How to prevent PFXExportCertStoreEx from placing szOID_PKCS_12_KEY_PROVIDER_NAME_ATTR in a .P12

  • I want to know how to prevent PFXExportCertStoreEx from placing szOID_PKCS_12_KEY_PROVIDER_NAME_ATTR in a newly created .P12.

    The CertStore has a Next Gen RSA private key, but I want the P12 to be readable with CryptoAPI too. 

    My observation is that the PKCS12_INCLUDE_EXTENDED_PROPERTIES flag makes no difference.

    The szOID_PKCS_12_KEY_PROVIDER_NAME_ATTR always appears with this call using a CryptNGKey:

    BOOL res = ::PFXExportCertStoreEx(itsStore, &cdb, password, 0, dwFlags | PKCS12_INCLUDE_EXTENDED_PROPERTIES);

      Attribute[2]: 1.3.6.1.4.1.311.17.1 (szOID_PKCS_12_KEY_PROVIDER_NAME_ATTR)
        Value[2][0], Length = 50
        Microsoft Software Key Storage Provider

    I use "certutil -dumpPFX file.p12" to examine the P12.

    The problem shows up when PFXImportCertStore is called.  It can't be told to ignore the attribute.  The documentation says:

    "When you import a certificate from the PFX packet, the CSP/KSP container name is determined by using the AttributeId with OID 1.3.6.1.4.1.311.17.1 of the PKCS8ShroudedKeyBag SafeBag [bagId: 1.2.840.113549.1.12.10.1.2] (see PKCS #12 for details about the ASN.1 structure of this).

    AttributeId: 1.3.6.1.4.1.311.17.1
    Value: The KSP name or CSP name

    If the AttributeId is not present and the PREFER_CNG flag is passed, MS_KEY_STORAGE_PROVIDER is picked. If the AttributeId is not present and the PREFER_CNG flag is not passed, the provider name is determined based on the public key algorithm (that is, the public key algorithm is determined by the AlgorithmIdentifier in PKCS #8):

    RSA: MS_ENHANCED_PROV_W
    DSA: MS_DEF_DSS_DH_PROV_W"

    Does anybody have experience with this issue?

    Monday, March 27, 2017 2:16 PM
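Added example, not part of the original post and not Microsoft code: a small pure-Python DER tool that (a) finds the 1.3.6.1.4.1.311.17.1 attribute in a PKCS8ShroudedKeyBag SafeBag, (b) applies the provider-selection rule quoted from the PFXImportCertStore documentation so you can predict which CSP/KSP an import would bind the key to, and (c) re-encodes the SafeBag without that attribute as one hypothetical post-processing approach (the page itself offers no way to suppress the attribute). The SafeBag is constructed inline to mirror the certutil dump above; the shrouded key is a placeholder, and the provider display strings behind MS_ENHANCED_PROV_W and MS_DEF_DSS_DH_PROV_W are taken from wincrypt.h. Stripping only works where the key SafeContents is unencrypted (the usual layout), and the PFX MacData must be recomputed afterwards, which this script does not do.

```python
"""Locate, strip, and reason about szOID_PKCS_12_KEY_PROVIDER_NAME_ATTR in a
PKCS #12 SafeBag using a minimal DER codec (no Windows APIs needed)."""

OID_KEY_PROVIDER_NAME = "1.3.6.1.4.1.311.17.1"         # szOID_PKCS_12_KEY_PROVIDER_NAME_ATTR
OID_PKCS8_SHROUDED_KEY_BAG = "1.2.840.113549.1.12.10.1.2"
MS_KEY_STORAGE_PROVIDER = "Microsoft Software Key Storage Provider"
MS_ENHANCED_PROV_W = "Microsoft Enhanced Cryptographic Provider v1.0"
MS_DEF_DSS_DH_PROV_W = "Microsoft Base DSS and Diffie-Hellman Cryptographic Provider"
SEQUENCE, SET, OID, OCTET_STRING, BMPSTRING, CTX0 = 0x30, 0x31, 0x06, 0x04, 0x1E, 0xA0


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, body):
    """Encode one DER TLV, short or long length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _attribute(oid, value_tlv):
    # PKCS12Attribute ::= SEQUENCE { attrId OID, attrValues SET OF ANY }
    return _tlv(SEQUENCE, _tlv(OID, _encode_oid(oid)) + _tlv(SET, value_tlv))


def build_sample_safebag():
    """Constructed stand-in for the key SafeBag in the question. The BMPString gets
    a trailing NUL so it is 0x50 bytes like the dumped one; the key is a placeholder."""
    provider = _tlv(BMPSTRING, (MS_KEY_STORAGE_PROVIDER + "\x00").encode("utf-16-be"))
    friendly = _tlv(BMPSTRING, "sample-key\x00".encode("utf-16-be"))
    key = _tlv(CTX0, _tlv(SEQUENCE, _tlv(OCTET_STRING, b"<EncryptedPrivateKeyInfo placeholder>")))
    attrs = _attribute("1.2.840.113549.1.9.20", friendly) + _attribute(OID_KEY_PROVIDER_NAME, provider)
    return _tlv(SEQUENCE, _tlv(OID, _encode_oid(OID_PKCS8_SHROUDED_KEY_BAG)) + key + _tlv(SET, attrs))


def _walk(buf):
    """Yield (tag, body) for every TLV, descending into constructed types."""
    pos = 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        yield tag, body
        if tag & 0x20:
            yield from _walk(body)


def find_key_provider_name(der):
    """Return the provider name carried by 1.3.6.1.4.1.311.17.1, or None if absent."""
    for tag, body in _walk(der):
        if tag != SEQUENCE:
            continue
        try:
            t_oid, oid_body, p = _read_tlv(body, 0)
            t_set, set_body, _ = _read_tlv(body, p)
            if t_oid == OID and t_set == SET and _decode_oid(oid_body) == OID_KEY_PROVIDER_NAME:
                t_val, val, _ = _read_tlv(set_body, 0)
                if t_val == BMPSTRING:
                    return val.decode("utf-16-be").rstrip("\x00")
        except IndexError:                  # not a PKCS12Attribute-shaped SEQUENCE
            continue
    return None


def strip_key_provider_attribute(safebag_der):
    """Re-encode one SafeBag without the provider-name attribute (hypothetical
    post-processing; caller must recompute the PFX MacData afterwards)."""
    _, body, _ = _read_tlv(safebag_der, 0)
    pos, parts = 0, []
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == SET:                      # bagAttributes: filter SET OF PKCS12Attribute
            kept, apos = b"", 0
            while apos < len(inner):
                atag, abody, apos = _read_tlv(inner, apos)
                if _decode_oid(_read_tlv(abody, 0)[1]) != OID_KEY_PROVIDER_NAME:
                    kept += _tlv(atag, abody)
            inner = kept
        parts.append(_tlv(tag, inner))
    return _tlv(SEQUENCE, b"".join(parts))


def select_provider(attr_provider, prefer_cng, public_key_algorithm):
    """The selection rule quoted from the PFXImportCertStore documentation."""
    if attr_provider is not None:
        return attr_provider
    if prefer_cng:
        return MS_KEY_STORAGE_PROVIDER
    return {"RSA": MS_ENHANCED_PROV_W, "DSA": MS_DEF_DSS_DH_PROV_W}[public_key_algorithm]


if __name__ == "__main__":
    bag = build_sample_safebag()
    name = find_key_provider_name(bag)
    print("attribute:", name, "-> import binds to:", select_provider(name, False, "RSA"))
    print("stripped:", find_key_provider_name(strip_key_provider_attribute(bag)),
          "-> import binds to:", select_provider(None, False, "RSA"))
```

Running `find_key_provider_name` over the bytes of a real .p12 tells you, before any import, whether the key is pinned to a KSP; `select_provider` then shows why a CryptoAPI-only consumer would not be offered the key unless the attribute is absent and PKCS12_PREFER_CNG_KSP is not passed.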