include/wincrypt: update header file

Signed-off-by: Biswapriyo Nath <nathbappai@gmail.com>
Signed-off-by: Liu Hao <lh_mouse@126.com>
diff --git a/mingw-w64-headers/include/wincrypt.h b/mingw-w64-headers/include/wincrypt.h
index 0e84a35..1bcfac7 100644
--- a/mingw-w64-headers/include/wincrypt.h
+++ b/mingw-w64-headers/include/wincrypt.h
@@ -95,9 +95,19 @@
 #define ALG_TYPE_STREAM (4 << 9)
 #define ALG_TYPE_DH (5 << 9)
 #define ALG_TYPE_SECURECHANNEL (6 << 9)
+#if NTDDI_VERSION >= NTDDI_VISTA
+#define ALG_TYPE_ECDH (7 << 9)
+#endif
+#if NTDDI_VERSION >= NTDDI_WIN10_RS1
+#define ALG_TYPE_THIRDPARTY (8 << 9)
+#endif
 
 #define ALG_SID_ANY (0)
 
+#if NTDDI_VERSION >= NTDDI_WIN10_RS1
+#define ALG_SID_THIRDPARTY_ANY (0)
+#endif
+
 #define ALG_SID_RSA_ANY 0
 #define ALG_SID_RSA_PKCS 1
 #define ALG_SID_RSA_MSATWORK 2
@@ -107,7 +117,7 @@
 #define ALG_SID_DSS_ANY 0
 #define ALG_SID_DSS_PKCS 1
 #define ALG_SID_DSS_DMS 2
-#if NTDDI_VERSION >= 0x06000000
+#if NTDDI_VERSION >= NTDDI_VISTA
 #define ALG_SID_ECDSA 3
 #endif
 
@@ -123,10 +133,12 @@
 #define ALG_SID_TEK 11
 #define ALG_SID_CYLINK_MEK 12
 #define ALG_SID_RC5 13
+#if NTDDI_VERSION >= NTDDI_WINXP
 #define ALG_SID_AES_128 14
 #define ALG_SID_AES_192 15
 #define ALG_SID_AES_256 16
 #define ALG_SID_AES 17
+#endif
 
 #define CRYPT_MODE_CBCI 6
 #define CRYPT_MODE_CFBP 7
@@ -143,8 +155,9 @@
 #define ALG_SID_DH_EPHEM 2
 #define ALG_SID_AGREED_KEY_ANY 3
 #define ALG_SID_KEA 4
-#if NTDDI_VERSION >= 0x06000000
+#if NTDDI_VERSION >= NTDDI_VISTA
 #define ALG_SID_ECDH 5
+#define ALG_SID_ECDH_EPHEM 6
 #endif
 
 #define ALG_SID_MD2 1
@@ -158,10 +171,14 @@
 #define ALG_SID_SSL3SHAMD5 8
 #define ALG_SID_HMAC 9
 #define ALG_SID_TLS1PRF 10
+#if NTDDI_VERSION >= NTDDI_WINXP
 #define ALG_SID_HASH_REPLACE_OWF 11
+#endif
+#if NTDDI_VERSION > NTDDI_WINXPSP2
 #define ALG_SID_SHA_256 12
 #define ALG_SID_SHA_384 13
 #define ALG_SID_SHA_512 14
+#endif
 
 #define ALG_SID_SSL3_MASTER 1
 #define ALG_SID_SCHANNEL_MASTER_HASH 2
@@ -171,7 +188,7 @@
 #define ALG_SID_TLS1_MASTER 6
 #define ALG_SID_SCHANNEL_ENC_KEY 7
 
-#if NTDDI_VERSION >= 0x06000000
+#if NTDDI_VERSION >= NTDDI_VISTA
 #define ALG_SID_ECMQV 1
 #endif
 
@@ -190,7 +207,9 @@
 #define CALG_MAC (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_MAC)
 #define CALG_RSA_SIGN (ALG_CLASS_SIGNATURE | ALG_TYPE_RSA | ALG_SID_RSA_ANY)
 #define CALG_DSS_SIGN (ALG_CLASS_SIGNATURE | ALG_TYPE_DSS | ALG_SID_DSS_ANY)
+#if NTDDI_VERSION >= NTDDI_WINXP
 #define CALG_NO_SIGN (ALG_CLASS_SIGNATURE | ALG_TYPE_ANY | ALG_SID_ANY)
+#endif
 #define CALG_RSA_KEYX (ALG_CLASS_KEY_EXCHANGE|ALG_TYPE_RSA|ALG_SID_RSA_ANY)
 #define CALG_DES (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_DES)
 #define CALG_3DES_112 (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_3DES_112)
@@ -218,18 +237,44 @@
 #define CALG_RC5 (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_RC5)
 #define CALG_HMAC (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_HMAC)
 #define CALG_TLS1PRF (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_TLS1PRF)
+#if NTDDI_VERSION >= NTDDI_WINXP
 #define CALG_HASH_REPLACE_OWF (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_HASH_REPLACE_OWF)
 #define CALG_AES_128 (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_AES_128)
 #define CALG_AES_192 (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_AES_192)
 #define CALG_AES_256 (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_AES_256)
 #define CALG_AES (ALG_CLASS_DATA_ENCRYPT|ALG_TYPE_BLOCK|ALG_SID_AES)
+#endif
+#if NTDDI_VERSION > NTDDI_WINXPSP2
 #define CALG_SHA_256 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_256)
 #define CALG_SHA_384 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_384)
 #define CALG_SHA_512 (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA_512)
-#if NTDDI_VERSION >= 0x06000000
+#endif
+#if NTDDI_VERSION >= NTDDI_VISTA
 #define CALG_ECDH (ALG_CLASS_KEY_EXCHANGE | ALG_TYPE_DH | ALG_SID_ECDH)
+#define CALG_ECDH_EPHEM (ALG_CLASS_KEY_EXCHANGE | ALG_TYPE_ECDH | ALG_SID_ECDH_EPHEM)
 #define CALG_ECMQV (ALG_CLASS_KEY_EXCHANGE | ALG_TYPE_ANY | ALG_SID_ECMQV)
 #define CALG_ECDSA (ALG_CLASS_SIGNATURE | ALG_TYPE_DSS | ALG_SID_ECDSA)
+#define CALG_NULLCIPHER (ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_ANY | 0)
+#endif
+#if NTDDI_VERSION >= NTDDI_WIN10_RS1
+#define CALG_THIRDPARTY_KEY_EXCHANGE (ALG_CLASS_KEY_EXCHANGE | ALG_TYPE_THIRDPARTY | ALG_SID_THIRDPARTY_ANY)
+#define CALG_THIRDPARTY_SIGNATURE (ALG_CLASS_SIGNATURE | ALG_TYPE_THIRDPARTY | ALG_SID_THIRDPARTY_ANY)
+#define CALG_THIRDPARTY_CIPHER (ALG_CLASS_DATA_ENCRYPT | ALG_TYPE_THIRDPARTY | ALG_SID_THIRDPARTY_ANY)
+#define CALG_THIRDPARTY_HASH (ALG_CLASS_HASH | ALG_TYPE_THIRDPARTY | ALG_SID_THIRDPARTY_ANY)
+#endif
+
+#if NTDDI_VERSION < NTDDI_WINXP
+#define SIGNATURE_RESOURCE_NUMBER 0x29A
+
+  typedef struct _VTableProvStruc {
+    DWORD Version;
+    FARPROC FuncVerifyImage;
+    FARPROC FuncReturnhWnd;
+    DWORD dwProvType;
+    BYTE *pbContextInfo;
+    DWORD cbContextInfo;
+    LPSTR pszProvName;
+  } VTableProvStruc, *PVTableProvStruc;
 #endif
 
 /* In ncrypt.h too */
@@ -245,7 +290,7 @@
 #define CRYPT_DELETEKEYSET 0x10
 #define CRYPT_MACHINE_KEYSET 0x20
 #define CRYPT_SILENT 0x40
-#if NTDDI_VERSION >= 0x06000000
+#if NTDDI_VERSION >= NTDDI_VISTA
 #define CRYPT_DEFAULT_CONTAINER_OPTIONAL 0x80
 #endif
 
@@ -264,8 +309,10 @@
 #define CRYPT_DATA_KEY 0x800
 #define CRYPT_VOLATILE 0x1000
 #define CRYPT_SGCKEY 0x2000
+#if NTDDI_VERSION >= NTDDI_WINXP
 #define CRYPT_ARCHIVABLE 0x4000
-#if NTDDI_VERSION >= 0x06000000
+#endif
+#if NTDDI_VERSION >= NTDDI_VISTA
 #define CRYPT_FORCE_KEY_PROTECTION_HIGH 0x8000
 #endif
 #define CRYPT_USER_PROTECTED_STRONG 0x100000
@@ -279,13 +326,19 @@
 #define CRYPT_Y_ONLY 0x1
 #define CRYPT_SSL2_FALLBACK 0x2
 #define CRYPT_DESTROYKEY 0x4
+#if NTDDI_VERSION >= NTDDI_WS03
 #define CRYPT_DECRYPT_RSA_NO_PADDING_CHECK 0x20
+#endif
 #define CRYPT_OAEP 0x40
 #define CRYPT_BLOB_VER3 0x80
+#if NTDDI_VERSION >= NTDDI_WINXP
 #define CRYPT_IPSEC_HMAC_KEY 0x100
+#endif
 
 #define CRYPT_SECRETDIGEST 0x1
+#if NTDDI_VERSION >= NTDDI_WINXP
 #define CRYPT_OWF_REPL_LM_HASH 0x1
+#endif
 #define CRYPT_LITTLE_ENDIAN 0x1
 
 #define CRYPT_NOHASHOID 0x1
@@ -303,7 +356,9 @@
 #define OPAQUEKEYBLOB 0x9
 #define PUBLICKEYBLOBEX 0xa
 #define SYMMETRICWRAPKEYBLOB 0xb
+#if NTDDI_VERSION >= NTDDI_WS03
 #define KEYSTATEBLOB 0xc
+#endif
 
 #define AT_KEYEXCHANGE 1
 #define AT_SIGNATURE 2
@@ -344,14 +399,18 @@
 #define KP_KEYEXCHANGE_PIN 32
 #define KP_SIGNATURE_PIN 33
 #define KP_PREHASH 34
+#if NTDDI_VERSION >= NTDDI_WS03
 #define KP_ROUNDS 35
+#endif
 #define KP_OAEP_PARAMS 36
 #define KP_CMS_KEY_INFO 37
 #define KP_CMS_DH_KEY_INFO 38
 #define KP_PUB_PARAMS 39
 #define KP_VERIFY_PARAMS 40
 #define KP_HIGHEST_VERSION 41
+#if NTDDI_VERSION >= NTDDI_WS03
 #define KP_GET_USE_COUNT 42
+#endif
 #define KP_PIN_ID 43
 #define KP_PIN_INFO 44
 
@@ -373,7 +432,9 @@
 #define CRYPT_MAC 0x20
 #define CRYPT_EXPORT_KEY 0x40
 #define CRYPT_IMPORT_KEY 0x80
+#if NTDDI_VERSION >= NTDDI_WINXP
 #define CRYPT_ARCHIVE 0x100
+#endif
 
