Upravit

Sdílet prostřednictvím


Cryptography Functions

Cryptography functions are categorized according to usage as follows:

CryptXML Functions

The cryptographic XML functions provide an API for creating and representing digital signatures by using XML formatted data. For information about XML formatted signatures, see the XML-Signature Syntax and Processing specification at https://go.microsoft.com/fwlink/p/?linkid=139649.

Function Description
A_SHAFinal Computes the final hash of the data entered by the MD5Update function.
A_SHAInit Initiates the hashing of a stream of data.
A_SHAUpdate Adds data to a specified hash object.
CryptXmlCreateReference Creates a reference to an XML signature.
CryptXmlAddObject Adds the Object element to the Signature in the Document Context opened for encoding.
CryptXmlClose Closes a cryptographic XML object handle.
CryptXmlDigestReference Used by an application to digest the resolved reference. This function applies transforms before updating the digest.
CryptXmlDllCloseDigest Frees the CRYPT_XML_DIGEST allocated by the CryptXmlDllCreateDigest function.
CryptXmlDllCreateDigest Creates a digest object for the specified method.
CryptXmlDllCreateKey Parses the KeyValue element and creates a Cryptography API: Next Generation (CNG) BCrypt key handle to verify a signature.
CryptXmlDllDigestData Puts data into the digest.
CryptXmlDllEncodeAlgorithm Encodes SignatureMethod or DigestMethod elements for agile algorithms with default parameters.
CryptXmlDllEncodeKeyValue Encodes a KeyValue element.
CryptXmlDllFinalizeDigest Retrieves the digest value.
CryptXmlDllGetAlgorithmInfo Decodes the XML algorithm and returns information about the algorithm.
CryptXmlDllGetInterface Retrieves a pointer to the cryptographic extension functions for the specified algorithm.
CryptXmlDllSignData Signs data.
CryptXmlDllVerifySignature Verifies a signature.
CryptXmlEncode Encodes signature data by using the supplied XML writer callback function.
CryptXmlGetAlgorithmInfo Decodes the CRYPT_XML_ALGORITHM structure and returns information about the algorithm.
CryptXmlGetDocContext Returns the document context specified by the supplied handle.
CryptXmlGetReference Returns the Reference element specified by the supplied handle.
CryptXmlGetSignature Returns an XML Signature element.
CryptXmlGetStatus Returns a CRYPT_XML_STATUS structure that contains status information about the object specified by the supplied handle.
CryptXmlGetTransforms Returns information about the default transform chain engine.
CryptXmlImportPublicKey Imports the public key specified by the supplied handle.
CryptXmlOpenToEncode Opens an XML digital signature to encode and returns a handle of the opened Signature element. The handle encapsulates a document context with a single CRYPT_XML_SIGNATURE structure and remains open until the CryptXmlClose function is called.
CryptXmlOpenToDecode Opens an XML digital signature to decode and returns the handle of the document context that encapsulates a CRYPT_XML_SIGNATURE structure. The document context can include one or more Signature elements.
CryptXmlSetHMACSecret Sets the HMAC secret on the handle before calling the CryptXmlSign or CryptXmlVerify function.
CryptXmlSign Creates a cryptographic signature of a SignedInfo element.
CryptXmlVerifySignature Performs a cryptographic signature validation of a SignedInfo element.
PFN_CRYPT_XML_WRITE_CALLBACK Creates a transform for a specified data provider.
PFN_CRYPT_XML_CREATE_TRANSFORM Writes cryptographic XML data.
PFN_CRYPT_XML_DATA_PROVIDER_READ Reads cryptographic XML data.
PFN_CRYPT_XML_DATA_PROVIDER_CLOSE Releases the cryptographic XML data provider.
PFN_CRYPT_XML_ENUM_ALG_INFO Enumerates predefined and registered CRYPT_XML_ALGORITHM_INFO entries.

 

Signer Functions

Provides functions to sign and time stamp data.

Function Description
SignerFreeSignerContext Frees a SIGNER_CONTEXT structure allocated by a previous call to the SignerSignEx function.
SignError Calls the GetLastError function and converts the return code to an HRESULT.
SignerSign Signs the specified file.
SignerSignEx Signs the specified file and returns a pointer to the signed data.
SignerSignEx2 Signs and time stamps the specified file, allowing multiple nested signatures.
SignerTimeStamp Time stamps the specified subject. This function supports Authenticode time stamping. To perform X.509 Public Key Infrastructure (RFC 3161) time stamping, use the SignerTimeStampEx2 function.
SignerTimeStampEx Time stamps the specified subject and optionally returns a pointer to a SIGNER_CONTEXT structure that contains a pointer to a BLOB. This function supports Authenticode time stamping. To perform X.509 Public Key Infrastructure (RFC 3161) time stamping, use the SignerTimeStampEx2 function.
SignerTimeStampEx2 Time stamps the specified subject and optionally returns a pointer to a SIGNER_CONTEXT structure that contains a pointer to a BLOB. This function can be used to perform X.509 Public Key Infrastructure, RFC 3161–compliant, time stamps.
SignerTimeStampEx3 Time stamps the specified subject and supports setting time stamps on multiple signatures.

 

Base Cryptography Functions

Base cryptographic functions provide the most flexible means of developing cryptography applications. All communication with a cryptographic service provider (CSP) occurs through these functions.

A CSP is an independent module that performs all cryptographic operations. At least one CSP is required with each application that uses cryptographic functions. A single application can occasionally use more than one CSP.

If more than one CSP is used, the one to use can be specified in the CryptoAPI cryptographic function calls. One CSP, the Microsoft Base Cryptographic Provider, is bundled with the CryptoAPI. This CSP is used as a default provider by many of the CryptoAPI functions if no other CSP is specified.

Each CSP provides a different implementation of the cryptographic support provided to CryptoAPI. Some provide stronger cryptographic algorithms; others contain hardware components, such as smart cards. In addition, some CSPs can occasionally communicate directly with users, such as when digital signatures are performed by using the user's signature private key.

Base cryptographic functions are in the following broad groups:

  • Service Provider Functions
  • Key Generation and Exchange Functions
  • Object Encoding and Decoding Functions
  • Data Encryption and Decryption Functions
  • Hash and Digital Signature Functions

Service Provider Functions

Applications use the following service functions to connect and disconnect a cryptographic service provider (CSP).

