GROUP_POLICY_NAME L".GroupPolicy"
  9460. #define CERT_PHYSICAL_STORE_LOCAL_MACHINE_NAME L".LocalMachine"
  9461. #define CERT_PHYSICAL_STORE_DS_USER_CERTIFICATE_NAME L".UserCertificate"
  9462. #define CERT_PHYSICAL_STORE_LOCAL_MACHINE_GROUP_POLICY_NAME \
  9463. L".LocalMachineGroupPolicy"
  9464. #define CERT_PHYSICAL_STORE_ENTERPRISE_NAME L".Enterprise"
  9465. #define CERT_PHYSICAL_STORE_AUTH_ROOT_NAME L".AuthRoot"
  9466. //+-------------------------------------------------------------------------
  9467. // Enumerate the system store locations.
  9468. //--------------------------------------------------------------------------
  9469. WINCRYPT32API
  9470. BOOL
  9471. WINAPI
  9472. CertEnumSystemStoreLocation(
  9473. IN DWORD dwFlags,
  9474. IN void *pvArg,
  9475. IN PFN_CERT_ENUM_SYSTEM_STORE_LOCATION pfnEnum
  9476. );
  9477. //+-------------------------------------------------------------------------
  9478. // Enumerate the system stores.
  9479. //
  9480. // The upper word of the dwFlags parameter is used to specify the location of
  9481. // the system store.
  9482. //
  9483. // If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags,
  9484. // pvSystemStoreLocationPara points to a CERT_SYSTEM_STORE_RELOCATE_PARA
  9485. // data structure. Otherwise, pvSystemStoreLocationPara points to a null
  9486. // terminated UNICODE string.
  9487. //
  9488. // For CERT_SYSTEM_STORE_LOCAL_MACHINE,
  9489. // CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY or
  9490. // CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, pvSystemStoreLocationPara can
  9491. // optionally be set to a unicode computer name for enumerating local machine
  9492. // stores on a remote computer. For example, "\\ComputerName" or
  9493. // "ComputerName". The leading "\\" backslashes are optional in the
  9494. // ComputerName.
  9495. //
  9496. // For CERT_SYSTEM_STORE_SERVICES or CERT_SYSTEM_STORE_USERS,
  9497. // if pvSystemStoreLocationPara is NULL, then,
  9498. // enumerates both the service/user names and the stores for each service/user
  9499. // name. Otherwise, pvSystemStoreLocationPara is a unicode string specifying a
  9500. // remote computer name and/or service/user name. For example:
  9501. // "ServiceName"
  9502. // "\\ComputerName" or "ComputerName\"
  9503. // "ComputerName\ServiceName"
  9504. // Note, if only the ComputerName is specified, then, it must have either
  9505. // the leading "\\" backslashes or a trailing backslash. Otherwise, its
  9506. // interpretted as the ServiceName or UserName.
  9507. //--------------------------------------------------------------------------
  9508. WINCRYPT32API
  9509. BOOL
  9510. WINAPI
  9511. CertEnumSystemStore(
  9512. IN DWORD dwFlags,
  9513. IN OPTIONAL void *pvSystemStoreLocationPara,
  9514. IN void *pvArg,
  9515. IN PFN_CERT_ENUM_SYSTEM_STORE pfnEnum
  9516. );
  9517. //+-------------------------------------------------------------------------
  9518. // Enumerate the physical stores for the specified system store.
  9519. //
  9520. // The upper word of the dwFlags parameter is used to specify the location of
  9521. // the system store.
  9522. //
  9523. // If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
  9524. // points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
  9525. // pvSystemStore points to a null terminated UNICODE string.
  9526. //
  9527. // See CertRegisterSystemStore for details on prepending a ServiceName
  9528. // and/or ComputerName to the system store name.
  9529. //
  9530. // If the system store location only supports system stores and doesn't
  9531. // support physical stores, LastError is set to ERROR_CALL_NOT_IMPLEMENTED.
  9532. //--------------------------------------------------------------------------
  9533. WINCRYPT32API
  9534. BOOL
  9535. WINAPI
  9536. CertEnumPhysicalStore(
  9537. IN const void *pvSystemStore,
  9538. IN DWORD dwFlags,
  9539. IN void *pvArg,
  9540. IN PFN_CERT_ENUM_PHYSICAL_STORE pfnEnum
  9541. );
  9542. //+-------------------------------------------------------------------------
  9543. // Certificate System Store Installable Functions
  9544. //
  9545. // The CERT_SYSTEM_STORE_LOCATION_MASK bits in the dwFlags parameter passed
  9546. // to the CertOpenStore(for "System", "SystemRegistry" or "Physical"
  9547. // Provider), CertRegisterSystemStore,
  9548. // CertUnregisterSystemStore, CertEnumSystemStore, CertRegisterPhysicalStore,
  9549. // CertUnregisterPhysicalStore and CertEnumPhysicalStore APIs is used as the
  9550. // constant pszOID value passed to the OID installable functions.
  9551. // Therefore, the pszOID is restricted to a constant <= (LPCSTR) 0x0FFF.
  9552. //
  9553. // The EncodingType is 0.
  9554. //--------------------------------------------------------------------------
  9555. // Installable System Store Provider OID pszFuncNames.
  9556. #define CRYPT_OID_OPEN_SYSTEM_STORE_PROV_FUNC "CertDllOpenSystemStoreProv"
  9557. #define CRYPT_OID_REGISTER_SYSTEM_STORE_FUNC "CertDllRegisterSystemStore"
  9558. #define CRYPT_OID_UNREGISTER_SYSTEM_STORE_FUNC "CertDllUnregisterSystemStore"
  9559. #define CRYPT_OID_ENUM_SYSTEM_STORE_FUNC "CertDllEnumSystemStore"
  9560. #define CRYPT_OID_REGISTER_PHYSICAL_STORE_FUNC "CertDllRegisterPhysicalStore"
  9561. #define CRYPT_OID_UNREGISTER_PHYSICAL_STORE_FUNC "CertDllUnregisterPhysicalStore"
  9562. #define CRYPT_OID_ENUM_PHYSICAL_STORE_FUNC "CertDllEnumPhysicalStore"
  9563. // CertDllOpenSystemStoreProv has the same function signature as the
  9564. // installable "CertDllOpenStoreProv" function. See CertOpenStore for
  9565. // more details.
  9566. // CertDllRegisterSystemStore has the same function signature as
  9567. // CertRegisterSystemStore.
  9568. //
  9569. // The "SystemStoreLocation" REG_SZ value must also be set for registered
  9570. // CertDllEnumSystemStore OID functions.
  9571. #define CRYPT_OID_SYSTEM_STORE_LOCATION_VALUE_NAME L"SystemStoreLocation"
  9572. // The remaining Register, Enum and Unregister OID installable functions
  9573. // have the same signature as their Cert Store API counterpart.
  9574. //+=========================================================================
  9575. // Enhanced Key Usage Helper Functions
  9576. //==========================================================================
  9577. //+-------------------------------------------------------------------------
  9578. // Get the enhanced key usage extension or property from the certificate
  9579. // and decode.
  9580. //
  9581. // If the CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, then, only get the
  9582. // extension.
  9583. //
  9584. // If the CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG is set, then, only get the
  9585. // property.
  9586. //--------------------------------------------------------------------------
  9587. WINCRYPT32API
  9588. BOOL
  9589. WINAPI
  9590. CertGetEnhancedKeyUsage(
  9591. IN PCCERT_CONTEXT pCertContext,
  9592. IN DWORD dwFlags,
  9593. OUT PCERT_ENHKEY_USAGE pUsage,
  9594. IN OUT DWORD *pcbUsage
  9595. );
  9596. //+-------------------------------------------------------------------------
  9597. // Set the enhanced key usage property for the certificate.
  9598. //--------------------------------------------------------------------------
  9599. WINCRYPT32API
  9600. BOOL
  9601. WINAPI
  9602. CertSetEnhancedKeyUsage(
  9603. IN PCCERT_CONTEXT pCertContext,
  9604. IN PCERT_ENHKEY_USAGE pUsage
  9605. );
  9606. //+-------------------------------------------------------------------------
  9607. // Add the usage identifier to the certificate's enhanced key usage property.
  9608. //--------------------------------------------------------------------------
  9609. WINCRYPT32API
  9610. BOOL
  9611. WINAPI
  9612. CertAddEnhancedKeyUsageIdentifier(
  9613. IN PCCERT_CONTEXT pCertContext,
  9614. IN LPCSTR pszUsageIdentifier
  9615. );
  9616. //+-------------------------------------------------------------------------
  9617. // Remove the usage identifier from the certificate's enhanced key usage
  9618. // property.
  9619. //--------------------------------------------------------------------------
  9620. WINCRYPT32API
  9621. BOOL
  9622. WINAPI
  9623. CertRemoveEnhancedKeyUsageIdentifier(
  9624. IN PCCERT_CONTEXT pCertContext,
  9625. IN LPCSTR pszUsageIdentifier
  9626. );
  9627. //+---------------------------------------------------------------------------
  9628. //
  9629. //
  9630. // Takes an array of certs and returns an array of usages
  9631. // which consists of the intersection of the valid usages for each cert.
  9632. // If each cert is good for all possible usages then the cNumOIDs is set to -1.
  9633. //
  9634. //----------------------------------------------------------------------------
  9635. WINCRYPT32API
  9636. BOOL
  9637. WINAPI
  9638. CertGetValidUsages(
  9639. IN DWORD cCerts,
  9640. IN PCCERT_CONTEXT *rghCerts,
  9641. OUT int *cNumOIDs,
  9642. OUT LPSTR *rghOIDs,
  9643. IN OUT DWORD *pcbOIDs);
  9644. //+=========================================================================
  9645. // Cryptographic Message helper functions for verifying and signing a
  9646. // CTL.
  9647. //==========================================================================
  9648. //+-------------------------------------------------------------------------
  9649. // Get and verify the signer of a cryptographic message.
  9650. //
  9651. // To verify a CTL, the hCryptMsg is obtained from the CTL_CONTEXT's
  9652. // hCryptMsg field.
  9653. //
  9654. // If CMSG_TRUSTED_SIGNER_FLAG is set, then, treat the Signer stores as being
  9655. // trusted and only search them to find the certificate corresponding to the
  9656. // signer's issuer and serial number. Otherwise, the SignerStores are
  9657. // optionally provided to supplement the message's store of certificates.
  9658. // If a signer certificate is found, its public key is used to verify
  9659. // the message signature. The CMSG_SIGNER_ONLY_FLAG can be set to
  9660. // return the signer without doing the signature verify.
  9661. //
  9662. // If CMSG_USE_SIGNER_INDEX_FLAG is set, then, only get the signer specified
  9663. // by *pdwSignerIndex. Otherwise, iterate through all the signers
  9664. // until a signer verifies or no more signers.
  9665. //
  9666. // For a verified signature, *ppSigner is updated with certificate context
  9667. // of the signer and *pdwSignerIndex is updated with the index of the signer.
  9668. // ppSigner and/or pdwSignerIndex can be NULL, indicating the caller isn't
  9669. // interested in getting the CertContext and/or index of the signer.
  9670. //--------------------------------------------------------------------------
  9671. WINCRYPT32API
  9672. BOOL
  9673. WINAPI
  9674. CryptMsgGetAndVerifySigner(
  9675. IN HCRYPTMSG hCryptMsg,
  9676. IN DWORD cSignerStore,
  9677. IN OPTIONAL HCERTSTORE *rghSignerStore,
  9678. IN DWORD dwFlags,
  9679. OUT OPTIONAL PCCERT_CONTEXT *ppSigner,
  9680. IN OUT OPTIONAL DWORD *pdwSignerIndex
  9681. );
  9682. #define CMSG_TRUSTED_SIGNER_FLAG 0x1
  9683. #define CMSG_SIGNER_ONLY_FLAG 0x2
  9684. #define CMSG_USE_SIGNER_INDEX_FLAG 0x4
  9685. //+-------------------------------------------------------------------------
  9686. // Sign an encoded CTL.
  9687. //
  9688. // The pbCtlContent can be obtained via a CTL_CONTEXT's pbCtlContent
  9689. // field or via a CryptEncodeObject(PKCS_CTL or PKCS_SORTED_CTL).
  9690. //
  9691. // CMSG_CMS_ENCAPSULATED_CTL_FLAG can be set to encode a CMS compatible
  9692. // V3 SignedData message.
  9693. //--------------------------------------------------------------------------
  9694. WINCRYPT32API
  9695. BOOL
  9696. WINAPI
  9697. CryptMsgSignCTL(
  9698. IN DWORD dwMsgEncodingType,
  9699. IN BYTE *pbCtlContent,
  9700. IN DWORD cbCtlContent,
  9701. IN PCMSG_SIGNED_ENCODE_INFO pSignInfo,
  9702. IN DWORD dwFlags,
  9703. OUT BYTE *pbEncoded,
  9704. IN OUT DWORD *pcbEncoded
  9705. );
  9706. // When set, CTL inner content is encapsulated within an OCTET STRING
  9707. #define CMSG_CMS_ENCAPSULATED_CTL_FLAG 0x00008000
  9708. //+-------------------------------------------------------------------------
  9709. // Encode the CTL and create a signed message containing the encoded CTL.
  9710. //
  9711. // Set CMSG_ENCODE_SORTED_CTL_FLAG if the CTL entries are to be sorted
  9712. // before encoding. This flag should be set, if the
  9713. // CertFindSubjectInSortedCTL or CertEnumSubjectInSortedCTL APIs will
  9714. // be called. If the identifier for the CTL entries is a hash, such as,
  9715. // MD5 or SHA1, then, CMSG_ENCODE_HASHED_SUBJECT_IDENTIFIER_FLAG should
  9716. // also be set.
  9717. //
  9718. // CMSG_CMS_ENCAPSULATED_CTL_FLAG can be set to encode a CMS compatible
  9719. // V3 SignedData message.
  9720. //--------------------------------------------------------------------------
  9721. WINCRYPT32API
  9722. BOOL
  9723. WINAPI
  9724. CryptMsgEncodeAndSignCTL(
  9725. IN DWORD dwMsgEncodingType,
  9726. IN PCTL_INFO pCtlInfo,
  9727. IN PCMSG_SIGNED_ENCODE_INFO pSignInfo,
  9728. IN DWORD dwFlags,
  9729. OUT BYTE *pbEncoded,
  9730. IN OUT DWORD *pcbEncoded
  9731. );
  9732. // The following flag is set if the CTL is to be encoded with sorted
  9733. // trusted subjects and the szOID_SORTED_CTL extension is inserted containing
  9734. // sorted offsets to the encoded subjects.
  9735. #define CMSG_ENCODE_SORTED_CTL_FLAG 0x1
  9736. // If the above sorted flag is set, then, the following flag should also
  9737. // be set if the identifier for the TrustedSubjects is a hash,
  9738. // such as, MD5 or SHA1.
  9739. #define CMSG_ENCODE_HASHED_SUBJECT_IDENTIFIER_FLAG 0x2
  9740. //+-------------------------------------------------------------------------
  9741. // Returns TRUE if the SubjectIdentifier exists in the CTL. Optionally
  9742. // returns a pointer to and byte count of the Subject's encoded attributes.
  9743. //--------------------------------------------------------------------------
  9744. WINCRYPT32API
  9745. BOOL
  9746. WINAPI
  9747. CertFindSubjectInSortedCTL(
  9748. IN PCRYPT_DATA_BLOB pSubjectIdentifier,
  9749. IN PCCTL_CONTEXT pCtlContext,
  9750. IN DWORD dwFlags,
  9751. IN void *pvReserved,
  9752. OUT OPTIONAL PCRYPT_DER_BLOB pEncodedAttributes
  9753. );
  9754. //+-------------------------------------------------------------------------
  9755. // Enumerates through the sequence of TrustedSubjects in a CTL context
  9756. // created with CERT_CREATE_CONTEXT_SORTED_FLAG set.
  9757. //
  9758. // To start the enumeration, *ppvNextSubject must be NULL. Upon return,
  9759. // *ppvNextSubject is updated to point to the next TrustedSubject in
  9760. // the encoded sequence.
  9761. //
  9762. // Returns FALSE for no more subjects or invalid arguments.
  9763. //
  9764. // Note, the returned DER_BLOBs point directly into the encoded
  9765. // bytes (not allocated, and must not be freed).
  9766. //--------------------------------------------------------------------------
  9767. WINCRYPT32API
  9768. BOOL
  9769. WINAPI
  9770. CertEnumSubjectInSortedCTL(
  9771. IN PCCTL_CONTEXT pCtlContext,
  9772. IN OUT void **ppvNextSubject,
  9773. OUT OPTIONAL PCRYPT_DER_BLOB pSubjectIdentifier,
  9774. OUT OPTIONAL PCRYPT_DER_BLOB pEncodedAttributes
  9775. );
  9776. //+=========================================================================
  9777. // Certificate Verify CTL Usage Data Structures and APIs
  9778. //==========================================================================
  9779. typedef struct _CTL_VERIFY_USAGE_PARA {
  9780. DWORD cbSize;
  9781. CRYPT_DATA_BLOB ListIdentifier; // OPTIONAL
  9782. DWORD cCtlStore;
  9783. HCERTSTORE *rghCtlStore; // OPTIONAL
  9784. DWORD cSignerStore;
  9785. HCERTSTORE *rghSignerStore; // OPTIONAL
  9786. } CTL_VERIFY_USAGE_PARA, *PCTL_VERIFY_USAGE_PARA;
  9787. typedef struct _CTL_VERIFY_USAGE_STATUS {
  9788. DWORD cbSize;
  9789. DWORD dwError;
  9790. DWORD dwFlags;
  9791. PCCTL_CONTEXT *ppCtl; // IN OUT OPTIONAL
  9792. DWORD dwCtlEntryIndex;
  9793. PCCERT_CONTEXT *ppSigner; // IN OUT OPTIONAL
  9794. DWORD dwSignerIndex;
  9795. } CTL_VERIFY_USAGE_STATUS, *PCTL_VERIFY_USAGE_STATUS;
  9796. #define CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG 0x1
  9797. #define CERT_VERIFY_TRUSTED_SIGNERS_FLAG 0x2
  9798. #define CERT_VERIFY_NO_TIME_CHECK_FLAG 0x4
  9799. #define CERT_VERIFY_ALLOW_MORE_USAGE_FLAG 0x8
  9800. #define CERT_VERIFY_UPDATED_CTL_FLAG 0x1
  9801. //+-------------------------------------------------------------------------
  9802. // Verify that a subject is trusted for the specified usage by finding a
  9803. // signed and time valid CTL with the usage identifiers and containing the
  9804. // the subject. A subject can be identified by either its certificate context
  9805. // or any identifier such as its SHA1 hash.
  9806. //
  9807. // See CertFindSubjectInCTL for definition of dwSubjectType and pvSubject
  9808. // parameters.
  9809. //
  9810. // Via pVerifyUsagePara, the caller can specify the stores to be searched
  9811. // to find the CTL. The caller can also specify the stores containing
  9812. // acceptable CTL signers. By setting the ListIdentifier, the caller
  9813. // can also restrict to a particular signer CTL list.
  9814. //
  9815. // Via pVerifyUsageStatus, the CTL containing the subject, the subject's
  9816. // index into the CTL's array of entries, and the signer of the CTL
  9817. // are returned. If the caller is not interested, ppCtl and ppSigner can be set
  9818. // to NULL. Returned contexts must be freed via the store's free context APIs.
  9819. //
  9820. // If the CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG isn't set, then, a time
  9821. // invalid CTL in one of the CtlStores may be replaced. When replaced, the
  9822. // CERT_VERIFY_UPDATED_CTL_FLAG is set in pVerifyUsageStatus->dwFlags.
  9823. //
  9824. // If the CERT_VERIFY_TRUSTED_SIGNERS_FLAG is set, then, only the
  9825. // SignerStores specified in pVerifyUsageStatus are searched to find
  9826. // the signer. Otherwise, the SignerStores provide additional sources
  9827. // to find the signer's certificate.
  9828. //
  9829. // If CERT_VERIFY_NO_TIME_CHECK_FLAG is set, then, the CTLs aren't checked
  9830. // for time validity.
  9831. //
  9832. // If CERT_VERIFY_ALLOW_MORE_USAGE_FLAG is set, then, the CTL may contain
  9833. // additional usage identifiers than specified by pSubjectUsage. Otherwise,
  9834. // the found CTL will contain the same usage identifers and no more.
  9835. //
  9836. // CertVerifyCTLUsage will be implemented as a dispatcher to OID installable
  9837. // functions. First, it will try to find an OID function matching the first
  9838. // usage object identifier in the pUsage sequence. Next, it will dispatch
  9839. // to the default CertDllVerifyCTLUsage functions.
  9840. //
  9841. // If the subject is trusted for the specified usage, then, TRUE is
  9842. // returned. Otherwise, FALSE is returned with dwError set to one of the
  9843. // following:
  9844. // CRYPT_E_NO_VERIFY_USAGE_DLL
  9845. // CRYPT_E_NO_VERIFY_USAGE_CHECK
  9846. // CRYPT_E_VERIFY_USAGE_OFFLINE
  9847. // CRYPT_E_NOT_IN_CTL
  9848. // CRYPT_E_NO_TRUSTED_SIGNER
  9849. //--------------------------------------------------------------------------
  9850. WINCRYPT32API
  9851. BOOL
  9852. WINAPI
  9853. CertVerifyCTLUsage(
  9854. IN DWORD dwEncodingType,
  9855. IN DWORD dwSubjectType,
  9856. IN void *pvSubject,
  9857. IN PCTL_USAGE pSubjectUsage,
  9858. IN DWORD dwFlags,
  9859. IN OPTIONAL PCTL_VERIFY_USAGE_PARA pVerifyUsagePara,
  9860. IN OUT PCTL_VERIFY_USAGE_STATUS pVerifyUsageStatus
  9861. );
  9862. //+=========================================================================
  9863. // Certificate Revocation Data Structures and APIs
  9864. //==========================================================================
  9865. //+-------------------------------------------------------------------------
  9866. // This data structure is updated by a CRL revocation type handler
  9867. // with the base and possibly the delta CRL used.
  9868. //--------------------------------------------------------------------------
  9869. typedef struct _CERT_REVOCATION_CRL_INFO {
  9870. DWORD cbSize;
  9871. PCCRL_CONTEXT pBaseCrlContext;
  9872. PCCRL_CONTEXT pDeltaCrlContext;
  9873. // When revoked, points to entry in either of the above CRL contexts.
  9874. // Don't free.
  9875. PCRL_ENTRY pCrlEntry;
  9876. BOOL fDeltaCrlEntry; // TRUE if in pDeltaCrlContext
  9877. } CERT_REVOCATION_CRL_INFO, *PCERT_REVOCATION_CRL_INFO;
  9878. //+-------------------------------------------------------------------------
  9879. // The following data structure may be passed to CertVerifyRevocation to
  9880. // assist in finding the issuer of the context to be verified.
  9881. //
  9882. // When pIssuerCert is specified, pIssuerCert is the issuer of
  9883. // rgpvContext[cContext - 1].
  9884. //
  9885. // When cCertStore and rgCertStore are specified, these stores may contain
  9886. // an issuer certificate.
  9887. //
  9888. // When hCrlStore is specified then a handler which uses CRLs can search this
  9889. // store for them
  9890. //
  9891. // When pftTimeToUse is specified then the handler (if possible) must determine
  9892. // revocation status relative to the time given otherwise the answer may be
  9893. // independent of time or relative to current time
  9894. //--------------------------------------------------------------------------
  9895. typedef struct _CERT_REVOCATION_PARA {
  9896. DWORD cbSize;
  9897. PCCERT_CONTEXT pIssuerCert;
  9898. DWORD cCertStore;
  9899. HCERTSTORE *rgCertStore;
  9900. HCERTSTORE hCrlStore;
  9901. LPFILETIME pftTimeToUse;
  9902. #ifdef CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS
  9903. // Note, if you #define CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS, then, you
  9904. // must zero all unused fields in this data structure.
  9905. // More fields could be added in a future release.
  9906. // 0 uses revocation handler's default timeout.
  9907. DWORD dwUrlRetrievalTimeout; // milliseconds
  9908. // When set, checks and attempts to retrieve a CRL where
  9909. // ThisUpdate >= (CurrentTime - dwFreshnessTime). Otherwise, defaults
  9910. // to using the CRL's NextUpdate.
  9911. BOOL fCheckFreshnessTime;
  9912. DWORD dwFreshnessTime; // seconds
  9913. // If NULL, revocation handler gets the current time
  9914. LPFILETIME pftCurrentTime;
  9915. // If nonNULL, a CRL revocation type handler updates with the base and
  9916. // possibly the delta CRL used. Note, *pCrlInfo must be initialized
  9917. // by the caller. Any nonNULL CRL contexts are freed. Any updated
  9918. // CRL contexts must be freed by the caller.
  9919. //
  9920. // The CRL info is only applicable to the last context checked. If
  9921. // interested in this information, then, CertVerifyRevocation should be
  9922. // called with cContext = 1.
  9923. PCERT_REVOCATION_CRL_INFO pCrlInfo;
  9924. #endif
  9925. } CERT_REVOCATION_PARA, *PCERT_REVOCATION_PARA;
  9926. //+-------------------------------------------------------------------------
  9927. // The following data structure is returned by CertVerifyRevocation to
  9928. // specify the status of the revoked or unchecked context. Review the
  9929. // following CertVerifyRevocation comments for details.
  9930. //
  9931. // Upon input to CertVerifyRevocation, cbSize must be set to a size
  9932. // >= (offsetof(CERT_REVOCATION_STATUS, dwReason) + sizeof(DWORD) ).
  9933. // Otherwise, CertVerifyRevocation returns FALSE and sets LastError to
  9934. // E_INVALIDARG.
  9935. //
  9936. // Upon input to the installed or registered CRYPT_OID_VERIFY_REVOCATION_FUNC
  9937. // functions, the dwIndex, dwError and dwReason have been zero'ed.
  9938. // If present, fHasFreshnessTime and dwFreshnessTime have been zero'ed.
  9939. //--------------------------------------------------------------------------
  9940. typedef struct _CERT_REVOCATION_STATUS {
  9941. DWORD cbSize;
  9942. DWORD dwIndex;
  9943. DWORD dwError;
  9944. DWORD dwReason;
  9945. // Depending on cbSize, the following fields may optionally be returned.
  9946. // The Freshness time is only applicable to the last context checked. If
  9947. // interested in this information, then, CertVerifyRevocation should be
  9948. // called with cContext = 1.
  9949. //
  9950. // fHasFreshnessTime is only set if we are able to retrieve revocation
  9951. // information. For a CRL its CurrentTime - ThisUpdate.
  9952. BOOL fHasFreshnessTime;
  9953. DWORD dwFreshnessTime; // seconds
  9954. } CERT_REVOCATION_STATUS, *PCERT_REVOCATION_STATUS;
  9955. //+-------------------------------------------------------------------------
  9956. // Verifies the array of contexts for revocation. The dwRevType parameter
  9957. // indicates the type of the context data structure passed in rgpvContext.
  9958. // Currently only the revocation of certificates is defined.
  9959. //
  9960. // If the CERT_VERIFY_REV_CHAIN_FLAG flag is set, then, CertVerifyRevocation
  9961. // is verifying a chain of certs where, rgpvContext[i + 1] is the issuer
  9962. // of rgpvContext[i]. Otherwise, CertVerifyRevocation makes no assumptions
  9963. // about the order of the contexts.
  9964. //
  9965. // To assist in finding the issuer, the pRevPara may optionally be set. See
  9966. // the CERT_REVOCATION_PARA data structure for details.
  9967. //
  9968. // The contexts must contain enough information to allow the
  9969. // installable or registered revocation DLLs to find the revocation server. For
  9970. // certificates, this information would normally be conveyed in an
  9971. // extension such as the IETF's AuthorityInfoAccess extension.
  9972. //
  9973. // CertVerifyRevocation returns TRUE if all of the contexts were successfully
  9974. // checked and none were revoked. Otherwise, returns FALSE and updates the
  9975. // returned pRevStatus data structure as follows:
  9976. // dwIndex
  9977. // Index of the first context that was revoked or unable to
  9978. // be checked for revocation
  9979. // dwError
  9980. // Error status. LastError is also set to this error status.
  9981. // dwError can be set to one of the following error codes defined
  9982. // in winerror.h:
  9983. // ERROR_SUCCESS - good context
  9984. // CRYPT_E_REVOKED - context was revoked. dwReason contains the
  9985. // reason for revocation
  9986. // CRYPT_E_REVOCATION_OFFLINE - unable to connect to the
  9987. // revocation server
  9988. // CRYPT_E_NOT_IN_REVOCATION_DATABASE - the context to be checked
  9989. // was not found in the revocation server's database.