 #define HP_ALGID 0x1
 #define HP_HASHVAL 0x2
@@ -418,14 +479,16 @@
 #define PP_USE_HARDWARE_RNG 38
 #define PP_KEYSPEC 39
 #define PP_ENUMEX_SIGNING_PROT 40
+#if NTDDI_VERSION >= NTDDI_WS03
 #define PP_CRYPT_COUNT_KEY_USE 41
-#if NTDDI_VERSION >= 0x06000000
+#endif
+#if NTDDI_VERSION >= NTDDI_VISTA
 #define PP_USER_CERTSTORE 42
 #define PP_SMARTCARD_READER 43
 #define PP_SMARTCARD_GUID 45
 #define PP_ROOT_CERTSTORE 46
 #endif
-#if NTDDI_VERSION >= 0x06020000
+#if NTDDI_VERSION >= NTDDI_WIN8
 #define PP_SMARTCARD_READER_ICON 47
 #endif
 
@@ -460,11 +523,14 @@
 #define PP_KEYEXCHANGE_ALG 14
 #define PP_SIGNATURE_ALG 15
 #define PP_DELETEKEY 24
-#if NTDDI_VERSION >= 0x06000000
+#if NTDDI_VERSION >= NTDDI_VISTA
 #define PP_PIN_PROMPT_STRING 44
 #define PP_SECURE_KEYEXCHANGE_PIN 47
 #define PP_SECURE_SIGNATURE_PIN 48
 #endif
+#if NTDDI_VERSION >= NTDDI_WIN10_RS5
+#define PP_DISMISS_PIN_UI_SEC 49
+#endif
 
 #define PROV_RSA_FULL 1
 #define PROV_RSA_SIG 2
@@ -487,8 +553,10 @@
 #define PROV_SPYRUS_LYNKS 20
 #define PROV_RNG 21
 #define PROV_INTEL_SEC 22
+#if NTDDI_VERSION >= NTDDI_WINXP
 #define PROV_REPLACE_OWF 23
 #define PROV_RSA_AES 24
+#endif
 
 #if WINAPI_FAMILY_PARTITION (WINAPI_PARTITION_DESKTOP)
 
@@ -502,8 +570,10 @@
 #define MS_ENH_DSS_DH_PROV __MINGW_NAME_UAW(MS_ENH_DSS_DH_PROV)
 #define MS_DEF_DH_SCHANNEL_PROV __MINGW_NAME_UAW(MS_DEF_DH_SCHANNEL_PROV)
 #define MS_SCARD_PROV __MINGW_NAME_UAW(MS_SCARD_PROV)
+#if NTDDI_VERSION >= NTDDI_WINXP
 #define MS_ENH_RSA_AES_PROV_XP __MINGW_NAME_UAW(MS_ENH_RSA_AES_PROV_XP)
 #define MS_ENH_RSA_AES_PROV __MINGW_NAME_UAW(MS_ENH_RSA_AES_PROV)
+#endif
 
 #define MS_DEF_PROV_A "Microsoft Base Cryptographic Provider v1.0"
 #define MS_DEF_PROV_W L"Microsoft Base Cryptographic Provider v1.0"
@@ -525,10 +595,12 @@
 #define MS_DEF_DH_SCHANNEL_PROV_W L"Microsoft DH SChannel Cryptographic Provider"
 #define MS_SCARD_PROV_A "Microsoft Base Smart Card Crypto Provider"
 #define MS_SCARD_PROV_W L"Microsoft Base Smart Card Crypto Provider"
+#if NTDDI_VERSION >= NTDDI_WINXP
 #define MS_ENH_RSA_AES_PROV_A "Microsoft Enhanced RSA and AES Cryptographic Provider"
 #define MS_ENH_RSA_AES_PROV_W L"Microsoft Enhanced RSA and AES Cryptographic Provider"
 #define MS_ENH_RSA_AES_PROV_XP_A "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
 #define MS_ENH_RSA_AES_PROV_XP_W L"Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
+#endif
 
 #define MAXUIDLEN 64
 
@@ -542,11 +614,13 @@
 #define szKEY_CACHE_ENABLED "CachePrivateKeys"
 #define szKEY_CACHE_SECONDS "PrivateKeyLifetimeSeconds"
 
+#if NTDDI_VERSION >= NTDDI_WINXP
 #define szPRIV_KEY_CACHE_MAX_ITEMS "PrivKeyCacheMaxItems"
 #define cPRIV_KEY_CACHE_MAX_ITEMS_DEFAULT 20
 
 #define szPRIV_KEY_CACHE_PURGE_INTERVAL_SECONDS "PrivKeyCachePurgeIntervalSeconds"
 #define cPRIV_KEY_CACHE_PURGE_INTERVAL_SECONDS_DEFAULT 86400
+#endif
 
 #define CUR_BLOB_VERSION 2
 
@@ -648,6 +722,7 @@
     unsigned char CertLabel[36];
   } CERT_FORTEZZA_DATA_PROP;
 
+#if NTDDI_VERSION >= NTDDI_WS03
   typedef struct _CRYPT_RC4_KEY_STATE {
     unsigned char Key[16];
     unsigned char SBox[256];
@@ -666,8 +741,9 @@
     unsigned char IV[8];
     unsigned char Feedback[8];
   } CRYPT_3DES_KEY_STATE,*PCRYPT_3DES_KEY_STATE;
+#endif
 
-#if NTDDI_VERSION >= 0x06000000
+#if NTDDI_VERSION >= NTDDI_VISTA
   typedef struct _CRYPT_AES_128_KEY_STATE {
     unsigned char Key[16];
     unsigned char IV[16];
@@ -756,8 +832,10 @@
   WINIMPM WINBOOL WINAPI CryptContextAddRef (HCRYPTPROV hProv, DWORD *pdwReserved, DWORD dwFlags);
   WINIMPM WINBOOL WINAPI CryptDuplicateKey (HCRYPTKEY hKey, DWORD *pdwReserved, DWORD dwFlags, HCRYPTKEY *phKey);
   WINIMPM WINBOOL WINAPI CryptDuplicateHash (HCRYPTHASH hHash, DWORD *pdwReserved, DWORD dwFlags, HCRYPTHASH *phHash);
+#if NTDDI_VERSION >= NTDDI_WS03
   WINBOOL __cdecl GetEncSChannel (BYTE **pData, DWORD *dwDecSize);
 #endif
+#endif
 
 #ifndef _DDK_DRIVER_
   typedef ULONG_PTR HCRYPTPROV_OR_NCRYPT_KEY_HANDLE;
@@ -864,6 +942,55 @@
 #define szOID_ECC_CURVE_P256 "1.2.840.10045.3.1.7"
 #define szOID_ECC_CURVE_P384 "1.3.132.0.34"
 #define szOID_ECC_CURVE_P521 "1.3.132.0.35"
+
+#define szOID_ECC_CURVE_BRAINPOOLP160R1 "1.3.36.3.3.2.8.1.1.1"
+#define szOID_ECC_CURVE_BRAINPOOLP160T1 "1.3.36.3.3.2.8.1.1.2"
+#define szOID_ECC_CURVE_BRAINPOOLP192R1 "1.3.36.3.3.2.8.1.1.3"
+#define szOID_ECC_CURVE_BRAINPOOLP192T1 "1.3.36.3.3.2.8.1.1.4"
+#define szOID_ECC_CURVE_BRAINPOOLP224R1 "1.3.36.3.3.2.8.1.1.5"
+#define szOID_ECC_CURVE_BRAINPOOLP224T1 "1.3.36.3.3.2.8.1.1.6"
+#define szOID_ECC_CURVE_BRAINPOOLP256R1 "1.3.36.3.3.2.8.1.1.7"
+#define szOID_ECC_CURVE_BRAINPOOLP256T1 "1.3.36.3.3.2.8.1.1.8"
+#define szOID_ECC_CURVE_BRAINPOOLP320R1 "1.3.36.3.3.2.8.1.1.9"
+#define szOID_ECC_CURVE_BRAINPOOLP320T1 "1.3.36.3.3.2.8.1.1.10"
+#define szOID_ECC_CURVE_BRAINPOOLP384R1 "1.3.36.3.3.2.8.1.1.11"
+#define szOID_ECC_CURVE_BRAINPOOLP384T1 "1.3.36.3.3.2.8.1.1.12"
+#define szOID_ECC_CURVE_BRAINPOOLP512R1 "1.3.36.3.3.2.8.1.1.13"
+#define szOID_ECC_CURVE_BRAINPOOLP512T1 "1.3.36.3.3.2.8.1.1.14"
+
+#define szOID_ECC_CURVE_EC192WAPI "1.2.156.11235.1.1.2.1"
+#define szOID_CN_ECDSA_SHA256 "1.2.156.11235.1.1.1"
+
+#define szOID_ECC_CURVE_NISTP192 "1.2.840.10045.3.1.1"
+#define szOID_ECC_CURVE_NISTP224 "1.3.132.0.33"
+#define szOID_ECC_CURVE_NISTP256 szOID_ECC_CURVE_P256
+#define szOID_ECC_CURVE_NISTP384 szOID_ECC_CURVE_P384
+#define szOID_ECC_CURVE_NISTP521 szOID_ECC_CURVE_P521
+
+#define szOID_ECC_CURVE_SECP160K1 "1.3.132.0.9"
+#define szOID_ECC_CURVE_SECP160R1 "1.3.132.0.8"
+#define szOID_ECC_CURVE_SECP160R2 "1.3.132.0.30"
+#define szOID_ECC_CURVE_SECP192K1 "1.3.132.0.31"
+#define szOID_ECC_CURVE_SECP192R1 szOID_ECC_CURVE_NISTP192
+#define szOID_ECC_CURVE_SECP224K1 "1.3.132.0.32"
+#define szOID_ECC_CURVE_SECP224R1 szOID_ECC_CURVE_NISTP224
+#define szOID_ECC_CURVE_SECP256K1 "1.3.132.0.10"
+#define szOID_ECC_CURVE_SECP256R1 szOID_ECC_CURVE_P256
+#define szOID_ECC_CURVE_SECP384R1 szOID_ECC_CURVE_P384
+#define szOID_ECC_CURVE_SECP521R1 szOID_ECC_CURVE_P521
+
+#define szOID_ECC_CURVE_WTLS7 szOID_ECC_CURVE_SECP160R2
+#define szOID_ECC_CURVE_WTLS9 "2.23.43.1.4.9"
+#define szOID_ECC_CURVE_WTLS12 szOID_ECC_CURVE_NISTP224
+
+#define szOID_ECC_CURVE_X962P192V1 "1.2.840.10045.3.1.1"
+#define szOID_ECC_CURVE_X962P192V2 "1.2.840.10045.3.1.2"
+#define szOID_ECC_CURVE_X962P192V3 "1.2.840.10045.3.1.3"
+#define szOID_ECC_CURVE_X962P239V1 "1.2.840.10045.3.1.4"
+#define szOID_ECC_CURVE_X962P239V2 "1.2.840.10045.3.1.5"
+#define szOID_ECC_CURVE_X962P239V3 "1.2.840.10045.3.1.6"
+#define szOID_ECC_CURVE_X962P256V1 szOID_ECC_CURVE_P256
+
 #define szOID_ECDSA_SHA1 "1.2.840.10045.4.1"
 #define szOID_ECDSA_SPECIFIED "1.2.840.10045.4.3"
 #define szOID_ECDSA_SHA256 "1.2.840.10045.4.3.2"
@@ -1458,6 +1585,8 @@
 #define X509_CERT_BUNDLE ((LPCSTR) 81)
 #define X509_ECC_PRIVATE_KEY ((LPCSTR) 82)
 #define CNG_RSA_PRIVATE_KEY_BLOB ((LPCSTR) 83)
+#define X509_SUBJECT_DIR_ATTRS ((LPCSTR) 84)
+#define X509_ECC_PARAMETERS ((LPCSTR) 85)
 