Function Description
CryptAcquireContext Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Acquires a handle to the current user's key container within a particular CSP.
CryptContextAddRef Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Increments the reference count on an HCRYPTPROV handle.
CryptEnumProviders Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Enumerates the providers on a computer.
CryptEnumProviderTypes Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Enumerates the types of providers supported on the computer.
CryptGetDefaultProvider Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Determines the default CSP either for the current user or for the computer for a specified provider type.
CryptGetProvParam Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Retrieves the parameters that govern the operations of a CSP.
CryptInstallDefaultContext Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Installs a previously acquired HCRYPTPROV context to be used as a default context.
CryptReleaseContext Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Releases the handle acquired by the CryptAcquireContext function.
CryptSetProvider and CryptSetProviderEx Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Specifies the user default CSP for a particular CSP type.
CryptSetProvParam Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Specifies attributes of a CSP.
CryptUninstallDefaultContext Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Removes a default context previously installed by CryptInstallDefaultContext.
FreeCryptProvFromCertEx Releases the handle either to a cryptographic service provider (CSP) or to a Cryptography API: Next Generation (CNG) key.

 

Key Generation and Exchange Functions

Key generation and exchange functions exchange keys with other users and create, configure, and destroy cryptographic keys.

Function Description
CryptDeriveKey Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Creates a key derived from a password.
CryptDestroyKey Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Destroys a key.
CryptDuplicateKey Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Makes an exact copy of a key, including the state of the key.
CryptExportKey Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Transfers a key from the CSP into a key BLOB in the application's memory space.
CryptGenKey Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Creates a random key.
CryptGenRandom Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Generates random data.
CryptGetKeyParam Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Retrieves a key's parameters.
CryptGetUserKey Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Gets a handle to the key exchange or signature key.
CryptImportKey Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Transfers a key from a key BLOB to a CSP.
CryptSetKeyParam Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Specifies a key's parameters.

 

Object Encoding and Decoding Functions

These are generalized encoding and decoding functions. They are used to encode and decode certificates, certificate revocation lists (CRLs), certificate requests, and certificate extensions.

Function Description
CryptDecodeObject Decodes a structure of type lpszStructType.
CryptDecodeObjectEx Decodes a structure of type lpszStructType. CryptDecodeObjectEx supports the one-pass memory allocation option.
CryptEncodeObject Encodes a structure of type lpszStructType.
CryptEncodeObjectEx Encodes a structure of type lpszStructType. CryptEncodeObjectEx supports the one-pass memory allocation option.

 

Data Encryption and Decryption Functions

The following functions support encryption and decryption operations. CryptEncrypt and CryptDecrypt require a cryptographic key before being called. This is done by using the CryptGenKey, CryptDeriveKey, or CryptImportKey function. The encryption algorithm is specified when the key is created. CryptSetKeyParam can set additional encryption parameters.

Function Description
CryptDecrypt Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Decrypts a section of ciphertext by using the specified encryption key.
CryptEncrypt Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Encrypts a section of plaintext by using the specified encryption key.
CryptProtectData Performs encryption on the data in a DATA_BLOB structure.
CryptProtectMemory Encrypts memory to protect sensitive information.
CryptUnprotectData Performs a decryption and integrity check of the data in a DATA_BLOB.
CryptUnprotectMemory Decrypts memory that was encrypted using CryptProtectMemory.

 

Hash and Digital Signature Functions

These functions compute hashes of data and also create and verify digital signatures. Hashes are also known as message digests.

Function Description
CryptCreateHash Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Creates an empty hash object.
CryptDestroyHash Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Destroys a hash object.
CryptDuplicateHash Duplicates a hash object.
CryptGetHashParam Retrieves a hash object parameter.
CryptHashData Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Hashes a block of data, adding it to the specified hash object.
CryptHashSessionKey Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Hashes a session key, adding it to the specified hash object.
CryptSetHashParam Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Sets a hash object parameter.
CryptSignHash Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Signs the specified hash object.
CryptUIWizDigitalSign Displays a wizard that digitally signs a document or a BLOB.
CryptUIWizFreeDigitalSignContext Releases a pointer to a CRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT structure.
CryptVerifySignature Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Verifies a digital signature, given a handle to the hash object.
PFNCFILTERPROC Filters the certificates that appear in the digital signature wizard displayed by the CryptUIWizDigitalSign function.

 

Certificate and Certificate Store Functions

Certificate and certificate store functions manage the use, storage, and retrieval of certificates, certificate revocation lists (CRLs), and certificate trust lists (CTLs). These functions are divided into the following groups:

  • Certificate Store Functions
  • Certificate and Certificate Store Maintenance Functions
  • Certificate Functions
  • Certificate Revocation List Functions
  • Certificate Trust List Functions
  • Extended Property Functions
  • MakeCert Functions

Certificate Store Functions

A user site can, over time, collect many certificates. Typically, a site has certificates for the user of the site as well as other certificates that describe those individuals and entities with whom the user communicates. For each entity, there can be more than one certificate. For each individual certificate, there should be a chain of verifying certificates that provides a trail back to a trusted root certificate. Certificate stores and their related functions provide functionality to store, retrieve, enumerate, verify, and use the information stored in the certificates.

Function Description
CertAddStoreToCollection Adds a sibling certificate store to a collection certificate store.
CertCloseStore Closes a certificate store handle.
CertControlStore Allows an application to be notified when there is a difference between the contents of a cached store and the contents of the store that is persisted to storage. It also provides desynchronization of the cached store, if necessary, and provides a means to commit changes made in the cached store to persisted storage.
CertDuplicateStore Duplicates a store handle by incrementing the reference count.
CertEnumPhysicalStore Enumerates the physical stores for a specified system store.
CertEnumSystemStore Enumerates all available system stores.
CertEnumSystemStoreLocation Enumerates all of the locations that have an available system store.
CertGetStoreProperty Gets a store property.
CertOpenStore Opens a certificate store using a specified store provider type.
CertOpenSystemStore Opens a system certificate store based on a subsystem protocol.
CertRegisterPhysicalStore Adds a physical store to a registry system store collection.
CertRegisterSystemStore Registers a system store.
CertRemoveStoreFromCollection Removes a sibling certificate store from a collection store.
CertSaveStore Saves the certificate store.
CertSetStoreProperty Sets a store property.
CertUnregisterPhysicalStore Removes a physical store from a specified system store collection.
CertUnregisterSystemStore Unregisters a specified system store.
CryptUIWizExport Presents a wizard that exports a certificate, certificate trust list (CTL), certificate revocation list (CRL), or certificate store.
CryptUIWizImport Presents a wizard that imports a certificate, certificate trust list (CTL), certificate revocation list (CRL), or certificate store.

 

Certificate and Certificate Store Maintenance Functions

CryptoAPI provides a set of general certificate and certificate store maintenance functions.

