milan, Posted August 28, 2020
I tried the code from OverbyteIcsPemTool to export a certificate from the 'MY' Windows store:

    xTmp := f_d2i_X509(nil, @pCertContext.pbCertEncoded, pCertContext.cbCertEncoded);
    if Assigned(xTmp) then begin
        X.X509 := xTmp;
        f_X509_free(xTmp);
        …
    end;

However, this does not return the private key (X.PrivateKey := nil). Does it need some additional code?
Milan
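The loop in the post above drives CertEnumCertificatesInStore and hands each pbCertEncoded blob to d2i_X509. The following is an added example, not ICS or OverbyteIcsPemTool code: it does the same walk of the 'MY' store with Python's standard ssl module (ssl.enum_certificates wraps the same Windows API) and converts each DER certificate to PEM. It illustrates the thread's point directly: the store enumeration only ever yields the public certificate, so nothing here can populate a private key. The store name, output directory and the constructed entries used for checking are assumptions.

```python
"""Enumerate a Windows certificate store and write each X.509 cert out as PEM.

Added example, not ICS or OverbyteIcsPemTool code. ssl.enum_certificates()
wraps the same CertEnumCertificatesInStore loop the Delphi snippet drives and,
like it, returns only the encoded public certificate; no private key is
ever returned by this path.
"""
import ssl
import sys
from pathlib import Path
from typing import Iterable, List, Tuple

# Shape of each item returned by ssl.enum_certificates: (der_bytes, encoding_type, trust)
StoreEntry = Tuple[bytes, str, object]


def certs_to_pem(entries: Iterable[StoreEntry]) -> List[str]:
    """Convert the x509_asn entries of a store listing to PEM strings.

    PKCS#7 blobs ("pkcs_7_asn") are skipped: d2i_X509 fails on them, which is
    the case where the Delphi code's Assigned(xTmp) check is False.
    """
    pems: List[str] = []
    for der, encoding, _trust in entries:
        if encoding != "x509_asn":
            continue
        # Pure base64 wrapping, equivalent to PEM_write_bio_X509 on the DER blob.
        pems.append(ssl.DER_cert_to_PEM_cert(der))
    return pems


def export_store(store: str = "MY", out_dir: str = "exported") -> List[Path]:
    """Windows only: dump every certificate in `store` to out_dir/<n>.pem.

    `store` and `out_dir` are assumed defaults; 'MY' is the user's personal store.
    """
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates is only available on Windows")
    target = Path(out_dir)
    target.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    for n, pem in enumerate(certs_to_pem(ssl.enum_certificates(store))):
        path = target / f"{n}.pem"
        path.write_text(pem)
        written.append(path)
    return written


if __name__ == "__main__":
    # Usage: python export_store.py [STORE]   (STORE defaults to MY)
    for p in export_store(sys.argv[1] if len(sys.argv) > 1 else "MY"):
        print(p)
```

On a non-Windows host export_store raises rather than silently writing nothing; certs_to_pem itself is platform-independent and can be fed the list that enum_certificates returns.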
Angus Robertson, Posted August 28, 2020
The code exporting X509 certificates from the Windows store was designed to build Certificate Authority root bundles with which to verify SSL/TLS certificates in ICS applications, not to export server certificates with private keys; generally you already have those as PEM or PFX files from your certificate supplier. But Windows no longer has a complete CA store and downloads new roots on demand, so ICS stopped using exported certificates a while ago and builds its CA bundles differently. If you don't have original PEM files, you can export certificates manually from the Windows store to create them, if they were originally installed with export allowed.
Angus
milan, Posted August 28, 2020
I need to solve this in the application, because of clients that do not have a certificate file and do not want or cannot export it. I'll do it with k and then take it through the buffer. Thank you!
milan, Posted September 17, 2020
On 8/28/2020 at 3:09 PM, Angus Robertson said:
    generally you already have those as PEM or PFX files from your certificate supplier.
BUT: I do not have them. They are on a USB token. So they can't use certificates from a USB token that can't be exported? Uf!
Milan
Angus Robertson, Posted September 17, 2020
I never mentioned USB tokens, nor did you; no idea how they relate to a discussion about the Windows store. Private keys are often stored on hardware security devices precisely to stop them being copied.
Angus
milan, Posted September 17, 2020
But I need to communicate with a web service (REST) that requires certificate authorization. And clients often have it on a USB token or in the Windows store without the possibility of export. So ICS cannot be used?
Angus Robertson, Posted September 17, 2020
Sorry, currently ICS does not support using certificates other than those loaded from files using OpenSSL functions. ICS does have support for OpenSSL engines, which are essentially DLLs designed to access secure hardware such as tokens, but I've never seen such a DLL and OpenSSL has changed a lot in the 10 years since engine support was added. You can read the comments in WSocket on Apr 24, 2009 for more information. You would need to build the Trusted Platform Module project in github but it might need ICS changes to make it work. Engines are obsolete with the next release of OpenSSL 3.0 due soon and there is a new way to access secure hardware, so we may revisit this if someone provides a TPM provider, which is the new way. I don't believe there is any possibility of OpenSSL accessing certificates and private keys in the Windows store. Not sure if Indy has current engine support.
Angus
DelphiUdIT, Posted September 17, 2020
Using the pkcs11-tool available at this address:
Quote
    https://github.com/OpenSC/OpenSC/blob/master/src/tools/pkcs11-tool.c
you should be able to extract the certificate (not the private ones, of course) from the USB token. This is a very old openssl discussion about that:
Quote
    https://mta.openssl.org/pipermail/openssl-users/2015-July/001830.html
In that discussion (still true?) they explain how to extract the certificate and convert it to "pem". I think that the "pkcs11 module" needed to extract the certificate is a dll normally available with the USB Token (look in the system32 directory or in the syswow64 for something with *pki*.dll). In Italy very often the dll is "bit4xpki.dll" (used also by Firefox). I hope this information is useful to you, although I'm not sure.
Bye
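The procedure described in the post above (locate the vendor's PKCS#11 module, read the certificate object off the token with pkcs11-tool, convert the DER output to PEM with openssl) is carried through below as an added example; it is not code from the thread, OpenSC or ICS. It only wraps the OpenSC pkcs11-tool and openssl command lines, so those two tools must be on the PATH and the vendor module path must be supplied; the search directories, the object id and the output file names are assumptions, and bit4xpki.dll is used only as the name the post gives. Only certificate objects are requested, since a PKCS#11 token does not release its private keys.

```python
"""Export the certificate (never the private key) from a PKCS#11 USB token and
convert it to PEM for OpenSSL/ICS.

Added example, not from the thread, OpenSC or ICS. It builds and runs the
OpenSC pkcs11-tool and openssl command lines; the module search directories,
object id and file names are assumptions.
"""
import fnmatch
import os
import subprocess
from pathlib import Path
from typing import Iterable, List, Optional

# Directories the post suggests searching for the vendor module on Windows (assumed paths).
DEFAULT_MODULE_DIRS = [r"C:\Windows\System32", r"C:\Windows\SysWOW64"]


def match_module_names(names: Iterable[str], pattern: str = "*pki*.dll") -> List[str]:
    """Return the entries of `names` that look like a PKCS#11 vendor module."""
    return sorted(n for n in names if fnmatch.fnmatch(n.lower(), pattern.lower()))


def find_pkcs11_module(dirs: List[str] = DEFAULT_MODULE_DIRS,
                       pattern: str = "*pki*.dll") -> Optional[str]:
    """First file matching `pattern` in `dirs`, else None (e.g. bit4xpki.dll)."""
    for d in dirs:
        if not os.path.isdir(d):
            continue
        hits = match_module_names(os.listdir(d), pattern)
        if hits:
            return os.path.join(d, hits[0])
    return None


def list_objects_cmd(module: str) -> List[str]:
    """pkcs11-tool invocation that lists the certificate objects (and their ids) on the token."""
    return ["pkcs11-tool", "--module", module, "--list-objects", "--type", "cert"]


def export_cert_cmds(module: str, obj_id: str, der_path: str, pem_path: str) -> List[List[str]]:
    """The two commands: read the certificate object as DER, then convert DER to PEM.

    Only --type cert is requested; the private key stays on the hardware.
    """
    return [
        ["pkcs11-tool", "--module", module, "--read-object", "--type", "cert",
         "--id", obj_id, "--output-file", der_path],
        ["openssl", "x509", "-inform", "DER", "-in", der_path,
         "-outform", "PEM", "-out", pem_path],
    ]


def export_cert(module: str, obj_id: str, pem_path: str) -> Path:
    """Run the export; raises if the module is missing or either command fails."""
    if not os.path.isfile(module):
        raise FileNotFoundError(f"PKCS#11 module not found: {module}")
    der_path = str(Path(pem_path).with_suffix(".der"))
    for cmd in export_cert_cmds(module, obj_id, der_path, pem_path):
        subprocess.run(cmd, check=True)
    return Path(pem_path)


if __name__ == "__main__":
    # Usage: python token_export.py  (lists objects; pick an id, then call export_cert)
    mod = find_pkcs11_module() or "bit4xpki.dll"  # assumed vendor module name from the post
    listing = subprocess.run(list_objects_cmd(mod), capture_output=True, text=True, check=False)
    print(listing.stdout or listing.stderr)
```

The id printed by the listing step is what goes into export_cert; the resulting PEM holds only the certificate, so it can be handed to a verifier or sent as a client certificate but cannot by itself complete a TLS handshake that needs the token's private key.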
Angus Robertson, Posted September 18, 2020
Yes, the ICS comments about engines say you have to extract the certificate from the Trusted Platform Module and turn it into PEM for OpenSSL, and there are TPM tools to do that. You can send commands to the TPM to query what it has. My desktop has a TPM and the ICS code signing certificate is on a USB dongle. Windows does have APIs to access the TPM, but I've never had a commercial need to look at them; TPMs have become more important this year with so many people needing remote access to secure corporate networks.
Angus
Angus Robertson, Posted September 18, 2020
To complicate dongles even more, Windows shows my Trusted Platform Module as a Security Device, but my USB dongle with a signing certificate and key as a Smart Card Reader (ACR101 SIMicro), so it's quite probable the OpenSSL TPM engine might not recognise the latter. It comes with its own Windows drivers which work with Microsoft code signing.
Angus
Angus Robertson, Posted October 28, 2020
Quote
    I don't believe there is any possibility of OpenSSL accessing certificates and private keys in the Windows store.
I was wrong about this: OpenSSL 1.0.2 included an engine capi.dll which allowed access to private keys in the Windows store and dongles, but not their certificates. It is not currently built for OpenSSL 1.1.1 but may work. There are periodic questions in the OpenSSL mailing list about CAPI, but the original author of the engine is no longer updating it, and CAPI has been replaced by CNG by Microsoft. So there is little evidence the CAPI engine still works.
Angus