 #define PKCS7_SIGNER_INFO ((LPCSTR) 500)
 #define CMS_SIGNER_INFO ((LPCSTR) 501)
@@ -1516,6 +1645,7 @@
 #define szOID_BIOMETRIC_EXT "1.3.6.1.5.5.7.1.2"
 #define szOID_QC_STATEMENTS_EXT "1.3.6.1.5.5.7.1.3"
 #define szOID_LOGOTYPE_EXT "1.3.6.1.5.5.7.1.12"
+#define szOID_TLS_FEATURES_EXT "1.3.6.1.5.5.7.1.24"
 
 #define szOID_CERT_EXTENSIONS "1.3.6.1.4.1.311.2.1.14"
 #define szOID_NEXT_UPDATE_LOCATION "1.3.6.1.4.1.311.10.2"
@@ -1613,6 +1743,7 @@
 #define szOID_EFS_RECOVERY "1.3.6.1.4.1.311.10.3.4.1"
 
 #define szOID_WHQL_CRYPTO "1.3.6.1.4.1.311.10.3.5"
+#define szOID_ATTEST_WHQL_CRYPTO "1.3.6.1.4.1.311.10.3.5.1"
 #define szOID_NT5_CRYPTO "1.3.6.1.4.1.311.10.3.6"
 #define szOID_OEM_WHQL_CRYPTO "1.3.6.1.4.1.311.10.3.7"
 #define szOID_EMBEDDED_NT_CRYPTO "1.3.6.1.4.1.311.10.3.8"
@@ -1624,6 +1755,8 @@
 #define szOID_KP_MOBILE_DEVICE_SOFTWARE "1.3.6.1.4.1.311.10.3.14"
 #define szOID_KP_SMART_DISPLAY "1.3.6.1.4.1.311.10.3.15"
 #define szOID_KP_CSP_SIGNATURE "1.3.6.1.4.1.311.10.3.16"
+#define szOID_KP_FLIGHT_SIGNING "1.3.6.1.4.1.311.10.3.27"
+#define szOID_PLATFORM_MANIFEST_BINARY_ID "1.3.6.1.4.1.311.10.3.28"
 
 #ifndef szOID_DRM
 #define szOID_DRM "1.3.6.1.4.1.311.10.5.1"
@@ -1648,9 +1781,35 @@
 #define szOID_KP_KERNEL_MODE_CODE_SIGNING "1.3.6.1.4.1.311.61.1.1"
 #define szOID_KP_KERNEL_MODE_TRUSTED_BOOT_SIGNING "1.3.6.1.4.1.311.61.4.1"
 #define szOID_REVOKED_LIST_SIGNER "1.3.6.1.4.1.311.10.3.19"
+#define szOID_WINDOWS_KITS_SIGNER "1.3.6.1.4.1.311.10.3.20"
+#define szOID_WINDOWS_RT_SIGNER "1.3.6.1.4.1.311.10.3.21"
+#define szOID_PROTECTED_PROCESS_LIGHT_SIGNER "1.3.6.1.4.1.311.10.3.22"
+#define szOID_WINDOWS_TCB_SIGNER "1.3.6.1.4.1.311.10.3.23"
+#define szOID_PROTECTED_PROCESS_SIGNER "1.3.6.1.4.1.311.10.3.24"
+#define szOID_WINDOWS_THIRD_PARTY_COMPONENT_SIGNER "1.3.6.1.4.1.311.10.3.25"
+#define szOID_WINDOWS_SOFTWARE_EXTENSION_SIGNER "1.3.6.1.4.1.311.10.3.26"
 #define szOID_DISALLOWED_LIST "1.3.6.1.4.1.311.10.3.30"
+#define szOID_PIN_RULES_SIGNER "1.3.6.1.4.1.311.10.3.31"
+#define szOID_PIN_RULES_CTL "1.3.6.1.4.1.311.10.3.32"
+#define szOID_PIN_RULES_EXT "1.3.6.1.4.1.311.10.3.33"
+#define szOID_PIN_RULES_DOMAIN_NAME "1.3.6.1.4.1.311.10.3.34"
+#define szOID_PIN_RULES_LOG_END_DATE_EXT "1.3.6.1.4.1.311.10.3.35"
+#define szOID_IUM_SIGNING "1.3.6.1.4.1.311.10.3.37"
+#define szOID_EV_WHQL_CRYPTO "1.3.6.1.4.1.311.10.3.39"
+#define szOID_BIOMETRIC_SIGNING "1.3.6.1.4.1.311.10.3.41"
+#define szOID_ENCLAVE_SIGNING "1.3.6.1.4.1.311.10.3.42"
+#define szOID_SYNC_ROOT_CTL_EXT "1.3.6.1.4.1.311.10.3.50"
+#define szOID_HPKP_DOMAIN_NAME_CTL "1.3.6.1.4.1.311.10.3.60"
+#define szOID_HPKP_HEADER_VALUE_CTL "1.3.6.1.4.1.311.10.3.61"
 #define szOID_KP_KERNEL_MODE_HAL_EXTENSION_SIGNING "1.3.6.1.4.1.311.61.5.1"
+#define szOID_WINDOWS_STORE_SIGNER "1.3.6.1.4.1.311.76.3.1"
+#define szOID_DYNAMIC_CODE_GEN_SIGNER "1.3.6.1.4.1.311.76.5.1"
+#define szOID_MICROSOFT_PUBLISHER_SIGNER "1.3.6.1.4.1.311.76.8.1"
 #define szOID_YESNO_TRUST_ATTR "1.3.6.1.4.1.311.10.4.1"
+#define szOID_SITE_PIN_RULES_INDEX_ATTR "1.3.6.1.4.1.311.10.4.2"
+#define szOID_SITE_PIN_RULES_FLAGS_ATTR "1.3.6.1.4.1.311.10.4.3"
+
+#define SITE_PIN_RULES_ALL_SUBDOMAINS_FLAG 0x1
 
 #define szOID_PKIX_POLICY_QUALIFIER_CPS "1.3.6.1.5.5.7.2.1"
 #define szOID_PKIX_POLICY_QUALIFIER_USERNOTICE "1.3.6.1.5.5.7.2.2"
@@ -1664,6 +1823,54 @@
 
 #define szOID_CERT_POLICIES_95_QUALIFIER1 "2.16.840.1.113733.1.7.1.1"
 
+#define szOID_RDN_TPM_MANUFACTURER "2.23.133.2.1"
+#define szOID_RDN_TPM_MODEL "2.23.133.2.2"
+#define szOID_RDN_TPM_VERSION "2.23.133.2.3"
+
+#define szOID_RDN_TCG_PLATFORM_MANUFACTURER "2.23.133.2.4"
+#define szOID_RDN_TCG_PLATFORM_MODEL "2.23.133.2.5"
+#define szOID_RDN_TCG_PLATFORM_VERSION "2.23.133.2.6"
+
+#define szOID_CT_CERT_SCTLIST "1.3.6.1.4.1.11129.2.4.2"
+
+#define szOID_ENROLL_EK_INFO "1.3.6.1.4.1.311.21.23"
+#define szOID_ENROLL_AIK_INFO "1.3.6.1.4.1.311.21.39"
+#define szOID_ENROLL_ATTESTATION_STATEMENT "1.3.6.1.4.1.311.21.24"
+
+#define szOID_ENROLL_KSP_NAME "1.3.6.1.4.1.311.21.25"
+
+#define szOID_ENROLL_EKPUB_CHALLENGE "1.3.6.1.4.1.311.21.26"
+#define szOID_ENROLL_CAXCHGCERT_HASH "1.3.6.1.4.1.311.21.27"
+#define szOID_ENROLL_ATTESTATION_CHALLENGE "1.3.6.1.4.1.311.21.28"
+#define szOID_ENROLL_ENCRYPTION_ALGORITHM "1.3.6.1.4.1.311.21.29"
+
+#define szOID_KP_TPM_EK_CERTIFICATE "2.23.133.8.1"
+#define szOID_KP_TPM_PLATFORM_CERTIFICATE "2.23.133.8.2"
+#define szOID_KP_TPM_AIK_CERTIFICATE "2.23.133.8.3"
+
+#define szOID_ENROLL_EKVERIFYKEY "1.3.6.1.4.1.311.21.30"
+#define szOID_ENROLL_EKVERIFYCERT "1.3.6.1.4.1.311.21.31"
+#define szOID_ENROLL_EKVERIFYCREDS "1.3.6.1.4.1.311.21.32"
+
+#define szOID_ENROLL_SCEP_ERROR "1.3.6.1.4.1.311.21.33"
+
+#define szOID_ENROLL_SCEP_SERVER_STATE "1.3.6.1.4.1.311.21.34"
+#define szOID_ENROLL_SCEP_CHALLENGE_ANSWER "1.3.6.1.4.1.311.21.35"
+#define szOID_ENROLL_SCEP_CLIENT_REQUEST "1.3.6.1.4.1.311.21.37"
+#define szOID_ENROLL_SCEP_SERVER_MESSAGE "1.3.6.1.4.1.311.21.38"
+#define szOID_ENROLL_SCEP_SERVER_SECRET "1.3.6.1.4.1.311.21.40"
+
+#define szOID_ENROLL_KEY_AFFINITY "1.3.6.1.4.1.311.21.41"
+
+#define szOID_ENROLL_SCEP_SIGNER_HASH "1.3.6.1.4.1.311.21.42"
+
+#define szOID_ENROLL_EK_CA_KEYID "1.3.6.1.4.1.311.21.43"
+
+#define szOID_ATTR_SUPPORTED_ALGORITHMS "2.5.4.52"
+#define szOID_ATTR_TPM_SPECIFICATION "2.23.133.2.16"
+#define szOID_ATTR_PLATFORM_SPECIFICATION "2.23.133.2.17"
+#define szOID_ATTR_TPM_SECURITY_ASSERTIONS "2.23.133.2.18"
+
   typedef struct _CERT_EXTENSIONS {
     DWORD cExtension;
     PCERT_EXTENSION rgExtension;
@@ -1698,6 +1905,7 @@
   } CERT_KEY_ATTRIBUTES_INFO,*PCERT_KEY_ATTRIBUTES_INFO;
 
 #define CERT_ENCIPHER_ONLY_KEY_USAGE 0x01
+#define CERT_CRL_SIGN_KEY_USAGE 0x02
 #define CERT_OFFLINE_CRL_SIGN_KEY_USAGE 0x02
 #define CERT_KEY_CERT_SIGN_KEY_USAGE 0x04
 #define CERT_KEY_AGREEMENT_KEY_USAGE 0x08
@@ -1893,6 +2101,8 @@
 #define CRL_REASON_CESSATION_OF_OPERATION 5
 #define CRL_REASON_CERTIFICATE_HOLD 6
 #define CRL_REASON_REMOVE_FROM_CRL 8
+#define CRL_REASON_PRIVILEGE_WITHDRAWN 9
+#define CRL_REASON_AA_COMPROMISE 10
 
   typedef struct _CRL_DIST_POINT_NAME {
     DWORD dwDistPointNameChoice;
@@ -1918,6 +2128,8 @@
 #define CRL_REASON_SUPERSEDED_FLAG 0x08
 #define CRL_REASON_CESSATION_OF_OPERATION_FLAG 0x04
 #define CRL_REASON_CERTIFICATE_HOLD_FLAG 0x02
+#define CRL_REASON_PRIVILEGE_WITHDRAWN_FLAG 0x01
+#define CRL_REASON_AA_COMPROMISE_FLAG 0x80
 
   typedef struct _CRL_DIST_POINTS_INFO {
     DWORD cDistPoint;
@@ -2097,6 +2309,15 @@
 
