[0.4.7][BCRYPT][CRYPT32][PSDK] Add ECDSA P256 to known algorithms CORE-16741

Add missing structs and handler in BCryptOpenAlgorithmProvider(). Fixes CORE-16741 and similar problems. The modern internet is not waiting for ReactOS, needed to keep the RAPPS URLs working. fix picked from: 0.4.15-dev-3603-g e0a47b7b5f [BCRYPT] Add BCRYPT_ECDSA_P256_ALGORITHM To make this work, we need to sync CRYPT32 to WineStaging-3.3, picked that from: 0.4.9-dev-214-g a8b9a43ae8 [PSDK] Fix the build for msvc 2010. wincrypt.h 0.4.9-dev-208-g dedd08c38d [PSDK] Fix wide string literals in bcrypt.h. Should fix VC2010 build 0.4.9-dev-207-g a6265fc4b0 [BCRYPT] Improve stubs for functions needed by crypt32 aka fix build 0.4.9-dev-194-g a6e1034289 [CRYPT32] Sync with Wine Staging 3.3 0.4.9-dev-193-g e129995058 [PSDK] Update bcrypt.h and wincrypt.h
2025-02-22 08:25:03 +00:00 · 2022-02-02 22:20:49 +01:00 · 2022-02-02 22:20:49 +01:00 · c0b4dd453d
commit c0b4dd453d
parent 14079279f7
35 changed files with 973 additions and 122 deletions
--- a/dll/win32/bcrypt/bcrypt.spec
+++ b/dll/win32/bcrypt/bcrypt.spec
@ -9,7 +9,7 @@
@ stub BCryptDeleteContext
@ stub BCryptDeriveKey
@ stdcall BCryptDestroyHash(ptr)
-@ stub BCryptDestroyKey
+@ stdcall -stub BCryptDestroyKey(ptr)
@ stub BCryptDestroySecret
@ stub BCryptDuplicateHash
@ stub BCryptDuplicateKey
@ -32,7 +32,7 @@
@ stdcall BCryptHash(ptr ptr long ptr long ptr long)
@ stdcall BCryptHashData(ptr ptr long long)
@ stub BCryptImportKey
-@ stub BCryptImportKeyPair
+@ stdcall -stub BCryptImportKeyPair(ptr ptr wstr ptr ptr long long)
@ stdcall BCryptOpenAlgorithmProvider(ptr wstr wstr long)
@ stub BCryptQueryContextConfiguration
@ stub BCryptQueryContextFunctionConfiguration
@ -50,7 +50,7 @@
@ stub BCryptSignHash
@ stub BCryptUnregisterConfigChangeNotify
@ stub BCryptUnregisterProvider
-@ stub BCryptVerifySignature
+@ stdcall -stub BCryptVerifySignature(ptr ptr ptr long ptr long long)
@ stub GetAsymmetricEncryptionInterface
@ stub GetCipherInterface
@ stub GetHashInterface
--- a/dll/win32/bcrypt/bcrypt_main.c
+++ b/dll/win32/bcrypt/bcrypt_main.c
@ -266,7 +266,8 @@ enum alg_id
    ALG_ID_SHA1,
    ALG_ID_SHA256,
    ALG_ID_SHA384,
-    ALG_ID_SHA512
+    ALG_ID_SHA512,
+    ALG_ID_ECDSA_P256
 };

 static const struct {
@ -278,7 +279,8 @@ static const struct {
    /* ALG_ID_SHA1   */ { 20, BCRYPT_SHA1_ALGORITHM },
    /* ALG_ID_SHA256 */ { 32, BCRYPT_SHA256_ALGORITHM },
    /* ALG_ID_SHA384 */ { 48, BCRYPT_SHA384_ALGORITHM },
-    /* ALG_ID_SHA512 */ { 64, BCRYPT_SHA512_ALGORITHM }
+    /* ALG_ID_SHA512 */ { 64, BCRYPT_SHA512_ALGORITHM },
+    /* ALG_ID_ECDSA_P256 */ { 0, BCRYPT_ECDSA_P256_ALGORITHM }
 };

 struct algorithm
@ -351,6 +353,7 @@ NTSTATUS WINAPI BCryptOpenAlgorithmProvider( BCRYPT_ALG_HANDLE *handle, LPCWSTR
    else if (!strcmpW( id, BCRYPT_SHA256_ALGORITHM )) alg_id = ALG_ID_SHA256;
    else if (!strcmpW( id, BCRYPT_SHA384_ALGORITHM )) alg_id = ALG_ID_SHA384;
    else if (!strcmpW( id, BCRYPT_SHA512_ALGORITHM )) alg_id = ALG_ID_SHA512;
+    else if (!strcmpW( id, BCRYPT_ECDSA_P256_ALGORITHM )) alg_id = ALG_ID_ECDSA_P256;
    else
    {
        FIXME( "algorithm %s not supported\n", debugstr_w(id) );
--- a/dll/win32/crypt32/CMakeLists.txt
+++ b/dll/win32/crypt32/CMakeLists.txt
@ -35,7 +35,7 @@ list(APPEND SOURCE
    sip.c
    store.c
    str.c
-    crypt32_private.h)
+    precomp.h)

 add_library(crypt32 SHARED
    ${SOURCE}
@ -46,6 +46,6 @@ add_library(crypt32 SHARED
 set_module_type(crypt32 win32dll)
 target_link_libraries(crypt32 wine ${PSEH_LIB} oldnames)
 add_delay_importlibs(crypt32 cryptnet)
-add_importlibs(crypt32 user32 advapi32 advapi32_vista msvcrt kernel32 ntdll)
-add_pch(crypt32 crypt32_private.h SOURCE)
+add_importlibs(crypt32 bcrypt user32 advapi32 advapi32_vista msvcrt kernel32 ntdll)
+add_pch(crypt32 precomp.h SOURCE)
 add_cd_file(TARGET crypt32 DESTINATION reactos/system32 FOR all)
--- a/dll/win32/crypt32/base64.c
+++ b/dll/win32/crypt32/base64.c
@ -19,7 +19,13 @@
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */

-#include "crypt32_private.h"
+#include <stdarg.h>
+#include "windef.h"
+#include "winbase.h"
+#include "winerror.h"
+#include "wincrypt.h"
+#include "wine/debug.h"
+#include "wine/unicode.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);

--- a/dll/win32/crypt32/cert.c
+++ b/dll/win32/crypt32/cert.c
@ -17,9 +17,23 @@
 *
 */

-#include "crypt32_private.h"
+#include <assert.h>
+#include <stdarg.h>

-#include <rpc.h>
+#define NONAMELESSUNION
+#include "ntstatus.h"
+#define WIN32_NO_STATUS
+#include "windef.h"
+#include "winbase.h"
+#include "wine/winternl.h"
+#define CRYPT_OID_INFO_HAS_EXTRA_FIELDS
+#include "wincrypt.h"
+#include "bcrypt.h"
+#include "winnls.h"
+#include "rpc.h"
+#include "wine/debug.h"
+#include "wine/unicode.h"
+#include "crypt32_private.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);

@ -1875,7 +1889,7 @@ PCCERT_CONTEXT WINAPI CertGetIssuerCertificateFromStore(HCERTSTORE hCertStore,
            CertFreeCertificateContext(ret);
            ret = NULL;
        }
-        if (CRYPT_IsCertificateSelfSigned(pSubjectContext))
+        if (CRYPT_IsCertificateSelfSigned(pSubjectContext, NULL))
        {
            CertFreeCertificateContext(ret);
            ret = NULL;
@ -2400,36 +2414,29 @@ BOOL WINAPI CryptVerifyCertificateSignature(HCRYPTPROV_LEGACY hCryptProv,
     CRYPT_VERIFY_CERT_SIGN_ISSUER_PUBKEY, pPublicKey, 0, NULL);
 }

-static BOOL CRYPT_VerifyCertSignatureFromPublicKeyInfo(HCRYPTPROV_LEGACY hCryptProv,
+static BOOL verify_signature_crypt(HCRYPTPROV_LEGACY hCryptProv,
    DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pubKeyInfo,
- const CERT_SIGNED_CONTENT_INFO *signedCert)
+    const CERT_SIGNED_CONTENT_INFO *signedCert, PCCRYPT_OID_INFO info)
 {
-    BOOL ret;
-    HCRYPTKEY key;
-    PCCRYPT_OID_INFO info;
    ALG_ID pubKeyID, hashID;
+    HCRYPTHASH hash;
+    HCRYPTKEY key;
+    BOOL ret;

-    info = CryptFindOIDInfo(CRYPT_OID_INFO_OID_KEY,
-     signedCert->SignatureAlgorithm.pszObjId, 0);
-    if (!info || info->dwGroupId != CRYPT_SIGN_ALG_OID_GROUP_ID)
-    {
-        SetLastError(NTE_BAD_ALGID);
-        return FALSE;
-    }
    hashID = info->u.Algid;
    if (info->ExtraInfo.cbData >= sizeof(ALG_ID))
        pubKeyID = *(ALG_ID *)info->ExtraInfo.pbData;
    else
        pubKeyID = hashID;
+
    /* Load the default provider if necessary */
    if (!hCryptProv)
        hCryptProv = CRYPT_GetDefaultProvider();
+
    ret = CryptImportPublicKeyInfoEx(hCryptProv, dwCertEncodingType,
     pubKeyInfo, pubKeyID, 0, NULL, &key);
    if (ret)
    {
-        HCRYPTHASH hash;
-
        ret = CryptCreateHash(hCryptProv, hashID, 0, 0, &hash);
        if (ret)
        {
@ -2445,6 +2452,270 @@ static BOOL CRYPT_VerifyCertSignatureFromPublicKeyInfo(HCRYPTPROV_LEGACY hCryptP
    return ret;
 }

