Cryptography Functions
Cryptography functions are categorized according to usage as follows:
- CryptXML Functions
- Signer Functions
- Base Cryptography Functions
- Certificate and Certificate Store Functions
- MakeCert Functions
- Certificate Verification Functions
- Message Functions
- Auxiliary Functions
- Certificate Services Backup and Restore Functions
- Callback Functions
- Catalog Definition Functions
- Catalog Functions
- WinTrust Functions
- Object Locator Functions
CryptXML Functions
The cryptographic XML functions provide an API for creating and representing digital signatures by using XML formatted data. For information about XML formatted signatures, see the XML-Signature Syntax and Processing specification at https://go.microsoft.com/fwlink/p/?linkid=139649.
| Function | Description |
|---|---|
| A_SHAFinal | Computes the final hash of the data entered by the MD5Update function. |
| A_SHAInit | Initiates the hashing of a stream of data. |
| A_SHAUpdate | Adds data to a specified hash object. |
| CryptXmlCreateReference | Creates a reference to an XML signature. |
| CryptXmlAddObject | Adds the Object element to the Signature in the Document Context opened for encoding. |
| CryptXmlClose | Closes a cryptographic XML object handle. |
| CryptXmlDigestReference | Used by an application to digest the resolved reference. This function applies transforms before updating the digest. |
| CryptXmlDllCloseDigest | Frees the CRYPT_XML_DIGEST allocated by the CryptXmlDllCreateDigest function. |
| CryptXmlDllCreateDigest | Creates a digest object for the specified method. |
| CryptXmlDllCreateKey | Parses the KeyValue element and creates a Cryptography API: Next Generation (CNG) BCrypt key handle to verify a signature. |
| CryptXmlDllDigestData | Puts data into the digest. |
| CryptXmlDllEncodeAlgorithm | Encodes SignatureMethod or DigestMethod elements for agile algorithms with default parameters. |
| CryptXmlDllEncodeKeyValue | Encodes a KeyValue element. |
| CryptXmlDllFinalizeDigest | Retrieves the digest value. |
| CryptXmlDllGetAlgorithmInfo | Decodes the XML algorithm and returns information about the algorithm. |
| CryptXmlDllGetInterface | Retrieves a pointer to the cryptographic extension functions for the specified algorithm. |
| CryptXmlDllSignData | Signs data. |
| CryptXmlDllVerifySignature | Verifies a signature. |
| CryptXmlEncode | Encodes signature data by using the supplied XML writer callback function. |
| CryptXmlGetAlgorithmInfo | Decodes the CRYPT_XML_ALGORITHM structure and returns information about the algorithm. |
| CryptXmlGetDocContext | Returns the document context specified by the supplied handle. |
| CryptXmlGetReference | Returns the Reference element specified by the supplied handle. |
| CryptXmlGetSignature | Returns an XML Signature element. |
| CryptXmlGetStatus | Returns a CRYPT_XML_STATUS structure that contains status information about the object specified by the supplied handle. |
| CryptXmlGetTransforms | Returns information about the default transform chain engine. |
| CryptXmlImportPublicKey | Imports the public key specified by the supplied handle. |
| CryptXmlOpenToEncode | Opens an XML digital signature to encode and returns a handle of the opened Signature element. The handle encapsulates a document context with a single CRYPT_XML_SIGNATURE structure and remains open until the CryptXmlClose function is called. |
| CryptXmlOpenToDecode | Opens an XML digital signature to decode and returns the handle of the document context that encapsulates a CRYPT_XML_SIGNATURE structure. The document context can include one or more Signature elements. |
| CryptXmlSetHMACSecret | Sets the HMAC secret on the handle before calling the CryptXmlSign or CryptXmlVerify function. |
| CryptXmlSign | Creates a cryptographic signature of a SignedInfo element. |
| CryptXmlVerifySignature | Performs a cryptographic signature validation of a SignedInfo element. |
| PFN_CRYPT_XML_WRITE_CALLBACK | Creates a transform for a specified data provider. |
| PFN_CRYPT_XML_CREATE_TRANSFORM | Writes cryptographic XML data. |
| PFN_CRYPT_XML_DATA_PROVIDER_READ | Reads cryptographic XML data. |
| PFN_CRYPT_XML_DATA_PROVIDER_CLOSE | Releases the cryptographic XML data provider. |
| PFN_CRYPT_XML_ENUM_ALG_INFO | Enumerates predefined and registered CRYPT_XML_ALGORITHM_INFO entries. |
Signer Functions
Provides functions to sign and time stamp data.
| Function | Description |
|---|---|
| SignerFreeSignerContext | Frees a SIGNER_CONTEXT structure allocated by a previous call to the SignerSignEx function. |
| SignError | Calls the GetLastError function and converts the return code to an HRESULT. |
| SignerSign | Signs the specified file. |
| SignerSignEx | Signs the specified file and returns a pointer to the signed data. |
| SignerSignEx2 | Signs and time stamps the specified file, allowing multiple nested signatures. |
| SignerTimeStamp | Time stamps the specified subject. This function supports Authenticode time stamping. To perform X.509 Public Key Infrastructure (RFC 3161) time stamping, use the SignerTimeStampEx2 function. |
| SignerTimeStampEx | Time stamps the specified subject and optionally returns a pointer to a SIGNER_CONTEXT structure that contains a pointer to a BLOB. This function supports Authenticode time stamping. To perform X.509 Public Key Infrastructure (RFC 3161) time stamping, use the SignerTimeStampEx2 function. |
| SignerTimeStampEx2 | Time stamps the specified subject and optionally returns a pointer to a SIGNER_CONTEXT structure that contains a pointer to a BLOB. This function can be used to perform X.509 Public Key Infrastructure, RFC 3161–compliant, time stamps. |
| SignerTimeStampEx3 | Time stamps the specified subject and supports setting time stamps on multiple signatures. |
Base Cryptography Functions
Base cryptographic functions provide the most flexible means of developing cryptography applications. All communication with a cryptographic service provider (CSP) occurs through these functions.
A CSP is an independent module that performs all cryptographic operations. At least one CSP is required with each application that uses cryptographic functions. A single application can occasionally use more than one CSP.
If more than one CSP is used, the one to use can be specified in the CryptoAPI cryptographic function calls. One CSP, the Microsoft Base Cryptographic Provider, is bundled with the CryptoAPI. This CSP is used as a default provider by many of the CryptoAPI functions if no other CSP is specified.
Each CSP provides a different implementation of the cryptographic support provided to CryptoAPI. Some provide stronger cryptographic algorithms; others contain hardware components, such as smart cards. In addition, some CSPs can occasionally communicate directly with users, such as when digital signatures are performed by using the user's signature private key.