 #define szOID_VERISIGN_ISS_STRONG_CRYPTO "2.16.840.1.113733.1.8.1"
 
+#define szOIDVerisign_MessageType "2.16.840.1.113733.1.9.2"
+#define szOIDVerisign_PkiStatus "2.16.840.1.113733.1.9.3"
+#define szOIDVerisign_FailInfo "2.16.840.1.113733.1.9.4"
+
+#define szOIDVerisign_SenderNonce "2.16.840.1.113733.1.9.5"
+#define szOIDVerisign_RecipientNonce "2.16.840.1.113733.1.9.6"
+
+#define szOIDVerisign_TransactionID "2.16.840.1.113733.1.9.7"
+
 #define szOID_NETSCAPE "2.16.840.1.113730"
 #define szOID_NETSCAPE_CERT_EXTENSION "2.16.840.1.113730.1"
 #define szOID_NETSCAPE_CERT_TYPE "2.16.840.1.113730.1.1"
@@ -2467,6 +2688,18 @@
 #define OCSP_BASIC_BY_NAME_RESPONDER_ID 1
 #define OCSP_BASIC_BY_KEY_RESPONDER_ID 2
 
+  typedef struct _CERT_SUPPORTED_ALGORITHM_INFO {
+    CRYPT_ALGORITHM_IDENTIFIER Algorithm;
+    CRYPT_BIT_BLOB IntendedKeyUsage;
+    CERT_POLICIES_INFO IntendedCertPolicies;
+  } CERT_SUPPORTED_ALGORITHM_INFO, *PCERT_SUPPORTED_ALGORITHM_INFO;
+
+  typedef struct _CERT_TPM_SPECIFICATION_INFO {
+    LPWSTR pwszFamily;
+    DWORD dwLevel;
+    DWORD dwRevision;
+  } CERT_TPM_SPECIFICATION_INFO, *PCERT_TPM_SPECIFICATION_INFO;
+
   typedef void *HCRYPTOIDFUNCSET;
   typedef void *HCRYPTOIDFUNCADDR;
 
@@ -2572,6 +2805,8 @@
 
 #define CRYPT_OID_PUBKEY_ENCRYPT_ONLY_FLAG 0x40000000
 #define CRYPT_OID_PUBKEY_SIGN_ONLY_FLAG 0x80000000
+#define CRYPT_OID_USE_CURVE_NAME_FOR_ENCODE_FLAG 0x20000000
+#define CRYPT_OID_USE_CURVE_PARAMETERS_FOR_ENCODE_FLAG 0x10000000
 
   WINIMPM PCCRYPT_OID_INFO WINAPI CryptFindOIDInfo (DWORD dwKeyType, void *pvKey, DWORD dwGroupId);
 
@@ -2872,6 +3107,7 @@
 #define CMSG_CONTENTS_OCTETS_FLAG 0x10
 #define CMSG_MAX_LENGTH_FLAG 0x20
 #define CMSG_CMS_ENCAPSULATED_CONTENT_FLAG 0x40
+#define CMSG_SIGNED_DATA_NO_SIGN_FLAG 0x80
 #define CMSG_CRYPT_RELEASE_CONTEXT_FLAG 0x8000
 
   WINIMPM HCRYPTMSG WINAPI CryptMsgOpenToEncode (DWORD dwMsgEncodingType, DWORD dwFlags, DWORD dwMsgType, void const *pvMsgEncodeInfo, LPSTR pszInnerContentObjID, PCMSG_STREAM_INFO pStreamInfo);
@@ -3375,11 +3611,58 @@
 #define CERT_ROOT_PROGRAM_CHAIN_POLICIES_PROP_ID 105
 #define CERT_SMART_CARD_READER_NON_REMOVABLE_PROP_ID 106
 
+#define CERT_SHA256_HASH_PROP_ID 107
+
+#define CERT_SCEP_SERVER_CERTS_PROP_ID 108
+#define CERT_SCEP_RA_SIGNATURE_CERT_PROP_ID 109
+#define CERT_SCEP_RA_ENCRYPTION_CERT_PROP_ID 110
+#define CERT_SCEP_CA_CERT_PROP_ID 111
+#define CERT_SCEP_SIGNER_CERT_PROP_ID 112
+#define CERT_SCEP_NONCE_PROP_ID 113
+
+#define CERT_SCEP_ENCRYPT_HASH_CNG_ALG_PROP_ID 114
+#define CERT_SCEP_FLAGS_PROP_ID 115
+#define CERT_SCEP_GUID_PROP_ID 116
+#define CERT_SERIALIZABLE_KEY_CONTEXT_PROP_ID 117
+
+#define CERT_ISOLATED_KEY_PROP_ID 118
+
+#define CERT_SERIAL_CHAIN_PROP_ID 119
+#define CERT_KEY_CLASSIFICATION_PROP_ID 120
+
+#define CERT_OCSP_MUST_STAPLE_PROP_ID 121
+
+#define CERT_DISALLOWED_ENHKEY_USAGE_PROP_ID 122
+#define CERT_NONCOMPLIANT_ROOT_URL_PROP_ID 123
+
+#define CERT_PIN_SHA256_HASH_PROP_ID 124
+#define CERT_CLR_DELETE_KEY_PROP_ID 125
+#define CERT_NOT_BEFORE_FILETIME_PROP_ID 126
+#define CERT_NOT_BEFORE_ENHKEY_USAGE_PROP_ID 127
+
 #define CERT_FIRST_RESERVED_PROP_ID 107
 #define CERT_LAST_RESERVED_PROP_ID 0x00007fff
 #define CERT_FIRST_USER_PROP_ID 0x8000
 #define CERT_LAST_USER_PROP_ID 0x0000ffff
 
+#if defined(__cplusplus) && __cplusplus >= 201103L && !defined(SORTPP_PASS)
+#define WINCRYPT_DWORD_CPP_ONLY : DWORD
+#else
+#define WINCRYPT_DWORD_CPP_ONLY
+#endif
+
+  typedef enum CertKeyType WINCRYPT_DWORD_CPP_ONLY {
+    KeyTypeOther = 0,
+    KeyTypeVirtualSmartCard = 1,
+    KeyTypePhysicalSmartCard = 2,
+    KeyTypePassport = 3,
+    KeyTypePassportRemote = 4,
+    KeyTypePassportSmartCard = 5,
+    KeyTypeHardware = 6,
+    KeyTypeSoftware = 7,
+    KeyTypeSelfSigned = 8
+  } CertKeyType;
+
 #define IS_CERT_HASH_PROP_ID(X) (CERT_SHA1_HASH_PROP_ID == (X) || CERT_MD5_HASH_PROP_ID == (X) || CERT_SIGNATURE_HASH_PROP_ID == (X))
 #define IS_PUBKEY_HASH_PROP_ID(X) (CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID == (X) || CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID == (X))
 #define IS_CHAIN_HASH_PROP_ID(X) (CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID == (X) || CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID == (X) || CERT_ISSUER_SERIAL_NUMBER_MD5_HASH_PROP_ID == (X) || CERT_SUBJECT_NAME_MD5_HASH_PROP_ID == (X))
@@ -3552,6 +3835,7 @@
 #define CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY_ID 7
 #define CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY_ID 8
 #define CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE_ID 9
+#define CERT_SYSTEM_STORE_LOCAL_MACHINE_WCOS_ID 10
 
 #define CERT_SYSTEM_STORE_CURRENT_USER (CERT_SYSTEM_STORE_CURRENT_USER_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
 #define CERT_SYSTEM_STORE_LOCAL_MACHINE (CERT_SYSTEM_STORE_LOCAL_MACHINE_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
@@ -3561,6 +3845,7 @@
 #define CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY (CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
 #define CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY (CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
 #define CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE (CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
+#define CERT_SYSTEM_STORE_LOCAL_MACHINE_WCOS (CERT_SYSTEM_STORE_LOCAL_MACHINE_WCOS_ID << CERT_SYSTEM_STORE_LOCATION_SHIFT)
 
 #define CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH L"Software\\Policies\\Microsoft\\SystemCertificates"
 
@@ -3599,9 +3884,15 @@
 #define CERT_DISABLE_ROOT_AUTO_UPDATE_REGPATH CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH L"\\AuthRoot"
 #define CERT_DISABLE_ROOT_AUTO_UPDATE_VALUE_NAME L"DisableRootAutoUpdate"
 
+#define CERT_ENABLE_DISALLOWED_CERT_AUTO_UPDATE_VALUE_NAME L"EnableDisallowedCertAutoUpdate"
+
+#define CERT_DISABLE_PIN_RULES_AUTO_UPDATE_VALUE_NAME L"DisablePinRulesAutoUpdate"
+
 #define CERT_AUTO_UPDATE_LOCAL_MACHINE_REGPATH CERT_LOCAL_MACHINE_SYSTEM_STORE_REGPATH L"\\AuthRoot\\AutoUpdate"
 #define CERT_AUTO_UPDATE_ROOT_DIR_URL_VALUE_NAME L"RootDirUrl"
 
+#define CERT_AUTO_UPDATE_SYNC_FROM_DIR_URL_VALUE_NAME L"SyncFromDirUrl"
+
 #define CERT_AUTH_ROOT_AUTO_UPDATE_LOCAL_MACHINE_REGPATH CERT_AUTO_UPDATE_LOCAL_MACHINE_REGPATH
 #define CERT_AUTH_ROOT_AUTO_UPDATE_ROOT_DIR_URL_VALUE_NAME CERT_AUTO_UPDATE_ROOT_DIR_URL_VALUE_NAME
 #define CERT_AUTH_ROOT_AUTO_UPDATE_SYNC_DELTA_TIME_VALUE_NAME L"SyncDeltaTime"
@@ -3625,6 +3916,17 @@
 #define CERT_DISALLOWED_CERT_CAB_FILENAME L"disallowedcertstl.cab"
 #define CERT_DISALLOWED_CERT_AUTO_UPDATE_LIST_IDENTIFIER L"DisallowedCert_AutoUpdate_1"
 