+static BOOL calculate_hash_bcrypt(const WCHAR *algorithm,
+    const CERT_SIGNED_CONTENT_INFO *signedCert, BYTE **hash_value, DWORD *hash_len)
+{
+    BCRYPT_HASH_HANDLE hash = NULL;
+    BCRYPT_ALG_HANDLE alg = NULL;
+    NTSTATUS status;
+    DWORD size;
+    BOOL ret = FALSE;
+
+    if ((status = BCryptOpenAlgorithmProvider(&alg, algorithm, NULL, 0)))
+        goto done;
+
+    if ((status = BCryptCreateHash(alg, &hash, NULL, 0, NULL, 0, 0)))
+        goto done;
+
+    if ((status = BCryptHashData(hash, signedCert->ToBeSigned.pbData, signedCert->ToBeSigned.cbData, 0)))
+        goto done;
+
+    if ((status = BCryptGetProperty(hash, BCRYPT_HASH_LENGTH, (BYTE *)hash_len, sizeof(*hash_len), &size, 0)))
+        goto done;
+
+    if (!(*hash_value = CryptMemAlloc(*hash_len)))
+    {
+        status = STATUS_NO_MEMORY;
+        goto done;
+    }
+
+    if ((status = BCryptFinishHash(hash, *hash_value, *hash_len, 0)))
+    {
+        CryptMemFree(*hash_value);
+        goto done;
+    }
+
+    ret = TRUE;
+
+done:
+    if (hash) BCryptDestroyHash(hash);
+    if (alg)  BCryptCloseAlgorithmProvider(alg, 0);
+    if (status) SetLastError(RtlNtStatusToDosError(status));
+    return ret;
+}
+
+static BOOL import_bcrypt_pubkey_ecc(PCERT_PUBLIC_KEY_INFO pubKeyInfo, BCRYPT_KEY_HANDLE *key)
+{
+    DWORD blob_magic, ecckey_len, size;
+    NTSTATUS status = STATUS_SUCCESS;
+    BCRYPT_ECCKEY_BLOB *ecckey;
+    const WCHAR *sign_algo;
+    BCRYPT_ALG_HANDLE alg;
+    LPSTR *ecc_curve;
+
+    if (!pubKeyInfo->PublicKey.cbData)
+    {
+        SetLastError(NTE_BAD_ALGID);
+        return FALSE;
+    }
+
+    if (pubKeyInfo->PublicKey.pbData[0] != 0x4)
+    {
+        FIXME("Compressed ECC curves (%02x) not yet supported\n", pubKeyInfo->PublicKey.pbData[0]);
+        SetLastError(NTE_BAD_ALGID);
+        return FALSE;
+    }
+
+    if (!CryptDecodeObjectEx(X509_ASN_ENCODING, X509_OBJECT_IDENTIFIER,
+                             pubKeyInfo->Algorithm.Parameters.pbData,
+                             pubKeyInfo->Algorithm.Parameters.cbData,
+                             CRYPT_DECODE_ALLOC_FLAG, NULL, &ecc_curve, &size))
+        return FALSE;
+
+    if (!strcmp(*ecc_curve, szOID_ECC_CURVE_P256))
+    {
+        sign_algo = BCRYPT_ECDSA_P256_ALGORITHM;
+        blob_magic = BCRYPT_ECDSA_PUBLIC_P256_MAGIC;
+    }
+    else if(!strcmp(*ecc_curve, szOID_ECC_CURVE_P384))
+    {
+        sign_algo = BCRYPT_ECDSA_P384_ALGORITHM;
+        blob_magic = BCRYPT_ECDSA_PUBLIC_P384_MAGIC;
+    }
+    else
+    {
+        FIXME("Unsupported ecc curve type: %s\n", *ecc_curve);
+        sign_algo = NULL;
+        blob_magic = 0;
+    }
+    LocalFree(ecc_curve);
+
+    if (!sign_algo)
+    {
+        SetLastError(NTE_BAD_ALGID);
+        return FALSE;
+    }
+
+    if ((status = BCryptOpenAlgorithmProvider(&alg, sign_algo, NULL, 0)))
+    {
+        SetLastError(RtlNtStatusToDosError(status));
+        return FALSE;
+    }
+
+    ecckey_len = sizeof(BCRYPT_ECCKEY_BLOB) + pubKeyInfo->PublicKey.cbData - 1;
+    if (!(ecckey = CryptMemAlloc(ecckey_len)))
+    {
+        BCryptCloseAlgorithmProvider(alg, 0);
+        SetLastError(ERROR_OUTOFMEMORY);
+        return FALSE;
+    }
+
+    ecckey->dwMagic = blob_magic;
+    ecckey->cbKey = (pubKeyInfo->PublicKey.cbData - 1) / 2;
+    memcpy(ecckey + 1, pubKeyInfo->PublicKey.pbData + 1, pubKeyInfo->PublicKey.cbData - 1);
+
+    status = BCryptImportKeyPair(alg, NULL, BCRYPT_ECCPUBLIC_BLOB, key, (BYTE*)ecckey, ecckey_len, 0);
+    BCryptCloseAlgorithmProvider(alg, 0);
+    if (status)
+    {
+        SetLastError(RtlNtStatusToDosError(status));
+        return FALSE;
+    }
+
+    return TRUE;
+}
+
+static BOOL import_bcrypt_pubkey(PCERT_PUBLIC_KEY_INFO pubKeyInfo, BCRYPT_KEY_HANDLE *key)
+{
+    if (!strcmp(pubKeyInfo->Algorithm.pszObjId, szOID_ECC_PUBLIC_KEY))
+        return import_bcrypt_pubkey_ecc(pubKeyInfo, key);
+
+    FIXME("Unsupported public key type: %s\n", debugstr_a(pubKeyInfo->Algorithm.pszObjId));
+    SetLastError(NTE_BAD_ALGID);
+    return FALSE;
+}
+
+static BOOL prepare_bcrypt_signature_ecc(BYTE *encoded_sig, DWORD encoded_size,
+    BYTE **sig_value, DWORD *sig_len)
+{
+    CERT_ECC_SIGNATURE *ecc_sig;
+    DWORD size;
+    int i;
+
+    if (!CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ECC_SIGNATURE,
+                             encoded_sig, encoded_size,
+                             CRYPT_DECODE_ALLOC_FLAG, NULL, &ecc_sig, &size))
+        return FALSE;
+
+    if (!ecc_sig->r.cbData || !ecc_sig->s.cbData)
+    {
+        LocalFree(ecc_sig);
+        SetLastError(ERROR_INVALID_DATA);
+        return FALSE;
+    }
+
+    *sig_len = ecc_sig->r.cbData + ecc_sig->s.cbData;
+    if (!(*sig_value = CryptMemAlloc(*sig_len)))
+    {
+        LocalFree(ecc_sig);
+        SetLastError(ERROR_OUTOFMEMORY);
+        return FALSE;
+    }
+
+    for (i = 0; i < ecc_sig->r.cbData; i++)
+        (*sig_value)[i] = ecc_sig->r.pbData[ecc_sig->r.cbData - i - 1];
+    for (i = 0; i < ecc_sig->s.cbData; i++)
+        (*sig_value)[ecc_sig->r.cbData + i] = ecc_sig->s.pbData[ecc_sig->s.cbData - i - 1];
+
+    LocalFree(ecc_sig);
+    return TRUE;
+}
+
+static BOOL prepare_bcrypt_signature(PCERT_PUBLIC_KEY_INFO pubKeyInfo,
+    const CERT_SIGNED_CONTENT_INFO *signedCert, BYTE **sig_value, DWORD *sig_len)
+{
+    BYTE *encoded_sig;
+    BOOL ret = FALSE;
+    int i;
+
+    if (!signedCert->Signature.cbData)
+    {
+        SetLastError(ERROR_INVALID_DATA);
+        return FALSE;
+    }
+
+    if (!(encoded_sig = CryptMemAlloc(signedCert->Signature.cbData)))
+    {
+        SetLastError(ERROR_OUTOFMEMORY);
+        return FALSE;
+    }
+
+    for (i = 0; i < signedCert->Signature.cbData; i++)
+        encoded_sig[i] = signedCert->Signature.pbData[signedCert->Signature.cbData - i - 1];
+
+    if (!strcmp(pubKeyInfo->Algorithm.pszObjId, szOID_ECC_PUBLIC_KEY))
+        ret = prepare_bcrypt_signature_ecc(encoded_sig, signedCert->Signature.cbData, sig_value, sig_len);
+    else
+    {
+        FIXME("Unsupported public key type: %s\n", debugstr_a(pubKeyInfo->Algorithm.pszObjId));
+        SetLastError(NTE_BAD_ALGID);
+    }
+
+    CryptMemFree(encoded_sig);
+    return ret;
+}
+
+static BOOL verify_signature_bcrypt(HCRYPTPROV_LEGACY hCryptProv,
+    DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pubKeyInfo,
+    const CERT_SIGNED_CONTENT_INFO *signedCert, PCCRYPT_OID_INFO info)
+{
+    BCRYPT_KEY_HANDLE key = NULL;
+    BYTE *hash_value, *sig_value;
+    DWORD hash_len, sig_len;
+    NTSTATUS status;
+
+    if (!calculate_hash_bcrypt(info->pwszCNGAlgid, signedCert, &hash_value, &hash_len))
+        return FALSE;
+
+    if (!import_bcrypt_pubkey(pubKeyInfo, &key))
+    {
+        CryptMemFree(hash_value);
+        return FALSE;
+    }
+
+    if (!prepare_bcrypt_signature(pubKeyInfo, signedCert, &sig_value, &sig_len))
+    {
+        CryptMemFree(hash_value);
+        BCryptDestroyKey(key);
+        return FALSE;
+    }
+
+    status = BCryptVerifySignature(key, NULL, hash_value, hash_len, sig_value, sig_len, 0);
+
+    BCryptDestroyKey(key);
+    CryptMemFree(hash_value);
+    CryptMemFree(sig_value);
+
+    if (status)
+    {
+        FIXME("Failed to verify signature: %08x\n", status);
+        SetLastError(RtlNtStatusToDosError(status));
+        return FALSE;
+    }
+
+    return TRUE;
+}
+
+static BOOL CRYPT_VerifyCertSignatureFromPublicKeyInfo(HCRYPTPROV_LEGACY hCryptProv,
+    DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pubKeyInfo,
+    const CERT_SIGNED_CONTENT_INFO *signedCert)
+{
+    PCCRYPT_OID_INFO info;
+
+    info = CryptFindOIDInfo(CRYPT_OID_INFO_OID_KEY,
+     signedCert->SignatureAlgorithm.pszObjId, 0);
+    if (!info || info->dwGroupId != CRYPT_SIGN_ALG_OID_GROUP_ID)
+    {
+        SetLastError(NTE_BAD_ALGID);
+        return FALSE;
+    }
+
+    if (info->u.Algid == CALG_OID_INFO_CNG_ONLY)
+        return verify_signature_bcrypt(hCryptProv, dwCertEncodingType, pubKeyInfo, signedCert, info);
+    else
+        return verify_signature_crypt(hCryptProv, dwCertEncodingType, pubKeyInfo, signedCert, info);
+}
+
 BOOL WINAPI CryptVerifyCertificateSignatureEx(HCRYPTPROV_LEGACY hCryptProv,
 DWORD dwCertEncodingType, DWORD dwSubjectType, void *pvSubject,
 DWORD dwIssuerType, void *pvIssuer, DWORD dwFlags, void *pvReserved)
--- a/dll/win32/crypt32/chain.c
+++ b/dll/win32/crypt32/chain.c
@ -16,11 +16,18 @@
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 *
 */
-
+#include <stdarg.h>
+#define NONAMELESSUNION
+#include "windef.h"
+#include "winbase.h"
+#define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS
+#define CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS
+#include "wincrypt.h"
+#include "wininet.h"
+#include "wine/debug.h"
+#include "wine/unicode.h"
 #include "crypt32_private.h"

-#include <wininet.h>
-
 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
 WINE_DECLARE_DEBUG_CHANNEL(chain);

@ -258,7 +265,7 @@ typedef struct _CertificateChain
    LONG ref;
 } CertificateChain;

-BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert)
+BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert, DWORD *type)
 {
    PCERT_EXTENSION ext;
    DWORD size;
@ -293,6 +300,7 @@ BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert)
                     &directoryName->u.DirectoryName, &cert->pCertInfo->Issuer)
                     && CertCompareIntegerBlob(&info->AuthorityCertSerialNumber,
                     &cert->pCertInfo->SerialNumber);
+                     if (type) *type = CERT_TRUST_HAS_NAME_MATCH_ISSUER;
                }
                else
                {
@ -314,6 +322,7 @@ BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert)
                         CERT_KEY_IDENTIFIER_PROP_ID, buf, &size);
                        ret = !memcmp(buf, info->KeyId.pbData, size);
                        CryptMemFree(buf);
+                        if (type) *type = CERT_TRUST_HAS_KEY_MATCH_ISSUER;
                    }
                    else
                        ret = FALSE;
@ -341,6 +350,7 @@ BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert)
                 &info->CertIssuer, &cert->pCertInfo->Issuer) &&
                 CertCompareIntegerBlob(&info->CertSerialNumber,
                 &cert->pCertInfo->SerialNumber);
+                if (type) *type = CERT_TRUST_HAS_NAME_MATCH_ISSUER;
            }
            else if (info->KeyId.cbData)
            {
@ -356,6 +366,7 @@ BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert)
                         CERT_KEY_IDENTIFIER_PROP_ID, buf, &size);
                        ret = !memcmp(buf, info->KeyId.pbData, size);
                        CryptMemFree(buf);
+                        if (type) *type = CERT_TRUST_HAS_KEY_MATCH_ISSUER;
                    }
                    else
                        ret = FALSE;
@ -369,8 +380,11 @@ BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert)
        }
    }
    else
+    {
        ret = CertCompareCertificateName(cert->dwCertEncodingType,
         &cert->pCertInfo->Subject, &cert->pCertInfo->Issuer);
+        if (type) *type = CERT_TRUST_HAS_NAME_MATCH_ISSUER;
+    }
    return ret;
 }

