App Specific Cert Store Security

Question

In order to perform cert based authentication, Windows store apps allows you to store certificate in app specific certificate store which will create a file like this:

\AppData\Local\Packages\fb8e0b0f-1159-44a7-a25e-ee1f3fcc0f28_6h554a31s3wew\AC\Microsoft\SystemCertificates\My\Certificates\8E9595468938E6D25F46E7EDF92D8359F50DB07C

Do you know if this file contains both public and private key? if it contains private key is it encrypted using something?

Edit: Background: Why use app-specific cert store?

 In order to do certificate based auth, you require to import a certificate into this store using this  API: CertificateEnrollmentManager.ImportPfxDataAsync and then you can construct HttpClient in following manner to perform the auth. 

  var httpClient = new HttpClient(new HttpClientHandler
                {
                    ClientCertificateOptions = ClientCertificateOption.Automatic
                });

Answer 1

Hi,

I am not very familiar with the problem. But as far as I know, X.509 certificates in windows store app contains both public key and private key. You can refer to the link below:

http://msdn.microsoft.com/en-us/library/windows/apps/xaml/hh464941.aspx

And you can refer to the link to know how to perform RSA data encryption in X.509 certificates:

http://blogs.msdn.com/b/stcheng/archive/2013/03/12/windows-store-app-how-to-perform-rsa-data-encryption-with-x509-certificate-based-key-in-windows-store-application.aspx

http://robdmoore.id.au/blog/2012/08/22/using-an-x-509-pfx-certificate-in-windows-8-metro-style-application-for-encryption-decryption-and-signing/

Best Wishes!

---

We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place. <br/> Click <a href="http://support.microsoft.com/common/survey.aspx?showpage=1&scid=sw%3Ben%3B3559&theme=tech"> HERE</a> to participate the survey.

Answer 2

Correct. X.509 certificate will contain both public and private key since it's in PKCS#12 format, however, my question is around more around how that data gets stored within the app-specific certificate store. In order to do certificate based auth, you require to import a certificate into this store using this  API: CertificateEnrollmentManager.ImportPfxDataAsync and then you can construct HttpClient in following manner to perform the auth. 

  var httpClient = new HttpClient(new HttpClientHandler
                {
                    ClientCertificateOptions = ClientCertificateOption.Automatic
                });

 

Answer 3

Hi,

Do you mean you want to extract public key or private key from X.509 certificate? If so, in windows store app there is no direct API can do this. You can  write some standard .NET code to extract the public key data from X509 certificate and save it (for later using in windows store app):

private void btnFindCert_Click(object sender, EventArgs e)

{

    var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

    store.Open(OpenFlags.ReadOnly);

 

    var certs = store.Certificates.Find(X509FindType.FindBySubjectName, txtSubjectName.Text, false);

 

    if (certs.Count <= 0)

    {

        MessageBox.Show("No Certificate found!");

        return;

    }

 

    var cert = certs[0];

    var sb = new StringBuilder();

 

    sb.AppendFormat("\r\nSubject Name:{0}\r\nThumbprint:{1}\r\nIssuer:{2}\r\n", cert.SubjectName.Name, cert.Thumbprint, cert.Issuer);

         

    var pubKeyStr = Convert.ToBase64String(cert.GetPublicKey());

    sb.AppendFormat("\r\nPublic Key (can be used in WinRT):{0}\r\n", pubKeyStr);

 

 

    txtOutput.AppendText(sb.ToString());

 

    store.Close();

}

The link below you can get more information:

http://blogs.msdn.com/b/stcheng/archive/2013/03/12/windows-store-app-how-to-perform-rsa-data-encryption-with-x509-certificate-based-key-in-windows-store-application.aspx

Best Wishes!

---

We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place. <br/> Click <a href="http://support.microsoft.com/common/survey.aspx?showpage=1&scid=sw%3Ben%3B3559&theme=tech"> HERE</a> to participate the survey.