CertGetPublicKeyLength callback?

  • Question

  • Hi,

    By implementing and registering a CNG hash algorithm provider, I've successfully imported a certificate, whose signature algorithm is a 256-bit ECC public key algorithm, into the Windows key storage. The certificate can be enumerated in the "MY" store and viewed by CryptUIDlgViewCertificate().

    The certificate can be verified by adding a custom CRYPT_OID_VERIFY_ENCODED_SIGNATURE_FUNC for its OID, but in the detail view of CryptUIDlgViewCertificate, the public key is shown as "ECC (0 Bits)", and a public key parameter is shown as "1.xx.xx.xxxxx.xx".

    I guess the "(0 Bits)" thing is retrieved by CertGetPublicKeyLength, but since the public key parameter is unknown to Windows, Windows cannot get the public key length properly.

    My question is: Is there any callback that can be registered into the current system, which takes a parameter such as PCERT_PUBLIC_KEY_INFO and returns the key length of this public key, so that the callback is used when CertGetPublicKeyLength() is called to get the right key bits?

    Thanks a lot.

    Saturday, March 17, 2012 2:23 AM

Answers

  • You might want to look into extending CertOpenStore functionality (http://msdn.microsoft.com/en-us/library/windows/desktop/aa382403%28v=vs.85%29.aspx). This will allow you to intercept the call to CertGetCertificateContextProperty through your registered CertStoreProvGetCertProperty callback. 

    ----
    Nima Sharifimehr.
    sbucsc at yahoo dot com

    Sunday, March 18, 2012 5:02 PM
    1) Does "extending CertOpenStore functionality" mean that I have to implement a CryptoAPI physical store for my ECC certificates?

    The short answer is yes. There might be other ways of accomplishing what you need, but this is the one that I can think of right now.

    2) Must all callback functions in PCERT_STORE_PROV_INFO of CertDllOpenStoreProv be implemented? What happens if I just implement "CERT_STORE_PROV_GET_CERT_PROPERTY_FUNC"?

    Not all the functions need to be implemented. But you will at least need to implement CERT_STORE_PROV_GET_CERT_PROPERTY_FUNC, CERT_STORE_PROV_FIND_CERT_FUNC, and CERT_STORE_PROV_FREE_FIND_CERT_FUNC.

    3) What is the difference between a CNG key storage provider and an extended CryptoAPI certificate store? Or what is the relation between the KSP and the store, one for the private key and one for the certificate?

    You answered your questions: A physical certificate store is for holding the certificates and a KSP is for holding your private keys. Though I should mention that KSPs can also hold certificates (i.e. Smartcard KSPs) which you can reach through calls to NCryptGetProperty with NCRYPT_USER_CERTSTORE_PROPERTY, NCRYPT_CERTIFICATE_PROPERTY, NCRYPT_ROOT_CERTSTORE_PROPERTY parameters.

    ----
    Nima Sharifimehr.
    sbucsc at yahoo dot com

    • Marked as answer by Paul Zhuang Sunday, March 25, 2012 4:49 AM
    Saturday, March 24, 2012 3:59 PM
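    The question above is about where the "ECC (0 Bits)" figure comes from, and the answer is about returning a correct value from a custom store's property callback. The following is an added example, not code from the thread or from Windows: a portable helper that derives the key bit length from the raw SEC1 point bytes that CERT_PUBLIC_KEY_INFO.PublicKey (a CRYPT_BIT_BLOB) carries for an id-ecPublicKey key. It assumes the custom provider encodes its public key as a SEC1 point (uncompressed 04||X||Y or compressed 02/03||X); the sample points are constructed filler and are not validated as lying on any curve. The function names are hypothetical.

    ```c
    #include <stddef.h>
    #include <stdint.h>
    #include <stdio.h>

    /* Hypothetical helper (added example): derive the bit length of an EC
     * public key from its SEC1 point encoding. Returns 0 when the encoding is
     * not recognised, which is the same "0 Bits" outcome the Windows UI shows
     * for a curve it does not know. */
    unsigned ec_point_key_bits(const uint8_t *pt, size_t len)
    {
        size_t coord_len;
        if (pt == NULL || len < 2)
            return 0;
        switch (pt[0]) {
        case 0x04:                        /* uncompressed: 04 || X || Y */
            if ((len - 1) % 2 != 0)       /* X and Y must be the same width */
                return 0;
            coord_len = (len - 1) / 2;
            break;
        case 0x02:                        /* compressed: 02/03 || X */
        case 0x03:
            coord_len = len - 1;
            break;
        default:
            return 0;                     /* unknown point format */
        }
        /* Coordinates are zero-padded to the field width, so the byte width
         * gives the field size: 32 -> 256, 48 -> 384. P-521 pads to 66 bytes
         * but its field is 521 bits, so map that case explicitly; a provider
         * for a custom curve would substitute its own field order here, which
         * is exactly the knowledge Windows lacks for an unknown parameter OID. */
        if (coord_len == 66)
            return 521;
        return (unsigned)(coord_len * 8);
    }

    /* Build a constructed sample point of the given layout and measure it.
     * The coordinate bytes are filler, NOT a real curve point. */
    static unsigned demo_bits(uint8_t prefix, size_t coord_len, int two_coords)
    {
        uint8_t buf[1 + 2 * 66];
        size_t len = 1 + coord_len * (two_coords ? 2u : 1u);
        size_t i;
        buf[0] = prefix;
        for (i = 1; i < len; i++)
            buf[i] = (uint8_t)(0xA5 ^ i);
        return ec_point_key_bits(buf, len);
    }

    unsigned demo_p256_uncompressed(void)  { return demo_bits(0x04, 32, 1); }
    unsigned demo_p256_compressed(void)    { return demo_bits(0x02, 32, 0); }
    unsigned demo_p384_uncompressed(void)  { return demo_bits(0x04, 48, 1); }
    unsigned demo_p521_uncompressed(void)  { return demo_bits(0x04, 66, 1); }
    unsigned demo_unknown_prefix(void)     { return demo_bits(0x05, 32, 1); }

    /* Uncompressed prefix with an odd payload: cannot split into X and Y. */
    unsigned demo_truncated_uncompressed(void)
    {
        static const uint8_t bad[4] = { 0x04, 0x01, 0x02, 0x03 };
        return ec_point_key_bits(bad, sizeof bad);
    }

    int main(void)
    {
        printf("P-256 uncompressed: %u bits\n", demo_p256_uncompressed());
        printf("P-256 compressed:   %u bits\n", demo_p256_compressed());
        printf("P-384 uncompressed: %u bits\n", demo_p384_uncompressed());
        printf("P-521 uncompressed: %u bits\n", demo_p521_uncompressed());
        printf("unknown prefix:     %u bits\n", demo_unknown_prefix());
        printf("truncated point:    %u bits\n", demo_truncated_uncompressed());
        return 0;
    }
    ```

    Inside a custom store provider this is the kind of computation the property callback would perform before handing a length back to the caller; anything the helper cannot parse yields 0 rather than a guessed size, so a malformed key is reported the same way Windows already reports an unknown one.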

All replies

  • Thanks very much for the reply; that is really like lightning in the dark :-)

    But one answer brings more questions; I am still wondering:

    1) Does "extending CertOpenStore functionality" mean that I have to implement a CryptoAPI physical store for my ECC certificates?

    2) Must all callback functions in PCERT_STORE_PROV_INFO of CertDllOpenStoreProv be implemented? What happens if I just implement "CERT_STORE_PROV_GET_CERT_PROPERTY_FUNC"?

    3) What is the difference between a CNG key storage provider and an extended CryptoAPI certificate store? Or what is the relation between the KSP and the store, one for the private key and one for the certificate?

    Thanks a lot again.

    Saturday, March 24, 2012 1:52 PM