Explorera Button ekleme
///// commandx
procedure CreateExplorerButton(Path: string);
const
Tagit = '{10954C80-4F0F-11d3-B17C-00C0DFE39736}';
var
Reg: TRegistry;
Path: string;
Path1: string;
Merge: string;
begin
Path := 'c:your_program_path';
Reg := TRegistry.Create;
try
with Reg do
begin
RootKey := HKEY_LOCAL_MACHINE;
Path1 := 'SoftwareMicrosoftInternet ExplorerExtensions';
Merge := Path1 + Tagit;
OpenKey(Merge, True);
WriteString('ButtonText', 'ButtonText');
WriteString('MenuText', 'Tools Menu Item');
WriteString('MenuStatusBar', 'Run Script');
WriteString('ClSid', '{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}');
WriteString('Default Visible', 'Yes');
WriteString('Exec', Path + 'ProgramName.exe');
WriteString('HotIcon', ',4');
WriteString('Icon', ',4');
end
finally
Reg.CloseKey;
Reg.Free;
end;
end;
Delphi - .....................................
Cryptographic API interface.
NT sistemlerle gelen crypt api (crypt32.dll) yi programınız içersinden kullanarak
CALG_MD2 = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_MD2);
CALG_MD4 = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_MD4);
CALG_MD5 = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_MD5);
CALG_SHA = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_SHA);
CALG_SHA1 = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_SHA1);
CALG_MAC = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_MAC);
CALG_RSA_SIGN = (ALG_CLASS_SIGNATURE or ALG_TYPE_RSA or ALG_SID_RSA_ANY);
CALG_DSS_SIGN = (ALG_CLASS_SIGNATURE or ALG_TYPE_DSS or ALG_SID_DSS_ANY);
CALG_RSA_KEYX = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_RSA or ALG_SID_RSA_ANY);
CALG_DES = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_DES);
CALG_3DES_112 = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_3DES_112);
CALG_3DES = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_3DES);
CALG_RC2 = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_RC2);
CALG_RC4 = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_STREAM or ALG_SID_RC4);
CALG_SEAL = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_STREAM or ALG_SID_SEAL);
CALG_DH_SF = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_DH or ALG_SID_DH_SANDF);
CALG_DH_EPHEM = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_DH or ALG_SID_DH_EPHEM);
CALG_AGREEDKEY_ANY = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_DH or ALG_SID_AGREED_KEY_ANY);
CALG_KEA_KEYX = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_DH or ALG_SID_KEA);
CALG_HUGHES_MD5 = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_ANY or ALG_SID_MD5);
CALG_SKIPJACK = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_SKIPJACK);
CALG_TEK = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_TEK);
CALG_CYLINK_MEK = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_CYLINK_MEK);
CALG_SSL3_SHAMD5 = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_SSL3SHAMD5);
CALG_SSL3_MASTER = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SSL3_MASTER);
CALG_SCHANNEL_MASTER_HASH = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SCHANNEL_MASTER_HASH);
CALG_SCHANNEL_MAC_KEY = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SCHANNEL_MAC_KEY);
CALG_SCHANNEL_ENC_KEY = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SCHANNEL_ENC_KEY);
CALG_PCT1_MASTER = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_PCT1_MASTER);
CALG_SSL2_MASTER = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SSL2_MASTER);
CALG_TLS1_MASTER = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_TLS1_MASTER);
CALG_RC5 = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_RC5);
CALG_HMAC = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_HMAC);
hash ve algoritmalar ile şifreleme yapma şansına sahip olursunuz uygulamanıza
dcp tarzı crypt kütüphaneleride gömmenize gerek kalmaz.
bu algoritmalar, konsol programcılığı ile uğraşanlar için güzel bir
yoldur.
Function DoCrypt(Data, Password: string; DoCrypt: Boolean):String;
var
hProv: HCRYPTPROV;
hash: HCRYPTHASH;
key: HCRYPTKEY;
len: dWord;
begin
CryptAcquireContext(@hProv, nil, nil, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT);
CryptCreateHash(hProv, CALG_SHA, 0, 0, @hash);
CryptHashData(hash, @Password[1], Length(Password), 0);
CryptDeriveKey(hProv, CALG_RC4, hash, 0, @key);
CryptDestroyHash(hash);
Try
Len:=Length(Data);
if DoCrypt then CryptEncrypt(key, 0, False, 0, @Data[1], @len, len)
else
CryptDecrypt(key, 0, False, 0, @Data[1], @len);
finally
Result:=Data;
end;
CryptReleaseContext(hProv, 0);
end;
şifreleme yapmak için örnek fonksiyon.
"CALG_SHA" ve "CALG_RC4" baika hash / algoritma ile değiştirme şansınız var.
ShowMessage( DoCrypt('ben şifrelenecem ne güzel 
','ŞİFRE123',TRUE) );
gibi kullanılır sondaki true verinin crypt yapılacağını false ise decrypt
yapılacağını belirtir. tabiki bu fonksiyonu kullanmak için uses e ExWcrypt2
unitini eklemeyi unutmamak gerek.
ExWcrypt2.pas
-------------
{******************************************************************}
{ }
{ Borland Delphi Runtime Library }
{ Cryptographic API interface unit }
{ }
{ Portions created by Microsoft are }
{ Copyright (C) 1993-1998 Microsoft Corporation. }
{ All Rights Reserved. }
{ }
{ The original file is: wincrypt.h, 1992 - 1997 }
{ The original Pascal code is: wcrypt2.pas, released 01 Jan 1998 }
{ The initial developer of the Pascal code is }
{ Massimo Maria Ghisalberti (nissl@dada.it) }
{ }
{ Portions created by Massimo Maria Ghisalberti are }
{ Copyright (C) 1997-1998 Massimo Maria Ghisalberti }
{ }
{ Contributor(s): }
{ Peter Tang (peter.tang@citicorp.com) }
{ Phil Shrimpton (phil@shrimpton.co.uk) }
{ }
{ Obtained through: }
{ }
{ Joint Endeavour of Delphi Innovators (Project JEDI) }
{ }
{ You may retrieve the latest version of this file at the Project }
{ JEDI home page, located at http://delphi-jedi.org }
{ }
{ The contents of this file are used with permission, subject to }
{ the Mozilla Public License Version 1.1 (the "License"); you may }
{ not use this file except in compliance with the License. You may }
{ obtain a copy of the License at }
{ http://www.mozilla.org/MPL/MPL-1.1.html }
{ }
{ Software distributed under the License is distributed on an }
{ "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or }
{ implied. See the License for the specific language governing }
{ rights and limitations under the License. }
{ }
{******************************************************************}
unit wcrypt2;
{.DEFINE NT5}
{$ALIGN ON}
{$IFNDEF VER90}
{$WEAKPACKAGEUNIT}
{$ENDIF}
interface
uses
Windows
{$IFDEF VER90}
,Ole2
{$ENDIF};
const
ADVAPI32 = 'advapi32.dll';
CRYPT32 = 'crypt32.dll';
SOFTPUB = 'softpub.dll';
{$IFDEF NT5}
ADVAPI32NT5 = 'advapi32.dll';
{$ENDIF}
{Support Type}
type
PVOID = Pointer;
LONG = DWORD;
{$IFDEF UNICODE}
LPAWSTR = PWideChar;
{$ELSE}
LPAWSTR = PAnsiChar;
{$ENDIF}
//-----------------------------------------------------------------------------
// Type support for a pointer to an array of pointer (type **name)
PLPSTR = Pointer; // type for a pointer to Array of pointer a type
PPCERT_INFO = Pointer; // type for a pointer to Array of pointer a type
PPVOID = Pointer; // type for a pointer to Array of pointer a type
PPCCERT_CONTEXT = Pointer; // type for a pointer to Array of pointer a type
PPCCTL_CONTEXT = Pointer; // type for a pointer to Array of pointer a type
PPCCRL_CONTEXT = Pointer; // type for a pointer to Array of pointer a type
//-----------------------------------------------------------------------------
//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1992 - 1997.
//
// File: wincrypt.h
//
// Contents: Cryptographic API Prototypes and Definitions
//
//----------------------------------------------------------------------------
//
// Algorithm IDs and Flags
//
// ALG_ID crackers
function GET_ALG_CLASS(x:integer) :integer;
function GET_ALG_TYPE(x:integer) :integer;
function GET_ALG_SID(x:integer) :integer;
Const
// Algorithm classes
ALG_CLASS_ANY = 0;
ALG_CLASS_SIGNATURE = (1 shl 13);
ALG_CLASS_MSG_ENCRYPT = (2 shl 13);
ALG_CLASS_DATA_ENCRYPT = (3 shl 13);
ALG_CLASS_HASH = (4 shl 13);
ALG_CLASS_KEY_EXCHANGE = (5 shl 13);
// Algorithm types
ALG_TYPE_ANY = 0;
ALG_TYPE_DSS = (1 shl 9);
ALG_TYPE_RSA = (2 shl 9);
ALG_TYPE_BLOCK = (3 shl 9);
ALG_TYPE_STREAM = (4 shl 9);
ALG_TYPE_DH = (5 shl 9);
ALG_TYPE_SECURECHANNEL = (6 shl 9);
// Generic sub-ids
ALG_SID_ANY = 0;
// Some RSA sub-ids
ALG_SID_RSA_ANY = 0;
ALG_SID_RSA_PKCS = 1;
ALG_SID_RSA_MSATWORK = 2;
ALG_SID_RSA_ENTRUST = 3;
ALG_SID_RSA_PGP = 4;
// Some DSS sub-ids
ALG_SID_DSS_ANY = 0;
ALG_SID_DSS_PKCS = 1;
ALG_SID_DSS_DMS = 2;
// Block cipher sub ids
// DES sub_ids
ALG_SID_DES = 1;
ALG_SID_3DES = 3;
ALG_SID_DESX = 4;
ALG_SID_IDEA = 5;
ALG_SID_CAST = 6;
ALG_SID_SAFERSK64 = 7;
ALD_SID_SAFERSK128 = 8;
ALG_SID_SAFERSK128 = 8;
ALG_SID_3DES_112 = 9;
ALG_SID_CYLINK_MEK = 12;
ALG_SID_RC5 = 13;
// Fortezza sub-ids
ALG_SID_SKIPJACK = 10;
ALG_SID_TEK = 11;
// KP_MODE
CRYPT_MODE_CBCI = 6; {ANSI CBC Interleaved}
CRYPT_MODE_CFBP = 7; {ANSI CFB Pipelined}
CRYPT_MODE_OFBP = 8; {ANSI OFB Pipelined}
CRYPT_MODE_CBCOFM = 9; {ANSI CBC + OF Masking}
CRYPT_MODE_CBCOFMI = 10; {ANSI CBC + OFM Interleaved}
// RC2 sub-ids
ALG_SID_RC2 = 2;
// Stream cipher sub-ids
ALG_SID_RC4 = 1;
ALG_SID_SEAL = 2;
// Diffie-Hellman sub-ids
ALG_SID_DH_SANDF = 1;
ALG_SID_DH_EPHEM = 2;
ALG_SID_AGREED_KEY_ANY = 3;
ALG_SID_KEA = 4;
// Hash sub ids
ALG_SID_MD2 = 1;
ALG_SID_MD4 = 2;
ALG_SID_MD5 = 3;
ALG_SID_SHA = 4;
ALG_SID_SHA1 = 4;
ALG_SID_MAC = 5;
ALG_SID_RIPEMD = 6;
ALG_SID_RIPEMD160 = 7;
ALG_SID_SSL3SHAMD5 = 8;
ALG_SID_HMAC = 9;
// secure channel sub ids
ALG_SID_SSL3_MASTER = 1;
ALG_SID_SCHANNEL_MASTER_HASH = 2;
ALG_SID_SCHANNEL_MAC_KEY = 3;
ALG_SID_PCT1_MASTER = 4;
ALG_SID_SSL2_MASTER = 5;
ALG_SID_TLS1_MASTER = 6;
ALG_SID_SCHANNEL_ENC_KEY = 7;
// Our silly example sub-id
ALG_SID_EXAMPLE = 80;
{$IFNDEF ALGIDDEF}
{$DEFINE ALGIDDEF}
Type ALG_ID = ULONG;
{$ENDIF}
// algorithm identifier definitions
Const
CALG_MD2 = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_MD2);
CALG_MD4 = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_MD4);
CALG_MD5 = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_MD5);
CALG_SHA = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_SHA);
CALG_SHA1 = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_SHA1);
CALG_MAC = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_MAC);
CALG_RSA_SIGN = (ALG_CLASS_SIGNATURE or ALG_TYPE_RSA or ALG_SID_RSA_ANY);
CALG_DSS_SIGN = (ALG_CLASS_SIGNATURE or ALG_TYPE_DSS or ALG_SID_DSS_ANY);
CALG_RSA_KEYX = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_RSA or ALG_SID_RSA_ANY);
CALG_DES = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_DES);
CALG_3DES_112 = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_3DES_112);
CALG_3DES = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_3DES);
CALG_RC2 = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_RC2);
CALG_RC4 = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_STREAM or ALG_SID_RC4);
CALG_SEAL = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_STREAM or ALG_SID_SEAL);
CALG_DH_SF = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_DH or ALG_SID_DH_SANDF);
CALG_DH_EPHEM = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_DH or ALG_SID_DH_EPHEM);
CALG_AGREEDKEY_ANY = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_DH or ALG_SID_AGREED_KEY_ANY);
CALG_KEA_KEYX = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_DH or ALG_SID_KEA);
CALG_HUGHES_MD5 = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_ANY or ALG_SID_MD5);
CALG_SKIPJACK = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_SKIPJACK);
CALG_TEK = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_TEK);
CALG_CYLINK_MEK = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_CYLINK_MEK);
CALG_SSL3_SHAMD5 = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_SSL3SHAMD5);
CALG_SSL3_MASTER = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SSL3_MASTER);
CALG_SCHANNEL_MASTER_HASH = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SCHANNEL_MASTER_HASH);
CALG_SCHANNEL_MAC_KEY = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SCHANNEL_MAC_KEY);
CALG_SCHANNEL_ENC_KEY = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SCHANNEL_ENC_KEY);
CALG_PCT1_MASTER = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_PCT1_MASTER);
CALG_SSL2_MASTER = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SSL2_MASTER);
CALG_TLS1_MASTER = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_TLS1_MASTER);
CALG_RC5 = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_RC5);
CALG_HMAC = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_HMAC);
type
PVTableProvStruc = ^VTableProvStruc;
VTableProvStruc = record
Version :DWORD;
FuncVerifyImage :TFarProc;
FuncReturnhWnd :TFarProc;
dwProvType :DWORD;
pbContextInfo :PBYTE;
cbContextInfo :DWORD;
end;
//type HCRYPTPROV = ULONG;
//type HCRYPTKEY = ULONG;
//type HCRYPTHASH = ULONG;
const
// dwFlags definitions for CryptAcquireContext
CRYPT_VERIFYCONTEXT = $F0000000;
CRYPT_NEWKEYSET = $00000008;
CRYPT_DELETEKEYSET = $00000010;
CRYPT_MACHINE_KEYSET = $00000020;
// dwFlag definitions for CryptGenKey
CRYPT_EXPORTABLE = $00000001;
CRYPT_USER_PROTECTED = $00000002;
CRYPT_CREATE_SALT = $00000004;
CRYPT_UPDATE_KEY = $00000008;
CRYPT_NO_SALT = $00000010;
CRYPT_PREGEN = $00000040;
CRYPT_RECIPIENT = $00000010;
CRYPT_INITIATOR = $00000040;
CRYPT_ONLINE = $00000080;
CRYPT_SF = $00000100;
CRYPT_CREATE_IV = $00000200;
CRYPT_KEK = $00000400;
CRYPT_DATA_KEY = $00000800;
// dwFlags definitions for CryptDeriveKey
CRYPT_SERVER = $00000400;
KEY_LENGTH_MASK = $FFFF0000;
// dwFlag definitions for CryptExportKey
CRYPT_Y_ONLY = $00000001;
CRYPT_SSL2_SLUMMING = $00000002;
// dwFlags definitions for CryptHashSessionKey
CRYPT_LITTLE_ENDIAN = $00000001;
// dwFlag definitions for CryptSetProviderEx and CryptGetDefaultProvider
CRYPT_MACHINE_DEFAULT = $00000001;
CRYPT_USER_DEFAULT = $00000002;
CRYPT_DELETE_DEFAULT = $00000004;
// exported key blob definitions
SIMPLEBLOB = $1;
PUBLICKEYBLOB = $6;
PRIVATEKEYBLOB = $7;
PLAINTEXTKEYBLOB = $8;
AT_KEYEXCHANGE = 1;
AT_SIGNATURE = 2;
CRYPT_USERDATA = 1;
// dwParam
KP_IV = 1; // Initialization vector
KP_SALT = 2; // Salt value
KP_PADDING = 3; // Padding values
KP_MODE = 4; // Mode of the cipher
KP_MODE_BITS = 5; // Number of bits to feedback
KP_PERMISSIONS = 6; // Key permissions DWORD
KP_ALGID = 7; // Key algorithm
KP_BLOCKLEN = 8; // Block size of the cipher
KP_KEYLEN = 9; // Length of key in bits
KP_SALT_EX = 10; // Length of salt in bytes
KP_P = 11; // DSS/Diffie-Hellman P value
KP_G = 12; // DSS/Diffie-Hellman G value
KP_Q = 13; // DSS Q value
KP_X = 14; // Diffie-Hellman X value
KP_Y = 15; // Y value
KP_RA = 16; // Fortezza RA value
KP_RB = 17; // Fortezza RB value
KP_INFO = 18; // for putting information into an RSA envelope
KP_EFFECTIVE_KEYLEN = 19; // setting and getting RC2 effective key length
KP_SCHANNEL_ALG = 20; // for setting the Secure Channel algorithms
KP_CLIENT_RANDOM = 21; // for setting the Secure Channel client random data
KP_SERVER_RANDOM = 22; // for setting the Secure Channel server random data
KP_RP = 23;
KP_PRECOMP_MD5 = 24;
KP_PRECOMP_SHA = 25;
KP_CERTIFICATE = 26; // for setting Secure Channel certificate data (PCT1)
KP_CLEAR_KEY = 27; // for setting Secure Channel clear key data (PCT1)
KP_PUB_EX_LEN = 28;
KP_PUB_EX_VAL = 29;
// KP_PADDING
PKCS5_PADDING = 1; {PKCS 5 (sec 6.2) padding method}
RANDOM_PADDING = 2;
ZERO_PADDING = 3;
// KP_MODE
CRYPT_MODE_CBC = 1; // Cipher block chaining
CRYPT_MODE_ECB = 2; // Electronic code book
CRYPT_MODE_OFB = 3; // Output feedback mode
CRYPT_MODE_CFB = 4; // Cipher feedback mode
CRYPT_MODE_CTS = 5; // Ciphertext stealing mode
// KP_PERMISSIONS
CRYPT_ENCRYPT = $0001; // Allow encryption
CRYPT_DECRYPT = $0002; // Allow decryption
CRYPT_EXPORT = $0004; // Allow key to be exported
CRYPT_READ = $0008; // Allow parameters to be read
CRYPT_WRITE = $0010; // Allow parameters to be set
CRYPT_MAC = $0020; // Allow MACs to be used with key
CRYPT_EXPORT_KEY = $0040; // Allow key to be used for exporting keys
CRYPT_IMPORT_KEY = $0080; // Allow key to be used for importing keys
HP_ALGID = $0001; // Hash algorithm
HP_HASHVAL = $0002; // Hash value
HP_HASHSIZE = $0004; // Hash value size
HP_HMAC_INFO = $0005; // information for creating an HMAC
CRYPT_FAILED = FALSE;
CRYPT_SUCCEED = TRUE;
function RCRYPT_SUCCEEDED(rt:BOOL):BOOL;
function RCRYPT_FAILED(rt:BOOL):BOOL;
const
// CryptGetProvParam
PP_ENUMALGS = 1;
PP_ENUMCONTAINERS = 2;
PP_IMPTYPE = 3;
PP_NAME = 4;
PP_VERSION = 5;
PP_CONTAINER = 6;
PP_CHANGE_PASSWORD = 7;
PP_KEYSET_SEC_DESCR = 8; // get/set security descriptor of keyset
PP_CERTCHAIN = 9; // for retrieving certificates from tokens
PP_KEY_TYPE_SUBTYPE = 10;
PP_PROVTYPE = 16;
PP_KEYSTORAGE = 17;
PP_APPLI_CERT = 18;
PP_SYM_KEYSIZE = 19;
PP_SESSION_KEYSIZE = 20;
PP_UI_PROMPT = 21;
PP_ENUMALGS_EX = 22;
CRYPT_FIRST = 1;
CRYPT_NEXT = 2;
CRYPT_IMPL_HARDWARE = 1;
CRYPT_IMPL_SOFTWARE = 2;
CRYPT_IMPL_MIXED = 3;
CRYPT_IMPL_UNKNOWN = 4;
// key storage flags
CRYPT_SEC_DESCR = $00000001;
CRYPT_PSTORE = $00000002;
CRYPT_UI_PROMPT = $00000004;
// protocol flags
CRYPT_FLAG_PCT1 = $0001;
CRYPT_FLAG_SSL2 = $0002;
CRYPT_FLAG_SSL3 = $0004;
CRYPT_FLAG_TLS1 = $0008;
// CryptSetProvParam
PP_CLIENT_HWND = 1;
PP_CONTEXT_INFO = 11;
PP_KEYEXCHANGE_KEYSIZE = 12;
PP_SIGNATURE_KEYSIZE = 13;
PP_KEYEXCHANGE_ALG = 14;
PP_SIGNATURE_ALG = 15;
PP_DELETEKEY = 24;
PROV_RSA_FULL = 1;
PROV_RSA_SIG = 2;
PROV_DSS = 3;
PROV_FORTEZZA = 4;
PROV_MS_EXCHANGE = 5;
PROV_SSL = 6;
PROV_RSA_SCHANNEL = 12;
PROV_DSS_DH = 13;
PROV_EC_ECDSA_SIG = 14;
PROV_EC_ECNRA_SIG = 15;
PROV_EC_ECDSA_FULL = 16;
PROV_EC_ECNRA_FULL = 17;
PROV_SPYRUS_LYNKS = 20;
// STT defined Providers
PROV_STT_MER = 7;
PROV_STT_ACQ = 8;
PROV_STT_BRND = 9;
PROV_STT_ROOT = 10;
PROV_STT_ISS = 11;
// Provider friendly names
MS_DEF_PROV_A = 'Microsoft Base Cryptographic Provider v1.0';
{$IFNDEF VER90}
MS_DEF_PROV_W = WideString( 'Microsoft Base Cryptographic Provider v1.0');
{$ELSE}
MS_DEF_PROV_W = ( 'Microsoft Base Cryptographic Provider v1.0');
{$ENDIF}
{$IFDEF UNICODE}
MS_DEF_PROV = MS_DEF_PROV_W;
{$ELSE}
MS_DEF_PROV = MS_DEF_PROV_A;
{$ENDIF}
MS_ENHANCED_PROV_A = 'Microsoft Enhanced Cryptographic Provider v1.0';
{$IFNDEF VER90}
MS_ENHANCED_PROV_W = WideString('Microsoft Enhanced Cryptographic Provider v1.0');
{$ELSE}
MS_ENHANCED_PROV_W = ('Microsoft Enhanced Cryptographic Provider v1.0');
{$ENDIF}
{$IFDEF UNICODE}
MS_ENHANCED_PROV = MS_ENHANCED_PROV_W;
{$ELSE}
MS_ENHANCED_PROV = MS_ENHANCED_PROV_A;
{$ENDIF}
MS_DEF_RSA_SIG_PROV_A = 'Microsoft RSA Signature Cryptographic Provider';
{$IFNDEF VER90}
MS_DEF_RSA_SIG_PROV_W = WideString('Microsoft RSA Signature Cryptographic Provider');
{$ELSE}
MS_DEF_RSA_SIG_PROV_W = ('Microsoft RSA Signature Cryptographic Provider');
{$ENDIF}
{$IFDEF UNICODE}
MS_DEF_RSA_SIG_PROV = MS_DEF_RSA_SIG_PROV_W;
{$ELSE}
MS_DEF_RSA_SIG_PROV = MS_DEF_RSA_SIG_PROV_A;
{$ENDIF}
MS_DEF_RSA_SCHANNEL_PROV_A = 'Microsoft Base RSA SChannel Cryptographic Provider';
{$IFNDEF VER90}
MS_DEF_RSA_SCHANNEL_PROV_W = WideString('Microsoft Base RSA SChannel Cryptographic Provider');
{$ELSE}
MS_DEF_RSA_SCHANNEL_PROV_W = ('Microsoft Base RSA SChannel Cryptographic Provider');
{$ENDIF}
{$IFDEF UNICODE}
MS_DEF_RSA_SCHANNEL_PROV = MS_DEF_RSA_SCHANNEL_PROV_W;
{$ELSE}
MS_DEF_RSA_SCHANNEL_PROV = MS_DEF_RSA_SCHANNEL_PROV_A;
{$ENDIF}
MS_ENHANCED_RSA_SCHANNEL_PROV_A = 'Microsoft Enhanced RSA SChannel Cryptographic Provider';
{$IFNDEF VER90}
MS_ENHANCED_RSA_SCHANNEL_PROV_W = WideString('Microsoft Enhanced RSA SChannel Cryptographic Provider');
{$ELSE}
MS_ENHANCED_RSA_SCHANNEL_PROV_W = ('Microsoft Enhanced RSA SChannel Cryptographic Provider');
{$ENDIF}
{$IFDEF UNICODE}
MS_ENHANCED_RSA_SCHANNEL_PROV = MS_ENHANCED_RSA_SCHANNEL_PROV_W;
{$ELSE}
MS_ENHANCED_RSA_SCHANNEL_PROV = MS_ENHANCED_RSA_SCHANNEL_PROV_A;
{$ENDIF}
MS_DEF_DSS_PROV_A = 'Microsoft Base DSS Cryptographic Provider';
{$IFNDEF VER90}
MS_DEF_DSS_PROV_W = WideString('Microsoft Base DSS Cryptographic Provider');
{$ELSE}
MS_DEF_DSS_PROV_W = ('Microsoft Base DSS Cryptographic Provider');
{$ENDIF}
{$IFDEF UNICODE}
MS_DEF_DSS_PROV = MS_DEF_DSS_PROV_W;
{$ELSE}
MS_DEF_DSS_PROV = MS_DEF_DSS_PROV_A;
{$ENDIF}
MS_DEF_DSS_DH_PROV_A = 'Microsoft Base DSS and Diffie-Hellman Cryptographic Provider';
{$IFNDEF VER90}
MS_DEF_DSS_DH_PROV_W = WideString('Microsoft Base DSS and Diffie-Hellman Cryptographic Provider');
{$ELSE}
MS_DEF_DSS_DH_PROV_W = ('Microsoft Base DSS and Diffie-Hellman Cryptographic Provider');
{$ENDIF}
{$IFDEF UNICODE}
MS_DEF_DSS_DH_PROV = MS_DEF_DSS_DH_PROV_W;
{$ELSE}
MS_DEF_DSS_DH_PROV = MS_DEF_DSS_DH_PROV_A;
{$ENDIF}
MAXUIDLEN = 64;
CUR_BLOB_VERSION = 2;
{structure for use with CryptSetHashParam with CALG_HMAC}
type
PHMAC_INFO = ^HMAC_INFO;
HMAC_INFO = record
HashAlgid :ALG_ID;
pbInnerString :PBYTE;
cbInnerString :DWORD;
pbOuterString :PBYTE;
cbOuterString :DWORD;
end;
// structure for use with CryptSetHashParam with CALG_HMAC
type
PSCHANNEL_ALG = ^SCHANNEL_ALG;
SCHANNEL_ALG = record
dwUse :DWORD;
Algid :ALG_ID;
cBits :DWORD;
end;
// uses of algortihms for SCHANNEL_ALG structure
const
SCHANNEL_MAC_KEY = $00000000;
SCHANNEL_ENC_KEY = $00000001;
type
PPROV_ENUMALGS = ^PROV_ENUMALGS;
PROV_ENUMALGS = record
aiAlgid :ALG_ID;
dwBitLen :DWORD;
dwNameLen :DWORD;
szName :array[0..20-1] of Char;
end ;
type
PPROV_ENUMALGS_EX = ^PROV_ENUMALGS_EX;
PROV_ENUMALGS_EX = record
aiAlgid :ALG_ID;
dwDefaultLen :DWORD;
dwMinLen :DWORD;
dwMaxLen :DWORD;
dwProtocols :DWORD;
dwNameLen :DWORD;
szName :array[0..20-1] of Char;
dwLongNameLen :DWORD;
szLongName :array[0..40-1] of Char;
end;
type
PPUBLICKEYSTRUC = ^PUBLICKEYSTRUC;
PUBLICKEYSTRUC = record
bType :BYTE;
bVersion :BYTE;
reserved :Word;
aiKeyAlg :ALG_ID;
end;
type
BLOBHEADER = PUBLICKEYSTRUC;
PBLOBHEADER = ^BLOBHEADER;
type
PRSAPUBKEY = ^RSAPUBKEY;
RSAPUBKEY = record
magic :DWORD; // Has to be RSA1
bitlen :DWORD; // # of bits in modulus
pubexp :DWORD; // public exponent
// Modulus data follows
end;
type
PPUBKEY = ^PUBKEY;
PUBKEY = record
magic :DWORD;
bitlen :DWORD; // # of bits in modulus
end;
type
DHPUBKEY = PUBKEY;
DSSPUBKEY = PUBKEY;
KEAPUBKEY = PUBKEY;
TEKPUBKEY = PUBKEY;
type
PDSSSEED = ^DSSSEED;
DSSSEED = record
counter :DWORD;
seed :array[0..20-1] of BYTE;
end;
type
PKEY_TYPE_SUBTYPE = ^KEY_TYPE_SUBTYPE;
KEY_TYPE_SUBTYPE = record
dwKeySpec :DWORD;
Type_ :TGUID; {conflict with base Delphi type: original name 'Type'}
Subtype :TGUID;
end;
type
HCRYPTPROV = ULONG;
PHCRYPTPROV = ^HCRYPTPROV;
HCRYPTKEY = ULONG;
PHCRYPTKEY = ^HCRYPTKEY;
HCRYPTHASH = ULONG;
PHCRYPTHASH = ^HCRYPTHASH;
function CryptAcquireContextA(phProv :PHCRYPTPROV;
pszContainer :PAnsiChar;
pszProvider :PAnsiChar;
dwProvType :DWORD;
dwFlags :DWORD) :BOOL;stdcall;
function CryptAcquireContext(phProv :PHCRYPTPROV;
pszContainer :LPAWSTR;
pszProvider :LPAWSTR;
dwProvType :DWORD;
dwFlags :DWORD) :BOOL;stdcall;
function CryptAcquireContextW(phProv :PHCRYPTPROV;
pszContainer :PWideChar;
pszProvider :PWideChar;
dwProvType :DWORD;
dwFlags :DWORD) :BOOL ;stdcall;
function CryptReleaseContext(hProv :HCRYPTPROV;
dwFlags :DWORD) :BOOL;stdcall;
function CryptGenKey(hProv :HCRYPTPROV;
Algid :ALG_ID;
dwFlags :DWORD;
phKey :PHCRYPTKEY) :BOOL;stdcall ;
function CryptDeriveKey(hProv :HCRYPTPROV;
Algid :ALG_ID;
hBaseData :HCRYPTHASH;
dwFlags :DWORD;
phKey :PHCRYPTKEY) :BOOL;stdcall ;
function CryptDestroyKey(hKey :HCRYPTKEY) :BOOL;stdcall ;
function CryptSetKeyParam(hKey :HCRYPTKEY;
dwParam :DWORD;
pbData :PBYTE;
dwFlags :DWORD) :BOOL;stdcall;
function CryptGetKeyParam(hKey :HCRYPTKEY;
dwParam :DWORD;
pbData :PBYTE;
pdwDataLen :PDWORD;
dwFlags :DWORD) :BOOL;stdcall;
function CryptSetHashParam(hHash :HCRYPTHASH;
dwParam :DWORD;
pbData :PBYTE;
dwFlags :DWORD) :BOOL;stdcall;
function CryptGetHashParam(hHash :HCRYPTHASH;
dwParam :DWORD;
pbData :PBYTE;
pdwDataLen :PDWORD;
dwFlags :DWORD) :BOOL;stdcall;
function CryptSetProvParam(hProv :HCRYPTPROV;
dwParam :DWORD;
pbData :PBYTE;
dwFlags :DWORD) :BOOL;stdcall;
function CryptGetProvParam(hProv :HCRYPTPROV;
dwParam :DWORD;
pbData :PBYTE;
pdwDataLen :PDWORD;
dwFlags :DWORD) :BOOL;stdcall;
function CryptGenRandom(hProv :HCRYPTPROV;
dwLen :DWORD;
pbBuffer :PBYTE) :BOOL;stdcall;
function CryptGetUserKey(hProv :HCRYPTPROV;
dwKeySpec :DWORD;
phUserKey :PHCRYPTKEY) :BOOL;stdcall;
function CryptExportKey(hKey :HCRYPTKEY;
hExpKey :HCRYPTKEY;
dwBlobType :DWORD;
dwFlags :DWORD;
pbData :PBYTE;
pdwDataLen :PDWORD) :BOOL;stdcall;
function CryptImportKey(hProv :HCRYPTPROV;
pbData :PBYTE;
dwDataLen :DWORD;
hPubKey :HCRYPTKEY;
dwFlags :DWORD;
phKey :PHCRYPTKEY) :BOOL;stdcall;
function CryptEncrypt(hKey :HCRYPTKEY;
hHash :HCRYPTHASH;
Final :BOOL;
dwFlags :DWORD;
pbData :PBYTE;
pdwDataLen :PDWORD;
dwBufLen :DWORD) :BOOL;stdcall;
function CryptDecrypt(hKey :HCRYPTKEY;
hHash :HCRYPTHASH;
Final :BOOL;
dwFlags :DWORD;
pbData :PBYTE;
pdwDataLen :PDWORD) :BOOL;stdcall;
function CryptCreateHash(hProv :HCRYPTPROV;
Algid :ALG_ID;
hKey :HCRYPTKEY;
dwFlags :DWORD;
phHash :PHCRYPTHASH) :BOOL;stdcall;
function CryptHashData(hHash :HCRYPTHASH;
const pbData :PBYTE;
dwDataLen :DWORD;
dwFlags :DWORD) :BOOL;stdcall;
function CryptHashSessionKey(hHash :HCRYPTHASH;
hKey :HCRYPTKEY;
dwFlags :DWORD) :BOOL;stdcall;
function CryptDestroyHash(hHash :HCRYPTHASH) :BOOL;stdcall;
function CryptSignHashA(hHash :HCRYPTHASH;
dwKeySpec :DWORD;
sDescription :PAnsiChar;
dwFlags :DWORD;
pbSignature :PBYTE;
pdwSigLen :PDWORD) :BOOL;stdcall;
function CryptSignHash(hHash :HCRYPTHASH;
dwKeySpec :DWORD;
sDescription :LPAWSTR;
dwFlags :DWORD;
pbSignature :PBYTE;
pdwSigLen :PDWORD) :BOOL;stdcall;
function CryptSignHashW(hHash :HCRYPTHASH;
dwKeySpec :DWORD;
sDescription :PWideChar;
dwFlags :DWORD;
pbSignature :PBYTE;
pdwSigLen :PDWORD) :BOOL;stdcall;
function CryptSignHashU(hHash :HCRYPTHASH;
dwKeySpec :DWORD;
sDescription :PWideChar;
dwFlags :DWORD;
pbSignature :PBYTE;
pdwSigLen :PDWORD) :BOOL;stdcall;
function CryptVerifySignatureA(hHash :HCRYPTHASH;
const pbSignature :PBYTE;
dwSigLen :DWORD;
hPubKey :HCRYPTKEY;
sDescription :PAnsiChar;
dwFlags :DWORD) :BOOL;stdcall;
function CryptVerifySignature(hHash :HCRYPTHASH;
const pbSignature :PBYTE;
dwSigLen :DWORD;
hPubKey :HCRYPTKEY;
sDescription :LPAWSTR;
dwFlags :DWORD) :BOOL;stdcall;
function CryptVerifySignatureW(hHash :HCRYPTHASH;
const pbSignature :PBYTE;
dwSigLen :DWORD;
hPubKey :HCRYPTKEY;
sDescription :PWideChar;
dwFlags :DWORD) :BOOL;stdcall;
function CryptSetProviderA(pszProvName :PAnsiChar;
dwProvType :DWORD) :BOOL;stdcall;
function CryptSetProvider(pszProvName :LPAWSTR;
dwProvType :DWORD) :BOOL;stdcall;
function CryptSetProviderW(pszProvName :PWideChar;
dwProvType :DWORD) :BOOL;stdcall;
function CryptSetProviderU(pszProvName :PWideChar;
dwProvType :DWORD) :BOOL;stdcall;
{$IFDEF NT5}
function CryptSetProviderExA(pszProvName :LPCSTR;
dwProvType :DWORD;
pdwReserved :PDWORD;
dwFlags :DWORD):BOOL;stdcall;
function CryptSetProviderExW(pszProvName :LPCWSTR;
dwProvType :DWORD;
pdwReserved :PDWORD;
dwFlags :DWORD):BOOL;stdcall;
function CryptSetProviderEx(pszProvName :LPAWSTR;
dwProvType :DWORD;
pdwReserved :PDWORD;
dwFlags :DWORD):BOOL;stdcall;
function CryptGetDefaultProviderA(dwProvType :DWORD;
pdwReserved :DWORD;
dwFlags :DWORD;
pszProvName :LPSTR;
pcbProvName :PDWORD):BOOL ; stdcall;
function CryptGetDefaultProviderW(dwProvType :DWORD;
pdwReserved :DWORD;
dwFlags :DWORD;
pszProvName :LPWSTR;
pcbProvName :PDWORD):BOOL ; stdcall;
function CryptGetDefaultProvider(dwProvType :DWORD;
pdwReserved :DWORD;
dwFlags :DWORD;
pszProvName :LPAWSTR;
pcbProvName :PDWORD):BOOL ; stdcall;
function CryptEnumProviderTypesA(dwIndex :DWORD;
pdwReserved :PDWORD;
dwFlags :DWORD;
pdwProvType :PDWORD;
pszTypeName :LPSTR;
pcbTypeName :PDWORD):BOOL ; stdcall;
function CryptEnumProviderTypesW(dwIndex :DWORD;
pdwReserved :PDWORD;
dwFlags :DWORD;
pdwProvType :PDWORD;
pszTypeName :LPWSTR;
pcbTypeName :PDWORD):BOOL ; stdcall;
function CryptEnumProviderTypes(dwIndex :DWORD;
pdwReserved :PDWORD;
dwFlags :DWORD;
pdwProvType :PDWORD;
pszTypeName :LPAWSTR;
pcbTypeName :PDWORD):BOOL ; stdcall;
function CryptEnumProvidersA(dwIndex :DWORD;
pdwReserved :PDWORD;
dwFlags :DWORD;
pdwProvType :PDWORD;
pszProvName :LPSTR;
pcbProvName :PDWORD):BOOL ; stdcall;
function CryptEnumProvidersW(dwIndex :DWORD;
pdwReserved :PDWORD;
dwFlags :DWORD;
pdwProvType :PDWORD;
pszProvName :LPWSTR;
pcbProvName :PDWORD):BOOL ; stdcall;
function CryptEnumProviders(dwIndex :DWORD;
pdwReserved :PDWORD;
dwFlags :DWORD;
pdwProvType :PDWORD;
pszProvName :LPAWSTR;
pcbProvName :PDWORD):BOOL ; stdcall;
function CryptContextAddRef(hProv :HCRYPTPROV;
pdwReserved :PDWORD;
dwFlags :DWORD):BOOL ; stdcall;
function CryptDuplicateKey(hKey :HCRYPTKEY;
pdwReserved :PDWORD;
dwFlags :DWORD;
phKey :PHCRYPTKEY):BOOL ; stdcall;
function CryptDuplicateHash(hHash :HCRYPTHASH;
pdwReserved :PDWORD;
dwFlags :DWORD;
phHash :PHCRYPTHASH):BOOL ; stdcall;
{$ENDIF NT5}
function CryptEnumProvidersU(dwIndex :DWORD;
pdwReserved :PDWORD;
dwFlags :DWORD;
pdwProvType :PDWORD;
pszProvName :LPWSTR;
pcbProvName :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// CRYPTOAPI BLOB definitions
//--------------------------------------------------------------------------
type
PCRYPTOAPI_BLOB = ^CRYPTOAPI_BLOB;
CRYPTOAPI_BLOB = record
cbData :DWORD;
pbData :PBYTE;
end;
type
CRYPT_INTEGER_BLOB = CRYPTOAPI_BLOB;
PCRYPT_INTEGER_BLOB = ^CRYPT_INTEGER_BLOB;
CRYPT_UINT_BLOB = CRYPTOAPI_BLOB;
PCRYPT_UINT_BLOB = ^CRYPT_UINT_BLOB;
CRYPT_OBJID_BLOB = CRYPTOAPI_BLOB;
PCRYPT_OBJID_BLOB = ^CRYPT_OBJID_BLOB;
CERT_NAME_BLOB = CRYPTOAPI_BLOB;
PCERT_NAME_BLOB = ^CERT_NAME_BLOB;
CERT_RDN_VALUE_BLOB = CRYPTOAPI_BLOB;
PCERT_RDN_VALUE_BLOB = ^CERT_RDN_VALUE_BLOB;
CERT_BLOB = CRYPTOAPI_BLOB;
PCERT_BLOB = ^CERT_BLOB;
CRL_BLOB = CRYPTOAPI_BLOB;
PCRL_BLOB = ^CRL_BLOB;
DATA_BLOB = CRYPTOAPI_BLOB;
PDATA_BLOB = ^DATA_BLOB; // JEFFJEFF temporary (too generic)
CRYPT_DATA_BLOB = CRYPTOAPI_BLOB;
PCRYPT_DATA_BLOB = ^CRYPT_DATA_BLOB;
CRYPT_HASH_BLOB = CRYPTOAPI_BLOB;
PCRYPT_HASH_BLOB = ^CRYPT_HASH_BLOB;
CRYPT_DIGEST_BLOB = CRYPTOAPI_BLOB;
PCRYPT_DIGEST_BLOB = ^CRYPT_DIGEST_BLOB;
CRYPT_DER_BLOB = CRYPTOAPI_BLOB;
PCRYPT_DER_BLOB = ^CRYPT_DER_BLOB;
CRYPT_ATTR_BLOB = CRYPTOAPI_BLOB;
PCRYPT_ATTR_BLOB = ^CRYPT_ATTR_BLOB;
//+-------------------------------------------------------------------------
// In a CRYPT_BIT_BLOB the last byte may contain 0-7 unused bits. Therefore, the
// overall bit length is cbData * 8 - cUnusedBits.
