using System; using System.Runtime.InteropServices; using System.Security; using Vanara.Extensions; using Vanara.InteropServices; using FILETIME = System.Runtime.InteropServices.ComTypes.FILETIME; namespace Vanara.PInvoke { ///

Methods and data types found in Crypt32.dll.

public static partial class Crypt32 { ///

/// /// [The PCRYPT_DECRYPT_PRIVATE_KEY_FUNC function is available for use in the operating systems specified in the Requirements /// section. It may be altered or unavailable in subsequent versions.] /// /// /// The PCRYPT_DECRYPT_PRIVATE_KEY_FUNC function decrypts the private key and returns the decrypted key in the pbClearTextKey /// parameter. PCRYPT_DECRYPT_PRIVATE_KEY_FUNC is a callback function specified in a CRYPT_PKCS8_IMPORT_PARAMS structure. It /// is used when a CRYPT_ENCRYPTED_PRIVATE_KEY_INFO structure contains a private key that needs to be decrypted. The /// CryptImportPKCS8 function uses this function. The function must be implemented by the developer to suit each application. /// ///

/// /// A CRYPT_ALGORITHM_IDENTIFIER structure that identifies the algorithm used to encrypt the PrivateKeyInfo ASN.1 type found in the /// PKCS #8 standard. /// /// A CRYPT_DATA_BLOB value that identifies the encrypted private key BLOB. /// A buffer to receive the clear text. /// /// The number of bytes of the pClearTextKey buffer. Note: if this is zero then this should be filled in with the size required to /// decrypt the key into, and pClearTextKey should be ignored. /// /// /// An LPVOID value that provides data used in decryption, such as key, initialization vector, and password. /// /// /// If the function succeeds, the function returns nonzero ( TRUE). /// If the function fails, it returns zero ( FALSE). /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nc-wincrypt-pcrypt_decrypt_private_key_func // PCRYPT_DECRYPT_PRIVATE_KEY_FUNC PcryptDecryptPrivateKeyFunc; BOOL PcryptDecryptPrivateKeyFunc( CRYPT_ALGORITHM_IDENTIFIER // Algorithm, CRYPT_DATA_BLOB EncryptedPrivateKey, BYTE *pbClearTextKey, DWORD *pcbClearTextKey, LPVOID pVoidDecryptFunc ) {...} [PInvokeData("wincrypt.h", MSDNShortId = "f59fd46b-5430-4aa2-85ba-961b416dbaac")] [return: MarshalAs(UnmanagedType.Bool)] public delegate bool PCRYPT_DECRYPT_PRIVATE_KEY_FUNC(CRYPT_ALGORITHM_IDENTIFIER Algorithm, CRYPTOAPI_BLOB EncryptedPrivateKey, IntPtr pbClearTextKey, ref uint pcbClearTextKey, IntPtr pVoidDecryptFunc); ///

/// /// [The PCRYPT_ENCRYPT_PRIVATE_KEY_FUNC function is available for use in the operating systems specified in the Requirements /// section. It may be altered or unavailable in subsequent versions.] /// /// /// The PCRYPT_ENCRYPT_PRIVATE_KEY_FUNC function encrypts the private key and returns the encrypted contents in the /// pbEncryptedKey parameter. It is a callback function identified in a CRYPT_PKCS8_EXPORT_PARAMS structure that creates a PKCS #8 /// CRYPT_ENCRYPTED_PRIVATE_KEY_INFO structure. The function must be implemented by the developer to suit each application. /// ///

/// /// /// /// /// /// An LPVOID variable that contains data used for encryption, such as key, initialization vector, and password. /// /// /// If the function succeeds, the function returns nonzero ( TRUE). /// If the function fails, it returns zero ( FALSE). /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nc-wincrypt-pcrypt_encrypt_private_key_func // PCRYPT_ENCRYPT_PRIVATE_KEY_FUNC PcryptEncryptPrivateKeyFunc; BOOL PcryptEncryptPrivateKeyFunc( CRYPT_ALGORITHM_IDENTIFIER // *pAlgorithm, CRYPT_DATA_BLOB *pClearTextPrivateKey, BYTE *pbEncryptedKey, DWORD *pcbEncryptedKey, LPVOID pVoidEncryptFunc ) {...} [PInvokeData("wincrypt.h", MSDNShortId = "aa6b8bca-4f0d-491e-ab38-5c273a01ca05")] [return: MarshalAs(UnmanagedType.Bool)] public delegate bool PCRYPT_ENCRYPT_PRIVATE_KEY_FUNC(ref CRYPT_ALGORITHM_IDENTIFIER pAlgorithm, ref CRYPTOAPI_BLOB pClearTextPrivateKey, IntPtr pbEncryptedKey, ref uint pcbEncryptedKey, IntPtr pVoidEncryptFunc); ///

/// /// [The PCRYPT_RESOLVE_HCRYPTPROV_FUNC function is available for use in the operating systems specified in the Requirements /// section. It may be altered or unavailable in subsequent versions.] /// /// /// The PCRYPT_RESOLVE_HCRYPTPROV_FUNC function returns a handle to a cryptographic service provider (CSP) by using the /// phCryptProv parameter to receive the key being imported. It is a callback function called from the context of the /// CryptImportPKCS8 function. The function must be implemented by the developer to suit each application. /// ///

/// /// Pointer to a CRYPT_PRIVATE_KEY_INFO structure which describes the key being imported and whose PrivateKey field contains the /// encrypted private key blob. /// /// A pointer to a HCRRYPTPROV to be filled in. /// /// The pVoidResolveFunc member passed in by the caller in the CRYPT_PKCS8_IMPORT_PARAMS structure. /// /// /// If the function succeeds, the function returns nonzero ( TRUE). /// If the function fails, it returns zero ( FALSE). /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nc-wincrypt-pcrypt_resolve_hcryptprov_func BOOL // PCRYPT_RESOLVE_HCRYPTPROV_FUNC( CRYPT_PRIVATE_KEY_INFO *pPrivateKeyInfo, HCRYPTPROV *phCryptProv, LPVOID pVoidResolveFunc ); [PInvokeData("wincrypt.h", MSDNShortId = "d3b2b942-bde5-4399-9412-95fe227cd546")] [return: MarshalAs(UnmanagedType.Bool)] public delegate bool PCRYPT_RESOLVE_HCRYPTPROV_FUNC(in CRYPT_PRIVATE_KEY_INFO pPrivateKeyInfo, ref HCRYPTPROV phCryptProv, IntPtr pVoidResolveFunc); ///

The intended key usage.

[PInvokeData("wincrypt.h", MSDNShortId = "d09c3626-f864-4774-8511-3e912f62e520")] [Flags] public enum CertKeyUsage : ushort { ///

CERT_DIGITAL_SIGNATURE_KEY_USAGE = 0x80, ///

CERT_NON_REPUDIATION_KEY_USAGE = 0x40, ///

CERT_KEY_ENCIPHERMENT_KEY_USAGE = 0x20, ///

CERT_DATA_ENCIPHERMENT_KEY_USAGE = 0x10, ///

CERT_KEY_AGREEMENT_KEY_USAGE = 0x08, ///

CERT_KEY_CERT_SIGN_KEY_USAGE = 0x04, ///

CERT_OFFLINE_CRL_SIGN_KEY_USAGE = 0x02, ///

CERT_CRL_SIGN_KEY_USAGE = 0x02, ///

CERT_ENCIPHER_ONLY_KEY_USAGE = 0x01, ///

CERT_DECIPHER_ONLY_KEY_USAGE = 0x8000, } ///

Indicates the expected content type.

[PInvokeData("wincrypt.h", MSDNShortId = "d882f2b0-0f0a-41c7-afca-a232dc00797b")] [Flags] public enum CertQueryContentFlags : uint { ///

/// The content can be any type. This does not include the CERT_QUERY_CONTENT_FLAG_PFX_AND_LOAD flag. /// /// If this flag is specified, this function will attempt to obtain information about the object, trying different content types /// until the proper content type is found or the content types are exhausted.This is obviously inefficient, so this flag should /// only be used if the content type is not known. /// ///

CERT_QUERY_CONTENT_FLAG_ALL_ISSUER_CERT = (CERT_QUERY_CONTENT_FLAG_CERT | CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE | CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT | CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED | CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED), ///

The content is a single certificate.

CERT_QUERY_CONTENT_FLAG_CERT = (1 << CertQueryContentType.CERT_QUERY_CONTENT_CERT), ///

/// The content is an Abstract Syntax Notation One (ASN.1) encoded X509_CERT_PAIR (an encoded certificate pair that contains /// either forward, reverse, or forward and reverse cross certificates). ///

CERT_QUERY_CONTENT_FLAG_CERT_PAIR = (1 << CertQueryContentType.CERT_QUERY_CONTENT_CERT_PAIR), ///

The content is a single CRL.

CERT_QUERY_CONTENT_FLAG_CRL = (1 << CertQueryContentType.CERT_QUERY_CONTENT_CRL), ///

The content is a single CTL.

CERT_QUERY_CONTENT_FLAG_CTL = (1 << CertQueryContentType.CERT_QUERY_CONTENT_CTL), ///

/// The content is a PFX (PKCS #12) packet, but it will not be loaded by this function. You can use the PFXImportCertStore /// function to load this into a store. ///

CERT_QUERY_CONTENT_FLAG_PFX = (1 << CertQueryContentType.CERT_QUERY_CONTENT_PFX), ///

/// The content is a PFX (PKCS #12) packet and will be loaded by this function subject to the conditions specified in the /// following note. If the PFX packet contains an embedded password that is not an empty string or NULL, and the password /// was not protected to an Active Directory(AD) principal that includes the calling user, this function will not be able to /// decrypt the PFX packet.The packet can be decrypted, however, if the password used when the PFX packet was created was /// encrypted to an AD principal and the user, as part of that principal, has permission to decrypt the password. For more /// information, see the pvPara parameter and the PKCS12_PROTECT_TO_DOMAIN_SIDS flag of the PFXExportCertStoreEx function. /// You can protect PFX passwords to an AD principal beginning in Windows 8 and Windows Server 2012. /// /// Windows Server 2003 and Windows XP: This value is not supported. ///

CERT_QUERY_CONTENT_FLAG_PFX_AND_LOAD = (1 << CertQueryContentType.CERT_QUERY_CONTENT_PFX_AND_LOAD), ///

The content is a PKCS #10 message.

CERT_QUERY_CONTENT_FLAG_PKCS10 = (1 << CertQueryContentType.CERT_QUERY_CONTENT_PKCS10), ///

The content is a PKCS #7 signed message.

CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED = (1 << CertQueryContentType.CERT_QUERY_CONTENT_PKCS7_SIGNED), ///

The content is an embedded PKCS #7 signed message.

CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED = (1 << CertQueryContentType.CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED), ///

The content is a PKCS #7 unsigned message.

CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED = (1 << CertQueryContentType.CERT_QUERY_CONTENT_PKCS7_UNSIGNED), ///

The content is a serialized single certificate.

CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT = (1 << CertQueryContentType.CERT_QUERY_CONTENT_SERIALIZED_CERT), ///

The content is a serialized single CRL.

CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL = (1 << CertQueryContentType.CERT_QUERY_CONTENT_SERIALIZED_CRL), ///

The content is serialized single CTL.

CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL = (1 << CertQueryContentType.CERT_QUERY_CONTENT_SERIALIZED_CTL), ///

The content is a serialized store.

CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE = (1 << CertQueryContentType.CERT_QUERY_CONTENT_SERIALIZED_STORE), } ///

The actual type of the content.

[PInvokeData("wincrypt.h", MSDNShortId = "d882f2b0-0f0a-41c7-afca-a232dc00797b")] public enum CertQueryContentType { ///

The content is a single certificate.

CERT_QUERY_CONTENT_CERT = 1, ///

The content is a single CTL.

CERT_QUERY_CONTENT_CTL = 2, ///

The content is a single CRL.

CERT_QUERY_CONTENT_CRL = 3, ///

The content is a serialized store.

CERT_QUERY_CONTENT_SERIALIZED_STORE = 4, ///

The content is a serialized single certificate.

CERT_QUERY_CONTENT_SERIALIZED_CERT = 5, ///

The content is a serialized single CTL.

CERT_QUERY_CONTENT_SERIALIZED_CTL = 6, ///

The content is a serialized single CRL.

CERT_QUERY_CONTENT_SERIALIZED_CRL = 7, ///

The content is a PKCS #7 signed message.

CERT_QUERY_CONTENT_PKCS7_SIGNED = 8, ///

The content is a PKCS #7 unsigned message.

CERT_QUERY_CONTENT_PKCS7_UNSIGNED = 9, ///

The content is an embedded PKCS #7 signed message.

CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED = 10, ///

The content is a PKCS #10 message.

CERT_QUERY_CONTENT_PKCS10 = 11, ///

/// The content is a PFX (PKCS #12) packet. This function only verifies that the object is a PKCS #12 packet. The PKCS #12 /// packet is not loaded into a certificate store. ///

CERT_QUERY_CONTENT_PFX = 12, ///

The content is an ASN.1 encoded X509_CERT_pair.

CERT_QUERY_CONTENT_CERT_PAIR = 13, ///

/// The content is a PFX (PKCS #12) packet, and it has been loaded into a certificate store. /// Windows Server 2003 and Windows XP: This value is not supported. ///

CERT_QUERY_CONTENT_PFX_AND_LOAD = 14, } ///

Indicates the expected format of the returned type.

[PInvokeData("wincrypt.h", MSDNShortId = "d882f2b0-0f0a-41c7-afca-a232dc00797b")] public enum CertQueryFormatFlags : uint { ///

The content should be returned in binary format.

CERT_QUERY_FORMAT_FLAG_BINARY = (1 << CertQueryFormatType.CERT_QUERY_FORMAT_BINARY), ///

The content should be returned in Base64 encoded format.

CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED = (1 << CertQueryFormatType.CERT_QUERY_FORMAT_BASE64_ENCODED), ///

The content should be returned in ASCII hex-encoded format with a "{ASN}" prefix.

CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED = (1 << CertQueryFormatType.CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED), ///

The content can be returned in any format.

CERT_QUERY_FORMAT_FLAG_ALL = (CERT_QUERY_FORMAT_FLAG_BINARY | CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED | CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED), } ///

The actual format type of the content.

[PInvokeData("wincrypt.h", MSDNShortId = "d882f2b0-0f0a-41c7-afca-a232dc00797b")] public enum CertQueryFormatType { ///

The content is in binary format.

CERT_QUERY_FORMAT_BINARY = 1, ///

The content is in Base64 encoded format.

CERT_QUERY_FORMAT_BASE64_ENCODED = 2, ///

The content is in ASCII hex-encoded format with an "{ASN}" prefix.

CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED = 3, } ///

Indicates the type of the object to be queried.

[PInvokeData("wincrypt.h", MSDNShortId = "d882f2b0-0f0a-41c7-afca-a232dc00797b")] public enum CertQueryObjectType { ///

The cert query object file

CERT_QUERY_OBJECT_FILE = 0x00000001, ///

The cert query object BLOB

CERT_QUERY_OBJECT_BLOB = 0x00000002, } ///

RDN attribute flags.

[Flags] [PInvokeData("wincrypt.h", MSDNShortId = "e45b80a3-9269-4f21-8407-1c8303cb5f32")] public enum CertRDNAttrsFlag { ///

The pRDN was initialized with Unicode strings

CERT_UNICODE_IS_RDN_ATTRS_FLAG = 0x1, ///

Do a case insensitive match.

CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG = 0x2 } ///

Indicates the type of the context structure.

[PInvokeData("wincrypt.h", MSDNShortId = "2d6fb244-5273-4530-bec4-e5451fe26f2e")] public enum CertRevocationType { ///

The revocation of certificates.

CERT_CONTEXT_REVOCATION_TYPE = 1 } ///

Indicates any special processing needs.

[PInvokeData("wincrypt.h", MSDNShortId = "2d6fb244-5273-4530-bec4-e5451fe26f2e")] [Flags] public enum CertVerifyFlags { ///

/// Verification of the chain of certificates is done assuming each certificate except the first certificate is the issuer of /// the certificate that precedes it. If dwRevType is not CERT_CONTEXT_REVOCATION_TYPE, no assumptions are made about the order /// of the contexts. ///

CERT_VERIFY_REV_CHAIN_FLAG = 0x00000001, ///

Prevents the revocation handler from accessing any network-based resources for revocation checking.

CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION = 0x00000002, ///

When set, dwUrlRetrievalTimeout is the cumulative time-out across all URL wire retrievals.

CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG = 0x00000004, ///

/// When set, this function only uses online certificate status protocol (OCSP) for revocation checking. If the certificate does /// not have any OCSP AIA URLs, the dwError member of the pRevStatus parameter is set to CRYPT_E_NOT_IN_REVOCATION_DATABASE. ///

CERT_VERIFY_REV_SERVER_OCSP_FLAG = 0x00000008, ///

/// When set, only the OCSP AIA URL is used if present in the subject. If the subject doesn't have an OCSP AIA URL, then, the /// CDP URLs are used. ///

CERT_VERIFY_REV_NO_OCSP_FAILOVER_TO_CRL_FLAG = 0x00000010, ///

When set, only wire retrieval for OCSP responses.

CERT_VERIFY_REV_SERVER_OCSP_WIRE_ONLY_FLAG = 0x00000020, } ///

Specifies the cause of the error.

[PInvokeData("wincrypt.h", MSDNShortId = "087ea37a-907a-4652-a5df-dd8e86755490")] public enum CRL_REASON { ///

No reason was specified for revocation.

CRL_REASON_UNSPECIFIED = 0, ///

/// It is known or suspected that the subject's private key or other aspects of the subject validated in the certificate are compromised. ///

CRL_REASON_KEY_COMPROMISE = 1, ///

/// It is known or suspected that the CA's private key or other aspects of the CA validated in the certificate are compromised. ///

CRL_REASON_CA_COMPROMISE = 2, ///

/// The subject's name or other information in the certificate has been modified but there is no cause to suspect that the /// private key has been compromised. ///

CRL_REASON_AFFILIATION_CHANGED = 3, ///

The certificate has been superseded, but there is no cause to suspect that the private key has been compromised.

CRL_REASON_SUPERSEDED = 4, ///

/// The certificate is no longer needed for the purpose for which it was issued, but there is no cause to suspect that the /// private key has been compromised. ///

CRL_REASON_CESSATION_OF_OPERATION = 5, ///

The certificate has been placed on hold.

CRL_REASON_CERTIFICATE_HOLD = 6, ///

CRL_REASON_REMOVE_FROM_CRL = 8, ///

CRL_REASON_PRIVILEGE_WITHDRAWN = 9, ///

CRL_REASON_AA_COMPROMISE = 10, } ///

A set of flags that modify the behavior of this function.

[PInvokeData("wincrypt.h", MSDNShortId = "9e63517d-a56e-45a9-972c-de9a297e9e25")] [Flags] public enum CryptFindFlags { ///

Restricts the search to the user container. The default is to search both the user and machine containers.

CRYPT_FIND_USER_KEYSET_FLAG = 0x00000001, ///

Restricts the search to the machine container. The default is to search both the user and machine containers.

CRYPT_FIND_MACHINE_KEYSET_FLAG = 0x00000002, ///

/// The application requests that the CSP not display any user interface (UI) for this context. If the CSP must display the UI /// to operate, the call fails and the NTE_SILENT_CONTEXT error code is set as the last error. ///

CRYPT_FIND_SILENT_KEYSET_FLAG = 0x00000040, ///

/// If a handle is already acquired and cached, that same handle is returned. Otherwise, a new handle is acquired and cached by /// using the certificate's CERT_KEY_CONTEXT_PROP_ID property. /// /// When this flag is set, the pfCallerFreeProvOrNCryptKey parameter receives FALSE and the calling application must not release /// the handle. The handle is freed when the certificate context is freed; however, you must retain the certificate context /// referenced by the pCert parameter as long as the key is in use, otherwise operations that rely on the key will fail. /// ///

CRYPT_ACQUIRE_CACHE_FLAG = 0x00000001, ///

/// Uses the certificate's CERT_KEY_PROV_INFO_PROP_ID property to determine whether caching should be accomplished. For more /// information about the CERT_KEY_PROV_INFO_PROP_ID property, see CertSetCertificateContextProperty. /// /// This function will only use caching if during a previous call, the dwFlags member of the CRYPT_KEY_PROV_INFO structure /// contained CERT_SET_KEY_CONTEXT_PROP. /// ///

CRYPT_ACQUIRE_USE_PROV_INFO_FLAG = 0x00000002, ///

/// The public key in the certificate is compared with the public key returned by the cryptographic service provider (CSP). If /// the keys do not match, the acquisition operation fails and the last error code is set to NTE_BAD_PUBLIC_KEY. If a cached /// handle is returned, no comparison is made. ///

CRYPT_ACQUIRE_COMPARE_KEY_FLAG = 0x00000004, ///

/// This function will not attempt to re-create the CERT_KEY_PROV_INFO_PROP_ID property in the certificate context if this /// property cannot be retrieved. ///

CRYPT_ACQUIRE_NO_HEALING = 0x00000008, ///

/// The CSP should not display any user interface (UI) for this context. If the CSP must display UI to operate, the call fails /// and the NTE_SILENT_CONTEXT error code is set as the last error. ///

CRYPT_ACQUIRE_SILENT_FLAG = 0x00000040, ///

/// Any UI that is needed by the CSP or KSP will be a child of the HWND that is supplied in the pvParameters parameter. For a /// CSP key, using this flag will cause the CryptSetProvParam function with the flag PP_CLIENT_HWND using this HWND to be called /// with NULL for HCRYPTPROV. For a KSP key, using this flag will cause the NCryptSetProperty function with the /// NCRYPT_WINDOW_HANDLE_PROPERTY flag to be called using the HWND. /// Do not use this flag with CRYPT_ACQUIRE_SILENT_FLAG. ///

CRYPT_ACQUIRE_WINDOW_HANDLE_FLAG = 0x00000080, ///

The crypt acquire ncrypt key flags mask

CRYPT_ACQUIRE_NCRYPT_KEY_FLAGS_MASK = 0x00070000, ///

/// This function will attempt to obtain the key by using CryptoAPI. If that fails, this function will attempt to obtain the key /// by using the Cryptography API: Next Generation (CNG). /// The CERT_KEY_PROV_INFO_PROP_ID property of the certificate is set to zero if CNG is used to obtain the key. ///

CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG = 0x00010000, ///

/// This function will attempt to obtain the key by using CNG. If that fails, this function will attempt to obtain the key by /// using CryptoAPI. /// The CERT_KEY_PROV_INFO_PROP_ID property of the certificate is set to zero if CNG is used to obtain the key. ///

CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG = 0x00020000, ///

/// This function will only attempt to obtain the key by using CNG and will not use CryptoAPI to obtain the key. /// The CERT_KEY_PROV_INFO_PROP_ID property of the certificate is set to zero if CNG is used to obtain the key. ///

CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG = 0x00040000, } ///

/// Indicates how the public key information is exported. The flag value is passed directly to the CryptFindOIDInfo function when /// mapping the public key object identifier to the corresponding CNG public key algorithm Unicode string. ///

[PInvokeData("wincrypt.h", MSDNShortId = "38274222-90b3-4038-86d3-6b2813100ce2")] [Flags] public enum CryptOIDInfoFlags : uint { ///

pvKey is the address of a null-terminated ANSI string that contains the OID string to find.

