CryptoAPI issue (?)

  • Question

  • Hi,
    [If this forum is inappropriate for the question below, please let me know which one is.]
    I experience the following thing. I installed Norton Internet Security under WinXP, and this product added 2 certificates (Symantec Corporation and VeriSign Class 3 Code Signing) to the Trusted Publishers. I can observe these in the registry under HKLM\Software\Microsoft\SystemCertificates\TrustedPublishers\Certificates key, as well as within IE's list of trusted publishers.
    My software (which is written in Pascal/Delphi) uses SecureBlackbox component, and I need to enumerate installed certificates for trusted publishers. So, this component does something like this with the CryptoAPI internally:

      // Open the logical "TrustedPublishers" system store for the current user
      hSystemStore := CertOpenStore(PChar(CERT_STORE_PROV_SYSTEM), X509_ASN_ENCODING,
        0, CERT_SYSTEM_STORE_CURRENT_USER, 'TrustedPublishers');
      // Walk every certificate context in the store and keep a duplicate of each
      if hSystemStore <> nil then
      begin
        pDesiredCert := CertEnumCertificatesInStore(hSystemStore, nil);
        while pDesiredCert <> nil do
        begin
          // Duplicate first: the next CertEnumCertificatesInStore call frees pDesiredCert
          pContextCopy := CertDuplicateCertificateContext(pDesiredCert);
          FCtxList.Add(pContextCopy);
          pDesiredCert := CertEnumCertificatesInStore(hSystemStore, pDesiredCert);
        end;
      end;

    I expect that it only should enumerate certificates for the current user because of the CERT_SYSTEM_STORE_CURRENT_USER, right? But for some reason NIS certificates are among those that CertEnumCertificatesInStore() returns. Does anybody know why? Is it a CryptoAPI bug? A feature? Or should I do something differently to get certificates for the current user only?

    Well, it would be ok to have all those certificates enumerated (I mean both the current user and the local machine), if I could handle the local machine certificates the same way as I do the current user ones. In my software the user should be able to remove trusted publishers, and for the certificates from the local machine I get an 'access denied' error (CertDeleteCertificateFromStore() returns NULL/False). I checked the registry, and the user that tries to remove the certificate from the local machine has full control for all corresponding registry keys (this user belongs to the Administrators). Also, under the same user I can remove those certificates using IE without problems. Do you know what I should do to be able to remove the certificates that belong to the local machine and were enumerated as for the current user? My guess is that I should open the storage for the local machine and handle this via that handle. But maybe there is another way?

    Thanks in advance.
    Monday, May 5, 2008 11:39 PM
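An added check, not code from the original post: the CERT_SYSTEM_STORE_CURRENT_USER system store is a logical view that also surfaces the LocalMachine physical store, so this PowerShell script compares that logical view (via .NET X509Store, which opens the same CryptoAPI store) against the two registry-backed physical stores to tell, per certificate, which store actually holds it and therefore which one a delete must be issued against. It assumes the store's real name is TrustedPublisher and the registry layout named in the question; Group Policy and Enterprise physical stores are not checked.

```powershell
# Store name as CryptoAPI knows it (the question's "TrustedPublishers" is the
# display name; the system store is "TrustedPublisher").
$storeName = 'TrustedPublisher'

function Get-PhysicalThumbprints {
    # Subkey names under the registry-backed physical store are SHA-1 thumbprints.
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)
    $path = "${Hive}:\SOFTWARE\Microsoft\SystemCertificates\$storeName\Certificates"
    if (Test-Path $path) {
        (Get-ChildItem $path).PSChildName | ForEach-Object { $_.ToUpperInvariant() }
    }
}

function Get-TrustedPublisherOrigin {
    $userPhysical    = @(Get-PhysicalThumbprints -Hive HKCU)
    $machinePhysical = @(Get-PhysicalThumbprints -Hive HKLM)

    # Logical CurrentUser view: X509Store opens CERT_STORE_PROV_SYSTEM with
    # CERT_SYSTEM_STORE_CURRENT_USER, i.e. the same view the Delphi code enumerates.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'CurrentUser')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            $tp = $cert.Thumbprint.ToUpperInvariant()
            # A delete only succeeds against the physical store holding the entry;
            # the LocalMachine store additionally needs an elevated (admin) process.
            $deleteVia = if ($userPhysical -contains $tp) { 'CurrentUser' }
                         elseif ($machinePhysical -contains $tp) { 'LocalMachine' }
                         else { 'Other physical store (GroupPolicy/Enterprise?)' }
            [pscustomobject]@{
                Thumbprint     = $tp
                Subject        = $cert.Subject
                InUserStore    = ($userPhysical -contains $tp)
                InMachineStore = ($machinePhysical -contains $tp)
                DeleteVia      = $deleteVia
            }
        }
    }
    finally { $store.Close() }
}

Get-TrustedPublisherOrigin | Format-Table -AutoSize
```

Entries reported as LocalMachine are the ones for which a CurrentUser-handle delete returns access denied; those have to be removed through a store opened with CERT_SYSTEM_STORE_LOCAL_MACHINE.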

Answers

All replies

  • Did you try in Visual C++ forum?

    Tuesday, May 6, 2008 3:11 PM
  • Do you think that it would be convenient to post it there? Its description says: "General questions about Visual C++ , including the development environment, libraries, setup, debugger, samples, and documentation." I'll try to give a link to this topic there though, just in case anybody is familiar with the issue.
    Thanks.
    Wednesday, May 7, 2008 11:39 PM
  • You may try with some of the .NET development related forums
    Hope that helps

    Tuesday, June 17, 2008 7:09 PM