//--------------------------------------------------------------------------
type
PCRYPT_BIT_BLOB = ^CRYPT_BIT_BLOB;
CRYPT_BIT_BLOB = record
cbData :DWORD;
pbData :PBYTE;
cUnusedBits :DWORD;
end;
//+-------------------------------------------------------------------------
// Type used for any algorithm
//
// Where the Parameters CRYPT_OBJID_BLOB is in its encoded representation. For most
// algorithm types, the Parameters CRYPT_OBJID_BLOB is NULL (Parameters.cbData = 0).
//--------------------------------------------------------------------------
type
PCRYPT_ALGORITHM_IDENTIFIER = ^CRYPT_ALGORITHM_IDENTIFIER;
CRYPT_ALGORITHM_IDENTIFIER = record
pszObjId :LPSTR;
Parameters :CRYPT_OBJID_BLOB;
end;
// Following are the definitions of various algorithm object identifiers
// RSA
const
szOID_RSA = '1.2.840.113549';
szOID_PKCS = '1.2.840.113549.1';
szOID_RSA_HASH = '1.2.840.113549.2';
szOID_RSA_ENCRYPT = '1.2.840.113549.3';
szOID_PKCS_1 = '1.2.840.113549.1.1';
szOID_PKCS_2 = '1.2.840.113549.1.2';
szOID_PKCS_3 = '1.2.840.113549.1.3';
szOID_PKCS_4 = '1.2.840.113549.1.4';
szOID_PKCS_5 = '1.2.840.113549.1.5';
szOID_PKCS_6 = '1.2.840.113549.1.6';
szOID_PKCS_7 = '1.2.840.113549.1.7';
szOID_PKCS_8 = '1.2.840.113549.1.8';
szOID_PKCS_9 = '1.2.840.113549.1.9';
szOID_PKCS_10 = '1.2.840.113549.1.10';
szOID_RSA_RSA = '1.2.840.113549.1.1.1';
szOID_RSA_MD2RSA = '1.2.840.113549.1.1.2';
szOID_RSA_MD4RSA = '1.2.840.113549.1.1.3';
szOID_RSA_MD5RSA = '1.2.840.113549.1.1.4';
szOID_RSA_SHA1RSA = '1.2.840.113549.1.1.5';
szOID_RSA_SETOAEP_RSA = '1.2.840.113549.1.1.6';
szOID_RSA_data = '1.2.840.113549.1.7.1';
szOID_RSA_signedData = '1.2.840.113549.1.7.2';
szOID_RSA_envelopedData = '1.2.840.113549.1.7.3';
szOID_RSA_signEnvData = '1.2.840.113549.1.7.4';
szOID_RSA_digestedData = '1.2.840.113549.1.7.5';
szOID_RSA_hashedData = '1.2.840.113549.1.7.5';
szOID_RSA_encryptedData = '1.2.840.113549.1.7.6';
szOID_RSA_emailAddr = '1.2.840.113549.1.9.1';
szOID_RSA_unstructName = '1.2.840.113549.1.9.2';
szOID_RSA_contentType = '1.2.840.113549.1.9.3';
szOID_RSA_messageDigest = '1.2.840.113549.1.9.4';
szOID_RSA_signingTime = '1.2.840.113549.1.9.5';
szOID_RSA_counterSign = '1.2.840.113549.1.9.6';
szOID_RSA_challengePwd = '1.2.840.113549.1.9.7';
szOID_RSA_unstructAddr = '1.2.840.113549.1.9.8';
szOID_RSA_extCertAttrs = '1.2.840.113549.1.9.9';
szOID_RSA_SMIMECapabilities = '1.2.840.113549.1.9.15';
szOID_RSA_preferSignedData = '1.2.840.113549.1.9.15.1';
szOID_RSA_MD2 = '1.2.840.113549.2.2';
szOID_RSA_MD4 = '1.2.840.113549.2.4';
szOID_RSA_MD5 = '1.2.840.113549.2.5';
szOID_RSA_RC2CBC = '1.2.840.113549.3.2';
szOID_RSA_RC4 = '1.2.840.113549.3.4';
szOID_RSA_DES_EDE3_CBC = '1.2.840.113549.3.7';
szOID_RSA_RC5_CBCPad = '1.2.840.113549.3.9';
// ITU-T UsefulDefinitions
szOID_DS = '2.5';
szOID_DSALG = '2.5.8';
szOID_DSALG_CRPT = '2.5.8.1';
szOID_DSALG_HASH = '2.5.8.2';
szOID_DSALG_SIGN = '2.5.8.3';
szOID_DSALG_RSA = '2.5.8.1.1';
// NIST OSE Implementors' Workshop (OIW)
// http://nemo.ncsl.nist.gov/oiw/agreements/stable/OSI/12s_9506.w51
// http://nemo.ncsl.nist.gov/oiw/agreements/working/OSI/12w_9503.w51
szOID_OIW = '1.3.14';
// NIST OSE Implementors' Workshop (OIW) Security SIG algorithm identifiers
szOID_OIWSEC = '1.3.14.3.2';
szOID_OIWSEC_md4RSA = '1.3.14.3.2.2';
szOID_OIWSEC_md5RSA = '1.3.14.3.2.3';
szOID_OIWSEC_md4RSA2 = '1.3.14.3.2.4';
szOID_OIWSEC_desECB = '1.3.14.3.2.6';
szOID_OIWSEC_desCBC = '1.3.14.3.2.7';
szOID_OIWSEC_desOFB = '1.3.14.3.2.8';
szOID_OIWSEC_desCFB = '1.3.14.3.2.9';
szOID_OIWSEC_desMAC = '1.3.14.3.2.10';
szOID_OIWSEC_rsaSign = '1.3.14.3.2.11';
szOID_OIWSEC_dsa = '1.3.14.3.2.12';
szOID_OIWSEC_shaDSA = '1.3.14.3.2.13';
szOID_OIWSEC_mdc2RSA = '1.3.14.3.2.14';
szOID_OIWSEC_shaRSA = '1.3.14.3.2.15';
szOID_OIWSEC_dhCommMod = '1.3.14.3.2.16';
szOID_OIWSEC_desEDE = '1.3.14.3.2.17';
szOID_OIWSEC_sha = '1.3.14.3.2.18';
szOID_OIWSEC_mdc2 = '1.3.14.3.2.19';
szOID_OIWSEC_dsaComm = '1.3.14.3.2.20';
szOID_OIWSEC_dsaCommSHA = '1.3.14.3.2.21';
szOID_OIWSEC_rsaXchg = '1.3.14.3.2.22';
szOID_OIWSEC_keyHashSeal = '1.3.14.3.2.23';
szOID_OIWSEC_md2RSASign = '1.3.14.3.2.24';
szOID_OIWSEC_md5RSASign = '1.3.14.3.2.25';
szOID_OIWSEC_sha1 = '1.3.14.3.2.26';
szOID_OIWSEC_dsaSHA1 = '1.3.14.3.2.27';
szOID_OIWSEC_dsaCommSHA1 = '1.3.14.3.2.28';
szOID_OIWSEC_sha1RSASign = '1.3.14.3.2.29';
// NIST OSE Implementors' Workshop (OIW) Directory SIG algorithm identifiers
szOID_OIWDIR = '1.3.14.7.2';
szOID_OIWDIR_CRPT = '1.3.14.7.2.1';
szOID_OIWDIR_HASH = '1.3.14.7.2.2';
szOID_OIWDIR_SIGN = '1.3.14.7.2.3';
szOID_OIWDIR_md2 = '1.3.14.7.2.2.1';
szOID_OIWDIR_md2RSA = '1.3.14.7.2.3.1';
// INFOSEC Algorithms
// joint-iso-ccitt(2) country(16) us(840) organization(1) us-government(101) dod(2) id-infosec(1)
szOID_INFOSEC = '2.16.840.1.101.2.1';
szOID_INFOSEC_sdnsSignature = '2.16.840.1.101.2.1.1.1';
szOID_INFOSEC_mosaicSignature = '2.16.840.1.101.2.1.1.2';
szOID_INFOSEC_sdnsConfidentiality = '2.16.840.1.101.2.1.1.3';
szOID_INFOSEC_mosaicConfidentiality = '2.16.840.1.101.2.1.1.4';
szOID_INFOSEC_sdnsIntegrity = '2.16.840.1.101.2.1.1.5';
szOID_INFOSEC_mosaicIntegrity = '2.16.840.1.101.2.1.1.6';
szOID_INFOSEC_sdnsTokenProtection = '2.16.840.1.101.2.1.1.7';
szOID_INFOSEC_mosaicTokenProtection = '2.16.840.1.101.2.1.1.8';
szOID_INFOSEC_sdnsKeyManagement = '2.16.840.1.101.2.1.1.9';
szOID_INFOSEC_mosaicKeyManagement = '2.16.840.1.101.2.1.1.10';
szOID_INFOSEC_sdnsKMandSig = '2.16.840.1.101.2.1.1.11';
szOID_INFOSEC_mosaicKMandSig = '2.16.840.1.101.2.1.1.12';
szOID_INFOSEC_SuiteASignature = '2.16.840.1.101.2.1.1.13';
szOID_INFOSEC_SuiteAConfidentiality = '2.16.840.1.101.2.1.1.14';
szOID_INFOSEC_SuiteAIntegrity = '2.16.840.1.101.2.1.1.15';
szOID_INFOSEC_SuiteATokenProtection = '2.16.840.1.101.2.1.1.16';
szOID_INFOSEC_SuiteAKeyManagement = '2.16.840.1.101.2.1.1.17';
szOID_INFOSEC_SuiteAKMandSig = '2.16.840.1.101.2.1.1.18';
szOID_INFOSEC_mosaicUpdatedSig = '2.16.840.1.101.2.1.1.19';
szOID_INFOSEC_mosaicKMandUpdSig = '2.16.840.1.101.2.1.1.20';
szOID_INFOSEC_mosaicUpdatedInteg = '2.16.840.1.101.2.1.1.21';
type
PCRYPT_OBJID_TABLE = ^CRYPT_OBJID_TABLE;
CRYPT_OBJID_TABLE = record
dwAlgId :DWORD;
pszObjId :LPCSTR;
end;
//+-------------------------------------------------------------------------
// PKCS #1 HashInfo (DigestInfo)
//--------------------------------------------------------------------------
type
PCRYPT_HASH_INFO = ^CRYPT_HASH_INFO;
CRYPT_HASH_INFO = record
HashAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
Hash :CRYPT_HASH_BLOB;
end;
//+-------------------------------------------------------------------------
// Type used for an extension to an encoded content
//
// Where the Value's CRYPT_OBJID_BLOB is in its encoded representation.
//--------------------------------------------------------------------------
type
PCERT_EXTENSION = ^CERT_EXTENSION;
CERT_EXTENSION = record
pszObjId :LPSTR;
fCritical :BOOL;
Value :CRYPT_OBJID_BLOB;
end;
//+-------------------------------------------------------------------------
// AttributeTypeValue
//
// Where the Value's CRYPT_OBJID_BLOB is in its encoded representation.
//--------------------------------------------------------------------------
type
PCRYPT_ATTRIBUTE_TYPE_VALUE =^CRYPT_ATTRIBUTE_TYPE_VALUE;
CRYPT_ATTRIBUTE_TYPE_VALUE = record
pszObjId :LPSTR;
Value :CRYPT_OBJID_BLOB;
end;
//+-------------------------------------------------------------------------
// Attributes
//
// Where the Value's PATTR_BLOBs are in their encoded representation.
//--------------------------------------------------------------------------
type
PCRYPT_ATTRIBUTE = ^CRYPT_ATTRIBUTE;
CRYPT_ATTRIBUTE = record
pszObjId :LPSTR;
cValue :DWORD;
rgValue :PCRYPT_ATTR_BLOB;
end;
type
PCRYPT_ATTRIBUTES =^CRYPT_ATTRIBUTES;
CRYPT_ATTRIBUTES = record
cAttr :DWORD; {IN}
rgAttr :PCRYPT_ATTRIBUTE; {IN}
end;
//+-------------------------------------------------------------------------
// Attributes making up a Relative Distinguished Name (CERT_RDN)
//
// The interpretation of the Value depends on the dwValueType.
// See below for a list of the types.
//--------------------------------------------------------------------------
type
PCERT_RDN_ATTR = ^CERT_RDN_ATTR;
CERT_RDN_ATTR = record
pszObjId :LPSTR;
dwValueType :DWORD;
Value :CERT_RDN_VALUE_BLOB;
end;
//+-------------------------------------------------------------------------
// CERT_RDN attribute Object Identifiers
//--------------------------------------------------------------------------
// Labeling attribute types:
const
szOID_COMMON_NAME = '2.5.4.3'; // case-ignore string
szOID_SUR_NAME = '2.5.4.4'; // case-ignore string
szOID_DEVICE_SERIAL_NUMBER = '2.5.4.5'; // printable string
// Geographic attribute types:
szOID_COUNTRY_NAME = '2.5.4.6'; // printable 2char string
szOID_LOCALITY_NAME = '2.5.4.7'; // case-ignore string
szOID_STATE_OR_PROVINCE_NAME = '2.5.4.8'; // case-ignore string
szOID_STREET_ADDRESS = '2.5.4.9'; // case-ignore string
// Organizational attribute types:
szOID_ORGANIZATION_NAME = '2.5.4.10';// case-ignore string
szOID_ORGANIZATIONAL_UNIT_NAME = '2.5.4.11'; // case-ignore string
szOID_TITLE = '2.5.4.12'; // case-ignore string
// Explanatory attribute types:
szOID_DESCRIPTION = '2.5.4.13'; // case-ignore string
szOID_SEARCH_GUIDE = '2.5.4.14';
szOID_BUSINESS_CATEGORY = '2.5.4.15'; // case-ignore string
// Postal addressing attribute types:
szOID_POSTAL_ADDRESS = '2.5.4.16';
szOID_POSTAL_CODE = '2.5.4.17'; // case-ignore string
szOID_POST_OFFICE_BOX = '2.5.4.18'; // case-ignore string
szOID_PHYSICAL_DELIVERY_OFFICE_NAME = '2.5.4.19'; // case-ignore string
// Telecommunications addressing attribute types:
szOID_TELEPHONE_NUMBER = '2.5.4.20'; // telephone number
szOID_TELEX_NUMBER = '2.5.4.21';
szOID_TELETEXT_TERMINAL_IDENTIFIER = '2.5.4.22';
szOID_FACSIMILE_TELEPHONE_NUMBER = '2.5.4.23';
szOID_X21_ADDRESS = '2.5.4.24'; // numeric string
szOID_INTERNATIONAL_ISDN_NUMBER = '2.5.4.25'; // numeric string
szOID_REGISTERED_ADDRESS = '2.5.4.26';
szOID_DESTINATION_INDICATOR = '2.5.4.27'; // printable string
// Preference attribute types:
szOID_PREFERRED_DELIVERY_METHOD = '2.5.4.28';
// OSI application attribute types:
szOID_PRESENTATION_ADDRESS = '2.5.4.29';
szOID_SUPPORTED_APPLICATION_CONTEXT = '2.5.4.30';
// Relational application attribute types:
szOID_MEMBER = '2.5.4.31';
szOID_OWNER = '2.5.4.32';
szOID_ROLE_OCCUPANT = '2.5.4.33';
szOID_SEE_ALSO = '2.5.4.34';
// Security attribute types:
szOID_USER_PASSWORD = '2.5.4.35';
szOID_USER_CERTIFICATE = '2.5.4.36';
szOID_CA_CERTIFICATE = '2.5.4.37';
szOID_AUTHORITY_REVOCATION_LIST = '2.5.4.38';
szOID_CERTIFICATE_REVOCATION_LIST = '2.5.4.39';
szOID_CROSS_CERTIFICATE_PAIR = '2.5.4.40';
// Undocumented attribute types???
//#define szOID_??? '2.5.4.41'
szOID_GIVEN_NAME = '2.5.4.42'; // case-ignore string
szOID_INITIALS = '2.5.4.43'; // case-ignore string
// Pilot user attribute types:
szOID_DOMAIN_COMPONENT = '0.9.2342.19200300.100.1.25'; // IA5 string
//+-------------------------------------------------------------------------
// CERT_RDN Attribute Value Types
//
// For RDN_ENCODED_BLOB, the Value's CERT_RDN_VALUE_BLOB is in its encoded
// representation. Otherwise, its an array of bytes.
//
// For all CERT_RDN types, Value.cbData is always the number of bytes, not
// necessarily the number of elements in the string. For instance,
// RDN_UNIVERSAL_STRING is an array of ints (cbData == intCnt * 4) and
// RDN_BMP_STRING is an array of unsigned shorts (cbData == ushortCnt * 2).
//
// For CertDecodeName, two 0 bytes are always appended to the end of the
// string (ensures a CHAR or WCHAR string is null terminated).
// These added 0 bytes are't included in the BLOB.cbData.
//--------------------------------------------------------------------------
const
CERT_RDN_ANY_TYPE = 0;
CERT_RDN_ENCODED_BLOB = 1;
CERT_RDN_OCTET_STRING = 2;
CERT_RDN_NUMERIC_STRING = 3;
CERT_RDN_PRINTABLE_STRING = 4;
CERT_RDN_TELETEX_STRING = 5;
CERT_RDN_T61_STRING = 5;
CERT_RDN_VIDEOTEX_STRING = 6;
CERT_RDN_IA5_STRING = 7;
CERT_RDN_GRAPHIC_STRING = 8;
CERT_RDN_VISIBLE_STRING = 9;
CERT_RDN_ISO646_STRING = 9;
CERT_RDN_GENERAL_STRING = 10;
CERT_RDN_UNIVERSAL_STRING = 11;
CERT_RDN_INT4_STRING = 11;
CERT_RDN_BMP_STRING = 12;
CERT_RDN_UNICODE_STRING = 12;
// Macro to check that the dwValueType is a character string and not an
// encoded blob or octet string
function IS_CERT_RDN_CHAR_STRING(X :DWORD) :BOOL;
//+-------------------------------------------------------------------------
// A CERT_RDN consists of an array of the above attributes
//--------------------------------------------------------------------------
type
PCERT_RDN = ^CERT_RDN;
CERT_RDN = record
cRDNAttr :DWORD;
rgRDNAttr :PCERT_RDN_ATTR;
end;
//+-------------------------------------------------------------------------
// Information stored in a subject's or issuer's name. The information
// is represented as an array of the above RDNs.
//--------------------------------------------------------------------------
type
PCERT_NAME_INFO = ^CERT_NAME_INFO;
CERT_NAME_INFO = record
cRDN :DWORD;
rgRDN :PCERT_RDN;
end;
//+-------------------------------------------------------------------------
// Name attribute value without the Object Identifier
//
// The interpretation of the Value depends on the dwValueType.
// See above for a list of the types.
//--------------------------------------------------------------------------
type
PCERT_NAME_VALUE = ^CERT_NAME_VALUE;
CERT_NAME_VALUE = record
dwValueType :DWORD;
Value :CERT_RDN_VALUE_BLOB;
end;
//+-------------------------------------------------------------------------
// Public Key Info
//
// The PublicKey is the encoded representation of the information as it is
// stored in the bit string
//--------------------------------------------------------------------------
type
PCERT_PUBLIC_KEY_INFO = ^CERT_PUBLIC_KEY_INFO;
CERT_PUBLIC_KEY_INFO = record
Algorithm :CRYPT_ALGORITHM_IDENTIFIER;
PublicKey :CRYPT_BIT_BLOB;
end;
const
CERT_RSA_PUBLIC_KEY_OBJID = szOID_RSA_RSA;
CERT_DEFAULT_OID_PUBLIC_KEY_SIGN = szOID_RSA_RSA;
CERT_DEFAULT_OID_PUBLIC_KEY_XCHG = szOID_RSA_RSA;
//+-------------------------------------------------------------------------
// Information stored in a certificate
//
// The Issuer, Subject, Algorithm, PublicKey and Extension BLOBs are the
// encoded representation of the information.
//--------------------------------------------------------------------------
type
PCERT_INFO = ^CERT_INFO;
CERT_INFO = record
dwVersion :DWORD;
SerialNumber :CRYPT_INTEGER_BLOB;
SignatureAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
Issuer :CERT_NAME_BLOB;
NotBefore :TFILETIME;
NotAfter :TFILETIME;
Subject :CERT_NAME_BLOB;
SubjectPublicKeyInfo :CERT_PUBLIC_KEY_INFO;
IssuerUniqueId :CRYPT_BIT_BLOB;
SubjectUniqueId :CRYPT_BIT_BLOB;
cExtension :DWORD;
rgExtension :PCERT_EXTENSION;
end;
//+-------------------------------------------------------------------------
// Certificate versions
//--------------------------------------------------------------------------
const
CERT_V1 = 0;
CERT_V2 = 1;
CERT_V3 = 2;
//+-------------------------------------------------------------------------
// Certificate Information Flags
//--------------------------------------------------------------------------
CERT_INFO_VERSION_FLAG = 1;
CERT_INFO_SERIAL_NUMBER_FLAG = 2;
CERT_INFO_SIGNATURE_ALGORITHM_FLAG = 3;
CERT_INFO_ISSUER_FLAG = 4;
CERT_INFO_NOT_BEFORE_FLAG = 5;
CERT_INFO_NOT_AFTER_FLAG = 6;
CERT_INFO_SUBJECT_FLAG = 7;
CERT_INFO_SUBJECT_PUBLIC_KEY_INFO_FLAG = 8;
CERT_INFO_ISSUER_UNIQUE_ID_FLAG = 9;
CERT_INFO_SUBJECT_UNIQUE_ID_FLAG = 10;
CERT_INFO_EXTENSION_FLAG = 11;
//+-------------------------------------------------------------------------
// An entry in a CRL
//
// The Extension BLOBs are the encoded representation of the information.
//--------------------------------------------------------------------------
type
PCRL_ENTRY = ^CRL_ENTRY;
CRL_ENTRY = record
SerialNumber :CRYPT_INTEGER_BLOB;
RevocationDate :TFILETIME;
cExtension :DWORD;
rgExtension :PCERT_EXTENSION;
end;
//+-------------------------------------------------------------------------
// Information stored in a CRL
//
// The Issuer, Algorithm and Extension BLOBs are the encoded
// representation of the information.
//--------------------------------------------------------------------------
type
PCRL_INFO = ^CRL_INFO;
CRL_INFO = record
dwVersion :DWORD;
SignatureAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
Issuer :CERT_NAME_BLOB;
ThisUpdate :TFILETIME;
NextUpdate :TFILETIME;
cCRLEntry :DWORD;
rgCRLEntry :PCRL_ENTRY;
cExtension :DWORD;
rgExtension :PCERT_EXTENSION;
end;
//+-------------------------------------------------------------------------
// CRL versions
//--------------------------------------------------------------------------
const
CRL_V1 = 0;
CRL_V2 = 1;
//+-------------------------------------------------------------------------
// Information stored in a certificate request
//
// The Subject, Algorithm, PublicKey and Attribute BLOBs are the encoded
// representation of the information.
//--------------------------------------------------------------------------
type
PCERT_REQUEST_INFO = ^CERT_REQUEST_INFO;
CERT_REQUEST_INFO = record
dwVersion :DWORD;
Subject :CERT_NAME_BLOB;
SubjectPublicKeyInfo :CERT_PUBLIC_KEY_INFO;
cAttribute :DWORD;
rgAttribute :PCRYPT_ATTRIBUTE;
end;
//+-------------------------------------------------------------------------
// Certificate Request versions
//--------------------------------------------------------------------------
const CERT_REQUEST_V1 = 0;
//+-------------------------------------------------------------------------
// Information stored in Netscape's Keygen request
//--------------------------------------------------------------------------
type
PCERT_KEYGEN_REQUEST_INFO = ^CERT_KEYGEN_REQUEST_INFO;
CERT_KEYGEN_REQUEST_INFO = record
dwVersion :DWORD;
SubjectPublicKeyInfo :CERT_PUBLIC_KEY_INFO;
pwszChallengeString :LPWSTR; // encoded as IA5
end;
const
CERT_KEYGEN_REQUEST_V1 = 0;
//+-------------------------------------------------------------------------
// Certificate, CRL, Certificate Request or Keygen Request Signed Content
//
// The "to be signed" encoded content plus its signature. The ToBeSigned
// is the encoded CERT_INFO, CRL_INFO, CERT_REQUEST_INFO or
// CERT_KEYGEN_REQUEST_INFO.
//--------------------------------------------------------------------------
type
PCERT_SIGNED_CONTENT_INFO = ^CERT_SIGNED_CONTENT_INFO;
CERT_SIGNED_CONTENT_INFO = record
ToBeSigned :CRYPT_DER_BLOB;
SignatureAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
Signature :CRYPT_BIT_BLOB;
end;
//+-------------------------------------------------------------------------
// Certificate Trust List (CTL)
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CTL Usage. Also used for EnhancedKeyUsage extension.
//--------------------------------------------------------------------------
type
PCTL_USAGE =^CTL_USAGE;
CTL_USAGE = record
cUsageIdentifier :DWORD;
rgpszUsageIdentifier :PLPSTR; // array of pszObjId
end;
type
CERT_ENHKEY_USAGE = CTL_USAGE;
PCERT_ENHKEY_USAGE = ^CERT_ENHKEY_USAGE;
//+-------------------------------------------------------------------------
// An entry in a CTL
//--------------------------------------------------------------------------
type
PCTL_ENTRY = ^CTL_ENTRY;
CTL_ENTRY = record
SubjectIdentifier :CRYPT_DATA_BLOB; // For example, its hash
cAttribute :DWORD;
rgAttribute :PCRYPT_ATTRIBUTE; // OPTIONAL
end;
//+-------------------------------------------------------------------------
// Information stored in a CTL
//--------------------------------------------------------------------------
type
PCTL_INFO = ^CTL_INFO;
CTL_INFO = record
dwVersion :DWORD;
SubjectUsage :CTL_USAGE;
ListIdentifier :CRYPT_DATA_BLOB; // OPTIONAL
SequenceNumber :CRYPT_INTEGER_BLOB; // OPTIONAL
ThisUpdate :TFILETIME;
NextUpdate :TFILETIME; // OPTIONAL
SubjectAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
cCTLEntry :DWORD;
rgCTLEntry :PCTL_ENTRY; // OPTIONAL
cExtension :DWORD;
rgExtension :PCERT_EXTENSION; // OPTIONAL
end;
//+-------------------------------------------------------------------------
// CTL versions
//--------------------------------------------------------------------------
const
CTL_V1 = 0;
//+-------------------------------------------------------------------------
// TimeStamp Request
//
// The pszTimeStamp is the OID for the Time type requested
// The pszContentType is the Content Type OID for the content, usually DATA
// The Content is a un-decoded blob
//--------------------------------------------------------------------------
type
PCRYPT_TIME_STAMP_REQUEST_INFO = ^CRYPT_TIME_STAMP_REQUEST_INFO;
CRYPT_TIME_STAMP_REQUEST_INFO = record
pszTimeStampAlgorithm :LPSTR; // pszObjId
pszContentType :LPSTR; // pszObjId
Content :CRYPT_OBJID_BLOB;
cAttribute :DWORD;
rgAttribute :PCRYPT_ATTRIBUTE;
end;
//+-------------------------------------------------------------------------
// Certificate and Message encoding types
//
// The encoding type is a DWORD containing both the certificate and message
// encoding types. The certificate encoding type is stored in the LOWORD.
// The message encoding type is stored in the HIWORD. Some functions or
// structure fields require only one of the encoding types. The following
// naming convention is used to indicate which encoding type(s) are
// required:
// dwEncodingType (both encoding types are required)
// dwMsgAndCertEncodingType (both encoding types are required)
// dwMsgEncodingType (only msg encoding type is required)
// dwCertEncodingType (only cert encoding type is required)
//
// Its always acceptable to specify both.
//--------------------------------------------------------------------------
const
CERT_ENCODING_TYPE_MASK = $0000FFFF;
CMSG_ENCODING_TYPE_MASK = $FFFF0000;
//#define GET_CERT_ENCODING_TYPE(X) (X & CERT_ENCODING_TYPE_MASK)
//#define GET_CMSG_ENCODING_TYPE(X) (X & CMSG_ENCODING_TYPE_MASK)
function GET_CERT_ENCODING_TYPE(X :DWORD):DWORD;
function GET_CMSG_ENCODING_TYPE(X :DWORD):DWORD;
const
CRYPT_ASN_ENCODING = $00000001;
CRYPT_NDR_ENCODING = $00000002;
X509_ASN_ENCODING = $00000001;
X509_NDR_ENCODING = $00000002;
PKCS_7_ASN_ENCODING = $00010000;
PKCS_7_NDR_ENCODING = $00020000;
//+-------------------------------------------------------------------------
// format the specified data structure according to the certificate
// encoding type.
//
//--------------------------------------------------------------------------
function CryptFormatObject(dwCertEncodingType :DWORD;
dwFormatType :DWORD;
dwFormatStrType :DWORD;
pFormatStruct :PVOID;
lpszStructType :LPCSTR;
const pbEncoded :PBYTE;
cbEncoded :DWORD;
pbFormat :PVOID;
pcbFormat :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Encode / decode the specified data structure according to the certificate
// encoding type.
//
// See below for a list of the predefined data structures.
//--------------------------------------------------------------------------
function CryptEncodeObject(dwCertEncodingType :DWORD;
lpszStructType :LPCSTR;
const pvStructInfo :PVOID;
pbEncoded :PBYTE;
pcbEncoded :PDWORD ):BOOL ; stdcall;
function CryptDecodeObject(dwCertEncodingType :DWORD;
lpszStructType :LPCSTR;
const pbEncoded :PBYTE;
cbEncoded :DWORD;
dwFlags :DWORD;
pvStructInfo :PVOID;
pcbStructInfo :PDWORD):BOOL ; stdcall;
// When the following flag is set the nocopy optimization is enabled.
// This optimization where appropriate, updates the pvStructInfo fields
// to point to content residing within pbEncoded instead of making a copy
// of and appending to pvStructInfo.
//
// Note, when set, pbEncoded can't be freed until pvStructInfo is freed.
const
CRYPT_DECODE_NOCOPY_FLAG = $1;
//+-------------------------------------------------------------------------
// Predefined X509 certificate data structures that can be encoded / decoded.
//--------------------------------------------------------------------------
CRYPT_ENCODE_DECODE_NONE = 0;
X509_CERT = (LPCSTR(1));
X509_CERT_TO_BE_SIGNED = (LPCSTR(2));
X509_CERT_CRL_TO_BE_SIGNED = (LPCSTR(3));
X509_CERT_REQUEST_TO_BE_SIGNED = (LPCSTR(4));
X509_EXTENSIONS = (LPCSTR(5));
X509_NAME_VALUE = (LPCSTR(6));
X509_NAME = (LPCSTR(7));
X509_PUBLIC_KEY_INFO = (LPCSTR(8));
//+-------------------------------------------------------------------------
// Predefined X509 certificate extension data structures that can be
// encoded / decoded.
//--------------------------------------------------------------------------
X509_AUTHORITY_KEY_ID = (LPCSTR(9));
X509_KEY_ATTRIBUTES = (LPCSTR(10));
X509_KEY_USAGE_RESTRICTION = (LPCSTR(11));
X509_ALTERNATE_NAME = (LPCSTR(12));
X509_BASIC_CONSTRAINTS = (LPCSTR(13));
X509_KEY_USAGE = (LPCSTR(14));
X509_BASIC_CONSTRAINTS2 = (LPCSTR(15));
X509_CERT_POLICIES = (LPCSTR(16));
//+-------------------------------------------------------------------------
// Additional predefined data structures that can be encoded / decoded.
//--------------------------------------------------------------------------
PKCS_UTC_TIME = (LPCSTR(17));
PKCS_TIME_REQUEST = (LPCSTR(18));
RSA_CSP_PUBLICKEYBLOB = (LPCSTR(19));
X509_UNICODE_NAME = (LPCSTR(20));
X509_KEYGEN_REQUEST_TO_BE_SIGNED = (LPCSTR(21));
PKCS_ATTRIBUTE = (LPCSTR(22));
PKCS_CONTENT_INFO_SEQUENCE_OF_ANY = (LPCSTR(23));
//+-------------------------------------------------------------------------
// Predefined primitive data structures that can be encoded / decoded.
//--------------------------------------------------------------------------
X509_UNICODE_NAME_VALUE = (LPCSTR(24));
X509_ANY_STRING = X509_NAME_VALUE;
X509_UNICODE_ANY_STRING = X509_UNICODE_NAME_VALUE;
X509_OCTET_STRING = (LPCSTR(25));
X509_BITS = (LPCSTR(26));
X509_INTEGER = (LPCSTR(27));
X509_MULTI_BYTE_INTEGER = (LPCSTR(28));
X509_ENUMERATED = (LPCSTR(29));
X509_CHOICE_OF_TIME = (LPCSTR(30));
//+-------------------------------------------------------------------------
// More predefined X509 certificate extension data structures that can be
// encoded / decoded.
//--------------------------------------------------------------------------
X509_AUTHORITY_KEY_ID2 = (LPCSTR(31));
// X509_AUTHORITY_INFO_ACCESS (LPCSTR(32));
X509_CRL_REASON_CODE = X509_ENUMERATED;
PKCS_CONTENT_INFO = (LPCSTR(33));
X509_SEQUENCE_OF_ANY = (LPCSTR(34));
X509_CRL_DIST_POINTS = (LPCSTR(35));
X509_ENHANCED_KEY_USAGE = (LPCSTR(36));
PKCS_CTL = (LPCSTR(37));
X509_MULTI_BYTE_UINT = (LPCSTR(38));
X509_DSS_PUBLICKEY = X509_MULTI_BYTE_UINT;
X509_DSS_PARAMETERS = (LPCSTR(39));
X509_DSS_SIGNATURE = (LPCSTR(40));
PKCS_RC2_CBC_PARAMETERS = (LPCSTR(41));
PKCS_SMIME_CAPABILITIES = (LPCSTR(42));
//+-------------------------------------------------------------------------
// Predefined PKCS #7 data structures that can be encoded / decoded.
//--------------------------------------------------------------------------
PKCS7_SIGNER_INFO = (LPCSTR(500));
//+-------------------------------------------------------------------------
// Predefined Software Publishing Credential (SPC) data structures that
// can be encoded / decoded.
//
// Predefined values: 2000 .. 2999
//
// See spc.h for value and data structure definitions.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Extension Object Identifiers
//--------------------------------------------------------------------------
const
szOID_AUTHORITY_KEY_IDENTIFIER = '2.5.29.1';
szOID_KEY_ATTRIBUTES = '2.5.29.2';
szOID_KEY_USAGE_RESTRICTION = '2.5.29.4';
szOID_SUBJECT_ALT_NAME = '2.5.29.7';
szOID_ISSUER_ALT_NAME = '2.5.29.8';
szOID_BASIC_CONSTRAINTS = '2.5.29.10';
szOID_KEY_USAGE = '2.5.29.15';
szOID_BASIC_CONSTRAINTS2 = '2.5.29.19';
szOID_CERT_POLICIES = '2.5.29.32';
szOID_AUTHORITY_KEY_IDENTIFIER2 = '2.5.29.35';
szOID_SUBJECT_KEY_IDENTIFIER = '2.5.29.14';
szOID_SUBJECT_ALT_NAME2 = '2.5.29.17';
szOID_ISSUER_ALT_NAME2 = '2.5.29.18';
szOID_CRL_REASON_CODE = '2.5.29.21';
szOID_CRL_DIST_POINTS = '2.5.29.31';
szOID_ENHANCED_KEY_USAGE = '2.5.29.37';
// Internet Public Key Infrastructure
szOID_PKIX = '1.3.6.1.5.5.7';
szOID_AUTHORITY_INFO_ACCESS = '1.3.6.1.5.5.7.2';
// Microsoft extensions or attributes
szOID_CERT_EXTENSIONS = '1.3.6.1.4.1.311.2.1.14';
szOID_NEXT_UPDATE_LOCATION = '1.3.6.1.4.1.311.10.2';
// Microsoft PKCS #7 ContentType Object Identifiers
szOID_CTL = '1.3.6.1.4.1.311.10.1';
//+-------------------------------------------------------------------------
// Extension Object Identifiers (currently not implemented)
//--------------------------------------------------------------------------
szOID_POLICY_MAPPINGS = '2.5.29.5';
szOID_SUBJECT_DIR_ATTRS = '2.5.29.9';
//+-------------------------------------------------------------------------
// Enhanced Key Usage (Purpose) Object Identifiers
//--------------------------------------------------------------------------
const szOID_PKIX_KP = '1.3.6.1.5.5.7.3';
// Consistent key usage bits: DIGITAL_SIGNATURE, KEY_ENCIPHERMENT
// or KEY_AGREEMENT
szOID_PKIX_KP_SERVER_AUTH = '1.3.6.1.5.5.7.3.1';
// Consistent key usage bits: DIGITAL_SIGNATURE
szOID_PKIX_KP_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2';
// Consistent key usage bits: DIGITAL_SIGNATURE
szOID_PKIX_KP_CODE_SIGNING = '1.3.6.1.5.5.7.3.3';
// Consistent key usage bits: DIGITAL_SIGNATURE, NON_REPUDIATION and/or
// (KEY_ENCIPHERMENT or KEY_AGREEMENT)
szOID_PKIX_KP_EMAIL_PROTECTION = '1.3.6.1.5.5.7.3.4';
//+-------------------------------------------------------------------------
// Microsoft Enhanced Key Usage (Purpose) Object Identifiers
//+-------------------------------------------------------------------------
// Signer of CTLs
szOID_KP_CTL_USAGE_SIGNING = '1.3.6.1.4.1.311.10.3.1';
// Signer of TimeStamps
szOID_KP_TIME_STAMP_SIGNING = '1.3.6.1.4.1.311.10.3.2';
//+-------------------------------------------------------------------------
// Microsoft Attribute Object Identifiers
//+-------------------------------------------------------------------------
szOID_YESNO_TRUST_ATTR = '1.3.6.1.4.1.311.10.4.1';
//+-------------------------------------------------------------------------
// X509_CERT
//
// The "to be signed" encoded content plus its signature. The ToBeSigned
// content is the CryptEncodeObject() output for one of the following:
// X509_CERT_TO_BE_SIGNED, X509_CERT_CRL_TO_BE_SIGNED or
// X509_CERT_REQUEST_TO_BE_SIGNED.
//
// pvStructInfo points to CERT_SIGNED_CONTENT_INFO.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_CERT_TO_BE_SIGNED
//
// pvStructInfo points to CERT_INFO.
//
// For CryptDecodeObject(), the pbEncoded is the "to be signed" plus its
// signature (output of a X509_CERT CryptEncodeObject()).
//
// For CryptEncodeObject(), the pbEncoded is just the "to be signed".
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_CERT_CRL_TO_BE_SIGNED
//
// pvStructInfo points to CRL_INFO.
//
// For CryptDecodeObject(), the pbEncoded is the "to be signed" plus its
// signature (output of a X509_CERT CryptEncodeObject()).
//
// For CryptEncodeObject(), the pbEncoded is just the "to be signed".
