using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using Vanara.InteropServices;
namespace Vanara.PInvoke
{
/// Methods and data types found in Crypt32.dll.
public static partial class Crypt32
{
/// A set of flags that override the default behavior of this function.
[PInvokeData("wincrypt.h", MSDNShortId = "89028c4e-f896-4c50-9fa2-bcb4e1784244")]
[Flags]
public enum CertCreateSelfSignFlags
{
///
/// By default, the returned PCCERT_CONTEXT references the private keys by setting the CERT_KEY_PROV_INFO_PROP_ID. If you do not
/// want the returned PCCERT_CONTEXT to reference private keys by setting the CERT_KEY_PROV_INFO_PROP_ID, specify CERT_CREATE_SELFSIGN_NO_KEY_INFO.
///
CERT_CREATE_SELFSIGN_NO_KEY_INFO = 2,
///
/// By default, the certificate being created is signed. If the certificate being created is only a dummy placeholder, the
/// certificate might not need to be signed. Signing of the certificate is skipped if CERT_CREATE_SELFSIGN_NO_SIGN is specified.
///
CERT_CREATE_SELFSIGN_NO_SIGN = 1,
}
/// Specifies the type of selection criteria used for the ppPara member.
[PInvokeData("wincrypt.h", MSDNShortId = "246722a9-5db6-4a82-8f29-f60f0a2263e3")]
public enum CertSelectBy : uint
{
///
/// Select certificates based on a specific enhanced key usage. When this flag is set, the ppPara must reference a
/// null-terminated object identifier (OID) ANSI string that specifies the enhanced key usage.
/// This criteria is evaluated on the certificate.
///
CERT_SELECT_BY_ENHKEY_USAGE = 1,
///
/// Select certificates based on a specific szOID_KEY_USAGE extension in the certificate. When this flag is set, the ppPara
/// member must reference a CERT_EXTENSION structure where the value of the extension is a DWORD that identifies the Key Usage bits.
/// This criteria is evaluated on the certificate.
///
CERT_SELECT_BY_KEY_USAGE = 2,
///
/// Select certificates based on a specific issuance policy. The ppPara member must reference a null-terminated OID ANSI string
/// of the desired issuance policy.
/// This criteria is evaluated on the issuance policy of the certificate chain.
///
CERT_SELECT_BY_POLICY_OID = 3,
///
/// Select certificates based on a specific private key provider. The ppPara member must reference a null-terminated Unicode
/// string that represents the name of the provider.
///
CERT_SELECT_BY_PROV_NAME = 4,
///
/// Select certificates based on the presence of a specified extension and an optional specified value. The ppPara member must
/// reference a CERT_EXTENSION structure that specifies the extension OID and the associated value.
///
CERT_SELECT_BY_EXTENSION = 5,
///
/// Select certificates based on the Subject DNS HOST Name. The ppPara member must reference a null-terminated Unicode string
/// that contains the subject host name. The selection performed based on this flag is the same as the evaluation of the
/// pwszServerName member of the SSL_EXTRA_CERT_CHAIN_POLICY_PARA structure during a call to the
/// CertVerifyCertificateChainPolicy function.
/// This criteria is evaluated on the certificate.
///
CERT_SELECT_BY_SUBJECT_HOST_NAME = 6,
///
/// Select certificates based on the relative distinguished name (RDN) element of the issuer of the certificate. The ppPara
/// member must reference a CERT_RDN structure that contains the RDN element of the issuer.
/// This criteria is evaluated on the certificate chain.
///
CERT_SELECT_BY_ISSUER_ATTR = 7,
///
/// Select certificates based on the RDN element in the Subject of the certificate. The ppPara member must be a reference to a
/// CERT_RDN structure that contains the RDN element of the Subject.
/// This criteria is evaluated on the certificate.
///
CERT_SELECT_BY_SUBJECT_ATTR = 8,
///
/// Select certificates based on the issuer of the certificate. The ppPara member must be a reference to a CERT_NAME_BLOB
/// structure that contains the name of the issuer.
/// This criteria is evaluated on the certificate chain.
///
CERT_SELECT_BY_ISSUER_NAME = 9,
///
/// Select certificates based on the public key of the certificate. The ppPara member must reference a pointer to a
/// CERT_PUBLIC_KEY_INFO structure that contains the public key.
/// This criteria is evaluated on the certificate.
///
CERT_SELECT_BY_PUBLIC_KEY = 10,
///
/// Select certificates based on the Transport Layer Security protocol (TLS) Signature requirement. The ppPara member must
/// reference a SecPkgContext_SupportedSignatures structure.
/// This criteria is evaluated on the certificate.
///
CERT_SELECT_BY_TLS_SIGNATURES = 11,
}
/// Flags for controlling the certificate selection process.
[PInvokeData("wincrypt.h", MSDNShortId = "b740772b-d25b-4b3d-9acb-03f7018750d6")]
public enum CertSelection : uint
{
///
/// Select expired certificates that meet selection criteria. By default expired certificates are rejected from selection.
///
CERT_SELECT_ALLOW_EXPIRED = 0x00000001,
///
/// Select certificates on which the error bit in the certificate chain trust status is not set to CERT_TRUST_IS_UNTRUSTED_ROOT,
/// CERT_TRUST_IS_PARTIAL_CHAIN, or CERT_TRUST_IS_NOT_TIME_VALID.
/// In addition, certificates that have one of the following invalid constraint errors are not selected:
/// CERT_TRUST_INVALID_POLICY_CONSTRAINTS
/// CERT_TRUST_INVALID_BASIC_CONSTRAINTS
/// CERT_TRUST_INVALID_NAME_CONSTRAINTS
///
CERT_SELECT_TRUSTED_ROOT = 0x00000002,
/// Select certificates that are not self-issued and self-signed.
CERT_SELECT_DISALLOW_SELFSIGNED = 0x00000004,
/// Select certificates that have a value set for the CERT_KEY_PROV_INFO_PROP_ID property of the certificate.
CERT_SELECT_HAS_PRIVATE_KEY = 0x00000008,
///
/// Select certificates on which the value of the dwKeySpec member of the CERT_KEY_PROV_INFO_PROP_ID property is set to AT_SIGNATURE.
///
/// If this function is being called as part of a CNG enabled application and the dwKeySpec member of the
/// CERT_KEY_PROV_INFO_PROP_ID property is set to -1, select certificates on which the value of the NCRYPT_KEY_USAGE_PROPERTY
/// property of the associated private key has the NCRYPT_ALLOW_SIGNING_FLAG set.
///
///
CERT_SELECT_HAS_KEY_FOR_SIGNATURE = 0x00000010,
///
/// Select certificates on which the value of the dwKeySpec member of the CERT_KEY_PROV_INFO_PROP_ID property is set to AT_KEYEXCHANGE.
///
/// If this function is being called as part of a CNG enabled application and the dwKeySpec member of the
/// CERT_KEY_PROV_INFO_PROP_ID property is set to -1, select certificates on which either NCRYPT_ALLOW_DECRYPT_FLAG or
/// NCRYPT_ALLOW_KEY_AGREEMENT_FLAG is set.
///
///
CERT_SELECT_HAS_KEY_FOR_KEY_EXCHANGE = 0x00000020,
///
/// Select certificates on which the value of the PP_IMPTYPE property of the associated private key provider is set to either
/// CRYPT_IMPL_HARDWARE or CRYPT_IMPL_REMOVABLE. (For CNG providers, NCRYPT_IMPL_TYPE_PROPERTY property value MUST have either
/// the NCRYPT_IMPL_HARDWARE_FLAG or NCRYPT_IMPL_REMOVABLE_FLAG bit set).
///
/// If this function is being called as part of a CNG enabled application, select certificates on which the
/// NCRYPT_IMPL_TYPE_PROPERTY property is set to NCRYPT_IMPL_HARDWARE_FLAG or NCRYPT_IMPL_REMOVABLE_FLAG.
///
///
CERT_SELECT_HARDWARE_ONLY = 0x00000040,
///
/// Allow the selection of certificates on which the Subject and Subject Alt Name contain the same information and the
/// certificate template extension value is equivalent. By default when certificates match this criteria, only the most recent
/// certificate is selected.
///
CERT_SELECT_ALLOW_DUPLICATES = 0x00000080,
///
CERT_SELECT_IGNORE_AUTOSELECT = 0x00000100,
}
/// A set of flags that specify how the information should be retrieved.
[Flags]
public enum CryptRetrievalFlags
{
///
/// Validates the content retrieved by a wire URL before writing the URL to the cache. The default provider does not support the
/// HTTPS protocol for AIA retrievals.
///
CRYPT_AIA_RETRIEVAL = 0x00080000,
/// This value is not supported.
CRYPT_ASYNC_RETRIEVAL = 0x00000010,
/// Retrieves the encoded bits from the URL cache only. Do not use the wire to retrieve the URL.
CRYPT_CACHE_ONLY_RETRIEVAL = 0x00000002,
/// The crypt create new flush entry
CRYPT_CREATE_NEW_FLUSH_ENTRY = 0x10000000,
/// Does not store the retrieved encoded bits to the URL cache. If this flag is not set, the retrieved URL is cached.
CRYPT_DONT_CACHE_RESULT = 0x00000008,
/// The crypt enable file retrieval
CRYPT_ENABLE_FILE_RETRIEVAL = 0x08000000,
/// The crypt enable SSL revocation retrieval
CRYPT_ENABLE_SSL_REVOCATION_RETRIEVAL = 0x00800000,
///
/// Uses the POST method instead of the default GET method for HTTP retrievals.
/// In a POST URL, additional binary data and header strings are appended to the base URL in the following format:
/// BaseURL/OptionalURLEscaped&Base64EncodedAdditionalData?OptionalAdditionalHTTPHeaders
///
/// The following example shows the additional binary data delimited by the last slash mark (/) and a Content-Type header
/// delimited by a question mark (?) appended to a base URL.
///
///
/// http://ocsp.openvalidation.org/MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdKNEwjytjKBQADcgM61jfflNpyQQUv1NDgnjQnsOA5RtnygUA37lIg6UCAQI%3D?Content-Type: application/ocsp-request
///
///
/// When this flag is set, the CryptRetrieveObjectByUrl function parses the URL by using the last slash mark
/// (/) and question mark (?) delimiters. The string, which is delimited by a slash mark (/), contains an unescaped URL (that
/// is, a plain text URL without escape characters or escape sequences) and Base64 data decoded into binary form before being
/// passed to the WinHttpSendRequest function as the lpOptional parameter. The string delimited by a question mark (?) is passed
/// to the WinHttpSendRequest function as the pwszHeaders parameter.
///
///
CRYPT_HTTP_POST_RETRIEVAL = 0x00100000,
///
/// Performs A-Record-only DNS lookup on the supplied host string, preventing the generation of false DNS queries when resolving
/// host names. This flag should be used when passing a host name as opposed to a domain name.
///
CRYPT_LDAP_AREC_EXCLUSIVE_RETRIEVAL = 0x00040000,
///
/// Retrieves the entry index and attribute name for each LDAP object. The beginning of each returned BLOB contains the
/// following ANSI string:
/// "entry index in decimal\0attribute name\0"
/// When this flag is set, pszObjectOid must be NULL so that a BLOB is returned. This flag only applies to the ldap scheme.
///
CRYPT_LDAP_INSERT_ENTRY_ATTRIBUTE = 0x00008000,
/// Fails if the LDAP search scope is not set to base in the URL. Use with LDAP only.
CRYPT_LDAP_SCOPE_BASE_ONLY_RETRIEVAL = 0x00002000,
///
/// Digitally signs all of the LDAP traffic to and from a server by using the Kerberos authentication protocol. This feature
/// provides integrity required by some applications.
///
CRYPT_LDAP_SIGN_RETRIEVAL = 0x00010000,
/// Inhibits automatic authentication handling.
CRYPT_NO_AUTH_RETRIEVAL = 0x00020000,
///
/// Enables a conditional HTTP URL retrieval. When this flag is set, for a conditional retrieval that returns
/// HTTP_STATUS_NOT_MODIFIED, CryptRetrieveObjectByUrl returns TRUE and ppvObject is set to NULL. If pAuxInfo is not NULL,
/// dwHttpStatusCode is set to HTTP_STATUS_NOT_MODIFIED. Otherwise, ppvObject is updated for a successful retrieval.
///
CRYPT_NOT_MODIFIED_RETRIEVAL = 0x00400000,
///
/// Keeps track of offline failures and delays before hitting the wire on subsequent retrievals. This value is for wire
/// retrieval only.
///
CRYPT_OFFLINE_CHECK_RETRIEVAL = 0x00004000,
///
/// Enables proxy cache retrieval of an object. If a proxy cache was not explicitly bypassed, fProxyCacheRetrieval is set to
/// TRUE in pAuxInfo. This value only applies to HTTP URL retrievals.
///
CRYPT_PROXY_CACHE_RETRIEVAL = 0x00200000,
///
CRYPT_RANDOM_QUERY_STRING_RETRIEVAL = 0x04000000,
///
/// Retrieves multiple objects if available. All objects must be of a homogeneous object type as determined by the value of
/// pszObjectOid, unless the object identifier (OID) value is CONTEXT_OID_CAPI2_ANY.
///
CRYPT_RETRIEVE_MULTIPLE_OBJECTS = 0x00000001,
/// Tags the URL as exempt from being flushed from the cache. For more information, see STICKY_CACHE_ENTRY in INTERNET_CACHE_ENTRY_INFO.
CRYPT_STICKY_CACHE_RETRIEVAL = 0x00001000,
/// Retrieves the encoded bits from the wire only. Does not use the URL cache.
CRYPT_WIRE_ONLY_RETRIEVAL = 0x00000004,
}
/// The CertAddCertificateContextToStore function adds a certificate context to the certificate store.
/// Handle of a certificate store.
/// A pointer to the CERT_CONTEXT structure to be added to the store.
///
///
/// Specifies the action to take if a matching certificate or a link to a matching certificate already exists in the store.
/// Currently defined disposition values and their uses are as follows.
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_STORE_ADD_ALWAYS
///
/// The function makes no check for an existing matching certificate or link to a matching certificate. A new certificate is always
/// added to the store. This can lead to duplicates in a store.
///
///
/// -
/// CERT_STORE_ADD_NEW
///
/// If a matching certificate or a link to a matching certificate exists, the operation fails. GetLastError returns the
/// CRYPT_E_EXISTS code.
///
///
/// -
/// CERT_STORE_ADD_NEWER
///
/// If a matching certificate or a link to a matching certificate exists and the NotBefore time of the existing context is equal to
/// or greater than the NotBefore time of the new context being added, the operation fails and GetLastError returns the
/// CRYPT_E_EXISTS code. If the NotBefore time of the existing context is less than the NotBefore time of the new context being
/// added, the existing certificate or link is deleted and a new certificate is created and added to the store. If a matching
/// certificate or a link to a matching certificate does not exist, a new link is added. If certificate revocation lists (CRLs) or
/// certificate trust list (CTLs) are being compared, the ThisUpdate time is used.
///
///
/// -
/// CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES
///
/// If a matching certificate or a link to a matching certificate exists and the NotBefore time of the existing context is equal to
/// or greater than the NotBefore time of the new context being added, the operation fails and GetLastError returns the
/// CRYPT_E_EXISTS code. If the NotBefore time of the existing context is less than the NotBefore time of the new context being
/// added, the existing context is deleted before creating and adding the new context. The new added context inherits properties
/// from the existing certificate. If CRLs or CTLs are being compared, the ThisUpdate time is used.
///
///
/// -
/// CERT_STORE_ADD_REPLACE_EXISTING
///
/// If a link to a matching certificate exists, that existing certificate or link is deleted and a new certificate is created and
/// added to the store. If a matching certificate or a link to a matching certificate does not exist, a new link is added.
///
///
/// -
/// CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES
///
/// If a matching certificate exists in the store, the existing context is not replaced. The existing context inherits properties
/// from the new certificate.
///
///
/// -
/// CERT_STORE_ADD_USE_EXISTING
///
/// If a matching certificate or a link to a matching certificate exists, that existing certificate or link is used and properties
/// from the new certificate are added. The function does not fail, but it does not add a new context. If pCertContext is not NULL,
/// the existing context is duplicated. If a matching certificate or a link to a matching certificate does not exist, a new
/// certificate is added.
///
///
///
///
///
/// A pointer to a pointer to the copy to be made of the certificate that was added to the store.
///
/// The ppStoreContext parameter can be NULL, indicating that the calling application does not require a copy of the added
/// certificate. If a copy is made, it must be freed by using CertFreeCertificateContext.
///
///
///
/// If the function succeeds, the return value is TRUE.
///
/// If the function fails, the return value is FALSE. For extended error information, call GetLastError. Some possible error
/// codes follow.
///
///
///
/// Return code
/// Description
///
/// -
/// CRYPT_E_EXISTS
///
/// This value is returned if CERT_STORE_ADD_NEW is set and the certificate already exists in the store, or if CERT_STORE_ADD_NEWER
/// is set and a certificate exists in the store with a NotBefore date greater than or equal to the NotBefore date on the
/// certificate to be added.
///
///
/// -
/// E_INVALIDARG
/// A disposition value that is not valid was specified in the dwAddDisposition parameter.
///
///
///
/// Errors from the called functions, CertAddEncodedCertificateToStore and CertSetCertificateContextProperty, can be propagated to
/// this function.
///
///
///
///
/// The certificate context is not duplicated using CertDuplicateCertificateContext. Instead, the function creates a new copy of the
/// context and adds it to the store.
///
///
/// In addition to the encoded certificate, CertDuplicateCertificateContext also copies the context's properties, with the exception
/// of the CERT_KEY_PROV_HANDLE_PROP_ID and CERT_KEY_CONTEXT_PROP_ID properties.
///
/// To remove the certificate context from the certificate store, use the CertDeleteCertificateFromStore function.
///
/// Note The order of the certificate context may not be preserved within the store. To access a specific certificate you
/// must iterate across the certificates in the store.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certaddcertificatecontexttostore BOOL
// CertAddCertificateContextToStore( HCERTSTORE hCertStore, PCCERT_CONTEXT pCertContext, DWORD dwAddDisposition, PCCERT_CONTEXT
// *ppStoreContext );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "5e4d8cae-1096-491f-9a04-92b7e9c020bb")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CertAddCertificateContextToStore(HCERTSTORE hCertStore, PCCERT_CONTEXT pCertContext, CertStoreAdd dwAddDisposition, out SafePCCERT_CONTEXT ppStoreContext);
/// The CertAddCertificateContextToStore function adds a certificate context to the certificate store.
/// Handle of a certificate store.
/// A pointer to the CERT_CONTEXT structure to be added to the store.
///
///
/// Specifies the action to take if a matching certificate or a link to a matching certificate already exists in the store.
/// Currently defined disposition values and their uses are as follows.
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_STORE_ADD_ALWAYS
///
/// The function makes no check for an existing matching certificate or link to a matching certificate. A new certificate is always
/// added to the store. This can lead to duplicates in a store.
///
///
/// -
/// CERT_STORE_ADD_NEW
///
/// If a matching certificate or a link to a matching certificate exists, the operation fails. GetLastError returns the
/// CRYPT_E_EXISTS code.
///
///
/// -
/// CERT_STORE_ADD_NEWER
///
/// If a matching certificate or a link to a matching certificate exists and the NotBefore time of the existing context is equal to
/// or greater than the NotBefore time of the new context being added, the operation fails and GetLastError returns the
/// CRYPT_E_EXISTS code. If the NotBefore time of the existing context is less than the NotBefore time of the new context being
/// added, the existing certificate or link is deleted and a new certificate is created and added to the store. If a matching
/// certificate or a link to a matching certificate does not exist, a new link is added. If certificate revocation lists (CRLs) or
/// certificate trust list (CTLs) are being compared, the ThisUpdate time is used.
