Source: https://learn.microsoft.com/en-us/windows/desktop/SecCrypto/cryptography-functions

Cryptography Functions - Win32 apps

Cryptography functions are categorized according to usage as follows:

CryptXML Functions

The cryptographic XML functions provide an API for creating and representing digital signatures by using XML formatted data. For information about XML formatted signatures, see the XML-Signature Syntax and Processing specification at https://go.microsoft.com/fwlink/p/?linkid=139649.

Signer Functions

Provides functions to sign and time stamp data.

| Function | Description |
|---|---|
| SignerFreeSignerContext | Frees a SIGNER_CONTEXT structure allocated by a previous call to the SignerSignEx function. |
| SignError | Calls the GetLastError function and converts the return code to an HRESULT. |
| SignerSign | Signs the specified file. |
| SignerSignEx | Signs the specified file and returns a pointer to the signed data. |
| SignerSignEx2 | Signs and time stamps the specified file, allowing multiple nested signatures. |
| SignerTimeStamp | Time stamps the specified subject. This function supports Authenticode time stamping. To perform X.509 Public Key Infrastructure (RFC 3161) time stamping, use the SignerTimeStampEx2 function. |
| SignerTimeStampEx | Time stamps the specified subject and optionally returns a pointer to a SIGNER_CONTEXT structure that contains a pointer to a BLOB. This function supports Authenticode time stamping. To perform X.509 Public Key Infrastructure (RFC 3161) time stamping, use the SignerTimeStampEx2 function. |
| SignerTimeStampEx2 | Time stamps the specified subject and optionally returns a pointer to a SIGNER_CONTEXT structure that contains a pointer to a BLOB. This function can be used to perform X.509 Public Key Infrastructure, RFC 3161–compliant, time stamps. |
| SignerTimeStampEx3 | Time stamps the specified subject and supports setting time stamps on multiple signatures. |

Base Cryptography Functions

Base cryptographic functions provide the most flexible means of developing cryptography applications. All communication with a cryptographic service provider (CSP) occurs through these functions.

A CSP is an independent module that performs all cryptographic operations. At least one CSP is required with each application that uses cryptographic functions. A single application can occasionally use more than one CSP.

If more than one CSP is used, the one to use can be specified in the CryptoAPI cryptographic function calls. One CSP, the Microsoft Base Cryptographic Provider, is bundled with the CryptoAPI. This CSP is used as a default provider by many of the CryptoAPI functions if no other CSP is specified.

Each CSP provides a different implementation of the cryptographic support provided to CryptoAPI. Some provide stronger cryptographic algorithms; others contain hardware components, such as smart cards. In addition, some CSPs can occasionally communicate directly with users, such as when digital signatures are performed by using the user's signature private key.

Base cryptographic functions are in the following broad groups:

Service Provider Functions

Applications use the following service functions to connect to and disconnect from a cryptographic service provider (CSP).

Key Generation and Exchange Functions

Key generation and exchange functions exchange keys with other users and create, configure, and destroy cryptographic keys.

Object Encoding and Decoding Functions

These are generalized encoding and decoding functions. They are used to encode and decode certificates, certificate revocation lists (CRLs), certificate requests, and certificate extensions.

Data Encryption and Decryption Functions

The following functions support encryption and decryption operations. CryptEncrypt and CryptDecrypt require a key handle, obtained beforehand from the CryptGenKey, CryptDeriveKey, or CryptImportKey function. The encryption algorithm is specified when the key is created. CryptSetKeyParam can set additional encryption parameters, such as the cipher mode and initialization vector.

Hash and Digital Signature Functions

These functions compute hashes of data and also create and verify digital signatures. Hashes are also known as message digests.

Certificate and Certificate Store Functions

Certificate and certificate store functions manage the use, storage, and retrieval of certificates, certificate revocation lists (CRLs), and certificate trust lists (CTLs). These functions are divided into the following groups:

Certificate Store Functions

A user site can, over time, collect many certificates. Typically, a site has certificates for the user of the site as well as other certificates that describe those individuals and entities with whom the user communicates. For each entity, there can be more than one certificate. For each individual certificate, there should be a chain of verifying certificates that provides a trail back to a trusted root certificate. Certificate stores and their related functions provide functionality to store, retrieve, enumerate, verify, and use the information stored in the certificates.