+#define CERT_PIN_RULES_AUTO_UPDATE_SYNC_DELTA_TIME_VALUE_NAME L"PinRulesSyncDeltaTime"
+#define CERT_PIN_RULES_AUTO_UPDATE_LAST_SYNC_TIME_VALUE_NAME L"PinRulesLastSyncTime"
+#define CERT_PIN_RULES_AUTO_UPDATE_ENCODED_CTL_VALUE_NAME L"PinRulesEncodedCtl"
+
+#define CERT_PIN_RULES_CTL_FILENAME L"pinrules.stl"
+#define CERT_PIN_RULES_CTL_FILENAME_A "pinrules.stl"
+
+#define CERT_PIN_RULES_CAB_FILENAME L"pinrulesstl.cab"
+
+#define CERT_PIN_RULES_AUTO_UPDATE_LIST_IDENTIFIER L"PinRules_AutoUpdate_1"
+
 #define CERT_REGISTRY_STORE_REMOTE_FLAG 0x10000
 #define CERT_REGISTRY_STORE_SERIALIZED_FLAG 0x20000
 #define CERT_REGISTRY_STORE_CLIENT_GPT_FLAG 0x80000000
@@ -4196,7 +4498,7 @@
   WINIMPM WINBOOL WINAPI CertIsStrongHashToSign (PCCERT_STRONG_SIGN_PARA pStrongSignPara, LPCWSTR pwszCNGHashAlgid, PCCERT_CONTEXT pSigningCert);
   WINIMPM WINBOOL WINAPI CryptHashToBeSigned (HCRYPTPROV_LEGACY hCryptProv, DWORD dwCertEncodingType, const BYTE *pbEncoded, DWORD cbEncoded, BYTE *pbComputedHash, DWORD *pcbComputedHash);
   WINIMPM WINBOOL WINAPI CryptHashCertificate (HCRYPTPROV_LEGACY hCryptProv, ALG_ID Algid, DWORD dwFlags, const BYTE *pbEncoded, DWORD cbEncoded, BYTE *pbComputedHash, DWORD *pcbComputedHash);
-#if NTDDI_VERSION >= 0x06000000
+#if NTDDI_VERSION >= NTDDI_VISTA
   WINIMPM WINBOOL WINAPI CryptHashCertificate2 (LPCWSTR pwszCNGHashAlgid, DWORD dwFlags, void *pvReserved, const BYTE *pbEncoded, DWORD cbEncoded, BYTE *pbComputedHash, DWORD *pcbComputedHash);
 #endif
   WINIMPM WINBOOL WINAPI CryptSignCertificate (HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, DWORD dwKeySpec, DWORD dwCertEncodingType, const BYTE *pbEncodedToBeSigned, DWORD cbEncodedToBeSigned, PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm, const void *pvHashAuxInfo, BYTE *pbSignature, DWORD *pcbSignature);
@@ -4221,7 +4523,7 @@
 
   typedef WINBOOL (WINAPI *PFN_CRYPT_EXPORT_PUBLIC_KEY_INFO_EX2_FUNC) (NCRYPT_KEY_HANDLE hNCryptKey, DWORD dwCertEncodingType, LPSTR pszPublicKeyObjId, DWORD dwFlags, void *pvAuxInfo, PCERT_PUBLIC_KEY_INFO pInfo, DWORD *pcbInfo);
 
-#if NTDDI_VERSION >= 0x06010000
+#if NTDDI_VERSION >= NTDDI_WIN7
 #define CRYPT_OID_EXPORT_PUBLIC_KEY_INFO_FROM_BCRYPT_HANDLE_FUNC "CryptDllExportPublicKeyInfoFromBCryptKeyHandle"
 
   typedef WINBOOL (WINAPI *PFN_CRYPT_EXPORT_PUBLIC_KEY_INFO_FROM_BCRYPT_HANDLE_FUNC) (BCRYPT_KEY_HANDLE hBCryptKey, DWORD dwCertEncodingType, LPSTR pszPublicKeyObjId, DWORD dwFlags, void *pvAuxInfo, PCERT_PUBLIC_KEY_INFO pInfo, DWORD *pcbInfo);
@@ -4260,7 +4562,7 @@
   WINIMPM WINBOOL WINAPI CryptImportPublicKeyInfo (HCRYPTPROV hCryptProv, DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pInfo, HCRYPTKEY *phKey);
   WINIMPM WINBOOL WINAPI CryptImportPublicKeyInfoEx (HCRYPTPROV hCryptProv, DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pInfo, ALG_ID aiKeyAlg, DWORD dwFlags, void *pvAuxInfo, HCRYPTKEY *phKey);
 
-#if NTDDI_VERSION >= 0x06000000
+#if NTDDI_VERSION >= NTDDI_VISTA
 #define CRYPT_OID_IMPORT_PUBLIC_KEY_INFO_EX2_FUNC "CryptDllImportPublicKeyInfoEx2"
 
   typedef WINBOOL (WINAPI *PFN_IMPORT_PUBLIC_KEY_INFO_EX2_FUNC) (DWORD dwCertEncodingType, PCERT_PUBLIC_KEY_INFO pInfo, DWORD dwFlags, void *pvAuxInfo, BCRYPT_KEY_HANDLE *phKey);
@@ -4568,6 +4870,8 @@
 #define CRYPT_OCSP_ONLY_RETRIEVAL 0x1000000
 #define CRYPT_NO_OCSP_FAILOVER_TO_CRL_RETRIEVAL 0x2000000
 #define CRYPT_RANDOM_QUERY_STRING_RETRIEVAL 0x4000000
+#define CRYPT_ENABLE_FILE_RETRIEVAL 0x08000000
+#define CRYPT_CREATE_NEW_FLUSH_ENTRY 0x10000000
 
   typedef struct _CRYPTNET_URL_CACHE_PRE_FETCH_INFO {
     DWORD cbSize;
@@ -4585,6 +4889,7 @@
 #define CRYPTNET_URL_CACHE_PRE_FETCH_OCSP 3
 #define CRYPTNET_URL_CACHE_PRE_FETCH_AUTOROOT_CAB 5
 #define CRYPTNET_URL_CACHE_PRE_FETCH_DISALLOWED_CERT_CAB 6
+#define CRYPTNET_URL_CACHE_PRE_FETCH_PIN_RULES_CAB 7
 
   typedef struct _CRYPTNET_URL_CACHE_FLUSH_INFO {
     DWORD cbSize;
@@ -4623,6 +4928,8 @@
     DWORD dwHttpStatusCode;
   } CRYPT_RETRIEVE_AUX_INFO,*PCRYPT_RETRIEVE_AUX_INFO;
 
+#define CRYPT_RETRIEVE_MAX_ERROR_CONTENT_LENGTH 0x1000
+
   WINIMPM WINBOOL WINAPI CryptRetrieveObjectByUrlA (LPCSTR pszUrl, LPCSTR pszObjectOid, DWORD dwRetrievalFlags, DWORD dwTimeout, LPVOID *ppvObject, HCRYPTASYNC hAsyncRetrieve, PCRYPT_CREDENTIALS pCredentials, LPVOID pvVerify, PCRYPT_RETRIEVE_AUX_INFO pAuxInfo);
   WINIMPM WINBOOL WINAPI CryptRetrieveObjectByUrlW (LPCWSTR pszUrl, LPCSTR pszObjectOid, DWORD dwRetrievalFlags, DWORD dwTimeout, LPVOID *ppvObject, HCRYPTASYNC hAsyncRetrieve, PCRYPT_CREDENTIALS pCredentials, LPVOID pvVerify, PCRYPT_RETRIEVE_AUX_INFO pAuxInfo);
 