Base cryptographic functions are in the following broad groups:
- Service Provider Functions
- Key Generation and Exchange Functions
- Object Encoding and Decoding Functions
- Data Encryption and Decryption Functions
- Hash and Digital Signature Functions
Service Provider Functions
Applications use the following service functions to connect and disconnect a cryptographic service provider (CSP).
| Function | Description |
|---|---|
| CryptAcquireContext | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Acquires a handle to the current user's key container within a particular CSP. |
| CryptContextAddRef | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Increments the reference count on an HCRYPTPROV handle. |
| CryptEnumProviders | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Enumerates the providers on a computer. |
| CryptEnumProviderTypes | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Enumerates the types of providers supported on the computer. |
| CryptGetDefaultProvider | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Determines the default CSP either for the current user or for the computer for a specified provider type. |
| CryptGetProvParam | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Retrieves the parameters that govern the operations of a CSP. |
| CryptInstallDefaultContext | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Installs a previously acquired HCRYPTPROV context to be used as a default context. |
| CryptReleaseContext | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Releases the handle acquired by the CryptAcquireContext function. |
| CryptSetProvider and CryptSetProviderEx | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Specifies the user default CSP for a particular CSP type. |
| CryptSetProvParam | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Specifies attributes of a CSP. |
| CryptUninstallDefaultContext | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Removes a default context previously installed by CryptInstallDefaultContext. |
| FreeCryptProvFromCertEx | Releases the handle either to a cryptographic service provider (CSP) or to a Cryptography API: Next Generation (CNG) key. |
Key Generation and Exchange Functions
Key generation and exchange functions exchange keys with other users and create, configure, and destroy cryptographic keys.
| Function | Description |
|---|---|
| CryptDeriveKey | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Creates a key derived from a password. |
| CryptDestroyKey | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Destroys a key. |
| CryptDuplicateKey | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Makes an exact copy of a key, including the state of the key. |
| CryptExportKey | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Transfers a key from the CSP into a key BLOB in the application's memory space. |
| CryptGenKey | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Creates a random key. |
| CryptGenRandom | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Generates random data. |
| CryptGetKeyParam | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Retrieves a key's parameters. |
| CryptGetUserKey | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Gets a handle to the key exchange or signature key. |
| CryptImportKey | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Transfers a key from a key BLOB to a CSP. |
| CryptSetKeyParam | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Specifies a key's parameters. |
Object Encoding and Decoding Functions
These are generalized encoding and decoding functions. They are used to encode and decode certificates, certificate revocation lists (CRLs), certificate requests, and certificate extensions.
| Function | Description |
|---|---|
| CryptDecodeObject | Decodes a structure of type lpszStructType. |
| CryptDecodeObjectEx | Decodes a structure of type lpszStructType. CryptDecodeObjectEx supports the one-pass memory allocation option. |
| CryptEncodeObject | Encodes a structure of type lpszStructType. |
| CryptEncodeObjectEx | Encodes a structure of type lpszStructType. CryptEncodeObjectEx supports the one-pass memory allocation option. |
Data Encryption and Decryption Functions
The following functions support encryption and decryption operations. CryptEncrypt and CryptDecrypt require a cryptographic key before being called. This is done by using the CryptGenKey, CryptDeriveKey, or CryptImportKey function. The encryption algorithm is specified when the key is created. CryptSetKeyParam can set additional encryption parameters.
| Function | Description |
|---|---|
| CryptDecrypt | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Decrypts a section of ciphertext by using the specified encryption key. |
| CryptEncrypt | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Encrypts a section of plaintext by using the specified encryption key. |
| CryptProtectData | Performs encryption on the data in a DATA_BLOB structure. |
| CryptProtectMemory | Encrypts memory to protect sensitive information. |
| CryptUnprotectData | Performs a decryption and integrity check of the data in a DATA_BLOB. |
| CryptUnprotectMemory | Decrypts memory that was encrypted using CryptProtectMemory. |
Hash and Digital Signature Functions
These functions compute hashes of data and also create and verify digital signatures. Hashes are also known as message digests.
| Function | Description |
|---|---|
| CryptCreateHash | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Creates an empty hash object. |
| CryptDestroyHash | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Destroys a hash object. |
| CryptDuplicateHash | Duplicates a hash object. |
| CryptGetHashParam | Retrieves a hash object parameter. |
| CryptHashData | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Hashes a block of data, adding it to the specified hash object. |
| CryptHashSessionKey | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Hashes a session key, adding it to the specified hash object. |
| CryptSetHashParam | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Sets a hash object parameter. |
| CryptSignHash | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Signs the specified hash object. |
| CryptUIWizDigitalSign | Displays a wizard that digitally signs a document or a BLOB. |
| CryptUIWizFreeDigitalSignContext | Releases a pointer to a CRYPTUI_WIZ_DIGITAL_SIGN_CONTEXT structure. |
| CryptVerifySignature | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Verifies a digital signature, given a handle to the hash object. |
| PFNCFILTERPROC | Filters the certificates that appear in the digital signature wizard displayed by the CryptUIWizDigitalSign function. |
Certificate and Certificate Store Functions
Certificate and certificate store functions manage the use, storage, and retrieval of certificates, certificate revocation lists (CRLs), and certificate trust lists (CTLs). These functions are divided into the following groups:
- Certificate Store Functions
- Certificate and Certificate Store Maintenance Functions
- Certificate Functions
- Certificate Revocation List Functions
- Certificate Trust List Functions
- Extended Property Functions
- MakeCert Functions
Certificate Store Functions
A user site can, over time, collect many certificates. Typically, a site has certificates for the user of the site as well as other certificates that describe those individuals and entities with whom the user communicates. For each entity, there can be more than one certificate. For each individual certificate, there should be a chain of verifying certificates that provides a trail back to a trusted root certificate. Certificate stores and their related functions provide functionality to store, retrieve, enumerate, verify, and use the information stored in the certificates.
| Function | Description |
|---|---|
| CertAddStoreToCollection | Adds a sibling certificate store to a collection certificate store. |
| CertCloseStore | Closes a certificate store handle. |
| CertControlStore | Allows an application to be notified when there is a difference between the contents of a cached store and the contents of the store that is persisted to storage. It also provides desynchronization of the cached store, if necessary, and provides a means to commit changes made in the cached store to persisted storage. |
| CertDuplicateStore | Duplicates a store handle by incrementing the reference count. |
| CertEnumPhysicalStore | Enumerates the physical stores for a specified system store. |
| CertEnumSystemStore | Enumerates all available system stores. |
| CertEnumSystemStoreLocation | Enumerates all of the locations that have an available system store. |
| CertGetStoreProperty | Gets a store property. |
| CertOpenStore | Opens a certificate store using a specified store provider type. |
| CertOpenSystemStore | Opens a system certificate store based on a subsystem protocol. |
| CertRegisterPhysicalStore | Adds a physical store to a registry system store collection. |
| CertRegisterSystemStore | Registers a system store. |
| CertRemoveStoreFromCollection | Removes a sibling certificate store from a collection store. |
| CertSaveStore | Saves the certificate store. |
| CertSetStoreProperty | Sets a store property. |
| CertUnregisterPhysicalStore | Removes a physical store from a specified system store collection. |
| CertUnregisterSystemStore | Unregisters a specified system store. |
| CryptUIWizExport | Presents a wizard that exports a certificate, certificate trust list (CTL), certificate revocation list (CRL), or certificate store. |
| CryptUIWizImport | Presents a wizard that imports a certificate, certificate trust list (CTL), certificate revocation list (CRL), or certificate store. |
Certificate and Certificate Store Maintenance Functions
CryptoAPI provides a set of general certificate and certificate store maintenance functions.
