Crypt32
Crypt32.dll is where most of the CryptoAPI is implemented. It supports encryption, decryption, and manipulation of certificates and related data structures. The actual encryption and decryption routines are implemented by a Cryptographic Service Provider, or CSP. The RSA enhanced provider was added by MichaelJung. JuanLang is implementing the certificate stores.
Currently crypt32 supports encoding and decoding of certificates and certificate revocation lists (CRLs) in DER format, and a reasonable subset of certificate stores and cryptographic messages.
TODO
Messages
- Attribute certificates
- Message countersignatures
- Encrypted (aka enveloped) messages
- More simplified message functions
PFX
PFX is documented, sort of, in PKCS #12, and is implemented by the PFX functions in crypt32, e.g. PFXImportCertStore and PFXExportCertStore. These are used by native cryptui and by the importpfx tool (see bug 11070).
Certificate Chains
The Wine version of CertGetCertificateChain only builds simple chains. Complex chains depend on CTLs (certificate trust lists), a Microsoft-proprietary cryptographic message type. Perhaps because they're a Microsoft invention rather than a standard, they aren't much used in practice. (The only app I've seen call any of the CTL APIs is MSN Messenger, aka Windows Live Messenger, during installation.)
It also doesn't check the key usage extension; in particular, the keyCertSign bit must be asserted in that extension for a cert to be a CA.
CertVerifyCertificateChainPolicy doesn't support the SSL policy (bug 18337). The SSL policy allows you to check that the DNS name of the server matches the DNS name or common name of the certificate. I presume it also checks for an extended key usage extension to match whether the certificate is allowed to be used as a client or server.
RFC 3280 is the reference for certificate usage on the Internet.
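A worked illustration of the two checks this section says Wine's chain builder and SSL policy do not yet make, added here as an example rather than taken from crypt32: decoding the keyUsage BIT STRING from its raw DER to test keyCertSign, and an SSL-policy style host-name match. It goes a little beyond the text by honouring a single left-most wildcard label and by preferring subject alternative name entries over the CN whenever any are present; the encodings fed to it are constructed.

```python
# Added example (not Wine's crypt32 code). Offsets follow the KeyUsage BIT STRING
# of RFC 3280 4.2.1.3: bit 0 is the most significant bit of the first content byte.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

def decode_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage BIT STRING (tag 0x03) into the set of asserted bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):   # KeyUsage is always short-form length
        raise ValueError("bad length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    return {name for name, pos in KEY_USAGE_BITS.items()
            if pos < total_bits and body[pos // 8] & (0x80 >> (pos % 8))}

def may_sign_certs(key_usage_der) -> bool:
    """Chain-builder rule: with a keyUsage extension present, a CA must assert keyCertSign.
    None stands for 'extension absent', in which case the bit cannot be required."""
    return key_usage_der is None or "keyCertSign" in decode_key_usage(key_usage_der)

def host_matches(hostname: str, san_dns_names, common_name) -> bool:
    """SSL-policy style name check. Assumption beyond the page: dNSName entries in the
    subject alternative name win over the CN whenever any are present, and a single
    left-most '*' label matches exactly one host label."""
    names = san_dns_names or ([common_name] if common_name else [])
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            labels = host.split(".")
            if len(labels) > 2 and ".".join(labels[1:]) == name[2:]:
                return True
    return False

if __name__ == "__main__":   # constructed encodings: keyCertSign+cRLSign / digSig+keyEnc
    print(may_sign_certs(bytes.fromhex("03020106")))   # True
    print(may_sign_certs(bytes.fromhex("030205a0")))   # False
    print(host_matches("www.example.com", ["*.example.com"], "ignored"))  # True
```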
Miscellaneous
- Lots more tests