///
///
/// -
/// CERT_STORE_ADD_NEWER_INHERIT_PROPERTIES
///
/// If a matching certificate or a link to a matching certificate exists and the NotBefore time of the existing context is equal to
/// or greater than the NotBefore time of the new context being added, the operation fails and GetLastError returns the
/// CRYPT_E_EXISTS code. If the NotBefore time of the existing context is less than the NotBefore time of the new context being
/// added, the existing context is deleted before creating and adding the new context. The new added context inherits properties
/// from the existing certificate. If CRLs or CTLs are being compared, the ThisUpdate time is used.
///
///
/// -
/// CERT_STORE_ADD_REPLACE_EXISTING
///
/// If a link to a matching certificate exists, that existing certificate or link is deleted and a new certificate is created and
/// added to the store. If a matching certificate or a link to a matching certificate does not exist, a new link is added.
///
///
/// -
/// CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES
///
/// If a matching certificate exists in the store, the existing context is not replaced. The existing context inherits properties
/// from the new certificate.
///
///
/// -
/// CERT_STORE_ADD_USE_EXISTING
///
/// If a matching certificate or a link to a matching certificate exists, that existing certificate or link is used and properties
/// from the new certificate are added. The function does not fail, but it does not add a new context. If pCertContext is not NULL,
/// the existing context is duplicated. If a matching certificate or a link to a matching certificate does not exist, a new
/// certificate is added.
///
///
///
///
///
/// A pointer to a pointer to the copy to be made of the certificate that was added to the store.
///
/// The ppStoreContext parameter can be NULL, indicating that the calling application does not require a copy of the added
/// certificate. If a copy is made, it must be freed by using CertFreeCertificateContext.
///
///
///
/// If the function succeeds, the return value is TRUE.
///
/// If the function fails, the return value is FALSE. For extended error information, call GetLastError. Some possible error
/// codes follow.
///
///
///
/// Return code
/// Description
///
/// -
/// CRYPT_E_EXISTS
///
/// This value is returned if CERT_STORE_ADD_NEW is set and the certificate already exists in the store, or if CERT_STORE_ADD_NEWER
/// is set and a certificate exists in the store with a NotBefore date greater than or equal to the NotBefore date on the
/// certificate to be added.
///
///
/// -
/// E_INVALIDARG
/// A disposition value that is not valid was specified in the dwAddDisposition parameter.
///
///
///
/// Errors from the called functions, CertAddEncodedCertificateToStore and CertSetCertificateContextProperty, can be propagated to
/// this function.
///
///
///
///
/// The certificate context is not duplicated using CertDuplicateCertificateContext. Instead, the function creates a new copy of the
/// context and adds it to the store.
///
///
/// In addition to the encoded certificate, CertDuplicateCertificateContext also copies the context's properties, with the exception
/// of the CERT_KEY_PROV_HANDLE_PROP_ID and CERT_KEY_CONTEXT_PROP_ID properties.
///
/// To remove the certificate context from the certificate store, use the CertDeleteCertificateFromStore function.
///
/// Note The order of the certificate context may not be preserved within the store. To access a specific certificate you
/// must iterate across the certificates in the store.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certaddcertificatecontexttostore BOOL
// CertAddCertificateContextToStore( HCERTSTORE hCertStore, PCCERT_CONTEXT pCertContext, DWORD dwAddDisposition, PCCERT_CONTEXT
// *ppStoreContext );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "5e4d8cae-1096-491f-9a04-92b7e9c020bb")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CertAddCertificateContextToStore(HCERTSTORE hCertStore, PCCERT_CONTEXT pCertContext, CertStoreAdd dwAddDisposition, [Optional] IntPtr ppStoreContext);
///
/// The CertAddCertificateLinkToStore function adds a link in a certificate store to a certificate context in a different
/// store. Instead of creating and adding a duplicate of the certificate context, this function adds a link to the original certificate.
///
/// A handle to the certificate store where the link is to be added.
/// A pointer to the CERT_CONTEXT structure to be linked.
///
///
/// Specifies the action if a matching certificate or a link to a matching certificate already exists in the store. Currently
/// defined disposition values and their uses are as follows.
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_STORE_ADD_ALWAYS
///
/// The function makes no check for an existing matching certificate or link to a matching certificate. A new certificate is always
/// added to the store. This can lead to duplicates in a store.
///
///
/// -
/// CERT_STORE_ADD_NEW
///
/// If a matching certificate or a link to a matching certificate exists, the operation fails. GetLastError returns the
/// CRYPT_E_EXISTS code.
///
///
/// -
/// CERT_STORE_ADD_REPLACE_EXISTING
///
/// If a link to a matching certificate exists, that existing link is deleted and a new link is created and added to the store. If
/// no matching certificate or link to a matching certificate exists, one is added.
///
///
/// -
/// CERT_STORE_ADD_USE_EXISTING
///
/// If a matching certificate or a link to a matching certificate exists, the existing certificate is used. The function does not
/// fail, but no new link is added. If no matching certificate or link to a matching certificate exists, a new link is added.
///
///
///
///
///
/// A pointer to a pointer to a copy of the link created. The ppStoreContext parameter can be NULL to indicate that a copy of
/// the link is not needed. If a copy of the link is created, that copy must be freed using the CertFreeCertificateContext function.
///
///
/// If the function succeeds, the return value is TRUE.
///
/// If the function fails, the return value is FALSE. For extended error information, call GetLastError. Some possible error
/// codes follow.
///
///
///
/// Return code
/// Description
///
/// -
/// CRYPT_E_EXISTS
/// For a dwAddDisposition parameter of CERT_STORE_ADD_NEW, the certificate already exists in the store.
///
/// -
/// E_INVALIDARG
/// A disposition value that is not valid was specified in the dwAddDisposition parameter.
///
///
///
///
///
/// Because the link provides access to the original certificate context, setting an extended property in the linked certificate
/// context changes that extended property in the certificate's original location and in any other links to that certificate.
///
///
/// Links cannot be added to a store opened as a collection. Stores opened as collections include all stores opened with
/// CertOpenSystemStore or CertOpenStore using CERT_STORE_PROV_SYSTEM or CERT_STORE_PROV_COLLECTION. For more information, see CertAddStoreToCollection.
///
///
/// If links are used and CertCloseStore is called with CERT_CLOSE_STORE_FORCE_FLAG, the store that uses links must be closed before
/// the store that contains the original contexts is closed. If CERT_CLOSE_STORE_FORCE_FLAG is not used, the two stores can be
/// closed in either order.
///
/// To remove the certificate context link from the certificate store, use the CertDeleteCertificateFromStore function.
/// Examples
///
/// For an example that uses this function, see Example C Program: Certificate Store Operations. For additional code that uses this
/// function, see Example C Program: Collection and Sibling Certificate Store Operations.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certaddcertificatelinktostore BOOL
// CertAddCertificateLinkToStore( HCERTSTORE hCertStore, PCCERT_CONTEXT pCertContext, DWORD dwAddDisposition, PCCERT_CONTEXT
// *ppStoreContext );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "bcbf7755-d0ce-4dd5-8462-72760364fdc3")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CertAddCertificateLinkToStore(HCERTSTORE hCertStore, PCCERT_CONTEXT pCertContext, CertStoreAdd dwAddDisposition, out SafePCCERT_CONTEXT ppStoreContext);
///
/// The CertAddCertificateLinkToStore function adds a link in a certificate store to a certificate context in a different
/// store. Instead of creating and adding a duplicate of the certificate context, this function adds a link to the original certificate.
///
/// A handle to the certificate store where the link is to be added.
/// A pointer to the CERT_CONTEXT structure to be linked.
///
///
/// Specifies the action if a matching certificate or a link to a matching certificate already exists in the store. Currently
/// defined disposition values and their uses are as follows.
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_STORE_ADD_ALWAYS
///
/// The function makes no check for an existing matching certificate or link to a matching certificate. A new certificate is always
/// added to the store. This can lead to duplicates in a store.
///
///
/// -
/// CERT_STORE_ADD_NEW
///
/// If a matching certificate or a link to a matching certificate exists, the operation fails. GetLastError returns the
/// CRYPT_E_EXISTS code.
///
///
/// -
/// CERT_STORE_ADD_REPLACE_EXISTING
///
/// If a link to a matching certificate exists, that existing link is deleted and a new link is created and added to the store. If
/// no matching certificate or link to a matching certificate exists, one is added.
///
///
/// -
/// CERT_STORE_ADD_USE_EXISTING
///
/// If a matching certificate or a link to a matching certificate exists, the existing certificate is used. The function does not
/// fail, but no new link is added. If no matching certificate or link to a matching certificate exists, a new link is added.
///
///
///
///
///
/// A pointer to a pointer to a copy of the link created. The ppStoreContext parameter can be NULL to indicate that a copy of
/// the link is not needed. If a copy of the link is created, that copy must be freed using the CertFreeCertificateContext function.
///
///
/// If the function succeeds, the return value is TRUE.
///
/// If the function fails, the return value is FALSE. For extended error information, call GetLastError. Some possible error
/// codes follow.
///
///
///
/// Return code
/// Description
///
/// -
/// CRYPT_E_EXISTS
/// For a dwAddDisposition parameter of CERT_STORE_ADD_NEW, the certificate already exists in the store.
///
/// -
/// E_INVALIDARG
/// A disposition value that is not valid was specified in the dwAddDisposition parameter.
///
///
///
///
///
/// Because the link provides access to the original certificate context, setting an extended property in the linked certificate
/// context changes that extended property in the certificate's original location and in any other links to that certificate.
///
///
/// Links cannot be added to a store opened as a collection. Stores opened as collections include all stores opened with
/// CertOpenSystemStore or CertOpenStore using CERT_STORE_PROV_SYSTEM or CERT_STORE_PROV_COLLECTION. For more information, see CertAddStoreToCollection.
///
///
/// If links are used and CertCloseStore is called with CERT_CLOSE_STORE_FORCE_FLAG, the store that uses links must be closed before
/// the store that contains the original contexts is closed. If CERT_CLOSE_STORE_FORCE_FLAG is not used, the two stores can be
/// closed in either order.
///
/// To remove the certificate context link from the certificate store, use the CertDeleteCertificateFromStore function.
/// Examples
///
/// For an example that uses this function, see Example C Program: Certificate Store Operations. For additional code that uses this
/// function, see Example C Program: Collection and Sibling Certificate Store Operations.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certaddcertificatelinktostore BOOL
// CertAddCertificateLinkToStore( HCERTSTORE hCertStore, PCCERT_CONTEXT pCertContext, DWORD dwAddDisposition, PCCERT_CONTEXT
// *ppStoreContext );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "bcbf7755-d0ce-4dd5-8462-72760364fdc3")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CertAddCertificateLinkToStore(HCERTSTORE hCertStore, PCCERT_CONTEXT pCertContext, CertStoreAdd dwAddDisposition, [Optional] IntPtr ppStoreContext);
///
///
/// The CertAddEncodedCertificateToStore function creates a certificate context from an encoded certificate and adds it to
/// the certificate store. The context created does not include any extended properties.
///
///
/// The CertAddEncodedCertificateToStore function also makes a copy of the encoded certificate before adding the certificate
/// to the store.
///
///
/// A handle to the certificate store.
///
///
/// Specifies the type of encoding used. It is always acceptable to specify both the certificate and message encoding types by
/// combining them with a bitwise- OR operation as shown in the following example:
///
/// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING Currently defined encoding types are:
///
/// -
/// X509_ASN_ENCODING
///
/// -
/// PKCS_7_ASN_ENCODING
///
///
///
///
/// A pointer to a buffer containing the encoded certificate that is to be added to the certificate store.
///
/// The size, in bytes, of the pbCertEncoded buffer.
///
///
/// Specifies the action to take if a matching certificate or link to a matching certificate exists in the store. Currently defined
/// disposition values and their uses are as follows.
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_STORE_ADD_ALWAYS
///
/// The function makes no check for an existing matching certificate or link to a matching certificate. A new certificate is always
/// added to the store. This can lead to duplicates in a store.
///
///
/// -
/// CERT_STORE_ADD_NEW
///
/// If a matching certificate or a link to a matching certificate exists in the store, the operation fails. GetLastError returns the
/// CRYPT_E_EXISTS code.
///
///
/// -
/// CERT_STORE_ADD_REPLACE_EXISTING
///
/// If a matching certificate or link to a matching certificate exists in the store, the existing certificate or link is deleted and
/// a new certificate is created and added to the store. If a matching certificate or link to a matching certificate does not exist,
/// a new certificate is created and added to the store.
///
///
/// -
/// CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES
///
/// If a matching certificate exists in the store, that existing context is deleted before creating and adding the new context. The
/// new context inherits properties from the existing certificate.
///
///
/// -
/// CERT_STORE_ADD_USE_EXISTING
///
/// If a matching certificate or a link to a matching certificate exists, that existing certificate or link is used and properties
/// from the new certificate are added. The function does not fail, but it does not add a new context. If ppCertContext is not NULL,
/// the existing context is duplicated. If a matching certificate or link to a matching certificate does not exist, a new
/// certificate is added.
///
///
///
///
///
/// A pointer to a pointer to the decoded certificate context. This is an optional parameter that can be NULL, indicating
/// that the calling application does not require a copy of the new or existing certificate. When a copy is made, its context must
/// be freed by using CertFreeCertificateContext.
///
///
/// If the function succeeds, the return value is TRUE.
///
/// If the function fails, the return value is FALSE. For extended error information, call GetLastError. Some possible error
/// codes follow.
///
///
///
/// Return code
/// Description
///
/// -
/// CRYPT_E_EXISTS
///
/// This code is returned if CERT_STORE_ADD_NEW is set and the certificate already exists in the store, or if CERT_STORE_ADD_NEWER
/// is set and there is a certificate in the store with a NotBefore date greater than or equal to the NotBefore date on the
/// certificate to be added.
///
///
/// -
/// E_INVALIDARG
///
/// A disposition value that is not valid was specified in the dwAddDisposition parameter, or a certificate encoding type that is
/// not valid was specified. Currently, only the X509_ASN_ENCODING type is supported.
///
///
///
///
/// If the function fails, GetLastError returns an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information
/// about these errors, see ASN.1 Encoding/Decoding Return Values.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certaddencodedcertificatetostore BOOL
// CertAddEncodedCertificateToStore( HCERTSTORE hCertStore, DWORD dwCertEncodingType, const BYTE *pbCertEncoded, DWORD
// cbCertEncoded, DWORD dwAddDisposition, PCCERT_CONTEXT *ppCertContext );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "7c092bf5-f8b2-47d0-94ee-c8e0f4bca62d")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CertAddEncodedCertificateToStore(HCERTSTORE hCertStore, CertEncodingType dwCertEncodingType, [In] IntPtr pbCertEncoded, uint cbCertEncoded, CertStoreAdd dwAddDisposition, out SafePCCERT_CONTEXT ppCertContext);
///
///
/// The CertAddEncodedCertificateToStore function creates a certificate context from an encoded certificate and adds it to
/// the certificate store. The context created does not include any extended properties.
///
///
/// The CertAddEncodedCertificateToStore function also makes a copy of the encoded certificate before adding the certificate
/// to the store.
///
///
/// A handle to the certificate store.
///
///
/// Specifies the type of encoding used. It is always acceptable to specify both the certificate and message encoding types by
/// combining them with a bitwise- OR operation as shown in the following example:
///
/// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING Currently defined encoding types are:
///
/// -
/// X509_ASN_ENCODING
///
/// -
/// PKCS_7_ASN_ENCODING
///
///
///
///
/// A pointer to a buffer containing the encoded certificate that is to be added to the certificate store.
///
/// The size, in bytes, of the pbCertEncoded buffer.
///
///
/// Specifies the action to take if a matching certificate or link to a matching certificate exists in the store. Currently defined
/// disposition values and their uses are as follows.
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_STORE_ADD_ALWAYS
///
/// The function makes no check for an existing matching certificate or link to a matching certificate. A new certificate is always
/// added to the store. This can lead to duplicates in a store.
///
///
/// -
/// CERT_STORE_ADD_NEW
///
/// If a matching certificate or a link to a matching certificate exists in the store, the operation fails. GetLastError returns the
/// CRYPT_E_EXISTS code.
///
///
/// -
/// CERT_STORE_ADD_REPLACE_EXISTING
///
/// If a matching certificate or link to a matching certificate exists in the store, the existing certificate or link is deleted and
/// a new certificate is created and added to the store. If a matching certificate or link to a matching certificate does not exist,
/// a new certificate is created and added to the store.
///
///
/// -
/// CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES
///
/// If a matching certificate exists in the store, that existing context is deleted before creating and adding the new context. The
/// new context inherits properties from the existing certificate.
///
///
/// -
/// CERT_STORE_ADD_USE_EXISTING
///
/// If a matching certificate or a link to a matching certificate exists, that existing certificate or link is used and properties
/// from the new certificate are added. The function does not fail, but it does not add a new context. If ppCertContext is not NULL,
/// the existing context is duplicated. If a matching certificate or link to a matching certificate does not exist, a new
/// certificate is added.
///
///
///
///
///
/// A pointer to a pointer to the decoded certificate context. This is an optional parameter that can be NULL, indicating
/// that the calling application does not require a copy of the new or existing certificate. When a copy is made, its context must
/// be freed by using CertFreeCertificateContext.
///
///
/// If the function succeeds, the return value is TRUE.
///
/// If the function fails, the return value is FALSE. For extended error information, call GetLastError. Some possible error
/// codes follow.
///
///
///
/// Return code
/// Description
///
/// -
/// CRYPT_E_EXISTS
///
/// This code is returned if CERT_STORE_ADD_NEW is set and the certificate already exists in the store, or if CERT_STORE_ADD_NEWER
/// is set and there is a certificate in the store with a NotBefore date greater than or equal to the NotBefore date on the
/// certificate to be added.
///
///
/// -
/// E_INVALIDARG
///
/// A disposition value that is not valid was specified in the dwAddDisposition parameter, or a certificate encoding type that is
/// not valid was specified. Currently, only the X509_ASN_ENCODING type is supported.
///
///
///
///
/// If the function fails, GetLastError returns an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information
/// about these errors, see ASN.1 Encoding/Decoding Return Values.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certaddencodedcertificatetostore BOOL
// CertAddEncodedCertificateToStore( HCERTSTORE hCertStore, DWORD dwCertEncodingType, const BYTE *pbCertEncoded, DWORD
// cbCertEncoded, DWORD dwAddDisposition, PCCERT_CONTEXT *ppCertContext );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "7c092bf5-f8b2-47d0-94ee-c8e0f4bca62d")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CertAddEncodedCertificateToStore(HCERTSTORE hCertStore, CertEncodingType dwCertEncodingType, [In] IntPtr pbCertEncoded, uint cbCertEncoded, CertStoreAdd dwAddDisposition, [Optional] IntPtr ppCertContext);
///
/// The CertAddRefServerOcspResponse function increments the reference count for an HCERT_SERVER_OCSP_RESPONSE handle.
///
/// A handle to an HCERT_SERVER_OCSP_RESPONSE returned by CertOpenServerOcspResponse.
/// This function has no return value.
/// Each CertOpenServerOcspResponse and CertAddRefServerOcspResponse requires a corresponding CertCloseServerOcspResponse.
