The CryptDecrypt function is used to decrypt data that was previously encrypted by using the CryptEncrypt function.
Important changes have been made to the CryptoAPI in order to support S/MIME e-mail interoperability, which affect the handling of enveloped messages. See the Remarks for CryptMsgOpenToEncode for details.
Due to French import laws, the Microsoft CSPs do not allow encryption when the Microsoft® Windows NT® operating system is used in France. Therefore, under this condition, this function will fail with the error NTE_PERM.
#include <wincrypt.h>
BOOL WINAPI CryptDecrypt(
HCRYPTKEY hKey, // in
HCRYPTHASH hHash, // in
BOOL Final, // in
DWORD dwFlags, // in
BYTE *pbData, // in/out
DWORD *pcbData // in/out
);
This key specifies the decryption algorithm that is used.
If no hash is to be done, this parameter must be zero.
The number of encrypted bytes in this buffer is specified by pcbData.
When a block cipher is used, this data length must be a multiple of the block size, unless this is the final section of data to be decrypted and the Final flag is TRUE.
If the function succeeds, the return value is TRUE. If it fails, the return value is FALSE. To retrieve extended error information, use the GetLastError function.
The following table lists the error codes most commonly returned by the GetLastError function. The error codes prefaced by "NTE" are generated by the particular CSP you are using.
Error code | Description |
---|---|
ERROR_INVALID_HANDLE | One of the parameters specifies an invalid handle. |
ERROR_INVALID_PARAMETER | One of the parameters contains an invalid value. This is most often an illegal pointer. |
NTE_BAD_ALGID | The hKey session key specifies an algorithm that this CSP does not support. |
NTE_BAD_DATA | The data to be decrypted is invalid. For example, when a block cipher is used and the Final flag is FALSE, the value specified by pcbData must be a multiple of the block size. This error can also be returned when the padding is found to be invalid. |
NTE_BAD_FLAGS | The dwFlags parameter is nonzero. |
NTE_BAD_HASH | The hHash parameter contains an invalid handle. |
NTE_BAD_KEY | The hKey parameter does not contain a valid handle to a key. |
NTE_BAD_LEN | The size of the output buffer is too small to hold the generated plaintext. |
NTE_BAD_UID | The CSP context that was specified when the key was created cannot be found. |
NTE_DOUBLE_ENCRYPT | The application attempted to decrypt the same data twice. |
NTE_FAIL | The function failed in some unexpected way. |
If data is to be decrypted and hashed simultaneously, a handle to a hash object can be passed in the hHash parameter. The hash value will be updated with the decrypted plaintext. This option is useful when simultaneously decrypting and verifying a signature.
Before calling CryptDecrypt, the application should obtain a handle to the hash object by calling the CryptCreateHash function. After the decryption is complete, the hash value can be obtained (through CryptGetHashParam), it can be signed (through CryptSignHash), or it can be used to verify a digital signature (through CryptVerifySignature).
When a large amount of data needs to be decrypted, it can be done in sections. This is done by calling CryptDecrypt repeatedly. The Final parameter should be set to TRUE only on the last invocation of CryptDecrypt, so the decryption engine can properly finish the decryption process. The following extra actions are performed when Final is TRUE:
See Encrypting and Decrypting Data.
Windows NT: Requires version 4.0 or later.
Windows: Requires Windows 95 OSR2 or later (or Windows 95 with IE 3.02 or later).
Windows CE: Unsupported.
Header: Declared in wincrypt.h.
Import Library: Use advapi32.lib.
CryptCreateHash, CryptEncrypt, CryptGenKey, CryptGetKeyParam, CryptGetHashParam, CryptImportKey, CryptSignHash, CryptVerifySignature