@ -1313,7 +1327,7 @@ static void CRYPT_CheckChainNameConstraints(PCERT_SIMPLE_CHAIN chain)
                     * constraints checked unless they're the end cert.
                     */
                    if (j == 0 || !CRYPT_IsCertificateSelfSigned(
-                     chain->rgpElement[j]->pCertContext))
+                     chain->rgpElement[j]->pCertContext, NULL))
                    {
                        CRYPT_CheckNameConstraints(nameConstraints,
                         chain->rgpElement[j]->pCertContext->pCertInfo,
@ -1886,6 +1900,7 @@ static void CRYPT_CheckSimpleChain(CertificateChainEngine *engine,
    int i;
    BOOL pathLengthConstraintViolated = FALSE;
    CERT_BASIC_CONSTRAINTS2_INFO constraints = { FALSE, FALSE, 0 };
+    DWORD type;

    TRACE_(chain)("checking chain with %d elements for time %s\n",
     chain->cElement, filetime_to_str(time));
@ -1897,7 +1912,7 @@ static void CRYPT_CheckSimpleChain(CertificateChainEngine *engine,
            dump_element(chain->rgpElement[i]->pCertContext);
        if (i == chain->cElement - 1)
            isRoot = CRYPT_IsCertificateSelfSigned(
-             chain->rgpElement[i]->pCertContext);
+             chain->rgpElement[i]->pCertContext, NULL);
        else
            isRoot = FALSE;
        if (!CRYPT_IsCertVersionValid(chain->rgpElement[i]->pCertContext))
@ -1973,10 +1988,10 @@ static void CRYPT_CheckSimpleChain(CertificateChainEngine *engine,
    }
    CRYPT_CheckChainNameConstraints(chain);
    CRYPT_CheckChainPolicies(chain);
-    if (CRYPT_IsCertificateSelfSigned(rootElement->pCertContext))
+    if (CRYPT_IsCertificateSelfSigned(rootElement->pCertContext, &type))
    {
        rootElement->TrustStatus.dwInfoStatus |=
-         CERT_TRUST_IS_SELF_SIGNED | CERT_TRUST_HAS_NAME_MATCH_ISSUER;
+         CERT_TRUST_IS_SELF_SIGNED | type;
        CRYPT_CheckRootCert(engine->hRoot, rootElement);
    }
    CRYPT_CombineTrustStatus(&chain->TrustStatus, &rootElement->TrustStatus);
@ -2188,7 +2203,7 @@ static BOOL CRYPT_BuildSimpleChain(const CertificateChainEngine *engine,
    PCCERT_CONTEXT cert = chain->rgpElement[chain->cElement - 1]->pCertContext;

    while (ret && !CRYPT_IsSimpleChainCyclic(chain) &&
-     !CRYPT_IsCertificateSelfSigned(cert))
+     !CRYPT_IsCertificateSelfSigned(cert, NULL))
    {
        PCCERT_CONTEXT issuer = CRYPT_GetIssuer(engine, world, cert, NULL, flags,
         &chain->rgpElement[chain->cElement - 1]->TrustStatus.dwInfoStatus);
--- a/dll/win32/crypt32/collectionstore.c
+++ b/dll/win32/crypt32/collectionstore.c
@ -15,7 +15,11 @@
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */
-
+#include <stdarg.h>
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "wine/debug.h"
 #include "crypt32_private.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
@ -160,7 +164,6 @@ static context_t *CRYPT_CollectionAdvanceEnum(WINE_COLLECTIONSTORE *store,
        Context_AddRef(child);
        child = contextFuncs->enumContext(storeEntry->store, child);
        Context_Release(prev);
-        prev = NULL;
    }
    else
    {
--- a/dll/win32/crypt32/context.c
+++ b/dll/win32/crypt32/context.c
@ -15,7 +15,12 @@
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */
-
+#include <assert.h>
+#include <stdarg.h>
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "wine/debug.h"
 #include "crypt32_private.h"

 WINE_DEFAULT_DEBUG_CHANNEL(context);
--- a/dll/win32/crypt32/crl.c
+++ b/dll/win32/crypt32/crl.c
@ -17,6 +17,14 @@
 *
 */

+#include <assert.h>
+#include <stdarg.h>
+#define NONAMELESSUNION
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "wine/debug.h"
+#include "wine/unicode.h"
 #include "crypt32_private.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
--- a/dll/win32/crypt32/crypt32.rc
+++ b/dll/win32/crypt32/crypt32.rc
@ -27,7 +27,7 @@
 #define WINE_PRODUCTVERSION 5,131,2600,1243
 #define WINE_PRODUCTVERSION_STR "5.131.2600.1243"

-#include <wine/wine_common_ver.rc>
+#include "wine/wine_common_ver.rc"

 /* UTF-8 */
 #pragma code_page(65001)
--- a/dll/win32/crypt32/crypt32.spec
+++ b/dll/win32/crypt32/crypt32.spec
@ -92,6 +92,7 @@
@ stdcall CertSetStoreProperty(ptr long long ptr)
@ stdcall CertStrToNameA(long str long ptr ptr ptr ptr)
@ stdcall CertStrToNameW(long wstr long ptr ptr ptr ptr)
+@ stdcall CertUnregisterPhysicalStore(ptr long wstr)
@ stdcall CertUnregisterSystemStore(ptr long)
@ stdcall CertVerifyCRLRevocation(long ptr long ptr)
@ stdcall CertVerifyCRLTimeValidity(ptr ptr)
--- a/dll/win32/crypt32/crypt32_private.h
+++ b/dll/win32/crypt32/crypt32_private.h
@ -19,36 +19,7 @@
 #ifndef __CRYPT32_PRIVATE_H__
 #define __CRYPT32_PRIVATE_H__

-#include <wine/config.h>
-#include <wine/port.h>
-
-#include <assert.h>
-#include <stdarg.h>
-#include <stdio.h>
-
-#define _INC_WINDOWS
-#define COM_NO_WINDOWS_H
-
-#define NONAMELESSUNION
-
-#include <windef.h>
-#include <winbase.h>
-#include <winuser.h>
-#include <winreg.h>
-#include <snmp.h>
-
-#define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS
-#define CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS
-#include <wincrypt.h>
-
-#include <mssip.h>
-
-#include <wine/unicode.h>
-#include <wine/list.h>
-#include <wine/exception.h>
-#include <wine/debug.h>
-
-#include "cryptres.h"
+#include "wine/list.h"

 /* a few asn.1 tags we need */
 #define ASN_BOOL            (ASN_UNIVERSAL | ASN_PRIMITIVE | 0x01)
@ -370,7 +341,7 @@ void CRYPT_ImportSystemRootCertsToReg(void) DECLSPEC_HIDDEN;
 BOOL CRYPT_SerializeContextsToReg(HKEY key, DWORD flags, const WINE_CONTEXT_INTERFACE *contextInterface,
    HCERTSTORE memStore) DECLSPEC_HIDDEN;

-BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert) DECLSPEC_HIDDEN;
+BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert, DWORD *type) DECLSPEC_HIDDEN;

 /* Allocates and initializes a certificate chain engine, but without creating
 * the root store.  Instead, it uses root, and assumes the caller has done any
@ -479,4 +450,4 @@ void init_empty_store(void) DECLSPEC_HIDDEN;
 */
 #define IS_INTOID(x)    (((ULONG_PTR)(x) >> 16) == 0)

-#endif /* __CRYPT32_PRIVATE_H__ */
+#endif
--- a/dll/win32/crypt32/cryptres.h
+++ b/dll/win32/crypt32/cryptres.h
@ -15,10 +15,11 @@
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */
-
 #ifndef __WINE_CRYPTRES_H__
 #define __WINE_CRYPTRES_H__

+#include <windef.h>
+
 #define IDS_AUTHORITY_KEY_ID 1000
 #define IDS_KEY_ATTRIBUTES 1001
 #define IDS_KEY_USAGE_RESTRICTION 1002
--- a/dll/win32/crypt32/ctl.c
+++ b/dll/win32/crypt32/ctl.c
@ -17,6 +17,13 @@
 *
 */

+#include <assert.h>
+#include <stdarg.h>
+
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "wine/debug.h"
 #include "crypt32_private.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
--- a/dll/win32/crypt32/decode.c
+++ b/dll/win32/crypt32/decode.c
@ -30,6 +30,23 @@
 * MSDN, especially "Constants for CryptEncodeObject and CryptDecodeObject"
 */

+#include "config.h"
+#include "wine/port.h"
+
+#include <assert.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#define NONAMELESSUNION
+
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "winnls.h"
+#include "snmp.h"
+#include "wine/debug.h"
+#include "wine/exception.h"
 #include "crypt32_private.h"