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_CERT_REQUEST_TO_BE_SIGNED
//
// pvStructInfo points to CERT_REQUEST_INFO.
//
// For CryptDecodeObject(), the pbEncoded is the "to be signed" plus its
// signature (output of a X509_CERT CryptEncodeObject()).
//
// For CryptEncodeObject(), the pbEncoded is just the "to be signed".
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_EXTENSIONS
// szOID_CERT_EXTENSIONS
//
// pvStructInfo points to following CERT_EXTENSIONS.
//--------------------------------------------------------------------------
type
PCERT_EXTENSIONS = ^CERT_EXTENSIONS;
CERT_EXTENSIONS = record
cExtension :DWORD;
rgExtension :PCERT_EXTENSION;
end;
//+-------------------------------------------------------------------------
// X509_NAME_VALUE
// X509_ANY_STRING
//
// pvStructInfo points to CERT_NAME_VALUE.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_UNICODE_NAME_VALUE
// X509_UNICODE_ANY_STRING
//
// pvStructInfo points to CERT_NAME_VALUE.
//
// The name values are unicode strings.
//
// For CryptEncodeObject:
// Value.pbData points to the unicode string.
// If Value.cbData = 0, then, the unicode string is NULL terminated.
// Otherwise, Value.cbData is the unicode string byte count. The byte count
// is twice the character count.
//
// If the unicode string contains an invalid character for the specified
// dwValueType, then, *pcbEncoded is updated with the unicode character
// index of the first invalid character. LastError is set to:
// CRYPT_E_INVALID_NUMERIC_STRING, CRYPT_E_INVALID_PRINTABLE_STRING or
// CRYPT_E_INVALID_IA5_STRING.
//
// The unicode string is converted before being encoded according to
// the specified dwValueType. If dwValueType is set to 0, LastError
// is set to E_INVALIDARG.
//
// If the dwValueType isn't one of the character strings (its a
// CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING), then, CryptEncodeObject
// will return FALSE with LastError set to CRYPT_E_NOT_CHAR_STRING.
//
// For CryptDecodeObject:
// Value.pbData points to a NULL terminated unicode string. Value.cbData
// contains the byte count of the unicode string excluding the NULL
// terminator. dwValueType contains the type used in the encoded object.
// Its not forced to CERT_RDN_UNICODE_STRING. The encoded value is
// converted to the unicode string according to the dwValueType.
//
// If the encoded object isn't one of the character string types, then,
// CryptDecodeObject will return FALSE with LastError set to
// CRYPT_E_NOT_CHAR_STRING. For a non character string, decode using
// X509_NAME_VALUE or X509_ANY_STRING.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_NAME
//
// pvStructInfo points to CERT_NAME_INFO.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_UNICODE_NAME
//
// pvStructInfo points to CERT_NAME_INFO.
//
// The RDN attribute values are unicode strings except for the dwValueTypes of
// CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING. These dwValueTypes are
// the same as for a X509_NAME. Their values aren't converted to/from unicode.
//
// For CryptEncodeObject:
// Value.pbData points to the unicode string.
// If Value.cbData = 0, then, the unicode string is NULL terminated.
// Otherwise, Value.cbData is the unicode string byte count. The byte count
// is twice the character count.
//
// If dwValueType = 0 (CERT_RDN_ANY_TYPE), the pszObjId is used to find
// an acceptable dwValueType. If the unicode string contains an
// invalid character for the found or specified dwValueType, then,
// *pcbEncoded is updated with the error location of the invalid character.
// See below for details. LastError is set to:
// CRYPT_E_INVALID_NUMERIC_STRING, CRYPT_E_INVALID_PRINTABLE_STRING or
// CRYPT_E_INVALID_IA5_STRING.
//
// The unicode string is converted before being encoded according to
// the specified or ObjId matching dwValueType.
//
// For CryptDecodeObject:
// Value.pbData points to a NULL terminated unicode string. Value.cbData
// contains the byte count of the unicode string excluding the NULL
// terminator. dwValueType contains the type used in the encoded object.
// Its not forced to CERT_RDN_UNICODE_STRING. The encoded value is
// converted to the unicode string according to the dwValueType.
//
// If the dwValueType of the encoded value isn't a character string
// type, then, it isn't converted to UNICODE. Use the
// IS_CERT_RDN_CHAR_STRING() macro on the dwValueType to check
// that Value.pbData points to a converted unicode string.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Unicode Name Value Error Location Definitions
//
// Error location is returned in *pcbEncoded by
// CryptEncodeObject(X509_UNICODE_NAME)
//
// Error location consists of:
// RDN_INDEX - 10 bits << 22
// ATTR_INDEX - 6 bits << 16
// VALUE_INDEX - 16 bits (unicode character index)
//--------------------------------------------------------------------------
const
CERT_UNICODE_RDN_ERR_INDEX_MASK = $3FF;
CERT_UNICODE_RDN_ERR_INDEX_SHIFT = 22;
CERT_UNICODE_ATTR_ERR_INDEX_MASK = $003F;
CERT_UNICODE_ATTR_ERR_INDEX_SHIFT = 16;
CERT_UNICODE_VALUE_ERR_INDEX_MASK = $0000FFFF;
CERT_UNICODE_VALUE_ERR_INDEX_SHIFT = 0;
{#define GET_CERT_UNICODE_RDN_ERR_INDEX(X)
((X >> CERT_UNICODE_RDN_ERR_INDEX_SHIFT) & CERT_UNICODE_RDN_ERR_INDEX_MASK)}
function GET_CERT_UNICODE_RDN_ERR_INDEX(X :integer):integer;
{#define GET_CERT_UNICODE_ATTR_ERR_INDEX(X)
((X >> CERT_UNICODE_ATTR_ERR_INDEX_SHIFT) & CERT_UNICODE_ATTR_ERR_INDEX_MASK)}
function GET_CERT_UNICODE_ATTR_ERR_INDEX(X :integer):integer;
{#define GET_CERT_UNICODE_VALUE_ERR_INDEX(X)
(X & CERT_UNICODE_VALUE_ERR_INDEX_MASK)}
function GET_CERT_UNICODE_VALUE_ERR_INDEX(X :integer):integer;
//+-------------------------------------------------------------------------
// X509_PUBLIC_KEY_INFO
//
// pvStructInfo points to CERT_PUBLIC_KEY_INFO.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_AUTHORITY_KEY_ID
// szOID_AUTHORITY_KEY_IDENTIFIER
//
// pvStructInfo points to following CERT_AUTHORITY_KEY_ID_INFO.
//--------------------------------------------------------------------------
type
PCERT_AUTHORITY_KEY_ID_INFO = ^CERT_AUTHORITY_KEY_ID_INFO;
CERT_AUTHORITY_KEY_ID_INFO = record
KeyId :CRYPT_DATA_BLOB;
CertIssuer :CERT_NAME_BLOB;
CertSerialNumber :CRYPT_INTEGER_BLOB;
end;
//+-------------------------------------------------------------------------
// X509_KEY_ATTRIBUTES
// szOID_KEY_ATTRIBUTES
//
// pvStructInfo points to following CERT_KEY_ATTRIBUTES_INFO.
//--------------------------------------------------------------------------
type
PCERT_PRIVATE_KEY_VALIDITY = ^CERT_PRIVATE_KEY_VALIDITY;
CERT_PRIVATE_KEY_VALIDITY = record
NotBefore :TFILETIME;
NotAfter :TFILETIME;
end;
type
PCERT_KEY_ATTRIBUTES_INFO = ^CERT_KEY_ATTRIBUTES_INFO;
CERT_KEY_ATTRIBUTES_INFO = record
KeyId :CRYPT_DATA_BLOB;
IntendedKeyUsage :CRYPT_BIT_BLOB;
pPrivateKeyUsagePeriod :PCERT_PRIVATE_KEY_VALIDITY; // OPTIONAL
end;
const
CERT_DIGITAL_SIGNATURE_KEY_USAGE = $80;
CERT_NON_REPUDIATION_KEY_USAGE = $40;
CERT_KEY_ENCIPHERMENT_KEY_USAGE = $20;
CERT_DATA_ENCIPHERMENT_KEY_USAGE = $10;
CERT_KEY_AGREEMENT_KEY_USAGE = $08;
CERT_KEY_CERT_SIGN_KEY_USAGE = $04;
CERT_OFFLINE_CRL_SIGN_KEY_USAGE = $02;
CERT_CRL_SIGN_KEY_USAGE = $02;
//+-------------------------------------------------------------------------
// X509_KEY_USAGE_RESTRICTION
// szOID_KEY_USAGE_RESTRICTION
//
// pvStructInfo points to following CERT_KEY_USAGE_RESTRICTION_INFO.
//--------------------------------------------------------------------------
type
PCERT_POLICY_ID = ^CERT_POLICY_ID;
CERT_POLICY_ID = record
cCertPolicyElementId :DWORD;
rgpszCertPolicyElementId :PLPSTR; // pszObjId
end;
type
PCERT_KEY_USAGE_RESTRICTION_INFO = ^CERT_KEY_USAGE_RESTRICTION_INFO;
CERT_KEY_USAGE_RESTRICTION_INFO = record
cCertPolicyId :DWORD;
rgCertPolicyId :PCERT_POLICY_ID;
RestrictedKeyUsage :CRYPT_BIT_BLOB;
end;
// See CERT_KEY_ATTRIBUTES_INFO for definition of the RestrictedKeyUsage bits
//+-------------------------------------------------------------------------
// X509_ALTERNATE_NAME
// szOID_SUBJECT_ALT_NAME
// szOID_ISSUER_ALT_NAME
// szOID_SUBJECT_ALT_NAME2
// szOID_ISSUER_ALT_NAME2
//
// pvStructInfo points to following CERT_ALT_NAME_INFO.
//--------------------------------------------------------------------------
type
PCERT_ALT_NAME_ENTRY = ^CERT_ALT_NAME_ENTRY;
CERT_ALT_NAME_ENTRY = record
dwAltNameChoice :DWORD;
case integer of
{1}0: ({OtherName :Not implemented});
{2}1: (pwszRfc822Name :LPWSTR); //(encoded IA5)
{3}2: (pwszDNSName :LPWSTR); //(encoded IA5)
{4}3: ({x400Address :Not implemented});
{5}4: (DirectoryName :CERT_NAME_BLOB);
{6}5: ({pEdiPartyName :Not implemented});
{7}6: (pwszURL :LPWSTR); //(encoded IA5)
{8}7: (IPAddress :CRYPT_DATA_BLOB); //(Octet String)
{9}8: (pszRegisteredID :LPSTR); //(Octet String)
end;
const
CERT_ALT_NAME_OTHER_NAME = 1;
CERT_ALT_NAME_RFC822_NAME = 2;
CERT_ALT_NAME_DNS_NAME = 3;
CERT_ALT_NAME_X400_ADDRESS = 4;
CERT_ALT_NAME_DIRECTORY_NAME = 5;
CERT_ALT_NAME_EDI_PARTY_NAME = 6;
CERT_ALT_NAME_URL = 7;
CERT_ALT_NAME_IP_ADDRESS = 8;
CERT_ALT_NAME_REGISTERED_ID = 9;
type
PCERT_ALT_NAME_INFO = ^CERT_ALT_NAME_INFO;
CERT_ALT_NAME_INFO = record
cAltEntry :DWORD;
rgAltEntry :PCERT_ALT_NAME_ENTRY;
end;
//+-------------------------------------------------------------------------
// Alternate name IA5 Error Location Definitions for
// CRYPT_E_INVALID_IA5_STRING.
//
// Error location is returned in *pcbEncoded by
// CryptEncodeObject(X509_ALTERNATE_NAME)
//
// Error location consists of:
// ENTRY_INDEX - 8 bits << 16
// VALUE_INDEX - 16 bits (unicode character index)
//--------------------------------------------------------------------------
const
CERT_ALT_NAME_ENTRY_ERR_INDEX_MASK = $FF;
CERT_ALT_NAME_ENTRY_ERR_INDEX_SHIFT = 16;
CERT_ALT_NAME_VALUE_ERR_INDEX_MASK = $0000FFFF;
CERT_ALT_NAME_VALUE_ERR_INDEX_SHIFT = 0;
{#define GET_CERT_ALT_NAME_ENTRY_ERR_INDEX(X)
((X >> CERT_ALT_NAME_ENTRY_ERR_INDEX_SHIFT) &
CERT_ALT_NAME_ENTRY_ERR_INDEX_MASK)}
function GET_CERT_ALT_NAME_ENTRY_ERR_INDEX(X :DWORD):DWORD;
{#define GET_CERT_ALT_NAME_VALUE_ERR_INDEX(X)
(X & CERT_ALT_NAME_VALUE_ERR_INDEX_MASK)}
function GET_CERT_ALT_NAME_VALUE_ERR_INDEX(X :DWORD):DWORD;
//+-------------------------------------------------------------------------
// X509_BASIC_CONSTRAINTS
// szOID_BASIC_CONSTRAINTS
//
// pvStructInfo points to following CERT_BASIC_CONSTRAINTS_INFO.
//--------------------------------------------------------------------------
type
PCERT_BASIC_CONSTRAINTS_INFO = ^CERT_BASIC_CONSTRAINTS_INFO;
CERT_BASIC_CONSTRAINTS_INFO = record
SubjectType :CRYPT_BIT_BLOB;
fPathLenConstraint :BOOL;
dwPathLenConstraint :DWORD;
cSubtreesConstraint :DWORD;
rgSubtreesConstraint :PCERT_NAME_BLOB;
end;
const
CERT_CA_SUBJECT_FLAG = $80;
CERT_END_ENTITY_SUBJECT_FLAG = $40;
//+-------------------------------------------------------------------------
// X509_BASIC_CONSTRAINTS2
// szOID_BASIC_CONSTRAINTS2
//
// pvStructInfo points to following CERT_BASIC_CONSTRAINTS2_INFO.
//--------------------------------------------------------------------------
type
PCERT_BASIC_CONSTRAINTS2_INFO = ^CERT_BASIC_CONSTRAINTS2_INFO;
CERT_BASIC_CONSTRAINTS2_INFO = record
fCA :BOOL;
fPathLenConstraint :BOOL;
dwPathLenConstraint :DWORD;
end;
//+-------------------------------------------------------------------------
// X509_KEY_USAGE
// szOID_KEY_USAGE
//
// pvStructInfo points to a CRYPT_BIT_BLOB. Has same bit definitions as
// CERT_KEY_ATTRIBUTES_INFO's IntendedKeyUsage.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_CERT_POLICIES
// szOID_CERT_POLICIES
//
// pvStructInfo points to following CERT_POLICIES_INFO.
//--------------------------------------------------------------------------
type
PCERT_POLICY_QUALIFIER_INFO = ^CERT_POLICY_QUALIFIER_INFO;
CERT_POLICY_QUALIFIER_INFO = record
pszPolicyQualifierId :LPSTR; // pszObjId
Qualifier :CRYPT_OBJID_BLOB; // optional
end;
type
PCERT_POLICY_INFO = ^CERT_POLICY_INFO;
CERT_POLICY_INFO = record
pszPolicyIdentifier :LPSTR; // pszObjId
cPolicyQualifier :DWORD; // optional
rgPolicyQualifier :PCERT_POLICY_QUALIFIER_INFO;
end;
type
PCERT_POLICIES_INFO = ^CERT_POLICIES_INFO;
CERT_POLICIES_INFO = record
cPolicyInfo :DWORD;
rgPolicyInfo :PCERT_POLICY_INFO;
end;
//+-------------------------------------------------------------------------
// RSA_CSP_PUBLICKEYBLOB
//
// pvStructInfo points to a PUBLICKEYSTRUC immediately followed by a
// RSAPUBKEY and the modulus bytes.
//
// CryptExportKey outputs the above StructInfo for a dwBlobType of
// PUBLICKEYBLOB. CryptImportKey expects the above StructInfo when
// importing a public key.
//
// For dwCertEncodingType = X509_ASN_ENCODING, the RSA_CSP_PUBLICKEYBLOB is
// encoded as a PKCS #1 RSAPublicKey consisting of a SEQUENCE of a
// modulus INTEGER and a publicExponent INTEGER. The modulus is encoded
// as being a unsigned integer. When decoded, if the modulus was encoded
// as unsigned integer with a leading 0 byte, the 0 byte is removed before
// converting to the CSP modulus bytes.
//
// For decode, the aiKeyAlg field of PUBLICKEYSTRUC is always set to
// CALG_RSA_KEYX.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_KEYGEN_REQUEST_TO_BE_SIGNED
//
// pvStructInfo points to CERT_KEYGEN_REQUEST_INFO.
//
// For CryptDecodeObject(), the pbEncoded is the "to be signed" plus its
// signature (output of a X509_CERT CryptEncodeObject()).
//
// For CryptEncodeObject(), the pbEncoded is just the "to be signed".
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// PKCS_ATTRIBUTE data structure
//
// pvStructInfo points to a CRYPT_ATTRIBUTE.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// PKCS_CONTENT_INFO_SEQUENCE_OF_ANY data structure
//
// pvStructInfo points to following CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY.
//
// For X509_ASN_ENCODING: encoded as a PKCS#7 ContentInfo structure wrapping
// a sequence of ANY. The value of the contentType field is pszObjId,
// while the content field is the following structure:
// SequenceOfAny ::= SEQUENCE OF ANY
//
// The CRYPT_DER_BLOBs point to the already encoded ANY content.
//--------------------------------------------------------------------------
type
PCRYPT_CONTENT_INFO_SEQUENCE_OF_ANY = ^CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY;
CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY = record
pszObjId :LPSTR;
cValue :DWORD;
rgValue :PCRYPT_DER_BLOB;
end;
//+-------------------------------------------------------------------------
// PKCS_CONTENT_INFO data structure
//
// pvStructInfo points to following CRYPT_CONTENT_INFO.
//
// For X509_ASN_ENCODING: encoded as a PKCS#7 ContentInfo structure.
// The CRYPT_DER_BLOB points to the already encoded ANY content.
//--------------------------------------------------------------------------
type
PCRYPT_CONTENT_INFO = ^CRYPT_CONTENT_INFO;
CRYPT_CONTENT_INFO = record
pszObjId :LPSTR;
Content :CRYPT_DER_BLOB;
end;
//+-------------------------------------------------------------------------
// X509_OCTET_STRING data structure
//
// pvStructInfo points to a CRYPT_DATA_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_BITS data structure
//
// pvStructInfo points to a CRYPT_BIT_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_INTEGER data structure
//
// pvStructInfo points to an int.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_MULTI_BYTE_INTEGER data structure
//
// pvStructInfo points to a CRYPT_INTEGER_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_ENUMERATED data structure
//
// pvStructInfo points to an int containing the enumerated value
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_CHOICE_OF_TIME data structure
//
// pvStructInfo points to a FILETIME.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_SEQUENCE_OF_ANY data structure
//
// pvStructInfo points to following CRYPT_SEQUENCE_OF_ANY.
//
// The CRYPT_DER_BLOBs point to the already encoded ANY content.
//--------------------------------------------------------------------------
type
PCRYPT_SEQUENCE_OF_ANY = ^CRYPT_SEQUENCE_OF_ANY;
CRYPT_SEQUENCE_OF_ANY = record
cValue :DWORD;
rgValue :PCRYPT_DER_BLOB;
end;
//+-------------------------------------------------------------------------
// X509_AUTHORITY_KEY_ID2
// szOID_AUTHORITY_KEY_IDENTIFIER2
//
// pvStructInfo points to following CERT_AUTHORITY_KEY_ID2_INFO.
//
// For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
// *pcbEncoded by CryptEncodeObject(X509_AUTHORITY_KEY_ID2)
//
// See X509_ALTERNATE_NAME for error location defines.
//--------------------------------------------------------------------------
type
PCERT_AUTHORITY_KEY_ID2_INFO = ^CERT_AUTHORITY_KEY_ID2_INFO;
CERT_AUTHORITY_KEY_ID2_INFO = record
KeyId :CRYPT_DATA_BLOB;
AuthorityCertIssuer :CERT_ALT_NAME_INFO; // Optional, set cAltEntry to 0 to omit.
AuthorityCertSerialNumber :CRYPT_INTEGER_BLOB;
end;
//+-------------------------------------------------------------------------
// szOID_SUBJECT_KEY_IDENTIFIER
//
// pvStructInfo points to a CRYPT_DATA_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_CRL_REASON_CODE
// szOID_CRL_REASON_CODE
//
// pvStructInfo points to an int which can be set to one of the following
// enumerated values:
//--------------------------------------------------------------------------
const
CRL_REASON_UNSPECIFIED = 0;
CRL_REASON_KEY_COMPROMISE = 1;
CRL_REASON_CA_COMPROMISE = 2;
CRL_REASON_AFFILIATION_CHANGED = 3;
CRL_REASON_SUPERSEDED = 4;
CRL_REASON_CESSATION_OF_OPERATION = 5;
CRL_REASON_CERTIFICATE_HOLD = 6;
CRL_REASON_REMOVE_FROM_CRL = 8;
//+-------------------------------------------------------------------------
// X509_CRL_DIST_POINTS
// szOID_CRL_DIST_POINTS
//
// pvStructInfo points to following CRL_DIST_POINTS_INFO.
//
// For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
// *pcbEncoded by CryptEncodeObject(X509_CRL_DIST_POINTS)
//
// Error location consists of:
// CRL_ISSUER_BIT - 1 bit << 31 (0 for FullName, 1 for CRLIssuer)
// POINT_INDEX - 7 bits << 24
// ENTRY_INDEX - 8 bits << 16
// VALUE_INDEX - 16 bits (unicode character index)
//
// See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
// defines.
//--------------------------------------------------------------------------
type
PCRL_DIST_POINT_NAME = ^CRL_DIST_POINT_NAME;
CRL_DIST_POINT_NAME = record
dwDistPointNameChoice :DWORD;
case integer of
0:(FullName :CERT_ALT_NAME_INFO); {1}
1:({IssuerRDN :Not implemented}); {2}
end;
const
CRL_DIST_POINT_NO_NAME = 0;
CRL_DIST_POINT_FULL_NAME = 1;
CRL_DIST_POINT_ISSUER_RDN_NAME = 2;
type
PCRL_DIST_POINT = ^CRL_DIST_POINT;
CRL_DIST_POINT = record
DistPointName :CRL_DIST_POINT_NAME; // OPTIONAL
ReasonFlags :CRYPT_BIT_BLOB; // OPTIONAL
CRLIssuer :CERT_ALT_NAME_INFO; // OPTIONAL
end;
const
CRL_REASON_UNUSED_FLAG = $80;
CRL_REASON_KEY_COMPROMISE_FLAG = $40;
CRL_REASON_CA_COMPROMISE_FLAG = $20;
CRL_REASON_AFFILIATION_CHANGED_FLAG = $10;
CRL_REASON_SUPERSEDED_FLAG = $08;
CRL_REASON_CESSATION_OF_OPERATION_FLAG = $04;
CRL_REASON_CERTIFICATE_HOLD_FLAG = $02;
type
PCRL_DIST_POINTS_INFO = ^CRL_DIST_POINTS_INFO;
CRL_DIST_POINTS_INFO = record
cDistPoint :DWORD;
rgDistPoint :PCRL_DIST_POINT;
end;
const
CRL_DIST_POINT_ERR_INDEX_MASK = $7F;
CRL_DIST_POINT_ERR_INDEX_SHIFT = 24;
{#define GET_CRL_DIST_POINT_ERR_INDEX(X)
((X >> CRL_DIST_POINT_ERR_INDEX_SHIFT) & CRL_DIST_POINT_ERR_INDEX_MASK)}
function GET_CRL_DIST_POINT_ERR_INDEX(X :DWORD):DWORD;
const CRL_DIST_POINT_ERR_CRL_ISSUER_BIT = (DWORD($80000000));
{#define IS_CRL_DIST_POINT_ERR_CRL_ISSUER(X)
(0 != (X & CRL_DIST_POINT_ERR_CRL_ISSUER_BIT))}
function IS_CRL_DIST_POINT_ERR_CRL_ISSUER(X :DWORD):BOOL;
//+-------------------------------------------------------------------------
// X509_ENHANCED_KEY_USAGE
// szOID_ENHANCED_KEY_USAGE
//
// pvStructInfo points to a CERT_ENHKEY_USAGE, CTL_USAGE.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NEXT_UPDATE_LOCATION
//
// pvStructInfo points to a CERT_ALT_NAME_INFO.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// PKCS_CTL
// szOID_CTL
//
// pvStructInfo points to a CTL_INFO.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_MULTI_BYTE_UINT
//
// pvStructInfo points to a CRYPT_UINT_BLOB. Before encoding, inserts a
// leading 0x00. After decoding, removes a leading 0x00.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_DSS_PUBLICKEY
//
// pvStructInfo points to a CRYPT_UINT_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// X509_DSS_PARAMETERS
//
// pvStructInfo points to following CERT_DSS_PARAMETERS data structure.
//--------------------------------------------------------------------------
type
PCERT_DSS_PARAMETERS = ^CERT_DSS_PARAMETERS;
CERT_DSS_PARAMETERS = record
p :CRYPT_UINT_BLOB;
q :CRYPT_UINT_BLOB;
g :CRYPT_UINT_BLOB;
end;
//+-------------------------------------------------------------------------
// X509_DSS_SIGNATURE
//
// pvStructInfo is a BYTE rgbSignature[CERT_DSS_SIGNATURE_LEN]. The
// bytes are ordered as output by the DSS CSP's CryptSignHash().
//--------------------------------------------------------------------------
const
CERT_DSS_R_LEN = 20;
CERT_DSS_S_LEN = 20;
CERT_DSS_SIGNATURE_LEN = (CERT_DSS_R_LEN + CERT_DSS_S_LEN);
// Sequence of 2 unsigned integers (the extra +1 is for a potential leading
// 0x00 to make the integer unsigned)
CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN = (2 + 2*(2 + 20 +1));
//+-------------------------------------------------------------------------
// PKCS_RC2_CBC_PARAMETERS
// szOID_RSA_RC2CBC
//
// pvStructInfo points to following CRYPT_RC2_CBC_PARAMETERS data structure.
//--------------------------------------------------------------------------
type
PCRYPT_RC2_CBC_PARAMETERS = ^CRYPT_RC2_CBC_PARAMETERS;
CRYPT_RC2_CBC_PARAMETERS = record
dwVersion :DWORD;
fIV :BOOL; // set if has following IV
rgbIV :array[0..8-1] of BYTE;
end;
const
CRYPT_RC2_40BIT_VERSION = 160;
CRYPT_RC2_64BIT_VERSION = 120;
CRYPT_RC2_128BIT_VERSION = 58;
//+-------------------------------------------------------------------------
// PKCS_SMIME_CAPABILITIES
// szOID_RSA_SMIMECapabilities
//
// pvStructInfo points to following CRYPT_SMIME_CAPABILITIES data structure.
//
// Note, for CryptEncodeObject(X509_ASN_ENCODING), Parameters.cbData == 0
// causes the encoded parameters to be omitted and not encoded as a NULL
// (05 00) as is done when encoding a CRYPT_ALGORITHM_IDENTIFIER. This
// is per the SMIME specification for encoding capabilities.
//--------------------------------------------------------------------------
type
PCRYPT_SMIME_CAPABILITY = ^CRYPT_SMIME_CAPABILITY;
CRYPT_SMIME_CAPABILITY = record
pszObjId :LPSTR;
Parameters :CRYPT_OBJID_BLOB;
end;
type
PCRYPT_SMIME_CAPABILITIES = ^CRYPT_SMIME_CAPABILITIES;
CRYPT_SMIME_CAPABILITIES = record
cCapability :DWORD;
rgCapability :PCRYPT_SMIME_CAPABILITY;
end;
//+-------------------------------------------------------------------------
// PKCS7_SIGNER_INFO
//
// pvStructInfo points to CMSG_SIGNER_INFO.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Netscape Certificate Extension Object Identifiers
//--------------------------------------------------------------------------
const
szOID_NETSCAPE = '2.16.840.1.113730';
szOID_NETSCAPE_CERT_EXTENSION = '2.16.840.1.113730.1';
szOID_NETSCAPE_CERT_TYPE = '2.16.840.1.113730.1.1';
szOID_NETSCAPE_BASE_URL = '2.16.840.1.113730.1.2';
szOID_NETSCAPE_REVOCATION_URL = '2.16.840.1.113730.1.3';
szOID_NETSCAPE_CA_REVOCATION_URL = '2.16.840.1.113730.1.4';
szOID_NETSCAPE_CERT_RENEWAL_URL = '2.16.840.1.113730.1.7';
szOID_NETSCAPE_CA_POLICY_URL = '2.16.840.1.113730.1.8';
szOID_NETSCAPE_SSL_SERVER_NAME = '2.16.840.1.113730.1.12';
szOID_NETSCAPE_COMMENT = '2.16.840.1.113730.1.13';
//+-------------------------------------------------------------------------
// Netscape Certificate Data Type Object Identifiers
//--------------------------------------------------------------------------
const
szOID_NETSCAPE_DATA_TYPE = '2.16.840.1.113730.2';
szOID_NETSCAPE_CERT_SEQUENCE = '2.16.840.1.113730.2.5';
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_CERT_TYPE extension
//
// Its value is a bit string. CryptDecodeObject/CryptEncodeObject using
// X509_BITS.
//
// The following bits are defined:
//--------------------------------------------------------------------------
const
NETSCAPE_SSL_CLIENT_AUTH_CERT_TYPE = $80;
NETSCAPE_SSL_SERVER_AUTH_CERT_TYPE = $40;
NETSCAPE_SSL_CA_CERT_TYPE = $04;
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_BASE_URL extension
//
// Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
// X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
// dwValueType = CERT_RDN_IA5_STRING.
//
// When present this string is added to the beginning of all relative URLs
// in the certificate. This extension can be considered an optimization
// to reduce the size of the URL extensions.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_REVOCATION_URL extension
//
// Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
// X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
// dwValueType = CERT_RDN_IA5_STRING.
//
// It is a relative or absolute URL that can be used to check the
// revocation status of a certificate. The revocation check will be
// performed as an HTTP GET method using a url that is the concatenation of
// revocation-url and certificate-serial-number.
// Where the certificate-serial-number is encoded as a string of
// ascii hexadecimal digits. For example, if the netscape-base-url is
// https://www.certs-r-us.com/, the netscape-revocation-url is
// cgi-bin/check-rev.cgi?, and the certificate serial number is 173420,
// the resulting URL would be:
// https://www.certs-r-us.com/cgi-bin/check-rev.cgi?02a56c
//
// The server should return a document with a Content-Type of
// application/x-netscape-revocation. The document should contain
// a single ascii digit, '1' if the certificate is not curently valid,
// and '0' if it is curently valid.
//
// Note: for all of the URLs that include the certificate serial number,
// the serial number will be encoded as a string which consists of an even
// number of hexadecimal digits. If the number of significant digits is odd,
// the string will have a single leading zero to ensure an even number of
// digits is generated.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_CA_REVOCATION_URL extension
//
// Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
// X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
// dwValueType = CERT_RDN_IA5_STRING.
//
// It is a relative or absolute URL that can be used to check the
// revocation status of any certificates that are signed by the CA that
// this certificate belongs to. This extension is only valid in CA
// certificates. The use of this extension is the same as the above
// szOID_NETSCAPE_REVOCATION_URL extension.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_CERT_RENEWAL_URL extension
//
// Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
// X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
// dwValueType = CERT_RDN_IA5_STRING.
//
// It is a relative or absolute URL that points to a certificate renewal
// form. The renewal form will be accessed with an HTTP GET method using a
// url that is the concatenation of renewal-url and
// certificate-serial-number. Where the certificate-serial-number is
// encoded as a string of ascii hexadecimal digits. For example, if the
// netscape-base-url is https://www.certs-r-us.com/, the
// netscape-cert-renewal-url is cgi-bin/check-renew.cgi?, and the
// certificate serial number is 173420, the resulting URL would be:
// https://www.certs-r-us.com/cgi-bin/check-renew.cgi?02a56c
// The document returned should be an HTML form that will allow the user
// to request a renewal of their certificate.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_CA_POLICY_URL extension
//
// Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
// X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
// dwValueType = CERT_RDN_IA5_STRING.
//
// It is a relative or absolute URL that points to a web page that
// describes the policies under which the certificate was issued.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_SSL_SERVER_NAME extension
//
// Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
// X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
// dwValueType = CERT_RDN_IA5_STRING.
//
// It is a "shell expression" that can be used to match the hostname of the
// SSL server that is using this certificate. It is recommended that if
// the server's hostname does not match this pattern the user be notified
// and given the option to terminate the SSL connection. If this extension
// is not present then the CommonName in the certificate subject's
// distinguished name is used for the same purpose.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_COMMENT extension
//
// Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
// X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
// dwValueType = CERT_RDN_IA5_STRING.
//
// It is a comment that may be displayed to the user when the certificate
// is viewed.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// szOID_NETSCAPE_CERT_SEQUENCE
//
// Its value is a PKCS#7 ContentInfo structure wrapping a sequence of
// certificates. The value of the contentType field is
// szOID_NETSCAPE_CERT_SEQUENCE, while the content field is the following
// structure:
// CertificateSequence ::= SEQUENCE OF Certificate.
//
// CryptDecodeObject/CryptEncodeObject using
// PKCS_CONTENT_INFO_SEQUENCE_OF_ANY, where,
// pszObjId = szOID_NETSCAPE_CERT_SEQUENCE and the CRYPT_DER_BLOBs point
// to encoded X509 certificates.
//--------------------------------------------------------------------------
//+=========================================================================
// Object IDentifier (OID) Installable Functions: Data Structures and APIs
//==========================================================================
type
HCRYPTOIDFUNCSET = procedure;
HCRYPTOIDFUNCADDR = procedure;
// Predefined OID Function Names
const
CRYPT_OID_ENCODE_OBJECT_FUNC = 'CryptDllEncodeObject';
CRYPT_OID_DECODE_OBJECT_FUNC = 'CryptDllDecodeObject';
CRYPT_OID_CREATE_COM_OBJECT_FUNC = 'CryptDllCreateCOMObject';
CRYPT_OID_VERIFY_REVOCATION_FUNC = 'CertDllVerifyRevocation';
CRYPT_OID_VERIFY_CTL_USAGE_FUNC = 'CertDllVerifyCTLUsage';
CRYPT_OID_FORMAT_OBJECT_FUNC = 'CryptDllFormatObject';
CRYPT_OID_FIND_OID_INFO_FUNC = 'CryptDllFindOIDInfo';
// CryptDllEncodeObject has same function signature as CryptEncodeObject.
// CryptDllDecodeObject has same function signature as CryptDecodeObject.
// CryptDllCreateCOMObject has the following signature:
// BOOL WINAPI CryptDllCreateCOMObject(
// IN DWORD dwEncodingType,
// IN LPCSTR pszOID,
// IN PCRYPT_DATA_BLOB pEncodedContent,
// IN DWORD dwFlags,
// IN REFIID riid,
// OUT void **ppvObj);
// CertDllVerifyRevocation has the same signature as CertVerifyRevocation
// (See CertVerifyRevocation for details on when called)
// CertDllVerifyCTLUsage has the same signature as CertVerifyCTLUsage
// CryptDllFindOIDInfo currently is only used to store values used by
// CryptFindOIDInfo. See CryptFindOIDInfo() for more details.
// Example of a complete OID Function Registry Name:
// HKEY_LOCAL_MACHINESoftwareMicrosoftCryptographyOID
// Encoding Type 1CryptDllEncodeObject1.2.3
//
// The key's L"Dll" value contains the name of the Dll.
// The key's L"FuncName" value overrides the default function name
const
CRYPT_OID_REGPATH = 'SoftwareMicrosoftCryptographyOID';
CRYPT_OID_REG_ENCODING_TYPE_PREFIX = 'EncodingType ';
{$IFNDEF VER90}
CRYPT_OID_REG_DLL_VALUE_NAME = WideString('Dll');
CRYPT_OID_REG_FUNC_NAME_VALUE_NAME = WideString('FuncName');
{$ELSE}
CRYPT_OID_REG_DLL_VALUE_NAME = ('Dll');
CRYPT_OID_REG_FUNC_NAME_VALUE_NAME = ('FuncName');
{$ENDIF}
CRYPT_OID_REG_FUNC_NAME_VALUE_NAME_A = 'FuncName';
// OID used for Default OID functions
CRYPT_DEFAULT_OID = 'DEFAULT';
type
PCRYPT_OID_FUNC_ENTRY = ^CRYPT_OID_FUNC_ENTRY;
CRYPT_OID_FUNC_ENTRY = record
pszOID :LPCSTR;
pvFuncAddr :PVOID;
end;
const
CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG = 1;
//+-------------------------------------------------------------------------
// Install a set of callable OID function addresses.
//
// By default the functions are installed at end of the list.
// Set CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG to install at beginning of list.
//
// hModule should be updated with the hModule passed to DllMain to prevent
// the Dll containing the function addresses from being unloaded by
// CryptGetOIDFuncAddress/CryptFreeOIDFunctionAddress. This would be the
// case when the Dll has also regsvr32'ed OID functions via
// CryptRegisterOIDFunction.
//
// DEFAULT functions are installed by setting rgFuncEntry[].pszOID =
// CRYPT_DEFAULT_OID.
//--------------------------------------------------------------------------
function CryptInstallOIDFunctionAddress(hModule :HMODULE; // hModule passed to DllMain
dwEncodingType :DWORD;
pszFuncName :LPCSTR;
cFuncEntry :DWORD;
const rgFuncEntry :array of CRYPT_OID_FUNC_ENTRY;
dwFlags :DWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Initialize and return handle to the OID function set identified by its
// function name.
//
// If the set already exists, a handle to the existing set is returned.
//--------------------------------------------------------------------------
function CryptInitOIDFunctionSet(pszFuncName :LPCSTR;
dwFlags :DWORD ):HCRYPTOIDFUNCSET ; stdcall;
//+-------------------------------------------------------------------------
// Search the list of installed functions for an encoding type and OID match.
// If not found, search the registry.
//
// For success, returns TRUE with *ppvFuncAddr updated with the function's
// address and *phFuncAddr updated with the function address's handle.
// The function's handle is AddRef'ed. CryptFreeOIDFunctionAddress needs to
// be called to release it.
//
// For a registry match, the Dll containing the function is loaded.
//--------------------------------------------------------------------------
function CryptGetOIDFunctionAddress(hFuncSet :HCRYPTOIDFUNCSET;
dwEncodingType :DWORD;
pszOID :LPCSTR;
dwFlags :DWORD;
var ppvFuncAddr :array of PVOID;
var phFuncAddr :HCRYPTOIDFUNCADDR):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Get the list of registered default Dll entries for the specified
// function set and encoding type.
//
// The returned list consists of none, one or more null terminated Dll file
// names. The list is terminated with an empty (L"�") Dll file name.
// For example: L"first.dll" L"�" L"second.dll" L"�" L"�"
//--------------------------------------------------------------------------
function CryptGetDefaultOIDDllList(hFuncSet :HCRYPTOIDFUNCSET;
dwEncodingType :DWORD;
pwszDllList :LPWSTR;
pcchDllList :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Either: get the first or next installed DEFAULT function OR
// load the Dll containing the DEFAULT function.
//
// If pwszDll is NULL, search the list of installed DEFAULT functions.
// *phFuncAddr must be set to NULL to get the first installed function.
// Successive installed functions are returned by setting *phFuncAddr
// to the hFuncAddr returned by the previous call.
//
// If pwszDll is NULL, the input *phFuncAddr
// is always CryptFreeOIDFunctionAddress'ed by this function, even for
// an error.
//
// If pwszDll isn't NULL, then, attempts to load the Dll and the DEFAULT
// function. *phFuncAddr is ignored upon entry and isn't
// CryptFreeOIDFunctionAddress'ed.
//
// For success, returns TRUE with *ppvFuncAddr updated with the function's
// address and *phFuncAddr updated with the function address's handle.
// The function's handle is AddRef'ed. CryptFreeOIDFunctionAddress needs to
// be called to release it or CryptGetDefaultOIDFunctionAddress can also
// be called for a NULL pwszDll.
//--------------------------------------------------------------------------
function CryptGetDefaultOIDFunctionAddress(hFuncSet :HCRYPTOIDFUNCSET;
dwEncodingType :DWORD;
pwszDll :DWORD;
dwFlags :LPCWSTR;
var ppvFuncAddr :array of PVOID;
var phFuncAddr :HCRYPTOIDFUNCADDR):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Releases the handle AddRef'ed and returned by CryptGetOIDFunctionAddress
// or CryptGetDefaultOIDFunctionAddress.
//
// If a Dll was loaded for the function its unloaded. However, before doing
// the unload, the DllCanUnloadNow function exported by the loaded Dll is
// called. It should return S_FALSE to inhibit the unload or S_TRUE to enable
// the unload. If the Dll doesn't export DllCanUnloadNow, the Dll is unloaded.
