How can I open a .pfx certificate through WinRT Crypto APIs, which is placed in app's local-storage

  • Question

  • Hi,

    I have a .pfx certificate in my local storage and I want to access its information by giving its password. How can I achieve this using WinRT Crypto APIs?

    Thanks & regards

    JZ

    Friday, August 2, 2013 11:26 AM

All replies

  • You can use code that looks something like this:

        using System;
        using System.Collections.Generic;
        using Windows.Security.Cryptography;
        using Windows.Security.Cryptography.Certificates;
        using Windows.Storage;
        using Windows.Storage.Streams;

        private async void FindCertificateInfo()
        {
            // Read the PFX from the app's local folder and base64-encode it,
            // which is the form ImportPfxDataAsync expects.
            StorageFile file = await ApplicationData.Current.LocalFolder.GetFileAsync("testcertificate.pfx");
            IBuffer buffer = await FileIO.ReadBufferAsync(file);
            string encodedString = CryptographicBuffer.EncodeToBase64String(buffer);

            // Import into the app container's certificate store. "test" is the PFX
            // password; the call throws if it is wrong.
            await CertificateEnrollmentManager.ImportPfxDataAsync(encodedString,
                "test",
                ExportOption.Exportable,
                KeyProtectionLevel.NoConsent,
                InstallOptions.DeleteExpired,
                "overwrite Friendly name if necessary");

            // Enumerate the certificates now visible to the app.
            IReadOnlyList<Certificate> certs = await CertificateStores.FindAllAsync();
            foreach (Certificate cert in certs)
            {
                // use the information returned in the cert object
            }
        }


    Windows Store Developer Solutions #WSDevSol || Want more solutions? See our blog, http://aka.ms/t4vuvz

    Friday, August 2, 2013 9:23 PM
    Moderator
  • Hi,

    Thanks for your reply. I have seen this in the SDK samples, but how would I know which certificate is mine when I don't know any info about the certificate? Secondly, I want to check if the PIN that the user enters is valid for the certificate or not; how do I check that? Actually, I am using the certificate PIN as the application login.

    Thanks

    JZ

    Monday, August 5, 2013 7:30 AM
  • When you ImportPfxDataAsync, you are only importing the certificate information in your app's certificate storage context. Your app does not share certificates with any other apps. On the same note, if you have Shared User Certificates capability enabled, you will be able to see the certificates in the user's context (not other app context).

    That way you can loop through the Certificate collection when FindAllAsync() returns and then check the properties such as SerialNumber or Subject to check if it is your certificate.

    When you have the PFX file in your app's local-storage, you already know what certificate it is unless you are trying to open another certificate which your app has no knowledge about.

    As far as the password check goes, ImportPfxDataAsync will return an error/exception if you supply a wrong password.


    Windows Store Developer Solutions #WSDevSol || Want more solutions? See our blog, http://aka.ms/t4vuvz

    Monday, August 5, 2013 8:41 PM
    Moderator
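The following is an added example, not code from the thread or from the Windows SDK samples, that puts the reply above into one routine: the PFX is imported with the password the user typed, a failed import (the thread states a wrong password raises an exception; the exact HRESULT is not given, so any failure is treated as "not valid") counts as a bad PIN, and the certificate is then located again by the friendly name assigned at import time. The file name, friendly name and class names are assumptions. It uses only Windows 8 era APIs (FindAllAsync() without a query, Certificate.FriendlyName).

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Certificates;
using Windows.Storage;
using Windows.Storage.Streams;

public static class PfxLogin
{
    // Friendly name assigned on import so the certificate can be told apart from
    // anything else in the app container's MY store (assumed value).
    private const string AppCertFriendlyName = "MyAppLoginCert";

    // Imports the PFX stored in LocalFolder under fileName using the supplied
    // password. Returns true only when the import succeeded, which is the one
    // signal WinRT gives that the password was right.
    public static async Task<bool> TryImportAsync(string fileName, string password)
    {
        StorageFile file = await ApplicationData.Current.LocalFolder.GetFileAsync(fileName);
        IBuffer pfxBytes = await FileIO.ReadBufferAsync(file);
        string pfxBase64 = CryptographicBuffer.EncodeToBase64String(pfxBytes);

        try
        {
            await CertificateEnrollmentManager.ImportPfxDataAsync(
                pfxBase64,
                password,
                ExportOption.NotExportable,      // do not let the private key leave the store again
                KeyProtectionLevel.NoConsent,
                InstallOptions.None,
                AppCertFriendlyName);
            return true;
        }
        catch (Exception ex)
        {
            // Wrong password (or a corrupt file) surfaces here; log the HRESULT
            // for diagnostics but never the password itself.
            System.Diagnostics.Debug.WriteLine("PFX import failed, HRESULT 0x{0:X8}", ex.HResult);
            return false;
        }
    }

    // Finds the certificate imported above by the friendly name we set.
    public static async Task<Certificate> FindAppCertificateAsync()
    {
        IReadOnlyList<Certificate> certs = await CertificateStores.FindAllAsync();
        foreach (Certificate cert in certs)
        {
            if (string.Equals(cert.FriendlyName, AppCertFriendlyName, StringComparison.Ordinal))
                return cert;
        }
        return null;
    }

    // Summarises the properties the WinRT Certificate class does expose.
    public static string Describe(Certificate cert)
    {
        string serial = BitConverter.ToString(cert.SerialNumber).Replace("-", "");
        string thumbprint = BitConverter.ToString(cert.GetHashValue()).Replace("-", "");
        return string.Format(
            "Subject={0}; Issuer={1}; Serial={2}; Thumbprint={3}; ValidFrom={4:u}; ValidTo={5:u}; HasPrivateKey={6}",
            cert.Subject, cert.Issuer, serial, thumbprint, cert.ValidFrom, cert.ValidTo, cert.HasPrivateKey);
    }

    // Login flow: validate the PIN by importing, then pick up the certificate.
    public static async Task<Certificate> LoginAsync(string enteredPin)
    {
        if (!await TryImportAsync("login.pfx", enteredPin))
            return null;
        return await FindAppCertificateAsync();
    }
}
```

Matching on FriendlyName is what makes repeated imports safe to reason about: the same name is overwritten each time, so the loop returns the certificate this app imported rather than whatever else the container store holds. Comparing the SerialNumber bytes or the thumbprint from GetHashValue() against a value you recorded at first import is a stricter check than the friendly name alone.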
  • Hi,

    Thanks for the reply. I can compare the friendly-name property and find which cert is mine; other than that, unless I open the cert I can't find other properties. Yes, you are right, my app has no knowledge of the cert before it gets installed.

    As I mentioned before, I am using the cert PIN as the login password for my app, and to verify my login I need to check if the PIN is valid for the cert.

    I want something like the API BouncyCastle provides for opening a cert, but I can't use that; I want a native C# API or any other open-source API for that.

    Thanks

    JZ

    Tuesday, August 6, 2013 7:52 AM
  • Hello,

    What exactly are you trying to do here? I could not quite understand the following statement:

    "As I mentioned before I am using cert pin as login password for my app and to verify my login I need to check if the pin is valid for cert"

    Can you please clarify your problem statement for better understanding?


    Thanks,

    Prashant


    Windows Store Developer Solutions #WSDevSol || Want more solutions? See our blog, http://aka.ms/t4vuvz

    Thursday, August 22, 2013 11:07 PM
    Moderator
  • Hi Prashant,

    If you read the thread from the start, you will be able to understand the statement. I just want a way (an API, whether an MS API or any 3rd-party one other than BouncyCastle) through which I can provide a cert path and cert PIN and it returns the cert info. I need to verify if the PIN provided is valid or not.

    Thanks

    JZ

    Monday, August 26, 2013 7:53 AM
    I am not sure about 3rd-party libraries. You can check the support/product pages of the 3rd-party libraries you are looking for.

    For your particular question, why doesn't the above code work? Doesn't the above code open the certificate file, get the encoded blob and try to ImportPfxDataAsync? When you ImportPfxDataAsync, you can give an "input" value for the friendly name, which you can then use to distinguish between the certificate that was just imported vs. other certificates that may be present in the app container MY store.

    If you give a wrong password to the certificate you are trying to import, you will get an exception.

    http://msdn.microsoft.com/en-us/library/windows/apps/hh779821.aspx

    friendlyName

    Type: String [JavaScript] | System.String [.NET] | Platform::String [C++]

    The display name of the enrolled certificate. This value overwrites the FriendlyName property inside the PFX message.


    Windows Store Developer Solutions #WSDevSol || Want more solutions? See our blog, http://aka.ms/t4vuvz

    Monday, August 26, 2013 5:19 PM
    Moderator
  • Hi,

    Yes, you are right, but this means every time I want to log in to my app, I need to do the import, although it's already imported. Secondly, the MS API provides limited info about the cert; I want more access to the cert. Thirdly, how would I change the cert PIN if the user wants to change the login password?

    Thanks

    JZ

    Wednesday, August 28, 2013 11:18 AM
  • Regarding:

    >>every-time I want to login to my app, I need to do importCert, although its already imported

    Is there any problem with calling ImportPfxDataAsync over and over again? That is the only functionality that is available which will let you check whether the password of the PFX is right/wrong.

    Alternately, once your user logs in with the right password, you can "cache" the credentials using a Credential Vault and prevent calling ImportPfxDataAsync over and over again.

    Yet another approach is to set strong protection on the cert installed in the app cert store. This way, every time the app launches and uses the key, the user will be asked for the PIN. Plus, the UI is provided by the OS and is standard.

    >>the MS Api provides limited info about the cert, i want more access to cert

    What properties are you specifically looking for that the Windows.Security.Cryptography.Certificates.Certificate class does not provide you?

    >> how would I change the Cert pin, if the user wants to change the login password.

    There is no WinRT API available that will let you change the password of the PFX file.


    Windows Store Developer Solutions #WSDevSol || Want more solutions? See our blog, http://aka.ms/t4vuvz

    Thursday, August 29, 2013 12:18 AM
    Moderator
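The "cache the credentials" suggestion in the reply above, as an added example that is not from the thread or from Microsoft's samples: the WinRT credential locker (Windows.Security.Credentials.PasswordVault) stores the PFX password per app and per user after one successful import, later launches try the stored value silently, and a stored value that no longer opens the PFX is discarded. The validator delegate stands in for whatever wrapper around ImportPfxDataAsync the app uses (returning false on exception); the resource and user-name strings are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials;

public static class PinCache
{
    // Resource and user name under which the PFX password is kept in the
    // per-app, per-user credential vault (assumed names).
    private const string Resource = "MyApp.PfxLogin";
    private const string UserName = "pfx-password";

    // Interactive login: validate the PIN (e.g. by importing the PFX) and, on
    // success, remember it so the next launch does not need to import again.
    public static async Task<bool> LoginAsync(string enteredPin, Func<string, Task<bool>> validatePin)
    {
        if (!await validatePin(enteredPin))
            return false;

        var vault = new PasswordVault();
        RemoveCached(vault);   // replace any earlier copy rather than accumulate entries
        vault.Add(new PasswordCredential(Resource, UserName, enteredPin));
        return true;
    }

    // Silent login from the cached credential. Returns true when a cached PIN
    // exists and still validates; a stale PIN is removed so it is not retried.
    public static async Task<bool> TryCachedLoginAsync(Func<string, Task<bool>> validatePin)
    {
        var vault = new PasswordVault();
        PasswordCredential cred;
        try
        {
            cred = vault.Retrieve(Resource, UserName);   // throws when nothing is stored
        }
        catch (Exception)
        {
            return false;
        }

        cred.RetrievePassword();   // Password is only populated after this call
        if (await validatePin(cred.Password))
            return true;

        vault.Remove(cred);
        return false;
    }

    // Forget the cached PIN, e.g. on explicit sign-out.
    public static void RemoveCached(PasswordVault vault)
    {
        try
        {
            foreach (PasswordCredential c in vault.FindAllByResource(Resource))
                vault.Remove(c);
        }
        catch (Exception)
        {
            // FindAllByResource throws when no credential matches; nothing to remove.
        }
    }
}
```

The vault keeps the secret out of the app's own settings and files, and it is what the OS already protects per user; the app never has to persist the PIN itself. The other option in the reply, having the OS prompt on every key use, is a matter of passing KeyProtectionLevel.ConsentWithPassword instead of NoConsent to ImportPfxDataAsync, at which point no caching is needed.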
  • Hi,

    Thanks for your suggestions, they were really helpful. One thing regarding

    >>the MS Api provides limited info about the cert, i want more access to cert

    I wanted to know the username or email ID of the certificate user in the certificate.

    Regards

    JZ

    Friday, August 30, 2013 1:21 PM
    Which Username and EmailID properties of the certificate are you referring to? For example, when you open CertMgr.msc, expand your Personal certificate store, double-click a certificate and look at the Details tab of the certificate, you will see the available properties for the certificate. From those fields, which property are you referring to that maps to a Username and EmailID?

    Windows Store Developer Solutions #WSDevSol || Want more solutions? See our blog, http://aka.ms/t4vuvz

    Friday, August 30, 2013 5:18 PM
    Moderator
  • Hi,

    I am talking about a property like 'Subject Alternative Name', which contains the value Other Name: Principal Name=xxxxxxxxxxxxxxxx

    Regards

    JZ

    Monday, September 2, 2013 9:16 AM
    Retrieving the Subject Alternative Name (SAN) is not supported in WinRT on Windows 8.1.

    Why does the "Subject" property or "FriendlyName" not work for you? What scenario are you trying to achieve by using SAN? If you can explain the scenario, I can pass the feedback to the appropriate team for future consideration.


    Windows Store Developer Solutions #WSDevSol || Want more solutions? See our blog, http://aka.ms/t4vuvz

    Tuesday, September 3, 2013 6:36 PM
    Moderator