 /* This is a bit arbitrary, but to set some limit: */
@ -68,7 +85,7 @@ static BOOL CRYPT_AsnDecodeAlgorithmId(const BYTE *pbEncoded, DWORD cbEncoded,
 static BOOL CRYPT_AsnDecodeBool(const BYTE *pbEncoded, DWORD cbEncoded,
 DWORD dwFlags, void *pvStructInfo, DWORD *pcbStructInfo, DWORD *pcbDecoded);
 /* Assumes the CRYPT_DATA_BLOB's pbData member has been initialized */
-static BOOL CRYPT_AsnDecodeOctetsInternal(const BYTE *pbEncoded,
+static BOOL CRYPT_AsnDecodeOctets(const BYTE *pbEncoded,
 DWORD cbEncoded, DWORD dwFlags, void *pvStructInfo, DWORD *pcbStructInfo,
 DWORD *pcbDecoded);
 /* Doesn't check the tag, assumes the caller does so */
@ -462,6 +479,7 @@ static BOOL CRYPT_AsnDecodeSequence(struct AsnDecodeSequenceItem items[],
            {
                dataLen = cbEncoded;
                indefinite = TRUE;
+                lenBytes += 2;
            }
            else if (cbEncoded < dataLen)
            {
@ -1404,7 +1422,7 @@ static BOOL CRYPT_AsnDecodeExtension(const BYTE *pbEncoded, DWORD cbEncoded,
     { ASN_BOOL, offsetof(CERT_EXTENSION, fCritical), CRYPT_AsnDecodeBool,
       sizeof(BOOL), TRUE, FALSE, 0, 0 },
     { ASN_OCTETSTRING, offsetof(CERT_EXTENSION, Value),
-       CRYPT_AsnDecodeOctetsInternal, sizeof(CRYPT_OBJID_BLOB), FALSE, TRUE,
+       CRYPT_AsnDecodeOctets, sizeof(CRYPT_OBJID_BLOB), FALSE, TRUE,
       offsetof(CERT_EXTENSION, Value.pbData) },
    };
    BOOL ret = TRUE;
@ -2166,7 +2184,7 @@ static BOOL CRYPT_AsnDecodeCTLEntry(const BYTE *pbEncoded, DWORD cbEncoded,
 {
    struct AsnDecodeSequenceItem items[] = {
     { ASN_OCTETSTRING, offsetof(CTL_ENTRY, SubjectIdentifier),
-       CRYPT_AsnDecodeOctetsInternal, sizeof(CRYPT_DATA_BLOB), FALSE, TRUE,
+       CRYPT_AsnDecodeOctets, sizeof(CRYPT_DATA_BLOB), FALSE, TRUE,
       offsetof(CTL_ENTRY, SubjectIdentifier.pbData), 0 },
     { ASN_CONSTRUCTOR | ASN_SETOF, offsetof(CTL_ENTRY, cAttribute),
       CRYPT_AsnDecodeCTLEntryAttributes,
@ -2259,7 +2277,7 @@ static BOOL WINAPI CRYPT_AsnDecodeCTL(DWORD dwCertEncodingType,
           CRYPT_AsnDecodeCTLUsage, sizeof(CTL_USAGE), FALSE, TRUE,
           offsetof(CTL_INFO, SubjectUsage.rgpszUsageIdentifier), 0 },
         { ASN_OCTETSTRING, offsetof(CTL_INFO, ListIdentifier),
-           CRYPT_AsnDecodeOctetsInternal, sizeof(CRYPT_DATA_BLOB), TRUE,
+           CRYPT_AsnDecodeOctets, sizeof(CRYPT_DATA_BLOB), TRUE,
           TRUE, offsetof(CTL_INFO, ListIdentifier.pbData), 0 },
         { ASN_INTEGER, offsetof(CTL_INFO, SequenceNumber),
           CRYPT_AsnDecodeIntegerInternal, sizeof(CRYPT_INTEGER_BLOB),
@ -3120,11 +3138,11 @@ static BOOL WINAPI CRYPT_AsnDecodeAuthorityKeyId(DWORD dwCertEncodingType,
    {
        struct AsnDecodeSequenceItem items[] = {
         { ASN_CONTEXT | 0, offsetof(CERT_AUTHORITY_KEY_ID_INFO, KeyId),
-           CRYPT_AsnDecodeOctetsInternal, sizeof(CRYPT_DATA_BLOB),
+           CRYPT_AsnDecodeOctets, sizeof(CRYPT_DATA_BLOB),
           TRUE, TRUE, offsetof(CERT_AUTHORITY_KEY_ID_INFO, KeyId.pbData), 0 },
         { ASN_CONTEXT | ASN_CONSTRUCTOR| 1,
           offsetof(CERT_AUTHORITY_KEY_ID_INFO, CertIssuer),
-           CRYPT_AsnDecodeOctetsInternal, sizeof(CERT_NAME_BLOB), TRUE, TRUE,
+           CRYPT_AsnDecodeOctets, sizeof(CERT_NAME_BLOB), TRUE, TRUE,
           offsetof(CERT_AUTHORITY_KEY_ID_INFO, CertIssuer.pbData), 0 },
         { ASN_CONTEXT | 2, offsetof(CERT_AUTHORITY_KEY_ID_INFO,
           CertSerialNumber), CRYPT_AsnDecodeIntegerInternal,
@ -3155,7 +3173,7 @@ static BOOL WINAPI CRYPT_AsnDecodeAuthorityKeyId2(DWORD dwCertEncodingType,
    {
        struct AsnDecodeSequenceItem items[] = {
         { ASN_CONTEXT | 0, offsetof(CERT_AUTHORITY_KEY_ID2_INFO, KeyId),
-           CRYPT_AsnDecodeOctetsInternal, sizeof(CRYPT_DATA_BLOB),
+           CRYPT_AsnDecodeOctets, sizeof(CRYPT_DATA_BLOB),
           TRUE, TRUE, offsetof(CERT_AUTHORITY_KEY_ID2_INFO, KeyId.pbData), 0 },
         { ASN_CONTEXT | ASN_CONSTRUCTOR| 1,
           offsetof(CERT_AUTHORITY_KEY_ID2_INFO, AuthorityCertIssuer),
@ -3370,7 +3388,7 @@ BOOL CRYPT_AsnDecodePKCSDigestedData(const BYTE *pbEncoded, DWORD cbEncoded,
       sizeof(CRYPT_CONTENT_INFO), FALSE, TRUE, offsetof(CRYPT_DIGESTED_DATA,
       ContentInfo.pszObjId), 0 },
     { ASN_OCTETSTRING, offsetof(CRYPT_DIGESTED_DATA, hash),
-       CRYPT_AsnDecodeOctetsInternal, sizeof(CRYPT_HASH_BLOB), FALSE, TRUE,
+       CRYPT_AsnDecodeOctets, sizeof(CRYPT_HASH_BLOB), FALSE, TRUE,
       offsetof(CRYPT_DIGESTED_DATA, hash.pbData), 0 },
    };

@ -4062,7 +4080,7 @@ static BOOL WINAPI CRYPT_AsnDecodeRsaPrivKey(DWORD dwCertEncodingType,
    return ret;
 }

-static BOOL CRYPT_AsnDecodeOctetsInternal(const BYTE *pbEncoded,
+static BOOL CRYPT_AsnDecodeOctets(const BYTE *pbEncoded,
 DWORD cbEncoded, DWORD dwFlags, void *pvStructInfo, DWORD *pcbStructInfo,
 DWORD *pcbDecoded)
 {
@ -4111,7 +4129,99 @@ static BOOL CRYPT_AsnDecodeOctetsInternal(const BYTE *pbEncoded,
    return ret;
 }

-static BOOL WINAPI CRYPT_AsnDecodeOctets(DWORD dwCertEncodingType,
+static BOOL CRYPT_AsnDecodeOctetStringInternal(const BYTE *encoded, DWORD encoded_size,
+    DWORD flags, void *buf, DWORD *buf_size, DWORD *ret_decoded)
+{
+    DWORD decoded = 0, indefinite_len_depth = 0, len_size, len, bytes_needed;
+    CRYPT_DATA_BLOB *blob;
+    const BYTE *string;
+
+    while (encoded[0] == (ASN_CONSTRUCTOR | ASN_OCTETSTRING))
+    {
+        if (!CRYPT_GetLengthIndefinite(encoded, encoded_size, &len))
+            return FALSE;
+
+        len_size = GET_LEN_BYTES(encoded[1]);
+        encoded += 1 + len_size;
+        encoded_size -= 1 + len_size;
+        decoded += 1 + len_size;
+
+        if (len == CMSG_INDEFINITE_LENGTH)
+        {
+            indefinite_len_depth++;
+            if (encoded_size < 2)
+            {
+                SetLastError(CRYPT_E_ASN1_EOD);
+                return FALSE;
+            }
+            encoded_size -= 2;
+            decoded += 2;
+        }
+    }
+
+    if (encoded[0] != ASN_OCTETSTRING)
+    {
+        WARN("Unexpected tag %02x\n", encoded[0]);
+        SetLastError(CRYPT_E_ASN1_BADTAG);
+        return FALSE;
+    }
+
+    if (!CRYPT_GetLen(encoded, encoded_size, &len))
+        return FALSE;
+    len_size = GET_LEN_BYTES(encoded[1]);
+    decoded += 1 + len_size + len;
+    encoded_size -= 1 + len_size;
+
+    if (len > encoded_size)
+    {
+        SetLastError(CRYPT_E_ASN1_EOD);
+        return FALSE;
+    }
+    if (ret_decoded)
+        *ret_decoded = decoded;
+
+    encoded += 1 + len_size;
+    string = encoded;
+    encoded += len;
+
+    while (indefinite_len_depth--)
+    {
+        if (encoded[0] || encoded[1])
+        {
+            TRACE("expected 0 TLV, got %02x %02x\n", encoded[0], encoded[1]);
+            SetLastError(CRYPT_E_ASN1_CORRUPT);
+            return FALSE;
+        }
+    }
+
+    bytes_needed = sizeof(*blob);
+    if (!(flags & CRYPT_DECODE_NOCOPY_FLAG)) bytes_needed += len;
+    if (!buf)
+    {
+        *buf_size = bytes_needed;
+        return TRUE;
+    }
+    if (*buf_size < bytes_needed)
+    {
+        SetLastError(ERROR_MORE_DATA);
+        *buf_size = bytes_needed;
+        return FALSE;
+    }
+
+    *buf_size = bytes_needed;
+    blob = buf;
+    blob->cbData = len;
+    if (flags & CRYPT_DECODE_NOCOPY_FLAG)
+        blob->pbData = (BYTE*)string;
+    else if (blob->cbData)
+        memcpy(blob->pbData, string, blob->cbData);
+
+    if (ret_decoded)
+        *ret_decoded = decoded;
+    return TRUE;
+}
+
+static BOOL WINAPI CRYPT_AsnDecodeOctetString(DWORD dwCertEncodingType,
 LPCSTR lpszStructType, const BYTE *pbEncoded, DWORD cbEncoded, DWORD dwFlags,
 PCRYPT_DECODE_PARA pDecodePara, void *pvStructInfo, DWORD *pcbStructInfo)
 {
@ -4120,21 +4230,17 @@ static BOOL WINAPI CRYPT_AsnDecodeOctets(DWORD dwCertEncodingType,
    TRACE("%p, %d, %08x, %p, %p, %d\n", pbEncoded, cbEncoded, dwFlags,
     pDecodePara, pvStructInfo, *pcbStructInfo);

+    if (!cbEncoded)
+    {
+        SetLastError(CRYPT_E_ASN1_CORRUPT);
+        return FALSE;
+    }
+
    __TRY
    {
        DWORD bytesNeeded = 0;