Function Description
CertAddSerializedElementToStore Adds the serialized certificate or CRL element to the store.
CertCreateContext Creates the specified context from the encoded bytes. The new context is not put into a store.
CertEnumSubjectInSortedCTL Enumerates the TrustedSubjects in a sorted CTL context.
CertFindSubjectInCTL Finds the specified subject in a CTL.
CertFindSubjectInSortedCTL Finds the specified subject in a sorted CTL.
OpenPersonalTrustDBDialog and OpenPersonalTrustDBDialogEx Displays the Certificates dialog box.

 

Certificate Functions

Most Certificate functions have related functions to deal with CRLs and CTLs. For more information about related CRL and CTL functions, see Certificate Revocation List Functions and Certificate Trust List Functions.

Function Description
CertAddCertificateContextToStore Adds a certificate context to the certificate store.
CertAddCertificateLinkToStore Adds a link in a certificate store to a certificate context in a different store.
CertAddEncodedCertificateToStore Converts the encoded certificate to a certificate context, and then adds the context to the certificate store.
CertAddRefServerOcspResponse Increments the reference count for an HCERT_SERVER_OCSP_RESPONSE handle.
CertAddRefServerOcspResponseContext Increments the reference count for a CERT_SERVER_OCSP_RESPONSE_CONTEXT structure.
CertCloseServerOcspResponse Closes an online certificate status protocol (OCSP) server response handle.
CertCreateCertificateContext Creates a certificate context from an encoded certificate. The created context is not put in a certificate store.
CertCreateSelfSignCertificate Creates a self-signed certificate.
CertDeleteCertificateFromStore Deletes a certificate from the certificate store.
CertDuplicateCertificateContext Duplicates a certificate context by incrementing its reference count.
CertEnumCertificatesInStore Enumerates the certificate contexts in the certificate store.
CertFindCertificateInStore Finds the first, or next, certificate context in the certificate store that meets a search criterion.
CertFreeCertificateContext Frees a certificate context.
CertGetIssuerCertificateFromStore Gets a certificate context from the certificate store for the first, or next, issuer of the specified subject certificate.
CertGetServerOcspResponseContext Retrieves a non-blocking, time valid online certificate status protocol (OCSP) response context for the specified handle.
CertGetSubjectCertificateFromStore Gets from the certificate store the subject certificate context, which is uniquely identified by its issuer and serial number.
CertGetValidUsages Returns an array of usages that consist of the intersection of the valid usages for all certificates in an array of certificates.
CertOpenServerOcspResponse Opens a handle to an online certificate status protocol (OCSP) response associated with a server certificate chain.
CertRetrieveLogoOrBiometricInfo Performs a URL retrieval of logo or biometric information specified in either the szOID_LOGOTYPE_EXT or szOID_BIOMETRIC_EXT certificate extension.
CertSelectCertificate Presents a dialog box that allows the user to select certificates from a set of certificates that match a given criteria.
CertSelectCertificateChains Retrieves certificate chains based on specified selection criteria.
CertSelectionGetSerializedBlob A helper function used to retrieve a serialized certificate BLOB from a CERT_SELECTUI_INPUT structure.
CertSerializeCertificateStoreElement Serializes a certificate context's encoded certificate and an encoded representation of its properties.
CertVerifySubjectCertificateContext Performs the enabled verification checks on the subject certificate using the issuer.
CryptUIDlgCertMgr Displays a dialog box that allows the user to manage certificates.
CryptUIDlgSelectCertificate Displays a dialog box that allows a user to select a certificate.
CryptUIDlgSelectCertificateFromStore Displays a dialog box that allows the selection of a certificate from a specified store.
CryptUIDlgViewCertificate Presents a dialog box that displays a specified certificate.
CryptUIDlgViewContext Displays a certificate, CRL, or CTL.
CryptUIDlgViewSignerInfo Displays a dialog box that contains the signer information for a signed message.
GetFriendlyNameOfCert Retrieves the display name for a certificate.
RKeyCloseKeyService Closes a key service handle.
RKeyOpenKeyService Opens a key service handle on a remote computer.
RKeyPFXInstall Installs a certificate on a remote computer.

 

Certificate Revocation List Functions

These functions manage the storage and retrieval of certificate revocation lists (CRLs).

Function Description
CertAddCRLContextToStore Adds a CRL context to the certificate store.
CertAddCRLLinkToStore Adds a link in a store to a CRL context in a different store.
CertAddEncodedCRLToStore Converts the encoded CRL to a CRL context, and then adds the context to the certificate store.
CertCreateCRLContext Creates a CRL context from an encoded CRL. The created context is not put in a certificate store.
CertDeleteCRLFromStore Deletes a CRL from the certificate store.
CertDuplicateCRLContext Duplicates a CRL context by incrementing the reference count.
CertEnumCRLsInStore Enumerates the CRL contexts in a store.
CertFindCertificateInCRL Searches the certificate revocation list (CRL) for the specified certificate.
CertFindCRLInStore Finds the first, or next, CRL context in the certificate store that matches a specific criterion.
CertFreeCRLContext Frees a CRL context.
CertGetCRLFromStore Gets the first, or next, CRL context from the certificate store for the specified issuer certificate.
CertSerializeCRLStoreElement Serializes the CRL context's encoded CRL and its properties.

 

Certificate Trust List Functions

These functions manage the storage and retrieval of certificate trust lists (CTLs).

Function Description
CertAddCTLContextToStore Adds a CTL context to the certificate store.
CertAddCTLLinkToStore Adds a link in a store to a CRL context in a different store.
CertAddEncodedCTLToStore Converts the encoded CTL to a CTL context, and then adds the context to the certificate store.
CertCreateCTLContext Creates a CTL context from an encoded certificate trust list. The created context is not put in a certificate store.
CertDeleteCTLFromStore Deletes a CTL from the certificate store.
CertDuplicateCTLContext Duplicates a CTL context by incrementing the reference count.
CertEnumCTLsInStore Enumerates the CTL contexts in the certificate store.
CertFindCTLInStore Finds the first, or next, CTL context in the certificate store that matches a specific criteria.
CertFreeCTLContext Frees a CTL context.
CertModifyCertificatesToTrust Modifies the set of certificates in a CTL for a given purpose.
CertSerializeCTLStoreElement Serializes the CTL context's encoded CTL and its properties.

 

Extended Property Functions

The following functions work with extended properties of certificates, CRLs, and CTLs.

