wcrypt2.pas

{******************************************************************}
{                                                                  }
{ Borland Delphi Runtime Library                                   }
{ Cryptographic API interface unit                                 }
{                                                                  }
{ Portions created by Microsoft are                                }
{ Copyright (C) 1993-1998 Microsoft Corporation.                   }
{ All Rights Reserved.                                             }
{                                                                  }
{ The original file is: wincrypt.h, 1992 - 1997                    }
{ The original Pascal code is: wcrypt2.pas, released 01 Jan 1998   }
{ The initial developer of the Pascal code is                      }
{  Massimo Maria Ghisalberti  (nissl@dada.it)                      }
{                                                                  }
{ Portions created by Massimo Maria Ghisalberti are                }
{ Copyright (C) 1997-1998 Massimo Maria Ghisalberti                }
{                                                                  }
{ Contributor(s):                                                  }
{     Peter Tang (peter.tang@citicorp.com)                         }
{     Phil Shrimpton (phil@shrimpton.co.uk)                        }
{     Vincent Hardy (vincent.hardy.be@gmail.com)                   }
{                                                                  }
{ Obtained through:                                                }
{                                                                  }
{ Joint Endeavour of Delphi Innovators (Project JEDI)              }
{                                                                  }
{ You may retrieve the original version of this file at the        }
{ Project JEDI home page, located at http://delphi-jedi.org        }
{                                                                  }
{ You may retrieve the latest version of this file at              }
{ https://github.com/delphiunderground/eid-mw-sdk-delphi           }
{                                                                  }
{ The contents of this file are used with permission, subject to   }
{ the Mozilla Public License Version 1.1 (the "License"); you may  }
{ not use this file except in compliance with the License. You may }
{ obtain a copy of the License at                                  }
{ http://www.mozilla.org/MPL/MPL-1.1.html                          }
{                                                                  }
{ Software distributed under the License is distributed on an      }
{ "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or   }
{ implied. See the License for the specific language governing     }
{ rights and limitations under the License.                        }
{                                                                  }
{******************************************************************}

unit wcrypt2;

{.DEFINE NT5}

{$ALIGN ON}

{$IFNDEF VER90}
  {$WEAKPACKAGEUNIT}
{$ENDIF}

{$IFDEF FPC}
  {$MODE DELPHI}
{$ENDIF}

interface

uses
  Windows
  {$IFDEF VER90}
  ,Ole2
  {$ENDIF};

const
  ADVAPI32    = 'advapi32.dll';
  CRYPT32     = 'crypt32.dll';
  SOFTPUB     = 'softpub.dll';
{$IFDEF NT5}
  ADVAPI32NT5 = 'advapi32.dll';
{$ENDIF}

{Support Type}

type
    PVOID = Pointer;
    LONG  = DWORD;
    {$IFDEF UNICODE}
      LPAWSTR = PWideChar;
    {$ELSE}
      LPAWSTR = PAnsiChar;
    {$ENDIF}

//-----------------------------------------------------------------------------
    // Type support for a pointer to an array of pointer (type **name)
    PLPSTR          = Pointer; // type for a pointer to Array of pointer a type
    PPCERT_INFO     = Pointer; // type for a pointer to Array of pointer a type
    PPVOID          = Pointer; // type for a pointer to Array of pointer a type
    PPCCERT_CONTEXT = Pointer; // type for a pointer to Array of pointer a type
    PPCCTL_CONTEXT  = Pointer; // type for a pointer to Array of pointer a type
    PPCCRL_CONTEXT  = Pointer; // type for a pointer to Array of pointer a type
//-----------------------------------------------------------------------------

//+---------------------------------------------------------------------------
//
//  Microsoft Windows
//  Copyright (C) Microsoft Corporation, 1992 - 1997.
//
//  File:       wincrypt.h
//
//  Contents:   Cryptographic API Prototypes and Definitions
//
//----------------------------------------------------------------------------


//
// Algorithm IDs and Flags
//

// ALG_ID crackers
function GET_ALG_CLASS(x:integer) :integer;
function GET_ALG_TYPE(x:integer) :integer;
function GET_ALG_SID(x:integer) :integer;

Const
  // Algorithm classes
  ALG_CLASS_ANY          = 0;
  ALG_CLASS_SIGNATURE    = (1 shl 13);
  ALG_CLASS_MSG_ENCRYPT  = (2 shl 13);
  ALG_CLASS_DATA_ENCRYPT = (3 shl 13);
  ALG_CLASS_HASH         = (4 shl 13);
  ALG_CLASS_KEY_EXCHANGE = (5 shl 13);

  // Algorithm types
  ALG_TYPE_ANY           = 0;
  ALG_TYPE_DSS           = (1 shl 9);
  ALG_TYPE_RSA           = (2 shl 9);
  ALG_TYPE_BLOCK         = (3 shl 9);
  ALG_TYPE_STREAM        = (4 shl 9);
  ALG_TYPE_DH            = (5 shl 9);
  ALG_TYPE_SECURECHANNEL = (6 shl 9);

  // Generic sub-ids
  ALG_SID_ANY = 0;

  // Some RSA sub-ids
  ALG_SID_RSA_ANY        = 0;
  ALG_SID_RSA_PKCS       = 1;
  ALG_SID_RSA_MSATWORK   = 2;
  ALG_SID_RSA_ENTRUST    = 3;
  ALG_SID_RSA_PGP        = 4;

  // Some DSS sub-ids
  ALG_SID_DSS_ANY        = 0;
  ALG_SID_DSS_PKCS       = 1;
  ALG_SID_DSS_DMS        = 2;

  // Block cipher sub ids
  // DES sub_ids
  ALG_SID_DES            = 1;
  ALG_SID_3DES           = 3;
  ALG_SID_DESX           = 4;
  ALG_SID_IDEA           = 5;
  ALG_SID_CAST           = 6;
  ALG_SID_SAFERSK64      = 7;
  ALD_SID_SAFERSK128     = 8;
  ALG_SID_SAFERSK128     = 8;
  ALG_SID_3DES_112       = 9;
  // AES sub_ids
  //algorithm identifier got from
  //https://msdn.microsoft.com/en-us/library/windows/desktop/aa375549%28v=vs.85%29.aspx
  ALG_SID_AES_128        = 14;
  ALG_SID_AES_192        = 15;
  ALG_SID_AES_256        = 16;
  ALG_SID_AES            = 17;
  //---------------------------------------------------------------------------
  ALG_SID_CYLINK_MEK     = 12;
  ALG_SID_RC5            = 13;

  // Fortezza sub-ids
  ALG_SID_SKIPJACK       = 10;
  ALG_SID_TEK            = 11;

  // KP_MODE
  CRYPT_MODE_CBCI        = 6;  {ANSI CBC Interleaved}
  CRYPT_MODE_CFBP        = 7;  {ANSI CFB Pipelined}
  CRYPT_MODE_OFBP        = 8;  {ANSI OFB Pipelined}
  CRYPT_MODE_CBCOFM      = 9;  {ANSI CBC + OF Masking}
  CRYPT_MODE_CBCOFMI     = 10; {ANSI CBC + OFM Interleaved}

  // RC2 sub-ids
  ALG_SID_RC2            = 2;

  // Stream cipher sub-ids
  ALG_SID_RC4            = 1;
  ALG_SID_SEAL           = 2;

  // Diffie-Hellman sub-ids
  ALG_SID_DH_SANDF       = 1;
  ALG_SID_DH_EPHEM       = 2;
  ALG_SID_AGREED_KEY_ANY = 3;
  ALG_SID_KEA            = 4;

  // Hash sub ids
  ALG_SID_MD2            = 1;
  ALG_SID_MD4            = 2;
  ALG_SID_MD5            = 3;
  ALG_SID_SHA            = 4;
  ALG_SID_SHA1           = 4;
  ALG_SID_MAC            = 5;
  ALG_SID_RIPEMD         = 6;
  ALG_SID_RIPEMD160      = 7;
  ALG_SID_SSL3SHAMD5     = 8;
  ALG_SID_HMAC           = 9;
  ALG_SID_SHA_256        = 12;
  ALG_SID_SHA_384        = 13;
  ALG_SID_SHA_512        = 14;

  // secure channel sub ids
  ALG_SID_SSL3_MASTER          = 1;
  ALG_SID_SCHANNEL_MASTER_HASH = 2;
  ALG_SID_SCHANNEL_MAC_KEY     = 3;
  ALG_SID_PCT1_MASTER          = 4;
  ALG_SID_SSL2_MASTER          = 5;
  ALG_SID_TLS1_MASTER          = 6;
  ALG_SID_SCHANNEL_ENC_KEY     = 7;

  // Our silly example sub-id
  ALG_SID_EXAMPLE              = 80;

{$IFNDEF ALGIDDEF}
  {$DEFINE ALGIDDEF}
Type ALG_ID = ULONG;
{$ENDIF}

// algorithm identifier definitions
Const
  CALG_MD2              = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_MD2);
  CALG_MD4              = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_MD4);
  CALG_MD5              = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_MD5);
  CALG_SHA              = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_SHA);
  CALG_SHA1             = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_SHA1);
  CALG_SHA_256          = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_SHA_256);
  CALG_SHA_384          = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_SHA_384);
  CALG_SHA_512          = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_SHA_512);
  CALG_MAC              = (ALG_CLASS_HASH or ALG_TYPE_ANY or ALG_SID_MAC);
  CALG_RSA_SIGN         = (ALG_CLASS_SIGNATURE or ALG_TYPE_RSA or ALG_SID_RSA_ANY);
  CALG_DSS_SIGN         = (ALG_CLASS_SIGNATURE or ALG_TYPE_DSS or ALG_SID_DSS_ANY);
  CALG_RSA_KEYX         = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_RSA or ALG_SID_RSA_ANY);
  CALG_DES              = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_DES);
  CALG_3DES_112         = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_3DES_112);
  CALG_3DES             = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_3DES);
  CALG_AES_128          = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_AES_128);
  CALG_AES_192          = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_AES_192);
  CALG_AES_256          = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_AES_256);
  CALG_AES              = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_AES);
  CALG_RC2              = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_RC2);
  CALG_RC4              = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_STREAM or ALG_SID_RC4);
  CALG_SEAL             = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_STREAM or ALG_SID_SEAL);
  CALG_DH_SF            = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_DH or ALG_SID_DH_SANDF);
  CALG_DH_EPHEM         = (ALG_CLASS_KEY_EXCHANGE  or  ALG_TYPE_DH  or  ALG_SID_DH_EPHEM);
  CALG_AGREEDKEY_ANY    = (ALG_CLASS_KEY_EXCHANGE  or ALG_TYPE_DH or ALG_SID_AGREED_KEY_ANY);
  CALG_KEA_KEYX         = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_DH or ALG_SID_KEA);
  CALG_HUGHES_MD5       = (ALG_CLASS_KEY_EXCHANGE or ALG_TYPE_ANY or ALG_SID_MD5);
  CALG_SKIPJACK         = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_SKIPJACK);
  CALG_TEK              = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_TEK);
  CALG_CYLINK_MEK       = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_CYLINK_MEK);
  CALG_SSL3_SHAMD5      = (ALG_CLASS_HASH  or  ALG_TYPE_ANY  or  ALG_SID_SSL3SHAMD5);
  CALG_SSL3_MASTER      = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SSL3_MASTER);
  CALG_SCHANNEL_MASTER_HASH = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SCHANNEL_MASTER_HASH);
  CALG_SCHANNEL_MAC_KEY = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SCHANNEL_MAC_KEY);
  CALG_SCHANNEL_ENC_KEY = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SCHANNEL_ENC_KEY);
  CALG_PCT1_MASTER      = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_PCT1_MASTER);
  CALG_SSL2_MASTER      = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_SSL2_MASTER);
  CALG_TLS1_MASTER      = (ALG_CLASS_MSG_ENCRYPT or ALG_TYPE_SECURECHANNEL or ALG_SID_TLS1_MASTER);
  CALG_RC5              = (ALG_CLASS_DATA_ENCRYPT or ALG_TYPE_BLOCK or ALG_SID_RC5);
  CALG_HMAC             = (ALG_CLASS_HASH  or  ALG_TYPE_ANY  or  ALG_SID_HMAC);

type
  PVTableProvStruc = ^VTableProvStruc;
  VTableProvStruc = record
    Version         :DWORD;
    FuncVerifyImage :TFarProc;
    FuncReturnhWnd  :TFarProc;
    dwProvType      :DWORD;
    pbContextInfo   :PBYTE;
    cbContextInfo   :DWORD;
end;

//type HCRYPTPROV = ULONG;
//type HCRYPTKEY  = ULONG;
//type HCRYPTHASH = ULONG;


const
  // dwFlags definitions for CryptAcquireContext
  CRYPT_VERIFYCONTEXT  = $F0000000;
  CRYPT_NEWKEYSET      = $00000008;
  CRYPT_DELETEKEYSET   = $00000010;
  CRYPT_MACHINE_KEYSET = $00000020;

  // dwFlag definitions for CryptGenKey
  CRYPT_EXPORTABLE     = $00000001;
  CRYPT_USER_PROTECTED = $00000002;
  CRYPT_CREATE_SALT    = $00000004;
  CRYPT_UPDATE_KEY     = $00000008;
  CRYPT_NO_SALT        = $00000010;
  CRYPT_PREGEN         = $00000040;
  CRYPT_RECIPIENT      = $00000010;
  CRYPT_INITIATOR      = $00000040;
  CRYPT_ONLINE         = $00000080;
  CRYPT_SF             = $00000100;
  CRYPT_CREATE_IV      = $00000200;
  CRYPT_KEK            = $00000400;
  CRYPT_DATA_KEY       = $00000800;

  // dwFlags definitions for CryptDeriveKey
  CRYPT_SERVER         = $00000400;

  KEY_LENGTH_MASK      = $FFFF0000;

  // dwFlag definitions for CryptExportKey
  CRYPT_Y_ONLY        = $00000001;
  CRYPT_SSL2_SLUMMING = $00000002;

  // dwFlags definitions for CryptHashSessionKey
  CRYPT_LITTLE_ENDIAN = $00000001;

  // dwFlag definitions for CryptSetProviderEx and CryptGetDefaultProvider
  CRYPT_MACHINE_DEFAULT = $00000001;
  CRYPT_USER_DEFAULT    = $00000002;
  CRYPT_DELETE_DEFAULT  = $00000004;

  // exported key blob definitions
  SIMPLEBLOB        = $1;
  PUBLICKEYBLOB     = $6;
  PRIVATEKEYBLOB    = $7;
  PLAINTEXTKEYBLOB  = $8;
  AT_KEYEXCHANGE    = 1;
  AT_SIGNATURE      = 2;
  CRYPT_USERDATA    = 1;

  // dwParam
  KP_IV                 = 1;  // Initialization vector
  KP_SALT               = 2;  // Salt value
  KP_PADDING            = 3;  // Padding values
  KP_MODE               = 4;  // Mode of the cipher
  KP_MODE_BITS          = 5;  // Number of bits to feedback
  KP_PERMISSIONS        = 6;  // Key permissions DWORD
  KP_ALGID              = 7;  // Key algorithm
  KP_BLOCKLEN           = 8;  // Block size of the cipher
  KP_KEYLEN             = 9;  // Length of key in bits
  KP_SALT_EX            = 10; // Length of salt in bytes
  KP_P                  = 11; // DSS/Diffie-Hellman P value
  KP_G                  = 12; // DSS/Diffie-Hellman G value
  KP_Q                  = 13; // DSS Q value
  KP_X                  = 14; // Diffie-Hellman X value
  KP_Y                  = 15; // Y value
  KP_RA                 = 16; // Fortezza RA value
  KP_RB                 = 17; // Fortezza RB value
  KP_INFO               = 18; // for putting information into an RSA envelope
  KP_EFFECTIVE_KEYLEN   = 19; // setting and getting RC2 effective key length
  KP_SCHANNEL_ALG	= 20; // for setting the Secure Channel algorithms
  KP_CLIENT_RANDOM      = 21; // for setting the Secure Channel client random data
  KP_SERVER_RANDOM      = 22; // for setting the Secure Channel server random data
  KP_RP                 = 23;
  KP_PRECOMP_MD5        = 24;
  KP_PRECOMP_SHA        = 25;
  KP_CERTIFICATE        = 26; // for setting Secure Channel certificate data (PCT1)
  KP_CLEAR_KEY          = 27; // for setting Secure Channel clear key data (PCT1)
  KP_PUB_EX_LEN         = 28;
  KP_PUB_EX_VAL         = 29;

  // KP_PADDING
  PKCS5_PADDING         = 1; {PKCS 5 (sec 6.2) padding method}
  RANDOM_PADDING        = 2;
  ZERO_PADDING          = 3;

  // KP_MODE
  CRYPT_MODE_CBC    = 1; // Cipher block chaining
  CRYPT_MODE_ECB    = 2; // Electronic code book
  CRYPT_MODE_OFB    = 3; // Output feedback mode
  CRYPT_MODE_CFB    = 4; // Cipher feedback mode
  CRYPT_MODE_CTS    = 5; // Ciphertext stealing mode

  // KP_PERMISSIONS
  CRYPT_ENCRYPT     = $0001; // Allow encryption
  CRYPT_DECRYPT     = $0002; // Allow decryption
  CRYPT_EXPORT      = $0004; // Allow key to be exported
  CRYPT_READ        = $0008; // Allow parameters to be read
  CRYPT_WRITE       = $0010; // Allow parameters to be set
  CRYPT_MAC         = $0020; // Allow MACs to be used with key
  CRYPT_EXPORT_KEY  = $0040; // Allow key to be used for exporting keys
  CRYPT_IMPORT_KEY  = $0080; // Allow key to be used for importing keys

  HP_ALGID          = $0001; // Hash algorithm
  HP_HASHVAL        = $0002; // Hash value
  HP_HASHSIZE       = $0004; // Hash value size

  HP_HMAC_INFO      = $0005; // information for creating an HMAC

  CRYPT_FAILED      = FALSE;
  CRYPT_SUCCEED     = TRUE;

function RCRYPT_SUCCEEDED(rt:BOOL):BOOL;
function RCRYPT_FAILED(rt:BOOL):BOOL;

const
  // CryptGetProvParam
  PP_ENUMALGS            = 1;
  PP_ENUMCONTAINERS      = 2;
  PP_IMPTYPE             = 3;
  PP_NAME                = 4;
  PP_VERSION             = 5;
  PP_CONTAINER           = 6;
  PP_CHANGE_PASSWORD     = 7;
  PP_KEYSET_SEC_DESCR    = 8;  // get/set security descriptor of keyset
  PP_CERTCHAIN           = 9;  // for retrieving certificates from tokens
  PP_KEY_TYPE_SUBTYPE    = 10;
  PP_PROVTYPE            = 16;
  PP_KEYSTORAGE          = 17;
  PP_APPLI_CERT          = 18;
  PP_SYM_KEYSIZE         = 19;
  PP_SESSION_KEYSIZE     = 20;
  PP_UI_PROMPT           = 21;
  PP_ENUMALGS_EX         = 22;
  CRYPT_FIRST            = 1;
  CRYPT_NEXT             = 2;
  CRYPT_IMPL_HARDWARE    = 1;
  CRYPT_IMPL_SOFTWARE    = 2;
  CRYPT_IMPL_MIXED       = 3;
  CRYPT_IMPL_UNKNOWN     = 4;

  // key storage flags
  CRYPT_SEC_DESCR        = $00000001;
  CRYPT_PSTORE           = $00000002;
  CRYPT_UI_PROMPT        = $00000004;

  // protocol flags
  CRYPT_FLAG_PCT1        = $0001;
  CRYPT_FLAG_SSL2        = $0002;
  CRYPT_FLAG_SSL3        = $0004;
  CRYPT_FLAG_TLS1        = $0008;

  // CryptSetProvParam
  PP_CLIENT_HWND         = 1;
  PP_CONTEXT_INFO        = 11;
  PP_KEYEXCHANGE_KEYSIZE = 12;
  PP_SIGNATURE_KEYSIZE   = 13;
  PP_KEYEXCHANGE_ALG     = 14;
  PP_SIGNATURE_ALG       = 15;
  PP_DELETEKEY           = 24;

  PROV_RSA_FULL          = 1;
  PROV_RSA_SIG           = 2;
  PROV_DSS               = 3;
  PROV_FORTEZZA          = 4;
  PROV_MS_EXCHANGE       = 5;
  PROV_SSL               = 6;

PROV_RSA_SCHANNEL        = 12;
PROV_DSS_DH              = 13;
PROV_EC_ECDSA_SIG        = 14;
PROV_EC_ECNRA_SIG        = 15;
PROV_EC_ECDSA_FULL       = 16;
PROV_EC_ECNRA_FULL       = 17;
PROV_SPYRUS_LYNKS        = 20;
PROV_RSA_AES             = 24;


  // STT defined Providers
  PROV_STT_MER           = 7;
  PROV_STT_ACQ           = 8;
  PROV_STT_BRND          = 9;
  PROV_STT_ROOT          = 10;
  PROV_STT_ISS           = 11;

  // Provider friendly names
  MS_DEF_PROV_A          = 'Microsoft Base Cryptographic Provider v1.0';
  {$IFNDEF VER90}
    MS_DEF_PROV_W        = WideString( 'Microsoft Base Cryptographic Provider v1.0');
  {$ELSE}
    MS_DEF_PROV_W        = ( 'Microsoft Base Cryptographic Provider v1.0');
  {$ENDIF}

{$IFDEF UNICODE}
  MS_DEF_PROV            = MS_DEF_PROV_W;
{$ELSE}
  MS_DEF_PROV            = MS_DEF_PROV_A;
{$ENDIF}

  MS_ENHANCED_PROV_A   = 'Microsoft Enhanced Cryptographic Provider v1.0';
  {$IFNDEF VER90}
    MS_ENHANCED_PROV_W = WideString('Microsoft Enhanced Cryptographic Provider v1.0');
  {$ELSE}
    MS_ENHANCED_PROV_W = ('Microsoft Enhanced Cryptographic Provider v1.0');
  {$ENDIF}

{$IFDEF UNICODE}
  MS_ENHANCED_PROV = MS_ENHANCED_PROV_W;
{$ELSE}
  MS_ENHANCED_PROV = MS_ENHANCED_PROV_A;
{$ENDIF}

  MS_DEF_RSA_SIG_PROV_A    = 'Microsoft RSA Signature Cryptographic Provider';
  {$IFNDEF VER90}
    MS_DEF_RSA_SIG_PROV_W  = WideString('Microsoft RSA Signature Cryptographic Provider');
  {$ELSE}
    MS_DEF_RSA_SIG_PROV_W  = ('Microsoft RSA Signature Cryptographic Provider');
  {$ENDIF}

{$IFDEF UNICODE}
  MS_DEF_RSA_SIG_PROV = MS_DEF_RSA_SIG_PROV_W;
{$ELSE}
  MS_DEF_RSA_SIG_PROV = MS_DEF_RSA_SIG_PROV_A;
{$ENDIF}

  MS_DEF_RSA_SCHANNEL_PROV_A    = 'Microsoft Base RSA SChannel Cryptographic Provider';
  {$IFNDEF VER90}
    MS_DEF_RSA_SCHANNEL_PROV_W  = WideString('Microsoft Base RSA SChannel Cryptographic Provider');
  {$ELSE}
    MS_DEF_RSA_SCHANNEL_PROV_W  = ('Microsoft Base RSA SChannel Cryptographic Provider');
  {$ENDIF}


{$IFDEF UNICODE}
  MS_DEF_RSA_SCHANNEL_PROV = MS_DEF_RSA_SCHANNEL_PROV_W;
{$ELSE}
  MS_DEF_RSA_SCHANNEL_PROV = MS_DEF_RSA_SCHANNEL_PROV_A;
{$ENDIF}

  MS_ENHANCED_RSA_SCHANNEL_PROV_A    = 'Microsoft Enhanced RSA SChannel Cryptographic Provider';
  {$IFNDEF VER90}
    MS_ENHANCED_RSA_SCHANNEL_PROV_W  = WideString('Microsoft Enhanced RSA SChannel Cryptographic Provider');
  {$ELSE}
    MS_ENHANCED_RSA_SCHANNEL_PROV_W  = ('Microsoft Enhanced RSA SChannel Cryptographic Provider');
  {$ENDIF}

{$IFDEF UNICODE}
  MS_ENHANCED_RSA_SCHANNEL_PROV = MS_ENHANCED_RSA_SCHANNEL_PROV_W;
{$ELSE}
  MS_ENHANCED_RSA_SCHANNEL_PROV = MS_ENHANCED_RSA_SCHANNEL_PROV_A;
{$ENDIF}

  MS_DEF_DSS_PROV_A    =  'Microsoft Base DSS Cryptographic Provider';
  {$IFNDEF VER90}
    MS_DEF_DSS_PROV_W  = WideString('Microsoft Base DSS Cryptographic Provider');
  {$ELSE}
    MS_DEF_DSS_PROV_W  = ('Microsoft Base DSS Cryptographic Provider');
  {$ENDIF}

{$IFDEF UNICODE}
  MS_DEF_DSS_PROV = MS_DEF_DSS_PROV_W;
{$ELSE}
  MS_DEF_DSS_PROV = MS_DEF_DSS_PROV_A;
{$ENDIF}

  MS_DEF_DSS_DH_PROV_A    = 'Microsoft Base DSS and Diffie-Hellman Cryptographic Provider';
  {$IFNDEF VER90}
    MS_DEF_DSS_DH_PROV_W  = WideString('Microsoft Base DSS and Diffie-Hellman Cryptographic Provider');
  {$ELSE}
    MS_DEF_DSS_DH_PROV_W  = ('Microsoft Base DSS and Diffie-Hellman Cryptographic Provider');
  {$ENDIF}

{$IFDEF UNICODE}
  MS_DEF_DSS_DH_PROV = MS_DEF_DSS_DH_PROV_W;
{$ELSE}
  MS_DEF_DSS_DH_PROV = MS_DEF_DSS_DH_PROV_A;
{$ENDIF}

  MAXUIDLEN              = 64;
  CUR_BLOB_VERSION       = 2;

{structure for use with CryptSetHashParam with CALG_HMAC}
type
  PHMAC_INFO = ^HMAC_INFO;
  HMAC_INFO = record
    HashAlgid     :ALG_ID;
    pbInnerString :PBYTE;
    cbInnerString :DWORD;
    pbOuterString :PBYTE;
    cbOuterString :DWORD;
  end;

// structure for use with CryptSetHashParam with CALG_HMAC
type
  PSCHANNEL_ALG = ^SCHANNEL_ALG;
  SCHANNEL_ALG  = record
    dwUse :DWORD;
    Algid :ALG_ID;
    cBits :DWORD;
  end;

// uses of algortihms for SCHANNEL_ALG structure
const
  SCHANNEL_MAC_KEY = $00000000;
  SCHANNEL_ENC_KEY = $00000001;

type
  PPROV_ENUMALGS = ^PROV_ENUMALGS;
  PROV_ENUMALGS = record
    aiAlgid   :ALG_ID;
    dwBitLen  :DWORD;
    dwNameLen :DWORD;
    szName    :array[0..20-1] of Char;
  end ;

type
  PPROV_ENUMALGS_EX = ^PROV_ENUMALGS_EX;
  PROV_ENUMALGS_EX = record
    aiAlgid       :ALG_ID;
    dwDefaultLen  :DWORD;
    dwMinLen      :DWORD;
    dwMaxLen      :DWORD;
    dwProtocols   :DWORD;
    dwNameLen     :DWORD;
    szName        :array[0..20-1] of Char;
    dwLongNameLen :DWORD;
    szLongName    :array[0..40-1] of Char;
    end;

type
  PPUBLICKEYSTRUC = ^PUBLICKEYSTRUC;
  PUBLICKEYSTRUC = record
    bType    :BYTE;
    bVersion :BYTE;
    reserved :Word;
    aiKeyAlg :ALG_ID;
  end;

type
  BLOBHEADER  = PUBLICKEYSTRUC;
  PBLOBHEADER = ^BLOBHEADER;

type
  PRSAPUBKEY = ^RSAPUBKEY;
  RSAPUBKEY = record
    magic  :DWORD;  // Has to be RSA1
    bitlen :DWORD;  // # of bits in modulus
    pubexp :DWORD;  // public exponent
                    // Modulus data follows
    end;

type
  PPUBKEY = ^PUBKEY;
  PUBKEY = record
    magic  :DWORD;
    bitlen :DWORD; // # of bits in modulus
  end;

type
  DHPUBKEY  = PUBKEY;
  DSSPUBKEY = PUBKEY;
  KEAPUBKEY = PUBKEY;
  TEKPUBKEY = PUBKEY;


type
  PDSSSEED = ^DSSSEED;
  DSSSEED = record
    counter :DWORD;
    seed    :array[0..20-1] of BYTE;
  end;

type
  PKEY_TYPE_SUBTYPE = ^KEY_TYPE_SUBTYPE;
  KEY_TYPE_SUBTYPE = record
    dwKeySpec :DWORD;
    Type_     :TGUID; {conflict with base Delphi type: original name 'Type'}
    Subtype   :TGUID;
  end;

type
  HCRYPTPROV  = ULONG;
  PHCRYPTPROV = ^HCRYPTPROV;
  HCRYPTKEY   = ULONG;
  PHCRYPTKEY  = ^HCRYPTKEY;
  HCRYPTHASH  = ULONG;
  PHCRYPTHASH = ^HCRYPTHASH;

function CryptAcquireContextA(phProv       :PHCRYPTPROV;
                              pszContainer :PAnsiChar;
                              pszProvider  :PAnsiChar;
                              dwProvType   :DWORD;
                              dwFlags      :DWORD) :BOOL;stdcall;

function CryptAcquireContext(phProv        :PHCRYPTPROV;
                              pszContainer :LPAWSTR;
                              pszProvider  :LPAWSTR;
                              dwProvType   :DWORD;
                              dwFlags      :DWORD) :BOOL;stdcall;

function CryptAcquireContextW(phProv       :PHCRYPTPROV;
                              pszContainer :PWideChar;
                              pszProvider  :PWideChar;
                              dwProvType   :DWORD;
                              dwFlags      :DWORD) :BOOL ;stdcall;


function CryptReleaseContext(hProv   :HCRYPTPROV;
                             dwFlags :DWORD) :BOOL;stdcall;



function CryptGenKey(hProv   :HCRYPTPROV;
                     Algid   :ALG_ID;
                     dwFlags :DWORD;
                     phKey   :PHCRYPTKEY) :BOOL;stdcall ;


function CryptDeriveKey(hProv     :HCRYPTPROV;
                        Algid     :ALG_ID;
                        hBaseData :HCRYPTHASH;
                        dwFlags   :DWORD;
                        phKey     :PHCRYPTKEY) :BOOL;stdcall ;



function CryptDestroyKey(hKey  :HCRYPTKEY) :BOOL;stdcall ;


function CryptSetKeyParam(hKey    :HCRYPTKEY;
                          dwParam :DWORD;
                          pbData  :PBYTE;
                          dwFlags :DWORD) :BOOL;stdcall;


function CryptGetKeyParam(hKey       :HCRYPTKEY;
                          dwParam    :DWORD;
                          pbData     :PBYTE;
                          pdwDataLen :PDWORD;
                          dwFlags    :DWORD) :BOOL;stdcall;


function CryptSetHashParam(hHash   :HCRYPTHASH;
                           dwParam :DWORD;
                           pbData  :PBYTE;
                           dwFlags :DWORD) :BOOL;stdcall;


function CryptGetHashParam(hHash      :HCRYPTHASH;
                           dwParam    :DWORD;
                           pbData     :PBYTE;
                           pdwDataLen :PDWORD;
                           dwFlags    :DWORD) :BOOL;stdcall;


function CryptSetProvParam(hProv   :HCRYPTPROV;
                           dwParam :DWORD;
                           pbData  :PBYTE;
                           dwFlags :DWORD) :BOOL;stdcall;


function CryptGetProvParam(hProv      :HCRYPTPROV;
                           dwParam    :DWORD;
                           pbData     :PBYTE;
                           pdwDataLen :PDWORD;
                           dwFlags    :DWORD) :BOOL;stdcall;


function CryptGenRandom(hProv    :HCRYPTPROV;
                        dwLen    :DWORD;
                        pbBuffer :PBYTE) :BOOL;stdcall;


function CryptGetUserKey(hProv     :HCRYPTPROV;
                         dwKeySpec :DWORD;
                         phUserKey :PHCRYPTKEY) :BOOL;stdcall;


function CryptExportKey(hKey       :HCRYPTKEY;
                        hExpKey    :HCRYPTKEY;
                        dwBlobType :DWORD;
                        dwFlags    :DWORD;
                        pbData     :PBYTE;
                        pdwDataLen :PDWORD) :BOOL;stdcall;


function CryptImportKey(hProv     :HCRYPTPROV;
                        pbData    :PBYTE;
                        dwDataLen :DWORD;
                        hPubKey   :HCRYPTKEY;
                        dwFlags   :DWORD;
                        phKey     :PHCRYPTKEY) :BOOL;stdcall;


function CryptEncrypt(hKey       :HCRYPTKEY;
                      hHash      :HCRYPTHASH;
                      Final      :BOOL;
                      dwFlags    :DWORD;
                      pbData     :PBYTE;
                      pdwDataLen :PDWORD;
                      dwBufLen   :DWORD) :BOOL;stdcall;


function CryptDecrypt(hKey       :HCRYPTKEY;
                      hHash      :HCRYPTHASH;
                      Final      :BOOL;
                      dwFlags    :DWORD;
                      pbData     :PBYTE;
                      pdwDataLen :PDWORD) :BOOL;stdcall;


function CryptCreateHash(hProv   :HCRYPTPROV;
                         Algid   :ALG_ID;
                         hKey    :HCRYPTKEY;
                         dwFlags :DWORD;
                         phHash  :PHCRYPTHASH) :BOOL;stdcall;


function CryptHashData(hHash       :HCRYPTHASH;
                 const pbData      :PBYTE;
                       dwDataLen   :DWORD;
                       dwFlags     :DWORD) :BOOL;stdcall;


function CryptHashSessionKey(hHash   :HCRYPTHASH;
                             hKey    :HCRYPTKEY;
                             dwFlags :DWORD) :BOOL;stdcall;


function CryptDestroyHash(hHash :HCRYPTHASH) :BOOL;stdcall;


function CryptSignHashA(hHash        :HCRYPTHASH;
                        dwKeySpec    :DWORD;
                        sDescription :PAnsiChar;
                        dwFlags      :DWORD;
                        pbSignature  :PBYTE;
                        pdwSigLen    :PDWORD) :BOOL;stdcall;


function CryptSignHash(hHash         :HCRYPTHASH;
                        dwKeySpec    :DWORD;
                        sDescription :LPAWSTR;
                        dwFlags      :DWORD;
                        pbSignature  :PBYTE;
                        pdwSigLen    :PDWORD) :BOOL;stdcall;

function CryptSignHashW(hHash        :HCRYPTHASH;
                        dwKeySpec    :DWORD;
                        sDescription :PWideChar;
                        dwFlags      :DWORD;
                        pbSignature  :PBYTE;
                        pdwSigLen    :PDWORD) :BOOL;stdcall;

function CryptSignHashU(hHash        :HCRYPTHASH;
                        dwKeySpec    :DWORD;
                        sDescription :PWideChar;
                        dwFlags      :DWORD;
                        pbSignature  :PBYTE;
                        pdwSigLen    :PDWORD) :BOOL;stdcall;

function CryptVerifySignatureA(hHash        :HCRYPTHASH;
                         const pbSignature  :PBYTE;
                               dwSigLen     :DWORD;
                               hPubKey      :HCRYPTKEY;
                               sDescription :PAnsiChar;
                               dwFlags      :DWORD) :BOOL;stdcall;

function CryptVerifySignature(hHash         :HCRYPTHASH;
                        const pbSignature  :PBYTE;
                              dwSigLen     :DWORD;
                              hPubKey      :HCRYPTKEY;
                              sDescription :LPAWSTR;
                               dwFlags      :DWORD) :BOOL;stdcall;


function CryptVerifySignatureW(hHash        :HCRYPTHASH;
                         const pbSignature  :PBYTE;
                               dwSigLen     :DWORD;
                               hPubKey      :HCRYPTKEY;
                               sDescription :PWideChar;
                               dwFlags      :DWORD) :BOOL;stdcall;


function CryptSetProviderA(pszProvName :PAnsiChar;
                           dwProvType  :DWORD) :BOOL;stdcall;

function CryptSetProvider(pszProvName :LPAWSTR;
                           dwProvType :DWORD) :BOOL;stdcall;

function CryptSetProviderW(pszProvName :PWideChar;
                           dwProvType  :DWORD) :BOOL;stdcall;

function CryptSetProviderU(pszProvName :PWideChar;
                           dwProvType  :DWORD) :BOOL;stdcall;

{$IFDEF NT5}

function CryptSetProviderExA(pszProvName :LPCSTR;
                             dwProvType  :DWORD;
                             pdwReserved :PDWORD;
                             dwFlags     :DWORD):BOOL;stdcall;

function CryptSetProviderExW(pszProvName :LPCWSTR;
                             dwProvType  :DWORD;
                             pdwReserved :PDWORD;
                             dwFlags     :DWORD):BOOL;stdcall;

function CryptSetProviderEx(pszProvName :LPAWSTR;
                            dwProvType  :DWORD;
                            pdwReserved :PDWORD;
                            dwFlags     :DWORD):BOOL;stdcall;


function CryptGetDefaultProviderA(dwProvType  :DWORD;
                                  pdwReserved :DWORD;
                                  dwFlags     :DWORD;
                                  pszProvName :LPSTR;
                                  pcbProvName :PDWORD):BOOL ; stdcall;

function CryptGetDefaultProviderW(dwProvType  :DWORD;
                                  pdwReserved :DWORD;
                                  dwFlags     :DWORD;
                                  pszProvName :LPWSTR;
                                  pcbProvName :PDWORD):BOOL ; stdcall;

function CryptGetDefaultProvider(dwProvType  :DWORD;
                                 pdwReserved :DWORD;
                                 dwFlags     :DWORD;
                                 pszProvName :LPAWSTR;
                                 pcbProvName :PDWORD):BOOL ; stdcall;

function CryptEnumProviderTypesA(dwIndex     :DWORD;
                                 pdwReserved :PDWORD;
                                 dwFlags     :DWORD;
                                 pdwProvType :PDWORD;
                                 pszTypeName :LPSTR;
                                 pcbTypeName :PDWORD):BOOL ; stdcall;

function CryptEnumProviderTypesW(dwIndex     :DWORD;
                                 pdwReserved :PDWORD;
                                 dwFlags     :DWORD;
                                 pdwProvType :PDWORD;
                                 pszTypeName :LPWSTR;
                                 pcbTypeName :PDWORD):BOOL ; stdcall;

function CryptEnumProviderTypes(dwIndex     :DWORD;
                                pdwReserved :PDWORD;
                                dwFlags     :DWORD;
                                pdwProvType :PDWORD;
                                pszTypeName :LPAWSTR;
                                pcbTypeName :PDWORD):BOOL ; stdcall;

function CryptEnumProvidersA(dwIndex     :DWORD;
                             pdwReserved :PDWORD;
                             dwFlags     :DWORD;
                             pdwProvType :PDWORD;
                             pszProvName :LPSTR;
                             pcbProvName :PDWORD):BOOL ; stdcall;

function CryptEnumProvidersW(dwIndex     :DWORD;
                             pdwReserved :PDWORD;
                             dwFlags     :DWORD;
                             pdwProvType :PDWORD;
                             pszProvName :LPWSTR;
                             pcbProvName :PDWORD):BOOL ; stdcall;

function CryptEnumProviders(dwIndex      :DWORD;
                             pdwReserved :PDWORD;
                             dwFlags     :DWORD;
                             pdwProvType :PDWORD;
                             pszProvName :LPAWSTR;
                             pcbProvName :PDWORD):BOOL ; stdcall;

function CryptContextAddRef(hProv       :HCRYPTPROV;
                            pdwReserved :PDWORD;
                            dwFlags     :DWORD):BOOL ; stdcall;

function CryptDuplicateKey(hKey        :HCRYPTKEY;
                           pdwReserved :PDWORD;
                           dwFlags     :DWORD;
                           phKey       :PHCRYPTKEY):BOOL ; stdcall;

function CryptDuplicateHash(hHash       :HCRYPTHASH;
                            pdwReserved :PDWORD;
                            dwFlags     :DWORD;
                            phHash      :PHCRYPTHASH):BOOL ; stdcall;

{$ENDIF NT5}

function CryptEnumProvidersU(dwIndex     :DWORD;
                             pdwReserved :PDWORD;
                             dwFlags     :DWORD;
                             pdwProvType :PDWORD;
                             pszProvName :LPWSTR;
                             pcbProvName :PDWORD):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  CRYPTOAPI BLOB definitions
//--------------------------------------------------------------------------

type
  PCRYPTOAPI_BLOB = ^CRYPTOAPI_BLOB;
  CRYPTOAPI_BLOB = record
    cbData :DWORD;
    pbData :PBYTE;
  end;

type
  CRYPT_INTEGER_BLOB            = CRYPTOAPI_BLOB;
  PCRYPT_INTEGER_BLOB           = ^CRYPT_INTEGER_BLOB;
  CRYPT_UINT_BLOB               = CRYPTOAPI_BLOB;
  PCRYPT_UINT_BLOB              = ^CRYPT_UINT_BLOB;
  CRYPT_OBJID_BLOB              = CRYPTOAPI_BLOB;
  PCRYPT_OBJID_BLOB             = ^CRYPT_OBJID_BLOB;
  CERT_NAME_BLOB                = CRYPTOAPI_BLOB;
  PCERT_NAME_BLOB               = ^CERT_NAME_BLOB;
  CERT_RDN_VALUE_BLOB           = CRYPTOAPI_BLOB;
  PCERT_RDN_VALUE_BLOB          = ^CERT_RDN_VALUE_BLOB;
  CERT_BLOB                     = CRYPTOAPI_BLOB;
  PCERT_BLOB                    = ^CERT_BLOB;
  CRL_BLOB                      = CRYPTOAPI_BLOB;
  PCRL_BLOB                     = ^CRL_BLOB;
  DATA_BLOB                     = CRYPTOAPI_BLOB;
  PDATA_BLOB                    = ^DATA_BLOB;     // JEFFJEFF temporary (too generic)
  CRYPT_DATA_BLOB               = CRYPTOAPI_BLOB;
  PCRYPT_DATA_BLOB              = ^CRYPT_DATA_BLOB;
  CRYPT_HASH_BLOB               = CRYPTOAPI_BLOB;
  PCRYPT_HASH_BLOB              = ^CRYPT_HASH_BLOB;
  CRYPT_DIGEST_BLOB             = CRYPTOAPI_BLOB;
  PCRYPT_DIGEST_BLOB            = ^CRYPT_DIGEST_BLOB;
  CRYPT_DER_BLOB                = CRYPTOAPI_BLOB;
  PCRYPT_DER_BLOB               = ^CRYPT_DER_BLOB;
  CRYPT_ATTR_BLOB               = CRYPTOAPI_BLOB;
  PCRYPT_ATTR_BLOB              = ^CRYPT_ATTR_BLOB;

//+-------------------------------------------------------------------------
//  In a CRYPT_BIT_BLOB the last byte may contain 0-7 unused bits. Therefore, the
//  overall bit length is cbData * 8 - cUnusedBits.
//--------------------------------------------------------------------------

type
  PCRYPT_BIT_BLOB = ^CRYPT_BIT_BLOB;
  CRYPT_BIT_BLOB = record
    cbData      :DWORD;
    pbData      :PBYTE;
    cUnusedBits :DWORD;
  end;