  9990. // CRYPT_E_NO_REVOCATION_CHECK - the called revocation function
  9991. // wasn't able to do a revocation check on the context
  9992. // CRYPT_E_NO_REVOCATION_DLL - no installed or registered Dll was
  9993. // found to verify revocation
  9994. // dwReason
  9995. // The dwReason is currently only set for CRYPT_E_REVOKED and contains
  9996. // the reason why the context was revoked. May be one of the following
  9997. // CRL reasons defined by the CRL Reason Code extension ("2.5.29.21")
  9998. // CRL_REASON_UNSPECIFIED 0
  9999. // CRL_REASON_KEY_COMPROMISE 1
  10000. // CRL_REASON_CA_COMPROMISE 2
  10001. // CRL_REASON_AFFILIATION_CHANGED 3
  10002. // CRL_REASON_SUPERSEDED 4
  10003. // CRL_REASON_CESSATION_OF_OPERATION 5
  10004. // CRL_REASON_CERTIFICATE_HOLD 6
  10005. //
  10006. // For each entry in rgpvContext, CertVerifyRevocation iterates
  10007. // through the CRYPT_OID_VERIFY_REVOCATION_FUNC
  10008. // function set's list of installed DEFAULT functions.
  10009. // CryptGetDefaultOIDFunctionAddress is called with pwszDll = NULL. If no
  10010. // installed functions are found capable of doing the revocation verification,
  10011. // CryptVerifyRevocation iterates through CRYPT_OID_VERIFY_REVOCATION_FUNC's
  10012. // list of registered DEFAULT Dlls. CryptGetDefaultOIDDllList is called to
  10013. // get the list. CryptGetDefaultOIDFunctionAddress is called to load the Dll.
  10014. //
  10015. // The called functions have the same signature as CertVerifyRevocation. A
  10016. // called function returns TRUE if it was able to successfully check all of
  10017. // the contexts and none were revoked. Otherwise, the called function returns
  10018. // FALSE and updates pRevStatus. dwIndex is set to the index of
  10019. // the first context that was found to be revoked or unable to be checked.
  10020. // dwError and LastError are updated. For CRYPT_E_REVOKED, dwReason
  10021. // is updated. Upon input to the called function, dwIndex, dwError and
  10022. // dwReason have been zero'ed. cbSize has been checked to be >=
  10023. // sizeof(CERT_REVOCATION_STATUS).
  10024. //
  10025. // If the called function returns FALSE, and dwError isn't set to
  10026. // CRYPT_E_REVOKED, then, CertVerifyRevocation either continues on to the
  10027. // next DLL in the list for a returned dwIndex of 0 or for a returned
  10028. // dwIndex > 0, restarts the process of finding a verify function by
  10029. // advancing the start of the context array to the returned dwIndex and
  10030. // decrementing the count of remaining contexts.
  10031. //--------------------------------------------------------------------------
  10032. WINCRYPT32API
  10033. BOOL
  10034. WINAPI
  10035. CertVerifyRevocation(
  10036. IN DWORD dwEncodingType,
  10037. IN DWORD dwRevType,
  10038. IN DWORD cContext,
  10039. IN PVOID rgpvContext[],
  10040. IN DWORD dwFlags,
  10041. IN OPTIONAL PCERT_REVOCATION_PARA pRevPara,
  10042. IN OUT PCERT_REVOCATION_STATUS pRevStatus
  10043. );
  10044. //+-------------------------------------------------------------------------
  10045. // Revocation types
  10046. //--------------------------------------------------------------------------
  10047. #define CERT_CONTEXT_REVOCATION_TYPE 1
  10048. //+-------------------------------------------------------------------------
  10049. // When the following flag is set, rgpvContext[] consists of a chain
  10050. // of certificates, where rgpvContext[i + 1] is the issuer of rgpvContext[i].
  10051. //--------------------------------------------------------------------------
  10052. #define CERT_VERIFY_REV_CHAIN_FLAG 0x00000001
  10053. //+-------------------------------------------------------------------------
  10054. // CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION prevents the revocation handler from
  10055. // accessing any network based resources for revocation checking
  10056. //--------------------------------------------------------------------------
  10057. #define CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION 0x00000002
  10058. //+-------------------------------------------------------------------------
  10059. // By default, the dwUrlRetrievalTimeout in pRevPara is the timeout used
  10060. // for each URL wire retrieval. When the following flag is set,
  10061. // dwUrlRetrievalTimeout is the accumulative timeout across all URL wire
  10062. // retrievals.
  10063. //--------------------------------------------------------------------------
  10064. #define CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG 0x00000004
  10065. //+-------------------------------------------------------------------------
  10066. // CERT_CONTEXT_REVOCATION_TYPE
  10067. //
  10068. // pvContext points to a const CERT_CONTEXT.
  10069. //--------------------------------------------------------------------------
  10070. //+=========================================================================
  10071. // Certificate Helper APIs
  10072. //==========================================================================
  10073. //+-------------------------------------------------------------------------
  10074. // Compare two multiple byte integer blobs to see if they are identical.
  10075. //
  10076. // Before doing the comparison, leading zero bytes are removed from a
  10077. // positive number and leading 0xFF bytes are removed from a negative
  10078. // number.
  10079. //
  10080. // The multiple byte integers are treated as Little Endian. pbData[0] is the
  10081. // least significant byte and pbData[cbData - 1] is the most significant
  10082. // byte.
  10083. //
  10084. // Returns TRUE if the integer blobs are identical after removing leading
  10085. // 0 or 0xFF bytes.
  10086. //--------------------------------------------------------------------------
  10087. BOOL
  10088. WINAPI
  10089. CertCompareIntegerBlob(
  10090. IN PCRYPT_INTEGER_BLOB pInt1,
  10091. IN PCRYPT_INTEGER_BLOB pInt2
  10092. );
  10093. //+-------------------------------------------------------------------------
  10094. // Compare two certificates to see if they are identical.
  10095. //
  10096. // Since a certificate is uniquely identified by its Issuer and SerialNumber,
  10097. // these are the only fields needing to be compared.
  10098. //
  10099. // Returns TRUE if the certificates are identical.
  10100. //--------------------------------------------------------------------------
  10101. WINCRYPT32API
  10102. BOOL
  10103. WINAPI
  10104. CertCompareCertificate(
  10105. IN DWORD dwCertEncodingType,
  10106. IN PCERT_INFO pCertId1,
  10107. IN PCERT_INFO pCertId2
  10108. );
  10109. //+-------------------------------------------------------------------------
  10110. // Compare two certificate names to see if they are identical.
  10111. //
  10112. // Returns TRUE if the names are identical.
  10113. //--------------------------------------------------------------------------
  10114. WINCRYPT32API
  10115. BOOL
  10116. WINAPI
  10117. CertCompareCertificateName(
  10118. IN DWORD dwCertEncodingType,
  10119. IN PCERT_NAME_BLOB pCertName1,
  10120. IN PCERT_NAME_BLOB pCertName2
  10121. );
  10122. //+-------------------------------------------------------------------------
  10123. // Compare the attributes in the certificate name with the specified
  10124. // Relative Distinguished Name's (CERT_RDN) array of attributes.
  10125. // The comparison iterates through the CERT_RDN attributes and looks for an
  10126. // attribute match in any of the certificate name's RDNs.
  10127. // Returns TRUE if all the attributes are found and match.
  10128. //
  10129. // The CERT_RDN_ATTR fields can have the following special values:
  10130. // pszObjId == NULL - ignore the attribute object identifier
  10131. // dwValueType == RDN_ANY_TYPE - ignore the value type
  10132. //
  10133. // CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG should be set to do
  10134. // a case insensitive match. Otherwise, defaults to an exact, case sensitive
  10135. // match.
  10136. //
  10137. // CERT_UNICODE_IS_RDN_ATTRS_FLAG should be set if the pRDN was initialized
  10138. // with unicode strings as for CryptEncodeObject(X509_UNICODE_NAME).
  10139. //--------------------------------------------------------------------------
  10140. WINCRYPT32API
  10141. BOOL
  10142. WINAPI
  10143. CertIsRDNAttrsInCertificateName(
  10144. IN DWORD dwCertEncodingType,
  10145. IN DWORD dwFlags,
  10146. IN PCERT_NAME_BLOB pCertName,
  10147. IN PCERT_RDN pRDN
  10148. );
  10149. #define CERT_UNICODE_IS_RDN_ATTRS_FLAG 0x1
  10150. #define CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG 0x2
  10151. //+-------------------------------------------------------------------------
  10152. // Compare two public keys to see if they are identical.
  10153. //
  10154. // Returns TRUE if the keys are identical.
  10155. //--------------------------------------------------------------------------
  10156. WINCRYPT32API
  10157. BOOL
  10158. WINAPI
  10159. CertComparePublicKeyInfo(
  10160. IN DWORD dwCertEncodingType,
  10161. IN PCERT_PUBLIC_KEY_INFO pPublicKey1,
  10162. IN PCERT_PUBLIC_KEY_INFO pPublicKey2
  10163. );
  10164. //+-------------------------------------------------------------------------
  10165. // Get the public/private key's bit length.
  10166. //
  10167. // Returns 0 if unable to determine the key's length.
  10168. //--------------------------------------------------------------------------
  10169. WINCRYPT32API
  10170. DWORD
  10171. WINAPI
  10172. CertGetPublicKeyLength(
  10173. IN DWORD dwCertEncodingType,
  10174. IN PCERT_PUBLIC_KEY_INFO pPublicKey
  10175. );
  10176. //+-------------------------------------------------------------------------
  10177. // Verify the signature of a subject certificate or a CRL using the
  10178. // public key info
  10179. //
  10180. // Returns TRUE for a valid signature.
  10181. //
  10182. // hCryptProv specifies the crypto provider to use to verify the signature.
  10183. // It doesn't need to use a private key.
  10184. //--------------------------------------------------------------------------
  10185. WINCRYPT32API
  10186. BOOL
  10187. WINAPI
  10188. CryptVerifyCertificateSignature(
  10189. IN HCRYPTPROV hCryptProv,
  10190. IN DWORD dwCertEncodingType,
  10191. IN const BYTE * pbEncoded,
  10192. IN DWORD cbEncoded,
  10193. IN PCERT_PUBLIC_KEY_INFO pPublicKey
  10194. );
  10195. //+-------------------------------------------------------------------------
  10196. // Verify the signature of a subject certificate, CRL, certificate request
  10197. // or keygen request using the issuer's public key.
  10198. //
  10199. // Returns TRUE for a valid signature.
  10200. //
  10201. // The subject can be an encoded blob or a context for a certificate or CRL.
  10202. // For a subject certificate context, if the certificate is missing
  10203. // inheritable PublicKey Algorithm Parameters, the context's
  10204. // CERT_PUBKEY_ALG_PARA_PROP_ID is updated with the issuer's public key
  10205. // algorithm parameters for a valid signature.
  10206. //
  10207. // The issuer can be a pointer to a CERT_PUBLIC_KEY_INFO, certificate
  10208. // context or a chain context.
  10209. //
  10210. // hCryptProv specifies the crypto provider to use to verify the signature.
  10211. // Its private key isn't used. If hCryptProv is NULL, a default
  10212. // provider is picked according to the PublicKey Algorithm OID.
  10213. //
  10214. // If the signature algorithm is a hashing algorithm, then, the
  10215. // signature is expected to contain the hash octets. Only dwIssuerType
  10216. // of CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL may be specified
  10217. // to verify this no signature case. If any other dwIssuerType is
  10218. // specified, the verify will fail with LastError set to E_INVALIDARG.
  10219. //--------------------------------------------------------------------------
  10220. WINCRYPT32API
  10221. BOOL
  10222. WINAPI
  10223. CryptVerifyCertificateSignatureEx(
  10224. IN OPTIONAL HCRYPTPROV hCryptProv,
  10225. IN DWORD dwCertEncodingType,
  10226. IN DWORD dwSubjectType,
  10227. IN void *pvSubject,
  10228. IN DWORD dwIssuerType,
  10229. IN void *pvIssuer,
  10230. IN DWORD dwFlags,
  10231. IN OPTIONAL void *pvReserved
  10232. );
  10233. // Subject Types
  10234. #define CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB 1
  10235. // pvSubject :: PCRYPT_DATA_BLOB
  10236. #define CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT 2
  10237. // pvSubject :: PCCERT_CONTEXT
  10238. #define CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL 3
  10239. // pvSubject :: PCCRL_CONTEXT
  10240. // Issuer Types
  10241. #define CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY 1
  10242. // pvIssuer :: PCERT_PUBLIC_KEY_INFO
  10243. #define CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT 2
  10244. // pvIssuer :: PCCERT_CONTEXT
  10245. #define CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN 3
  10246. // pvIssuer :: PCCERT_CHAIN_CONTEXT
  10247. #define CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL 4
  10248. // pvIssuer :: NULL
  10249. //+-------------------------------------------------------------------------
  10250. // Compute the hash of the "to be signed" information in the encoded
  10251. // signed content (CERT_SIGNED_CONTENT_INFO).
  10252. //
  10253. // hCryptProv specifies the crypto provider to use to compute the hash.
  10254. // It doesn't need to use a private key.
  10255. //--------------------------------------------------------------------------
  10256. WINCRYPT32API
  10257. BOOL
  10258. WINAPI
  10259. CryptHashToBeSigned(
  10260. IN HCRYPTPROV hCryptProv,
  10261. IN DWORD dwCertEncodingType,
  10262. IN const BYTE *pbEncoded,
  10263. IN DWORD cbEncoded,
  10264. OUT BYTE *pbComputedHash,
  10265. IN OUT DWORD *pcbComputedHash
  10266. );
  10267. //+-------------------------------------------------------------------------
  10268. // Hash the encoded content.
  10269. //
  10270. // hCryptProv specifies the crypto provider to use to compute the hash.
  10271. // It doesn't need to use a private key.
  10272. //
  10273. // Algid specifies the CAPI hash algorithm to use. If Algid is 0, then, the
  10274. // default hash algorithm (currently SHA1) is used.
  10275. //--------------------------------------------------------------------------
  10276. WINCRYPT32API
  10277. BOOL
  10278. WINAPI
  10279. CryptHashCertificate(
  10280. IN HCRYPTPROV hCryptProv,
  10281. IN ALG_ID Algid,
  10282. IN DWORD dwFlags,
  10283. IN const BYTE *pbEncoded,
  10284. IN DWORD cbEncoded,
  10285. OUT BYTE *pbComputedHash,
  10286. IN OUT DWORD *pcbComputedHash
  10287. );
  10288. //+-------------------------------------------------------------------------
  10289. // Sign the "to be signed" information in the encoded signed content.
  10290. //
  10291. // hCryptProv specifies the crypto provider to use to do the signature.
  10292. // It uses the specified private key.
  10293. //
  10294. // If the SignatureAlgorithm is a hash algorithm, then, the signature
  10295. // contains the hash octets. A private key isn't used to encrypt the hash.
  10296. // dwKeySpec isn't used and hCryptProv can be NULL where an appropriate
  10297. // default provider will be used for hashing.
  10298. //--------------------------------------------------------------------------
  10299. WINCRYPT32API
  10300. BOOL
  10301. WINAPI
  10302. CryptSignCertificate(
  10303. IN HCRYPTPROV hCryptProv,
  10304. IN DWORD dwKeySpec,
  10305. IN DWORD dwCertEncodingType,
  10306. IN const BYTE *pbEncodedToBeSigned,
  10307. IN DWORD cbEncodedToBeSigned,
  10308. IN PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
  10309. IN OPTIONAL const void *pvHashAuxInfo,
  10310. OUT BYTE *pbSignature,
  10311. IN OUT DWORD *pcbSignature
  10312. );
  10313. //+-------------------------------------------------------------------------
  10314. // Encode the "to be signed" information. Sign the encoded "to be signed".
  10315. // Encode the "to be signed" and the signature.
  10316. //
  10317. // hCryptProv specifies the crypto provider to use to do the signature.
  10318. // It uses the specified private key.
  10319. //
  10320. // If the SignatureAlgorithm is a hash algorithm, then, the signature
  10321. // contains the hash octets. A private key isn't used to encrypt the hash.
  10322. // dwKeySpec isn't used and hCryptProv can be NULL where an appropriate
  10323. // default provider will be used for hashing.
  10324. //--------------------------------------------------------------------------
  10325. WINCRYPT32API
  10326. BOOL
  10327. WINAPI
  10328. CryptSignAndEncodeCertificate(
  10329. IN HCRYPTPROV hCryptProv,
  10330. IN DWORD dwKeySpec,
  10331. IN DWORD dwCertEncodingType,
  10332. IN LPCSTR lpszStructType, // "to be signed"
  10333. IN const void *pvStructInfo,
  10334. IN PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
  10335. IN OPTIONAL const void *pvHashAuxInfo,
  10336. OUT PBYTE pbEncoded,
  10337. IN OUT DWORD *pcbEncoded
  10338. );
  10339. //+-------------------------------------------------------------------------
  10340. // Verify the time validity of a certificate.
  10341. //
  10342. // Returns -1 if before NotBefore, +1 if after NotAfter and otherwise 0 for
  10343. // a valid certificate
  10344. //
  10345. // If pTimeToVerify is NULL, uses the current time.
  10346. //--------------------------------------------------------------------------
  10347. WINCRYPT32API
  10348. LONG
  10349. WINAPI
  10350. CertVerifyTimeValidity(
  10351. IN LPFILETIME pTimeToVerify,
  10352. IN PCERT_INFO pCertInfo
  10353. );
  10354. //+-------------------------------------------------------------------------
  10355. // Verify the time validity of a CRL.
  10356. //
  10357. // Returns -1 if before ThisUpdate, +1 if after NextUpdate and otherwise 0 for
  10358. // a valid CRL
  10359. //
  10360. // If pTimeToVerify is NULL, uses the current time.
  10361. //--------------------------------------------------------------------------
  10362. WINCRYPT32API
  10363. LONG
  10364. WINAPI
  10365. CertVerifyCRLTimeValidity(
  10366. IN LPFILETIME pTimeToVerify,
  10367. IN PCRL_INFO pCrlInfo
  10368. );
  10369. //+-------------------------------------------------------------------------
  10370. // Verify that the subject's time validity nests within the issuer's time
  10371. // validity.
  10372. //
  10373. // Returns TRUE if it nests. Otherwise, returns FALSE.
  10374. //--------------------------------------------------------------------------
  10375. WINCRYPT32API
  10376. BOOL
  10377. WINAPI
  10378. CertVerifyValidityNesting(
  10379. IN PCERT_INFO pSubjectInfo,
  10380. IN PCERT_INFO pIssuerInfo
  10381. );
  10382. //+-------------------------------------------------------------------------
  10383. // Verify that the subject certificate isn't on its issuer CRL.
  10384. //
  10385. // Returns true if the certificate isn't on the CRL.
  10386. //--------------------------------------------------------------------------
  10387. WINCRYPT32API
  10388. BOOL
  10389. WINAPI
  10390. CertVerifyCRLRevocation(
  10391. IN DWORD dwCertEncodingType,
  10392. IN PCERT_INFO pCertId, // Only the Issuer and SerialNumber
  10393. // fields are used
  10394. IN DWORD cCrlInfo,
  10395. IN PCRL_INFO rgpCrlInfo[]
  10396. );
  10397. //+-------------------------------------------------------------------------
  10398. // Convert the CAPI AlgId to the ASN.1 Object Identifier string
  10399. //
  10400. // Returns NULL if there isn't an ObjId corresponding to the AlgId.
  10401. //--------------------------------------------------------------------------
  10402. WINCRYPT32API
  10403. LPCSTR
  10404. WINAPI
  10405. CertAlgIdToOID(
  10406. IN DWORD dwAlgId
  10407. );
  10408. //+-------------------------------------------------------------------------
  10409. // Convert the ASN.1 Object Identifier string to the CAPI AlgId.
  10410. //
  10411. // Returns 0 if there isn't an AlgId corresponding to the ObjId.
  10412. //--------------------------------------------------------------------------
  10413. WINCRYPT32API
  10414. DWORD
  10415. WINAPI
  10416. CertOIDToAlgId(
  10417. IN LPCSTR pszObjId
  10418. );
  10419. //+-------------------------------------------------------------------------
  10420. // Find an extension identified by its Object Identifier.
  10421. //
  10422. // If found, returns pointer to the extension. Otherwise, returns NULL.
  10423. //--------------------------------------------------------------------------
  10424. WINCRYPT32API
  10425. PCERT_EXTENSION
  10426. WINAPI
  10427. CertFindExtension(
  10428. IN LPCSTR pszObjId,
  10429. IN DWORD cExtensions,
  10430. IN CERT_EXTENSION rgExtensions[]
  10431. );
  10432. //+-------------------------------------------------------------------------
  10433. // Find the first attribute identified by its Object Identifier.
  10434. //
  10435. // If found, returns pointer to the attribute. Otherwise, returns NULL.
  10436. //--------------------------------------------------------------------------
  10437. WINCRYPT32API
  10438. PCRYPT_ATTRIBUTE
  10439. WINAPI
  10440. CertFindAttribute(
  10441. IN LPCSTR pszObjId,
  10442. IN DWORD cAttr,
  10443. IN CRYPT_ATTRIBUTE rgAttr[]
  10444. );
  10445. //+-------------------------------------------------------------------------
  10446. // Find the first CERT_RDN attribute identified by its Object Identifier in
  10447. // the name's list of Relative Distinguished Names.
  10448. //
  10449. // If found, returns pointer to the attribute. Otherwise, returns NULL.
  10450. //--------------------------------------------------------------------------
  10451. WINCRYPT32API
  10452. PCERT_RDN_ATTR
  10453. WINAPI
  10454. CertFindRDNAttr(
  10455. IN LPCSTR pszObjId,
  10456. IN PCERT_NAME_INFO pName
  10457. );
  10458. //+-------------------------------------------------------------------------
  10459. // Get the intended key usage bytes from the certificate.
  10460. //
  10461. // If the certificate doesn't have any intended key usage bytes, returns FALSE
  10462. // and *pbKeyUsage is zeroed. Otherwise, returns TRUE and up through
  10463. // cbKeyUsage bytes are copied into *pbKeyUsage. Any remaining uncopied
  10464. // bytes are zeroed.
  10465. //--------------------------------------------------------------------------
  10466. WINCRYPT32API
  10467. BOOL
  10468. WINAPI
  10469. CertGetIntendedKeyUsage(
  10470. IN DWORD dwCertEncodingType,
  10471. IN PCERT_INFO pCertInfo,
  10472. OUT BYTE *pbKeyUsage,
  10473. IN DWORD cbKeyUsage
  10474. );
  10475. typedef void *HCRYPTDEFAULTCONTEXT;
  10476. //+-------------------------------------------------------------------------
  10477. // Install a previously CryptAcquiredContext'ed HCRYPTPROV to be used as
  10478. // a default context.
  10479. //
  10480. // dwDefaultType and pvDefaultPara specify where the default context is used.
  10481. // For example, install the HCRYPTPROV to be used to verify certificate's
  10482. // having szOID_OIWSEC_md5RSA signatures.
  10483. //
  10484. // By default, the installed HCRYPTPROV is only applicable to the current
  10485. // thread. Set CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG to allow the HCRYPTPROV
  10486. // to be used by all threads in the current process.
  10487. //
  10488. // For a successful install, TRUE is returned and *phDefaultContext is
  10489. // updated with the HANDLE to be passed to CryptUninstallDefaultContext.
  10490. //
  10491. // The installed HCRYPTPROVs are stack ordered (the last installed
  10492. // HCRYPTPROV is checked first). All thread installed HCRYPTPROVs are
  10493. // checked before any process HCRYPTPROVs.
  10494. //
  10495. // The installed HCRYPTPROV remains available for default usage until
  10496. // CryptUninstallDefaultContext is called or the thread or process exits.
  10497. //
  10498. // If CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG is set, then, the HCRYPTPROV
  10499. // is CryptReleaseContext'ed at thread or process exit. However,
  10500. // not CryptReleaseContext'ed if CryptUninstallDefaultContext is
  10501. // called.
  10502. //--------------------------------------------------------------------------
  10503. WINCRYPT32API
  10504. BOOL
  10505. WINAPI
  10506. CryptInstallDefaultContext(
  10507. IN HCRYPTPROV hCryptProv,
  10508. IN DWORD dwDefaultType,
  10509. IN const void *pvDefaultPara,
  10510. IN DWORD dwFlags,
  10511. IN void *pvReserved,
  10512. OUT HCRYPTDEFAULTCONTEXT *phDefaultContext
  10513. );
  10514. // dwFlags
  10515. #define CRYPT_DEFAULT_CONTEXT_AUTO_RELEASE_FLAG 0x00000001
  10516. #define CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG 0x00000002
  10517. // List of dwDefaultType's
  10518. #define CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID 1
  10519. #define CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID 2
  10520. //+-------------------------------------------------------------------------
  10521. // CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID
  10522. //
  10523. // Install a default HCRYPTPROV used to verify a certificate
  10524. // signature. pvDefaultPara points to the szOID of the certificate
  10525. // signature algorithm, for example, szOID_OIWSEC_md5RSA. If
  10526. // pvDefaultPara is NULL, then, the HCRYPTPROV is used to verify all
  10527. // certificate signatures. Note, pvDefaultPara can't be NULL when
  10528. // CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG is set.
  10529. //--------------------------------------------------------------------------
  10530. //+-------------------------------------------------------------------------
  10531. // CRYPT_DEFAULT_CONTEXT_MULTI_CERT_SIGN_OID
  10532. //
  10533. // Same as CRYPT_DEFAULT_CONTEXT_CERT_SIGN_OID. However, the default
  10534. // HCRYPTPROV is to be used for multiple signature szOIDs. pvDefaultPara
  10535. // points to a CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA structure containing
  10536. // an array of szOID pointers.
  10537. //--------------------------------------------------------------------------
  10538. typedef struct _CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA {
  10539. DWORD cOID;
  10540. LPSTR *rgpszOID;
  10541. } CRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA, *PCRYPT_DEFAULT_CONTEXT_MULTI_OID_PARA;
  10542. //+-------------------------------------------------------------------------
  10543. // Uninstall a default context previously installed by
  10544. // CryptInstallDefaultContext.
  10545. //
  10546. // For a default context installed with CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG
  10547. // set, if any other threads are currently using this context,
  10548. // this function will block until they finish.
  10549. //--------------------------------------------------------------------------
  10550. WINCRYPT32API
  10551. BOOL
  10552. WINAPI
  10553. CryptUninstallDefaultContext(
  10554. HCRYPTDEFAULTCONTEXT hDefaultContext,
  10555. IN DWORD dwFlags,
  10556. IN void *pvReserved
  10557. );
  10558. //+-------------------------------------------------------------------------
  10559. // Export the public key info associated with the provider's corresponding
  10560. // private key.
  10561. //
  10562. // Calls CryptExportPublicKeyInfoEx with pszPublicKeyObjId = NULL,
  10563. // dwFlags = 0 and pvAuxInfo = NULL.
  10564. //--------------------------------------------------------------------------
  10565. WINCRYPT32API
  10566. BOOL
  10567. WINAPI
  10568. CryptExportPublicKeyInfo(
  10569. IN HCRYPTPROV hCryptProv,
  10570. IN DWORD dwKeySpec,
  10571. IN DWORD dwCertEncodingType,
  10572. OUT PCERT_PUBLIC_KEY_INFO pInfo,
  10573. IN OUT DWORD *pcbInfo
  10574. );
  10575. //+-------------------------------------------------------------------------
  10576. // Export the public key info associated with the provider's corresponding
  10577. // private key.
  10578. //
  10579. // Uses the dwCertEncodingType and pszPublicKeyObjId to call the
  10580. // installable CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC. The called function
  10581. // has the same signature as CryptExportPublicKeyInfoEx.
  10582. //
  10583. // If unable to find an installable OID function for the pszPublicKeyObjId,
  10584. // attempts to export as a RSA Public Key (szOID_RSA_RSA).
  10585. //
  10586. // The dwFlags and pvAuxInfo aren't used for szOID_RSA_RSA.
  10587. //--------------------------------------------------------------------------
  10588. #define CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC "CryptDllExportPublicKeyInfoEx"
  10589. WINCRYPT32API
  10590. BOOL
  10591. WINAPI
  10592. CryptExportPublicKeyInfoEx(
  10593. IN HCRYPTPROV hCryptProv,
  10594. IN DWORD dwKeySpec,
  10595. IN DWORD dwCertEncodingType,
  10596. IN LPSTR pszPublicKeyObjId,
  10597. IN DWORD dwFlags,
  10598. IN OPTIONAL void *pvAuxInfo,
  10599. OUT PCERT_PUBLIC_KEY_INFO pInfo,
  10600. IN OUT DWORD *pcbInfo
  10601. );
  10602. //+-------------------------------------------------------------------------
  10603. // Convert and import the public key info into the provider and return a
  10604. // handle to the public key.
  10605. //
  10606. // Calls CryptImportPublicKeyInfoEx with aiKeyAlg = 0, dwFlags = 0 and
  10607. // pvAuxInfo = NULL.
  10608. //--------------------------------------------------------------------------
  10609. WINCRYPT32API
  10610. BOOL
  10611. WINAPI
  10612. CryptImportPublicKeyInfo(
  10613. IN HCRYPTPROV hCryptProv,
  10614. IN DWORD dwCertEncodingType,
  10615. IN PCERT_PUBLIC_KEY_INFO pInfo,
  10616. OUT HCRYPTKEY *phKey
  10617. );
  10618. //+-------------------------------------------------------------------------
  10619. // Convert and import the public key info into the provider and return a
  10620. // handle to the public key.
