Headers diff for wintrust.dll between 6.3.9600.17415-Windows 8.1 and 10.0.10586.0-Windows 10 1511 10586.494 versions



 mscat.h (6.3.9600.17415-Windows 8.1)   mscat.h (10.0.10586.0-Windows 10 1511 10586.494) 
skipping to change at line 24 skipping to change at line 24
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#ifndef MSCAT_H #ifndef MSCAT_H
#define MSCAT_H #define MSCAT_H
#if _MSC_VER > 1000 #if _MSC_VER > 1000
#pragma once #pragma once
#endif #endif
#include <winapifamily.h> #include <winapifamily.h>
#pragma region Desktop Family #pragma region Desktop Family or Wintrust Package
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) #if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP | WINAPI_PARTITION_PKG_WINT
RUST)
#include "mssip.h" #include "mssip.h"
#ifdef __cplusplus #ifdef __cplusplus
extern "C" extern "C"
{ {
#endif #endif
///////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////
// //
skipping to change at line 980 skipping to change at line 980
// to NULL. Set fResume to FALSE when pausing the catalog service, and // to NULL. Set fResume to FALSE when pausing the catalog service, and
// set it to TRUE to resume service. // set it to TRUE to resume service.
// //
extern BOOL WINAPI CryptCATAdminPauseServiceForBackup(IN DWORD dwFlags, extern BOOL WINAPI CryptCATAdminPauseServiceForBackup(IN DWORD dwFlags,
IN BOOL fResume); IN BOOL fResume);
#ifdef __cplusplus #ifdef __cplusplus
} }
#endif #endif
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) */ #endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP | WINAPI_PARTITION_PK G_WINTRUST) */
#pragma endregion #pragma endregion
#endif // MSCAT_H #endif // MSCAT_H
 End of changes. 2 change blocks. 
3 lines changed or deleted 4 lines changed or added
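Review bot: The widened guard `#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP | WINAPI_PARTITION_PKG_WINTRUST)` now lets a PKG_WINTRUST build reach the `#include "mssip.h"` and the `CryptCATAdminPauseServiceForBackup` prototype inside it, but nothing in this diff shows mssip.h (or whatever it pulls in for BOOL/DWORD/WINAPI) being opened to the same partition, so if those headers stay desktop-only the prototypes here would refer to types that are never declared under that partition. Presumably that was checked when the partition was added, but the header gives the next maintainer no hint that the two guards must move together; a one-line comment above the `#if`, such as `// The partition set here must match the one guarding mssip.h; keep in sync`, would make the coupling explicit. The closing `#endif /* ... */` comment was correctly updated to mirror the new expression, which is the part that most often drifts. The `extern "C"` block and the declarations between the two change blocks are outside the shown hunks, so only the guard lines themselves were reviewed.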


 wincrypt.h (6.3.9600.17415-Windows 8.1)   wincrypt.h (10.0.10586.0-Windows 10 1511 10586.494) 
skipping to change at line 22 skipping to change at line 22
#ifndef __WINCRYPT_H__ #ifndef __WINCRYPT_H__
#define __WINCRYPT_H__ #define __WINCRYPT_H__
#include <specstrings.h> /* for SAL annotations */ #include <specstrings.h> /* for SAL annotations */
#if defined (_MSC_VER) #if defined (_MSC_VER)
#if ( _MSC_VER >= 800 ) #if ( _MSC_VER >= 800 )
#if _MSC_VER >= 1200 #if _MSC_VER >= 1200
#pragma warning(push) #pragma warning(push)
#pragma warning(disable:4668) /* #if not_defined treated as #if 0 */
#pragma warning(disable:4820) /* padding added after data member */
#endif #endif
#pragma warning(disable:4201) /* Nameless struct/union */ #pragma warning(disable:4201) /* Nameless struct/union */
#endif #endif
#if (_MSC_VER > 1020) #if (_MSC_VER > 1020)
#pragma once #pragma once
#endif #endif
#endif #endif
#include <winapifamily.h> #include <winapifamily.h>
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {
#endif #endif
#pragma region Desktop Family /*
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) * The relationship between partitions and families (from: winapifamily.h)
*
* The mapping between families and partitions is summarized here.
* An X indicates that the given partition is active for the given
* platform/family.
*
* +-------------------+
* | *Partition* |
* +---+---+---+---+---+
* | | | | P | |
* | | | | H | |
* | D | | | O | O |
* | E | | P | N | N |
* | S | | C | E | E |
* | K | | _ | _ | C |
* | T | A | A | A | O |
* +-------------------------+-+ O | P | P | P | R |
* | *Platform/Family* \| P | P | P | P | E |
* +---------------------------+---+---+---+---+---+
* | WINAPI_FAMILY_DESKTOP_APP | X | X | X | | |
* +---------------------------+---+---+---+---+---+
* | WINAPI_FAMILY_PC_APP | | X | X | | |
* +---------------------------+---+---+---+---+---+
* | WINAPI_FAMILY_PHONE_APP | | X | | X | |
* +---------------------------+---+---+---+---+---+
* | WINAPI_FAMILY_ONECORE_APP | | | | | X |
* +---------------------------+---+---+---+---+---+
*
* The table above is encoded in the following expressions,
* each of which evaluates to 1 or 0.
*
* Whenever a new family is added, all of these expressions
* need to be reconsidered.
*/
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
#ifndef _HRESULT_DEFINED #ifndef _HRESULT_DEFINED
#define _HRESULT_DEFINED #define _HRESULT_DEFINED
typedef _Return_type_success_(return >= 0) long HRESULT; typedef _Return_type_success_(return >= 0) long HRESULT;
#endif #endif
#ifndef WINADVAPI #ifndef WINADVAPI
#define WINADVAPI #define WINADVAPI
#endif #endif
skipping to change at line 981 skipping to change at line 1019
typedef struct _CRYPT_AES_256_KEY_STATE { typedef struct _CRYPT_AES_256_KEY_STATE {
unsigned char Key[32]; unsigned char Key[32];
unsigned char IV[16]; unsigned char IV[16];
unsigned char EncryptionState[15][16]; // 14 rounds + 1 unsigned char EncryptionState[15][16]; // 14 rounds + 1
unsigned char DecryptionState[15][16]; unsigned char DecryptionState[15][16];
unsigned char Feedback[16]; unsigned char Feedback[16];
} CRYPT_AES_256_KEY_STATE, *PCRYPT_AES_256_KEY_STATE; } CRYPT_AES_256_KEY_STATE, *PCRYPT_AES_256_KEY_STATE;
#endif //(NTDDI_VERSION >= NTDDI_VISTA) #endif //(NTDDI_VERSION >= NTDDI_VISTA)
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) */
#pragma endregion
#pragma region Application Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// CRYPTOAPI BLOB definitions // CRYPTOAPI BLOB definitions
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
// certenrolls_begin -- *_BLOB // certenrolls_begin -- *_BLOB
#ifndef CRYPTO_BLOBS_DEFINED #ifndef CRYPTO_BLOBS_DEFINED
#define CRYPTO_BLOBS_DEFINED #define CRYPTO_BLOBS_DEFINED
typedef struct _CRYPTOAPI_BLOB { typedef struct _CRYPTOAPI_BLOB {
DWORD cbData; DWORD cbData;
_Field_size_bytes_(cbData) BYTE *pbData; _Field_size_bytes_(cbData) BYTE *pbData;
} CRYPT_INTEGER_BLOB, *PCRYPT_INTEGER_BLOB, } CRYPT_INTEGER_BLOB, *PCRYPT_INTEGER_BLOB,
skipping to change at line 1012 skipping to change at line 1044
CRL_BLOB, *PCRL_BLOB, CRL_BLOB, *PCRL_BLOB,
DATA_BLOB, *PDATA_BLOB, DATA_BLOB, *PDATA_BLOB,
CRYPT_DATA_BLOB, *PCRYPT_DATA_BLOB, CRYPT_DATA_BLOB, *PCRYPT_DATA_BLOB,
CRYPT_HASH_BLOB, *PCRYPT_HASH_BLOB, CRYPT_HASH_BLOB, *PCRYPT_HASH_BLOB,
CRYPT_DIGEST_BLOB, *PCRYPT_DIGEST_BLOB, CRYPT_DIGEST_BLOB, *PCRYPT_DIGEST_BLOB,
CRYPT_DER_BLOB, *PCRYPT_DER_BLOB, CRYPT_DER_BLOB, *PCRYPT_DER_BLOB,
CRYPT_ATTR_BLOB, *PCRYPT_ATTR_BLOB; CRYPT_ATTR_BLOB, *PCRYPT_ATTR_BLOB;
#endif #endif
// certenrolls_end // certenrolls_end
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) */
#pragma endregion
#pragma region Desktop Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
// structure for use with CryptSetKeyParam for CMS keys // structure for use with CryptSetKeyParam for CMS keys
typedef struct _CMS_DH_KEY_INFO { typedef struct _CMS_DH_KEY_INFO {
DWORD dwVersion; // sizeof(CMS_DH_KEY_INF O) DWORD dwVersion; // sizeof(CMS_DH_KEY_INF O)
ALG_ID Algid; // algorithmm id for the key to be converted ALG_ID Algid; // algorithmm id for the key to be converted
LPSTR pszContentEncObjId; // pointer to OID to hash in with Z LPSTR pszContentEncObjId; // pointer to OID to hash in with Z
CRYPT_DATA_BLOB PubInfo; // OPTIONAL - public information CRYPT_DATA_BLOB PubInfo; // OPTIONAL - public information
void *pReserved; // reserved - should be NULL void *pReserved; // reserved - should be NULL
} CMS_DH_KEY_INFO, *PCMS_DH_KEY_INFO; } CMS_DH_KEY_INFO, *PCMS_DH_KEY_INFO;
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
) */
#pragma endregion
#pragma region Desktop Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED)
#if (NTDDI_VERSION >= NTDDI_VISTA) #if (NTDDI_VERSION >= NTDDI_VISTA)
WINADVAPI WINADVAPI
BOOL BOOL
WINAPI WINAPI
CryptAcquireContextA( CryptAcquireContextA(
_Out_ HCRYPTPROV *phProv, _Out_ HCRYPTPROV *phProv,
_In_opt_ LPCSTR szContainer, _In_opt_ LPCSTR szContainer,
_In_opt_ LPCSTR szProvider, _In_opt_ LPCSTR szProvider,
_In_ DWORD dwProvType, _In_ DWORD dwProvType,
_In_ DWORD dwFlags _In_ DWORD dwFlags
skipping to change at line 1109 skipping to change at line 1141
#endif //(NTDDI_VERSION < NTDDI_WINXP) #endif //(NTDDI_VERSION < NTDDI_WINXP)
#if (NTDDI_VERSION < NTDDI_VISTA) #if (NTDDI_VERSION < NTDDI_VISTA)
#ifdef UNICODE #ifdef UNICODE
#define CryptAcquireContext CryptAcquireContextW #define CryptAcquireContext CryptAcquireContextW
#else #else
#define CryptAcquireContext CryptAcquireContextA #define CryptAcquireContext CryptAcquireContextA
#endif // !UNICODE #endif // !UNICODE
#endif //(NTDDI_VERSION < NTDDI_VISTA) #endif //(NTDDI_VERSION < NTDDI_VISTA)
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED) */
#pragma endregion
#pragma region Application Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
#if (NTDDI_VERSION >= NTDDI_WINXP) #if (NTDDI_VERSION >= NTDDI_WINXP)
WINADVAPI WINADVAPI
BOOL BOOL
WINAPI WINAPI
CryptReleaseContext( CryptReleaseContext(
_In_ HCRYPTPROV hProv, _In_ HCRYPTPROV hProv,
_In_ DWORD dwFlags _In_ DWORD dwFlags
); );
#endif //(NTDDI_VERSION >= NTDDI_WINXP) #endif //(NTDDI_VERSION >= NTDDI_WINXP)
#if (NTDDI_VERSION < NTDDI_WINXP) #if (NTDDI_VERSION < NTDDI_WINXP)
WINADVAPI WINADVAPI
BOOL BOOL
WINAPI WINAPI
CryptReleaseContext( CryptReleaseContext(
HCRYPTPROV hProv, HCRYPTPROV hProv,
ULONG_PTR dwFlags ULONG_PTR dwFlags
); );
skipping to change at line 1129 skipping to change at line 1169
#if (NTDDI_VERSION < NTDDI_WINXP) #if (NTDDI_VERSION < NTDDI_WINXP)
WINADVAPI WINADVAPI
BOOL BOOL
WINAPI WINAPI
CryptReleaseContext( CryptReleaseContext(
HCRYPTPROV hProv, HCRYPTPROV hProv,
ULONG_PTR dwFlags ULONG_PTR dwFlags
); );
#endif //(NTDDI_VERSION < NTDDI_WINXP) #endif //(NTDDI_VERSION < NTDDI_WINXP)
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)*/
#pragma endregion
#pragma region Desktop Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED)
WINADVAPI WINADVAPI
BOOL BOOL
WINAPI WINAPI
CryptGenKey( CryptGenKey(
_In_ HCRYPTPROV hProv, _In_ HCRYPTPROV hProv,
_In_ ALG_ID Algid, _In_ ALG_ID Algid,
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_Out_ HCRYPTKEY *phKey _Out_ HCRYPTKEY *phKey
); );
skipping to change at line 1914 skipping to change at line 1960
// encryption provider. // encryption provider.
// //
BOOL BOOL
__cdecl __cdecl
GetEncSChannel( GetEncSChannel(
_Outptr_result_buffer_(*dwDecSize) BYTE **pData, _Outptr_result_buffer_(*dwDecSize) BYTE **pData,
_Out_ DWORD *dwDecSize _Out_ DWORD *dwDecSize
); );
#endif //(NTDDI_VERSION >= NTDDI_WS03) #endif //(NTDDI_VERSION >= NTDDI_WS03)
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) */ #endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON E_RESTRICTED) */
#pragma endregion #pragma endregion
#if !defined(_DDK_DRIVER_) #if !defined(_DDK_DRIVER_)
#pragma region Desktop Family #pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) #if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
// In Vista, the following APIs were updated to support the new // In Vista, the following APIs were updated to support the new
// CNG (Cryptography Next Generation) BCrypt* and NCrypt* APIs in addition // CNG (Cryptography Next Generation) BCrypt* and NCrypt* APIs in addition
// to the above CAPI1 APIs. // to the above CAPI1 APIs.
// Include the definitions for the CNG APIs // Include the definitions for the CNG APIs
#include <bcrypt.h> #include <bcrypt.h>
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) */ #endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion #pragma endregion
#pragma region Application Family #pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) #if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
#include <ncrypt.h> #include <ncrypt.h>
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) */
#pragma endregion
#pragma region Desktop Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
// This type is used when the API can take either the CAPI1 HCRYPTPROV or // This type is used when the API can take either the CAPI1 HCRYPTPROV or
// the CNG NCRYPT_KEY_HANDLE. Where appropriate, the HCRYPTPROV will be // the CNG NCRYPT_KEY_HANDLE. Where appropriate, the HCRYPTPROV will be
// converted to a NCRYPT_KEY_HANDLE via the CNG NCryptTranslateHandle(). // converted to a NCRYPT_KEY_HANDLE via the CNG NCryptTranslateHandle().
typedef ULONG_PTR HCRYPTPROV_OR_NCRYPT_KEY_HANDLE; typedef ULONG_PTR HCRYPTPROV_OR_NCRYPT_KEY_HANDLE;
// This type is used where the HCRYPTPROV parameter is no longer used. // This type is used where the HCRYPTPROV parameter is no longer used.
// The caller should always pass in NULL. // The caller should always pass in NULL.
typedef ULONG_PTR HCRYPTPROV_LEGACY; typedef ULONG_PTR HCRYPTPROV_LEGACY;
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) */
#pragma endregion
#pragma region Application Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// In a CRYPT_BIT_BLOB the last byte may contain 0-7 unused bits. Therefore, th e // In a CRYPT_BIT_BLOB the last byte may contain 0-7 unused bits. Therefore, th e
// overall bit length is cbData * 8 - cUnusedBits. // overall bit length is cbData * 8 - cUnusedBits.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
// certenrolls_begin -- CERT_CONTEXT // certenrolls_begin -- CERT_CONTEXT
typedef struct _CRYPT_BIT_BLOB { typedef struct _CRYPT_BIT_BLOB {
DWORD cbData; DWORD cbData;
BYTE *pbData; BYTE *pbData;
DWORD cUnusedBits; DWORD cUnusedBits;
} CRYPT_BIT_BLOB, *PCRYPT_BIT_BLOB; } CRYPT_BIT_BLOB, *PCRYPT_BIT_BLOB;
skipping to change at line 1981 skipping to change at line 2015
// //
// Where the Parameters CRYPT_OBJID_BLOB is in its encoded representation. For most // Where the Parameters CRYPT_OBJID_BLOB is in its encoded representation. For most
// algorithm types, the Parameters CRYPT_OBJID_BLOB is NULL (Parameters.cbData = 0). // algorithm types, the Parameters CRYPT_OBJID_BLOB is NULL (Parameters.cbData = 0).
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
typedef struct _CRYPT_ALGORITHM_IDENTIFIER { typedef struct _CRYPT_ALGORITHM_IDENTIFIER {
LPSTR pszObjId; LPSTR pszObjId;
CRYPT_OBJID_BLOB Parameters; CRYPT_OBJID_BLOB Parameters;
} CRYPT_ALGORITHM_IDENTIFIER, *PCRYPT_ALGORITHM_IDENTIFIER; } CRYPT_ALGORITHM_IDENTIFIER, *PCRYPT_ALGORITHM_IDENTIFIER;
// certenrolls_end // certenrolls_end
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) */
#pragma endregion
#pragma region Desktop Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
// Following are the definitions of various algorithm object identifiers // Following are the definitions of various algorithm object identifiers
// RSA // RSA
#define szOID_RSA "1.2.840.113549" #define szOID_RSA "1.2.840.113549"
#define szOID_PKCS "1.2.840.113549.1" #define szOID_PKCS "1.2.840.113549.1"
#define szOID_RSA_HASH "1.2.840.113549.2" #define szOID_RSA_HASH "1.2.840.113549.2"
#define szOID_RSA_ENCRYPT "1.2.840.113549.3" #define szOID_RSA_ENCRYPT "1.2.840.113549.3"
#define szOID_PKCS_1 "1.2.840.113549.1.1" #define szOID_PKCS_1 "1.2.840.113549.1.1"
#define szOID_PKCS_2 "1.2.840.113549.1.2" #define szOID_PKCS_2 "1.2.840.113549.1.2"
#define szOID_PKCS_3 "1.2.840.113549.1.3" #define szOID_PKCS_3 "1.2.840.113549.1.3"
skipping to change at line 2080 skipping to change at line 2108
// iso(1) member-body(2) us(840) 10045 curves(3) prime(1) 7 // iso(1) member-body(2) us(840) 10045 curves(3) prime(1) 7
#define szOID_ECC_CURVE_P256 "1.2.840.10045.3.1.7" #define szOID_ECC_CURVE_P256 "1.2.840.10045.3.1.7"
// iso(1) identified-organization(3) certicom(132) curve(0) 34 // iso(1) identified-organization(3) certicom(132) curve(0) 34
#define szOID_ECC_CURVE_P384 "1.3.132.0.34" #define szOID_ECC_CURVE_P384 "1.3.132.0.34"
// iso(1) identified-organization(3) certicom(132) curve(0) 35 // iso(1) identified-organization(3) certicom(132) curve(0) 35
#define szOID_ECC_CURVE_P521 "1.3.132.0.35" #define szOID_ECC_CURVE_P521 "1.3.132.0.35"
//
// Generic ECC Curve OIDS
//
#define szOID_ECC_CURVE_BRAINPOOLP160R1 "1.3.36.3.3.2.8.1.1.1"
#define szOID_ECC_CURVE_BRAINPOOLP160T1 "1.3.36.3.3.2.8.1.1.2"
#define szOID_ECC_CURVE_BRAINPOOLP192R1 "1.3.36.3.3.2.8.1.1.3"
#define szOID_ECC_CURVE_BRAINPOOLP192T1 "1.3.36.3.3.2.8.1.1.4"
#define szOID_ECC_CURVE_BRAINPOOLP224R1 "1.3.36.3.3.2.8.1.1.5"
#define szOID_ECC_CURVE_BRAINPOOLP224T1 "1.3.36.3.3.2.8.1.1.6"
#define szOID_ECC_CURVE_BRAINPOOLP256R1 "1.3.36.3.3.2.8.1.1.7"
#define szOID_ECC_CURVE_BRAINPOOLP256T1 "1.3.36.3.3.2.8.1.1.8"
#define szOID_ECC_CURVE_BRAINPOOLP320R1 "1.3.36.3.3.2.8.1.1.9"
#define szOID_ECC_CURVE_BRAINPOOLP320T1 "1.3.36.3.3.2.8.1.1.10"
#define szOID_ECC_CURVE_BRAINPOOLP384R1 "1.3.36.3.3.2.8.1.1.11"
#define szOID_ECC_CURVE_BRAINPOOLP384T1 "1.3.36.3.3.2.8.1.1.12"
#define szOID_ECC_CURVE_BRAINPOOLP512R1 "1.3.36.3.3.2.8.1.1.13"
#define szOID_ECC_CURVE_BRAINPOOLP512T1 "1.3.36.3.3.2.8.1.1.14"
#define szOID_ECC_CURVE_EC192WAPI "1.2.156.11235.1.1.2.1"
#define szOID_ECC_CURVE_NISTP192 "1.2.840.10045.3.1.1"
#define szOID_ECC_CURVE_NISTP224 "1.3.132.0.33"
#define szOID_ECC_CURVE_NISTP256 szOID_ECC_CURVE_P256
#define szOID_ECC_CURVE_NISTP384 szOID_ECC_CURVE_P384
#define szOID_ECC_CURVE_NISTP521 szOID_ECC_CURVE_P521
#define szOID_ECC_CURVE_SECP160K1 "1.3.132.0.9"
#define szOID_ECC_CURVE_SECP160R1 "1.3.132.0.8"
#define szOID_ECC_CURVE_SECP160R2 "1.3.132.0.30"
#define szOID_ECC_CURVE_SECP192K1 "1.3.132.0.31"
#define szOID_ECC_CURVE_SECP192R1 szOID_ECC_CURVE_NISTP192
#define szOID_ECC_CURVE_SECP224K1 "1.3.132.0.32"
#define szOID_ECC_CURVE_SECP224R1 szOID_ECC_CURVE_NISTP224
#define szOID_ECC_CURVE_SECP256K1 "1.3.132.0.10"
#define szOID_ECC_CURVE_SECP256R1 szOID_ECC_CURVE_P256
#define szOID_ECC_CURVE_SECP384R1 szOID_ECC_CURVE_P384
#define szOID_ECC_CURVE_SECP521R1 szOID_ECC_CURVE_P521
#define szOID_ECC_CURVE_WTLS7 szOID_ECC_CURVE_SECP160R2
#define szOID_ECC_CURVE_WTLS9 "2.23.43.1.4.9"
#define szOID_ECC_CURVE_WTLS12 szOID_ECC_CURVE_NISTP224
#define szOID_ECC_CURVE_X962P192V1 "1.2.840.10045.3.1.1"
#define szOID_ECC_CURVE_X962P192V2 "1.2.840.10045.3.1.2"
#define szOID_ECC_CURVE_X962P192V3 "1.2.840.10045.3.1.3"
#define szOID_ECC_CURVE_X962P239V1 "1.2.840.10045.3.1.4"
#define szOID_ECC_CURVE_X962P239V2 "1.2.840.10045.3.1.5"
#define szOID_ECC_CURVE_X962P239V3 "1.2.840.10045.3.1.6"
#define szOID_ECC_CURVE_X962P256V1 szOID_ECC_CURVE_P256
// iso(1) member-body(2) us(840) 10045 signatures(4) sha1(1) // iso(1) member-body(2) us(840) 10045 signatures(4) sha1(1)
#define szOID_ECDSA_SHA1 "1.2.840.10045.4.1" #define szOID_ECDSA_SHA1 "1.2.840.10045.4.1"
// iso(1) member-body(2) us(840) 10045 signatures(4) specified(3) // iso(1) member-body(2) us(840) 10045 signatures(4) specified(3)
#define szOID_ECDSA_SPECIFIED "1.2.840.10045.4.3" #define szOID_ECDSA_SPECIFIED "1.2.840.10045.4.3"
// iso(1) member-body(2) us(840) 10045 signatures(4) specified(3) 2 // iso(1) member-body(2) us(840) 10045 signatures(4) specified(3) 2
#define szOID_ECDSA_SHA256 "1.2.840.10045.4.3.2" #define szOID_ECDSA_SHA256 "1.2.840.10045.4.3.2"
// iso(1) member-body(2) us(840) 10045 signatures(4) specified(3) 3 // iso(1) member-body(2) us(840) 10045 signatures(4) specified(3) 3
skipping to change at line 2222 skipping to change at line 2300
} CRYPT_OBJID_TABLE, *PCRYPT_OBJID_TABLE; } CRYPT_OBJID_TABLE, *PCRYPT_OBJID_TABLE;
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// PKCS #1 HashInfo (DigestInfo) // PKCS #1 HashInfo (DigestInfo)
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
typedef struct _CRYPT_HASH_INFO { typedef struct _CRYPT_HASH_INFO {
CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm; CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
CRYPT_HASH_BLOB Hash; CRYPT_HASH_BLOB Hash;
} CRYPT_HASH_INFO, *PCRYPT_HASH_INFO; } CRYPT_HASH_INFO, *PCRYPT_HASH_INFO;
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) */
#pragma endregion
#pragma region Application Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Type used for an extension to an encoded content // Type used for an extension to an encoded content
// //
// Where the Value's CRYPT_OBJID_BLOB is in its encoded representation. // Where the Value's CRYPT_OBJID_BLOB is in its encoded representation.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
// certenrolls_begin -- CERT_CONTEXT // certenrolls_begin -- CERT_CONTEXT
typedef struct _CERT_EXTENSION { typedef struct _CERT_EXTENSION {
LPSTR pszObjId; LPSTR pszObjId;
BOOL fCritical; BOOL fCritical;
CRYPT_OBJID_BLOB Value; CRYPT_OBJID_BLOB Value;
} CERT_EXTENSION, *PCERT_EXTENSION; } CERT_EXTENSION, *PCERT_EXTENSION;
typedef const CERT_EXTENSION* PCCERT_EXTENSION; typedef const CERT_EXTENSION* PCCERT_EXTENSION;
// certenrolls_end // certenrolls_end
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) */
#pragma endregion
#pragma region Desktop Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// AttributeTypeValue // AttributeTypeValue
// //
// Where the Value's CRYPT_OBJID_BLOB is in its encoded representation. // Where the Value's CRYPT_OBJID_BLOB is in its encoded representation.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
// certenrolls_begin -- CRYPT_ATTRIBUTE_TYPE_VALUE // certenrolls_begin -- CRYPT_ATTRIBUTE_TYPE_VALUE
typedef struct _CRYPT_ATTRIBUTE_TYPE_VALUE { typedef struct _CRYPT_ATTRIBUTE_TYPE_VALUE {
LPSTR pszObjId; LPSTR pszObjId;
CRYPT_OBJID_BLOB Value; CRYPT_OBJID_BLOB Value;
} CRYPT_ATTRIBUTE_TYPE_VALUE, *PCRYPT_ATTRIBUTE_TYPE_VALUE; } CRYPT_ATTRIBUTE_TYPE_VALUE, *PCRYPT_ATTRIBUTE_TYPE_VALUE;
skipping to change at line 2496 skipping to change at line 2562
// Name attribute value without the Object Identifier // Name attribute value without the Object Identifier
// //
// The interpretation of the Value depends on the dwValueType. // The interpretation of the Value depends on the dwValueType.
// See above for a list of the types. // See above for a list of the types.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
typedef struct _CERT_NAME_VALUE { typedef struct _CERT_NAME_VALUE {
DWORD dwValueType; DWORD dwValueType;
CERT_RDN_VALUE_BLOB Value; CERT_RDN_VALUE_BLOB Value;
} CERT_NAME_VALUE, *PCERT_NAME_VALUE; } CERT_NAME_VALUE, *PCERT_NAME_VALUE;
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) */
#pragma endregion
#pragma region Application Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Public Key Info // Public Key Info
// //
// The PublicKey is the encoded representation of the information as it is // The PublicKey is the encoded representation of the information as it is
// stored in the bit string // stored in the bit string
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
// certenrolls_begin -- CERT_CONTEXT // certenrolls_begin -- CERT_CONTEXT
typedef struct _CERT_PUBLIC_KEY_INFO { typedef struct _CERT_PUBLIC_KEY_INFO {
CRYPT_ALGORITHM_IDENTIFIER Algorithm; CRYPT_ALGORITHM_IDENTIFIER Algorithm;
CRYPT_BIT_BLOB PublicKey; CRYPT_BIT_BLOB PublicKey;
} CERT_PUBLIC_KEY_INFO, *PCERT_PUBLIC_KEY_INFO; } CERT_PUBLIC_KEY_INFO, *PCERT_PUBLIC_KEY_INFO;
// certenrolls_end // certenrolls_end
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) */
#pragma endregion
#pragma region Desktop Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
#define CERT_RSA_PUBLIC_KEY_OBJID szOID_RSA_RSA #define CERT_RSA_PUBLIC_KEY_OBJID szOID_RSA_RSA
#define CERT_DEFAULT_OID_PUBLIC_KEY_SIGN szOID_RSA_RSA #define CERT_DEFAULT_OID_PUBLIC_KEY_SIGN szOID_RSA_RSA
#define CERT_DEFAULT_OID_PUBLIC_KEY_XCHG szOID_RSA_RSA #define CERT_DEFAULT_OID_PUBLIC_KEY_XCHG szOID_RSA_RSA
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// ECC Private Key Info // ECC Private Key Info
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
typedef struct _CRYPT_ECC_PRIVATE_KEY_INFO{ typedef struct _CRYPT_ECC_PRIVATE_KEY_INFO{
DWORD dwVersion; // ecPrivKeyVer1(1) DWORD dwVersion; // ecPrivKeyVer1(1)
CRYPT_DER_BLOB PrivateKey; // d CRYPT_DER_BLOB PrivateKey; // d
skipping to change at line 2652 skipping to change at line 2706
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
typedef struct _CRYPT_PKCS8_EXPORT_PARAMS{ typedef struct _CRYPT_PKCS8_EXPORT_PARAMS{
HCRYPTPROV hCryptProv; HCRYPTPROV hCryptProv;
DWORD dwKeySpec; DWORD dwKeySpec;
LPSTR pszPrivateKeyObjId; LPSTR pszPrivateKeyObjId;
PCRYPT_ENCRYPT_PRIVATE_KEY_FUNC pEncryptPrivateKeyFunc; PCRYPT_ENCRYPT_PRIVATE_KEY_FUNC pEncryptPrivateKeyFunc;
LPVOID pVoidEncryptFunc; LPVOID pVoidEncryptFunc;
} CRYPT_PKCS8_EXPORT_PARAMS, *PCRYPT_PKCS8_EXPORT_PARAMS; } CRYPT_PKCS8_EXPORT_PARAMS, *PCRYPT_PKCS8_EXPORT_PARAMS;
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) */
#pragma endregion
#pragma region Application Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Information stored in a certificate // Information stored in a certificate
// //
// The Issuer, Subject, Algorithm, PublicKey and Extension BLOBs are the // The Issuer, Subject, Algorithm, PublicKey and Extension BLOBs are the
// encoded representation of the information. // encoded representation of the information.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
// certenrolls_begin -- CERT_CONTEXT // certenrolls_begin -- CERT_CONTEXT
typedef struct _CERT_INFO { typedef struct _CERT_INFO {
DWORD dwVersion; DWORD dwVersion;
CRYPT_INTEGER_BLOB SerialNumber; CRYPT_INTEGER_BLOB SerialNumber;
skipping to change at line 2681 skipping to change at line 2729
FILETIME NotAfter; FILETIME NotAfter;
CERT_NAME_BLOB Subject; CERT_NAME_BLOB Subject;
CERT_PUBLIC_KEY_INFO SubjectPublicKeyInfo; CERT_PUBLIC_KEY_INFO SubjectPublicKeyInfo;
CRYPT_BIT_BLOB IssuerUniqueId; CRYPT_BIT_BLOB IssuerUniqueId;
CRYPT_BIT_BLOB SubjectUniqueId; CRYPT_BIT_BLOB SubjectUniqueId;
DWORD cExtension; DWORD cExtension;
PCERT_EXTENSION rgExtension; PCERT_EXTENSION rgExtension;
} CERT_INFO, *PCERT_INFO; } CERT_INFO, *PCERT_INFO;
// certenrolls_end // certenrolls_end
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) */
#pragma endregion
#pragma region Desktop Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Certificate versions // Certificate versions
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#define CERT_V1 0 #define CERT_V1 0
#define CERT_V2 1 #define CERT_V2 1
#define CERT_V3 2 #define CERT_V3 2
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Certificate Information Flags // Certificate Information Flags
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
skipping to change at line 3411 skipping to change at line 3453
#define X509_ECC_PRIVATE_KEY ((LPCSTR) 82) // CRYPT_ECC_PRIVATE _KEY_INFO #define X509_ECC_PRIVATE_KEY ((LPCSTR) 82) // CRYPT_ECC_PRIVATE _KEY_INFO
#define CNG_RSA_PRIVATE_KEY_BLOB ((LPCSTR) 83) // BCRYPT_RSAKEY_BLO B #define CNG_RSA_PRIVATE_KEY_BLOB ((LPCSTR) 83) // BCRYPT_RSAKEY_BLO B
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Subject Directory Attributes extension // Subject Directory Attributes extension
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#define X509_SUBJECT_DIR_ATTRS ((LPCSTR) 84) #define X509_SUBJECT_DIR_ATTRS ((LPCSTR) 84)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Generic ECC Parameters
//--------------------------------------------------------------------------
#define X509_ECC_PARAMETERS ((LPCSTR) 85)
//+-------------------------------------------------------------------------
// Predefined PKCS #7 data structures that can be encoded / decoded. // Predefined PKCS #7 data structures that can be encoded / decoded.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#define PKCS7_SIGNER_INFO ((LPCSTR) 500) #define PKCS7_SIGNER_INFO ((LPCSTR) 500)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Predefined PKCS #7 data structures that can be encoded / decoded. // Predefined PKCS #7 data structures that can be encoded / decoded.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#define CMS_SIGNER_INFO ((LPCSTR) 501) #define CMS_SIGNER_INFO ((LPCSTR) 501)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
skipping to change at line 3562 skipping to change at line 3609
// of the corresponding base CRL. // of the corresponding base CRL.
#define szOID_CRL_VIRTUAL_BASE "1.3.6.1.4.1.311.21.3" #define szOID_CRL_VIRTUAL_BASE "1.3.6.1.4.1.311.21.3"
// szOID_CRL_NEXT_PUBLISH -- Contains the time when the next CRL is expected // szOID_CRL_NEXT_PUBLISH -- Contains the time when the next CRL is expected
// to be published. This may be sooner than the CRL's NextUpdate field. // to be published. This may be sooner than the CRL's NextUpdate field.
#define szOID_CRL_NEXT_PUBLISH "1.3.6.1.4.1.311.21.4" #define szOID_CRL_NEXT_PUBLISH "1.3.6.1.4.1.311.21.4"
// Enhanced Key Usage for CA encryption certificate // Enhanced Key Usage for CA encryption certificate
#define szOID_KP_CA_EXCHANGE "1.3.6.1.4.1.311.21.5" #define szOID_KP_CA_EXCHANGE "1.3.6.1.4.1.311.21.5"
// Enhanced Key Usage for Privacy CA encryption certificate
#define szOID_KP_PRIVACY_CA "1.3.6.1.4.1.311.21.36"
// Enhanced Key Usage for key recovery agent certificate // Enhanced Key Usage for key recovery agent certificate
#define szOID_KP_KEY_RECOVERY_AGENT "1.3.6.1.4.1.311.21.6" #define szOID_KP_KEY_RECOVERY_AGENT "1.3.6.1.4.1.311.21.6"
// Certificate template extension (v2) // Certificate template extension (v2)
#define szOID_CERTIFICATE_TEMPLATE "1.3.6.1.4.1.311.21.7" #define szOID_CERTIFICATE_TEMPLATE "1.3.6.1.4.1.311.21.7"
// The root oid for all enterprise specific oids // The root oid for all enterprise specific oids
#define szOID_ENTERPRISE_OID_ROOT "1.3.6.1.4.1.311.21.8" #define szOID_ENTERPRISE_OID_ROOT "1.3.6.1.4.1.311.21.8"
// Dummy signing Subject RDN // Dummy signing Subject RDN
skipping to change at line 3681 skipping to change at line 3731
#define szOID_SERVER_GATED_CRYPTO "1.3.6.1.4.1.311.10.3.3" #define szOID_SERVER_GATED_CRYPTO "1.3.6.1.4.1.311.10.3.3"
#endif #endif
#ifndef szOID_SGC_NETSCAPE #ifndef szOID_SGC_NETSCAPE
#define szOID_SGC_NETSCAPE "2.16.840.1.113730.4.1" #define szOID_SGC_NETSCAPE "2.16.840.1.113730.4.1"
#endif #endif
#define szOID_KP_EFS "1.3.6.1.4.1.311.10.3.4" #define szOID_KP_EFS "1.3.6.1.4.1.311.10.3.4"
#define szOID_EFS_RECOVERY "1.3.6.1.4.1.311.10.3.4.1" #define szOID_EFS_RECOVERY "1.3.6.1.4.1.311.10.3.4.1"
// Can use Windows Hardware Compatible (WHQL) // Signed by Microsoft through hardware certification (WHQL)
#define szOID_WHQL_CRYPTO "1.3.6.1.4.1.311.10.3.5" #define szOID_WHQL_CRYPTO "1.3.6.1.4.1.311.10.3.5"
// Signed by Microsoft after the developer attests it is valid (Attested WHQL)
#define szOID_ATTEST_WHQL_CRYPTO "1.3.6.1.4.1.311.10.3.5.1"
// Signed by the NT5 build lab // Signed by the NT5 build lab
#define szOID_NT5_CRYPTO "1.3.6.1.4.1.311.10.3.6" #define szOID_NT5_CRYPTO "1.3.6.1.4.1.311.10.3.6"
// Signed by and OEM of WHQL // Signed by and OEM of WHQL
#define szOID_OEM_WHQL_CRYPTO "1.3.6.1.4.1.311.10.3.7" #define szOID_OEM_WHQL_CRYPTO "1.3.6.1.4.1.311.10.3.7"
// Signed by the Embedded NT // Signed by the Embedded NT
#define szOID_EMBEDDED_NT_CRYPTO "1.3.6.1.4.1.311.10.3.8" #define szOID_EMBEDDED_NT_CRYPTO "1.3.6.1.4.1.311.10.3.8"
// Signer of a CTL containing trusted roots // Signer of a CTL containing trusted roots
skipping to change at line 3720 skipping to change at line 3773
// szOID_PKIX_KP_CODE_SIGNING to indicate new time stamp semantics should be // szOID_PKIX_KP_CODE_SIGNING to indicate new time stamp semantics should be
// used. Support for this OID was added in WXP. // used. Support for this OID was added in WXP.
#define szOID_KP_LIFETIME_SIGNING "1.3.6.1.4.1.311.10.3.13" #define szOID_KP_LIFETIME_SIGNING "1.3.6.1.4.1.311.10.3.13"
#define szOID_KP_MOBILE_DEVICE_SOFTWARE "1.3.6.1.4.1.311.10.3.14" #define szOID_KP_MOBILE_DEVICE_SOFTWARE "1.3.6.1.4.1.311.10.3.14"
#define szOID_KP_SMART_DISPLAY "1.3.6.1.4.1.311.10.3.15" #define szOID_KP_SMART_DISPLAY "1.3.6.1.4.1.311.10.3.15"
#define szOID_KP_CSP_SIGNATURE "1.3.6.1.4.1.311.10.3.16" #define szOID_KP_CSP_SIGNATURE "1.3.6.1.4.1.311.10.3.16"
#define szOID_KP_FLIGHT_SIGNING "1.3.6.1.4.1.311.10.3.27"
#ifndef szOID_DRM #ifndef szOID_DRM
#define szOID_DRM "1.3.6.1.4.1.311.10.5.1" #define szOID_DRM "1.3.6.1.4.1.311.10.5.1"
#endif #endif
// Microsoft DRM EKU // Microsoft DRM EKU
#ifndef szOID_DRM_INDIVIDUALIZATION #ifndef szOID_DRM_INDIVIDUALIZATION
#define szOID_DRM_INDIVIDUALIZATION "1.3.6.1.4.1.311.10.5.2" #define szOID_DRM_INDIVIDUALIZATION "1.3.6.1.4.1.311.10.5.2"
#endif #endif
#ifndef szOID_LICENSES #ifndef szOID_LICENSES
skipping to change at line 3772 skipping to change at line 3827
// Signer of third-party components that are Windows in box // Signer of third-party components that are Windows in box
#define szOID_WINDOWS_THIRD_PARTY_COMPONENT_SIGNER "1.3.6.1.4.1.311.10.3.25" #define szOID_WINDOWS_THIRD_PARTY_COMPONENT_SIGNER "1.3.6.1.4.1.311.10.3.25"
// Signed by the Windows Software Portal // Signed by the Windows Software Portal
#define szOID_WINDOWS_SOFTWARE_EXTENSION_SIGNER "1.3.6.1.4.1.311.10.3.26" #define szOID_WINDOWS_SOFTWARE_EXTENSION_SIGNER "1.3.6.1.4.1.311.10.3.26"
// CTL containing disallowed entries // CTL containing disallowed entries
#define szOID_DISALLOWED_LIST "1.3.6.1.4.1.311.10.3.30" #define szOID_DISALLOWED_LIST "1.3.6.1.4.1.311.10.3.30"
// Signer of a CTL containing Pin Rules.
// The szOID_ROOT_LIST_SIGNER OID can also be used
#define szOID_PIN_RULES_SIGNER "1.3.6.1.4.1.311.10.3.31"
// CTL containing Site Pin Rules
#define szOID_PIN_RULES_CTL "1.3.6.1.4.1.311.10.3.32"
// Pin Rules CTL extension
#define szOID_PIN_RULES_EXT "1.3.6.1.4.1.311.10.3.33"
// SubjectAlgorithm for Pin Rules CTL entries
#define szOID_PIN_RULES_DOMAIN_NAME "1.3.6.1.4.1.311.10.3.34"
// Pin Rules Log End Date CTL extension
#define szOID_PIN_RULES_LOG_END_DATE_EXT "1.3.6.1.4.1.311.10.3.35"
// Image can be executed in Isolated User Mode (IUM)
#define szOID_IUM_SIGNING "1.3.6.1.4.1.311.10.3.37"
// Signed by Microsoft through EV hardware certification (EV WHQL)
#define szOID_EV_WHQL_CRYPTO "1.3.6.1.4.1.311.10.3.39"
// The following extension is set in the disallowed CTL to trigger // The following extension is set in the disallowed CTL to trigger
// a quicker sync of the autorootupdate CTL // a quicker sync of the autorootupdate CTL
#define szOID_SYNC_ROOT_CTL_EXT "1.3.6.1.4.1.311.10.3.50" #define szOID_SYNC_ROOT_CTL_EXT "1.3.6.1.4.1.311.10.3.50"
// HAL Extensions // HAL Extensions
#define szOID_KP_KERNEL_MODE_HAL_EXTENSION_SIGNING "1.3.6.1.4.1.311.61.5.1" #define szOID_KP_KERNEL_MODE_HAL_EXTENSION_SIGNING "1.3.6.1.4.1.311.61.5.1"
// Signer of Windows Store applications // Signer of Windows Store applications
#define szOID_WINDOWS_STORE_SIGNER "1.3.6.1.4.1.311.76.3.1" #define szOID_WINDOWS_STORE_SIGNER "1.3.6.1.4.1.311.76.3.1"
// Signer of dynamic code generators // Signer of dynamic code generators
#define szOID_DYNAMIC_CODE_GEN_SIGNER "1.3.6.1.4.1.311.76.5.1" #define szOID_DYNAMIC_CODE_GEN_SIGNER "1.3.6.1.4.1.311.76.5.1"
// Signer of Microsoft code // Signer of Microsoft code
#define szOID_MICROSOFT_PUBLISHER_SIGNER "1.3.6.1.4.1.311.76.8.1" #define szOID_MICROSOFT_PUBLISHER_SIGNER "1.3.6.1.4.1.311.76.8.1"
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Microsoft Attribute Object Identifiers // Microsoft Attribute Object Identifiers
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
#define szOID_YESNO_TRUST_ATTR "1.3.6.1.4.1.311.10.4.1" #define szOID_YESNO_TRUST_ATTR "1.3.6.1.4.1.311.10.4.1"
#define szOID_SITE_PIN_RULES_INDEX_ATTR "1.3.6.1.4.1.311.10.4.2"
#define szOID_SITE_PIN_RULES_FLAGS_ATTR "1.3.6.1.4.1.311.10.4.3"
#define SITE_PIN_RULES_ALL_SUBDOMAINS_FLAG 0x1
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Qualifiers that may be part of the szOID_CERT_POLICIES and // Qualifiers that may be part of the szOID_CERT_POLICIES and
// szOID_CERT_POLICIES95 extensions // szOID_CERT_POLICIES95 extensions
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
#define szOID_PKIX_POLICY_QUALIFIER_CPS "1.3.6.1.5.5.7.2.1" #define szOID_PKIX_POLICY_QUALIFIER_CPS "1.3.6.1.5.5.7.2.1"
#define szOID_PKIX_POLICY_QUALIFIER_USERNOTICE "1.3.6.1.5.5.7.2.2" #define szOID_PKIX_POLICY_QUALIFIER_USERNOTICE "1.3.6.1.5.5.7.2.2"
#define szOID_ROOT_PROGRAM_FLAGS "1.3.6.1.4.1.311.60.1.1" #define szOID_ROOT_PROGRAM_FLAGS "1.3.6.1.4.1.311.60.1.1"
skipping to change at line 3838 skipping to change at line 3919
//+========================================================================= //+=========================================================================
// TPM Object Identifiers // TPM Object Identifiers
//-========================================================================= //-=========================================================================
// Subject Alt Name Directory Name RDNs // Subject Alt Name Directory Name RDNs
#define szOID_RDN_TPM_MANUFACTURER "2.23.133.2.1" #define szOID_RDN_TPM_MANUFACTURER "2.23.133.2.1"
#define szOID_RDN_TPM_MODEL "2.23.133.2.2" #define szOID_RDN_TPM_MODEL "2.23.133.2.2"
#define szOID_RDN_TPM_VERSION "2.23.133.2.3" #define szOID_RDN_TPM_VERSION "2.23.133.2.3"
#define szOID_RDN_TCG_PLATFORM_MANUFACTURER "2.23.133.2.4"
#define szOID_RDN_TCG_PLATFORM_MODEL "2.23.133.2.5"
#define szOID_RDN_TCG_PLATFORM_VERSION "2.23.133.2.6"
// TPM Manufacturer ASCII Hex Strings // TPM Manufacturer ASCII Hex Strings
// AMD "AMD" 0x41 0x4D 0x44 0x00 // AMD "AMD" 0x41 0x4D 0x44 0x00
// Atmel "ATML" 0x41 0x54 0x4D 0x4C // Atmel "ATML" 0x41 0x54 0x4D 0x4C
// Broadcom "BRCM" 0x42 0x52 0x43 0x4D // Broadcom "BRCM" 0x42 0x52 0x43 0x4D
// IBM "IBM" 0x49 0x42 0x4d 0x00 // IBM "IBM" 0x49 0x42 0x4d 0x00
// Infineon "IFX" 0x49 0x46 0x58 0x00 // Infineon "IFX" 0x49 0x46 0x58 0x00
// Intel "INTC" 0x49 0x4E 0x54 0x43 // Intel "INTC" 0x49 0x4E 0x54 0x43
// Lenovo "LEN" 0x4C 0x45 0x4E 0x00 // Lenovo "LEN" 0x4C 0x45 0x4E 0x00
// National Semiconductor "NSM " 0x4E 0x53 0x4D 0x20 // National Semiconductor "NSM " 0x4E 0x53 0x4D 0x20
// Nationz "NTZ" 0x4E 0x54 0x5A 0x00
// Nuvoton Technology "NTC" 0x4E 0x54 0x43 0x00
// Qualcomm "QCOM" 0x51 0x43 0x4F 0x4D // Qualcomm "QCOM" 0x51 0x43 0x4F 0x4D
// SMSC "SMSC" 0x53 0x4D 0x53 0x43 // SMSC "SMSC" 0x53 0x4D 0x53 0x43
// ST Microelectronics "STM " 0x53 0x54 0x4D 0x20 // ST Microelectronics "STM " 0x53 0x54 0x4D 0x20
// Samsung "SMSN" 0x53 0x4D 0x53 0x4E // Samsung "SMSN" 0x53 0x4D 0x53 0x4E
// Sinosun "SNS" 0x53 0x4E 0x53 0x00 // Sinosun "SNS" 0x53 0x4E 0x53 0x00
// Texas Instruments "TXN" 0x54 0x58 0x4E 0x00 // Texas Instruments "TXN" 0x54 0x58 0x4E 0x00
// Winbond "WEC" 0x57 0x45 0x43 0x00 // Winbond "WEC" 0x57 0x45 0x43 0x00
// //
// Obtained from: http://www.trustedcomputinggroup.org/files/static_page_files/B 4D74EEA-1A4B-B294-D022691CD8A6FD41/Vendor_ID_Registry_0.5_clean.pdf // Obtained from: http://www.trustedcomputinggroup.org/files/static_page_files/3 3FCF23D-1A4B-B294-D07ED1FE636CF4BE/Vendor_ID_Registry_0%207_clean.pdf
// pkcs10 attributes // pkcs10 attributes
#define szOID_ENROLL_EK_INFO "1.3.6.1.4.1.311.21.23" #define szOID_ENROLL_EK_INFO "1.3.6.1.4.1.311.21.23" // EKInfo
#define szOID_ENROLL_AIK_INFO "1.3.6.1.4.1.311.21.39" // EKInfo
#define szOID_ENROLL_ATTESTATION_STATEMENT "1.3.6.1.4.1.311.21.24" #define szOID_ENROLL_ATTESTATION_STATEMENT "1.3.6.1.4.1.311.21.24"
#define szOID_ENROLL_KSP_NAME "1.3.6.1.4.1.311.21.25" // pkcs10 an
d cmc full response // pkcs10 and CMC Full Response Tagged Attribute containing the KSP name.
// ksp_name // Encoded as a unicode string, which must be null terminated.
encoded as a unicode // See CERT_RDN_UNICODE_STRING in the CERT_NAME_VALUE structure.
// string. S #define szOID_ENROLL_KSP_NAME "1.3.6.1.4.1.311.21.25"
ee CERT_RDN_UNICODE_STRING.
// on CERT_N
AME_VALUE structure. It
// must be n
ull terminated.
// CMC Full Response Tagged Attributes // CMC Full Response Tagged Attributes
#define szOID_ENROLL_EKPUB_CHALLENGE "1.3.6.1.4.1.311.21.26" #define szOID_ENROLL_EKPUB_CHALLENGE "1.3.6.1.4.1.311.21.26"
#define szOID_ENROLL_CAXCHGCERT_HASH "1.3.6.1.4.1.311.21.27" #define szOID_ENROLL_CAXCHGCERT_HASH "1.3.6.1.4.1.311.21.27"
#define szOID_ENROLL_ATTESTATION_CHALLENGE "1.3.6.1.4.1.311.21.28" #define szOID_ENROLL_ATTESTATION_CHALLENGE "1.3.6.1.4.1.311.21.28"
#define szOID_ENROLL_ENCRYPTION_ALGORITHM "1.3.6.1.4.1.311.21.29" // algorithm oid #define szOID_ENROLL_ENCRYPTION_ALGORITHM "1.3.6.1.4.1.311.21.29" // algorithm oid
// TPM certificate EKU OIDs // TPM certificate EKU OIDs
#define szOID_KP_TPM_EK_CERTIFICATE "2.23.133.8.1" #define szOID_KP_TPM_EK_CERTIFICATE "2.23.133.8.1"
#define szOID_KP_TPM_PLATFORM_CERTIFICATE "2.23.133.8.2" #define szOID_KP_TPM_PLATFORM_CERTIFICATE "2.23.133.8.2"
#define szOID_KP_TPM_AIK_CERTIFICATE "2.23.133.8.3" #define szOID_KP_TPM_AIK_CERTIFICATE "2.23.133.8.3"
// EK validation Issuance Policy OIDs // EK validation Issuance Policy OIDs
#define szOID_ENROLL_EKVERIFYKEY "1.3.6.1.4.1.311.21.30" #define szOID_ENROLL_EKVERIFYKEY "1.3.6.1.4.1.311.21.30"
#define szOID_ENROLL_EKVERIFYCERT "1.3.6.1.4.1.311.21.31" #define szOID_ENROLL_EKVERIFYCERT "1.3.6.1.4.1.311.21.31"
#define szOID_ENROLL_EKVERIFYCREDS "1.3.6.1.4.1.311.21.32" #define szOID_ENROLL_EKVERIFYCREDS "1.3.6.1.4.1.311.21.32"
// Signed decimal string encoded as a Printable String // Signed decimal string encoded as a Printable String
#define szOID_ENROLL_SCEP_ERROR "1.3.6.1.4.1.311.21.33" #define szOID_ENROLL_SCEP_ERROR "1.3.6.1.4.1.311.21.33" // HRESULT
// SCEP attestation attributes
#define szOID_ENROLL_SCEP_SERVER_STATE "1.3.6.1.4.1.311.21.34" // blob
#define szOID_ENROLL_SCEP_CHALLENGE_ANSWER "1.3.6.1.4.1.311.21.35" // blob
#define szOID_ENROLL_SCEP_CLIENT_REQUEST "1.3.6.1.4.1.311.21.37" // Pkcs10
#define szOID_ENROLL_SCEP_SERVER_MESSAGE "1.3.6.1.4.1.311.21.38" // String
#define szOID_ENROLL_SCEP_SERVER_SECRET "1.3.6.1.4.1.311.21.40" // blob
// key affinity extension: ASN NULL in requests, SEQUENCE of ANY containing
// two OCTET strings in issued certs: a salt blob and a hash value.
#define szOID_ENROLL_KEY_AFFINITY "1.3.6.1.4.1.311.21.41"
// SCEP pkcs10 attribute: signer cert thumbprint
#define szOID_ENROLL_SCEP_SIGNER_HASH "1.3.6.1.4.1.311.21.42" // blob
// TPM line specific EK CA KeyId
#define szOID_ENROLL_EK_CA_KEYID "1.3.6.1.4.1.311.21.43" // blob
// Subject Directory Attributes // Subject Directory Attributes
#define szOID_ATTR_SUPPORTED_ALGORITHMS "2.5.4.52" #define szOID_ATTR_SUPPORTED_ALGORITHMS "2.5.4.52"
#define szOID_ATTR_TPM_SPECIFICATION "2.23.133.2.16" #define szOID_ATTR_TPM_SPECIFICATION "2.23.133.2.16"
#define szOID_ATTR_PLATFORM_SPECIFICATION "2.23.133.2.17"
#define szOID_ATTR_TPM_SECURITY_ASSERTIONS "2.23.133.2.18" #define szOID_ATTR_TPM_SECURITY_ASSERTIONS "2.23.133.2.18"
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// X509_CERT // X509_CERT
// //
// The "to be signed" encoded content plus its signature. The ToBeSigned // The "to be signed" encoded content plus its signature. The ToBeSigned
// content is the CryptEncodeObject() output for one of the following: // content is the CryptEncodeObject() output for one of the following:
// X509_CERT_TO_BE_SIGNED, X509_CERT_CRL_TO_BE_SIGNED or // X509_CERT_TO_BE_SIGNED, X509_CERT_CRL_TO_BE_SIGNED or
// X509_CERT_REQUEST_TO_BE_SIGNED. // X509_CERT_REQUEST_TO_BE_SIGNED.
// //
skipping to change at line 4444 skipping to change at line 4550
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// szOID_SUBJECT_DIR_ATTRS // szOID_SUBJECT_DIR_ATTRS
// X509_SUBJECT_DIR_ATTRS // X509_SUBJECT_DIR_ATTRS
// //
// pvStructInfo points to a CRYPT_ATTRIBUTES. // pvStructInfo points to a CRYPT_ATTRIBUTES.
// //
// Encoded as a "SEQUENCE OF" instead of "SET OF" // Encoded as a "SEQUENCE OF" instead of "SET OF"
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// X509_ECC_PARAMETERS
//
// pvStructInfo points to a CRYPT_DATA_BLOB which contains CNG Parameters
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
// PKCS_CONTENT_INFO_SEQUENCE_OF_ANY data structure // PKCS_CONTENT_INFO_SEQUENCE_OF_ANY data structure
// //
// pvStructInfo points to following CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY. // pvStructInfo points to following CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY.
// //
// For X509_ASN_ENCODING: encoded as a PKCS#7 ContentInfo structure wrapping // For X509_ASN_ENCODING: encoded as a PKCS#7 ContentInfo structure wrapping
// a sequence of ANY. The value of the contentType field is pszObjId, // a sequence of ANY. The value of the contentType field is pszObjId,
// while the content field is the following structure: // while the content field is the following structure:
// SequenceOfAny ::= SEQUENCE OF ANY // SequenceOfAny ::= SEQUENCE OF ANY
// //
// The CRYPT_DER_BLOBs point to the already encoded ANY content. // The CRYPT_DER_BLOBs point to the already encoded ANY content.
skipping to change at line 4617 skipping to change at line 4729
// enumerated values: // enumerated values:
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#define CRL_REASON_UNSPECIFIED 0 #define CRL_REASON_UNSPECIFIED 0
#define CRL_REASON_KEY_COMPROMISE 1 #define CRL_REASON_KEY_COMPROMISE 1
#define CRL_REASON_CA_COMPROMISE 2 #define CRL_REASON_CA_COMPROMISE 2
#define CRL_REASON_AFFILIATION_CHANGED 3 #define CRL_REASON_AFFILIATION_CHANGED 3
#define CRL_REASON_SUPERSEDED 4 #define CRL_REASON_SUPERSEDED 4
#define CRL_REASON_CESSATION_OF_OPERATION 5 #define CRL_REASON_CESSATION_OF_OPERATION 5
#define CRL_REASON_CERTIFICATE_HOLD 6 #define CRL_REASON_CERTIFICATE_HOLD 6
#define CRL_REASON_REMOVE_FROM_CRL 8 #define CRL_REASON_REMOVE_FROM_CRL 8
#define CRL_REASON_PRIVILEGE_WITHDRAWN 9
#define CRL_REASON_AA_COMPROMISE 10
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// X509_CRL_DIST_POINTS // X509_CRL_DIST_POINTS
// szOID_CRL_DIST_POINTS // szOID_CRL_DIST_POINTS
// //
// pvStructInfo points to following CRL_DIST_POINTS_INFO. // pvStructInfo points to following CRL_DIST_POINTS_INFO.
// //
// For CRYPT_E_INVALID_IA5_STRING, the error location is returned in // For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
// *pcbEncoded by CryptEncodeObject(X509_CRL_DIST_POINTS) // *pcbEncoded by CryptEncodeObject(X509_CRL_DIST_POINTS)
// //
skipping to change at line 4654 skipping to change at line 4768
#define CRL_DIST_POINT_NO_NAME 0 #define CRL_DIST_POINT_NO_NAME 0
#define CRL_DIST_POINT_FULL_NAME 1 #define CRL_DIST_POINT_FULL_NAME 1
#define CRL_DIST_POINT_ISSUER_RDN_NAME 2 #define CRL_DIST_POINT_ISSUER_RDN_NAME 2
typedef struct _CRL_DIST_POINT { typedef struct _CRL_DIST_POINT {
CRL_DIST_POINT_NAME DistPointName; // OPTIONAL CRL_DIST_POINT_NAME DistPointName; // OPTIONAL
CRYPT_BIT_BLOB ReasonFlags; // OPTIONAL CRYPT_BIT_BLOB ReasonFlags; // OPTIONAL
CERT_ALT_NAME_INFO CRLIssuer; // OPTIONAL CERT_ALT_NAME_INFO CRLIssuer; // OPTIONAL
} CRL_DIST_POINT, *PCRL_DIST_POINT; } CRL_DIST_POINT, *PCRL_DIST_POINT;
// Byte[0]
#define CRL_REASON_UNUSED_FLAG 0x80 #define CRL_REASON_UNUSED_FLAG 0x80
#define CRL_REASON_KEY_COMPROMISE_FLAG 0x40 #define CRL_REASON_KEY_COMPROMISE_FLAG 0x40
#define CRL_REASON_CA_COMPROMISE_FLAG 0x20 #define CRL_REASON_CA_COMPROMISE_FLAG 0x20
#define CRL_REASON_AFFILIATION_CHANGED_FLAG 0x10 #define CRL_REASON_AFFILIATION_CHANGED_FLAG 0x10
#define CRL_REASON_SUPERSEDED_FLAG 0x08 #define CRL_REASON_SUPERSEDED_FLAG 0x08
#define CRL_REASON_CESSATION_OF_OPERATION_FLAG 0x04 #define CRL_REASON_CESSATION_OF_OPERATION_FLAG 0x04
#define CRL_REASON_CERTIFICATE_HOLD_FLAG 0x02 #define CRL_REASON_CERTIFICATE_HOLD_FLAG 0x02
#define CRL_REASON_PRIVILEGE_WITHDRAWN_FLAG 0x01
// Byte[1]
#define CRL_REASON_AA_COMPROMISE_FLAG 0x80
typedef struct _CRL_DIST_POINTS_INFO { typedef struct _CRL_DIST_POINTS_INFO {
DWORD cDistPoint; DWORD cDistPoint;
PCRL_DIST_POINT rgDistPoint; PCRL_DIST_POINT rgDistPoint;
} CRL_DIST_POINTS_INFO, *PCRL_DIST_POINTS_INFO; } CRL_DIST_POINTS_INFO, *PCRL_DIST_POINTS_INFO;
#define CRL_DIST_POINT_ERR_INDEX_MASK 0x7F #define CRL_DIST_POINT_ERR_INDEX_MASK 0x7F
#define CRL_DIST_POINT_ERR_INDEX_SHIFT 24 #define CRL_DIST_POINT_ERR_INDEX_SHIFT 24
#define GET_CRL_DIST_POINT_ERR_INDEX(X) \ #define GET_CRL_DIST_POINT_ERR_INDEX(X) \
((X >> CRL_DIST_POINT_ERR_INDEX_SHIFT) & CRL_DIST_POINT_ERR_INDEX_MASK) ((X >> CRL_DIST_POINT_ERR_INDEX_SHIFT) & CRL_DIST_POINT_ERR_INDEX_MASK)
skipping to change at line 5927 skipping to change at line 6045
// szOID_ATTR_TPM_SPECIFICATION // szOID_ATTR_TPM_SPECIFICATION
// //
// pvStructInfo points to following CERT_TPM_SPECIFICATION_INFO. // pvStructInfo points to following CERT_TPM_SPECIFICATION_INFO.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
typedef struct _CERT_TPM_SPECIFICATION_INFO { typedef struct _CERT_TPM_SPECIFICATION_INFO {
LPWSTR pwszFamily; // Encoded as UTF8 LPWSTR pwszFamily; // Encoded as UTF8
DWORD dwLevel; DWORD dwLevel;
DWORD dwRevision; DWORD dwRevision;
} CERT_TPM_SPECIFICATION_INFO, *PCERT_TPM_SPECIFICATION_INFO; } CERT_TPM_SPECIFICATION_INFO, *PCERT_TPM_SPECIFICATION_INFO;
//+-------------------------------------------------------------------------
// szOID_ENROLL_KEY_AFFINITY -- certificate extension
//
// pvStructInfo points to a CRYPT_SEQUENCE_OF_ANY.
//
// The two resulting CRYPT_DER_BLOBs point to a salt blob and a hash result.
// In Pkcs10 requests, the extension will contain an ASN NULL.
//--------------------------------------------------------------------------
//+========================================================================= //+=========================================================================
// Object IDentifier (OID) Installable Functions: Data Structures and APIs // Object IDentifier (OID) Installable Functions: Data Structures and APIs
//========================================================================== //==========================================================================
typedef void *HCRYPTOIDFUNCSET; typedef void *HCRYPTOIDFUNCSET;
typedef void *HCRYPTOIDFUNCADDR; typedef void *HCRYPTOIDFUNCADDR;
// Predefined OID Function Names // Predefined OID Function Names
#define CRYPT_OID_ENCODE_OBJECT_FUNC "CryptDllEncodeObject" #define CRYPT_OID_ENCODE_OBJECT_FUNC "CryptDllEncodeObject"
#define CRYPT_OID_DECODE_OBJECT_FUNC "CryptDllDecodeObject" #define CRYPT_OID_DECODE_OBJECT_FUNC "CryptDllDecodeObject"
#define CRYPT_OID_ENCODE_OBJECT_EX_FUNC "CryptDllEncodeObjectEx" #define CRYPT_OID_ENCODE_OBJECT_EX_FUNC "CryptDllEncodeObjectEx"
#define CRYPT_OID_DECODE_OBJECT_EX_FUNC "CryptDllDecodeObjectEx" #define CRYPT_OID_DECODE_OBJECT_EX_FUNC "CryptDllDecodeObjectEx"
#define CRYPT_OID_CREATE_COM_OBJECT_FUNC "CryptDllCreateCOMObject" #define CRYPT_OID_CREATE_COM_OBJECT_FUNC "CryptDllCreateCOMObject"
#define CRYPT_OID_VERIFY_REVOCATION_FUNC "CertDllVerifyRevocation" #define CRYPT_OID_VERIFY_REVOCATION_FUNC "CertDllVerifyRevocation"
skipping to change at line 6155 skipping to change at line 6281
// or CryptGetDefaultOIDFunctionAddress. // or CryptGetDefaultOIDFunctionAddress.
// //
// If a Dll was loaded for the function its unloaded. However, before doing // If a Dll was loaded for the function its unloaded. However, before doing
// the unload, the DllCanUnloadNow function exported by the loaded Dll is // the unload, the DllCanUnloadNow function exported by the loaded Dll is
// called. It should return S_FALSE to inhibit the unload or S_TRUE to enable // called. It should return S_FALSE to inhibit the unload or S_TRUE to enable
// the unload. If the Dll doesn't export DllCanUnloadNow, the Dll is unloaded. // the unload. If the Dll doesn't export DllCanUnloadNow, the Dll is unloaded.
// //
// DllCanUnloadNow has the following signature: // DllCanUnloadNow has the following signature:
// STDAPI DllCanUnloadNow(void); // STDAPI DllCanUnloadNow(void);
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CryptFreeOIDFunctionAddress( CryptFreeOIDFunctionAddress(
_In_ HCRYPTOIDFUNCADDR hFuncAddr, _In_ HCRYPTOIDFUNCADDR hFuncAddr,
_In_ DWORD dwFlags _In_ DWORD dwFlags
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Register the Dll containing the function to be called for the specified // Register the Dll containing the function to be called for the specified
// encoding type, function name and OID. // encoding type, function name and OID.
// //
// pwszDll may contain environment-variable strings // pwszDll may contain environment-variable strings
// which are ExpandEnvironmentStrings()'ed before loading the Dll. // which are ExpandEnvironmentStrings()'ed before loading the Dll.
// //
// In addition to registering the DLL, you may override the // In addition to registering the DLL, you may override the
// name of the function to be called. For example, // name of the function to be called. For example,
// pszFuncName = "CryptDllEncodeObject", // pszFuncName = "CryptDllEncodeObject",
skipping to change at line 6270 skipping to change at line 6403
); );
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Get the value for the specified encoding type, function name, OID and // Get the value for the specified encoding type, function name, OID and
// value name. // value name.
// //
// See RegEnumValue for the possible value types. // See RegEnumValue for the possible value types.
// //
// String types are UNICODE. // String types are UNICODE.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CryptGetOIDFunctionValue( CryptGetOIDFunctionValue(
_In_ DWORD dwEncodingType, _In_ DWORD dwEncodingType,
_In_ LPCSTR pszFuncName, _In_ LPCSTR pszFuncName,
_In_ LPCSTR pszOID, _In_ LPCSTR pszOID,
_In_opt_ LPCWSTR pwszValueName, _In_opt_ LPCWSTR pwszValueName,
_Out_opt_ DWORD *pdwValueType, _Out_opt_ DWORD *pdwValueType,
_Out_writes_bytes_to_opt_(*pcbValueData, *pcbValueData) BYTE *pbValueData, _Out_writes_bytes_to_opt_(*pcbValueData, *pcbValueData) BYTE *pbValueData,
skipping to change at line 6439 skipping to change at line 6579
// in the PKCS7's digestEncryptionAlgorithm's parameters. // in the PKCS7's digestEncryptionAlgorithm's parameters.
// CRYPT_OID_NO_NULL_ALGORITHM_PARA_FLAG can be set to omit // CRYPT_OID_NO_NULL_ALGORITHM_PARA_FLAG can be set to omit
// NULL parameters when encoding. // NULL parameters when encoding.
// //
// For the ECC named curve public keys // For the ECC named curve public keys
// DWORD[1] - BCRYPT_ECCKEY_BLOB dwMagic field value // DWORD[1] - BCRYPT_ECCKEY_BLOB dwMagic field value
// DWORD[2] - dwBitLength. Where BCRYPT_ECCKEY_BLOB's // DWORD[2] - dwBitLength. Where BCRYPT_ECCKEY_BLOB's
// cbKey = dwBitLength / 8 + ((dwBitLength % 8) ? 1 : 0) // cbKey = dwBitLength / 8 + ((dwBitLength % 8) ? 1 : 0)
// //
#define CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG 0x00000001 #define CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG 0x00000001
#define CRYPT_OID_USE_PUBKEY_PARA_FOR_PKCS7_FLAG 0x00000002 #define CRYPT_OID_USE_PUBKEY_PARA_FOR_PKCS7_FLAG 0x00000002
#define CRYPT_OID_NO_NULL_ALGORITHM_PARA_FLAG 0x00000004 #define CRYPT_OID_NO_NULL_ALGORITHM_PARA_FLAG 0x00000004
#define CRYPT_OID_PUBKEY_SIGN_ONLY_FLAG 0x80000000 #define CRYPT_OID_PUBKEY_SIGN_ONLY_FLAG 0x80000000
#define CRYPT_OID_PUBKEY_ENCRYPT_ONLY_FLAG 0x40000000 #define CRYPT_OID_PUBKEY_ENCRYPT_ONLY_FLAG 0x40000000
#define CRYPT_OID_USE_CURVE_NAME_FOR_ENCODE_FLAG 0x20000000
#define CRYPT_OID_USE_CURVE_PARAMETERS_FOR_ENCODE_FLAG 0x10000000
// CRYPT_SIGN_ALG_OID_GROUP_ID has the following optional ExtraInfo: // CRYPT_SIGN_ALG_OID_GROUP_ID has the following optional ExtraInfo:
// DWORD[0] - Public Key Algid. // DWORD[0] - Public Key Algid.
// DWORD[1] - Flags. Same as above for CRYPT_PUBKEY_ALG_OID_GROUP_ID. // DWORD[1] - Flags. Same as above for CRYPT_PUBKEY_ALG_OID_GROUP_ID.
// DWORD[2] - Optional CryptAcquireContext(CRYPT_VERIFYCONTEXT)'s dwProvType. // DWORD[2] - Optional CryptAcquireContext(CRYPT_VERIFYCONTEXT)'s dwProvType.
// If omitted or 0, uses Public Key Algid to select // If omitted or 0, uses Public Key Algid to select
// appropriate dwProvType for signature verification. // appropriate dwProvType for signature verification.
// CRYPT_RDN_ATTR_OID_GROUP_ID has the following optional ExtraInfo: // CRYPT_RDN_ATTR_OID_GROUP_ID has the following optional ExtraInfo:
// Array of DWORDs: // Array of DWORDs:
skipping to change at line 6542 skipping to change at line 6684
// CryptFindOIDInfo( // CryptFindOIDInfo(
// CRYPT_OID_INFO_CNG_ALGID_KEY, // CRYPT_OID_INFO_CNG_ALGID_KEY,
// (void *) BCRYPT_AES_ALGORITHM, // (void *) BCRYPT_AES_ALGORITHM,
// CRYPT_ENCRYPT_ALG_OID_GROUP_ID | // CRYPT_ENCRYPT_ALG_OID_GROUP_ID |
// (192 << CRYPT_OID_INFO_OID_GROUP_BIT_LEN_SHIFT) // (192 << CRYPT_OID_INFO_OID_GROUP_BIT_LEN_SHIFT)
// ); // );
#define CRYPT_OID_INFO_OID_GROUP_BIT_LEN_MASK 0x0FFF0000 #define CRYPT_OID_INFO_OID_GROUP_BIT_LEN_MASK 0x0FFF0000
#define CRYPT_OID_INFO_OID_GROUP_BIT_LEN_SHIFT 16 #define CRYPT_OID_INFO_OID_GROUP_BIT_LEN_SHIFT 16
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Register OID information. The OID information specified in the // Register OID information. The OID information specified in the
// CCRYPT_OID_INFO structure is persisted to the registry. // CCRYPT_OID_INFO structure is persisted to the registry.
// //
// crypt32.dll contains information for the commonly known OIDs. This function // crypt32.dll contains information for the commonly known OIDs. This function
// allows applications to augment crypt32.dll's OID information. During // allows applications to augment crypt32.dll's OID information. During
// CryptFindOIDInfo's first call, the registered OID information is installed. // CryptFindOIDInfo's first call, the registered OID information is installed.
// //
// By default the registered OID information is installed after crypt32.dll's // By default the registered OID information is installed after crypt32.dll's
// OID entries. Set CRYPT_INSTALL_OID_INFO_BEFORE_FLAG to install before. // OID entries. Set CRYPT_INSTALL_OID_INFO_BEFORE_FLAG to install before.
skipping to change at line 6574 skipping to change at line 6722
// Unregister OID information. Only the pszOID and dwGroupId fields are // Unregister OID information. Only the pszOID and dwGroupId fields are
// used to identify the OID information to be unregistered. // used to identify the OID information to be unregistered.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CryptUnregisterOIDInfo( CryptUnregisterOIDInfo(
_In_ PCCRYPT_OID_INFO pInfo _In_ PCCRYPT_OID_INFO pInfo
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
// If the callback returns FALSE, stops the enumeration. // If the callback returns FALSE, stops the enumeration.
typedef BOOL (WINAPI *PFN_CRYPT_ENUM_OID_INFO)( typedef BOOL (WINAPI *PFN_CRYPT_ENUM_OID_INFO)(
_In_ PCCRYPT_OID_INFO pInfo, _In_ PCCRYPT_OID_INFO pInfo,
_Inout_opt_ void *pvArg _Inout_opt_ void *pvArg
); );
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Enumerate the OID information. // Enumerate the OID information.
// //
// pfnEnumOIDInfo is called for each OID information entry. // pfnEnumOIDInfo is called for each OID information entry.
skipping to change at line 6862 skipping to change at line 7017
// CMS signed messages allow the inclusion of Attribute Certs. // CMS signed messages allow the inclusion of Attribute Certs.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
typedef struct _CMSG_SIGNER_ENCODE_INFO { typedef struct _CMSG_SIGNER_ENCODE_INFO {
DWORD cbSize; DWORD cbSize;
PCERT_INFO pCertInfo; PCERT_INFO pCertInfo;
// NCryptIsKeyHandle() is called to determine the union choice. // NCryptIsKeyHandle() is called to determine the union choice.
union { union {
HCRYPTPROV hCryptProv; HCRYPTPROV hCryptProv;
NCRYPT_KEY_HANDLE hNCryptKey; NCRYPT_KEY_HANDLE hNCryptKey;
#ifdef CMSG_SIGNER_ENCODE_INFO_HAS_IUM_FIELDS
BCRYPT_KEY_HANDLE hBCryptKey;
#endif
} DUMMYUNIONNAME; } DUMMYUNIONNAME;
// not applicable for hNCryptKey choice // not applicable for hNCryptKey choice
DWORD dwKeySpec; DWORD dwKeySpec;
CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm; CRYPT_ALGORITHM_IDENTIFIER HashAlgorithm;
void *pvHashAuxInfo; void *pvHashAuxInfo;
DWORD cAuthAttr; DWORD cAuthAttr;
PCRYPT_ATTRIBUTE rgAuthAttr; PCRYPT_ATTRIBUTE rgAuthAttr;
DWORD cUnauthAttr; DWORD cUnauthAttr;
skipping to change at line 7307 skipping to change at line 7465
#define CMSG_LENGTH_ONLY_FLAG 0x00000002 #define CMSG_LENGTH_ONLY_FLAG 0x00000002
#define CMSG_DETACHED_FLAG 0x00000004 #define CMSG_DETACHED_FLAG 0x00000004
#define CMSG_AUTHENTICATED_ATTRIBUTES_FLAG 0x00000008 #define CMSG_AUTHENTICATED_ATTRIBUTES_FLAG 0x00000008
#define CMSG_CONTENTS_OCTETS_FLAG 0x00000010 #define CMSG_CONTENTS_OCTETS_FLAG 0x00000010
#define CMSG_MAX_LENGTH_FLAG 0x00000020 #define CMSG_MAX_LENGTH_FLAG 0x00000020
// When set, nonData type inner content is encapsulated within an // When set, nonData type inner content is encapsulated within an
// OCTET STRING. Applicable to both Signed and Enveloped messages. // OCTET STRING. Applicable to both Signed and Enveloped messages.
#define CMSG_CMS_ENCAPSULATED_CONTENT_FLAG 0x00000040 #define CMSG_CMS_ENCAPSULATED_CONTENT_FLAG 0x00000040
// If set then the message will not have a signature in the final PKCS7
// of SignedData type. Instead the signature will contain plain text of
// the to-be-signed hash. It is used with digest signing.
#define CMSG_SIGNED_DATA_NO_SIGN_FLAG 0x00000080
// If set, then, the hCryptProv passed to CryptMsgOpenToEncode or // If set, then, the hCryptProv passed to CryptMsgOpenToEncode or
// CryptMsgOpenToDecode is released on the final CryptMsgClose. // CryptMsgOpenToDecode is released on the final CryptMsgClose.
// Not released if CryptMsgOpenToEncode or CryptMsgOpenToDecode fails. // Not released if CryptMsgOpenToEncode or CryptMsgOpenToDecode fails.
// //
// Also applies to hNCryptKey where applicable. // Also applies to hNCryptKey where applicable.
// //
// Note, the envelope recipient hCryptProv's aren't released. // Note, the envelope recipient hCryptProv's aren't released.
#define CMSG_CRYPT_RELEASE_CONTEXT_FLAG 0x00008000 #define CMSG_CRYPT_RELEASE_CONTEXT_FLAG 0x00008000
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
skipping to change at line 9075 skipping to change at line 9238
// If these properties don't already exist, then, a hash of the // If these properties don't already exist, then, a hash of the
// content is computed. (CERT_HASH_PROP_ID maps to the default // content is computed. (CERT_HASH_PROP_ID maps to the default
// hash algorithm, currently, CERT_SHA1_HASH_PROP_ID). // hash algorithm, currently, CERT_SHA1_HASH_PROP_ID).
// //
// There are additional APIs for creating certificate and CRL // There are additional APIs for creating certificate and CRL
// contexts not in a store (CertCreateCertificateContext and // contexts not in a store (CertCreateCertificateContext and
// CertCreateCRLContext). // CertCreateCRLContext).
// //
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) */
#pragma endregion
#pragma region Application Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
typedef void *HCERTSTORE; typedef void *HCERTSTORE;
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Certificate context. // Certificate context.
// //
// A certificate context contains both the encoded and decoded representation // A certificate context contains both the encoded and decoded representation
// of a certificate. A certificate context returned by a cert store function // of a certificate. A certificate context returned by a cert store function
// must be freed by calling the CertFreeCertificateContext function. The // must be freed by calling the CertFreeCertificateContext function. The
// CertDuplicateCertificateContext function can be called to make a duplicate // CertDuplicateCertificateContext function can be called to make a duplicate
// copy (which also must be freed by calling CertFreeCertificateContext). // copy (which also must be freed by calling CertFreeCertificateContext).
skipping to change at line 9103 skipping to change at line 9260
typedef struct _CERT_CONTEXT { typedef struct _CERT_CONTEXT {
DWORD dwCertEncodingType; DWORD dwCertEncodingType;
BYTE *pbCertEncoded; BYTE *pbCertEncoded;
DWORD cbCertEncoded; DWORD cbCertEncoded;
PCERT_INFO pCertInfo; PCERT_INFO pCertInfo;
HCERTSTORE hCertStore; HCERTSTORE hCertStore;
} CERT_CONTEXT, *PCERT_CONTEXT; } CERT_CONTEXT, *PCERT_CONTEXT;
typedef const CERT_CONTEXT *PCCERT_CONTEXT; typedef const CERT_CONTEXT *PCCERT_CONTEXT;
// certenrolls_end // certenrolls_end
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) */
#pragma endregion
#pragma region Desktop Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// CRL context. // CRL context.
// //
// A CRL context contains both the encoded and decoded representation // A CRL context contains both the encoded and decoded representation
// of a CRL. A CRL context returned by a cert store function // of a CRL. A CRL context returned by a cert store function
// must be freed by calling the CertFreeCRLContext function. The // must be freed by calling the CertFreeCRLContext function. The
// CertDuplicateCRLContext function can be called to make a duplicate // CertDuplicateCRLContext function can be called to make a duplicate
// copy (which also must be freed by calling CertFreeCRLContext). // copy (which also must be freed by calling CertFreeCRLContext).
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
typedef struct _CRL_CONTEXT { typedef struct _CRL_CONTEXT {
skipping to change at line 9161 skipping to change at line 9312
// Certificate, CRL and CTL property IDs // Certificate, CRL and CTL property IDs
// //
// See CertSetCertificateContextProperty or CertGetCertificateContextProperty // See CertSetCertificateContextProperty or CertGetCertificateContextProperty
// for usage information. // for usage information.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#define CERT_KEY_PROV_HANDLE_PROP_ID 1 #define CERT_KEY_PROV_HANDLE_PROP_ID 1
#define CERT_KEY_PROV_INFO_PROP_ID 2 // CRYPT_KEY_PROV_INFO #define CERT_KEY_PROV_INFO_PROP_ID 2 // CRYPT_KEY_PROV_INFO
#define CERT_SHA1_HASH_PROP_ID 3 #define CERT_SHA1_HASH_PROP_ID 3
#define CERT_MD5_HASH_PROP_ID 4 #define CERT_MD5_HASH_PROP_ID 4
#define CERT_HASH_PROP_ID CERT_SHA1_HASH_PROP_ID #define CERT_HASH_PROP_ID CERT_SHA1_HASH_PROP_ID
#define CERT_KEY_CONTEXT_PROP_ID 5 #define CERT_KEY_CONTEXT_PROP_ID 5 // CERT_KEY_CONTEXT
#define CERT_KEY_SPEC_PROP_ID 6 #define CERT_KEY_SPEC_PROP_ID 6
#define CERT_IE30_RESERVED_PROP_ID 7 #define CERT_IE30_RESERVED_PROP_ID 7
#define CERT_PUBKEY_HASH_RESERVED_PROP_ID 8 #define CERT_PUBKEY_HASH_RESERVED_PROP_ID 8
#define CERT_ENHKEY_USAGE_PROP_ID 9 #define CERT_ENHKEY_USAGE_PROP_ID 9
#define CERT_CTL_USAGE_PROP_ID CERT_ENHKEY_USAGE_PROP_ID #define CERT_CTL_USAGE_PROP_ID CERT_ENHKEY_USAGE_PROP_ID
#define CERT_NEXT_UPDATE_LOCATION_PROP_ID 10 #define CERT_NEXT_UPDATE_LOCATION_PROP_ID 10
#define CERT_FRIENDLY_NAME_PROP_ID 11 // string #define CERT_FRIENDLY_NAME_PROP_ID 11 // string
#define CERT_PVK_FILE_PROP_ID 12 #define CERT_PVK_FILE_PROP_ID 12
#define CERT_DESCRIPTION_PROP_ID 13 // string #define CERT_DESCRIPTION_PROP_ID 13 // string
#define CERT_ACCESS_STATE_PROP_ID 14 #define CERT_ACCESS_STATE_PROP_ID 14
skipping to change at line 9264 skipping to change at line 9415
#define CERT_SCEP_SERVER_CERTS_PROP_ID 108 // Pkcs7 #define CERT_SCEP_SERVER_CERTS_PROP_ID 108 // Pkcs7
#define CERT_SCEP_RA_SIGNATURE_CERT_PROP_ID 109 // sha1 Thumbprint #define CERT_SCEP_RA_SIGNATURE_CERT_PROP_ID 109 // sha1 Thumbprint
#define CERT_SCEP_RA_ENCRYPTION_CERT_PROP_ID 110 // sha1 Thumbprint #define CERT_SCEP_RA_ENCRYPTION_CERT_PROP_ID 110 // sha1 Thumbprint
#define CERT_SCEP_CA_CERT_PROP_ID 111 // sha1 Thumbprint #define CERT_SCEP_CA_CERT_PROP_ID 111 // sha1 Thumbprint
#define CERT_SCEP_SIGNER_CERT_PROP_ID 112 // sha1 Thumbprint #define CERT_SCEP_SIGNER_CERT_PROP_ID 112 // sha1 Thumbprint
#define CERT_SCEP_NONCE_PROP_ID 113 // blob #define CERT_SCEP_NONCE_PROP_ID 113 // blob
// string: "CNGEncryptAlgId/CNGHashAlgId" example: "3DES/SHA1" // string: "CNGEncryptAlgId/CNGHashAlgId" example: "3DES/SHA1"
#define CERT_SCEP_ENCRYPT_HASH_CNG_ALG_PROP_ID 114 #define CERT_SCEP_ENCRYPT_HASH_CNG_ALG_PROP_ID 114
#define CERT_SCEP_FLAGS_PROP_ID 115 // DWORD #define CERT_SCEP_FLAGS_PROP_ID 115 // DWORD
#define CERT_SCEP_GUID_PROP_ID 116 // string
#define CERT_SERIALIZABLE_KEY_CONTEXT_PROP_ID 117 // CERT_KEY_CONTEXT
#define CERT_FIRST_RESERVED_PROP_ID 116 // Binary: isolated
#define CERT_ISOLATED_KEY_PROP_ID 118 // blob
#define CERT_SERIAL_CHAIN_PROP_ID 119
#define CERT_FIRST_RESERVED_PROP_ID 120
#define CERT_LAST_RESERVED_PROP_ID 0x00007FFF #define CERT_LAST_RESERVED_PROP_ID 0x00007FFF
#define CERT_FIRST_USER_PROP_ID 0x00008000 #define CERT_FIRST_USER_PROP_ID 0x00008000
#define CERT_LAST_USER_PROP_ID 0x0000FFFF #define CERT_LAST_USER_PROP_ID 0x0000FFFF
// certenrolld_end // certenrolld_end
#define IS_CERT_HASH_PROP_ID(X) (CERT_SHA1_HASH_PROP_ID == (X) || \ #define IS_CERT_HASH_PROP_ID(X) (CERT_SHA1_HASH_PROP_ID == (X) || \
CERT_MD5_HASH_PROP_ID == (X) || \ CERT_MD5_HASH_PROP_ID == (X) || \
CERT_SHA256_HASH_PROP_ID == (X) || \ CERT_SHA256_HASH_PROP_ID == (X) || \
CERT_SIGNATURE_HASH_PROP_ID == (X)) CERT_SIGNATURE_HASH_PROP_ID == (X))
skipping to change at line 9751 skipping to change at line 9907
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
// Registry path to the OCM Subcomponents local machine subkey // Registry path to the OCM Subcomponents local machine subkey
#define CERT_OCM_SUBCOMPONENTS_LOCAL_MACHINE_REGPATH \ #define CERT_OCM_SUBCOMPONENTS_LOCAL_MACHINE_REGPATH \
L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\OC Manager\\Subcompon ents" L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\OC Manager\\Subcompon ents"
// REG_DWORD, 1 is installed, 0 is NOT installed // REG_DWORD, 1 is installed, 0 is NOT installed
#define CERT_OCM_SUBCOMPONENTS_ROOT_AUTO_UPDATE_VALUE_NAME L"RootAutoUpdate" #define CERT_OCM_SUBCOMPONENTS_ROOT_AUTO_UPDATE_VALUE_NAME L"RootAutoUpdate"
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Root and Disallowed Certificate AutoUpdate Defines // Root, Disallowed Certificate and Pin Rules AutoUpdate Defines
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
// Registry path to the DisableRootAutoUpdate SubKey // Registry path to the DisableRootAutoUpdate SubKey
#define CERT_DISABLE_ROOT_AUTO_UPDATE_REGPATH \ #define CERT_DISABLE_ROOT_AUTO_UPDATE_REGPATH \
CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH L"\\AuthRoot" CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH L"\\AuthRoot"
// The following disables both Root and Disallowed Certificate AutoUpdate // The following disables Root, Disallowed Certificate and Pin Rules AutoUpdate
// REG_DWORD Value Name, 1 - disables, 0 - enables // REG_DWORD Value Name, 1 - disables, 0 - enables
#define CERT_DISABLE_ROOT_AUTO_UPDATE_VALUE_NAME L"DisableRootAutoUpdate" #define CERT_DISABLE_ROOT_AUTO_UPDATE_VALUE_NAME L"DisableRootAutoUpdate"
// The following enables Disallowed Certificate AutoUpdate. It takes precedence // The following enables Disallowed Certificate and Pin Rules AutoUpdate.
// over the above registry setting. // It takes precedence over the above registry setting.
// REG_DWORD Value Name, 1 - enables // REG_DWORD Value Name, 1 - enables
#define CERT_ENABLE_DISALLOWED_CERT_AUTO_UPDATE_VALUE_NAME L"EnableDisallowedCer tAutoUpdate" #define CERT_ENABLE_DISALLOWED_CERT_AUTO_UPDATE_VALUE_NAME L"EnableDisallowedCer tAutoUpdate"
// The following disables Pin Rules AutoUpdate.
// It takes precedence over the above registry setting.
// REG_DWORD Value Name, 1 - disables
#define CERT_DISABLE_PIN_RULES_AUTO_UPDATE_VALUE_NAME L"DisablePinRulesAutoUpdat
e"
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Auto Update Definitions // Auto Update Definitions
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
// Registry path to the "Auto Update" local machine subkey // Registry path to the "Auto Update" local machine subkey
#define CERT_AUTO_UPDATE_LOCAL_MACHINE_REGPATH \ #define CERT_AUTO_UPDATE_LOCAL_MACHINE_REGPATH \
CERT_LOCAL_MACHINE_SYSTEM_STORE_REGPATH L"\\AuthRoot\\AutoUpdate" CERT_LOCAL_MACHINE_SYSTEM_STORE_REGPATH L"\\AuthRoot\\AutoUpdate"
// Auto Update subkey value names. // Auto Update subkey value names.
// REG_SZ, URL to the directory containing the AutoUpdate files // REG_SZ, URL to the directory containing the AutoUpdate files
#define CERT_AUTO_UPDATE_ROOT_DIR_URL_VALUE_NAME L"RootDirUrl" #define CERT_AUTO_UPDATE_ROOT_DIR_URL_VALUE_NAME L"RootDirUrl"
// REG_SZ, URL to the AutoUpdate test staging directory containing the
// AutoUpdate files. certutil.exe will use for its -syncWithWU and
// -generateSSTFromWU verbs to override the default Windows Update URL.
#define CERT_AUTO_UPDATE_SYNC_FROM_DIR_URL_VALUE_NAME L"SyncFromDirUrl
"
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// AuthRoot Auto Update Definitions // AuthRoot Auto Update Definitions
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
// Registry path to the AuthRoot "Auto Update" local machine subkey // Registry path to the AuthRoot "Auto Update" local machine subkey
#define CERT_AUTH_ROOT_AUTO_UPDATE_LOCAL_MACHINE_REGPATH \ #define CERT_AUTH_ROOT_AUTO_UPDATE_LOCAL_MACHINE_REGPATH \
CERT_AUTO_UPDATE_LOCAL_MACHINE_REGPATH CERT_AUTO_UPDATE_LOCAL_MACHINE_REGPATH
// AuthRoot Auto Update subkey value names. // AuthRoot Auto Update subkey value names.
skipping to change at line 9872 skipping to change at line 10038
// //
// DisallowedCert Auto Update CTL List Identifiers // DisallowedCert Auto Update CTL List Identifiers
// //
// Disallowed Cert CTL List Identifier // Disallowed Cert CTL List Identifier
#define CERT_DISALLOWED_CERT_AUTO_UPDATE_LIST_IDENTIFIER \ #define CERT_DISALLOWED_CERT_AUTO_UPDATE_LIST_IDENTIFIER \
L"DisallowedCert_AutoUpdate_1" L"DisallowedCert_AutoUpdate_1"
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// PinRules Auto Update Definitions
//--------------------------------------------------------------------------
//
// PinRules Auto Update subkey value names.
//
// REG_DWORD, seconds between syncs. 0 implies use default.
#define CERT_PIN_RULES_AUTO_UPDATE_SYNC_DELTA_TIME_VALUE_NAME \
L"PinRulesSyncDeltaTime"
// REG_BINARY, updated with FILETIME of last wire retrieval of pin rules
// CTL
#define CERT_PIN_RULES_AUTO_UPDATE_LAST_SYNC_TIME_VALUE_NAME \
L"PinRulesLastSyncTime"
// REG_BINARY, updated with last retrieved and verified pin rules ctl
#define CERT_PIN_RULES_AUTO_UPDATE_ENCODED_CTL_VALUE_NAME \
L"PinRulesEncodedCtl"
//
// PinRules Auto Update filenames
//
// CTL containing the list of pin rules
#define CERT_PIN_RULES_CTL_FILENAME L"pinrules.stl"
#define CERT_PIN_RULES_CTL_FILENAME_A "pinrules.stl"
// Cab containing pin rules CTL
#define CERT_PIN_RULES_CAB_FILENAME L"pinrulesstl.cab"
//
// Pin Rules Auto Update CTL List Identifiers
//
// Pin Rules CTL List Identifier
#define CERT_PIN_RULES_AUTO_UPDATE_LIST_IDENTIFIER \
L"PinRules_AutoUpdate_1"
//+-------------------------------------------------------------------------
// Certificate Registry Store Flag Values (CERT_STORE_REG) // Certificate Registry Store Flag Values (CERT_STORE_REG)
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
// Set this flag if the HKEY passed in pvPara points to a remote computer // Set this flag if the HKEY passed in pvPara points to a remote computer
// registry key. // registry key.
#define CERT_REGISTRY_STORE_REMOTE_FLAG 0x10000 #define CERT_REGISTRY_STORE_REMOTE_FLAG 0x10000
// Set this flag if the contexts are to be persisted as a single serialized // Set this flag if the contexts are to be persisted as a single serialized
// store in the registry. Mainly used for stores downloaded from the GPT. // store in the registry. Mainly used for stores downloaded from the GPT.
// Such as the CurrentUserGroupPolicy or LocalMachineGroupPolicy stores. // Such as the CurrentUserGroupPolicy or LocalMachineGroupPolicy stores.
skipping to change at line 9956 skipping to change at line 10162
// //
// For the FILENAME providers: the file is committed as either a PKCS7 or // For the FILENAME providers: the file is committed as either a PKCS7 or
// serialized store depending on the type read at open. However, if the // serialized store depending on the type read at open. However, if the
// file is empty then, if the filename has either a ".p7c" or ".spc" // file is empty then, if the filename has either a ".p7c" or ".spc"
// extension its committed as a PKCS7. Otherwise, its committed as a // extension its committed as a PKCS7. Otherwise, its committed as a
// serialized store. // serialized store.
// //
// For CERT_STORE_PROV_FILE, the file handle is duplicated. Its always // For CERT_STORE_PROV_FILE, the file handle is duplicated. Its always
// committed as a serialized store. // committed as a serialized store.
// //
#define CERT_FILE_STORE_COMMIT_ENABLE_FLAG 0x10000 #define CERT_FILE_STORE_COMMIT_ENABLE_FLAG 0x10000
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Certificate LDAP Store Flag Values for the providers: // Certificate LDAP Store Flag Values for the providers:
// CERT_STORE_PROV_LDAP // CERT_STORE_PROV_LDAP
// CERT_STORE_PROV_LDAP_W // CERT_STORE_PROV_LDAP_W
// sz_CERT_STORE_PROV_LDAP_W // sz_CERT_STORE_PROV_LDAP_W
// sz_CERT_STORE_PROV_LDAP // sz_CERT_STORE_PROV_LDAP
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
// Set this flag to digitally sign all of the ldap traffic to and from a // Set this flag to digitally sign all of the ldap traffic to and from a
skipping to change at line 11591 skipping to change at line 11797
// property, they aren't enumerated individually. // property, they aren't enumerated individually.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
DWORD DWORD
WINAPI WINAPI
CertEnumCertificateContextProperties( CertEnumCertificateContextProperties(
_In_ PCCERT_CONTEXT pCertContext, _In_ PCCERT_CONTEXT pCertContext,
_In_ DWORD dwPropId _In_ DWORD dwPropId
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Creates a CTL entry whose attributes are the certificate context's // Creates a CTL entry whose attributes are the certificate context's
// properties. // properties.
// //
// The SubjectIdentifier in the CTL entry is the SHA1 hash of the certificate. // The SubjectIdentifier in the CTL entry is the SHA1 hash of the certificate.
// //
// The certificate properties are added as attributes. The property attribute // The certificate properties are added as attributes. The property attribute
// OID is the decimal PROP_ID preceded by szOID_CERT_PROP_ID_PREFIX. Each // OID is the decimal PROP_ID preceded by szOID_CERT_PROP_ID_PREFIX. Each
// property value is copied as a single attribute value. // property value is copied as a single attribute value.
// //
skipping to change at line 11644 skipping to change at line 11856
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CertSetCertificateContextPropertiesFromCTLEntry( CertSetCertificateContextPropertiesFromCTLEntry(
_In_ PCCERT_CONTEXT pCertContext, _In_ PCCERT_CONTEXT pCertContext,
_In_ PCTL_ENTRY pCtlEntry, _In_ PCTL_ENTRY pCtlEntry,
_In_ DWORD dwFlags _In_ DWORD dwFlags
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Get the first or next CRL context from the store for the specified // Get the first or next CRL context from the store for the specified
// issuer certificate. Perform the enabled verification checks on the CRL. // issuer certificate. Perform the enabled verification checks on the CRL.
// //
// If the first or next CRL isn't found, NULL is returned. // If the first or next CRL isn't found, NULL is returned.
// Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT // Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
// must be freed by calling CertFreeCRLContext. However, the free must be // must be freed by calling CertFreeCRLContext. However, the free must be
// pPrevCrlContext on a subsequent call. CertDuplicateCRLContext // pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
// can be called to make a duplicate. // can be called to make a duplicate.
// //
skipping to change at line 13084 skipping to change at line 13303
} CERT_PHYSICAL_STORE_INFO, *PCERT_PHYSICAL_STORE_INFO; } CERT_PHYSICAL_STORE_INFO, *PCERT_PHYSICAL_STORE_INFO;
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Physical Store Information dwFlags // Physical Store Information dwFlags
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#define CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG 0x1 #define CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG 0x1
#define CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG 0x2 #define CERT_PHYSICAL_STORE_OPEN_DISABLE_FLAG 0x2
#define CERT_PHYSICAL_STORE_REMOTE_OPEN_DISABLE_FLAG 0x4 #define CERT_PHYSICAL_STORE_REMOTE_OPEN_DISABLE_FLAG 0x4
#define CERT_PHYSICAL_STORE_INSERT_COMPUTER_NAME_ENABLE_FLAG 0x8 #define CERT_PHYSICAL_STORE_INSERT_COMPUTER_NAME_ENABLE_FLAG 0x8
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Register a system store. // Register a system store.
// //
// The upper word of the dwFlags parameter is used to specify the location of // The upper word of the dwFlags parameter is used to specify the location of
// the system store. // the system store.
// //
// If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore // If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
// points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise, // points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
// pvSystemStore points to a null terminated UNICODE string. // pvSystemStore points to a null terminated UNICODE string.
// //
skipping to change at line 13195 skipping to change at line 13420
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CertUnregisterPhysicalStore( CertUnregisterPhysicalStore(
_In_ const void *pvSystemStore, _In_ const void *pvSystemStore,
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_In_ LPCWSTR pwszStoreName _In_ LPCWSTR pwszStoreName
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Enum callbacks // Enum callbacks
// //
// The CERT_SYSTEM_STORE_LOCATION_MASK bits in the dwFlags parameter // The CERT_SYSTEM_STORE_LOCATION_MASK bits in the dwFlags parameter
// specifies the location of the system store // specifies the location of the system store
// //
// If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore // If CERT_SYSTEM_STORE_RELOCATE_FLAG is set in dwFlags, pvSystemStore
// points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise, // points to a CERT_SYSTEM_STORE_RELOCATE_PARA data structure. Otherwise,
// pvSystemStore points to a null terminated UNICODE string. // pvSystemStore points to a null terminated UNICODE string.
// //
skipping to change at line 13392 skipping to change at line 13623
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CertGetEnhancedKeyUsage( CertGetEnhancedKeyUsage(
_In_ PCCERT_CONTEXT pCertContext, _In_ PCCERT_CONTEXT pCertContext,
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_Out_writes_bytes_to_opt_(*pcbUsage, *pcbUsage) PCERT_ENHKEY_USAGE pUsage, _Out_writes_bytes_to_opt_(*pcbUsage, *pcbUsage) PCERT_ENHKEY_USAGE pUsage,
_Inout_ DWORD *pcbUsage _Inout_ DWORD *pcbUsage
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Set the enhanced key usage property for the certificate. // Set the enhanced key usage property for the certificate.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CertSetEnhancedKeyUsage( CertSetEnhancedKeyUsage(
_In_ PCCERT_CONTEXT pCertContext, _In_ PCCERT_CONTEXT pCertContext,
_In_opt_ PCERT_ENHKEY_USAGE pUsage _In_opt_ PCERT_ENHKEY_USAGE pUsage
); );
skipping to change at line 13426 skipping to change at line 13663
// property. // property.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CertRemoveEnhancedKeyUsageIdentifier( CertRemoveEnhancedKeyUsageIdentifier(
_In_ PCCERT_CONTEXT pCertContext, _In_ PCCERT_CONTEXT pCertContext,
_In_ LPCSTR pszUsageIdentifier _In_ LPCSTR pszUsageIdentifier
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
//+--------------------------------------------------------------------------- //+---------------------------------------------------------------------------
// //
// //
// Takes an array of certs and returns an array of usages // Takes an array of certs and returns an array of usages
// which consists of the intersection of the valid usages for each cert. // which consists of the intersection of the valid usages for each cert.
// If each cert is good for all possible usages then the cNumOIDs is set to -1. // If each cert is good for all possible usages then the cNumOIDs is set to -1.
// //
//---------------------------------------------------------------------------- //----------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
_Success_(return != FALSE) _Success_(return != FALSE)
skipping to change at line 13490 skipping to change at line 13734
_In_reads_opt_(cSignerStore) HCERTSTORE *rghSignerStore, _In_reads_opt_(cSignerStore) HCERTSTORE *rghSignerStore,
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_Outptr_opt_ PCCERT_CONTEXT *ppSigner, _Outptr_opt_ PCCERT_CONTEXT *ppSigner,
_Inout_opt_ DWORD *pdwSignerIndex _Inout_opt_ DWORD *pdwSignerIndex
); );
#define CMSG_TRUSTED_SIGNER_FLAG 0x1 #define CMSG_TRUSTED_SIGNER_FLAG 0x1
#define CMSG_SIGNER_ONLY_FLAG 0x2 #define CMSG_SIGNER_ONLY_FLAG 0x2
#define CMSG_USE_SIGNER_INDEX_FLAG 0x4 #define CMSG_USE_SIGNER_INDEX_FLAG 0x4
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Sign an encoded CTL. // Sign an encoded CTL.
// //
// The pbCtlContent can be obtained via a CTL_CONTEXT's pbCtlContent // The pbCtlContent can be obtained via a CTL_CONTEXT's pbCtlContent
// field or via a CryptEncodeObject(PKCS_CTL or PKCS_SORTED_CTL). // field or via a CryptEncodeObject(PKCS_CTL or PKCS_SORTED_CTL).
// //
// CMSG_CMS_ENCAPSULATED_CTL_FLAG can be set to encode a CMS compatible // CMSG_CMS_ENCAPSULATED_CTL_FLAG can be set to encode a CMS compatible
// V3 SignedData message. // V3 SignedData message.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
skipping to change at line 13592 skipping to change at line 13842
_In_ PCCTL_CONTEXT pCtlContext, _In_ PCCTL_CONTEXT pCtlContext,
_Inout_ void **ppvNextSubject, _Inout_ void **ppvNextSubject,
_Out_opt_ PCRYPT_DER_BLOB pSubjectIdentifier, _Out_opt_ PCRYPT_DER_BLOB pSubjectIdentifier,
_Out_opt_ PCRYPT_DER_BLOB pEncodedAttributes _Out_opt_ PCRYPT_DER_BLOB pEncodedAttributes
); );
//+========================================================================= //+=========================================================================
// Certificate Verify CTL Usage Data Structures and APIs // Certificate Verify CTL Usage Data Structures and APIs
//========================================================================== //==========================================================================
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
typedef struct _CTL_VERIFY_USAGE_PARA { typedef struct _CTL_VERIFY_USAGE_PARA {
DWORD cbSize; DWORD cbSize;
CRYPT_DATA_BLOB ListIdentifier; // OPTIONAL CRYPT_DATA_BLOB ListIdentifier; // OPTIONAL
DWORD cCtlStore; DWORD cCtlStore;
HCERTSTORE *rghCtlStore; // OPTIONAL HCERTSTORE *rghCtlStore; // OPTIONAL
DWORD cSignerStore; DWORD cSignerStore;
HCERTSTORE *rghSignerStore; // OPTIONAL HCERTSTORE *rghSignerStore; // OPTIONAL
} CTL_VERIFY_USAGE_PARA, *PCTL_VERIFY_USAGE_PARA; } CTL_VERIFY_USAGE_PARA, *PCTL_VERIFY_USAGE_PARA;
typedef struct _CTL_VERIFY_USAGE_STATUS { typedef struct _CTL_VERIFY_USAGE_STATUS {
skipping to change at line 13618 skipping to change at line 13874
DWORD dwSignerIndex; DWORD dwSignerIndex;
} CTL_VERIFY_USAGE_STATUS, *PCTL_VERIFY_USAGE_STATUS; } CTL_VERIFY_USAGE_STATUS, *PCTL_VERIFY_USAGE_STATUS;
#define CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG 0x1 #define CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG 0x1
#define CERT_VERIFY_TRUSTED_SIGNERS_FLAG 0x2 #define CERT_VERIFY_TRUSTED_SIGNERS_FLAG 0x2
#define CERT_VERIFY_NO_TIME_CHECK_FLAG 0x4 #define CERT_VERIFY_NO_TIME_CHECK_FLAG 0x4
#define CERT_VERIFY_ALLOW_MORE_USAGE_FLAG 0x8 #define CERT_VERIFY_ALLOW_MORE_USAGE_FLAG 0x8
#define CERT_VERIFY_UPDATED_CTL_FLAG 0x1 #define CERT_VERIFY_UPDATED_CTL_FLAG 0x1
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Verify that a subject is trusted for the specified usage by finding a // Verify that a subject is trusted for the specified usage by finding a
// signed and time valid CTL with the usage identifiers and containing the // signed and time valid CTL with the usage identifiers and containing the
// the subject. A subject can be identified by either its certificate context // the subject. A subject can be identified by either its certificate context
// or any identifier such as its SHA1 hash. // or any identifier such as its SHA1 hash.
// //
// See CertFindSubjectInCTL for definition of dwSubjectType and pvSubject // See CertFindSubjectInCTL for definition of dwSubjectType and pvSubject
// parameters. // parameters.
// //
// Via pVerifyUsagePara, the caller can specify the stores to be searched // Via pVerifyUsagePara, the caller can specify the stores to be searched
skipping to change at line 13684 skipping to change at line 13946
_In_ PCTL_USAGE pSubjectUsage, _In_ PCTL_USAGE pSubjectUsage,
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_In_opt_ PCTL_VERIFY_USAGE_PARA pVerifyUsagePara, _In_opt_ PCTL_VERIFY_USAGE_PARA pVerifyUsagePara,
_Inout_ PCTL_VERIFY_USAGE_STATUS pVerifyUsageStatus _Inout_ PCTL_VERIFY_USAGE_STATUS pVerifyUsageStatus
); );
//+========================================================================= //+=========================================================================
// Certificate Revocation Data Structures and APIs // Certificate Revocation Data Structures and APIs
//========================================================================== //==========================================================================
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// This data structure is updated by a CRL revocation type handler // This data structure is updated by a CRL revocation type handler
// with the base and possibly the delta CRL used. // with the base and possibly the delta CRL used.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
typedef struct _CERT_REVOCATION_CRL_INFO { typedef struct _CERT_REVOCATION_CRL_INFO {
DWORD cbSize; DWORD cbSize;
PCCRL_CONTEXT pBaseCrlContext; PCCRL_CONTEXT pBaseCrlContext;
PCCRL_CONTEXT pDeltaCrlContext; PCCRL_CONTEXT pDeltaCrlContext;
// When revoked, points to entry in either of the above CRL contexts. // When revoked, points to entry in either of the above CRL contexts.
skipping to change at line 13805 skipping to change at line 14073
// The Freshness time is only applicable to the last context checked. If // The Freshness time is only applicable to the last context checked. If
// interested in this information, then, CertVerifyRevocation should be // interested in this information, then, CertVerifyRevocation should be
// called with cContext = 1. // called with cContext = 1.
// //
// fHasFreshnessTime is only set if we are able to retrieve revocation // fHasFreshnessTime is only set if we are able to retrieve revocation
// information. For a CRL its CurrentTime - ThisUpdate. // information. For a CRL its CurrentTime - ThisUpdate.
BOOL fHasFreshnessTime; BOOL fHasFreshnessTime;
DWORD dwFreshnessTime; // seconds DWORD dwFreshnessTime; // seconds
} CERT_REVOCATION_STATUS, *PCERT_REVOCATION_STATUS; } CERT_REVOCATION_STATUS, *PCERT_REVOCATION_STATUS;
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Verifies the array of contexts for revocation. The dwRevType parameter // Verifies the array of contexts for revocation. The dwRevType parameter
// indicates the type of the context data structure passed in rgpvContext. // indicates the type of the context data structure passed in rgpvContext.
// Currently only the revocation of certificates is defined. // Currently only the revocation of certificates is defined.
// //
// If the CERT_VERIFY_REV_CHAIN_FLAG flag is set, then, CertVerifyRevocation // If the CERT_VERIFY_REV_CHAIN_FLAG flag is set, then, CertVerifyRevocation
// is verifying a chain of certs where, rgpvContext[i + 1] is the issuer // is verifying a chain of certs where, rgpvContext[i + 1] is the issuer
// of rgpvContext[i]. Otherwise, CertVerifyRevocation makes no assumptions // of rgpvContext[i]. Otherwise, CertVerifyRevocation makes no assumptions
// about the order of the contexts. // about the order of the contexts.
// //
skipping to change at line 13895 skipping to change at line 14169
CertVerifyRevocation( CertVerifyRevocation(
_In_ DWORD dwEncodingType, _In_ DWORD dwEncodingType,
_In_ DWORD dwRevType, _In_ DWORD dwRevType,
_In_ DWORD cContext, _In_ DWORD cContext,
_In_reads_(cContext) PVOID rgpvContext[], _In_reads_(cContext) PVOID rgpvContext[],
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_In_opt_ PCERT_REVOCATION_PARA pRevPara, _In_opt_ PCERT_REVOCATION_PARA pRevPara,
_Inout_ PCERT_REVOCATION_STATUS pRevStatus _Inout_ PCERT_REVOCATION_STATUS pRevStatus
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Revocation types // Revocation types
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#define CERT_CONTEXT_REVOCATION_TYPE 1 #define CERT_CONTEXT_REVOCATION_TYPE 1
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// When the following flag is set, rgpvContext[] consists of a chain // When the following flag is set, rgpvContext[] consists of a chain
// of certificates, where rgpvContext[i + 1] is the issuer of rgpvContext[i]. // of certificates, where rgpvContext[i + 1] is the issuer of rgpvContext[i].
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#define CERT_VERIFY_REV_CHAIN_FLAG 0x00000001 #define CERT_VERIFY_REV_CHAIN_FLAG 0x00000001
skipping to change at line 13996 skipping to change at line 14276
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CertCompareCertificateName( CertCompareCertificateName(
_In_ DWORD dwCertEncodingType, _In_ DWORD dwCertEncodingType,
_In_ PCERT_NAME_BLOB pCertName1, _In_ PCERT_NAME_BLOB pCertName1,
_In_ PCERT_NAME_BLOB pCertName2 _In_ PCERT_NAME_BLOB pCertName2
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Compare the attributes in the certificate name with the specified // Compare the attributes in the certificate name with the specified
// Relative Distinguished Name's (CERT_RDN) array of attributes. // Relative Distinguished Name's (CERT_RDN) array of attributes.
// The comparison iterates through the CERT_RDN attributes and looks for an // The comparison iterates through the CERT_RDN attributes and looks for an
// attribute match in any of the certificate name's RDNs. // attribute match in any of the certificate name's RDNs.
// Returns TRUE if all the attributes are found and match. // Returns TRUE if all the attributes are found and match.
// //
// The CERT_RDN_ATTR fields can have the following special values: // The CERT_RDN_ATTR fields can have the following special values:
// pszObjId == NULL - ignore the attribute object identifier // pszObjId == NULL - ignore the attribute object identifier
// dwValueType == RDN_ANY_TYPE - ignore the value type // dwValueType == RDN_ANY_TYPE - ignore the value type
skipping to change at line 14041 skipping to change at line 14327
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CertComparePublicKeyInfo( CertComparePublicKeyInfo(
_In_ DWORD dwCertEncodingType, _In_ DWORD dwCertEncodingType,
_In_ PCERT_PUBLIC_KEY_INFO pPublicKey1, _In_ PCERT_PUBLIC_KEY_INFO pPublicKey1,
_In_ PCERT_PUBLIC_KEY_INFO pPublicKey2 _In_ PCERT_PUBLIC_KEY_INFO pPublicKey2
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM)*/
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Get the public/private key's bit length. // Get the public/private key's bit length.
// //
// Returns 0 if unable to determine the key's length. // Returns 0 if unable to determine the key's length.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
DWORD DWORD
WINAPI WINAPI
CertGetPublicKeyLength( CertGetPublicKeyLength(
_In_ DWORD dwCertEncodingType, _In_ DWORD dwCertEncodingType,
_In_ PCERT_PUBLIC_KEY_INFO pPublicKey _In_ PCERT_PUBLIC_KEY_INFO pPublicKey
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Verify the signature of a subject certificate or a CRL using the // Verify the signature of a subject certificate or a CRL using the
// public key info // public key info
// //
// Returns TRUE for a valid signature. // Returns TRUE for a valid signature.
// //
// hCryptProv specifies the crypto provider to use to verify the signature. // hCryptProv specifies the crypto provider to use to verify the signature.
// It doesn't need to use a private key. // It doesn't need to use a private key.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
skipping to change at line 14115 skipping to change at line 14413
_In_opt_ HCRYPTPROV_LEGACY hCryptProv, _In_opt_ HCRYPTPROV_LEGACY hCryptProv,
_In_ DWORD dwCertEncodingType, _In_ DWORD dwCertEncodingType,
_In_ DWORD dwSubjectType, _In_ DWORD dwSubjectType,
_In_ void *pvSubject, _In_ void *pvSubject,
_In_ DWORD dwIssuerType, _In_ DWORD dwIssuerType,
_In_opt_ void *pvIssuer, _In_opt_ void *pvIssuer,
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_Inout_opt_ void *pvExtra _Inout_opt_ void *pvExtra
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
// Subject Types // Subject Types
#define CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB 1 #define CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB 1
// pvSubject :: PCRYPT_DATA_BLOB // pvSubject :: PCRYPT_DATA_BLOB
#define CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT 2 #define CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT 2
// pvSubject :: PCCERT_CONTEXT // pvSubject :: PCCERT_CONTEXT
#define CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL 3 #define CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL 3
// pvSubject :: PCCRL_CONTEXT // pvSubject :: PCCRL_CONTEXT
#define CRYPT_VERIFY_CERT_SIGN_SUBJECT_OCSP_BASIC_SIGNED_RESPONSE 4 #define CRYPT_VERIFY_CERT_SIGN_SUBJECT_OCSP_BASIC_SIGNED_RESPONSE 4
// pvSubject :: POCSP_BASIC_SIGNED_RESPONSE_INFO // pvSubject :: POCSP_BASIC_SIGNED_RESPONSE_INFO
skipping to change at line 14194 skipping to change at line 14498
typedef struct _CRYPT_VERIFY_CERT_SIGN_WEAK_HASH_INFO { typedef struct _CRYPT_VERIFY_CERT_SIGN_WEAK_HASH_INFO {
DWORD cCNGHashAlgid; DWORD cCNGHashAlgid;
PCWSTR *rgpwszCNGHashAlgid; PCWSTR *rgpwszCNGHashAlgid;
// If not weak, dwWeakIndex is set to cCNGHashAlgid. Otherwise, // If not weak, dwWeakIndex is set to cCNGHashAlgid. Otherwise,
// index into the above array. // index into the above array.
DWORD dwWeakIndex; DWORD dwWeakIndex;
} CRYPT_VERIFY_CERT_SIGN_WEAK_HASH_INFO, } CRYPT_VERIFY_CERT_SIGN_WEAK_HASH_INFO,
*PCRYPT_VERIFY_CERT_SIGN_WEAK_HASH_INFO; *PCRYPT_VERIFY_CERT_SIGN_WEAK_HASH_INFO;
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Checks if the specified hash algorithm and the signing certificate's // Checks if the specified hash algorithm and the signing certificate's
// public key algorithm can be used to do a strong signature. // public key algorithm can be used to do a strong signature.
// //
// Returns TRUE if the hash algorithm and certificate public key algorithm // Returns TRUE if the hash algorithm and certificate public key algorithm
// satisfy the strong signature requirements. // satisfy the strong signature requirements.
// //
// pwszCNGHashAlgid is the CNG hash algorithm identifier string, for example, // pwszCNGHashAlgid is the CNG hash algorithm identifier string, for example,
// BCRYPT_SHA256_ALGORITHM (L"SHA256") // BCRYPT_SHA256_ALGORITHM (L"SHA256")
// //
skipping to change at line 14296 skipping to change at line 14606
// //
// If the SignatureAlgorithm is a hash algorithm, then, the signature // If the SignatureAlgorithm is a hash algorithm, then, the signature
// contains the hash octets. A private key isn't used to encrypt the hash. // contains the hash octets. A private key isn't used to encrypt the hash.
// dwKeySpec isn't used and hCryptProvOrNCryptKey can be NULL where an // dwKeySpec isn't used and hCryptProvOrNCryptKey can be NULL where an
// appropriate default provider will be used for hashing. // appropriate default provider will be used for hashing.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CryptSignCertificate( CryptSignCertificate(
#ifdef CMSG_SIGNER_ENCODE_INFO_HAS_IUM_FIELDS
_In_ BCRYPT_KEY_HANDLE hBCryptKey,
#else
_In_opt_ HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, _In_opt_ HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey,
#endif
_In_opt_ DWORD dwKeySpec, // not applicable for NCRYPT_KEY_HANDLE _In_opt_ DWORD dwKeySpec, // not applicable for NCRYPT_KEY_HANDLE
_In_ DWORD dwCertEncodingType, _In_ DWORD dwCertEncodingType,
_In_reads_bytes_(cbEncodedToBeSigned) const BYTE *pbEncodedToBeSigned, _In_reads_bytes_(cbEncodedToBeSigned) const BYTE *pbEncodedToBeSigned,
_In_ DWORD cbEncodedToBeSigned, _In_ DWORD cbEncodedToBeSigned,
_In_ PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, _In_ PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
_In_opt_ const void *pvHashAuxInfo, _In_opt_ const void *pvHashAuxInfo,
_Out_writes_bytes_to_opt_(*pcbSignature, *pcbSignature) BYTE *pbSignature, _Out_writes_bytes_to_opt_(*pcbSignature, *pcbSignature) BYTE *pbSignature,
_Inout_ DWORD *pcbSignature _Inout_ DWORD *pcbSignature
); );
skipping to change at line 14323 skipping to change at line 14637
// //
// If the SignatureAlgorithm is a hash algorithm, then, the signature // If the SignatureAlgorithm is a hash algorithm, then, the signature
// contains the hash octets. A private key isn't used to encrypt the hash. // contains the hash octets. A private key isn't used to encrypt the hash.
// dwKeySpec isn't used and hCryptProv can be NULL where an appropriate // dwKeySpec isn't used and hCryptProv can be NULL where an appropriate
// default provider will be used for hashing. // default provider will be used for hashing.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CryptSignAndEncodeCertificate( CryptSignAndEncodeCertificate(
#ifdef CMSG_SIGNER_ENCODE_INFO_HAS_IUM_FIELDS
_In_ BCRYPT_KEY_HANDLE hBCryptKey,
#else
_In_opt_ HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, _In_opt_ HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey,
#endif
_In_opt_ DWORD dwKeySpec, // not applicable for NCRYPT_KEY_HANDLE _In_opt_ DWORD dwKeySpec, // not applicable for NCRYPT_KEY_HANDLE
_In_ DWORD dwCertEncodingType, _In_ DWORD dwCertEncodingType,
_In_ LPCSTR lpszStructType, // "to be signed" _In_ LPCSTR lpszStructType, // "to be signed"
_In_ const void *pvStructInfo, _In_ const void *pvStructInfo,
_In_ PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, _In_ PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
_In_opt_ const void *pvHashAuxInfo, _In_opt_ const void *pvHashAuxInfo,
_Out_writes_bytes_to_opt_(*pcbEncoded, *pcbEncoded) BYTE *pbEncoded, _Out_writes_bytes_to_opt_(*pcbEncoded, *pcbEncoded) BYTE *pbEncoded,
_Inout_ DWORD *pcbEncoded _Inout_ DWORD *pcbEncoded
); );
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Certificate and CryptMsg encoded signature OID installable functions // Certificate and CryptMsg encoded signature OID installable functions
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
// The dwCertEncodingType and pSignatureAlgorithm->pszObjId are used // The dwCertEncodingType and pSignatureAlgorithm->pszObjId are used
// to call the signature OID installable functions. // to call the signature OID installable functions.
// //
// If the OID installable function doesn't support the signature, // If the OID installable function doesn't support the signature,
// it should return FALSE with LastError set to ERROR_NOT_SUPPORTED. // it should return FALSE with LastError set to ERROR_NOT_SUPPORTED.
// Called if the signature has encoded parameters. Returns the CNG // Called if the signature has encoded parameters. Returns the CNG
// hash algorithm identifier string. Optionally returns the decoded // hash algorithm identifier string. Optionally returns the decoded
// signature parameters passed to either the SignAndEncodeHash or // signature parameters passed to either the SignAndEncodeHash or
// VerifyEncodedSignature OID installable function. // VerifyEncodedSignature OID installable function.
skipping to change at line 14408 skipping to change at line 14732
// If pTimeToVerify is NULL, uses the current time. // If pTimeToVerify is NULL, uses the current time.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
LONG LONG
WINAPI WINAPI
CertVerifyTimeValidity( CertVerifyTimeValidity(
_In_opt_ LPFILETIME pTimeToVerify, _In_opt_ LPFILETIME pTimeToVerify,
_In_ PCERT_INFO pCertInfo _In_ PCERT_INFO pCertInfo
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Verify the time validity of a CRL. // Verify the time validity of a CRL.
// //
// Returns -1 if before ThisUpdate, +1 if after NextUpdate and otherwise 0 for // Returns -1 if before ThisUpdate, +1 if after NextUpdate and otherwise 0 for
// a valid CRL // a valid CRL
// //
// If pTimeToVerify is NULL, uses the current time. // If pTimeToVerify is NULL, uses the current time.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
LONG LONG
skipping to change at line 14483 skipping to change at line 14813
WINAPI WINAPI
CertOIDToAlgId( CertOIDToAlgId(
_In_ LPCSTR pszObjId _In_ LPCSTR pszObjId
); );
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Find an extension identified by its Object Identifier. // Find an extension identified by its Object Identifier.
// //
// If found, returns pointer to the extension. Otherwise, returns NULL. // If found, returns pointer to the extension. Otherwise, returns NULL.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
WINCRYPT32API WINCRYPT32API
PCERT_EXTENSION PCERT_EXTENSION
WINAPI WINAPI
CertFindExtension( CertFindExtension(
_In_ LPCSTR pszObjId, _In_ LPCSTR pszObjId,
_In_ DWORD cExtensions, _In_ DWORD cExtensions,
_In_reads_(cExtensions) CERT_EXTENSION rgExtensions[] _In_reads_(cExtensions) CERT_EXTENSION rgExtensions[]
); );
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
skipping to change at line 14540 skipping to change at line 14876
WINAPI WINAPI
CertGetIntendedKeyUsage( CertGetIntendedKeyUsage(
_In_ DWORD dwCertEncodingType, _In_ DWORD dwCertEncodingType,
_In_ PCERT_INFO pCertInfo, _In_ PCERT_INFO pCertInfo,
_Out_writes_bytes_all_(cbKeyUsage) BYTE *pbKeyUsage, _Out_writes_bytes_all_(cbKeyUsage) BYTE *pbKeyUsage,
_In_ DWORD cbKeyUsage _In_ DWORD cbKeyUsage
); );
typedef void *HCRYPTDEFAULTCONTEXT; typedef void *HCRYPTDEFAULTCONTEXT;
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Install a previously CryptAcquiredContext'ed HCRYPTPROV to be used as // Install a previously CryptAcquiredContext'ed HCRYPTPROV to be used as
// a default context. // a default context.
// //
// dwDefaultType and pvDefaultPara specify where the default context is used. // dwDefaultType and pvDefaultPara specify where the default context is used.
// For example, install the HCRYPTPROV to be used to verify certificate's // For example, install the HCRYPTPROV to be used to verify certificate's
// having szOID_OIWSEC_md5RSA signatures. // having szOID_OIWSEC_md5RSA signatures.
// //
// By default, the installed HCRYPTPROV is only applicable to the current // By default, the installed HCRYPTPROV is only applicable to the current
// thread. Set CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG to allow the HCRYPTPROV // thread. Set CRYPT_DEFAULT_CONTEXT_PROCESS_FLAG to allow the HCRYPTPROV
skipping to change at line 14664 skipping to change at line 15006
// //
// If unable to find an installable OID function for the pszPublicKeyObjId, // If unable to find an installable OID function for the pszPublicKeyObjId,
// attempts to export as a RSA Public Key (szOID_RSA_RSA). // attempts to export as a RSA Public Key (szOID_RSA_RSA).
// //
// The dwFlags and pvAuxInfo aren't used for szOID_RSA_RSA. // The dwFlags and pvAuxInfo aren't used for szOID_RSA_RSA.
// //
// dwFlags can be set with the following 2 flags passed directly to // dwFlags can be set with the following 2 flags passed directly to
// CryptFindOIDInfo: // CryptFindOIDInfo:
// CRYPT_OID_INFO_PUBKEY_SIGN_KEY_FLAG // CRYPT_OID_INFO_PUBKEY_SIGN_KEY_FLAG
// CRYPT_OID_INFO_PUBKEY_ENCRYPT_KEY_FLAG // CRYPT_OID_INFO_PUBKEY_ENCRYPT_KEY_FLAG
//
// dwFlags can be set with the following 2 flags to encode either Curve OID
// or ECC Parameters in Algorithm's Parameters section:
// CRYPT_OID_USE_CURVE_NAME_FOR_ENCODE_FLAG
// CRYPT_OID_USE_CURVE_PARAMETERS_FOR_ENCODE_FLAG
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CryptExportPublicKeyInfoEx( CryptExportPublicKeyInfoEx(
_In_ HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, _In_ HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey,
_In_opt_ DWORD dwKeySpec, // not applicable for NCRYPT_KEY_HANDLE _In_opt_ DWORD dwKeySpec, // not applicable for NCRYPT_KEY_HANDLE
_In_ DWORD dwCertEncodingType, _In_ DWORD dwCertEncodingType,
_In_opt_ LPSTR pszPublicKeyObjId, _In_opt_ LPSTR pszPublicKeyObjId,
skipping to change at line 14918 skipping to change at line 15266
// returned HCRYPTPROV or NCRYPT_KEY_HANDLE will be released on the last // returned HCRYPTPROV or NCRYPT_KEY_HANDLE will be released on the last
// free of the certificate context. // free of the certificate context.
// //
// Otherwise, *pfCallerFreeProvOrNCryptKey is TRUE and a returned // Otherwise, *pfCallerFreeProvOrNCryptKey is TRUE and a returned
// HCRYPTPROV must be released by the caller by calling CryptReleaseContext. // HCRYPTPROV must be released by the caller by calling CryptReleaseContext.
// A returned NCRYPT_KEY_HANDLE is freed by calling NCryptFreeObject. // A returned NCRYPT_KEY_HANDLE is freed by calling NCryptFreeObject.
// *pdwKeySpec MUST be checked when CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG // *pdwKeySpec MUST be checked when CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG
// or CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG is set. // or CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG is set.
// //
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CryptAcquireCertificatePrivateKey( CryptAcquireCertificatePrivateKey(
_In_ PCCERT_CONTEXT pCert, _In_ PCCERT_CONTEXT pCert,
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_In_opt_ void *pvParameters, _In_opt_ void *pvParameters,
_Out_ HCRYPTPROV_OR_NCRYPT_KEY_HANDLE *phCryptProvOrNCryptKey, _Out_ HCRYPTPROV_OR_NCRYPT_KEY_HANDLE *phCryptProvOrNCryptKey,
_Out_opt_ DWORD *pdwKeySpec, _Out_opt_ DWORD *pdwKeySpec,
_Out_opt_ BOOL *pfCallerFreeProvOrNCryptKey _Out_opt_ BOOL *pfCallerFreeProvOrNCryptKey
skipping to change at line 14943 skipping to change at line 15298
#define CRYPT_ACQUIRE_NO_HEALING 0x00000008 #define CRYPT_ACQUIRE_NO_HEALING 0x00000008
#define CRYPT_ACQUIRE_SILENT_FLAG 0x00000040 #define CRYPT_ACQUIRE_SILENT_FLAG 0x00000040
#define CRYPT_ACQUIRE_WINDOW_HANDLE_FLAG 0x00000080 #define CRYPT_ACQUIRE_WINDOW_HANDLE_FLAG 0x00000080
#define CRYPT_ACQUIRE_NCRYPT_KEY_FLAGS_MASK 0x00070000 #define CRYPT_ACQUIRE_NCRYPT_KEY_FLAGS_MASK 0x00070000
#define CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG 0x00010000 #define CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG 0x00010000
#define CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG 0x00020000 #define CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG 0x00020000
#define CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG 0x00040000 #define CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG 0x00040000
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Enumerates the cryptographic providers and their containers to find the // Enumerates the cryptographic providers and their containers to find the
// private key corresponding to the certificate's public key. For a match, // private key corresponding to the certificate's public key. For a match,
// the certificate's CERT_KEY_PROV_INFO_PROP_ID property is updated. // the certificate's CERT_KEY_PROV_INFO_PROP_ID property is updated.
// //
// If the CERT_KEY_PROV_INFO_PROP_ID is already set, then, its checked to // If the CERT_KEY_PROV_INFO_PROP_ID is already set, then, its checked to
// see if it matches the provider's public key. For a match, the above // see if it matches the provider's public key. For a match, the above
// enumeration is skipped. // enumeration is skipped.
// //
// By default both the user and machine key containers are searched. // By default both the user and machine key containers are searched.
skipping to change at line 15063 skipping to change at line 15424
CryptExportPKCS8( CryptExportPKCS8(
_In_ HCRYPTPROV hCryptProv, // in _In_ HCRYPTPROV hCryptProv, // in
_In_ DWORD dwKeySpec, // in _In_ DWORD dwKeySpec, // in
_In_ LPSTR pszPrivateKeyObjId, // in _In_ LPSTR pszPrivateKeyObjId, // in
_In_ DWORD dwFlags, // in _In_ DWORD dwFlags, // in
_In_opt_ void* pvAuxInfo, // in _In_opt_ void* pvAuxInfo, // in
_Out_writes_bytes_opt_ (*pcbPrivateKeyBlob) BYTE* pbPrivateKeyBlob, // out _Out_writes_bytes_opt_ (*pcbPrivateKeyBlob) BYTE* pbPrivateKeyBlob, // out
_Inout_ DWORD *pcbPrivateKeyBlob // in, out _Inout_ DWORD *pcbPrivateKeyBlob // in, out
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Desktop Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// CryptExportPKCS8Ex // CryptExportPKCS8Ex
// //
// Export the private key in PKCS8 format // Export the private key in PKCS8 format
// //
// //
// Uses the pszPrivateKeyObjId to call the // Uses the pszPrivateKeyObjId to call the
// installable CRYPT_OID_EXPORT_PRIVATE_KEY_INFO_FUNC. The called function // installable CRYPT_OID_EXPORT_PRIVATE_KEY_INFO_FUNC. The called function
// has the signature defined by PFN_EXPORT_PRIV_KEY_FUNC. // has the signature defined by PFN_EXPORT_PRIV_KEY_FUNC.
// //
skipping to change at line 15096 skipping to change at line 15463
BOOL BOOL
WINAPI WINAPI
CryptExportPKCS8Ex( CryptExportPKCS8Ex(
_In_ CRYPT_PKCS8_EXPORT_PARAMS* psExportParams, // in _In_ CRYPT_PKCS8_EXPORT_PARAMS* psExportParams, // in
_In_ DWORD dwFlags, // in _In_ DWORD dwFlags, // in
_In_opt_ void* pvAuxInfo, // in _In_opt_ void* pvAuxInfo, // in
_Out_writes_bytes_opt_ (*pcbPrivateKeyBlob) BYTE* pbPrivateKeyBlob, // out _Out_writes_bytes_opt_ (*pcbPrivateKeyBlob) BYTE* pbPrivateKeyBlob, // out
_Inout_ DWORD* pcbPrivateKeyBlob // in, out _Inout_ DWORD* pcbPrivateKeyBlob // in, out
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Compute the hash of the encoded public key info. // Compute the hash of the encoded public key info.
// //
// The public key info is encoded and then hashed. // The public key info is encoded and then hashed.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CryptHashPublicKeyInfo( CryptHashPublicKeyInfo(
_In_opt_ HCRYPTPROV_LEGACY hCryptProv, _In_opt_ HCRYPTPROV_LEGACY hCryptProv,
skipping to change at line 15266 skipping to change at line 15640
WINCRYPT32API WINCRYPT32API
DWORD DWORD
WINAPI WINAPI
CertNameToStrA( CertNameToStrA(
_In_ DWORD dwCertEncodingType, _In_ DWORD dwCertEncodingType,
_In_ PCERT_NAME_BLOB pName, _In_ PCERT_NAME_BLOB pName,
_In_ DWORD dwStrType, _In_ DWORD dwStrType,
_Out_writes_to_opt_(csz, return) LPSTR psz, _Out_writes_to_opt_(csz, return) LPSTR psz,
_In_ DWORD csz _In_ DWORD csz
); );
//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
DWORD DWORD
WINAPI WINAPI
CertNameToStrW( CertNameToStrW(
_In_ DWORD dwCertEncodingType, _In_ DWORD dwCertEncodingType,
_In_ PCERT_NAME_BLOB pName, _In_ PCERT_NAME_BLOB pName,
_In_ DWORD dwStrType, _In_ DWORD dwStrType,
_Out_writes_to_opt_(csz, return) LPWSTR psz, _Out_writes_to_opt_(csz, return) LPWSTR psz,
_In_ DWORD csz _In_ DWORD csz
); );
skipping to change at line 15937 skipping to change at line 16309
// //
// cbSize must be set to the sizeof(CRYPT_KEY_VERIFY_MESSAGE_PARA) or else // cbSize must be set to the sizeof(CRYPT_KEY_VERIFY_MESSAGE_PARA) or else
// LastError will be updated with E_INVALIDARG. // LastError will be updated with E_INVALIDARG.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
typedef struct _CRYPT_KEY_VERIFY_MESSAGE_PARA { typedef struct _CRYPT_KEY_VERIFY_MESSAGE_PARA {
DWORD cbSize; DWORD cbSize;
DWORD dwMsgEncodingType; DWORD dwMsgEncodingType;
HCRYPTPROV_LEGACY hCryptProv; HCRYPTPROV_LEGACY hCryptProv;
} CRYPT_KEY_VERIFY_MESSAGE_PARA, *PCRYPT_KEY_VERIFY_MESSAGE_PARA; } CRYPT_KEY_VERIFY_MESSAGE_PARA, *PCRYPT_KEY_VERIFY_MESSAGE_PARA;
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Sign the message. // Sign the message.
// //
// If fDetachedSignature is TRUE, the "to be signed" content isn't included // If fDetachedSignature is TRUE, the "to be signed" content isn't included
// in the encoded signed blob. // in the encoded signed blob.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CryptSignMessage( CryptSignMessage(
skipping to change at line 16382 skipping to change at line 16760
_In_ LPCWSTR szCertStoreName, _In_ LPCWSTR szCertStoreName,
_In_reads_bytes_(cbCertEncoded) const BYTE * pbCertEncoded, _In_reads_bytes_(cbCertEncoded) const BYTE * pbCertEncoded,
_In_ DWORD cbCertEncoded _In_ DWORD cbCertEncoded
); );
#ifdef UNICODE #ifdef UNICODE
#define CertAddEncodedCertificateToSystemStore CertAddEncodedCertificateToSyste mStoreW #define CertAddEncodedCertificateToSystemStore CertAddEncodedCertificateToSyste mStoreW
#else #else
#define CertAddEncodedCertificateToSystemStore CertAddEncodedCertificateToSyste mStoreA #define CertAddEncodedCertificateToSystemStore CertAddEncodedCertificateToSyste mStoreA
#endif // !UNICODE #endif // !UNICODE
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Desktop Family or Wintrust Package
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP |WINAPI_PARTITION_PHONE_RES
TRICTED | WINAPI_PARTITION_PKG_WINTRUST)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Find all certificate chains tying the given issuer name to any certificate // Find all certificate chains tying the given issuer name to any certificate
// that the current user has a private key for. // that the current user has a private key for.
// //
// If no certificate chain is found, FALSE is returned with LastError set // If no certificate chain is found, FALSE is returned with LastError set
// to CRYPT_E_NOT_FOUND and the counts zeroed. // to CRYPT_E_NOT_FOUND and the counts zeroed.
// //
// IE 3.0 ASSUMPTION: // IE 3.0 ASSUMPTION:
// The client certificates are in the "My" system store. The issuer // The client certificates are in the "My" system store. The issuer
// cerificates may be in the "Root", "CA" or "My" system stores. // cerificates may be in the "Root", "CA" or "My" system stores.
skipping to change at line 16414 skipping to change at line 16798
_Out_writes_bytes_to_opt_(*pcbCertChains, *pcbCertChains) PCERT_CHAIN pCertC hains, _Out_writes_bytes_to_opt_(*pcbCertChains, *pcbCertChains) PCERT_CHAIN pCertC hains,
_Inout_ DWORD *pcbCertChains, _Inout_ DWORD *pcbCertChains,
_Out_ DWORD *pcCertChains, // count of certificates chains returned _Out_ DWORD *pcCertChains, // count of certificates chains returned
_In_reads_bytes_opt_(cbEncodedIssuerName) BYTE* pbEncodedIssuerName, // DE R encoded issuer name _In_reads_bytes_opt_(cbEncodedIssuerName) BYTE* pbEncodedIssuerName, // DE R encoded issuer name
_In_ DWORD cbEncodedIssuerName, // count in bytes of encoded issuer name _In_ DWORD cbEncodedIssuerName, // count in bytes of encoded issuer name
_In_opt_ LPCWSTR pwszPurpose, // "ClientAuth" or "CodeSigning" _In_opt_ LPCWSTR pwszPurpose, // "ClientAuth" or "CodeSigning"
_In_ DWORD dwKeySpec // only return signers supporting this _In_ DWORD dwKeySpec // only return signers supporting this
// keyspec // keyspec
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP |WINAPI_PARTITION_PHO
NE_RESTRICTED | WINAPI_PARTITION_PKG_WINTRUST) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
//------------------------------------------------------------------------- //-------------------------------------------------------------------------
// //
// CryptQueryObject takes a CERT_BLOB or a file name and returns the // CryptQueryObject takes a CERT_BLOB or a file name and returns the
// information about the content in the blob or in the file. // information about the content in the blob or in the file.
// //
// Parameters: // Parameters:
// INPUT dwObjectType: // INPUT dwObjectType:
// Indicate the type of the object. Should be one of the // Indicate the type of the object. Should be one of the
// following: // following:
// CERT_QUERY_OBJECT_FILE // CERT_QUERY_OBJECT_FILE
skipping to change at line 16716 skipping to change at line 17106
//the content is ascii hex encoded with "{ASN}" prefix //the content is ascii hex encoded with "{ASN}" prefix
#define CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED \ #define CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED \
( 1 << CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED) ( 1 << CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED)
//the content can be of any format //the content can be of any format
#define CERT_QUERY_FORMAT_FLAG_ALL \ #define CERT_QUERY_FORMAT_FLAG_ALL \
( CERT_QUERY_FORMAT_FLAG_BINARY | \ ( CERT_QUERY_FORMAT_FLAG_BINARY | \
CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED | \ CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED | \
CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED ) CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED )
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
// //
// Crypt32 Memory Management Routines. All Crypt32 API which return allocated // Crypt32 Memory Management Routines. All Crypt32 API which return allocated
// buffers will do so via CryptMemAlloc, CryptMemRealloc. Clients can free // buffers will do so via CryptMemAlloc, CryptMemRealloc. Clients can free
// those buffers using CryptMemFree. Also included is CryptMemSize // those buffers using CryptMemFree. Also included is CryptMemSize
// //
WINCRYPT32API WINCRYPT32API
LPVOID LPVOID
WINAPI WINAPI
CryptMemAlloc ( CryptMemAlloc (
skipping to change at line 16796 skipping to change at line 17192
_Outptr_opt_result_maybenull_ __callback PFN_CRYPT_ASYNC_PARAM_FREE_FUNC* p pfnFree _Outptr_opt_result_maybenull_ __callback PFN_CRYPT_ASYNC_PARAM_FREE_FUNC* p pfnFree
); );
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CryptCloseAsyncHandle ( CryptCloseAsyncHandle (
_In_opt_ HCRYPTASYNC hAsync _In_opt_ HCRYPTASYNC hAsync
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
// //
// Crypt32 Remote Object Retrieval Routines. This API allows retrieval of // Crypt32 Remote Object Retrieval Routines. This API allows retrieval of
// remote PKI objects where the location is given by an URL. The remote // remote PKI objects where the location is given by an URL. The remote
// object retrieval manager exposes two provider models. One is the "Scheme // object retrieval manager exposes two provider models. One is the "Scheme
// Provider" model which allows for installable protocol providers as defined // Provider" model which allows for installable protocol providers as defined
// by the URL scheme e.g. ldap, http, ftp. The scheme provider entry point is // by the URL scheme e.g. ldap, http, ftp. The scheme provider entry point is
// the same as the CryptRetrieveObjectByUrl however the *ppvObject returned // the same as the CryptRetrieveObjectByUrl however the *ppvObject returned
// is ALWAYS a counted array of encoded bits (one per object retrieved). The // is ALWAYS a counted array of encoded bits (one per object retrieved). The
// second provider model is the "Context Provider" model which allows for // second provider model is the "Context Provider" model which allows for
// installable creators of CAPI2 context handles (objects) based on the // installable creators of CAPI2 context handles (objects) based on the
skipping to change at line 17015 skipping to change at line 17417
// Update content. The random query string ensures that cached proxy content // Update content. The random query string ensures that cached proxy content
// isn't used and the HTTP request will always reach the Content Delivery // isn't used and the HTTP request will always reach the Content Delivery
// Network (CDN) used by Windows Update which removes a query string // Network (CDN) used by Windows Update which removes a query string
// before doing a cache lookup. // before doing a cache lookup.
#define CRYPT_RANDOM_QUERY_STRING_RETRIEVAL 0x04000000 #define CRYPT_RANDOM_QUERY_STRING_RETRIEVAL 0x04000000
// File scheme retrieval's are disabled by default. This flag can be set to // File scheme retrieval's are disabled by default. This flag can be set to
// allow file retrievals. // allow file retrievals.
#define CRYPT_ENABLE_FILE_RETRIEVAL 0x08000000 #define CRYPT_ENABLE_FILE_RETRIEVAL 0x08000000
// Set this flag to check if a cache flush entry already exists for this URL.
// If it already exists, this API will fail and set LastError to
// ERROR_FILE_EXISTS. Otherwise, the pvVerify parameter will be used.
// If NULL, we only check if the cache entry exists. If nonNULL, then,
// pvVerify should be a PCRYPTNET_URL_CACHE_FLUSH_INFO containing the
// flush information to be written.
#define CRYPT_CREATE_NEW_FLUSH_ENTRY 0x10000000
// //
// Data verification retrieval flags // Data verification retrieval flags
// //
// CRYPT_VERIFY_CONTEXT_SIGNATURE is used to get signature verification // CRYPT_VERIFY_CONTEXT_SIGNATURE is used to get signature verification
// on the context created. In this case pszObjectOid must be non-NULL and // on the context created. In this case pszObjectOid must be non-NULL and
// pvVerify points to the signer certificate context // pvVerify points to the signer certificate context
// //
// CRYPT_VERIFY_DATA_HASH is used to get verification of the blob data // CRYPT_VERIFY_DATA_HASH is used to get verification of the blob data
// retrieved by the protocol. The pvVerify points to an URL_DATA_HASH // retrieved by the protocol. The pvVerify points to an URL_DATA_HASH
// structure (TBD) // structure (TBD)
skipping to change at line 17079 skipping to change at line 17489
FILETIME PublishTime; // May be zero FILETIME PublishTime; // May be zero
} CRYPTNET_URL_CACHE_PRE_FETCH_INFO, *PCRYPTNET_URL_CACHE_PRE_FETCH_INFO; } CRYPTNET_URL_CACHE_PRE_FETCH_INFO, *PCRYPTNET_URL_CACHE_PRE_FETCH_INFO;
// Pre-fetch ObjectTypes // Pre-fetch ObjectTypes
#define CRYPTNET_URL_CACHE_PRE_FETCH_NONE 0 #define CRYPTNET_URL_CACHE_PRE_FETCH_NONE 0
#define CRYPTNET_URL_CACHE_PRE_FETCH_BLOB 1 #define CRYPTNET_URL_CACHE_PRE_FETCH_BLOB 1
#define CRYPTNET_URL_CACHE_PRE_FETCH_CRL 2 #define CRYPTNET_URL_CACHE_PRE_FETCH_CRL 2
#define CRYPTNET_URL_CACHE_PRE_FETCH_OCSP 3 #define CRYPTNET_URL_CACHE_PRE_FETCH_OCSP 3
#define CRYPTNET_URL_CACHE_PRE_FETCH_AUTOROOT_CAB 5 #define CRYPTNET_URL_CACHE_PRE_FETCH_AUTOROOT_CAB 5
#define CRYPTNET_URL_CACHE_PRE_FETCH_DISALLOWED_CERT_CAB 6 #define CRYPTNET_URL_CACHE_PRE_FETCH_DISALLOWED_CERT_CAB 6
#define CRYPTNET_URL_CACHE_PRE_FETCH_PIN_RULES_CAB 7
// //
// Cryptnet URL Cache Flush Info // Cryptnet URL Cache Flush Info
// //
typedef struct _CRYPTNET_URL_CACHE_FLUSH_INFO { typedef struct _CRYPTNET_URL_CACHE_FLUSH_INFO {
DWORD cbSize; DWORD cbSize;
// If pre-fetching is enabled, following is ignored // If pre-fetching is enabled, following is ignored
// //
// 0 - use default flush exempt seconds (2 weeks) // 0 - use default flush exempt seconds (2 weeks)
// 0xFFFFFFFF - disable flushing // 0xFFFFFFFF - disable flushing
skipping to change at line 17179 skipping to change at line 17590
// This value is only updated upon return for a nonSuccessful status code // This value is only updated upon return for a nonSuccessful status code
// returned in a HTTP response header. This value won't be explicitly // returned in a HTTP response header. This value won't be explicitly
// cleared. This value will only be updated for http or https URL // cleared. This value will only be updated for http or https URL
// retrievals. // retrievals.
// //
// If CRYPT_NOT_MODIFIED_RETRIEVAL was set in dwFlags, set to winhttp.h's // If CRYPT_NOT_MODIFIED_RETRIEVAL was set in dwFlags, set to winhttp.h's
// HTTP_STATUS_NOT_MODIFIED if the retrieval returned not modified. In // HTTP_STATUS_NOT_MODIFIED if the retrieval returned not modified. In
// this case TRUE is returned with *ppvObject set to NULL. // this case TRUE is returned with *ppvObject set to NULL.
DWORD dwHttpStatusCode; DWORD dwHttpStatusCode;
// To get the HTTP response headers for a retrieval error, set the following
// pointer to the address of a LPWSTR to receive the list of
// headers. L'|' is used as the separator between headers.
// The *ppwszErrorResponseHeaders must be freed via CryptMemFree().
LPWSTR *ppwszErrorResponseHeaders;
// To get the content for a retrieval decode error, set the following
// pointer to the address of a PCRYPT_DATA_BLOB.
// The *ppErrorContentBlob must be freed via CryptMemFree().
PCRYPT_DATA_BLOB *ppErrorContentBlob;
} CRYPT_RETRIEVE_AUX_INFO, *PCRYPT_RETRIEVE_AUX_INFO; } CRYPT_RETRIEVE_AUX_INFO, *PCRYPT_RETRIEVE_AUX_INFO;
// Limit the error content to be allocated and returned.
#define CRYPT_RETRIEVE_MAX_ERROR_CONTENT_LENGTH 0x1000
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
WINCRYPT32API WINCRYPT32API
_Success_(return == TRUE) _Success_(return == TRUE)
BOOL BOOL
WINAPI WINAPI
CryptRetrieveObjectByUrlA ( CryptRetrieveObjectByUrlA (
_In_ LPCSTR pszUrl, _In_ LPCSTR pszUrl,
_In_opt_ LPCSTR pszObjectOid, _In_opt_ LPCSTR pszObjectOid,
_In_ DWORD dwRetrievalFlags, _In_ DWORD dwRetrievalFlags,
_In_ DWORD dwTimeout, // milliseconds _In_ DWORD dwTimeout, // milliseconds
_Outptr_ LPVOID* ppvObject, _Outptr_ LPVOID* ppvObject,
skipping to change at line 17257 skipping to change at line 17688
); );
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CryptUninstallCancelRetrieval( CryptUninstallCancelRetrieval(
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_Reserved_ void *pvReserved _Reserved_ void *pvReserved
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Desktop Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED)
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
CryptCancelAsyncRetrieval ( CryptCancelAsyncRetrieval (
_In_opt_ HCRYPTASYNC hAsyncRetrieval _In_opt_ HCRYPTASYNC hAsyncRetrieval
); );
// //
// Remote Object Async Retrieval parameters // Remote Object Async Retrieval parameters
// //
skipping to change at line 17299 skipping to change at line 17736
// This function is set on the async handle by a scheme provider that // This function is set on the async handle by a scheme provider that
// supports asynchronous retrieval // supports asynchronous retrieval
// //
#define CRYPT_PARAM_CANCEL_ASYNC_RETRIEVAL ((LPCSTR)2) #define CRYPT_PARAM_CANCEL_ASYNC_RETRIEVAL ((LPCSTR)2)
typedef BOOL (WINAPI *PFN_CANCEL_ASYNC_RETRIEVAL_FUNC) ( typedef BOOL (WINAPI *PFN_CANCEL_ASYNC_RETRIEVAL_FUNC) (
_In_opt_ HCRYPTASYNC hAsyncRetrieve _In_opt_ HCRYPTASYNC hAsyncRetrieve
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED) */
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
// //
// Get the locator for a CAPI object // Get the locator for a CAPI object
// //
#define CRYPT_GET_URL_FROM_PROPERTY 0x00000001 #define CRYPT_GET_URL_FROM_PROPERTY 0x00000001
#define CRYPT_GET_URL_FROM_EXTENSION 0x00000002 #define CRYPT_GET_URL_FROM_EXTENSION 0x00000002
#define CRYPT_GET_URL_FROM_UNAUTH_ATTRIBUTE 0x00000004 #define CRYPT_GET_URL_FROM_UNAUTH_ATTRIBUTE 0x00000004
#define CRYPT_GET_URL_FROM_AUTH_ATTRIBUTE 0x00000008 #define CRYPT_GET_URL_FROM_AUTH_ATTRIBUTE 0x00000008
typedef struct _CRYPT_URL_ARRAY { typedef struct _CRYPT_URL_ARRAY {
skipping to change at line 17468 skipping to change at line 17910
#define URL_OID_CERTIFICATE_CRL_DIST_POINT_AND_OCSP ((LPCSTR)11) #define URL_OID_CERTIFICATE_CRL_DIST_POINT_AND_OCSP ((LPCSTR)11)
#define URL_OID_CROSS_CERT_SUBJECT_INFO_ACCESS ((LPCSTR)12) #define URL_OID_CROSS_CERT_SUBJECT_INFO_ACCESS ((LPCSTR)12)
#define URL_OID_CERTIFICATE_ONLY_OCSP ((LPCSTR)13) #define URL_OID_CERTIFICATE_ONLY_OCSP ((LPCSTR)13)
typedef struct _CERT_CRL_CONTEXT_PAIR { typedef struct _CERT_CRL_CONTEXT_PAIR {
PCCERT_CONTEXT pCertContext; PCCERT_CONTEXT pCertContext;
PCCRL_CONTEXT pCrlContext; PCCRL_CONTEXT pCrlContext;
} CERT_CRL_CONTEXT_PAIR, *PCERT_CRL_CONTEXT_PAIR; } CERT_CRL_CONTEXT_PAIR, *PCERT_CRL_CONTEXT_PAIR;
typedef const CERT_CRL_CONTEXT_PAIR *PCCERT_CRL_CONTEXT_PAIR; typedef const CERT_CRL_CONTEXT_PAIR *PCCERT_CRL_CONTEXT_PAIR;
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Desktop Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED)
// //
// Get a time valid CAPI2 object // Get a time valid CAPI2 object
// //
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// The following optional Extra Info may be passed to // The following optional Extra Info may be passed to
// CryptGetTimeValidObject(). // CryptGetTimeValidObject().
// //
// All unused fields in this data structure must be zeroed. More fields // All unused fields in this data structure must be zeroed. More fields
// could be added in a future release. // could be added in a future release.
skipping to change at line 17607 skipping to change at line 18055
// freshest CRL to flush // freshest CRL to flush
// //
#define TIME_VALID_OID_FLUSH_CTL ((LPCSTR)1) #define TIME_VALID_OID_FLUSH_CTL ((LPCSTR)1)
#define TIME_VALID_OID_FLUSH_CRL ((LPCSTR)2) #define TIME_VALID_OID_FLUSH_CRL ((LPCSTR)2)
#define TIME_VALID_OID_FLUSH_CRL_FROM_CERT ((LPCSTR)3) #define TIME_VALID_OID_FLUSH_CRL_FROM_CERT ((LPCSTR)3)
#define TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CERT ((LPCSTR)4) #define TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CERT ((LPCSTR)4)
#define TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CRL ((LPCSTR)5) #define TIME_VALID_OID_FLUSH_FRESHEST_CRL_FROM_CRL ((LPCSTR)5)
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
//+========================================================================= //+=========================================================================
// Helper functions to build certificates // Helper functions to build certificates
//========================================================================== //==========================================================================
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// //
// Builds a self-signed certificate and returns a PCCERT_CONTEXT representing // Builds a self-signed certificate and returns a PCCERT_CONTEXT representing
// the certificate. A hProv may be specified to build the cert context. // the certificate. A hProv may be specified to build the cert context.
// //
// pSubjectIssuerBlob is the DN for the certifcate. If an alternate subject // pSubjectIssuerBlob is the DN for the certifcate. If an alternate subject
skipping to change at line 17640 skipping to change at line 18094
// pEntensions will be empty. // pEntensions will be empty.
// //
// The returned PCCERT_CONTEXT will reference the private keys by setting the // The returned PCCERT_CONTEXT will reference the private keys by setting the
// CERT_KEY_PROV_INFO_PROP_ID. However, if this property is not desired specify the // CERT_KEY_PROV_INFO_PROP_ID. However, if this property is not desired specify the
// CERT_CREATE_SELFSIGN_NO_KEY_INFO in dwFlags. // CERT_CREATE_SELFSIGN_NO_KEY_INFO in dwFlags.
// //
// If the cert being built is only a dummy placeholder cert for speed it may not // If the cert being built is only a dummy placeholder cert for speed it may not
// need to be signed. Signing of the cert is skipped if CERT_CREATE_SELFSIGN_NO_ SIGN // need to be signed. Signing of the cert is skipped if CERT_CREATE_SELFSIGN_NO_ SIGN
// is specified in dwFlags. // is specified in dwFlags.
// //
// Following flags can be passed to CertCreateSelfSignCertificate which will be
// directly passed to CryptExportPublicKeyInfo to indicate the preference of
// putting ECC Curve OID vs ECC Curve Parameters in Cert's Public Key informatio
n's
// algorithm section:
// CRYPT_OID_USE_CURVE_NAME_FOR_ENCODE_FLAG
// CRYPT_OID_USE_CURVE_PARAMETERS_FOR_ENCODE_FLAG
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
PCCERT_CONTEXT PCCERT_CONTEXT
WINAPI WINAPI
CertCreateSelfSignCertificate( CertCreateSelfSignCertificate(
_In_opt_ HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, _In_opt_ HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey,
_In_ PCERT_NAME_BLOB pSubjectIssuerBlob, _In_ PCERT_NAME_BLOB pSubjectIssuerBlob,
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_In_opt_ PCRYPT_KEY_PROV_INFO pKeyProvInfo, _In_opt_ PCRYPT_KEY_PROV_INFO pKeyProvInfo,
_In_opt_ PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, _In_opt_ PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
_In_opt_ PSYSTEMTIME pStartTime, _In_opt_ PSYSTEMTIME pStartTime,
_In_opt_ PSYSTEMTIME pEndTime, _In_opt_ PSYSTEMTIME pEndTime,
_In_opt_ PCERT_EXTENSIONS pExtensions _In_opt_ PCERT_EXTENSIONS pExtensions
); );
#define CERT_CREATE_SELFSIGN_NO_SIGN 1 #define CERT_CREATE_SELFSIGN_NO_SIGN 1
#define CERT_CREATE_SELFSIGN_NO_KEY_INFO 2 #define CERT_CREATE_SELFSIGN_NO_KEY_INFO 2
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+========================================================================= //+=========================================================================
// Key Identifier Property Data Structures and APIs // Key Identifier Property Data Structures and APIs
//========================================================================== //==========================================================================
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Get the property for the specified Key Identifier. // Get the property for the specified Key Identifier.
// //
// The Key Identifier is the SHA1 hash of the encoded CERT_PUBLIC_KEY_INFO. // The Key Identifier is the SHA1 hash of the encoded CERT_PUBLIC_KEY_INFO.
// The Key Identifier for a certificate can be obtained by getting the // The Key Identifier for a certificate can be obtained by getting the
// certificate's CERT_KEY_IDENTIFIER_PROP_ID. The // certificate's CERT_KEY_IDENTIFIER_PROP_ID. The
skipping to change at line 17820 skipping to change at line 18286
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_Reserved_ void *pvReserved, _Reserved_ void *pvReserved,
_Out_writes_bytes_to_opt_(*pcbHash, *pcbHash) BYTE *pbHash, _Out_writes_bytes_to_opt_(*pcbHash, *pcbHash) BYTE *pbHash,
_Inout_ DWORD *pcbHash _Inout_ DWORD *pcbHash
); );
//+========================================================================= //+=========================================================================
// Certificate Chaining Infrastructure // Certificate Chaining Infrastructure
//========================================================================== //==========================================================================
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
#define CERT_CHAIN_CONFIG_REGPATH \ #define CERT_CHAIN_CONFIG_REGPATH \
L"Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCerti ficateChainEngine\\Config" L"Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCerti ficateChainEngine\\Config"
// max size of the cryptographic object to download, in bytes // max size of the cryptographic object to download, in bytes
// NOTE: AIA has different configuration // NOTE: AIA has different configuration
#define CERT_CHAIN_MAX_URL_RETRIEVAL_BYTE_COUNT_VALUE_NAME \ #define CERT_CHAIN_MAX_URL_RETRIEVAL_BYTE_COUNT_VALUE_NAME \
L"MaxUrlRetrievalByteCount" L"MaxUrlRetrievalByteCount"
#define CERT_CHAIN_MAX_URL_RETRIEVAL_BYTE_COUNT_DEFAULT (100*1024*1024) #define CERT_CHAIN_MAX_URL_RETRIEVAL_BYTE_COUNT_DEFAULT (100*1024*1024)
// The following is a REG_BINARY. It contains the cache resync FILETIME. // The following is a REG_BINARY. It contains the cache resync FILETIME.
skipping to change at line 17882 skipping to change at line 18354
L"MaxAIAUrlRetrievalCertCount" L"MaxAIAUrlRetrievalCertCount"
#define CERT_CHAIN_MAX_AIA_URL_RETRIEVAL_CERT_COUNT_DEFAULT 10 #define CERT_CHAIN_MAX_AIA_URL_RETRIEVAL_CERT_COUNT_DEFAULT 10
// The following is a REG_DWORD. If the OCSP response NextUpdate is zero, // The following is a REG_DWORD. If the OCSP response NextUpdate is zero,
// this value is added to the ThisUpdate to get a nonzero NextUpdate. // this value is added to the ThisUpdate to get a nonzero NextUpdate.
#define CERT_CHAIN_OCSP_VALIDITY_SECONDS_VALUE_NAME \ #define CERT_CHAIN_OCSP_VALIDITY_SECONDS_VALUE_NAME \
L"OcspValiditySeconds" L"OcspValiditySeconds"
// 12 hours // 12 hours
#define CERT_CHAIN_OCSP_VALIDITY_SECONDS_DEFAULT (12 * 60 * 60) #define CERT_CHAIN_OCSP_VALIDITY_SECONDS_DEFAULT (12 * 60 * 60)
// The following is a REG_DWORD. It can be set to a nonzero value to disable
// the use of the Serial Chain optimization for SSL ServerAuth chains. This
// value is queried in each process on the first CertGetCertificateChain call
// where the CERT_SERIAL_CHAIN_PROP_ID property is set.
#define CERT_CHAIN_DISABLE_SERIAL_CHAIN_VALUE_NAME \
L"DisableSerialChain"
// The following is a REG_SZ containing the name of the file to log
// Serial Chain errors.
// The file's directory must already exist. If the file already
// exists, events are appended. Otherwise, the file is created.
// The directory/file should be ACL'ed so all processes and users have
// write access.
#define CERT_CHAIN_SERIAL_CHAIN_LOG_FILE_NAME_VALUE_NAME \
L"SerialChainLogFileName"
// The following is a REG_DWORD. It can be set to a nonzero value to disable
// using SSL handshakes as a source of time. Will also disable the above
// Serial Chain optimization. Value is queried once on the first SSL
// handshake in the lsass.exe process.
#define CERT_CHAIN_DISABLE_SYNC_WITH_SSL_TIME_VALUE_NAME \
L"DisableSyncWithSslTime"
// The following is a REG_DWORD that specifies the maximum number of
// "SslTimeUpdated" events to be uploaded after boot or when the
// current time is synch'ed with SSL time. If not defined or a value of
// 0, uses the default value.
#define CERT_CHAIN_MAX_SSL_TIME_UPDATED_EVENT_COUNT_VALUE_NAME \
L"MaxSslTimeUpdatedEventCount"
#define CERT_CHAIN_MAX_SSL_TIME_UPDATED_EVENT_COUNT_DEFAULT 256
// The following value disables uploading "SslTimeUpdated" events
#define CERT_CHAIN_MAX_SSL_TIME_UPDATED_EVENT_COUNT_DISABLE 0xFFFFFFFF
// The following is a REG_SZ containing the name of the file to log
// SSL handshakes that were processed.
// The file's directory must already exist. If the file already
// exists, events are appended. Otherwise, the file is created.
#define CERT_CHAIN_SSL_HANDSHAKE_LOG_FILE_NAME_VALUE_NAME \
L"SslHandshakeLogFileName"
// The following is a REG_DWORD. Flags can be set to enable weak // The following is a REG_DWORD. Flags can be set to enable weak
// signature hash algorithms and/or weak public key lengths that // signature hash algorithms and/or weak public key lengths that
// are disabled by default. Also, has flags to enable logging of weak // are disabled by default. Also, has flags to enable logging of weak
// certificates. // certificates.
// //
#define CERT_CHAIN_ENABLE_WEAK_SIGNATURE_FLAGS_VALUE_NAME \ #define CERT_CHAIN_ENABLE_WEAK_SIGNATURE_FLAGS_VALUE_NAME \
L"EnableWeakSignatureFlags" L"EnableWeakSignatureFlags"
// The following flag is set to enable MD2 or MD4 hashes that are // The following flag is set to enable MD2 or MD4 hashes that are
// disabled by default. If none, code signing, driver signing // disabled by default. If none, code signing, driver signing
skipping to change at line 17960 skipping to change at line 18473
#define CERT_CHAIN_DEFAULT_CONFIG_SUBDIR L"Default" #define CERT_CHAIN_DEFAULT_CONFIG_SUBDIR L"Default"
// //
// The registry values will have the following name syntax: // The registry values will have the following name syntax:
// "Weak"<CryptoAlg><ConfigType><ValueType> // "Weak"<CryptoAlg><ConfigType><ValueType>
// //
// Where: // Where:
// - <CryptoAlg> can be: "Md5", "Sha1", "Rsa", "Dsa" or "Ecdsa" // - <CryptoAlg> can be: "Md5", "Sha1", "Rsa", "Dsa" or "Ecdsa"
// - <ConfigType> can be: "ThirdParty" or "All" // - <ConfigType> can be: "ThirdParty" or "All"
// - <ValueType> can be: "Flags", "Hygiene", "MinBitLength", "AfterTime" or // - <ValueType> can be: "Flags", "Hygiene", "MinBitLength", "AfterTime",
// "Sha256Allow" // "FileHashAfterTime "TimestampHashAfterTime" or "Sha256Allow"
// - "Hygiene" is only applicable to hash algorithms // - "Hygiene" is only applicable to hash algorithms
// - "FileHashAfterTime" and "TimestampHashAfterTime" are only applicable
// to hash algorithms. These times can be in the future.
// - "MinBitLengh" is only applicable to key algorithms // - "MinBitLengh" is only applicable to key algorithms
// - <CryptoAlg>, <ConfigType> and <ValueType> will be present in all names. // - <CryptoAlg>, <ConfigType> and <ValueType> will be present in all names.
// //
// //
// For example, all possible registry value names for Md5: // For example, all possible registry value names for Md5:
// WeakMd5ThirdPartyFlags // WeakMd5ThirdPartyFlags
// WeakMd5AllFlags // WeakMd5AllFlags
// WeakMd5ThirdPartyHygiene // WeakMd5ThirdPartyHygiene
// WeakMd5AllHygiene // WeakMd5AllHygiene
// WeakMd5ThirdPartyAfterTime // WeakMd5ThirdPartyAfterTime
// WeakMd5AllAfterTime // WeakMd5AllAfterTime
// WeakMd5ThirdPartyFileHashAfterTime
// WeakMd5AllFileHashAfterTime
// WeakMd5ThirdPartyTimestampHashAfterTime
// WeakMd5AllTimestampHashAfterTime
// WeakMd5ThirdPartySha256Allow // WeakMd5ThirdPartySha256Allow
// WeakMd5AllSha256Allow // WeakMd5AllSha256Allow
// //
// For example, all possible registry value names for Rsa: // For example, all possible registry value names for Rsa:
// WeakRsaThirdPartyFlags // WeakRsaThirdPartyFlags
// WeakRsaAllFlags // WeakRsaAllFlags
// WeakRsaThirdPartyAfterTime // WeakRsaThirdPartyAfterTime
// WeakRsaAllAfterTime // WeakRsaAllAfterTime
// WeakRsaThirdPartyMinBitLength // WeakRsaThirdPartyMinBitLength
// WeakRsaAllMinBitLength // WeakRsaAllMinBitLength
skipping to change at line 18008 skipping to change at line 18527
// - The hygiene checks are skipped if the hash algorithm has been disabled. // - The hygiene checks are skipped if the hash algorithm has been disabled.
// - "Weak"<KeyCryptoAlg><ConfigType>"MinBitLength" // - "Weak"<KeyCryptoAlg><ConfigType>"MinBitLength"
// - REG_DWORD // - REG_DWORD
// - This value specifies the minimum public key length in bits. // - This value specifies the minimum public key length in bits.
// - "Weak"<CryptoAlg><ConfigType>"AfterTime" // - "Weak"<CryptoAlg><ConfigType>"AfterTime"
// - REG_BINARY // - REG_BINARY
// - This value contains an 8 byte FILETIME. The weak crypto algorithm // - This value contains an 8 byte FILETIME. The weak crypto algorithm
// check is disabled for time stamped files before this time. // check is disabled for time stamped files before this time.
// - This configuration value isn't applicable to timestamp chains. // - This configuration value isn't applicable to timestamp chains.
// - This configuration value isn't applicable to hygiene checks. // - This configuration value isn't applicable to hygiene checks.
// - If this time is after the CurrentTime, then, the CurrentTime is used.
// - "Weak"<CryptoAlg><ConfigType>"FileHashAfterTime"
// - REG_BINARY
// - This value contains an 8 byte FILETIME. The file hash weak crypto
// algorithm check is disabled for time stamped files before this time.
// This can be set to a date/time in the future.
// - Only applicable to the API: CertIsWeakHash.
// - "Weak"<CryptoAlg><ConfigType>"TimestampHashAfterTime"
// - REG_BINARY
// - This value contains an 8 byte FILETIME. The timestamp hash weak crypto
// algorithm check is disabled before this time is reached. This can be
// set to a date/time in the future.
// - Only applicable to the API: CertIsWeakHash.
// - "Weak"<CryptoAlg><ConfigType>"Sha256Allow" // - "Weak"<CryptoAlg><ConfigType>"Sha256Allow"
// - REG_SZ or REG_MULTI_SZ // - REG_SZ or REG_MULTI_SZ
// - This value contains the list of certificate SHA256 thumbprints // - This value contains the list of certificate SHA256 thumbprints
// (ASCII_HEX formatted) identifying weak certificates to be explicitly // (ASCII_HEX formatted) identifying weak certificates to be explicitly
// allowed. Non ASCII_HEX characters in the string are skipped. // allowed. Non ASCII_HEX characters in the string are skipped.
// This allows embedded spaces. // This allows embedded spaces.
// - The resultant set used for either "Weak"<CryptoAlg>"ThirdParty" or // - The resultant set used for either "Weak"<CryptoAlg>"ThirdParty" or
// "Weak"<CryptoAlg>"All" is the union of: // "Weak"<CryptoAlg>"All" is the union of:
// - Default and Administrator // - Default and Administrator
// - "ThirdParty" and "All" // - "ThirdParty" and "All"
// //
#define CERT_CHAIN_WEAK_PREFIX_NAME L"Weak" #define CERT_CHAIN_WEAK_PREFIX_NAME L"Weak"
#define CERT_CHAIN_WEAK_THIRD_PARTY_CONFIG_NAME L"ThirdParty" #define CERT_CHAIN_WEAK_THIRD_PARTY_CONFIG_NAME L"ThirdParty"
#define CERT_CHAIN_WEAK_ALL_CONFIG_NAME L"All" #define CERT_CHAIN_WEAK_ALL_CONFIG_NAME L"All"
#define CERT_CHAIN_WEAK_FLAGS_NAME L"Flags" #define CERT_CHAIN_WEAK_FLAGS_NAME L"Flags"
#define CERT_CHAIN_WEAK_HYGIENE_NAME L"Hygiene" #define CERT_CHAIN_WEAK_HYGIENE_NAME L"Hygiene"
#define CERT_CHAIN_WEAK_AFTER_TIME_NAME L"AfterTime" #define CERT_CHAIN_WEAK_AFTER_TIME_NAME L"AfterTime"
#define CERT_CHAIN_WEAK_MIN_BIT_LENGTH_NAME L"MinBitLength" #define CERT_CHAIN_WEAK_FILE_HASH_AFTER_TIME_NAME L"FileHashAfterTime"
#define CERT_CHAIN_WEAK_SHA256_ALLOW_NAME L"Sha256Allow" #define CERT_CHAIN_WEAK_TIMESTAMP_HASH_AFTER_TIME_NAME L"TimestampHashAfterTime
"
#define CERT_CHAIN_WEAK_MIN_BIT_LENGTH_NAME L"MinBitLength"
#define CERT_CHAIN_WEAK_SHA256_ALLOW_NAME L"Sha256Allow"
// The following value disables checking for weak public key lengths. // The following value disables checking for weak public key lengths.
#define CERT_CHAIN_MIN_PUB_KEY_BIT_LENGTH_DISABLE \ #define CERT_CHAIN_MIN_PUB_KEY_BIT_LENGTH_DISABLE \
0xFFFFFFFF 0xFFFFFFFF
// The following flags can be set in the above // The following flags can be set in the above
// "Weak"<CryptoAlg><ConfigType>"Flags" // "Weak"<CryptoAlg><ConfigType>"Flags"
// If the following flag isn't set, then all other flags and registry values // If the following flag isn't set, then all other flags and registry values
// are ignored for this "Weak"<CryptoAlg><ConfigType>. // are ignored for this "Weak"<CryptoAlg><ConfigType>.
skipping to change at line 18128 skipping to change at line 18662
// Mark-Of-The-Web (CERT_CHAIN_HAS_MOTW) // Mark-Of-The-Web (CERT_CHAIN_HAS_MOTW)
#define CERT_CHAIN_MOTW_IGNORE_AFTER_TIME_WEAK_FLAG 0x40000000 #define CERT_CHAIN_MOTW_IGNORE_AFTER_TIME_WEAK_FLAG 0x40000000
// If the hash algorithm is disabled, then, the hygiene check will be skipped. // If the hash algorithm is disabled, then, the hygiene check will be skipped.
// The hygiene flags are only applicable to hash algorithms. // The hygiene flags are only applicable to hash algorithms.
// If no EKU flags are set, then, weak crypto isn't enforced for the // If no EKU flags are set, then, weak crypto isn't enforced for the
// "Weak"<CryptoAlg><ConfigType>. This allows the administrator to always // "Weak"<CryptoAlg><ConfigType>. This allows the administrator to always
// ignore the Default OS/Windows Update settings. // ignore the Default OS/Windows Update settings.
// This flag disables for file hashes. Only applicable to CertIsWeakHash()
// API.
#define CERT_CHAIN_DISABLE_FILE_HASH_WEAK_FLAG 0x00001000
// This flag disables for file hashes. Only applicable when CertIsWeakHash()
// API is called with the Mark-Of-The-Web (CERT_CHAIN_HAS_MOTW)
#define CERT_CHAIN_DISABLE_MOTW_FILE_HASH_WEAK_FLAG 0x00002000
// This flag disables for timestamp hashes. Only applicable to CertIsWeakHash()
// API.
#define CERT_CHAIN_DISABLE_TIMESTAMP_HASH_WEAK_FLAG 0x00004000
// This flag disables for timestamp hashes. Only applicable when CertIsWeakHash(
)
// API is called with the Mark-Of-The-Web (CERT_CHAIN_HAS_MOTW)
#define CERT_CHAIN_DISABLE_MOTW_TIMESTAMP_HASH_WEAK_FLAG 0x00008000
#define CERT_CHAIN_DISABLE_WEAK_FLAGS ( \ #define CERT_CHAIN_DISABLE_WEAK_FLAGS ( \
CERT_CHAIN_DISABLE_ALL_EKU_WEAK_FLAG | \ CERT_CHAIN_DISABLE_ALL_EKU_WEAK_FLAG | \
CERT_CHAIN_DISABLE_SERVER_AUTH_WEAK_FLAG | \ CERT_CHAIN_DISABLE_SERVER_AUTH_WEAK_FLAG | \
CERT_CHAIN_DISABLE_CODE_SIGNING_WEAK_FLAG | \ CERT_CHAIN_DISABLE_CODE_SIGNING_WEAK_FLAG | \
CERT_CHAIN_DISABLE_MOTW_CODE_SIGNING_WEAK_FLAG | \ CERT_CHAIN_DISABLE_MOTW_CODE_SIGNING_WEAK_FLAG | \
CERT_CHAIN_DISABLE_TIMESTAMP_WEAK_FLAG | \ CERT_CHAIN_DISABLE_TIMESTAMP_WEAK_FLAG | \
CERT_CHAIN_DISABLE_MOTW_TIMESTAMP_WEAK_FLAG ) CERT_CHAIN_DISABLE_MOTW_TIMESTAMP_WEAK_FLAG )
#define CERT_CHAIN_DISABLE_FILE_HASH_WEAK_FLAGS ( \
CERT_CHAIN_DISABLE_FILE_HASH_WEAK_FLAG | \
CERT_CHAIN_DISABLE_MOTW_FILE_HASH_WEAK_FLAG )
#define CERT_CHAIN_DISABLE_TIMESTAMP_HASH_WEAK_FLAGS ( \
CERT_CHAIN_DISABLE_TIMESTAMP_HASH_WEAK_FLAG | \
CERT_CHAIN_DISABLE_MOTW_TIMESTAMP_HASH_WEAK_FLAG )
#define CERT_CHAIN_ENABLE_HYGIENE_FLAGS ( \ #define CERT_CHAIN_ENABLE_HYGIENE_FLAGS ( \
CERT_CHAIN_ENABLE_ALL_EKU_HYGIENE_FLAG | \ CERT_CHAIN_ENABLE_ALL_EKU_HYGIENE_FLAG | \
CERT_CHAIN_ENABLE_SERVER_AUTH_HYGIENE_FLAG | \ CERT_CHAIN_ENABLE_SERVER_AUTH_HYGIENE_FLAG | \
CERT_CHAIN_ENABLE_CODE_SIGNING_HYGIENE_FLAG | \ CERT_CHAIN_ENABLE_CODE_SIGNING_HYGIENE_FLAG | \
CERT_CHAIN_ENABLE_MOTW_CODE_SIGNING_HYGIENE_FLAG | \ CERT_CHAIN_ENABLE_MOTW_CODE_SIGNING_HYGIENE_FLAG | \
CERT_CHAIN_ENABLE_TIMESTAMP_HYGIENE_FLAG | \ CERT_CHAIN_ENABLE_TIMESTAMP_HYGIENE_FLAG | \
CERT_CHAIN_ENABLE_MOTW_TIMESTAMP_HYGIENE_FLAG ) CERT_CHAIN_ENABLE_MOTW_TIMESTAMP_HYGIENE_FLAG )
#define CERT_CHAIN_MOTW_WEAK_FLAGS ( \ #define CERT_CHAIN_MOTW_WEAK_FLAGS ( \
CERT_CHAIN_DISABLE_MOTW_CODE_SIGNING_WEAK_FLAG | \ CERT_CHAIN_DISABLE_MOTW_CODE_SIGNING_WEAK_FLAG | \
CERT_CHAIN_DISABLE_MOTW_TIMESTAMP_WEAK_FLAG | \ CERT_CHAIN_DISABLE_MOTW_TIMESTAMP_WEAK_FLAG | \
CERT_CHAIN_ENABLE_MOTW_CODE_SIGNING_HYGIENE_FLAG | \ CERT_CHAIN_ENABLE_MOTW_CODE_SIGNING_HYGIENE_FLAG | \
CERT_CHAIN_ENABLE_MOTW_TIMESTAMP_HYGIENE_FLAG | \ CERT_CHAIN_ENABLE_MOTW_TIMESTAMP_HYGIENE_FLAG | \
CERT_CHAIN_MOTW_IGNORE_AFTER_TIME_WEAK_FLAG) CERT_CHAIN_MOTW_IGNORE_AFTER_TIME_WEAK_FLAG)
//+=========================================================================
//
// Certificate Chain Engine Auto Flush Registry Configuration
//
//==========================================================================
//
// The following registry values are under the
// CERT_CHAIN_CONFIG_REGPATH defined above.
//
//
// Types of certificate chain engine auto create and flush events
//
#define CERT_CHAIN_AUTO_CURRENT_USER 1
#define CERT_CHAIN_AUTO_LOCAL_MACHINE 2
#define CERT_CHAIN_AUTO_IMPERSONATED 3
#define CERT_CHAIN_AUTO_PROCESS_INFO 4
#define CERT_CHAIN_AUTO_PINRULE_INFO 5
#define CERT_CHAIN_AUTO_NETWORK_INFO 6
#define CERT_CHAIN_AUTO_SERIAL_LOCAL_MACHINE 7
// The following is a REG_DWORD that can be set to disable
// auto flush or enable the logging of auto create, free or
// flush events. By default, auto flush is enabled without
// any logging.
#define CERT_CHAIN_AUTO_FLAGS_VALUE_NAME \
L"AutoFlags"
#define CERT_CHAIN_AUTO_FLUSH_DISABLE_FLAG 0x00000001
#define CERT_CHAIN_AUTO_LOG_CREATE_FLAG 0x00000002
#define CERT_CHAIN_AUTO_LOG_FREE_FLAG 0x00000004
#define CERT_CHAIN_AUTO_LOG_FLUSH_FLAG 0x00000008
#define CERT_CHAIN_AUTO_LOG_FLAGS ( \
CERT_CHAIN_AUTO_LOG_CREATE_FLAG | \
CERT_CHAIN_AUTO_LOG_FREE_FLAG | \
CERT_CHAIN_AUTO_LOG_FLUSH_FLAG )
// The following are REG_DWORDs. If the registry value doesn't exist or
// is set to zero, then, the DEFAULT is used.
// This is the delta time in seconds to set the first timeout.
// At the first timeout we set the initial next timeout.
#define CERT_CHAIN_AUTO_FLUSH_FIRST_DELTA_SECONDS_VALUE_NAME \
L"AutoFlushFirstDeltaSeconds"
// 5 Minutes
#define CERT_CHAIN_AUTO_FLUSH_FIRST_DELTA_SECONDS_DEFAULT \
(5 * 60)
// This is the delta time in seconds to set the next timeouts.
// For each next timeout, we check if there was any chain
// engine usage (such as CertGetCertificateChain) since
// the last timeout. Auto flush is triggered if there wasn't
// any usage. Otherwise, we set the next timeout to this delta time.
#define CERT_CHAIN_AUTO_FLUSH_NEXT_DELTA_SECONDS_VALUE_NAME \
L"AutoFlushNextDeltaSeconds"
// 30 Minutes
#define CERT_CHAIN_AUTO_FLUSH_NEXT_DELTA_SECONDS_DEFAULT \
(30 * 60)
// The following is REG_SZ containing the name of the file to log
// the certificate chain engine auto events to.
// The file's directory must already exist. If the file already
// exists, events are appended. Otherwise, the file is created.
// The directory/file should be ACL'ed so all processes and users have
// write access.
#define CERT_CHAIN_AUTO_LOG_FILE_NAME_VALUE_NAME \
L"AutoLogFileName"
// The following is REG_MULTI_SZ containing the list of
// process names to disable auto flush for.
//
// Auto flush is always disabled for the lsass.exe process. It doesn't need
// to be in the following registry value list.
#define CERT_CHAIN_DISABLE_AUTO_FLUSH_PROCESS_NAME_LIST_VALUE_NAME \
L"DisableAutoFlushProcessNameList"
// The following are REG_DWORD's. These configuration parameters are // The following are REG_DWORD's. These configuration parameters are
// used by the following APIs to get a non-blocking, time valid OCSP // used by the following APIs to get a non-blocking, time valid OCSP
// response for a server certificate chain: // response for a server certificate chain:
// CertOpenServerOcspResponse // CertOpenServerOcspResponse
// CertAddRefServerOcspResponse // CertAddRefServerOcspResponse
// CertCloseServerOcspResponse // CertCloseServerOcspResponse
// CertGetServerOcspResponseContext // CertGetServerOcspResponseContext
// CertAddRefServerOcspResponseContext // CertAddRefServerOcspResponseContext
// CertFreeServerOcspResponseContext // CertFreeServerOcspResponseContext
skipping to change at line 18208 skipping to change at line 18847
// This is the minimum number of seconds to do a server OCSP response // This is the minimum number of seconds to do a server OCSP response
// pre-fetch retrieval after the OCSP response's NextUpdate when // pre-fetch retrieval after the OCSP response's NextUpdate when
// (NextUpdate - MinBeforeNextUpdateSeconds) < CurrentTime < NextUpdate. // (NextUpdate - MinBeforeNextUpdateSeconds) < CurrentTime < NextUpdate.
#define CERT_SRV_OCSP_RESP_MIN_AFTER_NEXT_UPDATE_SECONDS_VALUE_NAME\ #define CERT_SRV_OCSP_RESP_MIN_AFTER_NEXT_UPDATE_SECONDS_VALUE_NAME\
L"SrvOcspRespMinAfterNextUpdateSeconds" L"SrvOcspRespMinAfterNextUpdateSeconds"
// 1 minute // 1 minute
#define CERT_SRV_OCSP_RESP_MIN_AFTER_NEXT_UPDATE_SECONDS_DEFAULT \ #define CERT_SRV_OCSP_RESP_MIN_AFTER_NEXT_UPDATE_SECONDS_DEFAULT \
(1 * 60) (1 * 60)
// This is the minimum number of seconds between certificate directory
// update sync checks. Used by certutil.exe for the downloadOcsp option.
#define CERT_SRV_OCSP_RESP_MIN_SYNC_CERT_FILE_SECONDS_VALUE_NAME \
L"SrvOcspRespMinSyncCertFileSeconds"
// 5 seconds
#define CERT_SRV_OCSP_RESP_MIN_SYNC_CERT_FILE_SECONDS_DEFAULT \
5
// This is the maximum number of seconds between certificate directory
// update sync checks. Used by certutil.exe for the downloadOcsp option.
#define CERT_SRV_OCSP_RESP_MAX_SYNC_CERT_FILE_SECONDS_VALUE_NAME \
L"SrvOcspRespMaxSyncCertFileSeconds"
// 1 hour
#define CERT_SRV_OCSP_RESP_MAX_SYNC_CERT_FILE_SECONDS_DEFAULT \
(1 * 60 * 60)
// The following are REG_DWORD's. These configuration parameters are used // The following are REG_DWORD's. These configuration parameters are used
// in the ordering of the revocation retrieval URLs. // in the ordering of the revocation retrieval URLs.
// When the number of cached OCSP URLs associated with the same CDP extension // When the number of cached OCSP URLs associated with the same CDP extension
// equal or exceed this number, the OCSP AIA URLs aren't used. // equal or exceed this number, the OCSP AIA URLs aren't used.
#define CRYPTNET_MAX_CACHED_OCSP_PER_CRL_COUNT_VALUE_NAME \ #define CRYPTNET_MAX_CACHED_OCSP_PER_CRL_COUNT_VALUE_NAME \
L"CryptnetMaxCachedOcspPerCrlCount" L"CryptnetMaxCachedOcspPerCrlCount"
#define CRYPTNET_MAX_CACHED_OCSP_PER_CRL_COUNT_DEFAULT \ #define CRYPTNET_MAX_CACHED_OCSP_PER_CRL_COUNT_DEFAULT \
500 500
skipping to change at line 18372 skipping to change at line 19027
// The above registry value can be set to this value, to disable the // The above registry value can be set to this value, to disable the
// sending of trigger URL cache PreFetch LRPC messages. Note, a registry // sending of trigger URL cache PreFetch LRPC messages. Note, a registry
// value of 0, uses the above default value. // value of 0, uses the above default value.
#define CRYPTNET_PRE_FETCH_TRIGGER_DISABLE \ #define CRYPTNET_PRE_FETCH_TRIGGER_DISABLE \
0xFFFFFFFF 0xFFFFFFFF
// Following parameter specifies the delay time to wait to scan the // Following parameter specifies the delay time to wait to scan the
// URL cache directory after receiving a trigger LRPC message request. // URL cache directory after receiving a trigger LRPC message request.
#define CRYPTNET_PRE_FETCH_SCAN_AFTER_TRIGGER_DELAY_SECONDS_VALUE_NAME \ #define CRYPTNET_PRE_FETCH_SCAN_AFTER_TRIGGER_DELAY_SECONDS_VALUE_NAME \
L"CryptnetPreFetchScanAfterTriggerDelaySeconds" L"CryptnetPreFetchScanAfterTriggerDelaySeconds"
// 30 seconds // 60 seconds
#define CRYPTNET_PRE_FETCH_SCAN_AFTER_TRIGGER_DELAY_SECONDS_DEFAULT \ #define CRYPTNET_PRE_FETCH_SCAN_AFTER_TRIGGER_DELAY_SECONDS_DEFAULT \
30 60
// Following parameter specifies the maximum amount of time to wait for any // Following parameter specifies the maximum amount of time to wait for any
// PreFetch retrieval to complete // PreFetch retrieval to complete
#define CRYPTNET_PRE_FETCH_RETRIEVAL_TIMEOUT_SECONDS_VALUE_NAME \ #define CRYPTNET_PRE_FETCH_RETRIEVAL_TIMEOUT_SECONDS_VALUE_NAME \
L"CryptnetPreFetchRetrievalTimeoutSeconds" L"CryptnetPreFetchRetrievalTimeoutSeconds"
// 5 minutes // 5 minutes
#define CRYPTNET_PRE_FETCH_RETRIEVAL_TIMEOUT_SECONDS_DEFAULT \ #define CRYPTNET_PRE_FETCH_RETRIEVAL_TIMEOUT_SECONDS_DEFAULT \
(5 * 60) (5 * 60)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Cryptnet in-process CRL PreFetch configuration
//--------------------------------------------------------------------------
#define CRYPTNET_CRL_PRE_FETCH_CONFIG_REGPATH \
CERT_CHAIN_CONFIG_REGPATH L"\\CrlPreFetch"
// The following is REG_MULTI_SZ containing the list of
// process names to enable PreFetching for
#define CRYPTNET_CRL_PRE_FETCH_PROCESS_NAME_LIST_VALUE_NAME \
L"ProcessNameList"
// The following is REG_MULTI_SZ containing the list of
// CRL Urls to be PreFetched. This should be the encoded format used
// in the certificate. Normally, the one with the %20 for the " " space
// character.
#define CRYPTNET_CRL_PRE_FETCH_URL_LIST_VALUE_NAME \
L"PreFetchUrlList"
// By default PreFetch information events are logged to the Windows
// Application Logs. The following REG_DWORD can be set to nonzero
// value to disable the logging.
#define CRYPTNET_CRL_PRE_FETCH_DISABLE_INFORMATION_EVENTS_VALUE_NAME \
L"DisableInformationEvents"
// The following is REG_SZ containing the name of the file to log verbose events
// to. The file's directory must already exist. If the file already
// exists, events are appended. Otherwise, the file is created.
// The directory/file should be ACL'ed so all processes and users have
// write access.
#define CRYPTNET_CRL_PRE_FETCH_LOG_FILE_NAME_VALUE_NAME \
L"LogFileName"
// The following are REG_DWORDs. If the registry value doesn't exist or
// is set to zero, then, the DEFAULT is used.
// Following parameter specifies the maximum amount of time to wait for any
// CRL PreFetch retrieval to complete
#define CRYPTNET_CRL_PRE_FETCH_TIMEOUT_SECONDS_VALUE_NAME \
L"TimeoutSeconds"
// 5 minutes
#define CRYPTNET_CRL_PRE_FETCH_TIMEOUT_SECONDS_DEFAULT \
(5 * 60)
// Following parameter specifies the max-age retrievals before the
// expected publish time. Setting to any value >= NextUpdate - ThisUpdate
// will disable. 5 minutes is the minimum.
#define CRYPTNET_CRL_PRE_FETCH_MAX_AGE_SECONDS_VALUE_NAME \
L"MaxAgeSeconds"
// 2 hours
#define CRYPTNET_CRL_PRE_FETCH_MAX_AGE_SECONDS_DEFAULT \
(2 * 60 * 60)
// 5 minutes
#define CRYPTNET_CRL_PRE_FETCH_MAX_AGE_SECONDS_MIN \
(5 * 60)
// Following parameter specifies the expected publish time before
// NextUpdate
#define CRYPTNET_CRL_PRE_FETCH_PUBLISH_BEFORE_NEXT_UPDATE_SECONDS_VALUE_NAME \
L"PublishBeforeNextUpdateSeconds"
// 1 hour
#define CRYPTNET_CRL_PRE_FETCH_PUBLISH_BEFORE_NEXT_UPDATE_SECONDS_DEFAULT \
(1 * 60 * 60)
// Following parameter specifies the interval to be randomized and
// subtracted from the expected publish time. Setting to any value
// >= publish time will disable randomization. Setting to 1
// will disable any randomization. Setting to 0 will use the DEFAULT.
#define CRYPTNET_CRL_PRE_FETCH_PUBLISH_RANDOM_INTERVAL_SECONDS_VALUE_NAME \
L"PublishRandomIntervalSeconds"
// 5 minutes
#define CRYPTNET_CRL_PRE_FETCH_PUBLISH_RANDOM_INTERVAL_SECONDS_DEFAULT \
(5 * 60)
// Following parameter specifies the minimum time before NextUpdate
#define CRYPTNET_CRL_PRE_FETCH_MIN_BEFORE_NEXT_UPDATE_SECONDS_VALUE_NAME \
L"MinBeforeNextUpdateSeconds"
// 5 minutes
#define CRYPTNET_CRL_PRE_FETCH_MIN_BEFORE_NEXT_UPDATE_SECONDS_DEFAULT \
(5 * 60)
// Following parameter specifies the minimum time after NextUpdate
#define CRYPTNET_CRL_PRE_FETCH_MIN_AFTER_NEXT_UPDATE_SECONDS_VALUE_NAME \
L"MinAfterNextUpdateSeconds"
// 5 minutes
#define CRYPTNET_CRL_PRE_FETCH_MIN_AFTER_NEXT_UPDATE_SECONDS_DEFAULT \
(5 * 60)
//+-------------------------------------------------------------------------
// The following configuration parameters are store in HKLM group policy // The following configuration parameters are store in HKLM group policy
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#define CERT_GROUP_POLICY_CHAIN_CONFIG_REGPATH \ #define CERT_GROUP_POLICY_CHAIN_CONFIG_REGPATH \
CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH L"\\ChainEngine\\Config" CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH L"\\ChainEngine\\Config"
// In Vista, the following have been moved from the above HKLM // In Vista, the following have been moved from the above HKLM
// configuration parameters: // configuration parameters:
// The following are REG_DWORD's. These configuration parameters are used // The following are REG_DWORD's. These configuration parameters are used
skipping to change at line 18484 skipping to change at line 19228
// is defined for the process which uses all default system stores e.g. // is defined for the process which uses all default system stores e.g.
// Root, CA, Trust, for chain building and caching. If an application // Root, CA, Trust, for chain building and caching. If an application
// wishes to define its own store namespace or have its own partitioned // wishes to define its own store namespace or have its own partitioned
// cache then it can create its own chain engine. It is advisable to create // cache then it can create its own chain engine. It is advisable to create
// a chain engine at application startup and use it throughout the lifetime // a chain engine at application startup and use it throughout the lifetime
// of the application in order to get optimal caching behavior // of the application in order to get optimal caching behavior
// //
typedef HANDLE HCERTCHAINENGINE; typedef HANDLE HCERTCHAINENGINE;
#define HCCE_CURRENT_USER ((HCERTCHAINENGINE)NULL) #define HCCE_CURRENT_USER ((HCERTCHAINENGINE)NULL)
#define HCCE_LOCAL_MACHINE ((HCERTCHAINENGINE)0x1) #define HCCE_LOCAL_MACHINE ((HCERTCHAINENGINE)0x1)
#define HCCE_SERIAL_LOCAL_MACHINE ((HCERTCHAINENGINE)0x2)
// //
// Create a certificate chain engine. // Create a certificate chain engine.
// //
// //
// Configuration parameters for the certificate chain engine // Configuration parameters for the certificate chain engine
// //
// hRestrictedRoot - restrict the root store (must be a subset of "Root") // hRestrictedRoot - restrict the root store (must be a subset of "Root")
// //
skipping to change at line 18710 skipping to change at line 19455
// These can be applied to certificates only // These can be applied to certificates only
#define CERT_TRUST_HAS_EXACT_MATCH_ISSUER 0x00000001 #define CERT_TRUST_HAS_EXACT_MATCH_ISSUER 0x00000001
#define CERT_TRUST_HAS_KEY_MATCH_ISSUER 0x00000002 #define CERT_TRUST_HAS_KEY_MATCH_ISSUER 0x00000002
#define CERT_TRUST_HAS_NAME_MATCH_ISSUER 0x00000004 #define CERT_TRUST_HAS_NAME_MATCH_ISSUER 0x00000004
#define CERT_TRUST_IS_SELF_SIGNED 0x00000008 #define CERT_TRUST_IS_SELF_SIGNED 0x00000008
#define CERT_TRUST_AUTO_UPDATE_CA_REVOCATION 0x00000010 #define CERT_TRUST_AUTO_UPDATE_CA_REVOCATION 0x00000010
#define CERT_TRUST_AUTO_UPDATE_END_REVOCATION 0x00000020 #define CERT_TRUST_AUTO_UPDATE_END_REVOCATION 0x00000020
#define CERT_TRUST_NO_OCSP_FAILOVER_TO_CRL 0x00000040 #define CERT_TRUST_NO_OCSP_FAILOVER_TO_CRL 0x00000040
#define CERT_TRUST_IS_KEY_ROLLOVER 0x00000080
#define CERT_TRUST_SSL_HANDSHAKE_OCSP 0x00040000
#define CERT_TRUST_SSL_TIME_VALID_OCSP 0x00080000
#define CERT_TRUST_SSL_RECONNECT_OCSP 0x00100000
// These can be applied to certificates and chains // These can be applied to certificates and chains
#define CERT_TRUST_HAS_PREFERRED_ISSUER 0x00000100 #define CERT_TRUST_HAS_PREFERRED_ISSUER 0x00000100
#define CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY 0x00000200 #define CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY 0x00000200
#define CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS 0x00000400 #define CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS 0x00000400
#define CERT_TRUST_IS_PEER_TRUSTED 0x00000800 #define CERT_TRUST_IS_PEER_TRUSTED 0x00000800
#define CERT_TRUST_HAS_CRL_VALIDITY_EXTENDED 0x00001000 #define CERT_TRUST_HAS_CRL_VALIDITY_EXTENDED 0x00001000
// Indicates that the certificate was found in // Indicates that the certificate was found in
skipping to change at line 18732 skipping to change at line 19481
#if (NTDDI_VERSION >= NTDDI_WIN8) #if (NTDDI_VERSION >= NTDDI_WIN8)
#define CERT_TRUST_IS_CA_TRUSTED 0x00004000 #define CERT_TRUST_IS_CA_TRUSTED 0x00004000
#define CERT_TRUST_HAS_AUTO_UPDATE_WEAK_SIGNATURE 0x00008000 #define CERT_TRUST_HAS_AUTO_UPDATE_WEAK_SIGNATURE 0x00008000
#define CERT_TRUST_HAS_ALLOW_WEAK_SIGNATURE 0x00020000 #define CERT_TRUST_HAS_ALLOW_WEAK_SIGNATURE 0x00020000
#endif #endif
// These can be applied to chains only // These can be applied to chains only
#define CERT_TRUST_IS_COMPLEX_CHAIN 0x00010000 #define CERT_TRUST_IS_COMPLEX_CHAIN 0x00010000
#define CERT_TRUST_SSL_TIME_VALID 0x01000000
#define CERT_TRUST_NO_TIME_CHECK 0x02000000
// //
// Each certificate context in a simple chain has a corresponding chain element // Each certificate context in a simple chain has a corresponding chain element
// in the simple chain context // in the simple chain context
// //
// dwErrorStatus has CERT_TRUST_IS_REVOKED, pRevocationInfo set // dwErrorStatus has CERT_TRUST_IS_REVOKED, pRevocationInfo set
// dwErrorStatus has CERT_TRUST_REVOCATION_STATUS_UNKNOWN, pRevocationInfo set // dwErrorStatus has CERT_TRUST_REVOCATION_STATUS_UNKNOWN, pRevocationInfo set
// //
// Note that the post processing revocation supported in the first // Note that the post processing revocation supported in the first
skipping to change at line 19032 skipping to change at line 19783
#define CERT_CHAIN_DISABLE_MD2_MD4 0x00001000 #define CERT_CHAIN_DISABLE_MD2_MD4 0x00001000
// The following flag can be set to explicitly disable AIA retrievals. // The following flag can be set to explicitly disable AIA retrievals.
// If can also be set in the chain engine dwFlags. // If can also be set in the chain engine dwFlags.
#define CERT_CHAIN_DISABLE_AIA 0x00002000 #define CERT_CHAIN_DISABLE_AIA 0x00002000
// The following flag should be set when verifying the certificate // The following flag should be set when verifying the certificate
// associated with a file having the Mark-Of-The-Web // associated with a file having the Mark-Of-The-Web
#define CERT_CHAIN_HAS_MOTW 0x00004000 #define CERT_CHAIN_HAS_MOTW 0x00004000
// Only use certificates from the Additional and AuthRoot stores.
// If disabled, AuthRoot trust is enabled for this call.
#define CERT_CHAIN_ONLY_ADDITIONAL_AND_AUTH_ROOT 0x00008000
WINCRYPT32API WINCRYPT32API
_Success_(return != FALSE) _Success_(return != FALSE)
BOOL BOOL
WINAPI WINAPI
CertGetCertificateChain ( CertGetCertificateChain (
_In_opt_ HCERTCHAINENGINE hChainEngine, _In_opt_ HCERTCHAINENGINE hChainEngine,
_In_ PCCERT_CONTEXT pCertContext, _In_ PCCERT_CONTEXT pCertContext,
_In_opt_ LPFILETIME pTime, _In_opt_ LPFILETIME pTime,
_In_opt_ HCERTSTORE hAdditionalStore, _In_opt_ HCERTSTORE hAdditionalStore,
_In_ PCERT_CHAIN_PARA pChainPara, _In_ PCERT_CHAIN_PARA pChainPara,
skipping to change at line 19115 skipping to change at line 19870
// //
typedef struct _CRL_REVOCATION_INFO { typedef struct _CRL_REVOCATION_INFO {
PCRL_ENTRY pCrlEntry; PCRL_ENTRY pCrlEntry;
PCCRL_CONTEXT pCrlContext; PCCRL_CONTEXT pCrlContext;
PCCERT_CHAIN_CONTEXT pCrlIssuerChain; PCCERT_CHAIN_CONTEXT pCrlIssuerChain;
} CRL_REVOCATION_INFO, *PCRL_REVOCATION_INFO; } CRL_REVOCATION_INFO, *PCRL_REVOCATION_INFO;
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Find the first or next certificate chain context in the store. // Find the first or next certificate chain context in the store.
// //
// The chain context is found according to the dwFindFlags, dwFindType and // The chain context is found according to the dwFindFlags, dwFindType and
// its pvFindPara. See below for a list of the find types and its parameters. // its pvFindPara. See below for a list of the find types and its parameters.
// //
// If the first or next chain context isn't found, NULL is returned. // If the first or next chain context isn't found, NULL is returned.
// Otherwise, a pointer to a read only CERT_CHAIN_CONTEXT is returned. // Otherwise, a pointer to a read only CERT_CHAIN_CONTEXT is returned.
// CERT_CHAIN_CONTEXT must be freed by calling CertFreeCertificateChain // CERT_CHAIN_CONTEXT must be freed by calling CertFreeCertificateChain
// or is freed when passed as the // or is freed when passed as the
skipping to change at line 19148 skipping to change at line 19909
WINAPI WINAPI
CertFindChainInStore( CertFindChainInStore(
_In_ HCERTSTORE hCertStore, _In_ HCERTSTORE hCertStore,
_In_ DWORD dwCertEncodingType, _In_ DWORD dwCertEncodingType,
_In_ DWORD dwFindFlags, _In_ DWORD dwFindFlags,
_In_ DWORD dwFindType, _In_ DWORD dwFindType,
_In_opt_ const void *pvFindPara, _In_opt_ const void *pvFindPara,
_In_opt_ PCCERT_CHAIN_CONTEXT pPrevChainContext _In_opt_ PCCERT_CHAIN_CONTEXT pPrevChainContext
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
#define CERT_CHAIN_FIND_BY_ISSUER 1 #define CERT_CHAIN_FIND_BY_ISSUER 1
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// CERT_CHAIN_FIND_BY_ISSUER // CERT_CHAIN_FIND_BY_ISSUER
// //
// Find a certificate chain having a private key for the end certificate and // Find a certificate chain having a private key for the end certificate and
// matching one of the given issuer names. A matching dwKeySpec and // matching one of the given issuer names. A matching dwKeySpec and
// enhanced key usage can also be specified. Additionally a callback can // enhanced key usage can also be specified. Additionally a callback can
// be provided for even more caller provided filtering before building the // be provided for even more caller provided filtering before building the
// chain. // chain.
skipping to change at line 19545 skipping to change at line 20312
// pPolicyPara is optional. However, // pPolicyPara is optional. However,
// MICROSOFT_ROOT_CERT_CHAIN_POLICY_ENABLE_TEST_ROOT_FLAG can be set in // MICROSOFT_ROOT_CERT_CHAIN_POLICY_ENABLE_TEST_ROOT_FLAG can be set in
// the dwFlags in pPolicyPara to also check for the Microsoft Test Roots. // the dwFlags in pPolicyPara to also check for the Microsoft Test Roots.
// //
// MICROSOFT_ROOT_CERT_CHAIN_POLICY_CHECK_APPLICATION_ROOT_FLAG can be set // MICROSOFT_ROOT_CERT_CHAIN_POLICY_CHECK_APPLICATION_ROOT_FLAG can be set
// in the dwFlags in pPolicyPara to check for the Microsoft root for // in the dwFlags in pPolicyPara to check for the Microsoft root for
// application signing instead of the Microsoft product root. This flag // application signing instead of the Microsoft product root. This flag
// explicitly checks for the application root only and cannot be combined // explicitly checks for the application root only and cannot be combined
// with the test root flag. // with the test root flag.
// //
// MICROSOFT_ROOT_CERT_CHAIN_POLICY_DISABLE_FLIGHT_ROOT_FLAG can be set
// in the dwFlags in pPolicyPara to always disable the Flight root.
//
// pvExtraPolicyPara and pvExtraPolicyStatus aren't used and must be set // pvExtraPolicyPara and pvExtraPolicyStatus aren't used and must be set
// to NULL. // to NULL.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#define MICROSOFT_ROOT_CERT_CHAIN_POLICY_ENABLE_TEST_ROOT_FLAG 0x00010000 #define MICROSOFT_ROOT_CERT_CHAIN_POLICY_ENABLE_TEST_ROOT_FLAG 0x00010000
#define MICROSOFT_ROOT_CERT_CHAIN_POLICY_CHECK_APPLICATION_ROOT_FLAG 0x00020000 #define MICROSOFT_ROOT_CERT_CHAIN_POLICY_CHECK_APPLICATION_ROOT_FLAG 0x00020000
#define MICROSOFT_ROOT_CERT_CHAIN_POLICY_DISABLE_FLIGHT_ROOT_FLAG 0x00040000
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// CERT_CHAIN_POLICY_EV // CERT_CHAIN_POLICY_EV
// //
// Verify the issuance policy in the end certificate of the first simple // Verify the issuance policy in the end certificate of the first simple
// chain matches with the root certificate EV policy. // chain matches with the root certificate EV policy.
// //
// pvExtraPolicyPara may optionally be set to point to the following // pvExtraPolicyPara may optionally be set to point to the following
// EV_EXTRA_CERT_CHAIN_POLICY_PARA. The dwRootProgramQualifierFlags member // EV_EXTRA_CERT_CHAIN_POLICY_PARA. The dwRootProgramQualifierFlags member
// can be set to one or more of the CERT_ROOT_PROGRAM_FLAG_* to define // can be set to one or more of the CERT_ROOT_PROGRAM_FLAG_* to define
skipping to change at line 19579 skipping to change at line 20350
DWORD dwRootProgramQualifierFlags; DWORD dwRootProgramQualifierFlags;
} EV_EXTRA_CERT_CHAIN_POLICY_PARA, } EV_EXTRA_CERT_CHAIN_POLICY_PARA,
*PEV_EXTRA_CERT_CHAIN_POLICY_PARA; *PEV_EXTRA_CERT_CHAIN_POLICY_PARA;
typedef struct _EV_EXTRA_CERT_CHAIN_POLICY_STATUS { typedef struct _EV_EXTRA_CERT_CHAIN_POLICY_STATUS {
DWORD cbSize; DWORD cbSize;
DWORD dwQualifiers; DWORD dwQualifiers;
DWORD dwIssuanceUsageIndex; DWORD dwIssuanceUsageIndex;
} EV_EXTRA_CERT_CHAIN_POLICY_STATUS, *PEV_EXTRA_CERT_CHAIN_POLICY_STATUS; } EV_EXTRA_CERT_CHAIN_POLICY_STATUS, *PEV_EXTRA_CERT_CHAIN_POLICY_STATUS;
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// convert formatted string to binary // convert formatted string to binary
// If cchString is 0, then pszString is NULL terminated and // If cchString is 0, then pszString is NULL terminated and
// cchString is obtained via strlen() + 1. // cchString is obtained via strlen() + 1.
// dwFlags defines string format // dwFlags defines string format
// if pbBinary is NULL, *pcbBinary returns the size of required memory // if pbBinary is NULL, *pcbBinary returns the size of required memory
// *pdwSkip returns the character count of skipped strings, optional // *pdwSkip returns the character count of skipped strings, optional
// *pdwFlags returns the actual format used in the conversion, optional // *pdwFlags returns the actual format used in the conversion, optional
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
_Success_(return)
WINCRYPT32STRINGAPI WINCRYPT32STRINGAPI
BOOL BOOL
WINAPI WINAPI
CryptStringToBinaryA( CryptStringToBinaryA(
_In_reads_(cchString) LPCSTR pszString, _In_reads_(cchString) LPCSTR pszString,
_In_ DWORD cchString, _In_ DWORD cchString,
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_Out_writes_bytes_to_opt_(*pcbBinary, *pcbBinary) BYTE *pbBinary, _Out_writes_bytes_to_opt_(*pcbBinary, *pcbBinary) BYTE *pbBinary,
_Inout_ DWORD *pcbBinary, _Inout_ DWORD *pcbBinary,
_Out_opt_ DWORD *pdwSkip, _Out_opt_ DWORD *pdwSkip,
skipping to change at line 19609 skipping to change at line 20387
); );
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// convert formatted string to binary // convert formatted string to binary
// If cchString is 0, then pszString is NULL terminated and // If cchString is 0, then pszString is NULL terminated and
// cchString is obtained via strlen() + 1. // cchString is obtained via strlen() + 1.
// dwFlags defines string format // dwFlags defines string format
// if pbBinary is NULL, *pcbBinary returns the size of required memory // if pbBinary is NULL, *pcbBinary returns the size of required memory
// *pdwSkip returns the character count of skipped strings, optional // *pdwSkip returns the character count of skipped strings, optional
// *pdwFlags returns the actual format used in the conversion, optional // *pdwFlags returns the actual format used in the conversion, optional
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
_Success_(return)
WINCRYPT32STRINGAPI WINCRYPT32STRINGAPI
BOOL BOOL
WINAPI WINAPI
CryptStringToBinaryW( CryptStringToBinaryW(
_In_reads_(cchString) LPCWSTR pszString, _In_reads_(cchString) LPCWSTR pszString,
_In_ DWORD cchString, _In_ DWORD cchString,
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_Out_writes_bytes_to_opt_(*pcbBinary, *pcbBinary) BYTE *pbBinary, _Out_writes_bytes_to_opt_(*pcbBinary, *pcbBinary) BYTE *pbBinary,
_Inout_ DWORD *pcbBinary, _Inout_ DWORD *pcbBinary,
_Out_opt_ DWORD *pdwSkip, _Out_opt_ DWORD *pdwSkip,
skipping to change at line 19667 skipping to change at line 20446
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_Out_writes_to_opt_(*pcchString, *pcchString) LPWSTR pszString, _Out_writes_to_opt_(*pcchString, *pcchString) LPWSTR pszString,
_Inout_ DWORD *pcchString _Inout_ DWORD *pcchString
); );
#ifdef UNICODE #ifdef UNICODE
#define CryptBinaryToString CryptBinaryToStringW #define CryptBinaryToString CryptBinaryToStringW
#else #else
#define CryptBinaryToString CryptBinaryToStringA #define CryptBinaryToString CryptBinaryToStringA
#endif // !UNICODE #endif // !UNICODE
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
// dwFlags has the following defines // dwFlags has the following defines
// certenrolld_begin -- CRYPT_STRING_* // certenrolld_begin -- CRYPT_STRING_*
#define CRYPT_STRING_BASE64HEADER 0x00000000 #define CRYPT_STRING_BASE64HEADER 0x00000000
#define CRYPT_STRING_BASE64 0x00000001 #define CRYPT_STRING_BASE64 0x00000001
#define CRYPT_STRING_BINARY 0x00000002 #define CRYPT_STRING_BINARY 0x00000002
#define CRYPT_STRING_BASE64REQUESTHEADER 0x00000003 #define CRYPT_STRING_BASE64REQUESTHEADER 0x00000003
#define CRYPT_STRING_HEX 0x00000004 #define CRYPT_STRING_HEX 0x00000004
#define CRYPT_STRING_HEXASCII 0x00000005 #define CRYPT_STRING_HEXASCII 0x00000005
#define CRYPT_STRING_BASE64_ANY 0x00000006 #define CRYPT_STRING_BASE64_ANY 0x00000006
#define CRYPT_STRING_ANY 0x00000007 #define CRYPT_STRING_ANY 0x00000007
#define CRYPT_STRING_HEX_ANY 0x00000008 #define CRYPT_STRING_HEX_ANY 0x00000008
#define CRYPT_STRING_BASE64X509CRLHEADER 0x00000009 #define CRYPT_STRING_BASE64X509CRLHEADER 0x00000009
#define CRYPT_STRING_HEXADDR 0x0000000a #define CRYPT_STRING_HEXADDR 0x0000000a
#define CRYPT_STRING_HEXASCIIADDR 0x0000000b #define CRYPT_STRING_HEXASCIIADDR 0x0000000b
#define CRYPT_STRING_HEXRAW 0x0000000c #define CRYPT_STRING_HEXRAW 0x0000000c
#define CRYPT_STRING_BASE64URI 0x0000000d
#define CRYPT_STRING_PERCENTESCAPE 0x08000000 // base64 formats only
#define CRYPT_STRING_HASHDATA 0x10000000 #define CRYPT_STRING_HASHDATA 0x10000000
#define CRYPT_STRING_STRICT 0x20000000 #define CRYPT_STRING_STRICT 0x20000000
#define CRYPT_STRING_NOCRLF 0x40000000 #define CRYPT_STRING_NOCRLF 0x40000000
#define CRYPT_STRING_NOCR 0x80000000 #define CRYPT_STRING_NOCR 0x80000000
// certenrolld_end // certenrolld_end
// CryptBinaryToString uses the following flags // CryptBinaryToString uses the following flags
// CRYPT_STRING_BASE64HEADER - base64 format with certificate begin // CRYPT_STRING_BASE64HEADER - base64 format with certificate begin
// and end headers // and end headers
// CRYPT_STRING_BASE64 - only base64 without headers // CRYPT_STRING_BASE64 - only base64 without headers
skipping to change at line 19775 skipping to change at line 20562
// CRYPT_USER_PROTECTED - (see documentation on CryptImportKey) // CRYPT_USER_PROTECTED - (see documentation on CryptImportKey)
// CRYPT_MACHINE_KEYSET - used to force the private key to be stored in the // CRYPT_MACHINE_KEYSET - used to force the private key to be stored in the
// the local machine and not the current user. // the local machine and not the current user.
// CRYPT_USER_KEYSET - used to force the private key to be stored in the // CRYPT_USER_KEYSET - used to force the private key to be stored in the
// the current user and not the local machine, even if // the current user and not the local machine, even if
// the pfx blob specifies that it should go into local // the pfx blob specifies that it should go into local
// machine. // machine.
// PKCS12_INCLUDE_EXTENDED_PROPERTIES - used to import all extended // PKCS12_INCLUDE_EXTENDED_PROPERTIES - used to import all extended
// properties that were saved with CertExportCertStore() // properties that were saved with CertExportCertStore()
// using the same flag. // using the same flag.
//
// PKCS12_ONLY_CERTIFICATES - the returned store only contains certificates.
// Private keys aren't decrypted or imported.
// If the certificates weren't encrypted, then,
// we won't use a password to decrypt. Otherwise,
// will do normal password decryption.
// For certificates having an associated private
// key, we add the CERT_KEY_PROV_INFO_PROP_ID.
// The KeyProvInfo will have the following special
// values:
// dwProvType = 0
// pwszProvName = L"PfxProvider"
// pwszProvName = L"PfxContainer"
//
// For not encrypted certificates, we won't use
// any password to do the MAC check. If a MAC
// check is necessary, then, PKCS12_NO_PERSIST_KEY
// option should be selected instead.
//
// PKCS12_ONLY_NOT_ENCRYPTED_CERTIFICATES - same as for PKCS12_ONLY_CERTIFICATE
S
// except, we won't fallback to
// using the password to decrypt.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
HCERTSTORE HCERTSTORE
WINAPI WINAPI
PFXImportCertStore( PFXImportCertStore(
_In_ CRYPT_DATA_BLOB* pPFX, _In_ CRYPT_DATA_BLOB* pPFX,
_In_ LPCWSTR szPassword, _In_ LPCWSTR szPassword,
_In_ DWORD dwFlags); _In_ DWORD dwFlags);
// dwFlags definitions for PFXImportCertStore // dwFlags definitions for PFXImportCertStore
//#define CRYPT_EXPORTABLE 0x00000001 // CryptImportKey dwFlags //#define CRYPT_EXPORTABLE 0x00000001 // CryptImportKey dwFlags
//#define CRYPT_USER_PROTECTED 0x00000002 // CryptImportKey dwFlags //#define CRYPT_USER_PROTECTED 0x00000002 // CryptImportKey dwFlags
//#define CRYPT_MACHINE_KEYSET 0x00000020 // CryptAcquireContext dwFlags //#define CRYPT_MACHINE_KEYSET 0x00000020 // CryptAcquireContext dwFlags
//#define CRYPT_USER_PROTECTED_STRONG 0x00100000
//#define PKCS12_INCLUDE_EXTENDED_PROPERTIES 0x10 //#define PKCS12_INCLUDE_EXTENDED_PROPERTIES 0x10
#define PKCS12_IMPORT_SILENT 0x00000040 #define PKCS12_IMPORT_SILENT 0x00000040
#define CRYPT_USER_KEYSET 0x00001000 #define CRYPT_USER_KEYSET 0x00001000
#define PKCS12_PREFER_CNG_KSP 0x00000100 // prefer using CNG KSP #define PKCS12_PREFER_CNG_KSP 0x00000100 // prefer using CNG KSP
#define PKCS12_ALWAYS_CNG_KSP 0x00000200 // always use CNG KSP #define PKCS12_ALWAYS_CNG_KSP 0x00000200 // always use CNG KSP
#define PKCS12_ONLY_CERTIFICATES 0x00000400
#define PKCS12_ONLY_NOT_ENCRYPTED_CERTIFICATES 0x00000800
#define PKCS12_ALLOW_OVERWRITE_KEY 0x00004000 // allow overwrite existing key #define PKCS12_ALLOW_OVERWRITE_KEY 0x00004000 // allow overwrite existing key
#define PKCS12_NO_PERSIST_KEY 0x00008000 // key will not be persisted #define PKCS12_NO_PERSIST_KEY 0x00008000 // key will not be persisted
#define PKCS12_IMPORT_RESERVED_MASK 0xffff0000 #define PKCS12_IMPORT_RESERVED_MASK 0xffff0000
#define PKCS12_OBJECT_LOCATOR_ALL_IMPORT_FLAGS \ #define PKCS12_OBJECT_LOCATOR_ALL_IMPORT_FLAGS \
( PKCS12_ALWAYS_CNG_KSP | \ ( PKCS12_ALWAYS_CNG_KSP | \
PKCS12_NO_PERSIST_KEY | \ PKCS12_NO_PERSIST_KEY | \
PKCS12_IMPORT_SILENT | \ PKCS12_IMPORT_SILENT | \
PKCS12_INCLUDE_EXTENDED_PROPERTIES ) PKCS12_INCLUDE_EXTENDED_PROPERTIES )
#define PKCS12_ONLY_CERTIFICATES_PROVIDER_TYPE 0
#define PKCS12_ONLY_CERTIFICATES_PROVIDER_NAME L"PfxProvider"
#define PKCS12_ONLY_CERTIFICATES_CONTAINER_NAME L"PfxContainer"
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// PFXIsPFXBlob // PFXIsPFXBlob
// //
// This function will try to decode the outer layer of the blob as a pfx // This function will try to decode the outer layer of the blob as a pfx
// blob, and if that works it will return TRUE, it will return FALSE otherwise // blob, and if that works it will return TRUE, it will return FALSE otherwise
// //
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
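Review bot: The PKCS12_ONLY_CERTIFICATES comment lists the special KeyProvInfo values as `pwszProvName = L"PfxProvider"` followed by a second `pwszProvName = L"PfxContainer"`; the second member should read `pwszContainerName = L"PfxContainer"`, which is what the new PKCS12_ONLY_CERTIFICATES_CONTAINER_NAME macro further down also implies. It would also help to refer to the three PKCS12_ONLY_CERTIFICATES_* macros from that comment instead of restating the literals, so the prose and the defines cannot drift apart. These values look like sentinels rather than a real key storage provider (dwProvType 0); if that is the intent, a sentence saying the CERT_KEY_PROV_INFO_PROP_ID set in this mode is informational and not usable for key acquisition would save consumers a debugging round.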
skipping to change at line 19859 skipping to change at line 20675
// in the pfx protected to the NCRYPT_DESCRIPTOR_HANDLE. On import, any // in the pfx protected to the NCRYPT_DESCRIPTOR_HANDLE. On import, any
// principal that is listed in NCRYPT_DESCRIPTOR_HANDLE can decrypt the // principal that is listed in NCRYPT_DESCRIPTOR_HANDLE can decrypt the
// password within the pfx and use it to descrypt the entire pfx. // password within the pfx and use it to descrypt the entire pfx.
// //
// If the password parameter is NULL or L"" and the // If the password parameter is NULL or L"" and the
// PKCS12_PROTECT_TO_DOMAIN_SIDS flag is set together with an // PKCS12_PROTECT_TO_DOMAIN_SIDS flag is set together with an
// NCRYPT_DESCRIPTOR_HANDLE* for pvPara then a random password of length // NCRYPT_DESCRIPTOR_HANDLE* for pvPara then a random password of length
// 40 characters is chosen to protect the pfx. This password will be // 40 characters is chosen to protect the pfx. This password will be
// protected inside the pfx. // protected inside the pfx.
// //
// If the certificates don't need to be private, such as, the PFX is
// hosted on a file share accessed by IIS, then,
// the PKCS12_DISABLE_ENCRYPT_CERTIFICATES flag should be set.
//
// Note, OpenSSL and down level platforms support certificates that weren't
// encrypted.
//
// In Threshold the default was changed not to encrypt the certificates.
// The following registry value can be set to change the default to enable
// the encryption.
// HKLM\Software\Microsoft\Windows\CurrentVersion\PFX
// REG_DWORD EncryptCertificates
//
// The PKCS12_ENCRYPT_CERTIFICATES flag should be set to always
// encrypt the certificates.
//
// The dwFlags parameter may be set to any combination of // The dwFlags parameter may be set to any combination of
// EXPORT_PRIVATE_KEYS // EXPORT_PRIVATE_KEYS
// REPORT_NO_PRIVATE_KEY // REPORT_NO_PRIVATE_KEY
// REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY // REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY
// PKCS12_EXPORT_SILENT // PKCS12_EXPORT_SILENT
// PKCS12_INCLUDE_EXTENDED_PROPERTIES // PKCS12_INCLUDE_EXTENDED_PROPERTIES
// PKCS12_PROTECT_TO_DOMAIN_SIDS // PKCS12_PROTECT_TO_DOMAIN_SIDS
// PKCS12_DISABLE_ENCRYPT_CERTIFICATES or PKCS12_ENCRYPT_CERTIFICATES
// PKCS12_EXPORT_ECC_CURVE_PARAMETERS
// PKCS12_EXPORT_ECC_CURVE_OID
// //
// The encoded PFX blob is returned in *pPFX. If pPFX->pbData is NULL upon // The encoded PFX blob is returned in *pPFX. If pPFX->pbData is NULL upon
// input, this is a length only calculation, whereby, pPFX->cbData is updated // input, this is a length only calculation, whereby, pPFX->cbData is updated
// with the number of bytes required for the encoded blob. Otherwise, // with the number of bytes required for the encoded blob. Otherwise,
// the memory pointed to by pPFX->pbData is updated with the encoded bytes // the memory pointed to by pPFX->pbData is updated with the encoded bytes
// and pPFX->cbData is updated with the encoded byte length. // and pPFX->cbData is updated with the encoded byte length.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
skipping to change at line 19890 skipping to change at line 20725
_In_ void* pvPara, _In_ void* pvPara,
_In_ DWORD dwFlags); _In_ DWORD dwFlags);
// dwFlags definitions for PFXExportCertStoreEx // dwFlags definitions for PFXExportCertStoreEx
#define REPORT_NO_PRIVATE_KEY 0x0001 #define REPORT_NO_PRIVATE_KEY 0x0001
#define REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY 0x0002 #define REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY 0x0002
#define EXPORT_PRIVATE_KEYS 0x0004 #define EXPORT_PRIVATE_KEYS 0x0004
#define PKCS12_INCLUDE_EXTENDED_PROPERTIES 0x0010 #define PKCS12_INCLUDE_EXTENDED_PROPERTIES 0x0010
#define PKCS12_PROTECT_TO_DOMAIN_SIDS 0x0020 #define PKCS12_PROTECT_TO_DOMAIN_SIDS 0x0020
#define PKCS12_EXPORT_SILENT 0x0040 #define PKCS12_EXPORT_SILENT 0x0040
#define PKCS12_DISABLE_ENCRYPT_CERTIFICATES 0x0100
#define PKCS12_ENCRYPT_CERTIFICATES 0x0200
#define PKCS12_EXPORT_ECC_CURVE_PARAMETERS 0x1000
#define PKCS12_EXPORT_ECC_CURVE_OID 0x2000
#define PKCS12_EXPORT_RESERVED_MASK 0xffff0000 #define PKCS12_EXPORT_RESERVED_MASK 0xffff0000
// Registry path to the PFX configuration local machine subkey
#define PKCS12_CONFIG_REGPATH \
L"Software\\Microsoft\\Windows\\CurrentVersion\\PFX"
// The default is not to encrypt the certificates included in the PFX.
// The following is a REG_DWORD. It should be set to a nonzero value
// to change the default to enable encrypting the certificates.
#define PKCS12_ENCRYPT_CERTIFICATES_VALUE_NAME \
L"EncryptCertificates"
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// PFXExportCertStore // PFXExportCertStore
// //
// Export the certificates and private keys referenced in the passed-in store // Export the certificates and private keys referenced in the passed-in store
// //
// This is an old API kept for compatibility with IE4 clients. New applications // This is an old API kept for compatibility with IE4 clients. New applications
// should call the above PfxExportCertStoreEx for enhanced security. // should call the above PfxExportCertStoreEx for enhanced security.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
BOOL BOOL
WINAPI WINAPI
PFXExportCertStore( PFXExportCertStore(
_In_ HCERTSTORE hStore, _In_ HCERTSTORE hStore,
_Inout_ CRYPT_DATA_BLOB* pPFX, _Inout_ CRYPT_DATA_BLOB* pPFX,
_In_ LPCWSTR szPassword, _In_ LPCWSTR szPassword,
_In_ DWORD dwFlags); _In_ DWORD dwFlags);
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
//+========================================================================= //+=========================================================================
// APIs to get a non-blocking, time valid OCSP response for // APIs to get a non-blocking, time valid OCSP response for
// a server certificate chain. // a server certificate chain.
// //
// Normally, this OCSP response will be included along with the server // Normally, this OCSP response will be included along with the server
// certificate in a message returned to the client. As a result only the // certificate in a message returned to the client. As a result only the
// server should need to contact the OCSP responser for its certificate. // server should need to contact the OCSP responser for its certificate.
//========================================================================== //==========================================================================
#if (NTDDI_VERSION >= NTDDI_VISTA) #if (NTDDI_VERSION >= NTDDI_VISTA)
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Server OCSP response handle. // Server OCSP response handle.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
typedef VOID *HCERT_SERVER_OCSP_RESPONSE; typedef VOID *HCERT_SERVER_OCSP_RESPONSE;
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Server OCSP response context.
//--------------------------------------------------------------------------
typedef struct _CERT_SERVER_OCSP_RESPONSE_CONTEXT
CERT_SERVER_OCSP_RESPONSE_CONTEXT,
*PCERT_SERVER_OCSP_RESPONSE_CONTEXT;
typedef const CERT_SERVER_OCSP_RESPONSE_CONTEXT
*PCCERT_SERVER_OCSP_RESPONSE_CONTEXT;
struct _CERT_SERVER_OCSP_RESPONSE_CONTEXT {
DWORD cbSize;
BYTE *pbEncodedOcspResponse;
DWORD cbEncodedOcspResponse;
};
//+-------------------------------------------------------------------------
// Server OCSP response update callback
//
// If CERT_SERVER_OCSP_RESPONSE_OPEN_PARA_WRITE_FLAG has been enabled
// then dwWriteOcspFileError will be set. Otherwise, always set to 0.
//--------------------------------------------------------------------------
typedef VOID (CALLBACK *PFN_CERT_SERVER_OCSP_RESPONSE_UPDATE_CALLBACK)(
_In_ PCCERT_CHAIN_CONTEXT pChainContext,
_In_ PCCERT_SERVER_OCSP_RESPONSE_CONTEXT pServerOcspResponseContext,
_In_ PCCRL_CONTEXT pNewCrlContext,
_In_opt_ PCCRL_CONTEXT pPrevCrlContext,
_Inout_opt_ PVOID pvArg,
_In_ DWORD dwWriteOcspFileError
);
//+-------------------------------------------------------------------------
// Server OCSP response open parameters
//--------------------------------------------------------------------------
typedef struct _CERT_SERVER_OCSP_RESPONSE_OPEN_PARA {
DWORD cbSize;
DWORD dwFlags;
// If nonNULL, *pcbUsedSize is updated with subset of cbSize that was
// used. If OPEN_PARA isn't supported, then, *pcbUsedSize won't be
// updated.
DWORD *pcbUsedSize;
// If nonNULL, the OCSP response is either read from or written to
// this directory. The CERT_SERVER_OCSP_RESPONSE_OPEN_PARA_READ_FLAG
// dwFlags must be set to read.
// The CERT_SERVER_OCSP_RESPONSE_OPEN_PARA_WRITE_FLAG dwFlags must be
// set to write. Its an ERROR_INVALID_PARAMETER error to set both dwFlags.
//
// The format of the OCSP response file name:
// <ASCII HEX ServerCert SHA1 Thumbprint>".ocsp"
PWSTR pwszOcspDirectory;
// If nonNULL, the callback is called whenever the OCSP response is
// updated. Note, the updated OCSP response might not be time valid.
PFN_CERT_SERVER_OCSP_RESPONSE_UPDATE_CALLBACK pfnUpdateCallback;
PVOID pvUpdateCallbackArg;
} CERT_SERVER_OCSP_RESPONSE_OPEN_PARA, *PCERT_SERVER_OCSP_RESPONSE_OPEN_PARA;
// Set either of these flags in the above dwFlags to use the
// pwszOcspDirectory.
#define CERT_SERVER_OCSP_RESPONSE_OPEN_PARA_READ_FLAG 0x00000001
#define CERT_SERVER_OCSP_RESPONSE_OPEN_PARA_WRITE_FLAG 0x00000002
//+-------------------------------------------------------------------------
// Open a handle to an OCSP response associated with a server certificate // Open a handle to an OCSP response associated with a server certificate
// chain. If the end certificate doesn't have an OCSP AIA URL, NULL is // chain. If the end certificate doesn't have an OCSP AIA URL, NULL is
// returned with LastError set to CRYPT_E_NOT_IN_REVOCATION_DATABASE. NULL // returned with LastError set to CRYPT_E_NOT_IN_REVOCATION_DATABASE. NULL
// will also be returned if unable to allocate memory or create system // will also be returned if unable to allocate memory or create system
// objects. // objects.
// //
// This API will try to retrieve an initial OCSP response before returning. // This API will try to retrieve an initial OCSP response before returning.
// This API will block during the retrieval. If unable to successfully // This API will block during the retrieval. If unable to successfully
// retrieve the first OCSP response, a non-NULL handle will still be returned // retrieve the first OCSP response, a non-NULL handle will still be returned
// if not one of the error cases mentioned above. // if not one of the error cases mentioned above.
// return immediately without making the initial synchronous retrieval. // return immediately without making the initial synchronous retrieval.
// //
// A background thread is created that will pre-fetch time valid // A background thread is created that will pre-fetch time valid
// OCSP responses. // OCSP responses.
// //
// The input chain context will be AddRef'ed and not freed until // The input chain context will be AddRef'ed and not freed until
// the returned handle is closed. // the returned handle is closed.
// //
// CertCloseServerOcspResponse() must be called to close the returned // CertCloseServerOcspResponse() must be called to close the returned
// handle. // handle.
//
// pvReserved isn't currently used and must be set to NULL.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
HCERT_SERVER_OCSP_RESPONSE HCERT_SERVER_OCSP_RESPONSE
WINAPI WINAPI
CertOpenServerOcspResponse( CertOpenServerOcspResponse(
_In_ PCCERT_CHAIN_CONTEXT pChainContext, _In_ PCCERT_CHAIN_CONTEXT pChainContext,
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_Reserved_ LPVOID pvReserved _In_opt_ PCERT_SERVER_OCSP_RESPONSE_OPEN_PARA pOpenPara
); );
// Set this flag to return immediately without making the initial // Set this flag to return immediately without making the initial
// synchronous retrieval // synchronous retrieval
#define CERT_SERVER_OCSP_RESPONSE_ASYNC_FLAG 0x00000001 #define CERT_SERVER_OCSP_RESPONSE_ASYNC_FLAG 0x00000001
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// AddRef a HCERT_SERVER_OCSP_RESPONSE returned by // AddRef a HCERT_SERVER_OCSP_RESPONSE returned by
// CertOpenServerOcspResponse(). Each Open and AddRef requires a // CertOpenServerOcspResponse(). Each Open and AddRef requires a
// corresponding CertCloseServerOcspResponse(). // corresponding CertCloseServerOcspResponse().
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
WINCRYPT32API WINCRYPT32API
VOID VOID
WINAPI WINAPI
CertCloseServerOcspResponse( CertCloseServerOcspResponse(
_In_opt_ HCERT_SERVER_OCSP_RESPONSE hServerOcspResponse, _In_opt_ HCERT_SERVER_OCSP_RESPONSE hServerOcspResponse,
_In_ DWORD dwFlags _In_ DWORD dwFlags
); );
//+------------------------------------------------------------------------- //+-------------------------------------------------------------------------
// Server OCSP response context.
//--------------------------------------------------------------------------
typedef struct _CERT_SERVER_OCSP_RESPONSE_CONTEXT
CERT_SERVER_OCSP_RESPONSE_CONTEXT,
*PCERT_SERVER_OCSP_RESPONSE_CONTEXT;
typedef const CERT_SERVER_OCSP_RESPONSE_CONTEXT
*PCCERT_SERVER_OCSP_RESPONSE_CONTEXT;
struct _CERT_SERVER_OCSP_RESPONSE_CONTEXT {
DWORD cbSize;
BYTE *pbEncodedOcspResponse;
DWORD cbEncodedOcspResponse;
};
//+-------------------------------------------------------------------------
// Get a time valid OCSP response context for the handle created for // Get a time valid OCSP response context for the handle created for
// the server certificate chain. // the server certificate chain.
// //
// This API won't block to retrieve the OCSP response. It will return // This API won't block to retrieve the OCSP response. It will return
// the current pre-fetched OCSP response. If a time valid OCSP response // the current pre-fetched OCSP response. If a time valid OCSP response
// isn't available, NULL will be returned with LAST_ERROR set to // isn't available, NULL will be returned with LAST_ERROR set to
// CRYPT_E_REVOCATION_OFFLINE. // CRYPT_E_REVOCATION_OFFLINE.
// //
// CertFreeServerOcspResponseContext() must be called to free the // CertFreeServerOcspResponseContext() must be called to free the
// returned OCSP response context. // returned OCSP response context.
_In_ LPCSTR lpszLogoOrBiometricType, _In_ LPCSTR lpszLogoOrBiometricType,
_In_ DWORD dwRetrievalFlags, _In_ DWORD dwRetrievalFlags,
_In_ DWORD dwTimeout, // milliseconds _In_ DWORD dwTimeout, // milliseconds
_In_ DWORD dwFlags, _In_ DWORD dwFlags,
_Reserved_ void *pvReserved, _Reserved_ void *pvReserved,
_Outptr_result_bytebuffer_(*pcbData) BYTE **ppbData, // CryptMemFree() _Outptr_result_bytebuffer_(*pcbData) BYTE **ppbData, // CryptMemFree()
_Out_ DWORD *pcbData, _Out_ DWORD *pcbData,
_Outptr_opt_result_maybenull_ LPWSTR *ppwszMimeType // CryptMemFree( ) _Outptr_opt_result_maybenull_ LPWSTR *ppwszMimeType // CryptMemFree( )
); );
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON
E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion
#pragma region Application Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM)
// Predefined Logotypes // Predefined Logotypes
#define CERT_RETRIEVE_ISSUER_LOGO ((LPCSTR) 1) #define CERT_RETRIEVE_ISSUER_LOGO ((LPCSTR) 1)
#define CERT_RETRIEVE_SUBJECT_LOGO ((LPCSTR) 2) #define CERT_RETRIEVE_SUBJECT_LOGO ((LPCSTR) 2)
#define CERT_RETRIEVE_COMMUNITY_LOGO ((LPCSTR) 3) #define CERT_RETRIEVE_COMMUNITY_LOGO ((LPCSTR) 3)
// Predefined Biometric types // Predefined Biometric types
#define CERT_RETRIEVE_BIOMETRIC_PREDEFINED_BASE_TYPE ((LPCSTR) 1000) #define CERT_RETRIEVE_BIOMETRIC_PREDEFINED_BASE_TYPE ((LPCSTR) 1000)
#define CERT_RETRIEVE_BIOMETRIC_PICTURE_TYPE \ #define CERT_RETRIEVE_BIOMETRIC_PICTURE_TYPE \
(CERT_RETRIEVE_BIOMETRIC_PREDEFINED_BASE_TYPE + CERT_BIOMETRIC_PICTURE_TYPE) (CERT_RETRIEVE_BIOMETRIC_PREDEFINED_BASE_TYPE + CERT_BIOMETRIC_PICTURE_TYPE)
const BYTE *pbData, const BYTE *pbData,
DWORD cbData, DWORD cbData,
_In_opt_ HCERTSTORE hAdditionalStore, _In_opt_ HCERTSTORE hAdditionalStore,
_Outptr_ PCRYPT_TIMESTAMP_CONTEXT *ppTsContext, _Outptr_ PCRYPT_TIMESTAMP_CONTEXT *ppTsContext,
_Outptr_result_maybenull_ PCCERT_CONTEXT *ppTsSigner, _Outptr_result_maybenull_ PCCERT_CONTEXT *ppTsSigner,
_Out_opt_ HCERTSTORE *phStore _Out_opt_ HCERTSTORE *phStore
); );
#endif // (NTDDI_VERSION >= NTDDI_WIN7) #endif // (NTDDI_VERSION >= NTDDI_WIN7)
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP | WINAPI_PARTITION_SYSTEM
)*/
#pragma endregion
#pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHONE_REST
RICTED | WINAPI_PARTITION_SYSTEM)
// //
// Object Locator Provider API // Object Locator Provider API
// //
#if (NTDDI_VERSION >= NTDDI_WIN8) #if (NTDDI_VERSION >= NTDDI_WIN8)
#define CRYPT_OBJECT_LOCATOR_SPN_NAME_TYPE 1 //ex. "HTTP/www .contoso.com" #define CRYPT_OBJECT_LOCATOR_SPN_NAME_TYPE 1 //ex. "HTTP/www .contoso.com"
#define CRYPT_OBJECT_LOCATOR_LAST_RESERVED_NAME_TYPE 32 #define CRYPT_OBJECT_LOCATOR_LAST_RESERVED_NAME_TYPE 32
#define CRYPT_OBJECT_LOCATOR_FIRST_RESERVED_USER_NAME_TYPE 33 #define CRYPT_OBJECT_LOCATOR_FIRST_RESERVED_USER_NAME_TYPE 33
#define CRYPT_OBJECT_LOCATOR_LAST_RESERVED_USER_NAME_TYPE 0x0000FFFF #define CRYPT_OBJECT_LOCATOR_LAST_RESERVED_USER_NAME_TYPE 0x0000FFFF
// will be passed back to each of the subsequent callback functions. // will be passed back to each of the subsequent callback functions.
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
_Success_(return != 0) _Success_(return != 0)
typedef BOOL (WINAPI *PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_INITIALIZE)( typedef BOOL (WINAPI *PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_INITIALIZE)(
_In_ PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_FLUSH pfnFlush, _In_ PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_FLUSH pfnFlush,
_In_ LPVOID pContext, _In_ LPVOID pContext,
_Out_ DWORD *pdwExpectedObjectCount, _Out_ DWORD *pdwExpectedObjectCount,
_Outptr_ PCRYPT_OBJECT_LOCATOR_PROVIDER_TABLE *ppFuncTable, _Outptr_ PCRYPT_OBJECT_LOCATOR_PROVIDER_TABLE *ppFuncTable,
_Outptr_result_maybenull_ void **ppPluginContext); _Outptr_result_maybenull_ void **ppPluginContext);
//
// If pTimeStamp is NULL or zero time, then, current time is used.
// For CERT_TIMESTAMP_HASH_USE_TYPE, current time is always used.
//
// If pSignerChainContext is NULL, then, checks if weak hash has
// been disabled for the more restrictive Third Party Chain. If TRUE
// is returned, then, this API must be called again with a nonNULL
// pSignerChainContext which might return FALSE for logging only or
// if this isn't a Third Party Chain and weak hash hasn't been disabled for
// all signers.
//
// For CERT_TIMESTAMP_HASH_USE_TYPE, this should be the file signer and
// not the timestamp chain signer.
//
// The following WinVerifyTrust dwProvFlags map to the corresponding
// dwChainFlags:
// WTD_DISABLE_MD2_MD4 -> CERT_CHAIN_DISABLE_MD2_MD4
// WTD_MOTW -> CERT_CHAIN_HAS_MOTW
//
WINCRYPT32API
BOOL
WINAPI
CertIsWeakHash(
_In_ DWORD dwHashUseType,
_In_ LPCWSTR pwszCNGHashAlgid,
_In_ DWORD dwChainFlags,
_In_opt_ PCCERT_CHAIN_CONTEXT pSignerChainContext,
_In_opt_ LPFILETIME pTimeStamp,
_In_opt_ LPCWSTR pwszFileName
);
typedef WINCRYPT32API BOOL (WINAPI *PFN_CERT_IS_WEAK_HASH)(
_In_ DWORD dwHashUseType,
_In_ LPCWSTR pwszCNGHashAlgid,
_In_ DWORD dwChainFlags,
_In_opt_ PCCERT_CHAIN_CONTEXT pSignerChainContext,
_In_opt_ LPFILETIME pTimeStamp,
_In_opt_ LPCWSTR pwszFileName
);
//
// Hash Use Types
//
#define CERT_FILE_HASH_USE_TYPE 1
#define CERT_TIMESTAMP_HASH_USE_TYPE 2
#endif // (NTDDI_VERSION >= NTDDI_WIN8) #endif // (NTDDI_VERSION >= NTDDI_WIN8)
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) */ #endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP|WINAPI_PARTITION_PHON E_RESTRICTED | WINAPI_PARTITION_SYSTEM) */
#pragma endregion #pragma endregion
#endif //!defined(_DDK_DRIVER_) #endif //!defined(_DDK_DRIVER_)
#ifdef __cplusplus #ifdef __cplusplus
} // Balance extern "C" above } // Balance extern "C" above
#endif #endif
#if defined (_MSC_VER) #if defined (_MSC_VER)
#if ( _MSC_VER >= 800 ) #if ( _MSC_VER >= 800 )
#pragma endregion #pragma endregion
#endif //!defined(_DDK_DRIVER_) #endif //!defined(_DDK_DRIVER_)
#ifdef __cplusplus #ifdef __cplusplus
} // Balance extern "C" above } // Balance extern "C" above
#endif #endif
#if defined (_MSC_VER) #if defined (_MSC_VER)
#if ( _MSC_VER >= 800 ) #if ( _MSC_VER >= 800 )
#if _MSC_VER >= 1200 #if _MSC_VER >= 1200
#pragma warning(pop) #pragma warning(pop)
#else #else
#pragma warning(default:4201) #pragma warning(default:4201)
#endif #endif
#endif #endif
#endif #endif
#pragma region Desktop Family #pragma region Desktop Family or OneCore Family
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) #if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP | WINAPI_PARTITION_SYSTEM)
// //
// The following headers are refactored out of WinCrypt.h, // The following headers are refactored out of WinCrypt.h,
// reflecting the separate binaries. // reflecting the separate binaries.
// Applications which do not depend on all functionality of CRYPT32 etc., // Applications which do not depend on all functionality of CRYPT32 etc.,
// can link directly to smaller binaries using smaller headers also. // can link directly to smaller binaries using smaller headers also.
// //
#ifndef _WINCRYPT_NO_DPAPI #ifndef _WINCRYPT_NO_DPAPI
#include <dpapi.h> #include <dpapi.h>
// //
// The following headers are refactored out of WinCrypt.h, // The following headers are refactored out of WinCrypt.h,
// reflecting the separate binaries. // reflecting the separate binaries.
// Applications which do not depend on all functionality of CRYPT32 etc., // Applications which do not depend on all functionality of CRYPT32 etc.,
// can link directly to smaller binaries using smaller headers also. // can link directly to smaller binaries using smaller headers also.
// //
#ifndef _WINCRYPT_NO_DPAPI #ifndef _WINCRYPT_NO_DPAPI
#include <dpapi.h> #include <dpapi.h>
#endif #endif
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) */ #endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP | WINAPI_PARTITION_SY STEM) */
#pragma endregion #pragma endregion
#endif // __WINCRYPT_H__ #endif // __WINCRYPT_H__
 End of changes. 160 change blocks. 
154 lines changed or deleted 1188 lines changed or added


 wintrust.h (6.3.9600.17415-Windows 8.1)   wintrust.h (10.0.10586.0-Windows 10 1511 10586.494) 
// //
// History: 31-May-1997 pberkman created // History: 31-May-1997 pberkman created
// //
//-------------------------------------------------------------------------- //--------------------------------------------------------------------------
#ifndef WINTRUST_H #ifndef WINTRUST_H
#define WINTRUST_H #define WINTRUST_H
#include <winapifamily.h> #include <winapifamily.h>
#pragma region Desktop Family #pragma region Desktop Family or Wintrust Package
#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) #if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP | WINAPI_PARTITION_PKG_WINT
RUST)
#include <wincrypt.h> #include <wincrypt.h>
#if defined(_MSC_VER) && (_MSC_VER >= 800) #if defined(_MSC_VER) && (_MSC_VER >= 800)
#if _MSC_VER > 1000 #if _MSC_VER > 1000
#pragma once #pragma once
#endif #endif
#if _MSC_VER >= 1200 #if _MSC_VER >= 1200
#pragma warning(push) #pragma warning(push)
#endif #endif
//Indicates the attribute is an octet encoded PKCS7 //Indicates the attribute is an octet encoded PKCS7
#define szOID_NESTED_SIGNATURE "1.3.6.1.4.1.311.2.4.1" #define szOID_NESTED_SIGNATURE "1.3.6.1.4.1.311.2.4.1"
#define szOID_INTENT_TO_SEAL "1.3.6.1.4.1.311.2.4.2" #define szOID_INTENT_TO_SEAL "1.3.6.1.4.1.311.2.4.2"
#define szOID_SEALING_SIGNATURE "1.3.6.1.4.1.311.2.4.3" #define szOID_SEALING_SIGNATURE "1.3.6.1.4.1.311.2.4.3"
#define szOID_SEALING_TIMESTAMP "1.3.6.1.4.1.311.2.4.4" #define szOID_SEALING_TIMESTAMP "1.3.6.1.4.1.311.2.4.4"
//Indicates an enhanced hash for a SIP Indirect Data //Indicates an enhanced hash for a SIP Indirect Data
#define szOID_ENHANCED_HASH "1.3.6.1.4.1.311.2.5.1" #define szOID_ENHANCED_HASH "1.3.6.1.4.1.311.2.5.1"
//
// For PE Marker uses.
//
// Indicates the PE is subjected to relaxed marker check semantic.
#define SPC_RELAXED_PE_MARKER_CHECK_OBJID "1.3.6.1.4.1.311.2.6.1"
// Used to ensure marker free encrypted digest can be created.
#define SPC_ENCRYPTED_DIGEST_RETRY_COUNT_OBJID "1.3.6.1.4.1.311.2.6.2"
//Indicates a PKCS9 sequence number as an attribute //Indicates a PKCS9 sequence number as an attribute
#define szOID_PKCS_9_SEQUENCE_NUMBER "1.2.840.113549.1.9.25.4" #define szOID_PKCS_9_SEQUENCE_NUMBER "1.2.840.113549.1.9.25.4"
// //
// Catalog entries // Catalog entries
// //
#define CAT_NAMEVALUE_OBJID "1.3.6.1.4.1.311.12.2.1" #define CAT_NAMEVALUE_OBJID "1.3.6.1.4.1.311.12.2.1"
#define CAT_MEMBERINFO_OBJID "1.3.6.1.4.1.311.12.2.2" #define CAT_MEMBERINFO_OBJID "1.3.6.1.4.1.311.12.2.2"
#define CAT_MEMBERINFO2_OBJID "1.3.6.1.4.1.311.12.2.3" #define CAT_MEMBERINFO2_OBJID "1.3.6.1.4.1.311.12.2.3"
#endif #endif
#if defined(_MSC_VER) && (_MSC_VER >= 800) #if defined(_MSC_VER) && (_MSC_VER >= 800)
#if _MSC_VER >= 1200 #if _MSC_VER >= 1200
#pragma warning(pop) #pragma warning(pop)
#else #else
#pragma warning(default:4201) // nonstandard extension used : nameless s truct/union #pragma warning(default:4201) // nonstandard extension used : nameless s truct/union
#endif #endif
#endif #endif
#endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) */ #endif /* WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP | WINAPI_PARTITION_PK G_WINTRUST) */
#pragma endregion #pragma endregion
#endif // WINTRUST_H #endif // WINTRUST_H
 End of changes. 3 change blocks. 
3 lines changed or deleted 14 lines changed or added
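Review bot: The two new `SPC_RELAXED_PE_MARKER_CHECK_OBJID` and `SPC_ENCRYPTED_DIGEST_RETRY_COUNT_OBJID` defines are added without saying what a consumer of the attribute is expected to find in its value or whether it lives in the signed or unsigned attribute set, and the second comment, `// Used to ensure marker free encrypted digest can be created.`, does not say what the attribute holds; the surrounding `//Indicates ...` lines each state that for their OID. A one-line comment per define naming the value's encoding and the attribute set it belongs to, in the same style as the neighbouring `szOID_*` comments, would let callers parse these without reading the implementation. The naming also switches from the block's `szOID_` prefix to the `_OBJID` suffix used by the catalog-entry defines further down in this section, which looks deliberate but is worth a sentence in the `// For PE Marker uses.` header so the inconsistency is not read as accidental. The rest of the section (the partition widening to `WINAPI_PARTITION_PKG_WINTRUST`) raises no concern on its own.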