CRYPT_OID_INFO_OID_KEY = 1, ///

pvKey is the address of a null-terminated Unicode string that contains the name to find.

CRYPT_OID_INFO_NAME_KEY = 2, ///

pvKey is the address of an ALG_IDvariable.

CRYPT_OID_INFO_ALGID_KEY = 3, ///

/// pvKey is the address of an array of two ALG_IDs where the first element contains the hash algorithm identifier and the /// second element contains the public key algorithm identifier. ///

CRYPT_OID_INFO_SIGN_KEY = 4, ///

/// pvKey is the address of a null-terminated Unicode string that contains the CNG algorithm identifier to find. This can be one /// of the predefined CNG Algorithm Identifiers or another registered algorithm identifier. ///

CRYPT_OID_INFO_CNG_ALGID_KEY = 5, ///

/// pvKey is the address of an array of two null-terminated Unicode string pointers where the first string contains the hash CNG /// algorithm identifier and the second string contains the public key CNG algorithm identifier. These can be from the /// predefined CNG Algorithm Identifiers or another registered algorithm identifier. ///

CRYPT_OID_INFO_CNG_SIGN_KEY = 6, ///

/// Skips public keys in the CRYPT_PUBKEY_ALG_OID_GROUP_ID group explicitly flagged with the CRYPT_OID_PUBKEY_ENCRYPT_ONLY_FLAG flag. ///

CRYPT_OID_INFO_PUBKEY_SIGN_KEY_FLAG = 0x80000000, ///

/// Skips public keys in the CRYPT_PUBKEY_ALG_OID_GROUP_ID group explicitly flagged with the CRYPT_OID_PUBKEY_SIGN_ONLY_FLAG flag. ///

CRYPT_OID_INFO_PUBKEY_ENCRYPT_KEY_FLAG = 0x40000000 } ///

Flags that modify the function behavior.

[PInvokeData("wincrypt.h", MSDNShortId = "8a84af66-b174-4a3e-b1d7-6f218a52d877")] [Flags] public enum CryptVerifyCertSignFlags { ///

/// If you set this flag and CryptVerifyCertificateSignatureEx detects an MD2 or MD4 algorithm, the function returns FALSE and /// sets GetLastError to NTE_BAD_ALGID. The signature is still verified, but this combination of errors enables the caller, now /// knowing that an MD2 or MD4 algorithm was used, to decide whether to trust or reject the signature. /// Windows 8 and Windows Server 2012: Support for this flag begins. ///

CRYPT_VERIFY_CERT_SIGN_DISABLE_MD2_MD4_FLAG = 0x00000001, ///

/// Sets strong signature properties, after successful verification, on the subject pointed to by the pvSubject parameter. /// The following property is set on the certificate context: /// CERT_SIGN_HASH_CNG_ALG_PROP_ID /// The following properties are set on the CRL context: /// CERT_SIGN_HASH_CNG_ALG_PROP_ID /// CERT_ISSUER_PUB_KEY_BIT_LENGTH_PROP_ID /// Note This flag is only applicable if CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL is specified in the dwSubjectType parameter. /// Windows 8 and Windows Server 2012: Support for this flag begins. ///

CRYPT_VERIFY_CERT_SIGN_SET_STRONG_PROPERTIES_FLAG = 0x00000002, ///

/// Returns a pointer to a CRYPT_VERIFY_CERT_SIGN_STRONG_PROPERTIES_INFO structure in the pvExtra parameter. The structure /// contains the length, in bits, of the public key and the names of the signing and hashing algorithms used. /// /// You must call CryptMemFree to free the structure. If memory cannot be allocated for the /// CRYPT_VERIFY_CERT_SIGN_STRONG_PROPERTIES_INFO structure, this function returns successfully but sets the pvExtra parameter /// to NULL. /// /// /// Note This flag is only applicable if CRYPT_VERIFY_CERT_SIGN_SUBJECT_OCSP_BASIC_SIGNED_RESPONSE is specified in the /// dwSubjectType parameter. /// /// Windows 8 and Windows Server 2012: Support for this flag begins. ///

CRYPT_VERIFY_CERT_SIGN_RETURN_STRONG_PROPERTIES_FLAG = 0x00000004, } ///

The issuer type.

[PInvokeData("wincrypt.h", MSDNShortId = "8a84af66-b174-4a3e-b1d7-6f218a52d877")] public enum CryptVerifyCertSignIssuer { ///

pvIssuer is a pointer to a CERT_PUBLIC_KEY_INFOstructure.

CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY = 1, ///

pvIssuer is a pointer to a CCERT_CONTEXTstructure.

CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT = 2, ///

pvIssuer is a pointer to a CCERT_CHAIN_CONTEXTstructure.

CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN = 3, ///

pvIssuer must be NULL.

CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL = 4, } ///

The subject type.

[PInvokeData("wincrypt.h", MSDNShortId = "8a84af66-b174-4a3e-b1d7-6f218a52d877")] public enum CryptVerifyCertSignSubject { ///

pvSubject is a pointer to a CRYPT_DATA_BLOBstructure.

CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB = 1, ///

pvSubject is a pointer to a CCERT_CONTEXTstructure.

CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT = 2, ///

pvSubject is a pointer to a CCRL_CONTEXTstructure.

CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL = 3, ///

/// pvSubject is a pointer to an OCSP_BASIC_SIGNED_RESPONSE_INFO structure. /// Windows Server 2003 and Windows XP: This subject type is not supported. ///

CRYPT_VERIFY_CERT_SIGN_SUBJECT_OCSP_BASIC_SIGNED_RESPONSE = 4, } ///

/// /// The CertCompareCertificate function determines whether two certificates are identical by comparing the issuer name and /// serial number of the certificates. /// /// /// Caution The CertCompareCertificate function must not be used for security assertions because it does not compare BLOBs. /// ///

/// The CertCompareCertificateName function compares two certificate CERT_NAME_BLOB structures to determine whether they are /// identical. The CERT_NAME_BLOB structures are used for the subject and the issuer of certificates. ///

/// The CertCompareIntegerBlob function compares two integer BLOBs to determine whether they represent equal numeric values. ///

/// A pointer to a CRYPT_INTEGER_BLOB structure that contains the first integer in the comparison. /// A pointer to a CRYPT_INTEGER_BLOB structure that contains the second integer in the comparison. /// /// If the representations of the integer BLOBs are identical and the function succeeds, the function returns nonzero ( TRUE). /// If the function fails, it returns zero ( FALSE). For extended error information, call GetLastError. /// /// /// /// Before doing the comparison, most significant bytes with a value of 0x00 are removed from a positive number. Positive here means /// that the most significant bit in the next nonzero byte is not set. /// /// /// Most significant bytes with a value of 0xFF are removed from a negative number. Negative here means that the most significant /// bit in the next non-0xFF byte is set. This produces the unique representation of that integer, as shown in the following table. /// /// /// /// Original bytes /// Reduced form /// /// /// 0xFFFFFF88 /// 0xFF88 /// /// /// 0xFF23 /// 0xFF23 /// /// /// 0x007F /// 0x7F /// /// /// 0x00000080 /// 0x80 /// /// /// /// Multiple-byte integers are treated as little-endian. The least significant byte is pbData[0]. The most significant byte is /// pbData[cbData - 1], that is, 0xFFFFFF88 is stored in four bytes as: /// /// {0x88, 0xFF, 0xFF, 0xFF} /// Examples /// For an example that uses this function, see Example C Program: Using CertOIDToAlgId and CertCompareIntegerBlob. /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certcompareintegerblob BOOL CertCompareIntegerBlob( // PCRYPT_INTEGER_BLOB pInt1, PCRYPT_INTEGER_BLOB pInt2 ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "467ce464-2f22-4583-a745-711ba3b05f4f")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CertCompareIntegerBlob(in CRYPTOAPI_BLOB pInt1, in CRYPTOAPI_BLOB pInt2); ///

The CertComparePublicKeyInfo function compares two encoded public keys to determine whether they are identical.

/// The CertFindAttribute function finds the first attribute in the CRYPT_ATTRIBUTE array, as identified by its object /// identifier (OID). This function can be used in the processing of a decoded certificate request. A CERT_REQUEST_INFO structure is /// derived from a decoded certificate request. The rgAttribute array is retrieved from that structure and passed to this /// function in the rgAttr parameter. This function determines whether a particular attribute is in the array, and if so, returns a /// pointer to it. ///

/// A pointer to the object identifier (OID) to use in the search. /// Number of attributes in the rgAttr array. /// Array of CRYPT_ATTRIBUTE structures. /// Returns a pointer to the attribute, if one is found. Otherwise, NULL is returned. // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfindattribute PCRYPT_ATTRIBUTE CertFindAttribute( // LPCSTR pszObjId, DWORD cAttr, CRYPT_ATTRIBUTE [] rgAttr ); [DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "99d690fb-ea85-4cb1-9fb0-bdb02e4ac50a")] public static extern IntPtr CertFindAttribute(SafeOID pszObjId, uint cAttr, [MarshalAs(UnmanagedType.LPArray)] CRYPT_ATTRIBUTE[] rgAttr); ///

/// The object identifier (OID) to use in the search. /// Array of CRYPT_ATTRIBUTE structures. /// Returns a reference to the attribute, if one is found. Otherwise, is returned. public static CRYPT_ATTRIBUTE? CertFindAttribute(string pszObjId, CRYPT_ATTRIBUTE[] rgAttr) => CertFindAttribute(pszObjId, (uint)(rgAttr?.Length ?? 0), rgAttr).ToNullableStructure(); ///

/// The CertFindExtension function finds the first extension in the CERT_EXTENSION array, as identified by its object /// identifier (OID). This function can be used in the processing of a decoded certificate. A CERT_INFO structure is derived from a /// decoded certificate. The CERT_INFO structure's rgExtension member is passed to CertFindExtension in the /// rgExtensions parameter. This function determines whether a particular extension is in the array, and if so, returns a pointer to it ///

/// A pointer to the object identifier (OID) to use in the search. /// Number of extensions in the rgExtensions array. /// Array of CERT_EXTENSION structures. /// Returns a pointer to the extension, if one is found. Otherwise, NULL is returned. // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfindextension PCERT_EXTENSION CertFindExtension( // LPCSTR pszObjId, DWORD cExtensions, CERT_EXTENSION [] rgExtensions ); [DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "489c58b6-a704-4f54-bc64-34eacafc347c")] public static extern IntPtr CertFindExtension(SafeOID pszObjId, uint cExtensions, [MarshalAs(UnmanagedType.LPArray)] CERT_EXTENSION[] rgExtensions); ///

/// A pointer to the object identifier (OID) to use in the search. /// Array of CERT_EXTENSION structures. /// Returns a reference to the extension, if one is found. Otherwise, is returned. public static CERT_EXTENSION? CertFindExtension(string pszObjId, CERT_EXTENSION[] rgExtensions) => CertFindExtension(pszObjId, (uint)(rgExtensions?.Length ?? 0), rgExtensions).ToNullableStructure(); ///

/// The CertFindRDNAttr function finds the first RDN attribute identified by its object identifier (OID) in a list of the /// Relative Distinguished Names (RDN). ///

/// A pointer to the object identifier (OID) to use In the search. /// A pointer to a CERT_NAME_INFO structure containing the list of the Relative Distinguished Names to be searched. /// Returns a pointer to the attribute, if one is found. Otherwise, NULL is returned. // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certfindrdnattr PCERT_RDN_ATTR CertFindRDNAttr( LPCSTR // pszObjId, PCERT_NAME_INFO pName ); [DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "31f82a02-e90a-48de-857a-9fbb03048b5c")] public static extern IntPtr CertFindRDNAttr(SafeOID pszObjId, in CERT_NAME_INFO pName); ///

/// The CertGetIntendedKeyUsage function acquires the intended key usage bytes from a certificate. The intended key usage can /// be in either the szOID_KEY_USAGE ("2.5.29.15") or szOID_KEY_ATTRIBUTES ("2.5.29.2") extension. ///

/// /// /// Specifies the encoding type used. It is always acceptable to specify both the certificate and message encoding types by /// combining them with a bitwise- OR operation as shown in the following example: /// /// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING Currently defined encoding types are: /// /// /// X509_ASN_ENCODING /// /// /// PKCS_7_ASN_ENCODING /// /// /// /// A pointer to CERT_INFO structure of the specified certificate. /// /// /// A pointer to a buffer to receive the intended key usage. The following list shows currently defined values. These can be /// combined by using bitwise- OR operations. /// /// /// /// CERT_DATA_ENCIPHERMENT_KEY_USAGE /// /// /// CERT_DIGITAL_SIGNATURE_KEY_USAGE /// /// /// CERT_KEY_AGREEMENT_KEY_USAGE /// /// /// CERT_KEY_CERT_SIGN_KEY_USAGE /// /// /// CERT_KEY_ENCIPHERMENT_KEY_USAGE /// /// /// CERT_NON_REPUDIATION_KEY_USAGE /// /// /// CERT_OFFLINE_CRL_SIGN_KEY_USAGE /// /// /// /// /// The size, in bytes, of the buffer pointed to by pbKeyUsage. Currently, the intended key usage occupies 1 or 2 bytes of data. /// /// /// /// If the certificate does not have any intended key usage bytes, FALSE is returned and pbKeyUsage is zeroed. Otherwise, /// TRUE is returned and up to cbKeyUsage number of bytes are copied into pbKeyUsage. Any remaining bytes not copied are zeroed. /// /// GetLastError returns zero if none of the required extensions is found. /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetintendedkeyusage BOOL CertGetIntendedKeyUsage( // DWORD dwCertEncodingType, PCERT_INFO pCertInfo, BYTE *pbKeyUsage, DWORD cbKeyUsage ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "d09c3626-f864-4774-8511-3e912f62e520")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CertGetIntendedKeyUsage(CertEncodingType dwCertEncodingType, in CERT_INFO pCertInfo, out CertKeyUsage pbKeyUsage, uint cbKeyUsage = 2); ///

The CertGetPublicKeyLength function acquires the bit length of public/private keys from a public key BLOB.

/// The CertIsRDNAttrsInCertificateName function compares the attributes in the certificate name with the specified CERT_RDN /// to determine whether all attributes are included there. The comparison iterates through the CERT_RDN and looks for an /// attribute match in any of the CERT_RDN s of the certificate name. ///

/// /// /// Specifies the encoding type used. It is always acceptable to specify both the certificate and message encoding types by /// combining them with a bitwise- OR operation as shown in the following example: /// /// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING /// Currently defined encoding types are: /// /// /// X509_ASN_ENCODING /// /// /// PKCS_7_ASN_ENCODING /// /// /// /// /// /// CERT_UNICODE_IS_RDN_ATTRS_FLAG must be set if the pRDN was initialized with Unicode strings as in CryptEncodeObject with /// lpszStructType set to X509_UNICODE_NAME. /// /// /// CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG is set to do a case insensitive match. Otherwise, an exact, case sensitive match is done. /// /// /// A pointer to a CRYPT_INTEGER_BLOB that contains the encoded subject or issuer name. /// /// /// Array of CERT_RDN structures that contain the attributes to be found in the name. The CERT_RDN_ATTR member of the /// CERT_RDN structure behaves according to the following rules. /// /// /// /// If pszObjId is NULL, the attribute object identifier (OID) is ignored. /// /// /// If dwValueType is CERT_RDN_ANY_TYPE, the value type is ignored. /// /// /// If the pbData member of Value is NULL, any value can be a match. /// /// /// /// /// /// If the function succeeds and all of the RDN values in the specified CERT_RDN are in the certificate name, the return value is /// nonzero ( TRUE). /// /// /// If the function fails, or if there are RDN values in the specified CERT_RDN that are not in the certificate name, the return /// value is zero ( FALSE). For extended error information, call GetLastError. /// /// The following table lists some possible error codes. /// /// /// Return code /// Description /// /// /// CRYPT_E_NO_MATCH /// Not all the attributes were found and matched. /// /// /// ERROR_FILE_NOT_FOUND /// Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported. /// /// /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// /// Currently, only an exact, case-sensitive match is supported. // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certisrdnattrsincertificatename BOOL // CertIsRDNAttrsInCertificateName( DWORD dwCertEncodingType, DWORD dwFlags, PCERT_NAME_BLOB pCertName, PCERT_RDN pRDN ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "e45b80a3-9269-4f21-8407-1c8303cb5f32")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CertIsRDNAttrsInCertificateName(CertEncodingType dwCertEncodingType, CertRDNAttrsFlag dwFlags, in CRYPTOAPI_BLOB pCertName, [In, MarshalAs(UnmanagedType.LPArray)] CERT_RDN[] pRDN); ///

/// Determines whether the specified hash algorithm and the public key in the signing certificate can be used to perform strong signing. ///

/// /// Pointer to a CERT_STRONG_SIGN_PARA structure that contains information about supported signing and hashing algorithms. /// /// /// Pointer to a Unicode string that contains the name of the hashing algorithm. The following algorithms are supported: /// /// /// L"MD5" (BCRYPT_MD5_ALGORITHM) /// /// /// L"SHA1" (BCRYPT_SHA1_ALGORITHM) /// /// /// L"SHA256" (BCRYPT_SHA256_ALGORITHM) /// /// /// L"SHA256" (BCRYPT_SHA256_ALGORITHM) /// /// /// L"SHA512" (BCRYPT_SHA512_ALGORITHM) /// /// /// /// /// /// Pointer to a CERT_CONTEXT structure that contains the signing certificate. The public key algorithm in the signing certificate /// is checked for strength. The public key (asymmetric) algorithm is used for signing. The following signature algorithms are supported: /// /// /// /// L"RSA" (BCRYPT_RSA_ALGORITHM) /// /// /// L"DSA" (BCRYPT_DSA_ALGORITHM) /// /// /// L"ECDSA" (SSL_ECDSA_ALGORITHM) /// /// /// This parameter can be /// NULL /// if you want to check only whether the hashing algorithm is strong. /// /// /// If the function succeeds, the function returns TRUE. /// /// If the function fails, it returns FALSE. For extended error information, call GetLastError. This function has the /// following error codes. /// /// /// /// Return code /// Description /// /// /// E_INVALIDARG /// One or more of the input arguments is not correct. /// /// /// NTE_BAD_ALGID /// A specified algorithm is not supported. /// /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certisstronghashtosign BOOL CertIsStrongHashToSign( // PCCERT_STRONG_SIGN_PARA pStrongSignPara, LPCWSTR pwszCNGHashAlgid, PCCERT_CONTEXT pSigningCert ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "B498C1F0-1EFF-49AF-9CD4-A447F79256F1")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CertIsStrongHashToSign(in CERT_STRONG_SIGN_PARA pStrongSignPara, [MarshalAs(UnmanagedType.LPWStr)] string pwszCNGHashAlgid, [Optional] PCCERT_CONTEXT pSigningCert); ///

/// The CertVerifyCRLRevocation function check a certificate revocation list (CRL) to determine whether a subject's /// certificate has or has not been revoked. The new Certificate Chain Verification Functions are recommended instead of the use of /// this function. ///

The CertVerifyCRLTimeValidity function verifies the time validity of a CRL.