//
// DllCanUnloadNow has the following signature:
// STDAPI DllCanUnloadNow(void);
//--------------------------------------------------------------------------
function CryptFreeOIDFunctionAddress(hFuncAddr :HCRYPTOIDFUNCADDR;
dwFlags :DWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Register the Dll containing the function to be called for the specified
// encoding type, function name and OID.
//
// pwszDll may contain environment-variable strings
// which are ExpandEnvironmentStrings()'ed before loading the Dll.
//
// In addition to registering the DLL, you may override the
// name of the function to be called. For example,
// pszFuncName = "CryptDllEncodeObject",
// pszOverrideFuncName = "MyEncodeXyz".
// This allows a Dll to export multiple OID functions for the same
// function name without needing to interpose its own OID dispatcher function.
//--------------------------------------------------------------------------
function CryptRegisterOIDFunction(dwEncodingType :DWORD;
pszFuncName :LPCSTR;
pszOID :LPCSTR; //OPTIONAL
pwszDll :LPCWSTR; //OPTIONAL
pszOverrideFuncName :LPCSTR):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Unregister the Dll containing the function to be called for the specified
// encoding type, function name and OID.
//--------------------------------------------------------------------------
function CryptUnregisterOIDFunction(dwEncodingType :DWORD;
pszFuncName :LPCSTR;
pszOID :LPCSTR):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Register the Dll containing the default function to be called for the
// specified encoding type and function name.
//
// Unlike CryptRegisterOIDFunction, you can't override the function name
// needing to be exported by the Dll.
//
// The Dll is inserted before the entry specified by dwIndex.
// dwIndex == 0, inserts at the beginning.
// dwIndex == CRYPT_REGISTER_LAST_INDEX, appends at the end.
//
// pwszDll may contain environment-variable strings
// which are ExpandEnvironmentStrings()'ed before loading the Dll.
//--------------------------------------------------------------------------
function CryptRegisterDefaultOIDFunction(dwEncodingType :DWORD;
pszFuncName :LPCSTR;
dwIndex :DWORD;
pwszDll :LPCWSTR):BOOL ; stdcall;
const
CRYPT_REGISTER_FIRST_INDEX = 0;
CRYPT_REGISTER_LAST_INDEX = $FFFFFFFF;
//+-------------------------------------------------------------------------
// Unregister the Dll containing the default function to be called for
// the specified encoding type and function name.
//--------------------------------------------------------------------------
function CryptUnregisterDefaultOIDFunction(dwEncodingType :DWORD;
pszFuncName :LPCSTR;
pwszDll :LPCWSTR):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Set the value for the specified encoding type, function name, OID and
// value name.
//
// See RegSetValueEx for the possible value types.
//
// String types are UNICODE.
//--------------------------------------------------------------------------
function CryptSetOIDFunctionValue(dwEncodingType :DWORD;
pszFuncName :LPCSTR;
pszOID :LPCSTR;
pwszValueName :LPCWSTR;
dwValueType :DWORD;
const pbValueData :PBYTE;
cbValueData :DWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Get the value for the specified encoding type, function name, OID and
// value name.
//
// See RegEnumValue for the possible value types.
//
// String types are UNICODE.
//--------------------------------------------------------------------------
function CryptGetOIDFunctionValue(dwEncodingType :DWORD;
pszFuncName :LPCSTR;
pwszValueName :LPCSTR;
pszOID :LPCWSTR;
pdwValueType :PDWORD;
pbValueData :PBYTE;
pcbValueData :PDWORD):BOOL ; stdcall;
type
PFN_CRYPT_ENUM_OID_FUNC = function (dwEncodingType :DWORD;
pszFuncName :LPCSTR;
pszOID :LPCSTR;
cValue :DWORD;
const rgdwValueType :array of DWORD;
const rgpwszValueName :array of LPCWSTR;
const rgpbValueData :array of PBYTE;
const rgcbValueData :array of DWORD;
pvArg :PVOID):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Enumerate the OID functions identified by their encoding type,
// function name and OID.
//
// pfnEnumOIDFunc is called for each registry key matching the input
// parameters. Setting dwEncodingType to CRYPT_MATCH_ANY_ENCODING_TYPE matches
// any. Setting pszFuncName or pszOID to NULL matches any.
//
// Set pszOID == CRYPT_DEFAULT_OID to restrict the enumeration to only the
// DEFAULT functions
//
// String types are UNICODE.
//--------------------------------------------------------------------------
function CryptEnumOIDFunction(dwEncodingType :DWORD;
pszFuncName :LPCSTR; //OPTIONAL
pszOID :LPCSTR; //OPTIONAL
dwFlags :DWORD;
pvArg :PVOID;
pfnEnumOIDFunc :PFN_CRYPT_ENUM_OID_FUNC):BOOL ; stdcall;
const
CRYPT_MATCH_ANY_ENCODING_TYPE = $FFFFFFFF;
//+=========================================================================
// Object IDentifier (OID) Information: Data Structures and APIs
//==========================================================================
//+-------------------------------------------------------------------------
// OID Information
//--------------------------------------------------------------------------
type
PCRYPT_OID_INFO = ^CRYPT_OID_INFO;
CRYPT_OID_INFO = record
cbSize :DWORD;
pszOID :LPCSTR;
pwszName :LPCWSTR;
dwGroupId :DWORD;
EnumValue : record {type EnumValue for the union part of the original struct --max--}
case integer of
0:(dwValue :DWORD);
1:(Algid :ALG_ID);
2:(dwLength :DWORD);
end;
ExtraInfo :CRYPT_DATA_BLOB;
end;
type
CCRYPT_OID_INFO = CRYPT_OID_INFO;
PCCRYPT_OID_INFO = ^CCRYPT_OID_INFO;
//+-------------------------------------------------------------------------
// OID Group IDs
//--------------------------------------------------------------------------
const
CRYPT_HASH_ALG_OID_GROUP_ID = 1;
CRYPT_ENCRYPT_ALG_OID_GROUP_ID = 2;
CRYPT_PUBKEY_ALG_OID_GROUP_ID = 3;
CRYPT_SIGN_ALG_OID_GROUP_ID = 4;
CRYPT_RDN_ATTR_OID_GROUP_ID = 5;
CRYPT_EXT_OR_ATTR_OID_GROUP_ID = 6;
CRYPT_ENHKEY_USAGE_OID_GROUP_ID = 7;
CRYPT_POLICY_OID_GROUP_ID = 8;
CRYPT_LAST_OID_GROUP_ID = 8;
CRYPT_FIRST_ALG_OID_GROUP_ID = CRYPT_HASH_ALG_OID_GROUP_ID;
CRYPT_LAST_ALG_OID_GROUP_ID = CRYPT_SIGN_ALG_OID_GROUP_ID;
// The CRYPT_*_ALG_OID_GROUP_ID's have an Algid. The CRYPT_RDN_ATTR_OID_GROUP_ID
// has a dwLength. The CRYPT_EXT_OR_ATTR_OID_GROUP_ID,
// CRYPT_ENHKEY_USAGE_OID_GROUP_ID or CRYPT_POLICY_OID_GROUP_ID don't have a
// dwValue.
// CRYPT_PUBKEY_ALG_OID_GROUP_ID has the following optional ExtraInfo:
// DWORD[0] - Flags. CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG can be set to
// inhibit the reformatting of the signature before
// CryptVerifySignature is called or after CryptSignHash
// is called. CRYPT_OID_USE_PUBKEY_PARA_FOR_PKCS7_FLAG can
// be set to include the public key algorithm's parameters
// in the PKCS7's digestEncryptionAlgorithm's parameters.
CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG = $1;
CRYPT_OID_USE_PUBKEY_PARA_FOR_PKCS7_FLAG = $2;
// CRYPT_SIGN_ALG_OID_GROUP_ID has the following optional ExtraInfo:
// DWORD[0] - Public Key Algid.
// DWORD[1] - Flags. Same as above for CRYPT_PUBKEY_ALG_OID_GROUP_ID.
// CRYPT_RDN_ATTR_OID_GROUP_ID has the following optional ExtraInfo:
// Array of DWORDs:
// [0 ..] - Null terminated list of acceptable RDN attribute
// value types. An empty list implies CERT_RDN_PRINTABLE_STRING,
// CERT_RDN_T61_STRING, 0.
//+-------------------------------------------------------------------------
// Find OID information. Returns NULL if unable to find any information
// for the specified key and group. Note, returns a pointer to a constant
// data structure. The returned pointer MUST NOT be freed.
//
// dwKeyType's:
// CRYPT_OID_INFO_OID_KEY, pvKey points to a szOID
// CRYPT_OID_INFO_NAME_KEY, pvKey points to a wszName
// CRYPT_OID_INFO_ALGID_KEY, pvKey points to an ALG_ID
// CRYPT_OID_INFO_SIGN_KEY, pvKey points to an array of two ALG_ID's:
// ALG_ID[0] - Hash Algid
// ALG_ID[1] - PubKey Algid
//
// Setting dwGroupId to 0, searches all groups according to the dwKeyType.
// Otherwise, only the dwGroupId is searched.
//--------------------------------------------------------------------------
function CryptFindOIDInfo(dwKeyType :DWORD;
pvKey :PVOID;
dwGroupId :DWORD):PCCRYPT_OID_INFO ; stdcall;
const
CRYPT_OID_INFO_OID_KEY = 1;
CRYPT_OID_INFO_NAME_KEY = 2;
CRYPT_OID_INFO_ALGID_KEY = 3;
CRYPT_OID_INFO_SIGN_KEY = 4;
//+-------------------------------------------------------------------------
// Register OID information. The OID information specified in the
// CCRYPT_OID_INFO structure is persisted to the registry.
//
// crypt32.dll contains information for the commonly known OIDs. This function
// allows applications to augment crypt32.dll's OID information. During
// CryptFindOIDInfo's first call, the registered OID information is installed.
//
// By default the registered OID information is installed after crypt32.dll's
// OID entries. Set CRYPT_INSTALL_OID_INFO_BEFORE_FLAG to install before.
//--------------------------------------------------------------------------
function CryptRegisterOIDInfo(pInfo :PCCRYPT_OID_INFO;
dwFlags:DWORD):BOOL ; stdcall;
const
CRYPT_INSTALL_OID_INFO_BEFORE_FLAG = 1;
//+-------------------------------------------------------------------------
// Unregister OID information. Only the pszOID and dwGroupId fields are
// used to identify the OID information to be unregistered.
//--------------------------------------------------------------------------
function CryptUnregisterOIDInfo(pInfo :PCCRYPT_OID_INFO):BOOL ; stdcall;
//+=========================================================================
// Low Level Cryptographic Message Data Structures and APIs
//==========================================================================
type
HCRYPTMSG = Pointer;
const
szOID_PKCS_7_DATA = '1.2.840.113549.1.7.1';
szOID_PKCS_7_SIGNED = '1.2.840.113549.1.7.2';
szOID_PKCS_7_ENVELOPED = '1.2.840.113549.1.7.3';
szOID_PKCS_7_SIGNEDANDENVELOPED = '1.2.840.113549.1.7.4';
szOID_PKCS_7_DIGESTED = '1.2.840.113549.1.7.5';
szOID_PKCS_7_ENCRYPTED = '1.2.840.113549.1.7.6';
szOID_PKCS_9_CONTENT_TYPE = '1.2.840.113549.1.9.3';
szOID_PKCS_9_MESSAGE_DIGEST = '1.2.840.113549.1.9.4';
//+-------------------------------------------------------------------------
// Message types
//--------------------------------------------------------------------------
const
CMSG_DATA = 1;
CMSG_SIGNED = 2;
CMSG_ENVELOPED = 3;
CMSG_SIGNED_AND_ENVELOPED = 4;
CMSG_HASHED = 5;
CMSG_ENCRYPTED = 6;
//+-------------------------------------------------------------------------
// Message Type Bit Flags
//--------------------------------------------------------------------------
CMSG_ALL_FLAGS = (not ULONG(0));
CMSG_DATA_FLAG = (1 shl CMSG_DATA);
CMSG_SIGNED_FLAG = (1 shl CMSG_SIGNED);
CMSG_ENVELOPED_FLAG = (1 shl CMSG_ENVELOPED);
CMSG_SIGNED_AND_ENVELOPED_FLAG = (1 shl CMSG_SIGNED_AND_ENVELOPED);
CMSG_HASHED_FLAG = (1 shl CMSG_HASHED);
CMSG_ENCRYPTED_FLAG = (1 shl CMSG_ENCRYPTED);
//+-------------------------------------------------------------------------
// The message encode information (pvMsgEncodeInfo) is message type dependent
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_DATA: pvMsgEncodeInfo = NULL
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_SIGNED
//
// The pCertInfo in the CMSG_SIGNER_ENCODE_INFO provides the Issuer, SerialNumber
// and PublicKeyInfo.Algorithm. The PublicKeyInfo.Algorithm implicitly
// specifies the HashEncryptionAlgorithm to be used.
//
// The hCryptProv and dwKeySpec specify the private key to use. If dwKeySpec
// == 0, then, defaults to AT_SIGNATURE.
//
// pvHashAuxInfo currently isn't used and must be set to NULL.
//--------------------------------------------------------------------------
type
PCMSG_SIGNER_ENCODE_INFO = ^CMSG_SIGNER_ENCODE_INFO;
CMSG_SIGNER_ENCODE_INFO = record
cbSize :DWORD;
pCertInfo :PCERT_INFO;
hCryptProv :HCRYPTPROV;
dwKeySpec :DWORD;
HashAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
pvHashAuxInfo :PVOID;
cAuthAttr :DWORD;
rgAuthAttr :PCRYPT_ATTRIBUTE;
cUnauthAttr :DWORD;
rgUnauthAttr :PCRYPT_ATTRIBUTE;
end;
type
PCMSG_SIGNED_ENCODE_INFO = ^CMSG_SIGNED_ENCODE_INFO;
CMSG_SIGNED_ENCODE_INFO = record
cbSize :DWORD;
cSigners :DWORD;
rgSigners :PCMSG_SIGNER_ENCODE_INFO;
cCertEncoded :DWORD;
rgCertEncoded :PCERT_BLOB;
cCrlEncoded :DWORD;
rgCrlEncoded :PCRL_BLOB;
end;
//+-------------------------------------------------------------------------
// CMSG_ENVELOPED
//
// The PCERT_INFO for the rgRecipients provides the Issuer, SerialNumber
// and PublicKeyInfo. The PublicKeyInfo.Algorithm implicitly
// specifies the KeyEncryptionAlgorithm to be used.
//
// The PublicKeyInfo.PublicKey in PCERT_INFO is used to encrypt the content
// encryption key for the recipient.
//
// hCryptProv is used to do the content encryption, recipient key encryption
// and export. The hCryptProv's private keys aren't used.
//
// Note: CAPI currently doesn't support more than one KeyEncryptionAlgorithm
// per provider. This will need to be fixed.
//
// pvEncryptionAuxInfo currently isn't used and must be set to NULL.
//--------------------------------------------------------------------------
type
PCMSG_ENVELOPED_ENCODE_INFO = ^CMSG_ENVELOPED_ENCODE_INFO;
CMSG_ENVELOPED_ENCODE_INFO = record
cbSize :DWORD;
hCryptProv :HCRYPTPROV;
ContentEncryptionAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
pvEncryptionAuxInfo :PVOID;
cRecipients :DWORD;
rgpRecipients :PPCERT_INFO; // pointer to array of PCERT_INFO
end;
//+-------------------------------------------------------------------------
// CMSG_SIGNED_AND_ENVELOPED
//
// For PKCS #7, a signed and enveloped message doesn't have the
// signer's authenticated or unauthenticated attributes. Otherwise, a
// combination of the CMSG_SIGNED_ENCODE_INFO and CMSG_ENVELOPED_ENCODE_INFO.
//--------------------------------------------------------------------------
type
PCMSG_SIGNED_AND_ENVELOPED_ENCODE_INFO = ^CMSG_SIGNED_AND_ENVELOPED_ENCODE_INFO;
CMSG_SIGNED_AND_ENVELOPED_ENCODE_INFO = record
cbSize :DWORD;
SignedInfo :CMSG_SIGNED_ENCODE_INFO;
EnvelopedInfo :CMSG_ENVELOPED_ENCODE_INFO;
end;
//+-------------------------------------------------------------------------
// CMSG_HASHED
//
// hCryptProv is used to do the hash. Doesn't need to use a private key.
//
// If fDetachedHash is set, then, the encoded message doesn't contain
// any content (its treated as NULL Data)
//
// pvHashAuxInfo currently isn't used and must be set to NULL.
//--------------------------------------------------------------------------
type
PCMSG_HASHED_ENCODE_INFO = ^CMSG_HASHED_ENCODE_INFO;
CMSG_HASHED_ENCODE_INFO = record
cbSize :DWORD;
hCryptProv :HCRYPTPROV;
HashAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
pvHashAuxInfo :PVOID;
end;
//+-------------------------------------------------------------------------
// CMSG_ENCRYPTED
//
// The key used to encrypt the message is identified outside of the message
// content (for example, password).
//
// The content input to CryptMsgUpdate has already been encrypted.
//
// pvEncryptionAuxInfo currently isn't used and must be set to NULL.
//--------------------------------------------------------------------------
type
PCMSG_ENCRYPTED_ENCODE_INFO = ^CMSG_ENCRYPTED_ENCODE_INFO;
CMSG_ENCRYPTED_ENCODE_INFO = record
cbSize :DWORD;
ContentEncryptionAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
pvEncryptionAuxInfo :PVOID;
end;
//+-------------------------------------------------------------------------
// This parameter allows messages to be of variable length with streamed
// output.
//
// By default, messages are of a definite length and
// CryptMsgGetParam(CMSG_CONTENT_PARAM) is
// called to get the cryptographically processed content. Until closed,
// the handle keeps a copy of the processed content.
//
// With streamed output, the processed content can be freed as its streamed.
//
// If the length of the content to be updated is known at the time of the
// open, then, ContentLength should be set to that length. Otherwise, it
// should be set to CMSG_INDEFINITE_LENGTH.
//--------------------------------------------------------------------------
type
PFN_CMSG_STREAM_OUTPUT = function (
const pvArg :PVOID;
pbData :PBYTE;
cbData :DWORD;
fFinal :BOOL):BOOL ; stdcall;
const
CMSG_INDEFINITE_LENGTH = ($FFFFFFFF);
type
PCMSG_STREAM_INFO = ^CMSG_STREAM_INFO;
CMSG_STREAM_INFO = record
cbContent :DWORD;
pfnStreamOutput :PFN_CMSG_STREAM_OUTPUT;
pvArg :PVOID;
end;
//+-------------------------------------------------------------------------
// Open dwFlags
//--------------------------------------------------------------------------
const
CMSG_BARE_CONTENT_FLAG = $00000001;
CMSG_LENGTH_ONLY_FLAG = $00000002;
CMSG_DETACHED_FLAG = $00000004;
CMSG_AUTHENTICATED_ATTRIBUTES_FLAG = $00000008;
CMSG_CONTENTS_OCTETS_FLAG = $00000010;
CMSG_MAX_LENGTH_FLAG = $00000020;
//+-------------------------------------------------------------------------
// Open a cryptographic message for encoding
//
// For PKCS #7:
// If the content to be passed to CryptMsgUpdate has already
// been message encoded (the input to CryptMsgUpdate is the streamed output
// from another message encode), then, the CMSG_ENCODED_CONTENT_INFO_FLAG should
// be set in dwFlags. If not set, then, the inner ContentType is Data and
// the input to CryptMsgUpdate is treated as the inner Data type's Content,
// a string of bytes.
// If CMSG_BARE_CONTENT_FLAG is specified for a streamed message,
// the streamed output will not have an outer ContentInfo wrapper. This
// makes it suitable to be streamed into an enclosing message.
//
// The pStreamInfo parameter needs to be set to stream the encoded message
// output.
//--------------------------------------------------------------------------
function CryptMsgOpenToEncode(dwMsgEncodingType :DWORD;
dwFlags :DWORD;
dwMsgType :DWORD;
pvMsgEncodeInfo :PVOID;
pszInnerContentObjID :LPSTR; //OPTIONAL
pStreamInfo :PCMSG_STREAM_INFO //OPTIONAL
):HCRYPTMSG ; stdcall;
//+-------------------------------------------------------------------------
// Calculate the length of an encoded cryptographic message.
//
// Calculates the length of the encoded message given the
// message type, encoding parameters and total length of
// the data to be updated. Note, this might not be the exact length. However,
// it will always be greater than or equal to the actual length.
//--------------------------------------------------------------------------
function CryptMsgCalculateEncodedLength(dwMsgEncodingType :DWORD;
dwFlags :DWORD;
dwMsgType :DWORD;
pvMsgEncodeInfo :PVOID;
pszInnerContentObjID :LPSTR; //OPTIONAL
cbData :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
// Open a cryptographic message for decoding
//
// For PKCS #7: if the inner ContentType isn't Data, then, the inner
// ContentInfo consisting of both ContentType and Content is output.
// To also enable ContentInfo output for the Data ContentType, then,
// the CMSG_ENCODED_CONTENT_INFO_FLAG should be set
// in dwFlags. If not set, then, only the content portion of the inner
// ContentInfo is output for the Data ContentType.
//
// To only calculate the length of the decoded message, set the
// CMSG_LENGTH_ONLY_FLAG in dwFlags. After the final CryptMsgUpdate get the
// MSG_CONTENT_PARAM. Note, this might not be the exact length. However,
// it will always be greater than or equal to the actual length.
//
// hCryptProv specifies the crypto provider to use for hashing and/or
// decrypting the message. For enveloped messages, hCryptProv also specifies
// the private exchange key to use. For signed messages, hCryptProv is used
// when CryptMsgVerifySigner is called.
//
// For enveloped messages, the pRecipientInfo contains the Issuer and
// SerialNumber identifying the RecipientInfo in the message.
//
// Note, the pRecipientInfo should correspond to the provider's private
// exchange key.
//
// If pRecipientInfo is NULL, then, the message isn't decrypted. To decrypt
// the message, CryptMsgControl(CMSG_CTRL_DECRYPT) is called after the final
// CryptMsgUpdate.
//
// The pStreamInfo parameter needs to be set to stream the decoded content
// output. Note, if pRecipientInfo is NULL, then, the streamed output isn't
// decrypted.
//--------------------------------------------------------------------------
function CryptMsgOpenToDecode(dwMsgEncodingType :DWORD;
dwFlags :DWORD;
dwMsgType :DWORD;
hCryptProv :HCRYPTPROV;
pRecipientInfo :PCERT_INFO; //OPTIONAL
pStreamInfo:PCMSG_STREAM_INFO //OPTIONAL
):HCRYPTMSG ; stdcall;
//+-------------------------------------------------------------------------
// Close a cryptographic message handle
//
// LastError is preserved unless FALSE is returned.
//--------------------------------------------------------------------------
function CryptMsgClose(hCryptMsg :HCRYPTMSG):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Update the content of a cryptographic message. Depending on how the
// message was opened, the content is either encoded or decoded.
//
// This function is repetitively called to append to the message content.
// fFinal is set to identify the last update. On fFinal, the encode/decode
// is completed. The encoded/decoded content and the decoded parameters
// are valid until the open and all duplicated handles are closed.
//--------------------------------------------------------------------------
function CryptMsgUpdate(hCryptMsg :HCRYPTMSG;
const pbData :PBYTE;
cbData :DWORD;
fFinal :BOOL):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Perform a special "control" function after the final CryptMsgUpdate of a
// encoded/decoded cryptographic message.
//
// The dwCtrlType parameter specifies the type of operation to be performed.
//
// The pvCtrlPara definition depends on the dwCtrlType value.
//
// See below for a list of the control operations and their pvCtrlPara
// type definition.
//--------------------------------------------------------------------------
function CryptMsgControl(hCryptMsg :HCRYPTMSG;
dwFlags :DWORD;
dwCtrlType :DWORD;
pvCtrlPara :PVOID):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Message control types
//--------------------------------------------------------------------------
const
CMSG_CTRL_VERIFY_SIGNATURE = 1;
CMSG_CTRL_DECRYPT = 2;
CMSG_CTRL_VERIFY_HASH = 5;
CMSG_CTRL_ADD_SIGNER = 6;
CMSG_CTRL_DEL_SIGNER = 7;
CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR = 8;
CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR = 9;
CMSG_CTRL_ADD_CERT = 10;
CMSG_CTRL_DEL_CERT = 11;
CMSG_CTRL_ADD_CRL = 12;
CMSG_CTRL_DEL_CRL = 13;
//+-------------------------------------------------------------------------
// CMSG_CTRL_VERIFY_SIGNATURE
//
// Verify the signature of a SIGNED or SIGNED_AND_ENVELOPED
// message after it has been decoded.
//
// For a SIGNED_AND_ENVELOPED message, called after
// CryptMsgControl(CMSG_CTRL_DECRYPT), if CryptMsgOpenToDecode was called
// with a NULL pRecipientInfo.
//
// pvCtrlPara points to a CERT_INFO struct.
//
// The CERT_INFO contains the Issuer and SerialNumber identifying
// the Signer of the message. The CERT_INFO also contains the
// PublicKeyInfo
// used to verify the signature. The cryptographic provider specified
// in CryptMsgOpenToDecode is used.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_DECRYPT
//
// Decrypt an ENVELOPED or SIGNED_AND_ENVELOPED message after it has been
// decoded.
//
// hCryptProv and dwKeySpec specify the private key to use. For dwKeySpec ==
// 0, defaults to AT_KEYEXCHANGE.
//
// dwRecipientIndex is the index of the recipient in the message associated
// with the hCryptProv's private key.
//
// This control function needs to be called, if you don't know the appropriate
// recipient before calling CryptMsgOpenToDecode. After the final
// CryptMsgUpdate, the list of recipients is obtained by iterating through
// CMSG_RECIPIENT_INFO_PARAM. The recipient corresponding to a private
// key owned by the caller is selected and passed to this function to decrypt
// the message.
//
// Note, the message can only be decrypted once.
//--------------------------------------------------------------------------
type
PCMSG_CTRL_DECRYPT_PARA = ^CMSG_CTRL_DECRYPT_PARA;
CMSG_CTRL_DECRYPT_PARA = record
cbSize :DWORD;
hCryptProv :HCRYPTPROV;
dwKeySpec :DWORD;
dwRecipientIndex :DWORD;
end;
//+-------------------------------------------------------------------------
// CMSG_CTRL_VERIFY_HASH
//
// Verify the hash of a HASHED message after it has been decoded.
//
// Only the hCryptMsg parameter is used, to specify the message whose
// hash is being verified.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_ADD_SIGNER
//
// Add a signer to a signed-data or signed-and-enveloped-data message.
//
// pvCtrlPara points to a CMSG_SIGNER_ENCODE_INFO.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_DEL_SIGNER
//
// Remove a signer from a signed-data or signed-and-enveloped-data message.
//
// pvCtrlPara points to a DWORD containing the 0-based index of the
// signer to be removed.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR
//
// Add an unauthenticated attribute to the SignerInfo of a signed-data or
// signed-and-enveloped-data message.
//
// The unauthenticated attribute is input in the form of an encoded blob.
//--------------------------------------------------------------------------
type
PCMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR_PARA = ^CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR_PARA;
CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR_PARA = record
cbSize :DWORD;
dwSignerIndex :DWORD;
blob :CRYPT_DATA_BLOB;
end;
//+-------------------------------------------------------------------------
// CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR
//
// Delete an unauthenticated attribute from the SignerInfo of a signed-data
// or signed-and-enveloped-data message.
//
// The unauthenticated attribute to be removed is specified by
// a 0-based index.
//--------------------------------------------------------------------------
type
PCMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR_PARA = ^CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR_PARA;
CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR_PARA = record
cbSize :DWORD;
dwSignerIndex :DWORD;
dwUnauthAttrIndex :DWORD;
end;
//+-------------------------------------------------------------------------
// CMSG_CTRL_ADD_CERT
//
// Add a certificate to a signed-data or signed-and-enveloped-data message.
//
// pvCtrlPara points to a CRYPT_DATA_BLOB containing the certificate's
// encoded bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_DEL_CERT
//
// Delete a certificate from a signed-data or signed-and-enveloped-data
// message.
//
// pvCtrlPara points to a DWORD containing the 0-based index of the
// certificate to be removed.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_ADD_CRL
//
// Add a CRL to a signed-data or signed-and-enveloped-data message.
//
// pvCtrlPara points to a CRYPT_DATA_BLOB containing the CRL's
// encoded bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CTRL_DEL_CRL
//
// Delete a CRL from a signed-data or signed-and-enveloped-data message.
//
// pvCtrlPara points to a DWORD containing the 0-based index of the CRL
// to be removed.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Verify a countersignature, at the SignerInfo level.
// ie. verify that pbSignerInfoCountersignature contains the encrypted
// hash of the encryptedDigest field of pbSignerInfo.
//
// hCryptProv is used to hash the encryptedDigest field of pbSignerInfo.
// The only fields referenced from pciCountersigner are SerialNumber, Issuer,
// and SubjectPublicKeyInfo.
//--------------------------------------------------------------------------
function CryptMsgVerifyCountersignatureEncoded(hCryptProv :HCRYPTPROV;
dwEncodingType :DWORD;
pbSignerInfo :PBYTE;
cbSignerInfo :DWORD;
pbSignerInfoCountersignature :PBYTE;
cbSignerInfoCountersignature :DWORD;
pciCountersigner :PCERT_INFO):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Countersign an already-existing signature in a message
//
// dwIndex is a zero-based index of the SignerInfo to be countersigned.
//--------------------------------------------------------------------------
function CryptMsgCountersign(hCryptMsg :HCRYPTMSG;
dwIndex :DWORD;
cCountersigners :DWORD;
rgCountersigners :PCMSG_SIGNER_ENCODE_INFO):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Countersign an already-existing signature (encoded SignerInfo).
// Output an encoded SignerInfo blob, suitable for use as a countersignature
// attribute in the unauthenticated attributes of a signed-data or
// signed-and-enveloped-data message.
//--------------------------------------------------------------------------
function CryptMsgCountersignEncoded(dwEncodingType :DWORD;
pbSignerInfo :PBYTE;
cbSignerInfo :DWORD;
cCountersigners :DWORD;
rgCountersigners :PCMSG_SIGNER_ENCODE_INFO;
pbCountersignature :PBYTE;
pcbCountersignature :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Get a parameter after encoding/decoding a cryptographic message. Called
// after the final CryptMsgUpdate. Only the CMSG_CONTENT_PARAM and
// CMSG_COMPUTED_HASH_PARAM are valid for an encoded message.
//
// For an encoded HASHED message, the CMSG_COMPUTED_HASH_PARAM can be got
// before any CryptMsgUpdates to get its length.
//
// The pvData type definition depends on the dwParamType value.
//
// Elements pointed to by fields in the pvData structure follow the
// structure. Therefore, *pcbData may exceed the size of the structure.
//
// Upon input, if *pcbData == 0, then, *pcbData is updated with the length
// of the data and the pvData parameter is ignored.
//
// Upon return, *pcbData is updated with the length of the data.
//
// The OBJID BLOBs returned in the pvData structures point to
// their still encoded representation. The appropriate functions
// must be called to decode the information.
//
// See below for a list of the parameters to get.
//--------------------------------------------------------------------------
function CryptMsgGetParam(hCryptMsg :HCRYPTMSG;
dwParamType :DWORD;
dwIndex :DWORD;
pvData :PVOID;
pcbData :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Get parameter types and their corresponding data structure definitions.
//--------------------------------------------------------------------------
const
CMSG_TYPE_PARAM = 1;
CMSG_CONTENT_PARAM = 2;
CMSG_BARE_CONTENT_PARAM = 3;
CMSG_INNER_CONTENT_TYPE_PARAM = 4;
CMSG_SIGNER_COUNT_PARAM = 5;
CMSG_SIGNER_INFO_PARAM = 6;
CMSG_SIGNER_CERT_INFO_PARAM = 7;
CMSG_SIGNER_HASH_ALGORITHM_PARAM = 8;
CMSG_SIGNER_AUTH_ATTR_PARAM = 9;
CMSG_SIGNER_UNAUTH_ATTR_PARAM = 10;
CMSG_CERT_COUNT_PARAM = 11;
CMSG_CERT_PARAM = 12;
CMSG_CRL_COUNT_PARAM = 13;
CMSG_CRL_PARAM = 14;
CMSG_ENVELOPE_ALGORITHM_PARAM = 15;
CMSG_RECIPIENT_COUNT_PARAM = 17;
CMSG_RECIPIENT_INDEX_PARAM = 18;
CMSG_RECIPIENT_INFO_PARAM = 19;
CMSG_HASH_ALGORITHM_PARAM = 20;
CMSG_HASH_DATA_PARAM = 21;
CMSG_COMPUTED_HASH_PARAM = 22;
CMSG_ENCRYPT_PARAM = 26;
CMSG_ENCRYPTED_DIGEST = 27;
CMSG_ENCODED_SIGNER = 28;
CMSG_ENCODED_MESSAGE = 29;
//+-------------------------------------------------------------------------
// CMSG_TYPE_PARAM
//
// The type of the decoded message.
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CONTENT_PARAM
//
// The encoded content of a cryptographic message. Depending on how the
// message was opened, the content is either the whole PKCS#7
// message (opened to encode) or the inner content (opened to decode).
// In the decode case, the decrypted content is returned, if enveloped.
// If not enveloped, and if the inner content is of type DATA, the returned
// data is the contents octets of the inner content.
//
// pvData points to the buffer receiving the content bytes
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_BARE_CONTENT_PARAM
//
// The encoded content of an encoded cryptographic message, without the
// outer layer of ContentInfo. That is, only the encoding of the
// ContentInfo.content field is returned.
//
// pvData points to the buffer receiving the content bytes
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_INNER_CONTENT_TYPE_PARAM
//
// The type of the inner content of a decoded cryptographic message,
// in the form of a NULL-terminated object identifier string
// (eg. "1.2.840.113549.1.7.1").
//
// pvData points to the buffer receiving the object identifier string
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_SIGNER_COUNT_PARAM
//
// Count of signers in a SIGNED or SIGNED_AND_ENVELOPED message
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_SIGNER_CERT_INFO_PARAM
//
// To get all the signers, repetitively call CryptMsgGetParam, with
// dwIndex set to 0 .. SignerCount - 1.
//
// pvData points to a CERT_INFO struct.
//
// Only the following fields have been updated in the CERT_INFO struct:
// Issuer and SerialNumber.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_SIGNER_INFO_PARAM
//
// To get all the signers, repetitively call CryptMsgGetParam, with
// dwIndex set to 0 .. SignerCount - 1.
//
// pvData points to a CMSG_SIGNER_INFO struct.
//--------------------------------------------------------------------------
type
PCMSG_SIGNER_INFO = ^CMSG_SIGNER_INFO;
CMSG_SIGNER_INFO = record
dwVersion :DWORD;
Issuer :CERT_NAME_BLOB;
SerialNumber :CRYPT_INTEGER_BLOB;
HashAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
HashEncryptionAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
EncryptedHash :CRYPT_DATA_BLOB;
AuthAttrs :CRYPT_ATTRIBUTES;
UnauthAttrs :CRYPT_ATTRIBUTES;
end;
//+-------------------------------------------------------------------------
// CMSG_SIGNER_HASH_ALGORITHM_PARAM
//
// This parameter specifies the HashAlgorithm that was used for the signer.
//
// Set dwIndex to iterate through all the signers.
//
// pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_SIGNER_AUTH_ATTR_PARAM
//
// The authenticated attributes for the signer.
//
// Set dwIndex to iterate through all the signers.
//
// pvData points to a CMSG_ATTR struct.
//--------------------------------------------------------------------------
type
CMSG_ATTR = CRYPT_ATTRIBUTES;
PCMSG_ATTR = ^CRYPT_ATTRIBUTES;
//+-------------------------------------------------------------------------
// CMSG_SIGNER_UNAUTH_ATTR_PARAM
//
// The unauthenticated attributes for the signer.
//
// Set dwIndex to iterate through all the signers.
//
// pvData points to a CMSG_ATTR struct.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CERT_COUNT_PARAM
//
// Count of certificates in a SIGNED or SIGNED_AND_ENVELOPED message.
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CERT_PARAM
//
// To get all the certificates, repetitively call CryptMsgGetParam, with
// dwIndex set to 0 .. CertCount - 1.
//
// pvData points to an array of the certificate's encoded bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CRL_COUNT_PARAM
//
// Count of CRLs in a SIGNED or SIGNED_AND_ENVELOPED message.
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_CRL_PARAM
//
// To get all the CRLs, repetitively call CryptMsgGetParam, with
// dwIndex set to 0 .. CrlCount - 1.
//
// pvData points to an array of the CRL's encoded bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_ENVELOPE_ALGORITHM_PARAM
//
// The ContentEncryptionAlgorithm that was used in
// an ENVELOPED or SIGNED_AND_ENVELOPED message.
//
// pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_RECIPIENT_COUNT_PARAM
//
// Count of recipients in an ENVELOPED or SIGNED_AND_ENVELOPED message.
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_RECIPIENT_INDEX_PARAM
//
// Index of the recipient used to decrypt an ENVELOPED or SIGNED_AND_ENVELOPED
// message.
//
// pvData points to a DWORD
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_RECIPIENT_INFO_PARAM
//
// To get all the recipients, repetitively call CryptMsgGetParam, with
// dwIndex set to 0 .. RecipientCount - 1.
//
// pvData points to a CERT_INFO struct.
//
// Only the following fields have been updated in the CERT_INFO struct:
// Issuer, SerialNumber and PublicKeyAlgorithm. The PublicKeyAlgorithm
// specifies the KeyEncryptionAlgorithm that was used.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_HASH_ALGORITHM_PARAM
//
// The HashAlgorithm in a HASHED message.
//
// pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_HASH_DATA_PARAM
//
// The hash in a HASHED message.
//
// pvData points to an array of bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_COMPUTED_HASH_PARAM
//
// The computed hash for a HASHED message.
//
// This may be called for either an encoded or decoded message.
// It also may be called before any encoded CryptMsgUpdates to get its length.
//
// pvData points to an array of bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_ENCRYPT_PARAM
//
// The ContentEncryptionAlgorithm that was used in an ENCRYPTED message.
//
// pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CMSG_ENCODED_MESSAGE
//
// The full encoded message. This is useful in the case of a decoded
// message which has been modified (eg. a signed-data or
// signed-and-enveloped-data message which has been countersigned).
//
// pvData points to an array of the message's encoded bytes.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CryptMsg OID installable functions
//--------------------------------------------------------------------------
// If *phCryptProv is NULL upon entry, then, if supported, the installable
// function should acquire a default provider and return. Note, its up
// to the installable function to release at process detach.
const
CMSG_OID_GEN_ENCRYPT_KEY_FUNC = 'CryptMsgDllGenEncryptKey';
type
PFN_CMSG_GEN_ENCRYPT_KEY = function (phCryptProv :PHCRYPTPROV;
paiEncrypt :PCRYPT_ALGORITHM_IDENTIFIER;
pvEncryptAuxInfo :PVOID;
pPublicKeyInfo :PCERT_PUBLIC_KEY_INFO;
phEncryptKey :PHCRYPTKEY
):BOOL ; stdcall;
const
CMSG_OID_EXPORT_ENCRYPT_KEY_FUNC = 'CryptMsgDllExportEncryptKey';
type
PFN_CMSG_EXPORT_ENCRYPT_KEY = function (hCryptProv :HCRYPTPROV;
hEncryptKey :HCRYPTKEY;
pPublicKeyInfo :PCERT_PUBLIC_KEY_INFO;
pbData :PBYTE;
pcbData :PDWORD):BOOL ; stdcall;
const
CMSG_OID_IMPORT_ENCRYPT_KEY_FUNC = 'CryptMsgDllImportEncryptKey';
type
PFN_CMSG_IMPORT_ENCRYPT_KEY = function (hCryptProv :HCRYPTPROV;
dwKeySpec :DWORD;
paiEncrypt :PCRYPT_ALGORITHM_IDENTIFIER;
paiPubKey :PCRYPT_ALGORITHM_IDENTIFIER;
pbEncodedKey :PBYTE;
cbEncodedKey :DWORD;
phEncryptKey :PHCRYPTKEY
):BOOL ; stdcall;
//+=========================================================================
// Certificate Store Data Structures and APIs
//==========================================================================
//+-------------------------------------------------------------------------
// In its most basic implementation, a cert store is simply a
// collection of certificates and/or CRLs. This is the case when
// a cert store is opened with all of its certificates and CRLs
// coming from a PKCS #7 encoded cryptographic message.
//
// Nonetheless, all cert stores have the following properties:
// - A public key may have more than one certificate in the store.
// For example, a private/public key used for signing may have a
// certificate issued for VISA and another issued for
// Mastercard. Also, when a certificate is renewed there might
// be more than one certificate with the same subject and
// issuer.
// - However, each certificate in the store is uniquely
// identified by its Issuer and SerialNumber.
// - There's an issuer of subject certificate relationship. A
// certificate's issuer is found by doing a match of
// pSubjectCert->Issuer with pIssuerCert->Subject.