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certaddrefserverocspresponse void
// CertAddRefServerOcspResponse( HCERT_SERVER_OCSP_RESPONSE hServerOcspResponse );
[DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "6ccc0e85-1fa0-480c-a5b4-b21ba811e5d0")]
public static extern void CertAddRefServerOcspResponse(HCERT_SERVER_OCSP_RESPONSE hServerOcspResponse);
///
/// The CertAddRefServerOcspResponseContext function increments the reference count for a CERT_SERVER_OCSP_RESPONSE_CONTEXT structure.
///
/// A pointer to a CERT_SERVER_OCSP_RESPONSE_CONTEXT returned by CertGetServerOcspResponseContext.
/// The function has no return value.
///
/// Each call to CertGetServerOcspResponseContext and CertAddRefServerOcspResponseContext requires a corresponding call to CertFreeServerOcspResponseContext.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certaddrefserverocspresponsecontext void
// CertAddRefServerOcspResponseContext( PCCERT_SERVER_OCSP_RESPONSE_CONTEXT pServerOcspResponseContext );
[DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "b7cdce9b-25fe-4fb9-b266-61989793699b")]
public static extern void CertAddRefServerOcspResponseContext(PCCERT_SERVER_OCSP_RESPONSE_CONTEXT pServerOcspResponseContext);
///
/// The CertCloseServerOcspResponse function closes an online certificate status protocol (OCSP) server response handle.
///
/// The handle to close for an OCSP server response.
/// This parameter is not used and must be zero.
/// This function does not return a value.
///
/// The CertCloseServerOcspResponse function closes a handle returned by either the CertOpenServerOcspResponse or
/// CertAddRefServerOcspResponse function.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certcloseserverocspresponse void
// CertCloseServerOcspResponse( HCERT_SERVER_OCSP_RESPONSE hServerOcspResponse, DWORD dwFlags );
[DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "6247e8ca-ba12-432f-9bf8-a6c644f253e9")]
public static extern void CertCloseServerOcspResponse(HCERT_SERVER_OCSP_RESPONSE hServerOcspResponse, uint dwFlags = 0);
///
/// The CertCreateCertificateContext function creates a certificate context from an encoded certificate. The created context
/// is not persisted to a certificate store. The function makes a copy of the encoded certificate within the created context.
///
///
///
/// Specifies the type of encoding used. It is always acceptable to specify both the certificate and message encoding types by
/// combining them with a bitwise- OR operation as shown in the following example:
///
/// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING Currently defined encoding types are:
///
/// -
/// X509_ASN_ENCODING
///
/// -
/// PKCS_7_ASN_ENCODING
///
///
///
/// A pointer to a buffer that contains the encoded certificate from which the context is to be created.
/// The size, in bytes, of the pbCertEncoded buffer.
///
///
/// If the function succeeds, the function returns a pointer to a read-only CERT_CONTEXT. When you have finished using the
/// certificate context, free it by calling the CertFreeCertificateContext function.
///
///
/// If the function is unable to decode and create the certificate context, it returns NULL. For extended error information,
/// call GetLastError. Some possible error codes follow.
///
///
///
/// Return code
/// Description
///
/// -
/// E_INVALIDARG
/// A certificate encoding type that is not valid was specified. Currently, only the X509_ASN_ENCODING type is supported.
///
///
///
/// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information
/// about these errors, see ASN.1 Encoding/Decoding Return Values.
///
///
///
///
/// The CERT_CONTEXT must be freed by calling CertFreeCertificateContext. CertDuplicateCertificateContext can be called to make a
/// duplicate. CertSetCertificateContextProperty and CertGetCertificateContextProperty can be called to store and read properties
/// for the certificate.
///
/// Examples
///
/// The following example shows creating a certificate context from an encoded certificate. The created context is not put in a
/// certificate store. For another example that uses this function, see Example C Program: Certificate Store Operations.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certcreatecertificatecontext PCCERT_CONTEXT
// CertCreateCertificateContext( DWORD dwCertEncodingType, const BYTE *pbCertEncoded, DWORD cbCertEncoded );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "a32714c4-ee88-48a8-a40a-bbbfec0613ac")]
public static extern SafePCCERT_CONTEXT CertCreateCertificateContext(CertEncodingType dwCertEncodingType, [In] IntPtr pbCertEncoded, uint cbCertEncoded);
///
/// The CertCreateSelfSignCertificate function builds a self-signed certificate and returns a pointer to a CERT_CONTEXT
/// structure that represents the certificate.
///
///
///
/// A handle of a cryptographic provider used to sign the certificate created. If NULL, information from the pKeyProvInfo
/// parameter is used to acquire the needed handle. If pKeyProvInfo is also NULL, the default provider type, PROV_RSA_FULL
/// provider type, the default key specification, AT_SIGNATURE, and a newly created key container with a unique container name are used.
///
///
/// This handle must be an HCRYPTPROV handle that has been created by using the CryptAcquireContext function or an
/// NCRYPT_KEY_HANDLE handle that has been created by using the NCryptOpenKey function. New applications should always pass
/// in the NCRYPT_KEY_HANDLE handle of a CNG cryptographic service provider (CSP).
///
///
///
/// A pointer to a BLOB that contains the distinguished name (DN) for the certificate subject. This parameter cannot be NULL.
/// Minimally, a pointer to an empty DN must be provided. This BLOB is normally created by using the CertStrToName function. It can
/// also be created by using the CryptEncodeObject function and specifying either the X509_NAME or X509_UNICODE_NAME StructType.
///
///
///
/// A set of flags that override the default behavior of this function. This can be zero or a combination of one or more of the
/// following values.
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_CREATE_SELFSIGN_NO_KEY_INFO 2
///
/// By default, the returned PCCERT_CONTEXT references the private keys by setting the CERT_KEY_PROV_INFO_PROP_ID. If you do not
/// want the returned PCCERT_CONTEXT to reference private keys by setting the CERT_KEY_PROV_INFO_PROP_ID, specify CERT_CREATE_SELFSIGN_NO_KEY_INFO.
///
///
/// -
/// CERT_CREATE_SELFSIGN_NO_SIGN 1
///
/// By default, the certificate being created is signed. If the certificate being created is only a dummy placeholder, the
/// certificate might not need to be signed. Signing of the certificate is skipped if CERT_CREATE_SELFSIGN_NO_SIGN is specified.
///
///
///
///
///
///
/// A pointer to a CRYPT_KEY_PROV_INFO structure. Before a certificate is created, the CSP is queried for the key provider, key
/// provider type, and the key container name. If the CSP queried does not support these queries, the function fails. If the default
/// provider does not support these queries, a pKeyProvInfo value must be specified. The RSA BASE does support these queries.
///
///
/// If the pKeyProvInfo parameter is not NULL, the corresponding values are set in the CERT_KEY_PROV_INFO_PROP_ID
/// value of the generated certificate. You must ensure that all parameters of the supplied structure are correctly specified.
///
///
///
/// A pointer to a CRYPT_ALGORITHM_IDENTIFIER structure. If NULL, the default algorithm, SHA1RSA, is used.
///
/// A pointer to a SYSTEMTIME structure. If NULL, the system current time is used by default.
///
/// A pointer to a SYSTEMTIME structure. If NULL, the pStartTime value plus one year will be used by default.
///
///
/// A pointer to a CERT_EXTENSIONS array of CERT_EXTENSION structures. By default, the array is empty. An alternate subject name, if
/// desired, can be specified as one of these extensions.
///
///
/// If the function succeeds, a PCCERT_CONTEXT variable that points to the created certificate is returned. If the function fails,
/// it returns NULL. For extended error information, call GetLastError.
///
///
/// As the pEndTime must be a valid date, and is automatically generated if it is not supplied by the user, unexpected failures may
/// easily be caused when this API is called on a leap day without accompanying app logic to compensate. For more information,
/// please see leap year readiness.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certcreateselfsigncertificate PCCERT_CONTEXT
// CertCreateSelfSignCertificate( HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, PCERT_NAME_BLOB pSubjectIssuerBlob, DWORD
// dwFlags, PCRYPT_KEY_PROV_INFO pKeyProvInfo, PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, PSYSTEMTIME pStartTime, PSYSTEMTIME
// pEndTime, PCERT_EXTENSIONS pExtensions );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "89028c4e-f896-4c50-9fa2-bcb4e1784244")]
public static extern SafePCCERT_CONTEXT CertCreateSelfSignCertificate(IntPtr hCryptProvOrNCryptKey, in CRYPTOAPI_BLOB pSubjectIssuerBlob, CertCreateSelfSignFlags dwFlags, IntPtr pKeyProvInfo, IntPtr pSignatureAlgorithm, IntPtr pStartTime, IntPtr pEndTime, IntPtr pExtensions);
///
/// The CertCreateSelfSignCertificate function builds a self-signed certificate and returns a pointer to a CERT_CONTEXT
/// structure that represents the certificate.
///
///
///
/// A handle of a cryptographic provider used to sign the certificate created. If NULL, information from the pKeyProvInfo
/// parameter is used to acquire the needed handle. If pKeyProvInfo is also NULL, the default provider type, PROV_RSA_FULL
/// provider type, the default key specification, AT_SIGNATURE, and a newly created key container with a unique container name are used.
///
///
/// This handle must be an HCRYPTPROV handle that has been created by using the CryptAcquireContext function or an
/// NCRYPT_KEY_HANDLE handle that has been created by using the NCryptOpenKey function. New applications should always pass
/// in the NCRYPT_KEY_HANDLE handle of a CNG cryptographic service provider (CSP).
///
///
///
/// A pointer to a BLOB that contains the distinguished name (DN) for the certificate subject. This parameter cannot be NULL.
/// Minimally, a pointer to an empty DN must be provided. This BLOB is normally created by using the CertStrToName function. It can
/// also be created by using the CryptEncodeObject function and specifying either the X509_NAME or X509_UNICODE_NAME StructType.
///
///
///
/// A set of flags that override the default behavior of this function. This can be zero or a combination of one or more of the
/// following values.
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_CREATE_SELFSIGN_NO_KEY_INFO 2
///
/// By default, the returned PCCERT_CONTEXT references the private keys by setting the CERT_KEY_PROV_INFO_PROP_ID. If you do not
/// want the returned PCCERT_CONTEXT to reference private keys by setting the CERT_KEY_PROV_INFO_PROP_ID, specify CERT_CREATE_SELFSIGN_NO_KEY_INFO.
///
///
/// -
/// CERT_CREATE_SELFSIGN_NO_SIGN 1
///
/// By default, the certificate being created is signed. If the certificate being created is only a dummy placeholder, the
/// certificate might not need to be signed. Signing of the certificate is skipped if CERT_CREATE_SELFSIGN_NO_SIGN is specified.
///
///
///
///
///
///
/// A pointer to a CRYPT_KEY_PROV_INFO structure. Before a certificate is created, the CSP is queried for the key provider, key
/// provider type, and the key container name. If the CSP queried does not support these queries, the function fails. If the default
/// provider does not support these queries, a pKeyProvInfo value must be specified. The RSA BASE does support these queries.
///
///
/// If the pKeyProvInfo parameter is not NULL, the corresponding values are set in the CERT_KEY_PROV_INFO_PROP_ID
/// value of the generated certificate. You must ensure that all parameters of the supplied structure are correctly specified.
///
///
///
/// A pointer to a CRYPT_ALGORITHM_IDENTIFIER structure. If NULL, the default algorithm, SHA1RSA, is used.
///
/// A pointer to a SYSTEMTIME structure. If NULL, the system current time is used by default.
///
/// A pointer to a SYSTEMTIME structure. If NULL, the pStartTime value plus one year will be used by default.
///
///
/// A pointer to a CERT_EXTENSIONS array of CERT_EXTENSION structures. By default, the array is empty. An alternate subject name, if
/// desired, can be specified as one of these extensions.
///
///
/// If the function succeeds, a PCCERT_CONTEXT variable that points to the created certificate is returned. If the function fails,
/// it returns NULL. For extended error information, call GetLastError.
///
///
/// As the pEndTime must be a valid date, and is automatically generated if it is not supplied by the user, unexpected failures may
/// easily be caused when this API is called on a leap day without accompanying app logic to compensate. For more information,
/// please see leap year readiness.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certcreateselfsigncertificate PCCERT_CONTEXT
// CertCreateSelfSignCertificate( HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, PCERT_NAME_BLOB pSubjectIssuerBlob, DWORD
// dwFlags, PCRYPT_KEY_PROV_INFO pKeyProvInfo, PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, PSYSTEMTIME pStartTime, PSYSTEMTIME
// pEndTime, PCERT_EXTENSIONS pExtensions );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "89028c4e-f896-4c50-9fa2-bcb4e1784244")]
public static extern SafePCCERT_CONTEXT CertCreateSelfSignCertificate(IntPtr hCryptProvOrNCryptKey, in CRYPTOAPI_BLOB pSubjectIssuerBlob, CertCreateSelfSignFlags dwFlags, in CRYPT_KEY_PROV_INFO pKeyProvInfo, in CRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, IntPtr pStartTime, IntPtr pEndTime, IntPtr pExtensions);
///
/// The CertCreateSelfSignCertificate function builds a self-signed certificate and returns a pointer to a CERT_CONTEXT
/// structure that represents the certificate.
///
///
///
/// A handle of a cryptographic provider used to sign the certificate created. If NULL, information from the pKeyProvInfo
/// parameter is used to acquire the needed handle. If pKeyProvInfo is also NULL, the default provider type, PROV_RSA_FULL
/// provider type, the default key specification, AT_SIGNATURE, and a newly created key container with a unique container name are used.
///
///
/// This handle must be an HCRYPTPROV handle that has been created by using the CryptAcquireContext function or an
/// NCRYPT_KEY_HANDLE handle that has been created by using the NCryptOpenKey function. New applications should always pass
/// in the NCRYPT_KEY_HANDLE handle of a CNG cryptographic service provider (CSP).
///
///
///
/// A pointer to a BLOB that contains the distinguished name (DN) for the certificate subject. This parameter cannot be NULL.
/// Minimally, a pointer to an empty DN must be provided. This BLOB is normally created by using the CertStrToName function. It can
/// also be created by using the CryptEncodeObject function and specifying either the X509_NAME or X509_UNICODE_NAME StructType.
///
///
///
/// A set of flags that override the default behavior of this function. This can be zero or a combination of one or more of the
/// following values.
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_CREATE_SELFSIGN_NO_KEY_INFO 2
///
/// By default, the returned PCCERT_CONTEXT references the private keys by setting the CERT_KEY_PROV_INFO_PROP_ID. If you do not
/// want the returned PCCERT_CONTEXT to reference private keys by setting the CERT_KEY_PROV_INFO_PROP_ID, specify CERT_CREATE_SELFSIGN_NO_KEY_INFO.
///
///
/// -
/// CERT_CREATE_SELFSIGN_NO_SIGN 1
///
/// By default, the certificate being created is signed. If the certificate being created is only a dummy placeholder, the
/// certificate might not need to be signed. Signing of the certificate is skipped if CERT_CREATE_SELFSIGN_NO_SIGN is specified.
///
///
///
///
///
///
/// A pointer to a CRYPT_KEY_PROV_INFO structure. Before a certificate is created, the CSP is queried for the key provider, key
/// provider type, and the key container name. If the CSP queried does not support these queries, the function fails. If the default
/// provider does not support these queries, a pKeyProvInfo value must be specified. The RSA BASE does support these queries.
///
///
/// If the pKeyProvInfo parameter is not NULL, the corresponding values are set in the CERT_KEY_PROV_INFO_PROP_ID
/// value of the generated certificate. You must ensure that all parameters of the supplied structure are correctly specified.
///
///
///
/// A pointer to a CRYPT_ALGORITHM_IDENTIFIER structure. If NULL, the default algorithm, SHA1RSA, is used.
///
/// A pointer to a SYSTEMTIME structure. If NULL, the system current time is used by default.
///
/// A pointer to a SYSTEMTIME structure. If NULL, the pStartTime value plus one year will be used by default.
///
///
/// A pointer to a CERT_EXTENSIONS array of CERT_EXTENSION structures. By default, the array is empty. An alternate subject name, if
/// desired, can be specified as one of these extensions.
///
///
/// If the function succeeds, a PCCERT_CONTEXT variable that points to the created certificate is returned. If the function fails,
/// it returns NULL. For extended error information, call GetLastError.
///
///
/// As the pEndTime must be a valid date, and is automatically generated if it is not supplied by the user, unexpected failures may
/// easily be caused when this API is called on a leap day without accompanying app logic to compensate. For more information,
/// please see leap year readiness.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certcreateselfsigncertificate PCCERT_CONTEXT
// CertCreateSelfSignCertificate( HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, PCERT_NAME_BLOB pSubjectIssuerBlob, DWORD
// dwFlags, PCRYPT_KEY_PROV_INFO pKeyProvInfo, PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, PSYSTEMTIME pStartTime, PSYSTEMTIME
// pEndTime, PCERT_EXTENSIONS pExtensions );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "89028c4e-f896-4c50-9fa2-bcb4e1784244")]
public static extern SafePCCERT_CONTEXT CertCreateSelfSignCertificate(IntPtr hCryptProvOrNCryptKey, in CRYPTOAPI_BLOB pSubjectIssuerBlob, CertCreateSelfSignFlags dwFlags, in CRYPT_KEY_PROV_INFO pKeyProvInfo, in CRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, in SYSTEMTIME pStartTime, in SYSTEMTIME pEndTime, in CERT_EXTENSIONS pExtensions);
///
/// The CertDeleteCertificateFromStore function deletes the specified certificate context from the certificate store.
///
/// A pointer to the CERT_CONTEXT structure to be deleted.
///
/// If the function succeeds, the return value is TRUE.
///
/// If the function fails, the return value is FALSE. For extended error information, call GetLastError. One possible error
/// code is the following.
///
///
///
/// Return code
/// Description
///
/// -
/// E_ACCESSDENIED
/// Indicates the store was opened as read-only and a delete operation is not allowed.
///
///
///
///
///
/// After a certificate is deleted from a store, all subsequent attempts to get or find that certificate in that store will fail.
/// However, memory allocated for the certificate is not freed until all duplicated contexts have also been freed.
///
///
/// The CertDeleteCertificateFromStore function always frees pCertContext by calling the CertFreeCertificateContext function,
/// even if an error is encountered. Freeing the context reduces the context's reference count by one. If the reference count
/// reaches zero, memory allocated for the certificate is freed.
///
/// Examples
/// For an example that uses this function, see Example C Program: Deleting Certificates from a Certificate Store.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certdeletecertificatefromstore BOOL
// CertDeleteCertificateFromStore( PCCERT_CONTEXT pCertContext );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "4390c8da-9c4d-47a4-9af4-d179829f77f3")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CertDeleteCertificateFromStore(PCCERT_CONTEXT pCertContext);
///
/// The CertDuplicateCertificateContext function duplicates a certificate context by incrementing its reference count.
///
/// A pointer to the CERT_CONTEXT structure for which the reference count is incremented.
///
/// Currently, a copy is not made of the context, and the returned pointer to a context has the same value as the pointer to a
/// context that was input. If the pointer passed into this function is NULL, NULL is returned. When you have finished
/// using the duplicate context, decrease its reference count by calling the CertFreeCertificateContext function.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certduplicatecertificatecontext PCCERT_CONTEXT
// CertDuplicateCertificateContext( PCCERT_CONTEXT pCertContext );
[DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "589edd25-c8d0-4f93-83b2-9df2ed2e2812")]
public static extern PCCERT_CONTEXT CertDuplicateCertificateContext(PCCERT_CONTEXT pCertContext);
///
/// The CertEnumCertificatesInStore function retrieves the first or next certificate in a certificate store. Used in a loop,
/// this function can retrieve in sequence all certificates in a certificate store.
///
/// A handle of a certificate store.