-        if (!cbEncoded)
-        {
-            SetLastError(CRYPT_E_ASN1_CORRUPT);
-            ret = FALSE;
-        }
-        else if (pbEncoded[0] != ASN_OCTETSTRING)
-        {
-            SetLastError(CRYPT_E_ASN1_BADTAG);
-            ret = FALSE;
-        }
-        else if ((ret = CRYPT_AsnDecodeOctetsInternal(pbEncoded, cbEncoded,
+        if ((ret = CRYPT_AsnDecodeOctetStringInternal(pbEncoded, cbEncoded,
         dwFlags & ~CRYPT_DECODE_ALLOC_FLAG, NULL, &bytesNeeded, NULL)))
        {
            if (!pvStructInfo)
@ -4148,7 +4254,7 @@ static BOOL WINAPI CRYPT_AsnDecodeOctets(DWORD dwCertEncodingType,
                    pvStructInfo = *(BYTE **)pvStructInfo;
                blob = pvStructInfo;
                blob->pbData = (BYTE *)pvStructInfo + sizeof(CRYPT_DATA_BLOB);
-                ret = CRYPT_AsnDecodeOctetsInternal(pbEncoded, cbEncoded,
+                ret = CRYPT_AsnDecodeOctetStringInternal(pbEncoded, cbEncoded,
                 dwFlags & ~CRYPT_DECODE_ALLOC_FLAG, pvStructInfo,
                 &bytesNeeded, NULL);
                if (!ret && (dwFlags & CRYPT_DECODE_ALLOC_FLAG))
@ -5467,7 +5573,7 @@ static BOOL CRYPT_AsnDecodePKCSSignerInfoInternal(const BYTE *pbEncoded,
       FALSE, TRUE, offsetof(CMSG_SIGNER_INFO,
       HashEncryptionAlgorithm.pszObjId), 0 },
     { ASN_OCTETSTRING, offsetof(CMSG_SIGNER_INFO, EncryptedHash),
-       CRYPT_AsnDecodeOctetsInternal, sizeof(CRYPT_DER_BLOB),
+       CRYPT_AsnDecodeOctets, sizeof(CRYPT_DER_BLOB),
       FALSE, TRUE, offsetof(CMSG_SIGNER_INFO, EncryptedHash.pbData), 0 },
     { ASN_CONSTRUCTOR | ASN_CONTEXT | 1,
       offsetof(CMSG_SIGNER_INFO, UnauthAttrs),
@ -5592,7 +5698,7 @@ static BOOL CRYPT_AsnDecodeCMSSignerId(const BYTE *pbEncoded,
    }
    else if (*pbEncoded == (ASN_CONTEXT | 0))
    {
-        ret = CRYPT_AsnDecodeOctetsInternal(pbEncoded, cbEncoded, dwFlags,
+        ret = CRYPT_AsnDecodeOctets(pbEncoded, cbEncoded, dwFlags,
         id ? &id->u.KeyId : NULL, pcbStructInfo, pcbDecoded);
        if (ret)
        {
@ -5636,7 +5742,7 @@ static BOOL CRYPT_AsnDecodeCMSSignerInfoInternal(const BYTE *pbEncoded,
       FALSE, TRUE, offsetof(CMSG_CMS_SIGNER_INFO,
       HashEncryptionAlgorithm.pszObjId), 0 },
     { ASN_OCTETSTRING, offsetof(CMSG_CMS_SIGNER_INFO, EncryptedHash),
-       CRYPT_AsnDecodeOctetsInternal, sizeof(CRYPT_DER_BLOB),
+       CRYPT_AsnDecodeOctets, sizeof(CRYPT_DER_BLOB),
       FALSE, TRUE, offsetof(CMSG_CMS_SIGNER_INFO, EncryptedHash.pbData), 0 },
     { ASN_CONSTRUCTOR | ASN_CONTEXT | 1,
       offsetof(CMSG_CMS_SIGNER_INFO, UnauthAttrs),
@ -5774,7 +5880,7 @@ static BOOL CRYPT_AsnDecodeRecipientInfo(const BYTE *pbEncoded, DWORD cbEncoded,
       offsetof(CMSG_KEY_TRANS_RECIPIENT_INFO,
       KeyEncryptionAlgorithm.pszObjId), 0 },
     { ASN_OCTETSTRING, offsetof(CMSG_KEY_TRANS_RECIPIENT_INFO, EncryptedKey),
-       CRYPT_AsnDecodeOctetsInternal, sizeof(CRYPT_DATA_BLOB), FALSE, TRUE,
+       CRYPT_AsnDecodeOctets, sizeof(CRYPT_DATA_BLOB), FALSE, TRUE,
       offsetof(CMSG_KEY_TRANS_RECIPIENT_INFO, EncryptedKey.pbData), 0 },
    };

@ -5830,7 +5936,7 @@ static BOOL CRYPT_AsnDecodeEncryptedContentInfo(const BYTE *pbEncoded,
       offsetof(CRYPT_ENCRYPTED_CONTENT_INFO,
       contentEncryptionAlgorithm.pszObjId), 0 },
     { ASN_CONTEXT | 0, offsetof(CRYPT_ENCRYPTED_CONTENT_INFO,
-       encryptedContent), CRYPT_AsnDecodeOctetsInternal,
+       encryptedContent), CRYPT_AsnDecodeOctets,
       sizeof(CRYPT_DATA_BLOB), TRUE, TRUE,
       offsetof(CRYPT_ENCRYPTED_CONTENT_INFO, encryptedContent.pbData) },
    };
@ -5873,6 +5979,75 @@ BOOL CRYPT_AsnDecodePKCSEnvelopedData(const BYTE *pbEncoded, DWORD cbEncoded,
    return ret;
 }

+static BOOL WINAPI CRYPT_AsnDecodeObjectIdentifier(DWORD dwCertEncodingType,
+ LPCSTR lpszStructType, const BYTE *pbEncoded, DWORD cbEncoded, DWORD dwFlags,
+ PCRYPT_DECODE_PARA pDecodePara, void *pvStructInfo, DWORD *pcbStructInfo)
+{
+    DWORD bytesNeeded = 0;
+    BOOL ret;
+
+    __TRY
+    {
+        ret = CRYPT_AsnDecodeOidInternal(pbEncoded, cbEncoded, dwFlags & ~CRYPT_DECODE_ALLOC_FLAG,
+                                         NULL, &bytesNeeded, NULL);
+        if (ret)
+        {
+            if (!pvStructInfo)
+                *pcbStructInfo = bytesNeeded;
+            else if ((ret = CRYPT_DecodeEnsureSpace(dwFlags, pDecodePara, pvStructInfo, pcbStructInfo, bytesNeeded)))
+            {
+                LPSTR *info;
+
+                if (dwFlags & CRYPT_DECODE_ALLOC_FLAG)
+                    pvStructInfo = *(BYTE **)pvStructInfo;
+
+                info = pvStructInfo;
+                *info = (void *)((BYTE *)info + sizeof(*info));
+                ret = CRYPT_AsnDecodeOidInternal(pbEncoded, cbEncoded, dwFlags & ~CRYPT_DECODE_ALLOC_FLAG,
+                                                 pvStructInfo, &bytesNeeded, NULL);
+                if (!ret && (dwFlags & CRYPT_DECODE_ALLOC_FLAG))
+                    CRYPT_FreeSpace(pDecodePara, info);
+            }
+        }
+    }
+    __EXCEPT_PAGE_FAULT
+    {
+        SetLastError(STATUS_ACCESS_VIOLATION);
+        ret = FALSE;
+    }
+    __ENDTRY
+    return ret;
+}
+
+static BOOL WINAPI CRYPT_AsnDecodeEccSignature(DWORD dwCertEncodingType,
+ LPCSTR lpszStructType, const BYTE *pbEncoded, DWORD cbEncoded, DWORD dwFlags,
+ PCRYPT_DECODE_PARA pDecodePara, void *pvStructInfo, DWORD *pcbStructInfo)
+{
+    BOOL ret;
+    struct AsnDecodeSequenceItem items[] = {
+     { ASN_INTEGER, offsetof(CERT_ECC_SIGNATURE, r),
+       CRYPT_AsnDecodeUnsignedIntegerInternal, sizeof(CRYPT_UINT_BLOB), FALSE,
+       TRUE, offsetof(CERT_ECC_SIGNATURE, r.pbData), 0 },
+     { ASN_INTEGER, offsetof(CERT_ECC_SIGNATURE, s),
+       CRYPT_AsnDecodeUnsignedIntegerInternal, sizeof(CRYPT_UINT_BLOB), FALSE,
+       TRUE, offsetof(CERT_ECC_SIGNATURE, s.pbData), 0 },
+    };
+
+    __TRY
+    {
+        ret = CRYPT_AsnDecodeSequence(items, sizeof(items) / sizeof(items[0]),
+         pbEncoded, cbEncoded, dwFlags, pDecodePara, pvStructInfo,
+         pcbStructInfo, NULL, NULL);
+    }
+    __EXCEPT_PAGE_FAULT
+    {
+        SetLastError(STATUS_ACCESS_VIOLATION);
+        ret = FALSE;
+    }
+    __ENDTRY
+    return ret;
+}
+
 static CryptDecodeObjectExFunc CRYPT_GetBuiltinDecoder(DWORD dwCertEncodingType,
 LPCSTR lpszStructType)
 {
@ -5940,7 +6115,7 @@ static CryptDecodeObjectExFunc CRYPT_GetBuiltinDecoder(DWORD dwCertEncodingType,
            decodeFunc = CRYPT_AsnDecodeUnicodeNameValue;
            break;
        case LOWORD(X509_OCTET_STRING):
-            decodeFunc = CRYPT_AsnDecodeOctets;
+            decodeFunc = CRYPT_AsnDecodeOctetString;
            break;
        case LOWORD(X509_BITS):
        case LOWORD(X509_KEY_USAGE):
@ -6012,6 +6187,12 @@ static CryptDecodeObjectExFunc CRYPT_GetBuiltinDecoder(DWORD dwCertEncodingType,
        case LOWORD(CMS_SIGNER_INFO):
            decodeFunc = CRYPT_AsnDecodeCMSSignerInfo;
            break;
+        case LOWORD(X509_OBJECT_IDENTIFIER):
+            decodeFunc = CRYPT_AsnDecodeObjectIdentifier;
+            break;
+        case LOWORD(X509_ECC_SIGNATURE):
+            decodeFunc = CRYPT_AsnDecodeEccSignature;
+            break;
        }
    }
    else if (!strcmp(lpszStructType, szOID_CERT_EXTENSIONS))
@ -6031,7 +6212,7 @@ static CryptDecodeObjectExFunc CRYPT_GetBuiltinDecoder(DWORD dwCertEncodingType,
    else if (!strcmp(lpszStructType, szOID_KEY_USAGE))
        decodeFunc = CRYPT_AsnDecodeBits;
    else if (!strcmp(lpszStructType, szOID_SUBJECT_KEY_IDENTIFIER))
-        decodeFunc = CRYPT_AsnDecodeOctets;
+        decodeFunc = CRYPT_AsnDecodeOctetString;
    else if (!strcmp(lpszStructType, szOID_BASIC_CONSTRAINTS))
        decodeFunc = CRYPT_AsnDecodeBasicConstraints;
    else if (!strcmp(lpszStructType, szOID_BASIC_CONSTRAINTS2))
@ -6066,6 +6247,8 @@ static CryptDecodeObjectExFunc CRYPT_GetBuiltinDecoder(DWORD dwCertEncodingType,
        decodeFunc = CRYPT_AsnDecodePolicyQualifierUserNotice;
    else if (!strcmp(lpszStructType, szOID_CTL))
        decodeFunc = CRYPT_AsnDecodeCTL;
+    else if (!strcmp(lpszStructType, szOID_ECC_PUBLIC_KEY))
+        decodeFunc = CRYPT_AsnDecodeObjectIdentifier;
    return decodeFunc;
 }

--- a/dll/win32/crypt32/encode.c
+++ b/dll/win32/crypt32/encode.c
@ -30,6 +30,23 @@
 * MSDN, especially "Constants for CryptEncodeObject and CryptDecodeObject"
 */

+#include "config.h"
+#include "wine/port.h"
+
+#include <assert.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#define NONAMELESSUNION
+
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "snmp.h"
+#include "wine/debug.h"
+#include "wine/exception.h"
+#include "wine/unicode.h"
 #include "crypt32_private.h"

 WINE_DEFAULT_DEBUG_CHANNEL(cryptasn);
--- a/dll/win32/crypt32/filestore.c
+++ b/dll/win32/crypt32/filestore.c
@ -15,7 +15,13 @@
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */
-
+#include <stdarg.h>
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "winnls.h"
+#include "wine/debug.h"
+#include "wine/unicode.h"
 #include "crypt32_private.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
--- a/dll/win32/crypt32/main.c
+++ b/dll/win32/crypt32/main.c
@ -17,9 +17,18 @@
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */

-#include "crypt32_private.h"
+#include "config.h"
+#include <stdarg.h>
+#include <stdio.h>

+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "winreg.h"
+#include "winuser.h"
 #include "i_cryptasn1tls.h"
+#include "crypt32_private.h"
+#include "wine/debug.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);

--- a/dll/win32/crypt32/message.c
+++ b/dll/win32/crypt32/message.c
@ -16,7 +16,12 @@
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */

-#include "crypt32_private.h"
+#include <stdarg.h>
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+
+#include "wine/debug.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);

--- a/dll/win32/crypt32/msg.c
+++ b/dll/win32/crypt32/msg.c
@ -16,6 +16,18 @@
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */

+#include "config.h"
+#include "wine/port.h"
+
+#include <stdarg.h>
+#define NONAMELESSUNION
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "snmp.h"
+
+#include "wine/debug.h"
+#include "wine/exception.h"
 #include "crypt32_private.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
@ -2715,12 +2727,10 @@ static BOOL CRYPT_CopySignerInfo(void *pvData, DWORD *pcbData,
    size += CRYPT_SizeOfAttributes(&in->UnauthAttrs);
    if (!pvData)
    {
-        *pcbData = size;
        ret = TRUE;
    }
    else if (*pcbData < size)
    {
-        *pcbData = size;
        SetLastError(ERROR_MORE_DATA);
        ret = FALSE;
    }
@ -2753,6 +2763,7 @@ static BOOL CRYPT_CopySignerInfo(void *pvData, DWORD *pcbData,
            CRYPT_CopyAttributes(&out->UnauthAttrs, &in->UnauthAttrs, &nextData);
        }
    }
+    *pcbData = size;
    TRACE("returning %d\n", ret);
    return ret;
 }
--- a/dll/win32/crypt32/object.c
+++ b/dll/win32/crypt32/object.c
@ -17,10 +17,18 @@
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */
-
+#include <stdarg.h>
+#define NONAMELESSUNION
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "mssip.h"
+#include "winuser.h"
+#include "wintrust.h"
 #include "crypt32_private.h"
-
-#include <wintrust.h>
+#include "cryptres.h"
+#include "wine/unicode.h"
+#include "wine/debug.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);

--- a/dll/win32/crypt32/oid.c
+++ b/dll/win32/crypt32/oid.c
@ -17,7 +17,22 @@
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */

+#include "config.h"
+#include "wine/port.h"
+
+#include <stdio.h>
+#include <stdarg.h>
+#define NONAMELESSUNION
+#include "windef.h"
+#include "winbase.h"
+#define CRYPT_OID_INFO_HAS_EXTRA_FIELDS
+#include "wincrypt.h"
+#include "winreg.h"
+#include "winuser.h"
+#include "wine/debug.h"
+#include "wine/list.h"
 #include "crypt32_private.h"
+#include "cryptres.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);

@ -1066,6 +1081,8 @@ static const WCHAR sha384RSA[] = { 's','h','a','3','8','4','R','S','A',0 };
 static const WCHAR sha512RSA[] = { 's','h','a','5','1','2','R','S','A',0 };
 static const WCHAR mosaicUpdatedSig[] =
 { 'm','o','s','a','i','c','U','p','d','a','t','e','d','S','i','g',0 };
+static const WCHAR sha256ECDSA[] = { 's','h','a','2','5','6','E','C','D','S','A',0 };
+static const WCHAR sha384ECDSA[] = { 's','h','a','3','8','4','E','C','D','S','A',0 };
 static const WCHAR CN[] = { 'C','N',0 };
 static const WCHAR L[] = { 'L',0 };
 static const WCHAR O[] = { 'O',0 };
@ -1112,12 +1129,16 @@ static const DWORD dssSign[2] = { CALG_DSS_SIGN,
 static const DWORD mosaicSign[2] = { CALG_DSS_SIGN,
 CRYPT_OID_INHIBIT_SIGNATURE_FORMAT_FLAG |
 CRYPT_OID_NO_NULL_ALGORITHM_PARA_FLAG };
+static const DWORD ecdsaSign[2] = { CALG_OID_INFO_PARAMETERS,
+ CRYPT_OID_NO_NULL_ALGORITHM_PARA_FLAG };
 static const CRYPT_DATA_BLOB rsaSignBlob = { sizeof(rsaSign),
 (LPBYTE)&rsaSign };
 static const CRYPT_DATA_BLOB dssSignBlob = { sizeof(dssSign),
 (LPBYTE)dssSign };
 static const CRYPT_DATA_BLOB mosaicSignBlob = { sizeof(mosaicSign),
 (LPBYTE)mosaicSign };
+static const CRYPT_DATA_BLOB ecdsaSignBlob = { sizeof(ecdsaSign),
+ (LPBYTE)ecdsaSign };

 static const DWORD ia5String[] = { CERT_RDN_IA5_STRING, 0 };
 static const DWORD numericString[] = { CERT_RDN_NUMERIC_STRING, 0 };
@ -1139,6 +1160,8 @@ static const struct OIDInfoConstructor {
    UINT    Algid;
    LPCWSTR pwszName;
    const CRYPT_DATA_BLOB *blob;
+    LPCWSTR pwszCNGAlgid;
+    LPCWSTR pwszCNGExtraAlgid;
 } oidInfoConstructors[] = {
 { 1, szOID_OIWSEC_sha1,               CALG_SHA1,     sha1, NULL },
 { 1, szOID_OIWSEC_sha1,               CALG_SHA1,     sha, NULL },
@ -1146,6 +1169,7 @@ static const struct OIDInfoConstructor {
 { 1, szOID_RSA_MD5,                   CALG_MD5,      md5, NULL },
 { 1, szOID_RSA_MD4,                   CALG_MD4,      md4, NULL },
 { 1, szOID_RSA_MD2,                   CALG_MD2,      md2, NULL },
+ /* NOTE: Windows Vista+ uses -1 instead of CALG_SHA_* following SHA entries. */
 { 1, szOID_NIST_sha256,               CALG_SHA_256,  sha256, NULL },
 { 1, szOID_NIST_sha384,               CALG_SHA_384,  sha384, NULL },
 { 1, szOID_NIST_sha512,               CALG_SHA_512,  sha512, NULL },
@ -1193,6 +1217,10 @@ static const struct OIDInfoConstructor {
 { 4, szOID_OIWSEC_dsaSHA1,            CALG_SHA1,     dsaSHA1, &dssSignBlob },
 { 4, szOID_INFOSEC_mosaicUpdatedSig,  CALG_SHA1,     mosaicUpdatedSig,
   &mosaicSignBlob },
+ { 4, szOID_ECDSA_SHA256,              CALG_OID_INFO_CNG_ONLY, sha256ECDSA, &ecdsaSignBlob,
+   BCRYPT_SHA256_ALGORITHM, CRYPT_OID_INFO_ECC_PARAMETERS_ALGORITHM },
+ { 4, szOID_ECDSA_SHA384,              CALG_OID_INFO_CNG_ONLY, sha384ECDSA, &ecdsaSignBlob,
+   BCRYPT_SHA384_ALGORITHM, CRYPT_OID_INFO_ECC_PARAMETERS_ALGORITHM },

 { 5, szOID_COMMON_NAME,              0, CN, NULL },
 { 5, szOID_LOCALITY_NAME,            0, L, NULL },
@ -1408,6 +1436,8 @@ static void init_oid_info(void)
                    info->info.ExtraInfo.pbData =
                     oidInfoConstructors[i].blob->pbData;
                }
+                info->info.pwszCNGAlgid = oidInfoConstructors[i].pwszCNGAlgid;
+                info->info.pwszCNGExtraAlgid = oidInfoConstructors[i].pwszCNGExtraAlgid;
                list_add_tail(&oidInfo, &info->entry);
            }
        }
@ -1440,6 +1470,8 @@ static void init_oid_info(void)
                        info->info.ExtraInfo.pbData =
                         oidInfoConstructors[i].blob->pbData;
                    }
+                    info->info.pwszCNGAlgid = oidInfoConstructors[i].pwszCNGAlgid;
+                    info->info.pwszCNGExtraAlgid = oidInfoConstructors[i].pwszCNGExtraAlgid;
                    list_add_tail(&oidInfo, &info->entry);
                }
            }
--- a/dll/win32/crypt32/precomp.h
+++ b/dll/win32/crypt32/precomp.h
@ -0,0 +1,40 @@
+
+#ifndef __CRYPT32_PRECOMP_H__
+#define __CRYPT32_PRECOMP_H__
+
+#include <wine/config.h>
+#include <wine/port.h>
+
+#include <assert.h>
+#include <stdarg.h>
+#include <stdio.h>
+
+#define _INC_WINDOWS
+#define COM_NO_WINDOWS_H
+
+#define NONAMELESSUNION
+
+#include <ntstatus.h>
+#define WIN32_NO_STATUS
+#include <windef.h>
+#include <winbase.h>
+#include <wine/winternl.h>
+#include <winuser.h>
+#include <winreg.h>
+#include <snmp.h>
+
+#define CERT_CHAIN_PARA_HAS_EXTRA_FIELDS
+#define CERT_REVOCATION_PARA_HAS_EXTRA_FIELDS
+#define CRYPT_OID_INFO_HAS_EXTRA_FIELDS
+#include <wincrypt.h>
+
+#include <mssip.h>
+
+#include <wine/unicode.h>
+#include <wine/exception.h>
+#include <wine/debug.h>
+
+#include "crypt32_private.h"
+#include "cryptres.h"
+
+#endif /* !__CRYPT32_PRECOMP_H__ */
--- a/dll/win32/crypt32/proplist.c
+++ b/dll/win32/crypt32/proplist.c
@ -15,7 +15,13 @@
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */
-
+#include <assert.h>
+#include <stdarg.h>
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "wine/debug.h"
+#include "wine/list.h"
 #include "crypt32_private.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
--- a/dll/win32/crypt32/protectdata.c
+++ b/dll/win32/crypt32/protectdata.c
@ -34,7 +34,15 @@
 *
 */

-#include "crypt32_private.h"
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "wine/debug.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);

--- a/dll/win32/crypt32/provstore.c
+++ b/dll/win32/crypt32/provstore.c
@ -16,6 +16,13 @@
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */

+#include <stdarg.h>
+#include <assert.h>
+
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "wine/debug.h"
 #include "crypt32_private.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
--- a/dll/win32/crypt32/regstore.c
+++ b/dll/win32/crypt32/regstore.c
@ -15,11 +15,16 @@
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */
-
+#include <assert.h>
+#include <stdarg.h>
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "winreg.h"
+#include "winuser.h"
+#include "wine/debug.h"
 #include "crypt32_private.h"

-#include <shlwapi.h>
-
 WINE_DEFAULT_DEBUG_CHANNEL(crypt);

 typedef struct _WINE_HASH_TO_DELETE
--- a/dll/win32/crypt32/rootstore.c
+++ b/dll/win32/crypt32/rootstore.c
@ -15,9 +15,9 @@
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */
-
-#include "crypt32_private.h"
-
+#include "config.h"
+#include <stdarg.h>
+#include <stdio.h>
 #include <sys/types.h>
 #ifdef HAVE_SYS_STAT_H
 #include <sys/stat.h>
@ -34,6 +34,15 @@
 #ifdef HAVE_SECURITY_SECURITY_H
 #include <Security/Security.h>
 #endif
+#include "ntstatus.h"
+#define WIN32_NO_STATUS
+#include "windef.h"
+#include "winbase.h"
+#include "winreg.h"
+#include "wincrypt.h"
+#include "wine/winternl.h"
+#include "wine/debug.h"
+#include "crypt32_private.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);

--- a/dll/win32/crypt32/serialize.c
+++ b/dll/win32/crypt32/serialize.c
@ -16,6 +16,15 @@
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */

+#include "config.h"
+#include "wine/port.h"
+
+#include <stdarg.h>
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "wine/debug.h"
+#include "wine/exception.h"
 #include "crypt32_private.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
--- a/dll/win32/crypt32/sip.c
+++ b/dll/win32/crypt32/sip.c
@ -18,7 +18,19 @@
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */

-#include "crypt32_private.h"
+#include <stdarg.h>
+#include <stdio.h>
+
+#include "windef.h"
+#include "winbase.h"
+#include "wincrypt.h"
+#include "winreg.h"
+#include "winnls.h"
+#include "mssip.h"
+#include "winuser.h"
+
+#include "wine/debug.h"
+#include "wine/list.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);