@@ -4751,6 +5058,13 @@
 #define CERT_CHAIN_MAX_AIA_URL_RETRIEVAL_CERT_COUNT_DEFAULT 10
 #define CERT_CHAIN_OCSP_VALIDITY_SECONDS_VALUE_NAME L"OcspValiditySeconds"
 #define CERT_CHAIN_OCSP_VALIDITY_SECONDS_DEFAULT (12 *60 *60)
+#define CERT_CHAIN_DISABLE_SERIAL_CHAIN_VALUE_NAME L"DisableSerialChain"
+#define CERT_CHAIN_SERIAL_CHAIN_LOG_FILE_NAME_VALUE_NAME L"SerialChainLogFileName"
+#define CERT_CHAIN_DISABLE_SYNC_WITH_SSL_TIME_VALUE_NAME L"DisableSyncWithSslTime"
+#define CERT_CHAIN_MAX_SSL_TIME_UPDATED_EVENT_COUNT_VALUE_NAME L"MaxSslTimeUpdatedEventCount"
+#define CERT_CHAIN_MAX_SSL_TIME_UPDATED_EVENT_COUNT_DEFAULT 5
+#define CERT_CHAIN_MAX_SSL_TIME_UPDATED_EVENT_COUNT_DISABLE 0xFFFFFFFF
+#define CERT_CHAIN_SSL_HANDSHAKE_LOG_FILE_NAME_VALUE_NAME L"SslHandshakeLogFileName"
 #define CERT_CHAIN_ENABLE_WEAK_SIGNATURE_FLAGS_VALUE_NAME L"EnableWeakSignatureFlags"
 #define CERT_CHAIN_ENABLE_MD2_MD4_FLAG 0x1
 #define CERT_CHAIN_ENABLE_WEAK_RSA_ROOT_FLAG 0x2
@@ -4762,6 +5076,72 @@
 #define CERT_CHAIN_WEAK_RSA_PUB_KEY_TIME_VALUE_NAME L"WeakRsaPubKeyTime"
 #define CERT_CHAIN_WEAK_RSA_PUB_KEY_TIME_DEFAULT 0x01ca8a755c6e0000ULL
 #define CERT_CHAIN_WEAK_SIGNATURE_LOG_DIR_VALUE_NAME L"WeakSignatureLogDir"
+
+#define CERT_CHAIN_DEFAULT_CONFIG_SUBDIR L"Default"
+
+#define CERT_CHAIN_WEAK_PREFIX_NAME L"Weak"
+#define CERT_CHAIN_WEAK_THIRD_PARTY_CONFIG_NAME L"ThirdParty"
+#define CERT_CHAIN_WEAK_ALL_CONFIG_NAME L"All"
+#define CERT_CHAIN_WEAK_FLAGS_NAME L"Flags"
+#define CERT_CHAIN_WEAK_HYGIENE_NAME L"Hygiene"
+#define CERT_CHAIN_WEAK_AFTER_TIME_NAME L"AfterTime"
+#define CERT_CHAIN_WEAK_FILE_HASH_AFTER_TIME_NAME L"FileHashAfterTime"
+#define CERT_CHAIN_WEAK_TIMESTAMP_HASH_AFTER_TIME_NAME L"TimestampHashAfterTime"
+#define CERT_CHAIN_WEAK_MIN_BIT_LENGTH_NAME L"MinBitLength"
+#define CERT_CHAIN_WEAK_SHA256_ALLOW_NAME L"Sha256Allow"
+
+#define CERT_CHAIN_MIN_PUB_KEY_BIT_LENGTH_DISABLE 0xFFFFFFFF
+
+#define CERT_CHAIN_ENABLE_WEAK_SETTINGS_FLAG 0x80000000
+#define CERT_CHAIN_DISABLE_ALL_EKU_WEAK_FLAG 0x00010000
+#define CERT_CHAIN_ENABLE_ALL_EKU_HYGIENE_FLAG 0x00020000
+#define CERT_CHAIN_DISABLE_OPT_IN_SERVER_AUTH_WEAK_FLAG 0x00040000
+#define CERT_CHAIN_DISABLE_SERVER_AUTH_WEAK_FLAG 0x00100000
+#define CERT_CHAIN_ENABLE_SERVER_AUTH_HYGIENE_FLAG 0x00200000
+#define CERT_CHAIN_DISABLE_CODE_SIGNING_WEAK_FLAG 0x00400000
+#define CERT_CHAIN_DISABLE_MOTW_CODE_SIGNING_WEAK_FLAG 0x00800000
+#define CERT_CHAIN_ENABLE_CODE_SIGNING_HYGIENE_FLAG 0x01000000
+#define CERT_CHAIN_ENABLE_MOTW_CODE_SIGNING_HYGIENE_FLAG 0x02000000
+#define CERT_CHAIN_DISABLE_TIMESTAMP_WEAK_FLAG 0x04000000
+#define CERT_CHAIN_DISABLE_MOTW_TIMESTAMP_WEAK_FLAG 0x08000000
+#define CERT_CHAIN_ENABLE_TIMESTAMP_HYGIENE_FLAG 0x10000000
+#define CERT_CHAIN_ENABLE_MOTW_TIMESTAMP_HYGIENE_FLAG 0x20000000
+#define CERT_CHAIN_MOTW_IGNORE_AFTER_TIME_WEAK_FLAG 0x40000000
+#define CERT_CHAIN_DISABLE_FILE_HASH_WEAK_FLAG 0x00001000
+#define CERT_CHAIN_DISABLE_MOTW_FILE_HASH_WEAK_FLAG 0x00002000
+#define CERT_CHAIN_DISABLE_TIMESTAMP_HASH_WEAK_FLAG 0x00004000
+#define CERT_CHAIN_DISABLE_MOTW_TIMESTAMP_HASH_WEAK_FLAG 0x00008000
+#define CERT_CHAIN_DISABLE_WEAK_FLAGS ( CERT_CHAIN_DISABLE_ALL_EKU_WEAK_FLAG | CERT_CHAIN_DISABLE_SERVER_AUTH_WEAK_FLAG | CERT_CHAIN_DISABLE_OPT_IN_SERVER_AUTH_WEAK_FLAG | CERT_CHAIN_DISABLE_CODE_SIGNING_WEAK_FLAG | CERT_CHAIN_DISABLE_MOTW_CODE_SIGNING_WEAK_FLAG | CERT_CHAIN_DISABLE_TIMESTAMP_WEAK_FLAG | CERT_CHAIN_DISABLE_MOTW_TIMESTAMP_WEAK_FLAG )
+#define CERT_CHAIN_DISABLE_FILE_HASH_WEAK_FLAGS ( CERT_CHAIN_DISABLE_FILE_HASH_WEAK_FLAG | CERT_CHAIN_DISABLE_MOTW_FILE_HASH_WEAK_FLAG )
+#define CERT_CHAIN_DISABLE_TIMESTAMP_HASH_WEAK_FLAGS ( CERT_CHAIN_DISABLE_TIMESTAMP_HASH_WEAK_FLAG | CERT_CHAIN_DISABLE_MOTW_TIMESTAMP_HASH_WEAK_FLAG )
+#define CERT_CHAIN_ENABLE_HYGIENE_FLAGS ( CERT_CHAIN_ENABLE_ALL_EKU_HYGIENE_FLAG | CERT_CHAIN_ENABLE_SERVER_AUTH_HYGIENE_FLAG | CERT_CHAIN_ENABLE_CODE_SIGNING_HYGIENE_FLAG | CERT_CHAIN_ENABLE_MOTW_CODE_SIGNING_HYGIENE_FLAG | CERT_CHAIN_ENABLE_TIMESTAMP_HYGIENE_FLAG | CERT_CHAIN_ENABLE_MOTW_TIMESTAMP_HYGIENE_FLAG )
+#define CERT_CHAIN_MOTW_WEAK_FLAGS ( CERT_CHAIN_DISABLE_MOTW_CODE_SIGNING_WEAK_FLAG | CERT_CHAIN_DISABLE_MOTW_TIMESTAMP_WEAK_FLAG | CERT_CHAIN_ENABLE_MOTW_CODE_SIGNING_HYGIENE_FLAG | CERT_CHAIN_ENABLE_MOTW_TIMESTAMP_HYGIENE_FLAG | CERT_CHAIN_MOTW_IGNORE_AFTER_TIME_WEAK_FLAG)
+#define CERT_CHAIN_OPT_IN_WEAK_FLAGS ( CERT_CHAIN_DISABLE_OPT_IN_SERVER_AUTH_WEAK_FLAG)
+
+#define CERT_CHAIN_AUTO_CURRENT_USER 1
+#define CERT_CHAIN_AUTO_LOCAL_MACHINE 2
+#define CERT_CHAIN_AUTO_IMPERSONATED 3
+#define CERT_CHAIN_AUTO_PROCESS_INFO 4
+#define CERT_CHAIN_AUTO_PINRULE_INFO 5
+#define CERT_CHAIN_AUTO_NETWORK_INFO 6
+#define CERT_CHAIN_AUTO_SERIAL_LOCAL_MACHINE 7
+#define CERT_CHAIN_AUTO_HPKP_RULE_INFO 8
+
+#define CERT_CHAIN_AUTO_FLAGS_VALUE_NAME L"AutoFlags"
+
+#define CERT_CHAIN_AUTO_FLUSH_DISABLE_FLAG 0x00000001
+#define CERT_CHAIN_AUTO_LOG_CREATE_FLAG 0x00000002
+#define CERT_CHAIN_AUTO_LOG_FREE_FLAG 0x00000004
+#define CERT_CHAIN_AUTO_LOG_FLUSH_FLAG 0x00000008
+#define CERT_CHAIN_AUTO_LOG_FLAGS ( CERT_CHAIN_AUTO_LOG_CREATE_FLAG | CERT_CHAIN_AUTO_LOG_FREE_FLAG | CERT_CHAIN_AUTO_LOG_FLUSH_FLAG )
+
+#define CERT_CHAIN_AUTO_FLUSH_FIRST_DELTA_SECONDS_VALUE_NAME L"AutoFlushFirstDeltaSeconds"
+#define CERT_CHAIN_AUTO_FLUSH_FIRST_DELTA_SECONDS_DEFAULT (5 * 60)
+#define CERT_CHAIN_AUTO_FLUSH_NEXT_DELTA_SECONDS_VALUE_NAME L"AutoFlushNextDeltaSeconds"
+#define CERT_CHAIN_AUTO_FLUSH_NEXT_DELTA_SECONDS_DEFAULT (30 * 60)
+#define CERT_CHAIN_AUTO_LOG_FILE_NAME_VALUE_NAME L"AutoLogFileName"
+#define CERT_CHAIN_DISABLE_AUTO_FLUSH_PROCESS_NAME_LIST_VALUE_NAME L"DisableAutoFlushProcessNameList"
+
 #define CERT_SRV_OCSP_RESP_MIN_VALIDITY_SECONDS_VALUE_NAME L"SrvOcspRespMinValiditySeconds"
 #define CERT_SRV_OCSP_RESP_MIN_VALIDITY_SECONDS_DEFAULT (10 *60)
 #define CERT_SRV_OCSP_RESP_URL_RETRIEVAL_TIMEOUT_MILLISECONDS_VALUE_NAME L"SrvOcspRespUrlRetrievalTimeoutMilliseconds"
@@ -4772,6 +5152,10 @@
 #define CERT_SRV_OCSP_RESP_MIN_BEFORE_NEXT_UPDATE_SECONDS_DEFAULT (2 *60)
 #define CERT_SRV_OCSP_RESP_MIN_AFTER_NEXT_UPDATE_SECONDS_VALUE_NAME L"SrvOcspRespMinAfterNextUpdateSeconds"
 #define CERT_SRV_OCSP_RESP_MIN_AFTER_NEXT_UPDATE_SECONDS_DEFAULT (1 *60)
+#define CERT_SRV_OCSP_RESP_MIN_SYNC_CERT_FILE_SECONDS_VALUE_NAME L"SrvOcspRespMinSyncCertFileSeconds"
+#define CERT_SRV_OCSP_RESP_MIN_SYNC_CERT_FILE_SECONDS_DEFAULT 5
+#define CERT_SRV_OCSP_RESP_MAX_SYNC_CERT_FILE_SECONDS_VALUE_NAME L"SrvOcspRespMaxSyncCertFileSeconds"
+#define CERT_SRV_OCSP_RESP_MAX_SYNC_CERT_FILE_SECONDS_DEFAULT (1 * 60 * 60)
 #define CRYPTNET_MAX_CACHED_OCSP_PER_CRL_COUNT_VALUE_NAME L"CryptnetMaxCachedOcspPerCrlCount"
 #define CRYPTNET_MAX_CACHED_OCSP_PER_CRL_COUNT_DEFAULT 500
 #define CRYPTNET_OCSP_AFTER_CRL_DISABLE 0xffffffff
@@ -4804,6 +5188,24 @@
 #define CRYPTNET_PRE_FETCH_SCAN_AFTER_TRIGGER_DELAY_SECONDS_DEFAULT 30
 #define CRYPTNET_PRE_FETCH_RETRIEVAL_TIMEOUT_SECONDS_VALUE_NAME L"CryptnetPreFetchRetrievalTimeoutSeconds"
 #define CRYPTNET_PRE_FETCH_RETRIEVAL_TIMEOUT_SECONDS_DEFAULT (5 *60)
+#define CRYPTNET_CRL_PRE_FETCH_CONFIG_REGPATH CERT_CHAIN_CONFIG_REGPATH L"\\CrlPreFetch"
+#define CRYPTNET_CRL_PRE_FETCH_PROCESS_NAME_LIST_VALUE_NAME L"ProcessNameList"
+#define CRYPTNET_CRL_PRE_FETCH_URL_LIST_VALUE_NAME L"PreFetchUrlList"
+#define CRYPTNET_CRL_PRE_FETCH_DISABLE_INFORMATION_EVENTS_VALUE_NAME L"DisableInformationEvents"
+#define CRYPTNET_CRL_PRE_FETCH_LOG_FILE_NAME_VALUE_NAME L"LogFileName"
+#define CRYPTNET_CRL_PRE_FETCH_TIMEOUT_SECONDS_VALUE_NAME L"TimeoutSeconds"
+#define CRYPTNET_CRL_PRE_FETCH_TIMEOUT_SECONDS_DEFAULT (5 * 60)
+#define CRYPTNET_CRL_PRE_FETCH_MAX_AGE_SECONDS_VALUE_NAME L"MaxAgeSeconds"
+#define CRYPTNET_CRL_PRE_FETCH_MAX_AGE_SECONDS_DEFAULT (2 * 60 * 60)
+#define CRYPTNET_CRL_PRE_FETCH_MAX_AGE_SECONDS_MIN (5 * 60)
+#define CRYPTNET_CRL_PRE_FETCH_PUBLISH_BEFORE_NEXT_UPDATE_SECONDS_VALUE_NAME L"PublishBeforeNextUpdateSeconds"
+#define CRYPTNET_CRL_PRE_FETCH_PUBLISH_BEFORE_NEXT_UPDATE_SECONDS_DEFAULT (1 * 60 * 60)
+#define CRYPTNET_CRL_PRE_FETCH_PUBLISH_RANDOM_INTERVAL_SECONDS_VALUE_NAME L"PublishRandomIntervalSeconds"
+#define CRYPTNET_CRL_PRE_FETCH_PUBLISH_RANDOM_INTERVAL_SECONDS_DEFAULT (5 * 60)
+#define CRYPTNET_CRL_PRE_FETCH_MIN_BEFORE_NEXT_UPDATE_SECONDS_VALUE_NAME L"MinBeforeNextUpdateSeconds"
+#define CRYPTNET_CRL_PRE_FETCH_MIN_BEFORE_NEXT_UPDATE_SECONDS_DEFAULT (5 * 60)
+#define CRYPTNET_CRL_PRE_FETCH_MIN_AFTER_NEXT_UPDATE_SECONDS_VALUE_NAME L"MinAfterNextUpdateSeconds"
+#define CRYPTNET_CRL_PRE_FETCH_MIN_AFTER_NEXT_UPDATE_SECONDS_DEFAULT (5 * 60)
 #define CERT_GROUP_POLICY_CHAIN_CONFIG_REGPATH CERT_GROUP_POLICY_SYSTEM_STORE_REGPATH L"\\ChainEngine\\Config"
 #define CERT_CHAIN_URL_RETRIEVAL_TIMEOUT_MILLISECONDS_VALUE_NAME L"ChainUrlRetrievalTimeoutMilliseconds"
 #define CERT_CHAIN_URL_RETRIEVAL_TIMEOUT_MILLISECONDS_DEFAULT (15 *1000)
@@ -4827,6 +5229,7 @@
 
