CryptVerifyCertificateSignatureEx function (wincrypt.h)

The CryptVerifyCertificateSignatureEx function verifies the signature of a subject certificate, certificate revocation list, certificate request, or keygen request by using the issuer's public key. The function does not require access to a private key.

Syntax

BOOL CryptVerifyCertificateSignatureEx(
  [in]                HCRYPTPROV_LEGACY hCryptProv,
  [in]                DWORD             dwCertEncodingType,
  [in]                DWORD             dwSubjectType,
  [in]                void              *pvSubject,
  [in]                DWORD             dwIssuerType,
  [in]                void              *pvIssuer,
  [in]                DWORD             dwFlags,
  [in, out, optional] void              *pvExtra
);

Parameters

[in] hCryptProv

This parameter is not used and should be set to NULL.

Windows Server 2003 and Windows XP:  A handle to the cryptographic service provider used to verify the signature.This parameter's data type is HCRYPTPROV.

NULL is passed unless there is a strong reason for passing in a specific cryptographic provider. Passing in NULL causes the default RSA or DSS provider to be acquired.

[in] dwCertEncodingType

The certificate encoding type that was used to encrypt the subject. The message encoding type identifier, contained in the high WORD of this value, is ignored by this function.

This parameter can be the following currently defined certificate encoding type.

Value Meaning
X509_ASN_ENCODING
1 (0x1)
Specifies X.509 certificate encoding.

[in] dwSubjectType

The subject type. This parameter can be one of the following subject types.

Value Meaning
CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB
1 (0x1)
pvSubject is a pointer to a CRYPT_DATA_BLOB structure.
CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT
2 (0x2)
pvSubject is a pointer to a CCERT_CONTEXT structure.
CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL
3 (0x3)
pvSubject is a pointer to a CCRL_CONTEXT structure.
CRYPT_VERIFY_CERT_SIGN_SUBJECT_OCSP_BASIC_SIGNED_RESPONSE
4 (0x4)
pvSubject is a pointer to an OCSP_BASIC_SIGNED_RESPONSE_INFO structure.

Windows Server 2003 and Windows XP:  This subject type is not supported.

[in] pvSubject

A pointer to a structure of the type indicated by dwSubjectType that contains the signature to be verified.

[in] dwIssuerType

The issuer type. This parameter can be one of the following issuer types.

Value Meaning
CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY
1 (0x1)
pvIssuer is a pointer to a CERT_PUBLIC_KEY_INFO structure.
CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT
2 (0x2)
pvIssuer is a pointer to a CCERT_CONTEXT structure.
CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN
3 (0x3)
pvIssuer is a pointer to a CCERT_CHAIN_CONTEXT structure.
CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL
4 (0x4)
pvIssuer must be NULL.
 
Note  If dwIssuerType is CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL and the signature algorithm is a hashing algorithm, the signature is expected to contain only unencrypted hash octets. Only CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL can be specified in this nonencrypted signature case. If any other dwIssuerType is specified, verification fails and GetLastError returns E_INVALIDARG.
 

[in] pvIssuer

A pointer to a structure of the type indicated by the value of dwIssuerType. The structure contains access to the public key needed to verify the signature.

[in] dwFlags

Flags that modify the function behavior. This can be zero or a bitwise OR of the following values.

Value Meaning
CRYPT_VERIFY_CERT_SIGN_DISABLE_MD2_MD4_FLAG
0x00000001
If you set this flag and CryptVerifyCertificateSignatureEx detects an MD2 or MD4 algorithm, the function returns FALSE and sets GetLastError to NTE_BAD_ALGID. The signature is still verified, but this combination of errors enables the caller, now knowing that an MD2 or MD4 algorithm was used, to decide whether to trust or reject the signature.

Windows 8 and Windows Server 2012:  Support for this flag begins.

CRYPT_VERIFY_CERT_SIGN_SET_STRONG_PROPERTIES_FLAG
0x00000002
Sets strong signature properties, after successful verification, on the subject pointed to by the pvSubject parameter.

The following property is set on the certificate context:

  • CERT_SIGN_HASH_CNG_ALG_PROP_ID
The following properties are set on the CRL context:
  • CERT_SIGN_HASH_CNG_ALG_PROP_ID
  • CERT_ISSUER_PUB_KEY_BIT_LENGTH_PROP_ID
Note  This flag is only applicable if CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL is specified in the dwSubjectType parameter.
 
Windows 8 and Windows Server 2012:  Support for this flag begins.
CRYPT_VERIFY_CERT_SIGN_RETURN_STRONG_PROPERTIES_FLAG
0x00000004
Returns a pointer to a CRYPT_VERIFY_CERT_SIGN_STRONG_PROPERTIES_INFO structure in the pvExtra parameter. The structure contains the length, in bits, of the public key and the names of the signing and hashing algorithms used.

You must call CryptMemFree to free the structure. If memory cannot be allocated for the CRYPT_VERIFY_CERT_SIGN_STRONG_PROPERTIES_INFO structure, this function returns successfully but sets the pvExtra parameter to NULL.

Note  This flag is only applicable if CRYPT_VERIFY_CERT_SIGN_SUBJECT_OCSP_BASIC_SIGNED_RESPONSE is specified in the dwSubjectType parameter.
 
Windows 8 and Windows Server 2012:  Support for this flag begins.

[in, out, optional] pvExtra

Pointer to a CRYPT_VERIFY_CERT_SIGN_STRONG_PROPERTIES_INFO structure if the dwFlags parameter is set to CRYPT_VERIFY_CERT_SIGN_RETURN_STRONG_PROPERTIES_FLAG.

You must call CryptMemFree to free the structure.

Return value

Returns nonzero if successful or zero otherwise.

For extended error information, call GetLastError.

Note  Errors from the called functions CryptCreateHash, CryptImportKey, CryptVerifySignature, and CryptHashData may be propagated to this function.
 
On failure, this function will cause the following error codes to be returned from GetLastError.
Return code Description
ERROR_FILE_NOT_FOUND
Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported.
NTE_BAD_ALGID
The signature algorithm's object identifier (OID) does not map to a known or supported hash algorithm.
NTE_BAD_SIGNATURE
The signature was not valid.
 

If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information about these errors, see ASN.1 Encoding/Decoding Return Values.

Remarks

The subject buffer can contain an encoded BLOB or a context for a certificate or CRL. In the case of a certificate context, if the certificate's public key parameters are missing and if these parameters can be inherited from the certificate's issuer for example from the DSS public key parameter, the context's CERT_PUBKEY_ALG_PARA_PROP_ID property is updated with the issuer's public key algorithm parameters for a valid signature.

Requirements

Requirement Value
Minimum supported client Windows XP [desktop apps only]
Minimum supported server Windows Server 2003 [desktop apps only]
Target Platform Windows
Header wincrypt.h
Library Crypt32.lib
DLL Crypt32.dll

See also

CryptVerifyCertificateSignature