//+-------------------------------------------------------------------------
//  Type used for any algorithm
//
//  Where the Parameters CRYPT_OBJID_BLOB is in its encoded representation. For most
//  algorithm types, the Parameters CRYPT_OBJID_BLOB is NULL (Parameters.cbData = 0).
//--------------------------------------------------------------------------

type
  PCRYPT_ALGORITHM_IDENTIFIER = ^CRYPT_ALGORITHM_IDENTIFIER;
  CRYPT_ALGORITHM_IDENTIFIER = record
    pszObjId   :LPSTR;
    Parameters :CRYPT_OBJID_BLOB;
  end;

// Following are the definitions of various algorithm object identifiers
// RSA
const 
  szOID_RSA         = '1.2.840.113549';
  szOID_PKCS        = '1.2.840.113549.1';
  szOID_RSA_HASH    = '1.2.840.113549.2';
  szOID_RSA_ENCRYPT = '1.2.840.113549.3';

  szOID_PKCS_1      = '1.2.840.113549.1.1';
  szOID_PKCS_2      = '1.2.840.113549.1.2';
  szOID_PKCS_3      = '1.2.840.113549.1.3';
  szOID_PKCS_4      = '1.2.840.113549.1.4';
  szOID_PKCS_5      = '1.2.840.113549.1.5';
  szOID_PKCS_6      = '1.2.840.113549.1.6';
  szOID_PKCS_7      = '1.2.840.113549.1.7';
  szOID_PKCS_8      = '1.2.840.113549.1.8';
  szOID_PKCS_9      = '1.2.840.113549.1.9';
  szOID_PKCS_10     = '1.2.840.113549.1.10';

  szOID_RSA_RSA          = '1.2.840.113549.1.1.1';
  szOID_RSA_MD2RSA       = '1.2.840.113549.1.1.2';
  szOID_RSA_MD4RSA       = '1.2.840.113549.1.1.3';
  szOID_RSA_MD5RSA       = '1.2.840.113549.1.1.4';
  szOID_RSA_SHA1RSA      = '1.2.840.113549.1.1.5';
  szOID_RSA_SETOAEP_RSA  = '1.2.840.113549.1.1.6';
  szOID_RSA_SHA256RSA    = '1.2.840.113549.1.1.11';
  szOID_RSA_SHA384RSA    = '1.2.840.113549.1.1.12';
  szOID_RSA_SHA512RSA    = '1.2.840.113549.1.1.13';

  szOID_RSA_data             = '1.2.840.113549.1.7.1';
  szOID_RSA_signedData       = '1.2.840.113549.1.7.2';
  szOID_RSA_envelopedData    = '1.2.840.113549.1.7.3';
  szOID_RSA_signEnvData      = '1.2.840.113549.1.7.4';
  szOID_RSA_digestedData     = '1.2.840.113549.1.7.5';
  szOID_RSA_hashedData       = '1.2.840.113549.1.7.5';
  szOID_RSA_encryptedData    = '1.2.840.113549.1.7.6';

  szOID_RSA_emailAddr           = '1.2.840.113549.1.9.1';
  szOID_RSA_unstructName        = '1.2.840.113549.1.9.2';
  szOID_RSA_contentType         = '1.2.840.113549.1.9.3';
  szOID_RSA_messageDigest       = '1.2.840.113549.1.9.4';
  szOID_RSA_signingTime         = '1.2.840.113549.1.9.5';
  szOID_RSA_counterSign         = '1.2.840.113549.1.9.6';
  szOID_RSA_challengePwd        = '1.2.840.113549.1.9.7';
  szOID_RSA_unstructAddr        = '1.2.840.113549.1.9.8';
  szOID_RSA_extCertAttrs        = '1.2.840.113549.1.9.9';
  szOID_RSA_SMIMECapabilities   = '1.2.840.113549.1.9.15';
  szOID_RSA_preferSignedData    = '1.2.840.113549.1.9.15.1';

  szOID_RSA_MD2 = '1.2.840.113549.2.2';
  szOID_RSA_MD4 = '1.2.840.113549.2.4';
  szOID_RSA_MD5 = '1.2.840.113549.2.5';

  szOID_RSA_RC2CBC        = '1.2.840.113549.3.2';
  szOID_RSA_RC4           = '1.2.840.113549.3.4';
  szOID_RSA_DES_EDE3_CBC  = '1.2.840.113549.3.7';
  szOID_RSA_RC5_CBCPad    = '1.2.840.113549.3.9';

// ITU-T UsefulDefinitions
  szOID_DS          = '2.5';
  szOID_DSALG       = '2.5.8';
  szOID_DSALG_CRPT  = '2.5.8.1';
  szOID_DSALG_HASH  = '2.5.8.2';
  szOID_DSALG_SIGN  = '2.5.8.3';
  szOID_DSALG_RSA   = '2.5.8.1.1';

// NIST OSE Implementors' Workshop (OIW)
// http://nemo.ncsl.nist.gov/oiw/agreements/stable/OSI/12s_9506.w51
// http://nemo.ncsl.nist.gov/oiw/agreements/working/OSI/12w_9503.w51
  szOID_OIW            = '1.3.14';
// NIST OSE Implementors' Workshop (OIW) Security SIG algorithm identifiers
  szOID_OIWSEC         = '1.3.14.3.2';
  szOID_OIWSEC_md4RSA  = '1.3.14.3.2.2';
  szOID_OIWSEC_md5RSA  = '1.3.14.3.2.3';
  szOID_OIWSEC_md4RSA2 = '1.3.14.3.2.4';
  szOID_OIWSEC_desECB  = '1.3.14.3.2.6';
  szOID_OIWSEC_desCBC  = '1.3.14.3.2.7';
  szOID_OIWSEC_desOFB  = '1.3.14.3.2.8';
  szOID_OIWSEC_desCFB  = '1.3.14.3.2.9';
  szOID_OIWSEC_desMAC  = '1.3.14.3.2.10';
  szOID_OIWSEC_rsaSign = '1.3.14.3.2.11';
  szOID_OIWSEC_dsa     = '1.3.14.3.2.12';
  szOID_OIWSEC_shaDSA  = '1.3.14.3.2.13';
  szOID_OIWSEC_mdc2RSA = '1.3.14.3.2.14';
  szOID_OIWSEC_shaRSA  = '1.3.14.3.2.15';
  szOID_OIWSEC_dhCommMod = '1.3.14.3.2.16';
  szOID_OIWSEC_desEDE    = '1.3.14.3.2.17';
  szOID_OIWSEC_sha       = '1.3.14.3.2.18';
  szOID_OIWSEC_mdc2      = '1.3.14.3.2.19';
  szOID_OIWSEC_dsaComm   = '1.3.14.3.2.20';
  szOID_OIWSEC_dsaCommSHA  = '1.3.14.3.2.21';
  szOID_OIWSEC_rsaXchg     = '1.3.14.3.2.22';
  szOID_OIWSEC_keyHashSeal = '1.3.14.3.2.23';
  szOID_OIWSEC_md2RSASign  = '1.3.14.3.2.24';
  szOID_OIWSEC_md5RSASign  = '1.3.14.3.2.25';
  szOID_OIWSEC_sha1        = '1.3.14.3.2.26';
  szOID_OIWSEC_dsaSHA1     = '1.3.14.3.2.27';
  szOID_OIWSEC_dsaCommSHA1 =  '1.3.14.3.2.28';
  szOID_OIWSEC_sha1RSASign =  '1.3.14.3.2.29';
// NIST OSE Implementors' Workshop (OIW) Directory SIG algorithm identifiers
  szOID_OIWDIR             = '1.3.14.7.2';
  szOID_OIWDIR_CRPT        = '1.3.14.7.2.1';
  szOID_OIWDIR_HASH        = '1.3.14.7.2.2';
  szOID_OIWDIR_SIGN        = '1.3.14.7.2.3';
  szOID_OIWDIR_md2         = '1.3.14.7.2.2.1';
  szOID_OIWDIR_md2RSA      = '1.3.14.7.2.3.1';


// INFOSEC Algorithms
// joint-iso-ccitt(2) country(16) us(840) organization(1) us-government(101) dod(2) id-infosec(1)
  szOID_INFOSEC                       = '2.16.840.1.101.2.1';
  szOID_INFOSEC_sdnsSignature         = '2.16.840.1.101.2.1.1.1';
  szOID_INFOSEC_mosaicSignature       = '2.16.840.1.101.2.1.1.2';
  szOID_INFOSEC_sdnsConfidentiality   = '2.16.840.1.101.2.1.1.3';
  szOID_INFOSEC_mosaicConfidentiality = '2.16.840.1.101.2.1.1.4';
  szOID_INFOSEC_sdnsIntegrity         = '2.16.840.1.101.2.1.1.5';
  szOID_INFOSEC_mosaicIntegrity       = '2.16.840.1.101.2.1.1.6';
  szOID_INFOSEC_sdnsTokenProtection   = '2.16.840.1.101.2.1.1.7';
  szOID_INFOSEC_mosaicTokenProtection = '2.16.840.1.101.2.1.1.8';
  szOID_INFOSEC_sdnsKeyManagement     = '2.16.840.1.101.2.1.1.9';
  szOID_INFOSEC_mosaicKeyManagement   = '2.16.840.1.101.2.1.1.10';
  szOID_INFOSEC_sdnsKMandSig          = '2.16.840.1.101.2.1.1.11';
  szOID_INFOSEC_mosaicKMandSig        = '2.16.840.1.101.2.1.1.12';
  szOID_INFOSEC_SuiteASignature       = '2.16.840.1.101.2.1.1.13';
  szOID_INFOSEC_SuiteAConfidentiality = '2.16.840.1.101.2.1.1.14';
  szOID_INFOSEC_SuiteAIntegrity       = '2.16.840.1.101.2.1.1.15';
  szOID_INFOSEC_SuiteATokenProtection = '2.16.840.1.101.2.1.1.16';
  szOID_INFOSEC_SuiteAKeyManagement   = '2.16.840.1.101.2.1.1.17';
  szOID_INFOSEC_SuiteAKMandSig        = '2.16.840.1.101.2.1.1.18';
  szOID_INFOSEC_mosaicUpdatedSig      = '2.16.840.1.101.2.1.1.19';
  szOID_INFOSEC_mosaicKMandUpdSig     = '2.16.840.1.101.2.1.1.20';
  szOID_INFOSEC_mosaicUpdatedInteg    = '2.16.840.1.101.2.1.1.21';

type
  PCRYPT_OBJID_TABLE = ^CRYPT_OBJID_TABLE;
  CRYPT_OBJID_TABLE = record
    dwAlgId  :DWORD;
    pszObjId :LPCSTR;
  end;

//+-------------------------------------------------------------------------
//  PKCS #1 HashInfo (DigestInfo)
//--------------------------------------------------------------------------

type
  PCRYPT_HASH_INFO = ^CRYPT_HASH_INFO;
  CRYPT_HASH_INFO = record
    HashAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
    Hash :CRYPT_HASH_BLOB;
  end;

//+-------------------------------------------------------------------------
//  Type used for an extension to an encoded content
//
//  Where the Value's CRYPT_OBJID_BLOB is in its encoded representation.
//--------------------------------------------------------------------------

type
  PCERT_EXTENSION = ^CERT_EXTENSION;
  CERT_EXTENSION = record
    pszObjId :LPSTR;
    fCritical :BOOL;
    Value :CRYPT_OBJID_BLOB;
  end;

//+-------------------------------------------------------------------------
//  AttributeTypeValue
//
//  Where the Value's CRYPT_OBJID_BLOB is in its encoded representation.
//--------------------------------------------------------------------------

type
  PCRYPT_ATTRIBUTE_TYPE_VALUE =^CRYPT_ATTRIBUTE_TYPE_VALUE;
  CRYPT_ATTRIBUTE_TYPE_VALUE = record
    pszObjId :LPSTR;
    Value :CRYPT_OBJID_BLOB;
  end;

//+-------------------------------------------------------------------------
//  Attributes
//
//  Where the Value's PATTR_BLOBs are in their encoded representation.
//--------------------------------------------------------------------------

type
  PCRYPT_ATTRIBUTE = ^CRYPT_ATTRIBUTE;
  CRYPT_ATTRIBUTE = record
     pszObjId :LPSTR;
     cValue :DWORD;
     rgValue :PCRYPT_ATTR_BLOB;
  end;

type
  PCRYPT_ATTRIBUTES =^CRYPT_ATTRIBUTES;
  CRYPT_ATTRIBUTES = record
    cAttr  :DWORD; {IN}
    rgAttr :PCRYPT_ATTRIBUTE; {IN}
  end;

//+-------------------------------------------------------------------------
//  Attributes making up a Relative Distinguished Name (CERT_RDN)
//
//  The interpretation of the Value depends on the dwValueType.
//  See below for a list of the types.
//--------------------------------------------------------------------------

type
  PCERT_RDN_ATTR = ^CERT_RDN_ATTR;
  CERT_RDN_ATTR = record
    pszObjId :LPSTR;
    dwValueType :DWORD;
    Value :CERT_RDN_VALUE_BLOB;
  end;

//+-------------------------------------------------------------------------
//  CERT_RDN attribute Object Identifiers
//--------------------------------------------------------------------------
// Labeling attribute types:
const 
  szOID_COMMON_NAME          = '2.5.4.3';  // case-ignore string
  szOID_SUR_NAME             = '2.5.4.4';  // case-ignore string
  szOID_DEVICE_SERIAL_NUMBER = '2.5.4.5';  // printable string

// Geographic attribute types:
  szOID_COUNTRY_NAME            = '2.5.4.6';  // printable 2char string
  szOID_LOCALITY_NAME           = '2.5.4.7';  // case-ignore string
  szOID_STATE_OR_PROVINCE_NAME  = '2.5.4.8';  // case-ignore string
  szOID_STREET_ADDRESS          = '2.5.4.9';  // case-ignore string

// Organizational attribute types:
  szOID_ORGANIZATION_NAME          = '2.5.4.10';// case-ignore string
  szOID_ORGANIZATIONAL_UNIT_NAME   = '2.5.4.11'; // case-ignore string
  szOID_TITLE                      = '2.5.4.12'; // case-ignore string

// Explanatory attribute types:
  szOID_DESCRIPTION          = '2.5.4.13'; // case-ignore string
  szOID_SEARCH_GUIDE         = '2.5.4.14';
  szOID_BUSINESS_CATEGORY    = '2.5.4.15'; // case-ignore string

// Postal addressing attribute types:
  szOID_POSTAL_ADDRESS       = '2.5.4.16';
  szOID_POSTAL_CODE          = '2.5.4.17'; // case-ignore string
  szOID_POST_OFFICE_BOX      = '2.5.4.18'; // case-ignore string
  szOID_PHYSICAL_DELIVERY_OFFICE_NAME = '2.5.4.19'; // case-ignore string

// Telecommunications addressing attribute types:
  szOID_TELEPHONE_NUMBER              = '2.5.4.20'; // telephone number
  szOID_TELEX_NUMBER                  = '2.5.4.21';
  szOID_TELETEXT_TERMINAL_IDENTIFIER  = '2.5.4.22';
  szOID_FACSIMILE_TELEPHONE_NUMBER    = '2.5.4.23';
  szOID_X21_ADDRESS                   = '2.5.4.24'; // numeric string
  szOID_INTERNATIONAL_ISDN_NUMBER     = '2.5.4.25'; // numeric string
  szOID_REGISTERED_ADDRESS            = '2.5.4.26';
  szOID_DESTINATION_INDICATOR         = '2.5.4.27'; // printable string

// Preference attribute types:
  szOID_PREFERRED_DELIVERY_METHOD     = '2.5.4.28';

// OSI application attribute types:
  szOID_PRESENTATION_ADDRESS          = '2.5.4.29';
  szOID_SUPPORTED_APPLICATION_CONTEXT = '2.5.4.30';

// Relational application attribute types:
  szOID_MEMBER                        = '2.5.4.31';
  szOID_OWNER                         = '2.5.4.32';
  szOID_ROLE_OCCUPANT                 = '2.5.4.33';
  szOID_SEE_ALSO                      = '2.5.4.34';

// Security attribute types:
  szOID_USER_PASSWORD                 = '2.5.4.35';
  szOID_USER_CERTIFICATE              = '2.5.4.36';
  szOID_CA_CERTIFICATE                = '2.5.4.37';
  szOID_AUTHORITY_REVOCATION_LIST     = '2.5.4.38';
  szOID_CERTIFICATE_REVOCATION_LIST   = '2.5.4.39';
  szOID_CROSS_CERTIFICATE_PAIR        = '2.5.4.40';

// Undocumented attribute types???
//#define szOID_???                         '2.5.4.41'
  szOID_GIVEN_NAME                    = '2.5.4.42'; // case-ignore string
  szOID_INITIALS                      = '2.5.4.43'; // case-ignore string

// Pilot user attribute types:
  szOID_DOMAIN_COMPONENT      = '0.9.2342.19200300.100.1.25'; // IA5 string

//+-------------------------------------------------------------------------
//  CERT_RDN Attribute Value Types
//
//  For RDN_ENCODED_BLOB, the Value's CERT_RDN_VALUE_BLOB is in its encoded
//  representation. Otherwise, its an array of bytes.
//
//  For all CERT_RDN types, Value.cbData is always the number of bytes, not
//  necessarily the number of elements in the string. For instance,
//  RDN_UNIVERSAL_STRING is an array of ints (cbData == intCnt * 4) and
//  RDN_BMP_STRING is an array of unsigned shorts (cbData == ushortCnt * 2).
//
//  For CertDecodeName, two 0 bytes are always appended to the end of the
//  string (ensures a CHAR or WCHAR string is null terminated).
//  These added 0 bytes are't included in the BLOB.cbData.
//--------------------------------------------------------------------------

const 
  CERT_RDN_ANY_TYPE             = 0;
  CERT_RDN_ENCODED_BLOB         = 1;
  CERT_RDN_OCTET_STRING         = 2;
  CERT_RDN_NUMERIC_STRING       = 3;
  CERT_RDN_PRINTABLE_STRING     = 4;
  CERT_RDN_TELETEX_STRING       = 5;
  CERT_RDN_T61_STRING           = 5;
  CERT_RDN_VIDEOTEX_STRING      = 6;
  CERT_RDN_IA5_STRING           = 7;
  CERT_RDN_GRAPHIC_STRING       = 8;
  CERT_RDN_VISIBLE_STRING       = 9;
  CERT_RDN_ISO646_STRING        = 9;
  CERT_RDN_GENERAL_STRING       = 10;
  CERT_RDN_UNIVERSAL_STRING     = 11;
  CERT_RDN_INT4_STRING          = 11;
  CERT_RDN_BMP_STRING           = 12;
  CERT_RDN_UNICODE_STRING       = 12;


// Macro to check that the dwValueType is a character string and not an
// encoded blob or octet string
function IS_CERT_RDN_CHAR_STRING(X :DWORD) :BOOL;

//+-------------------------------------------------------------------------
//  A CERT_RDN consists of an array of the above attributes
//--------------------------------------------------------------------------

type
  PCERT_RDN = ^CERT_RDN;
  CERT_RDN = record
    cRDNAttr :DWORD;
    rgRDNAttr :PCERT_RDN_ATTR;
  end;

//+-------------------------------------------------------------------------
//  Information stored in a subject's or issuer's name. The information
//  is represented as an array of the above RDNs.
//--------------------------------------------------------------------------

type
  PCERT_NAME_INFO = ^CERT_NAME_INFO;
  CERT_NAME_INFO = record
    cRDN :DWORD;
    rgRDN :PCERT_RDN;
  end;

//+-------------------------------------------------------------------------
//  Name attribute value without the Object Identifier
//
//  The interpretation of the Value depends on the dwValueType.
//  See above for a list of the types.
//--------------------------------------------------------------------------

type
  PCERT_NAME_VALUE = ^CERT_NAME_VALUE;
  CERT_NAME_VALUE = record
    dwValueType :DWORD;
    Value :CERT_RDN_VALUE_BLOB;
  end;

//+-------------------------------------------------------------------------
//  Public Key Info
//
//  The PublicKey is the encoded representation of the information as it is
//  stored in the bit string
//--------------------------------------------------------------------------

type
  PCERT_PUBLIC_KEY_INFO = ^CERT_PUBLIC_KEY_INFO;
  CERT_PUBLIC_KEY_INFO = record
    Algorithm :CRYPT_ALGORITHM_IDENTIFIER;
    PublicKey :CRYPT_BIT_BLOB;
  end;

const 
  CERT_RSA_PUBLIC_KEY_OBJID        = szOID_RSA_RSA;
  CERT_DEFAULT_OID_PUBLIC_KEY_SIGN = szOID_RSA_RSA;
  CERT_DEFAULT_OID_PUBLIC_KEY_XCHG = szOID_RSA_RSA;

//+-------------------------------------------------------------------------
//  Information stored in a certificate
//
//  The Issuer, Subject, Algorithm, PublicKey and Extension BLOBs are the
//  encoded representation of the information.
//--------------------------------------------------------------------------

type
  PCERT_INFO = ^CERT_INFO;
  CERT_INFO = record
    dwVersion              :DWORD;
    SerialNumber           :CRYPT_INTEGER_BLOB;
    SignatureAlgorithm     :CRYPT_ALGORITHM_IDENTIFIER;
    Issuer                 :CERT_NAME_BLOB;
    NotBefore              :TFILETIME;
    NotAfter               :TFILETIME;
    Subject                :CERT_NAME_BLOB;
    SubjectPublicKeyInfo   :CERT_PUBLIC_KEY_INFO;
    IssuerUniqueId         :CRYPT_BIT_BLOB;
    SubjectUniqueId        :CRYPT_BIT_BLOB;
    cExtension             :DWORD;
    rgExtension            :PCERT_EXTENSION;
  end;

//+-------------------------------------------------------------------------
//  Certificate versions
//--------------------------------------------------------------------------
const 
  CERT_V1 = 0;
  CERT_V2 = 1;
  CERT_V3 = 2;

//+-------------------------------------------------------------------------
//  Certificate Information Flags
//--------------------------------------------------------------------------

  CERT_INFO_VERSION_FLAG                 = 1;
  CERT_INFO_SERIAL_NUMBER_FLAG           = 2;
  CERT_INFO_SIGNATURE_ALGORITHM_FLAG     = 3;
  CERT_INFO_ISSUER_FLAG                  = 4;
  CERT_INFO_NOT_BEFORE_FLAG              = 5;
  CERT_INFO_NOT_AFTER_FLAG               = 6;
  CERT_INFO_SUBJECT_FLAG                 = 7;
  CERT_INFO_SUBJECT_PUBLIC_KEY_INFO_FLAG = 8;
  CERT_INFO_ISSUER_UNIQUE_ID_FLAG        = 9;
  CERT_INFO_SUBJECT_UNIQUE_ID_FLAG       = 10;
  CERT_INFO_EXTENSION_FLAG               = 11;

//+-------------------------------------------------------------------------
//  An entry in a CRL
//
//  The Extension BLOBs are the encoded representation of the information.
//--------------------------------------------------------------------------

type
  PCRL_ENTRY = ^CRL_ENTRY;
  CRL_ENTRY = record
    SerialNumber :CRYPT_INTEGER_BLOB;
    RevocationDate :TFILETIME;
    cExtension :DWORD;
    rgExtension :PCERT_EXTENSION;
  end;

//+-------------------------------------------------------------------------
//  Information stored in a CRL
//
//  The Issuer, Algorithm and Extension BLOBs are the encoded
//  representation of the information.
//--------------------------------------------------------------------------

type
  PCRL_INFO = ^CRL_INFO;
  CRL_INFO = record
    dwVersion           :DWORD;
    SignatureAlgorithm  :CRYPT_ALGORITHM_IDENTIFIER;
    Issuer              :CERT_NAME_BLOB;
    ThisUpdate          :TFILETIME;
    NextUpdate          :TFILETIME;
    cCRLEntry           :DWORD;
    rgCRLEntry          :PCRL_ENTRY;
    cExtension          :DWORD;
    rgExtension         :PCERT_EXTENSION;
  end;

//+-------------------------------------------------------------------------
//  CRL versions
//--------------------------------------------------------------------------
const 
  CRL_V1 = 0;
  CRL_V2 = 1;

//+-------------------------------------------------------------------------
//  Information stored in a certificate request
//
//  The Subject, Algorithm, PublicKey and Attribute BLOBs are the encoded
//  representation of the information.
//--------------------------------------------------------------------------

type
  PCERT_REQUEST_INFO = ^CERT_REQUEST_INFO;
  CERT_REQUEST_INFO = record
    dwVersion            :DWORD;
    Subject              :CERT_NAME_BLOB;
    SubjectPublicKeyInfo :CERT_PUBLIC_KEY_INFO;
    cAttribute           :DWORD;
    rgAttribute          :PCRYPT_ATTRIBUTE;
  end;

//+-------------------------------------------------------------------------
//  Certificate Request versions
//--------------------------------------------------------------------------
const CERT_REQUEST_V1 = 0;

//+-------------------------------------------------------------------------
//  Information stored in Netscape's Keygen request
//--------------------------------------------------------------------------
type
  PCERT_KEYGEN_REQUEST_INFO = ^CERT_KEYGEN_REQUEST_INFO;
  CERT_KEYGEN_REQUEST_INFO = record
    dwVersion            :DWORD;
    SubjectPublicKeyInfo :CERT_PUBLIC_KEY_INFO;
    pwszChallengeString  :LPWSTR;        // encoded as IA5
  end;

const 
  CERT_KEYGEN_REQUEST_V1 = 0;


//+-------------------------------------------------------------------------
//  Certificate, CRL, Certificate Request or Keygen Request Signed Content
//
//  The "to be signed" encoded content plus its signature. The ToBeSigned
//  is the encoded CERT_INFO, CRL_INFO, CERT_REQUEST_INFO or
//  CERT_KEYGEN_REQUEST_INFO.
//--------------------------------------------------------------------------
type
  PCERT_SIGNED_CONTENT_INFO = ^CERT_SIGNED_CONTENT_INFO;
  CERT_SIGNED_CONTENT_INFO = record
    ToBeSigned          :CRYPT_DER_BLOB;
    SignatureAlgorithm  :CRYPT_ALGORITHM_IDENTIFIER;
    Signature           :CRYPT_BIT_BLOB;
end;

//+-------------------------------------------------------------------------
//  Certificate Trust List (CTL)
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CTL Usage. Also used for EnhancedKeyUsage extension.
//--------------------------------------------------------------------------

type
  PCTL_USAGE =^CTL_USAGE;
  CTL_USAGE = record
    cUsageIdentifier :DWORD;
    rgpszUsageIdentifier :PLPSTR;      // array of pszObjId
  end;

type
  CERT_ENHKEY_USAGE = CTL_USAGE;
  PCERT_ENHKEY_USAGE = ^CERT_ENHKEY_USAGE;


//+-------------------------------------------------------------------------
//  An entry in a CTL
//--------------------------------------------------------------------------
type
  PCTL_ENTRY = ^CTL_ENTRY;
  CTL_ENTRY = record
    SubjectIdentifier :CRYPT_DATA_BLOB;    // For example, its hash
    cAttribute        :DWORD;
    rgAttribute       :PCRYPT_ATTRIBUTE;   // OPTIONAL
  end;

//+-------------------------------------------------------------------------
//  Information stored in a CTL
//--------------------------------------------------------------------------
type
  PCTL_INFO = ^CTL_INFO;
  CTL_INFO = record
    dwVersion           :DWORD;
    SubjectUsage        :CTL_USAGE;
    ListIdentifier      :CRYPT_DATA_BLOB;     // OPTIONAL
    SequenceNumber      :CRYPT_INTEGER_BLOB;  // OPTIONAL
    ThisUpdate          :TFILETIME;
    NextUpdate          :TFILETIME;           // OPTIONAL
    SubjectAlgorithm    :CRYPT_ALGORITHM_IDENTIFIER;
    cCTLEntry           :DWORD;
    rgCTLEntry          :PCTL_ENTRY;          // OPTIONAL
    cExtension          :DWORD;
    rgExtension         :PCERT_EXTENSION;     // OPTIONAL
  end;

//+-------------------------------------------------------------------------
//  CTL versions
//--------------------------------------------------------------------------
const 
  CTL_V1 = 0;

//+-------------------------------------------------------------------------
//  TimeStamp Request
//
//  The pszTimeStamp is the OID for the Time type requested
//  The pszContentType is the Content Type OID for the content, usually DATA
//  The Content is a un-decoded blob
//--------------------------------------------------------------------------

type
  PCRYPT_TIME_STAMP_REQUEST_INFO = ^CRYPT_TIME_STAMP_REQUEST_INFO;
  CRYPT_TIME_STAMP_REQUEST_INFO = record
    pszTimeStampAlgorithm :LPSTR;   // pszObjId
    pszContentType        :LPSTR;   // pszObjId
    Content               :CRYPT_OBJID_BLOB;
    cAttribute            :DWORD;
    rgAttribute           :PCRYPT_ATTRIBUTE;
  end;

//+-------------------------------------------------------------------------
//  Certificate and Message encoding types
//
//  The encoding type is a DWORD containing both the certificate and message
//  encoding types. The certificate encoding type is stored in the LOWORD.
//  The message encoding type is stored in the HIWORD. Some functions or
//  structure fields require only one of the encoding types. The following
//  naming convention is used to indicate which encoding type(s) are
//  required:
//      dwEncodingType              (both encoding types are required)
//      dwMsgAndCertEncodingType    (both encoding types are required)
//      dwMsgEncodingType           (only msg encoding type is required)
//      dwCertEncodingType          (only cert encoding type is required)
//
//  Its always acceptable to specify both.
//--------------------------------------------------------------------------

const 
  CERT_ENCODING_TYPE_MASK = $0000FFFF;
  CMSG_ENCODING_TYPE_MASK = $FFFF0000;

//#define GET_CERT_ENCODING_TYPE(X)   (X & CERT_ENCODING_TYPE_MASK)
//#define GET_CMSG_ENCODING_TYPE(X)   (X & CMSG_ENCODING_TYPE_MASK)
function GET_CERT_ENCODING_TYPE(X :DWORD):DWORD;
function GET_CMSG_ENCODING_TYPE(X :DWORD):DWORD;

const 
  CRYPT_ASN_ENCODING  = $00000001;
  CRYPT_NDR_ENCODING = $00000002;
  X509_ASN_ENCODING = $00000001;
  X509_NDR_ENCODING = $00000002;
  PKCS_7_ASN_ENCODING = $00010000;
  PKCS_7_NDR_ENCODING = $00020000;

//+-------------------------------------------------------------------------
//  format the specified data structure according to the certificate
//  encoding type.
//
//--------------------------------------------------------------------------

function CryptFormatObject(dwCertEncodingType :DWORD;
                           dwFormatType       :DWORD;
                           dwFormatStrType    :DWORD;
                           pFormatStruct      :PVOID;
                           lpszStructType     :LPCSTR;
                     const pbEncoded          :PBYTE;
                           cbEncoded          :DWORD;
                           pbFormat           :PVOID;
                           pcbFormat          :PDWORD):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Encode / decode the specified data structure according to the certificate
//  encoding type.
//
//  See below for a list of the predefined data structures.
//--------------------------------------------------------------------------

function CryptEncodeObject(dwCertEncodingType :DWORD;
                           lpszStructType     :LPCSTR;
                     const pvStructInfo       :PVOID;
                           pbEncoded          :PBYTE;
                           pcbEncoded         :PDWORD ):BOOL ; stdcall;

function CryptDecodeObject(dwCertEncodingType :DWORD;
                           lpszStructType     :LPCSTR;
                     const pbEncoded          :PBYTE;
                           cbEncoded          :DWORD;
                           dwFlags            :DWORD;
                           pvStructInfo       :PVOID;
                           pcbStructInfo      :PDWORD):BOOL ; stdcall;

// When the following flag is set the nocopy optimization is enabled.
// This optimization where appropriate, updates the pvStructInfo fields
// to point to content residing within pbEncoded instead of making a copy
// of and appending to pvStructInfo.
//
// Note, when set, pbEncoded can't be freed until pvStructInfo is freed.
const 
  CRYPT_DECODE_NOCOPY_FLAG = $1;

//+-------------------------------------------------------------------------
//  Predefined X509 certificate data structures that can be encoded / decoded.
//--------------------------------------------------------------------------
  CRYPT_ENCODE_DECODE_NONE         = 0;
  X509_CERT                        = (LPCSTR(1));
  X509_CERT_TO_BE_SIGNED           = (LPCSTR(2));
  X509_CERT_CRL_TO_BE_SIGNED       = (LPCSTR(3));
  X509_CERT_REQUEST_TO_BE_SIGNED   = (LPCSTR(4));
  X509_EXTENSIONS                  = (LPCSTR(5));
  X509_NAME_VALUE                  = (LPCSTR(6));
  X509_NAME                        = (LPCSTR(7));
  X509_PUBLIC_KEY_INFO             = (LPCSTR(8));

//+-------------------------------------------------------------------------
//  Predefined X509 certificate extension data structures that can be
//  encoded / decoded.
//--------------------------------------------------------------------------
  X509_AUTHORITY_KEY_ID            = (LPCSTR(9));
  X509_KEY_ATTRIBUTES              = (LPCSTR(10));
  X509_KEY_USAGE_RESTRICTION       = (LPCSTR(11));
  X509_ALTERNATE_NAME              = (LPCSTR(12));
  X509_BASIC_CONSTRAINTS          = (LPCSTR(13));
  X509_KEY_USAGE                   = (LPCSTR(14));
  X509_BASIC_CONSTRAINTS2          = (LPCSTR(15));
  X509_CERT_POLICIES               = (LPCSTR(16));

//+-------------------------------------------------------------------------
//  Additional predefined data structures that can be encoded / decoded.
//--------------------------------------------------------------------------
  PKCS_UTC_TIME                    = (LPCSTR(17));
  PKCS_TIME_REQUEST                = (LPCSTR(18));
  RSA_CSP_PUBLICKEYBLOB            = (LPCSTR(19));
  X509_UNICODE_NAME                = (LPCSTR(20));

  X509_KEYGEN_REQUEST_TO_BE_SIGNED  = (LPCSTR(21));
  PKCS_ATTRIBUTE                    = (LPCSTR(22));
  PKCS_CONTENT_INFO_SEQUENCE_OF_ANY = (LPCSTR(23));

//+-------------------------------------------------------------------------
//  Predefined primitive data structures that can be encoded / decoded.
//--------------------------------------------------------------------------
  X509_UNICODE_NAME_VALUE    = (LPCSTR(24));
  X509_ANY_STRING            = X509_NAME_VALUE;
  X509_UNICODE_ANY_STRING    = X509_UNICODE_NAME_VALUE;
  X509_OCTET_STRING          = (LPCSTR(25));
  X509_BITS                  = (LPCSTR(26));
  X509_INTEGER               = (LPCSTR(27));
  X509_MULTI_BYTE_INTEGER    = (LPCSTR(28));
  X509_ENUMERATED            = (LPCSTR(29));
  X509_CHOICE_OF_TIME        = (LPCSTR(30));

//+-------------------------------------------------------------------------
//  More predefined X509 certificate extension data structures that can be
//  encoded / decoded.
//--------------------------------------------------------------------------

  X509_AUTHORITY_KEY_ID2        = (LPCSTR(31));
//  X509_AUTHORITY_INFO_ACCESS          (LPCSTR(32));
  X509_CRL_REASON_CODE          = X509_ENUMERATED;
  PKCS_CONTENT_INFO             = (LPCSTR(33));
  X509_SEQUENCE_OF_ANY          = (LPCSTR(34));
  X509_CRL_DIST_POINTS          = (LPCSTR(35));
  X509_ENHANCED_KEY_USAGE       = (LPCSTR(36));
  PKCS_CTL                      = (LPCSTR(37));

  X509_MULTI_BYTE_UINT          = (LPCSTR(38));
  X509_DSS_PUBLICKEY            =  X509_MULTI_BYTE_UINT;
  X509_DSS_PARAMETERS           = (LPCSTR(39));
  X509_DSS_SIGNATURE            = (LPCSTR(40));
  PKCS_RC2_CBC_PARAMETERS       = (LPCSTR(41));
  PKCS_SMIME_CAPABILITIES       = (LPCSTR(42));

//+-------------------------------------------------------------------------
//  Predefined PKCS #7 data structures that can be encoded / decoded.
//--------------------------------------------------------------------------
  PKCS7_SIGNER_INFO             = (LPCSTR(500));

//+-------------------------------------------------------------------------
//  Predefined Software Publishing Credential (SPC)  data structures that
//  can be encoded / decoded.
//
//  Predefined values: 2000 .. 2999
//
//  See spc.h for value and data structure definitions.
//--------------------------------------------------------------------------
//+-------------------------------------------------------------------------
//  Extension Object Identifiers
//--------------------------------------------------------------------------
const 
  szOID_AUTHORITY_KEY_IDENTIFIER      = '2.5.29.1';
  szOID_KEY_ATTRIBUTES                = '2.5.29.2';
  szOID_KEY_USAGE_RESTRICTION         = '2.5.29.4';
  szOID_SUBJECT_ALT_NAME              = '2.5.29.7';
  szOID_ISSUER_ALT_NAME               = '2.5.29.8';
  szOID_BASIC_CONSTRAINTS             = '2.5.29.10';
  szOID_KEY_USAGE                     = '2.5.29.15';
  szOID_BASIC_CONSTRAINTS2            = '2.5.29.19';
  szOID_CERT_POLICIES                 = '2.5.29.32';

  szOID_AUTHORITY_KEY_IDENTIFIER2     =  '2.5.29.35';
  szOID_SUBJECT_KEY_IDENTIFIER        = '2.5.29.14';
  szOID_SUBJECT_ALT_NAME2             = '2.5.29.17';
  szOID_ISSUER_ALT_NAME2              = '2.5.29.18';
  szOID_CRL_REASON_CODE               = '2.5.29.21';
  szOID_CRL_DIST_POINTS               = '2.5.29.31';
  szOID_ENHANCED_KEY_USAGE            = '2.5.29.37';


// Internet Public Key Infrastructure
  szOID_PKIX                          = '1.3.6.1.5.5.7';
  szOID_AUTHORITY_INFO_ACCESS         = '1.3.6.1.5.5.7.2';

// Microsoft extensions or attributes
  szOID_CERT_EXTENSIONS               = '1.3.6.1.4.1.311.2.1.14';
  szOID_NEXT_UPDATE_LOCATION          = '1.3.6.1.4.1.311.10.2';

//  Microsoft PKCS #7 ContentType Object Identifiers
  szOID_CTL                           = '1.3.6.1.4.1.311.10.1';

//+-------------------------------------------------------------------------
//  Extension Object Identifiers (currently not implemented)
//--------------------------------------------------------------------------
  szOID_POLICY_MAPPINGS               = '2.5.29.5';
  szOID_SUBJECT_DIR_ATTRS             = '2.5.29.9';

//+-------------------------------------------------------------------------
//  Enhanced Key Usage (Purpose) Object Identifiers
//--------------------------------------------------------------------------
const szOID_PKIX_KP                       = '1.3.6.1.5.5.7.3';

// Consistent key usage bits: DIGITAL_SIGNATURE, KEY_ENCIPHERMENT
// or KEY_AGREEMENT
  szOID_PKIX_KP_SERVER_AUTH           = '1.3.6.1.5.5.7.3.1';

// Consistent key usage bits: DIGITAL_SIGNATURE
  szOID_PKIX_KP_CLIENT_AUTH           = '1.3.6.1.5.5.7.3.2';

// Consistent key usage bits: DIGITAL_SIGNATURE
  szOID_PKIX_KP_CODE_SIGNING          = '1.3.6.1.5.5.7.3.3';

// Consistent key usage bits: DIGITAL_SIGNATURE, NON_REPUDIATION and/or
// (KEY_ENCIPHERMENT or KEY_AGREEMENT)
  szOID_PKIX_KP_EMAIL_PROTECTION      = '1.3.6.1.5.5.7.3.4';

//+-------------------------------------------------------------------------
//  Microsoft Enhanced Key Usage (Purpose) Object Identifiers
//+-------------------------------------------------------------------------

//  Signer of CTLs
  szOID_KP_CTL_USAGE_SIGNING          = '1.3.6.1.4.1.311.10.3.1';

//  Signer of TimeStamps
  szOID_KP_TIME_STAMP_SIGNING         = '1.3.6.1.4.1.311.10.3.2';

//+-------------------------------------------------------------------------
//  Microsoft Attribute Object Identifiers
//+-------------------------------------------------------------------------
  szOID_YESNO_TRUST_ATTR              = '1.3.6.1.4.1.311.10.4.1';

//+-------------------------------------------------------------------------
//  X509_CERT
//
//  The "to be signed" encoded content plus its signature. The ToBeSigned
//  content is the CryptEncodeObject() output for one of the following:
//  X509_CERT_TO_BE_SIGNED, X509_CERT_CRL_TO_BE_SIGNED or
//  X509_CERT_REQUEST_TO_BE_SIGNED.
//
//  pvStructInfo points to CERT_SIGNED_CONTENT_INFO.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_CERT_TO_BE_SIGNED
//
//  pvStructInfo points to CERT_INFO.
//
//  For CryptDecodeObject(), the pbEncoded is the "to be signed" plus its
//  signature (output of a X509_CERT CryptEncodeObject()).
//
//  For CryptEncodeObject(), the pbEncoded is just the "to be signed".
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_CERT_CRL_TO_BE_SIGNED
//
//  pvStructInfo points to CRL_INFO.
//
//  For CryptDecodeObject(), the pbEncoded is the "to be signed" plus its
//  signature (output of a X509_CERT CryptEncodeObject()).
//
//  For CryptEncodeObject(), the pbEncoded is just the "to be signed".
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_CERT_REQUEST_TO_BE_SIGNED
//
//  pvStructInfo points to CERT_REQUEST_INFO.
//
//  For CryptDecodeObject(), the pbEncoded is the "to be signed" plus its
//  signature (output of a X509_CERT CryptEncodeObject()).
//
//  For CryptEncodeObject(), the pbEncoded is just the "to be signed".
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_EXTENSIONS
//  szOID_CERT_EXTENSIONS
//
//  pvStructInfo points to following CERT_EXTENSIONS.
//--------------------------------------------------------------------------
type
  PCERT_EXTENSIONS = ^CERT_EXTENSIONS;
  CERT_EXTENSIONS = record
    cExtension  :DWORD;
    rgExtension :PCERT_EXTENSION;
  end;