| Function | Description |
|---|---|
| CertAddSerializedElementToStore | Adds the serialized certificate or CRL element to the store. |
| CertCreateContext | Creates the specified context from the encoded bytes. The new context is not put into a store. |
| CertEnumSubjectInSortedCTL | Enumerates the TrustedSubjects in a sorted CTL context. |
| CertFindSubjectInCTL | Finds the specified subject in a CTL. |
| CertFindSubjectInSortedCTL | Finds the specified subject in a sorted CTL. |
| OpenPersonalTrustDBDialog and OpenPersonalTrustDBDialogEx | Displays the Certificates dialog box. |
Certificate Functions
Most Certificate functions have related functions to deal with CRLs and CTLs. For more information about related CRL and CTL functions, see Certificate Revocation List Functions and Certificate Trust List Functions.
| Function | Description |
|---|---|
| CertAddCertificateContextToStore | Adds a certificate context to the certificate store. |
| CertAddCertificateLinkToStore | Adds a link in a certificate store to a certificate context in a different store. |
| CertAddEncodedCertificateToStore | Converts the encoded certificate to a certificate context, and then adds the context to the certificate store. |
| CertAddRefServerOcspResponse | Increments the reference count for an HCERT_SERVER_OCSP_RESPONSE handle. |
| CertAddRefServerOcspResponseContext | Increments the reference count for a CERT_SERVER_OCSP_RESPONSE_CONTEXT structure. |
| CertCloseServerOcspResponse | Closes an online certificate status protocol (OCSP) server response handle. |
| CertCreateCertificateContext | Creates a certificate context from an encoded certificate. The created context is not put in a certificate store. |
| CertCreateSelfSignCertificate | Creates a self-signed certificate. |
| CertDeleteCertificateFromStore | Deletes a certificate from the certificate store. |
| CertDuplicateCertificateContext | Duplicates a certificate context by incrementing its reference count. |
| CertEnumCertificatesInStore | Enumerates the certificate contexts in the certificate store. |
| CertFindCertificateInStore | Finds the first, or next, certificate context in the certificate store that meets a search criterion. |
| CertFreeCertificateContext | Frees a certificate context. |
| CertGetIssuerCertificateFromStore | Gets a certificate context from the certificate store for the first, or next, issuer of the specified subject certificate. |
| CertGetServerOcspResponseContext | Retrieves a non-blocking, time valid online certificate status protocol (OCSP) response context for the specified handle. |
| CertGetSubjectCertificateFromStore | Gets from the certificate store the subject certificate context, which is uniquely identified by its issuer and serial number. |
| CertGetValidUsages | Returns an array of usages that consist of the intersection of the valid usages for all certificates in an array of certificates. |
| CertOpenServerOcspResponse | Opens a handle to an online certificate status protocol (OCSP) response associated with a server certificate chain. |
| CertRetrieveLogoOrBiometricInfo | Performs a URL retrieval of logo or biometric information specified in either the szOID_LOGOTYPE_EXT or szOID_BIOMETRIC_EXT certificate extension. |
| CertSelectCertificate | Presents a dialog box that allows the user to select certificates from a set of certificates that match a given criteria. |
| CertSelectCertificateChains | Retrieves certificate chains based on specified selection criteria. |
| CertSelectionGetSerializedBlob | A helper function used to retrieve a serialized certificate BLOB from a CERT_SELECTUI_INPUT structure. |
| CertSerializeCertificateStoreElement | Serializes a certificate context's encoded certificate and an encoded representation of its properties. |
| CertVerifySubjectCertificateContext | Performs the enabled verification checks on the subject certificate using the issuer. |
| CryptUIDlgCertMgr | Displays a dialog box that allows the user to manage certificates. |
| CryptUIDlgSelectCertificate | Displays a dialog box that allows a user to select a certificate. |
| CryptUIDlgSelectCertificateFromStore | Displays a dialog box that allows the selection of a certificate from a specified store. |
| CryptUIDlgViewCertificate | Presents a dialog box that displays a specified certificate. |
| CryptUIDlgViewContext | Displays a certificate, CRL, or CTL. |
| CryptUIDlgViewSignerInfo | Displays a dialog box that contains the signer information for a signed message. |
| GetFriendlyNameOfCert | Retrieves the display name for a certificate. |
| RKeyCloseKeyService | Closes a key service handle. |
| RKeyOpenKeyService | Opens a key service handle on a remote computer. |
| RKeyPFXInstall | Installs a certificate on a remote computer. |
Certificate Revocation List Functions
These functions manage the storage and retrieval of certificate revocation lists (CRLs).
| Function | Description |
|---|---|
| CertAddCRLContextToStore | Adds a CRL context to the certificate store. |
| CertAddCRLLinkToStore | Adds a link in a store to a CRL context in a different store. |
| CertAddEncodedCRLToStore | Converts the encoded CRL to a CRL context, and then adds the context to the certificate store. |
| CertCreateCRLContext | Creates a CRL context from an encoded CRL. The created context is not put in a certificate store. |
| CertDeleteCRLFromStore | Deletes a CRL from the certificate store. |
| CertDuplicateCRLContext | Duplicates a CRL context by incrementing the reference count. |
| CertEnumCRLsInStore | Enumerates the CRL contexts in a store. |
| CertFindCertificateInCRL | Searches the certificate revocation list (CRL) for the specified certificate. |
| CertFindCRLInStore | Finds the first, or next, CRL context in the certificate store that matches a specific criterion. |
| CertFreeCRLContext | Frees a CRL context. |
| CertGetCRLFromStore | Gets the first, or next, CRL context from the certificate store for the specified issuer certificate. |
| CertSerializeCRLStoreElement | Serializes the CRL context's encoded CRL and its properties. |
Certificate Trust List Functions
These functions manage the storage and retrieval of certificate trust lists (CTLs).
| Function | Description |
|---|---|
| CertAddCTLContextToStore | Adds a CTL context to the certificate store. |
| CertAddCTLLinkToStore | Adds a link in a store to a CRL context in a different store. |
| CertAddEncodedCTLToStore | Converts the encoded CTL to a CTL context, and then adds the context to the certificate store. |
| CertCreateCTLContext | Creates a CTL context from an encoded certificate trust list. The created context is not put in a certificate store. |
| CertDeleteCTLFromStore | Deletes a CTL from the certificate store. |
| CertDuplicateCTLContext | Duplicates a CTL context by incrementing the reference count. |
| CertEnumCTLsInStore | Enumerates the CTL contexts in the certificate store. |
| CertFindCTLInStore | Finds the first, or next, CTL context in the certificate store that matches a specific criteria. |
| CertFreeCTLContext | Frees a CTL context. |
| CertModifyCertificatesToTrust | Modifies the set of certificates in a CTL for a given purpose. |
| CertSerializeCTLStoreElement | Serializes the CTL context's encoded CTL and its properties. |
Extended Property Functions
The following functions work with extended properties of certificates, CRLs, and CTLs.
