CryptVerifyCertificateSignature

The CryptVerifyCertificateSignature function verifies the signature of a subject certificate, certificate revocation list (CRL), or certificate request by using the supplied public key information.

#include <wincrypt.h>
BOOL WINAPI CryptVerifyCertificateSignature(
  HCRYPTPROV hCryptProv,            // in
  DWORD dwCertEncodingType,         // in
  BYTE *pbEncoded,                  // in, constant
  DWORD cbEncoded,                  // in
  PCERT_PUBLIC_KEY_INFO pPublicKey  // in
);
 

Parameters

hCryptProv
Specifies the Cryptographic Service Provider to use when verifying the signature.

Unless there is a strong reason for passing in a specific cryptographic provider in hCryptProv, zero should be passed in. Passing in zero causes the default RSA or DSS provider to be acquired before doing hash, signature verification or recipient encryption operations.

dwCertEncodingType
The type of encoding used on the certificate. Currently defined certificate encoding types are shown in the following table:

  Encoding type        Value
  X509_ASN_ENCODING    0x00000001

pbEncoded
The address of the encoded content (an encoded CERT_SIGNED_CONTENT_INFO structure) on which the signature is to be verified.
cbEncoded
The size, in bytes, of the encoded content.
pPublicKey
A pointer to the specified public key to use when verifying the signature.

Return Values

Returns TRUE for a valid signature.

Call GetLastError to see the reason for any failures. Note that errors from the called functions CryptCreateHash, CryptImportKey, CryptVerifySignature, and CryptHashData may be propagated to this function. This function has the following error codes.

  Error code            Description
  CRYPT_E_OSS_ERROR     ASN.1 decoding error. To get the OSS error, subtract CRYPT_E_OSS_ERROR from the returned error and see asn1code.h for details on the error.
  ERROR_FILE_NOT_FOUND  Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported.
  NTE_BAD_ALGID         The signature algorithm's Object Identifier doesn't map to a known or supported hash algorithm.
  NTE_BAD_SIGNATURE     The signature was not verified.
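The following is an added, portable illustration of the check this function performs; it is not the Windows API and not code from this page. It parses the DER CERT_SIGNED_CONTENT_INFO (SEQUENCE of toBeSigned, AlgorithmIdentifier and signature BIT STRING) that pbEncoded points at, maps the signature OID to a hash the way CryptoAPI's OID table does (an unknown OID is the NTE_BAD_ALGID case), hashes toBeSigned exactly as encoded and checks a PKCS#1 v1.5 RSA signature against the public key (a mismatch is the NTE_BAD_SIGNATURE case). All names (der, der_read, der_oid, verify_signed_content, make_sample, BadAlgId) are this example's own, and the key and signed blob are constructed inline from a seeded PRNG for demonstration only.

```python
"""Constructed Python analogue of the check CryptVerifyCertificateSignature
performs. It does NOT call the Windows API; all names here are this example's."""
import hashlib
import random

# ---- minimal DER helpers (constructed for this example) -----------------
def der(tag, body):
    """Encode one TLV with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_read(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, body, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += enc
    return der(0x06, bytes(out))

# Signature-algorithm OID (as DER TLV) -> (hash name, PKCS#1 DigestInfo prefix).
# CryptoAPI keeps a similar OID table; an OID missing here is the NTE_BAD_ALGID case.
SIG_ALGS = {
    der_oid("1.2.840.113549.1.1.11"):          # sha256WithRSAEncryption
        ("sha256", bytes.fromhex("3031300d060960864801650304020105000420")),
}

class BadAlgId(Exception):
    """Stand-in for NTE_BAD_ALGID: OID does not map to a supported hash."""

def _pkcs1_em(prefix, digest, k):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo, k bytes long."""
    return b"\x00\x01" + b"\xff" * (k - 3 - len(prefix) - len(digest)) + b"\x00" + prefix + digest

def verify_signed_content(encoded, n, e):
    """Analogue of CryptVerifyCertificateSignature for an RSA public key (n, e).
    encoded is a DER CERT_SIGNED_CONTENT_INFO:
        SEQUENCE { toBeSigned, AlgorithmIdentifier, BIT STRING signature }
    Returns True for a valid signature, False otherwise; raises BadAlgId for an
    unknown signature OID and ValueError for a structure that does not decode."""
    tag, seq, _ = der_read(encoded, 0)
    if tag != 0x30:
        raise ValueError("ASN.1 decoding error: outer SEQUENCE expected")
    _, _, tbs_end = der_read(seq, 0)
    to_be_signed = seq[:tbs_end]            # hashed exactly as encoded, tag and length included
    _, alg_body, alg_end = der_read(seq, tbs_end)
    oid_tag, _, oid_end = der_read(alg_body, 0)
    oid_tlv = alg_body[:oid_end]
    if oid_tag != 0x06 or oid_tlv not in SIG_ALGS:
        raise BadAlgId("signature algorithm OID not supported")
    hash_name, prefix = SIG_ALGS[oid_tlv]
    sig_tag, sig_body, _ = der_read(seq, alg_end)
    if sig_tag != 0x03 or sig_body[0] != 0:   # BIT STRING with zero unused bits
        raise ValueError("ASN.1 decoding error: signature BIT STRING expected")
    signature = sig_body[1:]
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    digest = hashlib.new(hash_name, to_be_signed).digest()
    return em == _pkcs1_em(prefix, digest, k)   # mismatch == NTE_BAD_SIGNATURE

# ---- constructed sample input (toy key from a seeded PRNG, NOT for real use) ----
def _probable_prime(bits, rng):
    """Fermat-tested odd candidate with the top bit set and 65537 not dividing p-1."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if cand % 65537 != 1 and all(pow(a, cand - 1, cand) == 1 for a in (2, 3, 5, 7, 11)):
            return cand

def make_sample(alg_oid="1.2.840.113549.1.1.11", seed=7):
    """Build (encoded, n, e): a 1024-bit RSA key and a signed blob whose
    AlgorithmIdentifier carries alg_oid. The body is always signed with
    SHA-256, so a different alg_oid exercises the unsupported-OID path."""
    rng = random.Random(seed)
    p, q, e = _probable_prime(512, rng), _probable_prime(512, rng), 65537
    n, d = p * q, pow(65537, -1, (p - 1) * (q - 1))
    to_be_signed = der(0x30, der(0x02, b"\x01") + der(0x0C, b"CN=constructed example"))
    hash_name, prefix = SIG_ALGS[der_oid("1.2.840.113549.1.1.11")]
    k = (n.bit_length() + 7) // 8
    em = _pkcs1_em(prefix, hashlib.new(hash_name, to_be_signed).digest(), k)
    sig = pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")
    alg = der(0x30, der_oid(alg_oid) + der(0x05, b""))
    return der(0x30, to_be_signed + alg + der(0x03, b"\x00" + sig)), n, e

if __name__ == "__main__":
    encoded, n, e = make_sample()
    print("valid signature:", verify_signed_content(encoded, n, e))
```

The point to take from it is the order of failures a caller sees through GetLastError: the structure must decode first, then the OID must map to a hash, and only then is the signature value compared, so a FALSE return with NTE_BAD_SIGNATURE means the content was well formed and the algorithm known but the bytes of toBeSigned or the signature did not match the key that was passed in.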

Example

// EXAMPLE CODE FOR USING CryptVerifyCertificateSignature().
// Verifies the signature of a subject certificate, certificate
// revocation list (CRL), or certificate request.
// Assume that pointers to the encoded content (pbEncoded)
// and the public key (pPublicKey) have already been defined.

#include <windows.h>
#include <wincrypt.h>
#include <iostream>
using namespace std;
#pragma comment(lib, "crypt32.lib")   // import library for this function

// Set up the variables.
HCRYPTPROV hCryptProv = 0;        // Service Provider handle
DWORD dwCertEncodingType = X509_ASN_ENCODING;
                                  // Type of encoding
BYTE *pbEncoded;                  // Initialized elsewhere
DWORD cbEncoded;                  // Size of content (bytes)
PCERT_PUBLIC_KEY_INFO pPublicKey; // Initialized elsewhere
BOOL fResult;                     // Returns TRUE for a valid signature,
                                  //   FALSE for an invalid signature

fResult = CryptVerifyCertificateSignature(
           hCryptProv,        // in - 0 is default RSA or DSS provider
           dwCertEncodingType,// in - X509_ASN_ENCODING
           pbEncoded,         // in/constant - Pointer to encoded
                              //   content
           cbEncoded,         // in - Size of encoded content (bytes)
           pPublicKey);       // in - Pointer to the public key

if (!fResult) {               // FALSE
  cout << "Invalid signature or error" << endl
       << "error code = " << GetLastError() << endl;
}
else {                        // TRUE
  cout << "Valid signature" << endl;
}
 

QuickInfo

  Windows NT: Requires version 4.0 SP3 or later. Available also in IE 3.02 and later.
  Windows: Requires Windows 98 (or Windows 95 with IE 3.02 or later).
  Windows CE: Unsupported.
  Header: Declared in wincrypt.h.
  Import Library: Use crypt32.lib.