// The relationship is verified by using
// the issuer's public key to verify the subject certificate's
// signature. Note, there might be X.509 v3 extensions
// to assist in finding the issuer certificate.
// - Since issuer certificates might be renewed, a subject
// certificate might have more than one issuer certificate.
// - There's an issuer of CRL relationship. An
// issuer's CRL is found by doing a match of
// pIssuerCert->Subject with pCrl->Issuer.
// The relationship is verified by using
// the issuer's public key to verify the CRL's
// signature. Note, there might be X.509 v3 extensions
// to assist in finding the CRL.
// - Since some issuers might support the X.509 v3 delta CRL
// extensions, an issuer might have more than one CRL.
// - The store shouldn't have any redundant certificates or
// CRLs. There shouldn't be two certificates with the same
// Issuer and SerialNumber. There shouldn't be two CRLs with
// the same Issuer, ThisUpdate and NextUpdate.
// - The store has NO policy or trust information. No
// certificates are tagged as being "root". Its up to
// the application to maintain a list of CertIds (Issuer +
// SerialNumber) for certificates it trusts.
// - The store might contain bad certificates and/or CRLs.
// The issuer's signature of a subject certificate or CRL may
// not verify. Certificates or CRLs may not satisfy their
// time validity requirements. Certificates may be
// revoked.
//
// In addition to the certificates and CRLs, properties can be
// stored. There are two predefined property IDs for a user
// certificate: CERT_KEY_PROV_HANDLE_PROP_ID and
// CERT_KEY_PROV_INFO_PROP_ID. The CERT_KEY_PROV_HANDLE_PROP_ID
// is a HCRYPTPROV handle to the private key assoicated
// with the certificate. The CERT_KEY_PROV_INFO_PROP_ID contains
// information to be used to call
// CryptAcquireContext and CryptProvSetParam to get a handle
// to the private key associated with the certificate.
//
// There exists two more predefined property IDs for certificates
// and CRLs, CERT_SHA1_HASH_PROP_ID and CERT_MD5_HASH_PROP_ID.
// If these properties don't already exist, then, a hash of the
// content is computed. (CERT_HASH_PROP_ID maps to the default
// hash algorithm, currently, CERT_SHA1_HASH_PROP_ID).
//
// There are additional APIs for creating certificate and CRL
// contexts not in a store (CertCreateCertificateContext and
// CertCreateCRLContext).
//
//--------------------------------------------------------------------------
type
HCERTSTORE = PVOID;
//+-------------------------------------------------------------------------
// Certificate context.
//
// A certificate context contains both the encoded and decoded representation
// of a certificate. A certificate context returned by a cert store function
// must be freed by calling the CertFreeCertificateContext function. The
// CertDuplicateCertificateContext function can be called to make a duplicate
// copy (which also must be freed by calling CertFreeCertificateContext).
//--------------------------------------------------------------------------
type
PCERT_CONTEXT = ^CERT_CONTEXT;
CERT_CONTEXT = record
dwCertEncodingType :DWORD;
pbCertEncoded :PBYTE;
cbCertEncoded :DWORD;
pCertInfo :PCERT_INFO;
hCertStore :HCERTSTORE;
end;
type
PCCERT_CONTEXT = ^CERT_CONTEXT;
//+-------------------------------------------------------------------------
// CRL context.
//
// A CRL context contains both the encoded and decoded representation
// of a CRL. A CRL context returned by a cert store function
// must be freed by calling the CertFreeCRLContext function. The
// CertDuplicateCRLContext function can be called to make a duplicate
// copy (which also must be freed by calling CertFreeCRLContext).
//--------------------------------------------------------------------------
type
PCRL_CONTEXT = ^CRL_CONTEXT;
CRL_CONTEXT = record
dwCertEncodingType :DWORD;
pbCrlEncoded :PBYTE;
cbCrlEncoded :DWORD;
pCrlInfo :PCRL_INFO;
hCertStore :HCERTSTORE;
end;
type
PCCRL_CONTEXT = ^CRL_CONTEXT;
//+-------------------------------------------------------------------------
// Certificate Trust List (CTL) context.
//
// A CTL context contains both the encoded and decoded representation
// of a CTL. Also contains an opened HCRYPTMSG handle to the decoded
// cryptographic signed message containing the CTL_INFO as its inner content.
// pbCtlContent is the encoded inner content of the signed message.
//
// The CryptMsg APIs can be used to extract additional signer information.
//--------------------------------------------------------------------------
type
PCTL_CONTEXT = ^CTL_CONTEXT;
CTL_CONTEXT = record
dwMsgAndCertEncodingType :DWORD;
pbCtlEncoded :PBYTE;
cbCtlEncoded :DWORD;
pCtlInfo :PCTL_INFO;
hCertStore :HCERTSTORE;
hCryptMsg :HCRYPTMSG;
pbCtlContent :PBYTE;
cbCtlContent :DWORD;
end;
type
PCCTL_CONTEXT = ^CTL_CONTEXT;
//+-------------------------------------------------------------------------
// Certificate, CRL and CTL property IDs
//
// See CertSetCertificateContextProperty or CertGetCertificateContextProperty
// for usage information.
//--------------------------------------------------------------------------
const
CERT_KEY_PROV_HANDLE_PROP_ID = 1;
CERT_KEY_PROV_INFO_PROP_ID = 2;
CERT_SHA1_HASH_PROP_ID = 3;
CERT_MD5_HASH_PROP_ID = 4;
CERT_HASH_PROP_ID = CERT_SHA1_HASH_PROP_ID;
CERT_KEY_CONTEXT_PROP_ID = 5;
CERT_KEY_SPEC_PROP_ID = 6;
CERT_IE30_RESERVED_PROP_ID = 7;
CERT_PUBKEY_HASH_RESERVED_PROP_ID = 8;
CERT_ENHKEY_USAGE_PROP_ID = 9;
CERT_CTL_USAGE_PROP_ID = CERT_ENHKEY_USAGE_PROP_ID;
CERT_NEXT_UPDATE_LOCATION_PROP_ID = 10;
CERT_FRIENDLY_NAME_PROP_ID = 11;
CERT_PVK_FILE_PROP_ID = 12;
// Note, 32 - 34 are reserved for the CERT, CRL and CTL file element IDs.
CERT_FIRST_RESERVED_PROP_ID = 13;
CERT_LAST_RESERVED_PROP_ID = $00007FFF;
CERT_FIRST_USER_PROP_ID = $00008000;
CERT_LAST_USER_PROP_ID = $0000FFFF;
function IS_CERT_HASH_PROP_ID( X :DWORD):BOOL ;
//+-------------------------------------------------------------------------
// Cryptographic Key Provider Information
//
// CRYPT_KEY_PROV_INFO defines the CERT_KEY_PROV_INFO_PROP_ID's pvData.
//
// The CRYPT_KEY_PROV_INFO fields are passed to CryptAcquireContext
// to get a HCRYPTPROV handle. The optional CRYPT_KEY_PROV_PARAM fields are
// passed to CryptProvSetParam to further initialize the provider.
//
// The dwKeySpec field identifies the private key to use from the container
// For example, AT_KEYEXCHANGE or AT_SIGNATURE.
//--------------------------------------------------------------------------
type
PCRYPT_KEY_PROV_PARAM = ^CRYPT_KEY_PROV_PARAM;
CRYPT_KEY_PROV_PARAM = record
dwParam :DWORD;
pbData :PBYTE;
cbData :DWORD;
dwFlags :DWORD;
end;
type
PCRYPT_KEY_PROV_INFO = ^CRYPT_KEY_PROV_INFO;
CRYPT_KEY_PROV_INFO = record
pwszContainerName :LPWSTR;
pwszProvName :LPWSTR;
dwProvType :DWORD;
dwFlags :DWORD;
cProvParam :DWORD;
rgProvParam :PCRYPT_KEY_PROV_PARAM;
dwKeySpec :DWORD;
end;
//+-------------------------------------------------------------------------
// The following flag should be set in the above dwFlags to enable
// a CertSetCertificateContextProperty(CERT_KEY_CONTEXT_PROP_ID) after a
// CryptAcquireContext is done in the Sign or Decrypt Message functions.
//
// The following define must not collide with any of the
// CryptAcquireContext dwFlag defines.
//--------------------------------------------------------------------------
const
CERT_SET_KEY_PROV_HANDLE_PROP_ID = $00000001;
CERT_SET_KEY_CONTEXT_PROP_ID = $00000001;
//+-------------------------------------------------------------------------
// Certificate Key Context
//
// CERT_KEY_CONTEXT defines the CERT_KEY_CONTEXT_PROP_ID's pvData.
//--------------------------------------------------------------------------
type
PCERT_KEY_CONTEXT = ^CERT_KEY_CONTEXT;
CERT_KEY_CONTEXT = record
cbSize :DWORD; // sizeof(CERT_KEY_CONTEXT)
hCryptProv :HCRYPTPROV;
dwKeySpec :DWORD;
end;
//+-------------------------------------------------------------------------
// Certificate Store Provider Types
//--------------------------------------------------------------------------
const
CERT_STORE_PROV_MSG = (LPCSTR(1));
CERT_STORE_PROV_MEMORY = (LPCSTR(2));
CERT_STORE_PROV_FILE = (LPCSTR(3));
CERT_STORE_PROV_REG = (LPCSTR(4));
CERT_STORE_PROV_PKCS7 = (LPCSTR(5));
CERT_STORE_PROV_SERIALIZED = (LPCSTR(6));
CERT_STORE_PROV_FILENAME_A = (LPCSTR(7));
CERT_STORE_PROV_FILENAME_W = (LPCSTR(8));
CERT_STORE_PROV_FILENAME = CERT_STORE_PROV_FILENAME_W;
CERT_STORE_PROV_SYSTEM_A = (LPCSTR(9));
CERT_STORE_PROV_SYSTEM_W = (LPCSTR(10));
CERT_STORE_PROV_SYSTEM = CERT_STORE_PROV_SYSTEM_W;
sz_CERT_STORE_PROV_MEMORY = 'Memory';
sz_CERT_STORE_PROV_FILENAME_W = 'File';
sz_CERT_STORE_PROV_FILENAME = sz_CERT_STORE_PROV_FILENAME_W;
sz_CERT_STORE_PROV_SYSTEM_W = 'System';
sz_CERT_STORE_PROV_SYSTEM = sz_CERT_STORE_PROV_SYSTEM_W;
sz_CERT_STORE_PROV_PKCS7 = 'PKCS7';
sz_CERT_STORE_PROV_SERIALIZED = 'Serialized';
//+-------------------------------------------------------------------------
// Certificate Store verify/results flags
//--------------------------------------------------------------------------
CERT_STORE_SIGNATURE_FLAG = $00000001;
CERT_STORE_TIME_VALIDITY_FLAG = $00000002;
CERT_STORE_REVOCATION_FLAG = $00000004;
CERT_STORE_NO_CRL_FLAG = $00010000;
CERT_STORE_NO_ISSUER_FLAG = $00020000;
//+-------------------------------------------------------------------------
// Certificate Store open/property flags
//--------------------------------------------------------------------------
CERT_STORE_NO_CRYPT_RELEASE_FLAG = $00000001;
CERT_STORE_READONLY_FLAG = $00008000;
//+-------------------------------------------------------------------------
// Certificate Store Provider flags are in the HiWord (0xFFFF0000)
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Certificate System Store Flag Values
//--------------------------------------------------------------------------
// Location of the system store in the registry:
// HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE
CERT_SYSTEM_STORE_LOCATION_MASK = $00030000;
CERT_SYSTEM_STORE_CURRENT_USER = $00010000;
CERT_SYSTEM_STORE_LOCAL_MACHINE = $00020000;
//+-------------------------------------------------------------------------
// Open the cert store using the specified store provider.
//
// hCryptProv specifies the crypto provider to use to create the hash
// properties or verify the signature of a subject certificate or CRL.
// The store doesn't need to use a private
// key. If the CERT_STORE_NO_CRYPT_RELEASE_FLAG isn't set, hCryptProv is
// CryptReleaseContext'ed on the final CertCloseStore.
//
// Note, if the open fails, hCryptProv is released if it would have been
// released when the store was closed.
//
// If hCryptProv is zero, then, the default provider and container for the
// PROV_RSA_FULL provider type is CryptAcquireContext'ed with
// CRYPT_VERIFYCONTEXT access. The CryptAcquireContext is deferred until
// the first create hash or verify signature. In addition, once acquired,
// the default provider isn't released until process exit when crypt32.dll
// is unloaded. The acquired default provider is shared across all stores
// and threads.
//
// After initializing the store's data structures and optionally acquiring a
// default crypt provider, CertOpenStore calls CryptGetOIDFunctionAddress to
// get the address of the CRYPT_OID_OPEN_STORE_PROV_FUNC specified by
// lpszStoreProvider. Since a store can contain certificates with different
// encoding types, CryptGetOIDFunctionAddress is called with dwEncodingType
// set to 0 and not the dwEncodingType passed to CertOpenStore.
// PFN_CERT_DLL_OPEN_STORE_FUNC specifies the signature of the provider's
// open function. This provider open function is called to load the
// store's certificates and CRLs. Optionally, the provider may return an
// array of functions called before a certificate or CRL is added or deleted
// or has a property that is set.
//
// Use of the dwEncodingType parameter is provider dependent. The type
// definition for pvPara also depends on the provider.
//
// Store providers are installed or registered via
// CryptInstallOIDFunctionAddress or CryptRegisterOIDFunction, where,
// dwEncodingType is 0 and pszFuncName is CRYPT_OID_OPEN_STORE_PROV_FUNC.
//
// Here's a list of the predefined provider types (implemented in crypt32.dll):
//
// CERT_STORE_PROV_MSG:
// Gets the certificates and CRLs from the specified cryptographic message.
// dwEncodingType contains the message and certificate encoding types.
// The message's handle is passed in pvPara. Given,
// HCRYPTMSG hCryptMsg; pvPara = (const void *) hCryptMsg;
//
// CERT_STORE_PROV_MEMORY
// sz_CERT_STORE_PROV_MEMORY:
// Opens a store without any initial certificates or CRLs. pvPara
// isn't used.
//
// CERT_STORE_PROV_FILE:
// Reads the certificates and CRLs from the specified file. The file's
// handle is passed in pvPara. Given,
// HANDLE hFile; pvPara = (const void *) hFile;
//
// For a successful open, the file pointer is advanced past
// the certificates and CRLs and their properties read from the file.
// Note, only expects a serialized store and not a file containing
// either a PKCS #7 signed message or a single encoded certificate.
//
// The hFile isn't closed.
//
// CERT_STORE_PROV_REG:
// Reads the certificates and CRLs from the registry. The registry's
// key handle is passed in pvPara. Given,
// HKEY hKey; pvPara = (const void *) hKey;
//
// The input hKey isn't closed by the provider. Before returning, the
// provider opens/creates "Certificates" and "CRLs" subkeys. These
// subkeys remain open until the store is closed.
//
// If CERT_STORE_READONLY_FLAG is set, then, the registry subkeys are
// RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry subkeys
// are RegCreateKey'ed with KEY_ALL_ACCESS.
//
// This provider returns the array of functions for reading, writing,
// deleting and property setting certificates and CRLs.
// Any changes to the opened store are immediately pushed through to
// the registry. However, if CERT_STORE_READONLY_FLAG is set, then,
// writing, deleting or property setting results in a
// SetLastError(E_ACCESSDENIED).
//
// Note, all the certificates and CRLs are read from the registry
// when the store is opened. The opened store serves as a write through
// cache. However, the opened store isn't notified of other changes
// made to the registry. Note, RegNotifyChangeKeyValue is supported
// on NT but not supported on Windows95.
//
// CERT_STORE_PROV_PKCS7:
// sz_CERT_STORE_PROV_PKCS7:
// Gets the certificates and CRLs from the encoded PKCS #7 signed message.
// dwEncodingType specifies the message and certificate encoding types.
// The pointer to the encoded message's blob is passed in pvPara. Given,
// CRYPT_DATA_BLOB EncodedMsg; pvPara = (const void *) &EncodedMsg;
//
// Note, also supports the IE3.0 special version of a
// PKCS #7 signed message referred to as a "SPC" formatted message.
//
// CERT_STORE_PROV_SERIALIZED:
// sz_CERT_STORE_PROV_SERIALIZED:
// Gets the certificates and CRLs from memory containing a serialized
// store. The pointer to the serialized memory blob is passed in pvPara.
// Given,
// CRYPT_DATA_BLOB Serialized; pvPara = (const void *) &Serialized;
//
// CERT_STORE_PROV_FILENAME_A:
// CERT_STORE_PROV_FILENAME_W:
// CERT_STORE_PROV_FILENAME:
// sz_CERT_STORE_PROV_FILENAME_W:
// sz_CERT_STORE_PROV_FILENAME:
// Opens the file and first attempts to read as a serialized store. Then,
// as a PKCS #7 signed message. Finally, as a single encoded certificate.
// The filename is passed in pvPara. The filename is UNICODE for the
// "_W" provider and ASCII for the "_A" provider. For "_W": given,
// LPCWSTR pwszFilename; pvPara = (const void *) pwszFilename;
// For "_A": given,
// LPCSTR pszFilename; pvPara = (const void *) pszFilename;
//
// Note, the default (without "_A" or "_W") is unicode.
//
// Note, also supports the reading of the IE3.0 special version of a
// PKCS #7 signed message file referred to as a "SPC" formatted file.
//
// CERT_STORE_PROV_SYSTEM_A:
// CERT_STORE_PROV_SYSTEM_W:
// CERT_STORE_PROV_SYSTEM:
// sz_CERT_STORE_PROV_SYSTEM_W:
// sz_CERT_STORE_PROV_SYSTEM:
// Opens the specified "system" store. Currently, all the system
// stores are stored in the registry. The upper word of the dwFlags
// parameter is used to specify the location of the system store. It
// should be set to either CERT_SYSTEM_STORE_CURRENT_USER for
// HKEY_CURRENT_USER or CERT_SYSTEM_STORE_LOCAL_MACHINE for
// HKEY_LOCAL_MACHINE.
//
// After opening the registry key associated with the system name,
// the CERT_STORE_PROV_REG provider is called to complete the open.
//
// The system store name is passed in pvPara. The name is UNICODE for the
// "_W" provider and ASCII for the "_A" provider. For "_W": given,
// LPCWSTR pwszSystemName; pvPara = (const void *) pwszSystemName;
// For "_A": given,
// LPCSTR pszSystemName; pvPara = (const void *) pszSystemName;
//
// Note, the default (without "_A" or "_W") is UNICODE.
//
// If CERT_STORE_READONLY_FLAG is set, then, the registry is
// RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry is
// RegCreateKey'ed with KEY_ALL_ACCESS.
//
// The "root" store is treated differently from the other system
// stores. Before a certificate is added to or deleted from the "root"
// store, a pop up message box is displayed. The certificate's subject,
// issuer, serial number, time validity, sha1 and md5 thumbprints are
// displayed. The user is given the option to do the add or delete.
// If they don't allow the operation, LastError is set to E_ACCESSDENIED.
//--------------------------------------------------------------------------
function CertOpenStore(lpszStoreProvider :LPCSTR;
dwEncodingType :DWORD;
hCryptProv :HCRYPTPROV;
dwFlags :DWORD;
const pvPara :PVOID):HCERTSTORE ; stdcall;
//+-------------------------------------------------------------------------
// OID Installable Certificate Store Provider Data Structures
//--------------------------------------------------------------------------
// Handle returned by the store provider when opened.
type
HCERTSTOREPROV = PVOID;
// Store Provider OID function's pszFuncName.
const
CRYPT_OID_OPEN_STORE_PROV_FUNC = 'CertDllOpenStoreProv';
// Note, the Store Provider OID function's dwEncodingType is always 0.
// The following information is returned by the provider when opened. Its
// zeroed with cbSize set before the provider is called. If the provider
// doesn't need to be called again after the open it doesn't need to
// make any updates to the CERT_STORE_PROV_INFO.
type
PCERT_STORE_PROV_INFO = ^CERT_STORE_PROV_INFO;
CERT_STORE_PROV_INFO = record
cbSize :DWORD;
cStoreProvFunc :DWORD;
rgpvStoreProvFunc :PPVOID;
hStoreProv :HCERTSTOREPROV;
dwStoreProvFlags :DWORD;
end;
// Definition of the store provider's open function.
//
// *pStoreProvInfo has been zeroed before the call.
//
// Note, pStoreProvInfo->cStoreProvFunc should be set last. Once set,
// all subsequent store calls, such as CertAddSerializedElementToStore will
// call the appropriate provider callback function.
type
PFN_CERT_DLL_OPEN_STORE_PROV_FUNC = function (lpszStoreProvider :LPCSTR;
dwEncodingType :DWORD;
hCryptProv :HCRYPTPROV;
dwFlags :DWORD;
const pvPara :PVOID;
hCertStore :HCERTSTORE;
pStoreProvInfo :PCERT_STORE_PROV_INFO
):BOOL ; stdcall;
// Indices into the store provider's array of callback functions.
//
// The provider can implement any subset of the following functions. It
// sets pStoreProvInfo->cStoreProvFunc to the last index + 1 and any
// preceding not implemented functions to NULL.
const
CERT_STORE_PROV_CLOSE_FUNC = 0;
CERT_STORE_PROV_READ_CERT_FUNC = 1;
CERT_STORE_PROV_WRITE_CERT_FUNC = 2;
CERT_STORE_PROV_DELETE_CERT_FUNC = 3;
CERT_STORE_PROV_SET_CERT_PROPERTY_FUNC = 4;
CERT_STORE_PROV_READ_CRL_FUNC = 5;
CERT_STORE_PROV_WRITE_CRL_FUNC = 6;
CERT_STORE_PROV_DELETE_CRL_FUNC = 7;
CERT_STORE_PROV_SET_CRL_PROPERTY_FUNC = 8;
CERT_STORE_PROV_READ_CTL_FUNC = 9;
CERT_STORE_PROV_WRITE_CTL_FUNC = 10;
CERT_STORE_PROV_DELETE_CTL_FUNC = 11;
CERT_STORE_PROV_SET_CTL_PROPERTY_FUNC = 12;
// Called by CertCloseStore when the store's reference count is
// decremented to 0.
type
PFN_CERT_STORE_PROV_CLOSE = procedure(hStoreProv :HCERTSTOREPROV;
dwFlags :DWORD) ; stdcall;
// Currently not called directly by the store APIs. However, may be exported
// to support other providers based on it.
//
// Reads the provider's copy of the certificate context. If it exists,
// creates a new certificate context.
type
PFN_CERT_STORE_PROV_READ_CERT = function (hStoreProv :HCERTSTOREPROV;
pStoreCertContext :PCCERT_CONTEXT;
dwFlags :DWORD;
var ppProvCertContext :PCCERT_CONTEXT
):BOOL ; stdcall;
const
CERT_STORE_PROV_WRITE_ADD_FLAG = $1;
// Called by CertAddEncodedCertificateToStore,
// CertAddCertificateContextToStore or CertAddSerializedElementToStore before
// adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
// addition to the encoded certificate, the added pCertContext might also
// have properties.
//
// Returns TRUE if its OK to update the the store.
type
PFN_CERT_STORE_PROV_WRITE_CERT = function (hStoreProv :HCERTSTOREPROV;
pCertContext :PCCERT_CONTEXT;
dwFlags :DWORD):BOOL ; stdcall;
// Called by CertDeleteCertificateFromStore before deleting from the
// store.
//
// Returns TRUE if its OK to delete from the store.
type
PFN_CERT_STORE_PROV_DELETE_CERT = function (hStoreProv :HCERTSTOREPROV;
pCertContext :PCCERT_CONTEXT;
dwFlags :DWORD):BOOL ; stdcall;
// Called by CertSetCertificateContextProperty before setting the
// certificate's property. Also called by CertGetCertificateContextProperty,
// when getting a hash property that needs to be created and then persisted
// via the set.
//
// Upon input, the property hasn't been set for the pCertContext parameter.
//
// Returns TRUE if its OK to set the property.
type
PFN_CERT_STORE_PROV_SET_CERT_PROPERTY = function (hStoreProv :HCERTSTOREPROV;
pCertContext :PCCERT_CONTEXT;
dwPropId :DWORD;
dwFlags :DWORD;
const pvData :PVOID
):BOOL ; stdcall;
// Currently not called directly by the store APIs. However, may be exported
// to support other providers based on it.
//
// Reads the provider's copy of the CRL context. If it exists,
// creates a new CRL context.
type
PFN_CERT_STORE_PROV_READ_CRL = function (hStoreProv :HCERTSTOREPROV;
pStoreCrlContext :PCCRL_CONTEXT;
dwFlags :DWORD;
var ppProvCrlContext :PCCRL_CONTEXT
):BOOL ; stdcall;
// Called by CertAddEncodedCRLToStore,
// CertAddCRLContextToStore or CertAddSerializedElementToStore before
// adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
// addition to the encoded CRL, the added pCertContext might also
// have properties.
//
// Returns TRUE if its OK to update the the store.
type
PFN_CERT_STORE_PROV_WRITE_CRL = function (hStoreProv :HCERTSTOREPROV;
pCrlContext :PCCRL_CONTEXT;
dwFlags :DWORD):BOOL ; stdcall;
// Called by CertDeleteCRLFromStore before deleting from the store.
//
// Returns TRUE if its OK to delete from the store.
type
PFN_CERT_STORE_PROV_DELETE_CRL = function (hStoreProv :HCERTSTOREPROV;
pCrlContext :PCCRL_CONTEXT;
dwFlags :DWORD):BOOL ; stdcall;
// Called by CertDeleteCRLFromStore before deleting from the store.
//
// Returns TRUE if its OK to delete from the store.
type
PFN_CERT_STORE_PROV_SET_CRL_PROPERTY = function (hStoreProv :HCERTSTOREPROV;
pCrlContext :PCCRL_CONTEXT;
dwPropId :DWORD;
dwFlags :DWORD;
pvData :PVOID):BOOL ; stdcall;
// Currently not called directly by the store APIs. However, may be exported
// to support other providers based on it.
//
// Reads the provider's copy of the CTL context. If it exists,
// creates a new CTL context.
type
PFN_CERT_STORE_PROV_READ_CTL = function (hStoreProv :HCERTSTOREPROV;
pStoreCtlContext :PCCTL_CONTEXT;
dwFlags :DWORD;
var ppProvCtlContext :PCCTL_CONTEXT
):BOOL ; stdcall;
// Called by CertAddEncodedCTLToStore,
// CertAddCTLContextToStore or CertAddSerializedElementToStore before
// adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
// addition to the encoded CTL, the added pCertContext might also
// have properties.
//
// Returns TRUE if its OK to update the the store.
type
PFN_CERT_STORE_PROV_WRITE_CTL = function (hStoreProv :HCERTSTOREPROV;
pCtlContext :PCCTL_CONTEXT;
dwFlags :DWORD):BOOL ; stdcall;
// Called by CertDeleteCTLFromStore before deleting from the store.
//
// Returns TRUE if its OK to delete from the store.
type
PFN_CERT_STORE_PROV_DELETE_CTL = function (hStoreProv :HCERTSTOREPROV;
pCtlContext :PCCTL_CONTEXT;
dwFlags :DWORD):BOOL ; stdcall;
// Called by CertSetCTLContextProperty before setting the
// CTL's property. Also called by CertGetCTLContextProperty,
// when getting a hash property that needs to be created and then persisted
// via the set.
//
// Upon input, the property hasn't been set for the pCtlContext parameter.
//
// Returns TRUE if its OK to set the property.
type
PFN_CERT_STORE_PROV_SET_CTL_PROPERTY = function (hStoreProv :HCERTSTOREPROV;
pCtlContext :PCCTL_CONTEXT;
dwPropId :DWORD;
dwFlags :DWORD;
const pvData :PVOID
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Duplicate a cert store handle
//--------------------------------------------------------------------------
function CertDuplicateStore(hCertStore :HCERTSTORE):HCERTSTORE ; stdcall;
const CERT_STORE_SAVE_AS_STORE = 1;
const CERT_STORE_SAVE_AS_PKCS7 = 2;
const CERT_STORE_SAVE_TO_FILE = 1;
const CERT_STORE_SAVE_TO_MEMORY = 2;
const CERT_STORE_SAVE_TO_FILENAME_A = 3;
const CERT_STORE_SAVE_TO_FILENAME_W = 4;
const CERT_STORE_SAVE_TO_FILENAME = CERT_STORE_SAVE_TO_FILENAME_W;
//+-------------------------------------------------------------------------
// Save the cert store. Extended version with lots of options.
//
// According to the dwSaveAs parameter, the store can be saved as a
// serialized store (CERT_STORE_SAVE_AS_STORE) containing properties in
// addition to encoded certificates, CRLs and CTLs or the store can be saved
// as a PKCS #7 signed message (CERT_STORE_SAVE_AS_PKCS7) which doesn't
// include the properties or CTLs.
//
// Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
// CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't saved into
// a serialized store.
//
// For CERT_STORE_SAVE_AS_PKCS7, the dwEncodingType specifies the message
// encoding type. The dwEncodingType parameter isn't used for
// CERT_STORE_SAVE_AS_STORE.
//
// The dwFlags parameter currently isn't used and should be set to 0.
//
// The dwSaveTo and pvSaveToPara parameters specify where to save the
// store as follows:
// CERT_STORE_SAVE_TO_FILE:
// Saves to the specified file. The file's handle is passed in
// pvSaveToPara. Given,
// HANDLE hFile; pvSaveToPara = (void *) hFile;
//
// For a successful save, the file pointer is positioned after the
// last write.
//
// CERT_STORE_SAVE_TO_MEMORY:
// Saves to the specified memory blob. The pointer to
// the memory blob is passed in pvSaveToPara. Given,
// CRYPT_DATA_BLOB SaveBlob; pvSaveToPara = (void *) &SaveBlob;
// Upon entry, the SaveBlob's pbData and cbData need to be initialized.
// Upon return, cbData is updated with the actual length.
// For a length only calculation, pbData should be set to NULL. If
// pbData is non-NULL and cbData isn't large enough, FALSE is returned
// with a last error of ERRROR_MORE_DATA.
//
// CERT_STORE_SAVE_TO_FILENAME_A:
// CERT_STORE_SAVE_TO_FILENAME_W:
// CERT_STORE_SAVE_TO_FILENAME:
// Opens the file and saves to it. The filename is passed in pvSaveToPara.
// The filename is UNICODE for the "_W" option and ASCII for the "_A"
// option. For "_W": given,
// LPCWSTR pwszFilename; pvSaveToPara = (void *) pwszFilename;
// For "_A": given,
// LPCSTR pszFilename; pvSaveToPara = (void *) pszFilename;
//
// Note, the default (without "_A" or "_W") is UNICODE.
//
//--------------------------------------------------------------------------
function CertSaveStore(hCertStore :HCERTSTORE;
dwEncodingType :DWORD;
dwSaveAs :DWORD;
dwSaveTo :DWORD;
pvSaveToPara :PVOID;
dwFlags :DWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Certificate Store close flags
//--------------------------------------------------------------------------
const CERT_CLOSE_STORE_FORCE_FLAG = $00000001;
const CERT_CLOSE_STORE_CHECK_FLAG = $00000002;
//+-------------------------------------------------------------------------
// Close a cert store handle.
//
// There needs to be a corresponding close for each open and duplicate.
//
// Even on the final close, the cert store isn't freed until all of its
// certificate and CRL contexts have also been freed.
//
// On the final close, the hCryptProv passed to CertStoreOpen is
// CryptReleaseContext'ed.
//
// To force the closure of the store with all of its memory freed, set the
// CERT_STORE_CLOSE_FORCE_FLAG. This flag should be set when the caller does
// its own reference counting and wants everything to vanish.
//
// To check if all the store's certificates and CRLs have been freed and that
// this is the last CertCloseStore, set the CERT_CLOSE_STORE_CHECK_FLAG. If
// set and certs, CRLs or stores still need to be freed/closed, FALSE is
// returned with LastError set to CRYPT_E_PENDING_CLOSE. Note, for FALSE,
// the store is still closed. This is a diagnostic flag.
//
// LastError is preserved unless CERT_CLOSE_STORE_CHECK_FLAG is set and FALSE
// is returned.
//--------------------------------------------------------------------------
function CertCloseStore(hCertStore :HCERTSTORE; dwFlags :DWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Get the subject certificate context uniquely identified by its Issuer and
// SerialNumber from the store.
//
// If the certificate isn't found, NULL is returned. Otherwise, a pointer to
// a read only CERT_CONTEXT is returned. CERT_CONTEXT must be freed by calling
// CertFreeCertificateContext. CertDuplicateCertificateContext can be called to make a
// duplicate.
//
// The returned certificate might not be valid. Normally, it would be
// verified when getting its issuer certificate (CertGetIssuerCertificateFromStore).
//--------------------------------------------------------------------------
function CertGetSubjectCertificateFromStore(hCertStore :HCERTSTORE;
dwCertEncodingType :DWORD;
pCertId :PCERT_INFO // Only the Issuer and SerialNumber
):PCCERT_CONTEXT ; stdcall; // fields are used
//+-------------------------------------------------------------------------
// Enumerate the certificate contexts in the store.
//
// If a certificate isn't found, NULL is returned.
// Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
// must be freed by calling CertFreeCertificateContext or is freed when passed as the
// pPrevCertContext on a subsequent call. CertDuplicateCertificateContext
// can be called to make a duplicate.
//
// pPrevCertContext MUST BE NULL to enumerate the first
// certificate in the store. Successive certificates are enumerated by setting
// pPrevCertContext to the CERT_CONTEXT returned by a previous call.
//
// NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by
// this function, even for an error.
//--------------------------------------------------------------------------
function CertEnumCertificatesInStore(hCertStore :HCERTSTORE;
pPrevCertContext :PCCERT_CONTEXT
):PCCERT_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
// Find the first or next certificate context in the store.
//
// The certificate is found according to the dwFindType and its pvFindPara.
// See below for a list of the find types and its parameters.
//
// Currently dwFindFlags is only used for CERT_FIND_SUBJECT_ATTR,
// CERT_FIND_ISSUER_ATTR or CERT_FIND_CTL_USAGE. Otherwise, must be set to 0.
//
// Usage of dwCertEncodingType depends on the dwFindType.
//
// If the first or next certificate isn't found, NULL is returned.
// Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
// must be freed by calling CertFreeCertificateContext or is freed when passed as the
// pPrevCertContext on a subsequent call. CertDuplicateCertificateContext
// can be called to make a duplicate.
//
// pPrevCertContext MUST BE NULL on the first
// call to find the certificate. To find the next certificate, the
// pPrevCertContext is set to the CERT_CONTEXT returned by a previous call.
//
// NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by
// this function, even for an error.
//--------------------------------------------------------------------------
function CertFindCertificateInStore(hCertStore :HCERTSTORE;
dwCertEncodingType :DWORD;
dwFindFlags :DWORD;
dwFindType :DWORD;
const pvFindPara :PVOID;
pPrevCertContext :PCCERT_CONTEXT
):PCCERT_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
// Certificate comparison functions
//--------------------------------------------------------------------------
const CERT_COMPARE_SHIFT = 16;
const CERT_COMPARE_ANY = 0;
const CERT_COMPARE_SHA1_HASH = 1;
const CERT_COMPARE_NAME = 2;
const CERT_COMPARE_ATTR = 3;
const CERT_COMPARE_MD5_HASH = 4;
const CERT_COMPARE_PROPERTY = 5;
const CERT_COMPARE_PUBLIC_KEY = 6;
const CERT_COMPARE_HASH = CERT_COMPARE_SHA1_HASH;
const CERT_COMPARE_NAME_STR_A = 7;
const CERT_COMPARE_NAME_STR_W = 8;
const CERT_COMPARE_KEY_SPEC = 9;
const CERT_COMPARE_ENHKEY_USAGE = 10;
const CERT_COMPARE_CTL_USAGE = CERT_COMPARE_ENHKEY_USAGE;
//+-------------------------------------------------------------------------
// dwFindType
//
// The dwFindType definition consists of two components:
// - comparison function
// - certificate information flag
//--------------------------------------------------------------------------
const CERT_FIND_ANY = (CERT_COMPARE_ANY shl CERT_COMPARE_SHIFT);
const CERT_FIND_SHA1_HASH = (CERT_COMPARE_SHA1_HASH shl CERT_COMPARE_SHIFT);
const CERT_FIND_MD5_HASH = (CERT_COMPARE_MD5_HASH shl CERT_COMPARE_SHIFT);
const CERT_FIND_HASH = CERT_FIND_SHA1_HASH;
const CERT_FIND_PROPERTY = (CERT_COMPARE_PROPERTY shl CERT_COMPARE_SHIFT);
const CERT_FIND_PUBLIC_KEY = (CERT_COMPARE_PUBLIC_KEY shl CERT_COMPARE_SHIFT);
const CERT_FIND_SUBJECT_NAME = (CERT_COMPARE_NAME shl CERT_COMPARE_SHIFT or CERT_INFO_SUBJECT_FLAG);
const CERT_FIND_SUBJECT_ATTR = (CERT_COMPARE_ATTR shl CERT_COMPARE_SHIFT or CERT_INFO_SUBJECT_FLAG);
const CERT_FIND_ISSUER_NAME = (CERT_COMPARE_NAME shl CERT_COMPARE_SHIFT or CERT_INFO_ISSUER_FLAG);
const CERT_FIND_ISSUER_ATTR = (CERT_COMPARE_ATTR shl CERT_COMPARE_SHIFT or CERT_INFO_ISSUER_FLAG);
const CERT_FIND_SUBJECT_STR_A = (CERT_COMPARE_NAME_STR_A shl CERT_COMPARE_SHIFT or CERT_INFO_SUBJECT_FLAG);
const CERT_FIND_SUBJECT_STR_W = (CERT_COMPARE_NAME_STR_W shl CERT_COMPARE_SHIFT or CERT_INFO_SUBJECT_FLAG);
const CERT_FIND_SUBJECT_STR = CERT_FIND_SUBJECT_STR_W;
const CERT_FIND_ISSUER_STR_A = (CERT_COMPARE_NAME_STR_A shl CERT_COMPARE_SHIFT or CERT_INFO_ISSUER_FLAG);
const CERT_FIND_ISSUER_STR_W = (CERT_COMPARE_NAME_STR_W shl CERT_COMPARE_SHIFT or CERT_INFO_ISSUER_FLAG);
const CERT_FIND_ISSUER_STR = CERT_FIND_ISSUER_STR_W;
const CERT_FIND_KEY_SPEC = (CERT_COMPARE_KEY_SPEC shl CERT_COMPARE_SHIFT);
const CERT_FIND_ENHKEY_USAGE = (CERT_COMPARE_ENHKEY_USAGE shl CERT_COMPARE_SHIFT);
const CERT_FIND_CTL_USAGE = CERT_FIND_ENHKEY_USAGE;
//+-------------------------------------------------------------------------
// CERT_FIND_ANY
//
// Find any certificate.
//
// pvFindPara isn't used.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_HASH
//
// Find a certificate with the specified hash.
//
// pvFindPara points to a CRYPT_HASH_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_PROPERTY
//
// Find a certificate having the specified property.
//
// pvFindPara points to a DWORD containing the PROP_ID
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_PUBLIC_KEY
//
// Find a certificate matching the specified public key.
//
// pvFindPara points to a CERT_PUBLIC_KEY_INFO containing the public key
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_SUBJECT_NAME
// CERT_FIND_ISSUER_NAME
//
// Find a certificate with the specified subject/issuer name. Does an exact
// match of the entire name.
//
// Restricts search to certificates matching the dwCertEncodingType.
//
// pvFindPara points to a CERT_NAME_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_SUBJECT_ATTR
// CERT_FIND_ISSUER_ATTR
//
// Find a certificate with the specified subject/issuer attributes.
//
// Compares the attributes in the subject/issuer name with the
// Relative Distinguished Name's (CERT_RDN) array of attributes specified in
// pvFindPara. The comparison iterates through the CERT_RDN attributes and looks
// for an attribute match in any of the subject/issuer's RDNs.
//
// The CERT_RDN_ATTR fields can have the following special values:
// pszObjId == NULL - ignore the attribute object identifier
// dwValueType == RDN_ANY_TYPE - ignore the value type
// Value.pbData == NULL - match any value
//
// Currently only an exact, case sensitive match is supported.
//
// CERT_UNICODE_IS_RDN_ATTRS_FLAG should be set in dwFindFlags if the RDN was
// initialized with unicode strings as for
// CryptEncodeObject(X509_UNICODE_NAME).
//
// Restricts search to certificates matching the dwCertEncodingType.
//
// pvFindPara points to a CERT_RDN (defined in wincert.h).
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_SUBJECT_STR_A
// CERT_FIND_SUBJECT_STR_W | CERT_FIND_SUBJECT_STR
// CERT_FIND_ISSUER_STR_A
// CERT_FIND_ISSUER_STR_W | CERT_FIND_ISSUER_STR
//
// Find a certificate containing the specified subject/issuer name string.