| Function | Description |
|---|---|
| CertEnumCertificateContextProperties | Enumerates the properties for the specified certificate context. |
| CertEnumCRLContextProperties | Enumerates the properties for the specified CRL context. |
| CertEnumCTLContextProperties | Enumerates the properties for the specified CTL context. |
| CertGetCertificateContextProperty | Retrieves certificate properties. |
| CertGetCRLContextProperty | Retrieves CRL properties. |
| CertGetCTLContextProperty | Retrieves CTL properties. |
| CertSetCertificateContextProperty | Sets certificate properties. |
| CertSetCRLContextProperty | Sets CRL properties. |
| CertSetCTLContextProperty | Sets CTL properties. |
MakeCert Functions
The following functions support the MakeCert tool.
| Function | Description |
|---|---|
| FreeCryptProvFromCert | Releases the handle to a cryptographic service provider (CSP) and optionally deletes the temporary container created by the GetCryptProvFromCert function. |
| GetCryptProvFromCert | Gets a handle to a CSP and a key specification for a certificate context. |
| PvkFreeCryptProv | Releases the handle to a CSP and optionally deletes the temporary container created by the PvkGetCryptProv function. |
| PvkGetCryptProv | Gets a handle to a CSP based on either a private key file name or a key container name. |
| PvkPrivateKeyAcquireContextFromMemory | Creates a temporary container in the CSP and loads a private key from memory into the container. |
| PvkPrivateKeySave | Saves a private key and its corresponding public key to a specified file. |
| SignError | Calls GetLastError and converts the return code to an HRESULT. |
Certificate Verification Functions
Certificates are verified using CTLs or certificate chains. Functions are provided for both of these:
- Verification Functions Using CTLs
- Certificate Chain Verification Functions
Verification Functions Using CTLs
These functions use CTLs in the verification process. Additional functions for working with CTLs can be found in Certificate Trust List Functions and Extended Property Functions.
The following functions use CTLs directly for verification.
| Function | Description |
|---|---|
| CertVerifyCTLUsage | Verifies the usage of a CTL. |
| CryptMsgEncodeAndSignCTL | Encodes and signs a CTL as a message. |
| CryptMsgGetAndVerifySigner | Retrieves and verifies a CTL from a message. |
| CryptMsgSignCTL | Signs a message that contains a CTL. |
Certificate Chain Verification Functions
Certificate chains are built to provide trust information about individual certificates.
| Function Name | Description |
|---|---|
| CertCreateCertificateChainEngine | Creates a new, nondefault chain engine for an application. |
| CertCreateCTLEntryFromCertificateContextProperties | Creates a CTL entry whose attributes are the certificate context's properties. |
| CertDuplicateCertificateChain | Duplicates a certificate chain by incrementing the chain's reference count and returning a pointer to the chain. |
| CertFindChainInStore | Finds the first, or next, certificate chain context in a store. |
| CertFreeCertificateChain | Frees a certificate chain by reducing its reference count. |
| CertFreeCertificateChainEngine | Frees a nondefault certificate chain engine. |
| CertFreeCertificateChainList | Frees the array of pointers to chain contexts. |
| CertGetCertificateChain | Builds a chain context starting from an end certificate and going back to a trusted root certificate, if possible. |
| CertIsValidCRLForCertificate | Checks a CRL to determine whether it would include a specific certificate if that certificate were revoked. |
| CertSetCertificateContextPropertiesFromCTLEntry | Sets properties on the certificate context using the attributes in the CTL entry. |
| CertVerifyCertificateChainPolicy | Checks a certificate chain to verify its validity, including its compliance with any specified validity policy criteria. |
Message Functions
CryptoAPI message functions consist of two groups of functions: low-level message functions and simplified message functions.
Low-level message functions create and work directly with PKCS #7 messages. These functions encode PKCS #7 data for transmission and decode PKCS #7 data received. They also decrypt and verify the signatures of received messages. For an overview of the PKCS #7 standard and low-level messages, see Low-level Messages.
Simplified message functions are at a higher level and wrap several low-level message functions and certificate functions into single functions that perform a specific task in a specific manner. These functions reduce the number of function calls needed to accomplish a task, thereby simplifying CryptoAPI use. For an overview of simplified messages, see Simplified Messages.
- Low-level Message Functions
- Simplified Message Functions
Low-level Message Functions
Low-level message functions provide the functionality necessary to encode data for transmission and to decode PKCS #7 messages received. Functionality is also provided to decrypt and verify the signatures of received messages. Use of these low-level message functions in most applications is not recommended. For most applications, the use of Simplified Message Functions, which wrap several low-level message functions into a single function call, is preferred.
| Function | Description |
|---|---|
| CryptMsgCalculateEncodedLength | Calculates the length of an encoded cryptographic message. |
| CryptMsgClose | Closes a handle of a cryptographic message. |
| CryptMsgControl | Performs a special control function after the final CryptMsgUpdate of an encoded or decoded cryptographic message. |
| CryptMsgCountersign | Countersigns an already existing signature in a message. |
| CryptMsgCountersignEncoded | Countersigns an already existing signature (encoded SignerInfo, as defined by PKCS #7). |
| CryptMsgDuplicate | Duplicates a cryptographic message handle by incrementing the reference count. The reference count keeps track of the lifetime of the message. |
| CryptMsgGetParam | Acquires a parameter after encoding or decoding a cryptographic message. |
| CryptMsgOpenToDecode | Opens a cryptographic message for decoding. |
| CryptMsgOpenToEncode | Opens a cryptographic message for encoding. |
| CryptMsgUpdate | Updates the contents of a cryptographic message. |
| CryptMsgVerifyCountersignatureEncoded | Verifies a countersignature in terms of the SignerInfo structure (as defined by PKCS #7). |
| CryptMsgVerifyCountersignatureEncodedEx | Verifies that the pbSignerInfoCounterSignature parameter contains the encrypted hash of the encryptedDigest field of the pbSignerInfo parameter structure. |
Simplified Message Functions
simplified message functions wrap Low-level Message Functions into a single function to accomplish a specified task.
| Function | Description |
|---|---|
| CryptDecodeMessage | Decodes a cryptographic message. |
| CryptDecryptAndVerifyMessageSignature | Decrypts the specified message, and verifies the signer. |
| CryptDecryptMessage | Decrypts the specified message. |
| CryptEncryptMessage | Encrypts the message for the recipient or recipients. |
| CryptGetMessageCertificates | Returns the certificate store that contains the message's certificates and CRLs. |
| CryptGetMessageSignerCount | Returns the count of signers in the signed message. |
| CryptHashMessage | Creates a hash of the message. |
| CryptSignAndEncryptMessage | Signs the message, and then encrypts it for the recipient or recipients. |
| CryptSignMessageWithKey | Signs a message using a CSP's private key specified in the parameters to the function. |
| CryptSignMessage | Signs the message. |
| CryptVerifyDetachedMessageHash | Verifies a hashed message that contains a detached hash. |
| CryptVerifyDetachedMessageSignature | Verifies a signed message that contains a detached signature or signatures. |
| CryptVerifyMessageHash | Verifies a hashed message. |
| CryptVerifyMessageSignature | Verifies a signed message. |
| CryptVerifyMessageSignatureWithKey | Verifies a signed message's signature by using specified public key information. |
Auxiliary Functions
The auxiliary functions are grouped as follows:
- Data Management Functions
- Data Conversion Functions
- Enhanced Key Usage Functions
- Key Identifier Functions
- OID Support Functions
- Remote Object Retrieval Functions
- PFX Functions
Data Management Functions
The following CryptoAPI functions manage data and certificates.