/// /// A pointer to FILETIME structure containing the time to be used in the verification. If set to NULL, the current time is used. /// /// A pointer to a CRL_INFO structure containing the CRL for which the time is to be verified. /// /// Returns a minus one (–1) if the comparison time is before the ThisUpdate member of the CRL_INFO pointed to by pCrlInfo. /// Returns a plus one (+1) if the comparison time is after the NextUpdate time. Returns zero for valid time for the CRL. /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certverifycrltimevalidity LONG CertVerifyCRLTimeValidity( // LPFILETIME pTimeToVerify, PCRL_INFO pCrlInfo ); [DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "ff321fe8-df45-4a1d-b626-055fb0696438")] public static extern int CertVerifyCRLTimeValidity(in FILETIME pTimeToVerify, in CRL_INFO pCrlInfo); ///

/// The CertVerifyRevocation function checks the revocation status of the certificates contained in the rgpvContext array. If /// a certificate in the list is found to be revoked, no further checking is done. This array can be a chain of certificates /// propagating upward from an end entity to the root authority, but this nature of the list of certificates is not required or assumed. ///

/// /// Specifies the encoding type used. Currently, only X509_ASN_ENCODING and PKCS_7_ASN_ENCODING are being used; however, additional /// encoding types may be added in the future. For either current encoding type, use X509_ASN_ENCODING | PKCS_7_ASN_ENCODING. /// /// /// Indicates the type of the context structure passed in rgpvContext. Currently only CERT_CONTEXT_REVOCATION_TYPE, the revocation /// of certificates, is defined. /// /// Count of elements in the rgpvContext array. /// /// /// When the dwRevType is CERT_CONTEXT_REVOCATION_TYPE, rgpvContext is an array of pointers to CERT_CONTEXT structures. These /// contexts must contain sufficient information to allow the installable or registered revocation DLLs to find the revocation /// server. This information would normally be conveyed in an extension such as the CRLDistributionsPoints extension defined by the /// Internet Engineering Task Force (IETF) in PKIX Part 1. /// /// For efficiency, the more contexts that are passed in at one time, the better. /// /// /// Indicates any special processing needs. This parameter can be one of the following flags. /// /// /// Value /// Meaning /// /// /// CERT_VERIFY_REV_CHAIN_FLAG /// /// Verification of the chain of certificates is done assuming each certificate except the first certificate is the issuer of the /// certificate that precedes it. If dwRevType is not CERT_CONTEXT_REVOCATION_TYPE, no assumptions are made about the order of the contexts. /// /// /// /// CERT_VERIFY_CACHE_ONLY_BASED_REVOCATION /// Prevents the revocation handler from accessing any network-based resources for revocation checking. /// /// /// CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG /// When set, dwUrlRetrievalTimeout is the cumulative time-out across all URL wire retrievals. /// /// /// CERT_VERIFY_REV_SERVER_OCSP_FLAG /// /// When set, this function only uses online certificate status protocol (OCSP) for revocation checking. If the certificate does not /// have any OCSP AIA URLs, the dwError member of the pRevStatus parameter is set to CRYPT_E_NOT_IN_REVOCATION_DATABASE. /// /// /// /// /// Optionally set to assist in finding the issuer. For details, see the CERT_REVOCATION_PARA structure. /// /// /// Only the cbSize member of the CERT_REVOCATION_STATUS pointed to by pRevStatus needs to be set before /// CertVerifyRevocation is called. /// /// /// If the function returns FALSE, this structure's members will contain error status information. For more information, see /// CERT_REVOCATION_STATUS. For a description of how pRevStatus is updated when a revocation verification problem is encountered, /// see Remarks. /// /// /// /// /// If the function successfully checks all of the contexts and none were revoked, the function returns TRUE. If the function /// fails, it returns FALSE and updates the CERT_REVOCATION_STATUS structure pointed to by pRevStatus as described in CERT_REVOCATION_STATUS. /// /// /// When the revocation handler for any of the contexts returns FALSE due to an error, the dwError member in the /// structure pointed to by pRevStatus will be set by the handler to specify which error was encountered. GetLastError returns an /// error code equal to the error specified in the dwError member of the CERT_REVOCATION_STATUS structure. /// GetLastError can be one of the following values. /// /// /// /// Value /// Description /// /// /// CRYPT_E_NO_REVOCATION_CHECK /// An installed or registered revocation function was not able to do a revocation check on the context. /// /// /// CRYPT_E_NO_REVOCATION_DLL /// No installed or registered DLL was found that was able to verify revocation. /// /// /// CRYPT_E_NOT_IN_REVOCATION_DATABASE /// The context to be checked was not found in the revocation server's database. /// /// /// CRYPT_E_REVOCATION_OFFLINE /// It was not possible to connect to the revocation server. /// /// /// CRYPT_E_REVOKED /// The context was revoked. dwReason in pRevStatus contains the reason for revocation. /// /// /// ERROR_SUCCESS /// The context was good. /// /// /// E_INVALIDARG /// /// cbSize in pRevStatus is less than sizeof(CERT_REVOCATION_STATUS). Note that dwError in pRevStatus is not updated for this error. /// /// /// /// /// /// The following example shows how pRevStatus is updated when a revocation verification problem is encountered: /// Consider the case where cContext is four: /// /// If CertVerifyRevocation can verify that rgpvContext[0] and rgpvContext[1] are not revoked, but cannot check /// rgpvContext[2], the pRevStatus member dwIndex is set to two, indicating that the context at index two has the problem, /// the dwError member of pRevStatus is set to CRYPT_E_NO_REVOCATION_CHECK, and FALSE is returned. /// /// /// If rgpvContext[2] is found to be revoked, the dwIndex member of pRevStatus is set to two, and the dwError member /// of pRevStatus is set to CRYPT_E_REVOKED, dwReason is updated, and FALSE is returned. /// /// /// In either case, both rgpvContext[0] and rgpvContext[1] are verified not to be revoked, rgpvContext[2] is the last array index /// checked, and rgpvContext[3] has not been checked at all. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certverifyrevocation BOOL CertVerifyRevocation( DWORD // dwEncodingType, DWORD dwRevType, DWORD cContext, PVOID [] rgpvContext, DWORD dwFlags, PCERT_REVOCATION_PARA pRevPara, // PCERT_REVOCATION_STATUS pRevStatus ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "2d6fb244-5273-4530-bec4-e5451fe26f2e")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CertVerifyRevocation(CertEncodingType dwEncodingType, CertRevocationType dwRevType, uint cContext, [In, MarshalAs(UnmanagedType.LPArray)] IntPtr[] rgpvContext, CertVerifyFlags dwFlags, in CERT_REVOCATION_PARA pRevPara, ref CERT_REVOCATION_STATUS pRevStatus); ///

The CertVerifyTimeValidity function verifies the time validity of a certificate.

/// /// A pointer to a FILETIME structure containing the comparison time. If NULL, the current time is used. /// /// A pointer to the CERT_INFO structure of the certificate for which the time is being verified. /// /// Returns a minus one if the comparison time is before the NotBefore member of the CERT_INFO structure. Returns a plus one /// if the comparison time is after the NotAfter member. Returns zero for valid time for the certificate. /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certverifytimevalidity LONG CertVerifyTimeValidity( // LPFILETIME pTimeToVerify, PCERT_INFO pCertInfo ); [DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "9ccf9230-e998-4f82-9db0-6cbaa1c36850")] public static extern int CertVerifyTimeValidity(in FILETIME pTimeToVerify, in CERT_INFO pCertInfo); ///

/// The CertVerifyValidityNesting function verifies that a subject certificate's time validity nests correctly within its /// issuer's time validity. ///

/// A pointer to the CERT_INFO structure of the subject certificate. /// A pointer to the CERT_INFO structure of the issuer certificate. /// /// Returns TRUE if the NotBefore time of the subject's certificate is after the NotBefore time of the issuer's /// certificate and the NotAfter time of the subject's certificate is not after the NotAfter time of the issuer's /// certificate. Otherwise, returns FALSE. /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certverifyvaliditynesting BOOL CertVerifyValidityNesting( // PCERT_INFO pSubjectInfo, PCERT_INFO pIssuerInfo ); [DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "dc73a21d-5b55-45c4-80d2-220508d9f762")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CertVerifyValidityNesting(in CERT_INFO pSubjectInfo, in CERT_INFO pIssuerInfo); ///

/// /// [The CryptExportPKCS8 function is no longer available for use as of Windows Server 2008 and Windows Vista. Instead, use /// the PFXExportCertStoreEx function.] /// /// /// The CryptExportPKCS8 function exports the private key in PKCS #8 format. The function is superseded by /// CryptExportPKCS8Ex, which also may be altered or unavailable in subsequent versions. /// ///

/// /// An HCRYPTPROV variable that contains the cryptographic service provider (CSP). This is a handle to the CSP obtained by calling CryptAcquireContext. /// /// /// /// A DWORD variable that contains the key specification. The following dwKeySpec values are defined for the default provider. /// /// /// /// Value /// Meaning /// /// /// AT_KEYEXCHANGE /// Keys used to encrypt/decrypt session keys. /// /// /// AT_SIGNATURE /// Keys used to create and verify digital signatures. /// /// /// /// An LPSTR variable that contains the private key object identifier (OID). /// This parameter should be zero if pbPrivateKeyBlob is NULL and 0x8000 otherwise. /// This parameter must be set to NULL. /// /// A pointer to an array of BYTE structures to receive the private key to be exported. /// /// The private key will contain the information in a PKCS #8 PrivateKeyInfo Abstract Syntax Notation One (ASN.1) type found in the /// PKCS #8 standard. /// /// /// For memory allocation purposes, you can get the size of the private key to be exported by setting this parameter to NULL. /// For more information, see Retrieving Data of Unknown Length. /// /// /// /// A pointer to a DWORD that may contain, on input, the size, in bytes, of the memory allocation needed to contain the /// pbPrivateKeyBlob. If pbPrivateKeyBlob is NULL, this parameter will return the size of the memory allocation needed for a /// second call to the function. For more information, see Retrieving Data of Unknown Length. /// /// /// If the function succeeds, the function returns nonzero. /// If the function fails, it returns zero. For extended error information, call GetLastError. /// The following error codes are specific to this function. /// /// /// Return code /// Description /// /// /// ERROR_UNSUPPORTED_TYPE /// An export function that can be installed or registered could not be found. /// /// /// ERROR_MORE_DATA /// /// If the buffer specified by the pbPrivateKeyBlob parameter is not large enough to hold the returned data, the function sets the /// ERROR_MORE_DATA code and stores the required buffer size, in bytes, in the variable pointed to by the pcbPrivateKeyBlob parameter. /// /// /// /// /// If the function fails, GetLastError may return an ASN.1 encoding/decoding error. For information about these errors, see ASN.1 /// Encoding/Decoding Return Values. /// /// /// This function is only supported for asymmetric keys. // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptexportpkcs8 BOOL CryptExportPKCS8( HCRYPTPROV // hCryptProv, DWORD dwKeySpec, LPSTR pszPrivateKeyObjId, DWORD dwFlags, void *pvAuxInfo, BYTE *pbPrivateKeyBlob, DWORD // *pcbPrivateKeyBlob ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "defd0b23-d9c2-4b28-a6a6-1be7487ae656")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptExportPKCS8(HCRYPTPROV hCryptProv, CertKeySpec dwKeySpec, SafeOID pszPrivateKeyObjId, uint dwFlags, [In, Optional] IntPtr pvAuxInfo, [Out, Optional] IntPtr pbPrivateKeyBlob, ref uint pcbPrivateKeyBlob); ///

/// /// [The CryptExportPKCS8Ex function is no longer available for use as of Windows Server 2008 and Windows Vista. Instead, use /// the PFXExportCertStoreEx function.] /// /// /// The CryptExportPKCS8Ex function exports the private key in PKCS #8 format.This function has no associated import library. /// You must use the LoadLibrary and GetProcAddress functions to dynamically link to Crypt32.dll. /// ///

/// /// A pointer to a CRYPT_PKCS8_EXPORT_PARAMS structure that contains information about the key to export. /// /// This parameter should be zero if pbPrivateKeyBlob is NULL and 0x8000 otherwise. /// This parameter must be NULL. /// /// A pointer to an array of BYTE structures to receive the private key to be exported. /// /// The private key will contain the information in a PKCS #8 PrivateKeyInfo Abstract Syntax Notation One (ASN.1) type found in the /// PKCS #8 standard. /// /// /// For memory allocation purposes, you can get the size of the private key to be exported by setting this parameter to NULL. /// For more information, see Retrieving Data of Unknown Length. /// /// /// /// A pointer to a DWORD that may contain, on input, the size, in bytes, of the memory allocation needed to contain the /// pbPrivateKeyBlob. If pbPrivateKeyBlob is NULL, this parameter will return the size of the memory allocation needed for a /// second call to the function. For more information, see Retrieving Data of Unknown Length. /// /// /// If the function succeeds, the function returns nonzero ( TRUE). /// If the function fails, it returns zero ( FALSE). For extended error information, call GetLastError. /// The following error codes are specific to this function. /// /// /// Return code /// Description /// /// /// ERROR_UNSUPPORTED_TYPE /// An export function that can be installed or registered could not be found. /// /// /// ERROR_MORE_DATA /// /// If the buffer specified by the pbPrivateKeyBlob parameter is not large enough to hold the returned data, the function sets the /// ERROR_MORE_DATA code and stores the required buffer size, in bytes, in the variable pointed to by the pcbPrivateKeyBlob parameter. /// /// /// /// /// If the function fails, GetLastError returns an ASN.1 encoding/decoding error. For information about these errors, see ASN.1 /// Encoding/Decoding Return Values. /// /// /// This function is only supported for asymmetric keys. // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptexportpkcs8ex BOOL CryptExportPKCS8Ex( // CRYPT_PKCS8_EXPORT_PARAMS *psExportParams, DWORD dwFlags, void *pvAuxInfo, BYTE *pbPrivateKeyBlob, DWORD *pcbPrivateKeyBlob ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "82fee86a-8704-4f22-8f11-f89509c5a0aa")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptExportPKCS8Ex(in CRYPT_PKCS8_EXPORT_PARAMS psExportParams, uint dwFlags, [In, Optional] IntPtr pvAuxInfo, [Optional, Out] IntPtr pbPrivateKeyBlob, ref uint pcbPrivateKeyBlob); ///

/// The CryptExportPublicKeyInfo function exports the public key information associated with the corresponding private key of /// the provider. For an updated version of this function, see CryptExportPublicKeyInfoEx. ///

/// /// Handle of the cryptographic service provider (CSP) to use when exporting the public key information. This handle must be an /// HCRYPTPROV handle that has been created by using the CryptAcquireContext function or an NCRYPT_KEY_HANDLE handle that has /// been created by using the NCryptOpenKey function. New applications should always pass in the NCRYPT_KEY_HANDLE handle of /// a CNG CSP. /// /// /// Identifies the private key to use from the container of the provider. It can be AT_KEYEXCHANGE or AT_SIGNATURE. This parameter /// is ignored if an NCRYPT_KEY_HANDLE is used in the hCryptProvOrNCryptKey parameter. /// /// /// /// Specifies the encoding type used. It is always acceptable to specify both the certificate and message encoding types by /// combining them with a bitwise- OR operation as shown in the following example: /// /// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING /// Currently defined encoding types are: /// /// /// X509_ASN_ENCODING /// /// /// PKCS_7_ASN_ENCODING /// /// /// /// /// A pointer to a CERT_PUBLIC_KEY_INFO structure to receive the public key information to be exported. /// /// To set the size of this information for memory allocation purposes, this parameter can be NULL. For more information, see /// Retrieving Data of Unknown Length. /// /// /// /// /// A pointer to a DWORD that contains the size, in bytes, of the buffer pointed to by the pInfo parameter. When the function /// returns, the DWORD contains the number of bytes needed for the return buffer. /// /// /// Note When processing the data returned in the buffer, applications need to use the actual size of the data returned. The /// actual size can be slightly smaller than the size of the buffer specified on input. (On input, buffer sizes are usually /// specified large enough to ensure that the largest possible output data will fit in the buffer.) On output, the variable pointed /// to by this parameter is updated to reflect the actual size of the data copied to the buffer. /// /// /// /// If the function succeeds, the function returns nonzero ( TRUE). /// If the function fails, it returns zero ( FALSE). For extended error information, call GetLastError. /// Note Errors from the called functions CryptGetUserKey and CryptExportKey might be propagated to this function. /// This function has the following error codes. /// /// /// Return code /// Description /// /// /// ERROR_MORE_DATA /// /// If the buffer specified by the pInfo parameter is not large enough to hold the returned data, the function sets the /// ERROR_MORE_DATA code, and stores the required buffer size, in bytes, into the variable pointed to by pcbInfo. /// /// /// /// ERROR_FILE_NOT_FOUND /// Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported. /// /// /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptexportpublickeyinfo BOOL CryptExportPublicKeyInfo( // HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, DWORD dwKeySpec, DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pInfo, // DWORD *pcbInfo ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "ad43a991-aaf5-4272-abab-0a981112e5e4")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptExportPublicKeyInfo(HCRYPTPROV hCryptProvOrNCryptKey, CertKeySpec dwKeySpec, CertEncodingType dwCertEncodingType, IntPtr pInfo, ref uint pcbInfo); ///

/// /// Handle of the cryptographic service provider (CSP) to use when exporting the public key information. This handle must be an /// HCRYPTPROV handle that has been created by using the CryptAcquireContext function or an NCRYPT_KEY_HANDLE handle that has /// been created by using the NCryptOpenKey function. New applications should always pass in the NCRYPT_KEY_HANDLE handle of /// a CNG CSP. /// /// /// Identifies the private key to use from the container of the provider. It can be AT_KEYEXCHANGE or AT_SIGNATURE. This parameter /// is ignored if an NCRYPT_KEY_HANDLE is used in the hCryptProvOrNCryptKey parameter. /// /// /// /// Specifies the encoding type used. It is always acceptable to specify both the certificate and message encoding types by /// combining them with a bitwise- OR operation as shown in the following example: /// /// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING /// Currently defined encoding types are: /// /// /// X509_ASN_ENCODING /// /// /// PKCS_7_ASN_ENCODING /// /// /// /// /// A pointer to a CERT_PUBLIC_KEY_INFO structure to receive the public key information to be exported. /// /// To set the size of this information for memory allocation purposes, this parameter can be NULL. For more information, see /// Retrieving Data of Unknown Length. /// /// /// /// /// A pointer to a DWORD that contains the size, in bytes, of the buffer pointed to by the pInfo parameter. When the function /// returns, the DWORD contains the number of bytes needed for the return buffer. /// /// /// Note When processing the data returned in the buffer, applications need to use the actual size of the data returned. The /// actual size can be slightly smaller than the size of the buffer specified on input. (On input, buffer sizes are usually /// specified large enough to ensure that the largest possible output data will fit in the buffer.) On output, the variable pointed /// to by this parameter is updated to reflect the actual size of the data copied to the buffer. /// /// /// /// If the function succeeds, the function returns nonzero ( TRUE). /// If the function fails, it returns zero ( FALSE). For extended error information, call GetLastError. /// Note Errors from the called functions CryptGetUserKey and CryptExportKey might be propagated to this function. /// This function has the following error codes. /// /// /// Return code /// Description /// /// /// ERROR_MORE_DATA /// /// If the buffer specified by the pInfo parameter is not large enough to hold the returned data, the function sets the /// ERROR_MORE_DATA code, and stores the required buffer size, in bytes, into the variable pointed to by pcbInfo. /// /// /// /// ERROR_FILE_NOT_FOUND /// Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported. /// /// /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptexportpublickeyinfo BOOL CryptExportPublicKeyInfo( // HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, DWORD dwKeySpec, DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pInfo, // DWORD *pcbInfo ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "ad43a991-aaf5-4272-abab-0a981112e5e4")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptExportPublicKeyInfo(NCrypt.NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, CertKeySpec dwKeySpec, CertEncodingType dwCertEncodingType, IntPtr pInfo, ref uint pcbInfo); ///

/// The CryptExportPublicKeyInfoEx function exports the public key information associated with the provider's corresponding /// private key. This function allows the application to specify the public key algorithm, overriding the default provided by the /// cryptographic service provider (CSP). ///