//+-------------------------------------------------------------------------
//  X509_NAME_VALUE
//  X509_ANY_STRING
//
//  pvStructInfo points to CERT_NAME_VALUE.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_UNICODE_NAME_VALUE
//  X509_UNICODE_ANY_STRING
//
//  pvStructInfo points to CERT_NAME_VALUE.
//
//  The name values are unicode strings.
//
//  For CryptEncodeObject:
//    Value.pbData points to the unicode string.
//    If Value.cbData = 0, then, the unicode string is NULL terminated.
//    Otherwise, Value.cbData is the unicode string byte count. The byte count
//    is twice the character count.
//
//    If the unicode string contains an invalid character for the specified
//    dwValueType, then, *pcbEncoded is updated with the unicode character
//    index of the first invalid character. LastError is set to:
//    CRYPT_E_INVALID_NUMERIC_STRING, CRYPT_E_INVALID_PRINTABLE_STRING or
//    CRYPT_E_INVALID_IA5_STRING.
//
//    The unicode string is converted before being encoded according to
//    the specified dwValueType. If dwValueType is set to 0, LastError
//    is set to E_INVALIDARG.
//
//    If the dwValueType isn't one of the character strings (its a
//    CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING), then, CryptEncodeObject
//    will return FALSE with LastError set to CRYPT_E_NOT_CHAR_STRING.
//
//  For CryptDecodeObject:
//    Value.pbData points to a NULL terminated unicode string. Value.cbData
//    contains the byte count of the unicode string excluding the NULL
//    terminator. dwValueType contains the type used in the encoded object.
//    Its not forced to CERT_RDN_UNICODE_STRING. The encoded value is
//    converted to the unicode string according to the dwValueType.
//
//    If the encoded object isn't one of the character string types, then,
//    CryptDecodeObject will return FALSE with LastError set to
//    CRYPT_E_NOT_CHAR_STRING. For a non character string, decode using
//    X509_NAME_VALUE or X509_ANY_STRING.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_NAME
//
//  pvStructInfo points to CERT_NAME_INFO.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_UNICODE_NAME
//
//  pvStructInfo points to CERT_NAME_INFO.
//
//  The RDN attribute values are unicode strings except for the dwValueTypes of
//  CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING. These dwValueTypes are
//  the same as for a X509_NAME. Their values aren't converted to/from unicode.
//
//  For CryptEncodeObject:
//    Value.pbData points to the unicode string.
//    If Value.cbData = 0, then, the unicode string is NULL terminated.
//    Otherwise, Value.cbData is the unicode string byte count. The byte count
//    is twice the character count.
//
//    If dwValueType = 0 (CERT_RDN_ANY_TYPE), the pszObjId is used to find
//    an acceptable dwValueType. If the unicode string contains an
//    invalid character for the found or specified dwValueType, then,
//    *pcbEncoded is updated with the error location of the invalid character.
//    See below for details. LastError is set to:
//    CRYPT_E_INVALID_NUMERIC_STRING, CRYPT_E_INVALID_PRINTABLE_STRING or
//    CRYPT_E_INVALID_IA5_STRING.
//
//    The unicode string is converted before being encoded according to
//    the specified or ObjId matching dwValueType.
//
//  For CryptDecodeObject:
//    Value.pbData points to a NULL terminated unicode string. Value.cbData
//    contains the byte count of the unicode string excluding the NULL
//    terminator. dwValueType contains the type used in the encoded object.
//    Its not forced to CERT_RDN_UNICODE_STRING. The encoded value is
//    converted to the unicode string according to the dwValueType.
//
//    If the dwValueType of the encoded value isn't a character string
//    type, then, it isn't converted to UNICODE. Use the
//    IS_CERT_RDN_CHAR_STRING() macro on the dwValueType to check
//    that Value.pbData points to a converted unicode string.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  Unicode Name Value Error Location Definitions
//
//  Error location is returned in *pcbEncoded by
//  CryptEncodeObject(X509_UNICODE_NAME)
//
//  Error location consists of:
//    RDN_INDEX     - 10 bits << 22
//    ATTR_INDEX    - 6 bits << 16
//    VALUE_INDEX   - 16 bits (unicode character index)
//--------------------------------------------------------------------------
const 
  CERT_UNICODE_RDN_ERR_INDEX_MASK     = $3FF;
  CERT_UNICODE_RDN_ERR_INDEX_SHIFT    = 22;
  CERT_UNICODE_ATTR_ERR_INDEX_MASK    = $003F;
  CERT_UNICODE_ATTR_ERR_INDEX_SHIFT   = 16;
  CERT_UNICODE_VALUE_ERR_INDEX_MASK   = $0000FFFF;
  CERT_UNICODE_VALUE_ERR_INDEX_SHIFT  = 0;

{#define GET_CERT_UNICODE_RDN_ERR_INDEX(X)   \
    ((X >> CERT_UNICODE_RDN_ERR_INDEX_SHIFT) & CERT_UNICODE_RDN_ERR_INDEX_MASK)}
function  GET_CERT_UNICODE_RDN_ERR_INDEX(X :integer):integer;
{#define GET_CERT_UNICODE_ATTR_ERR_INDEX(X)  \
    ((X >> CERT_UNICODE_ATTR_ERR_INDEX_SHIFT) & CERT_UNICODE_ATTR_ERR_INDEX_MASK)}
function  GET_CERT_UNICODE_ATTR_ERR_INDEX(X :integer):integer;
{#define GET_CERT_UNICODE_VALUE_ERR_INDEX(X) \
    (X & CERT_UNICODE_VALUE_ERR_INDEX_MASK)}
function  GET_CERT_UNICODE_VALUE_ERR_INDEX(X :integer):integer;

//+-------------------------------------------------------------------------
//  X509_PUBLIC_KEY_INFO
//
//  pvStructInfo points to CERT_PUBLIC_KEY_INFO.
//--------------------------------------------------------------------------


//+-------------------------------------------------------------------------
//  X509_AUTHORITY_KEY_ID
//  szOID_AUTHORITY_KEY_IDENTIFIER
//
//  pvStructInfo points to following CERT_AUTHORITY_KEY_ID_INFO.
//--------------------------------------------------------------------------
type
  PCERT_AUTHORITY_KEY_ID_INFO = ^CERT_AUTHORITY_KEY_ID_INFO;
  CERT_AUTHORITY_KEY_ID_INFO = record
    KeyId            :CRYPT_DATA_BLOB;
    CertIssuer       :CERT_NAME_BLOB;
    CertSerialNumber :CRYPT_INTEGER_BLOB;
  end;

//+-------------------------------------------------------------------------
//  X509_KEY_ATTRIBUTES
//  szOID_KEY_ATTRIBUTES
//
//  pvStructInfo points to following CERT_KEY_ATTRIBUTES_INFO.
//--------------------------------------------------------------------------
type
  PCERT_PRIVATE_KEY_VALIDITY = ^CERT_PRIVATE_KEY_VALIDITY;
  CERT_PRIVATE_KEY_VALIDITY = record
    NotBefore :TFILETIME;
    NotAfter  :TFILETIME;
  end;

type
  PCERT_KEY_ATTRIBUTES_INFO = ^CERT_KEY_ATTRIBUTES_INFO;
  CERT_KEY_ATTRIBUTES_INFO = record
    KeyId                  :CRYPT_DATA_BLOB;
    IntendedKeyUsage       :CRYPT_BIT_BLOB;
    pPrivateKeyUsagePeriod :PCERT_PRIVATE_KEY_VALIDITY;     // OPTIONAL
  end;

const 
  CERT_DIGITAL_SIGNATURE_KEY_USAGE    = $80;
  CERT_NON_REPUDIATION_KEY_USAGE      = $40;
  CERT_KEY_ENCIPHERMENT_KEY_USAGE     = $20;
  CERT_DATA_ENCIPHERMENT_KEY_USAGE    = $10;
  CERT_KEY_AGREEMENT_KEY_USAGE        = $08;
  CERT_KEY_CERT_SIGN_KEY_USAGE        = $04;
  CERT_OFFLINE_CRL_SIGN_KEY_USAGE     = $02;

  CERT_CRL_SIGN_KEY_USAGE             = $02;

//+-------------------------------------------------------------------------
//  X509_KEY_USAGE_RESTRICTION
//  szOID_KEY_USAGE_RESTRICTION
//
//  pvStructInfo points to following CERT_KEY_USAGE_RESTRICTION_INFO.
//--------------------------------------------------------------------------
type
  PCERT_POLICY_ID = ^CERT_POLICY_ID;
  CERT_POLICY_ID = record
    cCertPolicyElementId     :DWORD;
    rgpszCertPolicyElementId :PLPSTR;  // pszObjId
  end;

type
  PCERT_KEY_USAGE_RESTRICTION_INFO = ^CERT_KEY_USAGE_RESTRICTION_INFO;
  CERT_KEY_USAGE_RESTRICTION_INFO = record
    cCertPolicyId      :DWORD;
    rgCertPolicyId     :PCERT_POLICY_ID;
    RestrictedKeyUsage :CRYPT_BIT_BLOB;
  end;

// See CERT_KEY_ATTRIBUTES_INFO for definition of the RestrictedKeyUsage bits

//+-------------------------------------------------------------------------
//  X509_ALTERNATE_NAME
//  szOID_SUBJECT_ALT_NAME
//  szOID_ISSUER_ALT_NAME
//  szOID_SUBJECT_ALT_NAME2
//  szOID_ISSUER_ALT_NAME2
//
//  pvStructInfo points to following CERT_ALT_NAME_INFO.
//--------------------------------------------------------------------------

type
  PCERT_ALT_NAME_ENTRY = ^CERT_ALT_NAME_ENTRY;
  CERT_ALT_NAME_ENTRY = record
    dwAltNameChoice :DWORD;
    case integer of
    {1}0: ({OtherName :Not implemented});
    {2}1: (pwszRfc822Name  :LPWSTR);            //(encoded IA5)
    {3}2: (pwszDNSName     :LPWSTR);            //(encoded IA5)
    {4}3: ({x400Address    :Not implemented});
    {5}4: (DirectoryName   :CERT_NAME_BLOB);
    {6}5: ({pEdiPartyName  :Not implemented});
    {7}6: (pwszURL         :LPWSTR);            //(encoded IA5)
    {8}7: (IPAddress       :CRYPT_DATA_BLOB);   //(Octet String)
    {9}8: (pszRegisteredID :LPSTR);             //(Octet String)
    end;

const 
  CERT_ALT_NAME_OTHER_NAME      = 1;
  CERT_ALT_NAME_RFC822_NAME     = 2;
  CERT_ALT_NAME_DNS_NAME        = 3;
  CERT_ALT_NAME_X400_ADDRESS    = 4;
  CERT_ALT_NAME_DIRECTORY_NAME  = 5;
  CERT_ALT_NAME_EDI_PARTY_NAME  = 6;
  CERT_ALT_NAME_URL             = 7;
  CERT_ALT_NAME_IP_ADDRESS      = 8;
  CERT_ALT_NAME_REGISTERED_ID   = 9;

type
  PCERT_ALT_NAME_INFO = ^CERT_ALT_NAME_INFO;
  CERT_ALT_NAME_INFO = record
    cAltEntry  :DWORD;
    rgAltEntry :PCERT_ALT_NAME_ENTRY;
  end;

//+-------------------------------------------------------------------------
//  Alternate name IA5 Error Location Definitions for
//  CRYPT_E_INVALID_IA5_STRING.
//
//  Error location is returned in *pcbEncoded by
//  CryptEncodeObject(X509_ALTERNATE_NAME)
//
//  Error location consists of:
//    ENTRY_INDEX   - 8 bits << 16
//    VALUE_INDEX   - 16 bits (unicode character index)
//--------------------------------------------------------------------------

const 
  CERT_ALT_NAME_ENTRY_ERR_INDEX_MASK  = $FF;
  CERT_ALT_NAME_ENTRY_ERR_INDEX_SHIFT = 16;
  CERT_ALT_NAME_VALUE_ERR_INDEX_MASK  = $0000FFFF;
  CERT_ALT_NAME_VALUE_ERR_INDEX_SHIFT = 0;

{#define GET_CERT_ALT_NAME_ENTRY_ERR_INDEX(X)   \
    ((X >> CERT_ALT_NAME_ENTRY_ERR_INDEX_SHIFT) & \
                                  CERT_ALT_NAME_ENTRY_ERR_INDEX_MASK)}
function GET_CERT_ALT_NAME_ENTRY_ERR_INDEX(X :DWORD):DWORD;

{#define GET_CERT_ALT_NAME_VALUE_ERR_INDEX(X) \
    (X & CERT_ALT_NAME_VALUE_ERR_INDEX_MASK)}
function GET_CERT_ALT_NAME_VALUE_ERR_INDEX(X :DWORD):DWORD;

//+-------------------------------------------------------------------------
//  X509_BASIC_CONSTRAINTS
//  szOID_BASIC_CONSTRAINTS
//
//  pvStructInfo points to following CERT_BASIC_CONSTRAINTS_INFO.
//--------------------------------------------------------------------------

type
  PCERT_BASIC_CONSTRAINTS_INFO = ^CERT_BASIC_CONSTRAINTS_INFO;
  CERT_BASIC_CONSTRAINTS_INFO = record
    SubjectType          :CRYPT_BIT_BLOB;
    fPathLenConstraint   :BOOL;
    dwPathLenConstraint  :DWORD;
    cSubtreesConstraint  :DWORD;
    rgSubtreesConstraint :PCERT_NAME_BLOB;
  end;

const 
  CERT_CA_SUBJECT_FLAG         = $80;
  CERT_END_ENTITY_SUBJECT_FLAG = $40;

//+-------------------------------------------------------------------------
//  X509_BASIC_CONSTRAINTS2
//  szOID_BASIC_CONSTRAINTS2
//
//  pvStructInfo points to following CERT_BASIC_CONSTRAINTS2_INFO.
//--------------------------------------------------------------------------

type
  PCERT_BASIC_CONSTRAINTS2_INFO = ^CERT_BASIC_CONSTRAINTS2_INFO;
  CERT_BASIC_CONSTRAINTS2_INFO = record
    fCA                 :BOOL;
    fPathLenConstraint  :BOOL;
    dwPathLenConstraint :DWORD;
  end;

//+-------------------------------------------------------------------------
//  X509_KEY_USAGE
//  szOID_KEY_USAGE
//
//  pvStructInfo points to a CRYPT_BIT_BLOB. Has same bit definitions as
//  CERT_KEY_ATTRIBUTES_INFO's IntendedKeyUsage.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_CERT_POLICIES
//  szOID_CERT_POLICIES
//
//  pvStructInfo points to following CERT_POLICIES_INFO.
//--------------------------------------------------------------------------

type
  PCERT_POLICY_QUALIFIER_INFO = ^CERT_POLICY_QUALIFIER_INFO;
  CERT_POLICY_QUALIFIER_INFO = record
    pszPolicyQualifierId  :LPSTR;            // pszObjId
    Qualifier             :CRYPT_OBJID_BLOB; // optional
  end;

type
  PCERT_POLICY_INFO = ^CERT_POLICY_INFO;
  CERT_POLICY_INFO = record
    pszPolicyIdentifier :LPSTR;    // pszObjId
    cPolicyQualifier    :DWORD;       // optional
    rgPolicyQualifier   :PCERT_POLICY_QUALIFIER_INFO;
  end;

type
  PCERT_POLICIES_INFO = ^CERT_POLICIES_INFO;
  CERT_POLICIES_INFO = record
    cPolicyInfo  :DWORD;
    rgPolicyInfo :PCERT_POLICY_INFO;
  end;

//+-------------------------------------------------------------------------
//  RSA_CSP_PUBLICKEYBLOB
//
//  pvStructInfo points to a PUBLICKEYSTRUC immediately followed by a
//  RSAPUBKEY and the modulus bytes.
//
//  CryptExportKey outputs the above StructInfo for a dwBlobType of
//  PUBLICKEYBLOB. CryptImportKey expects the above StructInfo when
//  importing a public key.
//
//  For dwCertEncodingType = X509_ASN_ENCODING, the RSA_CSP_PUBLICKEYBLOB is
//  encoded as a PKCS #1 RSAPublicKey consisting of a SEQUENCE of a
//  modulus INTEGER and a publicExponent INTEGER. The modulus is encoded
//  as being a unsigned integer. When decoded, if the modulus was encoded
//  as unsigned integer with a leading 0 byte, the 0 byte is removed before
//  converting to the CSP modulus bytes.
//
//  For decode, the aiKeyAlg field of PUBLICKEYSTRUC is always set to
//  CALG_RSA_KEYX.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_KEYGEN_REQUEST_TO_BE_SIGNED
//
//  pvStructInfo points to CERT_KEYGEN_REQUEST_INFO.
//
//  For CryptDecodeObject(), the pbEncoded is the "to be signed" plus its
//  signature (output of a X509_CERT CryptEncodeObject()).
//
//  For CryptEncodeObject(), the pbEncoded is just the "to be signed".
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  PKCS_ATTRIBUTE data structure
//
//  pvStructInfo points to a CRYPT_ATTRIBUTE.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  PKCS_CONTENT_INFO_SEQUENCE_OF_ANY data structure
//
//  pvStructInfo points to following CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY.
//
//  For X509_ASN_ENCODING: encoded as a PKCS#7 ContentInfo structure wrapping
//  a sequence of ANY. The value of the contentType field is pszObjId,
//  while the content field is the following structure:
//      SequenceOfAny ::= SEQUENCE OF ANY
//
//  The CRYPT_DER_BLOBs point to the already encoded ANY content.
//--------------------------------------------------------------------------

type
  PCRYPT_CONTENT_INFO_SEQUENCE_OF_ANY = ^CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY;
  CRYPT_CONTENT_INFO_SEQUENCE_OF_ANY = record
    pszObjId :LPSTR;
    cValue   :DWORD;
    rgValue  :PCRYPT_DER_BLOB;
  end;

//+-------------------------------------------------------------------------
//  PKCS_CONTENT_INFO data structure
//
//  pvStructInfo points to following CRYPT_CONTENT_INFO.
//
//  For X509_ASN_ENCODING: encoded as a PKCS#7 ContentInfo structure.
//  The CRYPT_DER_BLOB points to the already encoded ANY content.
//--------------------------------------------------------------------------

type
  PCRYPT_CONTENT_INFO = ^CRYPT_CONTENT_INFO;
  CRYPT_CONTENT_INFO = record
    pszObjId :LPSTR;
    Content  :CRYPT_DER_BLOB;
  end;


//+-------------------------------------------------------------------------
//  X509_OCTET_STRING data structure
//
//  pvStructInfo points to a CRYPT_DATA_BLOB.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_BITS data structure
//
//  pvStructInfo points to a CRYPT_BIT_BLOB.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_INTEGER data structure
//
//  pvStructInfo points to an int.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_MULTI_BYTE_INTEGER data structure
//
//  pvStructInfo points to a CRYPT_INTEGER_BLOB.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_ENUMERATED data structure
//
//  pvStructInfo points to an int containing the enumerated value
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_CHOICE_OF_TIME data structure
//
//  pvStructInfo points to a FILETIME.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_SEQUENCE_OF_ANY data structure
//
//  pvStructInfo points to following CRYPT_SEQUENCE_OF_ANY.
//
//  The CRYPT_DER_BLOBs point to the already encoded ANY content.
//--------------------------------------------------------------------------

type
  PCRYPT_SEQUENCE_OF_ANY = ^CRYPT_SEQUENCE_OF_ANY;
  CRYPT_SEQUENCE_OF_ANY = record
    cValue  :DWORD;
    rgValue :PCRYPT_DER_BLOB;
  end;

//+-------------------------------------------------------------------------
//  X509_AUTHORITY_KEY_ID2
//  szOID_AUTHORITY_KEY_IDENTIFIER2
//
//  pvStructInfo points to following CERT_AUTHORITY_KEY_ID2_INFO.
//
//  For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
//  *pcbEncoded by CryptEncodeObject(X509_AUTHORITY_KEY_ID2)
//
//  See X509_ALTERNATE_NAME for error location defines.
//--------------------------------------------------------------------------

type
  PCERT_AUTHORITY_KEY_ID2_INFO = ^CERT_AUTHORITY_KEY_ID2_INFO;
  CERT_AUTHORITY_KEY_ID2_INFO = record
    KeyId                     :CRYPT_DATA_BLOB;
    AuthorityCertIssuer       :CERT_ALT_NAME_INFO;  // Optional, set cAltEntry to 0 to omit.
    AuthorityCertSerialNumber :CRYPT_INTEGER_BLOB;
  end;

//+-------------------------------------------------------------------------
//  szOID_SUBJECT_KEY_IDENTIFIER
//
//  pvStructInfo points to a CRYPT_DATA_BLOB.
//--------------------------------------------------------------------------


//+-------------------------------------------------------------------------
//  X509_CRL_REASON_CODE
//  szOID_CRL_REASON_CODE
//
//  pvStructInfo points to an int which can be set to one of the following
//  enumerated values:
//--------------------------------------------------------------------------

const 
  CRL_REASON_UNSPECIFIED            = 0;
  CRL_REASON_KEY_COMPROMISE         = 1;
  CRL_REASON_CA_COMPROMISE          = 2;
  CRL_REASON_AFFILIATION_CHANGED    = 3;
  CRL_REASON_SUPERSEDED             = 4;
  CRL_REASON_CESSATION_OF_OPERATION = 5;
  CRL_REASON_CERTIFICATE_HOLD       = 6;
  CRL_REASON_REMOVE_FROM_CRL        = 8;

//+-------------------------------------------------------------------------
//  X509_CRL_DIST_POINTS
//  szOID_CRL_DIST_POINTS
//
//  pvStructInfo points to following CRL_DIST_POINTS_INFO.
//
//  For CRYPT_E_INVALID_IA5_STRING, the error location is returned in
//  *pcbEncoded by CryptEncodeObject(X509_CRL_DIST_POINTS)
//
//  Error location consists of:
//    CRL_ISSUER_BIT    - 1 bit  << 31 (0 for FullName, 1 for CRLIssuer)
//    POINT_INDEX       - 7 bits << 24
//    ENTRY_INDEX       - 8 bits << 16
//    VALUE_INDEX       - 16 bits (unicode character index)
//
//  See X509_ALTERNATE_NAME for ENTRY_INDEX and VALUE_INDEX error location
//  defines.
//--------------------------------------------------------------------------

type
  PCRL_DIST_POINT_NAME = ^CRL_DIST_POINT_NAME;
  CRL_DIST_POINT_NAME = record
    dwDistPointNameChoice :DWORD;
    case integer of
      0:(FullName :CERT_ALT_NAME_INFO);  {1}
      1:({IssuerRDN :Not implemented});  {2}
  end;

const 
  CRL_DIST_POINT_NO_NAME         = 0;
  CRL_DIST_POINT_FULL_NAME       = 1;
  CRL_DIST_POINT_ISSUER_RDN_NAME = 2;

type
  PCRL_DIST_POINT = ^CRL_DIST_POINT;
  CRL_DIST_POINT = record
    DistPointName :CRL_DIST_POINT_NAME;   // OPTIONAL
    ReasonFlags   :CRYPT_BIT_BLOB;        // OPTIONAL
    CRLIssuer     :CERT_ALT_NAME_INFO;    // OPTIONAL
  end;

const 
  CRL_REASON_UNUSED_FLAG                 = $80;
  CRL_REASON_KEY_COMPROMISE_FLAG         = $40;
  CRL_REASON_CA_COMPROMISE_FLAG          = $20;
  CRL_REASON_AFFILIATION_CHANGED_FLAG    = $10;
  CRL_REASON_SUPERSEDED_FLAG             = $08;
  CRL_REASON_CESSATION_OF_OPERATION_FLAG = $04;
  CRL_REASON_CERTIFICATE_HOLD_FLAG       = $02;

type
  PCRL_DIST_POINTS_INFO = ^CRL_DIST_POINTS_INFO;
  CRL_DIST_POINTS_INFO = record
    cDistPoint  :DWORD;
    rgDistPoint :PCRL_DIST_POINT;
  end;

const 
  CRL_DIST_POINT_ERR_INDEX_MASK  = $7F;
  CRL_DIST_POINT_ERR_INDEX_SHIFT = 24;

{#define GET_CRL_DIST_POINT_ERR_INDEX(X)   \
    ((X >> CRL_DIST_POINT_ERR_INDEX_SHIFT) & CRL_DIST_POINT_ERR_INDEX_MASK)}
function GET_CRL_DIST_POINT_ERR_INDEX(X :DWORD):DWORD;
const CRL_DIST_POINT_ERR_CRL_ISSUER_BIT = (DWORD($80000000));

{#define IS_CRL_DIST_POINT_ERR_CRL_ISSUER(X)   \
    (0 != (X & CRL_DIST_POINT_ERR_CRL_ISSUER_BIT))}
function IS_CRL_DIST_POINT_ERR_CRL_ISSUER(X :DWORD):BOOL;

//+-------------------------------------------------------------------------
//  X509_ENHANCED_KEY_USAGE
//  szOID_ENHANCED_KEY_USAGE
//
//  pvStructInfo points to a CERT_ENHKEY_USAGE, CTL_USAGE.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  szOID_NEXT_UPDATE_LOCATION
//
//  pvStructInfo points to a CERT_ALT_NAME_INFO.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  PKCS_CTL
//  szOID_CTL
//
//  pvStructInfo points to a CTL_INFO.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_MULTI_BYTE_UINT
//
//  pvStructInfo points to a CRYPT_UINT_BLOB. Before encoding, inserts a
//  leading 0x00. After decoding, removes a leading 0x00.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_DSS_PUBLICKEY
//
//  pvStructInfo points to a CRYPT_UINT_BLOB.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  X509_DSS_PARAMETERS
//
//  pvStructInfo points to following CERT_DSS_PARAMETERS data structure.
//--------------------------------------------------------------------------

type
  PCERT_DSS_PARAMETERS = ^CERT_DSS_PARAMETERS;
  CERT_DSS_PARAMETERS = record
    p :CRYPT_UINT_BLOB;
    q :CRYPT_UINT_BLOB;
    g :CRYPT_UINT_BLOB;
  end;

//+-------------------------------------------------------------------------
//  X509_DSS_SIGNATURE
//
//  pvStructInfo is a BYTE rgbSignature[CERT_DSS_SIGNATURE_LEN]. The
//  bytes are ordered as output by the DSS CSP's CryptSignHash().
//--------------------------------------------------------------------------

const 
  CERT_DSS_R_LEN         = 20;
  CERT_DSS_S_LEN         = 20;
  CERT_DSS_SIGNATURE_LEN = (CERT_DSS_R_LEN + CERT_DSS_S_LEN);

// Sequence of 2 unsigned integers (the extra +1 is for a potential leading
// 0x00 to make the integer unsigned)
  CERT_MAX_ASN_ENCODED_DSS_SIGNATURE_LEN = (2 + 2*(2 + 20 +1));

//+-------------------------------------------------------------------------
//  PKCS_RC2_CBC_PARAMETERS
//  szOID_RSA_RC2CBC
//
//  pvStructInfo points to following CRYPT_RC2_CBC_PARAMETERS data structure.
//--------------------------------------------------------------------------

type
  PCRYPT_RC2_CBC_PARAMETERS = ^CRYPT_RC2_CBC_PARAMETERS;
  CRYPT_RC2_CBC_PARAMETERS = record
    dwVersion :DWORD;
    fIV       :BOOL;           // set if has following IV
    rgbIV     :array[0..8-1] of BYTE;
  end;

const 
  CRYPT_RC2_40BIT_VERSION  = 160;
  CRYPT_RC2_64BIT_VERSION  = 120;
  CRYPT_RC2_128BIT_VERSION = 58;


//+-------------------------------------------------------------------------
//  PKCS_SMIME_CAPABILITIES
//  szOID_RSA_SMIMECapabilities
//
//  pvStructInfo points to following CRYPT_SMIME_CAPABILITIES data structure.
//
//  Note, for CryptEncodeObject(X509_ASN_ENCODING), Parameters.cbData == 0
//  causes the encoded parameters to be omitted and not encoded as a NULL
//  (05 00) as is done when encoding a CRYPT_ALGORITHM_IDENTIFIER. This
//  is per the SMIME specification for encoding capabilities.
//--------------------------------------------------------------------------

type
  PCRYPT_SMIME_CAPABILITY = ^CRYPT_SMIME_CAPABILITY;
  CRYPT_SMIME_CAPABILITY = record
    pszObjId   :LPSTR;
    Parameters :CRYPT_OBJID_BLOB;
  end;

type
  PCRYPT_SMIME_CAPABILITIES = ^CRYPT_SMIME_CAPABILITIES;
  CRYPT_SMIME_CAPABILITIES = record
    cCapability  :DWORD;
    rgCapability :PCRYPT_SMIME_CAPABILITY;
  end;


//+-------------------------------------------------------------------------
//  PKCS7_SIGNER_INFO
//
//  pvStructInfo points to CMSG_SIGNER_INFO.
//--------------------------------------------------------------------------


//+-------------------------------------------------------------------------
//  Netscape Certificate Extension Object Identifiers
//--------------------------------------------------------------------------

const 
  szOID_NETSCAPE                   = '2.16.840.1.113730';
  szOID_NETSCAPE_CERT_EXTENSION    = '2.16.840.1.113730.1';
  szOID_NETSCAPE_CERT_TYPE         = '2.16.840.1.113730.1.1';
  szOID_NETSCAPE_BASE_URL          = '2.16.840.1.113730.1.2';
  szOID_NETSCAPE_REVOCATION_URL    = '2.16.840.1.113730.1.3';
  szOID_NETSCAPE_CA_REVOCATION_URL = '2.16.840.1.113730.1.4';
  szOID_NETSCAPE_CERT_RENEWAL_URL  = '2.16.840.1.113730.1.7';
  szOID_NETSCAPE_CA_POLICY_URL     = '2.16.840.1.113730.1.8';
  szOID_NETSCAPE_SSL_SERVER_NAME   = '2.16.840.1.113730.1.12';
  szOID_NETSCAPE_COMMENT           = '2.16.840.1.113730.1.13';

//+-------------------------------------------------------------------------
//  Netscape Certificate Data Type Object Identifiers
//--------------------------------------------------------------------------

const 
  szOID_NETSCAPE_DATA_TYPE      = '2.16.840.1.113730.2';
  szOID_NETSCAPE_CERT_SEQUENCE  = '2.16.840.1.113730.2.5';

//+-------------------------------------------------------------------------
//  szOID_NETSCAPE_CERT_TYPE extension
//
//  Its value is a bit string. CryptDecodeObject/CryptEncodeObject using
//  X509_BITS.
//
//  The following bits are defined:
//--------------------------------------------------------------------------

const 
  NETSCAPE_SSL_CLIENT_AUTH_CERT_TYPE  = $80;
  NETSCAPE_SSL_SERVER_AUTH_CERT_TYPE  = $40;
  NETSCAPE_SSL_CA_CERT_TYPE           = $04;

//+-------------------------------------------------------------------------
//  szOID_NETSCAPE_BASE_URL extension
//
//  Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
//  X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
//  dwValueType = CERT_RDN_IA5_STRING.
//
//  When present this string is added to the beginning of all relative URLs
//  in the certificate.  This extension can be considered an optimization
//  to reduce the size of the URL extensions.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  szOID_NETSCAPE_REVOCATION_URL extension
//
//  Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
//  X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
//  dwValueType = CERT_RDN_IA5_STRING.
//
//  It is a relative or absolute URL that can be used to check the
//  revocation status of a certificate. The revocation check will be
//  performed as an HTTP GET method using a url that is the concatenation of
//  revocation-url and certificate-serial-number.
//  Where the certificate-serial-number is encoded as a string of
//  ascii hexadecimal digits. For example, if the netscape-base-url is
//  https://www.certs-r-us.com/, the netscape-revocation-url is
//  cgi-bin/check-rev.cgi?, and the certificate serial number is 173420,
//  the resulting URL would be:
//  https://www.certs-r-us.com/cgi-bin/check-rev.cgi?02a56c
//
//  The server should return a document with a Content-Type of
//  application/x-netscape-revocation.  The document should contain
//  a single ascii digit, '1' if the certificate is not curently valid,
//  and '0' if it is curently valid.
//
//  Note: for all of the URLs that include the certificate serial number,
//  the serial number will be encoded as a string which consists of an even
//  number of hexadecimal digits.  If the number of significant digits is odd,
//  the string will have a single leading zero to ensure an even number of
//  digits is generated.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  szOID_NETSCAPE_CA_REVOCATION_URL extension
//
//  Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
//  X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
//  dwValueType = CERT_RDN_IA5_STRING.
//
//  It is a relative or absolute URL that can be used to check the
//  revocation status of any certificates that are signed by the CA that
//  this certificate belongs to. This extension is only valid in CA
//  certificates.  The use of this extension is the same as the above
//  szOID_NETSCAPE_REVOCATION_URL extension.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  szOID_NETSCAPE_CERT_RENEWAL_URL extension
//
//  Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
//  X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
//  dwValueType = CERT_RDN_IA5_STRING.
//
//  It is a relative or absolute URL that points to a certificate renewal
//  form. The renewal form will be accessed with an HTTP GET method using a
//  url that is the concatenation of renewal-url and
//  certificate-serial-number. Where the certificate-serial-number is
//  encoded as a string of ascii hexadecimal digits. For example, if the
//  netscape-base-url is https://www.certs-r-us.com/, the
//  netscape-cert-renewal-url is cgi-bin/check-renew.cgi?, and the
//  certificate serial number is 173420, the resulting URL would be:
//  https://www.certs-r-us.com/cgi-bin/check-renew.cgi?02a56c
//  The document returned should be an HTML form that will allow the user
//  to request a renewal of their certificate.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  szOID_NETSCAPE_CA_POLICY_URL extension
//
//  Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
//  X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
//  dwValueType = CERT_RDN_IA5_STRING.
//
//  It is a relative or absolute URL that points to a web page that
//  describes the policies under which the certificate was issued.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  szOID_NETSCAPE_SSL_SERVER_NAME extension
//
//  Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
//  X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
//  dwValueType = CERT_RDN_IA5_STRING.
//
//  It is a "shell expression" that can be used to match the hostname of the
//  SSL server that is using this certificate.  It is recommended that if
//  the server's hostname does not match this pattern the user be notified
//  and given the option to terminate the SSL connection.  If this extension
//  is not present then the CommonName in the certificate subject's
//  distinguished name is used for the same purpose.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  szOID_NETSCAPE_COMMENT extension
//
//  Its value is an IA5_STRING. CryptDecodeObject/CryptEncodeObject using
//  X509_ANY_STRING or X509_UNICODE_ANY_STRING, where,
//  dwValueType = CERT_RDN_IA5_STRING.
//
//  It is a comment that may be displayed to the user when the certificate
//  is viewed.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  szOID_NETSCAPE_CERT_SEQUENCE
//
//  Its value is a PKCS#7 ContentInfo structure wrapping a sequence of
//  certificates. The value of the contentType field is
//  szOID_NETSCAPE_CERT_SEQUENCE, while the content field is the following
//  structure:
//      CertificateSequence ::= SEQUENCE OF Certificate.
//
//  CryptDecodeObject/CryptEncodeObject using
//  PKCS_CONTENT_INFO_SEQUENCE_OF_ANY, where,
//  pszObjId = szOID_NETSCAPE_CERT_SEQUENCE and the CRYPT_DER_BLOBs point
//  to encoded X509 certificates.
//--------------------------------------------------------------------------


//+=========================================================================
//  Object IDentifier (OID) Installable Functions:  Data Structures and APIs
//==========================================================================

type
  HCRYPTOIDFUNCSET = procedure;
  HCRYPTOIDFUNCADDR = procedure;

// Predefined OID Function Names
const 
  CRYPT_OID_ENCODE_OBJECT_FUNC     = 'CryptDllEncodeObject';
  CRYPT_OID_DECODE_OBJECT_FUNC     = 'CryptDllDecodeObject';
  CRYPT_OID_CREATE_COM_OBJECT_FUNC = 'CryptDllCreateCOMObject';
  CRYPT_OID_VERIFY_REVOCATION_FUNC = 'CertDllVerifyRevocation';
  CRYPT_OID_VERIFY_CTL_USAGE_FUNC  = 'CertDllVerifyCTLUsage';
  CRYPT_OID_FORMAT_OBJECT_FUNC     = 'CryptDllFormatObject';
  CRYPT_OID_FIND_OID_INFO_FUNC     = 'CryptDllFindOIDInfo';

// CryptDllEncodeObject has same function signature as CryptEncodeObject.

// CryptDllDecodeObject has same function signature as CryptDecodeObject.

// CryptDllCreateCOMObject has the following signature:
//      BOOL WINAPI CryptDllCreateCOMObject(
//          IN DWORD dwEncodingType,
//          IN LPCSTR pszOID,
//          IN PCRYPT_DATA_BLOB pEncodedContent,
//          IN DWORD dwFlags,
//          IN REFIID riid,
//          OUT void **ppvObj);

// CertDllVerifyRevocation has the same signature as CertVerifyRevocation
//  (See CertVerifyRevocation for details on when called)

// CertDllVerifyCTLUsage has the same signature as CertVerifyCTLUsage

// CryptDllFindOIDInfo currently is only used to store values used by
// CryptFindOIDInfo. See CryptFindOIDInfo() for more details.

//  Example of a complete OID Function Registry Name:
//    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
//      Encoding Type 1\CryptDllEncodeObject\1.2.3
//
//  The key's L"Dll" value contains the name of the Dll.
//  The key's L"FuncName" value overrides the default function name

const 
  CRYPT_OID_REGPATH                    = 'Software\\Microsoft\\Cryptography\\OID';
  CRYPT_OID_REG_ENCODING_TYPE_PREFIX   = 'EncodingType ';
{$IFNDEF VER90}
    CRYPT_OID_REG_DLL_VALUE_NAME         = WideString('Dll');
    CRYPT_OID_REG_FUNC_NAME_VALUE_NAME   = WideString('FuncName');
{$ELSE}
    CRYPT_OID_REG_DLL_VALUE_NAME         = ('Dll');
    CRYPT_OID_REG_FUNC_NAME_VALUE_NAME   = ('FuncName');
{$ENDIF}
  CRYPT_OID_REG_FUNC_NAME_VALUE_NAME_A = 'FuncName';

// OID used for Default OID functions
  CRYPT_DEFAULT_OID    = 'DEFAULT';

type
  PCRYPT_OID_FUNC_ENTRY = ^CRYPT_OID_FUNC_ENTRY;
  CRYPT_OID_FUNC_ENTRY = record
    pszOID     :LPCSTR;
    pvFuncAddr :PVOID;
  end;

const 
  CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG = 1;

//+-------------------------------------------------------------------------
//  Install a set of callable OID function addresses.
//
//  By default the functions are installed at end of the list.
//  Set CRYPT_INSTALL_OID_FUNC_BEFORE_FLAG to install at beginning of list.
//
//  hModule should be updated with the hModule passed to DllMain to prevent
//  the Dll containing the function addresses from being unloaded by
//  CryptGetOIDFuncAddress/CryptFreeOIDFunctionAddress. This would be the
//  case when the Dll has also regsvr32'ed OID functions via
//  CryptRegisterOIDFunction.
//
//  DEFAULT functions are installed by setting rgFuncEntry[].pszOID =
//  CRYPT_DEFAULT_OID.
//--------------------------------------------------------------------------

function CryptInstallOIDFunctionAddress(hModule :HMODULE;  // hModule passed to DllMain
                                        dwEncodingType :DWORD;
                                        pszFuncName :LPCSTR;
                                        cFuncEntry :DWORD;
                                  const rgFuncEntry :array of CRYPT_OID_FUNC_ENTRY;
                                        dwFlags :DWORD):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Initialize and return handle to the OID function set identified by its
//  function name.
//
//  If the set already exists, a handle to the existing set is returned.
//--------------------------------------------------------------------------

function CryptInitOIDFunctionSet(pszFuncName :LPCSTR;
                                 dwFlags :DWORD ):HCRYPTOIDFUNCSET ; stdcall;
//+-------------------------------------------------------------------------
//  Search the list of installed functions for an encoding type and OID match.
//  If not found, search the registry.
//
//  For success, returns TRUE with *ppvFuncAddr updated with the function's
//  address and *phFuncAddr updated with the function address's handle.
//  The function's handle is AddRef'ed. CryptFreeOIDFunctionAddress needs to
//  be called to release it.
//
//  For a registry match, the Dll containing the function is loaded.
//--------------------------------------------------------------------------

function CryptGetOIDFunctionAddress(hFuncSet :HCRYPTOIDFUNCSET;
                                    dwEncodingType :DWORD;
                                    pszOID :LPCSTR;
                                    dwFlags :DWORD;
                                var ppvFuncAddr :array of PVOID;
                                var phFuncAddr :HCRYPTOIDFUNCADDR):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Get the list of registered default Dll entries for the specified
//  function set and encoding type.
//
//  The returned list consists of none, one or more null terminated Dll file
//  names. The list is terminated with an empty (L"\0") Dll file name.
//  For example: L"first.dll" L"\0" L"second.dll" L"\0" L"\0"
//--------------------------------------------------------------------------

function CryptGetDefaultOIDDllList(hFuncSet :HCRYPTOIDFUNCSET;
                                   dwEncodingType :DWORD;
                                   pwszDllList    :LPWSTR;
                                   pcchDllList    :PDWORD):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Either: get the first or next installed DEFAULT function OR
//  load the Dll containing the DEFAULT function.
//
//  If pwszDll is NULL, search the list of installed DEFAULT functions.
//  *phFuncAddr must be set to NULL to get the first installed function.
//  Successive installed functions are returned by setting *phFuncAddr
//  to the hFuncAddr returned by the previous call.
//
//  If pwszDll is NULL, the input *phFuncAddr
//  is always CryptFreeOIDFunctionAddress'ed by this function, even for
//  an error.
//
//  If pwszDll isn't NULL, then, attempts to load the Dll and the DEFAULT
//  function. *phFuncAddr is ignored upon entry and isn't
//  CryptFreeOIDFunctionAddress'ed.
//
//  For success, returns TRUE with *ppvFuncAddr updated with the function's
//  address and *phFuncAddr updated with the function address's handle.
//  The function's handle is AddRef'ed. CryptFreeOIDFunctionAddress needs to
//  be called to release it or CryptGetDefaultOIDFunctionAddress can also
//  be called for a NULL pwszDll.
//--------------------------------------------------------------------------

function CryptGetDefaultOIDFunctionAddress(hFuncSet :HCRYPTOIDFUNCSET;
                                           dwEncodingType :DWORD;
                                           pwszDll :DWORD;
                                           dwFlags :LPCWSTR;
                                       var ppvFuncAddr :array of PVOID;
                                       var phFuncAddr :HCRYPTOIDFUNCADDR):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Releases the handle AddRef'ed and returned by CryptGetOIDFunctionAddress
//  or CryptGetDefaultOIDFunctionAddress.
//
//  If a Dll was loaded for the function its unloaded. However, before doing
//  the unload, the DllCanUnloadNow function exported by the loaded Dll is
//  called. It should return S_FALSE to inhibit the unload or S_TRUE to enable
//  the unload. If the Dll doesn't export DllCanUnloadNow, the Dll is unloaded.
//
//  DllCanUnloadNow has the following signature:
//      STDAPI  DllCanUnloadNow(void);
//--------------------------------------------------------------------------

function CryptFreeOIDFunctionAddress(hFuncAddr :HCRYPTOIDFUNCADDR;
                                     dwFlags :DWORD):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Register the Dll containing the function to be called for the specified
//  encoding type, function name and OID.
//
//  pwszDll may contain environment-variable strings
//  which are ExpandEnvironmentStrings()'ed before loading the Dll.
//
//  In addition to registering the DLL, you may override the
//  name of the function to be called. For example,
//      pszFuncName = "CryptDllEncodeObject",
//      pszOverrideFuncName = "MyEncodeXyz".
//  This allows a Dll to export multiple OID functions for the same
//  function name without needing to interpose its own OID dispatcher function.
//--------------------------------------------------------------------------

function CryptRegisterOIDFunction(dwEncodingType :DWORD;
                                  pszFuncName :LPCSTR;
                                  pszOID :LPCSTR; //OPTIONAL
                                  pwszDll :LPCWSTR; //OPTIONAL
                                  pszOverrideFuncName :LPCSTR):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Unregister the Dll containing the function to be called for the specified
//  encoding type, function name and OID.
//--------------------------------------------------------------------------

function CryptUnregisterOIDFunction(dwEncodingType :DWORD;
                                    pszFuncName :LPCSTR;
                                    pszOID :LPCSTR):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Register the Dll containing the default function to be called for the
//  specified encoding type and function name.
//
//  Unlike CryptRegisterOIDFunction, you can't override the function name
//  needing to be exported by the Dll.
//
//  The Dll is inserted before the entry specified by dwIndex.
//    dwIndex == 0, inserts at the beginning.
//    dwIndex == CRYPT_REGISTER_LAST_INDEX, appends at the end.
//
//  pwszDll may contain environment-variable strings
//  which are ExpandEnvironmentStrings()'ed before loading the Dll.
//--------------------------------------------------------------------------

function CryptRegisterDefaultOIDFunction(dwEncodingType :DWORD;
                                         pszFuncName :LPCSTR;
                                         dwIndex :DWORD;
                                         pwszDll :LPCWSTR):BOOL ; stdcall;

const 
  CRYPT_REGISTER_FIRST_INDEX = 0;
  CRYPT_REGISTER_LAST_INDEX  = $FFFFFFFF;

//+-------------------------------------------------------------------------
//  Unregister the Dll containing the default function to be called for
//  the specified encoding type and function name.
//--------------------------------------------------------------------------

function CryptUnregisterDefaultOIDFunction(dwEncodingType :DWORD;
                                           pszFuncName :LPCSTR;
                                           pwszDll :LPCWSTR):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Set the value for the specified encoding type, function name, OID and
//  value name.
//
//  See RegSetValueEx for the possible value types.
//
//  String types are UNICODE.
//--------------------------------------------------------------------------

function CryptSetOIDFunctionValue(dwEncodingType :DWORD;
                                  pszFuncName :LPCSTR;
                                  pszOID :LPCSTR;
                                  pwszValueName :LPCWSTR;
                                  dwValueType :DWORD;
                            const pbValueData :PBYTE;
                                  cbValueData :DWORD):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Get the value for the specified encoding type, function name, OID and
//  value name.
//
//  See RegEnumValue for the possible value types.
//
//  String types are UNICODE.
//--------------------------------------------------------------------------

function CryptGetOIDFunctionValue(dwEncodingType :DWORD;
                                  pszFuncName :LPCSTR;
                                  pwszValueName :LPCSTR;
                                  pszOID :LPCWSTR;
                                  pdwValueType  :PDWORD;
                                  pbValueData  :PBYTE;
                                  pcbValueData :PDWORD):BOOL ; stdcall;

type
  PFN_CRYPT_ENUM_OID_FUNC = function (dwEncodingType :DWORD;
                                      pszFuncName :LPCSTR;
                                      pszOID :LPCSTR;
                                      cValue :DWORD;
                                const rgdwValueType :array of DWORD;
                                const rgpwszValueName :array of LPCWSTR;
                                const rgpbValueData :array of PBYTE;
                                const rgcbValueData :array of DWORD;
                                      pvArg :PVOID):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Enumerate the OID functions identified by their encoding type,
//  function name and OID.
//
//  pfnEnumOIDFunc is called for each registry key matching the input
//  parameters. Setting dwEncodingType to CRYPT_MATCH_ANY_ENCODING_TYPE matches
//  any. Setting pszFuncName or pszOID to NULL matches any.
//
//  Set pszOID == CRYPT_DEFAULT_OID to restrict the enumeration to only the
//  DEFAULT functions
//
//  String types are UNICODE.
//--------------------------------------------------------------------------

function CryptEnumOIDFunction(dwEncodingType :DWORD;
                              pszFuncName :LPCSTR;    //OPTIONAL
                              pszOID :LPCSTR;         //OPTIONAL
                              dwFlags :DWORD;
                              pvArg :PVOID;
                              pfnEnumOIDFunc :PFN_CRYPT_ENUM_OID_FUNC):BOOL ; stdcall;

const 
  CRYPT_MATCH_ANY_ENCODING_TYPE = $FFFFFFFF;

//+=========================================================================
//  Object IDentifier (OID) Information:  Data Structures and APIs
//==========================================================================

//+-------------------------------------------------------------------------
//  OID Information
//--------------------------------------------------------------------------

type
  PCRYPT_OID_INFO = ^CRYPT_OID_INFO;
  CRYPT_OID_INFO = record
    cbSize :DWORD;
    pszOID :LPCSTR;
    pwszName :LPCWSTR;
    dwGroupId :DWORD;
    EnumValue : record {type EnumValue for the union part of the original struct --max--}
    case integer of
      0:(dwValue :DWORD);
      1:(Algid :ALG_ID);
      2:(dwLength :DWORD);
    end;
    ExtraInfo :CRYPT_DATA_BLOB;
  end;

type
  CCRYPT_OID_INFO  = CRYPT_OID_INFO;
  PCCRYPT_OID_INFO = ^CCRYPT_OID_INFO;

//+-------------------------------------------------------------------------
//  OID Group IDs
//--------------------------------------------------------------------------

const
  CRYPT_HASH_ALG_OID_GROUP_ID      = 1;
  CRYPT_ENCRYPT_ALG_OID_GROUP_ID   = 2;
  CRYPT_PUBKEY_ALG_OID_GROUP_ID    = 3;
  CRYPT_SIGN_ALG_OID_GROUP_ID      = 4;
  CRYPT_RDN_ATTR_OID_GROUP_ID      = 5;
  CRYPT_EXT_OR_ATTR_OID_GROUP_ID   = 6;
  CRYPT_ENHKEY_USAGE_OID_GROUP_ID  = 7;
  CRYPT_POLICY_OID_GROUP_ID        = 8;
  CRYPT_LAST_OID_GROUP_ID          = 8;

  CRYPT_FIRST_ALG_OID_GROUP_ID     = CRYPT_HASH_ALG_OID_GROUP_ID;
  CRYPT_LAST_ALG_OID_GROUP_ID      = CRYPT_SIGN_ALG_OID_GROUP_ID;


// The CRYPT_*_ALG_OID_GROUP_ID's have an Algid. The CRYPT_RDN_ATTR_OID_GROUP_ID
// has a dwLength. The CRYPT_EXT_OR_ATTR_OID_GROUP_ID,
// CRYPT_ENHKEY_USAGE_OID_GROUP_ID or CRYPT_POLICY_OID_GROUP_ID don't have a
// dwValue.