///
/// A pointer to the CERT_CONTEXT of the previous certificate context found.
///
/// This parameter must be NULL to begin the enumeration and get the first certificate in the store. Successive certificates
/// are enumerated by setting pPrevCertContext to the pointer returned by a previous call to the function. This function frees the
/// CERT_CONTEXT referenced by non- NULL values of this parameter.
///
///
/// For logical stores, including collection stores, a duplicate of the pCertContext returned by this function cannot be used to
/// begin a new subsequence of enumerations because the duplicated certificate loses the initial enumeration state. The enumeration
/// skips any certificate previously deleted by CertDeleteCertificateFromStore.
///
///
///
///
/// If the function succeeds, the function returns a pointer to the next CERT_CONTEXT in the store. If no more certificates exist in
/// the store, the function returns NULL.
///
/// For extended error information, call GetLastError. Some possible error codes follow.
///
///
/// Value
/// Description
///
/// -
/// E_INVALIDARG
/// The handle in the hCertStore parameter is not the same as that in the certificate context pointed to by pPrevCertContext.
///
/// -
/// CRYPT_E_NOT_FOUND
/// No certificates were found. This happens if the store is empty or if the function reached the end of the store's list.
///
/// -
/// ERROR_NO_MORE_FILES
///
/// Applies to external stores. No certificates were found. This happens if the store is empty or if the function reached the end of
/// the store's list.
///
///
///
///
///
///
/// The returned pointer is freed when passed as the pPrevCertContext parameter on a subsequent call. Otherwise, the pointer must be
/// freed by calling CertFreeCertificateContext. A non- NULL pPrevCertContext passed to CertEnumCertificatesInStore is
/// always freed even for an error.
///
/// A duplicate of the currently enumerated certificate can be made by calling CertDuplicateCertificateContext.
/// Examples
///
/// The following example lists the certificate contexts in the certificate store. For another example that uses this function, see
/// Example C Program: Deleting Certificates from a Certificate Store.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certenumcertificatesinstore PCCERT_CONTEXT
// CertEnumCertificatesInStore( HCERTSTORE hCertStore, PCCERT_CONTEXT pPrevCertContext );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "c5ab5b4c-dc0c-416b-aa9e-b939398cfa6d")]
public static extern PCCERT_CONTEXT CertEnumCertificatesInStore(HCERTSTORE hCertStore, PCCERT_CONTEXT pPrevCertContext);
///
/// The CertFindCertificateInStore function finds the first or next certificate context in a certificate store that matches a
/// search criteria established by the dwFindType and its associated pvFindPara. This function can be used in a loop to find all of
/// the certificates in a certificate store that match the specified find criteria.
///
/// A handle of the certificate store to be searched.
///
///
/// Specifies the type of encoding used. Both the certificate and message encoding types must be specified by combining them with a
/// bitwise- OR operation as shown in the following example:
///
/// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING Currently defined encoding types are:
///
/// -
/// X509_ASN_ENCODING
///
/// -
/// PKCS_7_ASN_ENCODING
///
///
///
///
/// Used with some dwFindType values to modify the search criteria. For most dwFindType values, dwFindFlags is not used and should
/// be set to zero. For detailed information, see Remarks.
///
///
///
/// Specifies the type of search being made. The search type determines the data type, contents, and the use of pvFindPara. This
/// parameter can be one of the following values.
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_FIND_ANY
/// Data type of pvFindPara: NULL, not used. No search criteria used. Returns the next certificate in the store.
///
/// -
/// CERT_FIND_CERT_ID
/// Data type of pvFindPara: CERT_ID structure. Find the certificate identified by the specified CERT_ID.
///
/// -
/// CERT_FIND_CTL_USAGE
///
/// Data type of pvFindPara: CTL_USAGE structure. Searches for a certificate that has a szOID_ENHANCED_KEY_USAGE extension or a
/// CERT_CTL_PROP_ID that matches the pszUsageIdentifier member of the CTL_USAGE structure.
///
///
/// -
/// CERT_FIND_ENHKEY_USAGE
///
/// Data type of pvFindPara: CERT_ENHKEY_USAGE structure. Searches for a certificate in the store that has either an enhanced key
/// usage extension or an enhanced key usage property and a usage identifier that matches the cUsageIdentifier member in the
/// CERT_ENHKEY_USAGE structure. A certificate has an enhanced key usage extension if it has a CERT_EXTENSION structure with the
/// pszObjId member set to szOID_ENHANCED_KEY_USAGE. A certificate has an enhanced key usage property if its
/// CERT_ENHKEY_USAGE_PROP_ID identifier is set. If CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set in dwFindFlags, certificates without
/// the key usage extension or property are also matches. Setting this flag takes precedence over passing NULL in pvFindPara. If
/// CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, a match is done only on the key usage extension. For information about flag
/// modifications to search criteria, see Remarks.
///
///
/// -
/// CERT_FIND_EXISTING
///
/// Data type of pvFindPara: CERT_CONTEXT structure. Searches for a certificate that is an exact match of the specified certificate context.
///
///
/// -
/// CERT_FIND_HASH
///
/// Data type of pvFindPara: CRYPT_HASH_BLOB structure. Searches for a certificate with a SHA1 hash that matches the hash in the
/// CRYPT_HASH_BLOB structure.
///
///
/// -
/// CERT_FIND_HAS_PRIVATE_KEY
///
/// Data type of pvFindPara: NULL, not used. Searches for a certificate that has a private key. The key can be ephemeral or saved on
/// disk. The key can be a legacy Cryptography API (CAPI) key or a CNG key. Windows 8 and Windows Server 2012: Support for this flag begins.
///
///
/// -
/// CERT_FIND_ISSUER_ATTR
///
/// Data type of pvFindPara: CERT_RDN structure. Searches for a certificate with specified issuer attributes that match attributes
/// in the CERT_RDN structure. If these values are set, the function compares attributes of the issuer in a certificate with
/// elements of the CERT_RDN_ATTR array in this CERT_RDN structure. Comparisons iterate through the CERT_RDN_ATTR attributes looking
/// for a match with the certificate's issuer attributes. If the pszObjId member of CERT_RDN_ATTR is NULL, the attribute object
/// identifier is ignored. If the dwValueType member of CERT_RDN_ATTR is CERT_RDN_ANY_TYPE, the value type is ignored. If the pbData
/// member of CERT_RDN_VALUE_BLOB is NULL, any value is a match. Currently only an exact, case-sensitive match is supported. For
/// information about Unicode options, see Remarks. When these values are set, the search is restricted to certificates whose
/// encoding type matches dwCertEncodingType.
///
///
/// -
/// CERT_FIND_ISSUER_NAME
///
/// Data type of pvFindPara: CERT_NAME_BLOB structure. Search for a certificate with an exact match of the entire issuer name with
/// the name in CERT_NAME_BLOB The search is restricted to certificates that match the dwCertEncodingType.
///
///
/// -
/// CERT_FIND_ISSUER_OF
///
/// Data type of pvFindPara: CERT_CONTEXT structure. Searches for a certificate with an subject that matches the issuer in
/// CERT_CONTEXT. Instead of using CertFindCertificateInStore with this value, use the CertGetCertificateChain function.
///
///
/// -
/// CERT_FIND_ISSUER_STR
///
/// Data type of pvFindPara: Null-terminated Unicode string. Searches for a certificate that contains the specified issuer name
/// string. The certificate's issuer member is converted to a name string of the appropriate type using the appropriate form of
/// CertNameToStr formatted as CERT_SIMPLE_NAME_STR. Then a case-insensitive substring-within-a-string match is performed. When this
/// value is set, the search is restricted to certificates whose encoding type matches dwCertEncodingType. If the substring match
/// fails and the subject contains an email RDN with Punycode encoded string, CERT_NAME_STR_ENABLE_PUNYCODE_FLAG is used to convert
/// the subject to a Unicode string and the substring match is performed again.
///
///
/// -
/// CERT_FIND_KEY_IDENTIFIER
///
/// Data type of pvFindPara: CRYPT_HASH_BLOB structure. Searches for a certificate with a CERT_KEY_IDENTIFIER_PROP_ID property that
/// matches the key identifier in CRYPT_HASH_BLOB.
///
///
/// -
/// CERT_FIND_KEY_SPEC
///
/// Data type of pvFindPara: DWORD variable that contains a key specification. Searches for a certificate that has a
/// CERT_KEY_SPEC_PROP_ID property that matches the key specification in pvFindPara.
///
///
/// -
/// CERT_FIND_MD5_HASH
///
/// Data type of pvFindPara: CRYPT_HASH_BLOB structure. Searches for a certificate with an MD5 hash that matches the hash in CRYPT_HASH_BLOB.
///
///
/// -
/// CERT_FIND_PROPERTY
///
/// Data type of pvFindPara: DWORD variable that contains a property identifier. Searches for a certificate with a property that
/// matches the property identifier specified by the DWORD value in pvFindPara.
///
///
/// -
/// CERT_FIND_PUBLIC_KEY
///
/// Data type of pvFindPara: CERT_PUBLIC_KEY_INFO structure. Searches for a certificate with a public key that matches the public
/// key in the CERT_PUBLIC_KEY_INFO structure.
///
///
/// -
/// CERT_FIND_SHA1_HASH
///
/// Data type of pvFindPara: CRYPT_HASH_BLOB structure. Searches for a certificate with a SHA1 hash that matches the hash in the
/// CRYPT_HASH_BLOB structure.
///
///
/// -
/// CERT_FIND_SIGNATURE_HASH
///
/// Data type of pvFindPara: CRYPT_HASH_BLOB structure. Searches for a certificate with a signature hash that matches the signature
/// hash in the CRYPT_HASH_BLOB structure.
///
///
/// -
/// CERT_FIND_SUBJECT_ATTR
///
/// Data type of pvFindPara: CERT_RDN structure. Searches for a certificate with specified subject attributes that match attributes
/// in the CERT_RDN structure. If RDN values are set, the function compares attributes of the subject in a certificate with elements
/// of the CERT_RDN_ATTR array in this CERT_RDN structure. Comparisons iterate through the CERT_RDN_ATTR attributes looking for a
/// match with the certificate's subject's attributes. If the pszObjId member of CERT_RDN_ATTR is NULL, the attribute object
/// identifier is ignored. If the dwValueType member of CERT_RDN_ATTR is CERT_RDN_ANY_TYPE, the value type is ignored. If the pbData
/// member of CERT_RDN_VALUE_BLOB is NULL, any value is a match. Currently only an exact, case-sensitive match is supported. For
/// information about Unicode options, see Remarks. When these values are set, the search is restricted to certificates whose
/// encoding type matches dwCertEncodingType.
///
///
/// -
/// CERT_FIND_SUBJECT_CERT
///
/// Data type of pvFindPara: CERT_INFO structure. Searches for a certificate with both an issuer and a serial number that match the
/// issuer and serial number in the CERT_INFO structure.
///
///
/// -
/// CERT_FIND_SUBJECT_NAME
///
/// Data type of pvFindPara: CERT_NAME_BLOB structure. Searches for a certificate with an exact match of the entire subject name
/// with the name in the CERT_NAME_BLOB structure. The search is restricted to certificates that match the value of dwCertEncodingType.
///
///
/// -
/// CERT_FIND_SUBJECT_STR
///
/// Data type of pvFindPara: Null-terminated Unicode string. Searches for a certificate that contains the specified subject name
/// string. The certificate's subject member is converted to a name string of the appropriate type using the appropriate form of
/// CertNameToStr formatted as CERT_SIMPLE_NAME_STR. Then a case-insensitive substring-within-a-string match is performed. When this
/// value is set, the search is restricted to certificates whose encoding type matches dwCertEncodingType.
///
///
/// -
/// CERT_FIND_CROSS_CERT_DIST_POINTS
///
/// Data type of pvFindPara: Not used. Find a certificate that has either a cross certificate distribution point extension or property.
///
///
/// -
/// CERT_FIND_PUBKEY_MD5_HASH
///
/// Data type of pvFindPara: CRYPT_HASH_BLOB structure. Find a certificate whose MD5-hashed public key matches the specified hash.
///
///
///
///
/// Note There are alternate forms of the value of dwFindType that pass a string in pvFindPara. One form uses a Unicode
/// string, and the other an ASCII string. Values that end in "_W" or without a suffix use Unicode. Values that end with "_A" use
/// ASCII strings.
///
///
/// Points to a data item or structure used with dwFindType.
///
/// A pointer to the last CERT_CONTEXT structure returned by this function. This parameter must be NULL on the first call of
/// the function. To find successive certificates meeting the search criteria, set pPrevCertContext to the pointer returned by the
/// previous call to the function. This function frees the CERT_CONTEXT referenced by non- NULL values of this parameter.
///
///
/// If the function succeeds, the function returns a pointer to a read-only CERT_CONTEXT structure.
/// If the function fails and a certificate that matches the search criteria is not found, the return value is NULL.
///
/// A non- NULL CERT_CONTEXT that CertFindCertificateInStore returns must be freed by CertFreeCertificateContext or by
/// being passed as the pPrevCertContext parameter on a subsequent call to CertFindCertificateInStore.
///
/// For extended error information, call GetLastError. Some possible error codes follow.
///
///
/// Return code
/// Description
///
/// -
/// CRYPT_E_NOT_FOUND
///
/// No certificate was found matching the search criteria. This can happen if the store is empty or the end of the store's list is reached.
///
///
/// -
/// E_INVALIDARG
///
/// The handle in the hCertStore parameter is not the same as that in the certificate context pointed to by the pPrevCertContext
/// parameter, or a value that is not valid was specified in the dwFindType parameter.
///
///
///
///
///
/// The dwFindFlags parameter is used to modify the criteria of some search types.
///
/// The CERT_UNICODE_IS_RDN_ATTRS_FLAG dwFindFlags value is used only with the CERT_FIND_SUBJECT_ATTR and CERT_FIND_ISSUER_ATTR
/// values for dwFindType. CERT_UNICODE_IS_RDN_ATTRS_FLAG must be set if the CERT_RDN_ATTR structure pointed to by pvFindPara was
/// initialized with Unicode strings. Before any comparison is made, the string to be matched is converted by using
/// X509_UNICODE_NAME to provide for Unicode comparisons.
///
/// The following dwFindFlags values are used only with the CERT_FIND_ENKEY_USAGE value for dwFindType:
///
/// CertDuplicateCertificateContext can be called to make a duplicate of the returned context. The returned context can be added to
/// a different certificate store by using CertAddCertificateContextToStore, or a link to that certificate context can be added to a
/// store that is not a collection store by using CertAddCertificateLinkToStore.
///
///
/// The returned pointer is freed when passed as the pPrevCertContext parameter on a subsequent call to the function. Otherwise, the
/// pointer must be explicitly freed by calling CertFreeCertificateContext. A pPrevCertContext that is not NULL is always
/// freed by CertFindCertificateInStore using a call to CertFreeCertificateContext, even if there is an error in the function.
///
/// Examples
///
/// The following example shows finding a certificate context in the certificate store meeting a search criterion. For a complete
/// example that includes the context for this example, see Example C Program: Certificate Store Operations.
///
/// For another example that uses this function, see Example C Program: Collection and Sibling Certificate Store Operations.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfindcertificateinstore PCCERT_CONTEXT
// CertFindCertificateInStore( HCERTSTORE hCertStore, DWORD dwCertEncodingType, DWORD dwFindFlags, DWORD dwFindType, const void
// *pvFindPara, PCCERT_CONTEXT pPrevCertContext );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "20b3fcfb-55df-46ff-80a5-70f31a3d03b2")]
public static extern SafePCCERT_CONTEXT CertFindCertificateInStore(HCERTSTORE hCertStore, CertEncodingType dwCertEncodingType, CertFindUsageFlags dwFindFlags,
CertFindType dwFindType, [In] IntPtr pvFindPara, PCCERT_CONTEXT pPrevCertContext);
///
/// The CertFindCertificateInStore function finds the first or next certificate context in a certificate store that matches a
/// search criteria established by the dwFindType and its associated pvFindPara. This function can be used in a loop to find all of
/// the certificates in a certificate store that match the specified find criteria.
///
/// A handle of the certificate store to be searched.
///
///
/// Specifies the type of encoding used. Both the certificate and message encoding types must be specified by combining them with a
/// bitwise- OR operation as shown in the following example:
///
/// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING Currently defined encoding types are:
///
/// -
/// X509_ASN_ENCODING
///
/// -
/// PKCS_7_ASN_ENCODING
///
///
///
///
/// Used with some dwFindType values to modify the search criteria. For most dwFindType values, dwFindFlags is not used and should
/// be set to zero. For detailed information, see Remarks.
///
///
///
/// Specifies the type of search being made. The search type determines the data type, contents, and the use of pvFindPara. This
/// parameter can be one of the following values.
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_FIND_ANY
/// Data type of pvFindPara: NULL, not used. No search criteria used. Returns the next certificate in the store.
///
/// -
/// CERT_FIND_CERT_ID
/// Data type of pvFindPara: CERT_ID structure. Find the certificate identified by the specified CERT_ID.
///
/// -
/// CERT_FIND_CTL_USAGE
///
/// Data type of pvFindPara: CTL_USAGE structure. Searches for a certificate that has a szOID_ENHANCED_KEY_USAGE extension or a
/// CERT_CTL_PROP_ID that matches the pszUsageIdentifier member of the CTL_USAGE structure.
///
///
/// -
/// CERT_FIND_ENHKEY_USAGE
///
/// Data type of pvFindPara: CERT_ENHKEY_USAGE structure. Searches for a certificate in the store that has either an enhanced key
/// usage extension or an enhanced key usage property and a usage identifier that matches the cUsageIdentifier member in the
/// CERT_ENHKEY_USAGE structure. A certificate has an enhanced key usage extension if it has a CERT_EXTENSION structure with the
/// pszObjId member set to szOID_ENHANCED_KEY_USAGE. A certificate has an enhanced key usage property if its
/// CERT_ENHKEY_USAGE_PROP_ID identifier is set. If CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set in dwFindFlags, certificates without
/// the key usage extension or property are also matches. Setting this flag takes precedence over passing NULL in pvFindPara. If
/// CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, a match is done only on the key usage extension. For information about flag
/// modifications to search criteria, see Remarks.
///
///
/// -
/// CERT_FIND_EXISTING
///
/// Data type of pvFindPara: CERT_CONTEXT structure. Searches for a certificate that is an exact match of the specified certificate context.
///
///
/// -
/// CERT_FIND_HASH
///
/// Data type of pvFindPara: CRYPT_HASH_BLOB structure. Searches for a certificate with a SHA1 hash that matches the hash in the
/// CRYPT_HASH_BLOB structure.
///
///
/// -
/// CERT_FIND_HAS_PRIVATE_KEY
///
/// Data type of pvFindPara: NULL, not used. Searches for a certificate that has a private key. The key can be ephemeral or saved on
/// disk. The key can be a legacy Cryptography API (CAPI) key or a CNG key. Windows 8 and Windows Server 2012: Support for this flag begins.
///
///
/// -
/// CERT_FIND_ISSUER_ATTR
///
/// Data type of pvFindPara: CERT_RDN structure. Searches for a certificate with specified issuer attributes that match attributes
/// in the CERT_RDN structure. If these values are set, the function compares attributes of the issuer in a certificate with
/// elements of the CERT_RDN_ATTR array in this CERT_RDN structure. Comparisons iterate through the CERT_RDN_ATTR attributes looking
/// for a match with the certificate's issuer attributes. If the pszObjId member of CERT_RDN_ATTR is NULL, the attribute object
/// identifier is ignored. If the dwValueType member of CERT_RDN_ATTR is CERT_RDN_ANY_TYPE, the value type is ignored. If the pbData
/// member of CERT_RDN_VALUE_BLOB is NULL, any value is a match. Currently only an exact, case-sensitive match is supported. For
/// information about Unicode options, see Remarks. When these values are set, the search is restricted to certificates whose
/// encoding type matches dwCertEncodingType.