Certificate and Certificate Store Maintenance Functions

CryptoAPI provides a set of general certificate and certificate store maintenance functions.

Certificate Functions

Most Certificate functions have related functions to deal with CRLs and CTLs. For more information about related CRL and CTL functions, see Certificate Revocation List Functions and Certificate Trust List Functions.

Certificate Revocation List Functions

These functions manage the storage and retrieval of certificate revocation lists (CRLs).

Certificate Trust List Functions

These functions manage the storage and retrieval of certificate trust lists (CTLs).

Extended Property Functions

The following functions work with extended properties of certificates, CRLs, and CTLs.

MakeCert Functions

The following functions support the MakeCert tool.

Certificate Verification Functions

Certificates are verified using CTLs or certificate chains. Functions are provided for both of these:

Verification Functions Using CTLs

These functions use CTLs in the verification process. Additional functions for working with CTLs can be found in Certificate Trust List Functions and Extended Property Functions.

The following functions use CTLs directly for verification.

Certificate Chain Verification Functions

Certificate chains are built to provide trust information about individual certificates.

Message Functions

CryptoAPI message functions consist of two groups of functions: low-level message functions and simplified message functions.

Low-level message functions create and work directly with PKCS #7 messages. These functions encode PKCS #7 data for transmission and decode PKCS #7 data received. They also decrypt and verify the signatures of received messages. For an overview of the PKCS #7 standard and low-level messages, see Low-level Messages.

Simplified message functions are at a higher level and wrap several low-level message functions and certificate functions into single functions that perform a specific task in a specific manner. These functions reduce the number of function calls needed to accomplish a task, thereby simplifying CryptoAPI use. For an overview of simplified messages, see Simplified Messages.

Low-level Message Functions

Low-level message functions provide the functionality necessary to encode data for transmission and to decode PKCS #7 messages received. Functionality is also provided to decrypt and verify the signatures of received messages. Use of these low-level message functions in most applications is not recommended. For most applications, the use of Simplified Message Functions, which wrap several low-level message functions into a single function call, is preferred.

Simplified Message Functions

Simplified message functions wrap Low-level Message Functions into a single function to accomplish a specified task.

Auxiliary Functions

The auxiliary functions are grouped as follows:

Data Management Functions

The following CryptoAPI functions manage data and certificates.

Functions marked "Deprecated" below carry the following note on the original page: this API is deprecated, new and existing software should start using Cryptography Next Generation APIs, and Microsoft may remove this API in future releases.