| Function | Description |
|---|---|
| CertCompareCertificate | Compares two certificates to determine whether they are identical. |
| CertCompareCertificateName | Compares two certificate names to determine whether they are identical. |
| CertCompareIntegerBlob | Compares two integer BLOBs. |
| CertComparePublicKeyInfo | Compares two public keys to determine whether they are identical. |
| CertFindAttribute | Finds the first attribute identified by its object identifier (OID). |
| CertFindExtension | Finds the first extension identified by its OID. |
| CertFindRDNAttr | Finds the first RDN attribute identified by its OID in the name list of the Relative Distinguished Names. |
| CertGetIntendedKeyUsage | Acquires the intended key usage bytes from the certificate. |
| CertGetPublicKeyLength | Acquires the public/private key's bit length from the public key BLOB. |
| CertIsRDNAttrsInCertificateName | Compares the attributes in the certificate name with the specified CERT_RDN to determine whether all attributes are included there. |
| CertIsStrongHashToSign | Determines whether the specified hash algorithm and the public key in the signing certificate can be used to perform strong signing. |
| CertVerifyCRLRevocation | Verifies that the subject certificate is not on the certificate revocation list (CRL). |
| CertVerifyCRLTimeValidity | Verifies the time validity of a CRL. |
| CertVerifyRevocation | Verifies that the subject certificate is not on the CRL. |
| CertVerifyTimeValidity | Verifies the time validity of a certificate. |
| CertVerifyValidityNesting | Verifies that the subject's time validity nests within the issuer's time validity. |
| CryptExportPKCS8 | This function is superseded by the CryptExportPKCS8Ex function. |
| CryptExportPKCS8Ex | Exports the private key in PKCS #8 format. |
| CryptExportPublicKeyInfo | Exports the public key information associated with the provider's corresponding private key. |
| CryptExportPublicKeyInfoEx | Exports the public key information associated with the provider's corresponding private key. This function differs from CryptExportPublicKeyInfo in that the user can specify the public key algorithm, thereby overriding the default provided by the CSP. |
| CryptExportPublicKeyInfoFromBCryptKeyHandle | Exports the public key info associated with a provider's corresponding private key. |
| CryptFindCertificateKeyProvInfo | Enumerates the cryptographic providers and their key containers to find the private key that corresponds to a certificate's public key. |
| CryptFindLocalizedName | Finds the localized name for a specified name, for example, finds the localized name for the store name of the Root system. |
| CryptHashCertificate | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Hashes the encoded content. |
| CryptHashCertificate2 | Hashes a block of data by using a Cryptography API: Next Generation (CNG) hash provider. |
| CryptHashPublicKeyInfo | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Computes the hash of the encoded public key information. |
| CryptHashToBeSigned | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Computes the hash of the "to be signed" information in the encoded signed content (CERT_SIGNED_CONTENT_INFO). |
| CryptImportPKCS8 | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Imports the private key in PKCS #8 format to a cryptographic service provider (CSP). |
| CryptImportPublicKeyInfo | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Converts and imports public key information into the provider, and returns a handle of the public key. |
| CryptImportPublicKeyInfoEx | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Converts and imports the public key information into the provider, and returns a handle of the public key. Additional parameters (over those specified by CryptImportPublicKeyInfo) that can be used to override defaults are provided to supplement CERT_PUBLIC_KEY_INFO. |
| CryptImportPublicKeyInfoEx2 | Imports a public key into a CNG asymmetric provider. |
| CryptMemAlloc | Allocates memory for a buffer. This memory is used by all Crypt32.lib functions that return allocated buffers. |
| CryptMemFree | Frees memory allocated by CryptMemAlloc or CryptMemRealloc. |
| CryptMemRealloc | Frees memory currently allocated for a buffer, and allocates memory for a new buffer. |
| CryptQueryObject | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Retrieves information about the content of a BLOB or a file. |
| CryptSignAndEncodeCertificate | Encodes the "to be signed" information, signs this encoded information, and encodes the resulting signed, encoded information. |
| CryptSignCertificate | Signs the "to be signed" information in the encoded, signed content. |
| CryptSIPAddProvider | Adds a Subject Interface Package (SIP). |
| CryptSIPCreateIndirectData | Returns a SIP_INDIRECT_DATA structure that contains a hash of the supplied SIP_SUBJECTINFO structure, the digest algorithm, and an encoding attribute. The hash can be used as an indirect reference to the data. |
| CryptSIPGetCaps | Retrieves the capabilities of an SIP. |
| CryptSIPGetSignedDataMsg | Retrieves an Authenticode signature from the file. |
| CryptSIPLoad | Loads the dynamic link library that implements a subject interface package and assigns appropriate library export functions to a SIP_DISPATCH_INFO structure. |
| CryptSIPPutSignedDataMsg | Stores an Authenticode Signature in the target file. |
| CryptSIPRemoveProvider | Removes a SIP added by a previous call to the CryptSIPAddProvider function. |
| CryptSIPRemoveSignedDataMsg | Removes a specified Authenticode signature. |
| CryptSIPRetrieveSubjectGuid | Retrieves a GUID based on the header information in a specified file. |
| CryptSIPRetrieveSubjectGuidForCatalogFile | Retrieves the subject GUID associated with the specified file. |
| CryptSIPVerifyIndirectData | Validates the indirect hashed data against the supplied subject. |
| CryptUpdateProtectedState | Migrates the current user's master keys after the user's security identifier (SID) has changed. |
| CryptVerifyCertificateSignature | Verifies the signature of a subject certificate or a CRL by using the public key information. |
| CryptVerifyCertificateSignatureEx | An extended version of CryptVerifyCertificateSignature. |
| GetEncSChannel | Stores the encrypted Schannel DLL contents in memory. |
| pCryptSIPGetCaps | Implemented by an SIP to report capabilities. |
Data Conversion Functions
The following CryptoAPI functions convert certificate structure members to different forms.
| Function | Description |
|---|---|
| CertAlgIdToOID | Converts a CryptoAPI algorithm identifier (ALG_ID) to an Abstract Syntax Notation One (ASN.1) object identifier (OID) string. |
| CertGetNameString | Acquires the subject or issuer name from a certificate, and converts it to a null-terminated character string. |
| CertNameToStr | Converts a certificate name BLOB to a zero-terminated string. |
| CertOIDToAlgId | Converts the ASN.1 Object Identifier string to the CSP algorithm identifier. |
| CertRDNValueToStr | Converts a Name Value to a null-terminated string. |
| CertStrToName | Converts a null-terminated X.500 string to an encoded certificate name. |
| CryptBinaryToString | Converts a binary sequence into a formatted string. |
| CryptFormatObject | Formats encoded data, and returns a Unicode string. |
| CryptStringToBinary | Converts a formatted string to a binary sequence. |
Enhanced Key Usage Functions
The following functions deal with the enhanced key usage (EKU) extension and the EKU extended property of certificates. The EKU extension and extended property specify and limit the valid uses of a certificate. The extensions are part of the certificate itself. They are set by the issuer of the certificate and are read-only. Certificate-extended properties are values associated with a certificate that can be set in an application.