Function Description
CertEnumCertificateContextProperties Enumerates the properties for the specified certificate context.
CertEnumCRLContextProperties Enumerates the properties for the specified CRL context.
CertEnumCTLContextProperties Enumerates the properties for the specified CTL context.
CertGetCertificateContextProperty Retrieves certificate properties.
CertGetCRLContextProperty Retrieves CRL properties.
CertGetCTLContextProperty Retrieves CTL properties.
CertSetCertificateContextProperty Sets certificate properties.
CertSetCRLContextProperty Sets CRL properties.
CertSetCTLContextProperty Sets CTL properties.

 

MakeCert Functions

The following functions support the MakeCert tool.

Function Description
FreeCryptProvFromCert Releases the handle to a cryptographic service provider (CSP) and optionally deletes the temporary container created by the GetCryptProvFromCert function.
GetCryptProvFromCert Gets a handle to a CSP and a key specification for a certificate context.
PvkFreeCryptProv Releases the handle to a CSP and optionally deletes the temporary container created by the PvkGetCryptProv function.
PvkGetCryptProv Gets a handle to a CSP based on either a private key file name or a key container name.
PvkPrivateKeyAcquireContextFromMemory Creates a temporary container in the CSP and loads a private key from memory into the container.
PvkPrivateKeySave Saves a private key and its corresponding public key to a specified file.
SignError Calls GetLastError and converts the return code to an HRESULT.

 

Certificate Verification Functions

Certificates are verified using CTLs or certificate chains. Functions are provided for both of these:

  • Verification Functions Using CTLs
  • Certificate Chain Verification Functions

Verification Functions Using CTLs

These functions use CTLs in the verification process. Additional functions for working with CTLs can be found in Certificate Trust List Functions and Extended Property Functions.

The following functions use CTLs directly for verification.

Function Description
CertVerifyCTLUsage Verifies the usage of a CTL.
CryptMsgEncodeAndSignCTL Encodes and signs a CTL as a message.
CryptMsgGetAndVerifySigner Retrieves and verifies a CTL from a message.
CryptMsgSignCTL Signs a message that contains a CTL.

 

Certificate Chain Verification Functions

Certificate chains are built to provide trust information about individual certificates.

Function Name Description
CertCreateCertificateChainEngine Creates a new, nondefault chain engine for an application.
CertCreateCTLEntryFromCertificateContextProperties Creates a CTL entry whose attributes are the certificate context's properties.
CertDuplicateCertificateChain Duplicates a certificate chain by incrementing the chain's reference count and returning a pointer to the chain.
CertFindChainInStore Finds the first, or next, certificate chain context in a store.
CertFreeCertificateChain Frees a certificate chain by reducing its reference count.
CertFreeCertificateChainEngine Frees a nondefault certificate chain engine.
CertFreeCertificateChainList Frees the array of pointers to chain contexts.
CertGetCertificateChain Builds a chain context starting from an end certificate and going back to a trusted root certificate, if possible.
CertIsValidCRLForCertificate Checks a CRL to determine whether it would include a specific certificate if that certificate were revoked.
CertSetCertificateContextPropertiesFromCTLEntry Sets properties on the certificate context using the attributes in the CTL entry.
CertVerifyCertificateChainPolicy Checks a certificate chain to verify its validity, including its compliance with any specified validity policy criteria.

 

Message Functions

CryptoAPI message functions consist of two groups of functions: low-level message functions and simplified message functions.

Low-level message functions create and work directly with PKCS #7 messages. These functions encode PKCS #7 data for transmission and decode PKCS #7 data received. They also decrypt and verify the signatures of received messages. For an overview of the PKCS #7 standard and low-level messages, see Low-level Messages.

Simplified message functions are at a higher level and wrap several low-level message functions and certificate functions into single functions that perform a specific task in a specific manner. These functions reduce the number of function calls needed to accomplish a task, thereby simplifying CryptoAPI use. For an overview of simplified messages, see Simplified Messages.

  • Low-level Message Functions
  • Simplified Message Functions

Low-level Message Functions

Low-level message functions provide the functionality necessary to encode data for transmission and to decode PKCS #7 messages received. Functionality is also provided to decrypt and verify the signatures of received messages. Use of these low-level message functions in most applications is not recommended. For most applications, the use of Simplified Message Functions, which wrap several low-level message functions into a single function call, is preferred.

Function Description
CryptMsgCalculateEncodedLength Calculates the length of an encoded cryptographic message.
CryptMsgClose Closes a handle of a cryptographic message.
CryptMsgControl Performs a special control function after the final CryptMsgUpdate of an encoded or decoded cryptographic message.
CryptMsgCountersign Countersigns an already existing signature in a message.
CryptMsgCountersignEncoded Countersigns an already existing signature (encoded SignerInfo, as defined by PKCS #7).
CryptMsgDuplicate Duplicates a cryptographic message handle by incrementing the reference count. The reference count keeps track of the lifetime of the message.
CryptMsgGetParam Acquires a parameter after encoding or decoding a cryptographic message.
CryptMsgOpenToDecode Opens a cryptographic message for decoding.
CryptMsgOpenToEncode Opens a cryptographic message for encoding.
CryptMsgUpdate Updates the contents of a cryptographic message.
CryptMsgVerifyCountersignatureEncoded Verifies a countersignature in terms of the SignerInfo structure (as defined by PKCS #7).
CryptMsgVerifyCountersignatureEncodedEx Verifies that the pbSignerInfoCounterSignature parameter contains the encrypted hash of the encryptedDigest field of the pbSignerInfo parameter structure.

 

Simplified Message Functions

simplified message functions wrap Low-level Message Functions into a single function to accomplish a specified task.

Function Description
CryptDecodeMessage Decodes a cryptographic message.
CryptDecryptAndVerifyMessageSignature Decrypts the specified message, and verifies the signer.
CryptDecryptMessage Decrypts the specified message.
CryptEncryptMessage Encrypts the message for the recipient or recipients.
CryptGetMessageCertificates Returns the certificate store that contains the message's certificates and CRLs.
CryptGetMessageSignerCount Returns the count of signers in the signed message.
CryptHashMessage Creates a hash of the message.
CryptSignAndEncryptMessage Signs the message, and then encrypts it for the recipient or recipients.
CryptSignMessageWithKey Signs a message using a CSP's private key specified in the parameters to the function.
CryptSignMessage Signs the message.
CryptVerifyDetachedMessageHash Verifies a hashed message that contains a detached hash.
CryptVerifyDetachedMessageSignature Verifies a signed message that contains a detached signature or signatures.
CryptVerifyMessageHash Verifies a hashed message.
CryptVerifyMessageSignature Verifies a signed message.
CryptVerifyMessageSignatureWithKey Verifies a signed message's signature by using specified public key information.

