Windows.Security.Certificate API? What is it good for?

  • Question

  • I've used the System.Security.Cryptography.X509Certificate APIs quite extensively in the .Net runtime for encryption purposes. The team has done a good job making a potentially complex operation actually quite easy. My common use cases for the X509Certificate APIs are largely encrypting symmetric keys for key exchanges, and signing data for integrity purposes. As I dig into the Windows Runtime, I see that there is a Windows.Security.Cryptography.Certificates namespace full of classes, but I honestly don't see how it's used for .... well.... you know... Cryptographic purposes. Is it possible to use the Certificate APIs to

    1. Encrypt a symmetric key for key exchange purposes

    2. Sign/Validate hashes for integrity purposes?

    I did look at the Cryptography & Certificates sample (http://code.msdn.microsoft.com/windowsapps/Cryptography-and-3305467b) and it only showed me how to request/enroll certificates. It didn't do anything to actually USE the certificates. Can someone help me out?

    Wednesday, January 8, 2014 4:10 PM

All replies

  • Hi,

    The classes provided in the Windows.Security.Cryptography.Certificates namespace don't seem to provide access to a certificate's private key which is what is needed to perform the Cryptographic operations you're looking for.

    I'll ping some internal crypto folks and see what options you have.

    Regards,


    Carlos Lopez - Microsoft Escalation Engineer

    Wednesday, January 8, 2014 11:30 PM
    Moderator
  • I look forward to your reply. This is an additional problem I ran into while I was trying to find a solution to another problem in the WinRT Cryptography API.

    Also, can you ping them on what the intent of the Certificate APIs is? It appears that it's not for cryptography, as I can figure out how to use it for that purpose. Maybe they had intentions for it, other than cryptography.

    • Edited by DPinTX Thursday, January 9, 2014 10:15 PM
    Thursday, January 9, 2014 10:14 PM
  • So there is a solution.  I got the following answer from one of the developers.

    The class they’re looking for is PersistedKeyProvider (http://msdn.microsoft.com/en-US/library/windows/apps/windows.security.cryptography.core.persistedkeyprovider).  They can use the CryptographicKey they get back from either of its methods with the CryptographicEngine (http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.core.cryptographicengine.aspx)  for all of the operations they’re looking for.

    Thanks


    Carlos Lopez - Microsoft Escalation Engineer

    Wednesday, January 15, 2014 12:50 AM
    Moderator
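
The approach described in the last reply, applied to the two use cases from the question, as an added example that is not code from the thread or from Microsoft. It assumes a Windows 8.1 or later Windows Runtime app with an RSA certificate and private key already enrolled in the app's store; the friendly name "ExampleCert", the class and method names, and the padding and hash choices (OAEP with SHA-1 for key wrapping, PKCS#1 v1.5 with SHA-256 for signing) are assumptions and must match whatever the other party expects.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Certificates;
using Windows.Security.Cryptography.Core;
using Windows.Storage.Streams;

public static class CertificateCryptoExample
{
    // "ExampleCert" is a hypothetical friendly name, not a value from the thread.
    public static async Task<Certificate> FindCertificateAsync(string friendlyName = "ExampleCert")
    {
        var query = new CertificateQuery { FriendlyName = friendlyName };
        var matches = await CertificateStores.FindAllAsync(query);
        foreach (Certificate cert in matches)
            if (cert.HasPrivateKey) return cert;   // signing and unwrapping need the private key
        throw new InvalidOperationException("No certificate with a private key was found.");
    }

    // Use case 1: wrap a random 256-bit symmetric key with the certificate's
    // public key, then unwrap it with the private key. Returns true on round trip.
    public static async Task<bool> WrapAndUnwrapKeyAsync(Certificate cert)
    {
        IBuffer symmetricKey = CryptographicBuffer.GenerateRandom(32);
        CryptographicKey publicKey = PersistedKeyProvider.OpenPublicKeyFromCertificate(
            cert, HashAlgorithmNames.Sha1, CryptographicPadding.RsaOaep);
        IBuffer wrapped = CryptographicEngine.Encrypt(publicKey, symmetricKey, null); // no IV for RSA

        CryptographicKey keyPair = await PersistedKeyProvider.OpenKeyPairFromCertificateAsync(
            cert, HashAlgorithmNames.Sha1, CryptographicPadding.RsaOaep);
        IBuffer unwrapped = await CryptographicEngine.DecryptAsync(keyPair, wrapped, null);
        return CryptographicBuffer.Compare(symmetricKey, unwrapped);
    }

    // Use case 2: sign data with the private key and verify with the public key.
    public static async Task<bool> SignAndVerifyAsync(Certificate cert, string message)
    {
        IBuffer data = CryptographicBuffer.ConvertStringToBinary(message, BinaryStringEncoding.Utf8);
        CryptographicKey keyPair = await PersistedKeyProvider.OpenKeyPairFromCertificateAsync(
            cert, HashAlgorithmNames.Sha256, CryptographicPadding.RsaPkcs1V15);
        IBuffer signature = await CryptographicEngine.SignAsync(keyPair, data); // hashes, then signs

        CryptographicKey publicKey = PersistedKeyProvider.OpenPublicKeyFromCertificate(
            cert, HashAlgorithmNames.Sha256, CryptographicPadding.RsaPkcs1V15);
        return CryptographicEngine.VerifySignature(publicKey, data, signature);
    }
}
```

The private key never leaves the key store in either method: the app only holds a CryptographicKey handle, so the operations succeed or fail according to the key usages the certificate was enrolled with.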