/// /// A handle of the CSP to use when exporting the public key information. This handle must be an HCRYPTPROV handle that has been /// created by using the CryptAcquireContext function or an NCRYPT_KEY_HANDLE handle that has been created by using the /// NCryptOpenKey function. New applications should always pass in the NCRYPT_KEY_HANDLE handle of a CNG CSP. /// /// /// Identifies the private key to use from the provider's container. It can be AT_KEYEXCHANGE or AT_SIGNATURE. This parameter is /// ignored if an NCRYPT_KEY_HANDLE is used in the hCryptProvOrNCryptKey parameter. /// /// /// /// Specifies the encoding type used. It is always acceptable to specify both the certificate and message encoding types by /// combining them with a bitwise- OR operation as shown in the following example: /// /// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING /// Currently defined encoding types are: /// /// /// X509_ASN_ENCODING /// /// /// PKCS_7_ASN_ENCODING /// /// /// /// /// Specifies the public key algorithm. /// /// Note pszPublicKeyObjId and dwCertEncodingType are used together to determine the installable /// CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC to call. If an installable function was not found for the pszPublicKeyObjId /// parameter, an attempt is made to export the key as an RSA Public Key (szOID_RSA_RSA). /// /// /// /// /// A DWORD flag value that indicates how the public key information is exported. The flag value is passed directly to the /// CryptFindOIDInfo function when mapping the public key object identifier to the corresponding CNG public key algorithm Unicode /// string. The following flag values can be set. /// /// /// /// Value /// Meaning /// /// /// CRYPT_OID_INFO_PUBKEY_SIGN_KEY_FLAG /// /// Skips public keys in the CRYPT_PUBKEY_ALG_OID_GROUP_ID group explicitly flagged with the CRYPT_OID_PUBKEY_ENCRYPT_ONLY_FLAG flag. /// /// /// /// CRYPT_OID_INFO_PUBKEY_ENCRYPT_KEY_FLAG /// /// Skips public keys in the CRYPT_PUBKEY_ALG_OID_GROUP_ID group explicitly flagged with the CRYPT_OID_PUBKEY_SIGN_ONLY_FLAG flag. /// /// /// /// /// This parameter is reserved for future use and must be set to NULL. /// /// A pointer to a CERT_PUBLIC_KEY_INFO structure to receive the public key information to be exported. /// /// This parameter can be NULL to set the size of this information for memory allocation purposes. For more information, see /// Retrieving Data of Unknown Length. /// /// /// /// /// A pointer to a DWORD that contains the size, in bytes, of the buffer pointed to by the pInfo parameter. When the function /// returns, the DWORD contains the number of bytes stored in the buffer. /// /// /// Note When processing the data returned in the buffer, applications need to use the actual size of the data returned. The /// actual size can be slightly smaller than the size of the buffer specified on input. (On input, buffer sizes are usually /// specified large enough to ensure that the largest possible output data will fit in the buffer.) On output, the variable pointed /// to by this parameter is updated to reflect the actual size of the data copied to the buffer. /// /// /// /// If the function succeeds, the return value is nonzero ( TRUE). /// If the function fails, the return value is zero ( FALSE). For extended error information, call GetLastError. /// Note Errors from the called functions CryptGetUserKey and CryptExportKey can be propagated to this function. /// This function has the following error codes. /// /// /// Return code /// Description /// /// /// ERROR_FILE_NOT_FOUND /// /// An export function that can be installed or registered could not be found for the specified dwCertEncodingType and /// pszPublicKeyObjId parameters. /// /// /// /// ERROR_MORE_DATA /// /// If the buffer specified by the pInfo parameter is not large enough to hold the returned data, the function sets the /// ERROR_MORE_DATA code and stores the required buffer size, in bytes, in the variable pointed to by the pcbInfo parameter. /// /// /// /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptexportpublickeyinfoex BOOL // CryptExportPublicKeyInfoEx( HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, DWORD dwKeySpec, DWORD dwCertEncodingType, // LPSTR pszPublicKeyObjId, DWORD dwFlags, void *pvAuxInfo, PCERT_PUBLIC_KEY_INFO pInfo, DWORD *pcbInfo ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "38274222-90b3-4038-86d3-6b2813100ce2")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptExportPublicKeyInfoEx(HCRYPTPROV hCryptProvOrNCryptKey, CertKeySpec dwKeySpec, CertEncodingType dwCertEncodingType, SafeOID pszPublicKeyObjId, CryptOIDInfoFlags dwFlags, [In, Optional] IntPtr pvAuxInfo, [Out, Optional] IntPtr pInfo, ref uint pcbInfo); ///

/// /// A handle of the CSP to use when exporting the public key information. This handle must be an HCRYPTPROV handle that has been /// created by using the CryptAcquireContext function or an NCRYPT_KEY_HANDLE handle that has been created by using the /// NCryptOpenKey function. New applications should always pass in the NCRYPT_KEY_HANDLE handle of a CNG CSP. /// /// /// Identifies the private key to use from the provider's container. It can be AT_KEYEXCHANGE or AT_SIGNATURE. This parameter is /// ignored if an NCRYPT_KEY_HANDLE is used in the hCryptProvOrNCryptKey parameter. /// /// /// /// Specifies the encoding type used. It is always acceptable to specify both the certificate and message encoding types by /// combining them with a bitwise- OR operation as shown in the following example: /// /// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING /// Currently defined encoding types are: /// /// /// X509_ASN_ENCODING /// /// /// PKCS_7_ASN_ENCODING /// /// /// /// /// Specifies the public key algorithm. /// /// Note pszPublicKeyObjId and dwCertEncodingType are used together to determine the installable /// CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC to call. If an installable function was not found for the pszPublicKeyObjId /// parameter, an attempt is made to export the key as an RSA Public Key (szOID_RSA_RSA). /// /// /// /// /// A DWORD flag value that indicates how the public key information is exported. The flag value is passed directly to the /// CryptFindOIDInfo function when mapping the public key object identifier to the corresponding CNG public key algorithm Unicode /// string. The following flag values can be set. /// /// /// /// Value /// Meaning /// /// /// CRYPT_OID_INFO_PUBKEY_SIGN_KEY_FLAG /// /// Skips public keys in the CRYPT_PUBKEY_ALG_OID_GROUP_ID group explicitly flagged with the CRYPT_OID_PUBKEY_ENCRYPT_ONLY_FLAG flag. /// /// /// /// CRYPT_OID_INFO_PUBKEY_ENCRYPT_KEY_FLAG /// /// Skips public keys in the CRYPT_PUBKEY_ALG_OID_GROUP_ID group explicitly flagged with the CRYPT_OID_PUBKEY_SIGN_ONLY_FLAG flag. /// /// /// /// /// This parameter is reserved for future use and must be set to NULL. /// /// A pointer to a CERT_PUBLIC_KEY_INFO structure to receive the public key information to be exported. /// /// This parameter can be NULL to set the size of this information for memory allocation purposes. For more information, see /// Retrieving Data of Unknown Length. /// /// /// /// /// A pointer to a DWORD that contains the size, in bytes, of the buffer pointed to by the pInfo parameter. When the function /// returns, the DWORD contains the number of bytes stored in the buffer. /// /// /// Note When processing the data returned in the buffer, applications need to use the actual size of the data returned. The /// actual size can be slightly smaller than the size of the buffer specified on input. (On input, buffer sizes are usually /// specified large enough to ensure that the largest possible output data will fit in the buffer.) On output, the variable pointed /// to by this parameter is updated to reflect the actual size of the data copied to the buffer. /// /// /// /// If the function succeeds, the return value is nonzero ( TRUE). /// If the function fails, the return value is zero ( FALSE). For extended error information, call GetLastError. /// Note Errors from the called functions CryptGetUserKey and CryptExportKey can be propagated to this function. /// This function has the following error codes. /// /// /// Return code /// Description /// /// /// ERROR_FILE_NOT_FOUND /// /// An export function that can be installed or registered could not be found for the specified dwCertEncodingType and /// pszPublicKeyObjId parameters. /// /// /// /// ERROR_MORE_DATA /// /// If the buffer specified by the pInfo parameter is not large enough to hold the returned data, the function sets the /// ERROR_MORE_DATA code and stores the required buffer size, in bytes, in the variable pointed to by the pcbInfo parameter. /// /// /// /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptexportpublickeyinfoex BOOL // CryptExportPublicKeyInfoEx( HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, DWORD dwKeySpec, DWORD dwCertEncodingType, // LPSTR pszPublicKeyObjId, DWORD dwFlags, void *pvAuxInfo, PCERT_PUBLIC_KEY_INFO pInfo, DWORD *pcbInfo ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "38274222-90b3-4038-86d3-6b2813100ce2")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptExportPublicKeyInfoEx(NCrypt.NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, CertKeySpec dwKeySpec, CertEncodingType dwCertEncodingType, SafeOID pszPublicKeyObjId, CryptOIDInfoFlags dwFlags, [In, Optional] IntPtr pvAuxInfo, [Out, Optional] IntPtr pInfo, ref uint pcbInfo); ///

/// The CryptExportPublicKeyInfoFromBCryptKeyHandle function exports the public key information associated with a provider's /// corresponding private key. ///

/// The handle of the key from which to export the public key information. /// /// Specifies the encoding type to be matched. /// This value can be a bitwise combination of the currently defined encoding types: /// /// /// X509_ASN_ENCODING /// /// /// PKCS_7_ASN_ENCODING /// /// /// /// /// A pointer to the object identifier (OID) that identifies the installable function to use to export the key. If the high-order /// word of the OID is nonzero, pszPublicKeyObjId is a pointer to either an OID string such as "2.5.29.1" or an ASCII string such as /// "file." If the high-order word of the OID is zero, the low-order word specifies the integer identifier to be used as the object identifier. /// /// /// A DWORD value that indicates how the public key information is exported. /// /// /// Value /// Meaning /// /// /// CRYPT_OID_INFO_PUBKEY_SIGN_KEY_FLAG 0x80000000 /// /// Skips public keys in the CRYPT_PUBKEY_ALG_OID_GROUP_ID group that are explicitly flagged with the /// CRYPT_OID_PUBKEY_ENCRYPT_ONLY_FLAG flag. /// /// /// /// CRYPT_OID_INFO_PUBKEY_ENCRYPT_KEY_FLAG 0x40000000 /// /// Skips public keys in the CRYPT_PUBKEY_ALG_OID_GROUP_ID group that are explicitly flagged with the /// CRYPT_OID_PUBKEY_SIGN_ONLY_FLAG flag. /// /// /// /// /// This parameter is reserved for future use and must be set to NULL. /// /// A pointer to a CERT_PUBLIC_KEY_INFO structure to receive the public key information to be exported. /// /// This parameter can be NULL to set the size of this information for memory allocation purposes. For more information, see /// Retrieving Data of Unknown Length. /// /// /// /// A pointer to a DWORD that contains the size, in bytes, of the buffer pointed to by the pInfo parameter. When the function /// returns, the DWORD contains the number of bytes stored in the buffer. /// /// The function returns TRUE if it succeeds; otherwise, it returns FALSE. /// /// If the CryptExportPublicKeyInfoFromBCryptKeyHandle function is unable to find an installable OID function for the OID /// specified by the pszPublicKeyObjId parameter, it attempts to export the key as a RSA Public Key ( szOID_RSA_RSA). If the /// key is exported as a RSA Public Key, the values of the dwFlags and pvAuxInfo parameters are not used. /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptexportpublickeyinfofrombcryptkeyhandle BOOL // CryptExportPublicKeyInfoFromBCryptKeyHandle( BCRYPT_KEY_HANDLE hBCryptKey, DWORD dwCertEncodingType, LPSTR pszPublicKeyObjId, // DWORD dwFlags, void *pvAuxInfo, PCERT_PUBLIC_KEY_INFO pInfo, DWORD *pcbInfo ); [DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "f96bff4a-d354-4231-907a-383aff5cfacc")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptExportPublicKeyInfoFromBCryptKeyHandle(BCrypt.BCRYPT_KEY_HANDLE hBCryptKey, CertEncodingType dwCertEncodingType, SafeOID pszPublicKeyObjId, CryptOIDInfoFlags dwFlags, [In, Optional] IntPtr pvAuxInfo, [Out, Optional] IntPtr pInfo, ref uint pcbInfo); ///

/// The CryptFindCertificateKeyProvInfo function enumerates the cryptographic providers and their containers to find the /// private key that corresponds to the certificate's public key. ///

/// A pointer to the CERT_CONTEXT structure of the certificate to use when exporting public key information. /// /// A set of flags that modify the behavior of this function. This can be zero or one of the following values. /// /// /// Value /// Meaning /// /// /// CRYPT_FIND_USER_KEYSET_FLAG /// Restricts the search to the user container. The default is to search both the user and machine containers. /// /// /// CRYPT_FIND_MACHINE_KEYSET_FLAG /// Restricts the search to the machine container. The default is to search both the user and machine containers. /// /// /// CRYPT_FIND_SILENT_KEYSET_FLAG /// /// The application requests that the CSP not display any user interface (UI) for this context. If the CSP must display the UI to /// operate, the call fails and the NTE_SILENT_CONTEXT error code is set as the last error. /// /// /// /// /// The following flags determine which technology is used to obtain the key. If none of these flags is present, this function will /// only attempt to obtain the key by using CryptoAPI. /// /// Windows Server 2003 and Windows XP: These flags are not supported. /// /// /// Value /// Meaning /// /// /// CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG /// /// This function will attempt to obtain the key by using CryptoAPI. If that fails, this function will attempt to obtain the key by /// using the Cryptography API: Next Generation (CNG). The CERT_KEY_PROV_INFO_PROP_ID property of the certificate is set to zero if /// CNG is used to obtain the key. /// /// /// /// CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG /// /// This function will only attempt to obtain the key by using CNG and will not use CryptoAPI to obtain the key. The /// CERT_KEY_PROV_INFO_PROP_ID property of the certificate is set to zero if CNG is used to obtain the key. /// /// /// /// CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG /// /// This function will attempt to obtain the key by using CNG. If that fails, this function will attempt to obtain the key by using /// CryptoAPI. The CERT_KEY_PROV_INFO_PROP_ID property of the certificate is set to zero if CNG is used to obtain the key. /// /// /// /// /// Reserved for future use and must be NULL. /// /// /// TRUE if the function finds a private key that corresponds to the certificate's public key within a searched container; /// FALSE if the function fails to find a container or a private key within a container. /// /// GetLastError returns the following error: /// /// /// Return code /// Description /// /// /// NTE_NO_KEY /// No container found. /// /// /// /// /// This function enumerates the cryptographic providers and their containers to find the private key that corresponds to the /// certificate's public key. For a match, the function updates the certificate's CERT_KEY_PROV_INFO_PROP_ID property. If the /// CERT_KEY_PROV_INFO_PROP_ID is already set, it is checked to determine whether it matches the provider's public key. For a /// match, the function skips the previously mentioned enumeration. /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptfindcertificatekeyprovinfo BOOL // CryptFindCertificateKeyProvInfo( PCCERT_CONTEXT pCert, DWORD dwFlags, void *pvReserved ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "9e63517d-a56e-45a9-972c-de9a297e9e25")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptFindCertificateKeyProvInfo(PCCERT_CONTEXT pCert, CryptFindFlags dwFlags, IntPtr pvReserved = default); ///

/// The CryptFindLocalizedName function finds the localized name for the specified name, such as the localize name of the /// "Root" system store. This function can be used before displaying any UI that included a name that might have a localized form. ///

/// /// /// A pointer to a specified name. An internal table is searched to compare a predefined localized name to the specified name. The /// search matches the localized name by using a case insensitive string comparison. /// /// /// Note Localized names for the predefined system stores ("Root", "My") and predefined physical stores (".Default", /// ".LocalMachine") are preinstalled as resource strings in Crypt32.dll. /// /// /// /// If the specified name is found, a pointer to the localized name is returned. The returned pointer must not be freed. /// If the specified name is not found, NULL is returned. /// /// /// CryptSetOIDFunctionValue can be called as follows to register additional localized strings. /// dwEncodingType = CRYPT_LOCALIZED_NAME_ENCODING_TYPE /// pszFuncName = CRYPT_OID_FIND_LOCALIZED_NAME_FUNC /// pszOID = CRYPT_LOCALIZED_NAME_OID /// pwszValueName = Name to be localized, for example, L"ApplicationStore" /// dwValueType = REG_SZ /// pbValueData = pointer to the Unicode localized string /// cbValueData = (wcslen(Unicode localized string) + 1) * sizeof(WCHAR) /// CryptSetOIDFunctionValue can be called as follows to unregister the localized strings. /// pbValueData = NULL /// cbValueData = 0. /// The registered names are searched before the preinstalled names. /// /// /// CRYPT_LOCALIZED_NAME_ ENCODING_TYPE /// 0 /// /// /// CRYPT_LOCALIZED_NAME_ OID /// "LocalizedNames" /// /// /// CRYPT_OID_FIND_LOCALIZED_ NAME_FUNC /// "CryptDLLFindLocalizedName" /// /// /// Examples /// For an example that uses this function, see Example C Program: Setting and Getting Certificate Store Properties. /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptfindlocalizedname LPCWSTR CryptFindLocalizedName( // LPCWSTR pwszCryptName ); [DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "8f0006a9-0930-4b71-87ce-e72371095e4c")] [return: MarshalAs(UnmanagedType.LPWStr)] public static extern StrPtrUni CryptFindLocalizedName([MarshalAs(UnmanagedType.LPWStr)] string pwszCryptName); ///

/// Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. /// Microsoft may remove this API in future releases. /// The CryptHashCertificate function hashes the entire encoded content of a certificate including its signature. ///

/// /// This parameter is not used and should be set to NULL. /// /// Windows Server 2003 and Windows XP: A handle of the cryptographic service provider (CSP) to use to compute the hash. /// /// This parameter's data type is HCRYPTPROV. /// /// Unless there is a strong reason for passing in a specific CSP in hCryptProv, zero is passed in. Passing in zero causes the /// default RSA or Digital Signature Standard (DSS) provider to be acquired before doing hash, signature verification, or recipient /// encryption operations. /// /// /// /// An ALG_ID structure that specifies the hash algorithm to use. If Algid is zero, the default hash algorithm, SHA1, is used. /// /// Value to be passed to the hash API. For details, see CryptCreateHash. /// Address of the encoded content to be hashed. /// The size, in bytes, of the encoded content. /// /// A pointer to a buffer to receive the computed hash. /// /// To set the size of this information for memory allocation purposes, this parameter can be NULL. For more information, see /// Retrieving Data of Unknown Length. /// /// /// /// /// A pointer to a DWORD that contains the size, in bytes, of the buffer pointed to by the pbComputedHash parameter. When the /// function returns, the DWORD contains the number of bytes stored in the buffer. /// /// /// Note When processing the data returned in the buffer, applications need to use the actual size of the data returned. The /// actual size can be slightly smaller than the size of the buffer specified on input. On input, buffer sizes are usually specified /// large enough to ensure that the largest possible output data will fit in the buffer. On output, the variable pointed to by this /// parameter is updated to reflect the actual size of the data copied to the buffer. /// /// /// /// If the function succeeds, the function returns nonzero ( TRUE). /// If the function fails, it returns zero ( FALSE). For extended error information, call GetLastError. /// /// Note Errors from the called functions CryptCreateHash, CryptGetHashParam and CryptHashData might be propagated to this function. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-crypthashcertificate BOOL CryptHashCertificate( // HCRYPTPROV_LEGACY hCryptProv, ALG_ID Algid, DWORD dwFlags, const BYTE *pbEncoded, DWORD cbEncoded, BYTE *pbComputedHash, DWORD // *pcbComputedHash ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "a5beba30-f32b-4d57-8a54-7d9096459c50")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptHashCertificate([Optional] HCRYPTPROV hCryptProv, ALG_ID Algid, [Optional] uint dwFlags, [In] IntPtr pbEncoded, uint cbEncoded, [Out] IntPtr pbComputedHash, ref uint pcbComputedHash); ///

The CryptHashCertificate2 function hashes a block of data by using a CNG hash provider.

/// /// The address of a null-terminated Unicode string that contains the CNG hash algorithm identifier of the hash algorithm to use to /// hash the certificate. This can be one of the CNG Algorithm Identifiers that represents a hash algorithm or any other registered /// hash algorithm identifier. /// /// A set of flags that modify the behavior of this function. No flags are defined for this function. /// Reserved for future use and must be NULL. /// The address of an array of bytes to be hashed. The cbEncoded parameter contains the size of this array. /// The number of elements in the pbEncoded array. /// /// The address of a buffer that receives the computed hash. The variable pointed to by the pcbComputedHash parameter contains the /// size of this buffer. /// /// /// The address of a DWORD variable that, on entry, contains the size, in bytes, of the pbComputedHash buffer. After this /// function returns, this variable contains the number of bytes copied to the pbComputedHash buffer. /// /// /// If the function succeeds, the function returns nonzero ( TRUE). /// /// If the function fails, it returns zero ( FALSE). For extended error information, call GetLastError. Some of the possible /// error codes are identified in the following topics. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-crypthashcertificate2 BOOL CryptHashCertificate2( LPCWSTR // pwszCNGHashAlgid, DWORD dwFlags, void *pvReserved, const BYTE *pbEncoded, DWORD cbEncoded, BYTE *pbComputedHash, DWORD // *pcbComputedHash ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "9f315374-0002-499a-81ea-efcb3c19e68f")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptHashCertificate2([MarshalAs(UnmanagedType.LPWStr)] string pwszCNGHashAlgid, [Optional] uint dwFlags, [Optional] IntPtr pvReserved, [In] IntPtr pbEncoded, uint cbEncoded, [Out] IntPtr pbComputedHash, ref uint pcbComputedHash); ///

/// Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. /// Microsoft may remove this API in future releases. /// /// The CryptHashPublicKeyInfo function encodes the public key information in a CERT_PUBLIC_KEY_INFO structure and computes the hash /// of the encoded bytes.The hash created is used with key identifier functions. /// ///

