CryptVerifyCertificateSignatureEx function (wincrypt.h)
The CryptVerifyCertificateSignatureEx function verifies the signature of a subject certificate, certificate revocation list, certificate request, or keygen request by using the issuer's public key. The function does not require access to a private key.
Syntax
BOOL CryptVerifyCertificateSignatureEx(
[in] HCRYPTPROV_LEGACY hCryptProv,
[in] DWORD dwCertEncodingType,
[in] DWORD dwSubjectType,
[in] void *pvSubject,
[in] DWORD dwIssuerType,
[in] void *pvIssuer,
[in] DWORD dwFlags,
[in, out, optional] void *pvExtra
);
Parameters
[in] hCryptProv
This parameter is not used and should be set to NULL.
Windows Server 2003 and Windows XP: A handle to the cryptographic service provider used to verify the signature.This parameter's data type is HCRYPTPROV.
NULL is passed unless there is a strong reason for passing in a specific cryptographic provider. Passing in NULL causes the default RSA or DSS provider to be acquired.
[in] dwCertEncodingType
The certificate encoding type that was used to encrypt the subject. The message encoding type identifier, contained in the high WORD of this value, is ignored by this function.
This parameter can be the following currently defined certificate encoding type.
| Value | Meaning |
|---|---|
|
Specifies X.509 certificate encoding. |
[in] dwSubjectType
The subject type. This parameter can be one of the following subject types.
| Value | Meaning |
|---|---|
|
pvSubject is a pointer to a CRYPT_DATA_BLOB structure. |
|
pvSubject is a pointer to a CCERT_CONTEXT structure. |
|
pvSubject is a pointer to a CCRL_CONTEXT structure. |
|
pvSubject is a pointer to an OCSP_BASIC_SIGNED_RESPONSE_INFO structure.
Windows Server 2003 and Windows XP: This subject type is not supported. |
[in] pvSubject
A pointer to a structure of the type indicated by dwSubjectType that contains the signature to be verified.
[in] dwIssuerType
The issuer type. This parameter can be one of the following issuer types.
| Value | Meaning |
|---|---|
|
pvIssuer is a pointer to a CERT_PUBLIC_KEY_INFO structure. |
|
pvIssuer is a pointer to a CCERT_CONTEXT structure. |
|
pvIssuer is a pointer to a CCERT_CHAIN_CONTEXT structure. |
|
pvIssuer must be NULL. |
[in] pvIssuer
A pointer to a structure of the type indicated by the value of dwIssuerType. The structure contains access to the public key needed to verify the signature.
[in] dwFlags
Flags that modify the function behavior. This can be zero or a bitwise OR of the following values.
| Value | Meaning |
|---|---|
|
If you set this flag and CryptVerifyCertificateSignatureEx detects an MD2 or MD4 algorithm, the function returns FALSE and sets GetLastError to NTE_BAD_ALGID. The signature is still verified, but this combination of errors enables the caller, now knowing that an MD2 or MD4 algorithm was used, to decide whether to trust or reject the signature.
Windows 8 and Windows Server 2012: Support for this flag begins. |
|
Sets strong signature properties, after successful verification, on the subject pointed to by the pvSubject parameter.
The following property is set on the certificate context:
Note This flag is only applicable if CRYPT_VERIFY_CERT_SIGN_SUBJECT_CRL is specified in the dwSubjectType parameter.
|
|
Returns a pointer to a CRYPT_VERIFY_CERT_SIGN_STRONG_PROPERTIES_INFO structure in the pvExtra parameter. The structure contains the length, in bits, of the public key and the names of the signing and hashing algorithms used.
You must call CryptMemFree to free the structure. If memory cannot be allocated for the CRYPT_VERIFY_CERT_SIGN_STRONG_PROPERTIES_INFO structure, this function returns successfully but sets the pvExtra parameter to NULL. Note This flag is only applicable if CRYPT_VERIFY_CERT_SIGN_SUBJECT_OCSP_BASIC_SIGNED_RESPONSE is specified in the dwSubjectType parameter.
|
[in, out, optional] pvExtra
Pointer to a CRYPT_VERIFY_CERT_SIGN_STRONG_PROPERTIES_INFO structure if the dwFlags parameter is set to CRYPT_VERIFY_CERT_SIGN_RETURN_STRONG_PROPERTIES_FLAG.
You must call CryptMemFree to free the structure.
Return value
Returns nonzero if successful or zero otherwise.
For extended error information, call GetLastError.
| Return code | Description |
|---|---|
|
Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported. |
|
The signature algorithm's object identifier (OID) does not map to a known or supported hash algorithm. |
|
The signature was not valid. |
If the function fails, GetLastError may return an Abstract Syntax Notation One (ASN.1) encoding/decoding error. For information about these errors, see ASN.1 Encoding/Decoding Return Values.
Remarks
The subject buffer can contain an encoded BLOB or a context for a certificate or CRL. In the case of a certificate context, if the certificate's public key parameters are missing and if these parameters can be inherited from the certificate's issuer for example from the DSS public key parameter, the context's CERT_PUBKEY_ALG_PARA_PROP_ID property is updated with the issuer's public key algorithm parameters for a valid signature.
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows XP [desktop apps only] |
| Minimum supported server | Windows Server 2003 [desktop apps only] |
| Target Platform | Windows |
| Header | wincrypt.h |
| Library | Crypt32.lib |
| DLL | Crypt32.dll |
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for