--- a/dll/win32/crypt32/store.c
+++ b/dll/win32/crypt32/store.c
@ -23,6 +23,19 @@
 * - Many flags, options and whatnot are unimplemented.
 */

+#include "config.h"
+#include "wine/port.h"
+
+#include <assert.h>
+#include <stdarg.h>
+#include "windef.h"
+#include "winbase.h"
+#include "winnls.h"
+#include "winreg.h"
+#include "winuser.h"
+#include "wincrypt.h"
+#include "wine/debug.h"
+#include "wine/exception.h"
 #include "crypt32_private.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);
@ -1371,6 +1384,13 @@ BOOL WINAPI CertRegisterPhysicalStore(const void *pvSystemStore, DWORD dwFlags,
    return FALSE;
 }

+BOOL WINAPI CertUnregisterPhysicalStore(const void *pvSystemStore, DWORD dwFlags,
+ LPCWSTR pwszStoreName)
+{
+    FIXME("(%p, %08x, %s): stub\n", pvSystemStore, dwFlags, debugstr_w(pwszStoreName));
+    return TRUE;
+}
+
 BOOL WINAPI CertRegisterSystemStore(const void *pvSystemStore, DWORD dwFlags,
  PCERT_SYSTEM_STORE_INFO pStoreInfo, void *pvReserved)
 {
@ -1394,7 +1414,7 @@ BOOL WINAPI CertRegisterSystemStore(const void *pvSystemStore, DWORD dwFlags,
    return FALSE;
 }

-BOOL WINAPI CertUnregisterSystemStore(void *pvSystemStore, DWORD dwFlags)
+BOOL WINAPI CertUnregisterSystemStore(const void *pvSystemStore, DWORD dwFlags)
 {
    HCERTSTORE hstore;

--- a/dll/win32/crypt32/str.c
+++ b/dll/win32/crypt32/str.c
@ -15,8 +15,17 @@
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */
+#include <stdarg.h>

-#include "crypt32_private.h"
+#define NONAMELESSUNION
+
+#include "windef.h"
+#include "winbase.h"
+#include "winnls.h"
+#include "winuser.h"
+#include "wincrypt.h"
+#include "wine/debug.h"
+#include "wine/unicode.h"

 WINE_DEFAULT_DEBUG_CHANNEL(crypt);

--- a/media/doc/README.WINE
+++ b/media/doc/README.WINE
@ -58,7 +58,7 @@ reactos/dll/win32/comctl32            # Synced to WineStaging-2.16
 reactos/dll/win32/comdlg32            # Synced to WineStaging-2.16
 reactos/dll/win32/compstui            # Synced to WineStaging-2.9
 reactos/dll/win32/credui              # Synced to WineStaging-2.9
-reactos/dll/win32/crypt32             # Synced to WineStaging-2.16
+reactos/dll/win32/crypt32             # Synced to WineStaging-3.3
 reactos/dll/win32/cryptdlg            # Synced to WineStaging-2.9
 reactos/dll/win32/cryptdll            # Synced to WineStaging-2.9
 reactos/dll/win32/cryptnet            # Synced to WineStaging-2.9
--- a/sdk/include/psdk/bcrypt.h
+++ b/sdk/include/psdk/bcrypt.h
@ -58,6 +58,14 @@ typedef NTSTATUS *PNTSTATUS;
 #define BCRYPT_PROVIDER_HANDLE L"ProviderHandle"
 #define BCRYPT_SIGNATURE_LENGTH L"SignatureLength"

+#define BCRYPT_OPAQUE_KEY_BLOB   L"OpaqueKeyBlob"
+#define BCRYPT_KEY_DATA_BLOB     L"KeyDataBlob"
+#define BCRYPT_AES_WRAP_KEY_BLOB L"Rfc3565KeyWrapBlob"
+#define BCRYPT_ECCPUBLIC_BLOB    L"ECCPUBLICBLOB"
+#define BCRYPT_ECCPRIVATE_BLOB   L"ECCPRIVATEBLOB"
+#define BCRYPT_RSAPUBLIC_BLOB    L"RSAPUBLICBLOB"
+#define BCRYPT_RSAPRIVATE_BLOB   L"RSAPRIVATEBLOB"
+
 #define MS_PRIMITIVE_PROVIDER L"Microsoft Primitive Provider"
 #define MS_PLATFORM_CRYPTO_PROVIDER L"Microsoft Platform Crypto Provider"

@ -67,6 +75,16 @@ typedef NTSTATUS *PNTSTATUS;
 #define BCRYPT_SHA256_ALGORITHM     L"SHA256"
 #define BCRYPT_SHA384_ALGORITHM     L"SHA384"
 #define BCRYPT_SHA512_ALGORITHM     L"SHA512"
+#define BCRYPT_ECDSA_P256_ALGORITHM L"ECDSA_P256"
+#define BCRYPT_ECDSA_P384_ALGORITHM L"ECDSA_P384"
+#define BCRYPT_ECDSA_P521_ALGORITHM L"ECDSA_P521"
+
+#define BCRYPT_ECDSA_PUBLIC_P256_MAGIC  0x31534345
+#define BCRYPT_ECDSA_PRIVATE_P256_MAGIC 0x32534345
+#define BCRYPT_ECDSA_PUBLIC_P384_MAGIC  0x33534345
+#define BCRYPT_ECDSA_PRIVATE_P384_MAGIC 0x34534345
+#define BCRYPT_ECDSA_PUBLIC_P521_MAGIC  0x35534345
+#define BCRYPT_ECDSA_PRIVATE_P521_MAGIC 0x36534345

 typedef struct _BCRYPT_ALGORITHM_IDENTIFIER
 {
@ -75,7 +93,77 @@ typedef struct _BCRYPT_ALGORITHM_IDENTIFIER
    ULONG  dwFlags;
 } BCRYPT_ALGORITHM_IDENTIFIER;

+typedef struct __BCRYPT_KEY_LENGTHS_STRUCT
+{
+    ULONG dwMinLength;
+    ULONG dwMaxLength;
+    ULONG dwIncrement;
+} BCRYPT_KEY_LENGTHS_STRUCT, BCRYPT_AUTH_TAG_LENGTHS_STRUCT;
+
+typedef struct _BCRYPT_KEY_DATA_BLOB_HEADER
+{
+    ULONG dwMagic;
+    ULONG dwVersion;
+    ULONG cbKeyData;
+} BCRYPT_KEY_DATA_BLOB_HEADER, *PBCRYPT_KEY_DATA_BLOB_HEADER;
+
+typedef struct _BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO
+{
+    ULONG cbSize;
+    ULONG dwInfoVersion;
+    UCHAR *pbNonce;
+    ULONG cbNonce;
+    UCHAR *pbAuthData;
+    ULONG cbAuthData;
+    UCHAR *pbTag;
+    ULONG cbTag;
+    UCHAR *pbMacContext;
+    ULONG cbMacContext;
+    ULONG cbAAD;
+    ULONGLONG cbData;
+    ULONG dwFlags;
+} BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO, *PBCRYPT_AUTHENTICATED_CIPHER_MODE_INFO;
+
+typedef struct _BCRYPT_ECCKEY_BLOB
+{
+    ULONG dwMagic;
+    ULONG cbKey;
+} BCRYPT_ECCKEY_BLOB, *PBCRYPT_ECCKEY_BLOB;
+
+#define BCRYPT_RSAPUBLIC_MAGIC      0x31415352
+#define BCRYPT_RSAPRIVATE_MAGIC     0x32415352
+#define BCRYPT_RSAFULLPRIVATE_MAGIC 0x33415352
+
+typedef struct _BCRYPT_RSAKEY_BLOB
+{
+    ULONG Magic;
+    ULONG BitLength;
+    ULONG cbPublicExp;
+    ULONG cbModulus;
+    ULONG cbPrime1;
+    ULONG cbPrime2;
+} BCRYPT_RSAKEY_BLOB;
+
+typedef struct _BCRYPT_PKCS1_PADDING_INFO
+{
+    LPCWSTR pszAlgId;
+} BCRYPT_PKCS1_PADDING_INFO;
+
+#define BCRYPT_PAD_NONE   0x00000001
+#define BCRYPT_PAD_PKCS1  0x00000002
+#define BCRYPT_PAD_OAEP   0x00000004
+#define BCRYPT_PAD_PSS    0x00000008
+
+#define BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_VERSION 1
+
+#define BCRYPT_AUTH_MODE_CHAIN_CALLS_FLAG 0x00000001
+#define BCRYPT_AUTH_MODE_IN_PROGRESS_FLAG 0x00000002
+
+#define BCRYPT_KEY_DATA_BLOB_MAGIC    0x4d42444b
+#define BCRYPT_KEY_DATA_BLOB_VERSION1 1
+
 typedef PVOID BCRYPT_ALG_HANDLE;
+typedef PVOID BCRYPT_KEY_HANDLE;
 typedef PVOID BCRYPT_HANDLE;
 typedef PVOID BCRYPT_HASH_HANDLE;

@ -85,14 +173,22 @@ typedef PVOID BCRYPT_HASH_HANDLE;

 NTSTATUS WINAPI BCryptCloseAlgorithmProvider(BCRYPT_ALG_HANDLE, ULONG);
 NTSTATUS WINAPI BCryptCreateHash(BCRYPT_ALG_HANDLE, BCRYPT_HASH_HANDLE *, PUCHAR, ULONG, PUCHAR, ULONG, ULONG);
+NTSTATUS WINAPI BCryptDecrypt(BCRYPT_KEY_HANDLE, PUCHAR, ULONG, VOID *, PUCHAR, ULONG, PUCHAR, ULONG, ULONG *, ULONG);
 NTSTATUS WINAPI BCryptDestroyHash(BCRYPT_HASH_HANDLE);
+NTSTATUS WINAPI BCryptDestroyKey(BCRYPT_KEY_HANDLE);
+NTSTATUS WINAPI BCryptEncrypt(BCRYPT_KEY_HANDLE, PUCHAR, ULONG, VOID *, PUCHAR, ULONG, PUCHAR, ULONG, ULONG *, ULONG);
 NTSTATUS WINAPI BCryptEnumAlgorithms(ULONG, ULONG *, BCRYPT_ALGORITHM_IDENTIFIER **, ULONG);
 NTSTATUS WINAPI BCryptFinishHash(BCRYPT_HASH_HANDLE, PUCHAR, ULONG, ULONG);
+NTSTATUS WINAPI BCryptGenerateSymmetricKey(BCRYPT_ALG_HANDLE, BCRYPT_KEY_HANDLE *, PUCHAR, ULONG, PUCHAR, ULONG, ULONG);
 NTSTATUS WINAPI BCryptGenRandom(BCRYPT_ALG_HANDLE, PUCHAR, ULONG, ULONG);
 NTSTATUS WINAPI BCryptGetFipsAlgorithmMode(BOOLEAN *);
 NTSTATUS WINAPI BCryptGetProperty(BCRYPT_HANDLE, LPCWSTR, PUCHAR, ULONG, ULONG *, ULONG);
 NTSTATUS WINAPI BCryptHash(BCRYPT_ALG_HANDLE, PUCHAR, ULONG, PUCHAR, ULONG, PUCHAR, ULONG);
 NTSTATUS WINAPI BCryptHashData(BCRYPT_HASH_HANDLE, PUCHAR, ULONG, ULONG);
+NTSTATUS WINAPI BCryptImportKeyPair(BCRYPT_ALG_HANDLE, BCRYPT_KEY_HANDLE, LPCWSTR, BCRYPT_KEY_HANDLE *, UCHAR *, ULONG, ULONG);
 NTSTATUS WINAPI BCryptOpenAlgorithmProvider(BCRYPT_ALG_HANDLE *, LPCWSTR, LPCWSTR, ULONG);
+NTSTATUS WINAPI BCryptSetProperty(BCRYPT_HANDLE, LPCWSTR, PUCHAR, ULONG, ULONG);
+NTSTATUS WINAPI BCryptDuplicateHash(BCRYPT_HASH_HANDLE, BCRYPT_HASH_HANDLE *, UCHAR *, ULONG, ULONG);
+NTSTATUS WINAPI BCryptVerifySignature(BCRYPT_KEY_HANDLE, void *, UCHAR *, ULONG, UCHAR *, ULONG, ULONG);