 #define HCCE_CURRENT_USER ((HCERTCHAINENGINE)NULL)
 #define HCCE_LOCAL_MACHINE ((HCERTCHAINENGINE)0x1)
+#define HCCE_SERIAL_LOCAL_MACHINE ((HCERTCHAINENGINE)0x2)
 
 #define CERT_CHAIN_CACHE_END_CERT 0x1
 #define CERT_CHAIN_THREAD_STORE_SYNC 0x2
@@ -4848,16 +5251,16 @@
     DWORD dwUrlRetrievalTimeout;
     DWORD MaximumCachedCertificates;
     DWORD CycleDetectionModulus;
-#if NTDDI_VERSION >= 0x06010000
+#if NTDDI_VERSION >= NTDDI_WIN7
     HCERTSTORE hExclusiveRoot;
     HCERTSTORE hExclusiveTrustedPeople;
 #endif
-#if NTDDI_VERSION >= 0x06020000
+#if NTDDI_VERSION >= NTDDI_WIN8
     DWORD dwExclusiveFlags;
 #endif
   } CERT_CHAIN_ENGINE_CONFIG,*PCERT_CHAIN_ENGINE_CONFIG;
 
-#if NTDDI_VERSION >= 0x06020000
+#if NTDDI_VERSION >= NTDDI_WIN8
 #define CERT_CHAIN_EXCLUSIVE_ENABLE_CA_FLAG 0x1
 #endif
 
@@ -4904,16 +5307,25 @@
 #define CERT_TRUST_AUTO_UPDATE_CA_REVOCATION 0x10
 #define CERT_TRUST_AUTO_UPDATE_END_REVOCATION 0x20
 #define CERT_TRUST_NO_OCSP_FAILOVER_TO_CRL 0x40
+#define CERT_TRUST_IS_KEY_ROLLOVER 0x00000080
+#define CERT_TRUST_SSL_HANDSHAKE_OCSP 0x00040000
+#define CERT_TRUST_SSL_TIME_VALID_OCSP 0x00080000
+#define CERT_TRUST_SSL_RECONNECT_OCSP 0x00100000
+
 #define CERT_TRUST_HAS_PREFERRED_ISSUER 0x100
 #define CERT_TRUST_HAS_ISSUANCE_CHAIN_POLICY 0x200
 #define CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS 0x400
 #define CERT_TRUST_IS_PEER_TRUSTED 0x800
 #define CERT_TRUST_HAS_CRL_VALIDITY_EXTENDED 0x1000
 #define CERT_TRUST_IS_FROM_EXCLUSIVE_TRUST_STORE 0x2000
-#if NTDDI_VERSION >= 0x06020000
-#define CERT_TRUST_IS_CA_TRUSTED 0x4000
+#if NTDDI_VERSION >= NTDDI_WIN8
+#define CERT_TRUST_IS_CA_TRUSTED 0x00004000
+#define CERT_TRUST_HAS_AUTO_UPDATE_WEAK_SIGNATURE 0x00008000
+#define CERT_TRUST_HAS_ALLOW_WEAK_SIGNATURE 0x00020000
 #endif
-#define CERT_TRUST_IS_COMPLEX_CHAIN 0x10000
+#define CERT_TRUST_IS_COMPLEX_CHAIN 0x00010000
+#define CERT_TRUST_SSL_TIME_VALID 0x01000000
+#define CERT_TRUST_NO_TIME_CHECK 0x02000000
 
   typedef struct _CERT_REVOCATION_INFO {
     DWORD cbSize;
@@ -5118,6 +5530,10 @@
 #define CERT_CHAIN_POLICY_NT_AUTH ((LPCSTR) 6)
 #define CERT_CHAIN_POLICY_MICROSOFT_ROOT ((LPCSTR) 7)
 #define CERT_CHAIN_POLICY_EV ((LPCSTR) 8)
+#define CERT_CHAIN_POLICY_SSL_F12 ((LPCSTR) 9)
+#define CERT_CHAIN_POLICY_SSL_HPKP_HEADER ((LPCSTR) 10)
+#define CERT_CHAIN_POLICY_THIRD_PARTY_ROOT ((LPCSTR) 11)
+#define CERT_CHAIN_POLICY_SSL_KEY_PIN ((LPCSTR) 12)
 
   typedef struct _AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA {
     DWORD cbSize;
@@ -5151,8 +5567,9 @@
 
 #define BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_CA_FLAG 0x80000000
 #define BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_END_ENTITY_FLAG 0x40000000
-#define MICROSOFT_ROOT_CERT_CHAIN_POLICY_ENABLE_TEST_ROOT_FLAG 0x10000
-#define MICROSOFT_ROOT_CERT_CHAIN_POLICY_CHECK_APPLICATION_ROOT_FLAG 0x20000
+#define MICROSOFT_ROOT_CERT_CHAIN_POLICY_ENABLE_TEST_ROOT_FLAG 0x00010000
+#define MICROSOFT_ROOT_CERT_CHAIN_POLICY_CHECK_APPLICATION_ROOT_FLAG 0x00020000
+#define MICROSOFT_ROOT_CERT_CHAIN_POLICY_DISABLE_FLIGHT_ROOT_FLAG 0x00040000
 
   typedef struct _EV_EXTRA_CERT_CHAIN_POLICY_PARA {
     DWORD cbSize;
@@ -5165,6 +5582,53 @@
     DWORD dwIssuanceUsageIndex;
   } EV_EXTRA_CERT_CHAIN_POLICY_STATUS,*PEV_EXTRA_CERT_CHAIN_POLICY_STATUS;
 
+#define SSL_F12_ERROR_TEXT_LENGTH 256
+  typedef struct _SSL_F12_EXTRA_CERT_CHAIN_POLICY_STATUS {
+    DWORD cbSize;
+    DWORD dwErrorLevel;
+    DWORD dwErrorCategory;
+    DWORD dwReserved;
+    WCHAR wszErrorText[SSL_F12_ERROR_TEXT_LENGTH];  // Localized
+  } SSL_F12_EXTRA_CERT_CHAIN_POLICY_STATUS, *PSSL_F12_EXTRA_CERT_CHAIN_POLICY_STATUS;
+
+#define CERT_CHAIN_POLICY_SSL_F12_SUCCESS_LEVEL 0
+#define CERT_CHAIN_POLICY_SSL_F12_WARNING_LEVEL 1
+#define CERT_CHAIN_POLICY_SSL_F12_ERROR_LEVEL 2
+
+#define CERT_CHAIN_POLICY_SSL_F12_NONE_CATEGORY 0
+#define CERT_CHAIN_POLICY_SSL_F12_WEAK_CRYPTO_CATEGORY 1
+#define CERT_CHAIN_POLICY_SSL_F12_ROOT_PROGRAM_CATEGORY 2
+
+#define SSL_HPKP_PKP_HEADER_INDEX 0
+#define SSL_HPKP_PKP_RO_HEADER_INDEX 1
+#define SSL_HPKP_HEADER_COUNT 2
+
+  typedef struct _SSL_HPKP_HEADER_EXTRA_CERT_CHAIN_POLICY_PARA {
+    DWORD cbSize;
+    DWORD dwReserved;
+    LPWSTR pwszServerName;
+    LPSTR rgpszHpkpValue[SSL_HPKP_HEADER_COUNT];
+  } SSL_HPKP_HEADER_EXTRA_CERT_CHAIN_POLICY_PARA, *PSSL_HPKP_HEADER_EXTRA_CERT_CHAIN_POLICY_PARA;
+
+  typedef struct _SSL_KEY_PIN_EXTRA_CERT_CHAIN_POLICY_PARA {
+    DWORD cbSize;
+    DWORD dwReserved;
+    PCWSTR pwszServerName;
+  } SSL_KEY_PIN_EXTRA_CERT_CHAIN_POLICY_PARA, *PSSL_KEY_PIN_EXTRA_CERT_CHAIN_POLICY_PARA;
+
+#define SSL_KEY_PIN_ERROR_TEXT_LENGTH   512
+  typedef struct _SSL_KEY_PIN_EXTRA_CERT_CHAIN_POLICY_STATUS {
+    DWORD cbSize;
+    LONG lError;
+    WCHAR wszErrorText[SSL_KEY_PIN_ERROR_TEXT_LENGTH];
+  } SSL_KEY_PIN_EXTRA_CERT_CHAIN_POLICY_STATUS, *PSSL_KEY_PIN_EXTRA_CERT_CHAIN_POLICY_STATUS;
+
+#define CERT_CHAIN_POLICY_SSL_KEY_PIN_MISMATCH_ERROR -2
+#define CERT_CHAIN_POLICY_SSL_KEY_PIN_MITM_ERROR -1
+#define CERT_CHAIN_POLICY_SSL_KEY_PIN_SUCCESS 0
+#define CERT_CHAIN_POLICY_SSL_KEY_PIN_MITM_WARNING 1
+#define CERT_CHAIN_POLICY_SSL_KEY_PIN_MISMATCH_WARNING 2
+
 #define CryptStringToBinary __MINGW_NAME_AW(CryptStringToBinary)
 #define CryptBinaryToString __MINGW_NAME_AW(CryptBinaryToString)
 
@@ -5186,7 +5650,13 @@
 #define CRYPT_STRING_HEXADDR 0x0000000a
 #define CRYPT_STRING_HEXASCIIADDR 0x0000000b
 #define CRYPT_STRING_HEXRAW 0x0000000c
+#define CRYPT_STRING_BASE64URI 0x0000000d
 
+#define CRYPT_STRING_ENCODEMASK 0x000000ff
+#define CRYPT_STRING_RESERVED100 0x00000100
+#define CRYPT_STRING_RESERVED200 0x00000200
+
+#define CRYPT_STRING_PERCENTESCAPE 0x08000000
 #define CRYPT_STRING_HASHDATA 0x10000000
 #define CRYPT_STRING_STRICT 0x20000000
 #define CRYPT_STRING_NOCRLF 0x40000000
@@ -5199,6 +5669,8 @@
 #define szOID_PKCS_12_pbeWithSHA1And2KeyTripleDES "1.2.840.113549.1.12.1.4"
 #define szOID_PKCS_12_pbeWithSHA1And128BitRC2 "1.2.840.113549.1.12.1.5"
 #define szOID_PKCS_12_pbeWithSHA1And40BitRC2 "1.2.840.113549.1.12.1.6"
+#define szOID_PKCS_5_PBKDF2 "1.2.840.113549.1.5.12"
+#define szOID_PKCS_5_PBES2 "1.2.840.113549.1.5.13"
 
   typedef struct _CRYPT_PKCS12_PBE_PARAMS {
     int iIterations;
@@ -5217,12 +5689,19 @@
 #define CRYPT_USER_KEYSET 0x1000
 #define PKCS12_PREFER_CNG_KSP 0x100
 #define PKCS12_ALWAYS_CNG_KSP 0x200
+#define PKCS12_ONLY_CERTIFICATES 0x00000400
+#define PKCS12_ONLY_NOT_ENCRYPTED_CERTIFICATES 0x00000800
 #define PKCS12_ALLOW_OVERWRITE_KEY 0x4000
 #define PKCS12_NO_PERSIST_KEY 0x8000
+#define PKCS12_VIRTUAL_ISOLATION_KEY 0x00010000
 #define PKCS12_IMPORT_RESERVED_MASK 0xffff0000
 