// CRYPT_PUBKEY_ALG_OID_GROUP_ID has the following optional ExtraInfo:
//  DWORD[0] - Flags. CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG can be set to
//             inhibit the reformatting of the signature before
//             CryptVerifySignature is called or after CryptSignHash
//             is called. CRYPT_OID_USE_PUBKEY_PARA_FOR_PKCS7_FLAG can
//             be set to include the public key algorithm's parameters
//             in the PKCS7's digestEncryptionAlgorithm's parameters.

  CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG  = $1;
  CRYPT_OID_USE_PUBKEY_PARA_FOR_PKCS7_FLAG = $2;

// CRYPT_SIGN_ALG_OID_GROUP_ID has the following optional ExtraInfo:
//  DWORD[0] - Public Key Algid.
//  DWORD[1] - Flags. Same as above for CRYPT_PUBKEY_ALG_OID_GROUP_ID.

// CRYPT_RDN_ATTR_OID_GROUP_ID has the following optional ExtraInfo:
//  Array of DWORDs:
//   [0 ..] - Null terminated list of acceptable RDN attribute
//            value types. An empty list implies CERT_RDN_PRINTABLE_STRING,
//            CERT_RDN_T61_STRING, 0.

//+-------------------------------------------------------------------------
//  Find OID information. Returns NULL if unable to find any information
//  for the specified key and group. Note, returns a pointer to a constant
//  data structure. The returned pointer MUST NOT be freed.
//
//  dwKeyType's:
//    CRYPT_OID_INFO_OID_KEY, pvKey points to a szOID
//    CRYPT_OID_INFO_NAME_KEY, pvKey points to a wszName
//    CRYPT_OID_INFO_ALGID_KEY, pvKey points to an ALG_ID
//    CRYPT_OID_INFO_SIGN_KEY, pvKey points to an array of two ALG_ID's:
//      ALG_ID[0] - Hash Algid
//      ALG_ID[1] - PubKey Algid
//
//  Setting dwGroupId to 0, searches all groups according to the dwKeyType.
//  Otherwise, only the dwGroupId is searched.
//--------------------------------------------------------------------------

function CryptFindOIDInfo(dwKeyType :DWORD;
                          pvKey :PVOID;
                          dwGroupId :DWORD):PCCRYPT_OID_INFO ; stdcall;

const 
  CRYPT_OID_INFO_OID_KEY   = 1;
  CRYPT_OID_INFO_NAME_KEY  = 2;
  CRYPT_OID_INFO_ALGID_KEY = 3;
  CRYPT_OID_INFO_SIGN_KEY  = 4;

//+-------------------------------------------------------------------------
//  Register OID information. The OID information specified in the
//  CCRYPT_OID_INFO structure is persisted to the registry.
//
//  crypt32.dll contains information for the commonly known OIDs. This function
//  allows applications to augment crypt32.dll's OID information. During
//  CryptFindOIDInfo's first call, the registered OID information is installed.
//
//  By default the registered OID information is installed after crypt32.dll's
//  OID entries. Set CRYPT_INSTALL_OID_INFO_BEFORE_FLAG to install before.
//--------------------------------------------------------------------------

function CryptRegisterOIDInfo(pInfo :PCCRYPT_OID_INFO;
                              dwFlags:DWORD):BOOL ; stdcall;

const 
  CRYPT_INSTALL_OID_INFO_BEFORE_FLAG = 1;

//+-------------------------------------------------------------------------
//  Unregister OID information. Only the pszOID and dwGroupId fields are
//  used to identify the OID information to be unregistered.
//--------------------------------------------------------------------------

function CryptUnregisterOIDInfo(pInfo :PCCRYPT_OID_INFO):BOOL ; stdcall;

//+=========================================================================
//  Low Level Cryptographic Message Data Structures and APIs
//==========================================================================

type
  HCRYPTMSG = Pointer;

const 
  szOID_PKCS_7_DATA                = '1.2.840.113549.1.7.1';
  szOID_PKCS_7_SIGNED              = '1.2.840.113549.1.7.2';
  szOID_PKCS_7_ENVELOPED           = '1.2.840.113549.1.7.3';
  szOID_PKCS_7_SIGNEDANDENVELOPED  = '1.2.840.113549.1.7.4';
  szOID_PKCS_7_DIGESTED            = '1.2.840.113549.1.7.5';
  szOID_PKCS_7_ENCRYPTED           = '1.2.840.113549.1.7.6';

  szOID_PKCS_9_CONTENT_TYPE        = '1.2.840.113549.1.9.3';
  szOID_PKCS_9_MESSAGE_DIGEST      = '1.2.840.113549.1.9.4';

//+-------------------------------------------------------------------------
//  Message types
//--------------------------------------------------------------------------

const 
  CMSG_DATA                  = 1;
  CMSG_SIGNED                = 2;
  CMSG_ENVELOPED             = 3;
  CMSG_SIGNED_AND_ENVELOPED  = 4;
  CMSG_HASHED                = 5;
  CMSG_ENCRYPTED             = 6;

//+-------------------------------------------------------------------------
//  Message Type Bit Flags
//--------------------------------------------------------------------------

  CMSG_ALL_FLAGS                 = (not ULONG(0));
  CMSG_DATA_FLAG                 = (1 shl CMSG_DATA);
  CMSG_SIGNED_FLAG               = (1 shl CMSG_SIGNED);
  CMSG_ENVELOPED_FLAG            = (1 shl CMSG_ENVELOPED);
  CMSG_SIGNED_AND_ENVELOPED_FLAG = (1 shl CMSG_SIGNED_AND_ENVELOPED);
  CMSG_HASHED_FLAG               = (1 shl CMSG_HASHED);
  CMSG_ENCRYPTED_FLAG            = (1 shl CMSG_ENCRYPTED);

//+-------------------------------------------------------------------------
//  The message encode information (pvMsgEncodeInfo) is message type dependent
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_DATA: pvMsgEncodeInfo = NULL
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_SIGNED
//
//  The pCertInfo in the CMSG_SIGNER_ENCODE_INFO provides the Issuer, SerialNumber
//  and PublicKeyInfo.Algorithm. The PublicKeyInfo.Algorithm implicitly
//  specifies the HashEncryptionAlgorithm to be used.
//
//  The hCryptProv and dwKeySpec specify the private key to use. If dwKeySpec
//  == 0, then, defaults to AT_SIGNATURE.
//
//  pvHashAuxInfo currently isn't used and must be set to NULL.
//--------------------------------------------------------------------------

type
  PCMSG_SIGNER_ENCODE_INFO = ^CMSG_SIGNER_ENCODE_INFO;
  CMSG_SIGNER_ENCODE_INFO = record
    cbSize        :DWORD;
    pCertInfo     :PCERT_INFO;
    hCryptProv    :HCRYPTPROV;
    dwKeySpec     :DWORD;
    HashAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
    pvHashAuxInfo :PVOID;
    cAuthAttr     :DWORD;
    rgAuthAttr    :PCRYPT_ATTRIBUTE;
    cUnauthAttr   :DWORD;
    rgUnauthAttr  :PCRYPT_ATTRIBUTE;
  end;

type
  PCMSG_SIGNED_ENCODE_INFO = ^CMSG_SIGNED_ENCODE_INFO;
  CMSG_SIGNED_ENCODE_INFO = record
    cbSize        :DWORD;
    cSigners      :DWORD;
    rgSigners     :PCMSG_SIGNER_ENCODE_INFO;
    cCertEncoded  :DWORD;
    rgCertEncoded :PCERT_BLOB;
    cCrlEncoded   :DWORD;
    rgCrlEncoded  :PCRL_BLOB;
  end;

//+-------------------------------------------------------------------------
//  CMSG_ENVELOPED
//
//  The PCERT_INFO for the rgRecipients provides the Issuer, SerialNumber
//  and PublicKeyInfo. The PublicKeyInfo.Algorithm implicitly
//  specifies the KeyEncryptionAlgorithm to be used.
//
//  The PublicKeyInfo.PublicKey in PCERT_INFO is used to encrypt the content
//  encryption key for the recipient.
//
//  hCryptProv is used to do the content encryption, recipient key encryption
//  and export. The hCryptProv's private keys aren't used.
//
//  Note: CAPI currently doesn't support more than one KeyEncryptionAlgorithm
//  per provider. This will need to be fixed.
//
//  pvEncryptionAuxInfo currently isn't used and must be set to NULL.
//--------------------------------------------------------------------------

type
  PCMSG_ENVELOPED_ENCODE_INFO = ^CMSG_ENVELOPED_ENCODE_INFO;
  CMSG_ENVELOPED_ENCODE_INFO = record
    cbSize :DWORD;
    hCryptProv :HCRYPTPROV;
    ContentEncryptionAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
    pvEncryptionAuxInfo :PVOID;
    cRecipients :DWORD;
    rgpRecipients :PPCERT_INFO; // pointer to array of PCERT_INFO
end;

//+-------------------------------------------------------------------------
//  CMSG_SIGNED_AND_ENVELOPED
//
//  For PKCS #7, a signed and enveloped message doesn't have the
//  signer's authenticated or unauthenticated attributes. Otherwise, a
//  combination of the CMSG_SIGNED_ENCODE_INFO and CMSG_ENVELOPED_ENCODE_INFO.
//--------------------------------------------------------------------------

type
  PCMSG_SIGNED_AND_ENVELOPED_ENCODE_INFO = ^CMSG_SIGNED_AND_ENVELOPED_ENCODE_INFO;
  CMSG_SIGNED_AND_ENVELOPED_ENCODE_INFO = record
    cbSize        :DWORD;
    SignedInfo    :CMSG_SIGNED_ENCODE_INFO;
    EnvelopedInfo :CMSG_ENVELOPED_ENCODE_INFO;
  end;

//+-------------------------------------------------------------------------
//  CMSG_HASHED
//
//  hCryptProv is used to do the hash. Doesn't need to use a private key.
//
//  If fDetachedHash is set, then, the encoded message doesn't contain
//  any content (its treated as NULL Data)
//
//  pvHashAuxInfo currently isn't used and must be set to NULL.
//--------------------------------------------------------------------------

type
  PCMSG_HASHED_ENCODE_INFO = ^CMSG_HASHED_ENCODE_INFO;
  CMSG_HASHED_ENCODE_INFO = record
    cbSize :DWORD;
    hCryptProv :HCRYPTPROV;
    HashAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
    pvHashAuxInfo :PVOID;
  end;

//+-------------------------------------------------------------------------
//  CMSG_ENCRYPTED
//
//  The key used to encrypt the message is identified outside of the message
//  content (for example, password).
//
//  The content input to CryptMsgUpdate has already been encrypted.
//
//  pvEncryptionAuxInfo currently isn't used and must be set to NULL.
//--------------------------------------------------------------------------

type
  PCMSG_ENCRYPTED_ENCODE_INFO = ^CMSG_ENCRYPTED_ENCODE_INFO;
  CMSG_ENCRYPTED_ENCODE_INFO = record
    cbSize :DWORD;
    ContentEncryptionAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
    pvEncryptionAuxInfo :PVOID;
  end;

//+-------------------------------------------------------------------------
//  This parameter allows messages to be of variable length with streamed
//  output.
//
//  By default, messages are of a definite length and
//  CryptMsgGetParam(CMSG_CONTENT_PARAM) is
//  called to get the cryptographically processed content. Until closed,
//  the handle keeps a copy of the processed content.
//
//  With streamed output, the processed content can be freed as its streamed.
//
//  If the length of the content to be updated is known at the time of the
//  open, then, ContentLength should be set to that length. Otherwise, it
//  should be set to CMSG_INDEFINITE_LENGTH.
//--------------------------------------------------------------------------

type
  PFN_CMSG_STREAM_OUTPUT = function (
                               const pvArg :PVOID;
                                     pbData :PBYTE;
                                     cbData :DWORD;
                                     fFinal :BOOL):BOOL ; stdcall;

const 
  CMSG_INDEFINITE_LENGTH = ($FFFFFFFF);

type
  PCMSG_STREAM_INFO = ^CMSG_STREAM_INFO;
  CMSG_STREAM_INFO = record
    cbContent :DWORD;
    pfnStreamOutput :PFN_CMSG_STREAM_OUTPUT;
    pvArg :PVOID;
  end;

//+-------------------------------------------------------------------------
//  Open dwFlags
//--------------------------------------------------------------------------

const 
  CMSG_BARE_CONTENT_FLAG              = $00000001;
  CMSG_LENGTH_ONLY_FLAG               = $00000002;
  CMSG_DETACHED_FLAG                  = $00000004;
  CMSG_AUTHENTICATED_ATTRIBUTES_FLAG  = $00000008;
  CMSG_CONTENTS_OCTETS_FLAG           = $00000010;
  CMSG_MAX_LENGTH_FLAG                = $00000020;

//+-------------------------------------------------------------------------
//  Open a cryptographic message for encoding
//
//  For PKCS #7:
//  If the content to be passed to CryptMsgUpdate has already
//  been message encoded (the input to CryptMsgUpdate is the streamed output
//  from another message encode), then, the CMSG_ENCODED_CONTENT_INFO_FLAG should
//  be set in dwFlags. If not set, then, the inner ContentType is Data and
//  the input to CryptMsgUpdate is treated as the inner Data type's Content,
//  a string of bytes.
//  If CMSG_BARE_CONTENT_FLAG is specified for a streamed message,
//  the streamed output will not have an outer ContentInfo wrapper. This
//  makes it suitable to be streamed into an enclosing message.
//
//  The pStreamInfo parameter needs to be set to stream the encoded message
//  output.
//--------------------------------------------------------------------------

function CryptMsgOpenToEncode(dwMsgEncodingType :DWORD;
                              dwFlags :DWORD;
                              dwMsgType :DWORD;
                              pvMsgEncodeInfo :PVOID;
                              pszInnerContentObjID :LPSTR;      //OPTIONAL
                              pStreamInfo :PCMSG_STREAM_INFO    //OPTIONAL
                              ):HCRYPTMSG ; stdcall;

//+-------------------------------------------------------------------------
//  Calculate the length of an encoded cryptographic message.
//
//  Calculates the length of the encoded message given the
//  message type, encoding parameters and total length of
//  the data to be updated. Note, this might not be the exact length. However,
//  it will always be greater than or equal to the actual length.
//--------------------------------------------------------------------------

function CryptMsgCalculateEncodedLength(dwMsgEncodingType :DWORD;
                                        dwFlags :DWORD;
                                        dwMsgType :DWORD;
                                        pvMsgEncodeInfo :PVOID;
                                        pszInnerContentObjID :LPSTR; //OPTIONAL
                                        cbData :DWORD):DWORD ; stdcall;

//+-------------------------------------------------------------------------
//  Open a cryptographic message for decoding
//
//  For PKCS #7: if the inner ContentType isn't Data, then, the inner
//  ContentInfo consisting of both ContentType and Content is output.
//  To also enable ContentInfo output for the Data ContentType, then,
//  the CMSG_ENCODED_CONTENT_INFO_FLAG should be set
//  in dwFlags. If not set, then, only the content portion of the inner
//  ContentInfo is output for the Data ContentType.
//
//  To only calculate the length of the decoded message, set the
//  CMSG_LENGTH_ONLY_FLAG in dwFlags. After the final CryptMsgUpdate get the
//  MSG_CONTENT_PARAM. Note, this might not be the exact length. However,
//  it will always be greater than or equal to the actual length.
//
//  hCryptProv specifies the crypto provider to use for hashing and/or
//  decrypting the message. For enveloped messages, hCryptProv also specifies
//  the private exchange key to use. For signed messages, hCryptProv is used
//  when CryptMsgVerifySigner is called.
//
//  For enveloped messages, the pRecipientInfo contains the Issuer and
//  SerialNumber identifying the RecipientInfo in the message.
//
//  Note, the pRecipientInfo should correspond to the provider's private
//  exchange key.
//
//  If pRecipientInfo is NULL, then, the message isn't decrypted. To decrypt
//  the message, CryptMsgControl(CMSG_CTRL_DECRYPT) is called after the final
//  CryptMsgUpdate.
//
//  The pStreamInfo parameter needs to be set to stream the decoded content
//  output. Note, if pRecipientInfo is NULL, then, the streamed output isn't
//  decrypted.
//--------------------------------------------------------------------------

function CryptMsgOpenToDecode(dwMsgEncodingType :DWORD;
                              dwFlags :DWORD;
                              dwMsgType :DWORD;
                              hCryptProv :HCRYPTPROV;
                              pRecipientInfo :PCERT_INFO;   //OPTIONAL
                              pStreamInfo:PCMSG_STREAM_INFO //OPTIONAL
                              ):HCRYPTMSG ; stdcall;

//+-------------------------------------------------------------------------
//  Close a cryptographic message handle
//
//  LastError is preserved unless FALSE is returned.
//--------------------------------------------------------------------------

function CryptMsgClose(hCryptMsg :HCRYPTMSG):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Update the content of a cryptographic message. Depending on how the
//  message was opened, the content is either encoded or decoded.
//
//  This function is repetitively called to append to the message content.
//  fFinal is set to identify the last update. On fFinal, the encode/decode
//  is completed. The encoded/decoded content and the decoded parameters
//  are valid until the open and all duplicated handles are closed.
//--------------------------------------------------------------------------

function CryptMsgUpdate(hCryptMsg :HCRYPTMSG;
                  const pbData :PBYTE;
                        cbData :DWORD;
                        fFinal :BOOL):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Perform a special "control" function after the final CryptMsgUpdate of a
//  encoded/decoded cryptographic message.
//
//  The dwCtrlType parameter specifies the type of operation to be performed.
//
//  The pvCtrlPara definition depends on the dwCtrlType value.
//
//  See below for a list of the control operations and their pvCtrlPara
//  type definition.
//--------------------------------------------------------------------------

function CryptMsgControl(hCryptMsg :HCRYPTMSG;
                         dwFlags :DWORD;
                         dwCtrlType :DWORD;
                         pvCtrlPara :PVOID):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Message control types
//--------------------------------------------------------------------------

const 
  CMSG_CTRL_VERIFY_SIGNATURE       = 1;
  CMSG_CTRL_DECRYPT                = 2;
  CMSG_CTRL_VERIFY_HASH            = 5;
  CMSG_CTRL_ADD_SIGNER             = 6;
  CMSG_CTRL_DEL_SIGNER             = 7;
  CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR = 8;
  CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR = 9;
  CMSG_CTRL_ADD_CERT               = 10;
  CMSG_CTRL_DEL_CERT               = 11;
  CMSG_CTRL_ADD_CRL                = 12;
  CMSG_CTRL_DEL_CRL                = 13;

//+-------------------------------------------------------------------------
//  CMSG_CTRL_VERIFY_SIGNATURE
//
//  Verify the signature of a SIGNED or SIGNED_AND_ENVELOPED
//  message after it has been decoded.
//
//  For a SIGNED_AND_ENVELOPED message, called after
//  CryptMsgControl(CMSG_CTRL_DECRYPT), if CryptMsgOpenToDecode was called
//  with a NULL pRecipientInfo.
//
//  pvCtrlPara points to a CERT_INFO struct.
//
//  The CERT_INFO contains the Issuer and SerialNumber identifying
//  the Signer of the message. The CERT_INFO also contains the
//  PublicKeyInfo
//  used to verify the signature. The cryptographic provider specified
//  in CryptMsgOpenToDecode is used.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_CTRL_DECRYPT
//
//  Decrypt an ENVELOPED or SIGNED_AND_ENVELOPED message after it has been
//  decoded.
//
//  hCryptProv and dwKeySpec specify the private key to use. For dwKeySpec ==
//  0, defaults to AT_KEYEXCHANGE.
//
//  dwRecipientIndex is the index of the recipient in the message associated
//  with the hCryptProv's private key.
//
//  This control function needs to be called, if you don't know the appropriate
//  recipient before calling CryptMsgOpenToDecode. After the final
//  CryptMsgUpdate, the list of recipients is obtained by iterating through
//  CMSG_RECIPIENT_INFO_PARAM. The recipient corresponding to a private
//  key owned by the caller is selected and passed to this function to decrypt
//  the message.
//
//  Note, the message can only be decrypted once.
//--------------------------------------------------------------------------

type
  PCMSG_CTRL_DECRYPT_PARA = ^CMSG_CTRL_DECRYPT_PARA;
  CMSG_CTRL_DECRYPT_PARA = record
    cbSize :DWORD;
    hCryptProv :HCRYPTPROV;
    dwKeySpec :DWORD;
    dwRecipientIndex :DWORD;
  end;

//+-------------------------------------------------------------------------
//  CMSG_CTRL_VERIFY_HASH
//
//  Verify the hash of a HASHED message after it has been decoded.
//
//  Only the hCryptMsg parameter is used, to specify the message whose
//  hash is being verified.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_CTRL_ADD_SIGNER
//
//  Add a signer to a signed-data or signed-and-enveloped-data message.
//
//  pvCtrlPara points to a CMSG_SIGNER_ENCODE_INFO.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_CTRL_DEL_SIGNER
//
//  Remove a signer from a signed-data or signed-and-enveloped-data message.
//
//  pvCtrlPara points to a DWORD containing the 0-based index of the
//  signer to be removed.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR
//
//  Add an unauthenticated attribute to the SignerInfo of a signed-data or
//  signed-and-enveloped-data message.
//
//  The unauthenticated attribute is input in the form of an encoded blob.
//--------------------------------------------------------------------------

type
  PCMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR_PARA = ^CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR_PARA;
  CMSG_CTRL_ADD_SIGNER_UNAUTH_ATTR_PARA = record
    cbSize :DWORD;
    dwSignerIndex :DWORD;
    blob :CRYPT_DATA_BLOB;
  end;

//+-------------------------------------------------------------------------
//  CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR
//
//  Delete an unauthenticated attribute from the SignerInfo of a signed-data
//  or signed-and-enveloped-data message.
//
//  The unauthenticated attribute to be removed is specified by
//  a 0-based index.
//--------------------------------------------------------------------------

type
  PCMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR_PARA = ^CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR_PARA;
  CMSG_CTRL_DEL_SIGNER_UNAUTH_ATTR_PARA = record
    cbSize :DWORD;
    dwSignerIndex :DWORD;
    dwUnauthAttrIndex :DWORD;
  end;

//+-------------------------------------------------------------------------
//  CMSG_CTRL_ADD_CERT
//
//  Add a certificate to a signed-data or signed-and-enveloped-data message.
//
//  pvCtrlPara points to a CRYPT_DATA_BLOB containing the certificate's
//  encoded bytes.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_CTRL_DEL_CERT
//
//  Delete a certificate from a signed-data or signed-and-enveloped-data
//  message.
//
//  pvCtrlPara points to a DWORD containing the 0-based index of the
//  certificate to be removed.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_CTRL_ADD_CRL
//
//  Add a CRL to a signed-data or signed-and-enveloped-data message.
//
//  pvCtrlPara points to a CRYPT_DATA_BLOB containing the CRL's
//  encoded bytes.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_CTRL_DEL_CRL
//
//  Delete a CRL from a signed-data or signed-and-enveloped-data message.
//
//  pvCtrlPara points to a DWORD containing the 0-based index of the CRL
//  to be removed.
//--------------------------------------------------------------------------


//+-------------------------------------------------------------------------
//  Verify a countersignature, at the SignerInfo level.
//  ie. verify that pbSignerInfoCountersignature contains the encrypted
//  hash of the encryptedDigest field of pbSignerInfo.
//
//  hCryptProv is used to hash the encryptedDigest field of pbSignerInfo.
//  The only fields referenced from pciCountersigner are SerialNumber, Issuer,
//  and SubjectPublicKeyInfo.
//--------------------------------------------------------------------------

function CryptMsgVerifyCountersignatureEncoded(hCryptProv :HCRYPTPROV;
                                               dwEncodingType :DWORD;
                                               pbSignerInfo :PBYTE;
                                               cbSignerInfo :DWORD;
                                               pbSignerInfoCountersignature :PBYTE;
                                               cbSignerInfoCountersignature :DWORD;
                                               pciCountersigner :PCERT_INFO):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Countersign an already-existing signature in a message
//
//  dwIndex is a zero-based index of the SignerInfo to be countersigned.
//--------------------------------------------------------------------------

function CryptMsgCountersign(hCryptMsg :HCRYPTMSG;
                             dwIndex :DWORD;
                             cCountersigners :DWORD;
                             rgCountersigners :PCMSG_SIGNER_ENCODE_INFO):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Countersign an already-existing signature (encoded SignerInfo).
//  Output an encoded SignerInfo blob, suitable for use as a countersignature
//  attribute in the unauthenticated attributes of a signed-data or
//  signed-and-enveloped-data message.
//--------------------------------------------------------------------------

function CryptMsgCountersignEncoded(dwEncodingType :DWORD;
                                    pbSignerInfo :PBYTE;
                                    cbSignerInfo :DWORD;
                                    cCountersigners :DWORD;
                                    rgCountersigners :PCMSG_SIGNER_ENCODE_INFO;
                                    pbCountersignature :PBYTE;
                                    pcbCountersignature :PDWORD):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Get a parameter after encoding/decoding a cryptographic message. Called
//  after the final CryptMsgUpdate. Only the CMSG_CONTENT_PARAM and
//  CMSG_COMPUTED_HASH_PARAM are valid for an encoded message.
//
//  For an encoded HASHED message, the CMSG_COMPUTED_HASH_PARAM can be got
//  before any CryptMsgUpdates to get its length.
//
//  The pvData type definition depends on the dwParamType value.
//
//  Elements pointed to by fields in the pvData structure follow the
//  structure. Therefore, *pcbData may exceed the size of the structure.
//
//  Upon input, if *pcbData == 0, then, *pcbData is updated with the length
//  of the data and the pvData parameter is ignored.
//
//  Upon return, *pcbData is updated with the length of the data.
//
//  The OBJID BLOBs returned in the pvData structures point to
//  their still encoded representation. The appropriate functions
//  must be called to decode the information.
//
//  See below for a list of the parameters to get.
//--------------------------------------------------------------------------

function CryptMsgGetParam(hCryptMsg :HCRYPTMSG;
                          dwParamType :DWORD;
                          dwIndex :DWORD;
                          pvData :PVOID;
                          pcbData :PDWORD):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Get parameter types and their corresponding data structure definitions.
//--------------------------------------------------------------------------

const 
  CMSG_TYPE_PARAM                  = 1;
  CMSG_CONTENT_PARAM               = 2;
  CMSG_BARE_CONTENT_PARAM          = 3;
  CMSG_INNER_CONTENT_TYPE_PARAM    = 4;
  CMSG_SIGNER_COUNT_PARAM          = 5;
  CMSG_SIGNER_INFO_PARAM           = 6;
  CMSG_SIGNER_CERT_INFO_PARAM      = 7;
  CMSG_SIGNER_HASH_ALGORITHM_PARAM = 8;
  CMSG_SIGNER_AUTH_ATTR_PARAM      = 9;
  CMSG_SIGNER_UNAUTH_ATTR_PARAM    = 10;
  CMSG_CERT_COUNT_PARAM            = 11;
  CMSG_CERT_PARAM                  = 12;
  CMSG_CRL_COUNT_PARAM             = 13;
  CMSG_CRL_PARAM                   = 14;
  CMSG_ENVELOPE_ALGORITHM_PARAM    = 15;
  CMSG_RECIPIENT_COUNT_PARAM       = 17;
  CMSG_RECIPIENT_INDEX_PARAM       = 18;
  CMSG_RECIPIENT_INFO_PARAM        = 19;
  CMSG_HASH_ALGORITHM_PARAM        = 20;
  CMSG_HASH_DATA_PARAM             = 21;
  CMSG_COMPUTED_HASH_PARAM         = 22;
  CMSG_ENCRYPT_PARAM               = 26;
  CMSG_ENCRYPTED_DIGEST            = 27;
  CMSG_ENCODED_SIGNER              = 28;
  CMSG_ENCODED_MESSAGE             = 29;

//+-------------------------------------------------------------------------
//  CMSG_TYPE_PARAM
//
//  The type of the decoded message.
//
//  pvData points to a DWORD
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_CONTENT_PARAM
//
//  The encoded content of a cryptographic message. Depending on how the
//  message was opened, the content is either the whole PKCS#7
//  message (opened to encode) or the inner content (opened to decode).
//  In the decode case, the decrypted content is returned, if enveloped.
//  If not enveloped, and if the inner content is of type DATA, the returned
//  data is the contents octets of the inner content.
//
//  pvData points to the buffer receiving the content bytes
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_BARE_CONTENT_PARAM
//
//  The encoded content of an encoded cryptographic message, without the
//  outer layer of ContentInfo. That is, only the encoding of the
//  ContentInfo.content field is returned.
//
//  pvData points to the buffer receiving the content bytes
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_INNER_CONTENT_TYPE_PARAM
//
//  The type of the inner content of a decoded cryptographic message,
//  in the form of a NULL-terminated object identifier string
//  (eg. "1.2.840.113549.1.7.1").
//
//  pvData points to the buffer receiving the object identifier string
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_SIGNER_COUNT_PARAM
//
//  Count of signers in a SIGNED or SIGNED_AND_ENVELOPED message
//
//  pvData points to a DWORD
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_SIGNER_CERT_INFO_PARAM
//
//  To get all the signers, repetitively call CryptMsgGetParam, with
//  dwIndex set to 0 .. SignerCount - 1.
//
//  pvData points to a CERT_INFO struct.
//
//  Only the following fields have been updated in the CERT_INFO struct:
//  Issuer and SerialNumber.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_SIGNER_INFO_PARAM
//
//  To get all the signers, repetitively call CryptMsgGetParam, with
//  dwIndex set to 0 .. SignerCount - 1.
//
//  pvData points to a CMSG_SIGNER_INFO struct.
//--------------------------------------------------------------------------

type
  PCMSG_SIGNER_INFO = ^CMSG_SIGNER_INFO;
  CMSG_SIGNER_INFO = record
    dwVersion :DWORD;
    Issuer :CERT_NAME_BLOB;
    SerialNumber :CRYPT_INTEGER_BLOB;
    HashAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
    HashEncryptionAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
    EncryptedHash :CRYPT_DATA_BLOB;
    AuthAttrs :CRYPT_ATTRIBUTES;
    UnauthAttrs :CRYPT_ATTRIBUTES;
  end;

//+-------------------------------------------------------------------------
//  CMSG_SIGNER_HASH_ALGORITHM_PARAM
//
//  This parameter specifies the HashAlgorithm that was used for the signer.
//
//  Set dwIndex to iterate through all the signers.
//
//  pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_SIGNER_AUTH_ATTR_PARAM
//
//  The authenticated attributes for the signer.
//
//  Set dwIndex to iterate through all the signers.
//
//  pvData points to a CMSG_ATTR struct.
//--------------------------------------------------------------------------

type
  CMSG_ATTR   = CRYPT_ATTRIBUTES;
  PCMSG_ATTR  = ^CRYPT_ATTRIBUTES;

//+-------------------------------------------------------------------------
//  CMSG_SIGNER_UNAUTH_ATTR_PARAM
//
//  The unauthenticated attributes for the signer.
//
//  Set dwIndex to iterate through all the signers.
//
//  pvData points to a CMSG_ATTR struct.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_CERT_COUNT_PARAM
//
//  Count of certificates in a SIGNED or SIGNED_AND_ENVELOPED message.
//
//  pvData points to a DWORD
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_CERT_PARAM
//
//  To get all the certificates, repetitively call CryptMsgGetParam, with
//  dwIndex set to 0 .. CertCount - 1.
//
//  pvData points to an array of the certificate's encoded bytes.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_CRL_COUNT_PARAM
//
//  Count of CRLs in a SIGNED or SIGNED_AND_ENVELOPED message.
//
//  pvData points to a DWORD
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_CRL_PARAM
//
//  To get all the CRLs, repetitively call CryptMsgGetParam, with
//  dwIndex set to 0 .. CrlCount - 1.
//
//  pvData points to an array of the CRL's encoded bytes.
//--------------------------------------------------------------------------


//+-------------------------------------------------------------------------
//  CMSG_ENVELOPE_ALGORITHM_PARAM
//
//  The ContentEncryptionAlgorithm that was used in
//  an ENVELOPED or SIGNED_AND_ENVELOPED message.
//
//  pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_RECIPIENT_COUNT_PARAM
//
//  Count of recipients in an ENVELOPED or SIGNED_AND_ENVELOPED message.
//
//  pvData points to a DWORD
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_RECIPIENT_INDEX_PARAM
//
//  Index of the recipient used to decrypt an ENVELOPED or SIGNED_AND_ENVELOPED
//  message.
//
//  pvData points to a DWORD
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_RECIPIENT_INFO_PARAM
//
//  To get all the recipients, repetitively call CryptMsgGetParam, with
//  dwIndex set to 0 .. RecipientCount - 1.
//
//  pvData points to a CERT_INFO struct.
//
//  Only the following fields have been updated in the CERT_INFO struct:
//  Issuer, SerialNumber and PublicKeyAlgorithm. The PublicKeyAlgorithm
//  specifies the KeyEncryptionAlgorithm that was used.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_HASH_ALGORITHM_PARAM
//
//  The HashAlgorithm in a HASHED message.
//
//  pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_HASH_DATA_PARAM
//
//  The hash in a HASHED message.
//
//  pvData points to an array of bytes.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_COMPUTED_HASH_PARAM
//
//  The computed hash for a HASHED message.
//
//  This may be called for either an encoded or decoded message.
//  It also may be called before any encoded CryptMsgUpdates to get its length.
//
//  pvData points to an array of bytes.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_ENCRYPT_PARAM
//
//  The ContentEncryptionAlgorithm that was used in an ENCRYPTED message.
//
//  pvData points to an CRYPT_ALGORITHM_IDENTIFIER struct.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CMSG_ENCODED_MESSAGE
//
//  The full encoded message. This is useful in the case of a decoded
//  message which has been modified (eg. a signed-data or
//  signed-and-enveloped-data message which has been countersigned).
//
//  pvData points to an array of the message's encoded bytes.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CryptMsg OID installable functions
//--------------------------------------------------------------------------

// If *phCryptProv is NULL upon entry, then, if supported, the installable
// function should acquire a default provider and return. Note, its up
// to the installable function to release at process detach.

const 
  CMSG_OID_GEN_ENCRYPT_KEY_FUNC = 'CryptMsgDllGenEncryptKey';

type
  PFN_CMSG_GEN_ENCRYPT_KEY = function (phCryptProv :PHCRYPTPROV;
                                       paiEncrypt :PCRYPT_ALGORITHM_IDENTIFIER;
                                       pvEncryptAuxInfo :PVOID;
                                       pPublicKeyInfo :PCERT_PUBLIC_KEY_INFO;
                                       phEncryptKey :PHCRYPTKEY
                                       ):BOOL ; stdcall;

const 
  CMSG_OID_EXPORT_ENCRYPT_KEY_FUNC = 'CryptMsgDllExportEncryptKey';

type
  PFN_CMSG_EXPORT_ENCRYPT_KEY = function (hCryptProv :HCRYPTPROV;
                                          hEncryptKey :HCRYPTKEY;
                                          pPublicKeyInfo :PCERT_PUBLIC_KEY_INFO;
                                          pbData :PBYTE;
                                          pcbData :PDWORD):BOOL ; stdcall;

const 
  CMSG_OID_IMPORT_ENCRYPT_KEY_FUNC = 'CryptMsgDllImportEncryptKey';

type
  PFN_CMSG_IMPORT_ENCRYPT_KEY = function (hCryptProv :HCRYPTPROV;
                                          dwKeySpec :DWORD;
                                          paiEncrypt :PCRYPT_ALGORITHM_IDENTIFIER;
                                          paiPubKey :PCRYPT_ALGORITHM_IDENTIFIER;
                                          pbEncodedKey :PBYTE;
                                          cbEncodedKey :DWORD;
                                          phEncryptKey :PHCRYPTKEY
                                          ):BOOL ; stdcall;

//+=========================================================================
//  Certificate Store Data Structures and APIs
//==========================================================================

//+-------------------------------------------------------------------------
//              In its most basic implementation, a cert store is simply a
//              collection of certificates and/or CRLs. This is the case when
//              a cert store is opened with all of its certificates and CRLs
//              coming from a PKCS #7 encoded cryptographic message.
//
//              Nonetheless, all cert stores have the following properties:
//               - A public key may have more than one certificate in the store.
//                 For example, a private/public key used for signing may have a
//                 certificate issued for VISA and another issued for
//                 Mastercard. Also, when a certificate is renewed there might
//                 be more than one certificate with the same subject and
//                 issuer.
//               - However, each certificate in the store is uniquely
//                 identified by its Issuer and SerialNumber.
//               - There's an issuer of subject certificate relationship. A
//                 certificate's issuer is found by doing a match of
//                 pSubjectCert->Issuer with pIssuerCert->Subject.
//                 The relationship is verified by using
//                 the issuer's public key to verify the subject certificate's
//                 signature. Note, there might be X.509 v3 extensions
//                 to assist in finding the issuer certificate.
//               - Since issuer certificates might be renewed, a subject
//                 certificate might have more than one issuer certificate.
//               - There's an issuer of CRL relationship. An
//                 issuer's CRL is found by doing a match of
//                 pIssuerCert->Subject with pCrl->Issuer.
//                 The relationship is verified by using
//                 the issuer's public key to verify the CRL's
//                 signature. Note, there might be X.509 v3 extensions
//                 to assist in finding the CRL.
//               - Since some issuers might support the X.509 v3 delta CRL
//                 extensions, an issuer might have more than one CRL.
//               - The store shouldn't have any redundant certificates or
//                 CRLs. There shouldn't be two certificates with the same
//                 Issuer and SerialNumber. There shouldn't be two CRLs with
//                 the same Issuer, ThisUpdate and NextUpdate.
//               - The store has NO policy or trust information. No
//                 certificates are tagged as being "root". Its up to
//                 the application to maintain a list of CertIds (Issuer +
//                 SerialNumber) for certificates it trusts.
//               - The store might contain bad certificates and/or CRLs.
//                 The issuer's signature of a subject certificate or CRL may
//                 not verify. Certificates or CRLs may not satisfy their
//                 time validity requirements. Certificates may be
//                 revoked.
//
//              In addition to the certificates and CRLs, properties can be
//              stored. There are two predefined property IDs for a user
//              certificate: CERT_KEY_PROV_HANDLE_PROP_ID and
//              CERT_KEY_PROV_INFO_PROP_ID. The CERT_KEY_PROV_HANDLE_PROP_ID
//              is a HCRYPTPROV handle to the private key assoicated
//              with the certificate. The CERT_KEY_PROV_INFO_PROP_ID contains
//              information to be used to call
//              CryptAcquireContext and CryptProvSetParam to get a handle
//              to the private key associated with the certificate.
//
//              There exists two more predefined property IDs for certificates
//              and CRLs, CERT_SHA1_HASH_PROP_ID and CERT_MD5_HASH_PROP_ID.
//              If these properties don't already exist, then, a hash of the
//              content is computed. (CERT_HASH_PROP_ID maps to the default
//              hash algorithm, currently, CERT_SHA1_HASH_PROP_ID).
//
//              There are additional APIs for creating certificate and CRL
//      contexts not in a store (CertCreateCertificateContext and
//      CertCreateCRLContext).
//
//--------------------------------------------------------------------------

type
  HCERTSTORE = PVOID;