/// /// This parameter is not used and should be set to NULL. /// /// Windows Server 2003 and Windows XP: A handle of the cryptographic service provider (CSP) to use to compute the hash.This /// parameter's data type is HCRYPTPROV. /// /// /// Unless there is a strong reason for passing in a specific cryptographic provider in hCryptProv, zero is passed in. Passing in /// zero causes the default RSA or Digital Signature Standard (DSS) provider to be acquired before doing hash, signature /// verification, or recipient encryption operations. /// /// /// /// An ALG_ID structure that specifies the CryptoAPI hash algorithm to use. If Algid is zero, the default hash algorithm, SHA1, is used. /// /// Values to be passed on to CryptCreateHash. /// /// /// Specifies the encoding type used. It is always acceptable to specify both the certificate and message encoding types by /// combining them with a bitwise- OR operation as shown in the following example: /// /// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING /// Currently defined encoding types are: /// /// /// X509_ASN_ENCODING /// /// /// PKCS_7_ASN_ENCODING /// /// /// /// /// A pointer to a CERT_PUBLIC_KEY_INFO structure that contains the public key information to be encoded and hashed. /// /// /// A pointer to a buffer to receive the computed hash. /// /// To set the size of this information for memory allocation purposes, this parameter can be NULL. For more information, see /// Retrieving Data of Unknown Length. /// /// /// /// /// A pointer to a DWORD that contains the size, in bytes, of the buffer pointed to by the pbComputedHash parameter. When the /// function returns, the DWORD contains the number of bytes stored in the buffer. /// /// /// Note When processing the data returned in the buffer, applications need to use the actual size of the data returned. The /// actual size can be slightly smaller than the size of the buffer specified on input. On input, buffer sizes are usually specified /// large enough to ensure that the largest possible output data will fit in the buffer. On output, the variable pointed to by this /// parameter is updated to reflect the actual size of the data copied to the buffer. /// /// /// /// If the function succeeds, the function returns nonzero ( TRUE). /// If the function fails, it returns zero ( FALSE). For extended error information, call GetLastError. /// /// Note Errors from the called functions CryptCreateHash, CryptGetHashParam, and CryptHashData can be propagated to this /// function. This function has the following error codes. /// /// /// /// Return code /// Description /// /// /// ERROR_MORE_DATA /// /// If the buffer specified by the pbComputedHash parameter is not large enough to hold the returned data, the function sets the /// ERROR_MORE_DATA code, and stores the required buffer size, in bytes, in the variable pointed to by pcbComputedHash. /// /// /// /// ERROR_FILE_NOT_FOUND /// Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported. /// /// /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-crypthashpublickeyinfo BOOL CryptHashPublicKeyInfo( // HCRYPTPROV_LEGACY hCryptProv, ALG_ID Algid, DWORD dwFlags, DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pInfo, BYTE // *pbComputedHash, DWORD *pcbComputedHash ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "b0c419b7-ebb3-42c6-9f6a-59b55a2db1b2")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptHashPublicKeyInfo([Optional] HCRYPTPROV hCryptProv, ALG_ID Algid, [Optional] uint dwFlags, CertEncodingType dwCertEncodingType, in CERT_PUBLIC_KEY_INFO pInfo, [Out] IntPtr pbComputedHash, ref uint pcbComputedHash); ///

/// Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. /// Microsoft may remove this API in future releases. /// /// The CryptHashToBeSigned function computes the hash of the encoded content from a signed and encoded certificate. The hash is /// performed on only the "to be signed" encoded content and its signature. /// ///

/// /// This parameter is not used and should be set to NULL. /// /// Windows Server 2003 and Windows XP: A handle of the cryptographic service provider (CSP) to use to compute the hash.This /// parameter's data type is HCRYPTPROV. /// /// /// Unless there is a strong reason for passing in a specific cryptographic provider in hCryptProv, zero is passed in. Passing in /// zero causes the default RSA or Digital Signature Standard (DSS) provider to be acquired before doing hash, signature /// verification, or recipient encryption operations. /// /// /// /// /// Specifies the encoding type used. It is always acceptable to specify both the certificate and message encoding types by /// combining them with a bitwise- OR operation as shown in the following example: /// /// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING /// Currently defined encoding types are: /// /// /// X509_ASN_ENCODING /// /// /// PKCS_7_ASN_ENCODING /// /// /// /// Address of a buffer that contains the content to be hashed. This is the encoded form of a CERT_SIGNED_CONTENT_INFO. /// The size, in bytes, of the buffer. /// /// A pointer to a buffer to receive the computed hash. /// /// This parameter can be NULL to set the size of this information for memory allocation purposes. For more information, see /// Retrieving Data of Unknown Length. /// /// /// /// /// A pointer to a DWORD that contains the size, in bytes, of the buffer pointed to by the pbComputedHash parameter. When the /// function returns, the DWORD contains the number of bytes stored in the buffer. /// /// /// Note When processing the data returned in the buffer, applications need to use the actual size of the data returned. The /// actual size can be slightly smaller than the size of the buffer specified on input. On input, buffer sizes are usually specified /// large enough to ensure that the largest possible output data will fit in the buffer. On output, the variable pointed to by this /// parameter is updated to reflect the actual size of the data copied to the buffer. /// /// /// /// If the function succeeds, the function returns nonzero ( TRUE). /// If the function fails, it returns zero ( FALSE). For extended error information, call GetLastError. /// /// Note Errors from the called functions CryptCreateHash, CryptGetHashParam, and CryptHashData might be propagated to this /// function. This function has the following error codes. /// /// /// /// Return code /// Description /// /// /// ERROR_MORE_DATA /// /// If the buffer specified by the pbComputedHash parameter is not large enough to hold the returned data, the function sets the /// ERROR_MORE_DATA code, and stores the required buffer size, in bytes, into the variable pointed to by pcbComputedHash. /// /// /// /// ERROR_FILE_NOT_FOUND /// Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported. /// /// /// NTE_BAD_ALGID /// The object identifier (OID) of the signature algorithm does not map to a known or supported hash algorithm. /// /// /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-crypthashtobesigned BOOL CryptHashToBeSigned( // HCRYPTPROV_LEGACY hCryptProv, DWORD dwCertEncodingType, const BYTE *pbEncoded, DWORD cbEncoded, BYTE *pbComputedHash, DWORD // *pcbComputedHash ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "84477054-dd76-4dde-b465-9edeaf192714")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptHashToBeSigned([Optional] HCRYPTPROV hCryptProv, CertEncodingType dwCertEncodingType, [In] IntPtr pbEncoded, uint cbEncoded, [Out] IntPtr pbComputedHash, ref uint pcbComputedHash); ///

/// /// [The CryptImportPKCS8 function is no longer available for use as of Windows Server 2008 and Windows Vista. Instead, use /// the PFXImportCertStore function.] /// /// /// Important This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. /// Microsoft may remove this API in future releases. /// /// /// The CryptImportPKCS8 function imports the private key in PKCS #8 format to a cryptographic service provider (CSP). /// CryptImportPKCS8 will return a handle to the provider and the import KeySpec used. /// ///

/// /// A CRYPT_PKCS8_IMPORT_PARAMS structure that contains the private key BLOB and corresponding parameters. /// /// /// A DWORD value. This parameter can be one of the following values, a combination of them, or a null value. /// /// /// Value /// Meaning /// /// /// CRYPT_EXPORTABLE /// /// The key being imported is eventually to be reexported. If this flag is not used, then calls to CryptExportKey with the key /// handle fail. /// /// /// /// CRYPT_USER_PROTECTED /// /// If this flag is set, the CSP notifies the user through a dialog box or some other method when certain actions are attempted /// using this key. The precise behavior is specified by the CSP or the CSP type used. If the provider context was acquired with /// CRYPT_SILENT set, using this flag causes a failure, and the last error is set to NTE_SILENT_CONTEXT. /// /// /// /// /// /// /// A pointer to the HCRYPTPROV to receive the handle of the provider into which the key is imported by calling the /// CryptImportPKCS8 function. /// /// When you have finished using the handle, free the handle by calling CryptReleaseContext. /// This parameter can be NULL, in which case the handle of the provider is not returned. /// /// This parameter must be NULL. /// /// If the function succeeds, the function returns nonzero ( TRUE). /// If the function fails, it returns zero ( FALSE). For extended error information, call GetLastError. /// The following error code is specific to this function. /// /// /// Return code /// Description /// /// /// ERROR_UNSUPPORTED_TYPE /// The algorithm object identifier (OID) of the private key is not supported. /// /// /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// /// /// /// CryptImportPKCS8 calls the PCRYPT_RESOLVE_HCRYPTPROV_FUNC function by using the CRYPT_PKCS8_IMPORT_PARAMS structure /// contained in the sPrivateKeyAndParams parameter to retrieve a handle of the provider to which to import the key. If /// PCRYPT_RESOLVE_HCRYPTPROV_FUNC is NULL, then the default provider is used. /// /// This function is only supported for asymmetric keys. /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptimportpkcs8 BOOL CryptImportPKCS8( // CRYPT_PKCS8_IMPORT_PARAMS sPrivateKeyAndParams, DWORD dwFlags, HCRYPTPROV *phCryptProv, void *pvAuxInfo ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "fa3deff9-b4c1-4b63-a59f-738f87e1a409")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptImportPKCS8(CRYPT_PKCS8_IMPORT_PARAMS sPrivateKeyAndParams, uint dwFlags, out IntPtr phCryptProv, IntPtr pvAuxInfo = default); ///

/// /// The handle of the cryptographic service provider (CSP) to use when importing the public key. This handle must have already been /// created using CryptAcquireContext. /// /// /// /// Specifies the encoding type used. It is always acceptable to specify both the certificate and message encoding types by /// combining them with a bitwise- OR operation as shown in the following example: /// /// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING /// Currently defined encoding types are: /// /// /// X509_ASN_ENCODING /// /// /// PKCS_7_ASN_ENCODING /// /// /// /// The address of a CERT_PUBLIC_KEY_INFO structure that contains the public key to import into the provider. /// /// The address of an HCRYPTKEY variable that receives the handle of the imported public key. When you have finished using /// the public key, release the handle by calling the CryptDestroyKey function. /// /// /// If the function succeeds, the return value is nonzero ( TRUE). /// If the function fails, the return value is zero ( FALSE). For extended error information, call GetLastError. /// /// Note Errors from the called functions CryptGetUserKey and CryptExportKey might be propagated to this function. This /// function has the following error code. /// /// /// /// Return code /// Description /// /// /// ERROR_FILE_NOT_FOUND /// /// An import function that can be installed or registered could not be found for the specified dwCertEncodingType and /// pInfo->Algorithm.pszObjId parameters. /// /// /// /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// /// /// This function is normally used to retrieve the public key from a certificate. This is done by passing the CERT_PUBLIC_KEY_INFO /// structure from a filled-in certificate structure as shown in the following pseudocode. /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptimportpublickeyinfo BOOL CryptImportPublicKeyInfo( // HCRYPTPROV hCryptProv, DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pInfo, HCRYPTKEY *phKey ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "f5f8ebb6-c838-404b-9b61-3ec36fdaef01")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptImportPublicKeyInfo(HCRYPTPROV hCryptProv, CertEncodingType dwCertEncodingType, in CERT_PUBLIC_KEY_INFO pInfo, out SafeHCRYPTKEY phKey); ///

/// The handle of the CSP to receive the imported public key. This handle must have already been created using CryptAcquireContext. /// /// Specifies the encoding type used. It is always acceptable to specify both the certificate and message encoding types by /// combining them with a bitwise- OR operation as shown in the following example: /// /// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING /// Currently defined encoding types are: /// /// /// X509_ASN_ENCODING /// /// /// PKCS_7_ASN_ENCODING /// /// /// the address of a CERT_PUBLIC_KEY_INFO structure that contains the public key to import into the provider. /// /// Note The pzObjId member of the Algorithm member pointed to by the pInfo and dwCertEncodingType parameters /// determine an installable CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC callback function. If an installable function is not /// found, an attempt is made to import the key as an RSA Public Key (szOID_RSA_RSA). /// /// An ALG_ID structure that contains a CSP-specific algorithm to override the CALG_RSA_KEYX default algorithm. /// Reserved for future use and must be zero. /// Reserved for future use and must be NULL. /// /// The address of an HCRYPTKEY variable that receives the handle of the imported public key. When you have finished using /// the public key, release the handle by calling the CryptDestroyKey function. /// ///

/// /// The handle of the CSP to receive the imported public key. This handle must have already been created using CryptAcquireContext. /// /// /// /// Specifies the encoding type used. It is always acceptable to specify both the certificate and message encoding types by /// combining them with a bitwise- OR operation as shown in the following example: /// /// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING /// Currently defined encoding types are: /// /// /// X509_ASN_ENCODING /// /// /// PKCS_7_ASN_ENCODING /// /// /// /// /// the address of a CERT_PUBLIC_KEY_INFO structure that contains the public key to import into the provider. /// /// Note The pzObjId member of the Algorithm member pointed to by the pInfo and dwCertEncodingType parameters /// determine an installable CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC callback function. If an installable function is not /// found, an attempt is made to import the key as an RSA Public Key (szOID_RSA_RSA). /// /// /// An ALG_ID structure that contains a CSP-specific algorithm to override the CALG_RSA_KEYX default algorithm. /// Reserved for future use and must be zero. /// Reserved for future use and must be NULL. /// /// The address of an HCRYPTKEY variable that receives the handle of the imported public key. When you have finished using /// the public key, release the handle by calling the CryptDestroyKey function. /// /// /// If the function succeeds, the function returns nonzero ( TRUE). /// If the function fails, it returns zero ( FALSE). For extended error information, call GetLastError. /// /// Note Errors from the called functions CryptGetUserKey and CryptExportKey might be propagated to this function. This /// function has the following error code. /// /// /// /// Value /// Description /// /// /// ERROR_FILE_NOT_FOUND /// /// An import function that can be installed or registered could not be found for the specified dwCertEncodingType and pInfo parameters. /// /// /// /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// /// /// This function is normally used to retrieve the public key from a certificate. This is done by passing the CERT_PUBLIC_KEY_INFO /// structure from a filled-in certificate structure as shown in the following pseudocode. /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptimportpublickeyinfoex BOOL // CryptImportPublicKeyInfoEx( HCRYPTPROV hCryptProv, DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pInfo, ALG_ID aiKeyAlg, DWORD // dwFlags, void *pvAuxInfo, HCRYPTKEY *phKey ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "d3a59f83-c761-46bb-ac4f-f42f689ea5f1")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptImportPublicKeyInfoEx(HCRYPTPROV hCryptProv, uint dwCertEncodingType, in CERT_PUBLIC_KEY_INFO pInfo, ALG_ID aiKeyAlg, [Optional] uint dwFlags, [Optional] IntPtr pvAuxInfo, out SafeHCRYPTKEY phKey); ///

/// The CryptImportPublicKeyInfoEx2 function imports a public key into the CNG asymmetric provider that corresponds to the /// public key object identifier (OID) and returns a CNG handle to the key. ///

/// /// /// The certificate encoding type that was used to encrypt the subject. The message encoding type identifier, contained in the high /// WORD of this value, is ignored by this function. /// /// This parameter can be the following currently defined certificate encoding type. /// /// /// Value /// Meaning /// /// /// X509_ASN_ENCODING 1 (0x1) /// Specifies X.509 certificate encoding. /// /// /// /// /// The address of a CERT_PUBLIC_KEY_INFO structure that contains the public key information to import into the provider. /// /// /// /// A set of flags that modify the behavior of this function. This can be zero or a combination of one or more of the following values. /// /// /// /// Value /// Meaning /// /// /// CRYPT_OID_INFO_PUBKEY_SIGN_KEY_FLAG /// /// Skips public keys in the CRYPT_PUBKEY_ALG_OID_GROUP_ID group that are explicitly flagged with the /// CRYPT_OID_PUBKEY_ENCRYPT_ONLY_FLAG flag. /// /// /// /// CRYPT_OID_INFO_PUBKEY_ENCRYPT_KEY_FLAG /// /// Skips public keys in the CRYPT_PUBKEY_ALG_OID_GROUP_ID group that are explicitly flagged with the /// CRYPT_OID_PUBKEY_SIGN_ONLY_FLAG flag. /// /// /// /// /// These flags are passed in the dwKeyType parameter of the CryptFindOIDInfo function when mapping the public key object identifier /// to the corresponding CNG public key algorithm identifier. /// /// /// This parameter is reserved for future use and must be set to NULL. /// /// The address of a BCRYPT_KEY_HANDLE variable that receives the handle of the imported key. /// When this handle is no longer needed, you must release it by calling the BCryptDestroyKey function. /// /// /// If the function succeeds, the function returns nonzero ( TRUE). /// /// If the function fails, it returns zero ( FALSE). For extended error information, call GetLastError. Possible error codes /// include, but are not limited to, the following. /// /// /// /// Return code /// Description /// /// /// ERROR_FILE_NOT_FOUND /// /// An import function that can be installed or registered could not be found for the specified dwCertEncodingType and pInfo parameters. /// /// /// /// E_INVALIDARG /// One or more parameters are not valid. /// /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptimportpublickeyinfoex2 BOOL // CryptImportPublicKeyInfoEx2( DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pInfo, DWORD dwFlags, void *pvAuxInfo, // BCRYPT_KEY_HANDLE *phKey ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "c73f2499-75e9-4146-ae4c-0e949206ea37")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptImportPublicKeyInfoEx2(CertEncodingType dwCertEncodingType, in CERT_PUBLIC_KEY_INFO pInfo, CryptOIDInfoFlags dwFlags, [Optional] IntPtr pvAuxInfo, out BCrypt.SafeBCRYPT_KEY_HANDLE phKey); ///

/// The CryptMemAlloc function allocates memory for a buffer. It is used by all Crypt32.lib functions that return allocated buffers. ///

/// Number of bytes to be allocated. /// /// Returns a pointer to the buffer allocated. If the function fails, NULL is returned. When you have finished using the /// buffer, free the memory by calling the CryptMemFree function. /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptmemalloc LPVOID CryptMemAlloc( ULONG cbSize ); [DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "ac7588b1-ff8c-4f8d-a8ab-f0e8a18e5614")] public static extern IntPtr CryptMemAlloc(uint cbSize); ///

The CryptMemFree function frees memory allocated by CryptMemAlloc or CryptMemRealloc.

/// A pointer to the buffer to be freed. /// This function does not return a value. // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptmemfree void CryptMemFree( LPVOID pv ); [DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "fb5c10ba-da8e-4a34-9302-67586a0a9624")] public static extern void CryptMemFree(IntPtr pv); ///

/// The CryptMemRealloc function frees the memory currently allocated for a buffer and allocates memory for a new buffer. ///

/// A pointer to a currently allocated buffer. /// Number of bytes to be allocated. /// /// Returns a pointer to the buffer allocated. If the function fails, NULL is returned. When you have finished using the /// buffer, free the memory by calling the CryptMemFree function. /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptmemrealloc LPVOID CryptMemRealloc( LPVOID pv, ULONG // cbSize ); [DllImport(Lib.Crypt32, SetLastError = false, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "74bdd2dd-9f05-4d36-8323-79d547820068")] public static extern IntPtr CryptMemRealloc(IntPtr pv, uint cbSize); ///