 #define PKCS12_OBJECT_LOCATOR_ALL_IMPORT_FLAGS (PKCS12_ALWAYS_CNG_KSP | PKCS12_NO_PERSIST_KEY | PKCS12_IMPORT_SILENT | PKCS12_INCLUDE_EXTENDED_PROPERTIES)
 
+#define PKCS12_ONLY_CERTIFICATES_PROVIDER_TYPE 0
+#define PKCS12_ONLY_CERTIFICATES_PROVIDER_NAME L"PfxProvider"
+#define PKCS12_ONLY_CERTIFICATES_CONTAINER_NAME L"PfxContainer"
+
   WINIMPM WINBOOL WINAPI PFXIsPFXBlob (CRYPT_DATA_BLOB *pPFX);
   WINIMPM WINBOOL WINAPI PFXVerifyPassword (CRYPT_DATA_BLOB *pPFX, LPCWSTR szPassword, DWORD dwFlags);
   WINIMPM WINBOOL WINAPI PFXExportCertStoreEx (HCERTSTORE hStore, CRYPT_DATA_BLOB *pPFX, LPCWSTR szPassword, void *pvPara, DWORD dwFlags);
@@ -5233,11 +5712,31 @@
 #define PKCS12_INCLUDE_EXTENDED_PROPERTIES 0x10
 #define PKCS12_PROTECT_TO_DOMAIN_SIDS 0x20
 #define PKCS12_EXPORT_SILENT 0x40
+#define PKCS12_EXPORT_PBES2_PARAMS 0x0080
+#define PKCS12_DISABLE_ENCRYPT_CERTIFICATES 0x0100
+#define PKCS12_ENCRYPT_CERTIFICATES 0x0200
+#define PKCS12_EXPORT_ECC_CURVE_PARAMETERS 0x1000
+#define PKCS12_EXPORT_ECC_CURVE_OID 0x2000
 #define PKCS12_EXPORT_RESERVED_MASK 0xffff0000
 
+#define PKCS12_PBKDF2_ID_HMAC_SHA1 "1.2.840.113549.2.7"
+#define PKCS12_PBKDF2_ID_HMAC_SHA256 "1.2.840.113549.2.9"
+#define PKCS12_PBKDF2_ID_HMAC_SHA384 "1.2.840.113549.2.10"
+#define PKCS12_PBKDF2_ID_HMAC_SHA512 "1.2.840.113549.2.11"
+
+  typedef struct _PKCS12_PBES2_EXPORT_PARAMS {
+    DWORD dwSize;
+    PVOID hNcryptDescriptor;
+    LPWSTR pwszPbes2Alg;
+  } PKCS12_PBES2_EXPORT_PARAMS, *PPKCS12_PBES2_EXPORT_PARAMS;
+
+#define PKCS12_PBES2_ALG_AES256_SHA256 L"AES256-SHA256"
+#define PKCS12_CONFIG_REGPATH L"Software\\Microsoft\\Windows\\CurrentVersion\\PFX"
+#define PKCS12_ENCRYPT_CERTIFICATES_VALUE_NAME L"EncryptCertificates"
+
   WINIMPM WINBOOL WINAPI PFXExportCertStore (HCERTSTORE hStore, CRYPT_DATA_BLOB *pPFX, LPCWSTR szPassword, DWORD dwFlags);
 
-#if NTDDI_VERSION >= 0x06000000
+#if NTDDI_VERSION >= NTDDI_VISTA
   typedef VOID *HCERT_SERVER_OCSP_RESPONSE;
 
   WINIMPM HCERT_SERVER_OCSP_RESPONSE WINAPI CertOpenServerOcspResponse (PCCERT_CHAIN_CONTEXT pChainContext, DWORD dwFlags, LPVOID pvReserved);
@@ -5256,6 +5755,20 @@
     DWORD cbEncodedOcspResponse;
   };
 
+  typedef VOID (CALLBACK *PFN_CERT_SERVER_OCSP_RESPONSE_UPDATE_CALLBACK)(PCCERT_CHAIN_CONTEXT pChainContext, PCCERT_SERVER_OCSP_RESPONSE_CONTEXT pServerOcspResponseContext, PCCRL_CONTEXT pNewCrlContext, PCCRL_CONTEXT pPrevCrlContext, PVOID pvArg, DWORD dwWriteOcspFileError);
+
+  typedef struct _CERT_SERVER_OCSP_RESPONSE_OPEN_PARA {
+    DWORD cbSize;
+    DWORD dwFlags;
+    DWORD *pcbUsedSize;
+    PWSTR pwszOcspDirectory;
+    PFN_CERT_SERVER_OCSP_RESPONSE_UPDATE_CALLBACK pfnUpdateCallback;
+    PVOID pvUpdateCallbackArg;
+  } CERT_SERVER_OCSP_RESPONSE_OPEN_PARA, *PCERT_SERVER_OCSP_RESPONSE_OPEN_PARA;
+
+#define CERT_SERVER_OCSP_RESPONSE_OPEN_PARA_READ_FLAG 0x00000001
+#define CERT_SERVER_OCSP_RESPONSE_OPEN_PARA_WRITE_FLAG 0x00000002
+
   WINIMPM PCCERT_SERVER_OCSP_RESPONSE_CONTEXT WINAPI CertGetServerOcspResponseContext (HCERT_SERVER_OCSP_RESPONSE hServerOcspResponse, DWORD dwFlags, LPVOID pvReserved);
   WINIMPM VOID WINAPI CertAddRefServerOcspResponseContext (PCCERT_SERVER_OCSP_RESPONSE_CONTEXT pServerOcspResponseContext);
   WINIMPM VOID WINAPI CertFreeServerOcspResponseContext (PCCERT_SERVER_OCSP_RESPONSE_CONTEXT pServerOcspResponseContext);
@@ -5271,7 +5784,7 @@
 #define CERT_RETRIEVE_BIOMETRIC_PICTURE_TYPE (CERT_RETRIEVE_BIOMETRIC_PREDEFINED_BASE_TYPE + CERT_BIOMETRIC_PICTURE_TYPE)
 #define CERT_RETRIEVE_BIOMETRIC_SIGNATURE_TYPE (CERT_RETRIEVE_BIOMETRIC_PREDEFINED_BASE_TYPE + CERT_BIOMETRIC_SIGNATURE_TYPE)
 
-#if NTDDI_VERSION >= 0x06010000
+#if NTDDI_VERSION >= NTDDI_WIN7
   typedef struct _CERT_SELECT_CHAIN_PARA {
     HCERTCHAINENGINE hChainEngine;
     PFILETIME pTime;
@@ -5303,6 +5816,9 @@
 #define CERT_SELECT_BY_ISSUER_NAME 9
 #define CERT_SELECT_BY_PUBLIC_KEY 10
 #define CERT_SELECT_BY_TLS_SIGNATURES 11
+#define CERT_SELECT_BY_ISSUER_DISPLAYNAME 12
+#define CERT_SELECT_BY_FRIENDLYNAME 13
+#define CERT_SELECT_BY_THUMBPRINT 14
 
 #define CERT_SELECT_LAST CERT_SELECT_BY_TLS_SIGNATURES
 #define CERT_SELECT_MAX (CERT_SELECT_LAST *3)
@@ -5315,12 +5831,13 @@
 #define CERT_SELECT_HAS_KEY_FOR_KEY_EXCHANGE 0x20
 #define CERT_SELECT_HARDWARE_ONLY 0x40
 #define CERT_SELECT_ALLOW_DUPLICATES 0x80
+#define CERT_SELECT_IGNORE_AUTOSELECT 0x00000100
 
   WINIMPM WINBOOL WINAPI CertSelectCertificateChains (LPCGUID pSelectionContext, DWORD dwFlags, PCCERT_SELECT_CHAIN_PARA pChainParameters, DWORD cCriteria, PCCERT_SELECT_CRITERIA rgpCriteria, HCERTSTORE hStore, PDWORD pcSelection, PCCERT_CHAIN_CONTEXT **pprgpSelection);
   WINIMPM VOID WINAPI CertFreeCertificateChainList (PCCERT_CHAIN_CONTEXT *prgpSelection);
 #endif
 
-#if NTDDI_VERSION >= 0x06010000
+#if NTDDI_VERSION >= NTDDI_WIN7
 #define TIMESTAMP_VERSION 1
 
   typedef struct _CRYPT_TIMESTAMP_REQUEST {
@@ -5402,7 +5919,7 @@
   WINBOOL WINAPI CryptVerifyTimeStampSignature (const BYTE *pbTSContentInfo, DWORD cbTSContentInfo, const BYTE *pbData, DWORD cbData, HCERTSTORE hAdditionalStore, PCRYPT_TIMESTAMP_CONTEXT *ppTsContext, PCCERT_CONTEXT *ppTsSigner, HCERTSTORE *phStore);
 #endif
 
-#if NTDDI_VERSION >= 0x06020000
+#if NTDDI_VERSION >= NTDDI_WIN8
 #define CRYPT_OBJECT_LOCATOR_SPN_NAME_TYPE 1
 #define CRYPT_OBJECT_LOCATOR_LAST_RESERVED_NAME_TYPE 32
 #define CRYPT_OBJECT_LOCATOR_FIRST_RESERVED_USER_NAME_TYPE 33
@@ -5434,6 +5951,14 @@
   } CRYPT_OBJECT_LOCATOR_PROVIDER_TABLE,*PCRYPT_OBJECT_LOCATOR_PROVIDER_TABLE;
 
   typedef WINBOOL (WINAPI *PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_INITIALIZE) (PFN_CRYPT_OBJECT_LOCATOR_PROVIDER_FLUSH pfnFlush, LPVOID pContext, DWORD *pdwExpectedObjectCount, PCRYPT_OBJECT_LOCATOR_PROVIDER_TABLE *ppFuncTable, void **ppPluginContext);
+
+  WINIMPM WINBOOL WINAPI CertIsWeakHash(DWORD dwHashUseType, LPCWSTR pwszCNGHashAlgid, DWORD dwChainFlags, PCCERT_CHAIN_CONTEXT pSignerChainContext, LPFILETIME pTimeStamp, LPCWSTR pwszFileName);
+
+  typedef WINBOOL (WINAPI *PFN_CERT_IS_WEAK_HASH)(DWORD dwHashUseType, LPCWSTR pwszCNGHashAlgid, DWORD dwChainFlags, PCCERT_CHAIN_CONTEXT pSignerChainContext, LPFILETIME pTimeStamp, LPCWSTR pwszFileName);
+
+#define CERT_FILE_HASH_USE_TYPE 1
+#define CERT_TIMESTAMP_HASH_USE_TYPE 2
+
 #endif
 #endif