 

Auxiliary Functions

The auxiliary functions are grouped as follows:

  • Data Management Functions
  • Data Conversion Functions
  • Enhanced Key Usage Functions
  • Key Identifier Functions
  • OID Support Functions
  • Remote Object Retrieval Functions
  • PFX Functions

Data Management Functions

The following CryptoAPI functions manage data and certificates.

Function Description
CertCompareCertificate Compares two certificates to determine whether they are identical.
CertCompareCertificateName Compares two certificate names to determine whether they are identical.
CertCompareIntegerBlob Compares two integer BLOBs.
CertComparePublicKeyInfo Compares two public keys to determine whether they are identical.
CertFindAttribute Finds the first attribute identified by its object identifier (OID).
CertFindExtension Finds the first extension identified by its OID.
CertFindRDNAttr Finds the first RDN attribute identified by its OID in the name list of the Relative Distinguished Names.
CertGetIntendedKeyUsage Acquires the intended key usage bytes from the certificate.
CertGetPublicKeyLength Acquires the public/private key's bit length from the public key BLOB.
CertIsRDNAttrsInCertificateName Compares the attributes in the certificate name with the specified CERT_RDN to determine whether all attributes are included there.
CertIsStrongHashToSign Determines whether the specified hash algorithm and the public key in the signing certificate can be used to perform strong signing.
CertVerifyCRLRevocation Verifies that the subject certificate is not on the certificate revocation list (CRL).
CertVerifyCRLTimeValidity Verifies the time validity of a CRL.
CertVerifyRevocation Verifies that the subject certificate is not on the CRL.
CertVerifyTimeValidity Verifies the time validity of a certificate.
CertVerifyValidityNesting Verifies that the subject's time validity nests within the issuer's time validity.
CryptExportPKCS8 This function is superseded by the CryptExportPKCS8Ex function.
CryptExportPKCS8Ex Exports the private key in PKCS #8 format.
CryptExportPublicKeyInfo Exports the public key information associated with the provider's corresponding private key.
CryptExportPublicKeyInfoEx Exports the public key information associated with the provider's corresponding private key. This function differs from CryptExportPublicKeyInfo in that the user can specify the public key algorithm, thereby overriding the default provided by the CSP.
CryptExportPublicKeyInfoFromBCryptKeyHandle Exports the public key info associated with a provider's corresponding private key.
CryptFindCertificateKeyProvInfo Enumerates the cryptographic providers and their key containers to find the private key that corresponds to a certificate's public key.
CryptFindLocalizedName Finds the localized name for a specified name, for example, finds the localized name for the store name of the Root system.
CryptHashCertificate Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Hashes the encoded content.
CryptHashCertificate2 Hashes a block of data by using a Cryptography API: Next Generation (CNG) hash provider.
CryptHashPublicKeyInfo Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Computes the hash of the encoded public key information.
CryptHashToBeSigned Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Computes the hash of the "to be signed" information in the encoded signed content (CERT_SIGNED_CONTENT_INFO).
CryptImportPKCS8 Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Imports the private key in PKCS #8 format to a cryptographic service provider (CSP).
CryptImportPublicKeyInfo Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Converts and imports public key information into the provider, and returns a handle of the public key.
CryptImportPublicKeyInfoEx Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Converts and imports the public key information into the provider, and returns a handle of the public key. Additional parameters (over those specified by CryptImportPublicKeyInfo) that can be used to override defaults are provided to supplement CERT_PUBLIC_KEY_INFO.
CryptImportPublicKeyInfoEx2 Imports a public key into a CNG asymmetric provider.
CryptMemAlloc Allocates memory for a buffer. This memory is used by all Crypt32.lib functions that return allocated buffers.
CryptMemFree Frees memory allocated by CryptMemAlloc or CryptMemRealloc.
CryptMemRealloc Frees memory currently allocated for a buffer, and allocates memory for a new buffer.
CryptQueryObject Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Retrieves information about the content of a BLOB or a file.
CryptSignAndEncodeCertificate Encodes the "to be signed" information, signs this encoded information, and encodes the resulting signed, encoded information.
CryptSignCertificate Signs the "to be signed" information in the encoded, signed content.
CryptSIPAddProvider Adds a Subject Interface Package (SIP).
CryptSIPCreateIndirectData Returns a SIP_INDIRECT_DATA structure that contains a hash of the supplied SIP_SUBJECTINFO structure, the digest algorithm, and an encoding attribute. The hash can be used as an indirect reference to the data.
CryptSIPGetCaps Retrieves the capabilities of an SIP.
CryptSIPGetSignedDataMsg Retrieves an Authenticode signature from the file.
CryptSIPLoad Loads the dynamic link library that implements a subject interface package and assigns appropriate library export functions to a SIP_DISPATCH_INFO structure.
CryptSIPPutSignedDataMsg Stores an Authenticode Signature in the target file.
CryptSIPRemoveProvider Removes a SIP added by a previous call to the CryptSIPAddProvider function.
CryptSIPRemoveSignedDataMsg Removes a specified Authenticode signature.
CryptSIPRetrieveSubjectGuid Retrieves a GUID based on the header information in a specified file.
CryptSIPRetrieveSubjectGuidForCatalogFile Retrieves the subject GUID associated with the specified file.
CryptSIPVerifyIndirectData Validates the indirect hashed data against the supplied subject.
CryptUpdateProtectedState Migrates the current user's master keys after the user's security identifier (SID) has changed.
CryptVerifyCertificateSignature Verifies the signature of a subject certificate or a CRL by using the public key information.
CryptVerifyCertificateSignatureEx An extended version of CryptVerifyCertificateSignature.
GetEncSChannel Stores the encrypted Schannel DLL contents in memory.
pCryptSIPGetCaps Implemented by an SIP to report capabilities.

 

Data Conversion Functions

The following CryptoAPI functions convert certificate structure members to different forms.

Function Description
CertAlgIdToOID Converts a CryptoAPI algorithm identifier (ALG_ID) to an Abstract Syntax Notation One (ASN.1) object identifier (OID) string.
CertGetNameString Acquires the subject or issuer name from a certificate, and converts it to a null-terminated character string.
CertNameToStr Converts a certificate name BLOB to a zero-terminated string.
CertOIDToAlgId Converts the ASN.1 Object Identifier string to the CSP algorithm identifier.
CertRDNValueToStr Converts a Name Value to a null-terminated string.
CertStrToName Converts a null-terminated X.500 string to an encoded certificate name.
CryptBinaryToString Converts a binary sequence into a formatted string.
CryptFormatObject Formats encoded data, and returns a Unicode string.
CryptStringToBinary Converts a formatted string to a binary sequence.