  10621. //
  10622. // Uses the dwCertEncodingType and pInfo->Algorithm.pszObjId to call the
  10623. // installable CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC. The called function
  10624. // has the same signature as CryptImportPublicKeyInfoEx.
  10625. //
  10626. // If unable to find an installable OID function for the pszObjId,
  10627. // attempts to import as a RSA Public Key (szOID_RSA_RSA).
  10628. //
  10629. // For szOID_RSA_RSA: aiKeyAlg may be set to CALG_RSA_SIGN or CALG_RSA_KEYX.
  10630. // Defaults to CALG_RSA_KEYX. The dwFlags and pvAuxInfo aren't used.
  10631. //--------------------------------------------------------------------------
  10632. #define CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC "CryptDllImportPublicKeyInfoEx"
  10633. WINCRYPT32API
  10634. BOOL
  10635. WINAPI
  10636. CryptImportPublicKeyInfoEx(
  10637. IN HCRYPTPROV hCryptProv,
  10638. IN DWORD dwCertEncodingType,
  10639. IN PCERT_PUBLIC_KEY_INFO pInfo,
  10640. IN ALG_ID aiKeyAlg,
  10641. IN DWORD dwFlags,
  10642. IN OPTIONAL void *pvAuxInfo,
  10643. OUT HCRYPTKEY *phKey
  10644. );
  10645. //+-------------------------------------------------------------------------
  10646. // Acquire a HCRYPTPROV handle and dwKeySpec for the specified certificate
  10647. // context. Uses the certificate's CERT_KEY_PROV_INFO_PROP_ID property.
  10648. // The returned HCRYPTPROV handle may optionally be cached using the
  10649. // certificate's CERT_KEY_CONTEXT_PROP_ID property.
  10650. //
  10651. // If CRYPT_ACQUIRE_CACHE_FLAG is set, then, if an already acquired and
  10652. // cached HCRYPTPROV exists for the certificate, its returned. Otherwise,
  10653. // a HCRYPTPROV is acquired and then cached via the certificate's
  10654. // CERT_KEY_CONTEXT_PROP_ID.
  10655. //
  10656. // The CRYPT_ACQUIRE_USE_PROV_INFO_FLAG can be set to use the dwFlags field of
  10657. // the certificate's CERT_KEY_PROV_INFO_PROP_ID property's CRYPT_KEY_PROV_INFO
  10658. // data structure to determine if the returned HCRYPTPROV should be cached.
  10659. // HCRYPTPROV caching is enabled if the CERT_SET_KEY_CONTEXT_PROP_ID flag was
  10660. // set.
  10661. //
  10662. // If CRYPT_ACQUIRE_COMPARE_KEY_FLAG is set, then,
  10663. // the public key in the certificate is compared with the public
  10664. // key returned by the cryptographic provider. If the keys don't match, the
  10665. // acquire fails and LastError is set to NTE_BAD_PUBLIC_KEY. Note, if
  10666. // a cached HCRYPTPROV is returned, the comparison isn't done. We assume the
  10667. // comparison was done on the initial acquire.
  10668. //
  10669. // The CRYPT_ACQUIRE_SILENT_FLAG can be set to suppress any UI by the CSP.
  10670. // See CryptAcquireContext's CRYPT_SILENT flag for more details.
  10671. //
  10672. // *pfCallerFreeProv is returned set to FALSE for:
  10673. // - Acquire or public key comparison fails.
  10674. // - CRYPT_ACQUIRE_CACHE_FLAG is set.
  10675. // - CRYPT_ACQUIRE_USE_PROV_INFO_FLAG is set AND
  10676. // CERT_SET_KEY_CONTEXT_PROP_ID flag is set in the dwFlags field of the
  10677. // certificate's CERT_KEY_PROV_INFO_PROP_ID property's
  10678. // CRYPT_KEY_PROV_INFO data structure.
  10679. // When *pfCallerFreeProv is FALSE, the caller must not release. The
  10680. // returned HCRYPTPROV will be released on the last free of the certificate
  10681. // context.
  10682. //
  10683. // Otherwise, *pfCallerFreeProv is TRUE and the returned HCRYPTPROV must
  10684. // be released by the caller by calling CryptReleaseContext.
  10685. //--------------------------------------------------------------------------
  10686. WINCRYPT32API
  10687. BOOL
  10688. WINAPI
  10689. CryptAcquireCertificatePrivateKey(
  10690. IN PCCERT_CONTEXT pCert,
  10691. IN DWORD dwFlags,
  10692. IN void *pvReserved,
  10693. OUT HCRYPTPROV *phCryptProv,
  10694. OUT OPTIONAL DWORD *pdwKeySpec,
  10695. OUT OPTIONAL BOOL *pfCallerFreeProv
  10696. );
  10697. #define CRYPT_ACQUIRE_CACHE_FLAG 0x00000001
  10698. #define CRYPT_ACQUIRE_USE_PROV_INFO_FLAG 0x00000002
  10699. #define CRYPT_ACQUIRE_COMPARE_KEY_FLAG 0x00000004
  10700. #define CRYPT_ACQUIRE_SILENT_FLAG 0x00000040
  10701. //+-------------------------------------------------------------------------
  10702. // Enumerates the cryptographic providers and their containers to find the
  10703. // private key corresponding to the certificate's public key. For a match,
  10704. // the certificate's CERT_KEY_PROV_INFO_PROP_ID property is updated.
  10705. //
  10706. // If the CERT_KEY_PROV_INFO_PROP_ID is already set, then, its checked to
  10707. // see if it matches the provider's public key. For a match, the above
  10708. // enumeration is skipped.
  10709. //
  10710. // By default both the user and machine key containers are searched.
  10711. // The CRYPT_FIND_USER_KEYSET_FLAG or CRYPT_FIND_MACHINE_KEYSET_FLAG
  10712. // can be set in dwFlags to restrict the search to either of the containers.
  10713. //
  10714. // The CRYPT_FIND_SILENT_KEYSET_FLAG can be set to suppress any UI by the CSP.
  10715. // See CryptAcquireContext's CRYPT_SILENT flag for more details.
  10716. //
  10717. // If a container isn't found, returns FALSE with LastError set to
  10718. // NTE_NO_KEY.
  10719. //--------------------------------------------------------------------------
  10720. WINCRYPT32API
  10721. BOOL
  10722. WINAPI
  10723. CryptFindCertificateKeyProvInfo(
  10724. IN PCCERT_CONTEXT pCert,
  10725. IN DWORD dwFlags,
  10726. IN void *pvReserved
  10727. );
  10728. #define CRYPT_FIND_USER_KEYSET_FLAG 0x00000001
  10729. #define CRYPT_FIND_MACHINE_KEYSET_FLAG 0x00000002
  10730. #define CRYPT_FIND_SILENT_KEYSET_FLAG 0x00000040
  10731. //+-------------------------------------------------------------------------
  10732. // This is the prototype for the installable function which is called to
  10733. // actually import a key into a CSP. an installable of this type is called
  10734. // from CryptImportPKCS8. the algorithm OID of the private key is used
  10735. // to look up the proper installable function to call.
  10736. //
  10737. // hCryptProv - the provider to import the key to
  10738. // pPrivateKeyInfo - describes the key to be imported
  10739. // dwFlags - The available flags are:
  10740. // CRYPT_EXPORTABLE
  10741. // this flag is used when importing private keys, for a full
  10742. // explanation please see the documentation for CryptImportKey.
  10743. // pvAuxInfo - reserved for future, must be NULL
  10744. //--------------------------------------------------------------------------
  10745. typedef BOOL (WINAPI *PFN_IMPORT_PRIV_KEY_FUNC) (
  10746. HCRYPTPROV hCryptProv, // in
  10747. CRYPT_PRIVATE_KEY_INFO *pPrivateKeyInfo, // in
  10748. DWORD dwFlags, // in, optional
  10749. void *pvAuxInfo // in, optional
  10750. );
  10751. #define CRYPT_OID_IMPORT_PRIVATE_KEY_INFO_FUNC "CryptDllImportPrivateKeyInfoEx"
  10752. //+-------------------------------------------------------------------------
  10753. // Convert (from PKCS8 format) and import the private key into a provider
  10754. // and return a handle to the provider as well as the KeySpec used to import to.
  10755. //
  10756. // This function will call the PRESOLVE_HCRYPTPROV_FUNC in the
  10757. // privateKeyAndParams to obtain a handle of provider to import the key to.
  10758. // if the PRESOLVE_HCRYPTPROV_FUNC is NULL then the default provider will be used.
  10759. //
  10760. // privateKeyAndParams - private key blob and corresponding parameters
  10761. // dwFlags - The available flags are:
  10762. // CRYPT_EXPORTABLE
  10763. // this flag is used when importing private keys, for a full
  10764. // explanation please see the documentation for CryptImportKey.
  10765. // phCryptProv - filled in with the handle of the provider the key was
  10766. // imported to, the caller is responsible for freeing it
  10767. // pvAuxInfo - This parameter is reserved for future use and should be set
  10768. // to NULL in the interim.
  10769. //--------------------------------------------------------------------------
  10770. WINCRYPT32API
  10771. BOOL
  10772. WINAPI
  10773. CryptImportPKCS8(
  10774. CRYPT_PKCS8_IMPORT_PARAMS sImportParams, // in
  10775. DWORD dwFlags, // in, optional
  10776. HCRYPTPROV *phCryptProv, // out, optional
  10777. void *pvAuxInfo // in, optional
  10778. );
  10779. //+-------------------------------------------------------------------------
  10780. // this is the prototype for installable functions for exporting the private key
  10781. //--------------------------------------------------------------------------
  10782. typedef BOOL (WINAPI *PFN_EXPORT_PRIV_KEY_FUNC) (
  10783. HCRYPTPROV hCryptProv, // in
  10784. DWORD dwKeySpec, // in
  10785. LPSTR pszPrivateKeyObjId, // in
  10786. DWORD dwFlags, // in
  10787. void *pvAuxInfo, // in
  10788. CRYPT_PRIVATE_KEY_INFO *pPrivateKeyInfo, // out
  10789. DWORD *pcbPrivateKeyBlob // in, out
  10790. );
  10791. #define CRYPT_OID_EXPORT_PRIVATE_KEY_INFO_FUNC "CryptDllExportPrivateKeyInfoEx"
  10792. #define CRYPT_DELETE_KEYSET 0x0001
  10793. //+-------------------------------------------------------------------------
  10794. // CryptExportPKCS8 -- superseded by CryptExportPKCS8Ex
  10795. //
  10796. // Export the private key in PKCS8 format
  10797. //--------------------------------------------------------------------------
  10798. WINCRYPT32API
  10799. BOOL
  10800. WINAPI
  10801. CryptExportPKCS8(
  10802. HCRYPTPROV hCryptProv, // in
  10803. DWORD dwKeySpec, // in
  10804. LPSTR pszPrivateKeyObjId, // in
  10805. DWORD dwFlags, // in
  10806. void *pvAuxInfo, // in
  10807. BYTE *pbPrivateKeyBlob, // out
  10808. DWORD *pcbPrivateKeyBlob // in, out
  10809. );
  10810. //+-------------------------------------------------------------------------
  10811. // CryptExportPKCS8Ex
  10812. //
  10813. // Export the private key in PKCS8 format
  10814. //
  10815. //
  10816. // Uses the pszPrivateKeyObjId to call the
  10817. // installable CRYPT_OID_EXPORT_PRIVATE_KEY_INFO_FUNC. The called function
  10818. // has the signature defined by PFN_EXPORT_PRIV_KEY_FUNC.
  10819. //
  10820. // If unable to find an installable OID function for the pszPrivateKeyObjId,
  10821. // attempts to export as a RSA Private Key (szOID_RSA_RSA).
  10822. //
  10823. // psExportParams - specifies information about the key to export
  10824. // dwFlags - The flag values. None currently supported
  10825. // pvAuxInfo - This parameter is reserved for future use and should be set to
  10826. // NULL in the interim.
  10827. // pbPrivateKeyBlob - A pointer to the private key blob. It will be encoded
  10828. // as a PKCS8 PrivateKeyInfo.
  10829. // pcbPrivateKeyBlob - A pointer to a DWORD that contains the size, in bytes,
  10830. // of the private key blob being exported.
  10831. //+-------------------------------------------------------------------------
  10832. WINCRYPT32API
  10833. BOOL
  10834. WINAPI
  10835. CryptExportPKCS8Ex(
  10836. CRYPT_PKCS8_EXPORT_PARAMS* psExportParams, // in
  10837. DWORD dwFlags, // in
  10838. void *pvAuxInfo, // in
  10839. BYTE *pbPrivateKeyBlob, // out
  10840. DWORD *pcbPrivateKeyBlob // in, out
  10841. );
  10842. //+-------------------------------------------------------------------------
  10843. // Compute the hash of the encoded public key info.
  10844. //
  10845. // The public key info is encoded and then hashed.
  10846. //--------------------------------------------------------------------------
  10847. WINCRYPT32API
  10848. BOOL
  10849. WINAPI
  10850. CryptHashPublicKeyInfo(
  10851. IN HCRYPTPROV hCryptProv,
  10852. IN ALG_ID Algid,
  10853. IN DWORD dwFlags,
  10854. IN DWORD dwCertEncodingType,
  10855. IN PCERT_PUBLIC_KEY_INFO pInfo,
  10856. OUT BYTE *pbComputedHash,
  10857. IN OUT DWORD *pcbComputedHash
  10858. );
  10859. //+-------------------------------------------------------------------------
  10860. // Convert a Name Value to a null terminated char string
  10861. //
  10862. // Returns the number of characters converted including the terminating null
  10863. // character. If psz is NULL or csz is 0, returns the required size of the
  10864. // destination string (including the terminating null char).
  10865. //
  10866. // If psz != NULL && csz != 0, returned psz is always NULL terminated.
  10867. //
  10868. // Note: csz includes the NULL char.
  10869. //--------------------------------------------------------------------------
  10870. WINCRYPT32API
  10871. DWORD
  10872. WINAPI
  10873. CertRDNValueToStr%(
  10874. IN DWORD dwValueType,
  10875. IN PCERT_RDN_VALUE_BLOB pValue,
  10876. OUT OPTIONAL LPTSTR% psz,
  10877. IN DWORD csz
  10878. );
  10879. //+-------------------------------------------------------------------------
  10880. // Convert the certificate name blob to a null terminated char string.
  10881. //
  10882. // Follows the string representation of distinguished names specified in
  10883. // RFC 1779. (Note, added double quoting "" for embedded quotes, quote
  10884. // empty strings and don't quote strings containing consecutive spaces).
  10885. // RDN values of type CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING are
  10886. // formatted in hexadecimal (e.g. #0A56CF).
  10887. //
  10888. // The name string is formatted according to the dwStrType:
  10889. // CERT_SIMPLE_NAME_STR
  10890. // The object identifiers are discarded. CERT_RDN entries are separated
  10891. // by ", ". Multiple attributes per CERT_RDN are separated by " + ".
  10892. // For example:
  10893. // Microsoft, Joe Cool + Programmer
  10894. // CERT_OID_NAME_STR
  10895. // The object identifiers are included with a "=" separator from their
  10896. // attribute value. CERT_RDN entries are separated by ", ".
  10897. // Multiple attributes per CERT_RDN are separated by " + ". For example:
  10898. // 2.5.4.11=Microsoft, 2.5.4.3=Joe Cool + 2.5.4.12=Programmer
  10899. // CERT_X500_NAME_STR
  10900. // The object identifiers are converted to their X500 key name. Otherwise,
  10901. // same as CERT_OID_NAME_STR. If the object identifier doesn't have
  10902. // a corresponding X500 key name, then, the object identifier is used with
  10903. // a "OID." prefix. For example:
  10904. // OU=Microsoft, CN=Joe Cool + T=Programmer, OID.1.2.3.4.5.6=Unknown
  10905. //
  10906. // We quote the RDN value if it contains leading or trailing whitespace
  10907. // or one of the following characters: ",", "+", "=", """, "\n", "<", ">",
  10908. // "#" or ";". The quoting character is ". If the the RDN Value contains
  10909. // a " it is double quoted (""). For example:
  10910. // OU=" Microsoft", CN="Joe ""Cool""" + T="Programmer, Manager"
  10911. //
  10912. // CERT_NAME_STR_SEMICOLON_FLAG can be or'ed into dwStrType to replace
  10913. // the ", " separator with a "; " separator.
  10914. //
  10915. // CERT_NAME_STR_CRLF_FLAG can be or'ed into dwStrType to replace
  10916. // the ", " separator with a "\r\n" separator.
  10917. //
  10918. // CERT_NAME_STR_NO_PLUS_FLAG can be or'ed into dwStrType to replace the
  10919. // " + " separator with a single space, " ".
  10920. //
  10921. // CERT_NAME_STR_NO_QUOTING_FLAG can be or'ed into dwStrType to inhibit
  10922. // the above quoting.
  10923. //
  10924. // CERT_NAME_STR_REVERSE_FLAG can be or'ed into dwStrType to reverse the
  10925. // order of the RDNs before converting to the string.
  10926. //
  10927. // By default, CERT_RDN_T61_STRING encoded values are initially decoded
  10928. // as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
  10929. // CERT_NAME_STR_DISABLE_IE4_UTF8_FLAG can be or'ed into dwStrType to
  10930. // skip the initial attempt to decode as UTF8.
  10931. //
  10932. // Returns the number of characters converted including the terminating null
  10933. // character. If psz is NULL or csz is 0, returns the required size of the
  10934. // destination string (including the terminating null char).
  10935. //
  10936. // If psz != NULL && csz != 0, returned psz is always NULL terminated.
  10937. //
  10938. // Note: csz includes the NULL char.
  10939. //--------------------------------------------------------------------------
  10940. //+-------------------------------------------------------------------------
  10941. //--------------------------------------------------------------------------
  10942. WINCRYPT32API
  10943. DWORD
  10944. WINAPI
  10945. CertNameToStr%(
  10946. IN DWORD dwCertEncodingType,
  10947. IN PCERT_NAME_BLOB pName,
  10948. IN DWORD dwStrType,
  10949. OUT OPTIONAL LPTSTR% psz,
  10950. IN DWORD csz
  10951. );
  10952. //+-------------------------------------------------------------------------
  10953. // Certificate name string types
  10954. //--------------------------------------------------------------------------
  10955. #define CERT_SIMPLE_NAME_STR 1
  10956. #define CERT_OID_NAME_STR 2
  10957. #define CERT_X500_NAME_STR 3
  10958. //+-------------------------------------------------------------------------
  10959. // Certificate name string type flags OR'ed with the above types
  10960. //--------------------------------------------------------------------------
  10961. #define CERT_NAME_STR_SEMICOLON_FLAG 0x40000000
  10962. #define CERT_NAME_STR_NO_PLUS_FLAG 0x20000000
  10963. #define CERT_NAME_STR_NO_QUOTING_FLAG 0x10000000
  10964. #define CERT_NAME_STR_CRLF_FLAG 0x08000000
  10965. #define CERT_NAME_STR_COMMA_FLAG 0x04000000
  10966. #define CERT_NAME_STR_REVERSE_FLAG 0x02000000
  10967. #define CERT_NAME_STR_DISABLE_IE4_UTF8_FLAG 0x00010000
  10968. #define CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG 0x00020000
  10969. #define CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG 0x00040000
  10970. //+-------------------------------------------------------------------------
  10971. // Convert the null terminated X500 string to an encoded certificate name.
  10972. //
  10973. // The input string is expected to be formatted the same as the output
  10974. // from the above CertNameToStr API.
  10975. //
  10976. // The CERT_SIMPLE_NAME_STR type isn't supported. Otherwise, when dwStrType
  10977. // is set to 0, CERT_OID_NAME_STR or CERT_X500_NAME_STR, allow either a
  10978. // case insensitive X500 key (CN=), case insensitive "OID." prefixed
  10979. // object identifier (OID.1.2.3.4.5.6=) or an object identifier (1.2.3.4=).
  10980. //
  10981. // If no flags are OR'ed into dwStrType, then, allow "," or ";" as RDN
  10982. // separators and "+" as the multiple RDN value separator. Quoting is
  10983. // supported. A quote may be included in a quoted value by double quoting,
  10984. // for example (CN="Joe ""Cool"""). A value starting with a "#" is treated
  10985. // as ascii hex and converted to a CERT_RDN_OCTET_STRING. Embedded whitespace
  10986. // is skipped (1.2.3 = # AB CD 01 is the same as 1.2.3=#ABCD01).
  10987. //
  10988. // Whitespace surrounding the keys, object identifers and values is removed.
  10989. //
  10990. // CERT_NAME_STR_COMMA_FLAG can be or'ed into dwStrType to only allow the
  10991. // "," as the RDN separator.
  10992. //
  10993. // CERT_NAME_STR_SEMICOLON_FLAG can be or'ed into dwStrType to only allow the
  10994. // ";" as the RDN separator.
  10995. //
  10996. // CERT_NAME_STR_CRLF_FLAG can be or'ed into dwStrType to only allow
  10997. // "\r" or "\n" as the RDN separator.
  10998. //
  10999. // CERT_NAME_STR_NO_PLUS_FLAG can be or'ed into dwStrType to ignore "+"
  11000. // as a separator and not allow multiple values per RDN.
  11001. //
  11002. // CERT_NAME_STR_NO_QUOTING_FLAG can be or'ed into dwStrType to inhibit
  11003. // quoting.
  11004. //
  11005. // CERT_NAME_STR_REVERSE_FLAG can be or'ed into dwStrType to reverse the
  11006. // order of the RDNs after converting from the string and before encoding.
  11007. //
  11008. // CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG can be or'ed into dwStrType to
  11009. // to select the CERT_RDN_T61_STRING encoded value type instead of
  11010. // CERT_RDN_UNICODE_STRING if all the UNICODE characters are <= 0xFF.
  11011. //
  11012. // CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG can be or'ed into dwStrType to
  11013. // to select the CERT_RDN_UTF8_STRING encoded value type instead of
  11014. // CERT_RDN_UNICODE_STRING.
  11015. //
  11016. // Support the following X500 Keys:
  11017. //
  11018. // Key Object Identifier RDN Value Type(s)
  11019. // --- ----------------- -----------------
  11020. // CN szOID_COMMON_NAME Printable, Unicode
  11021. // L szOID_LOCALITY_NAME Printable, Unicode
  11022. // O szOID_ORGANIZATION_NAME Printable, Unicode
  11023. // OU szOID_ORGANIZATIONAL_UNIT_NAME Printable, Unicode
  11024. // E szOID_RSA_emailAddr Only IA5
  11025. // Email szOID_RSA_emailAddr Only IA5
  11026. // C szOID_COUNTRY_NAME Only Printable
  11027. // S szOID_STATE_OR_PROVINCE_NAME Printable, Unicode
  11028. // ST szOID_STATE_OR_PROVINCE_NAME Printable, Unicode
  11029. // STREET szOID_STREET_ADDRESS Printable, Unicode
  11030. // T szOID_TITLE Printable, Unicode
  11031. // Title szOID_TITLE Printable, Unicode
  11032. // G szOID_GIVEN_NAME Printable, Unicode
  11033. // GivenName szOID_GIVEN_NAME Printable, Unicode
  11034. // I szOID_INITIALS Printable, Unicode
  11035. // Initials szOID_INITIALS Printable, Unicode
  11036. // SN szOID_SUR_NAME Printable, Unicode
  11037. // DC szOID_DOMAIN_COMPONENT IA5, UTF8
  11038. //
  11039. // Note, T61 is selected instead of Unicode if
  11040. // CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG is set and all the unicode
  11041. // characters are <= 0xFF.
  11042. //
  11043. // Note, UTF8 is selected instead of Unicode if
  11044. // CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG is set.
  11045. //
  11046. // Returns TRUE if successfully parsed the input string and encoded
  11047. // the name.
  11048. //
  11049. // If the input string is detected to be invalid, *ppszError is updated
  11050. // to point to the beginning of the invalid character sequence. Otherwise,
  11051. // *ppszError is set to NULL. *ppszError is updated with a non-NULL pointer
  11052. // for the following errors:
  11053. // CRYPT_E_INVALID_X500_STRING
  11054. // CRYPT_E_INVALID_NUMERIC_STRING
  11055. // CRYPT_E_INVALID_PRINTABLE_STRING
  11056. // CRYPT_E_INVALID_IA5_STRING
  11057. //
  11058. // ppszError can be set to NULL if not interested in getting a pointer
  11059. // to the invalid character sequence.
  11060. //--------------------------------------------------------------------------
  11061. //+-------------------------------------------------------------------------
  11062. //--------------------------------------------------------------------------
  11063. WINCRYPT32API
  11064. BOOL
  11065. WINAPI
  11066. CertStrToName%(
  11067. IN DWORD dwCertEncodingType,
  11068. IN LPCTSTR% pszX500,
  11069. IN DWORD dwStrType,
  11070. IN OPTIONAL void *pvReserved,
  11071. OUT BYTE *pbEncoded,
  11072. IN OUT DWORD *pcbEncoded,
  11073. OUT OPTIONAL LPCTSTR% *ppszError
  11074. );
  11075. //+-------------------------------------------------------------------------
  11076. // Get the subject or issuer name from the certificate and
  11077. // according to the specified format type, convert to a null terminated
  11078. // character string.
  11079. //
  11080. // CERT_NAME_ISSUER_FLAG can be set to get the issuer's name. Otherwise,
  11081. // gets the subject's name.
  11082. //
  11083. // By default, CERT_RDN_T61_STRING encoded values are initially decoded
  11084. // as UTF8. If the UTF8 decoding fails, then, decoded as 8 bit characters.
  11085. // CERT_NAME_DISABLE_IE4_UTF8_FLAG can be set in dwFlags to
  11086. // skip the initial attempt to decode as UTF8.
  11087. //
  11088. // The name string is formatted according to the dwType:
  11089. // CERT_NAME_EMAIL_TYPE
  11090. // If the certificate has a Subject Alternative Name extension (for
  11091. // issuer, Issuer Alternative Name), searches for first rfc822Name choice.
  11092. // If the rfc822Name choice isn't found in the extension, searches the
  11093. // Subject Name field for the Email OID, "1.2.840.113549.1.9.1".
  11094. // If the rfc822Name or Email OID is found, returns the string. Otherwise,
  11095. // returns an empty string (returned character count is 1).
  11096. // CERT_NAME_DNS_TYPE
  11097. // If the certificate has a Subject Alternative Name extension (for
  11098. // issuer, Issuer Alternative Name), searches for first DNSName choice.
  11099. // If the DNSName choice isn't found in the extension, searches the
  11100. // Subject Name field for the CN OID, "2.5.4.3".
  11101. // If the DNSName or CN OID is found, returns the string. Otherwise,
  11102. // returns an empty string.
  11103. // CERT_NAME_URL_TYPE
  11104. // If the certificate has a Subject Alternative Name extension (for
  11105. // issuer, Issuer Alternative Name), searches for first URL choice.
  11106. // If the URL choice is found, returns the string. Otherwise,
  11107. // returns an empty string.
  11108. // CERT_NAME_UPN_TYPE
  11109. // If the certificate has a Subject Alternative Name extension,
  11110. // searches the OtherName choices looking for a
  11111. // pszObjId == szOID_NT_PRINCIPAL_NAME, "1.3.6.1.4.1.311.20.2.3".
  11112. // If the UPN OID is found, the blob is decoded as a
  11113. // X509_UNICODE_ANY_STRING and the decoded string is returned.
  11114. // Otherwise, returns an empty string.
  11115. // CERT_NAME_RDN_TYPE
  11116. // Converts the Subject Name blob by calling CertNameToStr. pvTypePara
  11117. // points to a DWORD containing the dwStrType passed to CertNameToStr.
  11118. // If the Subject Name field is empty and the certificate has a
  11119. // Subject Alternative Name extension, searches for and converts
  11120. // the first directoryName choice.
  11121. // CERT_NAME_ATTR_TYPE
  11122. // pvTypePara points to the Object Identifier specifying the name attribute
  11123. // to be returned. For example, to get the CN,
  11124. // pvTypePara = szOID_COMMON_NAME ("2.5.4.3"). Searches, the Subject Name
  11125. // field for the attribute.
  11126. // If the Subject Name field is empty and the certificate has a
  11127. // Subject Alternative Name extension, checks for
  11128. // the first directoryName choice and searches it.
  11129. //
  11130. // Note, searches the RDNs in reverse order.
  11131. //
  11132. // CERT_NAME_SIMPLE_DISPLAY_TYPE
  11133. // Iterates through the following list of name attributes and searches
  11134. // the Subject Name and then the Subject Alternative Name extension
  11135. // for the first occurrence of:
  11136. // szOID_COMMON_NAME ("2.5.4.3")
  11137. // szOID_ORGANIZATIONAL_UNIT_NAME ("2.5.4.11")
  11138. // szOID_ORGANIZATION_NAME ("2.5.4.10")
  11139. // szOID_RSA_emailAddr ("1.2.840.113549.1.9.1")
  11140. //
  11141. // If none of the above attributes is found, then, searches the
  11142. // Subject Alternative Name extension for a rfc822Name choice.
  11143. //
  11144. // If still no match, then, returns the first attribute.
  11145. //
  11146. // Note, like CERT_NAME_ATTR_TYPE, searches the RDNs in reverse order.