 #endif  /* __WINE_BCRYPT_H */
--- a/sdk/include/psdk/wincrypt.h
+++ b/sdk/include/psdk/wincrypt.h
@ -295,6 +295,11 @@ typedef struct _CERT_KEY_ATTRIBUTES_INFO {
    PCERT_PRIVATE_KEY_VALIDITY pPrivateKeyUsagePeriod;
 } CERT_KEY_ATTRIBUTES_INFO, *PCERT_KEY_ATTRIBUTES_INFO;

+typedef struct _CERT_ECC_SIGNATURE {
+    CRYPT_UINT_BLOB r;
+    CRYPT_UINT_BLOB s;
+} CERT_ECC_SIGNATURE, *PCERT_ECC_SIGNATURE;
+
 /* byte 0 */
 #define CERT_DIGITAL_SIGNATURE_KEY_USAGE 0x80
 #define CERT_NON_REPUDIATION_KEY_USAGE   0x40
@ -1365,6 +1370,35 @@ typedef BOOL

 #define CRYPT_MATCH_ANY_ENCODING_TYPE 0xffffffff

+#define CALG_OID_INFO_CNG_ONLY   0xffffffff
+#define CALG_OID_INFO_PARAMETERS 0xfffffffe
+
+#if defined(__GNUC__)
+#define CRYPT_OID_INFO_HASH_PARAMETERS_ALGORITHM     (const WCHAR []){'C','r','y','p','t','O','I','D','I','n','f','o','H','a','s','h','P','a','r','a','m','e','t','e','r','s',0}
+#define CRYPT_OID_INFO_ECC_PARAMETERS_ALGORITHM      (const WCHAR []){'C','r','y','p','t','O','I','D','I','n','f','o','E','C','C','P','a','r','a','m','e','t','e','r','s',0}
+#define CRYPT_OID_INFO_MGF1_PARAMETERS_ALGORITHM     (const WCHAR []){'C','r','y','p','t','O','I','D','I','n','f','o','M','g','f','1','P','a','r','a','m','e','t','e','r','s',0}
+#define CRYPT_OID_INFO_NO_SIGN_ALGORITHM             (const WCHAR []){'C','r','y','p','t','O','I','D','I','n','f','o','N','o','S','i','g','n',0}
+#define CRYPT_OID_INFO_OAEP_PARAMETERS_ALGORITHM     (const WCHAR []){'C','r','y','p','t','O','I','D','I','n','f','o','O','A','E','P','P','a','r','a','m','e','t','e','r','s',0}
+#define CRYPT_OID_INFO_ECC_WRAP_PARAMETERS_ALGORITHM (const WCHAR []){'C','r','y','p','t','O','I','D','I','n','f','o','E','C','C','W','r','a','p','P','a','r','a','m','e','t','e','r','s',0}
+#define CRYPT_OID_INFO_NO_PARAMETERS_ALGORITHM       (const WCHAR []){'C','r','y','p','t','O','I','D','I','n','f','o','N','o','P','a','r','a','m','e','t','e','r','s',0}
+#elif defined(_MSC_VER)
+#define CRYPT_OID_INFO_HASH_PARAMETERS_ALGORITHM     L"CryptOIDInfoHashParameters"
+#define CRYPT_OID_INFO_ECC_PARAMETERS_ALGORITHM      L"CryptOIDInfoECCParameters"
+#define CRYPT_OID_INFO_MGF1_PARAMETERS_ALGORITHM     L"CryptOIDInfoMgf1Parameters"
+#define CRYPT_OID_INFO_NO_SIGN_ALGORITHM             L"CryptOIDInfoNoSign"
+#define CRYPT_OID_INFO_OAEP_PARAMETERS_ALGORITHM     L"CryptOIDInfoOAEPParameters"
+#define CRYPT_OID_INFO_ECC_WRAP_PARAMETERS_ALGORITHM L"CryptOIDInfoECCWrapParameters"
+#define CRYPT_OID_INFO_NO_PARAMETERS_ALGORITHM       L"CryptOIDInfoNoParameters"
+#else
+static const WCHAR CRYPT_OID_INFO_HASH_PARAMETERS_ALGORITHM[] =     {'C','r','y','p','t','O','I','D','I','n','f','o','H','a','s','h','P','a','r','a','m','e','t','e','r','s',0};
+static const WCHAR CRYPT_OID_INFO_ECC_PARAMETERS_ALGORITHM[] =      {'C','r','y','p','t','O','I','D','I','n','f','o','E','C','C','P','a','r','a','m','e','t','e','r','s',0};
+static const WCHAR CRYPT_OID_INFO_MGF1_PARAMETERS_ALGORITHM[] =     {'C','r','y','p','t','O','I','D','I','n','f','o','M','g','f','1','P','a','r','a','m','e','t','e','r','s',0};
+static const WCHAR CRYPT_OID_INFO_NO_SIGN_ALGORITHM[] =             {'C','r','y','p','t','O','I','D','I','n','f','o','N','o','S','i','g','n',0};
+static const WCHAR CRYPT_OID_INFO_OAEP_PARAMETERS_ALGORITHM[] =     {'C','r','y','p','t','O','I','D','I','n','f','o','O','A','E','P','P','a','r','a','m','e','t','e','r','s',0};
+static const WCHAR CRYPT_OID_INFO_ECC_WRAP_PARAMETERS_ALGORITHM[] = {'C','r','y','p','t','O','I','D','I','n','f','o','E','C','C','W','r','a','p','P','a','r','a','m','e','t','e','r','s',0};
+static const WCHAR CRYPT_OID_INFO_NO_PARAMETERS_ALGORITHM[] =       {'C','r','y','p','t','O','I','D','I','n','f','o','N','o','P','a','r','a','m','e','t','e','r','s',0};
+#endif
+
 typedef struct _CRYPT_OID_INFO {
    DWORD   cbSize;
    LPCSTR  pszOID;
@ -1376,6 +1410,10 @@ typedef struct _CRYPT_OID_INFO {
        DWORD  dwLength;
    } DUMMYUNIONNAME;
    CRYPT_DATA_BLOB ExtraInfo;
+#ifdef CRYPT_OID_INFO_HAS_EXTRA_FIELDS
+    LPCWSTR         pwszCNGAlgid;
+    LPCWSTR         pwszCNGExtraAlgid;
+#endif
 } CRYPT_OID_INFO, *PCRYPT_OID_INFO;
 typedef const CRYPT_OID_INFO CCRYPT_OID_INFO, *PCCRYPT_OID_INFO;

@ -2191,6 +2229,12 @@ static const WCHAR MS_ENH_RSA_AES_PROV_XP_W[] = { 'M','i','c','r','o','s','o','f
 #define CRYPTPROTECT_AUDIT              0x0010
 #define CRYPTPROTECT_VERIFY_PROTECTION  0x0040

+/* Crypt{Protect,Unprotect}Memory */
+#define CRYPTPROTECTMEMORY_BLOCK_SIZE     16
+#define CRYPTPROTECTMEMORY_SAME_PROCESS   0x0000
+#define CRYPTPROTECTMEMORY_CROSS_PROCESS  0x0001
+#define CRYPTPROTECTMEMORY_SAME_LOGON     0x0002
+
 /* Blob Types */
 #define SIMPLEBLOB              0x1
 #define PUBLICKEYBLOB           0x6
@ -3014,6 +3058,12 @@ typedef struct _CTL_FIND_SUBJECT_PARA
 #define szOID_X957                          "1.2.840.10040"
 #define szOID_X957_DSA                      "1.2.840.10040.4.1"
 #define szOID_X957_SHA1DSA                  "1.2.840.10040.4.3"
+#define szOID_ECC_PUBLIC_KEY                "1.2.840.10045.2.1"
+#define szOID_ECC_CURVE_P256                "1.2.840.10045.3.1.7"
+#define szOID_ECDSA_SPECIFIED               "1.2.840.10045.4.3"
+#define szOID_ECDSA_SHA256                  "1.2.840.10045.4.3.2"
+#define szOID_ECDSA_SHA384                  "1.2.840.10045.4.3.3"
+#define szOID_ECDSA_SHA512                  "1.2.840.10045.4.3.4"
 #define szOID_DS                            "2.5"
 #define szOID_DSALG                         "2.5.8"
 #define szOID_DSALG_CRPT                    "2.5.8.1"
@ -3055,6 +3105,8 @@ typedef struct _CTL_FIND_SUBJECT_PARA
 #define szOID_OIWDIR_SIGN                   "1.3.14.7.2.3"
 #define szOID_OIWDIR_md2                    "1.3.14.7.2.2.1"
 #define szOID_OIWDIR_md2RSA                 "1.3.14.7.2.3.1"
+#define szOID_ECC_CURVE_P384                "1.3.132.0.34"
+#define szOID_ECC_CURVE_P521                "1.3.132.0.35"
 #define szOID_INFOSEC                       "2.16.840.1.101.2.1"
 #define szOID_INFOSEC_sdnsSignature         "2.16.840.1.101.2.1.1.1"
 #define szOID_INFOSEC_mosaicSignature       "2.16.840.1.101.2.1.1.2"
@ -3360,6 +3412,7 @@ typedef struct _CTL_FIND_SUBJECT_PARA
 #define X509_PKIX_POLICY_QUALIFIER_USERNOTICE ((LPCSTR)46)
 #define X509_DH_PUBLICKEY                    X509_MULTI_BYTE_UINT
 #define X509_DH_PARAMETERS                   ((LPCSTR)47)
+#define X509_ECC_SIGNATURE                   ((LPCSTR)47)
 #define PKCS_ATTRIBUTES                      ((LPCSTR)48)
 #define PKCS_SORTED_CTL                      ((LPCSTR)49)
 #define X942_DH_PARAMETERS                   ((LPCSTR)50)
@ -3377,6 +3430,7 @@ typedef struct _CTL_FIND_SUBJECT_PARA
 #define CMC_ADD_EXTENSIONS                   ((LPCSTR)62)
 #define CMC_ADD_ATTRIBUTES                   ((LPCSTR)63)
 #define X509_CERTIFICATE_TEMPLATE            ((LPCSTR)64)
+#define X509_OBJECT_IDENTIFIER               ((LPCSTR)73)
 #define PKCS7_SIGNER_INFO                    ((LPCSTR)500)
 #define CMS_SIGNER_INFO                      ((LPCSTR)501)

@ -4710,6 +4764,20 @@ CertEnumSystemStore(
  _Inout_opt_ void *pvArg,
  __callback PFN_CERT_ENUM_SYSTEM_STORE pfnEnum);

+BOOL
+WINAPI
+CertRegisterSystemStore(
+  _In_ const void *pvSystemStore,
+  _In_ DWORD dwFlags,
+  _In_opt_ PCERT_SYSTEM_STORE_INFO pStoreInfo,
+  _Reserved_ void *pvReserved);
+
+BOOL
+WINAPI
+CertUnregisterSystemStore(
+  _In_ const void *pvSystemStore,
+  _In_ DWORD dwFlags);
+
 BOOL
 WINAPI
 CertEnumPhysicalStore(