 

Enhanced Key Usage Functions

The following functions deal with the enhanced key usage (EKU) extension and the EKU extended property of certificates. The EKU extension and extended property specify and limit the valid uses of a certificate. The extensions are part of the certificate itself. They are set by the issuer of the certificate and are read-only. Certificate-extended properties are values associated with a certificate that can be set in an application.

Function Description
CertAddEnhancedKeyUsageIdentifier Adds a usage identifier to a certificate's EKU property.
CertGetEnhancedKeyUsage Acquires, from a certificate, information about the EKU extension or property.
CertRemoveEnhancedKeyUsageIdentifier Removes the usage identifier from a certificate's EKU extended property.
CertSetEnhancedKeyUsage Sets the EKU property for a certificate.

 

Key Identifier Functions

Key identifier functions allow the user to create, set, retrieve, or locate a key identifier or its properties.

A key identifier is the unique identifier of a public/private key pair. It can be any unique identifier but is usually the 20-byte SHA1 hash of an encoded CERT_PUBLIC_KEY_INFO structure. A key identifier can be obtained through the certificate's CERT_KEY_IDENTIFIER_PROP_ID. The key identifier allows the use of that key pair to encrypt or decrypt messages without using the certificate.

Key identifiers are not associated with CRLs or CTLs.

A key identifier can have the same properties as a certificate context. For more information, see CertCreateContext.

Function Description
CryptCreateKeyIdentifierFromCSP Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Creates a key identifier from a CSP's public key BLOB.
CryptEnumKeyIdentifierProperties Enumerates key identifiers and their properties.
CryptGetKeyIdentifierProperty Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Acquires a specific property from a specified key identifier.
CryptSetKeyIdentifierProperty Important:
This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases.
Sets a property of a specified key identifier.

 

OID Support Functions

These functions provide object identifier (OID) support. These functions install, register, and dispatch to OID and encoding type-specific functions.

The following CryptoAPI functions use these OID support functions:

For an overview of this process, see Extending CryptoAPI Functionality.

The following functions work with OIDs.

Function Description
CryptEnumOIDFunction Enumerates the registered OID functions identified by their encoding type, function name, and OID.
CryptEnumOIDInfo Enumerates the registered OID information identified by their group, and calls pfnEnumOIDInfo for matches.
CryptFindOIDInfo Uses the specified key and group to find OID information.
CryptFreeOIDFunctionAddress Releases the handle count that was incremented and returned by CryptGetOIDFunctionAddress or CryptGetDefaultOIDFunctionAddress.
CryptGetDefaultOIDDllList Acquires the list of registered default DLL entries for the specified function set and encoding type.
CryptGetDefaultOIDFunctionAddress Either acquires the first or next installed default function, or loads the DLL that contains the default function.
CryptGetOIDFunctionAddress Searches the list of installed functions for an encoding type and OID match. If a match is not found there, the registry is searched for a match.
CryptGetOIDFunctionValue Acquires the value for the specified encoding type, function name, OID, and value name.
CryptInitOIDFunctionSet Initializes and returns a handle of the OID function set identified by the function name supplied.
CryptInstallOIDFunctionAddress Installs a set of callable OID function addresses.
CryptRegisterDefaultOIDFunction Registers the DLL that contains the default function to be called for the specified encoding type and function name.
CryptRegisterOIDFunction Registers the DLL that contains the function to be called for the specified encoding type, function name, and OID.
CryptRegisterOIDInfo Registers the OID information specified in the CRYPT_OID_INFO structure, persisting it to the registry.
CryptSetOIDFunctionValue Sets the value for the specified encoding type, function name, OID, and value name.
CryptUnregisterDefaultOIDFunction Removes the registration for the DLL that contains the default function to be called for the specified encoding type and function name.
CryptUnregisterOIDFunction Removes the registration for the DLL that contains the function to be called for the specified encoding type, function name, and OID.
CryptUnregisterOIDInfo Removes the registration for the specified OID information.

 

Remote Object Retrieval Functions

The following functions allow the user to retrieve a Public Key Infrastructure (PKI) object, acquire the URL of a certificate, CTL, or CRL, or to extract a URL from an object.

Function Description
CryptGetObjectUrl Acquires the URL of the remote object from a certificate, CTL, or CRL.
CryptRetrieveObjectByUrl Retrieves the PKI object from a location specified by a URL.

 

PFX Functions

The following functions support Personal Information Exchange (PFX) format BLOBs.

Function Description
PFXExportCertStore Exports from the referenced certificate store the certificates and, if available, their associated private keys.
PFXExportCertStoreEx Exports from the referenced certificate store the certificates and, if available, their associated private keys.
PFXImportCertStore Imports a PFX BLOB, and returns the handle of a store that contains certificates and any associated private keys.
PFXIsPFXBlob Attempts to decode the outer layer of a BLOB as a PFX packet.
PFXVerifyPassword Attempts to decode the outer layer of a BLOB as a PFX packet and to decrypt it with the given password.

 

Certificate Services Backup and Restore Functions

Certificate Services includes functions for backing up and restoring the Certificate Services database. These Certificate Services backup and restore functions are contained in Certadm.dll. Unlike the other API elements associated with Certificate Services, these functions are not encapsulated in an object that can be used to call class methods. Instead, the backup and restore APIs are called by first loading the Certadm.dll library into memory by calling LoadLibrary and then determining the address of the functions by calling GetProcAddress. When you have finished calling the Certificate Services backup and restore functions, call FreeLibrary to free Certadm.dll resources from memory.

Note

Backup and restore functions provided by Certadm.dll do not backup or restore the Certificate Service's private keys. For information about backing up the Certificate Services private keys, see Backing Up and Restoring the Certificate Services Private Key.

To call the backup and restore functions, you must have backup and restore privileges. For details, see Setting the Backup and Restore Privileges.

 

Note

If CoInitializeEx was previously called in the same thread used to call the Certificate Services backup and restore APIs, the COINIT_APARTMENTTHREADED flag must have been passed to CoInitializeEx. That is, when using the same thread, you cannot call the Certificate Services backup and restore API if the thread has previously passed in the COINIT_MULTITHREADED flag in a call to CoInitializeEx.

 

The Certificate Services Backup APIs are defined in Certbcli.h. However, when you create your program, use Certsrv.h as the include file.

The following APIs are exported by Certadm.dll.