| Function | Description |
|---|---|
| CertCompareCertificate | Compares two certificates to determine whether they are identical. |
| CertCompareCertificateName | Compares two certificate names to determine whether they are identical. |
| CertCompareIntegerBlob | Compares two integer BLOBs. |
| CertComparePublicKeyInfo | Compares two public keys to determine whether they are identical. |
| CertFindAttribute | Finds the first attribute identified by its object identifier (OID). |
| CertFindExtension | Finds the first extension identified by its OID. |
| CertFindRDNAttr | Finds the first RDN attribute identified by its OID in the name list of the Relative Distinguished Names. |
| CertGetIntendedKeyUsage | Acquires the intended key usage bytes from the certificate. |
| CertGetPublicKeyLength | Acquires the public/private key's bit length from the public key BLOB. |
| CertIsRDNAttrsInCertificateName | Compares the attributes in the certificate name with the specified CERT_RDN to determine whether all attributes are included there. |
| CertIsStrongHashToSign | Determines whether the specified hash algorithm and the public key in the signing certificate can be used to perform strong signing. |
| CertVerifyCRLRevocation | Verifies that the subject certificate is not on the certificate revocation list (CRL). |
| CertVerifyCRLTimeValidity | Verifies the time validity of a CRL. |
| CertVerifyRevocation | Verifies that the subject certificate is not on the CRL. |
| CertVerifyTimeValidity | Verifies the time validity of a certificate. |
| CertVerifyValidityNesting | Verifies that the subject's time validity nests within the issuer's time validity. |
| CryptExportPKCS8 | This function is superseded by the CryptExportPKCS8Ex function. |
| CryptExportPKCS8Ex | Exports the private key in PKCS #8 format. |
| CryptExportPublicKeyInfo | Exports the public key information associated with the provider's corresponding private key. |
| CryptExportPublicKeyInfoEx | Exports the public key information associated with the provider's corresponding private key. This function differs from CryptExportPublicKeyInfo in that the user can specify the public key algorithm, thereby overriding the default provided by the CSP. |
| CryptExportPublicKeyInfoFromBCryptKeyHandle | Exports the public key info associated with a provider's corresponding private key. |
| CryptFindCertificateKeyProvInfo | Enumerates the cryptographic providers and their key containers to find the private key that corresponds to a certificate's public key. |
| CryptFindLocalizedName | Finds the localized name for a specified name, for example, finds the localized name for the store name of the Root system. |
| CryptHashCertificate | Deprecated. Hashes the encoded content. |
| CryptHashCertificate2 | Hashes a block of data by using a Cryptography API: Next Generation (CNG) hash provider. |
| CryptHashPublicKeyInfo | Deprecated. Computes the hash of the encoded public key information. |
| CryptHashToBeSigned | Deprecated. Computes the hash of the "to be signed" information in the encoded signed content (CERT_SIGNED_CONTENT_INFO). |
| CryptImportPKCS8 | Deprecated. Imports the private key in PKCS #8 format to a cryptographic service provider (CSP). |
| CryptImportPublicKeyInfo | Deprecated. Converts and imports public key information into the provider, and returns a handle of the public key. |
| CryptImportPublicKeyInfoEx | Deprecated. Converts and imports the public key information into the provider, and returns a handle of the public key. Additional parameters (over those specified by CryptImportPublicKeyInfo) that can be used to override defaults are provided to supplement CERT_PUBLIC_KEY_INFO. |
| CryptImportPublicKeyInfoEx2 | Imports a public key into a CNG asymmetric provider. |
| CryptMemAlloc | Allocates memory for a buffer. This memory is used by all Crypt32.lib functions that return allocated buffers. |
| CryptMemFree | Frees memory allocated by CryptMemAlloc or CryptMemRealloc. |
| CryptMemRealloc | Frees memory currently allocated for a buffer, and allocates memory for a new buffer. |
| CryptQueryObject | Deprecated. Retrieves information about the content of a BLOB or a file. |
| CryptSignAndEncodeCertificate | Encodes the "to be signed" information, signs this encoded information, and encodes the resulting signed, encoded information. |
| CryptSignCertificate | Signs the "to be signed" information in the encoded, signed content. |
| CryptSIPAddProvider | Adds a Subject Interface Package (SIP). |
| CryptSIPCreateIndirectData | Returns a SIP_INDIRECT_DATA structure that contains a hash of the supplied SIP_SUBJECTINFO structure, the digest algorithm, and an encoding attribute. The hash can be used as an indirect reference to the data. |
| CryptSIPGetCaps | Retrieves the capabilities of an SIP. |
| CryptSIPGetSignedDataMsg | Retrieves an Authenticode signature from the file. |
| CryptSIPLoad | Loads the dynamic link library that implements a subject interface package and assigns appropriate library export functions to a SIP_DISPATCH_INFO structure. |
| CryptSIPPutSignedDataMsg | Stores an Authenticode Signature in the target file. |
| CryptSIPRemoveProvider | Removes a SIP added by a previous call to the CryptSIPAddProvider function. |
| CryptSIPRemoveSignedDataMsg | Removes a specified Authenticode signature. |
| CryptSIPRetrieveSubjectGuid | Retrieves a GUID based on the header information in a specified file. |
| CryptSIPRetrieveSubjectGuidForCatalogFile | Retrieves the subject GUID associated with the specified file. |
| CryptSIPVerifyIndirectData | Validates the indirect hashed data against the supplied subject. |
| CryptUpdateProtectedState | Migrates the current user's master keys after the user's security identifier (SID) has changed. |
| CryptVerifyCertificateSignature | Verifies the signature of a subject certificate or a CRL by using the public key information. |
| CryptVerifyCertificateSignatureEx | An extended version of CryptVerifyCertificateSignature. |
| GetEncSChannel | Stores the encrypted Schannel DLL contents in memory. |
| pCryptSIPGetCaps | Implemented by an SIP to report capabilities. |

Data Conversion Functions

The following CryptoAPI functions convert certificate structure members to different forms.

