CryptDecodeMessage function (wincrypt.h)

The CryptDecodeMessage function decodes, decrypts, and verifies a cryptographic message.

This function can be used when the type of cryptographic message is unknown. The dwMsgTypeFlags constants can be combined with a bitwise-OR operation so that the function will try to find one of the types. When one of the types is found, the function reports the type found and returns the data appropriate to that type.

In each pass, the function cracks only a single level of encryption or encoding. For additional cracking, this function, or one of the other Simplified Message Functions, must be called again.


BOOL CryptDecodeMessage(
  [in]                DWORD                       dwMsgTypeFlags,
  [in]                PCRYPT_DECRYPT_MESSAGE_PARA pDecryptPara,
  [in]                PCRYPT_VERIFY_MESSAGE_PARA  pVerifyPara,
  [in]                DWORD                       dwSignerIndex,
  [in]                const BYTE                  *pbEncodedBlob,
  [in]                DWORD                       cbEncodedBlob,
  [in]                DWORD                       dwPrevInnerContentType,
  [out, optional]     DWORD                       *pdwMsgType,
  [out, optional]     DWORD                       *pdwInnerContentType,
  [out, optional]     BYTE                        *pbDecoded,
  [in, out, optional] DWORD                       *pcbDecoded,
  [out, optional]     PCCERT_CONTEXT              *ppXchgCert,
  [out, optional]     PCCERT_CONTEXT              *ppSignerCert


[in] dwMsgTypeFlags

Indicates the message type. Message types can be combined with the bitwise-OR operator. This parameter can be one of the following message types:

Note  After return, the DWORD pointed to by pdwMsgType is set with the type of the message.

[in] pDecryptPara

A pointer to a CRYPT_DECRYPT_MESSAGE_PARA structure that contains decryption parameters.

[in] pVerifyPara

A pointer to a CRYPT_VERIFY_MESSAGE_PARA structure that contains verification parameters.

[in] dwSignerIndex

Indicates which signer, among the possible many signers of a message, is to be verified. This index can be changed in multiple calls to the function to verify additional signers.

dwSignerIndex is set to zero for the first signer. If the function returns FALSE, and GetLastError returns CRYPT_E_NO_SIGNER, the previous call returned the last signer of the message. This parameter is used only with messages of types CMSG_SIGNED_AND_ENVELOPED or CMSG_SIGNED. For all other message types, it should be set to zero.

[in] pbEncodedBlob

A pointer to the encoded BLOB that is to be decoded.

[in] cbEncodedBlob

The size, in bytes, of the encoded BLOB.

[in] dwPrevInnerContentType

Only applicable when processing nested cryptographic messages. When processing an outer cryptographic message, it must be set to zero. When decoding a nested cryptographic message, it is set to the value returned at pdwInnerContentType by a previous calling of CryptDecodeMessage for the outer message. It can be any of the CMSG types listed in pdwMsgType. For backward compatibility, set dwPrevInnerContentType to zero.

[out, optional] pdwMsgType

A pointer to a DWORD that specifies the message type returned. This parameter can be one of the following message types:


[out, optional] pdwInnerContentType

A pointer to a DWORD that specifies the type of an inner message. The message type codes used for pdwMsgType are used here, also.

If there is no cryptographic nesting, CMSG_DATA is returned.

[out, optional] pbDecoded

A pointer to a buffer to receive the decoded message.

This parameter can be NULL if the decoded message is not required or to set the size of the decoded message for memory allocation purposes. A decoded message will not be returned if this parameter is NULL. For more information, see Retrieving Data of Unknown Length.

[in, out, optional] pcbDecoded

A pointer to a variable that specifies the size, in bytes, of the buffer pointed to by the pbDecoded parameter. When the function returns, this variable contains the size of the decoded message.

Note  When processing the data returned in the buffer, applications must use the actual size of the data returned. The actual size can be slightly smaller than the size of the buffer specified on input. (On input, buffer sizes are usually specified large enough to ensure that the largest possible output data will fit in the buffer.) On output, the variable pointed to by this parameter is updated to reflect the actual size of the data copied to the buffer.

[out, optional] ppXchgCert

A pointer to a pointer to a CERT_CONTEXT structure with a certificate that corresponds to the private exchange key needed to decode the message. This parameter is only set for message types CMSG_ENVELOPED and CMSG_SIGNED_AND_ENVELOPED.

[out, optional] ppSignerCert

A pointer to a pointer to a CERT_CONTEXT structure of the certificate context of the signer. This parameter is only set for message types CMSG_SIGNED and CMSG_SIGNED_AND_ENVELOPED.

Return value

If the function succeeds, the function returns nonzero (TRUE).

If the function fails, it returns zero (FALSE). For extended error information, call GetLastError.

The CryptDecryptMessage, CryptVerifyMessageSignature, or CryptVerifyMessageHash functions can be propagated to this function.

The following error code is most commonly returned by the GetLastError function.

Return code Description
If the buffer specified by the pbDecoded parameter is not large enough to hold the returned data, the function sets the ERROR_MORE_DATA code and stores the required buffer size, in bytes, in the variable pointed to by pcbDecoded.


The dwMsgTypeFlags parameter specifies the set of allowable messages. For example, to decode either SIGNED or ENVELOPED messages, set dwMsgTypeFlags to CMSG_SIGNED_FLAG | CMSG_ENVELOPED_FLAG. Either or both of the pDecryptPara or pVerifyPara parameters must be specified.

For a successfully decoded or verified message, the certificate context pointers pointed to by ppXchgCert and ppSignerCert are updated. They must be freed by calling CertFreeCertificateContext. If the function fails, they are set to NULL.

The ppXchgCert or ppSignerCert parameters can be set to NULL before the function is called, which indicates that the caller is not interested in getting the exchange certificate or the signer certificate context.


Requirement Value
Minimum supported client Windows XP [desktop apps only]
Minimum supported server Windows Server 2003 [desktop apps only]
Target Platform Windows
Header wincrypt.h
Library Crypt32.lib
DLL Crypt32.dll

See also




Simplified Message Functions