Function Description
CertSrvBackupClose Closes an opened file.
CertSrvBackupEnd Ends a backup session.
CertSrvBackupFree Frees a buffer allocated by the backup and restore APIs.
CertSrvBackupGetBackupLogs Returns a list of log files that need to be backed up.
CertSrvBackupGetDatabaseNames Returns a list of database files that need to be backed up.
CertSrvBackupGetDynamicFileList Retrieves the list of Certificate Services dynamic file names that need to be backed up for the given backup context.
CertSrvBackupOpenFile Opens a file in preparation for backing it up.
CertSrvBackupPrepare Prepares the database for the online backup.
CertSrvBackupRead Reads the contents of an opened file.
CertSrvBackupTruncateLogs Truncates the log files.
CertSrvIsServerOnline Determines whether a Certificate Services server is online (actively running).
CertSrvRestoreEnd Ends a restore session.
CertSrvRestoreGetDatabaseLocations Retrieves database locations (used for both backup and restore scenarios).
CertSrvRestorePrepare Begins a restore session.
CertSrvRestoreRegister Registers a restore operation.
CertSrvRestoreRegisterComplete Completes a previously registered restore operation.
CertSrvRestoreRegisterThroughFile Registers a restore operation.
CertSrvServerControl Sends a control command to the Certificate Services instance.

 

Callback Functions

The callback functions in this section are used to register or install application-defined certificate store providers and to provide related functionality through callback functions. Callback functions are implemented by an application and are called by CryptoAPI functions. Callback functions enable the application to control, in part, the way that CryptoAPI functions manipulate data.

Callback function Use
CertChainFindByIssuerCallback An application-defined callback function that allows the application to filter certificates that might be added to the certificate chain.
CertDllOpenStoreProv Defines the store provider open function.
CertEnumPhysicalStoreCallback Callback function used by the CertEnumPhysicalStore function to format and present information on each physical store found.
CertEnumSystemStoreCallback Callback function used by the CertEnumSystemStore function to format and present information on each physical store found.
CertEnumSystemStoreLocationCallback Callback function used by the CertEnumSystemStoreLocation function to format and present information on each physical store found.
CertStoreProvCloseCallback Determines what happens when an open store's reference count becomes zero.
CertStoreProvControl Allows an application to be notified when there is a difference between the contents of a cached store in use and the contents of that store as it is persisted to storage.
CertStoreProvDeleteCertCallback Determines actions to be taken before a certificate is deleted from a certificate store.
CertStoreProvDeleteCRLCallback Determines actions to be taken before a certificate revocation list (CRL) is deleted from a certificate store.
CertStoreProvDeleteCTL Determines whether a CTL can be deleted.
CertStoreProvFindCert Finds the first, or next, certificate in a store that matches specified criteria.
CertStoreProvFindCRL Finds the first, or next, CRL in a store that matches specified criteria.
CertStoreProvFindCTL Finds the first, or next, CTL in a store that matches specified criteria.
CertStoreProvFreeFindCert Frees a previously found certificate context.
CertStoreProvFreeFindCRL Frees a previously found CRL context.
CertStoreProvFreeFindCTL Frees a previously found CTL context.
CertStoreProvGetCertProperty Retrieves a specified property of a certificate.
CertStoreProvGetCRLProperty Retrieves a specified property of a CRL.
CertStoreProvGetCTLProperty Retrieves a specified property of a CTL.
CertStoreProvReadCertCallback Currently not used but might be exported to future CSPs.
CertStoreProvReadCRLCallback Currently not used but might be exported to future CSPs.
CertStoreProvReadCTL Read the provider's copy of the CTL context, and, if it exists, create a new CTL context.
CertStoreProvSetCertPropertyCallback Determines actions to be taken before a call to CertSetCertificateContextProperty or CertGetCertificateContextProperty.
CertStoreProvSetCRLPropertyCallback Determines actions to be taken before a call to CertSetCRLContextProperty or CertGetCRLContextProperty.
CertStoreProvSetCTLProperty Determines whether a property can be set on a CTL.
CertStoreProvWriteCertCallback Determines actions to be taken before adding a certificate to a store.
CertStoreProvWriteCRLCallback Determines actions to be taken before adding a CRL to a store.
CertStoreProvWriteCTL Determines whether a CTL can be added to the store.
CRYPT_ENUM_KEYID_PROP Callback function used by the CryptEnumKeyIdentifierProperties function.
CRYPT_ENUM_OID_FUNCTION Callback function used by the CryptEnumOIDFunction function.
CRYPT_ENUM_OID_INFO Callback function used by the CryptEnumOIDInfo function.
CryptGetSignerCertificateCallback Callback function used with the CRYPT_VERIFY_MESSAGE_PARA structure to get and verify a message signer's certificate.
PCRYPT_DECRYPT_PRIVATE_KEY_FUNC Callback function used by the CryptImportPKCS8 function.
PCRYPT_ENCRYPT_PRIVATE_KEY_FUNC Callback function used when creating the CRYPT_ENCRYPTED_PRIVATE_KEY_INFO structure.
PCRYPT_RESOLVE_HCRYPTPROV_FUNC Callback function used by the CryptImportPKCS8 function.
PFN_CDF_PARSE_ERROR_CALLBACK A user-defined function called for Catalog Definition Function errors while parsing a catalog definition file (CDF).
PFN_CERT_CREATE_CONTEXT_SORT_FUNC Called for each sorted context entry when a context is created.
PFN_CMSG_CNG_IMPORT_CONTENT_ENCRYPT_KEY A CNG object identifier (OID) installable function for import of an already decrypted content encryption key (CEK).
PFN_CMSG_CNG_IMPORT_KEY_AGREE Imports a content encryption key for a key transport recipient of an enveloped message.
PFN_CMSG_CNG_IMPORT_KEY_TRANS A CNG OID installable function for import and decryption of a key-transport-recipient, encrypted, content encryption key (CEK).
PFN_CMSG_EXPORT_KEY_AGREE Encrypts and exports the content encryption key for a key agreement recipient of an enveloped message.
PFN_CMSG_EXPORT_KEY_TRANS Encrypts and exports the content encryption key for a key transport recipient of an enveloped message.
PFN_CMSG_EXPORT_MAIL_LIST Encrypts and exports the content encryption key for a mailing list recipient of an enveloped message.
PFN_CMSG_GEN_CONTENT_ENCRYPT_KEY Generates the symmetric key used to encrypt content for an enveloped message.
PFN_CMSG_IMPORT_KEY_AGREE Imports a content encryption key for a key transport recipient of an enveloped message.
PFN_CMSG_IMPORT_KEY_TRANS Imports a content encryption key for a key transport recipient of an enveloped message.
PFN_CMSG_IMPORT_MAIL_LIST Imports a content encryption key for a key transport recipient of an enveloped message.
PFN_CRYPT_EXPORT_PUBLIC_KEY_INFO_EX2_FUNC Called by CryptExportPublicKeyInfoEx to export a public key BLOB and encode it.
PFN_CRYPT_EXTRACT_ENCODED_SIGNATURE_PARAMETERS_FUNC Called to decode and return the hash algorithm identifier and optionally the signature parameters.
PFN_CRYPT_SIGN_AND_ENCODE_HASH_FUNC Called to sign and encode a computed hash.
PFN_CRYPT_VERIFY_ENCODED_SIGNATURE_FUNC Called to decrypt an encoded signature and compare it to a computed hash.
PFN_IMPORT_PUBLIC_KEY_INFO_EX2_FUNC Called by CryptImportPublicKeyInfoEx2 to decode the public key algorithm identifier, load the algorithm provider, and import the key pair.
PFNCCERTDISPLAYPROC A user-defined callback function that allows the caller of the CryptUIDlgSelectCertificate function to handle the display of certificates that the user selects to view.
PFNCMFILTERPROC Filters each certificate to decide if it will appear in the certificate selection dialog box displayed by the CertSelectCertificate function.
PFNCMHOOKPROC Called before messages are processed by the certificate selection dialog box produced by the CertSelectCertificate function.