///
///
/// -
/// CERT_FIND_ISSUER_NAME
///
/// Data type of pvFindPara: CERT_NAME_BLOB structure. Search for a certificate with an exact match of the entire issuer name with
/// the name in CERT_NAME_BLOB The search is restricted to certificates that match the dwCertEncodingType.
///
///
/// -
/// CERT_FIND_ISSUER_OF
///
/// Data type of pvFindPara: CERT_CONTEXT structure. Searches for a certificate with an subject that matches the issuer in
/// CERT_CONTEXT. Instead of using CertFindCertificateInStore with this value, use the CertGetCertificateChain function.
///
///
/// -
/// CERT_FIND_ISSUER_STR
///
/// Data type of pvFindPara: Null-terminated Unicode string. Searches for a certificate that contains the specified issuer name
/// string. The certificate's issuer member is converted to a name string of the appropriate type using the appropriate form of
/// CertNameToStr formatted as CERT_SIMPLE_NAME_STR. Then a case-insensitive substring-within-a-string match is performed. When this
/// value is set, the search is restricted to certificates whose encoding type matches dwCertEncodingType. If the substring match
/// fails and the subject contains an email RDN with Punycode encoded string, CERT_NAME_STR_ENABLE_PUNYCODE_FLAG is used to convert
/// the subject to a Unicode string and the substring match is performed again.
///
///
/// -
/// CERT_FIND_KEY_IDENTIFIER
///
/// Data type of pvFindPara: CRYPT_HASH_BLOB structure. Searches for a certificate with a CERT_KEY_IDENTIFIER_PROP_ID property that
/// matches the key identifier in CRYPT_HASH_BLOB.
///
///
/// -
/// CERT_FIND_KEY_SPEC
///
/// Data type of pvFindPara: DWORD variable that contains a key specification. Searches for a certificate that has a
/// CERT_KEY_SPEC_PROP_ID property that matches the key specification in pvFindPara.
///
///
/// -
/// CERT_FIND_MD5_HASH
///
/// Data type of pvFindPara: CRYPT_HASH_BLOB structure. Searches for a certificate with an MD5 hash that matches the hash in CRYPT_HASH_BLOB.
///
///
/// -
/// CERT_FIND_PROPERTY
///
/// Data type of pvFindPara: DWORD variable that contains a property identifier. Searches for a certificate with a property that
/// matches the property identifier specified by the DWORD value in pvFindPara.
///
///
/// -
/// CERT_FIND_PUBLIC_KEY
///
/// Data type of pvFindPara: CERT_PUBLIC_KEY_INFO structure. Searches for a certificate with a public key that matches the public
/// key in the CERT_PUBLIC_KEY_INFO structure.
///
///
/// -
/// CERT_FIND_SHA1_HASH
///
/// Data type of pvFindPara: CRYPT_HASH_BLOB structure. Searches for a certificate with a SHA1 hash that matches the hash in the
/// CRYPT_HASH_BLOB structure.
///
///
/// -
/// CERT_FIND_SIGNATURE_HASH
///
/// Data type of pvFindPara: CRYPT_HASH_BLOB structure. Searches for a certificate with a signature hash that matches the signature
/// hash in the CRYPT_HASH_BLOB structure.
///
///
/// -
/// CERT_FIND_SUBJECT_ATTR
///
/// Data type of pvFindPara: CERT_RDN structure. Searches for a certificate with specified subject attributes that match attributes
/// in the CERT_RDN structure. If RDN values are set, the function compares attributes of the subject in a certificate with elements
/// of the CERT_RDN_ATTR array in this CERT_RDN structure. Comparisons iterate through the CERT_RDN_ATTR attributes looking for a
/// match with the certificate's subject's attributes. If the pszObjId member of CERT_RDN_ATTR is NULL, the attribute object
/// identifier is ignored. If the dwValueType member of CERT_RDN_ATTR is CERT_RDN_ANY_TYPE, the value type is ignored. If the pbData
/// member of CERT_RDN_VALUE_BLOB is NULL, any value is a match. Currently only an exact, case-sensitive match is supported. For
/// information about Unicode options, see Remarks. When these values are set, the search is restricted to certificates whose
/// encoding type matches dwCertEncodingType.
///
///
/// -
/// CERT_FIND_SUBJECT_CERT
///
/// Data type of pvFindPara: CERT_INFO structure. Searches for a certificate with both an issuer and a serial number that match the
/// issuer and serial number in the CERT_INFO structure.
///
///
/// -
/// CERT_FIND_SUBJECT_NAME
///
/// Data type of pvFindPara: CERT_NAME_BLOB structure. Searches for a certificate with an exact match of the entire subject name
/// with the name in the CERT_NAME_BLOB structure. The search is restricted to certificates that match the value of dwCertEncodingType.
///
///
/// -
/// CERT_FIND_SUBJECT_STR
///
/// Data type of pvFindPara: Null-terminated Unicode string. Searches for a certificate that contains the specified subject name
/// string. The certificate's subject member is converted to a name string of the appropriate type using the appropriate form of
/// CertNameToStr formatted as CERT_SIMPLE_NAME_STR. Then a case-insensitive substring-within-a-string match is performed. When this
/// value is set, the search is restricted to certificates whose encoding type matches dwCertEncodingType.
///
///
/// -
/// CERT_FIND_CROSS_CERT_DIST_POINTS
///
/// Data type of pvFindPara: Not used. Find a certificate that has either a cross certificate distribution point extension or property.
///
///
/// -
/// CERT_FIND_PUBKEY_MD5_HASH
///
/// Data type of pvFindPara: CRYPT_HASH_BLOB structure. Find a certificate whose MD5-hashed public key matches the specified hash.
///
///
///
///
/// Note There are alternate forms of the value of dwFindType that pass a string in pvFindPara. One form uses a Unicode
/// string, and the other an ASCII string. Values that end in "_W" or without a suffix use Unicode. Values that end with "_A" use
/// ASCII strings.
///
///
/// Points to a data item or structure used with dwFindType.
///
/// A pointer to the last CERT_CONTEXT structure returned by this function. This parameter must be NULL on the first call of
/// the function. To find successive certificates meeting the search criteria, set pPrevCertContext to the pointer returned by the
/// previous call to the function. This function frees the CERT_CONTEXT referenced by non- NULL values of this parameter.
///
///
/// If the function succeeds, the function returns a pointer to a read-only CERT_CONTEXT structure.
/// If the function fails and a certificate that matches the search criteria is not found, the return value is NULL.
///
/// A non- NULL CERT_CONTEXT that CertFindCertificateInStore returns must be freed by CertFreeCertificateContext or by
/// being passed as the pPrevCertContext parameter on a subsequent call to CertFindCertificateInStore.
///
/// For extended error information, call GetLastError. Some possible error codes follow.
///
///
/// Return code
/// Description
///
/// -
/// CRYPT_E_NOT_FOUND
///
/// No certificate was found matching the search criteria. This can happen if the store is empty or the end of the store's list is reached.
///
///
/// -
/// E_INVALIDARG
///
/// The handle in the hCertStore parameter is not the same as that in the certificate context pointed to by the pPrevCertContext
/// parameter, or a value that is not valid was specified in the dwFindType parameter.
///
///
///
///
///
/// The dwFindFlags parameter is used to modify the criteria of some search types.
///
/// The CERT_UNICODE_IS_RDN_ATTRS_FLAG dwFindFlags value is used only with the CERT_FIND_SUBJECT_ATTR and CERT_FIND_ISSUER_ATTR
/// values for dwFindType. CERT_UNICODE_IS_RDN_ATTRS_FLAG must be set if the CERT_RDN_ATTR structure pointed to by pvFindPara was
/// initialized with Unicode strings. Before any comparison is made, the string to be matched is converted by using
/// X509_UNICODE_NAME to provide for Unicode comparisons.
///
/// The following dwFindFlags values are used only with the CERT_FIND_ENKEY_USAGE value for dwFindType:
///
/// CertDuplicateCertificateContext can be called to make a duplicate of the returned context. The returned context can be added to
/// a different certificate store by using CertAddCertificateContextToStore, or a link to that certificate context can be added to a
/// store that is not a collection store by using CertAddCertificateLinkToStore.
///
///
/// The returned pointer is freed when passed as the pPrevCertContext parameter on a subsequent call to the function. Otherwise, the
/// pointer must be explicitly freed by calling CertFreeCertificateContext. A pPrevCertContext that is not NULL is always
/// freed by CertFindCertificateInStore using a call to CertFreeCertificateContext, even if there is an error in the function.
///
/// Examples
///
/// The following example shows finding a certificate context in the certificate store meeting a search criterion. For a complete
/// example that includes the context for this example, see Example C Program: Certificate Store Operations.
///
/// For another example that uses this function, see Example C Program: Collection and Sibling Certificate Store Operations.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfindcertificateinstore PCCERT_CONTEXT
// CertFindCertificateInStore( HCERTSTORE hCertStore, DWORD dwCertEncodingType, DWORD dwFindFlags, DWORD dwFindType, const void
// *pvFindPara, PCCERT_CONTEXT pPrevCertContext );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "20b3fcfb-55df-46ff-80a5-70f31a3d03b2")]
public static extern SafePCCERT_CONTEXT CertFindCertificateInStore(HCERTSTORE hCertStore, CertEncodingType dwCertEncodingType, CertFindUsageFlags dwFindFlags,
CertFindType dwFindType, [In, MarshalAs(UnmanagedType.LPWStr)] string pvFindPara, PCCERT_CONTEXT pPrevCertContext);
///
/// The CertFreeServerOcspResponseContext function decrements the reference count for a CERT_SERVER_OCSP_RESPONSE_CONTEXT
/// structure. If the reference count becomes zero, memory allocated for the structure is released.
///
///
/// A pointer to a CERT_SERVER_OCSP_RESPONSE_CONTEXT structure that contains a value returned by the
/// CertGetServerOcspResponseContext function.
///
/// This function has no return value.
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfreeserverocspresponsecontext void
// CertFreeServerOcspResponseContext( PCCERT_SERVER_OCSP_RESPONSE_CONTEXT pServerOcspResponseContext );
[DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "a07fc1e0-6f06-4336-b33c-d4d6a838b609")]
public static extern void CertFreeServerOcspResponseContext(PCCERT_SERVER_OCSP_RESPONSE_CONTEXT pServerOcspResponseContext);
///
/// The CertGetIssuerCertificateFromStore function retrieves the certificate context from the certificate store for the first
/// or next issuer of the specified subject certificate. The new Certificate Chain Verification Functions are recommended instead of
/// the use of this function.
///
/// Handle of a certificate store.
///
/// A pointer to a CERT_CONTEXT structure that contains the subject information. This parameter can be obtained from any certificate
/// store or can be created by the calling application using the CertCreateCertificateContext function.
///
///
///
/// A pointer to a CERT_CONTEXT structure that contains the issuer information. An issuer can have multiple certificates, especially
/// when a validity period is about to change. This parameter must be NULL on the call to get the first issuer certificate.
/// To get the next certificate for the issuer, set pPrevIssuerContext to the CERT_CONTEXT structure returned by the previous call.
///
/// This function frees the CERT_CONTEXT referenced by non- NULL values of this parameter.
///
///
///
/// The following flags enable verification checks on the returned certificate. They can be combined using a bitwise- OR
/// operation to enable multiple verifications.
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_STORE_NO_CRL_FLAG
/// Indicates no matching CRL was found.
///
/// -
/// CERT_STORE_NO_ISSUER_FLAG
/// Indicates no issuer certificate was found.
///
/// -
/// CERT_STORE_REVOCATION_FLAG
/// Checks whether the subject certificate is on the issuer's revocation list.
///
/// -
/// CERT_STORE_SIGNATURE_FLAG
/// Uses the public key in the issuer's certificate to verify the signature on the subject certificate.
///
/// -
/// CERT_STORE_TIME_VALIDITY_FLAG
/// Gets the current time and verifies that it is within the subject certificate's validity period.
///
///
///
/// If a verification check of an enabled type succeeds, its flag is set to zero. If it fails, its flag remains set upon return. For
/// CERT_STORE_REVOCATION_FLAG, the verification succeeds if the function does not find a CRL related to the subject certificate.
///
///
/// If CERT_STORE_REVOCATION_FLAG is set and the issuer does not have a CRL in the store, CERT_STORE_NO_CRL_FLAG is set and
/// CERT_STORE_REVOCATION_FLAG remains set.
///
///
/// If CERT_STORE_SIGNATURE_FLAG or CERT_STORE_REVOCATION_FLAG is set, CERT_STORE_NO_ISSUER_FLAG is set if the function does not
/// find an issuer certificate in the store. For more details, see Remarks.
///
///
/// In the case of a verification check failure, a pointer to the issuer's CERT_CONTEXT is still returned and GetLastError is not updated.
///
///
///
/// If the function succeeds, the return value is a pointer to a read-only issuer CERT_CONTEXT.
/// If the function fails and the first or next issuer certificate is not found, the return value is NULL.
///
/// Only the last returned CERT_CONTEXT structure must be freed by calling CertFreeCertificateContext. When the returned
/// CERT_CONTEXT from one call to the function is supplied as the pPrevIssuerContext parameter on a subsequent call, the
/// context is freed as part of the action of the function.
///
/// For extended error information, call GetLastError. Some possible error codes follow.
///
///
/// Return code
/// Description
///
/// -
/// CRYPT_E_NOT_FOUND
/// No issuer was found for the subject certificate.
///
/// -
/// CRYPT_E_SELF_SIGNED
/// The issuer certificate is the same as the subject certificate. It is a self-signed root certificate.
///
/// -
/// E_INVALIDARG
///
/// The handle in the hCertStore parameter is not the same as that of the certificate context pointed to by the pPrevIssuerContext
/// parameter, or an unsupported flag was set in pdwFlags.
///
///
///
///
///
///
/// The returned pointer is freed when passed as the pPrevIssuerContext parameter on a subsequent call to the function. Otherwise,
/// the pointer must be explicitly freed by calling CertFreeCertificateContext. A pPrevIssuerContext that is not NULL is
/// always freed by CertGetIssuerCertificateFromStore using a call to CertFreeCertificateContext, even if there is an
/// error in the function.
///
/// CertDuplicateCertificateContext can be called to make a duplicate of the issuer certificate.
///
/// The hexadecimal values for dwFlags can be combined using a bitwise- OR operation to enable multiple verifications. For
/// example, to enable both signature and time validity, the value 0x00000003 is passed in dwFlags on input. In this case, if
/// CERT_STORE_SIGNATURE_FLAG verification succeeds but CERT_STORE_TIME_VALIDITY_FLAG verification fails, dwFlags returns as
/// 0x00000002 on output.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetissuercertificatefromstore PCCERT_CONTEXT
// CertGetIssuerCertificateFromStore( HCERTSTORE hCertStore, PCCERT_CONTEXT pSubjectContext, PCCERT_CONTEXT pPrevIssuerContext,
// DWORD *pdwFlags );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "b57982d0-cba8-43cd-a544-3635fdf599e2")]
public static extern SafePCCERT_CONTEXT CertGetIssuerCertificateFromStore(HCERTSTORE hCertStore, PCCERT_CONTEXT pSubjectContext, PCCERT_CONTEXT pPrevIssuerContext, ref CertStoreVerification pdwFlags);
///
/// The CertGetServerOcspResponseContext function retrieves a non-blocking, time valid online certificate status protocol
/// (OCSP) response context for the specified handle.
///
///
/// The OCSP server response handle for which to retrieve a response context. This handle is returned by the
/// CertOpenServerOcspResponse function.
///
/// This parameter is reserved for future use and must be zero.
/// This parameter is reserved for future use and must be NULL.
///
/// If the function succeeds, it returns a pointer to a CERT_SERVER_OCSP_RESPONSE_CONTEXT structure.
///
/// For a response to be time valid, the current time on the system hosting this function call must be less than the next update
/// time for the certificate revocation list (CRL) context. When a time valid OCSP response is not available, this function returns
/// NULL with the last error set to CRYPT_E_REVOCATION_OFFLINE.
///
///
///
/// If you use the CertGetServerOcspResponseContext function to create multiple references to an OCSP response context, you
/// must call CertAddRefServerOcspResponseContext to increment the reference count for the CERT_SERVER_OCSP_RESPONSE_CONTEXT
/// structure. When you have finished using the structure, you must free it by calling the CertFreeServerOcspResponseContext function.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetserverocspresponsecontext
// PCCERT_SERVER_OCSP_RESPONSE_CONTEXT CertGetServerOcspResponseContext( HCERT_SERVER_OCSP_RESPONSE hServerOcspResponse, DWORD
// dwFlags, LPVOID pvReserved );
[DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "07476e43-db6b-4119-8d6b-41143b98744e")]
public static extern SafePCCERT_SERVER_OCSP_RESPONSE_CONTEXT CertGetServerOcspResponseContext(HCERT_SERVER_OCSP_RESPONSE hServerOcspResponse, uint dwFlags = 0, IntPtr pvReserved = default);
///
/// The CertGetSubjectCertificateFromStore function returns from a certificate store a subject certificate context uniquely
/// identified by its issuer and serial number.
///
/// A handle of a certificate store.
///
///
/// The type of encoding used. It is always acceptable to specify both the certificate and message encoding types by combining them
/// with a bitwise- OR operation as shown in the following example:
///
/// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING Currently defined encoding types are:
///
/// -
/// X509_ASN_ENCODING
///
/// -
/// PKCS_7_ASN_ENCODING
///
///
///
/// A pointer to a CERT_INFO structure. Only the Issuer and SerialNumber members are used.
///
///
/// If the function succeeds, the function returns a pointer to a read-only CERT_CONTEXT. The CERT_CONTEXT must be freed by
/// calling CertFreeCertificateContext.
///
/// The returned certificate might not be valid. Usually, it is verified when getting its issuer certificate (CertGetIssuerCertificateFromStore).
/// For extended error information, call GetLastError. One possible error code is the following.
///
///
/// Return code
/// Description
///
/// -
/// CRYPT_E_NOT_FOUND
/// The subject certificate was not found in the store.
///
///
///
///
/// CertDuplicateCertificateContext can be called to make a duplicate certificate.
/// Examples
///
/// The following example shows retrieving a subject's certificate context, uniquely identified by its issuer and serial number,
/// from the certificate store. For an example that includes the complete context for this example, see Example C Program: Signing,
/// Encoding, Decoding, and Verifying a Message.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetsubjectcertificatefromstore PCCERT_CONTEXT
// CertGetSubjectCertificateFromStore( HCERTSTORE hCertStore, DWORD dwCertEncodingType, PCERT_INFO pCertId );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "61d73501-91b1-4498-b1a3-17392360c700")]
public static extern SafePCCERT_CONTEXT CertGetSubjectCertificateFromStore(HCERTSTORE hCertStore, CertEncodingType dwCertEncodingType, in CERT_INFO pCertId);
///
/// The CertGetValidUsages function returns an array of usages that consist of the intersection of the valid usages for all
/// certificates in an array of certificates.
///
/// The number of certificates in the array to be checked.
/// An array of certificates to be checked for valid usage.
///
/// The number of valid usages found as the intersection of the valid usages of all certificates in the array. If all of the
/// certificates are valid for all usages, cNumOIDs is set to negative one (–1).
///
///
/// An array of the object identifiers (OIDs) of the valid usages that are shared by all of the certificates in the rghCerts array.