//
// First, the certificate's subject/issuer is converted to a name string
// via CertNameToStrA/CertNameToStrW(CERT_SIMPLE_NAME_STR). Then, a
// case insensitive substring within string match is performed.
//
// Restricts search to certificates matching the dwCertEncodingType.
//
// For *_STR_A, pvFindPara points to a null terminated character string.
// For *_STR_W, pvFindPara points to a null terminated wide character string.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_KEY_SPEC
//
// Find a certificate having a CERT_KEY_SPEC_PROP_ID property matching
// the specified KeySpec.
//
// pvFindPara points to a DWORD containing the KeySpec.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CERT_FIND_ENHKEY_USAGE
//
// Find a certificate having the szOID_ENHANCED_KEY_USAGE extension or
// the CERT_ENHKEY_USAGE_PROP_ID and matching the specified pszUsageIdentifers.
//
// pvFindPara points to a CERT_ENHKEY_USAGE data structure. If pvFindPara
// is NULL or CERT_ENHKEY_USAGE's cUsageIdentifier is 0, then, matches any
// certificate having enhanced key usage.
//
// The CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG can be set in dwFindFlags to
// also match a certificate without either the extension or property.
//
// If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set in dwFindFlags, finds
// certificates without the key usage extension or property. Setting this
// flag takes precedence over pvFindPara being NULL.
//
// If the CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, then, only does a match
// using the extension. If pvFindPara is NULL or cUsageIdentifier is set to
// 0, finds certificates having the extension. If
// CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set, also matches a certificate
// without the extension. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set, finds
// certificates without the extension.
//
// If the CERT_FIND_EXT_PROP_ENHKEY_USAGE_FLAG is set, then, only does a match
// using the property. If pvFindPara is NULL or cUsageIdentifier is set to
// 0, finds certificates having the property. If
// CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set, also matches a certificate
// without the property. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set, finds
// certificates without the property.
//--------------------------------------------------------------------------
const CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG = $1;
const CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG = $2;
const CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG = $4;
const CERT_FIND_NO_ENHKEY_USAGE_FLAG = $8;
const CERT_FIND_OPTIONAL_CTL_USAGE_FLAG = CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG;
const CERT_FIND_EXT_ONLY_CTL_USAGE_FLAG = CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG;
const CERT_FIND_PROP_ONLY_CTL_USAGE_FLAG = CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG;
const CERT_FIND_NO_CTL_USAGE_FLAG = CERT_FIND_NO_ENHKEY_USAGE_FLAG;
//+-------------------------------------------------------------------------
// Get the certificate context from the store for the first or next issuer
// of the specified subject certificate. Perform the enabled
// verification checks on the subject. (Note, the checks are on the subject
// using the returned issuer certificate.)
//
// If the first or next issuer certificate isn't found, NULL is returned.
// Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
// must be freed by calling CertFreeCertificateContext or is freed when passed as the
// pPrevIssuerContext on a subsequent call. CertDuplicateCertificateContext
// can be called to make a duplicate.
//
// For a self signed subject certificate, NULL is returned with LastError set
// to CERT_STORE_SELF_SIGNED. The enabled verification checks are still done.
//
// The pSubjectContext may have been obtained from this store, another store
// or created by the caller application. When created by the caller, the
// CertCreateCertificateContext function must have been called.
//
// An issuer may have multiple certificates. This may occur when the validity
// period is about to change. pPrevIssuerContext MUST BE NULL on the first
// call to get the issuer. To get the next certificate for the issuer, the
// pPrevIssuerContext is set to the CERT_CONTEXT returned by a previous call.
//
// NOTE: a NON-NULL pPrevIssuerContext is always CertFreeCertificateContext'ed by
// this function, even for an error.
//
// The following flags can be set in *pdwFlags to enable verification checks
// on the subject certificate context:
// CERT_STORE_SIGNATURE_FLAG - use the public key in the returned
// issuer certificate to verify the
// signature on the subject certificate.
// Note, if pSubjectContext->hCertStore ==
// hCertStore, the store provider might
// be able to eliminate a redo of
// the signature verify.
// CERT_STORE_TIME_VALIDITY_FLAG - get the current time and verify that
// its within the subject certificate's
// validity period
// CERT_STORE_REVOCATION_FLAG - check if the subject certificate is on
// the issuer's revocation list
//
// If an enabled verification check fails, then, its flag is set upon return.
// If CERT_STORE_REVOCATION_FLAG was enabled and the issuer doesn't have a
// CRL in the store, then, CERT_STORE_NO_CRL_FLAG is set in addition to
// the CERT_STORE_REVOCATION_FLAG.
//
// If CERT_STORE_SIGNATURE_FLAG or CERT_STORE_REVOCATION_FLAG is set, then,
// CERT_STORE_NO_ISSUER_FLAG is set if it doesn't have an issuer certificate
// in the store.
//
// For a verification check failure, a pointer to the issuer's CERT_CONTEXT
// is still returned and SetLastError isn't updated.
//--------------------------------------------------------------------------
function CertGetIssuerCertificateFromStore(hCertStore :HCERTSTORE;
pSubjectContext :PCCERT_CONTEXT;
pPrevIssuerContext :PCCERT_CONTEXT; //OPTIONAL
pdwFlags :PDWORD):PCCERT_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
// Perform the enabled verification checks on the subject certificate
// using the issuer. Same checks and flags definitions as for the above
// CertGetIssuerCertificateFromStore.
//
// If you are only checking CERT_STORE_TIME_VALIDITY_FLAG, then, the
// issuer can be NULL.
//
// For a verification check failure, SUCCESS is still returned.
//--------------------------------------------------------------------------
function CertVerifySubjectCertificateContext(pSubject :PCCERT_CONTEXT;
pIssuer :PCCERT_CONTEXT; //OPTIONAL
pdwFlags :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Duplicate a certificate context
//--------------------------------------------------------------------------
function CertDuplicateCertificateContext(pCertContext :PCCERT_CONTEXT):PCCERT_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
// Create a certificate context from the encoded certificate. The created
// context isn't put in a store.
//
// Makes a copy of the encoded certificate in the created context.
//
// If unable to decode and create the certificate context, NULL is returned.
// Otherwise, a pointer to a read only CERT_CONTEXT is returned.
// CERT_CONTEXT must be freed by calling CertFreeCertificateContext.
// CertDuplicateCertificateContext can be called to make a duplicate.
//
// CertSetCertificateContextProperty and CertGetCertificateContextProperty can be called
// to store properties for the certificate.
//--------------------------------------------------------------------------
function CertCreateCertificateContext(dwCertEncodingType :DWORD;
pbCertEncoded :PBYTE;
cbCertEncoded :DWORD):PCCERT_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
// Free a certificate context
//
// There needs to be a corresponding free for each context obtained by a
// get, find, duplicate or create.
//--------------------------------------------------------------------------
function CertFreeCertificateContext(pCertContext :PCCERT_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Set the property for the specified certificate context.
//
// The type definition for pvData depends on the dwPropId value. There are
// five predefined types:
// CERT_KEY_PROV_HANDLE_PROP_ID - a HCRYPTPROV for the certificate's
// private key is passed in pvData. Updates the hCryptProv field
// of the CERT_KEY_CONTEXT_PROP_ID. If the CERT_KEY_CONTEXT_PROP_ID
// doesn't exist, its created with all the other fields zeroed out. If
// CERT_STORE_NO_CRYPT_RELEASE_FLAG isn't set, HCRYPTPROV is implicitly
// released when either the property is set to NULL or on the final
// free of the CertContext.
//
// CERT_KEY_PROV_INFO_PROP_ID - a PCRYPT_KEY_PROV_INFO for the certificate's
// private key is passed in pvData.
//
// CERT_SHA1_HASH_PROP_ID -
// CERT_MD5_HASH_PROP_ID - normally, either property is implicitly
// set by doing a CertGetCertificateContextProperty. pvData points to a
// CRYPT_HASH_BLOB.
//
// CERT_KEY_CONTEXT_PROP_ID - a PCERT_KEY_CONTEXT for the certificate's
// private key is passed in pvData. The CERT_KEY_CONTEXT contains both the
// hCryptProv and dwKeySpec for the private key.
// See the CERT_KEY_PROV_HANDLE_PROP_ID for more information about
// the hCryptProv field and dwFlags settings. Note, more fields may
// be added for this property. The cbSize field value will be adjusted
// accordingly.
//
// CERT_KEY_SPEC_PROP_ID - the dwKeySpec for the private key. pvData
// points to a DWORD containing the KeySpec
//
// CERT_ENHKEY_USAGE_PROP_ID - enhanced key usage definition for the
// certificate. pvData points to a CRYPT_DATA_BLOB containing an
// ASN.1 encoded CERT_ENHKEY_USAGE (encoded via
// CryptEncodeObject(X509_ENHANCED_KEY_USAGE).
//
// CERT_NEXT_UPDATE_LOCATION_PROP_ID - location of the next update.
// Currently only applicable to CTLs. pvData points to a CRYPT_DATA_BLOB
// containing an ASN.1 encoded CERT_ALT_NAME_INFO (encoded via
// CryptEncodeObject(X509_ALTERNATE_NAME)).
//
// CERT_FRIENDLY_NAME_PROP_ID - friendly name for the cert, CRL or CTL.
// pvData points to a CRYPT_DATA_BLOB. pbData is a pointer to a NULL
// terminated unicode, wide character string.
// cbData = (wcslen((LPWSTR) pbData) + 1) * sizeof(WCHAR).
//
// For all the other PROP_IDs: an encoded PCRYPT_DATA_BLOB is passed in pvData.
//
// If the property already exists, then, the old value is deleted and silently
// replaced. Setting, pvData to NULL, deletes the property.
//--------------------------------------------------------------------------
function CertSetCertificateContextProperty(pCertContext :PCCERT_CONTEXT;
dwPropId :DWORD;
dwFlags :DWORD;
pvData :PVOID):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Get the property for the specified certificate context.
//
// For CERT_KEY_PROV_HANDLE_PROP_ID, pvData points to a HCRYPTPROV.
//
// For CERT_KEY_PROV_INFO_PROP_ID, pvData points to a CRYPT_KEY_PROV_INFO structure.
// Elements pointed to by fields in the pvData structure follow the
// structure. Therefore, *pcbData may exceed the size of the structure.
//
// For CERT_KEY_CONTEXT_PROP_ID, pvData points to a CERT_KEY_CONTEXT structure.
//
// For CERT_KEY_SPEC_PROP_ID, pvData points to a DWORD containing the KeySpec.
// If the CERT_KEY_CONTEXT_PROP_ID exists, the KeySpec is obtained from there.
// Otherwise, if the CERT_KEY_PROV_INFO_PROP_ID exists, its the source
// of the KeySpec.
//
// For CERT_SHA1_HASH_PROP_ID or CERT_MD5_HASH_PROP_ID, if the hash
// doesn't already exist, then, its computed via CryptHashCertificate()
// and then set. pvData points to the computed hash. Normally, the length
// is 20 bytes for SHA and 16 for MD5.
//
// For all other PROP_IDs, pvData points to an encoded array of bytes.
//--------------------------------------------------------------------------
function CertGetCertificateContextProperty(pCertContext :PCCERT_CONTEXT;
dwPropId :DWORD;
pvData :PVOID;
pcbData :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Enumerate the properties for the specified certificate context.
//
// To get the first property, set dwPropId to 0. The ID of the first
// property is returned. To get the next property, set dwPropId to the
// ID returned by the last call. To enumerate all the properties continue
// until 0 is returned.
//
// CertGetCertificateContextProperty is called to get the property's data.
//
// Note, since, the CERT_KEY_PROV_HANDLE_PROP_ID and CERT_KEY_SPEC_PROP_ID
// properties are stored as fields in the CERT_KEY_CONTEXT_PROP_ID
// property, they aren't enumerated individually.
//--------------------------------------------------------------------------
function CertEnumCertificateContextProperties(pCertContext :PCCERT_CONTEXT;
dwPropId :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
// Get the first or next CRL context from the store for the specified
// issuer certificate. Perform the enabled verification checks on the CRL.
//
// If the first or next CRL isn't found, NULL is returned.
// Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
// must be freed by calling CertFreeCRLContext. However, the free must be
// pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
// can be called to make a duplicate.
//
// The pIssuerContext may have been obtained from this store, another store
// or created by the caller application. When created by the caller, the
// CertCreateCertificateContext function must have been called.
//
// If pIssuerContext == NULL, finds all the CRLs in the store.
//
// An issuer may have multiple CRLs. For example, it generates delta CRLs
// using a X.509 v3 extension. pPrevCrlContext MUST BE NULL on the first
// call to get the CRL. To get the next CRL for the issuer, the
// pPrevCrlContext is set to the CRL_CONTEXT returned by a previous call.
//
// NOTE: a NON-NULL pPrevCrlContext is always CertFreeCRLContext'ed by
// this function, even for an error.
//
// The following flags can be set in *pdwFlags to enable verification checks
// on the returned CRL:
// CERT_STORE_SIGNATURE_FLAG - use the public key in the
// issuer's certificate to verify the
// signature on the returned CRL.
// Note, if pIssuerContext->hCertStore ==
// hCertStore, the store provider might
// be able to eliminate a redo of
// the signature verify.
// CERT_STORE_TIME_VALIDITY_FLAG - get the current time and verify that
// its within the CRL's ThisUpdate and
// NextUpdate validity period.
//
// If an enabled verification check fails, then, its flag is set upon return.
//
// If pIssuerContext == NULL, then, an enabled CERT_STORE_SIGNATURE_FLAG
// always fails and the CERT_STORE_NO_ISSUER_FLAG is also set.
//
// For a verification check failure, a pointer to the first or next
// CRL_CONTEXT is still returned and SetLastError isn't updated.
//--------------------------------------------------------------------------
function CertGetCRLFromStore(hCertStore :HCERTSTORE;
pIssuerContext :PCCERT_CONTEXT; //OPTIONAL
pPrevCrlContext :PCCRL_CONTEXT;
pdwFlags :PDWORD):PCCRL_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
// Duplicate a CRL context
//--------------------------------------------------------------------------
function CertDuplicateCRLContext(pCrlContext :PCCRL_CONTEXT):PCCRL_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
// Create a CRL context from the encoded CRL. The created
// context isn't put in a store.
//
// Makes a copy of the encoded CRL in the created context.
//
// If unable to decode and create the CRL context, NULL is returned.
// Otherwise, a pointer to a read only CRL_CONTEXT is returned.
// CRL_CONTEXT must be freed by calling CertFreeCRLContext.
// CertDuplicateCRLContext can be called to make a duplicate.
//
// CertSetCRLContextProperty and CertGetCRLContextProperty can be called
// to store properties for the CRL.
//--------------------------------------------------------------------------
function CertCreateCRLContext(dwCertEncodingType :DWORD;
pbCrlEncoded :PBYTE;
cbCrlEncoded :DWORD):PCCRL_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
// Free a CRL context
//
// There needs to be a corresponding free for each context obtained by a
// get, duplicate or create.
//--------------------------------------------------------------------------
function CertFreeCRLContext(pCrlContext :PCCRL_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Set the property for the specified CRL context.
//
// Same Property Ids and semantics as CertSetCertificateContextProperty.
//--------------------------------------------------------------------------
function CertSetCRLContextProperty(pCrlContext :PCCRL_CONTEXT;
dwPropId :DWORD;
dwFlags :DWORD;
const pvData :PVOID):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Get the property for the specified CRL context.
//
// Same Property Ids and semantics as CertGetCertificateContextProperty.
//
// CERT_SHA1_HASH_PROP_ID or CERT_MD5_HASH_PROP_ID is the predefined
// property of most interest.
//--------------------------------------------------------------------------
function CertGetCRLContextProperty(pCrlContext :PCCRL_CONTEXT;
dwPropId :DWORD;
pvData :PVOID;
pcbData :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Enumerate the properties for the specified CRL context.
//
// To get the first property, set dwPropId to 0. The ID of the first
// property is returned. To get the next property, set dwPropId to the
// ID returned by the last call. To enumerate all the properties continue
// until 0 is returned.
//
// CertGetCRLContextProperty is called to get the property's data.
//--------------------------------------------------------------------------
function CertEnumCRLContextProperties(pCrlContext :PCCRL_CONTEXT;
dwPropId :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
// Add certificate/CRL, encoded, context or element disposition values.
//--------------------------------------------------------------------------
const CERT_STORE_ADD_NEW = 1;
const CERT_STORE_ADD_USE_EXISTING = 2;
const CERT_STORE_ADD_REPLACE_EXISTING = 3;
const CERT_STORE_ADD_ALWAYS = 4;
//+-------------------------------------------------------------------------
// Add the encoded certificate to the store according to the specified
// disposition action.
//
// Makes a copy of the encoded certificate before adding to the store.
//
// dwAddDispostion specifies the action to take if the certificate
// already exists in the store. This parameter must be one of the following
// values:
// CERT_STORE_ADD_NEW
// Fails if the certificate already exists in the store. LastError
// is set to CRYPT_E_EXISTS.
// CERT_STORE_ADD_USE_EXISTING
// If the certifcate already exists, then, its used and if ppCertContext
// is non-NULL, the existing context is duplicated.
// CERT_STORE_ADD_REPLACE_EXISTING
// If the certificate already exists, then, the existing certificate
// context is deleted before creating and adding the new context.
// CERT_STORE_ADD_ALWAYS
// No check is made to see if the certificate already exists. A
// new certificate context is always created. This may lead to
// duplicates in the store.
//
// CertGetSubjectCertificateFromStore is called to determine if the
// certificate already exists in the store.
//
// ppCertContext can be NULL, indicating the caller isn't interested
// in getting the CERT_CONTEXT of the added or existing certificate.
//--------------------------------------------------------------------------
function CertAddEncodedCertificateToStore(hCertStore :HCERTSTORE;
dwCertEncodingType :DWORD;
const pbCertEncoded :PBYTE;
cbCertEncoded :DWORD;
dwAddDisposition :DWORD;
var ppCertContext :PCCERT_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Add the certificate context to the store according to the specified
// disposition action.
//
// In addition to the encoded certificate, the context's properties are
// also copied. Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
// CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
//
// Makes a copy of the certificate context before adding to the store.
//
// dwAddDispostion specifies the action to take if the certificate
// already exists in the store. This parameter must be one of the following
// values:
// CERT_STORE_ADD_NEW
// Fails if the certificate already exists in the store. LastError
// is set to CRYPT_E_EXISTS.
// CERT_STORE_ADD_USE_EXISTING
// If the certifcate already exists, then, its used and if ppStoreContext
// is non-NULL, the existing context is duplicated. Iterates
// through pCertContext's properties and only copies the properties
// that don't already exist. The SHA1 and MD5 hash properties aren't
// copied.
// CERT_STORE_ADD_REPLACE_EXISTING
// If the certificate already exists, then, the existing certificate
// context is deleted before creating and adding a new context.
// Properties are copied before doing the add.
// CERT_STORE_ADD_ALWAYS
// No check is made to see if the certificate already exists. A
// new certificate context is always created and added. This may lead to
// duplicates in the store. Properties are
// copied before doing the add.
//
// CertGetSubjectCertificateFromStore is called to determine if the
// certificate already exists in the store.
//
// ppStoreContext can be NULL, indicating the caller isn't interested
// in getting the CERT_CONTEXT of the added or existing certificate.
//--------------------------------------------------------------------------
function CertAddCertificateContextToStore(hCertStore :HCERTSTORE;
pCertContext :PCCERT_CONTEXT;
dwAddDisposition :DWORD;
var ppStoreContext :PCCERT_CONTEXT //OPTIONAL
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Certificate Store Context Types
//--------------------------------------------------------------------------
const CERT_STORE_CERTIFICATE_CONTEXT = 1;
const CERT_STORE_CRL_CONTEXT = 2;
const CERT_STORE_CTL_CONTEXT = 3;
//+-------------------------------------------------------------------------
// Certificate Store Context Bit Flags
//--------------------------------------------------------------------------
const CERT_STORE_ALL_CONTEXT_FLAG = (not ULONG(0));
const CERT_STORE_CERTIFICATE_CONTEXT_FLAG = (1 shl CERT_STORE_CERTIFICATE_CONTEXT);
const CERT_STORE_CRL_CONTEXT_FLAG = (1 shl CERT_STORE_CRL_CONTEXT);
const CERT_STORE_CTL_CONTEXT_FLAG = (1 shl CERT_STORE_CTL_CONTEXT);
//+-------------------------------------------------------------------------
// Add the serialized certificate or CRL element to the store.
//
// The serialized element contains the encoded certificate, CRL or CTL and
// its properties, such as, CERT_KEY_PROV_INFO_PROP_ID.
//
// If hCertStore is NULL, creates a certificate, CRL or CTL context not
// residing in any store.
//
// dwAddDispostion specifies the action to take if the certificate or CRL
// already exists in the store. See CertAddCertificateContextToStore for a
// list of and actions taken.
//
// dwFlags currently isn't used and should be set to 0.
//
// dwContextTypeFlags specifies the set of allowable contexts. For example, to
// add either a certificate or CRL, set dwContextTypeFlags to:
// CERT_STORE_CERTIFICATE_CONTEXT_FLAG | CERT_STORE_CRL_CONTEXT_FLAG
//
// *pdwContextType is updated with the type of the context returned in
// *ppvContxt. pdwContextType or ppvContext can be NULL, indicating the
// caller isn't interested in getting the output. If *ppvContext is
// returned it must be freed by calling CertFreeCertificateContext or
// CertFreeCRLContext.
//--------------------------------------------------------------------------
function CertAddSerializedElementToStore(hCertStore :HCERTSTORE;
pbElement :PBYTE;
cbElement :DWORD;
dwAddDisposition :DWORD;
dwFlags :DWORD;
dwContextTypeFlags :DWORD;
pdwContextType :PDWORD;
var ppvContext : array of PVOID):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Delete the specified certificate from the store.
//
// All subsequent gets or finds for the certificate will fail. However,
// memory allocated for the certificate isn't freed until all of its contexts
// have also been freed.
//
// The pCertContext is obtained from a get, enum, find or duplicate.
//
// Some store provider implementations might also delete the issuer's CRLs
// if this is the last certificate for the issuer in the store.
//
// NOTE: the pCertContext is always CertFreeCertificateContext'ed by
// this function, even for an error.
//--------------------------------------------------------------------------
function CertDeleteCertificateFromStore(pCertContext :PCCERT_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Add the encoded CRL to the store according to the specified
// disposition option.
//
// Makes a copy of the encoded CRL before adding to the store.
//
// dwAddDispostion specifies the action to take if the CRL
// already exists in the store. See CertAddEncodedCertificateToStore for a
// list of and actions taken.
//
// Compares the CRL's Issuer to determine if the CRL already exists in the
// store.
//
// ppCrlContext can be NULL, indicating the caller isn't interested
// in getting the CRL_CONTEXT of the added or existing CRL.
//--------------------------------------------------------------------------
function CertAddEncodedCRLToStore(hCertStore :HCERTSTORE;
dwCertEncodingType :DWORD;
pbCrlEncoded :PBYTE;
cbCrlEncoded :DWORD;
dwAddDisposition :DWORD;
var ppCrlContext :PCCRL_CONTEXT
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Add the CRL context to the store according to the specified
// disposition option.
//
// In addition to the encoded CRL, the context's properties are
// also copied. Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
// CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
//
// Makes a copy of the encoded CRL before adding to the store.
//
// dwAddDispostion specifies the action to take if the CRL
// already exists in the store. See CertAddCertificateContextToStore for a
// list of and actions taken.
//
// Compares the CRL's Issuer, ThisUpdate and NextUpdate to determine
// if the CRL already exists in the store.
//
// ppStoreContext can be NULL, indicating the caller isn't interested
// in getting the CRL_CONTEXT of the added or existing CRL.
//--------------------------------------------------------------------------
function CertAddCRLContextToStore(hCertStore :HCERTSTORE;
pCrlContext :PCCRL_CONTEXT;
dwAddDisposition :DWORD;
var ppStoreContext :PCCRL_CONTEXT
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Delete the specified CRL from the store.
//
// All subsequent gets for the CRL will fail. However,
// memory allocated for the CRL isn't freed until all of its contexts
// have also been freed.
//
// The pCrlContext is obtained from a get or duplicate.
//
// NOTE: the pCrlContext is always CertFreeCRLContext'ed by
// this function, even for an error.
//--------------------------------------------------------------------------
function CertDeleteCRLFromStore(pCrlContext :PCCRL_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Serialize the certificate context's encoded certificate and its
// properties.
//--------------------------------------------------------------------------
function CertSerializeCertificateStoreElement(pCertContext :PCCERT_CONTEXT;
dwFlags :DWORD;
pbElement :PBYTE;
pcbElement :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Serialize the CRL context's encoded CRL and its properties.
//--------------------------------------------------------------------------
function CertSerializeCRLStoreElement(pCrlContext :PCCRL_CONTEXT;
dwFlags :DWORD;
pbElement :PBYTE;
pcbElement :PDWORD):BOOL ; stdcall;
//+=========================================================================
// Certificate Trust List (CTL) Store Data Structures and APIs
//==========================================================================
//+-------------------------------------------------------------------------
// Duplicate a CTL context
//--------------------------------------------------------------------------
function CertDuplicateCTLContext(pCtlContext :PCCTL_CONTEXT):PCCTL_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
// Create a CTL context from the encoded CTL. The created
// context isn't put in a store.
//
// Makes a copy of the encoded CTL in the created context.
//
// If unable to decode and create the CTL context, NULL is returned.
// Otherwise, a pointer to a read only CTL_CONTEXT is returned.
// CTL_CONTEXT must be freed by calling CertFreeCTLContext.
// CertDuplicateCTLContext can be called to make a duplicate.
//
// CertSetCTLContextProperty and CertGetCTLContextProperty can be called
// to store properties for the CTL.
//--------------------------------------------------------------------------
function CertCreateCTLContext(dwMsgAndCertEncodingType :DWORD;
const pbCtlEncoded :PBYTE;
cbCtlEncoded :DWORD):PCCTL_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
// Free a CTL context
//
// There needs to be a corresponding free for each context obtained by a
// get, duplicate or create.
//--------------------------------------------------------------------------
function CertFreeCTLContext(pCtlContext :PCCTL_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Set the property for the specified CTL context.
//
// Same Property Ids and semantics as CertSetCertificateContextProperty.
//--------------------------------------------------------------------------
function CertSetCTLContextProperty(pCtlContext :PCCTL_CONTEXT;
dwPropId :DWORD;
dwFlags :DWORD;
const pvData :PVOID):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Get the property for the specified CTL context.
//
// Same Property Ids and semantics as CertGetCertificateContextProperty.
//
// CERT_SHA1_HASH_PROP_ID or CERT_NEXT_UPDATE_LOCATION_PROP_ID are the
// predefined properties of most interest.
//--------------------------------------------------------------------------
function CertGetCTLContextProperty(pCtlContext :PCCTL_CONTEXT;
dwPropId :DWORD;
pvData :PVOID;
pcbData :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Enumerate the properties for the specified CTL context.
//--------------------------------------------------------------------------
function CertEnumCTLContextProperties(pCtlContext :PCCTL_CONTEXT;
dwPropId :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
// Enumerate the CTL contexts in the store.
//
// If a CTL isn't found, NULL is returned.
// Otherwise, a pointer to a read only CTL_CONTEXT is returned. CTL_CONTEXT
// must be freed by calling CertFreeCTLContext or is freed when passed as the
// pPrevCtlContext on a subsequent call. CertDuplicateCTLContext
// can be called to make a duplicate.
//
// pPrevCtlContext MUST BE NULL to enumerate the first
// CTL in the store. Successive CTLs are enumerated by setting
// pPrevCtlContext to the CTL_CONTEXT returned by a previous call.
//
// NOTE: a NON-NULL pPrevCtlContext is always CertFreeCTLContext'ed by
// this function, even for an error.
//--------------------------------------------------------------------------
function CertEnumCTLsInStore(hCertStore :HCERTSTORE;
pPrevCtlContext :PCCTL_CONTEXT
):PCCTL_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
// Attempt to find the specified subject in the CTL.
//
// For CTL_CERT_SUBJECT_TYPE, pvSubject points to a CERT_CONTEXT. The CTL's
// SubjectAlgorithm is examined to determine the representation of the
// subject's identity. Initially, only SHA1 or MD5 hash will be supported.
// The appropriate hash property is obtained from the CERT_CONTEXT.
//
// For CTL_ANY_SUBJECT_TYPE, pvSubject points to the CTL_ANY_SUBJECT_INFO
// structure which contains the SubjectAlgorithm to be matched in the CTL
// and the SubjectIdentifer to be matched in one of the CTL entries.
//
// The certificate's hash or the CTL_ANY_SUBJECT_INFO's SubjectIdentifier
// is used as the key in searching the subject entries. A binary
// memory comparison is done between the key and the entry's SubjectIdentifer.
//
// dwEncodingType isn't used for either of the above SubjectTypes.
//--------------------------------------------------------------------------
function CertFindSubjectInCTL(dwEncodingType :DWORD;
dwSubjectType :DWORD;
pvSubject :PVOID;
pCtlContext :PCCTL_CONTEXT;
dwFlags :DWORD):PCTL_ENTRY ; stdcall;
// Subject Types:
// CTL_ANY_SUBJECT_TYPE, pvSubject points to following CTL_ANY_SUBJECT_INFO.
// CTL_CERT_SUBJECT_TYPE, pvSubject points to CERT_CONTEXT.
const CTL_ANY_SUBJECT_TYPE = 1;
const CTL_CERT_SUBJECT_TYPE = 2;
type
PCTL_ANY_SUBJECT_INFO = ^CTL_ANY_SUBJECT_INFO;
CTL_ANY_SUBJECT_INFO = record
SubjectAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
SubjectIdentifier :CRYPT_DATA_BLOB;
end;
//+-------------------------------------------------------------------------
// Find the first or next CTL context in the store.
//
// The CTL is found according to the dwFindType and its pvFindPara.
// See below for a list of the find types and its parameters.
//
// Currently dwFindFlags isn't used and must be set to 0.
//
// Usage of dwMsgAndCertEncodingType depends on the dwFindType.
//
// If the first or next CTL isn't found, NULL is returned.
// Otherwise, a pointer to a read only CTL_CONTEXT is returned. CTL_CONTEXT
// must be freed by calling CertFreeCTLContext or is freed when passed as the
// pPrevCtlContext on a subsequent call. CertDuplicateCTLContext
// can be called to make a duplicate.
//
// pPrevCtlContext MUST BE NULL on the first
// call to find the CTL. To find the next CTL, the
// pPrevCtlContext is set to the CTL_CONTEXT returned by a previous call.
//
// NOTE: a NON-NULL pPrevCtlContext is always CertFreeCTLContext'ed by
// this function, even for an error.
//--------------------------------------------------------------------------
function CertFindCTLInStore(hCertStore :HCERTSTORE;
dwMsgAndCertEncodingType :DWORD;
dwFindFlags :DWORD;
dwFindType :DWORD;
const pvFindPara :PVOID;
pPrevCtlContext :PCCTL_CONTEXT):PCCTL_CONTEXT ; stdcall;
const CTL_FIND_ANY = 0;
const CTL_FIND_SHA1_HASH = 1;
const CTL_FIND_MD5_HASH = 2;
const CTL_FIND_USAGE = 3;
const CTL_FIND_SUBJECT = 4;
type
PCTL_FIND_USAGE_PARA = ^CTL_FIND_USAGE_PARA;
CTL_FIND_USAGE_PARA = record
cbSize :DWORD;
SubjectUsage :CTL_USAGE; // optional
ListIdentifier :CRYPT_DATA_BLOB; // optional
pSigner :PCERT_INFO; // optional
end;
const CTL_FIND_NO_LIST_ID_CBDATA = $FFFFFFFF;
const CTL_FIND_NO_SIGNER_PTR = (PCERT_INFO($FFFFFFFF));
const CTL_FIND_SAME_USAGE_FLAG = $1;
type
PCTL_FIND_SUBJECT_PARA = ^CTL_FIND_SUBJECT_PARA;
CTL_FIND_SUBJECT_PARA = record
cbSize :DWORD;
pUsagePara :PCTL_FIND_USAGE_PARA; // optional
dwSubjectType :DWORD;
pvSubject :PVOID;
end;
//+-------------------------------------------------------------------------
// CTL_FIND_ANY
//
// Find any CTL.
//
// pvFindPara isn't used.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CTL_FIND_SHA1_HASH
// CTL_FIND_MD5_HASH
//
// Find a CTL with the specified hash.
//
// pvFindPara points to a CRYPT_HASH_BLOB.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CTL_FIND_USAGE
//
// Find a CTL having the specified usage identifiers, list identifier or
// signer. The CertEncodingType of the signer is obtained from the
// dwMsgAndCertEncodingType parameter.
//
// pvFindPara points to a CTL_FIND_USAGE_PARA data structure. The
// SubjectUsage.cUsageIdentifer can be 0 to match any usage. The
// ListIdentifier.cbData can be 0 to match any list identifier. To only match
// CTLs without a ListIdentifier, cbData must be set to
// CTL_FIND_NO_LIST_ID_CBDATA. pSigner can be NULL to match any signer. Only
// the Issuer and SerialNumber fields of the pSigner's PCERT_INFO are used.
// To only match CTLs without a signer, pSigner must be set to
// CTL_FIND_NO_SIGNER_PTR.
//
// The CTL_FIND_SAME_USAGE_FLAG can be set in dwFindFlags to
// only match CTLs with the same usage identifiers. CTLs having additional
// usage identifiers aren't matched. For example, if only "1.2.3" is specified
// in CTL_FIND_USAGE_PARA, then, for a match, the CTL must only contain
// "1.2.3" and not any additional usage identifers.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// CTL_FIND_SUBJECT
//
// Find a CTL having the specified subject. CertFindSubjectInCTL can be
// called to get a pointer to the subject's entry in the CTL. pUsagePara can
// optionally be set to enable the above CTL_FIND_USAGE matching.
//
// pvFindPara points to a CTL_FIND_SUBJECT_PARA data structure.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Add the encoded CTL to the store according to the specified
// disposition option.
//
// Makes a copy of the encoded CTL before adding to the store.
//
// dwAddDispostion specifies the action to take if the CTL
// already exists in the store. See CertAddEncodedCertificateToStore for a
// list of and actions taken.
//
// Compares the CTL's SubjectUsage, ListIdentifier and any of its signers
// to determine if the CTL already exists in the store.
//
// ppCtlContext can be NULL, indicating the caller isn't interested
// in getting the CTL_CONTEXT of the added or existing CTL.
//--------------------------------------------------------------------------
function CertAddEncodedCTLToStore(hCertStore :HCERTSTORE;
dwMsgAndCertEncodingType :DWORD;
const pbCtlEncoded :PBYTE;
cbCtlEncoded :DWORD;
dwAddDisposition :DWORD;
var ppCtlContext :PCCTL_CONTEXT //OPTIONAL
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Add the CTL context to the store according to the specified
// disposition option.
//
// In addition to the encoded CTL, the context's properties are
// also copied. Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
// CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
//
// Makes a copy of the encoded CTL before adding to the store.
//
// dwAddDispostion specifies the action to take if the CTL
// already exists in the store. See CertAddCertificateContextToStore for a
// list of and actions taken.
//
// Compares the CTL's SubjectUsage, ListIdentifier and any of its signers
// to determine if the CTL already exists in the store.
//
// ppStoreContext can be NULL, indicating the caller isn't interested
// in getting the CTL_CONTEXT of the added or existing CTL.
//--------------------------------------------------------------------------
function CertAddCTLContextToStore(hCertStore :HCERTSTORE;
pCtlContext :PCCTL_CONTEXT;
dwAddDisposition :DWORD;
var ppStoreContext :PCCTL_CONTEXT
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Serialize the CTL context's encoded CTL and its properties.
//--------------------------------------------------------------------------
function CertSerializeCTLStoreElement(pCtlContext :PCCTL_CONTEXT;
dwFlags :DWORD;
pbElement :PBYTE;
pcbElement :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Delete the specified CTL from the store.
//
// All subsequent gets for the CTL will fail. However,
// memory allocated for the CTL isn't freed until all of its contexts
// have also been freed.
//
// The pCtlContext is obtained from a get or duplicate.
//
// NOTE: the pCtlContext is always CertFreeCTLContext'ed by
// this function, even for an error.
//--------------------------------------------------------------------------
function CertDeleteCTLFromStore(pCtlContext :PCCTL_CONTEXT):BOOL ; stdcall;
//+=========================================================================
// Enhanced Key Usage Helper Functions
//==========================================================================
//+-------------------------------------------------------------------------
// Get the enhanced key usage extension or property from the certificate
// and decode.
//
// If the CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, then, only get the
// extension.
//
// If the CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG is set, then, only get the
// property.
//--------------------------------------------------------------------------
function CertGetEnhancedKeyUsage(pCertContext :PCCERT_CONTEXT;
dwFlags :DWORD;
pUsage :PCERT_ENHKEY_USAGE;
pcbUsage :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Set the enhanced key usage property for the certificate.
//--------------------------------------------------------------------------
function CertSetEnhancedKeyUsage(pCertContext :PCCERT_CONTEXT;
pUsage :PCERT_ENHKEY_USAGE
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Add the usage identifier to the certificate's enhanced key usage property.
//--------------------------------------------------------------------------
function CertAddEnhancedKeyUsageIdentifier(pCertContext :PCCERT_CONTEXT;
pszUsageIdentifier :LPCSTR
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Remove the usage identifier from the certificate's enhanced key usage
// property.
//--------------------------------------------------------------------------
function CertRemoveEnhancedKeyUsageIdentifier(pCertContext :PCCERT_CONTEXT;
pszUsageIdentifier :LPCSTR
):BOOL ; stdcall;
//+=========================================================================
// Cryptographic Message helper functions for verifying and signing a
// CTL.
//==========================================================================
//+-------------------------------------------------------------------------
// Get and verify the signer of a cryptographic message.
//
// To verify a CTL, the hCryptMsg is obtained from the CTL_CONTEXT's
// hCryptMsg field.
//
// If CMSG_TRUSTED_SIGNER_FLAG is set, then, treat the Signer stores as being
// trusted and only search them to find the certificate corresponding to the
// signer's issuer and serial number. Otherwise, the SignerStores are
// optionally provided to supplement the message's store of certificates.
// If a signer certificate is found, its public key is used to verify
// the message signature. The CMSG_SIGNER_ONLY_FLAG can be set to
// return the signer without doing the signature verify.
//
// If CMSG_USE_SIGNER_INDEX_FLAG is set, then, only get the signer specified
// by *pdwSignerIndex. Otherwise, iterate through all the signers
// until a signer verifies or no more signers.
//
// For a verified signature, *ppSigner is updated with certificate context
// of the signer and *pdwSignerIndex is updated with the index of the signer.
// ppSigner and/or pdwSignerIndex can be NULL, indicating the caller isn't
// interested in getting the CertContext and/or index of the signer.
//--------------------------------------------------------------------------
function CryptMsgGetAndVerifySigner(hCryptMsg :HCRYPTMSG;
cSignerStore :DWORD;
var rghSignerStore :HCERTSTORE;
dwFlags :DWORD;
var ppSigner :PCCERT_CONTEXT;
pdwSignerIndex :PDWORD):BOOL ; stdcall;
const CMSG_TRUSTED_SIGNER_FLAG = $1;
const CMSG_SIGNER_ONLY_FLAG = $2;
const CMSG_USE_SIGNER_INDEX_FLAG = $4;
//+-------------------------------------------------------------------------
// Sign an encoded CTL.
//
// The pbCtlContent can be obtained via a CTL_CONTEXT's pbCtlContent
// field or via a CryptEncodeObject(PKCS_CTL).
//--------------------------------------------------------------------------
function CryptMsgSignCTL(dwMsgEncodingType :DWORD;
pbCtlContent :PBYTE;
cbCtlContent :DWORD;
pSignInfo :PCMSG_SIGNED_ENCODE_INFO;
dwFlags :DWORD;
pbEncoded :PBYTE;
pcbEncoded :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Encode the CTL and create a signed message containing the encoded CTL.