  11147. //
  11148. // CERT_NAME_FRIENDLY_DISPLAY_TYPE
  11149. // First checks if the certificate has a CERT_FRIENDLY_NAME_PROP_ID
  11150. // property. If it does, then, this property is returned. Otherwise,
  11151. // returns the above CERT_NAME_SIMPLE_DISPLAY_TYPE.
  11152. //
  11153. // Returns the number of characters converted including the terminating null
  11154. // character. If pwszNameString is NULL or cchNameString is 0, returns the
  11155. // required size of the destination string (including the terminating null
  11156. // char). If the specified name type isn't found. returns an empty string
  11157. // with a returned character count of 1.
  11158. //
  11159. // If pwszNameString != NULL && cwszNameString != 0, returned pwszNameString
  11160. // is always NULL terminated.
  11161. //
  11162. // Note: cchNameString includes the NULL char.
  11163. //--------------------------------------------------------------------------
  11164. //+-------------------------------------------------------------------------
  11165. //--------------------------------------------------------------------------
  11166. WINCRYPT32API
  11167. DWORD
  11168. WINAPI
  11169. CertGetNameString%(
  11170. IN PCCERT_CONTEXT pCertContext,
  11171. IN DWORD dwType,
  11172. IN DWORD dwFlags,
  11173. IN void *pvTypePara,
  11174. OUT OPTIONAL LPTSTR% pszNameString,
  11175. IN DWORD cchNameString
  11176. );
  11177. //+-------------------------------------------------------------------------
  11178. // Certificate name types
  11179. //--------------------------------------------------------------------------
  11180. #define CERT_NAME_EMAIL_TYPE 1
  11181. #define CERT_NAME_RDN_TYPE 2
  11182. #define CERT_NAME_ATTR_TYPE 3
  11183. #define CERT_NAME_SIMPLE_DISPLAY_TYPE 4
  11184. #define CERT_NAME_FRIENDLY_DISPLAY_TYPE 5
  11185. #define CERT_NAME_DNS_TYPE 6
  11186. #define CERT_NAME_URL_TYPE 7
  11187. #define CERT_NAME_UPN_TYPE 8
  11188. //+-------------------------------------------------------------------------
  11189. // Certificate name flags
  11190. //--------------------------------------------------------------------------
  11191. #define CERT_NAME_ISSUER_FLAG 0x1
  11192. #define CERT_NAME_DISABLE_IE4_UTF8_FLAG 0x00010000
  11193. //+=========================================================================
  11194. // Simplified Cryptographic Message Data Structures and APIs
  11195. //==========================================================================
  11196. //+-------------------------------------------------------------------------
  11197. // Conventions for the *pb and *pcb output parameters:
  11198. //
  11199. // Upon entry to the function:
  11200. // if pcb is OPTIONAL && pcb == NULL, then,
  11201. // No output is returned
  11202. // else if pb == NULL && pcb != NULL, then,
  11203. // Length only determination. No length error is
  11204. // returned.
  11205. // otherwise where (pb != NULL && pcb != NULL && *pcb != 0)
  11206. // Output is returned. If *pcb isn't big enough a
  11207. // length error is returned. In all cases *pcb is updated
  11208. // with the actual length needed/returned.
  11209. //--------------------------------------------------------------------------
  11210. //+-------------------------------------------------------------------------
  11211. // Type definitions of the parameters used for doing the cryptographic
  11212. // operations.
  11213. //--------------------------------------------------------------------------
  11214. //+-------------------------------------------------------------------------
  11215. // Callback to get and verify the signer's certificate.
  11216. //
  11217. // Passed the CertId of the signer (its Issuer and SerialNumber) and a
  11218. // handle to its cryptographic signed message's cert store.
  11219. //
  11220. // For CRYPT_E_NO_SIGNER, called with pSignerId == NULL.
  11221. //
  11222. // For a valid signer certificate, returns a pointer to a read only
  11223. // CERT_CONTEXT. The returned CERT_CONTEXT is either obtained from a
  11224. // cert store or was created via CertCreateCertificateContext. For either case,
  11225. // its freed via CertFreeCertificateContext.
  11226. //
  11227. // If a valid certificate isn't found, this callback returns NULL with
  11228. // LastError set via SetLastError().
  11229. //
  11230. // The NULL implementation tries to get the Signer certificate from the
  11231. // message cert store. It doesn't verify the certificate.
  11232. //
  11233. // Note, if the KEYID choice was selected for a CMS SignerId, then, the
  11234. // SerialNumber is 0 and the Issuer is encoded containing a single RDN with a
  11235. // single Attribute whose OID is szOID_KEYID_RDN, value type is
  11236. // CERT_RDN_OCTET_STRING and value is the KEYID. When the
  11237. // CertGetSubjectCertificateFromStore and
  11238. // CertFindCertificateInStore(CERT_FIND_SUBJECT_CERT) APIs see this
  11239. // special KEYID Issuer and SerialNumber, they do a KEYID match.
  11240. //--------------------------------------------------------------------------
  11241. typedef PCCERT_CONTEXT (WINAPI *PFN_CRYPT_GET_SIGNER_CERTIFICATE)(
  11242. IN void *pvGetArg,
  11243. IN DWORD dwCertEncodingType,
  11244. IN PCERT_INFO pSignerId, // Only the Issuer and SerialNumber
  11245. // fields have been updated
  11246. IN HCERTSTORE hMsgCertStore
  11247. );
  11248. //+-------------------------------------------------------------------------
  11249. // The CRYPT_SIGN_MESSAGE_PARA are used for signing messages using the
  11250. // specified signing certificate context.
  11251. //
  11252. // Either the CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID must
  11253. // be set for each rgpSigningCert[]. Either one specifies the private
  11254. // signature key to use.
  11255. //
  11256. // If any certificates and/or CRLs are to be included in the signed message,
  11257. // then, the MsgCert and MsgCrl parameters need to be updated. If the
  11258. // rgpSigningCerts are to be included, then, they must also be in the
  11259. // rgpMsgCert array.
  11260. //
  11261. // cbSize must be set to the sizeof(CRYPT_SIGN_MESSAGE_PARA) or else
  11262. // LastError will be updated with E_INVALIDARG.
  11263. //
  11264. // pvHashAuxInfo currently isn't used and must be set to NULL.
  11265. //
  11266. // dwFlags normally is set to 0. However, if the encoded output
  11267. // is to be a CMSG_SIGNED inner content of an outer cryptographic message,
  11268. // such as a CMSG_ENVELOPED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
  11269. // should be set. If not set, then it would be encoded as an inner content
  11270. // type of CMSG_DATA.
  11271. //
  11272. // dwInnerContentType is normally set to 0. It needs to be set if the
  11273. // ToBeSigned input is the encoded output of another cryptographic
  11274. // message, such as, an CMSG_ENVELOPED. When set, it's one of the cryptographic
  11275. // message types, for example, CMSG_ENVELOPED.
  11276. //
  11277. // If the inner content of a nested cryptographic message is data (CMSG_DATA
  11278. // the default), then, neither dwFlags or dwInnerContentType need to be set.
  11279. //
  11280. // For CMS messages, CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG may be
  11281. // set to encapsulate nonData inner content within an OCTET STRING.
  11282. //
  11283. // For CMS messages, CRYPT_MESSAGE_KEYID_SIGNER_FLAG may be set to identify
  11284. // signers by their Key Identifier and not their Issuer and Serial Number.
  11285. //
  11286. // The CRYPT_MESSAGE_SILENT_KEYSET_FLAG can be set to suppress any UI by the
  11287. // CSP. See CryptAcquireContext's CRYPT_SILENT flag for more details.
  11288. //
  11289. // If HashEncryptionAlgorithm is present and not NULL its used instead of
  11290. // the SigningCert's PublicKeyInfo.Algorithm.
  11291. //
  11292. // Note, for RSA, the hash encryption algorithm is normally the same as
  11293. // the public key algorithm. For DSA, the hash encryption algorithm is
  11294. // normally a DSS signature algorithm.
  11295. //
  11296. // pvHashEncryptionAuxInfo currently isn't used and must be set to NULL if
  11297. // present in the data structure.
  11298. //--------------------------------------------------------------------------
  11299. typedef struct _CRYPT_SIGN_MESSAGE_PARA {
  11300. DWORD cbSize;
  11301. DWORD dwMsgEncodingType;
  11302. PCCERT_CONTEXT pSigningCert;
  11303. CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
  11304. void *pvHashAuxInfo;
  11305. DWORD cMsgCert;
  11306. PCCERT_CONTEXT *rgpMsgCert;
  11307. DWORD cMsgCrl;
  11308. PCCRL_CONTEXT *rgpMsgCrl;
  11309. DWORD cAuthAttr;
  11310. PCRYPT_ATTRIBUTE rgAuthAttr;
  11311. DWORD cUnauthAttr;
  11312. PCRYPT_ATTRIBUTE rgUnauthAttr;
  11313. DWORD dwFlags;
  11314. DWORD dwInnerContentType;
  11315. #ifdef CRYPT_SIGN_MESSAGE_PARA_HAS_CMS_FIELDS
  11316. CRYPT_ALGORITHM_IDENTIFIER HashEncryptionAlgorithm;
  11317. void *pvHashEncryptionAuxInfo;
  11318. #endif
  11319. } CRYPT_SIGN_MESSAGE_PARA, *PCRYPT_SIGN_MESSAGE_PARA;
  11320. #define CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG 0x00000001
  11321. // When set, nonData type inner content is encapsulated within an
  11322. // OCTET STRING
  11323. #define CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG 0x00000002
  11324. // When set, signers are identified by their Key Identifier and not
  11325. // their Issuer and Serial Number.
  11326. #define CRYPT_MESSAGE_KEYID_SIGNER_FLAG 0x00000004
  11327. // When set, suppresses any UI by the CSP.
  11328. // See CryptAcquireContext's CRYPT_SILENT flag for more details.
  11329. #define CRYPT_MESSAGE_SILENT_KEYSET_FLAG 0x00000040
  11330. //+-------------------------------------------------------------------------
  11331. // The CRYPT_VERIFY_MESSAGE_PARA are used to verify signed messages.
  11332. //
  11333. // hCryptProv is used to do hashing and signature verification.
  11334. //
  11335. // The dwCertEncodingType specifies the encoding type of the certificates
  11336. // and/or CRLs in the message.
  11337. //
  11338. // pfnGetSignerCertificate is called to get and verify the message signer's
  11339. // certificate.
  11340. //
  11341. // cbSize must be set to the sizeof(CRYPT_VERIFY_MESSAGE_PARA) or else
  11342. // LastError will be updated with E_INVALIDARG.
  11343. //--------------------------------------------------------------------------
  11344. typedef struct _CRYPT_VERIFY_MESSAGE_PARA {
  11345. DWORD cbSize;
  11346. DWORD dwMsgAndCertEncodingType;
  11347. HCRYPTPROV hCryptProv;
  11348. PFN_CRYPT_GET_SIGNER_CERTIFICATE pfnGetSignerCertificate;
  11349. void *pvGetArg;
  11350. } CRYPT_VERIFY_MESSAGE_PARA, *PCRYPT_VERIFY_MESSAGE_PARA;
  11351. //+-------------------------------------------------------------------------
  11352. // The CRYPT_ENCRYPT_MESSAGE_PARA are used for encrypting messages.
  11353. //
  11354. // hCryptProv is used to do content encryption, recipient key
  11355. // encryption, and recipient key export. Its private key
  11356. // isn't used.
  11357. //
  11358. // Currently, pvEncryptionAuxInfo is only defined for RC2 or RC4 encryption
  11359. // algorithms. Otherwise, its not used and must be set to NULL.
  11360. // See CMSG_RC2_AUX_INFO for the RC2 encryption algorithms.
  11361. // See CMSG_RC4_AUX_INFO for the RC4 encryption algorithms.
  11362. //
  11363. // To enable SP3 compatible encryption, pvEncryptionAuxInfo should point to
  11364. // a CMSG_SP3_COMPATIBLE_AUX_INFO data structure.
  11365. //
  11366. // cbSize must be set to the sizeof(CRYPT_ENCRYPT_MESSAGE_PARA) or else
  11367. // LastError will be updated with E_INVALIDARG.
  11368. //
  11369. // dwFlags normally is set to 0. However, if the encoded output
  11370. // is to be a CMSG_ENVELOPED inner content of an outer cryptographic message,
  11371. // such as a CMSG_SIGNED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
  11372. // should be set. If not set, then it would be encoded as an inner content
  11373. // type of CMSG_DATA.
  11374. //
  11375. // dwInnerContentType is normally set to 0. It needs to be set if the
  11376. // ToBeEncrypted input is the encoded output of another cryptographic
  11377. // message, such as, an CMSG_SIGNED. When set, it's one of the cryptographic
  11378. // message types, for example, CMSG_SIGNED.
  11379. //
  11380. // If the inner content of a nested cryptographic message is data (CMSG_DATA
  11381. // the default), then, neither dwFlags or dwInnerContentType need to be set.
  11382. //
  11383. // For CMS messages, CRYPT_MESSAGE_ENCAPSULATED_CONTENT_OUT_FLAG may be
  11384. // set to encapsulate nonData inner content within an OCTET STRING before
  11385. // encrypting.
  11386. //
  11387. // For CMS messages, CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG may be set to identify
  11388. // recipients by their Key Identifier and not their Issuer and Serial Number.
  11389. //--------------------------------------------------------------------------
  11390. typedef struct _CRYPT_ENCRYPT_MESSAGE_PARA {
  11391. DWORD cbSize;
  11392. DWORD dwMsgEncodingType;
  11393. HCRYPTPROV hCryptProv;
  11394. CRYPT_ALGORITHM_IDENTIFIER ContentEncryptionAlgorithm;
  11395. void *pvEncryptionAuxInfo;
  11396. DWORD dwFlags;
  11397. DWORD dwInnerContentType;
  11398. } CRYPT_ENCRYPT_MESSAGE_PARA, *PCRYPT_ENCRYPT_MESSAGE_PARA;
  11399. // When set, recipients are identified by their Key Identifier and not
  11400. // their Issuer and Serial Number.
  11401. #define CRYPT_MESSAGE_KEYID_RECIPIENT_FLAG 0x4
  11402. //+-------------------------------------------------------------------------
  11403. // The CRYPT_DECRYPT_MESSAGE_PARA are used for decrypting messages.
  11404. //
  11405. // The CertContext to use for decrypting a message is obtained from one
  11406. // of the specified cert stores. An encrypted message can have one or
  11407. // more recipients. The recipients are identified by their CertId (Issuer
  11408. // and SerialNumber). The cert stores are searched to find the CertContext
  11409. // corresponding to the CertId.
  11410. //
  11411. // For CMS, the recipients may also be identified by their KeyId.
  11412. // CMS also allows Key Agreement (Diffie Hellman) in addition to
  11413. // Key Transport (RSA) recipients.
  11414. //
  11415. // Only CertContexts in the store with either
  11416. // the CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID set
  11417. // can be used. Either property specifies the private exchange key to use.
  11418. //
  11419. // cbSize must be set to the sizeof(CRYPT_DECRYPT_MESSAGE_PARA) or else
  11420. // LastError will be updated with E_INVALIDARG.
  11421. //--------------------------------------------------------------------------
  11422. typedef struct _CRYPT_DECRYPT_MESSAGE_PARA {
  11423. DWORD cbSize;
  11424. DWORD dwMsgAndCertEncodingType;
  11425. DWORD cCertStore;
  11426. HCERTSTORE *rghCertStore;
  11427. #ifdef CRYPT_DECRYPT_MESSAGE_PARA_HAS_EXTRA_FIELDS
  11428. // The above defined, CRYPT_MESSAGE_SILENT_KEYSET_FLAG, can be set to
  11429. // suppress UI by the CSP. See CryptAcquireContext's CRYPT_SILENT
  11430. // flag for more details.
  11431. DWORD dwFlags;
  11432. #endif
  11433. } CRYPT_DECRYPT_MESSAGE_PARA, *PCRYPT_DECRYPT_MESSAGE_PARA;
  11434. //+-------------------------------------------------------------------------
  11435. // The CRYPT_HASH_MESSAGE_PARA are used for hashing or unhashing
  11436. // messages.
  11437. //
  11438. // hCryptProv is used to compute the hash.
  11439. //
  11440. // pvHashAuxInfo currently isn't used and must be set to NULL.
  11441. //
  11442. // cbSize must be set to the sizeof(CRYPT_HASH_MESSAGE_PARA) or else
  11443. // LastError will be updated with E_INVALIDARG.
  11444. //--------------------------------------------------------------------------
  11445. typedef struct _CRYPT_HASH_MESSAGE_PARA {
  11446. DWORD cbSize;
  11447. DWORD dwMsgEncodingType;
  11448. HCRYPTPROV hCryptProv;
  11449. CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
  11450. void *pvHashAuxInfo;
  11451. } CRYPT_HASH_MESSAGE_PARA, *PCRYPT_HASH_MESSAGE_PARA;
  11452. //+-------------------------------------------------------------------------
  11453. // The CRYPT_KEY_SIGN_MESSAGE_PARA are used for signing messages until a
  11454. // certificate has been created for the signature key.
  11455. //
  11456. // pvHashAuxInfo currently isn't used and must be set to NULL.
  11457. //
  11458. // If PubKeyAlgorithm isn't set, defaults to szOID_RSA_RSA.
  11459. //
  11460. // cbSize must be set to the sizeof(CRYPT_KEY_SIGN_MESSAGE_PARA) or else
  11461. // LastError will be updated with E_INVALIDARG.
  11462. //--------------------------------------------------------------------------
  11463. typedef struct _CRYPT_KEY_SIGN_MESSAGE_PARA {
  11464. DWORD cbSize;
  11465. DWORD dwMsgAndCertEncodingType;
  11466. HCRYPTPROV hCryptProv;
  11467. DWORD dwKeySpec;
  11468. CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
  11469. void *pvHashAuxInfo;
  11470. CRYPT_ALGORITHM_IDENTIFIER PubKeyAlgorithm;
  11471. } CRYPT_KEY_SIGN_MESSAGE_PARA, *PCRYPT_KEY_SIGN_MESSAGE_PARA;
  11472. //+-------------------------------------------------------------------------
  11473. // The CRYPT_KEY_VERIFY_MESSAGE_PARA are used to verify signed messages without
  11474. // a certificate for the signer.
  11475. //
  11476. // Normally used until a certificate has been created for the key.
  11477. //
  11478. // hCryptProv is used to do hashing and signature verification.
  11479. //
  11480. // cbSize must be set to the sizeof(CRYPT_KEY_VERIFY_MESSAGE_PARA) or else
  11481. // LastError will be updated with E_INVALIDARG.
  11482. //--------------------------------------------------------------------------
  11483. typedef struct _CRYPT_KEY_VERIFY_MESSAGE_PARA {
  11484. DWORD cbSize;
  11485. DWORD dwMsgEncodingType;
  11486. HCRYPTPROV hCryptProv;
  11487. } CRYPT_KEY_VERIFY_MESSAGE_PARA, *PCRYPT_KEY_VERIFY_MESSAGE_PARA;
  11488. //+-------------------------------------------------------------------------
  11489. // Sign the message.
  11490. //
  11491. // If fDetachedSignature is TRUE, the "to be signed" content isn't included
  11492. // in the encoded signed blob.
  11493. //--------------------------------------------------------------------------
  11494. WINCRYPT32API
  11495. BOOL
  11496. WINAPI
  11497. CryptSignMessage(
  11498. IN PCRYPT_SIGN_MESSAGE_PARA pSignPara,
  11499. IN BOOL fDetachedSignature,
  11500. IN DWORD cToBeSigned,
  11501. IN const BYTE *rgpbToBeSigned[],
  11502. IN DWORD rgcbToBeSigned[],
  11503. OUT BYTE *pbSignedBlob,
  11504. IN OUT DWORD *pcbSignedBlob
  11505. );
  11506. //+-------------------------------------------------------------------------
  11507. // Verify a signed message.
  11508. //
  11509. // If pbDecoded == NULL, then, *pcbDecoded is implicitly set to 0 on input.
  11510. // For *pcbDecoded == 0 && ppSignerCert == NULL on input, the signer isn't
  11511. // verified.
  11512. //
  11513. // A message might have more than one signer. Set dwSignerIndex to iterate
  11514. // through all the signers. dwSignerIndex == 0 selects the first signer.
  11515. //
  11516. // pVerifyPara's pfnGetSignerCertificate is called to get the signer's
  11517. // certificate.
  11518. //
  11519. // For a verified signer and message, *ppSignerCert is updated
  11520. // with the CertContext of the signer. It must be freed by calling
  11521. // CertFreeCertificateContext. Otherwise, *ppSignerCert is set to NULL.
  11522. //
  11523. // ppSignerCert can be NULL, indicating the caller isn't interested
  11524. // in getting the CertContext of the signer.
  11525. //
  11526. // pcbDecoded can be NULL, indicating the caller isn't interested in getting
  11527. // the decoded content. Furthermore, if the message doesn't contain any
  11528. // content or signers, then, pcbDecoded must be set to NULL, to allow the
  11529. // pVerifyPara->pfnGetCertificate to be called. Normally, this would be
  11530. // the case when the signed message contains only certficates and CRLs.
  11531. // If pcbDecoded is NULL and the message doesn't have the indicated signer,
  11532. // pfnGetCertificate is called with pSignerId set to NULL.
  11533. //
  11534. // If the message doesn't contain any signers || dwSignerIndex > message's
  11535. // SignerCount, then, an error is returned with LastError set to
  11536. // CRYPT_E_NO_SIGNER. Also, for CRYPT_E_NO_SIGNER, pfnGetSignerCertificate
  11537. // is still called with pSignerId set to NULL.
  11538. //
  11539. // Note, an alternative way to get the certificates and CRLs from a
  11540. // signed message is to call CryptGetMessageCertificates.
  11541. //--------------------------------------------------------------------------
  11542. WINCRYPT32API
  11543. BOOL
  11544. WINAPI
  11545. CryptVerifyMessageSignature(
  11546. IN PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara,
  11547. IN DWORD dwSignerIndex,
  11548. IN const BYTE *pbSignedBlob,
  11549. IN DWORD cbSignedBlob,
  11550. OUT BYTE OPTIONAL *pbDecoded,
  11551. IN OUT OPTIONAL DWORD *pcbDecoded,
  11552. OUT OPTIONAL PCCERT_CONTEXT *ppSignerCert
  11553. );
  11554. //+-------------------------------------------------------------------------
  11555. // Returns the count of signers in the signed message. For no signers, returns
  11556. // 0. For an error returns -1 with LastError updated accordingly.
  11557. //--------------------------------------------------------------------------
  11558. WINCRYPT32API
  11559. LONG
  11560. WINAPI
  11561. CryptGetMessageSignerCount(
  11562. IN DWORD dwMsgEncodingType,
  11563. IN const BYTE *pbSignedBlob,
  11564. IN DWORD cbSignedBlob
  11565. );
  11566. //+-------------------------------------------------------------------------
  11567. // Returns the cert store containing the message's certs and CRLs.
  11568. // For an error, returns NULL with LastError updated.
  11569. //--------------------------------------------------------------------------
  11570. WINCRYPT32API
  11571. HCERTSTORE
  11572. WINAPI
  11573. CryptGetMessageCertificates(
  11574. IN DWORD dwMsgAndCertEncodingType,
  11575. IN HCRYPTPROV hCryptProv, // passed to CertOpenStore
  11576. IN DWORD dwFlags, // passed to CertOpenStore
  11577. IN const BYTE *pbSignedBlob,
  11578. IN DWORD cbSignedBlob
  11579. );
  11580. //+-------------------------------------------------------------------------
  11581. // Verify a signed message containing detached signature(s).
  11582. // The "to be signed" content is passed in separately. No
  11583. // decoded output. Otherwise, identical to CryptVerifyMessageSignature.
  11584. //--------------------------------------------------------------------------
  11585. WINCRYPT32API
  11586. BOOL
  11587. WINAPI
  11588. CryptVerifyDetachedMessageSignature(
  11589. IN PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara,
  11590. IN DWORD dwSignerIndex,
  11591. IN const BYTE *pbDetachedSignBlob,
  11592. IN DWORD cbDetachedSignBlob,
  11593. IN DWORD cToBeSigned,
  11594. IN const BYTE *rgpbToBeSigned[],
  11595. IN DWORD rgcbToBeSigned[],
  11596. OUT OPTIONAL PCCERT_CONTEXT *ppSignerCert
  11597. );
  11598. //+-------------------------------------------------------------------------
  11599. // Encrypts the message for the recipient(s).
  11600. //--------------------------------------------------------------------------
  11601. WINCRYPT32API
  11602. BOOL
  11603. WINAPI
  11604. CryptEncryptMessage(
  11605. IN PCRYPT_ENCRYPT_MESSAGE_PARA pEncryptPara,
  11606. IN DWORD cRecipientCert,
  11607. IN PCCERT_CONTEXT rgpRecipientCert[],
  11608. IN const BYTE *pbToBeEncrypted,
  11609. IN DWORD cbToBeEncrypted,
  11610. OUT BYTE *pbEncryptedBlob,
  11611. IN OUT DWORD *pcbEncryptedBlob
  11612. );
  11613. //+-------------------------------------------------------------------------
  11614. // Decrypts the message.
  11615. //
  11616. // If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
  11617. // For *pcbDecrypted == 0 && ppXchgCert == NULL on input, the message isn't
  11618. // decrypted.
  11619. //
  11620. // For a successfully decrypted message, *ppXchgCert is updated
  11621. // with the CertContext used to decrypt. It must be freed by calling
  11622. // CertStoreFreeCert. Otherwise, *ppXchgCert is set to NULL.
  11623. //
  11624. // ppXchgCert can be NULL, indicating the caller isn't interested
  11625. // in getting the CertContext used to decrypt.
  11626. //--------------------------------------------------------------------------
  11627. WINCRYPT32API
  11628. BOOL
  11629. WINAPI
  11630. CryptDecryptMessage(
  11631. IN PCRYPT_DECRYPT_MESSAGE_PARA pDecryptPara,
  11632. IN const BYTE *pbEncryptedBlob,
  11633. IN DWORD cbEncryptedBlob,
  11634. OUT OPTIONAL BYTE *pbDecrypted,
  11635. IN OUT OPTIONAL DWORD *pcbDecrypted,
  11636. OUT OPTIONAL PCCERT_CONTEXT *ppXchgCert
  11637. );
  11638. //+-------------------------------------------------------------------------
  11639. // Sign the message and encrypt for the recipient(s). Does a CryptSignMessage
  11640. // followed with a CryptEncryptMessage.
  11641. //
  11642. // Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. Its a CMSG_SIGNED
  11643. // inside of an CMSG_ENVELOPED.
  11644. //--------------------------------------------------------------------------
  11645. WINCRYPT32API
  11646. BOOL
  11647. WINAPI
  11648. CryptSignAndEncryptMessage(
  11649. IN PCRYPT_SIGN_MESSAGE_PARA pSignPara,
  11650. IN PCRYPT_ENCRYPT_MESSAGE_PARA pEncryptPara,
  11651. IN DWORD cRecipientCert,
  11652. IN PCCERT_CONTEXT rgpRecipientCert[],
  11653. IN const BYTE *pbToBeSignedAndEncrypted,
  11654. IN DWORD cbToBeSignedAndEncrypted,
  11655. OUT BYTE *pbSignedAndEncryptedBlob,
  11656. IN OUT DWORD *pcbSignedAndEncryptedBlob
  11657. );
  11658. //+-------------------------------------------------------------------------
  11659. // Decrypts the message and verifies the signer. Does a CryptDecryptMessage
  11660. // followed with a CryptVerifyMessageSignature.
  11661. //
  11662. // If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
  11663. // For *pcbDecrypted == 0 && ppSignerCert == NULL on input, the signer isn't
  11664. // verified.
  11665. //
  11666. // A message might have more than one signer. Set dwSignerIndex to iterate
  11667. // through all the signers. dwSignerIndex == 0 selects the first signer.
  11668. //
  11669. // The pVerifyPara's VerifySignerPolicy is called to verify the signer's
  11670. // certificate.
  11671. //
  11672. // For a successfully decrypted and verified message, *ppXchgCert and
  11673. // *ppSignerCert are updated. They must be freed by calling
  11674. // CertStoreFreeCert. Otherwise, they are set to NULL.
  11675. //
  11676. // ppXchgCert and/or ppSignerCert can be NULL, indicating the
  11677. // caller isn't interested in getting the CertContext.
  11678. //
  11679. // Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. Its a CMSG_SIGNED
  11680. // inside of an CMSG_ENVELOPED.
  11681. //
  11682. // The message always needs to be decrypted to allow access to the
  11683. // signed message. Therefore, if ppXchgCert != NULL, its always updated.