//+-------------------------------------------------------------------------
//  Certificate context.
//
//  A certificate context contains both the encoded and decoded representation
//  of a certificate. A certificate context returned by a cert store function
//  must be freed by calling the CertFreeCertificateContext function. The
//  CertDuplicateCertificateContext function can be called to make a duplicate
//  copy (which also must be freed by calling CertFreeCertificateContext).
//--------------------------------------------------------------------------

type
  PCERT_CONTEXT = ^CERT_CONTEXT;
  CERT_CONTEXT = record
    dwCertEncodingType :DWORD;
    pbCertEncoded :PBYTE;
    cbCertEncoded :DWORD;
    pCertInfo :PCERT_INFO;
    hCertStore :HCERTSTORE;
  end;

type
  PCCERT_CONTEXT = ^CERT_CONTEXT;

//+-------------------------------------------------------------------------
//  CRL context.
//
//  A CRL context contains both the encoded and decoded representation
//  of a CRL. A CRL context returned by a cert store function
//  must be freed by calling the CertFreeCRLContext function. The
//  CertDuplicateCRLContext function can be called to make a duplicate
//  copy (which also must be freed by calling CertFreeCRLContext).
//--------------------------------------------------------------------------

type
  PCRL_CONTEXT = ^CRL_CONTEXT;
  CRL_CONTEXT = record
    dwCertEncodingType :DWORD;
    pbCrlEncoded :PBYTE;
    cbCrlEncoded :DWORD;
    pCrlInfo :PCRL_INFO;
    hCertStore :HCERTSTORE;
  end;

type
  PCCRL_CONTEXT = ^CRL_CONTEXT;

//+-------------------------------------------------------------------------
//  Certificate Trust List (CTL) context.
//
//  A CTL context contains both the encoded and decoded representation
//  of a CTL. Also contains an opened HCRYPTMSG handle to the decoded
//  cryptographic signed message containing the CTL_INFO as its inner content.
//  pbCtlContent is the encoded inner content of the signed message.
//
//  The CryptMsg APIs can be used to extract additional signer information.
//--------------------------------------------------------------------------

type
  PCTL_CONTEXT = ^CTL_CONTEXT;
  CTL_CONTEXT = record
    dwMsgAndCertEncodingType :DWORD;
    pbCtlEncoded :PBYTE;
    cbCtlEncoded :DWORD;
    pCtlInfo :PCTL_INFO;
    hCertStore :HCERTSTORE;
    hCryptMsg :HCRYPTMSG;
    pbCtlContent :PBYTE;
    cbCtlContent :DWORD;
  end;

type
  PCCTL_CONTEXT = ^CTL_CONTEXT;

//+-------------------------------------------------------------------------
//  Certificate, CRL and CTL property IDs
//
//  See CertSetCertificateContextProperty or CertGetCertificateContextProperty
//  for usage information.
//--------------------------------------------------------------------------

const 
  CERT_KEY_PROV_HANDLE_PROP_ID        = 1;
  CERT_KEY_PROV_INFO_PROP_ID          = 2;
  CERT_SHA1_HASH_PROP_ID              = 3;
  CERT_MD5_HASH_PROP_ID               = 4;
  CERT_HASH_PROP_ID                   = CERT_SHA1_HASH_PROP_ID;
  CERT_KEY_CONTEXT_PROP_ID            = 5;
  CERT_KEY_SPEC_PROP_ID               = 6;
  CERT_IE30_RESERVED_PROP_ID          = 7;
  CERT_PUBKEY_HASH_RESERVED_PROP_ID   = 8;
  CERT_ENHKEY_USAGE_PROP_ID           = 9;
  CERT_CTL_USAGE_PROP_ID              = CERT_ENHKEY_USAGE_PROP_ID;
  CERT_NEXT_UPDATE_LOCATION_PROP_ID   = 10;
  CERT_FRIENDLY_NAME_PROP_ID          = 11;
  CERT_PVK_FILE_PROP_ID               = 12;
// Note, 32 - 34 are reserved for the CERT, CRL and CTL file element IDs.
  CERT_FIRST_RESERVED_PROP_ID         = 13;

  CERT_LAST_RESERVED_PROP_ID          = $00007FFF;
  CERT_FIRST_USER_PROP_ID             = $00008000;
  CERT_LAST_USER_PROP_ID              = $0000FFFF;

function IS_CERT_HASH_PROP_ID( X :DWORD):BOOL ;

//+-------------------------------------------------------------------------
//  Cryptographic Key Provider Information
//
//  CRYPT_KEY_PROV_INFO defines the CERT_KEY_PROV_INFO_PROP_ID's pvData.
//
//  The CRYPT_KEY_PROV_INFO fields are passed to CryptAcquireContext
//  to get a HCRYPTPROV handle. The optional CRYPT_KEY_PROV_PARAM fields are
//  passed to CryptProvSetParam to further initialize the provider.
//
//  The dwKeySpec field identifies the private key to use from the container
//  For example, AT_KEYEXCHANGE or AT_SIGNATURE.
//--------------------------------------------------------------------------

type
  PCRYPT_KEY_PROV_PARAM = ^CRYPT_KEY_PROV_PARAM;
  CRYPT_KEY_PROV_PARAM = record
    dwParam :DWORD;
    pbData  :PBYTE;
    cbData  :DWORD;
    dwFlags :DWORD;
  end;

type
  PCRYPT_KEY_PROV_INFO = ^CRYPT_KEY_PROV_INFO;
  CRYPT_KEY_PROV_INFO = record
    pwszContainerName :LPWSTR;
    pwszProvName      :LPWSTR;
    dwProvType        :DWORD;
    dwFlags           :DWORD;
    cProvParam        :DWORD;
    rgProvParam       :PCRYPT_KEY_PROV_PARAM;
    dwKeySpec         :DWORD;
  end;

//+-------------------------------------------------------------------------
//  The following flag should be set in the above dwFlags to enable
//  a CertSetCertificateContextProperty(CERT_KEY_CONTEXT_PROP_ID) after a
//  CryptAcquireContext is done in the Sign or Decrypt Message functions.
//
//  The following define must not collide with any of the
//  CryptAcquireContext dwFlag defines.
//--------------------------------------------------------------------------

const 
  CERT_SET_KEY_PROV_HANDLE_PROP_ID = $00000001;
  CERT_SET_KEY_CONTEXT_PROP_ID     = $00000001;

//+-------------------------------------------------------------------------
//  Certificate Key Context
//
//  CERT_KEY_CONTEXT defines the CERT_KEY_CONTEXT_PROP_ID's pvData.
//--------------------------------------------------------------------------

type
  PCERT_KEY_CONTEXT = ^CERT_KEY_CONTEXT;
  CERT_KEY_CONTEXT = record
    cbSize     :DWORD;           // sizeof(CERT_KEY_CONTEXT)
    hCryptProv :HCRYPTPROV;
    dwKeySpec  :DWORD;
  end;

//+-------------------------------------------------------------------------
//  Certificate Store Provider Types
//--------------------------------------------------------------------------

const 
  CERT_STORE_PROV_MSG = (LPCSTR(1));
  CERT_STORE_PROV_MEMORY = (LPCSTR(2));
  CERT_STORE_PROV_FILE = (LPCSTR(3));
  CERT_STORE_PROV_REG = (LPCSTR(4));

  CERT_STORE_PROV_PKCS7 = (LPCSTR(5));
  CERT_STORE_PROV_SERIALIZED = (LPCSTR(6));
  CERT_STORE_PROV_FILENAME_A = (LPCSTR(7));
  CERT_STORE_PROV_FILENAME_W = (LPCSTR(8));
  CERT_STORE_PROV_FILENAME =  CERT_STORE_PROV_FILENAME_W;
  CERT_STORE_PROV_SYSTEM_A = (LPCSTR(9));
  CERT_STORE_PROV_SYSTEM_W =  (LPCSTR(10));
  CERT_STORE_PROV_SYSTEM = CERT_STORE_PROV_SYSTEM_W;

  sz_CERT_STORE_PROV_MEMORY = 'Memory';
  sz_CERT_STORE_PROV_FILENAME_W = 'File';
  sz_CERT_STORE_PROV_FILENAME = sz_CERT_STORE_PROV_FILENAME_W;
  sz_CERT_STORE_PROV_SYSTEM_W = 'System';
  sz_CERT_STORE_PROV_SYSTEM = sz_CERT_STORE_PROV_SYSTEM_W;
  sz_CERT_STORE_PROV_PKCS7 = 'PKCS7';
  sz_CERT_STORE_PROV_SERIALIZED = 'Serialized';

//+-------------------------------------------------------------------------
//  Certificate Store verify/results flags
//--------------------------------------------------------------------------

  CERT_STORE_SIGNATURE_FLAG = $00000001;
  CERT_STORE_TIME_VALIDITY_FLAG = $00000002;
  CERT_STORE_REVOCATION_FLAG = $00000004;
  CERT_STORE_NO_CRL_FLAG = $00010000;
  CERT_STORE_NO_ISSUER_FLAG = $00020000;

//+-------------------------------------------------------------------------
//  Certificate Store open/property flags
//--------------------------------------------------------------------------

  CERT_STORE_NO_CRYPT_RELEASE_FLAG = $00000001;
  CERT_STORE_READONLY_FLAG = $00008000;

//+-------------------------------------------------------------------------
//  Certificate Store Provider flags are in the HiWord (0xFFFF0000)
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  Certificate System Store Flag Values
//--------------------------------------------------------------------------
// Location of the system store in the registry:
//  HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE
  CERT_SYSTEM_STORE_LOCATION_MASK = $00030000;
  CERT_SYSTEM_STORE_CURRENT_USER  = $00010000;
  CERT_SYSTEM_STORE_LOCAL_MACHINE = $00020000;

//+-------------------------------------------------------------------------
//  Open the cert store using the specified store provider.
//
//  hCryptProv specifies the crypto provider to use to create the hash
//  properties or verify the signature of a subject certificate or CRL.
//  The store doesn't need to use a private
//  key. If the CERT_STORE_NO_CRYPT_RELEASE_FLAG isn't set, hCryptProv is
//  CryptReleaseContext'ed on the final CertCloseStore.
//
//  Note, if the open fails, hCryptProv is released if it would have been
//  released when the store was closed.
//
//  If hCryptProv is zero, then, the default provider and container for the
//  PROV_RSA_FULL provider type is CryptAcquireContext'ed with
//  CRYPT_VERIFYCONTEXT access. The CryptAcquireContext is deferred until
//  the first create hash or verify signature. In addition, once acquired,
//  the default provider isn't released until process exit when crypt32.dll
//  is unloaded. The acquired default provider is shared across all stores
//  and threads.
//
//  After initializing the store's data structures and optionally acquiring a
//  default crypt provider, CertOpenStore calls CryptGetOIDFunctionAddress to
//  get the address of the CRYPT_OID_OPEN_STORE_PROV_FUNC specified by
//  lpszStoreProvider. Since a store can contain certificates with different
//  encoding types, CryptGetOIDFunctionAddress is called with dwEncodingType
//  set to 0 and not the dwEncodingType passed to CertOpenStore.
//  PFN_CERT_DLL_OPEN_STORE_FUNC specifies the signature of the provider's
//  open function. This provider open function is called to load the
//  store's certificates and CRLs. Optionally, the provider may return an
//  array of functions called before a certificate or CRL is added or deleted
//  or has a property that is set.
//
//  Use of the dwEncodingType parameter is provider dependent. The type
//  definition for pvPara also depends on the provider.
//
//  Store providers are installed or registered via
//  CryptInstallOIDFunctionAddress or CryptRegisterOIDFunction, where,
//  dwEncodingType is 0 and pszFuncName is CRYPT_OID_OPEN_STORE_PROV_FUNC.
//
//  Here's a list of the predefined provider types (implemented in crypt32.dll):
//
//  CERT_STORE_PROV_MSG:
//      Gets the certificates and CRLs from the specified cryptographic message.
//      dwEncodingType contains the message and certificate encoding types.
//      The message's handle is passed in pvPara. Given,
//          HCRYPTMSG hCryptMsg; pvPara = (const void *) hCryptMsg;
//
//  CERT_STORE_PROV_MEMORY
//  sz_CERT_STORE_PROV_MEMORY:
//      Opens a store without any initial certificates or CRLs. pvPara
//      isn't used.
//
//  CERT_STORE_PROV_FILE:
//      Reads the certificates and CRLs from the specified file. The file's
//      handle is passed in pvPara. Given,
//          HANDLE hFile; pvPara = (const void *) hFile;
//
//      For a successful open, the file pointer is advanced past
//      the certificates and CRLs and their properties read from the file.
//      Note, only expects a serialized store and not a file containing
//      either a PKCS #7 signed message or a single encoded certificate.
//
//      The hFile isn't closed.
//
//  CERT_STORE_PROV_REG:
//      Reads the certificates and CRLs from the registry. The registry's
//      key handle is passed in pvPara. Given,
//          HKEY hKey; pvPara = (const void *) hKey;
//
//      The input hKey isn't closed by the provider. Before returning, the
//      provider opens/creates "Certificates" and "CRLs" subkeys. These
//      subkeys remain open until the store is closed.
//
//      If CERT_STORE_READONLY_FLAG is set, then, the registry subkeys are
//      RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry subkeys
//      are RegCreateKey'ed with KEY_ALL_ACCESS.
//
//      This provider returns the array of functions for reading, writing,
//      deleting and property setting certificates and CRLs.
//      Any changes to the opened store are immediately pushed through to
//      the registry. However, if CERT_STORE_READONLY_FLAG is set, then,
//      writing, deleting or property setting results in a
//      SetLastError(E_ACCESSDENIED).
//
//      Note, all the certificates and CRLs are read from the registry
//      when the store is opened. The opened store serves as a write through
//      cache. However, the opened store isn't notified of other changes
//      made to the registry. Note, RegNotifyChangeKeyValue is supported
//      on NT but not supported on Windows95.
//
//  CERT_STORE_PROV_PKCS7:
//  sz_CERT_STORE_PROV_PKCS7:
//      Gets the certificates and CRLs from the encoded PKCS #7 signed message.
//      dwEncodingType specifies the message and certificate encoding types.
//      The pointer to the encoded message's blob is passed in pvPara. Given,
//          CRYPT_DATA_BLOB EncodedMsg; pvPara = (const void *) &EncodedMsg;
//
//      Note, also supports the IE3.0 special version of a
//      PKCS #7 signed message referred to as a "SPC" formatted message.
//
//  CERT_STORE_PROV_SERIALIZED:
//  sz_CERT_STORE_PROV_SERIALIZED:
//      Gets the certificates and CRLs from memory containing a serialized
//      store.  The pointer to the serialized memory blob is passed in pvPara.
//      Given,
//          CRYPT_DATA_BLOB Serialized; pvPara = (const void *) &Serialized;
//
//  CERT_STORE_PROV_FILENAME_A:
//  CERT_STORE_PROV_FILENAME_W:
//  CERT_STORE_PROV_FILENAME:
//  sz_CERT_STORE_PROV_FILENAME_W:
//  sz_CERT_STORE_PROV_FILENAME:
//      Opens the file and first attempts to read as a serialized store. Then,
//      as a PKCS #7 signed message. Finally, as a single encoded certificate.
//      The filename is passed in pvPara. The filename is UNICODE for the
//      "_W" provider and ASCII for the "_A" provider. For "_W": given,
//          LPCWSTR pwszFilename; pvPara = (const void *) pwszFilename;
//      For "_A": given,
//          LPCSTR pszFilename; pvPara = (const void *) pszFilename;
//
//      Note, the default (without "_A" or "_W") is unicode.
//
//      Note, also supports the reading of the IE3.0 special version of a
//      PKCS #7 signed message file referred to as a "SPC" formatted file.
//
//  CERT_STORE_PROV_SYSTEM_A:
//  CERT_STORE_PROV_SYSTEM_W:
//  CERT_STORE_PROV_SYSTEM:
//  sz_CERT_STORE_PROV_SYSTEM_W:
//  sz_CERT_STORE_PROV_SYSTEM:
//      Opens the specified "system" store. Currently, all the system
//      stores are stored in the registry. The upper word of the dwFlags
//      parameter is used to specify the location of the system store. It
//      should be set to either CERT_SYSTEM_STORE_CURRENT_USER for
//      HKEY_CURRENT_USER or CERT_SYSTEM_STORE_LOCAL_MACHINE for
//      HKEY_LOCAL_MACHINE.
//
//      After opening the registry key associated with the system name,
//      the CERT_STORE_PROV_REG provider is called to complete the open.
//
//      The system store name is passed in pvPara. The name is UNICODE for the
//      "_W" provider and ASCII for the "_A" provider. For "_W": given,
//          LPCWSTR pwszSystemName; pvPara = (const void *) pwszSystemName;
//      For "_A": given,
//          LPCSTR pszSystemName; pvPara = (const void *) pszSystemName;
//
//      Note, the default (without "_A" or "_W") is UNICODE.
//
//      If CERT_STORE_READONLY_FLAG is set, then, the registry is
//      RegOpenKey'ed with KEY_READ_ACCESS. Otherwise, the registry is
//      RegCreateKey'ed with KEY_ALL_ACCESS.
//
//      The "root" store is treated differently from the other system
//      stores. Before a certificate is added to or deleted from the "root"
//      store, a pop up message box is displayed. The certificate's subject,
//      issuer, serial number, time validity, sha1 and md5 thumbprints are
//      displayed. The user is given the option to do the add or delete.
//      If they don't allow the operation, LastError is set to E_ACCESSDENIED.
//--------------------------------------------------------------------------

function CertOpenStore(lpszStoreProvider :LPCSTR;
                       dwEncodingType :DWORD;
                       hCryptProv :HCRYPTPROV;
                       dwFlags :DWORD;
                 const pvPara :PVOID):HCERTSTORE ; stdcall;

//+-------------------------------------------------------------------------
//  OID Installable Certificate Store Provider Data Structures
//--------------------------------------------------------------------------

// Handle returned by the store provider when opened.
type 
  HCERTSTOREPROV = PVOID;

// Store Provider OID function's pszFuncName.
const 
  CRYPT_OID_OPEN_STORE_PROV_FUNC = 'CertDllOpenStoreProv';

// Note, the Store Provider OID function's dwEncodingType is always 0.

// The following information is returned by the provider when opened. Its
// zeroed with cbSize set before the provider is called. If the provider
// doesn't need to be called again after the open it doesn't need to
// make any updates to the CERT_STORE_PROV_INFO.

type
  PCERT_STORE_PROV_INFO = ^CERT_STORE_PROV_INFO;
  CERT_STORE_PROV_INFO = record
    cbSize :DWORD;
    cStoreProvFunc :DWORD;
    rgpvStoreProvFunc :PPVOID;
    hStoreProv :HCERTSTOREPROV;
    dwStoreProvFlags :DWORD;
  end;

// Definition of the store provider's open function.
//
// *pStoreProvInfo has been zeroed before the call.
//
// Note, pStoreProvInfo->cStoreProvFunc should be set last.  Once set,
// all subsequent store calls, such as CertAddSerializedElementToStore will
// call the appropriate provider callback function.

type
  PFN_CERT_DLL_OPEN_STORE_PROV_FUNC = function (lpszStoreProvider :LPCSTR;
                                                dwEncodingType :DWORD;
                                                hCryptProv :HCRYPTPROV;
                                                dwFlags :DWORD;
                                          const pvPara :PVOID;
                                                hCertStore :HCERTSTORE;
                                                pStoreProvInfo :PCERT_STORE_PROV_INFO
                                                ):BOOL ; stdcall;

// Indices into the store provider's array of callback functions.
//
// The provider can implement any subset of the following functions. It
// sets pStoreProvInfo->cStoreProvFunc to the last index + 1 and any
// preceding not implemented functions to NULL.

const 
  CERT_STORE_PROV_CLOSE_FUNC = 0;
  CERT_STORE_PROV_READ_CERT_FUNC = 1;
  CERT_STORE_PROV_WRITE_CERT_FUNC = 2;
  CERT_STORE_PROV_DELETE_CERT_FUNC = 3;
  CERT_STORE_PROV_SET_CERT_PROPERTY_FUNC = 4;
  CERT_STORE_PROV_READ_CRL_FUNC = 5;
  CERT_STORE_PROV_WRITE_CRL_FUNC = 6;
  CERT_STORE_PROV_DELETE_CRL_FUNC = 7;
  CERT_STORE_PROV_SET_CRL_PROPERTY_FUNC = 8;
  CERT_STORE_PROV_READ_CTL_FUNC = 9;
  CERT_STORE_PROV_WRITE_CTL_FUNC = 10;
  CERT_STORE_PROV_DELETE_CTL_FUNC = 11;
  CERT_STORE_PROV_SET_CTL_PROPERTY_FUNC = 12;

// Called by CertCloseStore when the store's reference count is
// decremented to 0.

type
  PFN_CERT_STORE_PROV_CLOSE = procedure(hStoreProv :HCERTSTOREPROV;
                                        dwFlags :DWORD) ; stdcall;

// Currently not called directly by the store APIs. However, may be exported
// to support other providers based on it.
//
// Reads the provider's copy of the certificate context. If it exists,
// creates a new certificate context.

type
  PFN_CERT_STORE_PROV_READ_CERT = function (hStoreProv :HCERTSTOREPROV;
                                            pStoreCertContext :PCCERT_CONTEXT;
                                            dwFlags :DWORD;
                                        var ppProvCertContext :PCCERT_CONTEXT
                                            ):BOOL ; stdcall;

const 
  CERT_STORE_PROV_WRITE_ADD_FLAG = $1;

// Called by CertAddEncodedCertificateToStore,
// CertAddCertificateContextToStore or CertAddSerializedElementToStore before
// adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
// addition to the encoded certificate, the added pCertContext might also
// have properties.
//
// Returns TRUE if its OK to update the the store.

type
  PFN_CERT_STORE_PROV_WRITE_CERT = function (hStoreProv :HCERTSTOREPROV;
                                             pCertContext :PCCERT_CONTEXT;
                                             dwFlags :DWORD):BOOL ; stdcall;

// Called by CertDeleteCertificateFromStore before deleting from the
// store.
//
// Returns TRUE if its OK to delete from the store.

type
  PFN_CERT_STORE_PROV_DELETE_CERT = function (hStoreProv :HCERTSTOREPROV;
                                              pCertContext :PCCERT_CONTEXT;
                                              dwFlags :DWORD):BOOL ; stdcall;

// Called by CertSetCertificateContextProperty before setting the
// certificate's property. Also called by CertGetCertificateContextProperty,
// when getting a hash property that needs to be created and then persisted
// via the set.
//
// Upon input, the property hasn't been set for the pCertContext parameter.
//
// Returns TRUE if its OK to set the property.

type
  PFN_CERT_STORE_PROV_SET_CERT_PROPERTY = function (hStoreProv :HCERTSTOREPROV;
                                                    pCertContext :PCCERT_CONTEXT;
                                                    dwPropId :DWORD;
                                                    dwFlags :DWORD;
                                              const pvData :PVOID
                                                    ):BOOL ; stdcall;

// Currently not called directly by the store APIs. However, may be exported
// to support other providers based on it.
//
// Reads the provider's copy of the CRL context. If it exists,
// creates a new CRL context.

type
  PFN_CERT_STORE_PROV_READ_CRL = function (hStoreProv :HCERTSTOREPROV;
                                           pStoreCrlContext :PCCRL_CONTEXT;
                                           dwFlags :DWORD;
                                       var ppProvCrlContext :PCCRL_CONTEXT
                                           ):BOOL ; stdcall;

// Called by CertAddEncodedCRLToStore,
// CertAddCRLContextToStore or CertAddSerializedElementToStore before
// adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
// addition to the encoded CRL, the added pCertContext might also
// have properties.
//
// Returns TRUE if its OK to update the the store.

type
  PFN_CERT_STORE_PROV_WRITE_CRL = function (hStoreProv :HCERTSTOREPROV;
                                            pCrlContext :PCCRL_CONTEXT;
                                            dwFlags :DWORD):BOOL ; stdcall;

// Called by CertDeleteCRLFromStore before deleting from the store.
//
// Returns TRUE if its OK to delete from the store.

type
  PFN_CERT_STORE_PROV_DELETE_CRL = function (hStoreProv :HCERTSTOREPROV;
                                             pCrlContext :PCCRL_CONTEXT;
                                             dwFlags :DWORD):BOOL ; stdcall;

// Called by CertDeleteCRLFromStore before deleting from the store.
//
// Returns TRUE if its OK to delete from the store.

type
  PFN_CERT_STORE_PROV_SET_CRL_PROPERTY = function (hStoreProv :HCERTSTOREPROV;
                                                   pCrlContext :PCCRL_CONTEXT;
                                                   dwPropId :DWORD;
                                                   dwFlags :DWORD;
                                                   pvData :PVOID):BOOL ; stdcall;

// Currently not called directly by the store APIs. However, may be exported
// to support other providers based on it.
//
// Reads the provider's copy of the CTL context. If it exists,
// creates a new CTL context.

type
  PFN_CERT_STORE_PROV_READ_CTL = function (hStoreProv :HCERTSTOREPROV;
                                           pStoreCtlContext :PCCTL_CONTEXT;
                                           dwFlags :DWORD;
                                       var ppProvCtlContext :PCCTL_CONTEXT
                                           ):BOOL ; stdcall;

// Called by CertAddEncodedCTLToStore,
// CertAddCTLContextToStore or CertAddSerializedElementToStore before
// adding to the store. The CERT_STORE_PROV_WRITE_ADD_FLAG is set. In
// addition to the encoded CTL, the added pCertContext might also
// have properties.
//
// Returns TRUE if its OK to update the the store.

type
  PFN_CERT_STORE_PROV_WRITE_CTL = function (hStoreProv :HCERTSTOREPROV;
                                            pCtlContext :PCCTL_CONTEXT;
                                            dwFlags :DWORD):BOOL ; stdcall;

// Called by CertDeleteCTLFromStore before deleting from the store.
//
// Returns TRUE if its OK to delete from the store.

type
  PFN_CERT_STORE_PROV_DELETE_CTL = function (hStoreProv :HCERTSTOREPROV;
                                             pCtlContext :PCCTL_CONTEXT;
                                             dwFlags :DWORD):BOOL ; stdcall;

// Called by CertSetCTLContextProperty before setting the
// CTL's property. Also called by CertGetCTLContextProperty,
// when getting a hash property that needs to be created and then persisted
// via the set.
//
// Upon input, the property hasn't been set for the pCtlContext parameter.
//
// Returns TRUE if its OK to set the property.

type
  PFN_CERT_STORE_PROV_SET_CTL_PROPERTY = function (hStoreProv :HCERTSTOREPROV;
                                                   pCtlContext :PCCTL_CONTEXT;
                                                   dwPropId :DWORD;
                                                   dwFlags :DWORD;
                                             const pvData :PVOID
                                                   ):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Duplicate a cert store handle
//--------------------------------------------------------------------------

function CertDuplicateStore(hCertStore :HCERTSTORE):HCERTSTORE ; stdcall;

const CERT_STORE_SAVE_AS_STORE = 1;
const CERT_STORE_SAVE_AS_PKCS7 = 2;

const CERT_STORE_SAVE_TO_FILE = 1;
const CERT_STORE_SAVE_TO_MEMORY = 2;
const CERT_STORE_SAVE_TO_FILENAME_A = 3;
const CERT_STORE_SAVE_TO_FILENAME_W = 4;
const CERT_STORE_SAVE_TO_FILENAME = CERT_STORE_SAVE_TO_FILENAME_W;

//+-------------------------------------------------------------------------
//  Save the cert store. Extended version with lots of options.
//
//  According to the dwSaveAs parameter, the store can be saved as a
//  serialized store (CERT_STORE_SAVE_AS_STORE) containing properties in
//  addition to encoded certificates, CRLs and CTLs or the store can be saved
//  as a PKCS #7 signed message (CERT_STORE_SAVE_AS_PKCS7) which doesn't
//  include the properties or CTLs.
//
//  Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
//  CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't saved into
//  a serialized store.
//
//  For CERT_STORE_SAVE_AS_PKCS7, the dwEncodingType specifies the message
//  encoding type. The dwEncodingType parameter isn't used for
//  CERT_STORE_SAVE_AS_STORE.
//
//  The dwFlags parameter currently isn't used and should be set to 0.
//
//  The dwSaveTo and pvSaveToPara parameters specify where to save the
//  store as follows:
//    CERT_STORE_SAVE_TO_FILE:
//      Saves to the specified file. The file's handle is passed in
//      pvSaveToPara. Given,
//          HANDLE hFile; pvSaveToPara = (void *) hFile;
//
//      For a successful save, the file pointer is positioned after the
//      last write.
//
//    CERT_STORE_SAVE_TO_MEMORY:
//      Saves to the specified memory blob. The pointer to
//      the memory blob is passed in pvSaveToPara. Given,
//          CRYPT_DATA_BLOB SaveBlob; pvSaveToPara = (void *) &SaveBlob;
//      Upon entry, the SaveBlob's pbData and cbData need to be initialized.
//      Upon return, cbData is updated with the actual length.
//      For a length only calculation, pbData should be set to NULL. If
//      pbData is non-NULL and cbData isn't large enough, FALSE is returned
//      with a last error of ERRROR_MORE_DATA.
//
//    CERT_STORE_SAVE_TO_FILENAME_A:
//    CERT_STORE_SAVE_TO_FILENAME_W:
//    CERT_STORE_SAVE_TO_FILENAME:
//      Opens the file and saves to it. The filename is passed in pvSaveToPara.
//      The filename is UNICODE for the "_W" option and ASCII for the "_A"
//      option. For "_W": given,
//          LPCWSTR pwszFilename; pvSaveToPara = (void *) pwszFilename;
//      For "_A": given,
//          LPCSTR pszFilename; pvSaveToPara = (void *) pszFilename;
//
//      Note, the default (without "_A" or "_W") is UNICODE.
//
//--------------------------------------------------------------------------

function CertSaveStore(hCertStore :HCERTSTORE;
                       dwEncodingType :DWORD;
                       dwSaveAs :DWORD;
                       dwSaveTo :DWORD;
                       pvSaveToPara :PVOID;
                       dwFlags :DWORD):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Certificate Store close flags
//--------------------------------------------------------------------------
const CERT_CLOSE_STORE_FORCE_FLAG = $00000001;
const CERT_CLOSE_STORE_CHECK_FLAG = $00000002;

//+-------------------------------------------------------------------------
//  Close a cert store handle.
//
//  There needs to be a corresponding close for each open and duplicate.
//
//  Even on the final close, the cert store isn't freed until all of its
//  certificate and CRL contexts have also been freed.
//
//  On the final close, the hCryptProv passed to CertStoreOpen is
//  CryptReleaseContext'ed.
//
//  To force the closure of the store with all of its memory freed, set the
//  CERT_STORE_CLOSE_FORCE_FLAG. This flag should be set when the caller does
//  its own reference counting and wants everything to vanish.
//
//  To check if all the store's certificates and CRLs have been freed and that
//  this is the last CertCloseStore, set the CERT_CLOSE_STORE_CHECK_FLAG. If
//  set and certs, CRLs or stores still need to be freed/closed, FALSE is
//  returned with LastError set to CRYPT_E_PENDING_CLOSE. Note, for FALSE,
//  the store is still closed. This is a diagnostic flag.
//
//  LastError is preserved unless CERT_CLOSE_STORE_CHECK_FLAG is set and FALSE
//  is returned.
//--------------------------------------------------------------------------

function CertCloseStore(hCertStore :HCERTSTORE; dwFlags :DWORD):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Get the subject certificate context uniquely identified by its Issuer and
//  SerialNumber from the store.
//
//  If the certificate isn't found, NULL is returned. Otherwise, a pointer to
//  a read only CERT_CONTEXT is returned. CERT_CONTEXT must be freed by calling
//  CertFreeCertificateContext. CertDuplicateCertificateContext can be called to make a
//  duplicate.
//
//  The returned certificate might not be valid. Normally, it would be
//  verified when getting its issuer certificate (CertGetIssuerCertificateFromStore).
//--------------------------------------------------------------------------

function CertGetSubjectCertificateFromStore(hCertStore :HCERTSTORE;
                                            dwCertEncodingType :DWORD;
                                            pCertId :PCERT_INFO         // Only the Issuer and SerialNumber
                                            ):PCCERT_CONTEXT ; stdcall; // fields are used

//+-------------------------------------------------------------------------
//  Enumerate the certificate contexts in the store.
//
//  If a certificate isn't found, NULL is returned.
//  Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
//  must be freed by calling CertFreeCertificateContext or is freed when passed as the
//  pPrevCertContext on a subsequent call. CertDuplicateCertificateContext
//  can be called to make a duplicate.
//
//  pPrevCertContext MUST BE NULL to enumerate the first
//  certificate in the store. Successive certificates are enumerated by setting
//  pPrevCertContext to the CERT_CONTEXT returned by a previous call.
//
//  NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by
//  this function, even for an error.
//--------------------------------------------------------------------------

function CertEnumCertificatesInStore(hCertStore :HCERTSTORE;
                                     pPrevCertContext :PCCERT_CONTEXT
                                     ):PCCERT_CONTEXT ; stdcall;

//+-------------------------------------------------------------------------
//  Find the first or next certificate context in the store.
//
//  The certificate is found according to the dwFindType and its pvFindPara.
//  See below for a list of the find types and its parameters.
//
//  Currently dwFindFlags is only used for CERT_FIND_SUBJECT_ATTR,
//  CERT_FIND_ISSUER_ATTR or CERT_FIND_CTL_USAGE. Otherwise, must be set to 0.
//
//  Usage of dwCertEncodingType depends on the dwFindType.
//
//  If the first or next certificate isn't found, NULL is returned.
//  Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
//  must be freed by calling CertFreeCertificateContext or is freed when passed as the
//  pPrevCertContext on a subsequent call. CertDuplicateCertificateContext
//  can be called to make a duplicate.
//
//  pPrevCertContext MUST BE NULL on the first
//  call to find the certificate. To find the next certificate, the
//  pPrevCertContext is set to the CERT_CONTEXT returned by a previous call.
//
//  NOTE: a NON-NULL pPrevCertContext is always CertFreeCertificateContext'ed by
//  this function, even for an error.
//--------------------------------------------------------------------------

function CertFindCertificateInStore(hCertStore :HCERTSTORE;
                                    dwCertEncodingType :DWORD;
                                    dwFindFlags :DWORD;
                                    dwFindType :DWORD;
                              const pvFindPara :PVOID;
                                    pPrevCertContext :PCCERT_CONTEXT
                                    ):PCCERT_CONTEXT ; stdcall;

//+-------------------------------------------------------------------------
// Certificate comparison functions
//--------------------------------------------------------------------------

const CERT_COMPARE_SHIFT = 16;
const CERT_COMPARE_ANY = 0;
const CERT_COMPARE_SHA1_HASH = 1;
const CERT_COMPARE_NAME = 2;
const CERT_COMPARE_ATTR = 3;
const CERT_COMPARE_MD5_HASH  = 4;
const CERT_COMPARE_PROPERTY = 5;
const CERT_COMPARE_PUBLIC_KEY = 6;
const CERT_COMPARE_HASH = CERT_COMPARE_SHA1_HASH;
const CERT_COMPARE_NAME_STR_A = 7;
const CERT_COMPARE_NAME_STR_W = 8;
const CERT_COMPARE_KEY_SPEC = 9;
const CERT_COMPARE_ENHKEY_USAGE = 10;
const CERT_COMPARE_CTL_USAGE = CERT_COMPARE_ENHKEY_USAGE;

//+-------------------------------------------------------------------------
//  dwFindType
//
//  The dwFindType definition consists of two components:
//   - comparison function
//   - certificate information flag
//--------------------------------------------------------------------------

const CERT_FIND_ANY = (CERT_COMPARE_ANY shl CERT_COMPARE_SHIFT);
const CERT_FIND_SHA1_HASH = (CERT_COMPARE_SHA1_HASH shl CERT_COMPARE_SHIFT);
const CERT_FIND_MD5_HASH = (CERT_COMPARE_MD5_HASH shl CERT_COMPARE_SHIFT);
const CERT_FIND_HASH = CERT_FIND_SHA1_HASH;
const CERT_FIND_PROPERTY = (CERT_COMPARE_PROPERTY shl CERT_COMPARE_SHIFT);
const CERT_FIND_PUBLIC_KEY = (CERT_COMPARE_PUBLIC_KEY shl CERT_COMPARE_SHIFT);

const CERT_FIND_SUBJECT_NAME = (CERT_COMPARE_NAME shl CERT_COMPARE_SHIFT or CERT_INFO_SUBJECT_FLAG);
const CERT_FIND_SUBJECT_ATTR = (CERT_COMPARE_ATTR shl CERT_COMPARE_SHIFT or  CERT_INFO_SUBJECT_FLAG);
const CERT_FIND_ISSUER_NAME = (CERT_COMPARE_NAME shl CERT_COMPARE_SHIFT or  CERT_INFO_ISSUER_FLAG);
const CERT_FIND_ISSUER_ATTR = (CERT_COMPARE_ATTR shl CERT_COMPARE_SHIFT or   CERT_INFO_ISSUER_FLAG);
const CERT_FIND_SUBJECT_STR_A =  (CERT_COMPARE_NAME_STR_A shl CERT_COMPARE_SHIFT or   CERT_INFO_SUBJECT_FLAG);
const CERT_FIND_SUBJECT_STR_W =  (CERT_COMPARE_NAME_STR_W shl CERT_COMPARE_SHIFT or   CERT_INFO_SUBJECT_FLAG);
const CERT_FIND_SUBJECT_STR = CERT_FIND_SUBJECT_STR_W;
const CERT_FIND_ISSUER_STR_A = (CERT_COMPARE_NAME_STR_A shl CERT_COMPARE_SHIFT or  CERT_INFO_ISSUER_FLAG);
const CERT_FIND_ISSUER_STR_W =  (CERT_COMPARE_NAME_STR_W shl CERT_COMPARE_SHIFT or  CERT_INFO_ISSUER_FLAG);
const CERT_FIND_ISSUER_STR = CERT_FIND_ISSUER_STR_W;
const CERT_FIND_KEY_SPEC = (CERT_COMPARE_KEY_SPEC shl CERT_COMPARE_SHIFT);
const CERT_FIND_ENHKEY_USAGE = (CERT_COMPARE_ENHKEY_USAGE shl CERT_COMPARE_SHIFT);
const CERT_FIND_CTL_USAGE = CERT_FIND_ENHKEY_USAGE;

//+-------------------------------------------------------------------------
//  CERT_FIND_ANY
//
//  Find any certificate.
//
//  pvFindPara isn't used.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CERT_FIND_HASH
//
//  Find a certificate with the specified hash.
//
//  pvFindPara points to a CRYPT_HASH_BLOB.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CERT_FIND_PROPERTY
//
//  Find a certificate having the specified property.
//
//  pvFindPara points to a DWORD containing the PROP_ID
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CERT_FIND_PUBLIC_KEY
//
//  Find a certificate matching the specified public key.
//
//  pvFindPara points to a CERT_PUBLIC_KEY_INFO containing the public key
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CERT_FIND_SUBJECT_NAME
//  CERT_FIND_ISSUER_NAME
//
//  Find a certificate with the specified subject/issuer name. Does an exact
//  match of the entire name.
//
//  Restricts search to certificates matching the dwCertEncodingType.
//
//  pvFindPara points to a CERT_NAME_BLOB.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CERT_FIND_SUBJECT_ATTR
//  CERT_FIND_ISSUER_ATTR
//
//  Find a certificate with the specified subject/issuer attributes.
//
//  Compares the attributes in the subject/issuer name with the
//  Relative Distinguished Name's (CERT_RDN) array of attributes specified in
//  pvFindPara. The comparison iterates through the CERT_RDN attributes and looks
//  for an attribute match in any of the subject/issuer's RDNs.
//
//  The CERT_RDN_ATTR fields can have the following special values:
//    pszObjId == NULL              - ignore the attribute object identifier
//    dwValueType == RDN_ANY_TYPE   - ignore the value type
//    Value.pbData == NULL          - match any value
//
//  Currently only an exact, case sensitive match is supported.
//
//  CERT_UNICODE_IS_RDN_ATTRS_FLAG should be set in dwFindFlags if the RDN was
//  initialized with unicode strings as for
//  CryptEncodeObject(X509_UNICODE_NAME).
//
//  Restricts search to certificates matching the dwCertEncodingType.
//
//  pvFindPara points to a CERT_RDN (defined in wincert.h).
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CERT_FIND_SUBJECT_STR_A
//  CERT_FIND_SUBJECT_STR_W | CERT_FIND_SUBJECT_STR
//  CERT_FIND_ISSUER_STR_A
//  CERT_FIND_ISSUER_STR_W  | CERT_FIND_ISSUER_STR
//
//  Find a certificate containing the specified subject/issuer name string.
//
//  First, the certificate's subject/issuer is converted to a name string
//  via CertNameToStrA/CertNameToStrW(CERT_SIMPLE_NAME_STR). Then, a
//  case insensitive substring within string match is performed.
//
//  Restricts search to certificates matching the dwCertEncodingType.
//
//  For *_STR_A, pvFindPara points to a null terminated character string.
//  For *_STR_W, pvFindPara points to a null terminated wide character string.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CERT_FIND_KEY_SPEC
//
//  Find a certificate having a CERT_KEY_SPEC_PROP_ID property matching
//  the specified KeySpec.
//
//  pvFindPara points to a DWORD containing the KeySpec.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CERT_FIND_ENHKEY_USAGE
//
//  Find a certificate having the szOID_ENHANCED_KEY_USAGE extension or
//  the CERT_ENHKEY_USAGE_PROP_ID and matching the specified pszUsageIdentifers.
//
//  pvFindPara points to a CERT_ENHKEY_USAGE data structure. If pvFindPara
//  is NULL or CERT_ENHKEY_USAGE's cUsageIdentifier is 0, then, matches any
//  certificate having enhanced key usage.
//
//  The CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG can be set in dwFindFlags to
//  also match a certificate without either the extension or property.
//
//  If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set in dwFindFlags, finds
//  certificates without the key usage extension or property. Setting this
//  flag takes precedence over pvFindPara being NULL.
//
//  If the CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, then, only does a match
//  using the extension. If pvFindPara is NULL or cUsageIdentifier is set to
//  0, finds certificates having the extension. If
//  CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set, also matches a certificate
//  without the extension. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set, finds
//  certificates without the extension.
//
//  If the CERT_FIND_EXT_PROP_ENHKEY_USAGE_FLAG is set, then, only does a match
//  using the property. If pvFindPara is NULL or cUsageIdentifier is set to
//  0, finds certificates having the property. If
//  CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG is set, also matches a certificate
//  without the property. If CERT_FIND_NO_ENHKEY_USAGE_FLAG is set, finds
//  certificates without the property.
//--------------------------------------------------------------------------

const CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG = $1;
const CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG = $2;
const CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG = $4;
const CERT_FIND_NO_ENHKEY_USAGE_FLAG = $8;
const CERT_FIND_OPTIONAL_CTL_USAGE_FLAG = CERT_FIND_OPTIONAL_ENHKEY_USAGE_FLAG;
const CERT_FIND_EXT_ONLY_CTL_USAGE_FLAG = CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG;
const CERT_FIND_PROP_ONLY_CTL_USAGE_FLAG = CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG;
const CERT_FIND_NO_CTL_USAGE_FLAG = CERT_FIND_NO_ENHKEY_USAGE_FLAG;

