milan

OverbyteIcsPemTool: Import a Windows Certificate Store to…

Recommended Posts

I tried the code from OverbyteIcsPemTool to export a certificate from the 'MY' Windows store:

            // Build an OpenSSL X509 object from the DER blob held by the CryptoAPI context
            xTmp := f_d2i_X509(nil, @pCertContext.pbCertEncoded, pCertContext.cbCertEncoded);
            if Assigned(xTmp) then begin
                X.X509 := xTmp;        // hand the certificate to the ICS TX509Base object
                f_X509_free(xTmp);     // release the temporary handle

                …

            end;


However, this does not return the private key (X.PrivateKey = nil).

 

Does it need some additional code?

 

Milan


The code exporting X509 certificates from the Windows store was designed to build Certificate Authority root bundles with which to verify SSL/TLS certificates in ICS applications, not to export server certificates with private keys; generally you already have those as PEM or PFX files from your certificate supplier.

 

But Windows no longer has a complete CA store and downloads new roots on demand, so ICS stopped using exported certificates a while ago and builds its CA bundles differently.

 

If you don't have original PEM files, you can export certificates manually from the Windows store to create them, if they were originally installed with export allowed.

 

Angus
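An added example (PowerShell, not code from ICS or from anyone in this thread) that shows the two points above from the Windows side: exporting a store entry as X509ContentType::Cert yields only the DER certificate, the same bytes the d2i_X509 call in the first post consumes, while the private key's exportability is a separate property of the key store. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, and reads only the CurrentUser\My store.

```powershell
# Added example, not ICS code. Assumes Windows PowerShell 5.1 / .NET Framework 4.6+.
function Get-MyStoreCertificateExportInfo {
    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
        # X509ContentType::Cert gives the same DER bytes CryptoAPI exposes as
        # pbCertEncoded: the public certificate only, never the private key.
        $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        $pem = "-----BEGIN CERTIFICATE-----`n" +
               [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
               "`n-----END CERTIFICATE-----"

        $provider = $null; $exportable = $null; $note = 'no private key in this store'
        if ($cert.HasPrivateKey) {
            try {
                # Opens a handle to the key; for a smart card the card must be present.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: the export policy is a flag set stored on the key itself.
                    $provider   = $rsa.Key.Provider.Provider
                    $exportable = $rsa.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI key: the container info carries the exportable flag.
                    $provider   = $rsa.CspKeyContainerInfo.ProviderName
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                } else {
                    $note = 'non-RSA key (e.g. ECDSA); not inspected here'
                }
                if ($null -ne $exportable) {
                    $note = if ($exportable) { 'private key exportable' }
                            else { 'private key NOT exportable (hardware-backed or install policy)' }
                }
            } catch {
                $note = "could not open private key: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            KeyProvider = $provider
            Note        = $note
            Pem         = $pem   # PEM form of the certificate alone, ready for OpenSSL
        }
    }
}

Get-MyStoreCertificateExportInfo | Format-Table Subject, KeyProvider, Note -AutoSize
```

Entries whose KeyProvider is a smart card or TPM key storage provider report the key as not exportable; for those only the Pem column can ever be handed to OpenSSL.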

 


I need to solve this in the application, because of clients that do not have a certificate file and do not want to or cannot export it.

I'll do it with k and then take it through the buffer. 

 

Thank you!

On 8/28/2020 at 3:09 PM, Angus Robertson said:

generally you already have those as PEM or PFX files from your certificate supplier.

BUT: I do not have them. They are on a USB token.

So they can't use certificates from a USB token that can't be exported? Uf!

 

Milan


I never mentioned USB tokens, nor did you; no idea how they relate to a discussion about the Windows store.

 

Private keys are often stored on hardware security devices precisely to stop them being copied. 

 

Angus

 


But I need to communicate with a web service (REST) that requires certificate authorization.

And clients often have it on a USB token or in the Windows store without the possibility of export.

So ICS cannot be used?


Sorry, currently ICS does not support using certificates other than those loaded from files using OpenSSL functions. 

 

ICS does have support for OpenSSL engines, which are essentially DLLs designed to access secure hardware such as tokens, but I've never seen such a DLL and OpenSSL has changed a lot in the 10 years since engine support was added. You can read the comments in WSocket on Apr 24, 2009 for more information. You would need to build the Trusted Platform Module project in github, but it might need ICS changes to make it work.

 

Engines are obsolete with the next release, OpenSSL 3.0, due soon, and there is a new way to access secure hardware, so we may revisit this if someone provides a TPM provider, which is the new way.

 

I don't believe there is any possibility of OpenSSL accessing certificates and private keys in the Windows store. 

 

Not sure if Indy has current engine support. 

 

Angus

 


Using the pkcs11-tool available at this address: 

you should be able to extract the certificate (not the private key, of course) from the USB token.

 

This is a very old openssl discussion about that:

 

In that discussion (still true?) they explain how to extract the certificate and convert it to PEM.

 

I think that the "pkcs11 module" needed to extract the certificate is a DLL normally available with the USB token (look in the system32 directory or in syswow64 for something like *pki*.dll).

In Italy the DLL is very often "bit4xpki.dll" (also used by Firefox).

 

I hope this information is useful to you, although I'm not sure.

 

Bye


Yes, the ICS comments about engines say you have to extract the certificate from the Trusted Platform Module and turn it into PEM for OpenSSL, and there are TPM tools to do that. You can send commands to the TPM to query what it has. My desktop has a TPM and the ICS code signing certificate is on a USB dongle.

 

Windows does have APIs to access the TPM, but I've never had a commercial need to look at them. TPMs have become more important this year with so many people needing remote access to secure corporate networks.

 

Angus

 


To complicate dongles even more, Windows shows my Trusted Platform Module as a Security Device, but my USB dongle with a signing certificate and key as a Smart Card Reader (ACR101 SIMicro), so it's quite probable the OpenSSL TPM engine might not recognise the latter. It comes with its own Windows drivers which work with Microsoft code signing.

 

Angus

 

Quote

I don't believe there is any possibility of OpenSSL accessing certificates and private keys in the Windows store. 

I was wrong about this: OpenSSL 1.0.2 included an engine, capi.dll, which allowed access to private keys in the Windows store and dongles, but not their certificates. It is not currently built for OpenSSL 1.1.1 but may work. There are periodic questions in the OpenSSL mailing list about CAPI, but the original author of the engine is no longer updating it, and CAPI has been replaced by CNG by Microsoft. So there is little evidence the CAPI engine still works.

 

Angus