  11684. //--------------------------------------------------------------------------
  11685. WINCRYPT32API
  11686. BOOL
  11687. WINAPI
  11688. CryptDecryptAndVerifyMessageSignature(
  11689. IN PCRYPT_DECRYPT_MESSAGE_PARA pDecryptPara,
  11690. IN PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara,
  11691. IN DWORD dwSignerIndex,
  11692. IN const BYTE *pbEncryptedBlob,
  11693. IN DWORD cbEncryptedBlob,
  11694. OUT OPTIONAL BYTE *pbDecrypted,
  11695. IN OUT OPTIONAL DWORD *pcbDecrypted,
  11696. OUT OPTIONAL PCCERT_CONTEXT *ppXchgCert,
  11697. OUT OPTIONAL PCCERT_CONTEXT *ppSignerCert
  11698. );
  11699. //+-------------------------------------------------------------------------
  11700. // Decodes a cryptographic message which may be one of the following types:
  11701. // CMSG_DATA
  11702. // CMSG_SIGNED
  11703. // CMSG_ENVELOPED
  11704. // CMSG_SIGNED_AND_ENVELOPED
  11705. // CMSG_HASHED
  11706. //
  11707. // dwMsgTypeFlags specifies the set of allowable messages. For example, to
  11708. // decode either SIGNED or ENVELOPED messages, set dwMsgTypeFlags to:
  11709. // CMSG_SIGNED_FLAG | CMSG_ENVELOPED_FLAG.
  11710. //
  11711. // dwProvInnerContentType is only applicable when processing nested
  11712. // crytographic messages. When processing an outer crytographic message
  11713. // it must be set to 0. When decoding a nested cryptographic message
  11714. // its the dwInnerContentType returned by a previous CryptDecodeMessage
  11715. // of the outer message. The InnerContentType can be any of the CMSG types,
  11716. // for example, CMSG_DATA, CMSG_SIGNED, ...
  11717. //
  11718. // The optional *pdwMsgType is updated with the type of message.
  11719. //
  11720. // The optional *pdwInnerContentType is updated with the type of the inner
  11721. // message. Unless there is cryptographic message nesting, CMSG_DATA
  11722. // is returned.
  11723. //
  11724. // For CMSG_DATA: returns decoded content.
  11725. // For CMSG_SIGNED: same as CryptVerifyMessageSignature.
  11726. // For CMSG_ENVELOPED: same as CryptDecryptMessage.
  11727. // For CMSG_SIGNED_AND_ENVELOPED: same as CryptDecryptMessage plus
  11728. // CryptVerifyMessageSignature.
  11729. // For CMSG_HASHED: verifies the hash and returns decoded content.
  11730. //--------------------------------------------------------------------------
  11731. WINCRYPT32API
  11732. BOOL
  11733. WINAPI
  11734. CryptDecodeMessage(
  11735. IN DWORD dwMsgTypeFlags,
  11736. IN PCRYPT_DECRYPT_MESSAGE_PARA pDecryptPara,
  11737. IN PCRYPT_VERIFY_MESSAGE_PARA pVerifyPara,
  11738. IN DWORD dwSignerIndex,
  11739. IN const BYTE *pbEncodedBlob,
  11740. IN DWORD cbEncodedBlob,
  11741. IN DWORD dwPrevInnerContentType,
  11742. OUT OPTIONAL DWORD *pdwMsgType,
  11743. OUT OPTIONAL DWORD *pdwInnerContentType,
  11744. OUT OPTIONAL BYTE *pbDecoded,
  11745. IN OUT OPTIONAL DWORD *pcbDecoded,
  11746. OUT OPTIONAL PCCERT_CONTEXT *ppXchgCert,
  11747. OUT OPTIONAL PCCERT_CONTEXT *ppSignerCert
  11748. );
  11749. //+-------------------------------------------------------------------------
  11750. // Hash the message.
  11751. //
  11752. // If fDetachedHash is TRUE, only the ComputedHash is encoded in the
  11753. // pbHashedBlob. Otherwise, both the ToBeHashed and ComputedHash
  11754. // are encoded.
  11755. //
  11756. // pcbHashedBlob or pcbComputedHash can be NULL, indicating the caller
  11757. // isn't interested in getting the output.
  11758. //--------------------------------------------------------------------------
  11759. WINCRYPT32API
  11760. BOOL
  11761. WINAPI
  11762. CryptHashMessage(
  11763. IN PCRYPT_HASH_MESSAGE_PARA pHashPara,
  11764. IN BOOL fDetachedHash,
  11765. IN DWORD cToBeHashed,
  11766. IN const BYTE *rgpbToBeHashed[],
  11767. IN DWORD rgcbToBeHashed[],
  11768. OUT OPTIONAL BYTE *pbHashedBlob,
  11769. IN OUT OPTIONAL DWORD *pcbHashedBlob,
  11770. OUT OPTIONAL BYTE *pbComputedHash,
  11771. IN OUT OPTIONAL DWORD *pcbComputedHash
  11772. );
  11773. //+-------------------------------------------------------------------------
  11774. // Verify a hashed message.
  11775. //
  11776. // pcbToBeHashed or pcbComputedHash can be NULL,
  11777. // indicating the caller isn't interested in getting the output.
  11778. //--------------------------------------------------------------------------
  11779. WINCRYPT32API
  11780. BOOL
  11781. WINAPI
  11782. CryptVerifyMessageHash(
  11783. IN PCRYPT_HASH_MESSAGE_PARA pHashPara,
  11784. IN BYTE *pbHashedBlob,
  11785. IN DWORD cbHashedBlob,
  11786. OUT OPTIONAL BYTE *pbToBeHashed,
  11787. IN OUT OPTIONAL DWORD *pcbToBeHashed,
  11788. OUT OPTIONAL BYTE *pbComputedHash,
  11789. IN OUT OPTIONAL DWORD *pcbComputedHash
  11790. );
  11791. //+-------------------------------------------------------------------------
  11792. // Verify a hashed message containing a detached hash.
  11793. // The "to be hashed" content is passed in separately. No
  11794. // decoded output. Otherwise, identical to CryptVerifyMessageHash.
  11795. //
  11796. // pcbComputedHash can be NULL, indicating the caller isn't interested
  11797. // in getting the output.
  11798. //--------------------------------------------------------------------------
  11799. WINCRYPT32API
  11800. BOOL
  11801. WINAPI
  11802. CryptVerifyDetachedMessageHash(
  11803. IN PCRYPT_HASH_MESSAGE_PARA pHashPara,
  11804. IN BYTE *pbDetachedHashBlob,
  11805. IN DWORD cbDetachedHashBlob,
  11806. IN DWORD cToBeHashed,
  11807. IN const BYTE *rgpbToBeHashed[],
  11808. IN DWORD rgcbToBeHashed[],
  11809. OUT OPTIONAL BYTE *pbComputedHash,
  11810. IN OUT OPTIONAL DWORD *pcbComputedHash
  11811. );
  11812. //+-------------------------------------------------------------------------
  11813. // Sign the message using the provider's private key specified in the
  11814. // parameters. A dummy SignerId is created and stored in the message.
  11815. //
  11816. // Normally used until a certificate has been created for the key.
  11817. //--------------------------------------------------------------------------
  11818. WINCRYPT32API
  11819. BOOL
  11820. WINAPI
  11821. CryptSignMessageWithKey(
  11822. IN PCRYPT_KEY_SIGN_MESSAGE_PARA pSignPara,
  11823. IN const BYTE *pbToBeSigned,
  11824. IN DWORD cbToBeSigned,
  11825. OUT BYTE *pbSignedBlob,
  11826. IN OUT DWORD *pcbSignedBlob
  11827. );
  11828. //+-------------------------------------------------------------------------
  11829. // Verify a signed message using the specified public key info.
  11830. //
  11831. // Normally called by a CA until it has created a certificate for the
  11832. // key.
  11833. //
  11834. // pPublicKeyInfo contains the public key to use to verify the signed
  11835. // message. If NULL, the signature isn't verified (for instance, the decoded
  11836. // content may contain the PublicKeyInfo).
  11837. //
  11838. // pcbDecoded can be NULL, indicating the caller isn't interested
  11839. // in getting the decoded content.
  11840. //--------------------------------------------------------------------------
  11841. WINCRYPT32API
  11842. BOOL
  11843. WINAPI
  11844. CryptVerifyMessageSignatureWithKey(
  11845. IN PCRYPT_KEY_VERIFY_MESSAGE_PARA pVerifyPara,
  11846. IN OPTIONAL PCERT_PUBLIC_KEY_INFO pPublicKeyInfo,
  11847. IN const BYTE *pbSignedBlob,
  11848. IN DWORD cbSignedBlob,
  11849. OUT OPTIONAL BYTE *pbDecoded,
  11850. IN OUT OPTIONAL DWORD *pcbDecoded
  11851. );
  11852. //+=========================================================================
  11853. // System Certificate Store Data Structures and APIs
  11854. //==========================================================================
  11855. //+-------------------------------------------------------------------------
  11856. // Get a system certificate store based on a subsystem protocol.
  11857. //
  11858. // Current examples of subsystems protocols are:
  11859. // "MY" Cert Store hold certs with associated Private Keys
  11860. // "CA" Certifying Authority certs
  11861. // "ROOT" Root Certs
  11862. // "SPC" Software publisher certs
  11863. //
  11864. //
  11865. // If hProv is NULL the default provider "1" is opened for you.
  11866. // When the store is closed the provider is release. Otherwise
  11867. // if hProv is not NULL, no provider is created or released.
  11868. //
  11869. // The returned Cert Store can be searched for an appropriate Cert
  11870. // using the Cert Store API's (see certstor.h)
  11871. //
  11872. // When done, the cert store should be closed using CertStoreClose
  11873. //--------------------------------------------------------------------------
  11874. WINCRYPT32API
  11875. HCERTSTORE
  11876. WINAPI
  11877. CertOpenSystemStore%(
  11878. HCRYPTPROV hProv,
  11879. LPCTSTR% szSubsystemProtocol
  11880. );
  11881. WINCRYPT32API
  11882. BOOL
  11883. WINAPI
  11884. CertAddEncodedCertificateToSystemStore%(
  11885. LPCTSTR% szCertStoreName,
  11886. const BYTE * pbCertEncoded,
  11887. DWORD cbCertEncoded
  11888. );
  11889. //+-------------------------------------------------------------------------
  11890. // Find all certificate chains tying the given issuer name to any certificate
  11891. // that the current user has a private key for.
  11892. //
  11893. // If no certificate chain is found, FALSE is returned with LastError set
  11894. // to CRYPT_E_NOT_FOUND and the counts zeroed.
  11895. //
  11896. // IE 3.0 ASSUMPTION:
  11897. // The client certificates are in the "My" system store. The issuer
  11898. // cerificates may be in the "Root", "CA" or "My" system stores.
  11899. //--------------------------------------------------------------------------
  11900. typedef struct _CERT_CHAIN {
  11901. DWORD cCerts; // number of certs in chain
  11902. PCERT_BLOB certs; // pointer to array of cert chain blobs
  11903. // representing the certs
  11904. CRYPT_KEY_PROV_INFO keyLocatorInfo; // key locator for cert
  11905. } CERT_CHAIN, *PCERT_CHAIN;
  11906. // WINCRYPT32API This is not exported by crypt32, it is exported by softpub
  11907. HRESULT
  11908. WINAPI
  11909. FindCertsByIssuer(
  11910. OUT PCERT_CHAIN pCertChains,
  11911. IN OUT DWORD *pcbCertChains,
  11912. OUT DWORD *pcCertChains, // count of certificates chains returned
  11913. IN BYTE* pbEncodedIssuerName, // DER encoded issuer name
  11914. IN DWORD cbEncodedIssuerName, // count in bytes of encoded issuer name
  11915. IN LPCWSTR pwszPurpose, // "ClientAuth" or "CodeSigning"
  11916. IN DWORD dwKeySpec // only return signers supporting this
  11917. // keyspec
  11918. );
  11919. //-------------------------------------------------------------------------
  11920. //
  11921. // CryptQueryObject takes a CERT_BLOB or a file name and returns the
  11922. // information about the content in the blob or in the file.
  11923. //
  11924. // Parameters:
  11925. // INPUT dwObjectType:
  11926. // Indicate the type of the object. Should be one of the
  11927. // following:
  11928. // CERT_QUERY_OBJECT_FILE
  11929. // CERT_QUERY_OBJECT_BLOB
  11930. //
  11931. // INPUT pvObject:
  11932. // If dwObjectType == CERT_QUERY_OBJECT_FILE, it is a
  11933. // LPWSTR, that is, the pointer to a wchar file name
  11934. // if dwObjectType == CERT_QUERY_OBJECT_BLOB, it is a
  11935. // PCERT_BLOB, that is, a pointer to a CERT_BLOB
  11936. //
  11937. // INPUT dwExpectedContentTypeFlags:
  11938. // Indicate the expected contenet type.
  11939. // Can be one of the following:
  11940. // CERT_QUERY_CONTENT_FLAG_ALL (the content can be any type)
  11941. // CERT_QUERY_CONTENT_FLAG_CERT
  11942. // CERT_QUERY_CONTENT_FLAG_CTL
  11943. // CERT_QUERY_CONTENT_FLAG_CRL
  11944. // CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE
  11945. // CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT
  11946. // CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL
  11947. // CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL
  11948. // CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED
  11949. // CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED
  11950. // CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED
  11951. // CERT_QUERY_CONTENT_FLAG_PKCS10
  11952. // CERT_QUERY_CONTENT_FLAG_PFX
  11953. // CERT_QUERY_CONTENT_FLAG_CERT_PAIR
  11954. //
  11955. // INPUT dwExpectedFormatTypeFlags:
  11956. // Indicate the expected format type.
  11957. // Can be one of the following:
  11958. // CERT_QUERY_FORMAT_FLAG_ALL (the content can be any format)
  11959. // CERT_QUERY_FORMAT_FLAG_BINARY
  11960. // CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED
  11961. // CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED
  11962. //
  11963. //
  11964. // INPUT dwFlags
  11965. // Reserved flag. Should always set to 0
  11966. //
  11967. // OUTPUT pdwMsgAndCertEncodingType
  11968. // Optional output. If NULL != pdwMsgAndCertEncodingType,
  11969. // it contains the encoding type of the content as any
  11970. // combination of the following:
  11971. // X509_ASN_ENCODING
  11972. // PKCS_7_ASN_ENCODING
  11973. //
  11974. // OUTPUT pdwContentType
  11975. // Optional output. If NULL!=pdwContentType, it contains
  11976. // the content type as one of the the following:
  11977. // CERT_QUERY_CONTENT_CERT
  11978. // CERT_QUERY_CONTENT_CTL
  11979. // CERT_QUERY_CONTENT_CRL
  11980. // CERT_QUERY_CONTENT_SERIALIZED_STORE
  11981. // CERT_QUERY_CONTENT_SERIALIZED_CERT
  11982. // CERT_QUERY_CONTENT_SERIALIZED_CTL
  11983. // CERT_QUERY_CONTENT_SERIALIZED_CRL
  11984. // CERT_QUERY_CONTENT_PKCS7_SIGNED
  11985. // CERT_QUERY_CONTENT_PKCS7_UNSIGNED
  11986. // CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
  11987. // CERT_QUERY_CONTENT_PKCS10
  11988. // CERT_QUERY_CONTENT_PFX
  11989. // CERT_QUERY_CONTENT_CERT_PAIR
  11990. //
  11991. // OUTPUT pdwFormatType
  11992. // Optional output. If NULL !=pdwFormatType, it
  11993. // contains the format type of the content as one of the
  11994. // following:
  11995. // CERT_QUERY_FORMAT_BINARY
  11996. // CERT_QUERY_FORMAT_BASE64_ENCODED
  11997. // CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED
  11998. //
  11999. //
  12000. // OUTPUT phCertStore
  12001. // Optional output. If NULL !=phStore,
  12002. // it contains a cert store that includes all of certificates,
  12003. // CRL, and CTL in the object if the object content type is
  12004. // one of the following:
  12005. // CERT_QUERY_CONTENT_CERT
  12006. // CERT_QUERY_CONTENT_CTL
  12007. // CERT_QUERY_CONTENT_CRL
  12008. // CERT_QUERY_CONTENT_SERIALIZED_STORE
  12009. // CERT_QUERY_CONTENT_SERIALIZED_CERT
  12010. // CERT_QUERY_CONTENT_SERIALIZED_CTL
  12011. // CERT_QUERY_CONTENT_SERIALIZED_CRL
  12012. // CERT_QUERY_CONTENT_PKCS7_SIGNED
  12013. // CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
  12014. // CERT_QUERY_CONTENT_CERT_PAIR
  12015. //
  12016. // Caller should free *phCertStore via CertCloseStore.
  12017. //
  12018. //
  12019. // OUTPUT phMsg Optional output. If NULL != phMsg,
  12020. // it contains a handle to a opened message if
  12021. // the content type is one of the following:
  12022. // CERT_QUERY_CONTENT_PKCS7_SIGNED
  12023. // CERT_QUERY_CONTENT_PKCS7_UNSIGNED
  12024. // CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
  12025. //
  12026. // Caller should free *phMsg via CryptMsgClose.
  12027. //
  12028. // OUTPUT pContext Optional output. If NULL != pContext,
  12029. // it contains either a PCCERT_CONTEXT or PCCRL_CONTEXT,
  12030. // or PCCTL_CONTEXT based on the content type.
  12031. //
  12032. // If the content type is CERT_QUERY_CONTENT_CERT or
  12033. // CERT_QUERY_CONTENT_SERIALIZED_CERT, it is a PCCERT_CONTEXT;
  12034. // Caller should free the pContext via CertFreeCertificateContext.
  12035. //
  12036. // If the content type is CERT_QUERY_CONTENT_CRL or
  12037. // CERT_QUERY_CONTENT_SERIALIZED_CRL, it is a PCCRL_CONTEXT;
  12038. // Caller should free the pContext via CertFreeCRLContext.
  12039. //
  12040. // If the content type is CERT_QUERY_CONTENT_CTL or
  12041. // CERT_QUERY_CONTENT_SERIALIZED_CTL, it is a PCCTL_CONTEXT;
  12042. // Caller should free the pContext via CertFreeCTLContext.
  12043. //
  12044. // If the *pbObject is of type CERT_QUERY_CONTENT_PKCS10 or CERT_QUERY_CONTENT_PFX, CryptQueryObject
  12045. // will not return anything in *phCertstore, *phMsg, or *ppvContext.
  12046. //--------------------------------------------------------------------------
  12047. WINCRYPT32API
  12048. BOOL
  12049. WINAPI
  12050. CryptQueryObject(
  12051. DWORD dwObjectType,
  12052. const void *pvObject,
  12053. DWORD dwExpectedContentTypeFlags,
  12054. DWORD dwExpectedFormatTypeFlags,
  12055. DWORD dwFlags,
  12056. DWORD *pdwMsgAndCertEncodingType,
  12057. DWORD *pdwContentType,
  12058. DWORD *pdwFormatType,
  12059. HCERTSTORE *phCertStore,
  12060. HCRYPTMSG *phMsg,
  12061. const void **ppvContext
  12062. );
  12063. //-------------------------------------------------------------------------
  12064. //dwObjectType for CryptQueryObject
  12065. //-------------------------------------------------------------------------
  12066. #define CERT_QUERY_OBJECT_FILE 0x00000001
  12067. #define CERT_QUERY_OBJECT_BLOB 0x00000002
  12068. //-------------------------------------------------------------------------
  12069. //dwContentType for CryptQueryObject
  12070. //-------------------------------------------------------------------------
  12071. //encoded single certificate
  12072. #define CERT_QUERY_CONTENT_CERT 1
  12073. //encoded single CTL
  12074. #define CERT_QUERY_CONTENT_CTL 2
  12075. //encoded single CRL
  12076. #define CERT_QUERY_CONTENT_CRL 3
  12077. //serialized store
  12078. #define CERT_QUERY_CONTENT_SERIALIZED_STORE 4
  12079. //serialized single certificate
  12080. #define CERT_QUERY_CONTENT_SERIALIZED_CERT 5
  12081. //serialized single CTL
  12082. #define CERT_QUERY_CONTENT_SERIALIZED_CTL 6
  12083. //serialized single CRL
  12084. #define CERT_QUERY_CONTENT_SERIALIZED_CRL 7
  12085. //a PKCS#7 signed message
  12086. #define CERT_QUERY_CONTENT_PKCS7_SIGNED 8
  12087. //a PKCS#7 message, such as enveloped message. But it is not a signed message,
  12088. #define CERT_QUERY_CONTENT_PKCS7_UNSIGNED 9
  12089. //a PKCS7 signed message embedded in a file
  12090. #define CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED 10
  12091. //an encoded PKCS#10
  12092. #define CERT_QUERY_CONTENT_PKCS10 11
  12093. //an encoded PKX BLOB
  12094. #define CERT_QUERY_CONTENT_PFX 12
  12095. //an encoded CertificatePair (contains forward and/or reverse cross certs)
  12096. #define CERT_QUERY_CONTENT_CERT_PAIR 13
  12097. //-------------------------------------------------------------------------
  12098. //dwExpectedConentTypeFlags for CryptQueryObject
  12099. //-------------------------------------------------------------------------
  12100. //encoded single certificate
  12101. #define CERT_QUERY_CONTENT_FLAG_CERT \
  12102. ( 1 << CERT_QUERY_CONTENT_CERT)
  12103. //encoded single CTL
  12104. #define CERT_QUERY_CONTENT_FLAG_CTL \
  12105. ( 1 << CERT_QUERY_CONTENT_CTL)
  12106. //encoded single CRL
  12107. #define CERT_QUERY_CONTENT_FLAG_CRL \
  12108. ( 1 << CERT_QUERY_CONTENT_CRL)
  12109. //serialized store
  12110. #define CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE \
  12111. ( 1 << CERT_QUERY_CONTENT_SERIALIZED_STORE)
  12112. //serialized single certificate
  12113. #define CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT \
  12114. ( 1 << CERT_QUERY_CONTENT_SERIALIZED_CERT)
  12115. //serialized single CTL
  12116. #define CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL \
  12117. ( 1 << CERT_QUERY_CONTENT_SERIALIZED_CTL)
  12118. //serialized single CRL
  12119. #define CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL \
  12120. ( 1 << CERT_QUERY_CONTENT_SERIALIZED_CRL)
  12121. //an encoded PKCS#7 signed message
  12122. #define CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED \
  12123. ( 1 << CERT_QUERY_CONTENT_PKCS7_SIGNED)
  12124. //an encoded PKCS#7 message. But it is not a signed message
  12125. #define CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED \
  12126. ( 1 << CERT_QUERY_CONTENT_PKCS7_UNSIGNED)
  12127. //the content includes an embedded PKCS7 signed message
  12128. #define CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED \
  12129. ( 1 << CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED)
  12130. //an encoded PKCS#10
  12131. #define CERT_QUERY_CONTENT_FLAG_PKCS10 \
  12132. ( 1 << CERT_QUERY_CONTENT_PKCS10)
  12133. //an encoded PFX BLOB
  12134. #define CERT_QUERY_CONTENT_FLAG_PFX \
  12135. ( 1 << CERT_QUERY_CONTENT_PFX)
  12136. //an encoded CertificatePair (contains forward and/or reverse cross certs)
  12137. #define CERT_QUERY_CONTENT_FLAG_CERT_PAIR \
  12138. ( 1 << CERT_QUERY_CONTENT_CERT_PAIR)
  12139. //content can be any type
  12140. #define CERT_QUERY_CONTENT_FLAG_ALL \
  12141. CERT_QUERY_CONTENT_FLAG_CERT | \
  12142. CERT_QUERY_CONTENT_FLAG_CTL | \
  12143. CERT_QUERY_CONTENT_FLAG_CRL | \
  12144. CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE | \
  12145. CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT | \
  12146. CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL | \
  12147. CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL | \
  12148. CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED | \
  12149. CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED | \
  12150. CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED | \
  12151. CERT_QUERY_CONTENT_FLAG_PKCS10 | \
  12152. CERT_QUERY_CONTENT_FLAG_PFX | \
  12153. CERT_QUERY_CONTENT_FLAG_CERT_PAIR
  12154. //-------------------------------------------------------------------------
  12155. //dwFormatType for CryptQueryObject
  12156. //-------------------------------------------------------------------------
  12157. //the content is in binary format
  12158. #define CERT_QUERY_FORMAT_BINARY 1
  12159. //the content is base64 encoded
  12160. #define CERT_QUERY_FORMAT_BASE64_ENCODED 2
  12161. //the content is ascii hex encoded with "{ASN}" prefix
  12162. #define CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED 3
  12163. //-------------------------------------------------------------------------
  12164. //dwExpectedFormatTypeFlags for CryptQueryObject
  12165. //-------------------------------------------------------------------------
  12166. //the content is in binary format
  12167. #define CERT_QUERY_FORMAT_FLAG_BINARY \
  12168. ( 1 << CERT_QUERY_FORMAT_BINARY)
  12169. //the content is base64 encoded
  12170. #define CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED \
  12171. ( 1 << CERT_QUERY_FORMAT_BASE64_ENCODED)
  12172. //the content is ascii hex encoded with "{ASN}" prefix
  12173. #define CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED \
  12174. ( 1 << CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED)
  12175. //the content can be of any format
  12176. #define CERT_QUERY_FORMAT_FLAG_ALL \
  12177. CERT_QUERY_FORMAT_FLAG_BINARY | \
  12178. CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED | \
  12179. CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED
  12180. //
  12181. // Crypt32 Memory Management Routines. All Crypt32 API which return allocated
  12182. // buffers will do so via CryptMemAlloc, CryptMemRealloc. Clients can free
  12183. // those buffers using CryptMemFree. Also included is CryptMemSize
  12184. //
  12185. WINCRYPT32API
  12186. LPVOID
  12187. WINAPI
  12188. CryptMemAlloc (
  12189. IN ULONG cbSize
  12190. );
  12191. WINCRYPT32API
  12192. LPVOID
  12193. WINAPI
  12194. CryptMemRealloc (
  12195. IN LPVOID pv,
  12196. IN ULONG cbSize
  12197. );
  12198. WINCRYPT32API
  12199. VOID
  12200. WINAPI
  12201. CryptMemFree (
  12202. IN LPVOID pv
  12203. );
  12204. //
  12205. // Crypt32 Asynchronous Parameter Management Routines. All Crypt32 API which
  12206. // expose asynchronous mode operation use a Crypt32 Async Handle to pass
  12207. // around information about the operation e.g. callback routines. The
  12208. // following API are used for manipulation of the async handle
  12209. //
  12210. typedef HANDLE HCRYPTASYNC, *PHCRYPTASYNC;
  12211. typedef VOID (WINAPI *PFN_CRYPT_ASYNC_PARAM_FREE_FUNC) (
  12212. LPSTR pszParamOid,
  12213. LPVOID pvParam
  12214. );
  12215. WINCRYPT32API
  12216. BOOL
  12217. WINAPI
  12218. CryptCreateAsyncHandle (
  12219. IN DWORD dwFlags,
  12220. OUT PHCRYPTASYNC phAsync
  12221. );
  12222. WINCRYPT32API
  12223. BOOL
  12224. WINAPI
  12225. CryptSetAsyncParam (
  12226. IN HCRYPTASYNC hAsync,
  12227. IN LPSTR pszParamOid,
  12228. IN LPVOID pvParam,
  12229. IN OPTIONAL PFN_CRYPT_ASYNC_PARAM_FREE_FUNC pfnFree
  12230. );
  12231. WINCRYPT32API
  12232. BOOL
  12233. WINAPI
  12234. CryptGetAsyncParam (
  12235. IN HCRYPTASYNC hAsync,
  12236. IN LPSTR pszParamOid,
  12237. OUT LPVOID* ppvParam,
  12238. OUT OPTIONAL PFN_CRYPT_ASYNC_PARAM_FREE_FUNC* ppfnFree
  12239. );
  12240. WINCRYPT32API
  12241. BOOL
  12242. WINAPI
  12243. CryptCloseAsyncHandle (
  12244. IN HCRYPTASYNC hAsync
  12245. );
  12246. //
  12247. // Crypt32 Remote Object Retrieval Routines. This API allows retrieval of
  12248. // remote PKI objects where the location is given by an URL. The remote
  12249. // object retrieval manager exposes two provider models. One is the "Scheme
  12250. // Provider" model which allows for installable protocol providers as defined
  12251. // by the URL scheme e.g. ldap, http, ftp. The scheme provider entry point is
  12252. // the same as the CryptRetrieveObjectByUrl however the *ppvObject returned
  12253. // is ALWAYS a counted array of encoded bits (one per object retrieved). The
  12254. // second provider model is the "Context Provider" model which allows for
  12255. // installable creators of CAPI2 context handles (objects) based on the
  12256. // retrieved encoded bits. These are dispatched based on the object OID given
  12257. // in the call to CryptRetrieveObjectByUrl.
