IX509PublicKey::EncodedParameters property

The EncodedParameters property retrieves a byte array that contains the parameters associated with the public key algorithm. The byte array is represented by a Unicode-encoded string.

This property is read-only.


HRESULT get_EncodedParameters(
  [in]  EncodingType Encoding,
  [out] BSTR         *pValue

Property value

Pointer to a BSTR variable that contains the parameters.

Error codes

If the function succeeds, the function returns S_OK.

If the function fails, it returns an HRESULT value that indicates the error. Possible values include, but are not limited to, those in the following table. For a list of common error codes, see Common HRESULT Values.


The property value could not be found.


Call the InitializeFromEncodedPublicKeyInfo method or the Initialize method to initialize the public key object before calling this property.

The AlgorithmIdentifier Abstract Syntax Notation One (ASN.1) object that is referenced by the SubjectPublicKeyInfo object in an X.509 version 3 certificate contains an algorithm object identifier (OID) and optional parameters.

SubjectPublicKeyInfo  ::=  SEQUENCE
   algorithm            AlgorithmIdentifier,
   subjectPublicKey     BIT STRING  

AlgorithmIdentifier  ::=  SEQUENCE  
   algorithm            OBJECT IDENTIFIER,
   parameters           ANY DEFINED BY algorithm OPTIONAL  

The format and content of the parameters differs by algorithm. The Certificate Enrollment Control generates parameter values for various algorithms as required. For more information, see the following sections:

  • RSA Public Key Algorithm
  • Key Transport Using RSA-OAEP
  • Key Agreement Using ECDH
  • Content Encryption Using AES

RSA Public Key Algorithm

RSA is often used to encrypt a private key and send it to a certification authority (CA) for archival. The XCN_OID_RSA_RSA (1.2.840.113549.1.1.1) algorithm OID must have a NULL parameter value. The ASN.1 NULL value is represented by two bytes. The tag number is 0x05 and the value associated with the tag is 0x00. This is shown by the following certificate example.

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_KEYX)
    Algorithm Parameters:
    05 00

Key Transport Using RSA-OAEP

The RSA-OAEP algorithm, XCN_OID_RSAES_OAEP (1.2.840.113549.1.1.7), is also supported for key transport. The parameters field has the following syntax.

RSAES-OAEP-params  ::=  SEQUENCE  
   hashFunc    [0] AlgorithmIdentifier DEFAULT sha1OID,
   maskGenFunc [1] AlgorithmIdentifier DEFAULT mgf1SHA1OID,
   pSourceFunc [2] AlgorithmIdentifier DEFAULT pSpecifiedEmptyOID

Key Agreement Using ECDH

The single pass Elliptic Curve Diffie-Hellman algorithm, XCN_OID_DH_SINGLE_PASS_STDDH_SHA1_KDF (, is supported for key agreement. Key agreement uses two levels of encryption:

  • The message is encrypted by using a content encryption key (CEK) and a symmetric encryption algorithm.
  • The CEK is encrypted (wrapped) by using a symmetric key encryption key (KEK).
The KEK is computed from a shared secret number that is computed from the private key of one party and the public key of the other party. The parameters field contains the OID of the KEK algorithm used to wrap or encrypt the CEK. The following wrap algorithms are supported:
  • XCN_OID_RSA_SMIMEalgCMS3DESwrap (1.2.840.113549.
  • XCN_OID_RSA_SMIMEalgCMSRC2wrap (1.2.840.113549.
  • XCN_OID_NIST_AES128_WRAP (2.16.840.
  • XCN_OID_NIST_AES192_WRAP (2.16.840.
  • XCN_OID_NIST_AES256_WRAP (2.16.840.

Content Encryption Using AES

The Advanced Encryption Standard (AES) is used to encrypt content. The following algorithms are supported:

  • XCN_OID_NIST_AES128_CBC (2.16.840.
  • XCN_OID_NIST_AES192_CBC (2.16.840.
  • XCN_OID_NIST_AES256_CBC (2.16.840.
The parameters field contains a random initialization vector, AES-IV.



Minimum supported client

Windows Vista [desktop apps only]

Minimum supported server

Windows Server 2008 [desktop apps only]





See also




Community Additions