/// This parameter can be NULL to set the size of this structure for memory allocation purposes. For more information, see
/// Retrieving Data of Unknown Length.
///
///
/// A pointer to a DWORD value that specifies the size, in bytes, of the rghOIDs array and the strings pointed to. When the
/// function returns, the DWORD value contains the number of bytes needed for the array.
///
///
/// If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. For extended error
/// information, call GetLastError.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetvalidusages BOOL CertGetValidUsages( DWORD cCerts,
// PCCERT_CONTEXT *rghCerts, int *cNumOIDs, LPSTR *rghOIDs, DWORD *pcbOIDs );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "1504f166-2fa9-4041-9d72-b150cd8baa8a")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CertGetValidUsages(uint cCerts, [MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 0)] PCCERT_CONTEXT[] rghCerts, out int cNumOIDs, IntPtr rghOIDs, ref uint pcbOIDs);
///
/// The CertOpenServerOcspResponse function opens a handle to an online certificate status protocol (OCSP) response
/// associated with a server certificate chain.
///
/// The address of a CERT_CHAIN_CONTEXT structure that contains the certificate chain.
/// This parameter is not used and must be zero.
/// This parameter is not used and must be NULL.
///
///
/// Returns a handle to the OCSP response associated with a server certificate chain if successful; otherwise, NULL. This
/// handle must be passed to the CertCloseServerOcspResponse function when it is no longer needed.
///
///
/// For extended error information, call GetLastError. Possible error codes returned by the GetLastError function include,
/// but are not limited to, the following.
///
///
///
/// Return code
/// Description
///
/// -
/// ERROR_INVALID_PARAMETER
/// One or more parameters are not valid.
///
/// -
/// CRYPT_E_NOT_IN_REVOCATION_DATABASE
/// The end certificate does not contain an OCSP authority information access (AIA) URL.
///
///
///
///
///
/// The CertOpenServerOcspResponse function tries to retrieve an initial OCSP response before it returns. It blocks its
/// process thread during the retrieval. The CertOpenServerOcspResponse function creates a background thread that prefetches
/// time-valid OCSP responses.
///
///
/// The CertOpenServerOcspResponse function increments the reference count for the chain context represented by the
/// pChainContext parameter. When you have finished using the chain context, close the returned handle by calling the
/// CertCloseServerOcspResponse function.
///
/// The CertOpenServerOcspResponse function initializes configuration settings used by the following functions:
///
/// -
/// CertAddRefServerOcspResponse
///
/// -
/// CertCloseServerOcspResponse
///
/// -
/// CertGetServerOcspResponseContext
///
/// -
/// CertAddRefServerOcspResponseContext
///
/// -
/// CertFreeServerOcspResponseContext
///
///
///
/// First, the CertOpenServerOcspResponse function initializes the settings based on default values in Wincrypt.h. If the
/// function subsequently finds the registry key defined in CERT_CHAIN_CONFIG_REGPATH, it updates the previously initialized
/// values with the registry values.
///
/// The following configuration setting names and default values are initialized by this function:
///
/// -
/// CERT_SRV_OCSP_RESP_MIN_VALIDITY_SECONDS_VALUE_NAME
///
/// -
/// CERT_SRV_OCSP_RESP_MIN_VALIDITY_SECONDS_DEFAULT
///
/// -
/// CERT_SRV_OCSP_RESP_URL_RETRIEVAL_TIMEOUT_MILLISECONDS_VALUE_NAME
///
/// -
/// CERT_SRV_OCSP_RESP_URL_RETRIEVAL_TIMEOUT_MILLISECONDS_DEFAULT
///
/// -
/// CERT_SRV_OCSP_RESP_MAX_BEFORE_NEXT_UPDATE_SECONDS_VALUE_NAME
///
/// -
/// CERT_SRV_OCSP_RESP_MAX_BEFORE_NEXT_UPDATE_SECONDS_DEFAULT
///
/// -
/// CERT_SRV_OCSP_RESP_MIN_BEFORE_NEXT_UPDATE_SECONDS_VALUE_NAME
///
/// -
/// CERT_SRV_OCSP_RESP_MIN_BEFORE_NEXT_UPDATE_SECONDS_DEFAULT
///
/// -
/// CERT_SRV_OCSP_RESP_MIN_AFTER_NEXT_UPDATE_SECONDS_VALUE_NAME
///
/// -
/// CERT_SRV_OCSP_RESP_MIN_AFTER_NEXT_UPDATE_SECONDS_DEFAULT
///
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopenserverocspresponse HCERT_SERVER_OCSP_RESPONSE
// CertOpenServerOcspResponse( PCCERT_CHAIN_CONTEXT pChainContext, DWORD dwFlags, PCERT_SERVER_OCSP_RESPONSE_OPEN_PARA pOpenPara );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "c29d1972-b329-4e32-aead-a038130fb85e")]
public static extern HCERT_SERVER_OCSP_RESPONSE CertOpenServerOcspResponse([In] PCCERT_CHAIN_CONTEXT pChainContext, uint dwFlags = 0, IntPtr pOpenPara = default);
///
/// The CertRetrieveLogoOrBiometricInfo function performs a URL retrieval of logo or biometric information specified in
/// either the szOID_LOGOTYPE_EXT or szOID_BIOMETRIC_EXT certificate extension. The szOID_BIOMETRIC_EXT
/// extension (IETF RFC 3739) supports the addition of a signature or a pictorial representation of the human holder of the
/// certificate. The szOID_LOGOTYPE_EXT extension (IETF RFC 3709) supports the addition of organizational pictorial
/// representations in certificates.
///
/// The address of a CERT_CONTEXT structure that contains the certificate.
///
///
/// The address of a null-terminated ANSI string that contains an object identifier (OID) string that identifies the type of
/// information to retrieve.
///
/// This parameter may also contain one of the following predefined values.
///
///
/// Value
/// Meaning
///
/// -
/// CERT_RETRIEVE_ISSUER_LOGO
/// Retrieve the certificate issuer logotype.
///
/// -
/// CERT_RETRIEVE_SUBJECT_LOGO
/// Retrieve the certificate subject logotype.
///
/// -
/// CERT_RETRIEVE_COMMUNITY_LOGO
/// Retrieve the certificate community logotype.
///
/// -
/// CERT_RETRIEVE_BIOMETRIC_PICTURE_TYPE
/// Retrieve the picture associated with the certificate.
///
/// -
/// CERT_RETRIEVE_BIOMETRIC_SIGNATURE_TYPE
/// Retrieve the signature associated with the certificate.
///
///
///
///
/// A set of flags that specify how the information should be retrieved. This parameter is passed as the dwRetrievalFlags in the
/// CryptRetrieveObjectByUrl function.
///
/// The maximum amount of time, in milliseconds, to wait for the retrieval.
/// This parameter is not used and must be zero.
/// This parameter is not used and must be NULL.
///
/// The address of a BYTE pointer that receives the logotype or biometric data. This memory must be freed when it is no
/// longer needed by passing this pointer to the CryptMemFree function.
///
/// The address of a DWORD variable that receives the number of bytes in the ppbData buffer.
///
///
/// The address of a pointer to a null-terminated Unicode string that receives the Multipurpose Internet Mail Extensions (MIME) type
/// of the data. This parameter can be NULL if this information is not needed. This memory must be freed when it is no longer
/// needed by passing this pointer to the CryptMemFree function.
///
///
/// This address always receives NULL for biometric types. You must always ensure that this parameter contains a valid memory
/// address before attempting to access the memory.
///
///
///
/// Returns nonzero if successful or zero otherwise.
///
/// For extended error information, call GetLastError. Possible error codes returned by the GetLastError function include,
/// but are not limited to, the following.
///
///
///
/// Return code
/// Description
///
/// -
/// CRYPT_E_HASH_VALUE
/// The computed hash value does not match the hash value in the certificate.
///
/// -
/// CRYPT_E_NOT_FOUND
///
/// The certificate does not contain the szOID_LOGOTYPE_EXT or szOID_BIOMETRIC_EXT extension, or the specified
/// lpszLogoOrBiometricType was not found.
///
///
/// -
/// E_INVALIDARG
/// One or more parameters are not valid.
///
/// -
/// ERROR_INVALID_DATA
/// No data could be retrieved from the URL specified by the certificate extension.
///
/// -
/// ERROR_NOT_SUPPORTED
/// The certificate does not support the required extension.
///
/// -
/// NTE_BAD_ALGID
/// The hash algorithm OID is unknown.
///
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certretrievelogoorbiometricinfo BOOL
// CertRetrieveLogoOrBiometricInfo( PCCERT_CONTEXT pCertContext, LPCSTR lpszLogoOrBiometricType, DWORD dwRetrievalFlags, DWORD
// dwTimeout, DWORD dwFlags, void *pvReserved, BYTE **ppbData, DWORD *pcbData, LPWSTR *ppwszMimeType );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "35813928-728e-40b7-b627-817d3094eeb1")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CertRetrieveLogoOrBiometricInfo(PCCERT_CONTEXT pCertContext, [In] SafeOID lpszLogoOrBiometricType, CryptRetrievalFlags dwRetrievalFlags,
uint dwTimeout, [Optional] uint dwFlags, [Optional] IntPtr pvReserved, out SafeCryptMem ppbData, out uint pcbData, out SafeCryptMem ppwszMimeType);
/// The CertSelectCertificateChains function retrieves certificate chains based on specified selection criteria.
/// A pointer to the GUID of the certificate selection scenario to use for this call.
///
///
/// Flags for controlling the certificate selection process. This parameter can be a combination of zero or more of the following flags:
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_SELECT_ALLOW_EXPIRED
/// Select expired certificates that meet selection criteria. By default expired certificates are rejected from selection.
///
/// -
/// CERT_SELECT_TRUSTED_ROOT
///
/// Select certificates on which the error bit in the certificate chain trust status is not set to CERT_TRUST_IS_UNTRUSTED_ROOT,
/// CERT_TRUST_IS_PARTIAL_CHAIN, or CERT_TRUST_IS_NOT_TIME_VALID. In addition, certificates that have one of the following invalid
/// constraint errors are not selected:
///
///
/// -
/// CERT_SELECT_DISALLOW_SELFSIGNED
/// Select certificates that are not self-issued and self-signed.
///
/// -
/// CERT_SELECT_HAS_PRIVATE_KEY
/// Select certificates that have a value set for the CERT_KEY_PROV_INFO_PROP_ID property of the certificate.
///
/// -
/// CERT_SELECT_HAS_KEY_FOR_SIGNATURE
///
/// Select certificates on which the value of the dwKeySpec member of the CERT_KEY_PROV_INFO_PROP_ID property is set to
/// AT_SIGNATURE. If this function is being called as part of a CNG enabled application and the dwKeySpec member of the
/// CERT_KEY_PROV_INFO_PROP_ID property is set to -1, select certificates on which the value of the NCRYPT_KEY_USAGE_PROPERTY
/// property of the associated private key has the NCRYPT_ALLOW_SIGNING_FLAG set.
///
///
/// -
/// CERT_SELECT_HAS_KEY_FOR_KEY_EXCHANGE
///
/// Select certificates on which the value of the dwKeySpec member of the CERT_KEY_PROV_INFO_PROP_ID property is set to
/// AT_KEYEXCHANGE. If this function is being called as part of a CNG enabled application and the dwKeySpec member of the
/// CERT_KEY_PROV_INFO_PROP_ID property is set to -1, select certificates on which either NCRYPT_ALLOW_DECRYPT_FLAG or
/// NCRYPT_ALLOW_KEY_AGREEMENT_FLAG is set.
///
///
/// -
/// CERT_SELECT_HARDWARE_ONLY
///
/// Select certificates on which the value of the PP_IMPTYPE property of the associated private key provider is set to either
/// CRYPT_IMPL_HARDWARE or CRYPT_IMPL_REMOVABLE. (For CNG providers, NCRYPT_IMPL_TYPE_PROPERTY property value MUST have either the
/// NCRYPT_IMPL_HARDWARE_FLAG or NCRYPT_IMPL_REMOVABLE_FLAG bit set). If this function is being called as part of a CNG enabled
/// application, select certificates on which the NCRYPT_IMPL_TYPE_PROPERTY property is set to NCRYPT_IMPL_HARDWARE_FLAG or NCRYPT_IMPL_REMOVABLE_FLAG.
///
///
/// -
/// CERT_SELECT_ALLOW_DUPLICATES
///
/// Allow the selection of certificates on which the Subject and Subject Alt Name contain the same information and the certificate
/// template extension value is equivalent. By default when certificates match this criteria, only the most recent certificate is selected.
///
///
///
///
///
///
/// A pointer to a CERT_SELECT_CHAIN_PARA structure to specify parameters for chain building. If NULL, default parameters
/// will be used.
///
///
/// The pChainPara member of the CERT_SELECT_CHAIN_PARA structure points to a CERT_CHAIN_PARA structure that can be used to
/// enable strong signing.
///
///
/// The number of elements in the array pointed to by the rgpCriteria array.
///
/// A pointer to an array of CERT_SELECT_CRITERIA structures that define the selection criteria. If this parameter is set to
/// NULL, the value of the cCriteria parameter must be zero.
///
/// The handle to a store from which to select the certificates.
///
/// A pointer to a DWORD value to receive the number of elements in the array pointed to by the pprgpSelection parameter.
///
///
///
/// A pointer to a pointer to a location to receive an array of CERT_CHAIN_CONTEXT structure. The CertSelectCertificateChains
/// function only returns certificate chains that match all the selection criteria. The entries in the array are ordered by quality,
/// i.e. the chain with the highest quality is the first entry.
///
///
/// Storage for the array is allocated by the CertSelectCertificateChains function. To free the allocated memory you must
/// first release each individual chain context in the array by calling the CertFreeCertificateChain function. Then you must free
/// the memory by calling the CertFreeCertificateChainList function.
///
///
///
/// If the function succeeds, the function returns TRUE.
/// If the function fails, it returns zero (FALSE). For extended error information, call the GetLastError function.
///
/// Note If the selection does not yield any results, the CertSelectCertificateChains function returns TRUE,
/// but the value pointed to by pcSelection parameter is set to zero.
///
///
///
///
/// Selection criteria can be specified through either the dwFlags parameter, through the rgpCriteria parameter, or through both
/// parameters. If no selection criteria are specified, the function succeeds and returns certificate chains for all certificates in
/// the store specified by the hStore parameter.
///
/// Certificate chains that are selected are ordered based on the following preference logic:
///
/// -
/// Prefer certificates that are smart card certificates over certificates that are not smart-card based.
///
/// -
/// Prefer certificates that have a longer validity period (the expiration date is later.)
///
/// -
/// If multiple certificates have same expiration date, prefer certificates that were issued more recently.
///
/// -
/// If there is a tie, prefer shorter chains.
///
///
///
/// Certain selection criteria require that a certificate chain be built before you can select that criteria for use. If the
/// intermediate certificates required to build the chain are not available locally, a network retrieval is performed for the issuer
/// certificates. This network retrieval is performed if the CERT_SELECT_TRUSTED_ROOT flag is set or for the following criteria:
///
///
/// -
/// CERT_SELECT_BY_ISSUER_NAME
///
/// -
/// CERT_SELECT_BY_ISSUER_ATTR
///
/// -
/// CERT_SELECT_BY_POLICY_OID
///
///
/// Perform the following actions to enable strong signature checking:
///
/// -
///
/// Create a CERT_STRONG_SIGN_PARA structure, specify the required strong signing parameters, and set a pointer to the structure in
/// the pStrongSignPara member of a CERT_CHAIN_PARA structure.
///
///
/// -
/// Set a pointer to the CERT_CHAIN_PARA structure in the pChainPara member of a CERT_SELECT_CHAIN_PARA structure.
///
/// -
/// Set a pointer to the CERT_SELECT_CHAIN_PARA structure in the pChainParameters parameter of this ( CertSelectCertificateChains)function.
///
///
///
/// When you enable strong signature checking, any certificate chain that returns a CERT_TRUST_IS_NOT_SIGNATURE_VALID error
/// in the dwErrorStatus field of the CERT_TRUST_STATUS structure will be skipped. (The pprgpSelection parameter points to a
/// CERT_CHAIN_CONTEXT structure which, in turn, points to the CERT_TRUST_STATUS structure.) The
/// CERT_TRUST_HAS_WEAK_SIGNATURE value is also set for a weak signature.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certselectcertificatechains BOOL
// CertSelectCertificateChains( LPCGUID pSelectionContext, DWORD dwFlags, PCCERT_SELECT_CHAIN_PARA pChainParameters, DWORD
// cCriteria, PCCERT_SELECT_CRITERIA rgpCriteria, HCERTSTORE hStore, PDWORD pcSelection, PCCERT_CHAIN_CONTEXT **pprgpSelection );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "b740772b-d25b-4b3d-9acb-03f7018750d6")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CertSelectCertificateChains(in Guid pSelectionContext, CertSelection dwFlags, [Optional] IntPtr pChainParameters, uint cCriteria, [In, Optional, MarshalAs(UnmanagedType.LPArray)] CERT_SELECT_CRITERIA[] rgpCriteria,
HCERTSTORE hStore, out uint pcSelection, out IntPtr pprgpSelection);
/// The CertSelectCertificateChains function retrieves certificate chains based on specified selection criteria.
/// A pointer to the GUID of the certificate selection scenario to use for this call.
///
///
/// Flags for controlling the certificate selection process. This parameter can be a combination of zero or more of the following flags:
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_SELECT_ALLOW_EXPIRED
/// Select expired certificates that meet selection criteria. By default expired certificates are rejected from selection.
///
/// -
/// CERT_SELECT_TRUSTED_ROOT
///
/// Select certificates on which the error bit in the certificate chain trust status is not set to CERT_TRUST_IS_UNTRUSTED_ROOT,
/// CERT_TRUST_IS_PARTIAL_CHAIN, or CERT_TRUST_IS_NOT_TIME_VALID. In addition, certificates that have one of the following invalid
/// constraint errors are not selected:
///
///
/// -
/// CERT_SELECT_DISALLOW_SELFSIGNED
/// Select certificates that are not self-issued and self-signed.
///
/// -
/// CERT_SELECT_HAS_PRIVATE_KEY
/// Select certificates that have a value set for the CERT_KEY_PROV_INFO_PROP_ID property of the certificate.
///
/// -
/// CERT_SELECT_HAS_KEY_FOR_SIGNATURE
///
/// Select certificates on which the value of the dwKeySpec member of the CERT_KEY_PROV_INFO_PROP_ID property is set to
/// AT_SIGNATURE. If this function is being called as part of a CNG enabled application and the dwKeySpec member of the
/// CERT_KEY_PROV_INFO_PROP_ID property is set to -1, select certificates on which the value of the NCRYPT_KEY_USAGE_PROPERTY
/// property of the associated private key has the NCRYPT_ALLOW_SIGNING_FLAG set.
///
///
/// -
/// CERT_SELECT_HAS_KEY_FOR_KEY_EXCHANGE
///
/// Select certificates on which the value of the dwKeySpec member of the CERT_KEY_PROV_INFO_PROP_ID property is set to
/// AT_KEYEXCHANGE. If this function is being called as part of a CNG enabled application and the dwKeySpec member of the
/// CERT_KEY_PROV_INFO_PROP_ID property is set to -1, select certificates on which either NCRYPT_ALLOW_DECRYPT_FLAG or
/// NCRYPT_ALLOW_KEY_AGREEMENT_FLAG is set.