| Function | Description |
|---|---|
| CertAddEnhancedKeyUsageIdentifier | Adds a usage identifier to a certificate's EKU property. |
| CertGetEnhancedKeyUsage | Acquires, from a certificate, information about the EKU extension or property. |
| CertRemoveEnhancedKeyUsageIdentifier | Removes the usage identifier from a certificate's EKU extended property. |
| CertSetEnhancedKeyUsage | Sets the EKU property for a certificate. |
Key Identifier Functions
Key identifier functions allow the user to create, set, retrieve, or locate a key identifier or its properties.
A key identifier is the unique identifier of a public/private key pair. It can be any unique identifier but is usually the 20-byte SHA1 hash of an encoded CERT_PUBLIC_KEY_INFO structure. A key identifier can be obtained through the certificate's CERT_KEY_IDENTIFIER_PROP_ID. The key identifier allows the use of that key pair to encrypt or decrypt messages without using the certificate.
Key identifiers are not associated with CRLs or CTLs.
A key identifier can have the same properties as a certificate context. For more information, see CertCreateContext.
| Function | Description |
|---|---|
| CryptCreateKeyIdentifierFromCSP | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Creates a key identifier from a CSP's public key BLOB. |
| CryptEnumKeyIdentifierProperties | Enumerates key identifiers and their properties. |
| CryptGetKeyIdentifierProperty | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Acquires a specific property from a specified key identifier. |
| CryptSetKeyIdentifierProperty | Important: This API is deprecated. New and existing software should start using Cryptography Next Generation APIs. Microsoft may remove this API in future releases. Sets a property of a specified key identifier. |
OID Support Functions
These functions provide object identifier (OID) support. These functions install, register, and dispatch to OID and encoding type-specific functions.
The following CryptoAPI functions use these OID support functions:
- CryptEncodeObject
- CryptEncodeObjectEx
- CryptDecodeObject
- CryptDecodeObjectEx
- CertVerifyRevocation
- CertOpenStore
For an overview of this process, see Extending CryptoAPI Functionality.
The following functions work with OIDs.
| Function | Description |
|---|---|
| CryptEnumOIDFunction | Enumerates the registered OID functions identified by their encoding type, function name, and OID. |
| CryptEnumOIDInfo | Enumerates the registered OID information identified by their group, and calls pfnEnumOIDInfo for matches. |
| CryptFindOIDInfo | Uses the specified key and group to find OID information. |
| CryptFreeOIDFunctionAddress | Releases the handle count that was incremented and returned by CryptGetOIDFunctionAddress or CryptGetDefaultOIDFunctionAddress. |
| CryptGetDefaultOIDDllList | Acquires the list of registered default DLL entries for the specified function set and encoding type. |
| CryptGetDefaultOIDFunctionAddress | Either acquires the first or next installed default function, or loads the DLL that contains the default function. |
| CryptGetOIDFunctionAddress | Searches the list of installed functions for an encoding type and OID match. If a match is not found there, the registry is searched for a match. |
| CryptGetOIDFunctionValue | Acquires the value for the specified encoding type, function name, OID, and value name. |
| CryptInitOIDFunctionSet | Initializes and returns a handle of the OID function set identified by the function name supplied. |
| CryptInstallOIDFunctionAddress | Installs a set of callable OID function addresses. |
| CryptRegisterDefaultOIDFunction | Registers the DLL that contains the default function to be called for the specified encoding type and function name. |
| CryptRegisterOIDFunction | Registers the DLL that contains the function to be called for the specified encoding type, function name, and OID. |
| CryptRegisterOIDInfo | Registers the OID information specified in the CRYPT_OID_INFO structure, persisting it to the registry. |
| CryptSetOIDFunctionValue | Sets the value for the specified encoding type, function name, OID, and value name. |
| CryptUnregisterDefaultOIDFunction | Removes the registration for the DLL that contains the default function to be called for the specified encoding type and function name. |
| CryptUnregisterOIDFunction | Removes the registration for the DLL that contains the function to be called for the specified encoding type, function name, and OID. |
| CryptUnregisterOIDInfo | Removes the registration for the specified OID information. |
Remote Object Retrieval Functions
The following functions allow the user to retrieve a Public Key Infrastructure (PKI) object, acquire the URL of a certificate, CTL, or CRL, or to extract a URL from an object.
| Function | Description |
|---|---|
| CryptGetObjectUrl | Acquires the URL of the remote object from a certificate, CTL, or CRL. |
| CryptRetrieveObjectByUrl | Retrieves the PKI object from a location specified by a URL. |
PFX Functions
The following functions support Personal Information Exchange (PFX) format BLOBs.
| Function | Description |
|---|---|
| PFXExportCertStore | Exports from the referenced certificate store the certificates and, if available, their associated private keys. |
| PFXExportCertStoreEx | Exports from the referenced certificate store the certificates and, if available, their associated private keys. |
| PFXImportCertStore | Imports a PFX BLOB, and returns the handle of a store that contains certificates and any associated private keys. |
| PFXIsPFXBlob | Attempts to decode the outer layer of a BLOB as a PFX packet. |
| PFXVerifyPassword | Attempts to decode the outer layer of a BLOB as a PFX packet and to decrypt it with the given password. |
Certificate Services Backup and Restore Functions
Certificate Services includes functions for backing up and restoring the Certificate Services database. These Certificate Services backup and restore functions are contained in Certadm.dll. Unlike the other API elements associated with Certificate Services, these functions are not encapsulated in an object that can be used to call class methods. Instead, the backup and restore APIs are called by first loading the Certadm.dll library into memory by calling LoadLibrary and then determining the address of the functions by calling GetProcAddress. When you have finished calling the Certificate Services backup and restore functions, call FreeLibrary to free Certadm.dll resources from memory.
Note
Backup and restore functions provided by Certadm.dll do not backup or restore the Certificate Service's private keys. For information about backing up the Certificate Services private keys, see Backing Up and Restoring the Certificate Services Private Key.
To call the backup and restore functions, you must have backup and restore privileges. For details, see Setting the Backup and Restore Privileges.
Note
If CoInitializeEx was previously called in the same thread used to call the Certificate Services backup and restore APIs, the COINIT_APARTMENTTHREADED flag must have been passed to CoInitializeEx. That is, when using the same thread, you cannot call the Certificate Services backup and restore API if the thread has previously passed in the COINIT_MULTITHREADED flag in a call to CoInitializeEx.
The Certificate Services Backup APIs are defined in Certbcli.h. However, when you create your program, use Certsrv.h as the include file.