/// Indicates the type of the object to be queried. This must be one of the following values. /// /// /// Value /// Meaning /// /// /// CERT_QUERY_OBJECT_BLOB /// The object is stored in a structure in memory. /// /// /// CERT_QUERY_OBJECT_FILE /// The object is stored in a file. /// /// /// A pointer to the object to be queried. The type of data pointer depends on the contents of the dwObjectType parameter. /// /// /// dwObjectType value /// Meaning /// /// /// CERT_QUERY_OBJECT_BLOB /// This parameter is a pointer to a CERT_BLOB, or similar, structure that contains the object to query. /// /// /// CERT_QUERY_OBJECT_FILE /// This parameter is a pointer to a null-terminated Unicode string that contains the path and name of the file to query. /// /// /// Indicates the expected content type. This can be one of the following values. /// /// /// Value /// Meaning /// /// /// CERT_QUERY_CONTENT_FLAG_ALL /// /// The content can be any type. This does not include the CERT_QUERY_CONTENT_FLAG_PFX_AND_LOAD flag. If this flag is specified, /// this function will attempt to obtain information about the object, trying different content types until the proper content type /// is found or the content types are exhausted. This is obviously inefficient, so this flag should only be used if the content type /// is not known. /// /// /// /// CERT_QUERY_CONTENT_FLAG_CERT /// The content is a single certificate. /// /// /// CERT_QUERY_CONTENT_FLAG_CERT_PAIR /// /// The content is an Abstract Syntax Notation One (ASN.1) encoded X509_CERT_PAIR (an encoded certificate pair that contains either /// forward, reverse, or forward and reverse cross certificates). /// /// /// /// CERT_QUERY_CONTENT_FLAG_CRL /// The content is a single CRL. /// /// /// CERT_QUERY_CONTENT_FLAG_CTL /// The content is a single CTL. /// /// /// CERT_QUERY_CONTENT_FLAG_PFX /// /// The content is a PFX (PKCS #12) packet, but it will not be loaded by this function. You can use the PFXImportCertStore function /// to load this into a store. /// /// /// /// CERT_QUERY_CONTENT_FLAG_PFX_AND_LOAD /// /// The content is a PFX (PKCS #12) packet and will be loaded by this function subject to the conditions specified in the following /// note. Windows Server 2003 and Windows XP: This value is not supported. /// /// /// /// CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED /// The content is a PKCS #7 signed message. /// /// /// CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED /// The content is an embedded PKCS #7 signed message. /// /// /// CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED /// The content is a PKCS #7 unsigned message. /// /// /// CERT_QUERY_CONTENT_FLAG_PKCS10 /// The content is a PKCS #10 message. /// /// /// CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT /// The content is a serialized single certificate. /// /// /// CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL /// The content is a serialized single CRL. /// /// /// CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL /// The content is serialized single CTL. /// /// /// CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE /// The content is a serialized store. /// /// /// Indicates the expected format of the returned type. This can be one of the following values. /// /// /// Value /// Meaning /// /// /// CERT_QUERY_FORMAT_FLAG_ALL /// The content can be returned in any format. /// /// /// CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED /// The content should be returned in ASCII hex-encoded format with a "{ASN}" prefix. /// /// /// CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED /// The content should be returned in Base64 encoded format. /// /// /// CERT_QUERY_FORMAT_FLAG_BINARY /// The content should be returned in binary format. /// /// /// This parameter is reserved for future use and must be set to zero. /// /// A pointer to a DWORD value that receives the type of encoding used in the message. If this information is not needed, set /// this parameter to NULL. /// /// This parameter can receives a combination of one or more of the following values. /// /// /// Value /// Meaning /// /// /// PKCS_7_ASN_ENCODING 65536 (0x10000) /// Specifies PKCS 7 message encoding. /// /// /// X509_ASN_ENCODING 1 (0x1) /// Specifies X.509 certificate encoding. /// /// /// /// A pointer to a DWORD value that receives the actual type of the content. If this information is not needed, set this /// parameter to NULL. The returned content type can be one of the following values. /// /// /// /// Value /// Meaning /// /// /// CERT_QUERY_CONTENT_CERT /// The content is a single certificate. /// /// /// CERT_QUERY_CONTENT_CERT_PAIR /// The content is an ASN.1 encoded X509_CERT_pair. /// /// /// CERT_QUERY_CONTENT_CRL /// The content is a single CRL. /// /// /// CERT_QUERY_CONTENT_CTL /// The content is a single CTL. /// /// /// CERT_QUERY_CONTENT_PFX /// /// The content is a PFX (PKCS #12) packet. This function only verifies that the object is a PKCS #12 packet. The PKCS #12 packet is /// not loaded into a certificate store. /// /// /// /// CERT_QUERY_CONTENT_PFX_AND_LOAD /// /// The content is a PFX (PKCS #12) packet, and it has been loaded into a certificate store. Windows Server 2003 and Windows XP: /// This value is not supported. /// /// /// /// CERT_QUERY_CONTENT_PKCS7_SIGNED /// The content is a PKCS #7 signed message. /// /// /// CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED /// The content is an embedded PKCS #7 signed message. /// /// /// CERT_QUERY_CONTENT_PKCS7_UNSIGNED /// The content is a PKCS #7 unsigned message. /// /// /// CERT_QUERY_CONTENT_PKCS10 /// The content is a PKCS #10 message. /// /// /// CERT_QUERY_CONTENT_SERIALIZED_CERT /// The content is a serialized single certificate. /// /// /// CERT_QUERY_CONTENT_SERIALIZED_CRL /// The content is a serialized single CRL. /// /// /// CERT_QUERY_CONTENT_SERIALIZED_CTL /// The content is a serialized single CTL. /// /// /// CERT_QUERY_CONTENT_SERIALIZED_STORE /// The content is a serialized store. /// /// /// /// A pointer to a DWORD value that receives the actual format type of the content. If this information is not needed, set /// this parameter to NULL. The returned format type can be one of the following values. /// /// /// /// Value /// Meaning /// /// /// CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED /// The content is in ASCII hex-encoded format with an "{ASN}" prefix. /// /// /// CERT_QUERY_FORMAT_BASE64_ENCODED /// The content is in Base64 encoded format. /// /// /// CERT_QUERY_FORMAT_BINARY /// The content is in binary format. /// /// /// /// A pointer to an HCERTSTORE value that receives a handle to a certificate store that includes all of the certificates, /// CRLs, and CTLs in the object. /// /// /// This parameter only receives a certificate store handle when the dwContentType parameter receives one of the following values. /// This parameter receives NULL for all other content types. /// /// CERT_QUERY_CONTENT_CERT /// CERT_QUERY_CONTENT_CRL /// CERT_QUERY_CONTENT_CTL /// CERT_QUERY_CONTENT_PFX_AND_LOAD /// CERT_QUERY_CONTENT_PKCS7_SIGNED /// CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED /// CERT_QUERY_CONTENT_SERIALIZED_CERT /// CERT_QUERY_CONTENT_SERIALIZED_CRL /// CERT_QUERY_CONTENT_SERIALIZED_CTL /// CERT_QUERY_CONTENT_SERIALIZED_STORE /// When you have finished using the handle, free it by passing the handle to the CertCloseStore function. /// If this information is not needed, set this parameter to NULL. /// A pointer to an HCRYPTMSG value that receives the handle of an opened message. /// /// This parameter only receives a message handle when the dwContentType parameter receives one of the following values. This /// parameter receives NULL for all other content types. /// /// CERT_QUERY_CONTENT_PKCS7_SIGNED /// CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED /// CERT_QUERY_CONTENT_PKCS7_UNSIGNED /// When you have finished using the handle, free it by passing the handle to the CryptMsgClose function. /// If this information is not needed, set this parameter to NULL. /// A pointer to a pointer that receives additional information about the object. /// /// The format of this data depends on the value received by the dwContentType parameter. The following table lists the format of /// the data for the specified dwContentType value. /// /// /// /// dwContentType value /// Meaning /// /// /// CERT_QUERY_CONTENT_CERT /// /// This parameter receives a pointer to a CERT_CONTEXT structure. When you have finished using the structure, free it by passing /// this pointer to the CertFreeCertificateContext function. /// /// /// /// CERT_QUERY_CONTENT_CRL /// /// This parameter receives a pointer to a CRL_CONTEXT structure. When you have finished using the structure, free it by passing /// this pointer to the CertFreeCRLContext function. /// /// /// /// CERT_QUERY_CONTENT_CTL /// /// This parameter receives a pointer to a CTL_CONTEXT structure. When you have finished using the structure, free it by passing /// this pointer to the CertFreeCTLContext function. /// /// /// /// CERT_QUERY_CONTENT_SERIALIZED_CERT /// /// This parameter receives a pointer to a CERT_CONTEXT structure. When you have finished using the structure, free it by passing /// this pointer to the CertFreeCertificateContext function. /// /// /// /// CERT_QUERY_CONTENT_SERIALIZED_CRL /// /// This parameter receives a pointer to a CRL_CONTEXT structure. When you have finished using the structure, free it by passing /// this pointer to the CertFreeCRLContext function. /// /// /// /// CERT_QUERY_CONTENT_SERIALIZED_CTL /// /// This parameter receives a pointer to a CTL_CONTEXT structure. When you have finished using the structure, free it by passing /// this pointer to the CertFreeCTLContext function. /// /// /// /// If this information is not needed, set this parameter to NULL. ///

/// /// Indicates the type of the object to be queried. This must be one of the following values. /// /// /// Value /// Meaning /// /// /// CERT_QUERY_OBJECT_BLOB /// The object is stored in a structure in memory. /// /// /// CERT_QUERY_OBJECT_FILE /// The object is stored in a file. /// /// /// /// /// A pointer to the object to be queried. The type of data pointer depends on the contents of the dwObjectType parameter. /// /// /// dwObjectType value /// Meaning /// /// /// CERT_QUERY_OBJECT_BLOB /// This parameter is a pointer to a CERT_BLOB, or similar, structure that contains the object to query. /// /// /// CERT_QUERY_OBJECT_FILE /// This parameter is a pointer to a null-terminated Unicode string that contains the path and name of the file to query. /// /// /// /// /// Indicates the expected content type. This can be one of the following values. /// /// /// Value /// Meaning /// /// /// CERT_QUERY_CONTENT_FLAG_ALL /// /// The content can be any type. This does not include the CERT_QUERY_CONTENT_FLAG_PFX_AND_LOAD flag. If this flag is specified, /// this function will attempt to obtain information about the object, trying different content types until the proper content type /// is found or the content types are exhausted. This is obviously inefficient, so this flag should only be used if the content type /// is not known. /// /// /// /// CERT_QUERY_CONTENT_FLAG_CERT /// The content is a single certificate. /// /// /// CERT_QUERY_CONTENT_FLAG_CERT_PAIR /// /// The content is an Abstract Syntax Notation One (ASN.1) encoded X509_CERT_PAIR (an encoded certificate pair that contains either /// forward, reverse, or forward and reverse cross certificates). /// /// /// /// CERT_QUERY_CONTENT_FLAG_CRL /// The content is a single CRL. /// /// /// CERT_QUERY_CONTENT_FLAG_CTL /// The content is a single CTL. /// /// /// CERT_QUERY_CONTENT_FLAG_PFX /// /// The content is a PFX (PKCS #12) packet, but it will not be loaded by this function. You can use the PFXImportCertStore function /// to load this into a store. /// /// /// /// CERT_QUERY_CONTENT_FLAG_PFX_AND_LOAD /// /// The content is a PFX (PKCS #12) packet and will be loaded by this function subject to the conditions specified in the following /// note. Windows Server 2003 and Windows XP: This value is not supported. /// /// /// /// CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED /// The content is a PKCS #7 signed message. /// /// /// CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED /// The content is an embedded PKCS #7 signed message. /// /// /// CERT_QUERY_CONTENT_FLAG_PKCS7_UNSIGNED /// The content is a PKCS #7 unsigned message. /// /// /// CERT_QUERY_CONTENT_FLAG_PKCS10 /// The content is a PKCS #10 message. /// /// /// CERT_QUERY_CONTENT_FLAG_SERIALIZED_CERT /// The content is a serialized single certificate. /// /// /// CERT_QUERY_CONTENT_FLAG_SERIALIZED_CRL /// The content is a serialized single CRL. /// /// /// CERT_QUERY_CONTENT_FLAG_SERIALIZED_CTL /// The content is serialized single CTL. /// /// /// CERT_QUERY_CONTENT_FLAG_SERIALIZED_STORE /// The content is a serialized store. /// /// /// /// /// Indicates the expected format of the returned type. This can be one of the following values. /// /// /// Value /// Meaning /// /// /// CERT_QUERY_FORMAT_FLAG_ALL /// The content can be returned in any format. /// /// /// CERT_QUERY_FORMAT_FLAG_ASN_ASCII_HEX_ENCODED /// The content should be returned in ASCII hex-encoded format with a "{ASN}" prefix. /// /// /// CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED /// The content should be returned in Base64 encoded format. /// /// /// CERT_QUERY_FORMAT_FLAG_BINARY /// The content should be returned in binary format. /// /// /// /// This parameter is reserved for future use and must be set to zero. /// /// /// A pointer to a DWORD value that receives the type of encoding used in the message. If this information is not needed, set /// this parameter to NULL. /// /// This parameter can receives a combination of one or more of the following values. /// /// /// Value /// Meaning /// /// /// PKCS_7_ASN_ENCODING 65536 (0x10000) /// Specifies PKCS 7 message encoding. /// /// /// X509_ASN_ENCODING 1 (0x1) /// Specifies X.509 certificate encoding. /// /// /// /// /// /// A pointer to a DWORD value that receives the actual type of the content. If this information is not needed, set this /// parameter to NULL. The returned content type can be one of the following values. /// /// /// /// Value /// Meaning /// /// /// CERT_QUERY_CONTENT_CERT /// The content is a single certificate. /// /// /// CERT_QUERY_CONTENT_CERT_PAIR /// The content is an ASN.1 encoded X509_CERT_pair. /// /// /// CERT_QUERY_CONTENT_CRL /// The content is a single CRL. /// /// /// CERT_QUERY_CONTENT_CTL /// The content is a single CTL. /// /// /// CERT_QUERY_CONTENT_PFX /// /// The content is a PFX (PKCS #12) packet. This function only verifies that the object is a PKCS #12 packet. The PKCS #12 packet is /// not loaded into a certificate store. /// /// /// /// CERT_QUERY_CONTENT_PFX_AND_LOAD /// /// The content is a PFX (PKCS #12) packet, and it has been loaded into a certificate store. Windows Server 2003 and Windows XP: /// This value is not supported. /// /// /// /// CERT_QUERY_CONTENT_PKCS7_SIGNED /// The content is a PKCS #7 signed message. /// /// /// CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED /// The content is an embedded PKCS #7 signed message. /// /// /// CERT_QUERY_CONTENT_PKCS7_UNSIGNED /// The content is a PKCS #7 unsigned message. /// /// /// CERT_QUERY_CONTENT_PKCS10 /// The content is a PKCS #10 message. /// /// /// CERT_QUERY_CONTENT_SERIALIZED_CERT /// The content is a serialized single certificate. /// /// /// CERT_QUERY_CONTENT_SERIALIZED_CRL /// The content is a serialized single CRL. /// /// /// CERT_QUERY_CONTENT_SERIALIZED_CTL /// The content is a serialized single CTL. /// /// /// CERT_QUERY_CONTENT_SERIALIZED_STORE /// The content is a serialized store. /// /// /// /// /// /// A pointer to a DWORD value that receives the actual format type of the content. If this information is not needed, set /// this parameter to NULL. The returned format type can be one of the following values. /// /// /// /// Value /// Meaning /// /// /// CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED /// The content is in ASCII hex-encoded format with an "{ASN}" prefix. /// /// /// CERT_QUERY_FORMAT_BASE64_ENCODED /// The content is in Base64 encoded format. /// /// /// CERT_QUERY_FORMAT_BINARY /// The content is in binary format. /// /// /// /// /// /// A pointer to an HCERTSTORE value that receives a handle to a certificate store that includes all of the certificates, /// CRLs, and CTLs in the object. /// /// /// This parameter only receives a certificate store handle when the dwContentType parameter receives one of the following values. /// This parameter receives NULL for all other content types. /// /// CERT_QUERY_CONTENT_CERT /// CERT_QUERY_CONTENT_CRL /// CERT_QUERY_CONTENT_CTL /// CERT_QUERY_CONTENT_PFX_AND_LOAD /// CERT_QUERY_CONTENT_PKCS7_SIGNED /// CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED /// CERT_QUERY_CONTENT_SERIALIZED_CERT /// CERT_QUERY_CONTENT_SERIALIZED_CRL /// CERT_QUERY_CONTENT_SERIALIZED_CTL /// CERT_QUERY_CONTENT_SERIALIZED_STORE /// When you have finished using the handle, free it by passing the handle to the CertCloseStore function. /// If this information is not needed, set this parameter to NULL. /// /// /// A pointer to an HCRYPTMSG value that receives the handle of an opened message. /// /// This parameter only receives a message handle when the dwContentType parameter receives one of the following values. This /// parameter receives NULL for all other content types. /// /// CERT_QUERY_CONTENT_PKCS7_SIGNED /// CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED /// CERT_QUERY_CONTENT_PKCS7_UNSIGNED /// When you have finished using the handle, free it by passing the handle to the CryptMsgClose function. /// If this information is not needed, set this parameter to NULL. /// /// /// A pointer to a pointer that receives additional information about the object. /// /// The format of this data depends on the value received by the dwContentType parameter. The following table lists the format of /// the data for the specified dwContentType value. /// /// /// /// dwContentType value /// Meaning /// /// /// CERT_QUERY_CONTENT_CERT /// /// This parameter receives a pointer to a CERT_CONTEXT structure. When you have finished using the structure, free it by passing /// this pointer to the CertFreeCertificateContext function. /// /// /// /// CERT_QUERY_CONTENT_CRL /// /// This parameter receives a pointer to a CRL_CONTEXT structure. When you have finished using the structure, free it by passing /// this pointer to the CertFreeCRLContext function. /// /// /// /// CERT_QUERY_CONTENT_CTL /// /// This parameter receives a pointer to a CTL_CONTEXT structure. When you have finished using the structure, free it by passing /// this pointer to the CertFreeCTLContext function. /// /// /// /// CERT_QUERY_CONTENT_SERIALIZED_CERT /// /// This parameter receives a pointer to a CERT_CONTEXT structure. When you have finished using the structure, free it by passing /// this pointer to the CertFreeCertificateContext function. /// /// /// /// CERT_QUERY_CONTENT_SERIALIZED_CRL /// /// This parameter receives a pointer to a CRL_CONTEXT structure. When you have finished using the structure, free it by passing /// this pointer to the CertFreeCRLContext function. /// /// /// /// CERT_QUERY_CONTENT_SERIALIZED_CTL /// /// This parameter receives a pointer to a CTL_CONTEXT structure. When you have finished using the structure, free it by passing /// this pointer to the CertFreeCTLContext function. /// /// /// /// If this information is not needed, set this parameter to NULL. /// /// /// If the function succeeds, the function returns nonzero. /// If the function fails, it returns zero. For extended error information, call GetLastError. /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptqueryobject BOOL CryptQueryObject( DWORD // dwObjectType, const void *pvObject, DWORD dwExpectedContentTypeFlags, DWORD dwExpectedFormatTypeFlags, DWORD dwFlags, DWORD // *pdwMsgAndCertEncodingType, DWORD *pdwContentType, DWORD *pdwFormatType, HCERTSTORE *phCertStore, HCRYPTMSG *phMsg, const void // **ppvContext ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "d882f2b0-0f0a-41c7-afca-a232dc00797b")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptQueryObject(CertQueryObjectType dwObjectType, [In] IntPtr pvObject, CertQueryContentFlags dwExpectedContentTypeFlags, CertQueryFormatFlags dwExpectedFormatTypeFlags, [Optional] uint dwFlags, out CertEncodingType pdwMsgAndCertEncodingType, out CertQueryContentType pdwContentType, out CertQueryFormatType pdwFormatType, out SafeHCERTSTORE phCertStore, out SafeHCRYPTMSG phMsg, out SafePCCERT_CONTEXT ppvContext); ///

/// /// The CryptSignAndEncodeCertificate function encodes and signs a certificate, certificate revocation list (CRL), /// certificate trust list (CTL), or certificate request. /// /// This function performs the following operations: /// /// /// Calls CryptEncodeObject using lpszStructType to encode the "to be signed" information. /// /// /// Calls CryptSignCertificate to sign this encoded information. /// /// /// Calls CryptEncodeObject again, with lpszStructType set to X509_CERT, to further encode the resulting signed, encoded information. /// /// ///

/// /// A handle of the cryptographic service provider (CSP) to do the signature. This handle is an HCRYPTPROV handle that has been /// created by using the CryptAcquireContext function or an NCRYPT_KEY_HANDLE handle that has been created by using the /// NCryptOpenKey function. New applications should always pass in a NCRYPT_KEY_HANDLE handle of a CNG CSP. /// /// /// /// Identifies the private key to use from the provider's container. This must be one of the following values. This parameter is /// ignored if a CNG key is passed in the hCryptProvOrNCryptKey parameter. /// /// /// /// Value /// Meaning /// /// /// AT_KEYEXCHANGE /// Use the key exchange key. /// /// /// AT_SIGNATURE /// Use the digital signature key. /// /// /// /// /// Specifies the encoding type used. This can be the following value. /// /// /// Value /// Meaning /// /// /// X509_ASN_ENCODING /// Specifies X.509 certificate encoding. /// /// /// /// /// /// A pointer to a null-terminated ANSI string that contains the type of data to be encoded and signed. The following predefined /// lpszStructType constants are used with encode operations. /// /// /// /// Value /// Meaning /// /// /// X509_CERT_CRL_TO_BE_SIGNED /// pvStructInfo is the address of a CRL_INFO structure. /// /// /// X509_CERT_REQUEST_TO_BE_SIGNED /// pvStructInfo is the address of a CERT_REQUEST_INFO structure. /// /// /// X509_CERT_TO_BE_SIGNED /// pvStructInfo is the address of a CERT_INFO structure. /// /// /// X509_KEYGEN_REQUEST_TO_BE_SIGNED /// pvStructInfo is the address of a CERT_KEYGEN_REQUEST_INFO structure. /// /// /// /// /// The address of a structure that contains the data to be signed and encoded. The format of this structure is determined by the /// lpszStructType parameter. /// /// /// /// A pointer to a CRYPT_ALGORITHM_IDENTIFIER structure that contains the object identifier (OID) of the signature algorithm and any /// additional parameters needed. This function uses the following algorithm OIDs: /// /// /// /// szOID_RSA_MD5RSA /// /// /// szOID_RSA_SHA1RSA /// /// /// szOID_X957_SHA1DSA /// /// /// If the signature algorithm is a /// hash /// algorithm, the signature contains only the unencrypted hash octets. A private key is not used to encrypt the hash. /// dwKeySpec /// is not used and /// hCryptProvOrNCryptKey /// can be /// NULL /// if an appropriate default CSP can be used for hashing. /// /// Reserved. Must be NULL. /// /// A pointer to a buffer to receive the signed and encoded output. /// /// This parameter can be NULL to set the size of this information for memory allocation purposes. For more information, see /// Retrieving Data of Unknown Length. /// /// /// /// /// A pointer to a DWORD that contains the size, in bytes, of the buffer pointed to by the pbEncoded parameter. When the /// function returns, the DWORD contains the number of bytes stored or to be stored in the buffer. /// /// /// Note When processing the data returned in the buffer, applications need to use the actual size of the data returned. The /// actual size can be slightly smaller than the size of the buffer specified on input. (On input, buffer sizes are usually /// specified large enough to ensure that the largest possible output data will fit in the buffer.) On output, the variable pointed /// to by this parameter is updated to reflect the actual size of the data copied to the buffer. /// /// /// /// If the function succeeds, the return value is nonzero ( TRUE). /// If the function fails, the return value is zero ( FALSE). For extended error information, call GetLastError. /// /// Note Errors from the called functions CryptCreateHash, CryptSignHash and CryptHashData might be propagated to this function. /// /// Possible error codes include, but are not limited to, the following. /// /// /// Return code /// Description /// /// /// ERROR_MORE_DATA /// /// If the buffer specified by the pbEncoded parameter is not large enough to hold the returned data, the function sets the /// ERROR_MORE_DATA code and stores the required buffer size, in bytes, into the variable pointed to by pcbEncoded. /// /// /// /// ERROR_FILE_NOT_FOUND /// Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported. /// /// /// NTE_BAD_ALGID /// The signature algorithm's OID does not map to a known or supported hash algorithm. /// /// /// CRYPT_E_BAD_ENCODE /// /// An error was encountered while encoding or decoding. The most likely cause of this error is the improper initialization of the /// fields in the structure pointed to by pvStructInfo. /// /// /// /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptsignandencodecertificate BOOL // CryptSignAndEncodeCertificate( BCRYPT_KEY_HANDLE hBCryptKey, DWORD dwKeySpec, DWORD dwCertEncodingType, LPCSTR lpszStructType, // const void *pvStructInfo, PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, const void *pvHashAuxInfo, BYTE *pbEncoded, DWORD // *pcbEncoded ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "ee138918-ed7c-4980-8b18-64004a0dd7df")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptSignAndEncodeCertificate(NCrypt.NCRYPT_KEY_HANDLE hBCryptKey, CertKeySpec dwKeySpec, CertEncodingType dwCertEncodingType, [In] SafeOID lpszStructType, [In] IntPtr pvStructInfo, in CRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, [In, Optional] IntPtr pvHashAuxInfo, [Out] IntPtr pbEncoded, ref uint pcbEncoded); ///