Enhanced Key Usage Functions

The following functions deal with the enhanced key usage (EKU) extension and the EKU extended property of certificates. The EKU extension and extended property specify and limit the valid uses of a certificate. The extensions are part of the certificate itself. They are set by the issuer of the certificate and are read-only. Certificate-extended properties are values associated with a certificate that can be set in an application.

Key Identifier Functions

Key identifier functions allow the user to create, set, retrieve, or locate a key identifier or its properties.

A key identifier is the unique identifier of a public/private key pair. It can be any unique identifier but is usually the 20-byte SHA1 hash of an encoded CERT_PUBLIC_KEY_INFO structure. A key identifier can be obtained through the certificate's CERT_KEY_IDENTIFIER_PROP_ID. The key identifier allows the use of that key pair to encrypt or decrypt messages without using the certificate.

Key identifiers are not associated with CRLs or CTLs.

A key identifier can have the same properties as a certificate context. For more information, see CertCreateContext.

OID Support Functions

These functions provide object identifier (OID) support. These functions install, register, and dispatch to OID and encoding type-specific functions.

The following CryptoAPI functions use these OID support functions:

For an overview of this process, see Extending CryptoAPI Functionality.

The following functions work with OIDs.

| Function | Description |
|---|---|
| CryptEnumOIDFunction | Enumerates the registered OID functions identified by their encoding type, function name, and OID. |
| CryptEnumOIDInfo | Enumerates the registered OID information identified by their group, and calls pfnEnumOIDInfo for matches. |
| CryptFindOIDInfo | Uses the specified key and group to find OID information. |
| CryptFreeOIDFunctionAddress | Releases the handle count that was incremented and returned by CryptGetOIDFunctionAddress or CryptGetDefaultOIDFunctionAddress. |
| CryptGetDefaultOIDDllList | Acquires the list of registered default DLL entries for the specified function set and encoding type. |
| CryptGetDefaultOIDFunctionAddress | Either acquires the first or next installed default function, or loads the DLL that contains the default function. |
| CryptGetOIDFunctionAddress | Searches the list of installed functions for an encoding type and OID match. If a match is not found there, the registry is searched for a match. |
| CryptGetOIDFunctionValue | Acquires the value for the specified encoding type, function name, OID, and value name. |
| CryptInitOIDFunctionSet | Initializes and returns a handle of the OID function set identified by the function name supplied. |
| CryptInstallOIDFunctionAddress | Installs a set of callable OID function addresses. |
| CryptRegisterDefaultOIDFunction | Registers the DLL that contains the default function to be called for the specified encoding type and function name. |
| CryptRegisterOIDFunction | Registers the DLL that contains the function to be called for the specified encoding type, function name, and OID. |
| CryptRegisterOIDInfo | Registers the OID information specified in the CRYPT_OID_INFO structure, persisting it to the registry. |
| CryptSetOIDFunctionValue | Sets the value for the specified encoding type, function name, OID, and value name. |
| CryptUnregisterDefaultOIDFunction | Removes the registration for the DLL that contains the default function to be called for the specified encoding type and function name. |
| CryptUnregisterOIDFunction | Removes the registration for the DLL that contains the function to be called for the specified encoding type, function name, and OID. |
| CryptUnregisterOIDInfo | Removes the registration for the specified OID information. |

Remote Object Retrieval Functions

The following functions allow the user to retrieve a Public Key Infrastructure (PKI) object, acquire the URL of a certificate, CTL, or CRL, or to extract a URL from an object.

PFX Functions

The following functions support Personal Information Exchange (PFX) format BLOBs.

| Function | Description |
|---|---|
| PFXExportCertStore | Exports from the referenced certificate store the certificates and, if available, their associated private keys. |
| PFXExportCertStoreEx | Exports from the referenced certificate store the certificates and, if available, their associated private keys. |
| PFXImportCertStore | Imports a PFX BLOB, and returns the handle of a store that contains certificates and any associated private keys. |
| PFXIsPFXBlob | Attempts to decode the outer layer of a BLOB as a PFX packet. |
| PFXVerifyPassword | Attempts to decode the outer layer of a BLOB as a PFX packet and to decrypt it with the given password. |

Certificate Services Backup and Restore Functions

Certificate Services includes functions for backing up and restoring the Certificate Services database. These Certificate Services backup and restore functions are contained in Certadm.dll. Unlike the other API elements associated with Certificate Services, these functions are not encapsulated in an object that can be used to call class methods. Instead, the backup and restore APIs are called by first loading the Certadm.dll library into memory by calling LoadLibrary and then determining the address of the functions by calling GetProcAddress. When you have finished calling the Certificate Services backup and restore functions, call FreeLibrary to free Certadm.dll resources from memory.