//--------------------------------------------------------------------------
function CryptMsgEncodeAndSignCTL(dwMsgEncodingType :DWORD;
pCtlInfo :PCTL_INFO;
pSignInfo :PCMSG_SIGNED_ENCODE_INFO;
dwFlags :DWORD;
pbEncoded :PBYTE;
pcbEncoded :PDWORD):BOOL ; stdcall;
//+=========================================================================
// Certificate Verify CTL Usage Data Structures and APIs
//==========================================================================
type
PHCERTSTORE = ^HCERTSTORE;
type
PCTL_VERIFY_USAGE_PARA = ^CTL_VERIFY_USAGE_PARA;
CTL_VERIFY_USAGE_PARA = record
cbSize :DWORD;
ListIdentifier :CRYPT_DATA_BLOB;// OPTIONAL
cCtlStore :DWORD;
rghCtlStore :PHCERTSTORE; // OPTIONAL
cSignerStore :DWORD;
rghSignerStore :PHCERTSTORE; // OPTIONAL
end;
type
PCTL_VERIFY_USAGE_STATUS = ^CTL_VERIFY_USAGE_STATUS;
CTL_VERIFY_USAGE_STATUS = record
cbSize :DWORD;
dwError :DWORD;
dwFlags :DWORD;
ppCtl :PPCCTL_CONTEXT; // IN OUT OPTIONAL
dwCtlEntryIndex :DWORD;
ppSigner :PPCCERT_CONTEXT ; // IN OUT OPTIONAL
dwSignerIndex :DWORD;
end;
const CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG = $1;
const CERT_VERIFY_TRUSTED_SIGNERS_FLAG = $2;
const CERT_VERIFY_NO_TIME_CHECK_FLAG = $4;
const CERT_VERIFY_ALLOW_MORE_USAGE_FLAG = $8;
const CERT_VERIFY_UPDATED_CTL_FLAG = $1;
//+-------------------------------------------------------------------------
// Verify that a subject is trusted for the specified usage by finding a
// signed and time valid CTL with the usage identifiers and containing the
// the subject. A subject can be identified by either its certificate context
// or any identifier such as its SHA1 hash.
//
// See CertFindSubjectInCTL for definition of dwSubjectType and pvSubject
// parameters.
//
// Via pVerifyUsagePara, the caller can specify the stores to be searched
// to find the CTL. The caller can also specify the stores containing
// acceptable CTL signers. By setting the ListIdentifier, the caller
// can also restrict to a particular signer CTL list.
//
// Via pVerifyUsageStatus, the CTL containing the subject, the subject's
// index into the CTL's array of entries, and the signer of the CTL
// are returned. If the caller is not interested, ppCtl and ppSigner can be set
// to NULL. Returned contexts must be freed via the store's free context APIs.
//
// If the CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG isn't set, then, a time
// invalid CTL in one of the CtlStores may be replaced. When replaced, the
// CERT_VERIFY_UPDATED_CTL_FLAG is set in pVerifyUsageStatus->dwFlags.
//
// If the CERT_VERIFY_TRUSTED_SIGNERS_FLAG is set, then, only the
// SignerStores specified in pVerifyUsageStatus are searched to find
// the signer. Otherwise, the SignerStores provide additional sources
// to find the signer's certificate.
//
// If CERT_VERIFY_NO_TIME_CHECK_FLAG is set, then, the CTLs aren't checked
// for time validity.
//
// If CERT_VERIFY_ALLOW_MORE_USAGE_FLAG is set, then, the CTL may contain
// additional usage identifiers than specified by pSubjectUsage. Otherwise,
// the found CTL will contain the same usage identifers and no more.
//
// CertVerifyCTLUsage will be implemented as a dispatcher to OID installable
// functions. First, it will try to find an OID function matching the first
// usage object identifier in the pUsage sequence. Next, it will dispatch
// to the default CertDllVerifyCTLUsage functions.
//
// If the subject is trusted for the specified usage, then, TRUE is
// returned. Otherwise, FALSE is returned with dwError set to one of the
// following:
// CRYPT_E_NO_VERIFY_USAGE_DLL
// CRYPT_E_NO_VERIFY_USAGE_CHECK
// CRYPT_E_VERIFY_USAGE_OFFLINE
// CRYPT_E_NOT_IN_CTL
// CRYPT_E_NO_TRUSTED_SIGNER
//--------------------------------------------------------------------------
function CertVerifyCTLUsage(dwEncodingType :DWORD;
dwSubjectType :DWORD;
pvSubject :PVOID;
pSubjectUsage :PCTL_USAGE;
dwFlags :DWORD;
pVerifyUsagePara :PCTL_VERIFY_USAGE_PARA;
pVerifyUsageStatus:PCTL_VERIFY_USAGE_STATUS
):BOOL ; stdcall;
//+=========================================================================
// Certificate Revocation Data Structures and APIs
//==========================================================================
//+-------------------------------------------------------------------------
// The following data structure may be passed to CertVerifyRevocation to
// assist in finding the issuer of the context to be verified.
//
// When pIssuerCert is specified, pIssuerCert is the issuer of
// rgpvContext[cContext - 1].
//
// When cCertStore and rgCertStore are specified, these stores may contain
// an issuer certificate.
//--------------------------------------------------------------------------
type
PCERT_REVOCATION_PARA = ^CERT_REVOCATION_PARA;
CERT_REVOCATION_PARA = record
cbSize :DWORD;
pIssuerCert :PCCERT_CONTEXT;
cCertStore :DWORD;
rgCertStore :PHCERTSTORE ;
end;
//+-------------------------------------------------------------------------
// The following data structure is returned by CertVerifyRevocation to
// specify the status of the revoked or unchecked context. Review the
// following CertVerifyRevocation comments for details.
//
// Upon input to CertVerifyRevocation, cbSize must be set to a size
// >= sizeof(CERT_REVOCATION_STATUS). Otherwise, CertVerifyRevocation
// returns FALSE and sets LastError to E_INVALIDARG.
//
// Upon input to the installed or registered CRYPT_OID_VERIFY_REVOCATION_FUNC
// functions, the dwIndex, dwError and dwReason have been zero'ed.
//--------------------------------------------------------------------------
type
PCERT_REVOCATION_STATUS = ^CERT_REVOCATION_STATUS;
CERT_REVOCATION_STATUS = record
cbSize :DWORD;
dwIndex :DWORD;
dwError :DWORD;
dwReason :DWORD;
end;
//+-------------------------------------------------------------------------
// Verifies the array of contexts for revocation. The dwRevType parameter
// indicates the type of the context data structure passed in rgpvContext.
// Currently only the revocation of certificates is defined.
//
// If the CERT_VERIFY_REV_CHAIN_FLAG flag is set, then, CertVerifyRevocation
// is verifying a chain of certs where, rgpvContext[i + 1] is the issuer
// of rgpvContext[i]. Otherwise, CertVerifyRevocation makes no assumptions
// about the order of the contexts.
//
// To assist in finding the issuer, the pRevPara may optionally be set. See
// the CERT_REVOCATION_PARA data structure for details.
//
// The contexts must contain enough information to allow the
// installable or registered revocation DLLs to find the revocation server. For
// certificates, this information would normally be conveyed in an
// extension such as the IETF's AuthorityInfoAccess extension.
//
// CertVerifyRevocation returns TRUE if all of the contexts were successfully
// checked and none were revoked. Otherwise, returns FALSE and updates the
// returned pRevStatus data structure as follows:
// dwIndex
// Index of the first context that was revoked or unable to
// be checked for revocation
// dwError
// Error status. LastError is also set to this error status.
// dwError can be set to one of the following error codes defined
// in winerror.h:
// ERROR_SUCCESS - good context
// CRYPT_E_REVOKED - context was revoked. dwReason contains the
// reason for revocation
// CRYPT_E_REVOCATION_OFFLINE - unable to connect to the
// revocation server
// CRYPT_E_NOT_IN_REVOCATION_DATABASE - the context to be checked
// was not found in the revocation server's database.
// CRYPT_E_NO_REVOCATION_CHECK - the called revocation function
// wasn't able to do a revocation check on the context
// CRYPT_E_NO_REVOCATION_DLL - no installed or registered Dll was
// found to verify revocation
// dwReason
// The dwReason is currently only set for CRYPT_E_REVOKED and contains
// the reason why the context was revoked. May be one of the following
// CRL reasons defined by the CRL Reason Code extension ("2.5.29.21")
// CRL_REASON_UNSPECIFIED 0
// CRL_REASON_KEY_COMPROMISE 1
// CRL_REASON_CA_COMPROMISE 2
// CRL_REASON_AFFILIATION_CHANGED 3
// CRL_REASON_SUPERSEDED 4
// CRL_REASON_CESSATION_OF_OPERATION 5
// CRL_REASON_CERTIFICATE_HOLD 6
//
// For each entry in rgpvContext, CertVerifyRevocation iterates
// through the CRYPT_OID_VERIFY_REVOCATION_FUNC
// function set's list of installed DEFAULT functions.
// CryptGetDefaultOIDFunctionAddress is called with pwszDll = NULL. If no
// installed functions are found capable of doing the revocation verification,
// CryptVerifyRevocation iterates through CRYPT_OID_VERIFY_REVOCATION_FUNC's
// list of registered DEFAULT Dlls. CryptGetDefaultOIDDllList is called to
// get the list. CryptGetDefaultOIDFunctionAddress is called to load the Dll.
//
// The called functions have the same signature as CertVerifyRevocation. A
// called function returns TRUE if it was able to successfully check all of
// the contexts and none were revoked. Otherwise, the called function returns
// FALSE and updates pRevStatus. dwIndex is set to the index of
// the first context that was found to be revoked or unable to be checked.
// dwError and LastError are updated. For CRYPT_E_REVOKED, dwReason
// is updated. Upon input to the called function, dwIndex, dwError and
// dwReason have been zero'ed. cbSize has been checked to be >=
// sizeof(CERT_REVOCATION_STATUS).
//
// If the called function returns FALSE, and dwError isn't set to
// CRYPT_E_REVOKED, then, CertVerifyRevocation either continues on to the
// next DLL in the list for a returned dwIndex of 0 or for a returned
// dwIndex > 0, restarts the process of finding a verify function by
// advancing the start of the context array to the returned dwIndex and
// decrementing the count of remaining contexts.
//--------------------------------------------------------------------------
function CertVerifyRevocation(dwEncodingType :DWORD;
dwRevType :DWORD;
cContext :DWORD;
rgpvContext :array of PVOID;
dwFlags :DWORD;
pRevPara :PCERT_REVOCATION_PARA;
pRevStatus :PCERT_REVOCATION_STATUS
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Revocation types
//--------------------------------------------------------------------------
const CERT_CONTEXT_REVOCATION_TYPE = 1;
//+-------------------------------------------------------------------------
// When the following flag is set, rgpvContext[] consists of a chain
// of certificates, where rgpvContext[i + 1] is the issuer of rgpvContext[i].
//--------------------------------------------------------------------------
const CERT_VERIFY_REV_CHAIN_FLAG = $1;
//+-------------------------------------------------------------------------
// CERT_CONTEXT_REVOCATION_TYPE
//
// pvContext points to a const CERT_CONTEXT.
//--------------------------------------------------------------------------
//+=========================================================================
// Certificate Helper APIs
//==========================================================================
//+-------------------------------------------------------------------------
// Compare two multiple byte integer blobs to see if they are identical.
//
// Before doing the comparison, leading zero bytes are removed from a
// positive number and leading 0xFF bytes are removed from a negative
// number.
//
// The multiple byte integers are treated as Little Endian. pbData[0] is the
// least significant byte and pbData[cbData - 1] is the most significant
// byte.
//
// Returns TRUE if the integer blobs are identical after removing leading
// 0 or 0xFF bytes.
//--------------------------------------------------------------------------
function CertCompareIntegerBlob(pInt1 :PCRYPT_INTEGER_BLOB;
pInt2 :PCRYPT_INTEGER_BLOB
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Compare two certificates to see if they are identical.
//
// Since a certificate is uniquely identified by its Issuer and SerialNumber,
// these are the only fields needing to be compared.
//
// Returns TRUE if the certificates are identical.
//--------------------------------------------------------------------------
function CertCompareCertificate(dwCertEncodingType :DWORD;
pCertId1 :PCERT_INFO;
pCertId2 :PCERT_INFO):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Compare two certificate names to see if they are identical.
//
// Returns TRUE if the names are identical.
//--------------------------------------------------------------------------
function CertCompareCertificateName(dwCertEncodingType :DWORD;
pCertName1 :PCERT_NAME_BLOB;
pCertName2 :PCERT_NAME_BLOB):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Compare the attributes in the certificate name with the specified
// Relative Distinguished Name's (CERT_RDN) array of attributes.
// The comparison iterates through the CERT_RDN attributes and looks for an
// attribute match in any of the certificate name's RDNs.
// Returns TRUE if all the attributes are found and match.
//
// The CERT_RDN_ATTR fields can have the following special values:
// pszObjId == NULL - ignore the attribute object identifier
// dwValueType == RDN_ANY_TYPE - ignore the value type
//
// Currently only an exact, case sensitive match is supported.
//
// CERT_UNICODE_IS_RDN_ATTRS_FLAG should be set if the pRDN was initialized
// with unicode strings as for CryptEncodeObject(X509_UNICODE_NAME).
//--------------------------------------------------------------------------
function CertIsRDNAttrsInCertificateName(dwCertEncodingType :DWORD;
dwFlags :DWORD;
pCertName :PCERT_NAME_BLOB;
pRDN :PCERT_RDN):BOOL ; stdcall;
const CERT_UNICODE_IS_RDN_ATTRS_FLAG = $1;
//+-------------------------------------------------------------------------
// Compare two public keys to see if they are identical.
//
// Returns TRUE if the keys are identical.
//--------------------------------------------------------------------------
function CertComparePublicKeyInfo(dwCertEncodingType :DWORD;
pPublicKey1 :PCERT_PUBLIC_KEY_INFO;
pPublicKey2 :PCERT_PUBLIC_KEY_INFO
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Get the public/private key's bit length.
//
// Returns 0 if unable to determine the key's length.
//--------------------------------------------------------------------------
function CertGetPublicKeyLength(dwCertEncodingType :DWORD;
pPublicKey :PCERT_PUBLIC_KEY_INFO
):DWORD ; stdcall;
//+-------------------------------------------------------------------------
// Verify the signature of a subject certificate or a CRL using the
// public key info
//
// Returns TRUE for a valid signature.
//
// hCryptProv specifies the crypto provider to use to verify the signature.
// It doesn't need to use a private key.
//--------------------------------------------------------------------------
function CryptVerifyCertificateSignature(hCryptProv :HCRYPTPROV;
dwCertEncodingType :DWORD;
const pbEncoded :PBYTE;
cbEncoded :DWORD;
pPublicKey :PCERT_PUBLIC_KEY_INFO
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Compute the hash of the "to be signed" information in the encoded
// signed content (CERT_SIGNED_CONTENT_INFO).
//
// hCryptProv specifies the crypto provider to use to compute the hash.
// It doesn't need to use a private key.
//--------------------------------------------------------------------------
function CryptHashToBeSigned(hCryptProv :HCRYPTPROV;
dwCertEncodingType :DWORD;
const pbEncoded :PBYTE;
cbEncoded :DWORD;
pbComputedHash :PBYTE;
pcbComputedHash :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Hash the encoded content.
//
// hCryptProv specifies the crypto provider to use to compute the hash.
// It doesn't need to use a private key.
//
// Algid specifies the CAPI hash algorithm to use. If Algid is 0, then, the
// default hash algorithm (currently SHA1) is used.
//--------------------------------------------------------------------------
function CryptHashCertificate(hCryptProv :HCRYPTPROV;
Algid :ALG_ID;
dwFlags :DWORD;
const pbEncoded :PBYTE;
cbEncoded :DWORD;
pbComputedHash :PBYTE;
pcbComputedHash :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Sign the "to be signed" information in the encoded signed content.
//
// hCryptProv specifies the crypto provider to use to do the signature.
// It uses the specified private key.
//--------------------------------------------------------------------------
function CryptSignCertificate(hCryptProv :HCRYPTPROV;
dwKeySpec :DWORD;
dwCertEncodingType :DWORD;
const pbEncodedToBeSigned :PBYTE;
cbEncodedToBeSigned :DWORD;
pSignatureAlgorithm :PCRYPT_ALGORITHM_IDENTIFIER;
const pvHashAuxInfo :PVOID;
pbSignature :PBYTE;
pcbSignature:PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Encode the "to be signed" information. Sign the encoded "to be signed".
// Encode the "to be signed" and the signature.
//
// hCryptProv specifies the crypto provider to use to do the signature.
// It uses the specified private key.
//--------------------------------------------------------------------------
function CryptSignAndEncodeCertificate(hCryptProv :HCRYPTPROV;
dwKeySpec :DWORD;
dwCertEncodingType :DWORD;
const lpszStructType :LPCSTR; // "to be signed"
pvStructInfo :PVOID;
pSignatureAlgorithm :PCRYPT_ALGORITHM_IDENTIFIER;
const pvHashAuxInfo :PVOID;
pbEncoded :PBYTE;
pcbEncoded :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Verify the time validity of a certificate.
//
// Returns -1 if before NotBefore, +1 if after NotAfter and otherwise 0 for
// a valid certificate
//
// If pTimeToVerify is NULL, uses the current time.
//--------------------------------------------------------------------------
function CertVerifyTimeValidity(pTimeToVerify :PFILETIME;
pCertInfo :PCERT_INFO):LONG ; stdcall;
//+-------------------------------------------------------------------------
// Verify the time validity of a CRL.
//
// Returns -1 if before ThisUpdate, +1 if after NextUpdate and otherwise 0 for
// a valid CRL
//
// If pTimeToVerify is NULL, uses the current time.
//--------------------------------------------------------------------------
function CertVerifyCRLTimeValidity(pTimeToVerify :PFILETIME;
pCrlInfo :PCRL_INFO):LONG ; stdcall;
//+-------------------------------------------------------------------------
// Verify that the subject's time validity nests within the issuer's time
// validity.
//
// Returns TRUE if it nests. Otherwise, returns FALSE.
//--------------------------------------------------------------------------
function CertVerifyValidityNesting(pSubjectInfo :PCERT_INFO;
pIssuerInfo :PCERT_INFO):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Verify that the subject certificate isn't on its issuer CRL.
//
// Returns true if the certificate isn't on the CRL.
//--------------------------------------------------------------------------
function CertVerifyCRLRevocation(dwCertEncodingType :DWORD;
pCertId :PCERT_INFO; // Only the Issuer and SerialNumber
cCrlInfo :DWORD; // fields are used
rgpCrlInfo :array of PCRL_INFO):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Convert the CAPI AlgId to the ASN.1 Object Identifier string
//
// Returns NULL if there isn't an ObjId corresponding to the AlgId.
//--------------------------------------------------------------------------
function CertAlgIdToOID(dwAlgId :DWORD):LPCSTR ; stdcall;
//+-------------------------------------------------------------------------
// Convert the ASN.1 Object Identifier string to the CAPI AlgId.
//
// Returns 0 if there isn't an AlgId corresponding to the ObjId.
//--------------------------------------------------------------------------
function CertOIDToAlgId(pszObjId :LPCSTR):DWORD ; stdcall;
//+-------------------------------------------------------------------------
// Find an extension identified by its Object Identifier.
//
// If found, returns pointer to the extension. Otherwise, returns NULL.
//--------------------------------------------------------------------------
function CertFindExtension(pszObjId :LPCSTR;
cExtensions :DWORD;
rgExtensions :array of CERT_EXTENSION):PCERT_EXTENSION ; stdcall;
//+-------------------------------------------------------------------------
// Find the first attribute identified by its Object Identifier.
//
// If found, returns pointer to the attribute. Otherwise, returns NULL.
//--------------------------------------------------------------------------
function CertFindAttribute(pszObjId :LPCSTR;
cAttr :DWORD;
rgAttr :array of CRYPT_ATTRIBUTE):PCRYPT_ATTRIBUTE ; stdcall;
//+-------------------------------------------------------------------------
// Find the first CERT_RDN attribute identified by its Object Identifier in
// the name's list of Relative Distinguished Names.
//
// If found, returns pointer to the attribute. Otherwise, returns NULL.
//--------------------------------------------------------------------------
function CertFindRDNAttr(pszObjId :LPCSTR;
pName :PCERT_NAME_INFO ):PCERT_RDN_ATTR ; stdcall;
//+-------------------------------------------------------------------------
// Get the intended key usage bytes from the certificate.
//
// If the certificate doesn't have any intended key usage bytes, returns FALSE
// and *pbKeyUsage is zeroed. Otherwise, returns TRUE and up through
// cbKeyUsage bytes are copied into *pbKeyUsage. Any remaining uncopied
// bytes are zeroed.
//--------------------------------------------------------------------------
function CertGetIntendedKeyUsage(dwCertEncodingType :DWORD;
pCertInfo :PCERT_INFO;
pbKeyUsage :PBYTE;
cbKeyUsage :DWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Export the public key info associated with the provider's corresponding
// private key.
//
// Calls CryptExportPublicKeyInfo with pszPublicKeyObjId = szOID_RSA_RSA,
// dwFlags = 0 and pvAuxInfo = NULL.
//--------------------------------------------------------------------------
function CryptExportPublicKeyInfo(hCryptProv :HCRYPTPROV;
dwKeySpec :DWORD;
dwCertEncodingType :DWORD;
pInfo :PCERT_PUBLIC_KEY_INFO;
pcbInfo :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Export the public key info associated with the provider's corresponding
// private key.
//
// Uses the dwCertEncodingType and pszPublicKeyObjId to call the
// installable CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC. The called function
// has the same signature as CryptExportPublicKeyInfoEx.
//
// If unable to find an installable OID function for the pszPublicKeyObjId,
// attempts to export as a RSA Public Key (szOID_RSA_RSA).
//
// The dwFlags and pvAuxInfo aren't used for szOID_RSA_RSA.
//--------------------------------------------------------------------------
const CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC = 'CryptDllExportPublicKeyInfoEx';
function CryptExportPublicKeyInfoEx(hCryptProv :HCRYPTPROV;
dwKeySpec :DWORD;
dwCertEncodingType :DWORD;
pszPublicKeyObjId :LPSTR;
dwFlags :DWORD;
pvAuxInfo :PVOID;
pInfo :PCERT_PUBLIC_KEY_INFO;
pcbInfo :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Convert and import the public key info into the provider and return a
// handle to the public key.
//
// Calls CryptImportPublicKeyInfoEx with aiKeyAlg = 0, dwFlags = 0 and
// pvAuxInfo = NULL.
//--------------------------------------------------------------------------
function CryptImportPublicKeyInfo(hCryptProv :HCRYPTPROV;
dwCertEncodingType :DWORD;
pInfo :PCERT_PUBLIC_KEY_INFO;
phKey :PHCRYPTKEY):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Convert and import the public key info into the provider and return a
// handle to the public key.
//
// Uses the dwCertEncodingType and pInfo->Algorithm.pszObjId to call the
// installable CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC. The called function
// has the same signature as CryptImportPublicKeyInfoEx.
//
// If unable to find an installable OID function for the pszObjId,
// attempts to import as a RSA Public Key (szOID_RSA_RSA).
//
// For szOID_RSA_RSA: aiKeyAlg may be set to CALG_RSA_SIGN or CALG_RSA_KEYX.
// Defaults to CALG_RSA_KEYX. The dwFlags and pvAuxInfo aren't used.
//--------------------------------------------------------------------------
const CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC = 'CryptDllImportPublicKeyInfoEx';
function CryptImportPublicKeyInfoEx(hCryptProv :HCRYPTPROV;
dwCertEncodingType :DWORD;
pInfo :PCERT_PUBLIC_KEY_INFO;
aiKeyAlg :ALG_ID;
dwFlags :DWORD;
pvAuxInfo :PVOID;
phKey :PHCRYPTKEY
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Compute the hash of the encoded public key info.
//
// The public key info is encoded and then hashed.
//--------------------------------------------------------------------------
function CryptHashPublicKeyInfo(hCryptProv :HCRYPTPROV;
Algid :ALG_ID;
dwFlags :DWORD;
dwCertEncodingType :DWORD;
pInfo :PCERT_PUBLIC_KEY_INFO;
pbComputedHash :PBYTE;
pcbComputedHash :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Convert a Name Value to a null terminated char string
//
// Returns the number of characters converted including the terminating null
// character. If psz is NULL or csz is 0, returns the required size of the
// destination string (including the terminating null char).
//
// If psz != NULL && csz != 0, returned psz is always NULL terminated.
//
// Note: csz includes the NULL char.
//--------------------------------------------------------------------------
function CertRDNValueToStrA(dwValueType :DWORD;
pValue :PCERT_RDN_VALUE_BLOB;
psz :LPSTR; //OPTIONAL
csz :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
// Convert a Name Value to a null terminated char string
//
// Returns the number of characters converted including the terminating null
// character. If psz is NULL or csz is 0, returns the required size of the
// destination string (including the terminating null char).
//
// If psz != NULL && csz != 0, returned psz is always NULL terminated.
//
// Note: csz includes the NULL char.
//--------------------------------------------------------------------------
function CertRDNValueToStrW(dwValueType :DWORD;
pValue :PCERT_RDN_VALUE_BLOB;
psz :LPWSTR; //OPTIONAL
csz :DWORD):DWORD ; stdcall;
function CertRDNValueToStr(dwValueType :DWORD;
pValue :PCERT_RDN_VALUE_BLOB;
psz :LPAWSTR; //OPTIONAL
csz :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
// Convert the certificate name blob to a null terminated char string.
//
// Follows the string representation of distinguished names specified in
// RFC 1779. (Note, added double quoting "" for embedded quotes, quote
// empty strings and don't quote strings containing consecutive spaces).
// RDN values of type CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING are
// formatted in hexadecimal (e.g. #0A56CF).
//
// The name string is formatted according to the dwStrType:
// CERT_SIMPLE_NAME_STR
// The object identifiers are discarded. CERT_RDN entries are separated
// by ", ". Multiple attributes per CERT_RDN are separated by " + ".
// For example:
// Microsoft, Joe Cool + Programmer
// CERT_OID_NAME_STR
// The object identifiers are included with a "=" separator from their
// attribute value. CERT_RDN entries are separated by ", ".
// Multiple attributes per CERT_RDN are separated by " + ". For example:
// 2.5.4.11=Microsoft, 2.5.4.3=Joe Cool + 2.5.4.12=Programmer
// CERT_X500_NAME_STR
// The object identifiers are converted to their X500 key name. Otherwise,
// same as CERT_OID_NAME_STR. If the object identifier doesn't have
// a corresponding X500 key name, then, the object identifier is used with
// a "OID." prefix. For example:
// OU=Microsoft, CN=Joe Cool + T=Programmer, OID.1.2.3.4.5.6=Unknown
//
// We quote the RDN value if it contains leading or trailing whitespace
// or one of the following characters: ",", "+", "=", """, "n", "<", ">",
// "#" or ";". The quoting character is ". If the the RDN Value contains
// a " it is double quoted (""). For example:
// OU=" Microsoft", CN="Joe ""Cool""" + T="Programmer, Manager"
//
// CERT_NAME_STR_SEMICOLON_FLAG can be or'ed into dwStrType to replace
// the ", " separator with a "; " separator.
//
// CERT_NAME_STR_CRLF_FLAG can be or'ed into dwStrType to replace
// the ", " separator with a "rn" separator.
//
// CERT_NAME_STR_NO_PLUS_FLAG can be or'ed into dwStrType to replace the
// " + " separator with a single space, " ".
//
// CERT_NAME_STR_NO_QUOTING_FLAG can be or'ed into dwStrType to inhibit
// the above quoting.
//
// Returns the number of characters converted including the terminating null
// character. If psz is NULL or csz is 0, returns the required size of the
// destination string (including the terminating null char).
//
// If psz != NULL && csz != 0, returned psz is always NULL terminated.
//
// Note: csz includes the NULL char.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
function CertNameToStrA(dwCertEncodingType :DWORD;
pName :PCERT_NAME_BLOB;
dwStrType :DWORD;
psz :LPSTR; //OPTIONAL
csz :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
function CertNameToStrW(dwCertEncodingType :DWORD;
pName :PCERT_NAME_BLOB;
dwStrType :DWORD;
psz :LPWSTR; //OPTIONAL
csz :DWORD):DWORD ; stdcall;
function CertNameToStr(dwCertEncodingType :DWORD;
pName :PCERT_NAME_BLOB;
dwStrType :DWORD;
psz :LPAWSTR; //OPTIONAL
csz :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
// Certificate name string types
//--------------------------------------------------------------------------
const CERT_SIMPLE_NAME_STR = 1;
const CERT_OID_NAME_STR = 2;
const CERT_X500_NAME_STR = 3;
//+-------------------------------------------------------------------------
// Certificate name string type flags OR'ed with the above types
//--------------------------------------------------------------------------
const CERT_NAME_STR_SEMICOLON_FLAG = $40000000;
const CERT_NAME_STR_NO_PLUS_FLAG = $20000000;
const CERT_NAME_STR_NO_QUOTING_FLAG = $10000000;
const CERT_NAME_STR_CRLF_FLAG = $08000000;
const CERT_NAME_STR_COMMA_FLAG = $04000000;
//+-------------------------------------------------------------------------
// Convert the null terminated X500 string to an encoded certificate name.
//
// The input string is expected to be formatted the same as the output
// from the above CertNameToStr API.
//
// The CERT_SIMPLE_NAME_STR type isn't supported. Otherwise, when dwStrType
// is set to 0, CERT_OID_NAME_STR or CERT_X500_NAME_STR, allow either a
// case insensitive X500 key (CN=), case insensitive "OID." prefixed
// object identifier (OID.1.2.3.4.5.6=) or an object identifier (1.2.3.4=).
//
// If no flags are OR'ed into dwStrType, then, allow "," or ";" as RDN
// separators and "+" as the multiple RDN value separator. Quoting is
// supported. A quote may be included in a quoted value by double quoting,
// for example (CN="Joe ""Cool"""). A value starting with a "#" is treated
// as ascii hex and converted to a CERT_RDN_OCTET_STRING. Embedded whitespace
// is skipped (1.2.3 = # AB CD 01 is the same as 1.2.3=#ABCD01).
//
// Whitespace surrounding the keys, object identifers and values is removed.
//
// CERT_NAME_STR_COMMA_FLAG can be or'ed into dwStrType to only allow the
// "," as the RDN separator.
//
// CERT_NAME_STR_SEMICOLON_FLAG can be or'ed into dwStrType to only allow the
// ";" as the RDN separator.
//
// CERT_NAME_STR_CRLF_FLAG can be or'ed into dwStrType to only allow
// "r" or "n" as the RDN separator.
//
// CERT_NAME_STR_NO_PLUS_FLAG can be or'ed into dwStrType to ignore "+"
// as a separator and not allow multiple values per RDN.
//
// CERT_NAME_STR_NO_QUOTING_FLAG can be or'ed into dwStrType to inhibit
// quoting.
//
// Support the following X500 Keys:
//
// Key Object Identifier RDN Value Type(s)
// --- ----------------- -----------------
// CN szOID_COMMON_NAME Printable, T61
// L szOID_LOCALITY_NAME Printable, T61
// O szOID_ORGANIZATION_NAME Printable, T61
// OU szOID_ORGANIZATIONAL_UNIT_NAME Printable, T61
// Email szOID_RSA_emailAddr Only IA5
// C szOID_COUNTRY_NAME Only Printable
// S szOID_STATE_OR_PROVINCE_NAME Printable, T61
// ST szOID_STATE_OR_PROVINCE_NAME Printable, T61
// STREET szOID_STREET_ADDRESS Printable, T61
// T szOID_TITLE Printable, T61
// Title szOID_TITLE Printable, T61
// G szOID_GIVEN_NAME Printable, T61
// GivenName szOID_GIVEN_NAME Printable, T61
// I szOID_INITIALS Printable, T61
// Initials szOID_INITIALS Printable, T61
// SN szOID_SUR_NAME Printable, T61
// DC szOID_DOMAIN_COMPONENT Only IA5
//
// The T61 types are UTF-8 encoded.
//
// Returns TRUE if successfully parsed the input string and encoded
// the name.
//
// If the input string is detected to be invalid, *ppszError is updated
// to point to the beginning of the invalid character sequence. Otherwise,
// *ppszError is set to NULL. *ppszError is updated with a non-NULL pointer
// for the following errors:
// CRYPT_E_INVALID_X500_STRING
// CRYPT_E_INVALID_NUMERIC_STRING
// CRYPT_E_INVALID_PRINTABLE_STRING
// CRYPT_E_INVALID_IA5_STRING
//
// ppszError can be set to NULL if not interested in getting a pointer
// to the invalid character sequence.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
function CertStrToNameA(dwCertEncodingType :DWORD;
pszX500 :LPCSTR;
dwStrType :DWORD;
pvReserved :PVOID;
pbEncoded :PBYTE;
pcbEncoded :PDWORD;
var ppszError :array of LPCSTR):BOOL ; stdcall; {--max-- iniziato qui}
//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
function CertStrToNameW(dwCertEncodingType :DWORD;
pszX500 :LPCWSTR;
dwStrType :DWORD;
pvReserved :PVOID;
pbEncoded :PBYTE;
pcbEncoded :PDWORD;
var ppszError :array of LPWSTR):BOOL ; stdcall;
function CertStrToName(dwCertEncodingType :DWORD;
pszX500 :LPAWSTR;
dwStrType :DWORD;
pvReserved :PVOID;
pbEncoded :PBYTE;
pcbEncoded :PDWORD;
var ppszError :array of LPAWSTR):BOOL ; stdcall;
//+=========================================================================
// Simplified Cryptographic Message Data Structures and APIs
//==========================================================================
//+-------------------------------------------------------------------------
// Conventions for the *pb and *pcb output parameters:
//
// Upon entry to the function:
// if pcb is OPTIONAL && pcb == NULL, then,
// No output is returned
// else if pb == NULL && pcb != NULL, then,
// Length only determination. No length error is
// returned.
// otherwise where (pb != NULL && pcb != NULL && *pcb != 0)
// Output is returned. If *pcb isn't big enough a
// length error is returned. In all cases *pcb is updated
// with the actual length needed/returned.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Type definitions of the parameters used for doing the cryptographic
// operations.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// Callback to get and verify the signer's certificate.
//
// Passed the CertId of the signer (its Issuer and SerialNumber) and a
// handle to its cryptographic signed message's cert store.
//
// For CRYPT_E_NO_SIGNER, called with pSignerId == NULL.
//
// For a valid signer certificate, returns a pointer to a read only
// CERT_CONTEXT. The returned CERT_CONTEXT is either obtained from a
// cert store or was created via CertCreateCertificateContext. For either case,
// its freed via CertFreeCertificateContext.
//
// If a valid certificate isn't found, this callback returns NULL with
// LastError set via SetLastError().
//
// The NULL implementation tries to get the Signer certificate from the
// message cert store. It doesn't verify the certificate.
//--------------------------------------------------------------------------
type
PFN_CRYPT_GET_SIGNER_CERTIFICATE = function (pvGetArg :PVOID;
dwCertEncodingType :DWORD;
pSignerId :PCERT_INFO; // Only the Issuer and SerialNumber
hMsgCertStore :HCERTSTORE // fields have been updated
):PCCERT_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
// The CRYPT_SIGN_MESSAGE_PARA are used for signing messages using the
// specified signing certificate contexts. (Note, allows multiple signers.)
//
// Either the CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID must
// be set for each rgpSigningCert[]. Either one specifies the private
// signature key to use.
//
// If any certificates and/or CRLs are to be included in the signed message,
// then, the MsgCert and MsgCrl parameters need to be updated. If the
// rgpSigningCerts are to be included, then, they must also be in the
// rgpMsgCert array.
//
// cbSize must be set to the sizeof(CRYPT_SIGN_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//
// pvHashAuxInfo currently isn't used and must be set to NULL.
//
// dwFlags normally is set to 0. However, if the encoded output
// is to be a CMSG_SIGNED inner content of an outer cryptographic message,
// such as a CMSG_ENVELOPED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
// should be set. If not set, then it would be encoded as an inner content
// type of CMSG_DATA.
//
// dwInnerContentType is normally set to 0. It needs to be set if the
// ToBeSigned input is the encoded output of another cryptographic
// message, such as, an CMSG_ENVELOPED. When set, it's one of the cryptographic
// message types, for example, CMSG_ENVELOPED.
//
// If the inner content of a nested cryptographic message is data (CMSG_DATA
// the default), then, neither dwFlags or dwInnerContentType need to be set.
//--------------------------------------------------------------------------
type
PCRYPT_SIGN_MESSAGE_PARA = ^CRYPT_SIGN_MESSAGE_PARA;
CRYPT_SIGN_MESSAGE_PARA = record
cbSize :DWORD;
dwMsgEncodingType :DWORD;
pSigningCert :PCCERT_CONTEXT;
HashAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
pvHashAuxInfo :PVOID;
cMsgCert :DWORD;
rgpMsgCert :PPCCERT_CONTEXT;// pointer to array of PCCERT_CONTEXT
cMsgCrl :DWORD;
rgpMsgCrl :PPCCRL_CONTEXT; // pointer to array of PCCERT_CO
cAuthAttr :DWORD;
rgAuthAttr :PCRYPT_ATTRIBUTE;
cUnauthAttr :DWORD;
rgUnauthAttr :PCRYPT_ATTRIBUTE;
dwFlags :DWORD;
dwInnerContentType :DWORD;
end;
const CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG = $1;
//+-------------------------------------------------------------------------
// The CRYPT_VERIFY_MESSAGE_PARA are used to verify signed messages.
//
// hCryptProv is used to do hashing and signature verification.
//
// The dwCertEncodingType specifies the encoding type of the certificates
// and/or CRLs in the message.
//
// pfnGetSignerCertificate is called to get and verify the message signer's
// certificate.
//
// cbSize must be set to the sizeof(CRYPT_VERIFY_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
type
PCRYPT_VERIFY_MESSAGE_PARA = ^CRYPT_VERIFY_MESSAGE_PARA;
CRYPT_VERIFY_MESSAGE_PARA = record
cbSize :DWORD;
dwMsgAndCertEncodingType :DWORD;
hCryptProv :HCRYPTPROV;
pfnGetSignerCertificate :PFN_CRYPT_GET_SIGNER_CERTIFICATE;
pvGetArg :PVOID;
end;
//+-------------------------------------------------------------------------
// The CRYPT_ENCRYPT_MESSAGE_PARA are used for encrypting messages.
//
// hCryptProv is used to do content encryption, recipient key
// encryption, and recipient key export. Its private key
// isn't used.
//
// pvEncryptionAuxInfo currently isn't used and must be set to NULL.
//
// cbSize must be set to the sizeof(CRYPT_ENCRYPT_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//
// dwFlags normally is set to 0. However, if the encoded output
// is to be a CMSG_ENVELOPED inner content of an outer cryptographic message,
// such as a CMSG_SIGNED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
// should be set. If not set, then it would be encoded as an inner content
// type of CMSG_DATA.
//
// dwInnerContentType is normally set to 0. It needs to be set if the
// ToBeEncrypted input is the encoded output of another cryptographic
// message, such as, an CMSG_SIGNED. When set, it's one of the cryptographic
// message types, for example, CMSG_SIGNED.
//
// If the inner content of a nested cryptographic message is data (CMSG_DATA
// the default), then, neither dwFlags or dwInnerContentType need to be set.
//--------------------------------------------------------------------------
type
PCRYPT_ENCRYPT_MESSAGE_PARA = ^CRYPT_ENCRYPT_MESSAGE_PARA;
CRYPT_ENCRYPT_MESSAGE_PARA = record
cbSize :DWORD;
dwMsgEncodingType :DWORD;
hCryptProv :HCRYPTPROV;
ContentEncryptionAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
pvEncryptionAuxInfo :PVOID;
dwFlags :DWORD;
dwInnerContentType :DWORD;
end;
//+-------------------------------------------------------------------------
// The CRYPT_DECRYPT_MESSAGE_PARA are used for decrypting messages.
//
// The CertContext to use for decrypting a message is obtained from one
// of the specified cert stores. An encrypted message can have one or
// more recipients. The recipients are identified by their CertId (Issuer
// and SerialNumber). The cert stores are searched to find the CertContext
// corresponding to the CertId.
//
// Only CertContexts in the store with either
// the CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID set
// can be used. Either property specifies the private exchange key to use.
//
// cbSize must be set to the sizeof(CRYPT_DECRYPT_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
type
PCRYPT_DECRYPT_MESSAGE_PARA = ^CRYPT_DECRYPT_MESSAGE_PARA;
CRYPT_DECRYPT_MESSAGE_PARA = record
cbSize :DWORD;
dwMsgAndCertEncodingType :DWORD;
cCertStore :DWORD;
rghCertStore :PHCERTSTORE;
end;
//+-------------------------------------------------------------------------
// The CRYPT_HASH_MESSAGE_PARA are used for hashing or unhashing
// messages.
//
// hCryptProv is used to compute the hash.
//
// pvHashAuxInfo currently isn't used and must be set to NULL.
//
// cbSize must be set to the sizeof(CRYPT_HASH_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
type
PCRYPT_HASH_MESSAGE_PARA = ^CRYPT_HASH_MESSAGE_PARA;
CRYPT_HASH_MESSAGE_PARA = record
cbSize :DWORD;
dwMsgEncodingType :DWORD;
hCryptProv :HCRYPTPROV;
HashAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
pvHashAuxInfo :PVOID;
end;
//+-------------------------------------------------------------------------
// The CRYPT_KEY_SIGN_MESSAGE_PARA are used for signing messages until a
// certificate has been created for the signature key.
//
// pvHashAuxInfo currently isn't used and must be set to NULL.
//
// If PubKeyAlgorithm isn't set, defaults to szOID_RSA_RSA.