The following APIs are exported by Certadm.dll.
| Function | Description |
|---|---|
| CertSrvBackupClose | Closes an opened file. |
| CertSrvBackupEnd | Ends a backup session. |
| CertSrvBackupFree | Frees a buffer allocated by the backup and restore APIs. |
| CertSrvBackupGetBackupLogs | Returns a list of log files that need to be backed up. |
| CertSrvBackupGetDatabaseNames | Returns a list of database files that need to be backed up. |
| CertSrvBackupGetDynamicFileList | Retrieves the list of Certificate Services dynamic file names that need to be backed up for the given backup context. |
| CertSrvBackupOpenFile | Opens a file in preparation for backing it up. |
| CertSrvBackupPrepare | Prepares the database for the online backup. |
| CertSrvBackupRead | Reads the contents of an opened file. |
| CertSrvBackupTruncateLogs | Truncates the log files. |
| CertSrvIsServerOnline | Determines whether a Certificate Services server is online (actively running). |
| CertSrvRestoreEnd | Ends a restore session. |
| CertSrvRestoreGetDatabaseLocations | Retrieves database locations (used for both backup and restore scenarios). |
| CertSrvRestorePrepare | Begins a restore session. |
| CertSrvRestoreRegister | Registers a restore operation. |
| CertSrvRestoreRegisterComplete | Completes a previously registered restore operation. |
| CertSrvRestoreRegisterThroughFile | Registers a restore operation. |
| CertSrvServerControl | Sends a control command to the Certificate Services instance. |
Callback Functions
The callback functions in this section are used to register or install application-defined certificate store providers and to provide related functionality through callback functions. Callback functions are implemented by an application and are called by CryptoAPI functions. Callback functions enable the application to control, in part, the way that CryptoAPI functions manipulate data.
| Callback function | Use |
|---|---|
| CertChainFindByIssuerCallback | An application-defined callback function that allows the application to filter certificates that might be added to the certificate chain. |
| CertDllOpenStoreProv | Defines the store provider open function. |
| CertEnumPhysicalStoreCallback | Callback function used by the CertEnumPhysicalStore function to format and present information on each physical store found. |
| CertEnumSystemStoreCallback | Callback function used by the CertEnumSystemStore function to format and present information on each physical store found. |
| CertEnumSystemStoreLocationCallback | Callback function used by the CertEnumSystemStoreLocation function to format and present information on each physical store found. |
| CertStoreProvCloseCallback | Determines what happens when an open store's reference count becomes zero. |
| CertStoreProvControl | Allows an application to be notified when there is a difference between the contents of a cached store in use and the contents of that store as it is persisted to storage. |
| CertStoreProvDeleteCertCallback | Determines actions to be taken before a certificate is deleted from a certificate store. |
| CertStoreProvDeleteCRLCallback | Determines actions to be taken before a certificate revocation list (CRL) is deleted from a certificate store. |
| CertStoreProvDeleteCTL | Determines whether a CTL can be deleted. |
| CertStoreProvFindCert | Finds the first, or next, certificate in a store that matches specified criteria. |
| CertStoreProvFindCRL | Finds the first, or next, CRL in a store that matches specified criteria. |
| CertStoreProvFindCTL | Finds the first, or next, CTL in a store that matches specified criteria. |
| CertStoreProvFreeFindCert | Frees a previously found certificate context. |
| CertStoreProvFreeFindCRL | Frees a previously found CRL context. |
| CertStoreProvFreeFindCTL | Frees a previously found CTL context. |
| CertStoreProvGetCertProperty | Retrieves a specified property of a certificate. |
| CertStoreProvGetCRLProperty | Retrieves a specified property of a CRL. |
| CertStoreProvGetCTLProperty | Retrieves a specified property of a CTL. |
| CertStoreProvReadCertCallback | Currently not used but might be exported to future CSPs. |
| CertStoreProvReadCRLCallback | Currently not used but might be exported to future CSPs. |
| CertStoreProvReadCTL | Read the provider's copy of the CTL context, and, if it exists, create a new CTL context. |
| CertStoreProvSetCertPropertyCallback | Determines actions to be taken before a call to CertSetCertificateContextProperty or CertGetCertificateContextProperty. |
| CertStoreProvSetCRLPropertyCallback | Determines actions to be taken before a call to CertSetCRLContextProperty or CertGetCRLContextProperty. |
| CertStoreProvSetCTLProperty | Determines whether a property can be set on a CTL. |
| CertStoreProvWriteCertCallback | Determines actions to be taken before adding a certificate to a store. |
| CertStoreProvWriteCRLCallback | Determines actions to be taken before adding a CRL to a store. |
| CertStoreProvWriteCTL | Determines whether a CTL can be added to the store. |
| CRYPT_ENUM_KEYID_PROP | Callback function used by the CryptEnumKeyIdentifierProperties function. |
| CRYPT_ENUM_OID_FUNCTION | Callback function used by the CryptEnumOIDFunction function. |
| CRYPT_ENUM_OID_INFO | Callback function used by the CryptEnumOIDInfo function. |
| CryptGetSignerCertificateCallback | Callback function used with the CRYPT_VERIFY_MESSAGE_PARA structure to get and verify a message signer's certificate. |
| PCRYPT_DECRYPT_PRIVATE_KEY_FUNC | Callback function used by the CryptImportPKCS8 function. |
| PCRYPT_ENCRYPT_PRIVATE_KEY_FUNC | Callback function used when creating the CRYPT_ENCRYPTED_PRIVATE_KEY_INFO structure. |
| PCRYPT_RESOLVE_HCRYPTPROV_FUNC | Callback function used by the CryptImportPKCS8 function. |
| PFN_CDF_PARSE_ERROR_CALLBACK | A user-defined function called for Catalog Definition Function errors while parsing a catalog definition file (CDF). |
| PFN_CERT_CREATE_CONTEXT_SORT_FUNC | Called for each sorted context entry when a context is created. |
| PFN_CMSG_CNG_IMPORT_CONTENT_ENCRYPT_KEY | A CNG object identifier (OID) installable function for import of an already decrypted content encryption key (CEK). |
| PFN_CMSG_CNG_IMPORT_KEY_AGREE | Imports a content encryption key for a key transport recipient of an enveloped message. |
| PFN_CMSG_CNG_IMPORT_KEY_TRANS | A CNG OID installable function for import and decryption of a key-transport-recipient, encrypted, content encryption key (CEK). |
| PFN_CMSG_EXPORT_KEY_AGREE | Encrypts and exports the content encryption key for a key agreement recipient of an enveloped message. |
| PFN_CMSG_EXPORT_KEY_TRANS | Encrypts and exports the content encryption key for a key transport recipient of an enveloped message. |
| PFN_CMSG_EXPORT_MAIL_LIST | Encrypts and exports the content encryption key for a mailing list recipient of an enveloped message. |
| PFN_CMSG_GEN_CONTENT_ENCRYPT_KEY | Generates the symmetric key used to encrypt content for an enveloped message. |
| PFN_CMSG_IMPORT_KEY_AGREE | Imports a content encryption key for a key transport recipient of an enveloped message. |
| PFN_CMSG_IMPORT_KEY_TRANS | Imports a content encryption key for a key transport recipient of an enveloped message. |
| PFN_CMSG_IMPORT_MAIL_LIST | Imports a content encryption key for a key transport recipient of an enveloped message. |
| PFN_CRYPT_EXPORT_PUBLIC_KEY_INFO_EX2_FUNC | Called by CryptExportPublicKeyInfoEx to export a public key BLOB and encode it. |
| PFN_CRYPT_EXTRACT_ENCODED_SIGNATURE_PARAMETERS_FUNC | Called to decode and return the hash algorithm identifier and optionally the signature parameters. |
| PFN_CRYPT_SIGN_AND_ENCODE_HASH_FUNC | Called to sign and encode a computed hash. |
| PFN_CRYPT_VERIFY_ENCODED_SIGNATURE_FUNC | Called to decrypt an encoded signature and compare it to a computed hash. |
| PFN_IMPORT_PUBLIC_KEY_INFO_EX2_FUNC | Called by CryptImportPublicKeyInfoEx2 to decode the public key algorithm identifier, load the algorithm provider, and import the key pair. |
| PFNCCERTDISPLAYPROC | A user-defined callback function that allows the caller of the CryptUIDlgSelectCertificate function to handle the display of certificates that the user selects to view. |
| PFNCMFILTERPROC | Filters each certificate to decide if it will appear in the certificate selection dialog box displayed by the CertSelectCertificate function. |
| PFNCMHOOKPROC | Called before messages are processed by the certificate selection dialog box produced by the CertSelectCertificate function. |
Catalog Definition Functions
These functions are used to create a catalog. All of these functions are called by MakeCat.