//+-------------------------------------------------------------------------
//  Get the certificate context from the store for the first or next issuer
//  of the specified subject certificate. Perform the enabled
//  verification checks on the subject. (Note, the checks are on the subject
//  using the returned issuer certificate.)
//
//  If the first or next issuer certificate isn't found, NULL is returned.
//  Otherwise, a pointer to a read only CERT_CONTEXT is returned. CERT_CONTEXT
//  must be freed by calling CertFreeCertificateContext or is freed when passed as the
//  pPrevIssuerContext on a subsequent call. CertDuplicateCertificateContext
//  can be called to make a duplicate.
//
//  For a self signed subject certificate, NULL is returned with LastError set
//  to CERT_STORE_SELF_SIGNED. The enabled verification checks are still done.
//
//  The pSubjectContext may have been obtained from this store, another store
//  or created by the caller application. When created by the caller, the
//  CertCreateCertificateContext function must have been called.
//
//  An issuer may have multiple certificates. This may occur when the validity
//  period is about to change. pPrevIssuerContext MUST BE NULL on the first
//  call to get the issuer. To get the next certificate for the issuer, the
//  pPrevIssuerContext is set to the CERT_CONTEXT returned by a previous call.
//
//  NOTE: a NON-NULL pPrevIssuerContext is always CertFreeCertificateContext'ed by
//  this function, even for an error.
//
//  The following flags can be set in *pdwFlags to enable verification checks
//  on the subject certificate context:
//      CERT_STORE_SIGNATURE_FLAG     - use the public key in the returned
//                                      issuer certificate to verify the
//                                      signature on the subject certificate.
//                                      Note, if pSubjectContext->hCertStore ==
//                                      hCertStore, the store provider might
//                                      be able to eliminate a redo of
//                                      the signature verify.
//      CERT_STORE_TIME_VALIDITY_FLAG - get the current time and verify that
//                                      its within the subject certificate's
//                                      validity period
//      CERT_STORE_REVOCATION_FLAG    - check if the subject certificate is on
//                                      the issuer's revocation list
//
//  If an enabled verification check fails, then, its flag is set upon return.
//  If CERT_STORE_REVOCATION_FLAG was enabled and the issuer doesn't have a
//  CRL in the store, then, CERT_STORE_NO_CRL_FLAG is set in addition to
//  the CERT_STORE_REVOCATION_FLAG.
//
//  If CERT_STORE_SIGNATURE_FLAG or CERT_STORE_REVOCATION_FLAG is set, then,
//  CERT_STORE_NO_ISSUER_FLAG is set if it doesn't have an issuer certificate
//  in the store.
//
//  For a verification check failure, a pointer to the issuer's CERT_CONTEXT
//  is still returned and SetLastError isn't updated.
//--------------------------------------------------------------------------
function CertGetIssuerCertificateFromStore(hCertStore :HCERTSTORE;
                                           pSubjectContext :PCCERT_CONTEXT;
                                           pPrevIssuerContext :PCCERT_CONTEXT; //OPTIONAL
                                           pdwFlags :PDWORD):PCCERT_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
//  Perform the enabled verification checks on the subject certificate
//  using the issuer. Same checks and flags definitions as for the above
//  CertGetIssuerCertificateFromStore.
//
//  If you are only checking CERT_STORE_TIME_VALIDITY_FLAG, then, the
//  issuer can be NULL.
//
//  For a verification check failure, SUCCESS is still returned.
//--------------------------------------------------------------------------

function CertVerifySubjectCertificateContext(pSubject :PCCERT_CONTEXT;
                                             pIssuer :PCCERT_CONTEXT; //OPTIONAL
                                             pdwFlags :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Duplicate a certificate context
//--------------------------------------------------------------------------

function CertDuplicateCertificateContext(pCertContext :PCCERT_CONTEXT):PCCERT_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
//  Create a certificate context from the encoded certificate. The created
//  context isn't put in a store.
//
//  Makes a copy of the encoded certificate in the created context.
//
//  If unable to decode and create the certificate context, NULL is returned.
//  Otherwise, a pointer to a read only CERT_CONTEXT is returned.
//  CERT_CONTEXT must be freed by calling CertFreeCertificateContext.
//  CertDuplicateCertificateContext can be called to make a duplicate.
//
//  CertSetCertificateContextProperty and CertGetCertificateContextProperty can be called
//  to store properties for the certificate.
//--------------------------------------------------------------------------
function CertCreateCertificateContext(dwCertEncodingType :DWORD;
                                      pbCertEncoded :PBYTE;
                                      cbCertEncoded :DWORD):PCCERT_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
//  Free a certificate context
//
//  There needs to be a corresponding free for each context obtained by a
//  get, find, duplicate or create.
//--------------------------------------------------------------------------
function CertFreeCertificateContext(pCertContext :PCCERT_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Set the property for the specified certificate context.
//
//  The type definition for pvData depends on the dwPropId value. There are
//  five predefined types:
//      CERT_KEY_PROV_HANDLE_PROP_ID - a HCRYPTPROV for the certificate's
//      private key is passed in pvData. Updates the hCryptProv field
//      of the CERT_KEY_CONTEXT_PROP_ID. If the CERT_KEY_CONTEXT_PROP_ID
//      doesn't exist, its created with all the other fields zeroed out. If
//      CERT_STORE_NO_CRYPT_RELEASE_FLAG isn't set, HCRYPTPROV is implicitly
//      released when either the property is set to NULL or on the final
//      free of the CertContext.
//
//      CERT_KEY_PROV_INFO_PROP_ID - a PCRYPT_KEY_PROV_INFO for the certificate's
//      private key is passed in pvData.
//
//      CERT_SHA1_HASH_PROP_ID -
//      CERT_MD5_HASH_PROP_ID  - normally, either property is implicitly
//      set by doing a CertGetCertificateContextProperty. pvData points to a
//      CRYPT_HASH_BLOB.
//
//      CERT_KEY_CONTEXT_PROP_ID - a PCERT_KEY_CONTEXT for the certificate's
//      private key is passed in pvData. The CERT_KEY_CONTEXT contains both the
//      hCryptProv and dwKeySpec for the private key.
//      See the CERT_KEY_PROV_HANDLE_PROP_ID for more information about
//      the hCryptProv field and dwFlags settings. Note, more fields may
//      be added for this property. The cbSize field value will be adjusted
//      accordingly.
//
//      CERT_KEY_SPEC_PROP_ID - the dwKeySpec for the private key. pvData
//      points to a DWORD containing the KeySpec
//
//      CERT_ENHKEY_USAGE_PROP_ID - enhanced key usage definition for the
//      certificate. pvData points to a CRYPT_DATA_BLOB containing an
//      ASN.1 encoded CERT_ENHKEY_USAGE (encoded via
//      CryptEncodeObject(X509_ENHANCED_KEY_USAGE).
//
//      CERT_NEXT_UPDATE_LOCATION_PROP_ID - location of the next update.
//      Currently only applicable to CTLs. pvData points to a CRYPT_DATA_BLOB
//      containing an ASN.1 encoded CERT_ALT_NAME_INFO (encoded via
//      CryptEncodeObject(X509_ALTERNATE_NAME)).
//
//      CERT_FRIENDLY_NAME_PROP_ID - friendly name for the cert, CRL or CTL.
//      pvData points to a CRYPT_DATA_BLOB. pbData is a pointer to a NULL
//      terminated unicode, wide character string.
//      cbData = (wcslen((LPWSTR) pbData) + 1) * sizeof(WCHAR).
//
//  For all the other PROP_IDs: an encoded PCRYPT_DATA_BLOB is passed in pvData.
//
//  If the property already exists, then, the old value is deleted and silently
//  replaced. Setting, pvData to NULL, deletes the property.
//--------------------------------------------------------------------------
function CertSetCertificateContextProperty(pCertContext :PCCERT_CONTEXT;
                                           dwPropId :DWORD;
                                           dwFlags :DWORD;
                                           pvData :PVOID):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Get the property for the specified certificate context.
//
//  For CERT_KEY_PROV_HANDLE_PROP_ID, pvData points to a HCRYPTPROV.
//
//  For CERT_KEY_PROV_INFO_PROP_ID, pvData points to a CRYPT_KEY_PROV_INFO structure.
//  Elements pointed to by fields in the pvData structure follow the
//  structure. Therefore, *pcbData may exceed the size of the structure.
//
//  For CERT_KEY_CONTEXT_PROP_ID, pvData points to a CERT_KEY_CONTEXT structure.
//
//  For CERT_KEY_SPEC_PROP_ID, pvData points to a DWORD containing the KeySpec.
//  If the CERT_KEY_CONTEXT_PROP_ID exists, the KeySpec is obtained from there.
//  Otherwise, if the CERT_KEY_PROV_INFO_PROP_ID exists, its the source
//  of the KeySpec.
//
//  For CERT_SHA1_HASH_PROP_ID or CERT_MD5_HASH_PROP_ID, if the hash
//  doesn't already exist, then, its computed via CryptHashCertificate()
//  and then set. pvData points to the computed hash. Normally, the length
//  is 20 bytes for SHA and 16 for MD5.
//
//  For all other PROP_IDs, pvData points to an encoded array of bytes.
//--------------------------------------------------------------------------
function CertGetCertificateContextProperty(pCertContext :PCCERT_CONTEXT;
                                           dwPropId :DWORD;
                                           pvData :PVOID;
                                           pcbData :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Enumerate the properties for the specified certificate context.
//
//  To get the first property, set dwPropId to 0. The ID of the first
//  property is returned. To get the next property, set dwPropId to the
//  ID returned by the last call. To enumerate all the properties continue
//  until 0 is returned.
//
//  CertGetCertificateContextProperty is called to get the property's data.
//
//  Note, since, the CERT_KEY_PROV_HANDLE_PROP_ID and CERT_KEY_SPEC_PROP_ID
//  properties are stored as fields in the CERT_KEY_CONTEXT_PROP_ID
//  property, they aren't enumerated individually.
//--------------------------------------------------------------------------
function CertEnumCertificateContextProperties(pCertContext :PCCERT_CONTEXT;
                                              dwPropId :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
//  Get the first or next CRL context from the store for the specified
//  issuer certificate. Perform the enabled verification checks on the CRL.
//
//  If the first or next CRL isn't found, NULL is returned.
//  Otherwise, a pointer to a read only CRL_CONTEXT is returned. CRL_CONTEXT
//  must be freed by calling CertFreeCRLContext. However, the free must be
//  pPrevCrlContext on a subsequent call. CertDuplicateCRLContext
//  can be called to make a duplicate.
//
//  The pIssuerContext may have been obtained from this store, another store
//  or created by the caller application. When created by the caller, the
//  CertCreateCertificateContext function must have been called.
//
//  If pIssuerContext == NULL, finds all the CRLs in the store.
//
//  An issuer may have multiple CRLs. For example, it generates delta CRLs
//  using a X.509 v3 extension. pPrevCrlContext MUST BE NULL on the first
//  call to get the CRL. To get the next CRL for the issuer, the
//  pPrevCrlContext is set to the CRL_CONTEXT returned by a previous call.
//
//  NOTE: a NON-NULL pPrevCrlContext is always CertFreeCRLContext'ed by
//  this function, even for an error.
//
//  The following flags can be set in *pdwFlags to enable verification checks
//  on the returned CRL:
//      CERT_STORE_SIGNATURE_FLAG     - use the public key in the
//                                      issuer's certificate to verify the
//                                      signature on the returned CRL.
//                                      Note, if pIssuerContext->hCertStore ==
//                                      hCertStore, the store provider might
//                                      be able to eliminate a redo of
//                                      the signature verify.
//      CERT_STORE_TIME_VALIDITY_FLAG - get the current time and verify that
//                                      its within the CRL's ThisUpdate and
//                                      NextUpdate validity period.
//
//  If an enabled verification check fails, then, its flag is set upon return.
//
//  If pIssuerContext == NULL, then, an enabled CERT_STORE_SIGNATURE_FLAG
//  always fails and the CERT_STORE_NO_ISSUER_FLAG is also set.
//
//  For a verification check failure, a pointer to the first or next
//  CRL_CONTEXT is still returned and SetLastError isn't updated.
//--------------------------------------------------------------------------
function CertGetCRLFromStore(hCertStore :HCERTSTORE;
                             pIssuerContext :PCCERT_CONTEXT; //OPTIONAL
                             pPrevCrlContext :PCCRL_CONTEXT;
                             pdwFlags :PDWORD):PCCRL_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
//  Duplicate a CRL context
//--------------------------------------------------------------------------
function CertDuplicateCRLContext(pCrlContext :PCCRL_CONTEXT):PCCRL_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
//  Create a CRL context from the encoded CRL. The created
//  context isn't put in a store.
//
//  Makes a copy of the encoded CRL in the created context.
//
//  If unable to decode and create the CRL context, NULL is returned.
//  Otherwise, a pointer to a read only CRL_CONTEXT is returned.
//  CRL_CONTEXT must be freed by calling CertFreeCRLContext.
//  CertDuplicateCRLContext can be called to make a duplicate.
//
//  CertSetCRLContextProperty and CertGetCRLContextProperty can be called
//  to store properties for the CRL.
//--------------------------------------------------------------------------
function CertCreateCRLContext(dwCertEncodingType :DWORD;
                              pbCrlEncoded :PBYTE;
                              cbCrlEncoded :DWORD):PCCRL_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
//  Free a CRL context
//
//  There needs to be a corresponding free for each context obtained by a
//  get, duplicate or create.
//--------------------------------------------------------------------------
function CertFreeCRLContext(pCrlContext :PCCRL_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Set the property for the specified CRL context.
//
//  Same Property Ids and semantics as CertSetCertificateContextProperty.
//--------------------------------------------------------------------------
function CertSetCRLContextProperty(pCrlContext :PCCRL_CONTEXT;
                                   dwPropId :DWORD;
                                   dwFlags :DWORD;
                             const pvData :PVOID):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Get the property for the specified CRL context.
//
//  Same Property Ids and semantics as CertGetCertificateContextProperty.
//
//  CERT_SHA1_HASH_PROP_ID or CERT_MD5_HASH_PROP_ID is the predefined
//  property of most interest.
//--------------------------------------------------------------------------
function CertGetCRLContextProperty(pCrlContext :PCCRL_CONTEXT;
                                   dwPropId :DWORD;
                                   pvData :PVOID;
                                   pcbData :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Enumerate the properties for the specified CRL context.
//
//  To get the first property, set dwPropId to 0. The ID of the first
//  property is returned. To get the next property, set dwPropId to the
//  ID returned by the last call. To enumerate all the properties continue
//  until 0 is returned.
//
//  CertGetCRLContextProperty is called to get the property's data.
//--------------------------------------------------------------------------
function CertEnumCRLContextProperties(pCrlContext :PCCRL_CONTEXT;
                                      dwPropId :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
// Add certificate/CRL, encoded, context or element disposition values.
//--------------------------------------------------------------------------
const CERT_STORE_ADD_NEW = 1;
const CERT_STORE_ADD_USE_EXISTING = 2;
const CERT_STORE_ADD_REPLACE_EXISTING = 3;
const CERT_STORE_ADD_ALWAYS = 4;

//+-------------------------------------------------------------------------
//  Add the encoded certificate to the store according to the specified
//  disposition action.
//
//  Makes a copy of the encoded certificate before adding to the store.
//
//  dwAddDispostion specifies the action to take if the certificate
//  already exists in the store. This parameter must be one of the following
//  values:
//    CERT_STORE_ADD_NEW
//      Fails if the certificate already exists in the store. LastError
//      is set to CRYPT_E_EXISTS.
//    CERT_STORE_ADD_USE_EXISTING
//      If the certifcate already exists, then, its used and if ppCertContext
//      is non-NULL, the existing context is duplicated.
//    CERT_STORE_ADD_REPLACE_EXISTING
//      If the certificate already exists, then, the existing certificate
//      context is deleted before creating and adding the new context.
//    CERT_STORE_ADD_ALWAYS
//      No check is made to see if the certificate already exists. A
//      new certificate context is always created. This may lead to
//      duplicates in the store.
//
//  CertGetSubjectCertificateFromStore is called to determine if the
//  certificate already exists in the store.
//
//  ppCertContext can be NULL, indicating the caller isn't interested
//  in getting the CERT_CONTEXT of the added or existing certificate.
//--------------------------------------------------------------------------
function CertAddEncodedCertificateToStore(hCertStore :HCERTSTORE;
                                          dwCertEncodingType :DWORD;
                                    const pbCertEncoded :PBYTE;
                                          cbCertEncoded :DWORD;
                                          dwAddDisposition :DWORD;
                                      var ppCertContext :PCCERT_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Add the certificate context to the store according to the specified
//  disposition action.
//
//  In addition to the encoded certificate, the context's properties are
//  also copied.  Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
//  CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
//
//  Makes a copy of the certificate context before adding to the store.
//
//  dwAddDispostion specifies the action to take if the certificate
//  already exists in the store. This parameter must be one of the following
//  values:
//    CERT_STORE_ADD_NEW
//      Fails if the certificate already exists in the store. LastError
//      is set to CRYPT_E_EXISTS.
//    CERT_STORE_ADD_USE_EXISTING
//      If the certifcate already exists, then, its used and if ppStoreContext
//      is non-NULL, the existing context is duplicated. Iterates
//      through pCertContext's properties and only copies the properties
//      that don't already exist. The SHA1 and MD5 hash properties aren't
//      copied.
//    CERT_STORE_ADD_REPLACE_EXISTING
//      If the certificate already exists, then, the existing certificate
//      context is deleted before creating and adding a new context.
//      Properties are copied before doing the add.
//    CERT_STORE_ADD_ALWAYS
//      No check is made to see if the certificate already exists. A
//      new certificate context is always created and added. This may lead to
//      duplicates in the store. Properties are
//      copied before doing the add.
//
//  CertGetSubjectCertificateFromStore is called to determine if the
//  certificate already exists in the store.
//
//  ppStoreContext can be NULL, indicating the caller isn't interested
//  in getting the CERT_CONTEXT of the added or existing certificate.
//--------------------------------------------------------------------------
function CertAddCertificateContextToStore(hCertStore :HCERTSTORE;
                                          pCertContext :PCCERT_CONTEXT;
                                          dwAddDisposition :DWORD;
                                      var ppStoreContext :PCCERT_CONTEXT //OPTIONAL
                                          ):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Certificate Store Context Types
//--------------------------------------------------------------------------
const CERT_STORE_CERTIFICATE_CONTEXT = 1;
const CERT_STORE_CRL_CONTEXT = 2;
const CERT_STORE_CTL_CONTEXT = 3;

//+-------------------------------------------------------------------------
//  Certificate Store Context Bit Flags
//--------------------------------------------------------------------------
const CERT_STORE_ALL_CONTEXT_FLAG = (not ULONG(0));
const CERT_STORE_CERTIFICATE_CONTEXT_FLAG = (1 shl CERT_STORE_CERTIFICATE_CONTEXT);
const CERT_STORE_CRL_CONTEXT_FLAG =  (1 shl CERT_STORE_CRL_CONTEXT);
const CERT_STORE_CTL_CONTEXT_FLAG = (1 shl CERT_STORE_CTL_CONTEXT);

//+-------------------------------------------------------------------------
//  Add the serialized certificate or CRL element to the store.
//
//  The serialized element contains the encoded certificate, CRL or CTL and
//  its properties, such as, CERT_KEY_PROV_INFO_PROP_ID.
//
//  If hCertStore is NULL, creates a certificate, CRL or CTL context not
//  residing in any store.
//
//  dwAddDispostion specifies the action to take if the certificate or CRL
//  already exists in the store. See CertAddCertificateContextToStore for a
//  list of and actions taken.
//
//  dwFlags currently isn't used and should be set to 0.
//
//  dwContextTypeFlags specifies the set of allowable contexts. For example, to
//  add either a certificate or CRL, set dwContextTypeFlags to:
//      CERT_STORE_CERTIFICATE_CONTEXT_FLAG | CERT_STORE_CRL_CONTEXT_FLAG
//
//  *pdwContextType is updated with the type of the context returned in
//  *ppvContxt. pdwContextType or ppvContext can be NULL, indicating the
//  caller isn't interested in getting the output. If *ppvContext is
//  returned it must be freed by calling CertFreeCertificateContext or
//  CertFreeCRLContext.
//--------------------------------------------------------------------------
function CertAddSerializedElementToStore(hCertStore :HCERTSTORE;
                                         pbElement :PBYTE;
                                         cbElement :DWORD;
                                         dwAddDisposition :DWORD;
                                         dwFlags :DWORD;
                                         dwContextTypeFlags :DWORD;
                                         pdwContextType :PDWORD;
                                     var ppvContext : array of PVOID):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Delete the specified certificate from the store.
//
//  All subsequent gets or finds for the certificate will fail. However,
//  memory allocated for the certificate isn't freed until all of its contexts
//  have also been freed.
//
//  The pCertContext is obtained from a get, enum, find or duplicate.
//
//  Some store provider implementations might also delete the issuer's CRLs
//  if this is the last certificate for the issuer in the store.
//
//  NOTE: the pCertContext is always CertFreeCertificateContext'ed by
//  this function, even for an error.
//--------------------------------------------------------------------------
function CertDeleteCertificateFromStore(pCertContext :PCCERT_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Add the encoded CRL to the store according to the specified
//  disposition option.
//
//  Makes a copy of the encoded CRL before adding to the store.
//
//  dwAddDispostion specifies the action to take if the CRL
//  already exists in the store. See CertAddEncodedCertificateToStore for a
//  list of and actions taken.
//
//  Compares the CRL's Issuer to determine if the CRL already exists in the
//  store.
//
//  ppCrlContext can be NULL, indicating the caller isn't interested
//  in getting the CRL_CONTEXT of the added or existing CRL.
//--------------------------------------------------------------------------
function CertAddEncodedCRLToStore(hCertStore :HCERTSTORE;
                                  dwCertEncodingType :DWORD;
                                  pbCrlEncoded :PBYTE;
                                  cbCrlEncoded :DWORD;
                                  dwAddDisposition :DWORD;
                              var ppCrlContext :PCCRL_CONTEXT
                                  ):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Add the CRL context to the store according to the specified
//  disposition option.
//
//  In addition to the encoded CRL, the context's properties are
//  also copied.  Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
//  CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
//
//  Makes a copy of the encoded CRL before adding to the store.
//
//  dwAddDispostion specifies the action to take if the CRL
//  already exists in the store. See CertAddCertificateContextToStore for a
//  list of and actions taken.
//
//  Compares the CRL's Issuer, ThisUpdate and NextUpdate to determine
//  if the CRL already exists in the store.
//
//  ppStoreContext can be NULL, indicating the caller isn't interested
//  in getting the CRL_CONTEXT of the added or existing CRL.
//--------------------------------------------------------------------------
function CertAddCRLContextToStore(hCertStore :HCERTSTORE;
                                  pCrlContext :PCCRL_CONTEXT;
                                  dwAddDisposition :DWORD;
                              var ppStoreContext :PCCRL_CONTEXT
                                  ):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Delete the specified CRL from the store.
//
//  All subsequent gets for the CRL will fail. However,
//  memory allocated for the CRL isn't freed until all of its contexts
//  have also been freed.
//
//  The pCrlContext is obtained from a get or duplicate.
//
//  NOTE: the pCrlContext is always CertFreeCRLContext'ed by
//  this function, even for an error.
//--------------------------------------------------------------------------
function CertDeleteCRLFromStore(pCrlContext :PCCRL_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Serialize the certificate context's encoded certificate and its
//  properties.
//--------------------------------------------------------------------------
function CertSerializeCertificateStoreElement(pCertContext :PCCERT_CONTEXT;
                                              dwFlags :DWORD;
                                              pbElement :PBYTE;
                                              pcbElement :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Serialize the CRL context's encoded CRL and its properties.
//--------------------------------------------------------------------------
function CertSerializeCRLStoreElement(pCrlContext :PCCRL_CONTEXT;
                                      dwFlags :DWORD;
                                      pbElement :PBYTE;
                                      pcbElement :PDWORD):BOOL ; stdcall;
//+=========================================================================
//  Certificate Trust List (CTL) Store Data Structures and APIs
//==========================================================================

//+-------------------------------------------------------------------------
//  Duplicate a CTL context
//--------------------------------------------------------------------------
function CertDuplicateCTLContext(pCtlContext :PCCTL_CONTEXT):PCCTL_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
//  Create a CTL context from the encoded CTL. The created
//  context isn't put in a store.
//
//  Makes a copy of the encoded CTL in the created context.
//
//  If unable to decode and create the CTL context, NULL is returned.
//  Otherwise, a pointer to a read only CTL_CONTEXT is returned.
//  CTL_CONTEXT must be freed by calling CertFreeCTLContext.
//  CertDuplicateCTLContext can be called to make a duplicate.
//
//  CertSetCTLContextProperty and CertGetCTLContextProperty can be called
//  to store properties for the CTL.
//--------------------------------------------------------------------------
function CertCreateCTLContext(dwMsgAndCertEncodingType :DWORD;
                        const pbCtlEncoded :PBYTE;
                              cbCtlEncoded :DWORD):PCCTL_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
//  Free a CTL context
//
//  There needs to be a corresponding free for each context obtained by a
//  get, duplicate or create.
//--------------------------------------------------------------------------
function CertFreeCTLContext(pCtlContext :PCCTL_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Set the property for the specified CTL context.
//
//  Same Property Ids and semantics as CertSetCertificateContextProperty.
//--------------------------------------------------------------------------
function CertSetCTLContextProperty(pCtlContext :PCCTL_CONTEXT;
                                   dwPropId :DWORD;
                                   dwFlags :DWORD;
                             const pvData :PVOID):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Get the property for the specified CTL context.
//
//  Same Property Ids and semantics as CertGetCertificateContextProperty.
//
//  CERT_SHA1_HASH_PROP_ID or CERT_NEXT_UPDATE_LOCATION_PROP_ID are the
//  predefined properties of most interest.
//--------------------------------------------------------------------------
function CertGetCTLContextProperty(pCtlContext :PCCTL_CONTEXT;
                                   dwPropId :DWORD;
                                   pvData :PVOID;
                                   pcbData :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Enumerate the properties for the specified CTL context.
//--------------------------------------------------------------------------
function CertEnumCTLContextProperties(pCtlContext :PCCTL_CONTEXT;
                                      dwPropId :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
//  Enumerate the CTL contexts in the store.
//
//  If a CTL isn't found, NULL is returned.
//  Otherwise, a pointer to a read only CTL_CONTEXT is returned. CTL_CONTEXT
//  must be freed by calling CertFreeCTLContext or is freed when passed as the
//  pPrevCtlContext on a subsequent call. CertDuplicateCTLContext
//  can be called to make a duplicate.
//
//  pPrevCtlContext MUST BE NULL to enumerate the first
//  CTL in the store. Successive CTLs are enumerated by setting
//  pPrevCtlContext to the CTL_CONTEXT returned by a previous call.
//
//  NOTE: a NON-NULL pPrevCtlContext is always CertFreeCTLContext'ed by
//  this function, even for an error.
//--------------------------------------------------------------------------
function CertEnumCTLsInStore(hCertStore :HCERTSTORE;
                             pPrevCtlContext :PCCTL_CONTEXT
                             ):PCCTL_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
//  Attempt to find the specified subject in the CTL.
//
//  For CTL_CERT_SUBJECT_TYPE, pvSubject points to a CERT_CONTEXT. The CTL's
//  SubjectAlgorithm is examined to determine the representation of the
//  subject's identity. Initially, only SHA1 or MD5 hash will be supported.
//  The appropriate hash property is obtained from the CERT_CONTEXT.
//
//  For CTL_ANY_SUBJECT_TYPE, pvSubject points to the CTL_ANY_SUBJECT_INFO
//  structure which contains the SubjectAlgorithm to be matched in the CTL
//  and the SubjectIdentifer to be matched in one of the CTL entries.
//
//  The certificate's hash or the CTL_ANY_SUBJECT_INFO's SubjectIdentifier
//  is used as the key in searching the subject entries. A binary
//  memory comparison is done between the key and the entry's SubjectIdentifer.
//
//  dwEncodingType isn't used for either of the above SubjectTypes.
//--------------------------------------------------------------------------
function CertFindSubjectInCTL(dwEncodingType :DWORD;
                              dwSubjectType :DWORD;
                              pvSubject :PVOID;
                              pCtlContext :PCCTL_CONTEXT;
                              dwFlags :DWORD):PCTL_ENTRY ; stdcall;
// Subject Types:
//  CTL_ANY_SUBJECT_TYPE, pvSubject points to following CTL_ANY_SUBJECT_INFO.
//  CTL_CERT_SUBJECT_TYPE, pvSubject points to CERT_CONTEXT.
const CTL_ANY_SUBJECT_TYPE = 1;
const CTL_CERT_SUBJECT_TYPE = 2;

type
  PCTL_ANY_SUBJECT_INFO = ^CTL_ANY_SUBJECT_INFO;
  CTL_ANY_SUBJECT_INFO = record
    SubjectAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
    SubjectIdentifier :CRYPT_DATA_BLOB;
  end;

//+-------------------------------------------------------------------------
//  Find the first or next CTL context in the store.
//
//  The CTL is found according to the dwFindType and its pvFindPara.
//  See below for a list of the find types and its parameters.
//
//  Currently dwFindFlags isn't used and must be set to 0.
//
//  Usage of dwMsgAndCertEncodingType depends on the dwFindType.
//
//  If the first or next CTL isn't found, NULL is returned.
//  Otherwise, a pointer to a read only CTL_CONTEXT is returned. CTL_CONTEXT
//  must be freed by calling CertFreeCTLContext or is freed when passed as the
//  pPrevCtlContext on a subsequent call. CertDuplicateCTLContext
//  can be called to make a duplicate.
//
//  pPrevCtlContext MUST BE NULL on the first
//  call to find the CTL. To find the next CTL, the
//  pPrevCtlContext is set to the CTL_CONTEXT returned by a previous call.
//
//  NOTE: a NON-NULL pPrevCtlContext is always CertFreeCTLContext'ed by
//  this function, even for an error.
//--------------------------------------------------------------------------
function CertFindCTLInStore(hCertStore :HCERTSTORE;
                            dwMsgAndCertEncodingType :DWORD;
                            dwFindFlags :DWORD;
                            dwFindType :DWORD;
                      const pvFindPara :PVOID;
                            pPrevCtlContext :PCCTL_CONTEXT):PCCTL_CONTEXT ; stdcall;

const CTL_FIND_ANY = 0;
const CTL_FIND_SHA1_HASH = 1;
const CTL_FIND_MD5_HASH = 2;
const CTL_FIND_USAGE = 3;
const CTL_FIND_SUBJECT = 4;

type
  PCTL_FIND_USAGE_PARA = ^CTL_FIND_USAGE_PARA;
  CTL_FIND_USAGE_PARA = record
    cbSize :DWORD;
    SubjectUsage :CTL_USAGE;         // optional
    ListIdentifier :CRYPT_DATA_BLOB; // optional
    pSigner :PCERT_INFO;             // optional
  end;

const CTL_FIND_NO_LIST_ID_CBDATA = $FFFFFFFF;
const CTL_FIND_NO_SIGNER_PTR     = (PCERT_INFO($FFFFFFFF));

const CTL_FIND_SAME_USAGE_FLAG   = $1;

type
  PCTL_FIND_SUBJECT_PARA = ^CTL_FIND_SUBJECT_PARA;
  CTL_FIND_SUBJECT_PARA = record
    cbSize :DWORD;
    pUsagePara :PCTL_FIND_USAGE_PARA; // optional
    dwSubjectType :DWORD;
    pvSubject :PVOID;
  end;

//+-------------------------------------------------------------------------
//  CTL_FIND_ANY
//
//  Find any CTL.
//
//  pvFindPara isn't used.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CTL_FIND_SHA1_HASH
//  CTL_FIND_MD5_HASH
//
//  Find a CTL with the specified hash.
//
//  pvFindPara points to a CRYPT_HASH_BLOB.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CTL_FIND_USAGE
//
//  Find a CTL having the specified usage identifiers, list identifier or
//  signer. The CertEncodingType of the signer is obtained from the
//  dwMsgAndCertEncodingType parameter.
//
//  pvFindPara points to a CTL_FIND_USAGE_PARA data structure. The
//  SubjectUsage.cUsageIdentifer can be 0 to match any usage. The
//  ListIdentifier.cbData can be 0 to match any list identifier. To only match
//  CTLs without a ListIdentifier, cbData must be set to
//  CTL_FIND_NO_LIST_ID_CBDATA. pSigner can be NULL to match any signer. Only
//  the Issuer and SerialNumber fields of the pSigner's PCERT_INFO are used.
//  To only match CTLs without a signer, pSigner must be set to
//  CTL_FIND_NO_SIGNER_PTR.
//
//  The CTL_FIND_SAME_USAGE_FLAG can be set in dwFindFlags to
//  only match CTLs with the same usage identifiers. CTLs having additional
//  usage identifiers aren't matched. For example, if only "1.2.3" is specified
//  in CTL_FIND_USAGE_PARA, then, for a match, the CTL must only contain
//  "1.2.3" and not any additional usage identifers.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  CTL_FIND_SUBJECT
//
//  Find a CTL having the specified subject. CertFindSubjectInCTL can be
//  called to get a pointer to the subject's entry in the CTL.  pUsagePara can
//  optionally be set to enable the above CTL_FIND_USAGE matching.
//
//  pvFindPara points to a CTL_FIND_SUBJECT_PARA data structure.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  Add the encoded CTL to the store according to the specified
//  disposition option.
//
//  Makes a copy of the encoded CTL before adding to the store.
//
//  dwAddDispostion specifies the action to take if the CTL
//  already exists in the store. See CertAddEncodedCertificateToStore for a
//  list of and actions taken.
//
//  Compares the CTL's SubjectUsage, ListIdentifier and any of its signers
//  to determine if the CTL already exists in the store.
//
//  ppCtlContext can be NULL, indicating the caller isn't interested
//  in getting the CTL_CONTEXT of the added or existing CTL.
//--------------------------------------------------------------------------
function CertAddEncodedCTLToStore(hCertStore :HCERTSTORE;
                                  dwMsgAndCertEncodingType :DWORD;
                            const pbCtlEncoded :PBYTE;
                                  cbCtlEncoded :DWORD;
                                  dwAddDisposition :DWORD;
                              var ppCtlContext :PCCTL_CONTEXT //OPTIONAL
                                  ):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Add the CTL context to the store according to the specified
//  disposition option.
//
//  In addition to the encoded CTL, the context's properties are
//  also copied.  Note, the CERT_KEY_CONTEXT_PROP_ID property (and its
//  CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_SPEC_PROP_ID) isn't copied.
//
//  Makes a copy of the encoded CTL before adding to the store.
//
//  dwAddDispostion specifies the action to take if the CTL
//  already exists in the store. See CertAddCertificateContextToStore for a
//  list of and actions taken.
//
//  Compares the CTL's SubjectUsage, ListIdentifier and any of its signers
//  to determine if the CTL already exists in the store.
//
//  ppStoreContext can be NULL, indicating the caller isn't interested
//  in getting the CTL_CONTEXT of the added or existing CTL.
//--------------------------------------------------------------------------
function CertAddCTLContextToStore(hCertStore :HCERTSTORE;
                                  pCtlContext :PCCTL_CONTEXT;
                                  dwAddDisposition :DWORD;
                              var ppStoreContext :PCCTL_CONTEXT
                                  ):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Serialize the CTL context's encoded CTL and its properties.
//--------------------------------------------------------------------------
function CertSerializeCTLStoreElement(pCtlContext :PCCTL_CONTEXT;
                                      dwFlags :DWORD;
                                      pbElement :PBYTE;
                                      pcbElement :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Delete the specified CTL from the store.
//
//  All subsequent gets for the CTL will fail. However,
//  memory allocated for the CTL isn't freed until all of its contexts
//  have also been freed.
//
//  The pCtlContext is obtained from a get or duplicate.
//
//  NOTE: the pCtlContext is always CertFreeCTLContext'ed by
//  this function, even for an error.
//--------------------------------------------------------------------------
function CertDeleteCTLFromStore(pCtlContext :PCCTL_CONTEXT):BOOL ; stdcall;
//+=========================================================================
//  Enhanced Key Usage Helper Functions
//==========================================================================

//+-------------------------------------------------------------------------
//  Get the enhanced key usage extension or property from the certificate
//  and decode.
//
//  If the CERT_FIND_EXT_ONLY_ENHKEY_USAGE_FLAG is set, then, only get the
//  extension.
//
//  If the CERT_FIND_PROP_ONLY_ENHKEY_USAGE_FLAG is set, then, only get the
//  property.
//--------------------------------------------------------------------------
function CertGetEnhancedKeyUsage(pCertContext :PCCERT_CONTEXT;
                                 dwFlags :DWORD;
                                 pUsage :PCERT_ENHKEY_USAGE;
                                 pcbUsage :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Set the enhanced key usage property for the certificate.
//--------------------------------------------------------------------------
function CertSetEnhancedKeyUsage(pCertContext :PCCERT_CONTEXT;
                                 pUsage :PCERT_ENHKEY_USAGE
                                 ):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Add the usage identifier to the certificate's enhanced key usage property.
//--------------------------------------------------------------------------
function CertAddEnhancedKeyUsageIdentifier(pCertContext :PCCERT_CONTEXT;
                                           pszUsageIdentifier :LPCSTR
                                           ):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Remove the usage identifier from the certificate's enhanced key usage
//  property.
//--------------------------------------------------------------------------
function CertRemoveEnhancedKeyUsageIdentifier(pCertContext :PCCERT_CONTEXT;
                                              pszUsageIdentifier :LPCSTR
                                              ):BOOL ; stdcall;

//+=========================================================================
//  Cryptographic Message helper functions for verifying and signing a
//  CTL.
//==========================================================================

//+-------------------------------------------------------------------------
//  Get and verify the signer of a cryptographic message.
//
//  To verify a CTL, the hCryptMsg is obtained from the CTL_CONTEXT's
//  hCryptMsg field.
//
//  If CMSG_TRUSTED_SIGNER_FLAG is set, then, treat the Signer stores as being
//  trusted and only search them to find the certificate corresponding to the
//  signer's issuer and serial number.  Otherwise, the SignerStores are
//  optionally provided to supplement the message's store of certificates.
//  If a signer certificate is found, its public key is used to verify
//  the message signature. The CMSG_SIGNER_ONLY_FLAG can be set to
//  return the signer without doing the signature verify.
//
//  If CMSG_USE_SIGNER_INDEX_FLAG is set, then, only get the signer specified
//  by *pdwSignerIndex. Otherwise, iterate through all the signers
//  until a signer verifies or no more signers.
//
//  For a verified signature, *ppSigner is updated with certificate context
//  of the signer and *pdwSignerIndex is updated with the index of the signer.
//  ppSigner and/or pdwSignerIndex can be NULL, indicating the caller isn't
//  interested in getting the CertContext and/or index of the signer.
//--------------------------------------------------------------------------
function CryptMsgGetAndVerifySigner(hCryptMsg :HCRYPTMSG;
                                    cSignerStore :DWORD;
                                var rghSignerStore :HCERTSTORE;
                                    dwFlags :DWORD;
                                var ppSigner :PCCERT_CONTEXT;
                                    pdwSignerIndex :PDWORD):BOOL ; stdcall;

const CMSG_TRUSTED_SIGNER_FLAG   = $1;
const CMSG_SIGNER_ONLY_FLAG      = $2;
const CMSG_USE_SIGNER_INDEX_FLAG = $4;

//+-------------------------------------------------------------------------
//  Sign an encoded CTL.
//
//  The pbCtlContent can be obtained via a CTL_CONTEXT's pbCtlContent
//  field or via a CryptEncodeObject(PKCS_CTL).
//--------------------------------------------------------------------------
function CryptMsgSignCTL(dwMsgEncodingType :DWORD;
                         pbCtlContent :PBYTE;
                         cbCtlContent :DWORD;
                         pSignInfo :PCMSG_SIGNED_ENCODE_INFO;
                         dwFlags :DWORD;
                         pbEncoded :PBYTE;
                         pcbEncoded :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Encode the CTL and create a signed message containing the encoded CTL.
//--------------------------------------------------------------------------
function CryptMsgEncodeAndSignCTL(dwMsgEncodingType :DWORD;
                                  pCtlInfo :PCTL_INFO;
                                  pSignInfo :PCMSG_SIGNED_ENCODE_INFO;
                                  dwFlags :DWORD;
                                  pbEncoded :PBYTE;
                                  pcbEncoded :PDWORD):BOOL ; stdcall;

//+=========================================================================
//  Certificate Verify CTL Usage Data Structures and APIs
//==========================================================================
type
  PHCERTSTORE = ^HCERTSTORE;

type
  PCTL_VERIFY_USAGE_PARA = ^CTL_VERIFY_USAGE_PARA;
  CTL_VERIFY_USAGE_PARA = record
    cbSize :DWORD;
    ListIdentifier :CRYPT_DATA_BLOB;// OPTIONAL
    cCtlStore :DWORD;
    rghCtlStore :PHCERTSTORE;       // OPTIONAL
    cSignerStore :DWORD;
    rghSignerStore :PHCERTSTORE;    // OPTIONAL
  end;

type
  PCTL_VERIFY_USAGE_STATUS = ^CTL_VERIFY_USAGE_STATUS;
  CTL_VERIFY_USAGE_STATUS = record
    cbSize :DWORD;
    dwError :DWORD;
    dwFlags :DWORD;
    ppCtl :PPCCTL_CONTEXT;             // IN OUT OPTIONAL
    dwCtlEntryIndex :DWORD;
    ppSigner :PPCCERT_CONTEXT ;        // IN OUT OPTIONAL
    dwSignerIndex :DWORD;
  end;

const CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG = $1;
const CERT_VERIFY_TRUSTED_SIGNERS_FLAG = $2;
const CERT_VERIFY_NO_TIME_CHECK_FLAG = $4;
const CERT_VERIFY_ALLOW_MORE_USAGE_FLAG = $8;

const CERT_VERIFY_UPDATED_CTL_FLAG = $1;