/// /// A handle of the cryptographic service provider (CSP) to do the signature. This handle is an HCRYPTPROV handle that has been /// created by using the CryptAcquireContext function or an NCRYPT_KEY_HANDLE handle that has been created by using the /// NCryptOpenKey function. New applications should always pass in a NCRYPT_KEY_HANDLE handle of a CNG CSP. /// /// /// /// Identifies the private key to use from the provider's container. This must be one of the following values. This parameter is /// ignored if a CNG key is passed in the hCryptProvOrNCryptKey parameter. /// /// /// /// Value /// Meaning /// /// /// AT_KEYEXCHANGE /// Use the key exchange key. /// /// /// AT_SIGNATURE /// Use the digital signature key. /// /// /// /// /// Specifies the encoding type used. This can be the following value. /// /// /// Value /// Meaning /// /// /// X509_ASN_ENCODING /// Specifies X.509 certificate encoding. /// /// /// /// /// /// A pointer to a null-terminated ANSI string that contains the type of data to be encoded and signed. The following predefined /// lpszStructType constants are used with encode operations. /// /// /// /// Value /// Meaning /// /// /// X509_CERT_CRL_TO_BE_SIGNED /// pvStructInfo is the address of a CRL_INFO structure. /// /// /// X509_CERT_REQUEST_TO_BE_SIGNED /// pvStructInfo is the address of a CERT_REQUEST_INFO structure. /// /// /// X509_CERT_TO_BE_SIGNED /// pvStructInfo is the address of a CERT_INFO structure. /// /// /// X509_KEYGEN_REQUEST_TO_BE_SIGNED /// pvStructInfo is the address of a CERT_KEYGEN_REQUEST_INFO structure. /// /// /// /// /// The address of a structure that contains the data to be signed and encoded. The format of this structure is determined by the /// lpszStructType parameter. /// /// /// /// A pointer to a CRYPT_ALGORITHM_IDENTIFIER structure that contains the object identifier (OID) of the signature algorithm and any /// additional parameters needed. This function uses the following algorithm OIDs: /// /// /// /// szOID_RSA_MD5RSA /// /// /// szOID_RSA_SHA1RSA /// /// /// szOID_X957_SHA1DSA /// /// /// If the signature algorithm is a /// hash /// algorithm, the signature contains only the unencrypted hash octets. A private key is not used to encrypt the hash. /// dwKeySpec /// is not used and /// hCryptProvOrNCryptKey /// can be /// NULL /// if an appropriate default CSP can be used for hashing. /// /// Reserved. Must be NULL. /// /// A pointer to a buffer to receive the signed and encoded output. /// /// This parameter can be NULL to set the size of this information for memory allocation purposes. For more information, see /// Retrieving Data of Unknown Length. /// /// /// /// /// A pointer to a DWORD that contains the size, in bytes, of the buffer pointed to by the pbEncoded parameter. When the /// function returns, the DWORD contains the number of bytes stored or to be stored in the buffer. /// /// /// Note When processing the data returned in the buffer, applications need to use the actual size of the data returned. The /// actual size can be slightly smaller than the size of the buffer specified on input. (On input, buffer sizes are usually /// specified large enough to ensure that the largest possible output data will fit in the buffer.) On output, the variable pointed /// to by this parameter is updated to reflect the actual size of the data copied to the buffer. /// /// /// /// If the function succeeds, the return value is nonzero ( TRUE). /// If the function fails, the return value is zero ( FALSE). For extended error information, call GetLastError. /// /// Note Errors from the called functions CryptCreateHash, CryptSignHash and CryptHashData might be propagated to this function. /// /// Possible error codes include, but are not limited to, the following. /// /// /// Return code /// Description /// /// /// ERROR_MORE_DATA /// /// If the buffer specified by the pbEncoded parameter is not large enough to hold the returned data, the function sets the /// ERROR_MORE_DATA code and stores the required buffer size, in bytes, into the variable pointed to by pcbEncoded. /// /// /// /// ERROR_FILE_NOT_FOUND /// Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported. /// /// /// NTE_BAD_ALGID /// The signature algorithm's OID does not map to a known or supported hash algorithm. /// /// /// CRYPT_E_BAD_ENCODE /// /// An error was encountered while encoding or decoding. The most likely cause of this error is the improper initialization of the /// fields in the structure pointed to by pvStructInfo. /// /// /// /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptsignandencodecertificate BOOL // CryptSignAndEncodeCertificate( BCRYPT_KEY_HANDLE hBCryptKey, DWORD dwKeySpec, DWORD dwCertEncodingType, LPCSTR lpszStructType, // const void *pvStructInfo, PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, const void *pvHashAuxInfo, BYTE *pbEncoded, DWORD // *pcbEncoded ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "ee138918-ed7c-4980-8b18-64004a0dd7df")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptSignAndEncodeCertificate(HCRYPTPROV hBCryptKey, CertKeySpec dwKeySpec, CertEncodingType dwCertEncodingType, [In] SafeOID lpszStructType, [In] IntPtr pvStructInfo, in CRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, [In, Optional] IntPtr pvHashAuxInfo, [Out] IntPtr pbEncoded, ref uint pcbEncoded); ///

The CryptSignCertificate function signs the "to be signed" information in the encoded signed content.

/// /// Handle of the CSP that does the signature. This handle must be an HCRYPTPROV handle that has been created by using the /// CryptAcquireContext function or an NCRYPT_KEY_HANDLE handle that has been created by using the NCryptOpenKey function. /// New applications should always pass in the NCRYPT_KEY_HANDLE handle of a CNG CSP. /// /// /// Identifies the private key to use from the provider's container. It can be AT_KEYEXCHANGE or AT_SIGNATURE. This parameter is /// ignored if an NCRYPT_KEY_HANDLE is used in the hCryptProvOrNCryptKey parameter. /// /// /// /// Specifies the encoding type used. It is always acceptable to specify both the certificate and message encoding types by /// combining them with a bitwise- OR operation as shown in the following example: /// /// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING /// Currently defined encoding types are: /// /// /// X509_ASN_ENCODING /// /// /// PKCS_7_ASN_ENCODING /// /// /// /// A pointer to the encoded content to be signed. /// The size, in bytes, of the encoded content, pbEncodedToBeSigned. /// /// A pointer to a CRYPT_ALGORITHM_IDENTIFIER structure with a pszObjId member set to one of the following: /// /// /// szOID_RSA_MD5RSA /// /// /// szOID_RSA_SHA1RSA /// /// /// szOID_X957_SHA1DSA /// /// /// szOID_RSA_SSA_PSS /// /// /// szOID_ECDSA_SPECIFIED /// /// /// /// If the signature algorithm is a hash algorithm, the signature contains only the un-encrypted hash octets. A private key is not /// used to encrypt the hash. /// /// dwKeySpec /// is not used and /// hCryptProvOrNCryptKey /// can be /// NULL /// if an appropriate default CSP can be used for hashing. /// /// Not currently used. Must be NULL. /// /// A pointer to a buffer to receive the signed hash of the content. /// /// This parameter can be NULL to set the size of this information for memory allocation purposes. For more information, see /// Retrieving Data of Unknown Length. /// /// /// /// /// A pointer to a DWORD that contains the size, in bytes, of the buffer pointed to by the pbSignature parameter. When the /// function returns, the DWORD contains the number of bytes stored or to be stored in the buffer. /// /// /// Note When processing the data returned in the buffer, applications must use the actual size of the data returned. The /// actual size can be slightly smaller than the size of the buffer specified on input. (On input, buffer sizes are usually /// specified large enough to ensure that the largest possible output data will fit in the buffer.) On output, the variable pointed /// to by this parameter is updated to reflect the actual size of the data copied to the buffer. /// /// /// /// If the function succeeds, the return value is nonzero ( TRUE). /// If the function fails, the return value is zero ( FALSE). For extended error information, call GetLastError. /// /// Note Errors from the called functions CryptCreateHash, CryptSignHash and CryptHashData might be propagated to this function. /// /// This function has the following error codes. /// /// /// Return code /// Description /// /// /// ERROR_MORE_DATA /// /// If the buffer specified by the pbSignature parameter is not large enough to hold the returned data, the function sets the /// ERROR_MORE_DATA code, and stores the required buffer size, in bytes, into the variable pointed to by pcbSignature. /// /// /// /// NTE_BAD_ALGID /// The signature algorithm's object identifier (OID) does not map to a known or supported hash algorithm. /// /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptsigncertificate BOOL CryptSignCertificate( // BCRYPT_KEY_HANDLE hBCryptKey, DWORD dwKeySpec, DWORD dwCertEncodingType, const BYTE *pbEncodedToBeSigned, DWORD // cbEncodedToBeSigned, PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, const void *pvHashAuxInfo, BYTE *pbSignature, DWORD // *pcbSignature ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "27578149-e5c0-47e5-8309-0d0ed7075d13")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptSignCertificate(NCrypt.NCRYPT_KEY_HANDLE hBCryptKey, CertKeySpec dwKeySpec, CertEncodingType dwCertEncodingType, [In] IntPtr pbEncodedToBeSigned, uint cbEncodedToBeSigned, in CRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, [In, Optional] IntPtr pvHashAuxInfo, [Out] IntPtr pbSignature, ref uint pcbSignature); ///

The CryptSignCertificate function signs the "to be signed" information in the encoded signed content.

/// /// Handle of the CSP that does the signature. This handle must be an HCRYPTPROV handle that has been created by using the /// CryptAcquireContext function or an NCRYPT_KEY_HANDLE handle that has been created by using the NCryptOpenKey function. /// New applications should always pass in the NCRYPT_KEY_HANDLE handle of a CNG CSP. /// /// /// Identifies the private key to use from the provider's container. It can be AT_KEYEXCHANGE or AT_SIGNATURE. This parameter is /// ignored if an NCRYPT_KEY_HANDLE is used in the hCryptProvOrNCryptKey parameter. /// /// /// /// Specifies the encoding type used. It is always acceptable to specify both the certificate and message encoding types by /// combining them with a bitwise- OR operation as shown in the following example: /// /// X509_ASN_ENCODING | PKCS_7_ASN_ENCODING /// Currently defined encoding types are: /// /// /// X509_ASN_ENCODING /// /// /// PKCS_7_ASN_ENCODING /// /// /// /// A pointer to the encoded content to be signed. /// The size, in bytes, of the encoded content, pbEncodedToBeSigned. /// /// A pointer to a CRYPT_ALGORITHM_IDENTIFIER structure with a pszObjId member set to one of the following: /// /// /// szOID_RSA_MD5RSA /// /// /// szOID_RSA_SHA1RSA /// /// /// szOID_X957_SHA1DSA /// /// /// szOID_RSA_SSA_PSS /// /// /// szOID_ECDSA_SPECIFIED /// /// /// /// If the signature algorithm is a hash algorithm, the signature contains only the un-encrypted hash octets. A private key is not /// used to encrypt the hash. /// /// dwKeySpec /// is not used and /// hCryptProvOrNCryptKey /// can be /// NULL /// if an appropriate default CSP can be used for hashing. /// /// Not currently used. Must be NULL. /// /// A pointer to a buffer to receive the signed hash of the content. /// /// This parameter can be NULL to set the size of this information for memory allocation purposes. For more information, see /// Retrieving Data of Unknown Length. /// /// /// /// /// A pointer to a DWORD that contains the size, in bytes, of the buffer pointed to by the pbSignature parameter. When the /// function returns, the DWORD contains the number of bytes stored or to be stored in the buffer. /// /// /// Note When processing the data returned in the buffer, applications must use the actual size of the data returned. The /// actual size can be slightly smaller than the size of the buffer specified on input. (On input, buffer sizes are usually /// specified large enough to ensure that the largest possible output data will fit in the buffer.) On output, the variable pointed /// to by this parameter is updated to reflect the actual size of the data copied to the buffer. /// /// /// /// If the function succeeds, the return value is nonzero ( TRUE). /// If the function fails, the return value is zero ( FALSE). For extended error information, call GetLastError. /// /// Note Errors from the called functions CryptCreateHash, CryptSignHash and CryptHashData might be propagated to this function. /// /// This function has the following error codes. /// /// /// Return code /// Description /// /// /// ERROR_MORE_DATA /// /// If the buffer specified by the pbSignature parameter is not large enough to hold the returned data, the function sets the /// ERROR_MORE_DATA code, and stores the required buffer size, in bytes, into the variable pointed to by pcbSignature. /// /// /// /// NTE_BAD_ALGID /// The signature algorithm's object identifier (OID) does not map to a known or supported hash algorithm. /// /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptsigncertificate BOOL CryptSignCertificate( // BCRYPT_KEY_HANDLE hBCryptKey, DWORD dwKeySpec, DWORD dwCertEncodingType, const BYTE *pbEncodedToBeSigned, DWORD // cbEncodedToBeSigned, PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, const void *pvHashAuxInfo, BYTE *pbSignature, DWORD // *pcbSignature ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "27578149-e5c0-47e5-8309-0d0ed7075d13")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptSignCertificate(HCRYPTPROV hBCryptKey, CertKeySpec dwKeySpec, CertEncodingType dwCertEncodingType, [In] IntPtr pbEncodedToBeSigned, uint cbEncodedToBeSigned, in CRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, [In, Optional] IntPtr pvHashAuxInfo, [Out] IntPtr pbSignature, ref uint pcbSignature); ///

/// The CryptVerifyCertificateSignature function verifies the signature of a certificate, certificate revocation list (CRL), /// or certificate request by using the public key in a CERT_PUBLIC_KEY_INFO structure. The function does not require access to a /// private key. ///

/// /// This parameter is not used and should be set to NULL. /// /// Windows Server 2003 and Windows XP: A handle to the cryptographic service provider (CSP) used to verify the /// signature.This parameter's data type is HCRYPTPROV. /// /// /// NULL is passed unless there is a strong reason for passing in a specific cryptographic provider. Passing in NULL /// causes the default RSA or DSS provider to be acquired. /// /// /// /// /// The certificate encoding type that was used to encrypt the subject. The message encoding type identifier, contained in the high /// WORD of this value, is ignored by this function. /// /// This parameter can be the following currently defined certificate encoding type. /// /// /// Value /// Meaning /// /// /// X509_ASN_ENCODING 1 (0x1) /// Specifies X.509 certificate encoding. /// /// /// /// A pointer to an encoded BLOB of CERT_SIGNED_CONTENT_INFO content on which the signature is to be verified. /// The size, in bytes, of the encoded content in pbEncoded. /// /// A pointer to a CERT_PUBLIC_KEY_INFO structure that contains the public key to use when verifying the signature. /// /// /// Returns nonzero if successful or zero otherwise. /// For extended error information, call GetLastError. /// /// Note Errors from the called functions CryptCreateHash, CryptImportKey, CryptVerifySignature, and CryptHashData may be /// propagated to this function. /// /// On failure, this function will cause the following error codes to be returned from GetLastError. /// /// /// Return code /// Description /// /// /// ERROR_FILE_NOT_FOUND /// Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported. /// /// /// NTE_BAD_ALGID /// The signature algorithm's object identifier (OID) does not map to a known or supported hash algorithm. /// /// /// NTE_BAD_SIGNATURE /// The signature was not valid. /// /// /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// /// This function currently calls the CryptVerifyCertificateSignatureEx function to perform the verification. // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptverifycertificatesignature BOOL // CryptVerifyCertificateSignature( HCRYPTPROV_LEGACY hCryptProv, DWORD dwCertEncodingType, const BYTE *pbEncoded, DWORD cbEncoded, // PCERT_PUBLIC_KEY_INFO pPublicKey ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "ac13a1dd-3ca9-470e-8d8f-d79d7d057f45")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptVerifyCertificateSignature([Optional] HCRYPTPROV hCryptProv, CertEncodingType dwCertEncodingType, [In] IntPtr pbEncoded, uint cbEncoded, in CERT_PUBLIC_KEY_INFO pPublicKey); ///

/// The CryptVerifyCertificateSignatureEx function verifies the signature of a subject certificate, certificate revocation /// list, certificate request, or keygen request by using the issuer's public key. The function does not require access to a private key. ///

/// /// This parameter is not used and should be set to NULL. /// /// Windows Server 2003 and Windows XP: A handle to the cryptographic service provider used to verify the signature.This /// parameter's data type is HCRYPTPROV. /// /// /// NULL is passed unless there is a strong reason for passing in a specific cryptographic provider. Passing in NULL /// causes the default RSA or DSS provider to be acquired. /// /// /// /// /// The certificate encoding type that was used to encrypt the subject. The message encoding type identifier, contained in the high /// WORD of this value, is ignored by this function. /// /// This parameter can be the following currently defined certificate encoding type. /// /// /// Value /// Meaning /// /// /// X509_ASN_ENCODING 1 (0x1) /// Specifies X.509 certificate encoding. /// /// /// /// /// The subject type. This parameter can be one of the following subject types. /// /// /// Value /// Meaning /// /// /// CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB 1 (0x1) /// pvSubject is a pointer to a CRYPT_DATA_BLOBstructure. /// /// /// CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT 2 (0x2) /// pvSubject is a pointer to a CCERT_CONTEXTstructure. /// /// /// CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL 3 (0x3) /// pvSubject is a pointer to a CCRL_CONTEXTstructure. /// /// /// CRYPT_VERIFY_CERT_SIGN_SUBJECT_OCSP_BASIC_SIGNED_RESPONSE 4 (0x4) /// /// pvSubject is a pointer to an OCSP_BASIC_SIGNED_RESPONSE_INFO structure. Windows Server 2003 and Windows XP: This subject type is /// not supported. /// /// /// /// /// A pointer to a structure of the type indicated by dwSubjectType that contains the signature to be verified. /// /// The issuer type. This parameter can be one of the following issuer types. /// /// /// Value /// Meaning /// /// /// CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY 1 (0x1) /// pvIssuer is a pointer to a CERT_PUBLIC_KEY_INFOstructure. /// /// /// CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT 2 (0x2) /// pvIssuer is a pointer to a CCERT_CONTEXTstructure. /// /// /// CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN 3 (0x3) /// pvIssuer is a pointer to a CCERT_CHAIN_CONTEXTstructure. /// /// /// CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL 4 (0x4) /// pvIssuer must be NULL. /// /// /// /// Note If dwIssuerType is CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL and the signature algorithm is a hashing algorithm, the /// signature is expected to contain only unencrypted hash octets. Only CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL can be specified /// in this nonencrypted signature case. If any other dwIssuerType is specified, verification fails and GetLastError returns E_INVALIDARG. /// /// /// /// A pointer to a structure of the type indicated by the value of dwIssuerType. The structure contains access to the public key /// needed to verify the signature. /// /// /// Flags that modify the function behavior. This can be zero or a bitwise OR of the following values. /// /// /// Value /// Meaning /// /// /// CRYPT_VERIFY_CERT_SIGN_DISABLE_MD2_MD4_FLAG 0x00000001 /// /// If you set this flag and CryptVerifyCertificateSignatureEx detects an MD2 or MD4 algorithm, the function returns FALSE and sets /// GetLastError to NTE_BAD_ALGID. The signature is still verified, but this combination of errors enables the caller, now knowing /// that an MD2 or MD4 algorithm was used, to decide whether to trust or reject the signature. Windows 8 and Windows Server 2012: /// Support for this flag begins. /// /// /// /// CRYPT_VERIFY_CERT_SIGN_SET_STRONG_PROPERTIES_FLAG 0x00000002 /// /// Sets strong signature properties, after successful verification, on the subject pointed to by the pvSubject parameter. The /// following property is set on the certificate context: The following properties are set on the CRL context: Windows 8 and Windows /// Server 2012: Support for this flag begins. /// /// /// /// CRYPT_VERIFY_CERT_SIGN_RETURN_STRONG_PROPERTIES_FLAG 0x00000004 /// /// Returns a pointer to a CRYPT_VERIFY_CERT_SIGN_STRONG_PROPERTIES_INFO structure in the pvExtra parameter. The structure contains /// the length, in bits, of the public key and the names of the signing and hashing algorithms used. You must call CryptMemFree to /// free the structure. If memory cannot be allocated for the CRYPT_VERIFY_CERT_SIGN_STRONG_PROPERTIES_INFO structure, this function /// returns successfully but sets the pvExtra parameter to NULL. Windows 8 and Windows Server 2012: Support for this flag begins. /// /// /// /// /// /// Pointer to a CRYPT_VERIFY_CERT_SIGN_STRONG_PROPERTIES_INFO structure if the dwFlags parameter is set to CRYPT_VERIFY_CERT_SIGN_RETURN_STRONG_PROPERTIES_FLAG. /// You must call CryptMemFree to free the structure. /// /// /// Returns nonzero if successful or zero otherwise. /// For extended error information, call GetLastError. /// /// Note Errors from the called functions CryptCreateHash, CryptImportKey, CryptVerifySignature, and CryptHashData may be /// propagated to this function. /// /// On failure, this function will cause the following error codes to be returned from GetLastError. /// /// /// Return code /// Description /// /// /// ERROR_FILE_NOT_FOUND /// Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported. /// /// /// NTE_BAD_ALGID /// The signature algorithm's object identifier (OID) does not map to a known or supported hash algorithm. /// /// /// NTE_BAD_SIGNATURE /// The signature was not valid. /// /// /// /// If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information /// about these errors, see ASN.1 Encoding/Decoding Return Values. /// /// /// /// The subject buffer can contain an encoded BLOB or a context for a certificate or CRL. In the case of a certificate context, if /// the certificate's public key parameters are missing and if these parameters can be inherited from the certificate's issuer for /// example from the DSS public key parameter, the context's CERT_PUBKEY_ALG_PARA_PROP_ID property is updated with the issuer's /// public key algorithm parameters for a valid signature. /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptverifycertificatesignatureex BOOL // CryptVerifyCertificateSignatureEx( HCRYPTPROV_LEGACY hCryptProv, DWORD dwCertEncodingType, DWORD dwSubjectType, void *pvSubject, // DWORD dwIssuerType, void *pvIssuer, DWORD dwFlags, void *pvExtra ); [DllImport(Lib.Crypt32, SetLastError = true, ExactSpelling = true)] [PInvokeData("wincrypt.h", MSDNShortId = "8a84af66-b174-4a3e-b1d7-6f218a52d877")] [return: MarshalAs(UnmanagedType.Bool)] public static extern bool CryptVerifyCertificateSignatureEx([Optional] HCRYPTPROV hCryptProv, CertEncodingType dwCertEncodingType, CryptVerifyCertSignSubject dwSubjectType, IntPtr pvSubject, CryptVerifyCertSignIssuer dwIssuerType, [In, Optional] IntPtr pvIssuer, CryptVerifyCertSignFlags dwFlags, [In, Out, Optional] IntPtr pvExtra); ///

