Platform SDK: Cryptography

CPDecrypt

The CPDecrypt function decrypts data previously encrypted with the CPEncrypt function. Optionally, the application can specify that the decrypted data be hashed.

BOOL CPDecrypt(
  HCRYPTPROV hProv,      // in
  HCRYPTKEY hKey,        // in
  HCRYPTHASH hHash,      // in
  BOOL Final,            // in
  DWORD dwFlags,         // in
  BYTE *pbData,          // in, out
  DWORD *pdwDataLen      // in, out
);

Parameters

hProv
Handle to a particular key container within the CSP. This handle is obtained by a call to CPAcquireContext.
hKey
Handle to the session key for the decryption. This key specifies the decryption algorithm to be used.
hHash
Handle to a hash object. This parameter is used only if a hash of the data is to be computed after the data is decrypted.

This parameter is zero if no hash is to be done.

Final
Boolean value specifying whether this is the last section in a series of data blocks being decrypted. This will be TRUE if this is the last or only block, and FALSE otherwise.
dwFlags
No flags are currently defined.
pbData
Buffer on input holding the ciphertext to be decrypted. Once the decryption has been performed, the plaintext is written to this buffer overwriting the ciphertext. If a block cipher is used and dwFlags is TRUE, any padding data must be removed before returning the plaintext to the application.

This is simpler than the encryption case, since the plaintext generated is never larger than the ciphertext.

pdwDataLen
Address of a DWORD. Upon entry, the DWORD is the number of bytes of ciphertext in the pbData buffer. If a block cipher is used and Final is FALSE, this value must be a multiple of the cipher block length. Decryption is done in place, and the CPDecrypt function does not need to buffer any data internally.

Upon exit, the DWORD pointed to by this parameter indicates the number of bytes of plaintext in the pbData buffer.

Return Values

If the function succeeds, the return value is TRUE.

If the function fails, the return value is FALSE, and the appropriate error code from the following table must be set using SetLastError.

Error Description
NTE_BAD_ALGID The hKey session key specifies an algorithm that this CSP does not support.
NTE_BAD_DATA The data to be decrypted is invalid. For example, when a block cipher is used and the Final flag is FALSE, the value specified by pdwDataLen must be a multiple of the block size. This error can also be returned when the padding is found to be invalid.
NTE_BAD_FLAGS The dwFlags parameter is non-zero.
NTE_BAD_HASH The hHash parameter contains an invalid handle.
NTE_BAD_KEY The hKey parameter does not contain a valid handle to a session key.
NTE_BAD_LEN The size of the output buffer is too small to hold the generated plaintext.
NTE_BAD_UID The CSP context that was specified when the key was created cannot now be found.
NTE_DOUBLE_
ENCRYPT		 The application attempted to decrypt the same data twice.
NTE_FAIL The function failed in some unexpected way.

Remarks

In Windows 2000, the Microsoft Enhanced RSA Provider supports direct encryption with RSA public keys and decryption with RSA private keys. The encryption is done with PKCS #1 Type 2 padding, and on decryption this padding is verified. The length of ciphertext text data to be decrypted must be the same length as the modulus of the RSA key used to encrypt the data. If the ciphertext has 0x00 bytes in the most significant bytes, these bytes must be included in the input data buffer and in the input buffer length. The ciphertext must be in little endian format.

For additional requirement for developing this function for an schannel provider, see Bulk Data Encryption.

Requirements

  Windows NT/2000: Requires Windows NT 4.0 or later.
  Windows 95/98: Requires Windows 95 OSR2 or later (or Windows 95 with Internet Explorer 3.02 or later).
  Header: Declared in Wincrypt.h.

See Also

CPEncrypt, CPGenKey, CryptDecrypt

Built on Thursday, February 17, 2000