//+-------------------------------------------------------------------------
//  Verify that a subject is trusted for the specified usage by finding a
//  signed and time valid CTL with the usage identifiers and containing the
//  the subject. A subject can be identified by either its certificate context
//  or any identifier such as its SHA1 hash.
//
//  See CertFindSubjectInCTL for definition of dwSubjectType and pvSubject
//  parameters.
//
//  Via pVerifyUsagePara, the caller can specify the stores to be searched
//  to find the CTL. The caller can also specify the stores containing
//  acceptable CTL signers. By setting the ListIdentifier, the caller
//  can also restrict to a particular signer CTL list.
//
//  Via pVerifyUsageStatus, the CTL containing the subject, the subject's
//  index into the CTL's array of entries, and the signer of the CTL
//  are returned. If the caller is not interested, ppCtl and ppSigner can be set
//  to NULL. Returned contexts must be freed via the store's free context APIs.
//
//  If the CERT_VERIFY_INHIBIT_CTL_UPDATE_FLAG isn't set, then, a time
//  invalid CTL in one of the CtlStores may be replaced. When replaced, the
//  CERT_VERIFY_UPDATED_CTL_FLAG is set in pVerifyUsageStatus->dwFlags.
//
//  If the CERT_VERIFY_TRUSTED_SIGNERS_FLAG is set, then, only the
//  SignerStores specified in pVerifyUsageStatus are searched to find
//  the signer. Otherwise, the SignerStores provide additional sources
//  to find the signer's certificate.
//
//  If CERT_VERIFY_NO_TIME_CHECK_FLAG is set, then, the CTLs aren't checked
//  for time validity.
//
//  If CERT_VERIFY_ALLOW_MORE_USAGE_FLAG is set, then, the CTL may contain
//  additional usage identifiers than specified by pSubjectUsage. Otherwise,
//  the found CTL will contain the same usage identifers and no more.
//
//  CertVerifyCTLUsage will be implemented as a dispatcher to OID installable
//  functions. First, it will try to find an OID function matching the first
//  usage object identifier in the pUsage sequence. Next, it will dispatch
//  to the default CertDllVerifyCTLUsage functions.
//
//  If the subject is trusted for the specified usage, then, TRUE is
//  returned. Otherwise, FALSE is returned with dwError set to one of the
//  following:
//      CRYPT_E_NO_VERIFY_USAGE_DLL
//      CRYPT_E_NO_VERIFY_USAGE_CHECK
//      CRYPT_E_VERIFY_USAGE_OFFLINE
//      CRYPT_E_NOT_IN_CTL
//      CRYPT_E_NO_TRUSTED_SIGNER
//--------------------------------------------------------------------------
function CertVerifyCTLUsage(dwEncodingType :DWORD;
                            dwSubjectType :DWORD;
                            pvSubject :PVOID;
                            pSubjectUsage :PCTL_USAGE;
                            dwFlags :DWORD;
                            pVerifyUsagePara :PCTL_VERIFY_USAGE_PARA;
                            pVerifyUsageStatus:PCTL_VERIFY_USAGE_STATUS
                            ):BOOL ; stdcall;

//+=========================================================================
//  Certificate Revocation Data Structures and APIs
//==========================================================================

//+-------------------------------------------------------------------------
//  The following data structure may be passed to CertVerifyRevocation to
//  assist in finding the issuer of the context to be verified.
//
//  When pIssuerCert is specified, pIssuerCert is the issuer of
//  rgpvContext[cContext - 1].
//
//  When cCertStore and rgCertStore are specified, these stores may contain
//  an issuer certificate.
//--------------------------------------------------------------------------
type
  PCERT_REVOCATION_PARA = ^CERT_REVOCATION_PARA;
  CERT_REVOCATION_PARA = record
    cbSize :DWORD;
    pIssuerCert :PCCERT_CONTEXT;
    cCertStore :DWORD;
    rgCertStore :PHCERTSTORE ;
  end;

//+-------------------------------------------------------------------------
//  The following data structure is returned by CertVerifyRevocation to
//  specify the status of the revoked or unchecked context. Review the
//  following CertVerifyRevocation comments for details.
//
//  Upon input to CertVerifyRevocation, cbSize must be set to a size
//  >= sizeof(CERT_REVOCATION_STATUS). Otherwise, CertVerifyRevocation
//  returns FALSE and sets LastError to E_INVALIDARG.
//
//  Upon input to the installed or registered CRYPT_OID_VERIFY_REVOCATION_FUNC
//  functions, the dwIndex, dwError and dwReason have been zero'ed.
//--------------------------------------------------------------------------
type
  PCERT_REVOCATION_STATUS = ^CERT_REVOCATION_STATUS;
  CERT_REVOCATION_STATUS = record
    cbSize :DWORD;
    dwIndex :DWORD;
    dwError :DWORD;
    dwReason :DWORD;
  end;
//+-------------------------------------------------------------------------
//  Verifies the array of contexts for revocation. The dwRevType parameter
//  indicates the type of the context data structure passed in rgpvContext.
//  Currently only the revocation of certificates is defined.
//
//  If the CERT_VERIFY_REV_CHAIN_FLAG flag is set, then, CertVerifyRevocation
//  is verifying a chain of certs where, rgpvContext[i + 1] is the issuer
//  of rgpvContext[i]. Otherwise, CertVerifyRevocation makes no assumptions
//  about the order of the contexts.
//
//  To assist in finding the issuer, the pRevPara may optionally be set. See
//  the CERT_REVOCATION_PARA data structure for details.
//
//  The contexts must contain enough information to allow the
//  installable or registered revocation DLLs to find the revocation server. For
//  certificates, this information would normally be conveyed in an
//  extension such as the IETF's AuthorityInfoAccess extension.
//
//  CertVerifyRevocation returns TRUE if all of the contexts were successfully
//  checked and none were revoked. Otherwise, returns FALSE and updates the
//  returned pRevStatus data structure as follows:
//    dwIndex
//      Index of the first context that was revoked or unable to
//      be checked for revocation
//    dwError
//      Error status. LastError is also set to this error status.
//      dwError can be set to one of the following error codes defined
//      in winerror.h:
//        ERROR_SUCCESS - good context
//        CRYPT_E_REVOKED - context was revoked. dwReason contains the
//           reason for revocation
//        CRYPT_E_REVOCATION_OFFLINE - unable to connect to the
//           revocation server
//        CRYPT_E_NOT_IN_REVOCATION_DATABASE - the context to be checked
//           was not found in the revocation server's database.
//        CRYPT_E_NO_REVOCATION_CHECK - the called revocation function
//           wasn't able to do a revocation check on the context
//        CRYPT_E_NO_REVOCATION_DLL - no installed or registered Dll was
//           found to verify revocation
//    dwReason
//      The dwReason is currently only set for CRYPT_E_REVOKED and contains
//      the reason why the context was revoked. May be one of the following
//      CRL reasons defined by the CRL Reason Code extension ("2.5.29.21")
//          CRL_REASON_UNSPECIFIED              0
//          CRL_REASON_KEY_COMPROMISE           1
//          CRL_REASON_CA_COMPROMISE            2
//          CRL_REASON_AFFILIATION_CHANGED      3
//          CRL_REASON_SUPERSEDED               4
//          CRL_REASON_CESSATION_OF_OPERATION   5
//          CRL_REASON_CERTIFICATE_HOLD         6
//
//  For each entry in rgpvContext, CertVerifyRevocation iterates
//  through the CRYPT_OID_VERIFY_REVOCATION_FUNC
//  function set's list of installed DEFAULT functions.
//  CryptGetDefaultOIDFunctionAddress is called with pwszDll = NULL. If no
//  installed functions are found capable of doing the revocation verification,
//  CryptVerifyRevocation iterates through CRYPT_OID_VERIFY_REVOCATION_FUNC's
//  list of registered DEFAULT Dlls. CryptGetDefaultOIDDllList is called to
//  get the list. CryptGetDefaultOIDFunctionAddress is called to load the Dll.
//
//  The called functions have the same signature as CertVerifyRevocation. A
//  called function returns TRUE if it was able to successfully check all of
//  the contexts and none were revoked. Otherwise, the called function returns
//  FALSE and updates pRevStatus. dwIndex is set to the index of
//  the first context that was found to be revoked or unable to be checked.
//  dwError and LastError are updated. For CRYPT_E_REVOKED, dwReason
//  is updated. Upon input to the called function, dwIndex, dwError and
//  dwReason have been zero'ed. cbSize has been checked to be >=
//  sizeof(CERT_REVOCATION_STATUS).
//
//  If the called function returns FALSE, and dwError isn't set to
//  CRYPT_E_REVOKED, then, CertVerifyRevocation either continues on to the
//  next DLL in the list for a returned dwIndex of 0 or for a returned
//  dwIndex > 0, restarts the process of finding a verify function by
//  advancing the start of the context array to the returned dwIndex and
//  decrementing the count of remaining contexts.
//--------------------------------------------------------------------------
function CertVerifyRevocation(dwEncodingType :DWORD;
                              dwRevType :DWORD;
                              cContext :DWORD;
                              rgpvContext :array of PVOID;
                              dwFlags :DWORD;
                              pRevPara :PCERT_REVOCATION_PARA;
                              pRevStatus :PCERT_REVOCATION_STATUS
                              ):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Revocation types
//--------------------------------------------------------------------------
const CERT_CONTEXT_REVOCATION_TYPE = 1;

//+-------------------------------------------------------------------------
//  When the following flag is set, rgpvContext[] consists of a chain
//  of certificates, where rgpvContext[i + 1] is the issuer of rgpvContext[i].
//--------------------------------------------------------------------------
const CERT_VERIFY_REV_CHAIN_FLAG = $1;

//+-------------------------------------------------------------------------
//  CERT_CONTEXT_REVOCATION_TYPE
//
//  pvContext points to a const CERT_CONTEXT.
//--------------------------------------------------------------------------

//+=========================================================================
//  Certificate Helper APIs
//==========================================================================


//+-------------------------------------------------------------------------
//  Compare two multiple byte integer blobs to see if they are identical.
//
//  Before doing the comparison, leading zero bytes are removed from a
//  positive number and leading 0xFF bytes are removed from a negative
//  number.
//
//  The multiple byte integers are treated as Little Endian. pbData[0] is the
//  least significant byte and pbData[cbData - 1] is the most significant
//  byte.
//
//  Returns TRUE if the integer blobs are identical after removing leading
//  0 or 0xFF bytes.
//--------------------------------------------------------------------------
function CertCompareIntegerBlob(pInt1 :PCRYPT_INTEGER_BLOB;
                                pInt2 :PCRYPT_INTEGER_BLOB
                                ):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Compare two certificates to see if they are identical.
//
//  Since a certificate is uniquely identified by its Issuer and SerialNumber,
//  these are the only fields needing to be compared.
//
//  Returns TRUE if the certificates are identical.
//--------------------------------------------------------------------------
function CertCompareCertificate(dwCertEncodingType :DWORD;
                                pCertId1 :PCERT_INFO;
                                pCertId2 :PCERT_INFO):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Compare two certificate names to see if they are identical.
//
//  Returns TRUE if the names are identical.
//--------------------------------------------------------------------------
function CertCompareCertificateName(dwCertEncodingType :DWORD;
                                    pCertName1 :PCERT_NAME_BLOB;
                                    pCertName2 :PCERT_NAME_BLOB):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Compare the attributes in the certificate name with the specified
//  Relative Distinguished Name's (CERT_RDN) array of attributes.
//  The comparison iterates through the CERT_RDN attributes and looks for an
//  attribute match in any of the certificate name's RDNs.
//  Returns TRUE if all the attributes are found and match.
//
//  The CERT_RDN_ATTR fields can have the following special values:
//    pszObjId == NULL              - ignore the attribute object identifier
//    dwValueType == RDN_ANY_TYPE   - ignore the value type
//
//  Currently only an exact, case sensitive match is supported.
//
//  CERT_UNICODE_IS_RDN_ATTRS_FLAG should be set if the pRDN was initialized
//  with unicode strings as for CryptEncodeObject(X509_UNICODE_NAME).
//--------------------------------------------------------------------------
function CertIsRDNAttrsInCertificateName(dwCertEncodingType :DWORD;
                                         dwFlags :DWORD;
                                         pCertName :PCERT_NAME_BLOB;
                                         pRDN :PCERT_RDN):BOOL ; stdcall;

const CERT_UNICODE_IS_RDN_ATTRS_FLAG = $1;

//+-------------------------------------------------------------------------
//  Compare two public keys to see if they are identical.
//
//  Returns TRUE if the keys are identical.
//--------------------------------------------------------------------------
function CertComparePublicKeyInfo(dwCertEncodingType :DWORD;
                                  pPublicKey1 :PCERT_PUBLIC_KEY_INFO;
                                  pPublicKey2 :PCERT_PUBLIC_KEY_INFO
                                  ):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Get the public/private key's bit length.
//
//  Returns 0 if unable to determine the key's length.
//--------------------------------------------------------------------------
function CertGetPublicKeyLength(dwCertEncodingType :DWORD;
                                pPublicKey :PCERT_PUBLIC_KEY_INFO
                                ):DWORD ; stdcall;
//+-------------------------------------------------------------------------
//  Verify the signature of a subject certificate or a CRL using the
//  public key info
//
//  Returns TRUE for a valid signature.
//
//  hCryptProv specifies the crypto provider to use to verify the signature.
//  It doesn't need to use a private key.
//--------------------------------------------------------------------------
function CryptVerifyCertificateSignature(hCryptProv :HCRYPTPROV;
                                         dwCertEncodingType :DWORD;
                                   const pbEncoded :PBYTE;
                                         cbEncoded :DWORD;
                                         pPublicKey :PCERT_PUBLIC_KEY_INFO
                                         ):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Compute the hash of the "to be signed" information in the encoded
//  signed content (CERT_SIGNED_CONTENT_INFO).
//
//  hCryptProv specifies the crypto provider to use to compute the hash.
//  It doesn't need to use a private key.
//--------------------------------------------------------------------------
function CryptHashToBeSigned(hCryptProv :HCRYPTPROV;
                             dwCertEncodingType :DWORD;
                       const pbEncoded :PBYTE;
                             cbEncoded :DWORD;
                             pbComputedHash :PBYTE;
                             pcbComputedHash :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Hash the encoded content.
//
//  hCryptProv specifies the crypto provider to use to compute the hash.
//  It doesn't need to use a private key.
//
//  Algid specifies the CAPI hash algorithm to use. If Algid is 0, then, the
//  default hash algorithm (currently SHA1) is used.
//--------------------------------------------------------------------------
function CryptHashCertificate(hCryptProv :HCRYPTPROV;
                              Algid :ALG_ID;
                              dwFlags :DWORD;
                        const pbEncoded :PBYTE;
                              cbEncoded :DWORD;
                              pbComputedHash :PBYTE;
                              pcbComputedHash :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Sign the "to be signed" information in the encoded signed content.
//
//  hCryptProv specifies the crypto provider to use to do the signature.
//  It uses the specified private key.
//--------------------------------------------------------------------------
function CryptSignCertificate(hCryptProv :HCRYPTPROV;
                              dwKeySpec :DWORD;
                              dwCertEncodingType :DWORD;
                        const pbEncodedToBeSigned :PBYTE;
                              cbEncodedToBeSigned :DWORD;
                              pSignatureAlgorithm :PCRYPT_ALGORITHM_IDENTIFIER;
                        const pvHashAuxInfo :PVOID;
                              pbSignature :PBYTE;
                              pcbSignature:PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Encode the "to be signed" information. Sign the encoded "to be signed".
//  Encode the "to be signed" and the signature.
//
//  hCryptProv specifies the crypto provider to use to do the signature.
//  It uses the specified private key.
//--------------------------------------------------------------------------
function CryptSignAndEncodeCertificate(hCryptProv :HCRYPTPROV;
                                       dwKeySpec :DWORD;
                                       dwCertEncodingType :DWORD;
                                 const lpszStructType :LPCSTR; // "to be signed"
                                       pvStructInfo :PVOID;
                                       pSignatureAlgorithm :PCRYPT_ALGORITHM_IDENTIFIER;
                                 const pvHashAuxInfo :PVOID;
                                       pbEncoded :PBYTE;
                                       pcbEncoded :PDWORD):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Verify the time validity of a certificate.
//
//  Returns -1 if before NotBefore, +1 if after NotAfter and otherwise 0 for
//  a valid certificate
//
//  If pTimeToVerify is NULL, uses the current time.
//--------------------------------------------------------------------------
function CertVerifyTimeValidity(pTimeToVerify :PFILETIME;
                                pCertInfo :PCERT_INFO):LONG ; stdcall;

//+-------------------------------------------------------------------------
//  Verify the time validity of a CRL.
//
//  Returns -1 if before ThisUpdate, +1 if after NextUpdate and otherwise 0 for
//  a valid CRL
//
//  If pTimeToVerify is NULL, uses the current time.
//--------------------------------------------------------------------------
function CertVerifyCRLTimeValidity(pTimeToVerify :PFILETIME;
                                   pCrlInfo :PCRL_INFO):LONG ; stdcall;
//+-------------------------------------------------------------------------
//  Verify that the subject's time validity nests within the issuer's time
//  validity.
//
//  Returns TRUE if it nests. Otherwise, returns FALSE.
//--------------------------------------------------------------------------
function CertVerifyValidityNesting(pSubjectInfo :PCERT_INFO;
                                   pIssuerInfo :PCERT_INFO):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Verify that the subject certificate isn't on its issuer CRL.
//
//  Returns true if the certificate isn't on the CRL.
//--------------------------------------------------------------------------
function CertVerifyCRLRevocation(dwCertEncodingType :DWORD;
                                 pCertId :PCERT_INFO;    // Only the Issuer and SerialNumber
                                 cCrlInfo :DWORD;        // fields are used
                                 rgpCrlInfo :array of PCRL_INFO):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Convert the CAPI AlgId to the ASN.1 Object Identifier string
//
//  Returns NULL if there isn't an ObjId corresponding to the AlgId.
//--------------------------------------------------------------------------
function CertAlgIdToOID(dwAlgId :DWORD):LPCSTR ; stdcall;
//+-------------------------------------------------------------------------
//  Convert the ASN.1 Object Identifier string to the CAPI AlgId.
//
//  Returns 0 if there isn't an AlgId corresponding to the ObjId.
//--------------------------------------------------------------------------
function CertOIDToAlgId(pszObjId :LPCSTR):DWORD ; stdcall;
//+-------------------------------------------------------------------------
//  Find an extension identified by its Object Identifier.
//
//  If found, returns pointer to the extension. Otherwise, returns NULL.
//--------------------------------------------------------------------------
function CertFindExtension(pszObjId :LPCSTR;
                           cExtensions :DWORD;
                           rgExtensions :array of CERT_EXTENSION):PCERT_EXTENSION ; stdcall;
//+-------------------------------------------------------------------------
//  Find the first attribute identified by its Object Identifier.
//
//  If found, returns pointer to the attribute. Otherwise, returns NULL.
//--------------------------------------------------------------------------
function CertFindAttribute(pszObjId :LPCSTR;
                           cAttr :DWORD;
                           rgAttr :array of CRYPT_ATTRIBUTE):PCRYPT_ATTRIBUTE ; stdcall;
//+-------------------------------------------------------------------------
//  Find the first CERT_RDN attribute identified by its Object Identifier in
//  the name's list of Relative Distinguished Names.
//
//  If found, returns pointer to the attribute. Otherwise, returns NULL.
//--------------------------------------------------------------------------
function CertFindRDNAttr(pszObjId :LPCSTR;
                         pName :PCERT_NAME_INFO ):PCERT_RDN_ATTR ; stdcall;
//+-------------------------------------------------------------------------
//  Get the intended key usage bytes from the certificate.
//
//  If the certificate doesn't have any intended key usage bytes, returns FALSE
//  and *pbKeyUsage is zeroed. Otherwise, returns TRUE and up through
//  cbKeyUsage bytes are copied into *pbKeyUsage. Any remaining uncopied
//  bytes are zeroed.
//--------------------------------------------------------------------------
function CertGetIntendedKeyUsage(dwCertEncodingType :DWORD;
                                 pCertInfo :PCERT_INFO;
                                 pbKeyUsage :PBYTE;
                                 cbKeyUsage :DWORD):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//  Export the public key info associated with the provider's corresponding
//  private key.
//
//  Calls CryptExportPublicKeyInfo with pszPublicKeyObjId = szOID_RSA_RSA,
//  dwFlags = 0 and pvAuxInfo = NULL.
//--------------------------------------------------------------------------
function CryptExportPublicKeyInfo(hCryptProv :HCRYPTPROV;
                                  dwKeySpec :DWORD;
                                  dwCertEncodingType :DWORD;
                                  pInfo :PCERT_PUBLIC_KEY_INFO;
                                  pcbInfo :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Export the public key info associated with the provider's corresponding
//  private key.
//
//  Uses the dwCertEncodingType and pszPublicKeyObjId to call the
//  installable CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC. The called function
//  has the same signature as CryptExportPublicKeyInfoEx.
//
//  If unable to find an installable OID function for the pszPublicKeyObjId,
//  attempts to export as a RSA Public Key (szOID_RSA_RSA).
//
//  The dwFlags and pvAuxInfo aren't used for szOID_RSA_RSA.
//--------------------------------------------------------------------------
const CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FUNC = 'CryptDllExportPublicKeyInfoEx';

function CryptExportPublicKeyInfoEx(hCryptProv :HCRYPTPROV;
                                    dwKeySpec :DWORD;
                                    dwCertEncodingType :DWORD;
                                    pszPublicKeyObjId :LPSTR;
                                    dwFlags :DWORD;
                                    pvAuxInfo :PVOID;
                                    pInfo :PCERT_PUBLIC_KEY_INFO;
                                    pcbInfo :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Convert and import the public key info into the provider and return a
//  handle to the public key.
//
//  Calls CryptImportPublicKeyInfoEx with aiKeyAlg = 0, dwFlags = 0 and
//  pvAuxInfo = NULL.
//--------------------------------------------------------------------------
function CryptImportPublicKeyInfo(hCryptProv :HCRYPTPROV;
                                  dwCertEncodingType :DWORD;
                                  pInfo :PCERT_PUBLIC_KEY_INFO;
                                  phKey :PHCRYPTKEY):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Convert and import the public key info into the provider and return a
//  handle to the public key.
//
//  Uses the dwCertEncodingType and pInfo->Algorithm.pszObjId to call the
//  installable CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC. The called function
//  has the same signature as CryptImportPublicKeyInfoEx.
//
//  If unable to find an installable OID function for the pszObjId,
//  attempts to import as a RSA Public Key (szOID_RSA_RSA).
//
//  For szOID_RSA_RSA: aiKeyAlg may be set to CALG_RSA_SIGN or CALG_RSA_KEYX.
//  Defaults to CALG_RSA_KEYX. The dwFlags and pvAuxInfo aren't used.
//--------------------------------------------------------------------------
const CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_FUNC = 'CryptDllImportPublicKeyInfoEx';

function CryptImportPublicKeyInfoEx(hCryptProv :HCRYPTPROV;
                                    dwCertEncodingType :DWORD;
                                    pInfo :PCERT_PUBLIC_KEY_INFO;
                                    aiKeyAlg :ALG_ID;
                                    dwFlags :DWORD;
                                    pvAuxInfo :PVOID;
                                    phKey :PHCRYPTKEY
                                    ):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Compute the hash of the encoded public key info.
//
//  The public key info is encoded and then hashed.
//--------------------------------------------------------------------------
function CryptHashPublicKeyInfo(hCryptProv :HCRYPTPROV;
                                Algid :ALG_ID;
                                dwFlags :DWORD;
                                dwCertEncodingType :DWORD;
                                pInfo :PCERT_PUBLIC_KEY_INFO;
                                pbComputedHash :PBYTE;
                                pcbComputedHash :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Convert a Name Value to a null terminated char string
//
//  Returns the number of characters converted including the terminating null
//  character. If psz is NULL or csz is 0, returns the required size of the
//  destination string (including the terminating null char).
//
//  If psz != NULL && csz != 0, returned psz is always NULL terminated.
//
//  Note: csz includes the NULL char.
//--------------------------------------------------------------------------
function CertRDNValueToStrA(dwValueType :DWORD;
                            pValue :PCERT_RDN_VALUE_BLOB;
                            psz :LPSTR;                   //OPTIONAL
                            csz :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
//  Convert a Name Value to a null terminated char string
//
//  Returns the number of characters converted including the terminating null
//  character. If psz is NULL or csz is 0, returns the required size of the
//  destination string (including the terminating null char).
//
//  If psz != NULL && csz != 0, returned psz is always NULL terminated.
//
//  Note: csz includes the NULL char.
//--------------------------------------------------------------------------
function CertRDNValueToStrW(dwValueType :DWORD;
                            pValue :PCERT_RDN_VALUE_BLOB;
                            psz :LPWSTR;                   //OPTIONAL
                            csz :DWORD):DWORD ; stdcall;

function CertRDNValueToStr(dwValueType :DWORD;
                           pValue :PCERT_RDN_VALUE_BLOB;
                           psz :LPAWSTR;     //OPTIONAL
                           csz :DWORD):DWORD ; stdcall;

//+-------------------------------------------------------------------------
//  Convert the certificate name blob to a null terminated char string.
//
//  Follows the string representation of distinguished names specified in
//  RFC 1779. (Note, added double quoting "" for embedded quotes, quote
//  empty strings and don't quote strings containing consecutive spaces).
//  RDN values of type CERT_RDN_ENCODED_BLOB or CERT_RDN_OCTET_STRING are
//  formatted in hexadecimal (e.g. #0A56CF).
//
//  The name string is formatted according to the dwStrType:
//    CERT_SIMPLE_NAME_STR
//      The object identifiers are discarded. CERT_RDN entries are separated
//      by ", ". Multiple attributes per CERT_RDN are separated by " + ".
//      For example:
//          Microsoft, Joe Cool + Programmer
//    CERT_OID_NAME_STR
//      The object identifiers are included with a "=" separator from their
//      attribute value. CERT_RDN entries are separated by ", ".
//      Multiple attributes per CERT_RDN are separated by " + ". For example:
//          2.5.4.11=Microsoft, 2.5.4.3=Joe Cool + 2.5.4.12=Programmer
//    CERT_X500_NAME_STR
//      The object identifiers are converted to their X500 key name. Otherwise,
//      same as CERT_OID_NAME_STR. If the object identifier doesn't have
//      a corresponding X500 key name, then, the object identifier is used with
//      a "OID." prefix. For example:
//          OU=Microsoft, CN=Joe Cool + T=Programmer, OID.1.2.3.4.5.6=Unknown
//
//  We quote the RDN value if it contains leading or trailing whitespace
//  or one of the following characters: ",", "+", "=", """, "\n",  "<", ">",
//  "#" or ";". The quoting character is ". If the the RDN Value contains
//  a " it is double quoted (""). For example:
//      OU="  Microsoft", CN="Joe ""Cool""" + T="Programmer, Manager"
//
//  CERT_NAME_STR_SEMICOLON_FLAG can be or'ed into dwStrType to replace
//  the ", " separator with a "; " separator.
//
//  CERT_NAME_STR_CRLF_FLAG can be or'ed into dwStrType to replace
//  the ", " separator with a "\r\n" separator.
//
//  CERT_NAME_STR_NO_PLUS_FLAG can be or'ed into dwStrType to replace the
//  " + " separator with a single space, " ".
//
//  CERT_NAME_STR_NO_QUOTING_FLAG can be or'ed into dwStrType to inhibit
//  the above quoting.
//
//  Returns the number of characters converted including the terminating null
//  character. If psz is NULL or csz is 0, returns the required size of the
//  destination string (including the terminating null char).
//
//  If psz != NULL && csz != 0, returned psz is always NULL terminated.
//
//  Note: csz includes the NULL char.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
function CertNameToStrA(dwCertEncodingType :DWORD;
                        pName :PCERT_NAME_BLOB;
                        dwStrType :DWORD;
                        psz :LPSTR; //OPTIONAL
                        csz :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
function CertNameToStrW(dwCertEncodingType :DWORD;
                        pName :PCERT_NAME_BLOB;
                        dwStrType :DWORD;
                        psz :LPWSTR; //OPTIONAL
                        csz :DWORD):DWORD ; stdcall;

function CertNameToStr(dwCertEncodingType :DWORD;
                       pName :PCERT_NAME_BLOB;
                       dwStrType :DWORD;
                       psz :LPAWSTR; //OPTIONAL
                       csz :DWORD):DWORD ; stdcall;

//+-------------------------------------------------------------------------
//  Certificate name string types
//--------------------------------------------------------------------------
const CERT_SIMPLE_NAME_STR = 1;
const CERT_OID_NAME_STR = 2;
const CERT_X500_NAME_STR = 3;

//+-------------------------------------------------------------------------
//  Certificate name string type flags OR'ed with the above types
//--------------------------------------------------------------------------
const CERT_NAME_STR_SEMICOLON_FLAG = $40000000;
const CERT_NAME_STR_NO_PLUS_FLAG = $20000000;
const CERT_NAME_STR_NO_QUOTING_FLAG = $10000000;
const CERT_NAME_STR_CRLF_FLAG = $08000000;
const CERT_NAME_STR_COMMA_FLAG = $04000000;


//+-------------------------------------------------------------------------
//  Convert the null terminated X500 string to an encoded certificate name.
//
//  The input string is expected to be formatted the same as the output
//  from the above CertNameToStr API.
//
//  The CERT_SIMPLE_NAME_STR type isn't supported. Otherwise, when dwStrType
//  is set to 0, CERT_OID_NAME_STR or CERT_X500_NAME_STR, allow either a
//  case insensitive X500 key (CN=), case insensitive "OID." prefixed
//  object identifier (OID.1.2.3.4.5.6=) or an object identifier (1.2.3.4=).
//
//  If no flags are OR'ed into dwStrType, then, allow "," or ";" as RDN
//  separators and "+" as the multiple RDN value separator. Quoting is
//  supported. A quote may be included in a quoted value by double quoting,
//  for example (CN="Joe ""Cool"""). A value starting with a "#" is treated
//  as ascii hex and converted to a CERT_RDN_OCTET_STRING. Embedded whitespace
//  is skipped (1.2.3 = # AB CD 01  is the same as 1.2.3=#ABCD01).
//
//  Whitespace surrounding the keys, object identifers and values is removed.
//
//  CERT_NAME_STR_COMMA_FLAG can be or'ed into dwStrType to only allow the
//  "," as the RDN separator.
//
//  CERT_NAME_STR_SEMICOLON_FLAG can be or'ed into dwStrType to only allow the
//  ";" as the RDN separator.
//
//  CERT_NAME_STR_CRLF_FLAG can be or'ed into dwStrType to only allow
//  "\r" or "\n" as the RDN separator.
//
//  CERT_NAME_STR_NO_PLUS_FLAG can be or'ed into dwStrType to ignore "+"
//  as a separator and not allow multiple values per RDN.
//
//  CERT_NAME_STR_NO_QUOTING_FLAG can be or'ed into dwStrType to inhibit
//  quoting.
//
//  Support the following X500 Keys:
//
//  Key         Object Identifier               RDN Value Type(s)
//  ---         -----------------               -----------------
//  CN          szOID_COMMON_NAME               Printable, T61
//  L           szOID_LOCALITY_NAME             Printable, T61
//  O           szOID_ORGANIZATION_NAME         Printable, T61
//  OU          szOID_ORGANIZATIONAL_UNIT_NAME  Printable, T61
//  Email       szOID_RSA_emailAddr             Only IA5
//  C           szOID_COUNTRY_NAME              Only Printable
//  S           szOID_STATE_OR_PROVINCE_NAME    Printable, T61
//  ST          szOID_STATE_OR_PROVINCE_NAME    Printable, T61
//  STREET      szOID_STREET_ADDRESS            Printable, T61
//  T           szOID_TITLE                     Printable, T61
//  Title       szOID_TITLE                     Printable, T61
//  G           szOID_GIVEN_NAME                Printable, T61
//  GivenName   szOID_GIVEN_NAME                Printable, T61
//  I           szOID_INITIALS                  Printable, T61
//  Initials    szOID_INITIALS                  Printable, T61
//  SN          szOID_SUR_NAME                  Printable, T61
//  DC          szOID_DOMAIN_COMPONENT          Only IA5
//
//  The T61 types are UTF-8 encoded.
//
//  Returns TRUE if successfully parsed the input string and encoded
//  the name.
//
//  If the input string is detected to be invalid, *ppszError is updated
//  to point to the beginning of the invalid character sequence. Otherwise,
//  *ppszError is set to NULL. *ppszError is updated with a non-NULL pointer
//  for the following errors:
//      CRYPT_E_INVALID_X500_STRING
//      CRYPT_E_INVALID_NUMERIC_STRING
//      CRYPT_E_INVALID_PRINTABLE_STRING
//      CRYPT_E_INVALID_IA5_STRING
//
//  ppszError can be set to NULL if not interested in getting a pointer
//  to the invalid character sequence.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
function CertStrToNameA(dwCertEncodingType :DWORD;
                        pszX500 :LPCSTR;
                        dwStrType :DWORD;
                        pvReserved :PVOID;
                        pbEncoded :PBYTE;
                        pcbEncoded :PDWORD;
                     var ppszError :array of LPCSTR):BOOL ; stdcall;  {--max-- iniziato qui}
//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
function CertStrToNameW(dwCertEncodingType :DWORD;
                        pszX500 :LPCWSTR;
                        dwStrType :DWORD;
                        pvReserved :PVOID;
                        pbEncoded :PBYTE;
                        pcbEncoded :PDWORD;
                    var ppszError :array of LPWSTR):BOOL ; stdcall;

function CertStrToName(dwCertEncodingType :DWORD;
                       pszX500 :LPAWSTR;
                       dwStrType :DWORD;
                       pvReserved :PVOID;
                       pbEncoded :PBYTE;
                       pcbEncoded :PDWORD;
                   var ppszError :array of LPAWSTR):BOOL ; stdcall;

//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
function CertGetNameStringA(pCertContext :PCCERT_CONTEXT;
                            dwType :DWORD;
                            dwFlags :DWORD;
                            pvTypePara :PVOID;
                            pszNameString :LPSTR;
                            cchNameString :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
//--------------------------------------------------------------------------
function CertGetNameStringW(pCertContext :PCCERT_CONTEXT;
                            dwType :DWORD;
                            dwFlags :DWORD;
                            pvTypePara :PVOID;
                            pszNameString :LPWSTR;
                            cchNameString :DWORD):DWORD ; stdcall;

function CertGetNameString(pCertContext :PCCERT_CONTEXT;
                           dwType :DWORD;
                           dwFlags :DWORD;
                           pvTypePara :PVOID;
                           pszNameString :LPAWSTR;
                           cchNameString :DWORD):DWORD ; stdcall;
//+-------------------------------------------------------------------------
//  Certificate name types
//--------------------------------------------------------------------------
const
  CERT_NAME_EMAIL_TYPE            = 1;
  CERT_NAME_RDN_TYPE              = 2;
  CERT_NAME_ATTR_TYPE             = 3;
  CERT_NAME_SIMPLE_DISPLAY_TYPE   = 4;
  CERT_NAME_FRIENDLY_DISPLAY_TYPE = 5;
  CERT_NAME_DNS_TYPE              = 6;
  CERT_NAME_URL_TYPE              = 7;
  CERT_NAME_UPN_TYPE              = 8;

//+-------------------------------------------------------------------------
//  Certificate name flags
//--------------------------------------------------------------------------
  CERT_NAME_ISSUER_FLAG           = $1;
  CERT_NAME_DISABLE_IE4_UTF8_FLAG = $00010000;


// Following is only applicable to CERT_NAME_DNS_TYPE. When set returns
// all names not just the first one. Returns a multi-string. Each string
// will be null terminated. The last string will be double null terminated.
  CERT_NAME_SEARCH_ALL_NAMES_FLAG = $2;


//+=========================================================================
//  Simplified Cryptographic Message Data Structures and APIs
//==========================================================================


//+-------------------------------------------------------------------------
//              Conventions for the *pb and *pcb output parameters:
//
//              Upon entry to the function:
//                  if pcb is OPTIONAL && pcb == NULL, then,
//                      No output is returned
//                  else if pb == NULL && pcb != NULL, then,
//                      Length only determination. No length error is
//                      returned.
//                  otherwise where (pb != NULL && pcb != NULL && *pcb != 0)
//                      Output is returned. If *pcb isn't big enough a
//                      length error is returned. In all cases *pcb is updated
//                      with the actual length needed/returned.
//--------------------------------------------------------------------------


//+-------------------------------------------------------------------------
//  Type definitions of the parameters used for doing the cryptographic
//  operations.
//--------------------------------------------------------------------------

//+-------------------------------------------------------------------------
//  Callback to get and verify the signer's certificate.
//
//  Passed the CertId of the signer (its Issuer and SerialNumber) and a
//  handle to its cryptographic signed message's cert store.
//
//  For CRYPT_E_NO_SIGNER, called with pSignerId == NULL.
//
//  For a valid signer certificate, returns a pointer to a read only
//  CERT_CONTEXT. The returned CERT_CONTEXT is either obtained from a
//  cert store or was created via CertCreateCertificateContext. For either case,
//  its freed via CertFreeCertificateContext.
//
//  If a valid certificate isn't found, this callback returns NULL with
//  LastError set via SetLastError().
//
//  The NULL implementation tries to get the Signer certificate from the
//  message cert store. It doesn't verify the certificate.
//--------------------------------------------------------------------------

type
    PFN_CRYPT_GET_SIGNER_CERTIFICATE = function (pvGetArg :PVOID;
                                                 dwCertEncodingType :DWORD;
                                                 pSignerId :PCERT_INFO;        // Only the Issuer and SerialNumber
                                                 hMsgCertStore :HCERTSTORE     // fields have been updated
                                                 ):PCCERT_CONTEXT ; stdcall;
//+-------------------------------------------------------------------------
//  The CRYPT_SIGN_MESSAGE_PARA are used for signing messages using the
//  specified signing certificate contexts. (Note, allows multiple signers.)
//
//  Either the CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID must
//  be set for each rgpSigningCert[]. Either one specifies the private
//  signature key to use.
//
//  If any certificates and/or CRLs are to be included in the signed message,
//  then, the MsgCert and MsgCrl parameters need to be updated. If the
//  rgpSigningCerts are to be included, then, they must also be in the
//  rgpMsgCert array.
//
//  cbSize must be set to the sizeof(CRYPT_SIGN_MESSAGE_PARA) or else
//  LastError will be updated with E_INVALIDARG.
//
//  pvHashAuxInfo currently isn't used and must be set to NULL.
//
//  dwFlags normally is set to 0. However, if the encoded output
//  is to be a CMSG_SIGNED inner content of an outer cryptographic message,
//  such as a CMSG_ENVELOPED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
//  should be set. If not set, then it would be encoded as an inner content
//  type of CMSG_DATA.
//
//  dwInnerContentType is normally set to 0. It needs to be set if the
//  ToBeSigned input is the encoded output of another cryptographic
//  message, such as, an CMSG_ENVELOPED. When set, it's one of the cryptographic
//  message types, for example, CMSG_ENVELOPED.
//
//  If the inner content of a nested cryptographic message is data (CMSG_DATA
//  the default), then, neither dwFlags or dwInnerContentType need to be set.
//--------------------------------------------------------------------------

type
  PCRYPT_SIGN_MESSAGE_PARA = ^CRYPT_SIGN_MESSAGE_PARA;
  CRYPT_SIGN_MESSAGE_PARA = record
    cbSize :DWORD;
    dwMsgEncodingType :DWORD;
    pSigningCert :PCCERT_CONTEXT;
    HashAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
    pvHashAuxInfo :PVOID;
    cMsgCert :DWORD;
    rgpMsgCert :PPCCERT_CONTEXT;// pointer to array of PCCERT_CONTEXT
    cMsgCrl :DWORD;
    rgpMsgCrl :PPCCRL_CONTEXT; // pointer to array of PCCERT_CO
    cAuthAttr :DWORD;
    rgAuthAttr :PCRYPT_ATTRIBUTE;
    cUnauthAttr :DWORD;
    rgUnauthAttr :PCRYPT_ATTRIBUTE;
    dwFlags :DWORD;
    dwInnerContentType :DWORD;
  end;
const CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG = $1;

//+-------------------------------------------------------------------------
//  The CRYPT_VERIFY_MESSAGE_PARA are used to verify signed messages.
//
//  hCryptProv is used to do hashing and signature verification.
//
//  The dwCertEncodingType specifies the encoding type of the certificates
//  and/or CRLs in the message.
//
//  pfnGetSignerCertificate is called to get and verify the message signer's
//  certificate.
//
//  cbSize must be set to the sizeof(CRYPT_VERIFY_MESSAGE_PARA) or else
//  LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
type
  PCRYPT_VERIFY_MESSAGE_PARA = ^CRYPT_VERIFY_MESSAGE_PARA;
  CRYPT_VERIFY_MESSAGE_PARA = record
    cbSize :DWORD;
    dwMsgAndCertEncodingType :DWORD;
    hCryptProv :HCRYPTPROV;
    pfnGetSignerCertificate :PFN_CRYPT_GET_SIGNER_CERTIFICATE;
    pvGetArg :PVOID;
  end;

//+-------------------------------------------------------------------------
//  The CRYPT_ENCRYPT_MESSAGE_PARA are used for encrypting messages.
//
//  hCryptProv is used to do content encryption, recipient key
//  encryption, and recipient key export. Its private key
//  isn't used.
//
//  pvEncryptionAuxInfo currently isn't used and must be set to NULL.
//
//  cbSize must be set to the sizeof(CRYPT_ENCRYPT_MESSAGE_PARA) or else
//  LastError will be updated with E_INVALIDARG.
//
//  dwFlags normally is set to 0. However, if the encoded output
//  is to be a CMSG_ENVELOPED inner content of an outer cryptographic message,
//  such as a CMSG_SIGNED, then, the CRYPT_MESSAGE_BARE_CONTENT_OUT_FLAG
//  should be set. If not set, then it would be encoded as an inner content
//  type of CMSG_DATA.
//
//  dwInnerContentType is normally set to 0. It needs to be set if the
//  ToBeEncrypted input is the encoded output of another cryptographic
//  message, such as, an CMSG_SIGNED. When set, it's one of the cryptographic
//  message types, for example, CMSG_SIGNED.
//
//  If the inner content of a nested cryptographic message is data (CMSG_DATA
//  the default), then, neither dwFlags or dwInnerContentType need to be set.
//--------------------------------------------------------------------------
type
  PCRYPT_ENCRYPT_MESSAGE_PARA = ^CRYPT_ENCRYPT_MESSAGE_PARA;
  CRYPT_ENCRYPT_MESSAGE_PARA = record
    cbSize :DWORD;
    dwMsgEncodingType :DWORD;
    hCryptProv :HCRYPTPROV;
    ContentEncryptionAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
    pvEncryptionAuxInfo :PVOID;
    dwFlags :DWORD;
    dwInnerContentType :DWORD;
  end;

//+-------------------------------------------------------------------------
//  The CRYPT_DECRYPT_MESSAGE_PARA are used for decrypting messages.
//
//  The CertContext to use for decrypting a message is obtained from one
//  of the specified cert stores. An encrypted message can have one or
//  more recipients. The recipients are identified by their CertId (Issuer
//  and SerialNumber). The cert stores are searched to find the CertContext
//  corresponding to the CertId.
//
//  Only CertContexts in the store with either
//  the CERT_KEY_PROV_HANDLE_PROP_ID or CERT_KEY_PROV_INFO_PROP_ID set
//  can be used. Either property specifies the private exchange key to use.
//
//  cbSize must be set to the sizeof(CRYPT_DECRYPT_MESSAGE_PARA) or else
//  LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
type
  PCRYPT_DECRYPT_MESSAGE_PARA = ^CRYPT_DECRYPT_MESSAGE_PARA;
  CRYPT_DECRYPT_MESSAGE_PARA = record
    cbSize :DWORD;
    dwMsgAndCertEncodingType :DWORD;
    cCertStore :DWORD;
    rghCertStore :PHCERTSTORE;
  end;
//+-------------------------------------------------------------------------
//  The CRYPT_HASH_MESSAGE_PARA are used for hashing or unhashing
//  messages.
//
//  hCryptProv is used to compute the hash.
//
//  pvHashAuxInfo currently isn't used and must be set to NULL.
//
//  cbSize must be set to the sizeof(CRYPT_HASH_MESSAGE_PARA) or else
//  LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
type
  PCRYPT_HASH_MESSAGE_PARA = ^CRYPT_HASH_MESSAGE_PARA;
  CRYPT_HASH_MESSAGE_PARA = record
    cbSize :DWORD;
    dwMsgEncodingType :DWORD;
    hCryptProv :HCRYPTPROV;
    HashAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
    pvHashAuxInfo :PVOID;
  end;