Note

If CoInitializeEx was previously called in the same thread used to call the Certificate Services backup and restore APIs, the COINIT_APARTMENTTHREADED flag must have been passed to CoInitializeEx. That is, when using the same thread, you cannot call the Certificate Services backup and restore API if the thread has previously passed in the COINIT_MULTITHREADED flag in a call to CoInitializeEx.

The Certificate Services Backup APIs are defined in Certbcli.h. However, when you create your program, use Certsrv.h as the include file.

The following APIs are exported by Certadm.dll.

Callback Functions

The callback functions in this section are used to register or install application-defined certificate store providers and to provide related functionality through callback functions. Callback functions are implemented by an application and are called by CryptoAPI functions. Callback functions enable the application to control, in part, the way that CryptoAPI functions manipulate data.

| Callback function | Use |
|---|---|
| CertChainFindByIssuerCallback | An application-defined callback function that allows the application to filter certificates that might be added to the certificate chain. |
| CertDllOpenStoreProv | Defines the store provider open function. |
| CertEnumPhysicalStoreCallback | Callback function used by the CertEnumPhysicalStore function to format and present information on each physical store found. |
| CertEnumSystemStoreCallback | Callback function used by the CertEnumSystemStore function to format and present information on each physical store found. |
| CertEnumSystemStoreLocationCallback | Callback function used by the CertEnumSystemStoreLocation function to format and present information on each physical store found. |
| CertStoreProvCloseCallback | Determines what happens when an open store's reference count becomes zero. |
| CertStoreProvControl | Allows an application to be notified when there is a difference between the contents of a cached store in use and the contents of that store as it is persisted to storage. |
| CertStoreProvDeleteCertCallback | Determines actions to be taken before a certificate is deleted from a certificate store. |
| CertStoreProvDeleteCRLCallback | Determines actions to be taken before a certificate revocation list (CRL) is deleted from a certificate store. |
| CertStoreProvDeleteCTL | Determines whether a CTL can be deleted. |
| CertStoreProvFindCert | Finds the first, or next, certificate in a store that matches specified criteria. |
| CertStoreProvFindCRL | Finds the first, or next, CRL in a store that matches specified criteria. |
| CertStoreProvFindCTL | Finds the first, or next, CTL in a store that matches specified criteria. |
| CertStoreProvFreeFindCert | Frees a previously found certificate context. |
| CertStoreProvFreeFindCRL | Frees a previously found CRL context. |
| CertStoreProvFreeFindCTL | Frees a previously found CTL context. |
| CertStoreProvGetCertProperty | Retrieves a specified property of a certificate. |
| CertStoreProvGetCRLProperty | Retrieves a specified property of a CRL. |
| CertStoreProvGetCTLProperty | Retrieves a specified property of a CTL. |
| CertStoreProvReadCertCallback | Currently not used but might be exported to future CSPs. |
| CertStoreProvReadCRLCallback | Currently not used but might be exported to future CSPs. |
| CertStoreProvReadCTL | Reads the provider's copy of the CTL context and, if it exists, creates a new CTL context. |
| CertStoreProvSetCertPropertyCallback | Determines actions to be taken before a call to CertSetCertificateContextProperty or CertGetCertificateContextProperty. |
| CertStoreProvSetCRLPropertyCallback | Determines actions to be taken before a call to CertSetCRLContextProperty or CertGetCRLContextProperty. |
| CertStoreProvSetCTLProperty | Determines whether a property can be set on a CTL. |
| CertStoreProvWriteCertCallback | Determines actions to be taken before adding a certificate to a store. |
| CertStoreProvWriteCRLCallback | Determines actions to be taken before adding a CRL to a store. |