///
///
/// -
/// CERT_SELECT_HARDWARE_ONLY
///
/// Select certificates on which the value of the PP_IMPTYPE property of the associated private key provider is set to either
/// CRYPT_IMPL_HARDWARE or CRYPT_IMPL_REMOVABLE. (For CNG providers, NCRYPT_IMPL_TYPE_PROPERTY property value MUST have either the
/// NCRYPT_IMPL_HARDWARE_FLAG or NCRYPT_IMPL_REMOVABLE_FLAG bit set). If this function is being called as part of a CNG enabled
/// application, select certificates on which the NCRYPT_IMPL_TYPE_PROPERTY property is set to NCRYPT_IMPL_HARDWARE_FLAG or NCRYPT_IMPL_REMOVABLE_FLAG.
///
///
/// -
/// CERT_SELECT_ALLOW_DUPLICATES
///
/// Allow the selection of certificates on which the Subject and Subject Alt Name contain the same information and the certificate
/// template extension value is equivalent. By default when certificates match this criteria, only the most recent certificate is selected.
///
///
///
///
///
///
/// A pointer to a CERT_SELECT_CHAIN_PARA structure to specify parameters for chain building. If NULL, default parameters
/// will be used.
///
///
/// The pChainPara member of the CERT_SELECT_CHAIN_PARA structure points to a CERT_CHAIN_PARA structure that can be used to
/// enable strong signing.
///
///
/// The number of elements in the array pointed to by the rgpCriteria array.
///
/// A pointer to an array of CERT_SELECT_CRITERIA structures that define the selection criteria. If this parameter is set to
/// NULL, the value of the cCriteria parameter must be zero.
///
/// The handle to a store from which to select the certificates.
///
/// A pointer to a DWORD value to receive the number of elements in the array pointed to by the pprgpSelection parameter.
///
///
///
/// A pointer to a pointer to a location to receive an array of CERT_CHAIN_CONTEXT structure. The CertSelectCertificateChains
/// function only returns certificate chains that match all the selection criteria. The entries in the array are ordered by quality,
/// i.e. the chain with the highest quality is the first entry.
///
///
/// Storage for the array is allocated by the CertSelectCertificateChains function. To free the allocated memory you must
/// first release each individual chain context in the array by calling the CertFreeCertificateChain function. Then you must free
/// the memory by calling the CertFreeCertificateChainList function.
///
///
///
/// If the function succeeds, the function returns TRUE.
/// If the function fails, it returns zero (FALSE). For extended error information, call the GetLastError function.
///
/// Note If the selection does not yield any results, the CertSelectCertificateChains function returns TRUE,
/// but the value pointed to by pcSelection parameter is set to zero.
///
///
///
///
/// Selection criteria can be specified through either the dwFlags parameter, through the rgpCriteria parameter, or through both
/// parameters. If no selection criteria are specified, the function succeeds and returns certificate chains for all certificates in
/// the store specified by the hStore parameter.
///
/// Certificate chains that are selected are ordered based on the following preference logic:
///
/// -
/// Prefer certificates that are smart card certificates over certificates that are not smart-card based.
///
/// -
/// Prefer certificates that have a longer validity period (the expiration date is later.)
///
/// -
/// If multiple certificates have same expiration date, prefer certificates that were issued more recently.
///
/// -
/// If there is a tie, prefer shorter chains.
///
///
///
/// Certain selection criteria require that a certificate chain be built before you can select that criteria for use. If the
/// intermediate certificates required to build the chain are not available locally, a network retrieval is performed for the issuer
/// certificates. This network retrieval is performed if the CERT_SELECT_TRUSTED_ROOT flag is set or for the following criteria:
///
///
/// -
/// CERT_SELECT_BY_ISSUER_NAME
///
/// -
/// CERT_SELECT_BY_ISSUER_ATTR
///
/// -
/// CERT_SELECT_BY_POLICY_OID
///
///
/// Perform the following actions to enable strong signature checking:
///
/// -
///
/// Create a CERT_STRONG_SIGN_PARA structure, specify the required strong signing parameters, and set a pointer to the structure in
/// the pStrongSignPara member of a CERT_CHAIN_PARA structure.
///
///
/// -
/// Set a pointer to the CERT_CHAIN_PARA structure in the pChainPara member of a CERT_SELECT_CHAIN_PARA structure.
///
/// -
/// Set a pointer to the CERT_SELECT_CHAIN_PARA structure in the pChainParameters parameter of this ( CertSelectCertificateChains)function.
///
///
///
/// When you enable strong signature checking, any certificate chain that returns a CERT_TRUST_IS_NOT_SIGNATURE_VALID error
/// in the dwErrorStatus field of the CERT_TRUST_STATUS structure will be skipped. (The pprgpSelection parameter points to a
/// CERT_CHAIN_CONTEXT structure which, in turn, points to the CERT_TRUST_STATUS structure.) The
/// CERT_TRUST_HAS_WEAK_SIGNATURE value is also set for a weak signature.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certselectcertificatechains BOOL
// CertSelectCertificateChains( LPCGUID pSelectionContext, DWORD dwFlags, PCCERT_SELECT_CHAIN_PARA pChainParameters, DWORD
// cCriteria, PCCERT_SELECT_CRITERIA rgpCriteria, HCERTSTORE hStore, PDWORD pcSelection, PCCERT_CHAIN_CONTEXT **pprgpSelection );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "b740772b-d25b-4b3d-9acb-03f7018750d6")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CertSelectCertificateChains([Optional] IntPtr pSelectionContext, CertSelection dwFlags, [Optional] IntPtr pChainParameters, uint cCriteria, [In, Optional, MarshalAs(UnmanagedType.LPArray)] CERT_SELECT_CRITERIA[] rgpCriteria,
HCERTSTORE hStore, out uint pcSelection, out IntPtr pprgpSelection);
///
/// The CertSerializeCertificateStoreElement function serializes a certificate context's encoded certificate and its encoded
/// properties. The result can be persisted to storage so that the certificate and properties can be retrieved at a later time.
///
/// A pointer to the CERT_CONTEXT to be serialized.
/// Reserved for future use and must be zero.
///
/// A pointer to a buffer that receives the serialized output, including the encoded certificate and possibly its properties.
///
/// This parameter can be NULL to set the size of this information for memory allocation purposes. For more information, see
/// Retrieving Data of Unknown Length.
///
///
///
///
/// A pointer to a DWORD value specifying the size, in bytes, of the buffer pointed to by the pbElement parameter. When the
/// function returns, DWORD value contains the number of bytes stored in the buffer.
///
///
/// Note When processing the data returned in the buffer, applications must use the actual size of the data returned. The
/// actual size can be slightly smaller than the size of the buffer specified on input. (On input, buffer sizes are usually
/// specified large enough to ensure that the largest possible output data fits in the buffer.) On output, the variable pointed to
/// by this parameter is updated to reflect the actual size of the data copied to the buffer.
///
///
///
/// If the function succeeds, the return value is TRUE.
/// If the function fails, the return value is FALSE. For extended error information, call GetLastError.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certserializecertificatestoreelement BOOL
// CertSerializeCertificateStoreElement( PCCERT_CONTEXT pCertContext, DWORD dwFlags, BYTE *pbElement, DWORD *pcbElement );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "104fc986-6344-41b7-8843-23c3c72405a2")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CertSerializeCertificateStoreElement(PCCERT_CONTEXT pCertContext, [Optional] uint dwFlags, [In, Out, Optional] IntPtr pbElement, ref uint pcbElement);
///
/// The CertVerifySubjectCertificateContext function performs the enabled verification checks on a certificate by checking
/// the validity of the certificate's issuer. The new Certificate Chain Verification Functions are recommended instead of this function.
///
/// A pointer to a CERT_CONTEXT structure containing the subject's certificate.
///
/// A pointer to a CERT_CONTEXT containing the issuer's certificate. When checking just CERT_STORE_TIME_VALIDITY_FLAG, pIssuer can
/// be NULL.
///
///
///
/// A pointer to a DWORD value contain verification check flags. The following flags can be set to enable verification checks
/// on the subject certificate. They can be combined using a bitwise- OR operation to enable multiple verifications.
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_STORE_REVOCATION_FLAG
/// Checks whether the subject certificate is on the issuer's revocation list.
///
/// -
/// CERT_STORE_SIGNATURE_FLAG
/// Uses the public key in the issuer's certificate to verify the signature on the subject certificate.
///
/// -
/// CERT_STORE_TIME_VALIDITY_FLAG
/// Gets the current time and verifies that it is within the subject certificate's validity period.
///
///
/// If an enabled verification check succeeds, its flag is set to zero. If it fails, then its flag is set upon return.
///
/// If CERT_STORE_REVOCATION_FLAG was enabled and the issuer does not have a CRL in the store, then CERT_STORE_NO_CRL_FLAG is set in
/// addition to CERT_STORE_REVOCATION_FLAG.
///
///
///
/// If the function succeeds, the return value is TRUE.
/// If the function fails, the return value is FALSE.
///
/// For a verification check failure, TRUE is still returned. FALSE is returned only when a bad parameter is passed in.
///
/// For extended error information, call GetLastError. One possible error code is the following.
///
///
/// Return code
/// Description
///
/// -
/// E_INVALIDARG
///
/// An unsupported bit was set in pdwFlags. Any combination of CERT_STORE_SIGNATURE_FLAG, CERT_STORE_TIME_VALIDITY_FLAG, and
/// CERT_STORE_REVOCATION_FLAG can be set. If pIssuer is NULL, only CERT_STORE_TIME_VALIDITY_FLAG can be set.
///
///
///
///
///
///
/// The hexadecimal value of the flags can be combined using bitwise- OR operations to enable multiple verifications. For
/// example, to enable both signature and time validity, the value
///
///
/// is placed in the pdwFlags DWORD value as an input parameter. If CERT_STORE_SIGNATURE_FLAG verification succeeds, but
/// CERT_STORE_TIME_VALIDITY_FLAG verification fails, pdwFlags is set to CERT_STORE_TIME_VALIDITY_FLAG when the function returns.
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certverifysubjectcertificatecontext BOOL
// CertVerifySubjectCertificateContext( PCCERT_CONTEXT pSubject, PCCERT_CONTEXT pIssuer, DWORD *pdwFlags );
[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
[PInvokeData("wincrypt.h", MSDNShortId = "063b19cf-d3b3-4ec3-bfd3-9406eecd3e10")]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CertVerifySubjectCertificateContext(PCCERT_CONTEXT pSubject, PCCERT_CONTEXT pIssuer, ref CertStoreVerification pdwFlags);
///
/// The CERT_CHAIN_CONTEXT structure contains an array of simple certificate chains and a trust status structure that
/// indicates summary validity data on all of the connected simple chains.
///
///
/// When a CERT_CHAIN_CONTEXT is built, the first simple chain begins with an end certificate and ends with a self-signed
/// certificate. If that self-signed certificate is not a root or otherwise trusted certificate, an attempt is made to build a new
/// chain. CTLs are used to create the new chain beginning with the self-signed certificate from the original chain as the end
/// certificate of the new chain. This process continues building additional simple chains until the first self-signed certificate
/// is a trusted certificate or until an additional simple chain cannot be built.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_chain_context typedef struct _CERT_CHAIN_CONTEXT {
// DWORD cbSize; CERT_TRUST_STATUS TrustStatus; DWORD cChain; PCERT_SIMPLE_CHAIN *rgpChain; DWORD cLowerQualityChainContext;
// PCCERT_CHAIN_CONTEXT *rgpLowerQualityChainContext; BOOL fHasRevocationFreshnessTime; DWORD dwRevocationFreshnessTime; DWORD
// dwCreateFlags; GUID ChainId; } CERT_CHAIN_CONTEXT, *PCERT_CHAIN_CONTEXT;
[PInvokeData("wincrypt.h", MSDNShortId = "609311f4-9cd6-4945-9f93-7266b3fc4a74")]
[StructLayout(LayoutKind.Sequential)]
public struct CERT_CHAIN_CONTEXT
{
/// The size, in bytes, of this structure.
public uint cbSize;
///
/// A structure that indicates the combined trust status of the simple chains array. The structure includes an error status code
/// and an information status code. For information about status code values, see CERT_TRUST_STATUS.
///
public CERT_TRUST_STATUS TrustStatus;
/// The number of simple chains in the array.
public uint cChain;
///
/// An array of pointers to simple chain structures. rgpChain[0] is the end certificate simple chain, and
/// rgpChain[ cChain–1] is the final chain. If the end certificate is to be considered valid, the final chain must
/// begin with a certificate contained in the root store or an otherwise trusted, self-signed certificate. If the original chain
/// begins with a trusted certificate, there will be only a single simple chain in the array.
///
public IntPtr rgpChain;
/// The number of chains in the rgpLowerQualityChainContext array.
public uint cLowerQualityChainContext;
///
/// An array of pointers to CERT_CHAIN_CONTEXT structures. Returned when CERT_CHAIN_RETURN_LOWER_QUALITY_CONTEXTS is set in dwFlags.
///
public IntPtr rgpLowerQualityChainContext;
/// A Boolean value set to TRUE if dwRevocationFreshnessTime is available.
[MarshalAs(UnmanagedType.Bool)] public bool fHasRevocationFreshnessTime;
///
/// The largest CurrentTime, in seconds, minus the certificate revocation list's (CRL's) ThisUpdate of all elements checked.
///
public uint dwRevocationFreshnessTime;
///
public uint dwCreateFlags;
///
public Guid ChainId;
/// Gets the chain from .
public unsafe CERT_SIMPLE_CHAIN*[] GetChain()
{
var ret = new CERT_SIMPLE_CHAIN*[(int)cChain];
for (int i = 0; i < cChain; i++)
ret[i] = ((CERT_SIMPLE_CHAIN**)rgpChain)[i];
return ret;
}
/// Gets the contexts from .
public unsafe CERT_CHAIN_CONTEXT*[] GetLowerQualityChainContext()
{
var ret = new CERT_CHAIN_CONTEXT*[(int)cLowerQualityChainContext];
for (int i = 0; i < cLowerQualityChainContext; i++)
ret[i] = ((CERT_CHAIN_CONTEXT**)rgpLowerQualityChainContext)[i];
return ret;
}
}
///
/// The CERT_CHAIN_ELEMENT structure is a single element in a simple certificate chain. Each element has a pointer to a
/// certificate context, a pointer to a structure that indicates the error status and information status of the certificate, and a
/// pointer to a structure that indicates the revocation status of the certificate.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_chain_element typedef struct _CERT_CHAIN_ELEMENT {
// DWORD cbSize; PCCERT_CONTEXT pCertContext; CERT_TRUST_STATUS TrustStatus; PCERT_REVOCATION_INFO pRevocationInfo;
// PCERT_ENHKEY_USAGE pIssuanceUsage; PCERT_ENHKEY_USAGE pApplicationUsage; LPCWSTR pwszExtendedErrorInfo; } CERT_CHAIN_ELEMENT, *PCERT_CHAIN_ELEMENT;
[PInvokeData("wincrypt.h", MSDNShortId = "a1f6ba18-63ef-43ac-a17f-900fa13398aa")]
[StructLayout(LayoutKind.Sequential)]
public struct CERT_CHAIN_ELEMENT
{
/// Size of this structure in bytes.
public uint cbSize;
/// A pointer to a certificate context.
public PCCERT_CONTEXT pCertContext;
///
/// Structure indicating the status of the certificate. The structure includes an error status code and an information status
/// code. For information about status code values, see CERT_TRUST_STATUS.
///
public CERT_TRUST_STATUS TrustStatus;
///
/// A pointer to a CERT_REVOCATION_INFO structure with information on the revocation status of the certificate. If revocation
/// checking was not enabled, pRevocationInfo is NULL.
///
public IntPtr pRevocationInfo;
/// A pointer to a CERT_ENHKEY_USAGE structure. If NULL, any issuance policy is acceptable.
public IntPtr pIssuanceUsage;
/// A pointer to a CERT_ENHKEY_USAGE structure. If NULL, any enhanced key usage is acceptable.
public IntPtr pApplicationUsage;
///
/// A pointer to a null-terminated wide character string that contains extended error information. If NULL, there
/// is no extended error information.
///
public StrPtrUni pwszExtendedErrorInfo;
}
///
/// Contains information updated by a certificate revocation list (CRL) revocation type handler. The CERT_REVOCATION_CRL_INFO
/// structure is used with both base and delta CRLs.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_revocation_crl_info typedef struct
// _CERT_REVOCATION_CRL_INFO { DWORD cbSize; PCCRL_CONTEXT pBaseCrlContext; PCCRL_CONTEXT pDeltaCrlContext; PCRL_ENTRY pCrlEntry;
// BOOL fDeltaCrlEntry; } CERT_REVOCATION_CRL_INFO, *PCERT_REVOCATION_CRL_INFO;
[PInvokeData("wincrypt.h", MSDNShortId = "069ff521-90fd-4de8-9b5c-045e44e87f75")]
[StructLayout(LayoutKind.Sequential)]
public struct CERT_REVOCATION_CRL_INFO
{
/// Size, in bytes, of the structure.
public uint cbSize;
///
public PCCRL_CONTEXT pBaseCrlContext;
///
public PCCRL_CONTEXT pDeltaCrlContext;
/// A pointer to an entry in either the base CRL or the delta CRL.
public IntPtr pCrlEntry;
///
/// TRUE if pCrlEntry points to an entry in the delta CRL. FALSE if pCrlEntry points to an entry in
/// the base CRL.
///
[MarshalAs(UnmanagedType.Bool)] public bool fDeltaCrlEntry;
}
/// The CERT_REVOCATION_INFO structure indicates the revocation status of a certificate in a CERT_CHAIN_ELEMENT.
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_revocation_info typedef struct _CERT_REVOCATION_INFO
// { DWORD cbSize; DWORD dwRevocationResult; LPCSTR pszRevocationOid; LPVOID pvOidSpecificInfo; BOOL fHasFreshnessTime; DWORD
// dwFreshnessTime; PCERT_REVOCATION_CRL_INFO pCrlInfo; } CERT_REVOCATION_INFO, *PCERT_REVOCATION_INFO;
[PInvokeData("wincrypt.h", MSDNShortId = "798aa2d7-bf8a-425f-bc36-98a44ba3a9d6")]
[StructLayout(LayoutKind.Sequential)]
public struct CERT_REVOCATION_INFO
{
/// Size of this structure in bytes.
public uint cbSize;
///
/// Currently defined values are:
///
/// -
/// CERT_TRUST_IS_REVOKED
///
/// -
/// CERT_TRUST_REVOCATION_STATUS_IS_UNKNOWN
///
///
///
public uint dwRevocationResult;
/// Not currently used and is set to NULL.
public StrPtrAnsi pszRevocationOid;
/// Not currently used and is set to NULL.
public IntPtr pvOidSpecificInfo;
/// BOOL set to TRUE if dwFreshnessTime has been updated.
[MarshalAs(UnmanagedType.Bool)] public bool fHasFreshnessTime;
///
/// If fHasFreshnessTime is TRUE, holds the CurrentTime minus the certificate revocation list's (CRL's). This time
/// is in seconds.
///
public uint dwFreshnessTime;
/// For CRL base revocation checking, a non- NULL pointer to a CERT_REVOCATION_CRL_INFO structure.
public IntPtr pCrlInfo;
}
///
/// The CERT_SELECT_CHAIN_PARA structure contains the parameters used for building and selecting chains. This structure is
/// used by the CertGetCertificateChain and CertSelectCertificateChains functions.
///
///
///
/// Trust in a particular certificate being a trusted root is based on the current state of the root store and not the state of the
/// root store at a time passed in by this parameter. For revocation, a certificate revocation list (CRL), itself, must be valid at
/// the current time. The value of this parameter is used to determine whether a certificate listed in a CRL has been revoked.
