How to enumerate windows certificates using CNG?

  • Question

  • Hi,

    With CryptoAPI, I can open the Windows Cert Store and enumerate certificates using CertOpenStore() and CertEnumCertificatesInStore().  Does CNG offer any similar API to access certificates that are stored in the Windows Cert Store, or am I stuck with using CryptoAPI?

    Thanks!

    Dong

    Monday, March 26, 2012 8:50 AM

All replies

  • CertOpenStore and CertEnumCertificatesInStore are "Certificate Store Functions" and are not CryptoAPI functions. Certificate stores contain the public portion of certificates, and you can retrieve them using the "Certificate Store Functions":

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa380252%28v=vs.85%29.aspx#certificate_and_certificate_store_functions

    CSP/CNG modules are responsible for storing private keys and also for providing cryptography operations. Each certificate stored in the certificate store can have a relation to a CSP or CNG module which holds its private key (if any). However, in the case of Smartcard CSP and CNG (i.e. KSP) modules, you may retrieve the certificates stored on the smartcard using calls to CPGetProvParam(PP_ROOT_CERTSTORE) and CPGetProvParam(PP_USER_CERTSTORE) or (in the case of CNG) calls to NCryptGetProperty(NCRYPT_CERTIFICATE_PROPERTY), NCryptGetProperty(NCRYPT_ROOT_CERTSTORE_PROPERTY), and NCryptGetProperty(NCRYPT_USER_CERTSTORE_PROPERTY).

    ----
    Nima Sharifimehr.
    sbucsc at yahoo dot com

    Monday, March 26, 2012 12:08 PM
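An added example, not posted by anyone in this thread, that ties the two replies above together: it enumerates the personal store (the same store CertOpenStore/CertEnumCertificatesInStore walk) and, for each certificate with a private key, reports whether the key lives in a CNG key storage provider or a legacy CSP. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the store path is a parameter and defaults to the current user's personal store.

```powershell
# Added example (not from the thread): list certificates in a store and show which
# key storage (CNG KSP or legacy CSP) holds each private key.
param(
    [string]$StorePath = 'Cert:\CurrentUser\My'   # assumption: personal store; any Cert: path works
)

function Get-PrivateKeyLocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return 'none (public certificate only)' }

    $key = $null
    try {
        # These open the key referenced by the certificate's CERT_KEY_PROV_INFO property;
        # they do not export it and work for exportable and non-exportable keys alike.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if (-not $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
        }
        if (-not $key) { return 'unknown key algorithm' }

        switch ($key.GetType().Name) {
            # *Cng types expose the CNG key; Provider.Provider is the KSP name,
            # e.g. the software KSP, the smart card KSP or the platform (TPM) KSP.
            'RSACng'                   { return "CNG KSP: $($key.Key.Provider.Provider)" }
            'ECDsaCng'                 { return "CNG KSP: $($key.Key.Provider.Provider)" }
            # RSACryptoServiceProvider means a legacy CryptoAPI CSP holds the key.
            'RSACryptoServiceProvider' { return "legacy CSP: $($key.CspKeyContainerInfo.ProviderName)" }
            default                    { return "other: $($key.GetType().FullName)" }
        }
    }
    catch {
        # Typical for smart-card or TPM keys when the device is absent or access was cancelled.
        return "present but not openable: $($_.Exception.Message)"
    }
    finally {
        if ($key) { $key.Dispose() }
    }
}

Get-ChildItem -Path $StorePath | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        PrivateKey = Get-PrivateKeyLocation -Cert $_
    }
} | Format-Table -AutoSize -Wrap
```

Run it as-is for the personal store, or pass `-StorePath 'Cert:\LocalMachine\My'` from an elevated session. The provider column is the practical answer to the question: the certificate itself always comes from the certificate store, and only the private key is tied to a CSP or KSP.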
  • Thank you very much, it is very useful for me.

    CertOpenStore() and CertEnumCertificatesInStore() can work on Windows 7 64-bit; that's really good news.

    And I use the function CryptSignMessage to sign a message and create a PKCS#7 structure. But this function can't work on Windows 7 64-bit.

    The CNG function BCryptSignHash only creates a PKCS#1 structure. Is there any way to create PKCS#7, but by OpenSSL?

    Wednesday, March 28, 2012 10:02 AM
  • CryptSignMessage works with both CNG and CSP keys. The signing cert passed in the CRYPT_SIGN_MESSAGE_PARA parameter to CryptSignMessage just needs to have the CERT_KEY_PROV_INFO_PROP_ID or CERT_KEY_CONTEXT_PROP_ID property set. From there, CryptSignMessage will know where to get the private key required for the signing operation. You can find the information you need to build your CERT_KEY_PROV_INFO property here:

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa381420%28v=vs.85%29.aspx

    ----
    Nima Sharifimehr.
    sbucsc at yahoo dot com
    Wednesday, March 28, 2012 12:24 PM
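An added example, not from any poster in the thread, illustrating the reply above: it produces a detached PKCS#7 (CMS) signature over a message and verifies it. SignedCms is the .NET wrapper over the same CryptMsg machinery that CryptSignMessage uses, and like CryptSignMessage it locates the private key through the certificate's key-provider property, so it works whether the key sits in a CNG KSP or a legacy CSP. Assumptions: Windows PowerShell 5.1 on .NET Framework 4.7.2 or later (or PowerShell 7 on Windows), and a certificate with a private key in Cert:\CurrentUser\My whose thumbprint you pass in; the message text is a constructed sample.

```powershell
# Added example (not from the thread): detached PKCS#7/CMS sign-and-verify with a
# store certificate, independent of whether its key is held by a KSP or a CSP.
param(
    # Assumption: thumbprint of a certificate in Cert:\CurrentUser\My that has a private key.
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$Message = 'constructed sample message to sign'
)

# Windows PowerShell needs System.Security loaded for the Pkcs types; PowerShell 7 ships them.
if (-not ('System.Security.Cryptography.Pkcs.SignedCms' -as [type])) {
    Add-Type -AssemblyName System.Security
}

function New-DetachedCmsSignature {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [byte[]]$Data)

    $content = [System.Security.Cryptography.Pkcs.ContentInfo]::new($Data)
    # $true = detached: the signature does not embed the data, the analogue of
    # CryptSignMessage's fDetachedSignature flag.
    $cms = [System.Security.Cryptography.Pkcs.SignedCms]::new($content, $true)
    $signer = [System.Security.Cryptography.Pkcs.CmsSigner]::new($Cert)
    # Embed only the signer certificate, not its whole chain, in the SignedData.
    $signer.IncludeOption = [System.Security.Cryptography.X509Certificates.X509IncludeOption]::EndCertOnly
    $cms.ComputeSignature($signer)
    return $cms.Encode()   # DER-encoded PKCS#7 SignedData
}

function Test-DetachedCmsSignature {
    param([byte[]]$Signature, [byte[]]$Data)

    $content = [System.Security.Cryptography.Pkcs.ContentInfo]::new($Data)
    $cms = [System.Security.Cryptography.Pkcs.SignedCms]::new($content, $true)
    $cms.Decode($Signature)
    try {
        # $true checks only the cryptographic signature and skips chain building, so a
        # self-signed test certificate verifies. In production pass $false so the signer
        # must chain to a trusted root, and check the signer's thumbprint as well.
        $cms.CheckSignature($true)
        return $true
    }
    catch {
        return $false
    }
}

$cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no associated private key" }

$data = [System.Text.Encoding]::UTF8.GetBytes($Message)
$sig  = New-DetachedCmsSignature -Cert $cert -Data $data
"PKCS#7 signature: $($sig.Length) bytes, signer $($cert.Subject)"
"Verifies against original: $(Test-DetachedCmsSignature -Signature $sig -Data $data)"

# Any change to the signed data must invalidate a detached signature.
$tampered = [System.Text.Encoding]::UTF8.GetBytes($Message + '!')
"Verifies against tampered: $(Test-DetachedCmsSignature -Signature $sig -Data $tampered)"
```

If the certificate's key is on a smart card or in the TPM, ComputeSignature will prompt for the PIN or fail when the device is absent, exactly as CryptSignMessage does, because both resolve the key through the same CERT_KEY_PROV_INFO reference the reply describes.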
  • The function CryptSignMessage worked for me on a Windows 7 64 machine.  What led you to think it would not?
    Wednesday, March 28, 2012 6:58 PM