| CertStoreProvWriteCTL | Determines whether a CTL can be added to the store. |
| CRYPT_ENUM_KEYID_PROP | Callback function used by the CryptEnumKeyIdentifierProperties function. |
| CRYPT_ENUM_OID_FUNCTION | Callback function used by the CryptEnumOIDFunction function. |
| CRYPT_ENUM_OID_INFO | Callback function used by the CryptEnumOIDInfo function. |
| CryptGetSignerCertificateCallback | Callback function used with the CRYPT_VERIFY_MESSAGE_PARA structure to get and verify a message signer's certificate. |
| PCRYPT_DECRYPT_PRIVATE_KEY_FUNC | Callback function used by the CryptImportPKCS8 function. |
| PCRYPT_ENCRYPT_PRIVATE_KEY_FUNC | Callback function used when creating the CRYPT_ENCRYPTED_PRIVATE_KEY_INFO structure. |
| PCRYPT_RESOLVE_HCRYPTPROV_FUNC | Callback function used by the CryptImportPKCS8 function. |
| PFN_CDF_PARSE_ERROR_CALLBACK | A user-defined function called for Catalog Definition Function errors while parsing a catalog definition file (CDF). |
| PFN_CERT_CREATE_CONTEXT_SORT_FUNC | Called for each sorted context entry when a context is created. |
| PFN_CMSG_CNG_IMPORT_CONTENT_ENCRYPT_KEY | A CNG object identifier (OID) installable function for import of an already decrypted content encryption key (CEK). |
| PFN_CMSG_CNG_IMPORT_KEY_AGREE | Imports a content encryption key for a key transport recipient of an enveloped message. |
| PFN_CMSG_CNG_IMPORT_KEY_TRANS | A CNG OID installable function for import and decryption of a key-transport-recipient, encrypted, content encryption key (CEK). |
| PFN_CMSG_EXPORT_KEY_AGREE | Encrypts and exports the content encryption key for a key agreement recipient of an enveloped message. |
| PFN_CMSG_EXPORT_KEY_TRANS | Encrypts and exports the content encryption key for a key transport recipient of an enveloped message. |
| PFN_CMSG_EXPORT_MAIL_LIST | Encrypts and exports the content encryption key for a mailing list recipient of an enveloped message. |
| PFN_CMSG_GEN_CONTENT_ENCRYPT_KEY | Generates the symmetric key used to encrypt content for an enveloped message. |
| PFN_CMSG_IMPORT_KEY_AGREE | Imports a content encryption key for a key transport recipient of an enveloped message. |
| PFN_CMSG_IMPORT_KEY_TRANS | Imports a content encryption key for a key transport recipient of an enveloped message. |
| PFN_CMSG_IMPORT_MAIL_LIST | Imports a content encryption key for a key transport recipient of an enveloped message. |
| PFN_CRYPT_EXPORT_PUBLIC_KEY_INFO_EX2_FUNC | Called by CryptExportPublicKeyInfoEx to export a public key BLOB and encode it. |
| PFN_CRYPT_EXTRACT_ENCODED_SIGNATURE_PARAMETERS_FUNC | Called to decode and return the hash algorithm identifier and optionally the signature parameters. |
| PFN_CRYPT_SIGN_AND_ENCODE_HASH_FUNC | Called to sign and encode a computed hash. |
| PFN_CRYPT_VERIFY_ENCODED_SIGNATURE_FUNC | Called to decrypt an encoded signature and compare it to a computed hash. |
| PFN_IMPORT_PUBLIC_KEY_INFO_EX2_FUNC | Called by CryptImportPublicKeyInfoEx2 to decode the public key algorithm identifier, load the algorithm provider, and import the key pair. |
| PFNCCERTDISPLAYPROC | A user-defined callback function that allows the caller of the CryptUIDlgSelectCertificate function to handle the display of certificates that the user selects to view. |
| PFNCMFILTERPROC | Filters each certificate to decide if it will appear in the certificate selection dialog box displayed by the CertSelectCertificate function. |
| PFNCMHOOKPROC | Called before messages are processed by the certificate selection dialog box produced by the CertSelectCertificate function. |

Catalog Definition Functions

These functions are used to create a catalog. All of these functions are called by MakeCat.

Catalog Functions

These functions are used to manage a catalog.

WinTrust Functions

The following functions are used to perform various trust operations.

Object Locator Functions

The following callback functions can be implemented by a custom provider that is intended to be called by the Secure Channel (Schannel) security package to retrieve certificates.