///
/// The following remarks apply to strong signature checking:
///
/// -
///
/// You can enable strong signature checking by using the CERT_CHAIN_PARA structure referenced by the pChainPara member. The
/// pStrongSignPara member of the CERT_CHAIN_PARA structure points to a CERT_STRONG_SIGN_PARA structure that can be
/// used to determine signature strength.
///
///
/// -
///
/// When you enable strong checking and a weak signature is encountered, the CERT_TRUST_IS_NOT_SIGNATURE_VALID and
/// CERT_TRUST_HAS_WEAK_SIGNATURE errors are set in the dwErrorStatus field of the CERT_TRUST_STATUS structure.
///
///
///
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_select_chain_para typedef struct
// _CERT_SELECT_CHAIN_PARA { HCERTCHAINENGINE hChainEngine; PFILETIME pTime; HCERTSTORE hAdditionalStore; PCERT_CHAIN_PARA
// pChainPara; DWORD dwFlags; } CERT_SELECT_CHAIN_PARA, *PCERT_SELECT_CHAIN_PARA;
[PInvokeData("wincrypt.h", MSDNShortId = "55c6c063-2a65-40ad-8d3f-7723b83cf021")]
[StructLayout(LayoutKind.Sequential)]
public struct CERT_SELECT_CHAIN_PARA
{
///
/// The handle of the chain engine to use to build the chain. If the value of the hChainEngine parameter is NULL, the
/// default chain engine, HCCE_CURRENT_USER, is used.
///
public HCERTCHAINENGINE hChainEngine;
///
///
/// A pointer to a FILETIME structure that contains the time for which the chain is to be validated. If the value of the pTime
/// parameter is NULL, the current system time is passed to this parameter.
///
/// Note The time does not affect trust list, revocation, or root store checking.
///
public IntPtr pTime;
///
/// The handle of any additional store to search for supporting certificates and certificate trust lists (CTLs). This parameter
/// can be NULL if no additional store is to be searched.
///
public HCERTSTORE hAdditionalStore;
/// A pointer to a CERT_CHAIN_PARA structure that includes chain-building parameters.
public IntPtr pChainPara;
///
/// Flag values that indicate special processing during chain build.
///
///
/// Value
/// Meaning
///
/// -
/// CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY 0x00000004
/// Revocation checking only accesses cached URLs.
///
/// -
/// CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL 0x80000000
/// Use only cached URLs in building a certificate chain. The Internet and intranet are not searched for URL-based objects.
///
///
///
public uint dwFlags;
}
///
/// The CERT_SELECT_CRITERIA structure specifies selection criteria that is passed to the CertSelectCertificateChains function.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_select_criteria typedef struct _CERT_SELECT_CRITERIA
// { DWORD dwType; DWORD cPara; void **ppPara; } CERT_SELECT_CRITERIA, *PCERT_SELECT_CRITERIA;
[PInvokeData("wincrypt.h", MSDNShortId = "246722a9-5db6-4a82-8f29-f60f0a2263e3")]
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
public struct CERT_SELECT_CRITERIA
{
///
///
/// Specifies the type of selection criteria used for the ppPara member. This member can have one of the following values.
///
///
///
/// Value
/// Meaning
///
/// -
/// CERT_SELECT_BY_ENHKEY_USAGE 1
///
/// Select certificates based on a specific enhanced key usage. When this flag is set, the ppPara must reference a
/// null-terminated object identifier (OID) ANSI string that specifies the enhanced key usage. This criteria is evaluated on the certificate.
///
///
/// -
/// CERT_SELECT_BY_KEY_USAGE 2
///
/// Select certificates based on a specific szOID_KEY_USAGE extension in the certificate. When this flag is set, the ppPara
/// member must reference a CERT_EXTENSION structure where the value of the extension is a DWORD that identifies the Key Usage
/// bits. This criteria is evaluated on the certificate.
///
///
/// -
/// CERT_SELECT_BY_POLICY_OID 3
///
/// Select certificates based on a specific issuance policy. The ppPara member must reference a null-terminated OID ANSI string
/// of the desired issuance policy. This criteria is evaluated on the issuance policy of the certificate chain.
///
///
/// -
/// CERT_SELECT_BY_PROV_NAME 4
///
/// Select certificates based on a specific private key provider. The ppPara member must reference a null-terminated Unicode
/// string that represents the name of the provider.
///
///
/// -
/// CERT_SELECT_BY_EXTENSION 5
///
/// Select certificates based on the presence of a specified extension and an optional specified value. The ppPara member must
/// reference a CERT_EXTENSION structure that specifies the extension OID and the associated value.
///
///
/// -
/// CERT_SELECT_BY_SUBJECT_HOST_NAME 6
///
/// Select certificates based on the Subject DNS HOST Name. The ppPara member must reference a null-terminated Unicode string
/// that contains the subject host name. The selection performed based on this flag is the same as the evaluation of the
/// pwszServerName member of the SSL_EXTRA_CERT_CHAIN_POLICY_PARA structure during a call to the
/// CertVerifyCertificateChainPolicy function. This criteria is evaluated on the certificate.
///
///
/// -
/// CERT_SELECT_BY_ISSUER_ATTR 7
///
/// Select certificates based on the relative distinguished name (RDN) element of the issuer of the certificate. The ppPara
/// member must reference a CERT_RDN structure that contains the RDN element of the issuer. This criteria is evaluated on the
/// certificate chain.
///
///
/// -
/// CERT_SELECT_BY_SUBJECT_ATTR 8
///
/// Select certificates based on the RDN element in the Subject of the certificate. The ppPara member must be a reference to a
/// CERT_RDN structure that contains the RDN element of the Subject. This criteria is evaluated on the certificate.
///
///
/// -
/// CERT_SELECT_BY_ISSUER_NAME 9
///
/// Select certificates based on the issuer of the certificate. The ppPara member must be a reference to a CERT_NAME_BLOB
/// structure that contains the name of the issuer. This criteria is evaluated on the certificate chain.
///
///
/// -
/// CERT_SELECT_BY_PUBLIC_KEY 10
///
/// Select certificates based on the public key of the certificate. The ppPara member must reference a pointer to a
/// CERT_PUBLIC_KEY_INFO structure that contains the public key. This criteria is evaluated on the certificate.
///
///
/// -
/// CERT_SELECT_BY_TLS_SIGNATURES 11
///
/// Select certificates based on the Transport Layer Security protocol (TLS) Signature requirement. The ppPara member must
/// reference a SecPkgContext_SupportedSignatures structure. This criteria is evaluated on the certificate.
///
///
///
///
public CertSelectBy dwType;
/// A DWORD value that specifies the number of search attributes specified in the ppPara member.
public uint cPara;
///
/// A pointer to a pointer to one or more selection values. The data type depends on the selection type specified by the
/// dwType member. If more than one selection value is present, an application must match only one value.
///
public IntPtr ppPara;
}
///
/// The CERT_SIMPLE_CHAIN structure contains an array of chain elements and a summary trust status for the chain that the
/// array represents.
///
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_simple_chain typedef struct _CERT_SIMPLE_CHAIN {
// DWORD cbSize; CERT_TRUST_STATUS TrustStatus; DWORD cElement; PCERT_CHAIN_ELEMENT *rgpElement; PCERT_TRUST_LIST_INFO
// pTrustListInfo; BOOL fHasRevocationFreshnessTime; DWORD dwRevocationFreshnessTime; } CERT_SIMPLE_CHAIN, *PCERT_SIMPLE_CHAIN;
[PInvokeData("wincrypt.h", MSDNShortId = "c130cab4-bf8d-429a-beb7-04cb5d37d466")]
[StructLayout(LayoutKind.Sequential)]
public struct CERT_SIMPLE_CHAIN
{
/// The size, in bytes, of this structure.
public uint cbSize;
///
/// A structure that indicates the trust status of the whole chain. The structure includes an error status code and an
/// information status code. For information about status code values, see CERT_TRUST_STATUS.
///
public CERT_TRUST_STATUS TrustStatus;
/// The number of CERT_CHAIN_ELEMENT structures in the array.
public uint cElement;
///
/// An array of pointers to CERT_CHAIN_ELEMENT structures. rgpElement[0] is the end certificate chain element.
/// rgpElement[ cElement–1] is the self-signed "root" certificate element.
///
public IntPtr rgpElement;
///
/// A pointer to a CERT_TRUST_LIST_INFO structure that contains a pointer to a certificate trust list (CTL) connecting this
/// chain to a next certificate chain. If the current chain is the final chain, pTrustListInfo is NULL.
///
public IntPtr pTrustListInfo;
/// BOOL. If TRUE, dwRevocationFreshnessTime has been calculated.
[MarshalAs(UnmanagedType.Bool)] public bool fHasRevocationFreshnessTime;
///
/// The age of a certificate revocation list (CRL) in seconds, calculated as the CurrentTime minus the CRL's ThisUpdate time.
/// This values is the largest time across all elements checked.
///
public uint dwRevocationFreshnessTime;
/// Gets the elements from .
public unsafe CERT_CHAIN_ELEMENT*[] GetElements()
{
var ret = new CERT_CHAIN_ELEMENT*[(int)cElement];
for (int i = 0; i < cElement; i++)
ret[i] = ((CERT_CHAIN_ELEMENT**)rgpElement)[i];
return ret;
}
}
/// The CERT_TRUST_LIST_INFO structure that indicates valid usage of a CTL.
// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_trust_list_info typedef struct _CERT_TRUST_LIST_INFO
// { DWORD cbSize; PCTL_ENTRY pCtlEntry; PCCTL_CONTEXT pCtlContext; } CERT_TRUST_LIST_INFO, *PCERT_TRUST_LIST_INFO;
[PInvokeData("wincrypt.h", MSDNShortId = "774f5626-9b48-4585-b713-adbf191861cc")]
[StructLayout(LayoutKind.Sequential)]
public struct CERT_TRUST_LIST_INFO
{
/// Size of this structure in bytes.
public uint cbSize;
///
/// A pointer to a structure that includes a subject identifier, the count of attributes associated with a CTL, and an array of
/// those attributes.
///
public IntPtr pCtlEntry;
/// A pointer to a CTL context.
public PCCTL_CONTEXT pCtlContext;
}
/// Provides a handle to an online certificate status protocol (OCSP) response.
[StructLayout(LayoutKind.Sequential)]
public struct HCERT_SERVER_OCSP_RESPONSE : IHandle
{
private IntPtr handle;
/// Initializes a new instance of the struct.
/// An object that represents the pre-existing handle to use.
public HCERT_SERVER_OCSP_RESPONSE(IntPtr preexistingHandle) => handle = preexistingHandle;
/// Returns an invalid handle by instantiating a object with .
public static HCERT_SERVER_OCSP_RESPONSE NULL => new HCERT_SERVER_OCSP_RESPONSE(IntPtr.Zero);
/// Gets a value indicating whether this instance is a null handle.
public bool IsNull => handle == IntPtr.Zero;
/// Performs an explicit conversion from to .
/// The handle.
/// The result of the conversion.
public static explicit operator IntPtr(HCERT_SERVER_OCSP_RESPONSE h) => h.handle;
/// Performs an implicit conversion from to .
/// The pointer to a handle.
/// The result of the conversion.
public static implicit operator HCERT_SERVER_OCSP_RESPONSE(IntPtr h) => new HCERT_SERVER_OCSP_RESPONSE(h);
/// Implements the operator !=.
/// The first handle.
/// The second handle.
/// The result of the operator.
public static bool operator !=(HCERT_SERVER_OCSP_RESPONSE h1, HCERT_SERVER_OCSP_RESPONSE h2) => !(h1 == h2);
/// Implements the operator ==.
/// The first handle.
/// The second handle.
/// The result of the operator.
public static bool operator ==(HCERT_SERVER_OCSP_RESPONSE h1, HCERT_SERVER_OCSP_RESPONSE h2) => h1.Equals(h2);
///
public override bool Equals(object obj) => obj is HCERT_SERVER_OCSP_RESPONSE h ? handle == h.handle : false;
///
public override int GetHashCode() => handle.GetHashCode();
///
public IntPtr DangerousGetHandle() => handle;
}
//public static CERT_SELECT_CRITERIA[] CertSelectCertificateChains(in Guid pSelectionContext, HCERTSTORE hStore, CertSelection dwFlags, [Optional] CERT_SELECT_CHAIN_PARA? pChainParameters, [Optional] CERT_SELECT_CRITERIA[] rgpCriteria)
//{
// unsafe
// {
// var cpdef = pChainParameters.GetValueOrDefault();
// if (!CertSelectCertificateChains(pSelectionContext, dwFlags, pChainParameters.HasValue ? &cpdef : null, rgpCriteria?.Length ?? 0, rgpCriteria, hStore, out var cSelections, out var ppSelections))
// throw new Win32Exception();
// var ret = new CERT_CHAIN_CONTEXT[cSelections];
// for (var i = 0; i < cSelections; i++)
// ret[i] = *ppSelections[i];
// return ret;
// }
//}
//[DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)]
//[return: MarshalAs(UnmanagedType.Bool)]
//private static extern unsafe bool CertSelectCertificateChains(in Guid pSelectionContext, CertSelection dwFlags, [In, Optional] CERT_SELECT_CHAIN_PARA* pChainParameters, int cCriteria,
// [In, Optional, MarshalAs(UnmanagedType.LPArray)] CERT_SELECT_CRITERIA[] rgpCriteria, HCERTSTORE hStore, out int pcSelection, out CERT_CHAIN_CONTEXT*[] pprgpSelection);
/// Provides a handle to a Certificate Chain Engine.
[StructLayout(LayoutKind.Sequential)]
public struct HCERTCHAINENGINE : IHandle
{
private IntPtr handle;
/// Initializes a new instance of the struct.
/// An object that represents the pre-existing handle to use.
public HCERTCHAINENGINE(IntPtr preexistingHandle) => handle = preexistingHandle;
/// Returns an invalid handle by instantiating a object with .
public static HCERTCHAINENGINE NULL => new HCERTCHAINENGINE(IntPtr.Zero);
/// Gets a value indicating whether this instance is a null handle.
public bool IsNull => handle == IntPtr.Zero;
/// Performs an explicit conversion from to .
/// The handle.
/// The result of the conversion.
public static explicit operator IntPtr(HCERTCHAINENGINE h) => h.handle;
/// Performs an implicit conversion from to .
/// The pointer to a handle.
/// The result of the conversion.
public static implicit operator HCERTCHAINENGINE(IntPtr h) => new HCERTCHAINENGINE(h);
/// Implements the operator !=.
/// The first handle.
/// The second handle.
/// The result of the operator.
public static bool operator !=(HCERTCHAINENGINE h1, HCERTCHAINENGINE h2) => !(h1 == h2);
/// Implements the operator ==.
/// The first handle.
/// The second handle.
/// The result of the operator.
public static bool operator ==(HCERTCHAINENGINE h1, HCERTCHAINENGINE h2) => h1.Equals(h2);
///
public override bool Equals(object obj) => obj is HCERTCHAINENGINE h ? handle == h.handle : false;
///
public override int GetHashCode() => handle.GetHashCode();
///
public IntPtr DangerousGetHandle() => handle;
}
/// Provides a handle to a CERT_SERVER_OCSP_RESPONSE_CONTEXT.
[StructLayout(LayoutKind.Sequential)]
public struct PCCERT_SERVER_OCSP_RESPONSE_CONTEXT : IHandle
{
private IntPtr handle;
/// Initializes a new instance of the struct.
/// An object that represents the pre-existing handle to use.
public PCCERT_SERVER_OCSP_RESPONSE_CONTEXT(IntPtr preexistingHandle) => handle = preexistingHandle;
///
/// Returns an invalid handle by instantiating a object with .
///
public static PCCERT_SERVER_OCSP_RESPONSE_CONTEXT NULL => new PCCERT_SERVER_OCSP_RESPONSE_CONTEXT(IntPtr.Zero);
/// Gets a value indicating whether this instance is a null handle.
public bool IsNull => handle == IntPtr.Zero;
/// Performs an explicit conversion from to .
/// The handle.
/// The result of the conversion.
public static explicit operator IntPtr(PCCERT_SERVER_OCSP_RESPONSE_CONTEXT h) => h.handle;
/// Performs an implicit conversion from to .
/// The pointer to a handle.
/// The result of the conversion.
public static implicit operator PCCERT_SERVER_OCSP_RESPONSE_CONTEXT(IntPtr h) => new PCCERT_SERVER_OCSP_RESPONSE_CONTEXT(h);
/// Implements the operator !=.
/// The first handle.
/// The second handle.
/// The result of the operator.
public static bool operator !=(PCCERT_SERVER_OCSP_RESPONSE_CONTEXT h1, PCCERT_SERVER_OCSP_RESPONSE_CONTEXT h2) => !(h1 == h2);
/// Implements the operator ==.
/// The first handle.
/// The second handle.
/// The result of the operator.
public static bool operator ==(PCCERT_SERVER_OCSP_RESPONSE_CONTEXT h1, PCCERT_SERVER_OCSP_RESPONSE_CONTEXT h2) => h1.Equals(h2);
///
public override bool Equals(object obj) => obj is PCCERT_SERVER_OCSP_RESPONSE_CONTEXT h ? handle == h.handle : false;
///
public override int GetHashCode() => handle.GetHashCode();
///
public IntPtr DangerousGetHandle() => handle;
}
/// Provides a for that is disposed using .
public class SafePCCERT_CONTEXT : SafeHANDLE
{
/// Represents a NULL handle for . This must be used instead of .
public static readonly SafePCCERT_CONTEXT Null = new SafePCCERT_CONTEXT(IntPtr.Zero, false);
/// Initializes a new instance of the class and assigns an existing handle.
/// An object that represents the pre-existing handle to use.
///
/// to reliably release the handle during the finalization phase; otherwise, (not recommended).
///
public SafePCCERT_CONTEXT(IntPtr preexistingHandle, bool ownsHandle = true) : base(preexistingHandle, ownsHandle) { }
/// Initializes a new instance of the class.
private SafePCCERT_CONTEXT() : base() { }
/// Performs an implicit conversion from to .
/// The safe handle instance.
/// The result of the conversion.
public static implicit operator PCCERT_CONTEXT(SafePCCERT_CONTEXT h) => h.handle;
///
/// Performs an explicit conversion from to .
///
/// The h.
///
/// The resulting instance from the conversion.
///
public static unsafe explicit operator CERT_CONTEXT*(SafePCCERT_CONTEXT h) => (CERT_CONTEXT*)(void*)h.handle;
///
protected override bool InternalReleaseHandle() => CertFreeCertificateContext(handle);
}
///
/// Provides a for that is disposed using .
///
public class SafePCCERT_SERVER_OCSP_RESPONSE_CONTEXT : SafeHANDLE
{
///
/// Initializes a new instance of the class and assigns an existing handle.
///
/// An object that represents the pre-existing handle to use.
///
/// to reliably release the handle during the finalization phase; otherwise, (not recommended).
///
public SafePCCERT_SERVER_OCSP_RESPONSE_CONTEXT(IntPtr preexistingHandle, bool ownsHandle = true) : base(preexistingHandle, ownsHandle) { }
/// Initializes a new instance of the class.
private SafePCCERT_SERVER_OCSP_RESPONSE_CONTEXT() : base() { }
/// Performs an implicit conversion from to .
/// The safe handle instance.
/// The result of the conversion.
public static implicit operator PCCERT_SERVER_OCSP_RESPONSE_CONTEXT(SafePCCERT_SERVER_OCSP_RESPONSE_CONTEXT h) => h.handle;
///
protected override bool InternalReleaseHandle() { CertFreeServerOcspResponseContext(handle); return true; }
}
}
}