Microsoft Windows Server 2008 R2 Kernel Mode Cryptographic Primitives Library (cng.sys) Security Policy Document
This Security Policy is non-proprietary and may be reproduced only in its original entirety (without revision)
The BCryptDestroyHash() function destroys a hash object.
5.8 Signing and Verification
5.8.1 BCryptSignHash
NTSTATUS WINAPI BCryptSignHash(
    BCRYPT_KEY_HANDLE hKey,
    VOID *pPaddingInfo,
    PUCHAR pbInput,
    ULONG cbInput,
    PUCHAR pbOutput,
    ULONG cbOutput,
    ULONG *pcbResult,
    ULONG dwFlags);
The BCryptSignHash() function creates a signature of a hash value.
hKey [in] is the handle of the key to use to sign the hash.
pPaddingInfo [in, optional] is a pointer to a structure that contains padding information. The actual type
of structure this parameter points to depends on the value of the dwFlags parameter. This parameter is
only used with asymmetric keys and must be NULL otherwise.
pbInput [in] is a pointer to a buffer that contains the hash value to sign. The cbInput parameter contains
the size of this buffer.
cbInput [in] is the number of bytes in the pbInput buffer to sign.
pbOutput [out] is the address of a buffer to receive the signature produced by this function. The
cbOutput parameter contains the size of this buffer. If this parameter is NULL, this function will calculate
the size required for the signature and return the size in the location pointed to by the pcbResult
parameter.
cbOutput [in] is the size, in bytes, of the pbOutput buffer. This parameter is ignored if the pbOutput
parameter is NULL.
pcbResult [out] is a pointer to a ULONG variable that receives the number of bytes copied to the
pbOutput buffer. If pbOutput is NULL, this receives the size, in bytes, required for the signature.
dwFlags [in] is a set of flags that modify the behavior of this function. The allowed set of flags depends
on the type of key specified by the hKey parameter. If the key is a symmetric key, this parameter is not
used and should be set to zero. If the key is an asymmetric key, this can be one of the following values:
BCRYPT_PAD_PKCS1, BCRYPT_PAD_PSS.
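The size-query behaviour of pbOutput and pcbResult described above, shown as a two-call wrapper. This is an added example, not part of the Security Policy or of Microsoft's code. The names sign_hash_alloc, sign_fn, EX_FAIL and demo_sign are hypothetical; demo_sign is a constructed stand-in that follows the documented parameter contract so the block builds off Windows, and on Windows BCryptSignHash itself is passed as the first argument.

```c
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#include <bcrypt.h>
#else /* constructed stand-ins so the example builds off Windows */
typedef int NTSTATUS;
typedef unsigned int ULONG;
typedef unsigned char *PUCHAR;
typedef void VOID, *BCRYPT_KEY_HANDLE;
#define WINAPI
#endif
#define EX_FAIL ((NTSTATUS)0xC0000001) /* hypothetical local failure code */

typedef NTSTATUS (WINAPI *sign_fn)(BCRYPT_KEY_HANDLE, VOID *, PUCHAR, ULONG,
                                   PUCHAR, ULONG, ULONG *, ULONG);

/* Two-call pattern: query the size with pbOutput == NULL, allocate, then sign.
   On any failure *sig stays NULL so no partial buffer reaches the caller. */
NTSTATUS sign_hash_alloc(sign_fn sign, BCRYPT_KEY_HANDLE hKey, VOID *pad,
                         PUCHAR hash, ULONG cbHash, ULONG flags,
                         PUCHAR *sig, ULONG *cbSig)
{
    ULONG need = 0, got = 0;
    *sig = NULL; *cbSig = 0;
    NTSTATUS st = sign(hKey, pad, hash, cbHash, NULL, 0, &need, flags);
    if (st < 0 || need == 0)               /* NTSTATUS failures are negative */
        return st < 0 ? st : EX_FAIL;
    PUCHAR buf = (PUCHAR)calloc(1, need);
    if (!buf) return EX_FAIL;
    st = sign(hKey, pad, hash, cbHash, buf, need, &got, flags);
    if (st < 0 || got == 0 || got > need) { /* bound pcbResult by the allocation */
        free(buf);
        return st < 0 ? st : EX_FAIL;
    }
    *sig = buf; *cbSig = got;
    return 0;
}

/* Constructed stand-in obeying the documented contract; not a real signer. */
NTSTATUS WINAPI demo_sign(BCRYPT_KEY_HANDLE k, VOID *p, PUCHAR in, ULONG cbIn,
                          PUCHAR out, ULONG cbOut, ULONG *pcb, ULONG f)
{
    (void)k; (void)p; (void)f;
    *pcb = cbIn;                                    /* size needed or written */
    if (!out) return 0;                             /* size query only */
    if (cbOut < cbIn) return (NTSTATUS)0xC0000023;  /* buffer too small */
    for (ULONG i = 0; i < cbIn; i++) out[i] = in[i] ^ 0x5A;
    return 0;
}
```

The caller owns the returned buffer and releases it with free().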
5.8.2 BCryptVerifySignature
NTSTATUS WINAPI BCryptVerifySignature(
    BCRYPT_KEY_HANDLE hKey,
    VOID *pPaddingInfo,
    PUCHAR pbHash,
    ULONG cbHash,
    PUCHAR pbSignature,
    ULONG cbSignature,
    ULONG dwFlags);
The BCryptVerifySignature() function verifies that the specified signature matches the specified hash.
hKey [in] is the handle of the key to use to decrypt the signature. This must be an identical key or the
public key portion of the key pair used to sign the data with the BCryptSignHash function.
pPaddingInfo [in, optional] is a pointer to a structure that contains padding information. The actual type
of structure this parameter points to depends on the value of the dwFlags parameter. This parameter is
only used with asymmetric keys and must be NULL otherwise.
pbHash [in] is the address of a buffer that contains the hash of the data. The cbHash parameter contains
the size of this buffer.
cbHash [in] is the size, in bytes, of the pbHash buffer.