//+-------------------------------------------------------------------------
//  The CRYPT_KEY_SIGN_MESSAGE_PARA are used for signing messages until a
//  certificate has been created for the signature key.
//
//  pvHashAuxInfo currently isn't used and must be set to NULL.
//
//  If PubKeyAlgorithm isn't set, defaults to szOID_RSA_RSA.
//
//  cbSize must be set to the sizeof(CRYPT_KEY_SIGN_MESSAGE_PARA) or else
//  LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
type
  PCRYPT_KEY_SIGN_MESSAGE_PARA = ^CRYPT_KEY_SIGN_MESSAGE_PARA;
  CRYPT_KEY_SIGN_MESSAGE_PARA = record
    cbSize :DWORD;
    dwMsgAndCertEncodingType :DWORD;
    hCryptProv :HCRYPTPROV;
    dwKeySpec :DWORD;
    HashAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
    pvHashAuxInfo :PVOID;
    PubKeyAlgorithm :CRYPT_ALGORITHM_IDENTIFIER;
  end;

//+-------------------------------------------------------------------------
//  The CRYPT_KEY_VERIFY_MESSAGE_PARA are used to verify signed messages without
//  a certificate for the signer.
//
//  Normally used until a certificate has been created for the key.
//
//  hCryptProv is used to do hashing and signature verification.
//
//  cbSize must be set to the sizeof(CRYPT_KEY_VERIFY_MESSAGE_PARA) or else
//  LastError will be updated with E_INVALIDARG.
//--------------------------------------------------------------------------
type
  PCRYPT_KEY_VERIFY_MESSAGE_PARA = ^CRYPT_KEY_VERIFY_MESSAGE_PARA;
  CRYPT_KEY_VERIFY_MESSAGE_PARA = record
    cbSize :DWORD;
    dwMsgEncodingType :DWORD;
    hCryptProv :HCRYPTPROV;
  end;

//+-------------------------------------------------------------------------
//  Sign the message.
//
//  If fDetachedSignature is TRUE, the "to be signed" content isn't included
//  in the encoded signed blob.
//--------------------------------------------------------------------------
function CryptSignMessage(pSignPara :PCRYPT_SIGN_MESSAGE_PARA;
                          fDetachedSignature :BOOL;
                          cToBeSigned :DWORD;
                    const rgpbToBeSigned :array of PBYTE;
                          rgcbToBeSigned :array of DWORD;
                          pbSignedBlob :PBYTE;
                          pcbSignedBlob :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Verify a signed message.
//
//  If pbDecoded == NULL, then, *pcbDecoded is implicitly set to 0 on input.
//  For *pcbDecoded == 0 && ppSignerCert == NULL on input, the signer isn't
//  verified.
//
//  A message might have more than one signer. Set dwSignerIndex to iterate
//  through all the signers. dwSignerIndex == 0 selects the first signer.
//
//  pVerifyPara's pfnGetSignerCertificate is called to get the signer's
//  certificate.
//
//  For a verified signer and message, *ppSignerCert is updated
//  with the CertContext of the signer. It must be freed by calling
//  CertFreeCertificateContext. Otherwise, *ppSignerCert is set to NULL.
//
//  ppSignerCert can be NULL, indicating the caller isn't interested
//  in getting the CertContext of the signer.
//
//  pcbDecoded can be NULL, indicating the caller isn't interested in getting
//  the decoded content. Furthermore, if the message doesn't contain any
//  content or signers, then, pcbDecoded must be set to NULL, to allow the
//  pVerifyPara->pfnGetCertificate to be called. Normally, this would be
//  the case when the signed message contains only certficates and CRLs.
//  If pcbDecoded is NULL and the message doesn't have the indicated signer,
//  pfnGetCertificate is called with pSignerId set to NULL.
//
//  If the message doesn't contain any signers || dwSignerIndex > message's
//  SignerCount, then, an error is returned with LastError set to
//  CRYPT_E_NO_SIGNER. Also, for CRYPT_E_NO_SIGNER, pfnGetSignerCertificate
//  is still called with pSignerId set to NULL.
//
//  Note, an alternative way to get the certificates and CRLs from a
//  signed message is to call CryptGetMessageCertificates.
//--------------------------------------------------------------------------
function CryptVerifyMessageSignature(pVerifyPara :PCRYPT_VERIFY_MESSAGE_PARA;
                                     dwSignerIndex :DWORD;
                               const pbSignedBlob :PBYTE;
                                     cbSignedBlob :DWORD;
                                     pbDecoded :PBYTE;
                                     pcbDecoded :DWORD;
                                     ppSignerCert :PCCERT_CONTEXT
                                     ):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Returns the count of signers in the signed message. For no signers, returns
//  0. For an error returns -1 with LastError updated accordingly.
//--------------------------------------------------------------------------
function CryptGetMessageSignerCount(dwMsgEncodingType :DWORD;
                              const pbSignedBlob :PBYTE;
                                    cbSignedBlob :DWORD):LONG ; stdcall;
//+-------------------------------------------------------------------------
//  Returns the cert store containing the message's certs and CRLs.
//  For an error, returns NULL with LastError updated.
//--------------------------------------------------------------------------
function CryptGetMessageCertificates(dwMsgAndCertEncodingType :DWORD;
                                     hCryptProv :HCRYPTPROV; // passed to CertOpenStore
                                     dwFlags :DWORD;  // passed to CertOpenStore
                               const pbSignedBlob :PBYTE;
                                     cbSignedBlob :DWORD):HCERTSTORE ; stdcall;
//+-------------------------------------------------------------------------
//  Verify a signed message containing detached signature(s).
//  The "to be signed" content is passed in separately. No
//  decoded output. Otherwise, identical to CryptVerifyMessageSignature.
//--------------------------------------------------------------------------
function CryptVerifyDetachedMessageSignature(pVerifyPara :PCRYPT_VERIFY_MESSAGE_PARA;
                                             dwSignerIndex :DWORD;
                                       const pbDetachedSignBlob :PBYTE;
                                             cbDetachedSignBlob :DWORD;
                                             cToBeSigned :DWORD;
                                       const rgpbToBeSigned :array of PBYTE;
                                             rgcbToBeSigned :array of DWORD;
                                             ppSignerCert :PPCCERT_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Encrypts the message for the recipient(s).
//--------------------------------------------------------------------------
function CryptEncryptMessage(pEncryptPara :PCRYPT_ENCRYPT_MESSAGE_PARA;
                             cRecipientCert :DWORD;
                             rgpRecipientCert :array of PCCERT_CONTEXT;
                             const pbToBeEncrypted :PBYTE;
                             cbToBeEncrypted :DWORD;
                             pbEncryptedBlob :PBYTE;
                             pcbEncryptedBlob :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Decrypts the message.
//
//  If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
//  For *pcbDecrypted == 0 && ppXchgCert == NULL on input, the message isn't
//  decrypted.
//
//  For a successfully decrypted message, *ppXchgCert is updated
//  with the CertContext used to decrypt. It must be freed by calling
//  CertStoreFreeCert. Otherwise, *ppXchgCert is set to NULL.
//
//  ppXchgCert can be NULL, indicating the caller isn't interested
//  in getting the CertContext used to decrypt.
//--------------------------------------------------------------------------
function CryptDecryptMessage(pDecryptPara :PCRYPT_DECRYPT_MESSAGE_PARA;
                       const pbEncryptedBlob :PBYTE;
                             cbEncryptedBlob :DWORD;
                             pbDecrypted :PBYTE;
                             pcbDecrypted :PDWORD;
                             ppXchgCert :PPCCERT_CONTEXT):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Sign the message and encrypt for the recipient(s). Does a CryptSignMessage
//  followed with a CryptEncryptMessage.
//
//  Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. Its a CMSG_SIGNED
//  inside of an CMSG_ENVELOPED.
//--------------------------------------------------------------------------
function CryptSignAndEncryptMessage(pSignPara :PCRYPT_SIGN_MESSAGE_PARA;
                                    pEncryptPara :PCRYPT_ENCRYPT_MESSAGE_PARA;
                                    cRecipientCert :DWORD;
                                    rgpRecipientCert :array of PCCERT_CONTEXT;
                              const pbToBeSignedAndEncrypted :PBYTE;
                                    cbToBeSignedAndEncrypted :DWORD;
                                    pbSignedAndEncryptedBlob :PBYTE;
                                    pcbSignedAndEncryptedBlob :PDWORD
                                    ):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Decrypts the message and verifies the signer. Does a CryptDecryptMessage
//  followed with a CryptVerifyMessageSignature.
//
//  If pbDecrypted == NULL, then, *pcbDecrypted is implicitly set to 0 on input.
//  For *pcbDecrypted == 0 && ppSignerCert == NULL on input, the signer isn't
//  verified.
//
//  A message might have more than one signer. Set dwSignerIndex to iterate
//  through all the signers. dwSignerIndex == 0 selects the first signer.
//
//  The pVerifyPara's VerifySignerPolicy is called to verify the signer's
//  certificate.
//
//  For a successfully decrypted and verified message, *ppXchgCert and
//  *ppSignerCert are updated. They must be freed by calling
//  CertStoreFreeCert. Otherwise, they are set to NULL.
//
//  ppXchgCert and/or ppSignerCert can be NULL, indicating the
//  caller isn't interested in getting the CertContext.
//
//  Note: this isn't the CMSG_SIGNED_AND_ENVELOPED. Its a CMSG_SIGNED
//  inside of an CMSG_ENVELOPED.
//
//  The message always needs to be decrypted to allow access to the
//  signed message. Therefore, if ppXchgCert != NULL, its always updated.
//--------------------------------------------------------------------------
function CryptDecryptAndVerifyMessageSignature(pDecryptPara :PCRYPT_DECRYPT_MESSAGE_PARA;
                                               pVerifyPara :PCRYPT_VERIFY_MESSAGE_PARA;
                                               dwSignerIndex :DWORD;
                                         const pbEncryptedBlob :PBYTE;
                                               cbEncryptedBlob :DWORD;
                                               pbDecrypted :PBYTE;
                                               pcbDecrypted :PDWORD;
                                           var ppXchgCert :array of PCCERT_CONTEXT;
                                           var ppSignerCert :array of PCCERT_CONTEXT
                                               ):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Decodes a cryptographic message which may be one of the following types:
//    CMSG_DATA
//    CMSG_SIGNED
//    CMSG_ENVELOPED
//    CMSG_SIGNED_AND_ENVELOPED
//    CMSG_HASHED
//
//  dwMsgTypeFlags specifies the set of allowable messages. For example, to
//  decode either SIGNED or ENVELOPED messages, set dwMsgTypeFlags to:
//      CMSG_SIGNED_FLAG | CMSG_ENVELOPED_FLAG.
//
//  dwProvInnerContentType is only applicable when processing nested
//  crytographic messages. When processing an outer crytographic message
//  it must be set to 0. When decoding a nested cryptographic message
//  its the dwInnerContentType returned by a previous CryptDecodeMessage
//  of the outer message. The InnerContentType can be any of the CMSG types,
//  for example, CMSG_DATA, CMSG_SIGNED, ...
//
//  The optional *pdwMsgType is updated with the type of message.
//
//  The optional *pdwInnerContentType is updated with the type of the inner
//  message. Unless there is cryptographic message nesting, CMSG_DATA
//  is returned.
//
//  For CMSG_DATA: returns decoded content.
//  For CMSG_SIGNED: same as CryptVerifyMessageSignature.
//  For CMSG_ENVELOPED: same as CryptDecryptMessage.
//  For CMSG_SIGNED_AND_ENVELOPED: same as CryptDecryptMessage plus
//      CryptVerifyMessageSignature.
//  For CMSG_HASHED: verifies the hash and returns decoded content.
//--------------------------------------------------------------------------
function CryptDecodeMessage(dwMsgTypeFlags :DWORD;
                            pDecryptPara   :PCRYPT_DECRYPT_MESSAGE_PARA;
                            pVerifyPara    :PCRYPT_VERIFY_MESSAGE_PARA ;
                            dwSignerIndex  :DWORD;
                      const pbEncodedBlob  :PBYTE;
                            cbEncodedBlob  :DWORD;
                            dwPrevInnerContentType :DWORD;
                            pdwMsgType     :PDWORD;
                            pdwInnerContentType :PDWORD;
                            pbDecoded      :PBYTE;
                            pcbDecoded     :PDWORD;
                        var ppXchgCert     :array of PCCERT_CONTEXT;
                        var ppSignerCert   :array of PCCERT_CONTEXT
                            ):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Hash the message.
//
//  If fDetachedHash is TRUE, only the ComputedHash is encoded in the
//  pbHashedBlob. Otherwise, both the ToBeHashed and ComputedHash
//  are encoded.
//
//  pcbHashedBlob or pcbComputedHash can be NULL, indicating the caller
//  isn't interested in getting the output.
//--------------------------------------------------------------------------
function CryptHashMessage(pHashPara :PCRYPT_HASH_MESSAGE_PARA;
                          fDetachedHash :BOOL;
                          cToBeHashed :DWORD;
                    const rgpbToBeHashed :array of PBYTE;
                          rgcbToBeHashed :array of DWORD;
                          pbHashedBlob :PBYTE;
                          pcbHashedBlob :PDWORD;
                          pbComputedHash :PBYTE;
                          pcbComputedHash :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Verify a hashed message.
//
//  pcbToBeHashed or pcbComputedHash can be NULL,
//  indicating the caller isn't interested in getting the output.
//--------------------------------------------------------------------------
function CryptVerifyMessageHash(pHashPara :PCRYPT_HASH_MESSAGE_PARA;
                                pbHashedBlob :PBYTE;
                                cbHashedBlob :DWORD;
                                pbToBeHashed :PBYTE;
                                pcbToBeHashed :PDWORD;
                                pbComputedHash :PBYTE;
                                pcbComputedHash :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Verify a hashed message containing a detached hash.
//  The "to be hashed" content is passed in separately. No
//  decoded output. Otherwise, identical to CryptVerifyMessageHash.
//
//  pcbComputedHash can be NULL, indicating the caller isn't interested
//  in getting the output.
//--------------------------------------------------------------------------
function CryptVerifyDetachedMessageHash(pHashPara :PCRYPT_HASH_MESSAGE_PARA;
                                        pbDetachedHashBlob :PBYTE;
                                        cbDetachedHashBlob :DWORD;
                                        cToBeHashed :DWORD;
                                        rgpbToBeHashed :array of PBYTE;
                                        rgcbToBeHashed :array of DWORD;
                                        pbComputedHash :PBYTE;
                                        pcbComputedHash :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Sign the message using the provider's private key specified in the
//  parameters. A dummy SignerId is created and stored in the message.
//
//  Normally used until a certificate has been created for the key.
//--------------------------------------------------------------------------
function CryptSignMessageWithKey(pSignPara :PCRYPT_KEY_SIGN_MESSAGE_PARA;
                           const pbToBeSigned :PBYTE;
                                 cbToBeSigned :DWORD;
                                 pbSignedBlob :PBYTE;
                                 pcbSignedBlob :PDWORD):BOOL ; stdcall;
//+-------------------------------------------------------------------------
//  Verify a signed message using the specified public key info.
//
//  Normally called by a CA until it has created a certificate for the
//  key.
//
//  pPublicKeyInfo contains the public key to use to verify the signed
//  message. If NULL, the signature isn't verified (for instance, the decoded
//  content may contain the PublicKeyInfo).
//
//  pcbDecoded can be NULL, indicating the caller isn't interested
//  in getting the decoded content.
//--------------------------------------------------------------------------
function CryptVerifyMessageSignatureWithKey(pVerifyPara :PCRYPT_KEY_VERIFY_MESSAGE_PARA;
                                            pPublicKeyInfo :PCERT_PUBLIC_KEY_INFO;
                                      const pbSignedBlob :PBYTE;
                                            cbSignedBlob :DWORD;
                                            pbDecoded :PBYTE;
                                            pcbDecoded :PDWORD):BOOL ; stdcall;

//+=========================================================================
//  System Certificate Store Data Structures and APIs
//==========================================================================


//+-------------------------------------------------------------------------
//  Get a system certificate store based on a subsystem protocol.
//
//  Current examples of subsystems protocols are:
//      "MY"    Cert Store hold certs with associated Private Keys
//      "CA"    Certifying Authority certs
//      "ROOT"  Root Certs
//      "SPC"   Software publisher certs
//
//
//  If hProv is NULL the default provider "1" is opened for you.
//  When the store is closed the provider is release. Otherwise
//  if hProv is not NULL, no provider is created or released.
//
//  The returned Cert Store can be searched for an appropriate Cert
//  using the Cert Store API's (see certstor.h)
//
//  When done, the cert store should be closed using CertStoreClose
//--------------------------------------------------------------------------

function CertOpenSystemStoreA(hProv :HCRYPTPROV;
                              szSubsystemProtocol :LPCSTR):HCERTSTORE ; stdcall;

function CertOpenSystemStoreW(hProv :HCRYPTPROV;
                              szSubsystemProtocol :LPCWSTR):HCERTSTORE ; stdcall;

function CertOpenSystemStore(hProv :HCRYPTPROV;
                             szSubsystemProtocol :LPAWSTR):HCERTSTORE ; stdcall;

function CertAddEncodedCertificateToSystemStoreA(szCertStoreName :LPCSTR;
                                           const pbCertEncoded :PBYTE;
                                                cbCertEncoded :DWORD):BOOL ; stdcall;

function CertAddEncodedCertificateToSystemStoreW(szCertStoreName :LPCWSTR;
                                           const pbCertEncoded :PBYTE;
                                                 cbCertEncoded :DWORD):BOOL ; stdcall;

function CertAddEncodedCertificateToSystemStore(szCertStoreName :LPAWSTR;
                                          const pbCertEncoded :PBYTE;
                                                cbCertEncoded :DWORD):BOOL ; stdcall;


//+-------------------------------------------------------------------------
//  Find all certificate chains tying the given issuer name to any certificate
//  that the current user has a private key for.
//
//  If no certificate chain is found, FALSE is returned with LastError set
//  to CRYPT_E_NOT_FOUND and the counts zeroed.
//
//  IE 3.0 ASSUMPTION:
//   The client certificates are in the "My" system store. The issuer
//   cerificates may be in the "Root", "CA" or "My" system stores.
//--------------------------------------------------------------------------
type
  PCERT_CHAIN = ^CERT_CHAIN;
  CERT_CHAIN = record
    cCerts :DWORD;     // number of certs in chain
    certs :PCERT_BLOB;      // pointer to array of cert chain blobs representing the certs
    keyLocatorInfo :CRYPT_KEY_PROV_INFO; // key locator for cert
  end;


// WINCRYPT32API    This is not exported by crypt32, it is exported by softpub
function FindCertsByIssuer(pCertChains :PCERT_CHAIN;
                           pcbCertChains :PDWORD;
                           pcCertChains :PDWORD;       // count of certificates chains returned
                           pbEncodedIssuerName :PBYTE;   // DER encoded issuer name
                           cbEncodedIssuerName :DWORD; // count in bytes of encoded issuer name
                           pwszPurpose :LPCWSTR; // "ClientAuth" or "CodeSigning"
                           dwKeySpec :DWORD  // only return signers supporting this keyspec
                           ):HRESULT ; stdcall;

//////////////////////////// VERSION 2 ////////////////////////////////////////////////////////////////////

implementation

{Macro inplementation}
function GET_ALG_CLASS(x:integer) :integer;
begin
  Result:=(x and (7 shl 13));
end;

function GET_ALG_TYPE(x:integer) :integer;
begin
  Result:=(x and (15 shl 9));
end;

function GET_ALG_SID(x:integer) :integer;
begin
  Result:=(x and (511));
end;

function RCRYPT_SUCCEEDED(rt:BOOL):BOOL;
begin
  Result:= rt = CRYPT_SUCCEED;
end;

function RCRYPT_FAILED(rt:BOOL):BOOL;
begin
  Result:= rt = CRYPT_FAILED;
end ;

function  GET_CERT_UNICODE_RDN_ERR_INDEX(X :integer):integer;
begin
    Result :=  ((X shr CERT_UNICODE_RDN_ERR_INDEX_SHIFT) and CERT_UNICODE_RDN_ERR_INDEX_MASK);
end;

function  GET_CERT_UNICODE_ATTR_ERR_INDEX(X :integer):integer;
begin
    Result := ((X shr CERT_UNICODE_ATTR_ERR_INDEX_SHIFT) and CERT_UNICODE_ATTR_ERR_INDEX_MASK);
end;

function  GET_CERT_UNICODE_VALUE_ERR_INDEX(X :integer):integer;
begin
    Result := (X and CERT_UNICODE_VALUE_ERR_INDEX_MASK);
end;

function GET_CERT_ALT_NAME_ENTRY_ERR_INDEX(X :DWORD):DWORD;
begin
    Result := ((X shr CERT_ALT_NAME_ENTRY_ERR_INDEX_SHIFT) and CERT_ALT_NAME_ENTRY_ERR_INDEX_MASK);
end;

function GET_CERT_ALT_NAME_VALUE_ERR_INDEX(X :DWORD):DWORD;
begin
    Result := (X and CERT_ALT_NAME_VALUE_ERR_INDEX_MASK);
end;

function GET_CRL_DIST_POINT_ERR_INDEX(X :DWORD):DWORD;
begin
Result := ((X shr CRL_DIST_POINT_ERR_INDEX_SHIFT) and CRL_DIST_POINT_ERR_INDEX_MASK);
end;

function IS_CRL_DIST_POINT_ERR_CRL_ISSUER(X :DWORD):BOOL;
begin
    Result := (0 <> (X and CRL_DIST_POINT_ERR_CRL_ISSUER_BIT));
end;
///////////////////////////////////////version 2 /////////////////////////

function IS_CERT_RDN_CHAR_STRING(X :DWORD) :BOOL;
begin
    Result :=BOOL(X >= CERT_RDN_NUMERIC_STRING);
 end;

function GET_CERT_ENCODING_TYPE(X :DWORD):DWORD;
begin
    Result := (X and CERT_ENCODING_TYPE_MASK);
end;

function GET_CMSG_ENCODING_TYPE(X :DWORD):DWORD;
begin
    Result := (X and CMSG_ENCODING_TYPE_MASK);
end;

function IS_CERT_HASH_PROP_ID( X :DWORD):BOOL ;
begin
    if (X = CERT_SHA1_HASH_PROP_ID) or (X = CERT_MD5_HASH_PROP_ID) then
        Result := True
    else
        Result := False;
end;
{end Macro}

function CryptAcquireContextA    ;external ADVAPI32 name 'CryptAcquireContextA';
{$IFDEF UNICODE}
function CryptAcquireContext     ;external ADVAPI32 name 'CryptAcquireContextW';
{$ELSE}
function CryptAcquireContext     ;external ADVAPI32 name 'CryptAcquireContextA';
{$ENDIF}
function CryptAcquireContextW    ;external ADVAPI32 name 'CryptAcquireContextW';
function CryptReleaseContext     ;external ADVAPI32 name 'CryptReleaseContext';
function CryptGenKey             ;external ADVAPI32 name 'CryptGenKey';
function CryptDeriveKey          ;external ADVAPI32 name 'CryptDeriveKey';
function CryptDestroyKey         ;external ADVAPI32 name 'CryptDestroyKey';
function CryptSetKeyParam        ;external ADVAPI32 name 'CryptSetKeyParam';
function CryptGetKeyParam        ;external ADVAPI32 name 'CryptGetKeyParam';
function CryptSetHashParam       ;external ADVAPI32 name 'CryptSetHashParam';
function CryptGetHashParam       ;external ADVAPI32 name 'CryptGetHashParam';
function CryptSetProvParam       ;external ADVAPI32 name 'CryptSetProvParam';
function CryptGetProvParam       ;external ADVAPI32 name 'CryptGetProvParam';
function CryptGenRandom          ;external ADVAPI32 name 'CryptGenRandom';
function CryptGetUserKey         ;external ADVAPI32 name 'CryptGetUserKey';
function CryptExportKey          ;external ADVAPI32 name 'CryptExportKey';
function CryptImportKey          ;external ADVAPI32 name 'CryptImportKey';
function CryptEncrypt            ;external ADVAPI32 name 'CryptEncrypt';
function CryptDecrypt            ;external ADVAPI32 name 'CryptDecrypt';
function CryptCreateHash         ;external ADVAPI32 name 'CryptCreateHash';
function CryptHashData           ;external ADVAPI32 name 'CryptHashData';
function CryptHashSessionKey     ;external ADVAPI32 name 'CryptHashSessionKey';
function CryptDestroyHash        ;external ADVAPI32 name 'CryptDestroyHash';
function CryptSignHashA          ;external ADVAPI32 name 'CryptSignHashA';
function CryptSignHashW          ;external ADVAPI32 name 'CryptSignHashW';
function CryptSignHashU          ;external CRYPT32 name 'CryptSignHashU';
{$IFDEF UNICODE}
function CryptSignHash           ;external ADVAPI32 name 'CryptSignHashW';
{$ELSE}
function CryptSignHash           ;external ADVAPI32 name 'CryptSignHashA';
{$ENDIF}
function CryptVerifySignatureA   ;external ADVAPI32 name 'CryptVerifySignatureA';
function CryptVerifySignatureW   ;external ADVAPI32 name 'CryptVerifySignatureW';
{$IFDEF UNICODE}
function CryptVerifySignature    ;external ADVAPI32 name 'CryptVerifySignatureW';
{$ELSE}
function CryptVerifySignature    ;external ADVAPI32 name 'CryptVerifySignatureA';
{$ENDIF}
function CryptSetProviderW       ;external ADVAPI32 name 'CryptSetProviderW';
function CryptSetProviderA       ;external ADVAPI32 name 'CryptSetProviderA';
function CryptSetProviderU       ;external CRYPT32 name 'CryptSetProviderU';
{$IFDEF UNICODE}
function CryptSetProvider        ;external ADVAPI32 name 'CryptSetProviderW';
{$ELSE}
function CryptSetProvider        ;external ADVAPI32 name 'CryptSetProviderA';
{$ENDIF}

{$IFDEF NT5}
function CryptSetProviderExA ;external ADVAPI32NT5 name 'CryptSetProviderExA';//nt5 advapi32
function CryptSetProviderExW ;external ADVAPI32NT5 name 'CryptSetProviderExW';
{$IFDEF UNICODE}
function CryptSetProviderEx ;external ADVAPI32NT5 name 'CryptSetProviderExW';
{$ELSE}
function  CryptSetProviderEx  ;external ADVAPI32NT5 name 'CryptSetProviderExA';
{$ENDIF} // !UNICODE

function CryptGetDefaultProviderA ; external ADVAPI32NT5 name 'CryptGetDefaultProviderA';//nt5 advapi32
function CryptGetDefaultProviderW ; external ADVAPI32NT5 name 'CryptGetDefaultProviderW';
{$IFDEF UNICODE}
function CryptGetDefaultProvider ; external ADVAPI32NT5 name 'CryptGetDefaultProviderW';
{$ELSE}
function CryptGetDefaultProvider; external ADVAPI32NT5 name 'CryptGetDefaultProviderA';
{$ENDIF} // !UNICODE

function CryptEnumProviderTypesA ; external ADVAPI32NT5 name 'CryptEnumProviderTypesA';//nt5 advapi32
function CryptEnumProviderTypesW ; external ADVAPI32NT5 name 'CryptEnumProviderTypesW';
{$IFDEF UNICODE}
function CryptEnumProviderTypes ; external ADVAPI32NT5 name 'CryptEnumProviderTypesW';
{$ELSE}
function CryptEnumProviderTypes ; external ADVAPI32NT5 name 'CryptEnumProviderTypesA';
{$ENDIF} // !UNICODE

function CryptEnumProvidersA; external ADVAPI32NT5 name 'CryptEnumProvidersA';//nt5 advapi32
function CryptEnumProvidersW; external ADVAPI32NT5 name 'CryptEnumProvidersW';

{$IFDEF UNICODE}
function CryptEnumProviders; external ADVAPI32NT5 name 'CryptEnumProvidersW';
{$ELSE}
function CryptEnumProviders; external ADVAPI32NT5 name 'CryptEnumProvidersA';
{$ENDIF} // !UNICODE
function CryptContextAddRef; external ADVAPI32NT5 name 'CryptContextAddRef';//nt5 advapi32
function CryptDuplicateKey; external ADVAPI32NT5 name 'CryptDuplicateKey';//nt5 advapi32
function CryptDuplicateHash; external ADVAPI32NT5 name 'CryptDuplicateHash';//nt5 advapi32
{$ENDIF NT5}

function CryptEnumProvidersU; external CRYPT32 name 'CryptEnumProvidersU';
function CryptFormatObject; external CRYPT32 name 'CryptFormatObject';
function CryptEncodeObject; external CRYPT32 name 'CryptEncodeObject';
function CryptDecodeObject; external CRYPT32 name 'CryptDecodeObject';
function CryptInstallOIDFunctionAddress; external CRYPT32 name 'CryptInstallOIDFunctionAddress';
function CryptInitOIDFunctionSet; external CRYPT32 name 'CryptInitOIDFunctionSet';
function CryptGetOIDFunctionAddress; external CRYPT32 name 'CryptGetOIDFunctionAddress';
function CryptGetDefaultOIDDllList; external CRYPT32 name 'CryptGetDefaultOIDDllList';
function CryptGetDefaultOIDFunctionAddress; external CRYPT32 name 'CryptGetDefaultOIDFunctionAddress';
function CryptFreeOIDFunctionAddress; external CRYPT32 name 'CryptFreeOIDFunctionAddress';
function CryptRegisterOIDFunction; external CRYPT32 name 'CryptRegisterOIDFunction';
function CryptUnregisterOIDFunction; external CRYPT32 name 'CryptUnregisterOIDFunction';
function CryptRegisterDefaultOIDFunction; external CRYPT32 name 'CryptRegisterDefaultOIDFunction';
function CryptUnregisterDefaultOIDFunction; external CRYPT32 name 'CryptUnregisterDefaultOIDFunction';
function CryptSetOIDFunctionValue; external CRYPT32 name 'CryptSetOIDFunctionValue';
function CryptGetOIDFunctionValue; external CRYPT32 name 'CryptGetOIDFunctionValue';
function CryptEnumOIDFunction; external CRYPT32 name 'CryptEnumOIDFunction';
function CryptFindOIDInfo; external CRYPT32 name 'CryptFindOIDInfo';

function CryptRegisterOIDInfo; external CRYPT32 name 'CryptRegisterOIDInfo';
function CryptUnregisterOIDInfo; external CRYPT32 name 'CryptUnregisterOIDInfo';
function CryptMsgOpenToEncode; external CRYPT32 name 'CryptMsgOpenToEncode';
function CryptMsgCalculateEncodedLength; external CRYPT32 name 'CryptMsgCalculateEncodedLength';
function CryptMsgOpenToDecode; external CRYPT32 name 'CryptMsgOpenToDecode';
function CryptMsgClose; external CRYPT32 name 'CryptMsgClose';
function CryptMsgUpdate; external CRYPT32 name 'CryptMsgUpdate';
function CryptMsgControl; external CRYPT32 name 'CryptMsgControl';
function CryptMsgVerifyCountersignatureEncoded; external CRYPT32 name 'CryptMsgVerifyCountersignatureEncoded';
function CryptMsgCountersign; external CRYPT32 name 'CryptMsgCountersign';
function CryptMsgCountersignEncoded; external CRYPT32 name 'CryptMsgCountersignEncoded';
function CryptMsgGetParam; external CRYPT32 name 'CryptMsgGetParam';
function CertOpenStore; external CRYPT32 name 'CertOpenStore';
function CertDuplicateStore; external CRYPT32 name 'CertDuplicateStore';
function CertSaveStore; external CRYPT32 name 'CertSaveStore';
function CertCloseStore; external CRYPT32 name 'CertCloseStore';
function CertGetSubjectCertificateFromStore; external CRYPT32 name 'CertGetSubjectCertificateFromStore';
function CertEnumCertificatesInStore; external CRYPT32 name 'CertEnumCertificatesInStore';
function CertFindCertificateInStore; external CRYPT32 name 'CertFindCertificateInStore';
function CertGetIssuerCertificateFromStore; external CRYPT32 name 'CertGetIssuerCertificateFromStore';
function CertVerifySubjectCertificateContext; external CRYPT32 name 'CertVerifySubjectCertificateContext';
function CertDuplicateCertificateContext; external CRYPT32 name 'CertDuplicateCertificateContext';
function CertCreateCertificateContext; external CRYPT32 name 'CertCreateCertificateContext';
function CertFreeCertificateContext; external CRYPT32 name 'CertFreeCertificateContext';
function CertSetCertificateContextProperty; external CRYPT32 name 'CertSetCertificateContextProperty';
function CertGetCertificateContextProperty; external CRYPT32 name 'CertGetCertificateContextProperty';
function CertEnumCertificateContextProperties; external CRYPT32 name 'CertEnumCertificateContextProperties';
function CertGetCRLFromStore; external CRYPT32 name 'CertGetCRLFromStore';
function CertDuplicateCRLContext; external CRYPT32 name 'CertDuplicateCRLContext';
function CertCreateCRLContext; external CRYPT32 name 'CertCreateCRLContext';
function CertFreeCRLContext; external CRYPT32 name 'CertFreeCRLContext';
function CertSetCRLContextProperty; external CRYPT32 name 'CertSetCRLContextProperty';
function CertGetCRLContextProperty; external CRYPT32 name 'CertGetCRLContextProperty';
function CertEnumCRLContextProperties; external CRYPT32 name 'CertEnumCRLContextProperties';
function CertAddEncodedCertificateToStore; external CRYPT32 name 'CertAddEncodedCertificateToStore';
function CertAddCertificateContextToStore; external CRYPT32 name 'CertAddCertificateContextToStore';
function CertAddSerializedElementToStore; external CRYPT32 name 'CertAddSerializedElementToStore';
function CertDeleteCertificateFromStore; external CRYPT32 name 'CertDeleteCertificateFromStore';
function CertAddEncodedCRLToStore; external CRYPT32 name 'CertAddEncodedCRLToStore';
function CertAddCRLContextToStore; external CRYPT32 name 'CertAddCRLContextToStore';
function CertDeleteCRLFromStore; external CRYPT32 name 'CertDeleteCRLFromStore';
function CertSerializeCertificateStoreElement; external CRYPT32 name 'CertSerializeCertificateStoreElement';
function CertSerializeCRLStoreElement; external CRYPT32 name 'CertSerializeCRLStoreElement';
function CertDuplicateCTLContext; external CRYPT32 name 'CertDuplicateCTLContext';
function CertCreateCTLContext; external CRYPT32 name 'CertCreateCTLContext';
function CertFreeCTLContext; external CRYPT32 name 'CertFreeCTLContext';
function CertSetCTLContextProperty; external CRYPT32 name 'CertSetCTLContextProperty';
function CertGetCTLContextProperty; external CRYPT32 name 'CertGetCTLContextProperty';
function CertEnumCTLContextProperties; external CRYPT32 name 'CertEnumCTLContextProperties';
function CertEnumCTLsInStore; external CRYPT32 name 'CertEnumCTLsInStore';
function CertFindSubjectInCTL; external CRYPT32 name 'CertFindSubjectInCTL';
function CertFindCTLInStore; external CRYPT32 name 'CertFindCTLInStore';
function CertAddEncodedCTLToStore; external CRYPT32 name 'CertAddEncodedCTLToStore';
function CertAddCTLContextToStore; external CRYPT32 name 'CertAddCTLContextToStore';
function CertSerializeCTLStoreElement; external CRYPT32 name 'CertSerializeCTLStoreElement';
function CertDeleteCTLFromStore; external CRYPT32 name 'CertDeleteCTLFromStore';
function CertGetEnhancedKeyUsage; external CRYPT32 name 'CertGetEnhancedKeyUsage';
function CertSetEnhancedKeyUsage; external CRYPT32 name 'CertSetEnhancedKeyUsage';
function CertAddEnhancedKeyUsageIdentifier; external CRYPT32 name 'CertAddEnhancedKeyUsageIdentifier';
function CertRemoveEnhancedKeyUsageIdentifier; external CRYPT32 name 'CertRemoveEnhancedKeyUsageIdentifier';
function CryptMsgGetAndVerifySigner; external CRYPT32 name 'CryptMsgGetAndVerifySigner';
function CryptMsgSignCTL; external CRYPT32 name 'CryptMsgSignCTL';
function CryptMsgEncodeAndSignCTL; external CRYPT32 name 'CryptMsgEncodeAndSignCTL';
function CertVerifyCTLUsage; external CRYPT32 name 'CertVerifyCTLUsage';
function CertVerifyRevocation; external CRYPT32 name 'CertVerifyRevocation';
function CertCompareIntegerBlob; external CRYPT32 name 'CertCompareIntegerBlob';
function CertCompareCertificate; external CRYPT32 name 'CertCompareCertificate';
function CertCompareCertificateName; external CRYPT32 name 'CertCompareCertificateName';
function CertIsRDNAttrsInCertificateName; external CRYPT32 name 'CertIsRDNAttrsInCertificateName';
function CertComparePublicKeyInfo; external CRYPT32 name 'CertComparePublicKeyInfo';
function CertGetPublicKeyLength; external CRYPT32 name 'CertGetPublicKeyLength';
function CryptVerifyCertificateSignature; external CRYPT32 name 'CryptVerifyCertificateSignature';
function CryptHashToBeSigned; external CRYPT32 name 'CryptHashToBeSigned';
function CryptHashCertificate; external CRYPT32 name 'CryptHashCertificate';
function CryptSignCertificate; external CRYPT32 name 'CryptSignCertificate';
function CryptSignAndEncodeCertificate; external CRYPT32 name 'CryptSignAndEncodeCertificate';
function CertVerifyTimeValidity; external CRYPT32 name 'CertVerifyTimeValidity';
function CertVerifyCRLTimeValidity; external CRYPT32 name 'CertVerifyCRLTimeValidity';
function CertVerifyValidityNesting; external CRYPT32 name 'CertVerifyValidityNesting';
function CertVerifyCRLRevocation; external CRYPT32 name 'CertVerifyCRLRevocation';
function CertAlgIdToOID; external CRYPT32 name 'CertAlgIdToOID';
function CertOIDToAlgId; external CRYPT32 name 'CertOIDToAlgId';
function CertFindExtension; external CRYPT32 name 'CertFindExtension';
function CertFindAttribute; external CRYPT32 name 'CertFindAttribute';
function CertFindRDNAttr; external CRYPT32 name 'CertFindRDNAttr';
function CertGetIntendedKeyUsage; external CRYPT32 name 'CertGetIntendedKeyUsage';
function CryptExportPublicKeyInfo; external CRYPT32 name 'CryptExportPublicKeyInfo';
function CryptExportPublicKeyInfoEx; external CRYPT32 name 'CryptExportPublicKeyInfoEx';
function CryptImportPublicKeyInfo; external CRYPT32 name 'CryptImportPublicKeyInfo';
function CryptImportPublicKeyInfoEx; external CRYPT32 name 'CryptImportPublicKeyInfoEx';
function CryptHashPublicKeyInfo; external CRYPT32 name 'CryptHashPublicKeyInfo';
function CertRDNValueToStrA; external CRYPT32 name 'CertRDNValueToStrA';
function CertRDNValueToStrW; external CRYPT32 name 'CertRDNValueToStrW';
{$IFDEF UNICODE}
function CertRDNValueToStr; external CRYPT32 name 'CertRDNValueToStrW';
{$ELSE}
function CertRDNValueToStr; external CRYPT32 name 'CertRDNValueToStrA';
{$ENDIF} // !UNICODE
function CertNameToStrA; external CRYPT32 name 'CertNameToStrA';
function CertNameToStrW; external CRYPT32 name 'CertNameToStrW';
{$IFDEF UNICODE}
function CertNameToStr; external CRYPT32 name 'CertNameToStrW';
{$ELSE}
function CertNameToStr; external CRYPT32 name 'CertNameToStrA';
{$ENDIF} // !UNICODE
function CertStrToNameW; external CRYPT32 name 'CertStrToNameW';
function CertStrToNameA; external CRYPT32 name 'CertStrToNameA';
{$IFDEF UNICODE}
function CertStrToName; external CRYPT32 name 'CertStrToNameW';
{$ELSE}
function CertStrToName; external CRYPT32 name 'CertStrToNameA';
{$ENDIF} // !UNICODE
function CertGetNameStringW; external CRYPT32 name 'CertGetNameStringW';
function CertGetNameStringA; external CRYPT32 name 'CertGetNameStringA';
{$IFDEF UNICODE}
function CertGetNameString; external CRYPT32 name 'CertGetNameStringW';
{$ELSE}
function CertGetNameString; external CRYPT32 name 'CertGetNameStringA';
{$ENDIF} // !UNICODE
function CryptSignMessage; external CRYPT32 name 'CryptSignMessage';
//function CryptSignMessageWithKey; external CRYPT32 name 'CryptSignMessageWithKey';
function CryptVerifyMessageSignature; external CRYPT32 name 'CryptVerifyMessageSignature';
//function CryptVerifyMessageSignatureWithKey; external CRYPT32 name 'CryptVerifyMessageSignatureWithKey';
function CryptGetMessageSignerCount; external CRYPT32 name 'CryptGetMessageSignerCount';
function CryptGetMessageCertificates; external CRYPT32 name 'CryptGetMessageCertificates';
function CryptVerifyDetachedMessageSignature; external CRYPT32 name 'CryptVerifyDetachedMessageSignature';
function CryptEncryptMessage; external CRYPT32 name 'CryptEncryptMessage';
function CryptDecryptMessage; external CRYPT32 name 'CryptDecryptMessage';
function CryptSignAndEncryptMessage; external CRYPT32 name 'CryptSignAndEncryptMessage';
function CryptDecryptAndVerifyMessageSignature; external CRYPT32 name 'CryptDecryptAndVerifyMessageSignature';
function CryptDecodeMessage; external CRYPT32 name 'CryptDecodeMessage';
function CryptHashMessage; external CRYPT32 name 'CryptHashMessage';
function CryptVerifyMessageHash; external CRYPT32 name 'CryptVerifyMessageHash';
function CryptVerifyDetachedMessageHash; external CRYPT32 name 'CryptVerifyDetachedMessageHash';
function CryptSignMessageWithKey; external CRYPT32 name 'CryptSignMessageWithKey';
function CryptVerifyMessageSignatureWithKey; external CRYPT32 name 'CryptVerifyMessageSignatureWithKey';
function CertOpenSystemStoreA; external CRYPT32 name 'CertOpenSystemStoreA';
function CertOpenSystemStoreW; external CRYPT32 name 'CertOpenSystemStoreW';
{$IFDEF UNICODE}
function CertOpenSystemStore; external CRYPT32 name 'CertOpenSystemStoreW';
{$ELSE}
function CertOpenSystemStore; external CRYPT32 name 'CertOpenSystemStoreA';
{$ENDIF} // !UNICODE
function CertAddEncodedCertificateToSystemStoreA; external CRYPT32 name 'CertAddEncodedCertificateToSystemStoreA';
function CertAddEncodedCertificateToSystemStoreW; external CRYPT32 name 'CertAddEncodedCertificateToSystemStoreW';
{$IFDEF UNICODE}
function CertAddEncodedCertificateToSystemStore; external CRYPT32 name 'CertAddEncodedCertificateToSystemStoreW';
{$ELSE}
function CertAddEncodedCertificateToSystemStore; external CRYPT32 name 'CertAddEncodedCertificateToSystemStoreA';
{$ENDIF} // !UNICODE
function FindCertsByIssuer; external SOFTPUB name 'FindCertsByIssuer';
end.