  12258. //
  12259. typedef struct _CRYPT_BLOB_ARRAY {
  12260. DWORD cBlob;
  12261. PCRYPT_DATA_BLOB rgBlob;
  12262. } CRYPT_BLOB_ARRAY, *PCRYPT_BLOB_ARRAY;
  12263. typedef struct _CRYPT_CREDENTIALS {
  12264. DWORD cbSize;
  12265. LPCSTR pszCredentialsOid;
  12266. LPVOID pvCredentials;
  12267. } CRYPT_CREDENTIALS, *PCRYPT_CREDENTIALS;
  12268. #define CREDENTIAL_OID_PASSWORD_CREDENTIALS_A ((LPCSTR)1)
  12269. #define CREDENTIAL_OID_PASSWORD_CREDENTIALS_W ((LPCSTR)2)
  12270. #ifdef UNICODE
  12271. #define CREDENTIAL_OID_PASSWORD_CREDENTIALS CREDENTIAL_OID_PASSWORD_CREDENTIALS_W
  12272. #else
  12273. #define CREDENTIAL_OID_PASSWORD_CREDENTIALS CREDENTIAL_OID_PASSWORD_CREDENTIALS_A
  12274. #endif //UNICODE
  12275. typedef struct _CRYPT_PASSWORD_CREDENTIALS% {
  12276. DWORD cbSize;
  12277. LPTSTR% pszUsername;
  12278. LPTSTR% pszPassword;
  12279. } CRYPT_PASSWORD_CREDENTIALS%, *PCRYPT_PASSWORD_CREDENTIALS%;
  12280. //
  12281. // Scheme Provider Signatures
  12282. //
  12283. #define SCHEME_OID_RETRIEVE_ENCODED_OBJECT_FUNC "SchemeDllRetrieveEncodedObject"
  12284. typedef VOID (WINAPI *PFN_FREE_ENCODED_OBJECT_FUNC) (
  12285. LPCSTR pszObjectOid,
  12286. PCRYPT_BLOB_ARRAY pObject,
  12287. LPVOID pvFreeContext
  12288. );
  12289. //
  12290. // SchemeDllRetrieveEncodedObject has the following signature:
  12291. //
  12292. // BOOL WINAPI SchemeDllRetrieveEncodedObject (
  12293. // IN LPCSTR pszUrl,
  12294. // IN LPCSTR pszObjectOid,
  12295. // IN DWORD dwRetrievalFlags,
  12296. // IN DWORD dwTimeout, // milliseconds
  12297. // OUT PCRYPT_BLOB_ARRAY pObject,
  12298. // OUT PFN_FREE_ENCODED_OBJECT_FUNC* ppfnFreeObject,
  12299. // OUT LPVOID* ppvFreeContext,
  12300. // IN HCRYPTASYNC hAsyncRetrieve,
  12301. // IN PCRYPT_CREDENTIALS pCredentials,
  12302. // IN PCRYPT_RETRIEVE_AUX_INFO pAuxInfo
  12303. // )
  12304. //
  12305. //
  12306. // Context Provider Signatures
  12307. //
  12308. #define CONTEXT_OID_CREATE_OBJECT_CONTEXT_FUNC "ContextDllCreateObjectContext"
  12309. #define CONTEXT_OID_CERTIFICATE ((LPCSTR)1)
  12310. #define CONTEXT_OID_CRL ((LPCSTR)2)
  12311. #define CONTEXT_OID_CTL ((LPCSTR)3)
  12312. #define CONTEXT_OID_PKCS7 ((LPCSTR)4)
  12313. #define CONTEXT_OID_CAPI2_ANY ((LPCSTR)5)
  12314. //
  12315. // ContextDllCreateObjectContext has the following signature:
  12316. //
  12317. // BOOL WINAPI ContextDllCreateObjectContext (
  12318. // IN LPCSTR pszObjectOid,
  12319. // IN DWORD dwRetrievalFlags,
  12320. // IN PCRYPT_BLOB_ARRAY pObject,
  12321. // OUT LPVOID* ppvContext
  12322. // )
  12323. //
  12324. //
  12325. // Remote Object Retrieval API
  12326. //
  12327. //
  12328. // Retrieval flags
  12329. //
  12330. #define CRYPT_RETRIEVE_MULTIPLE_OBJECTS 0x00000001
  12331. #define CRYPT_CACHE_ONLY_RETRIEVAL 0x00000002
  12332. #define CRYPT_WIRE_ONLY_RETRIEVAL 0x00000004
  12333. #define CRYPT_DONT_CACHE_RESULT 0x00000008
  12334. #define CRYPT_ASYNC_RETRIEVAL 0x00000010
  12335. #define CRYPT_STICKY_CACHE_RETRIEVAL 0x00001000
  12336. #define CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL 0x00002000
  12337. #define CRYPT_OFFLINE_CHECK_RETRIEVAL 0x00004000
  12338. // When the following flag is set, the following 2 NULL terminated ascii
  12339. // strings are inserted at the beginning of each returned blob:
  12340. // "%d\0%s\0", dwEntryIndex, pszAttribute
  12341. //
  12342. // The first dwEntryIndex is 0, "0\0".
  12343. //
  12344. // When set, pszObjectOid must be NULL, so that a PCRYPT_BLOB_ARRAY is returned.
  12345. #define CRYPT_LDAP_INSERT_ENTRY_ATTRIBUTE 0x00008000
  12346. // Set this flag to digitally sign all of the ldap traffic to and from a
  12347. // Windows 2000 LDAP server using the Kerberos authentication protocol.
  12348. // This feature provides integrity required by some applications.
  12349. #define CRYPT_LDAP_SIGN_RETRIEVAL 0x00010000
  12350. // Set this flag to inhibit automatic authentication handling. See the
  12351. // wininet flag, INTERNET_FLAG_NO_AUTH, for more details.
  12352. #define CRYPT_NO_AUTH_RETRIEVAL 0x00020000
  12353. // Performs an A-Record only DNS lookup on the supplied host string.
  12354. // This prevents bogus DNS queries from being generated when resolving host
  12355. // names. Use this flag whenever passing a hostname as opposed to a
  12356. // domain name for the hostname parameter.
  12357. //
  12358. // See LDAP_OPT_AREC_EXCLUSIVE defined in winldap.h for more details.
  12359. #define CRYPT_LDAP_AREC_EXCLUSIVE_RETRIEVAL 0x00040000
  12360. //
  12361. // Data verification retrieval flags
  12362. //
  12363. // CRYPT_VERIFY_CONTEXT_SIGNATURE is used to get signature verification
  12364. // on the context created. In this case pszObjectOid must be non-NULL and
  12365. // pvVerify points to the signer certificate context
  12366. //
  12367. // CRYPT_VERIFY_DATA_HASH is used to get verification of the blob data
  12368. // retrieved by the protocol. The pvVerify points to an URL_DATA_HASH
  12369. // structure (TBD)
  12370. //
  12371. #define CRYPT_VERIFY_CONTEXT_SIGNATURE 0x00000020
  12372. #define CRYPT_VERIFY_DATA_HASH 0x00000040
  12373. //
  12374. // Time Valid Object flags
  12375. //
  12376. #define CRYPT_KEEP_TIME_VALID 0x00000080
  12377. #define CRYPT_DONT_VERIFY_SIGNATURE 0x00000100
  12378. #define CRYPT_DONT_CHECK_TIME_VALIDITY 0x00000200
  12379. // The default checks if ftNextUpdate >= ftValidFor. Set this flag to
  12380. // check if ftThisUpdate >= ftValidFor.
  12381. #define CRYPT_CHECK_FRESHNESS_TIME_VALIDITY 0x00000400
  12382. #define CRYPT_ACCUMULATIVE_TIMEOUT 0x00000800
  12383. typedef struct _CRYPT_RETRIEVE_AUX_INFO {
  12384. DWORD cbSize;
  12385. FILETIME *pLastSyncTime;
  12386. } CRYPT_RETRIEVE_AUX_INFO, *PCRYPT_RETRIEVE_AUX_INFO;
  12387. WINCRYPT32API
  12388. BOOL
  12389. WINAPI
  12390. CryptRetrieveObjectByUrl% (
  12391. IN LPCTSTR% pszUrl,
  12392. IN LPCSTR pszObjectOid,
  12393. IN DWORD dwRetrievalFlags,
  12394. IN DWORD dwTimeout, // milliseconds
  12395. OUT LPVOID* ppvObject,
  12396. IN HCRYPTASYNC hAsyncRetrieve,
  12397. IN OPTIONAL PCRYPT_CREDENTIALS pCredentials,
  12398. IN OPTIONAL LPVOID pvVerify,
  12399. IN OPTIONAL PCRYPT_RETRIEVE_AUX_INFO pAuxInfo
  12400. );
  12401. //
  12402. // Call back function to cancel object retrieval
  12403. //
  12404. // The function can be installed on a per thread basis.
  12405. // If CryptInstallCancelRetrieval is called for multiple times, only the most recent
  12406. // installation will be kept.
  12407. //
  12408. // This is only effective for http, https, gopher, and ftp protocol.
  12409. // It is ignored by the rest of the protocols.
  12410. typedef BOOL (WINAPI *PFN_CRYPT_CANCEL_RETRIEVAL)(
  12411. IN DWORD dwFlags,
  12412. IN void *pvArg
  12413. );
  12414. //
  12415. // PFN_CRYPT_CANCEL_RETRIEVAL
  12416. //
  12417. // This function should return FALSE when the object retrieval should be continued
  12418. // and return TRUE when the object retrieval should be cancelled.
  12419. //
  12420. WINCRYPT32API
  12421. BOOL
  12422. WINAPI
  12423. CryptInstallCancelRetrieval(
  12424. IN PFN_CRYPT_CANCEL_RETRIEVAL pfnCancel,
  12425. IN const void *pvArg,
  12426. IN DWORD dwFlags,
  12427. IN void *pvReserved
  12428. );
  12429. WINCRYPT32API
  12430. BOOL
  12431. WINAPI
  12432. CryptUninstallCancelRetrieval(
  12433. IN DWORD dwFlags,
  12434. IN void *pvReserved
  12435. );
  12436. WINCRYPT32API
  12437. BOOL
  12438. WINAPI
  12439. CryptCancelAsyncRetrieval (
  12440. HCRYPTASYNC hAsyncRetrieval
  12441. );
  12442. //
  12443. // Remote Object Async Retrieval parameters
  12444. //
  12445. //
  12446. // A client that wants to be notified of asynchronous object retrieval
  12447. // completion sets this parameter on the async handle
  12448. //
  12449. #define CRYPT_PARAM_ASYNC_RETRIEVAL_COMPLETION ((LPCSTR)1)
  12450. typedef VOID (WINAPI *PFN_CRYPT_ASYNC_RETRIEVAL_COMPLETION_FUNC) (
  12451. IN LPVOID pvCompletion,
  12452. IN DWORD dwCompletionCode,
  12453. IN LPCSTR pszUrl,
  12454. IN LPSTR pszObjectOid,
  12455. IN LPVOID pvObject
  12456. );
  12457. typedef struct _CRYPT_ASYNC_RETRIEVAL_COMPLETION {
  12458. PFN_CRYPT_ASYNC_RETRIEVAL_COMPLETION_FUNC pfnCompletion;
  12459. LPVOID pvCompletion;
  12460. } CRYPT_ASYNC_RETRIEVAL_COMPLETION, *PCRYPT_ASYNC_RETRIEVAL_COMPLETION;
  12461. //
  12462. // This function is set on the async handle by a scheme provider that
  12463. // supports asynchronous retrieval
  12464. //
  12465. #define CRYPT_PARAM_CANCEL_ASYNC_RETRIEVAL ((LPCSTR)2)
  12466. typedef BOOL (WINAPI *PFN_CANCEL_ASYNC_RETRIEVAL_FUNC) (
  12467. HCRYPTASYNC hAsyncRetrieve
  12468. );
  12469. //
  12470. // Get the locator for a CAPI object
  12471. //
  12472. #define CRYPT_GET_URL_FROM_PROPERTY 0x00000001
  12473. #define CRYPT_GET_URL_FROM_EXTENSION 0x00000002
  12474. #define CRYPT_GET_URL_FROM_UNAUTH_ATTRIBUTE 0x00000004
  12475. #define CRYPT_GET_URL_FROM_AUTH_ATTRIBUTE 0x00000008
  12476. typedef struct _CRYPT_URL_ARRAY {
  12477. DWORD cUrl;
  12478. LPWSTR* rgwszUrl;
  12479. } CRYPT_URL_ARRAY, *PCRYPT_URL_ARRAY;
  12480. typedef struct _CRYPT_URL_INFO {
  12481. DWORD cbSize;
  12482. // Seconds between syncs
  12483. DWORD dwSyncDeltaTime;
  12484. // Returned URLs may be grouped. For instance, groups of cross cert
  12485. // distribution points. Each distribution point may have multiple
  12486. // URLs, (LDAP and HTTP scheme).
  12487. DWORD cGroup;
  12488. DWORD *rgcGroupEntry;
  12489. } CRYPT_URL_INFO, *PCRYPT_URL_INFO;
  12490. WINCRYPT32API
  12491. BOOL
  12492. WINAPI
  12493. CryptGetObjectUrl (
  12494. IN LPCSTR pszUrlOid,
  12495. IN LPVOID pvPara,
  12496. IN DWORD dwFlags,
  12497. OUT OPTIONAL PCRYPT_URL_ARRAY pUrlArray,
  12498. IN OUT DWORD* pcbUrlArray,
  12499. OUT OPTIONAL PCRYPT_URL_INFO pUrlInfo,
  12500. IN OUT OPTIONAL DWORD* pcbUrlInfo,
  12501. IN OPTIONAL LPVOID pvReserved
  12502. );
  12503. #define URL_OID_GET_OBJECT_URL_FUNC "UrlDllGetObjectUrl"
  12504. //
  12505. // UrlDllGetObjectUrl has the same signature as CryptGetObjectUrl
  12506. //
  12507. //
  12508. // URL_OID_CERTIFICATE_ISSUER
  12509. //
  12510. // pvPara == PCCERT_CONTEXT, certificate whose issuer's URL is being requested
  12511. //
  12512. // This will be retrieved from the authority info access extension or property
  12513. // on the certificate
  12514. //
  12515. // URL_OID_CERTIFICATE_CRL_DIST_POINT
  12516. //
  12517. // pvPara == PCCERT_CONTEXT, certificate whose CRL distribution point is being
  12518. // requested
  12519. //
  12520. // This will be retrieved from the CRL distribution point extension or property
  12521. // on the certificate
  12522. //
  12523. // URL_OID_CTL_ISSUER
  12524. //
  12525. // pvPara == PCCTL_CONTEXT, Signer Index, CTL whose issuer's URL (identified
  12526. // by the signer index) is being requested
  12527. //
  12528. // This will be retrieved from an authority info access attribute method encoded
  12529. // in each signer info in the PKCS7 (CTL)
  12530. //
  12531. // URL_OID_CTL_NEXT_UPDATE
  12532. //
  12533. // pvPara == PCCTL_CONTEXT, Signer Index, CTL whose next update URL is being
  12534. // requested and an optional signer index in case we need to check signer
  12535. // info attributes
  12536. //
  12537. // This will be retrieved from an authority info access CTL extension, property,
  12538. // or signer info attribute method
  12539. //
  12540. // URL_OID_CRL_ISSUER
  12541. //
  12542. // pvPara == PCCRL_CONTEXT, CRL whose issuer's URL is being requested
  12543. //
  12544. // This will be retrieved from a property on the CRL which has been inherited
  12545. // from the subject cert (either from the subject cert issuer or the subject
  12546. // cert distribution point extension). It will be encoded as an authority
  12547. // info access extension method.
  12548. //
  12549. // URL_OID_CERTIFICATE_FRESHEST_CRL
  12550. //
  12551. // pvPara == PCCERT_CONTEXT, certificate whose freshest CRL distribution point
  12552. // is being requested
  12553. //
  12554. // This will be retrieved from the freshest CRL extension or property
  12555. // on the certificate
  12556. //
  12557. // URL_OID_CRL_FRESHEST_CRL
  12558. //
  12559. // pvPara == PCCERT_CRL_CONTEXT_PAIR, certificate's base CRL whose
  12560. // freshest CRL distribution point is being requested
  12561. //
  12562. // This will be retrieved from the freshest CRL extension or property
  12563. // on the CRL
  12564. //
  12565. // URL_OID_CROSS_CERT_DIST_POINT
  12566. //
  12567. // pvPara == PCCERT_CONTEXT, certificate whose cross certificate distribution
  12568. // point is being requested
  12569. //
  12570. // This will be retrieved from the cross certificate distribution point
  12571. // extension or property on the certificate
  12572. //
  12573. #define URL_OID_CERTIFICATE_ISSUER ((LPCSTR)1)
  12574. #define URL_OID_CERTIFICATE_CRL_DIST_POINT ((LPCSTR)2)
  12575. #define URL_OID_CTL_ISSUER ((LPCSTR)3)
  12576. #define URL_OID_CTL_NEXT_UPDATE ((LPCSTR)4)
  12577. #define URL_OID_CRL_ISSUER ((LPCSTR)5)
  12578. #define URL_OID_CERTIFICATE_FRESHEST_CRL ((LPCSTR)6)
  12579. #define URL_OID_CRL_FRESHEST_CRL ((LPCSTR)7)
  12580. #define URL_OID_CROSS_CERT_DIST_POINT ((LPCSTR)8)
  12581. typedef struct _CERT_CRL_CONTEXT_PAIR {
  12582. PCCERT_CONTEXT pCertContext;
  12583. PCCRL_CONTEXT pCrlContext;
  12584. } CERT_CRL_CONTEXT_PAIR, *PCERT_CRL_CONTEXT_PAIR;
  12585. typedef const CERT_CRL_CONTEXT_PAIR *PCCERT_CRL_CONTEXT_PAIR;
  12586. //
  12587. // Get a time valid CAPI2 object
  12588. //
  12589. WINCRYPT32API
  12590. BOOL
  12591. WINAPI
  12592. CryptGetTimeValidObject (
  12593. IN LPCSTR pszTimeValidOid,
  12594. IN LPVOID pvPara,
  12595. IN PCCERT_CONTEXT pIssuer,
  12596. IN OPTIONAL LPFILETIME pftValidFor,
  12597. IN DWORD dwFlags,
  12598. IN DWORD dwTimeout, // milliseconds
  12599. OUT OPTIONAL LPVOID* ppvObject,
  12600. IN OPTIONAL PCRYPT_CREDENTIALS pCredentials,
  12601. IN OPTIONAL LPVOID pvReserved
  12602. );
  12603. #define TIME_VALID_OID_GET_OBJECT_FUNC "TimeValidDllGetObject"
  12604. //
  12605. // TimeValidDllGetObject has the same signature as CryptGetTimeValidObject
  12606. //
  12607. //
  12608. // TIME_VALID_OID_GET_CTL
  12609. //
  12610. // pvPara == PCCTL_CONTEXT, the current CTL
  12611. //
  12612. // TIME_VALID_OID_GET_CRL
  12613. //
  12614. // pvPara == PCCRL_CONTEXT, the current CRL
  12615. //
  12616. // TIME_VALID_OID_GET_CRL_FROM_CERT
  12617. //
  12618. // pvPara == PCCERT_CONTEXT, the subject cert
  12619. //
  12620. // TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CERT
  12621. //
  12622. // pvPara == PCCERT_CONTEXT, the subject cert
  12623. //
  12624. // TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CRL
  12625. //
  12626. // pvPara == PCCERT_CRL_CONTEXT_PAIR, the subject cert and its base CRL
  12627. //
  12628. #define TIME_VALID_OID_GET_CTL ((LPCSTR)1)
  12629. #define TIME_VALID_OID_GET_CRL ((LPCSTR)2)
  12630. #define TIME_VALID_OID_GET_CRL_FROM_CERT ((LPCSTR)3)
  12631. #define TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CERT ((LPCSTR)4)
  12632. #define TIME_VALID_OID_GET_FRESHEST_CRL_FROM_CRL ((LPCSTR)5)
  12633. WINCRYPT32API
  12634. BOOL
  12635. WINAPI
  12636. CryptFlushTimeValidObject (
  12637. IN LPCSTR pszFlushTimeValidOid,
  12638. IN LPVOID pvPara,
  12639. IN PCCERT_CONTEXT pIssuer,
  12640. IN DWORD dwFlags,
  12641. IN LPVOID pvReserved
  12642. );
  12643. #define TIME_VALID_OID_FLUSH_OBJECT_FUNC "TimeValidDllFlushObject"
  12644. //
  12645. // TimeValidDllFlushObject has the same signature as CryptFlushTimeValidObject
  12646. //
  12647. //
  12648. // TIME_VALID_OID_FLUSH_CTL
  12649. //
  12650. // pvPara == PCCTL_CONTEXT, the CTL to flush
  12651. //
  12652. // TIME_VALID_OID_FLUSH_CRL
  12653. //
  12654. // pvPara == PCCRL_CONTEXT, the CRL to flush
  12655. //
  12656. // TIME_VALID_OID_FLUSH_CRL_FROM_CERT
  12657. //
  12658. // pvPara == PCCERT_CONTEXT, the subject cert's CRL to flush
  12659. //
  12660. // TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CERT
  12661. //
  12662. // pvPara == PCCERT_CONTEXT, the subject cert's freshest CRL to flush
  12663. //
  12664. // TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CRL
  12665. //
  12666. // pvPara == PCCERT_CRL_CONTEXT_PAIR, the subject cert and its base CRL's
  12667. // freshest CRL to flush
  12668. //
  12669. #define TIME_VALID_OID_FLUSH_CTL ((LPCSTR)1)
  12670. #define TIME_VALID_OID_FLUSH_CRL ((LPCSTR)2)
  12671. #define TIME_VALID_OID_FLUSH_CRL_FROM_CERT ((LPCSTR)3)
  12672. #define TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CERT ((LPCSTR)4)
  12673. #define TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CRL ((LPCSTR)5)
  12674. //-------------------------------------------------------------------------
  12675. // Data Protection APIs
  12676. //-------------------------------------------------------------------------
  12677. //
  12678. // Data protection APIs enable applications to easily secure data.
  12679. //
  12680. // The base provider provides protection based on the users' logon
  12681. // credentials. The data secured with these APIs follow the same
  12682. // roaming characteristics as HKCU -- if HKCU roams, the data
  12683. // protected by the base provider may roam as well. This makes
  12684. // the API ideal for the munging of data stored in the registry.
  12685. //
  12686. //
  12687. // Prompt struct -- what to tell users about the access
  12688. //
  12689. typedef struct _CRYPTPROTECT_PROMPTSTRUCT
  12690. {
  12691. DWORD cbSize;
  12692. DWORD dwPromptFlags;
  12693. HWND hwndApp;
  12694. LPCWSTR szPrompt;
  12695. } CRYPTPROTECT_PROMPTSTRUCT, *PCRYPTPROTECT_PROMPTSTRUCT;
  12696. //
  12697. // base provider action
  12698. //
  12699. #define CRYPTPROTECT_DEFAULT_PROVIDER { 0xdf9d8cd0, 0x1501, 0x11d1, {0x8c, 0x7a, 0x00, 0xc0, 0x4f, 0xc2, 0x97, 0xeb} }
  12700. //
  12701. // CryptProtect PromptStruct dwPromtFlags
  12702. //
  12703. //
  12704. // prompt on unprotect
  12705. #define CRYPTPROTECT_PROMPT_ON_UNPROTECT 0x1 // 1<<0
  12706. //
  12707. // prompt on protect
  12708. #define CRYPTPROTECT_PROMPT_ON_PROTECT 0x2 // 1<<1
  12709. #define CRYPTPROTECT_PROMPT_RESERVED 0x04 // reserved, do not use.
  12710. //
  12711. // default to strong variant UI protection (user supplied password currently).
  12712. #define CRYPTPROTECT_PROMPT_STRONG 0x08 // 1<<3
  12713. //
  12714. // require strong variant UI protection (user supplied password currently).
  12715. #define CRYPTPROTECT_PROMPT_REQUIRE_STRONG 0x10 // 1<<4
  12716. //
  12717. // CryptProtectData and CryptUnprotectData dwFlags
  12718. //
  12719. // for remote-access situations where ui is not an option
  12720. // if UI was specified on protect or unprotect operation, the call
  12721. // will fail and GetLastError() will indicate ERROR_PASSWORD_RESTRICTION
  12722. #define CRYPTPROTECT_UI_FORBIDDEN 0x1
  12723. //
  12724. // per machine protected data -- any user on machine where CryptProtectData
  12725. // took place may CryptUnprotectData
  12726. #define CRYPTPROTECT_LOCAL_MACHINE 0x4
  12727. //
  12728. // force credential synchronize during CryptProtectData()
  12729. // Synchronize is only operation that occurs during this operation
  12730. #define CRYPTPROTECT_CRED_SYNC 0x8
  12731. //
  12732. // Generate an Audit on protect and unprotect operations
  12733. //
  12734. #define CRYPTPROTECT_AUDIT 0x10
  12735. //
  12736. // Protect data with a non-recoverable key
  12737. //
  12738. #define CRYPTPROTECT_NO_RECOVERY 0x20
  12739. //
  12740. // Verify the protection of a protected blob
  12741. //
  12742. #define CRYPTPROTECT_VERIFY_PROTECTION 0x40
  12743. //
  12744. // Regenerate the local machine protection
  12745. //
  12746. #define CRYPTPROTECT_CRED_REGENERATE 0x80
  12747. // flags reserved for system use
  12748. #define CRYPTPROTECT_FIRST_RESERVED_FLAGVAL 0x0FFFFFFF
  12749. #define CRYPTPROTECT_LAST_RESERVED_FLAGVAL 0xFFFFFFFF
  12750. //
  12751. // flags specific to base provider
  12752. //
  12753. WINCRYPT32API
  12754. BOOL
  12755. WINAPI
  12756. CryptProtectData(
  12757. IN DATA_BLOB* pDataIn,
  12758. IN LPCWSTR szDataDescr,
  12759. IN OPTIONAL DATA_BLOB* pOptionalEntropy,
  12760. IN PVOID pvReserved,
  12761. IN OPTIONAL CRYPTPROTECT_PROMPTSTRUCT* pPromptStruct,
  12762. IN DWORD dwFlags,
  12763. OUT DATA_BLOB* pDataOut // out encr blob
  12764. );
  12765. WINCRYPT32API
  12766. BOOL
  12767. WINAPI
  12768. CryptUnprotectData(
  12769. IN DATA_BLOB* pDataIn, // in encr blob
  12770. OUT OPTIONAL LPWSTR* ppszDataDescr, // out
  12771. IN OPTIONAL DATA_BLOB* pOptionalEntropy,
  12772. IN PVOID pvReserved,
  12773. IN OPTIONAL CRYPTPROTECT_PROMPTSTRUCT* pPromptStruct,
  12774. IN DWORD dwFlags,
  12775. OUT DATA_BLOB* pDataOut
  12776. );
  12777. //+=========================================================================
  12778. // Helper functions to build certificates
  12779. //==========================================================================
  12780. //+-------------------------------------------------------------------------
  12781. //
  12782. // Builds a self-signed certificate and returns a PCCERT_CONTEXT representing
  12783. // the certificate. A hProv must be specified to build the cert context.
  12784. //
  12785. // pSubjectIssuerBlob is the DN for the certifcate. If an alternate subject
  12786. // name is desired it must be specified as an extension in the pExtensions
  12787. // parameter. pSubjectIssuerBlob can NOT be NULL, so minimually an empty DN
  12788. // must be specified.
  12789. //
  12790. // By default:
  12791. // pKeyProvInfo - The CSP is queried for the KeyProvInfo parameters. Only the Provider,
  12792. // Provider Type and Container is queried. Many CSPs don't support these
  12793. // queries and will cause a failure. In such cases the pKeyProvInfo
  12794. // must be specified (RSA BASE works fine).
  12795. //
  12796. // pSignatureAlgorithm - will default to SHA1RSA
  12797. // pStartTime will default to the current time
  12798. // pEndTime will default to 1 year
  12799. // pEntensions will be empty.
  12800. //
  12801. // The returned PCCERT_CONTEXT will reference the private keys by setting the
  12802. // CERT_KEY_PROV_INFO_PROP_ID. However, if this property is not desired specify the
  12803. // CERT_CREATE_SELFSIGN_NO_KEY_INFO in dwFlags.
  12804. //
  12805. // If the cert being built is only a dummy placeholder cert for speed it may not
  12806. // need to be signed. Signing of the cert is skipped if CERT_CREATE_SELFSIGN_NO_SIGN
  12807. // is specified in dwFlags.
  12808. //
  12809. //--------------------------------------------------------------------------
  12810. WINCRYPT32API
  12811. PCCERT_CONTEXT
  12812. WINAPI
  12813. CertCreateSelfSignCertificate(
  12814. IN HCRYPTPROV hProv,
  12815. IN PCERT_NAME_BLOB pSubjectIssuerBlob,
  12816. IN DWORD dwFlags,
  12817. OPTIONAL PCRYPT_KEY_PROV_INFO pKeyProvInfo,
  12818. OPTIONAL PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
  12819. OPTIONAL PSYSTEMTIME pStartTime,
  12820. OPTIONAL PSYSTEMTIME pEndTime,
  12821. OPTIONAL PCERT_EXTENSIONS pExtensions
  12822. );
  12823. #define CERT_CREATE_SELFSIGN_NO_SIGN 1
  12824. #define CERT_CREATE_SELFSIGN_NO_KEY_INFO 2
  12825. //+=========================================================================
  12826. // Key Identifier Property Data Structures and APIs
  12827. //==========================================================================
  12828. //+-------------------------------------------------------------------------
  12829. // Get the property for the specified Key Identifier.
  12830. //
  12831. // The Key Identifier is the SHA1 hash of the encoded CERT_PUBLIC_KEY_INFO.