/// The CERT_NAME_INFO structure contains subject or issuer names. The information is represented as an array of CERT_RDN structures. ///

// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_name_info typedef struct _CERT_NAME_INFO { DWORD // cRDN; PCERT_RDN rgRDN; } CERT_NAME_INFO, *PCERT_NAME_INFO; [PInvokeData("wincrypt.h", MSDNShortId = "402d1051-d91a-4a79-96f6-10ed96a32d5c")] [StructLayout(LayoutKind.Sequential)] public struct CERT_NAME_INFO { ///

Number of elements in the rgRDN array.

public uint cRDN; ///

Array of pointers to CERT_RDN structures.

public IntPtr rgRDN; } ///

/// The CERT_REVOCATION_PARA structure is passed in calls to the CertVerifyRevocation function to assist in finding the /// issuer of the context to be verified. The CERT_REVOCATION_PARA structure is an optional parameter in the /// CertVerifyRevocation function. ///

/// /// /// The CERT_REVOCATION_PARA structure provides additional information that the CertVerifyRevocation function can use to /// determine the context issuer. /// /// /// If your application must check the freshness of the CRL or resynchronize the CRL cache, you can provide extra structure members /// to assist the CertVerifyRevocation function with this. To include the additional structure members, define the constant /// CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS in your application before including Wincrypt.h /// /// // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_revocation_para typedef struct _CERT_REVOCATION_PARA // { DWORD cbSize; PCCERT_CONTEXT pIssuerCert; DWORD cCertStore; HCERTSTORE *rgCertStore; HCERTSTORE hCrlStore; LPFILETIME // pftTimeToUse; DWORD dwUrlRetrievalTimeout; BOOL fCheckFreshnessTime; DWORD dwFreshnessTime; LPFILETIME pftCurrentTime; // PCERT_REVOCATION_CRL_INFO pCrlInfo; LPFILETIME pftCacheResync; PCERT_REVOCATION_CHAIN_PARA pChainPara; } CERT_REVOCATION_PARA, *PCERT_REVOCATION_PARA; [PInvokeData("wincrypt.h", MSDNShortId = "730db593-c55f-4ecf-bcac-5de54ab90db6")] [StructLayout(LayoutKind.Sequential)] public struct CERT_REVOCATION_PARA { ///

The size, in bytes, of this structure.

public uint cbSize; ///

/// A pointer to a CERT_CONTEXT structure that contains the certificate of the issuer of a certificate specified in the /// rgpvContext array in the CertVerifyRevocation parameter list. ///

public PCCERT_CONTEXT pIssuerCert; ///

/// When set, contains the number of elements in the rgCertStore array. Set to zero if you are not supplying a list of /// store handles in the rgCertStore parameter. ///

public uint cCertStore; ///

/// An array of certificate store handles. Specifies a set of stores that are searched for issuer certificates. If rgCertStore /// is not set, the default stores are searched. ///

public IntPtr rgCertStore; ///

/// Optional store handle. When specified, a handler that uses certificate revocation lists (CRLs) can search this store for CRLs. ///

public HCERTSTORE hCrlStore; ///

/// A pointer to a FILETIME version of UTC time. When specified, the handler must, if possible, determine revocation /// status relative to the time given. If NULL or the handler cannot determine the status relative to the /// pftTimeToUse value, revocation status can be determined independent of time or relative to current time. ///

public IntPtr pftTimeToUse; ///

/// This member is defined only if CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS is defined. The time-out, in milliseconds, that /// the revocation handler will wait when attempting to retrieve revocation information. If it is set to zero, the revocation /// handler's default time-out is used. If CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS is defined, this member must be set to /// zero if it is unused. ///

public uint dwUrlRetrievalTimeout; ///

/// This member is defined only if CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS is defined. If TRUE, an attempt is made /// to retrieve a new CRL if the issue date of the CRL is less than or equal to the Current Time minus dwFreshnessTime. /// If this flag is not set, the CRL's NextUpdate time is used. If CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS is defined, this /// member must be set to FALSE if it is unused. ///

[MarshalAs(UnmanagedType.Bool)] public bool fCheckFreshnessTime; ///

/// This member is defined only if CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS is defined. The time, in seconds, is used to /// determine whether an attempt will be made to retrieve a new CRL. If CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS is defined, /// this member must be set to zero if it is unused. ///

public uint dwFreshnessTime; ///

/// This member is defined only if CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS is defined. A pointer to a FILETIME /// structure that is used in the freshness time check. If the value of this pointer is null, the revocation handler uses the /// current time. If CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS is defined, this member must be set to null if it is unused. ///

public IntPtr pftCurrentTime; ///

/// This member is defined only if CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS is defined. This member contains a pointer to a /// PCERT_REVOCATION_CRL_INFO structure that contains CRL context information. The CRL information is only applicable to the /// last context checked. To access the information in this CRL, call the CertVerifyRevocation function with cContext set to 1. /// If CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS is defined, the member must be set to null if it is unused. ///

public IntPtr pCrlInfo; ///

/// /// This member is defined only if CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS is defined. This member contains a pointer to a /// FILETIME structure that specifies the use of cached information. Any information cached before the specified time is /// considered invalid and new information is retrieved. If CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS is defined, this member /// must be set to null if it is unused. /// /// Windows Server 2003 and Windows XP: This member is not used. ///

public IntPtr pftCacheResync; ///

/// /// This member is defined only if CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS is defined. This member contains a pointer to a /// CERT_REVOCATION_CHAIN_PARA structure that contains parameters used for building a chain for an independent OCSP signer /// certificate. If CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS is defined, this member must be set to null if it is unused. /// /// /// Windows Vista, Windows Server 2003 and Windows XP: This member is not used in the listed systems. The member is /// available beginning with Windows Vista with SP1. /// ///

public IntPtr pChainPara; } ///

/// The CERT_REVOCATION_STATUS structure contains information on the revocation status of the certificate. It is passed to /// and returned by CertVerifyRevocation. On return from the function, it specifies the status of a revoked or unchecked context. ///

// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_revocation_status typedef struct // _CERT_REVOCATION_STATUS { DWORD cbSize; DWORD dwIndex; DWORD dwError; DWORD dwReason; BOOL fHasFreshnessTime; DWORD // dwFreshnessTime; } CERT_REVOCATION_STATUS, *PCERT_REVOCATION_STATUS; [PInvokeData("wincrypt.h", MSDNShortId = "087ea37a-907a-4652-a5df-dd8e86755490")] [StructLayout(LayoutKind.Sequential)] public struct CERT_REVOCATION_STATUS { ///

/// Size of this structure in bytes. /// /// Upon input to CERT_REVOCATION_STATUS, cbSize must be set to a size greater than or equal to the size of a /// CERT_REVOCATION_STATUS structure. Otherwise, CERT_REVOCATION_STATUS returns FALSE and GetLastError /// returns E_INVALIDARG. /// ///

public uint cbSize; ///

/// Specifies an index value for the rgpvContext array passed to CertVerifyRevocation. It is the index of the first context in /// that array that was revoked or that could not be checked for revocation. For information about the contexts that were not /// checked, CertVerifyRevocation is called again, specifying a rgpvContext array that contains the unchecked contexts /// from the original list. ///

public uint dwIndex; ///

/// Specifies the returned error status. This value matches the return value of GetLastError on return from the call to /// CertVerifyRevocation. For the list of these error values, see the table in the Return Values section of CertVerifyRevocation. ///

public Win32Error dwError; ///

/// /// Specifies the cause of the error. This member is set only if dwError is CRYPT_E_REVOKED. It contains a code that /// indicates why the context was revoked. It can be one of the following values. /// /// /// /// Value /// Meaning /// /// /// CRL_REASON_UNSPECIFIED /// No reason was specified for revocation. /// /// /// CRL_REASON_KEY_COMPROMISE /// /// It is known or suspected that the subject's private key or other aspects of the subject validated in the certificate are compromised. /// /// /// /// CRL_REASON_CA_COMPROMISE /// It is known or suspected that the CA's private key or other aspects of the CA validated in the certificate are compromised. /// /// /// CRL_REASON_AFFILIATION_CHANGED /// /// The subject's name or other information in the certificate has been modified but there is no cause to suspect that the /// private key has been compromised. /// /// /// /// CRL_REASON_SUPERSEDED /// The certificate has been superseded, but there is no cause to suspect that the private key has been compromised. /// /// /// CRL_REASON_CESSATION_OF_OPERATION /// /// The certificate is no longer needed for the purpose for which it was issued, but there is no cause to suspect that the /// private key has been compromised. /// /// /// /// CRL_REASON_CERTIFICATE_HOLD /// The certificate has been placed on hold. /// /// ///

public CRL_REASON dwReason; ///

/// Depending on cbSize, this structure can contain this member. If this member is TRUE, the revocation freshness /// time returned by dwFreshnessTime is valid. ///

[MarshalAs(UnmanagedType.Bool)] public bool fHasFreshnessTime; ///

/// Depending on cbSize, this structure can contain this member. If present, this member gives the time in seconds /// between the current time and when the CRL was published. ///

public uint dwFreshnessTime; } ///

/// /// [The CRYPT_ATTRIBUTES structure is available for use in the operating systems specified in the Requirements section. It /// may be altered or unavailable in subsequent versions.] /// /// The CRYPT_ATTRIBUTES structure contains an array of attributes. ///

// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_attributes typedef struct _CRYPT_ATTRIBUTES { DWORD // cAttr; PCRYPT_ATTRIBUTE rgAttr; } CRYPT_ATTRIBUTES, *PCRYPT_ATTRIBUTES; [PInvokeData("wincrypt.h", MSDNShortId = "782f3022-d852-4ad7-8e0f-afbccc25928a")] [StructLayout(LayoutKind.Sequential)] public struct CRYPT_ATTRIBUTES { ///

Number of elements in the rgAttr array.

public uint cAttr; ///

Array of CRYPT_ATTRIBUTE structures.

public IntPtr rgAttr; } ///

/// /// [The CRYPT_PKCS8_EXPORT_PARAMS structure is available for use in the operating systems specified in the Requirements /// section. It may be altered or unavailable in subsequent versions.] /// /// /// The CRYPT_PKCS8_EXPORT_PARAMS structure identifies the private key and a callback function to encrypt the private key. /// CRYPT_PKCS8_EXPORT_PARAMS is used as a parameter to the CryptExportPKCS8Ex function, which exports a private key in PKCS /// #8 format. /// ///

// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_pkcs8_export_params typedef struct // _CRYPT_PKCS8_EXPORT_PARAMS { HCRYPTPROV hCryptProv; DWORD dwKeySpec; LPSTR pszPrivateKeyObjId; PCRYPT_ENCRYPT_PRIVATE_KEY_FUNC // pEncryptPrivateKeyFunc; LPVOID pVoidEncryptFunc; } CRYPT_PKCS8_EXPORT_PARAMS, *PCRYPT_PKCS8_EXPORT_PARAMS; [PInvokeData("wincrypt.h", MSDNShortId = "5a60c96e-907a-409e-921c-59055452463f")] [StructLayout(LayoutKind.Sequential)] public struct CRYPT_PKCS8_EXPORT_PARAMS { ///

/// An HCRYPTPROV variable that contains a handle to the cryptographic service provider (CSP) used to encrypt the private key. /// This is a handle to the CSP obtained by calling CryptAcquireContext. ///

public HCRYPTPROV hCryptProv; ///

/// /// A DWORD variable that contains the key specification. The following dwKeySpec values are defined for the /// default provider. /// /// /// /// Value /// Meaning /// /// /// AT_KEYEXCHANGE /// Keys used to encrypt/decrypt session keys. /// /// /// AT_SIGNATURE /// Keys used to create and verify digital signatures. /// /// ///

public CertKeySpec dwKeySpec; ///

An LPSTR variable that contains the object identifier (OID) of the private key to be exported.

public StrPtrAnsi pszPrivateKeyObjId; ///

/// A PCRYPT_ENCRYPT_PRIVATE_KEY_FUNC pointer that points to a callback to a function that encrypts the private key. If this is /// NULL, the private key is not encrypted, and a PKCS #8 CRYPT_ENCRYPTED_PRIVATE_KEY_INFO structure will not be /// generated by CryptExportPKCS8Ex. ///

[MarshalAs(UnmanagedType.FunctionPtr)] public PCRYPT_ENCRYPT_PRIVATE_KEY_FUNC pEncryptPrivateKeyFunc; ///

A LPVOID value that provides data used for encryption, such as key, initialization vector, and password.

public IntPtr pVoidEncryptFunc; } ///

/// /// [The CRYPT_PKCS8_IMPORT_PARAMS structure is available for use in the operating systems specified in the Requirements /// section. It may be altered or unavailable in subsequent versions.] /// /// /// The CRYPT_PKCS8_IMPORT_PARAMS structure contains a PKCS #8 private key and pointers to callback functions. /// CRYPT_PKCS8_IMPORT_PARAMS is used by the CryptImportPKCS8 function. The first callback supplies the algorithm object /// identifier (OID) and key length needed to specify the cryptographic service provider (CSP) into which the key will be imported. /// If the private key in PKCS #8 is encrypted, the CRYPT_PKCS8_IMPORT_PARAMS structure contains the encrypted private key, /// and the second callback is used to decrypt this private key. /// ///

// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_pkcs8_import_params typedef struct // _CRYPT_PKCS8_IMPORT_PARAMS { CRYPT_DIGEST_BLOB PrivateKey; PCRYPT_RESOLVE_HCRYPTPROV_FUNC pResolvehCryptProvFunc; LPVOID // pVoidResolveFunc; PCRYPT_DECRYPT_PRIVATE_KEY_FUNC pDecryptPrivateKeyFunc; LPVOID pVoidDecryptFunc; } CRYPT_PKCS8_IMPORT_PARAMS, // *PCRYPT_PKCS8_IMPORT_PARAMS, CRYPT_PRIVATE_KEY_BLOB_AND_PARAMS, *PCRYPT_PRIVATE_KEY_BLOB_AND_PARAMS; [PInvokeData("wincrypt.h", MSDNShortId = "a016e807-60d3-4ae4-829b-43acea2ee8c1")] [StructLayout(LayoutKind.Sequential)] public struct CRYPT_PKCS8_IMPORT_PARAMS { ///

A CRYPT_DIGEST_BLOB structure that contains the PKCS #8 data.

public CRYPTOAPI_BLOB PrivateKey; ///

/// A PCRYPT_RESOLVE_HCRYPTPROV_FUNC pointer that points to data used by a user-defined function that retrieves a handle to a CSP. ///

[MarshalAs(UnmanagedType.FunctionPtr)] public PCRYPT_RESOLVE_HCRYPTPROV_FUNC pResolvehCryptProvFunc; ///

An LPVOID value that identifies the function used to retrieve the CSP provider handle.

public IntPtr pVoidResolveFunc; ///

A PCRYPT_DECRYPT_PRIVATE_KEY_FUNC pointer that points to a callback function used to decrypt the private key.

[MarshalAs(UnmanagedType.FunctionPtr)] public PCRYPT_DECRYPT_PRIVATE_KEY_FUNC pDecryptPrivateKeyFunc; ///

An LPVOID value that provides data used for encryption, such as key, initialization vector, and password.

public IntPtr pVoidDecryptFunc; } ///

/// /// [The CRYPT_PRIVATE_KEY_INFO structure is available for use in the operating systems specified in the Requirements /// section. It may be altered or unavailable in subsequent versions.] /// /// /// The CRYPT_PRIVATE_KEY_INFO structure contains a clear-text private key in the PrivateKey field (DER encoded). /// CRYPT_PRIVATE_KEY_INFO contains the information in a PKCS #8 PrivateKeyInfo ASN.1 type found in the PKCS #8 standard. /// ///

// https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_private_key_info typedef struct // _CRYPT_PRIVATE_KEY_INFO { DWORD Version; CRYPT_ALGORITHM_IDENTIFIER Algorithm; CRYPT_DER_BLOB PrivateKey; PCRYPT_ATTRIBUTES // pAttributes; } CRYPT_PRIVATE_KEY_INFO, *PCRYPT_PRIVATE_KEY_INFO; [PInvokeData("wincrypt.h", MSDNShortId = "63a5d1c2-88b3-45fa-94d3-2179cb8802c9")] [StructLayout(LayoutKind.Sequential)] public struct CRYPT_PRIVATE_KEY_INFO { ///

A DWORD value that identifies the PKCS #8 version.

public uint Version; ///

/// A CRYPT_ALGORITHM_IDENTIFIER structure that indicates the algorithm in which the private key (RSA or DSA) is to be used. ///

public CRYPT_ALGORITHM_IDENTIFIER Algorithm; ///

A CRYPT_DER_BLOB structure that contains the key data.

public CRYPTOAPI_BLOB PrivateKey; ///

A CRYPT_ATTRIBUTES structure that identifies the PKCS #8 attributes.

public IntPtr pAttributes; } ///

Standard crypto memory allocation methods.

/// public class CryptMemMethods : MemoryMethodsBase { ///

Gets a static instance of this class.

public static readonly CryptMemMethods Instance = new CryptMemMethods(); ///

Gets a handle to a memory allocation of the specified size.

/// The size, in bytes, of memory to allocate. /// A memory handle. /// public override IntPtr AllocMem(int size) => Win32Error.ThrowLastErrorIfNull(CryptMemAlloc((uint)size)); ///

Frees the memory associated with a handle.

/// A memory handle. /// public override void FreeMem(IntPtr hMem) => CryptMemFree(hMem); ///

Gets the reallocation method.

/// A memory handle. /// The size, in bytes, of memory to allocate. /// A memory handle. public override IntPtr ReAllocMem(IntPtr hMem, int size) => Win32Error.ThrowLastErrorIfNull(CryptMemRealloc(hMem, (uint)size)); } ///

Safe handle for crypto memory.

/// public class SafeCryptMem : SafeMemoryHandleExt { ///

Initializes a new instance of the class.

/// The size of memory to allocate, in bytes. /// size - The value of this argument must be non-negative public SafeCryptMem(SizeT size = default) : base(size) { } ///

Initializes a new instance of the class.

/// The handle. /// The size of memory allocated to the handle, in bytes. /// if set to true if this class is responsible for freeing the memory on disposal. public SafeCryptMem(IntPtr handle, SizeT size, bool ownsHandle) : base(handle, size, ownsHandle) { } ///

/// Allocates from unmanaged memory to represent an array of pointers and marshals the unmanaged pointers (IntPtr) to the native /// array equivalent. ///

/// Array of unmanaged pointers /// SafeHGlobalHandle object to an native (unmanaged) array of pointers public SafeCryptMem(byte[] bytes) : base(bytes) { } ///

Allocates from unmanaged memory to represent a Unicode string (WSTR) and marshal this to a native PWSTR.

/// The string value. /// The character set of the string. /// SafeMemoryHandleExt object to an native (unmanaged) string public SafeCryptMem(string s, CharSet charSet = CharSet.Unicode) : base(s, charSet) { } } ///

Provides a for that is disposed using .

public class SafeHCRYPTKEY : SafeHANDLE { ///

Represents a NULL handle for . This must be used instead of .

public static readonly SafeHCRYPTKEY Null = new SafeHCRYPTKEY(IntPtr.Zero, false); ///

Initializes a new instance of the class and assigns an existing handle.

/// An object that represents the pre-existing handle to use. /// /// to reliably release the handle during the finalization phase; otherwise, (not recommended). /// public SafeHCRYPTKEY(IntPtr preexistingHandle, bool ownsHandle = true) : base(preexistingHandle, ownsHandle) { } ///

Initializes a new instance of the class.

private SafeHCRYPTKEY() : base() { } ///

Performs an implicit conversion from to .

/// The safe handle instance. /// The result of the conversion. public static implicit operator HCRYPTKEY(SafeHCRYPTKEY h) => h.handle; /// protected override bool InternalReleaseHandle() => CryptDestroyKey(handle); [DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)] [return: MarshalAs(UnmanagedType.Bool)] private static extern bool CryptDestroyKey(HCRYPTKEY hKey); } } }