EN
Este conteúdo não está disponível em seu idioma, mas aqui está a versão em inglês.

CryptVerifyCertificateSignatureEx function

The CryptVerifyCertificateSignatureEx function verifies the signature of a subject certificate, certificate revocation list, certificate request, or keygen request by using the issuer's public key. The function does not require access to a private key.

Syntax


BOOL WINAPI CryptVerifyCertificateSignatureEx(
  _In_         HCRYPTPROV_LEGACY hCryptProv,
  _In_         DWORD dwCertEncodingType,
  _In_         DWORD dwSubjectType,
  _In_         void *pvSubject,
  _In_         DWORD dwIssuerType,
  _In_         void *pvIssuer,
  _In_         DWORD dwFlags,
  _Inout_opt_  void *pvExtra
);

Parameters

hCryptProv [in]

This parameter is not used and should be set to NULL.

Windows Server 2003 and Windows XP:  A handle to the cryptographic service provider used to verify the signature.

This parameter's data type is HCRYPTPROV.

NULL is passed unless there is a strong reason for passing in a specific cryptographic provider. Passing in NULL causes the default RSA or DSS provider to be acquired.

dwCertEncodingType [in]

The certificate encoding type that was used to encrypt the subject. The message encoding type identifier, contained in the high WORD of this value, is ignored by this function.

This parameter can be the following currently defined certificate encoding type.

ValueMeaning
X509_ASN_ENCODING
1 (0x1)

Specifies X.509 certificate encoding.

 

dwSubjectType [in]

The subject type. This parameter can be one of the following subject types.

ValueMeaning
CRYPT_VERIFY_CERT_SIGN_SUBJECT_BLOB
1 (0x1)

pvSubject is a pointer to a CRYPT_DATA_BLOB structure.

CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT
2 (0x2)

pvSubject is a pointer to a CCERT_CONTEXT structure.

CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL
3 (0x3)

pvSubject is a pointer to a CCRL_CONTEXT structure.

CRYPT_VERIFY_CERT_SIGN_SUBJECT_OCSP_BASIC_SIGNED_RESPONSE
4 (0x4)

pvSubject is a pointer to an OCSP_BASIC_SIGNED_RESPONSE_INFO structure.

Windows Server 2003 and Windows XP:  This subject type is not supported.

 

pvSubject [in]

A pointer to a structure of the type indicated by dwSubjectType that contains the signature to be verified.

dwIssuerType [in]

The issuer type. This parameter can be one of the following issuer types.

ValueMeaning
CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY
1 (0x1)

pvIssuer is a pointer to a CERT_PUBLIC_KEY_INFO structure.

CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT
2 (0x2)

pvIssuer is a pointer to a CCERT_CONTEXT structure.

CRYPT_VERIFY_CERT_SIGN_ISSUER_CHAIN
3 (0x3)

pvIssuer is a pointer to a CCERT_CHAIN_CONTEXT structure.

CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL
4 (0x4)

pvIssuer must be NULL.

 

Note  If dwIssuerType is CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL and the signature algorithm is a hashing algorithm, the signature is expected to contain only unencrypted hash octets. Only CRYPT_VERIFY_CERT_SIGN_ISSUER_NULL can be specified in this nonencrypted signature case. If any other dwIssuerType is specified, verification fails and GetLastError returns E_INVALIDARG.

pvIssuer [in]

A pointer to a structure of the type indicated by the value of dwIssuerType. The structure contains access to the public key needed to verify the signature.

dwFlags [in]

Flags that modify the function behavior. This can be zero or a bitwise OR of the following values.

ValueMeaning
CRYPT_VERIFY_CERT_SIGN_DISABLE_MD2_MD4_FLAG
0x00000001

If you set this flag and CryptVerifyCertificateSignatureEx detects an MD2 or MD4 algorithm, the function returns FALSE and sets GetLastError to NTE_BAD_ALGID. The signature is still verified, but this combination of errors enables the caller, now knowing that an MD2 or MD4 algorithm was used, to decide whether to trust or reject the signature.

Windows 8 and Windows Server 2012:  Support for this flag begins.

CRYPT_VERIFY_CERT_SIGN_SET_STRONG_PROPERTIES_FLAG
0x00000002

Sets strong signature properties, after successful verification, on the subject pointed to by the pvSubject parameter.

The following property is set on the certificate context:

  • CERT_SIGN_HASH_CNG_ALG_PROP_ID

The following properties are set on the CRL context:

  • CERT_SIGN_HASH_CNG_ALG_PROP_ID
  • CERT_ISSUER_PUB_KEY_BIT_LENGTH_PROP_ID

Note  This flag is only applicable if CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL is specified in the dwSubjectType parameter.

Windows 8 and Windows Server 2012:  Support for this flag begins.

CRYPT_VERIFY_CERT_SIGN_RETURN_STRONG_PROPERTIES_FLAG
0x00000004

Returns a pointer to a CRYPT_VERIFY_CERT_SIGN_STRONG_PROPERTIES_INFO structure in the pvExtra parameter. The structure contains the length, in bits, of the public key and the names of the signing and hashing algorithms used.

You must call CryptMemFree to free the structure. If memory cannot be allocated for the CRYPT_VERIFY_CERT_SIGN_STRONG_PROPERTIES_INFO structure, this function returns successfully but sets the pvExtra parameter to NULL.

Note  This flag is only applicable if CRYPT_VERIFY_CERT_SIGN_SUBJECT_OCSP_BASIC_SIGNED_RESPONSE is specified in the dwSubjectType parameter.

Windows 8 and Windows Server 2012:  Support for this flag begins.

 

pvExtra [in, out, optional]

Pointer to a CRYPT_VERIFY_CERT_SIGN_STRONG_PROPERTIES_INFO structure if the dwFlags parameter is set to CRYPT_VERIFY_CERT_SIGN_RETURN_STRONG_PROPERTIES_FLAG.

You must call CryptMemFree to free the structure.

Return value

Returns nonzero if successful or zero otherwise.

For extended error information, call GetLastError.

Note  Errors from the called functions CryptCreateHash, CryptImportKey, CryptVerifySignature, and CryptHashData may be propagated to this function.

On failure, this function will cause the following error codes to be returned from GetLastError.

Return codeDescription
ERROR_FILE_NOT_FOUND

Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported.

NTE_BAD_ALGID

The signature algorithm's object identifier (OID) does not map to a known or supported hash algorithm.

NTE_BAD_SIGNATURE

The signature was not valid.

 

If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information about these errors, see ASN.1 Encoding/Decoding Return Values.

Remarks

The subject buffer can contain an encoded BLOB or a context for a certificate or CRL. In the case of a certificate context, if the certificate's public key parameters are missing and if these parameters can be inherited from the certificate's issuer for example from the DSS public key parameter, the context's CERT_PUBKEY_ALG_PARA_PROP_ID property is updated with the issuer's public key algorithm parameters for a valid signature.

Requirements

Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]

Header

Wincrypt.h

Library

Crypt32.lib

DLL

Crypt32.dll

See also

CryptVerifyCertificateSignature

 

 

Contribuições da comunidade

ADICIONAR
Mostrar:
© 2014 Microsoft