  12832. // The Key Identifier for a certificate can be obtained by getting the
  12833. // certificate's CERT_KEY_IDENTIFIER_PROP_ID. The
  12834. // CryptCreateKeyIdentifierFromCSP API can be called to create the Key
  12835. // Identifier from a CSP Public Key Blob.
  12836. //
  12837. // A Key Identifier can have the same properties as a certificate context.
  12838. // CERT_KEY_PROV_INFO_PROP_ID is the property of most interest.
  12839. // For CERT_KEY_PROV_INFO_PROP_ID, pvData points to a CRYPT_KEY_PROV_INFO
  12840. // structure. Elements pointed to by fields in the pvData structure follow the
  12841. // structure. Therefore, *pcbData will exceed the size of the structure.
  12842. //
  12843. // If CRYPT_KEYID_ALLOC_FLAG is set, then, *pvData is updated with a
  12844. // pointer to allocated memory. LocalFree() must be called to free the
  12845. // allocated memory.
  12846. //
  12847. // By default, searches the CurrentUser's list of Key Identifiers.
  12848. // CRYPT_KEYID_MACHINE_FLAG can be set to search the LocalMachine's list
  12849. // of Key Identifiers. When CRYPT_KEYID_MACHINE_FLAG is set, pwszComputerName
  12850. // can also be set to specify the name of a remote computer to be searched
  12851. // instead of the local machine.
  12852. //--------------------------------------------------------------------------
  12853. WINCRYPT32API
  12854. BOOL
  12855. WINAPI
  12856. CryptGetKeyIdentifierProperty(
  12857. IN const CRYPT_HASH_BLOB *pKeyIdentifier,
  12858. IN DWORD dwPropId,
  12859. IN DWORD dwFlags,
  12860. IN OPTIONAL LPCWSTR pwszComputerName,
  12861. IN OPTIONAL void *pvReserved,
  12862. OUT void *pvData,
  12863. IN OUT DWORD *pcbData
  12864. );
  12865. // When the following flag is set, searches the LocalMachine instead of the
  12866. // CurrentUser. This flag is applicable to all the KeyIdentifierProperty APIs.
  12867. #define CRYPT_KEYID_MACHINE_FLAG 0x00000020
  12868. // When the following flag is set, *pvData is updated with a pointer to
  12869. // allocated memory. LocalFree() must be called to free the allocated memory.
  12870. #define CRYPT_KEYID_ALLOC_FLAG 0x00008000
  12871. //+-------------------------------------------------------------------------
  12872. // Set the property for the specified Key Identifier.
  12873. //
  12874. // For CERT_KEY_PROV_INFO_PROP_ID pvData points to the
  12875. // CRYPT_KEY_PROV_INFO data structure. For all other properties, pvData
  12876. // points to a CRYPT_DATA_BLOB.
  12877. //
  12878. // Setting pvData == NULL, deletes the property.
  12879. //
  12880. // Set CRYPT_KEYID_MACHINE_FLAG to set the property for a LocalMachine
  12881. // Key Identifier. Set pwszComputerName, to select a remote computer.
  12882. //
  12883. // If CRYPT_KEYID_DELETE_FLAG is set, the Key Identifier and all its
  12884. // properties is deleted.
  12885. //
  12886. // If CRYPT_KEYID_SET_NEW_FLAG is set, the set fails if the property already
  12887. // exists. For an existing property, FALSE is returned with LastError set to
  12888. // CRYPT_E_EXISTS.
  12889. //--------------------------------------------------------------------------
  12890. WINCRYPT32API
  12891. BOOL
  12892. WINAPI
  12893. CryptSetKeyIdentifierProperty(
  12894. IN const CRYPT_HASH_BLOB *pKeyIdentifier,
  12895. IN DWORD dwPropId,
  12896. IN DWORD dwFlags,
  12897. IN OPTIONAL LPCWSTR pwszComputerName,
  12898. IN OPTIONAL void *pvReserved,
  12899. IN const void *pvData
  12900. );
  12901. // When the following flag is set, the Key Identifier and all its properties
  12902. // are deleted.
  12903. #define CRYPT_KEYID_DELETE_FLAG 0x00000010
  12904. // When the following flag is set, the set fails if the property already
  12905. // exists.
  12906. #define CRYPT_KEYID_SET_NEW_FLAG 0x00002000
  12907. //+-------------------------------------------------------------------------
  12908. // For CERT_KEY_PROV_INFO_PROP_ID, rgppvData[] points to a
  12909. // CRYPT_KEY_PROV_INFO.
  12910. //
  12911. // Return FALSE to stop the enumeration.
  12912. //--------------------------------------------------------------------------
  12913. typedef BOOL (WINAPI *PFN_CRYPT_ENUM_KEYID_PROP)(
  12914. IN const CRYPT_HASH_BLOB *pKeyIdentifier,
  12915. IN DWORD dwFlags,
  12916. IN void *pvReserved,
  12917. IN void *pvArg,
  12918. IN DWORD cProp,
  12919. IN DWORD *rgdwPropId,
  12920. IN void **rgpvData,
  12921. IN DWORD *rgcbData
  12922. );
  12923. //+-------------------------------------------------------------------------
  12924. // Enumerate the Key Identifiers.
  12925. //
  12926. // If pKeyIdentifier is NULL, enumerates all Key Identifers. Otherwise,
  12927. // calls the callback for the specified KeyIdentifier. If dwPropId is
  12928. // 0, calls the callback with all the properties. Otherwise, only calls
  12929. // the callback with the specified property (cProp = 1).
  12930. // Furthermore, when dwPropId is specified, skips KeyIdentifiers not
  12931. // having the property.
  12932. //
  12933. // Set CRYPT_KEYID_MACHINE_FLAG to enumerate the LocalMachine
  12934. // Key Identifiers. Set pwszComputerName, to enumerate Key Identifiers on
  12935. // a remote computer.
  12936. //--------------------------------------------------------------------------
  12937. WINCRYPT32API
  12938. BOOL
  12939. WINAPI
  12940. CryptEnumKeyIdentifierProperties(
  12941. IN OPTIONAL const CRYPT_HASH_BLOB *pKeyIdentifier,
  12942. IN DWORD dwPropId,
  12943. IN DWORD dwFlags,
  12944. IN OPTIONAL LPCWSTR pwszComputerName,
  12945. IN OPTIONAL void *pvReserved,
  12946. IN OPTIONAL void *pvArg,
  12947. IN PFN_CRYPT_ENUM_KEYID_PROP pfnEnum
  12948. );
  12949. //+-------------------------------------------------------------------------
  12950. // Create a KeyIdentifier from the CSP Public Key Blob.
  12951. //
  12952. // Converts the CSP PUBLICKEYSTRUC into a X.509 CERT_PUBLIC_KEY_INFO and
  12953. // encodes. The encoded CERT_PUBLIC_KEY_INFO is SHA1 hashed to obtain
  12954. // the Key Identifier.
  12955. //
  12956. // By default, the pPubKeyStruc->aiKeyAlg is used to find the appropriate
  12957. // public key Object Identifier. pszPubKeyOID can be set to override
  12958. // the default OID obtained from the aiKeyAlg.
  12959. //--------------------------------------------------------------------------
  12960. WINCRYPT32API
  12961. BOOL
  12962. WINAPI
  12963. CryptCreateKeyIdentifierFromCSP(
  12964. IN DWORD dwCertEncodingType,
  12965. IN OPTIONAL LPCSTR pszPubKeyOID,
  12966. IN const PUBLICKEYSTRUC *pPubKeyStruc,
  12967. IN DWORD cbPubKeyStruc,
  12968. IN DWORD dwFlags,
  12969. IN OPTIONAL void *pvReserved,
  12970. OUT BYTE *pbHash,
  12971. IN OUT DWORD *pcbHash
  12972. );
  12973. //+=========================================================================
  12974. // Certificate Chaining Infrastructure
  12975. //==========================================================================
  12976. //
  12977. // The chain engine defines the store namespace and cache partitioning for
  12978. // the Certificate Chaining infrastructure. A default chain engine
  12979. // is defined for the process which uses all default system stores e.g.
  12980. // Root, CA, Trust, for chain building and caching. If an application
  12981. // wishes to define its own store namespace or have its own partitioned
  12982. // cache then it can create its own chain engine. It is advisable to create
  12983. // a chain engine at application startup and use it throughout the lifetime
  12984. // of the application in order to get optimal caching behavior
  12985. //
  12986. typedef HANDLE HCERTCHAINENGINE;
  12987. #define HCCE_CURRENT_USER ((HCERTCHAINENGINE)NULL)
  12988. #define HCCE_LOCAL_MACHINE ((HCERTCHAINENGINE)0x1)
  12989. //
  12990. // Create a certificate chain engine.
  12991. //
  12992. //
  12993. // Configuration parameters for the certificate chain engine
  12994. //
  12995. // hRestrictedRoot - restrict the root store (must be a subset of "Root")
  12996. //
  12997. // hRestrictedTrust - restrict the store for CTLs
  12998. //
  12999. // hRestrictedOther - restrict the store for certs and CRLs
  13000. //
  13001. // cAdditionalStore, rghAdditionalStore - additional stores
  13002. //
  13003. // NOTE: The algorithm used to define the stores for the engine is as
  13004. // follows:
  13005. //
  13006. // hRoot = hRestrictedRoot or System Store "Root"
  13007. //
  13008. // hTrust = hRestrictedTrust or hWorld (defined later)
  13009. //
  13010. // hOther = hRestrictedOther or (hRestrictedTrust == NULL) ? hWorld :
  13011. // hRestrictedTrust + hWorld
  13012. //
  13013. // hWorld = hRoot + "CA" + "My" + "Trust" + rghAdditionalStore
  13014. //
  13015. // dwFlags - flags
  13016. //
  13017. // CERT_CHAIN_CACHE_END_CERT - information will be cached on
  13018. // the end cert as well as the other
  13019. // certs in the chain
  13020. //
  13021. // CERT_CHAIN_THREAD_STORE_SYNC - use separate thread for store syncs
  13022. // and related cache updates
  13023. //
  13024. // CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL - don't hit the wire to get
  13025. // URL based objects
  13026. //
  13027. // dwUrlRetrievalTimeout - timeout for wire based URL object retrievals
  13028. // (milliseconds)
  13029. //
  13030. #define CERT_CHAIN_CACHE_END_CERT 0x00000001
  13031. #define CERT_CHAIN_THREAD_STORE_SYNC 0x00000002
  13032. #define CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL 0x00000004
  13033. #define CERT_CHAIN_USE_LOCAL_MACHINE_STORE 0x00000008
  13034. #define CERT_CHAIN_ENABLE_CACHE_AUTO_UPDATE 0x00000010
  13035. #define CERT_CHAIN_ENABLE_SHARE_STORE 0x00000020
  13036. typedef struct _CERT_CHAIN_ENGINE_CONFIG {
  13037. DWORD cbSize;
  13038. HCERTSTORE hRestrictedRoot;
  13039. HCERTSTORE hRestrictedTrust;
  13040. HCERTSTORE hRestrictedOther;
  13041. DWORD cAdditionalStore;
  13042. HCERTSTORE* rghAdditionalStore;
  13043. DWORD dwFlags;
  13044. DWORD dwUrlRetrievalTimeout; // milliseconds
  13045. DWORD MaximumCachedCertificates;
  13046. DWORD CycleDetectionModulus;
  13047. } CERT_CHAIN_ENGINE_CONFIG, *PCERT_CHAIN_ENGINE_CONFIG;
  13048. WINCRYPT32API
  13049. BOOL
  13050. WINAPI
  13051. CertCreateCertificateChainEngine (
  13052. IN PCERT_CHAIN_ENGINE_CONFIG pConfig,
  13053. OUT HCERTCHAINENGINE* phChainEngine
  13054. );
  13055. //
  13056. // Free a certificate trust engine
  13057. //
  13058. WINCRYPT32API
  13059. VOID
  13060. WINAPI
  13061. CertFreeCertificateChainEngine (
  13062. IN HCERTCHAINENGINE hChainEngine
  13063. );
  13064. //
  13065. // Resync the certificate chain engine. This resync's the stores backing
  13066. // the engine and updates the engine caches.
  13067. //
  13068. WINCRYPT32API
  13069. BOOL
  13070. WINAPI
  13071. CertResyncCertificateChainEngine (
  13072. IN HCERTCHAINENGINE hChainEngine
  13073. );
  13074. //
  13075. // When an application requests a certificate chain, the data structure
  13076. // returned is in the form of a CERT_CHAIN_CONTEXT. This contains
  13077. // an array of CERT_SIMPLE_CHAIN where each simple chain goes from
  13078. // an end cert to a self signed cert and the chain context connects simple
  13079. // chains via trust lists. Each simple chain contains the chain of
  13080. // certificates, summary trust information about the chain and trust information
  13081. // about each certificate element in the chain.
  13082. //
  13083. //
  13084. // Trust status bits
  13085. //
  13086. typedef struct _CERT_TRUST_STATUS {
  13087. DWORD dwErrorStatus;
  13088. DWORD dwInfoStatus;
  13089. } CERT_TRUST_STATUS, *PCERT_TRUST_STATUS;
  13090. //
  13091. // The following are error status bits
  13092. //
  13093. // These can be applied to certificates and chains
  13094. #define CERT_TRUST_NO_ERROR 0x00000000
  13095. #define CERT_TRUST_IS_NOT_TIME_VALID 0x00000001
  13096. #define CERT_TRUST_IS_NOT_TIME_NESTED 0x00000002
  13097. #define CERT_TRUST_IS_REVOKED 0x00000004
  13098. #define CERT_TRUST_IS_NOT_SIGNATURE_VALID 0x00000008
  13099. #define CERT_TRUST_IS_NOT_VALID_FOR_USAGE 0x00000010
  13100. #define CERT_TRUST_IS_UNTRUSTED_ROOT 0x00000020
  13101. #define CERT_TRUST_REVOCATION_STATUS_UNKNOWN 0x00000040
  13102. #define CERT_TRUST_IS_CYCLIC 0x00000080
  13103. #define CERT_TRUST_INVALID_EXTENSION 0x00000100
  13104. #define CERT_TRUST_INVALID_POLICY_CONSTRAINTS 0x00000200
  13105. #define CERT_TRUST_INVALID_BASIC_CONSTRAINTS 0x00000400
  13106. #define CERT_TRUST_INVALID_NAME_CONSTRAINTS 0x00000800
  13107. #define CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT 0x00001000
  13108. #define CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT 0x00002000
  13109. #define CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT 0x00004000
  13110. #define CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT 0x00008000
  13111. #define CERT_TRUST_IS_OFFLINE_REVOCATION 0x01000000
  13112. #define CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY 0x02000000
  13113. // These can be applied to chains only
  13114. #define CERT_TRUST_IS_PARTIAL_CHAIN 0x00010000
  13115. #define CERT_TRUST_CTL_IS_NOT_TIME_VALID 0x00020000
  13116. #define CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID 0x00040000
  13117. #define CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE 0x00080000
  13118. //
  13119. // The following are info status bits
  13120. //
  13121. // These can be applied to certificates only
  13122. #define CERT_TRUST_HAS_EXACT_MATCH_ISSUER 0x00000001
  13123. #define CERT_TRUST_HAS_KEY_MATCH_ISSUER 0x00000002
  13124. #define CERT_TRUST_HAS_NAME_MATCH_ISSUER 0x00000004
  13125. #define CERT_TRUST_IS_SELF_SIGNED 0x00000008
  13126. // These can be applied to certificates and chains
  13127. #define CERT_TRUST_HAS_PREFERRED_ISSUER 0x00000100
  13128. #define CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY 0x00000200
  13129. #define CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS 0x00000400
  13130. // These can be applied to chains only
  13131. #define CERT_TRUST_IS_COMPLEX_CHAIN 0x00010000
  13132. //
  13133. // Each certificate context in a simple chain has a corresponding chain element
  13134. // in the simple chain context
  13135. //
  13136. // dwErrorStatus has CERT_TRUST_IS_REVOKED, pRevocationInfo set
  13137. // dwErrorStatus has CERT_TRUST_REVOCATION_STATUS_UNKNOWN, pRevocationInfo set
  13138. //
  13139. // Note that the post processing revocation supported in the first
  13140. // version only sets cbSize and dwRevocationResult. Everything else
  13141. // is NULL
  13142. //
  13143. //
  13144. // Revocation Information
  13145. //
  13146. typedef struct _CERT_REVOCATION_INFO {
  13147. DWORD cbSize;
  13148. DWORD dwRevocationResult;
  13149. LPCSTR pszRevocationOid;
  13150. LPVOID pvOidSpecificInfo;
  13151. // fHasFreshnessTime is only set if we are able to retrieve revocation
  13152. // information. For a CRL its CurrentTime - ThisUpdate.
  13153. BOOL fHasFreshnessTime;
  13154. DWORD dwFreshnessTime; // seconds
  13155. // NonNULL for CRL base revocation checking
  13156. PCERT_REVOCATION_CRL_INFO pCrlInfo;
  13157. } CERT_REVOCATION_INFO, *PCERT_REVOCATION_INFO;
  13158. //
  13159. // Trust List Information
  13160. //
  13161. typedef struct _CERT_TRUST_LIST_INFO {
  13162. DWORD cbSize;
  13163. PCTL_ENTRY pCtlEntry;
  13164. PCCTL_CONTEXT pCtlContext;
  13165. } CERT_TRUST_LIST_INFO, *PCERT_TRUST_LIST_INFO;
  13166. //
  13167. // Chain Element
  13168. //
  13169. typedef struct _CERT_CHAIN_ELEMENT {
  13170. DWORD cbSize;
  13171. PCCERT_CONTEXT pCertContext;
  13172. CERT_TRUST_STATUS TrustStatus;
  13173. PCERT_REVOCATION_INFO pRevocationInfo;
  13174. PCERT_ENHKEY_USAGE pIssuanceUsage; // If NULL, any
  13175. PCERT_ENHKEY_USAGE pApplicationUsage; // If NULL, any
  13176. LPCWSTR pwszExtendedErrorInfo; // If NULL, none
  13177. } CERT_CHAIN_ELEMENT, *PCERT_CHAIN_ELEMENT;
  13178. //
  13179. // The simple chain is an array of chain elements and a summary trust status
  13180. // for the chain
  13181. //
  13182. // rgpElements[0] is the end certificate chain element
  13183. //
  13184. // rgpElements[cElement-1] is the self-signed "root" certificate chain element
  13185. //
  13186. typedef struct _CERT_SIMPLE_CHAIN {
  13187. DWORD cbSize;
  13188. CERT_TRUST_STATUS TrustStatus;
  13189. DWORD cElement;
  13190. PCERT_CHAIN_ELEMENT* rgpElement;
  13191. PCERT_TRUST_LIST_INFO pTrustListInfo;
  13192. // fHasRevocationFreshnessTime is only set if we are able to retrieve
  13193. // revocation information for all elements checked for revocation.
  13194. // For a CRL its CurrentTime - ThisUpdate.
  13195. //
  13196. // dwRevocationFreshnessTime is the largest time across all elements
  13197. // checked.
  13198. BOOL fHasRevocationFreshnessTime;
  13199. DWORD dwRevocationFreshnessTime; // seconds
  13200. } CERT_SIMPLE_CHAIN, *PCERT_SIMPLE_CHAIN;
  13201. //
  13202. // And the chain context contains an array of simple chains and summary trust
  13203. // status for all the connected simple chains
  13204. //
  13205. // rgpChains[0] is the end certificate simple chain
  13206. //
  13207. // rgpChains[cChain-1] is the final (possibly trust list signer) chain which
  13208. // ends in a certificate which is contained in the root store
  13209. //
  13210. typedef struct _CERT_CHAIN_CONTEXT CERT_CHAIN_CONTEXT, *PCERT_CHAIN_CONTEXT;
  13211. typedef const CERT_CHAIN_CONTEXT *PCCERT_CHAIN_CONTEXT;
  13212. struct _CERT_CHAIN_CONTEXT {
  13213. DWORD cbSize;
  13214. CERT_TRUST_STATUS TrustStatus;
  13215. DWORD cChain;
  13216. PCERT_SIMPLE_CHAIN* rgpChain;
  13217. // Following is returned when CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS
  13218. // is set in dwFlags
  13219. DWORD cLowerQualityChainContext;
  13220. PCCERT_CHAIN_CONTEXT* rgpLowerQualityChainContext;
  13221. // fHasRevocationFreshnessTime is only set if we are able to retrieve
  13222. // revocation information for all elements checked for revocation.
  13223. // For a CRL its CurrentTime - ThisUpdate.
  13224. //
  13225. // dwRevocationFreshnessTime is the largest time across all elements
  13226. // checked.
  13227. BOOL fHasRevocationFreshnessTime;
  13228. DWORD dwRevocationFreshnessTime; // seconds
  13229. };
  13230. //
  13231. // When building a chain, the there are various parameters used for finding
  13232. // issuing certificates and trust lists. They are identified in the
  13233. // following structure
  13234. //
  13235. // Default usage match type is AND with value zero
  13236. #define USAGE_MATCH_TYPE_AND 0x00000000
  13237. #define USAGE_MATCH_TYPE_OR 0x00000001
  13238. typedef struct _CERT_USAGE_MATCH {
  13239. DWORD dwType;
  13240. CERT_ENHKEY_USAGE Usage;
  13241. } CERT_USAGE_MATCH, *PCERT_USAGE_MATCH;
  13242. typedef struct _CTL_USAGE_MATCH {
  13243. DWORD dwType;
  13244. CTL_USAGE Usage;
  13245. } CTL_USAGE_MATCH, *PCTL_USAGE_MATCH;
  13246. typedef struct _CERT_CHAIN_PARA {
  13247. DWORD cbSize;
  13248. CERT_USAGE_MATCH RequestedUsage;
  13249. #ifdef CERT_CHAIN_PARA_HAS_EXTRA_FIELDS
  13250. // Note, if you #define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS, then, you
  13251. // must zero all unused fields in this data structure.
  13252. // More fields could be added in a future release.
  13253. CERT_USAGE_MATCH RequestedIssuancePolicy;
  13254. DWORD dwUrlRetrievalTimeout; // milliseconds
  13255. BOOL fCheckRevocationFreshnessTime;
  13256. DWORD dwRevocationFreshnessTime; // seconds
  13257. #endif
  13258. } CERT_CHAIN_PARA, *PCERT_CHAIN_PARA;
  13259. //
  13260. // The following API is used for retrieving certificate chains
  13261. //
  13262. // Parameters:
  13263. //
  13264. // hChainEngine - the chain engine (namespace and cache) to use, NULL
  13265. // mean use the default chain engine
  13266. //
  13267. // pCertContext - the context we are retrieving the chain for, it
  13268. // will be the zero index element in the chain
  13269. //
  13270. // pTime - the point in time that we want the chain validated
  13271. // for. Note that the time does not affect trust list,
  13272. // revocation, or root store checking. NULL means use
  13273. // the current system time
  13274. //
  13275. // hAdditionalStore - additional store to use when looking up objects
  13276. //
  13277. // pChainPara - parameters for chain building
  13278. //
  13279. // dwFlags - flags such as should revocation checking be done
  13280. // on the chain?
  13281. //
  13282. // pvReserved - reserved parameter, must be NULL
  13283. //
  13284. // ppChainContext - chain context returned
  13285. //
  13286. // CERT_CHAIN_CACHE_END_CERT can be used here as well
  13287. // Revocation flags are in the high nibble
  13288. #define CERT_CHAIN_REVOCATION_CHECK_END_CERT 0x10000000
  13289. #define CERT_CHAIN_REVOCATION_CHECK_CHAIN 0x20000000
  13290. #define CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x40000000
  13291. #define CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY 0x80000000
  13292. // By default, the dwUrlRetrievalTimeout in pChainPara is the timeout used
  13293. // for each revocation URL wire retrieval. When the following flag is set,
  13294. // dwUrlRetrievalTimeout is the accumulative timeout across all
  13295. // revocation URL wire retrievals.
  13296. #define CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT 0x08000000
  13297. // First pass determines highest quality based upon:
  13298. // - Chain signature valid (higest quality bit of this set)
  13299. // - Complete chain
  13300. // - Trusted root (lowestest quality bit of this set)
  13301. // By default, second pass only considers paths >= highest first pass quality
  13302. #define CERT_CHAIN_DISABLE_PASS1_QUALITY_FILTERING 0x00000040
  13303. #define CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS 0x00000080
  13304. #define CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE 0x00000100
  13305. // When this flag is set, pTime will be used as the timestamp time.
  13306. // pTime will be used to determine if the end certificate was valid at this
  13307. // time. Revocation checking will be relative to pTime.
  13308. // In addition, current time will also be used
  13309. // to determine if the certificate is still time valid. All remaining
  13310. // CA and root certificates will be checked using current time and not pTime.
  13311. //
  13312. // This flag was added 4/5/01 in WXP.
  13313. #define CERT_CHAIN_TIMESTAMP_TIME 0x00000200
  13314. WINCRYPT32API
  13315. BOOL
  13316. WINAPI
  13317. CertGetCertificateChain (
  13318. IN OPTIONAL HCERTCHAINENGINE hChainEngine,
  13319. IN PCCERT_CONTEXT pCertContext,
  13320. IN OPTIONAL LPFILETIME pTime,
  13321. IN OPTIONAL HCERTSTORE hAdditionalStore,
  13322. IN PCERT_CHAIN_PARA pChainPara,
  13323. IN DWORD dwFlags,
  13324. IN LPVOID pvReserved,
  13325. OUT PCCERT_CHAIN_CONTEXT* ppChainContext
  13326. );
  13327. //
  13328. // Free a certificate chain
  13329. //
  13330. WINCRYPT32API
  13331. VOID
  13332. WINAPI
  13333. CertFreeCertificateChain (
  13334. IN PCCERT_CHAIN_CONTEXT pChainContext
  13335. );
  13336. //
  13337. // Duplicate (add a reference to) a certificate chain
  13338. //
  13339. WINCRYPT32API
  13340. PCCERT_CHAIN_CONTEXT
  13341. WINAPI
  13342. CertDuplicateCertificateChain (
  13343. IN PCCERT_CHAIN_CONTEXT pChainContext
  13344. );
  13345. //
  13346. // Specific Revocation Type OID and structure definitions
  13347. //
  13348. //
  13349. // CRL Revocation OID
  13350. //
  13351. #define REVOCATION_OID_CRL_REVOCATION ((LPCSTR)1)
  13352. //
  13353. // For the CRL revocation OID the pvRevocationPara is NULL
  13354. //
  13355. //
  13356. // CRL Revocation Info
  13357. //
  13358. typedef struct _CRL_REVOCATION_INFO {
  13359. PCRL_ENTRY pCrlEntry;
  13360. PCCRL_CONTEXT pCrlContext;
  13361. PCCERT_CHAIN_CONTEXT pCrlIssuerChain;
  13362. } CRL_REVOCATION_INFO, *PCRL_REVOCATION_INFO;
  13363. //+-------------------------------------------------------------------------
  13364. // Find the first or next certificate chain context in the store.
  13365. //
  13366. // The chain context is found according to the dwFindFlags, dwFindType and
  13367. // its pvFindPara. See below for a list of the find types and its parameters.
  13368. //
  13369. // If the first or next chain context isn't found, NULL is returned.
  13370. // Otherwise, a pointer to a read only CERT_CHAIN_CONTEXT is returned.
  13371. // CERT_CHAIN_CONTEXT must be freed by calling CertFreeCertificateChain
  13372. // or is freed when passed as the
  13373. // pPrevChainContext on a subsequent call. CertDuplicateCertificateChain
  13374. // can be called to make a duplicate.
  13375. //
  13376. // pPrevChainContext MUST BE NULL on the first
  13377. // call to find the chain context. To find the next chain context, the
  13378. // pPrevChainContext is set to the CERT_CHAIN_CONTEXT returned by a previous
  13379. // call.
  13380. //
  13381. // NOTE: a NON-NULL pPrevChainContext is always CertFreeCertificateChain'ed by
  13382. // this function, even for an error.
  13383. //--------------------------------------------------------------------------
  13384. WINCRYPT32API
  13385. PCCERT_CHAIN_CONTEXT
  13386. WINAPI
  13387. CertFindChainInStore(
  13388. IN HCERTSTORE hCertStore,
  13389. IN DWORD dwCertEncodingType,
  13390. IN DWORD dwFindFlags,
  13391. IN DWORD dwFindType,
  13392. IN const void *pvFindPara,
  13393. IN PCCERT_CHAIN_CONTEXT pPrevChainContext
  13394. );
  13395. #define CERT_CHAIN_FIND_BY_ISSUER 1
  13396. //+-------------------------------------------------------------------------
  13397. // CERT_CHAIN_FIND_BY_ISSUER
  13398. //
  13399. // Find a certificate chain having a private key for the end certificate and
  13400. // matching one of the given issuer names. A matching dwKeySpec and
  13401. // enhanced key usage can also be specified. Additionally a callback can
  13402. // be provided for even more caller provided filtering before building the
  13403. // chain.
  13404. //
  13405. // By default, only the issuers in the first simple chain are compared
  13406. // for a name match. CERT_CHAIN_FIND_BY_ISSUER_COMPLEX_CHAIN_FLAG can
  13407. // be set in dwFindFlags to match issuers in all the simple chains.
