CERT_STRONG_SIGN_PARA structure (wincrypt.h)

Contains parameters used to check for strong signatures on certificates, certificate revocation lists (CRLs), online certificate status protocol (OCSP) responses, and PKCS #7 messages.

Syntax

typedef struct _CERT_STRONG_SIGN_PARA {
  DWORD cbSize;
  DWORD dwInfoChoice;
  union {
    void                              *pvInfo;
    PCERT_STRONG_SIGN_SERIALIZED_INFO pSerializedInfo;
    LPSTR                             pszOID;
  } DUMMYUNIONNAME;
} CERT_STRONG_SIGN_PARA, *PCERT_STRONG_SIGN_PARA;

Members

cbSize

Size, in bytes, of this structure.

dwInfoChoice

Indicates which nested union member points to the strong signature information. This can be one of the following values:

Value Description
CERT_STRONG_SIGN_SERIALIZED_INFO_CHOICE Specifies the pSerializedInfo member.
CERT_STRONG_SIGN_OID_INFO_CHOICE Specifies the pszOID member.

DUMMYUNIONNAME

Union that contains the parameters that can be used for checking whether a signature is strong. The parameters consist of signature algorithm / hash algorithm pairs and public key algorithm / bit length pairs.

DUMMYUNIONNAME.pvInfo

Reserved.

DUMMYUNIONNAME.pSerializedInfo

Pointer to a CERT_STRONG_SIGN_SERIALIZED_INFO structure that specifies the parameters.

DUMMYUNIONNAME.pszOID

Pointer to a string that contains an object identifier (OID) that represents predefined parameters that can be used for strong signature checking. This can be one of the following values:

Value Meaning
szOID_CERT_STRONG_SIGN_OS_1
"1.3.6.1.4.1.311.72.1.1"
The SHA2 hash algorithm is supported. MD2, MD4, MD5, and SHA1 are not supported.

The signing and public key algorithms can be RSA or ECDSA. The DSA algorithm is not supported. The key size for the RSA algorithm must equal or be greater than 2047 bits. The key size for the ECDSA algorithm must equal or be greater than 256 bits.

Strong signing of CRLs and OCSP responses is enabled.

szOID_CERT_STRONG_KEY_OS_1
"1.3.6.1.4.1.311.72.2.1"
SHA1 and SHA2 hashes are supported. MD2, MD4, and MD5 are not.

The signing and public key algorithms can be RSA or ECDSA. The DSA algorithm is not supported. The key size for the RSA algorithm must equal or be greater than 2047 bits. The key size for the ECDSA algorithm must equal or be greater than 256 bits.

Strong signing of CRLs and OCSP responses is enabled.
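The following is an added example, not Microsoft code and not how Windows implements the check: a small portable model of the rules the table above gives for the two predefined OIDs, useful for seeing which signatures each one rejects. The function name, result codes and the algorithm label strings ("SHA256", "RSA", and so on) are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* OID strings as listed in the table above. */
#define OID_STRONG_SIGN_OS_1 "1.3.6.1.4.1.311.72.1.1"
#define OID_STRONG_KEY_OS_1  "1.3.6.1.4.1.311.72.2.1"

/* Hypothetical result codes for this sketch (not Windows error codes). */
typedef enum { SS_OK, SS_UNKNOWN_POLICY, SS_WEAK_HASH,
               SS_BAD_KEY_ALG, SS_SHORT_KEY } ss_result;

static bool in_list(const char *s, const char *const *list) {
    for (; *list; ++list)
        if (strcmp(s, *list) == 0) return true;
    return false;
}

/* Model of the rules the table gives for each predefined OID.
 * hash and key_alg are plain labels assumed for this example,
 * e.g. "SHA1", "SHA256" and "RSA", "ECDSA", "DSA". */
ss_result strong_sign_check(const char *policy_oid, const char *hash,
                            const char *key_alg, unsigned key_bits) {
    static const char *const sha2[] = { "SHA256", "SHA384", "SHA512", NULL };
    bool sha1_ok;

    if (strcmp(policy_oid, OID_STRONG_SIGN_OS_1) == 0)     sha1_ok = false;
    else if (strcmp(policy_oid, OID_STRONG_KEY_OS_1) == 0) sha1_ok = true;
    else return SS_UNKNOWN_POLICY;  /* fail closed on an unrecognised OID */

    /* Hash rule: SHA2 under both OIDs, SHA1 only under STRONG_KEY_OS_1. */
    if (!in_list(hash, sha2) && !(sha1_ok && strcmp(hash, "SHA1") == 0))
        return SS_WEAK_HASH;

    /* Key rule is the same for both OIDs: RSA >= 2047, ECDSA >= 256, no DSA. */
    if (strcmp(key_alg, "RSA") == 0)
        return key_bits >= 2047 ? SS_OK : SS_SHORT_KEY;
    if (strcmp(key_alg, "ECDSA") == 0)
        return key_bits >= 256 ? SS_OK : SS_SHORT_KEY;
    return SS_BAD_KEY_ALG;
}

int main(void) {
    /* Constructed sample: an RSA-2048 key with a SHA1 signature. */
    printf("SIGN_OS_1=%d KEY_OS_1=%d\n",
           (int)strong_sign_check(OID_STRONG_SIGN_OS_1, "SHA1", "RSA", 2048),
           (int)strong_sign_check(OID_STRONG_KEY_OS_1, "SHA1", "RSA", 2048));
    return 0;
}
```

The two OIDs differ only in the treatment of SHA1, so a caller that must reject SHA1-signed certificates, CRLs and OCSP responses needs szOID_CERT_STRONG_SIGN_OS_1.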

Remarks

The parameters needed to check for a strong signature include the following:

  • Name of the public (asymmetric) algorithm
  • Size, in bits, of the public key
  • Name of the signature algorithm
  • Name of the hashing algorithm

The value you specify for the dwInfoChoice member of this structure chooses whether the parameters are transmitted as serialized strings or are predefined by using an object identifier.

The CERT_STRONG_SIGN_PARA structure is directly referenced by the following functions:

The CERT_STRONG_SIGN_PARA structure is also directly referenced by the CRYPT_VERIFY_MESSAGE_PARA structure and is therefore available for use by the following functions:

Finally, the CERT_STRONG_SIGN_PARA structure is directly referenced by the CERT_CHAIN_PARA structure and is therefore available for use by the following functions:

Requirements

Requirement Value
Minimum supported client Windows 8 [desktop apps only]
Minimum supported server Windows Server 2012 [desktop apps only]
Header wincrypt.h

See also

CERT_STRONG_SIGN_SERIALIZED_INFO