| Function | Description |
|---|---|
| CryptCATCDFClose | Closes a catalog definition file and frees the memory for the corresponding CRYPTCATCDF structure. |
| CryptCATCDFEnumAttributesWithCDFTag | Enumerates the attributes of member files in the CatalogFiles section of a CDF. |
| CryptCATCDFEnumCatAttributes | Enumerates catalog-level attributes within the CatalogHeader section of a CDF. |
| CryptCATCDFEnumMembersByCDFTagEx | Enumerates the individual file members in the CatalogFiles section of a CDF. |
| CryptCATCDFOpen | Opens an existing CDF for reading and initializes a CRYPTCATCDF structure. |
Catalog Functions
These functions are used to manage a catalog.
| Function | Description |
|---|---|
| CryptCATAdminAcquireContext | Acquires a handle to a catalog administrator context. This handle can be used by subsequent calls to the CryptCATAdminAddCatalog, CryptCATAdminEnumCatalogFromHash, and CryptCATAdminRemoveCatalog functions. |
| CryptCATAdminAcquireContext2 | Acquires a handle to a catalog administrator context for a given hash algorithm and hash policy. |
| CryptCATAdminAddCatalog | Adds a catalog to the catalog database. |
| CryptCATAdminCalcHashFromFileHandle | Calculates the hash for a file. |
| CryptCATAdminCalcHashFromFileHandle2 | Calculates the hash for a file by using the specified algorithm. |
| CryptCATAdminEnumCatalogFromHash | Enumerates the catalogs that contain a specified hash. |
| CryptCATAdminReleaseCatalogContext | Releases a handle to a catalog context previously returned by the CryptCATAdminAddCatalog function. |
| CryptCATAdminReleaseContext | Releases the handle previously assigned by the CryptCATAdminAcquireContext function. |
| CryptCATAdminRemoveCatalog | Deletes a catalog file and removes that catalog's entry from the Windows catalog database. |
| CryptCATAdminResolveCatalogPath | Retrieves the fully qualified path of the specified catalog. |
| CryptCATCatalogInfoFromContext | Retrieves catalog information from a specified catalog context. |
| CryptCATClose | Closes a catalog handle opened previously by the CryptCATOpen function. |
| CryptCATEnumerateAttr | Enumerates the attributes associated with a member of a catalog. |
| CryptCATEnumerateCatAttr | Enumerates the attributes associated with a catalog. |
| CryptCATEnumerateMember | Enumerates the members of a catalog. |
| CryptCATGetAttrInfo | Retrieves information about an attribute of a member of a catalog. |
| CryptCATGetMemberInfo | Retrieves member information from the catalog's PKCS #7. In addition to retrieving the member information for a specified reference tag, this function opens a member context. |
| CryptCATOpen | Opens a catalog, and returns a context handle to the open catalog. |
| IsCatalogFile | Retrieves a Boolean value that indicates whether the specified file is a catalog file. |
WinTrust Functions
The following functions are used to perform various trust operations.
| Function | Description |
|---|---|
| WintrustAddActionID | Adds a trust provider action to the user's system. |
| WintrustGetRegPolicyFlags | Retrieves policy flags for a policy provider. |
| WintrustAddDefaultForUsage | Specifies the default usage identifier and callback information for a provider |
| WintrustGetDefaultForUsage | Retrieves the default usage identifier and callback information. |
| WintrustLoadFunctionPointers | Loads function entry points for a specified action GUID. |
| WintrustRemoveActionID | Removes an action added by the WintrustAddActionID function. |
| WintrustSetDefaultIncludePEPageHashes | Sets the default setting that determines whether page hashes are included when creating subject interface package (SIP) indirect data for portable executable files. |
| WintrustSetRegPolicyFlags | Sets policy flags for a policy provider. |
| WinVerifyTrust | Performs a trust verification action on a specified object. |
| WinVerifyTrustEx | Performs a trust verification action on a specified object and takes a pointer to a WINTRUST_DATA structure. |
| WTHelperCertCheckValidSignature | Checks whether a signature is valid. |
| WTHelperCertFindIssuerCertificate | Finds an issuer certificate from the specified certificate stores that matches the specified subject certificate. |
| WTHelperCertIsSelfSigned | Checks whether a certificate is self-signed. |
| WTHelperGetFileHash | Verifies the signature of a signed file and obtains the hash value and algorithm identifier for the file. |
| WTHelperGetProvCertFromChain | Retrieves a trust provider certificate from the certificate chain. |
| WTHelperGetProvPrivateDataFromChain | Receives a CRYPT_PROVIDER_PRIVDATA structure from the chain by using the provider ID. |
| WTHelperGetProvSignerFromChain | Retrieves a signer or countersigner by index from the chain. |
| WTHelperProvDataFromStateData | Retrieves trust provider information from a specified handle. |
Object Locator Functions
The following callback functions can be implemented by a custom provider that is intended to be called by the Secure Channel (Schannel) security package to retrieve certificates.
| Function | Description |
|---|---|
| PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_FLUSH | Specifies that an object has changed. |
| PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_GET | Retrieves an object. |
| PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_RELEASE | Releases the provider. |
| PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_FREE_PASSWORD | Releases the password used to encrypt a PFX byte array. |
| PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_FREE | Releases the object returned by the provider. |
| PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_FREE_IDENTIFIER | Releases memory for an object identifier. |
| PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_INITIALIZE | Initializes the provider. |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for