  13408. //
  13409. // CERT_CHAIN_FIND_BY_ISSUER_NO_KEY_FLAG can be set in dwFindFlags to
  13410. // not check if the end certificate has a private key.
  13411. //
  13412. // CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG can be set in dwFindFlags
  13413. // to compare the public key in the end certificate with the crypto
  13414. // provider's public key. The dwAcquirePrivateKeyFlags can be set
  13415. // in CERT_CHAIN_FIND_BY_ISSUER_PARA to enable caching of the private key's
  13416. // HKEY returned by the CSP.
  13417. //
  13418. // If dwCertEncodingType == 0, defaults to X509_ASN_ENCODING for the
  13419. // array of encoded issuer names.
  13420. //
  13421. // By default, the hCertStore passed to CertFindChainInStore, is passed
  13422. // as an additional store to CertGetCertificateChain.
  13423. // CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_FLAG can be set in dwFindFlags
  13424. // to improve performance by only searching the cached system stores
  13425. // (root, my, ca, trust) to find the issuer certificates. If you are doing
  13426. // a find in the "my" system store, than, this flag should be set to
  13427. // improve performance.
  13428. //
  13429. // Setting CERT_CHAIN_FIND_BY_ISSUER_LOCAL_MACHINE_FLAG in dwFindFlags
  13430. // restricts CertGetCertificateChain to search the Local Machine
  13431. // cached system stores instead of the Current User's.
  13432. //
  13433. // Setting CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG in dwFindFlags
  13434. // restricts CertGetCertificateChain to only search the URL cache
  13435. // and not hit the wire.
  13436. //--------------------------------------------------------------------------
  13437. // Returns FALSE to skip this certificate. Otherwise, returns TRUE to
  13438. // build a chain for this certificate.
  13439. typedef BOOL (WINAPI *PFN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK)(
  13440. IN PCCERT_CONTEXT pCert,
  13441. IN void *pvFindArg
  13442. );
  13443. typedef struct _CERT_CHAIN_FIND_BY_ISSUER_PARA {
  13444. DWORD cbSize;
  13445. // If pszUsageIdentifier == NULL, matches any usage.
  13446. LPCSTR pszUsageIdentifier;
  13447. // If dwKeySpec == 0, matches any KeySpec
  13448. DWORD dwKeySpec;
  13449. // When CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG is set in dwFindFlags,
  13450. // CryptAcquireCertificatePrivateKey is called to do the public key
  13451. // comparison. The following flags can be set to enable caching
  13452. // of the acquired private key or suppress CSP UI. See the API for more
  13453. // details on these flags.
  13454. DWORD dwAcquirePrivateKeyFlags;
  13455. // Pointer to an array of X509, ASN.1 encoded issuer name blobs. If
  13456. // cIssuer == 0, matches any issuer
  13457. DWORD cIssuer;
  13458. CERT_NAME_BLOB *rgIssuer;
  13459. // If NULL or Callback returns TRUE, builds the chain for the end
  13460. // certificate having a private key with the specified KeySpec and
  13461. // enhanced key usage.
  13462. PFN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK pfnFindCallback;
  13463. void *pvFindArg;
  13464. #ifdef CERT_CHAIN_FIND_BY_ISSUER_PARA_HAS_EXTRA_FIELDS
  13465. // Note, if you #define CERT_CHAIN_FIND_BY_ISSUER_PARA_HAS_EXTRA_FIELDS,
  13466. // then, you must zero all unused fields in this data structure.
  13467. // More fields could be added in a future release.
  13468. // If the following pointers are nonNull, returns the index of the
  13469. // matching issuer certificate, which is at:
  13470. // pChainContext->
  13471. // rgpChain[*pdwIssuerChainIndex]->rgpElement[*pdwIssuerElementIndex].
  13472. //
  13473. // The issuer name blob is compared against the Issuer field in the
  13474. // certificate. The *pdwIssuerElementIndex is set to the index of this
  13475. // subject certificate + 1. Therefore, its possible for a partial chain or
  13476. // a self signed certificate matching the name blob, where
  13477. // *pdwIssuerElementIndex points past the last certificate in the chain.
  13478. //
  13479. // Note, not updated if the above cIssuer == 0.
  13480. DWORD *pdwIssuerChainIndex;
  13481. DWORD *pdwIssuerElementIndex;
  13482. #endif
  13483. } CERT_CHAIN_FIND_ISSUER_PARA, *PCERT_CHAIN_FIND_ISSUER_PARA,
  13484. CERT_CHAIN_FIND_BY_ISSUER_PARA, *PCERT_CHAIN_FIND_BY_ISSUER_PARA;
  13485. // The following dwFindFlags can be set for CERT_CHAIN_FIND_BY_ISSUER
  13486. // If set, compares the public key in the end certificate with the crypto
  13487. // provider's public key. This comparison is the last check made on the
  13488. // build chain.
  13489. #define CERT_CHAIN_FIND_BY_ISSUER_COMPARE_KEY_FLAG 0x0001
  13490. // If not set, only checks the first simple chain for an issuer name match.
  13491. // When set, also checks second and subsequent simple chains.
  13492. #define CERT_CHAIN_FIND_BY_ISSUER_COMPLEX_CHAIN_FLAG 0x0002
  13493. // If set, CertGetCertificateChain only searches the URL cache and
  13494. // doesn't hit the wire.
  13495. #define CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_URL_FLAG 0x0004
  13496. // If set, CertGetCertificateChain only opens the Local Machine
  13497. // certificate stores instead of the Current User's.
  13498. #define CERT_CHAIN_FIND_BY_ISSUER_LOCAL_MACHINE_FLAG 0x0008
  13499. // If set, no check is made to see if the end certificate has a private
  13500. // key associated with it.
  13501. #define CERT_CHAIN_FIND_BY_ISSUER_NO_KEY_FLAG 0x4000
  13502. // By default, the hCertStore passed to CertFindChainInStore, is passed
  13503. // as the additional store to CertGetCertificateChain. This flag can be
  13504. // set to improve performance by only searching the cached system stores
  13505. // (root, my, ca, trust) to find the issuer certificates. If not set, then,
  13506. // the hCertStore is always searched in addition to the cached system
  13507. // stores.
  13508. #define CERT_CHAIN_FIND_BY_ISSUER_CACHE_ONLY_FLAG 0x8000
  13509. //+=========================================================================
  13510. // Certificate Chain Policy Data Structures and APIs
  13511. //==========================================================================
  13512. typedef struct _CERT_CHAIN_POLICY_PARA {
  13513. DWORD cbSize;
  13514. DWORD dwFlags;
  13515. void *pvExtraPolicyPara; // pszPolicyOID specific
  13516. } CERT_CHAIN_POLICY_PARA, *PCERT_CHAIN_POLICY_PARA;
  13517. // If both lChainIndex and lElementIndex are set to -1, the dwError applies
  13518. // to the whole chain context. If only lElementIndex is set to -1, the
  13519. // dwError applies to the lChainIndex'ed chain. Otherwise, the dwError applies
  13520. // to the certificate element at
  13521. // pChainContext->rgpChain[lChainIndex]->rgpElement[lElementIndex].
  13522. typedef struct _CERT_CHAIN_POLICY_STATUS {
  13523. DWORD cbSize;
  13524. DWORD dwError;
  13525. LONG lChainIndex;
  13526. LONG lElementIndex;
  13527. void *pvExtraPolicyStatus; // pszPolicyOID specific
  13528. } CERT_CHAIN_POLICY_STATUS, *PCERT_CHAIN_POLICY_STATUS;
  13529. // Common chain policy flags
  13530. #define CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG 0x00000001
  13531. #define CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG 0x00000002
  13532. #define CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG 0x00000004
  13533. #define CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG 0x00000008
  13534. #define CERT_CHAIN_POLICY_IGNORE_ALL_NOT_TIME_VALID_FLAGS ( \
  13535. CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG | \
  13536. CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG | \
  13537. CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG \
  13538. )
  13539. #define CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG 0x00000010
  13540. #define CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG 0x00000020
  13541. #define CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG 0x00000040
  13542. #define CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG 0x00000080
  13543. #define CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG 0x00000100
  13544. #define CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG 0x00000200
  13545. #define CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG 0x00000400
  13546. #define CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG 0x00000800
  13547. #define CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS ( \
  13548. CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG | \
  13549. CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG | \
  13550. CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG | \
  13551. CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG \
  13552. )
  13553. #define CERT_CHAIN_POLICY_ALLOW_TESTROOT_FLAG 0x00008000
  13554. #define CERT_CHAIN_POLICY_TRUST_TESTROOT_FLAG 0x00004000
  13555. //+-------------------------------------------------------------------------
  13556. // Verify that the certificate chain satisfies the specified policy
  13557. // requirements. If we were able to verify the chain policy, TRUE is returned
  13558. // and the dwError field of the pPolicyStatus is updated. A dwError of 0
  13559. // (ERROR_SUCCESS, S_OK) indicates the chain satisfies the specified policy.
  13560. //
  13561. // If dwError applies to the entire chain context, both lChainIndex and
  13562. // lElementIndex are set to -1. If dwError applies to a simple chain,
  13563. // lElementIndex is set to -1 and lChainIndex is set to the index of the
  13564. // first offending chain having the error. If dwError applies to a
  13565. // certificate element, lChainIndex and lElementIndex are updated to
  13566. // index the first offending certificate having the error, where, the
  13567. // the certificate element is at:
  13568. // pChainContext->rgpChain[lChainIndex]->rgpElement[lElementIndex].
  13569. //
  13570. // The dwFlags in pPolicyPara can be set to change the default policy checking
  13571. // behaviour. In addition, policy specific parameters can be passed in
  13572. // the pvExtraPolicyPara field of pPolicyPara.
  13573. //
  13574. // In addition to returning dwError, in pPolicyStatus, policy OID specific
  13575. // extra status may be returned via pvExtraPolicyStatus.
  13576. //--------------------------------------------------------------------------
  13577. WINCRYPT32API
  13578. BOOL
  13579. WINAPI
  13580. CertVerifyCertificateChainPolicy(
  13581. IN LPCSTR pszPolicyOID,
  13582. IN PCCERT_CHAIN_CONTEXT pChainContext,
  13583. IN PCERT_CHAIN_POLICY_PARA pPolicyPara,
  13584. IN OUT PCERT_CHAIN_POLICY_STATUS pPolicyStatus
  13585. );
  13586. // Predefined OID Function Names
  13587. #define CRYPT_OID_VERIFY_CERTIFICATE_CHAIN_POLICY_FUNC \
  13588. "CertDllVerifyCertificateChainPolicy"
  13589. // CertDllVerifyCertificateChainPolicy has same function signature as
  13590. // CertVerifyCertificateChainPolicy.
  13591. //+-------------------------------------------------------------------------
  13592. // Predefined verify chain policies
  13593. //--------------------------------------------------------------------------
  13594. #define CERT_CHAIN_POLICY_BASE ((LPCSTR) 1)
  13595. #define CERT_CHAIN_POLICY_AUTHENTICODE ((LPCSTR) 2)
  13596. #define CERT_CHAIN_POLICY_AUTHENTICODE_TS ((LPCSTR) 3)
  13597. #define CERT_CHAIN_POLICY_SSL ((LPCSTR) 4)
  13598. #define CERT_CHAIN_POLICY_BASIC_CONSTRAINTS ((LPCSTR) 5)
  13599. #define CERT_CHAIN_POLICY_NT_AUTH ((LPCSTR) 6)
  13600. #define CERT_CHAIN_POLICY_MICROSOFT_ROOT ((LPCSTR) 7)
  13601. //+-------------------------------------------------------------------------
  13602. // CERT_CHAIN_POLICY_BASE
  13603. //
  13604. // Implements the base chain policy verification checks. dwFlags can
  13605. // be set in pPolicyPara to alter the default policy checking behaviour.
  13606. //--------------------------------------------------------------------------
  13607. //+-------------------------------------------------------------------------
  13608. // CERT_CHAIN_POLICY_AUTHENTICODE
  13609. //
  13610. // Implements the Authenticode chain policy verification checks.
  13611. //
  13612. // pvExtraPolicyPara may optionally be set to point to the following
  13613. // AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA.
  13614. //
  13615. // pvExtraPolicyStatus may optionally be set to point to the following
  13616. // AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS.
  13617. //--------------------------------------------------------------------------
  13618. // dwRegPolicySettings are defined in wintrust.h
  13619. typedef struct _AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA {
  13620. DWORD cbSize;
  13621. DWORD dwRegPolicySettings;
  13622. PCMSG_SIGNER_INFO pSignerInfo; // optional
  13623. } AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA,
  13624. *PAUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA;
  13625. typedef struct _AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS {
  13626. DWORD cbSize;
  13627. BOOL fCommercial; // obtained from signer statement
  13628. } AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS,
  13629. *PAUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_STATUS;
  13630. //+-------------------------------------------------------------------------
  13631. // CERT_CHAIN_POLICY_AUTHENTICODE_TS
  13632. //
  13633. // Implements the Authenticode Time Stamp chain policy verification checks.
  13634. //
  13635. // pvExtraPolicyPara may optionally be set to point to the following
  13636. // AUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA.
  13637. //
  13638. // pvExtraPolicyStatus isn't used and must be set to NULL.
  13639. //--------------------------------------------------------------------------
  13640. // dwRegPolicySettings are defined in wintrust.h
  13641. typedef struct _AUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA {
  13642. DWORD cbSize;
  13643. DWORD dwRegPolicySettings;
  13644. BOOL fCommercial;
  13645. } AUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA,
  13646. *PAUTHENTICODE_TS_EXTRA_CERT_CHAIN_POLICY_PARA;
  13647. //+-------------------------------------------------------------------------
  13648. // CERT_CHAIN_POLICY_SSL
  13649. //
  13650. // Implements the SSL client/server chain policy verification checks.
  13651. //
  13652. // pvExtraPolicyPara may optionally be set to point to the following
  13653. // SSL_EXTRA_CERT_CHAIN_POLICY_PARA data structure
  13654. //--------------------------------------------------------------------------
  13655. // fdwChecks flags are defined in wininet.h
  13656. typedef struct _HTTPSPolicyCallbackData
  13657. {
  13658. union {
  13659. DWORD cbStruct; // sizeof(HTTPSPolicyCallbackData);
  13660. DWORD cbSize; // sizeof(HTTPSPolicyCallbackData);
  13661. };
  13662. DWORD dwAuthType;
  13663. # define AUTHTYPE_CLIENT 1
  13664. # define AUTHTYPE_SERVER 2
  13665. DWORD fdwChecks;
  13666. WCHAR *pwszServerName; // used to check against CN=xxxx
  13667. } HTTPSPolicyCallbackData, *PHTTPSPolicyCallbackData,
  13668. SSL_EXTRA_CERT_CHAIN_POLICY_PARA, *PSSL_EXTRA_CERT_CHAIN_POLICY_PARA;
  13669. //+-------------------------------------------------------------------------
  13670. // CERT_CHAIN_POLICY_BASIC_CONSTRAINTS
  13671. //
  13672. // Implements the basic constraints chain policy.
  13673. //
  13674. // Iterates through all the certificates in the chain checking for either
  13675. // a szOID_BASIC_CONSTRAINTS or a szOID_BASIC_CONSTRAINTS2 extension. If
  13676. // neither extension is present, the certificate is assumed to have
  13677. // valid policy. Otherwise, for the first certificate element, checks if
  13678. // it matches the expected CA_FLAG or END_ENTITY_FLAG specified in
  13679. // pPolicyPara->dwFlags. If neither or both flags are set, then, the first
  13680. // element can be either a CA or END_ENTITY. All other elements must be
  13681. // a CA. If the PathLenConstraint is present in the extension, its
  13682. // checked.
  13683. //
  13684. // The first elements in the remaining simple chains (ie, the certificate
  13685. // used to sign the CTL) are checked to be an END_ENTITY.
  13686. //
  13687. // If this verification fails, dwError will be set to
  13688. // TRUST_E_BASIC_CONSTRAINTS.
  13689. //--------------------------------------------------------------------------
  13690. #define BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_CA_FLAG 0x80000000
  13691. #define BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_END_ENTITY_FLAG 0x40000000
  13692. //+-------------------------------------------------------------------------
  13693. // CERT_CHAIN_POLICY_NT_AUTH
  13694. //
  13695. // Implements the NT Authentication chain policy.
  13696. //
  13697. // The NT Authentication chain policy consists of 3 distinct chain
  13698. // verifications in the following order:
  13699. // [1] CERT_CHAIN_POLICY_BASE - Implements the base chain policy
  13700. // verification checks. The LOWORD of dwFlags can be set in
  13701. // pPolicyPara to alter the default policy checking behaviour. See
  13702. // CERT_CHAIN_POLICY_BASE for more details.
  13703. //
  13704. // [2] CERT_CHAIN_POLICY_BASIC_CONSTRAINTS - Implements the basic
  13705. // constraints chain policy. The HIWORD of dwFlags can be set
  13706. // to specify if the first element must be either a CA or END_ENTITY.
  13707. // See CERT_CHAIN_POLICY_BASIC_CONSTRAINTS for more details.
  13708. //
  13709. // [3] Checks if the second element in the chain, the CA that issued
  13710. // the end certificate, is a trusted CA for NT
  13711. // Authentication. A CA is considered to be trusted if it exists in
  13712. // the "NTAuth" system registry store found in the
  13713. // CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE store location.
  13714. // If this verification fails, whereby the CA isn't trusted,
  13715. // dwError is set to CERT_E_UNTRUSTEDCA.
  13716. //
  13717. // If CERT_PROT_ROOT_DISABLE_NT_AUTH_REQUIRED_FLAG is set
  13718. // in the "Flags" value of the HKLM policy "ProtectedRoots" subkey
  13719. // defined by CERT_PROT_ROOT_FLAGS_REGPATH, then,
  13720. // if the above check fails, checks if the chain
  13721. // has CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS set in dwInfoStatus. This
  13722. // will only be set if there was a valid name constraint for all
  13723. // name spaces including UPN. If the chain doesn't have this info
  13724. // status set, dwError is set to CERT_E_UNTRUSTEDCA.
  13725. //--------------------------------------------------------------------------
  13726. //+-------------------------------------------------------------------------
  13727. // CERT_CHAIN_POLICY_MICROSOFT_ROOT
  13728. //
  13729. // Checks if the last element of the first simple chain contains a
  13730. // Microsoft root public key. If it doesn't contain a Microsoft root
  13731. // public key, dwError is set to CERT_E_UNTRUSTEDROOT.
  13732. //
  13733. // pvExtraPolicyPara and pvExtraPolicyStatus aren't used and must be set
  13734. // to NULL.
  13735. //--------------------------------------------------------------------------
  13736. //+-------------------------------------------------------------------------
  13737. // convert formatted string to binary
  13738. // If cchString is 0, then pszString is NULL terminated and
  13739. // cchString is obtained via strlen() + 1.
  13740. // dwFlags defines string format
  13741. // if pbBinary is NULL, *pcbBinary returns the size of required memory
  13742. // *pdwSkip returns the character count of skipped strings, optional
  13743. // *pdwFlags returns the actual format used in the conversion, optional
  13744. //--------------------------------------------------------------------------
  13745. WINCRYPT32STRINGAPI
  13746. BOOL
  13747. WINAPI
  13748. CryptStringToBinary%(
  13749. IN LPCTSTR% pszString,
  13750. IN DWORD cchString,
  13751. IN DWORD dwFlags,
  13752. IN BYTE *pbBinary,
  13753. IN OUT DWORD *pcbBinary,
  13754. OUT DWORD *pdwSkip, //OPTIONAL
  13755. OUT DWORD *pdwFlags //OPTIONAL
  13756. );
  13757. //+-------------------------------------------------------------------------
  13758. // convert binary to formatted string
  13759. // dwFlags defines string format
  13760. // if pszString is NULL, *pcchString returns the size of required memory in byte
  13761. //--------------------------------------------------------------------------
  13762. WINCRYPT32STRINGAPI
  13763. BOOL
  13764. WINAPI
  13765. CryptBinaryToString%(
  13766. IN CONST BYTE *pbBinary,
  13767. IN DWORD cbBinary,
  13768. IN DWORD dwFlags,
  13769. IN LPTSTR% pszString,
  13770. IN OUT DWORD *pcchString
  13771. );
  13772. // dwFlags has the following defines
  13773. #define CRYPT_STRING_BASE64HEADER 0x00000000
  13774. #define CRYPT_STRING_BASE64 0x00000001
  13775. #define CRYPT_STRING_BINARY 0x00000002
  13776. #define CRYPT_STRING_BASE64REQUESTHEADER 0x00000003
  13777. #define CRYPT_STRING_HEX 0x00000004
  13778. #define CRYPT_STRING_HEXASCII 0x00000005
  13779. #define CRYPT_STRING_BASE64_ANY 0x00000006
  13780. #define CRYPT_STRING_ANY 0x00000007
  13781. #define CRYPT_STRING_HEX_ANY 0x00000008
  13782. #define CRYPT_STRING_BASE64X509CRLHEADER 0x00000009
  13783. #define CRYPT_STRING_HEXADDR 0x0000000a
  13784. #define CRYPT_STRING_HEXASCIIADDR 0x0000000b
  13785. #define CRYPT_STRING_NOCR 0x80000000
  13786. // CryptBinaryToString uses the following flags
  13787. // CRYPT_STRING_BASE64HEADER - base64 format with certificate begin
  13788. // and end headers
  13789. // CRYPT_STRING_BASE64 - only base64 without headers
  13790. // CRYPT_STRING_BINARY - pure binary copy
  13791. // CRYPT_STRING_BASE64REQUESTHEADER - base64 format with request begin
  13792. // and end headers
  13793. // CRYPT_STRING_BASE64X509CRLHEADER - base64 format with x509 crl begin
  13794. // and end headers
  13795. // CRYPT_STRING_HEX - only hex format
  13796. // CRYPT_STRING_HEXASCII - hex format with ascii char display
  13797. // CRYPT_STRING_HEXADDR - hex format with address display
  13798. // CRYPT_STRING_HEXASCIIADDR - hex format with ascii char and address display
  13799. //
  13800. // CryptBinaryToString accepts CRYPT_STRING_NOCR or'd into one of the above.
  13801. // When set, line breaks contain only LF, instead of CR-LF pairs.
  13802. // CryptStringToBinary uses the following flags
  13803. // CRYPT_STRING_BASE64_ANY tries the following, in order:
  13804. // CRYPT_STRING_BASE64HEADER
  13805. // CRYPT_STRING_BASE64
  13806. // CRYPT_STRING_ANY tries the following, in order:
  13807. // CRYPT_STRING_BASE64_ANY
  13808. // CRYPT_STRING_BINARY -- should always succeed
  13809. // CRYPT_STRING_HEX_ANY tries the following, in order:
  13810. // CRYPT_STRING_HEXADDR
  13811. // CRYPT_STRING_HEXASCIIADDR
  13812. // CRYPT_STRING_HEXASCII
  13813. // CRYPT_STRING_HEX
  13814. //+=========================================================================
  13815. // PFX (PKCS #12) function defintions and types
  13816. //==========================================================================
  13817. //+-------------------------------------------------------------------------
  13818. // PFXImportCertStore
  13819. //
  13820. // Import the PFX blob and return a store containing certificates
  13821. //
  13822. // If the password parameter is incorrect or any other problems decoding
  13823. // the PFX blob are encountered, the function will return NULL and the
  13824. // error code can be found from GetLastError().
  13825. //
  13826. // The dwFlags parameter may be set to the following:
  13827. // CRYPT_EXPORTABLE - specify that any imported keys should be marked as
  13828. // exportable (see documentation on CryptImportKey)
  13829. // CRYPT_USER_PROTECTED - (see documentation on CryptImportKey)
  13830. // CRYPT_MACHINE_KEYSET - used to force the private key to be stored in the
  13831. // the local machine and not the current user.
  13832. // CRYPT_USER_KEYSET - used to force the private key to be stored in the
  13833. // the current user and not the local machine, even if
  13834. // the pfx blob specifies that it should go into local
  13835. // machine.
  13836. //--------------------------------------------------------------------------
  13837. WINCRYPT32API
  13838. HCERTSTORE
  13839. WINAPI
  13840. PFXImportCertStore(
  13841. IN CRYPT_DATA_BLOB* pPFX,
  13842. IN LPCWSTR szPassword,
  13843. IN DWORD dwFlags);
  13844. // dwFlags definitions for PFXImportCertStore
  13845. //#define CRYPT_EXPORTABLE 0x00000001 // CryptImportKey dwFlags
  13846. //#define CRYPT_USER_PROTECTED 0x00000002 // CryptImportKey dwFlags
  13847. //#define CRYPT_MACHINE_KEYSET 0x00000020 // CryptAcquireContext dwFlags
  13848. #define CRYPT_USER_KEYSET 0x00001000
  13849. #define PKCS12_IMPORT_RESERVED_MASK 0xffff0000
  13850. //+-------------------------------------------------------------------------
  13851. // PFXIsPFXBlob
  13852. //
  13853. // This function will try to decode the outer layer of the blob as a pfx
  13854. // blob, and if that works it will return TRUE, it will return FALSE otherwise
  13855. //
  13856. //--------------------------------------------------------------------------
  13857. WINCRYPT32API
  13858. BOOL
  13859. WINAPI
  13860. PFXIsPFXBlob(
  13861. IN CRYPT_DATA_BLOB* pPFX);
  13862. //+-------------------------------------------------------------------------
  13863. // PFXVerifyPassword
  13864. //
  13865. // This function will attempt to decode the outer layer of the blob as a pfx
  13866. // blob and decrypt with the given password. No data from the blob will be
  13867. // imported.
  13868. //
  13869. // Return value is TRUE if password appears correct, FALSE otherwise.
  13870. //
  13871. //--------------------------------------------------------------------------
  13872. WINCRYPT32API
  13873. BOOL
  13874. WINAPI
  13875. PFXVerifyPassword(
  13876. IN CRYPT_DATA_BLOB* pPFX,
  13877. IN LPCWSTR szPassword,
  13878. IN DWORD dwFlags);
  13879. //+-------------------------------------------------------------------------
  13880. // PFXExportCertStoreEx
  13881. //
  13882. // Export the certificates and private keys referenced in the passed-in store
  13883. //
  13884. // This API encodes the blob under a stronger algorithm. The resulting
  13885. // PKCS12 blobs are incompatible with the earlier PFXExportCertStore API.
  13886. //
  13887. // The value passed in the password parameter will be used to encrypt and
  13888. // verify the integrity of the PFX packet. If any problems encoding the store
  13889. // are encountered, the function will return FALSE and the error code can
  13890. // be found from GetLastError().
  13891. //
  13892. // The dwFlags parameter may be set to any combination of
  13893. // EXPORT_PRIVATE_KEYS
  13894. // REPORT_NO_PRIVATE_KEY
  13895. // REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY
  13896. //
  13897. // The encoded PFX blob is returned in *pPFX. If pPFX->pbData is NULL upon
  13898. // input, this is a length only calculation, whereby, pPFX->cbData is updated
  13899. // with the number of bytes required for the encoded blob. Otherwise,
  13900. // the memory pointed to by pPFX->pbData is updated with the encoded bytes
  13901. // and pPFX->cbData is updated with the encoded byte length.
  13902. //--------------------------------------------------------------------------
  13903. WINCRYPT32API
  13904. BOOL
  13905. WINAPI
  13906. PFXExportCertStoreEx(
  13907. IN HCERTSTORE hStore,
  13908. IN OUT CRYPT_DATA_BLOB* pPFX,
  13909. IN LPCWSTR szPassword,
  13910. IN void* pvReserved,
  13911. IN DWORD dwFlags);
  13912. // dwFlags definitions for PFXExportCertStoreEx
  13913. #define REPORT_NO_PRIVATE_KEY 0x0001
  13914. #define REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY 0x0002
  13915. #define EXPORT_PRIVATE_KEYS 0x0004
  13916. #define PKCS12_EXPORT_RESERVED_MASK 0xffff0000
  13917. //+-------------------------------------------------------------------------
  13918. // PFXExportCertStore
  13919. //
  13920. // Export the certificates and private keys referenced in the passed-in store
  13921. //
  13922. // This is an old API kept for compatibility with IE4 clients. New applications
  13923. // should call the above PfxExportCertStoreEx for enhanced security.
  13924. //--------------------------------------------------------------------------
  13925. WINCRYPT32API
  13926. BOOL
  13927. WINAPI
  13928. PFXExportCertStore(
  13929. IN HCERTSTORE hStore,
  13930. IN OUT CRYPT_DATA_BLOB* pPFX,
  13931. IN LPCWSTR szPassword,
  13932. IN DWORD dwFlags);
  13933. #ifdef __cplusplus
  13934. } // Balance extern "C" above
  13935. #endif
  13936. #if defined (_MSC_VER)
  13937. #if ( _MSC_VER >= 800 )
  13938. #if _MSC_VER >= 1200
  13939. #pragma warning(pop)
  13940. #else
  13941. #pragma warning(default:4201)
  13942. #endif
  13943. #endif
  13944. #endif
  13945. #endif // __WINCRYPT_H__