 

Catalog Definition Functions

These functions are used to create a catalog. All of these functions are called by MakeCat.

Function Description
CryptCATCDFClose Closes a catalog definition file and frees the memory for the corresponding CRYPTCATCDF structure.
CryptCATCDFEnumAttributesWithCDFTag Enumerates the attributes of member files in the CatalogFiles section of a CDF.
CryptCATCDFEnumCatAttributes Enumerates catalog-level attributes within the CatalogHeader section of a CDF.
CryptCATCDFEnumMembersByCDFTagEx Enumerates the individual file members in the CatalogFiles section of a CDF.
CryptCATCDFOpen Opens an existing CDF for reading and initializes a CRYPTCATCDF structure.

 

Catalog Functions

These functions are used to manage a catalog.

Function Description
CryptCATAdminAcquireContext Acquires a handle to a catalog administrator context. This handle can be used by subsequent calls to the CryptCATAdminAddCatalog, CryptCATAdminEnumCatalogFromHash, and CryptCATAdminRemoveCatalog functions.
CryptCATAdminAcquireContext2 Acquires a handle to a catalog administrator context for a given hash algorithm and hash policy.
CryptCATAdminAddCatalog Adds a catalog to the catalog database.
CryptCATAdminCalcHashFromFileHandle Calculates the hash for a file.
CryptCATAdminCalcHashFromFileHandle2 Calculates the hash for a file by using the specified algorithm.
CryptCATAdminEnumCatalogFromHash Enumerates the catalogs that contain a specified hash.
CryptCATAdminReleaseCatalogContext Releases a handle to a catalog context previously returned by the CryptCATAdminAddCatalog function.
CryptCATAdminReleaseContext Releases the handle previously assigned by the CryptCATAdminAcquireContext function.
CryptCATAdminRemoveCatalog Deletes a catalog file and removes that catalog's entry from the Windows catalog database.
CryptCATAdminResolveCatalogPath Retrieves the fully qualified path of the specified catalog.
CryptCATCatalogInfoFromContext Retrieves catalog information from a specified catalog context.
CryptCATClose Closes a catalog handle opened previously by the CryptCATOpen function.
CryptCATEnumerateAttr Enumerates the attributes associated with a member of a catalog.
CryptCATEnumerateCatAttr Enumerates the attributes associated with a catalog.
CryptCATEnumerateMember Enumerates the members of a catalog.
CryptCATGetAttrInfo Retrieves information about an attribute of a member of a catalog.
CryptCATGetMemberInfo Retrieves member information from the catalog's PKCS #7. In addition to retrieving the member information for a specified reference tag, this function opens a member context.
CryptCATOpen Opens a catalog, and returns a context handle to the open catalog.
IsCatalogFile Retrieves a Boolean value that indicates whether the specified file is a catalog file.

 

WinTrust Functions

The following functions are used to perform various trust operations.

Function Description
WintrustAddActionID Adds a trust provider action to the user's system.
WintrustGetRegPolicyFlags Retrieves policy flags for a policy provider.
WintrustAddDefaultForUsage Specifies the default usage identifier and callback information for a provider
WintrustGetDefaultForUsage Retrieves the default usage identifier and callback information.
WintrustLoadFunctionPointers Loads function entry points for a specified action GUID.
WintrustRemoveActionID Removes an action added by the WintrustAddActionID function.
WintrustSetDefaultIncludePEPageHashes Sets the default setting that determines whether page hashes are included when creating subject interface package (SIP) indirect data for portable executable files.
WintrustSetRegPolicyFlags Sets policy flags for a policy provider.
WinVerifyTrust Performs a trust verification action on a specified object.
WinVerifyTrustEx Performs a trust verification action on a specified object and takes a pointer to a WINTRUST_DATA structure.
WTHelperCertCheckValidSignature Checks whether a signature is valid.
WTHelperCertFindIssuerCertificate Finds an issuer certificate from the specified certificate stores that matches the specified subject certificate.
WTHelperCertIsSelfSigned Checks whether a certificate is self-signed.
WTHelperGetFileHash Verifies the signature of a signed file and obtains the hash value and algorithm identifier for the file.
WTHelperGetProvCertFromChain Retrieves a trust provider certificate from the certificate chain.
WTHelperGetProvPrivateDataFromChain Receives a CRYPT_PROVIDER_PRIVDATA structure from the chain by using the provider ID.
WTHelperGetProvSignerFromChain Retrieves a signer or countersigner by index from the chain.
WTHelperProvDataFromStateData Retrieves trust provider information from a specified handle.

 

Object Locator Functions

The following callback functions can be implemented by a custom provider that is intended to be called by the Secure Channel (Schannel) security package to retrieve certificates.

Function Description
PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_FLUSH Specifies that an object has changed.
PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_GET Retrieves an object.
PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_RELEASE Releases the provider.
PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_FREE_PASSWORD Releases the password used to encrypt a PFX byte array.
PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_FREE Releases the object returned by the provider.
PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_FREE_IDENTIFIER Releases memory for an object identifier.
PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_INITIALIZE Initializes the provider.