//
// cbSize must be set to the sizeof(CRYPT_KEY_SIGN_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
type
PCRYPT_KEY_SIGN_MESSAGE_PARA = ^CRYPT_KEY_SIGN_MESSAGE_PARA;
CRYPT_KEY_SIGN_MESSAGE_PARA = record
cbSize :DWORD;
dwMsgAndCertEncodingType :DWORD;
hCryptProv :HCRYPTPROV;
dwKeySpec :DWORD;
HashAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
pvHashAuxInfo :PVOID;
PubKeyAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
end;
//+-------------------------------------------------------------------------
// The CRYPT_KEY_VERIFY_MESSAGE_PARA are used to verify signed messages without
// a certificate for the signer.
//
// Normally used until a certificate has been created for the key.
//
// hCryptProv is used to do hashing and signature verification.
//
// cbSize must be set to the sizeof(CRYPT_KEY_VERIFY_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
type
PCRYPT_KEY_VERIFY_MESSAGE_PARA = ^CRYPT_KEY_VERIFY_MESSAGE_PARA;
CRYPT_KEY_VERIFY_MESSAGE_PARA = record
cbSize :DWORD;
dwMsgEncodingType :DWORD;
hCryptProv :HCRYPTPROV;
end;
//+-------------------------------------------------------------------------
// Sign the message.
//
// If fDetachedSignature is TRUE, the "to be signed" content isn't included
// in the encoded signed blob.
//--------------------------------------------------------------------------
function CryptSignMessage(pSignPara :PCRYPT_SIGN_MESSAGE_PARA;
fDetachedSignature :BOOL;
cToBeSigned :DWORD;
const rgpbToBeSigned :array of PBYTE;
rgcbToBeSigned :array of DWORD;
pbSignedBlob :PBYTE;
pcbSignedBlob :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Verify a signed message.
//
// If pbDecoded == NULL, then, *pcbDecoded is implicitly set to 0 on input.
// For *pcbDecoded == 0 && ppSignerCert == NULL on input, the signer isn't
// verified.
//
// A message might have more than one signer. Set dwSignerIndex to iterate
// through all the signers. dwSignerIndex == 0 selects the first signer.
//
// pVerifyPara's pfnGetSignerCertificate is called to get the signer's
// certificate.
//
// For a verified signer and message, *ppSignerCert is updated
// with the CertContext of the signer. It must be freed by calling
// CertFreeCertificateContext. Otherwise, *ppSignerCert is set to NULL.
//
// ppSignerCert can be NULL, indicating the caller isn't interested
// in getting the CertContext of the signer.
//
// pcbDecoded can be NULL, indicating the caller isn't interested in getting
// the decoded content. Furthermore, if the message doesn't contain any
// content or signers, then, pcbDecoded must be set to NULL, to allow the
// pVerifyPara->pfnGetCertificate to be called. Normally, this would be
// the case when the signed message contains only certficates and CRLs.
// If pcbDecoded is NULL and the message doesn't have the indicated signer,
// pfnGetCertificate is called with pSignerId set to NULL.
//
// If the message doesn't contain any signers || dwSignerIndex > message's
// SignerCount, then, an error is returned with LastError set to
// CRYPT_E_NO_SIGNER. Also, for CRYPT_E_NO_SIGNER, pfnGetSignerCertificate
// is still called with pSignerId set to NULL.
//
// Note, an alternative way to get the certificates and CRLs from a
// signed message is to call CryptGetMessageCertificates.
//--------------------------------------------------------------------------
function CryptVerifyMessageSignature(pVerifyPara :PCRYPT_VERIFY_MESSAGE_PARA;
dwSignerIndex :DWORD;
const pbSignedBlob :PBYTE;
cbSignedBlob :DWORD;
pbDecoded :PBYTE;
pcbDecoded :DWORD;
ppSignerCert :PCCERT_CONTEXT
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Returns the count of signers in the signed message. For no signers, returns
// 0. For an error returns -1 with LastError updated accordingly.
//--------------------------------------------------------------------------
function CryptGetMessageSignerCount(dwMsgEncodingType :DWORD;
const pbSignedBlob :PBYTE;
cbSignedBlob :DWORD):LONG ; stdcall;
//+-------------------------------------------------------------------------
// Returns the cert store containing the message's certs and CRLs.
// For an error, returns NULL with LastError updated.
//--------------------------------------------------------------------------
function CryptGetMessageCertificates(dwMsgAndCertEncodingType :DWORD;
hCryptProv :HCRYPTPROV; // passed to CertOpenStore
dwFlags :DWORD; // passed to CertOpenStore
const pbSignedBlob :PBYTE;
cbSignedBlob :DWORD):HCERTSTORE ; stdcall;
//+-------------------------------------------------------------------------
// Verify a signed message containing detached signature(s).
// The "to be signed" content is passed in separately. No
// decoded output. Otherwise, identical to CryptVerifyMessageSignature.
//--------------------------------------------------------------------------
function CryptVerifyDetachedMessageSignature(pVerifyPara :PCRYPT_VERIFY_MESSAGE_PARA;
dwSignerIndex :DWORD;
const pbDetachedSignBlob :PBYTE;
cbDetachedSignBlob :DWORD;
cToBeSigned :DWORD;
const rgpbToBeSigned :array of PBYTE;
rgcbToBeSigned :array of DWORD;
ppSignerCert :PPCCERT_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Encrypts the message for the recipient(s).
//--------------------------------------------------------------------------
function CryptEncryptMessage(pEncryptPara :PCRYPT_ENCRYPT_MESSAGE_PARA;
cRecipientCert :DWORD;
rgpRecipientCert :array of PCCERT_CONTEXT;
const pbToBeEncrypted :PBYTE;
cbToBeEncrypted :DWORD;
pbEncryptedBlob :PBYTE;
pcbEncryptedBlob :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Decrypts the message.
//
// If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
// For *pcbDecrypted == 0 && ppXchgCert == NULL on input, the message isn't
// decrypted.
//
// For a successfully decrypted message, *ppXchgCert is updated
// with the CertContext used to decrypt. It must be freed by calling
// CertStoreFreeCert. Otherwise, *ppXchgCert is set to NULL.
//
// ppXchgCert can be NULL, indicating the caller isn't interested
// in getting the CertContext used to decrypt.
//--------------------------------------------------------------------------
function CryptDecryptMessage(pDecryptPara :PCRYPT_DECRYPT_MESSAGE_PARA;
const pbEncryptedBlob :PBYTE;
cbEncryptedBlob :DWORD;
pbDecrypted :PBYTE;
pcbDecrypted :PDWORD;
ppXchgCert :PPCCERT_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Sign the message and encrypt for the recipient(s). Does a CryptSignMessage
// followed with a CryptEncryptMessage.
//
// Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. Its a CMSG_SIGNED
// inside of an CMSG_ENVELOPED.
//--------------------------------------------------------------------------
function CryptSignAndEncryptMessage(pSignPara :PCRYPT_SIGN_MESSAGE_PARA;
pEncryptPara :PCRYPT_ENCRYPT_MESSAGE_PARA;
cRecipientCert :DWORD;
rgpRecipientCert :array of PCCERT_CONTEXT;
const pbToBeSignedAndEncrypted :PBYTE;
cbToBeSignedAndEncrypted :DWORD;
pbSignedAndEncryptedBlob :PBYTE;
pcbSignedAndEncryptedBlob :PDWORD
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Decrypts the message and verifies the signer. Does a CryptDecryptMessage
// followed with a CryptVerifyMessageSignature.
//
// If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
// For *pcbDecrypted == 0 && ppSignerCert == NULL on input, the signer isn't
// verified.
//
// A message might have more than one signer. Set dwSignerIndex to iterate
// through all the signers. dwSignerIndex == 0 selects the first signer.
//
// The pVerifyPara's VerifySignerPolicy is called to verify the signer's
// certificate.
//
// For a successfully decrypted and verified message, *ppXchgCert and
// *ppSignerCert are updated. They must be freed by calling
// CertStoreFreeCert. Otherwise, they are set to NULL.
//
// ppXchgCert and/or ppSignerCert can be NULL, indicating the
// caller isn't interested in getting the CertContext.
//
// Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. Its a CMSG_SIGNED
// inside of an CMSG_ENVELOPED.
//
// The message always needs to be decrypted to allow access to the
// signed message. Therefore, if ppXchgCert != NULL, its always updated.
//--------------------------------------------------------------------------
function CryptDecryptAndVerifyMessageSignature(pDecryptPara :PCRYPT_DECRYPT_MESSAGE_PARA;
pVerifyPara :PCRYPT_VERIFY_MESSAGE_PARA;
dwSignerIndex :DWORD;
const pbEncryptedBlob :PBYTE;
cbEncryptedBlob :DWORD;
pbDecrypted :PBYTE;
pcbDecrypted :PDWORD;
var ppXchgCert :array of PCCERT_CONTEXT;
var ppSignerCert :array of PCCERT_CONTEXT
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Decodes a cryptographic message which may be one of the following types:
// CMSG_DATA
// CMSG_SIGNED
// CMSG_ENVELOPED
// CMSG_SIGNED_AND_ENVELOPED
// CMSG_HASHED
//
// dwMsgTypeFlags specifies the set of allowable messages. For example, to
// decode either SIGNED or ENVELOPED messages, set dwMsgTypeFlags to:
// CMSG_SIGNED_FLAG | CMSG_ENVELOPED_FLAG.
//
// dwProvInnerContentType is only applicable when processing nested
// crytographic messages. When processing an outer crytographic message
// it must be set to 0. When decoding a nested cryptographic message
// its the dwInnerContentType returned by a previous CryptDecodeMessage
// of the outer message. The InnerContentType can be any of the CMSG types,
// for example, CMSG_DATA, CMSG_SIGNED, ...
//
// The optional *pdwMsgType is updated with the type of message.
//
// The optional *pdwInnerContentType is updated with the type of the inner
// message. Unless there is cryptographic message nesting, CMSG_DATA
// is returned.
//
// For CMSG_DATA: returns decoded content.
// For CMSG_SIGNED: same as CryptVerifyMessageSignature.
// For CMSG_ENVELOPED: same as CryptDecryptMessage.
// For CMSG_SIGNED_AND_ENVELOPED: same as CryptDecryptMessage plus
// CryptVerifyMessageSignature.
// For CMSG_HASHED: verifies the hash and returns decoded content.
//--------------------------------------------------------------------------
function CryptDecodeMessage(dwMsgTypeFlags :DWORD;
pDecryptPara :PCRYPT_DECRYPT_MESSAGE_PARA;
pVerifyPara :PCRYPT_VERIFY_MESSAGE_PARA ;
dwSignerIndex :DWORD;
const pbEncodedBlob :PBYTE;
cbEncodedBlob :DWORD;
dwPrevInnerContentType :DWORD;
pdwMsgType :PDWORD;
pdwInnerContentType :PDWORD;
pbDecoded :PBYTE;
pcbDecoded :PDWORD;
var ppXchgCert :array of PCCERT_CONTEXT;
var ppSignerCert :array of PCCERT_CONTEXT
):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Hash the message.
//
// If fDetachedHash is TRUE, only the ComputedHash is encoded in the
// pbHashedBlob. Otherwise, both the ToBeHashed and ComputedHash
// are encoded.
//
// pcbHashedBlob or pcbComputedHash can be NULL, indicating the caller
// isn't interested in getting the output.
//--------------------------------------------------------------------------
function CryptHashMessage(pHashPara :PCRYPT_HASH_MESSAGE_PARA;
fDetachedHash :BOOL;
cToBeHashed :DWORD;
const rgpbToBeHashed :array of PBYTE;
rgcbToBeHashed :array of DWORD;
pbHashedBlob :PBYTE;
pcbHashedBlob :PDWORD;
pbComputedHash :PBYTE;
pcbComputedHash :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Verify a hashed message.
//
// pcbToBeHashed or pcbComputedHash can be NULL,
// indicating the caller isn't interested in getting the output.
//--------------------------------------------------------------------------
function CryptVerifyMessageHash(pHashPara :PCRYPT_HASH_MESSAGE_PARA;
pbHashedBlob :PBYTE;
cbHashedBlob :DWORD;
pbToBeHashed :PBYTE;
pcbToBeHashed :PDWORD;
pbComputedHash :PBYTE;
pcbComputedHash :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Verify a hashed message containing a detached hash.
// The "to be hashed" content is passed in separately. No
// decoded output. Otherwise, identical to CryptVerifyMessageHash.
//
// pcbComputedHash can be NULL, indicating the caller isn't interested
// in getting the output.
//--------------------------------------------------------------------------
function CryptVerifyDetachedMessageHash(pHashPara :PCRYPT_HASH_MESSAGE_PARA;
pbDetachedHashBlob :PBYTE;
cbDetachedHashBlob :DWORD;
cToBeHashed :DWORD;
rgpbToBeHashed :array of PBYTE;
rgcbToBeHashed :array of DWORD;
pbComputedHash :PBYTE;
pcbComputedHash :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Sign the message using the provider's private key specified in the
// parameters. A dummy SignerId is created and stored in the message.
//
// Normally used until a certificate has been created for the key.
//--------------------------------------------------------------------------
function CryptSignMessageWithKey(pSignPara :PCRYPT_KEY_SIGN_MESSAGE_PARA;
const pbToBeSigned :PBYTE;
cbToBeSigned :DWORD;
pbSignedBlob :PBYTE;
pcbSignedBlob :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Verify a signed message using the specified public key info.
//
// Normally called by a CA until it has created a certificate for the
// key.
//
// pPublicKeyInfo contains the public key to use to verify the signed
// message. If NULL, the signature isn't verified (for instance, the decoded
// content may contain the PublicKeyInfo).
//
// pcbDecoded can be NULL, indicating the caller isn't interested
// in getting the decoded content.
//--------------------------------------------------------------------------
function CryptVerifyMessageSignatureWithKey(pVerifyPara :PCRYPT_KEY_VERIFY_MESSAGE_PARA;
pPublicKeyInfo :PCERT_PUBLIC_KEY_INFO;
const pbSignedBlob :PBYTE;
cbSignedBlob :DWORD;
pbDecoded :PBYTE;
pcbDecoded :PDWORD):BOOL ; stdcall;
//+=========================================================================
// System Certificate Store Data Structures and APIs
//==========================================================================
//+-------------------------------------------------------------------------
// Get a system certificate store based on a subsystem protocol.
//
// Current examples of subsystems protocols are:
// "MY" Cert Store hold certs with associated Private Keys
// "CA" Certifying Authority certs
// "ROOT" Root Certs
// "SPC" Software publisher certs
//
//
// If hProv is NULL the default provider "1" is opened for you.
// When the store is closed the provider is release. Otherwise
// if hProv is not NULL, no provider is created or released.
//
// The returned Cert Store can be searched for an appropriate Cert
// using the Cert Store API's (see certstor.h)
//
// When done, the cert store should be closed using CertStoreClose
//--------------------------------------------------------------------------
function CertOpenSystemStoreA(hProv :HCRYPTPROV;
szSubsystemProtocol :LPCSTR):HCERTSTORE ; stdcall;
function CertOpenSystemStoreW(hProv :HCRYPTPROV;
szSubsystemProtocol :LPCWSTR):HCERTSTORE ; stdcall;
function CertOpenSystemStore(hProv :HCRYPTPROV;
szSubsystemProtocol :LPAWSTR):HCERTSTORE ; stdcall;
function CertAddEncodedCertificateToSystemStoreA(szCertStoreName :LPCSTR;
const pbCertEncoded :PBYTE;
cbCertEncoded :DWORD):BOOL ; stdcall;
function CertAddEncodedCertificateToSystemStoreW(szCertStoreName :LPCWSTR;
const pbCertEncoded :PBYTE;
cbCertEncoded :DWORD):BOOL ; stdcall;
function CertAddEncodedCertificateToSystemStore(szCertStoreName :LPAWSTR;
const pbCertEncoded :PBYTE;
cbCertEncoded :DWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
// Find all certificate chains tying the given issuer name to any certificate
// that the current user has a private key for.
//
// If no certificate chain is found, FALSE is returned with LastError set
// to CRYPT_E_NOT_FOUND and the counts zeroed.
//
// IE 3.0 ASSUMPTION:
// The client certificates are in the "My" system store. The issuer
// cerificates may be in the "Root", "CA" or "My" system stores.
//--------------------------------------------------------------------------
type
PCERT_CHAIN = ^CERT_CHAIN;
CERT_CHAIN = record
cCerts :DWORD; // number of certs in chain
certs :PCERT_BLOB; // pointer to array of cert chain blobs representing the certs
keyLocatorInfo :CRYPT_KEY_PROV_INFO; // key locator for cert
end;
// WINCRYPT32API This is not exported by crypt32, it is exported by softpub
function FindCertsByIssuer(pCertChains :PCERT_CHAIN;
pcbCertChains :PDWORD;
pcCertChains :PDWORD; // count of certificates chains returned
pbEncodedIssuerName :PBYTE; // DER encoded issuer name
cbEncodedIssuerName :DWORD; // count in bytes of encoded issuer name
pwszPurpose :LPCWSTR; // "ClientAuth" or "CodeSigning"
dwKeySpec :DWORD // only return signers supporting this keyspec
):HRESULT ; stdcall;
//////////////////////////// VERSION 2 ////////////////////////////////////////////////////////////////////
implementation
{Macro inplementation}
function GET_ALG_CLASS(x:integer) :integer;
begin
Result:=(x and (7 shl 13));
end;
function GET_ALG_TYPE(x:integer) :integer;
begin
Result:=(x and (15 shl 9));
end;
function GET_ALG_SID(x:integer) :integer;
begin
Result:=(x and (511));
end;
function RCRYPT_SUCCEEDED(rt:BOOL):BOOL;
begin
Result:= rt = CRYPT_SUCCEED;
end;
function RCRYPT_FAILED(rt:BOOL):BOOL;
begin
Result:= rt = CRYPT_FAILED;
end ;
function GET_CERT_UNICODE_RDN_ERR_INDEX(X :integer):integer;
begin
Result := ((X shr CERT_UNICODE_RDN_ERR_INDEX_SHIFT) and CERT_UNICODE_RDN_ERR_INDEX_MASK);
end;
function GET_CERT_UNICODE_ATTR_ERR_INDEX(X :integer):integer;
begin
Result := ((X shr CERT_UNICODE_ATTR_ERR_INDEX_SHIFT) and CERT_UNICODE_ATTR_ERR_INDEX_MASK);
end;
function GET_CERT_UNICODE_VALUE_ERR_INDEX(X :integer):integer;
begin
Result := (X and CERT_UNICODE_VALUE_ERR_INDEX_MASK);
end;
function GET_CERT_ALT_NAME_ENTRY_ERR_INDEX(X :DWORD):DWORD;
begin
Result := ((X shr CERT_ALT_NAME_ENTRY_ERR_INDEX_SHIFT) and CERT_ALT_NAME_ENTRY_ERR_INDEX_MASK);
end;
function GET_CERT_ALT_NAME_VALUE_ERR_INDEX(X :DWORD):DWORD;
begin
Result := (X and CERT_ALT_NAME_VALUE_ERR_INDEX_MASK);
end;
function GET_CRL_DIST_POINT_ERR_INDEX(X :DWORD):DWORD;
begin
Result := ((X shr CRL_DIST_POINT_ERR_INDEX_SHIFT) and CRL_DIST_POINT_ERR_INDEX_MASK);
end;
function IS_CRL_DIST_POINT_ERR_CRL_ISSUER(X :DWORD):BOOL;
begin
Result := (0 <> (X and CRL_DIST_POINT_ERR_CRL_ISSUER_BIT));
end;
///////////////////////////////////////version 2 /////////////////////////
function IS_CERT_RDN_CHAR_STRING(X :DWORD) :BOOL;
begin
Result :=BOOL(X >= CERT_RDN_NUMERIC_STRING);
end;
function GET_CERT_ENCODING_TYPE(X :DWORD):DWORD;
begin
Result := (X and CERT_ENCODING_TYPE_MASK);
end;
function GET_CMSG_ENCODING_TYPE(X :DWORD):DWORD;
begin
Result := (X and CMSG_ENCODING_TYPE_MASK);
end;
function IS_CERT_HASH_PROP_ID( X :DWORD):BOOL ;
begin
if (X = CERT_SHA1_HASH_PROP_ID) or (X = CERT_MD5_HASH_PROP_ID) then
Result := True
else
Result := False;
end;
{end Macro}
function CryptAcquireContextA ;external ADVAPI32 name 'CryptAcquireContextA';
{$IFDEF UNICODE}
function CryptAcquireContext ;external ADVAPI32 name 'CryptAcquireContextW';
{$ELSE}
function CryptAcquireContext ;external ADVAPI32 name 'CryptAcquireContextA';
{$ENDIF}
function CryptAcquireContextW ;external ADVAPI32 name 'CryptAcquireContextW';
function CryptReleaseContext ;external ADVAPI32 name 'CryptReleaseContext';
function CryptGenKey ;external ADVAPI32 name 'CryptGenKey';
function CryptDeriveKey ;external ADVAPI32 name 'CryptDeriveKey';
function CryptDestroyKey ;external ADVAPI32 name 'CryptDestroyKey';
function CryptSetKeyParam ;external ADVAPI32 name 'CryptSetKeyParam';
function CryptGetKeyParam ;external ADVAPI32 name 'CryptGetKeyParam';
function CryptSetHashParam ;external ADVAPI32 name 'CryptSetHashParam';
function CryptGetHashParam ;external ADVAPI32 name 'CryptGetHashParam';
function CryptSetProvParam ;external ADVAPI32 name 'CryptSetProvParam';
function CryptGetProvParam ;external ADVAPI32 name 'CryptGetProvParam';
function CryptGenRandom ;external ADVAPI32 name 'CryptGenRandom';
function CryptGetUserKey ;external ADVAPI32 name 'CryptGetUserKey';
function CryptExportKey ;external ADVAPI32 name 'CryptExportKey';
function CryptImportKey ;external ADVAPI32 name 'CryptImportKey';
function CryptEncrypt ;external ADVAPI32 name 'CryptEncrypt';
function CryptDecrypt ;external ADVAPI32 name 'CryptDecrypt';
function CryptCreateHash ;external ADVAPI32 name 'CryptCreateHash';
function CryptHashData ;external ADVAPI32 name 'CryptHashData';
function CryptHashSessionKey ;external ADVAPI32 name 'CryptHashSessionKey';
function CryptDestroyHash ;external ADVAPI32 name 'CryptDestroyHash';
function CryptSignHashA ;external ADVAPI32 name 'CryptSignHashA';
function CryptSignHashW ;external ADVAPI32 name 'CryptSignHashW';
function CryptSignHashU ;external CRYPT32 name 'CryptSignHashU';
{$IFDEF UNICODE}
function CryptSignHash ;external ADVAPI32 name 'CryptSignHashW';
{$ELSE}
function CryptSignHash ;external ADVAPI32 name 'CryptSignHashA';
{$ENDIF}
function CryptVerifySignatureA ;external ADVAPI32 name 'CryptVerifySignatureA';
function CryptVerifySignatureW ;external ADVAPI32 name 'CryptVerifySignatureW';
{$IFDEF UNICODE}
function CryptVerifySignature ;external ADVAPI32 name 'CryptVerifySignatureW';
{$ELSE}
function CryptVerifySignature ;external ADVAPI32 name 'CryptVerifySignatureA';
{$ENDIF}
function CryptSetProviderW ;external ADVAPI32 name 'CryptSetProviderW';
function CryptSetProviderA ;external ADVAPI32 name 'CryptSetProviderA';
function CryptSetProviderU ;external CRYPT32 name 'CryptSetProviderU';
{$IFDEF UNICODE}
function CryptSetProvider ;external ADVAPI32 name 'CryptSetProviderW';
{$ELSE}
function CryptSetProvider ;external ADVAPI32 name 'CryptSetProviderA';
{$ENDIF}
{$IFDEF NT5}
function CryptSetProviderExA ;external ADVAPI32NT5 name 'CryptSetProviderExA';//nt5 advapi32
function CryptSetProviderExW ;external ADVAPI32NT5 name 'CryptSetProviderExW';
{$IFDEF UNICODE}
function CryptSetProviderEx ;external ADVAPI32NT5 name 'CryptSetProviderExW';
{$ELSE}
function CryptSetProviderEx ;external ADVAPI32NT5 name 'CryptSetProviderExA';
{$ENDIF} // !UNICODE
function CryptGetDefaultProviderA ; external ADVAPI32NT5 name 'CryptGetDefaultProviderA';//nt5 advapi32
function CryptGetDefaultProviderW ; external ADVAPI32NT5 name 'CryptGetDefaultProviderW';
{$IFDEF UNICODE}
function CryptGetDefaultProvider ; external ADVAPI32NT5 name 'CryptGetDefaultProviderW';
{$ELSE}
function CryptGetDefaultProvider; external ADVAPI32NT5 name 'CryptGetDefaultProviderA';
{$ENDIF} // !UNICODE
function CryptEnumProviderTypesA ; external ADVAPI32NT5 name 'CryptEnumProviderTypesA';//nt5 advapi32
function CryptEnumProviderTypesW ; external ADVAPI32NT5 name 'CryptEnumProviderTypesW';
{$IFDEF UNICODE}
function CryptEnumProviderTypes ; external ADVAPI32NT5 name 'CryptEnumProviderTypesW';
{$ELSE}
function CryptEnumProviderTypes ; external ADVAPI32NT5 name 'CryptEnumProviderTypesA';
{$ENDIF} // !UNICODE
function CryptEnumProvidersA; external ADVAPI32NT5 name 'CryptEnumProvidersA';//nt5 advapi32
function CryptEnumProvidersW; external ADVAPI32NT5 name 'CryptEnumProvidersW';
{$IFDEF UNICODE}
function CryptEnumProviders; external ADVAPI32NT5 name 'CryptEnumProvidersW';
{$ELSE}
function CryptEnumProviders; external ADVAPI32NT5 name 'CryptEnumProvidersA';
{$ENDIF} // !UNICODE
function CryptContextAddRef; external ADVAPI32NT5 name 'CryptContextAddRef';//nt5 advapi32
function CryptDuplicateKey; external ADVAPI32NT5 name 'CryptDuplicateKey';//nt5 advapi32
function CryptDuplicateHash; external ADVAPI32NT5 name 'CryptDuplicateHash';//nt5 advapi32
{$ENDIF NT5}
function CryptEnumProvidersU; external CRYPT32 name 'CryptEnumProvidersU';
function CryptFormatObject; external CRYPT32 name 'CryptFormatObject';
function CryptEncodeObject; external CRYPT32 name 'CryptEncodeObject';
function CryptDecodeObject; external CRYPT32 name 'CryptDecodeObject';
function CryptInstallOIDFunctionAddress; external CRYPT32 name 'CryptInstallOIDFunctionAddress';
function CryptInitOIDFunctionSet; external CRYPT32 name 'CryptInitOIDFunctionSet';
function CryptGetOIDFunctionAddress; external CRYPT32 name 'CryptGetOIDFunctionAddress';
function CryptGetDefaultOIDDllList; external CRYPT32 name 'CryptGetDefaultOIDDllList';
function CryptGetDefaultOIDFunctionAddress; external CRYPT32 name 'CryptGetDefaultOIDFunctionAddress';
function CryptFreeOIDFunctionAddress; external CRYPT32 name 'CryptFreeOIDFunctionAddress';
function CryptRegisterOIDFunction; external CRYPT32 name 'CryptRegisterOIDFunction';
function CryptUnregisterOIDFunction; external CRYPT32 name 'CryptUnregisterOIDFunction';
function CryptRegisterDefaultOIDFunction; external CRYPT32 name 'CryptRegisterDefaultOIDFunction';
function CryptUnregisterDefaultOIDFunction; external CRYPT32 name 'CryptUnregisterDefaultOIDFunction';
function CryptSetOIDFunctionValue; external CRYPT32 name 'CryptSetOIDFunctionValue';
function CryptGetOIDFunctionValue; external CRYPT32 name 'CryptGetOIDFunctionValue';
function CryptEnumOIDFunction; external CRYPT32 name 'CryptEnumOIDFunction';
function CryptFindOIDInfo; external CRYPT32 name 'CryptFindOIDInfo';
function CryptRegisterOIDInfo; external CRYPT32 name 'CryptRegisterOIDInfo';
function CryptUnregisterOIDInfo; external CRYPT32 name 'CryptUnregisterOIDInfo';
function CryptMsgOpenToEncode; external CRYPT32 name 'CryptMsgOpenToEncode';
function CryptMsgCalculateEncodedLength; external CRYPT32 name 'CryptMsgCalculateEncodedLength';
function CryptMsgOpenToDecode; external CRYPT32 name 'CryptMsgOpenToDecode';
function CryptMsgClose; external CRYPT32 name 'CryptMsgClose';
function CryptMsgUpdate; external CRYPT32 name 'CryptMsgUpdate';
function CryptMsgControl; external CRYPT32 name 'CryptMsgControl';
function CryptMsgVerifyCountersignatureEncoded; external CRYPT32 name 'CryptMsgVerifyCountersignatureEncoded';
function CryptMsgCountersign; external CRYPT32 name 'CryptMsgCountersign';
function CryptMsgCountersignEncoded; external CRYPT32 name 'CryptMsgCountersignEncoded';
function CryptMsgGetParam; external CRYPT32 name 'CryptMsgGetParam';
function CertOpenStore; external CRYPT32 name 'CertOpenStore';
function CertDuplicateStore; external CRYPT32 name 'CertDuplicateStore';
function CertSaveStore; external CRYPT32 name 'CertSaveStore';
function CertCloseStore; external CRYPT32 name 'CertCloseStore';
function CertGetSubjectCertificateFromStore; external CRYPT32 name 'CertGetSubjectCertificateFromStore';
function CertEnumCertificatesInStore; external CRYPT32 name 'CertEnumCertificatesInStore';
function CertFindCertificateInStore; external CRYPT32 name 'CertFindCertificateInStore';
function CertGetIssuerCertificateFromStore; external CRYPT32 name 'CertGetIssuerCertificateFromStore';
function CertVerifySubjectCertificateContext; external CRYPT32 name 'CertVerifySubjectCertificateContext';
function CertDuplicateCertificateContext; external CRYPT32 name 'CertDuplicateCertificateContext';
function CertCreateCertificateContext; external CRYPT32 name 'CertCreateCertificateContext';
function CertFreeCertificateContext; external CRYPT32 name 'CertFreeCertificateContext';
function CertSetCertificateContextProperty; external CRYPT32 name 'CertSetCertificateContextProperty';
function CertGetCertificateContextProperty; external CRYPT32 name 'CertGetCertificateContextProperty';
function CertEnumCertificateContextProperties; external CRYPT32 name 'CertEnumCertificateContextProperties';
function CertGetCRLFromStore; external CRYPT32 name 'CertGetCRLFromStore';
function CertDuplicateCRLContext; external CRYPT32 name 'CertDuplicateCRLContext';
function CertCreateCRLContext; external CRYPT32 name 'CertCreateCRLContext';
function CertFreeCRLContext; external CRYPT32 name 'CertFreeCRLContext';
function CertSetCRLContextProperty; external CRYPT32 name 'CertSetCRLContextProperty';
function CertGetCRLContextProperty; external CRYPT32 name 'CertGetCRLContextProperty';
function CertEnumCRLContextProperties; external CRYPT32 name 'CertEnumCRLContextProperties';
function CertAddEncodedCertificateToStore; external CRYPT32 name 'CertAddEncodedCertificateToStore';
function CertAddCertificateContextToStore; external CRYPT32 name 'CertAddCertificateContextToStore';
function CertAddSerializedElementToStore; external CRYPT32 name 'CertAddSerializedElementToStore';
function CertDeleteCertificateFromStore; external CRYPT32 name 'CertDeleteCertificateFromStore';
function CertAddEncodedCRLToStore; external CRYPT32 name 'CertAddEncodedCRLToStore';
function CertAddCRLContextToStore; external CRYPT32 name 'CertAddCRLContextToStore';
function CertDeleteCRLFromStore; external CRYPT32 name 'CertDeleteCRLFromStore';
function CertSerializeCertificateStoreElement; external CRYPT32 name 'CertSerializeCertificateStoreElement';
function CertSerializeCRLStoreElement; external CRYPT32 name 'CertSerializeCRLStoreElement';
function CertDuplicateCTLContext; external CRYPT32 name 'CertDuplicateCTLContext';
function CertCreateCTLContext; external CRYPT32 name 'CertCreateCTLContext';
function CertFreeCTLContext; external CRYPT32 name 'CertFreeCTLContext';
function CertSetCTLContextProperty; external CRYPT32 name 'CertSetCTLContextProperty';
function CertGetCTLContextProperty; external CRYPT32 name 'CertGetCTLContextProperty';
function CertEnumCTLContextProperties; external CRYPT32 name 'CertEnumCTLContextProperties';
function CertEnumCTLsInStore; external CRYPT32 name 'CertEnumCTLsInStore';
function CertFindSubjectInCTL; external CRYPT32 name 'CertFindSubjectInCTL';
function CertFindCTLInStore; external CRYPT32 name 'CertFindCTLInStore';
function CertAddEncodedCTLToStore; external CRYPT32 name 'CertAddEncodedCTLToStore';
function CertAddCTLContextToStore; external CRYPT32 name 'CertAddCTLContextToStore';
function CertSerializeCTLStoreElement; external CRYPT32 name 'CertSerializeCTLStoreElement';
function CertDeleteCTLFromStore; external CRYPT32 name 'CertDeleteCTLFromStore';
function CertGetEnhancedKeyUsage; external CRYPT32 name 'CertGetEnhancedKeyUsage';
function CertSetEnhancedKeyUsage; external CRYPT32 name 'CertSetEnhancedKeyUsage';
function CertAddEnhancedKeyUsageIdentifier; external CRYPT32 name 'CertAddEnhancedKeyUsageIdentifier';
function CertRemoveEnhancedKeyUsageIdentifier; external CRYPT32 name 'CertRemoveEnhancedKeyUsageIdentifier';
function CryptMsgGetAndVerifySigner; external CRYPT32 name 'CryptMsgGetAndVerifySigner';
function CryptMsgSignCTL; external CRYPT32 name 'CryptMsgSignCTL';
function CryptMsgEncodeAndSignCTL; external CRYPT32 name 'CryptMsgEncodeAndSignCTL';
function CertVerifyCTLUsage; external CRYPT32 name 'CertVerifyCTLUsage';
function CertVerifyRevocation; external CRYPT32 name 'CertVerifyRevocation';
function CertCompareIntegerBlob; external CRYPT32 name 'CertCompareIntegerBlob';
function CertCompareCertificate; external CRYPT32 name 'CertCompareCertificate';
function CertCompareCertificateName; external CRYPT32 name 'CertCompareCertificateName';
function CertIsRDNAttrsInCertificateName; external CRYPT32 name 'CertIsRDNAttrsInCertificateName';
function CertComparePublicKeyInfo; external CRYPT32 name 'CertComparePublicKeyInfo';
function CertGetPublicKeyLength; external CRYPT32 name 'CertGetPublicKeyLength';
function CryptVerifyCertificateSignature; external CRYPT32 name 'CryptVerifyCertificateSignature';
function CryptHashToBeSigned; external CRYPT32 name 'CryptHashToBeSigned';
function CryptHashCertificate; external CRYPT32 name 'CryptHashCertificate';
function CryptSignCertificate; external CRYPT32 name 'CryptSignCertificate';
function CryptSignAndEncodeCertificate; external CRYPT32 name 'CryptSignAndEncodeCertificate';
function CertVerifyTimeValidity; external CRYPT32 name 'CertVerifyTimeValidity';
function CertVerifyCRLTimeValidity; external CRYPT32 name 'CertVerifyCRLTimeValidity';
function CertVerifyValidityNesting; external CRYPT32 name 'CertVerifyValidityNesting';
function CertVerifyCRLRevocation; external CRYPT32 name 'CertVerifyCRLRevocation';
function CertAlgIdToOID; external CRYPT32 name 'CertAlgIdToOID';
function CertOIDToAlgId; external CRYPT32 name 'CertOIDToAlgId';
function CertFindExtension; external CRYPT32 name 'CertFindExtension';
function CertFindAttribute; external CRYPT32 name 'CertFindAttribute';
function CertFindRDNAttr; external CRYPT32 name 'CertFindRDNAttr';
function CertGetIntendedKeyUsage; external CRYPT32 name 'CertGetIntendedKeyUsage';
function CryptExportPublicKeyInfo; external CRYPT32 name 'CryptExportPublicKeyInfo';
function CryptExportPublicKeyInfoEx; external CRYPT32 name 'CryptExportPublicKeyInfoEx';
function CryptImportPublicKeyInfo; external CRYPT32 name 'CryptImportPublicKeyInfo';
function CryptImportPublicKeyInfoEx; external CRYPT32 name 'CryptImportPublicKeyInfoEx';
function CryptHashPublicKeyInfo; external CRYPT32 name 'CryptHashPublicKeyInfo';
function CertRDNValueToStrA; external CRYPT32 name 'CertRDNValueToStrA';
function CertRDNValueToStrW; external CRYPT32 name 'CertRDNValueToStrW';
{$IFDEF UNICODE}
function CertRDNValueToStr; external CRYPT32 name 'CertRDNValueToStrW';
{$ELSE}
function CertRDNValueToStr; external CRYPT32 name 'CertRDNValueToStrA';
{$ENDIF} // !UNICODE
function CertNameToStrA; external CRYPT32 name 'CertNameToStrA';
function CertNameToStrW; external CRYPT32 name 'CertNameToStrW';
{$IFDEF UNICODE}
function CertNameToStr; external CRYPT32 name 'CertNameToStrW';
{$ELSE}
function CertNameToStr; external CRYPT32 name 'CertNameToStrA';
{$ENDIF} // !UNICODE
function CertStrToNameW; external CRYPT32 name 'CertStrToNameW';
function CertStrToNameA; external CRYPT32 name 'CertStrToNameA';
{$IFDEF UNICODE}
function CertStrToName; external CRYPT32 name 'CertStrToNameW';
{$ELSE}
function CertStrToName; external CRYPT32 name 'CertStrToNameA';
{$ENDIF} // !UNICODE
function CryptSignMessage; external CRYPT32 name 'CryptSignMessage';
//function CryptSignMessageWithKey; external CRYPT32 name 'CryptSignMessageWithKey';
function CryptVerifyMessageSignature; external CRYPT32 name 'CryptVerifyMessageSignature';
//function CryptVerifyMessageSignatureWithKey; external CRYPT32 name 'CryptVerifyMessageSignatureWithKey';
function CryptGetMessageSignerCount; external CRYPT32 name 'CryptGetMessageSignerCount';
function CryptGetMessageCertificates; external CRYPT32 name 'CryptGetMessageCertificates';
function CryptVerifyDetachedMessageSignature; external CRYPT32 name 'CryptVerifyDetachedMessageSignature';
function CryptEncryptMessage; external CRYPT32 name 'CryptEncryptMessage';
function CryptDecryptMessage; external CRYPT32 name 'CryptDecryptMessage';
function CryptSignAndEncryptMessage; external CRYPT32 name 'CryptSignAndEncryptMessage';
function CryptDecryptAndVerifyMessageSignature; external CRYPT32 name 'CryptDecryptAndVerifyMessageSignature';
function CryptDecodeMessage; external CRYPT32 name 'CryptDecodeMessage';
function CryptHashMessage; external CRYPT32 name 'CryptHashMessage';
function CryptVerifyMessageHash; external CRYPT32 name 'CryptVerifyMessageHash';
function CryptVerifyDetachedMessageHash; external CRYPT32 name 'CryptVerifyDetachedMessageHash';
function CryptSignMessageWithKey; external CRYPT32 name 'CryptSignMessageWithKey';
function CryptVerifyMessageSignatureWithKey; external CRYPT32 name 'CryptVerifyMessageSignatureWithKey';
function CertOpenSystemStoreA; external CRYPT32 name 'CertOpenSystemStoreA';
function CertOpenSystemStoreW; external CRYPT32 name 'CertOpenSystemStoreW';
{$IFDEF UNICODE}
function CertOpenSystemStore; external CRYPT32 name 'CertOpenSystemStoreW';
{$ELSE}
function CertOpenSystemStore; external CRYPT32 name 'CertOpenSystemStoreA';
{$ENDIF} // !UNICODE
function CertAddEncodedCertificateToSystemStoreA; external CRYPT32 name 'CertAddEncodedCertificateToSystemStoreA';
function CertAddEncodedCertificateToSystemStoreW; external CRYPT32 name 'CertAddEncodedCertificateToSystemStoreW';
{$IFDEF UNICODE}
function CertAddEncodedCertificateToSystemStore; external CRYPT32 name 'CertAddEncodedCertificateToSystemStoreW';
{$ELSE}
function CertAddEncodedCertificateToSystemStore; external CRYPT32 name 'CertAddEncodedCertificateToSystemStoreA';
{$ENDIF} // !UNICODE
function FindCertsByIssuer; external SOFTPUB name 'FindCertsByIssuer';
end.
--------------------------------------
enfes kodlarınız varsa paylaşın.
msn: admin@g3nius.net
Delphi - .....................................
'