TMS Cryptography Pack and Windows CertStore Certificate

Hi, could You make an example how to use certificate taken from Windows Cert Store by CertFindCertificateInStrore from WinCrypt API with the component from the framework?
Best regards
Piotrek

Hi,
I have just write a blog post about this example: https://www.cyberens.fr/from-windows-certificate-store-to-tms-cryptography-pack-tx509certificate-component/
Best regards,
Marion

Great, Thank You, I think it could be usefull to add is to the package :slight_smile:
All the best
Piotrek

Hi,
I use that procedure to take the certificate from the windows certificate store and it works well, but when the certificate is with private key it is not decoded and finally it is impossible to sign a document. Could You help (exchange the procedure) to take (if exists) the private key too?

Hi Piotr,
Your first question was to use CertFindCertificateInStore from WinCryptAPI with TMS CP. I wrote a post to do that and finally it is not useful?!
I can help but I need to know what you need exactly. Do you know the function from WinCryptAPI to extract certificate AND private key?
Best regards,
Marion

Hi, Marion. The idea is to sign a document by certificate from windows cert store. I know that certificate coud be with and without a private key. I have one with private key imported from pfx (pfx signing works well).Your's function take a certificate from cert store but without a private key also where the certificate have it. This is why finally document could not be signed. I set a private key manually by use a pfx, becouse I have it and then document is signed properly. Probably to get a private key I should use CryptAcquireCertificatePrivateKey and may be some more ... I could not find any sucessul working example or instruction how to do it in that case.

Hi Piotr,
How could I have guessed that you would have liked to sign with the certificate from your first question?
I will take a look when I have some time.
Marion

Thank you. It was obvious to me that since I sign the document using the TMS Cryptography Pack and the pfx certificate, I would like to take the certificate from the windows certificate store and sign a document in the same way, but sorry if it was unclear.

Hi, is there any chanse to look at this problem?

Hi Piotr,
I took a look two months ago and CryptAcquireCertificatePrivateKey is a complex function, I had failed to use it to extract the private key. Maybe I can take some time later to retry other options or functions to do that.
Best regards,
Marion

Ok, thank you.

Hello!

I would need the same function. Also - could be that upon installing the PFX into the store the user must check "Export private key.." checkbox?

Hello,
I note that you would like the same function, but I do not understand your question. Could you clarify that?
Marion

Sorry, here's more info:

I would like to get the certificate by the serial number

The certificate always have a private key (this is used for XML signing). I tried to get the certificate via find parameter CERT_FIND_ANY, but it returns a totally different certificate.

Cert := CertFindCertificateInStore(Store, X509_ASN_ENCODING, 0, CERT_FIND_ANY_STR, PChar(SerialNumber), nil)

The thing is a little confusing, because there's also a serial number in the Subject field, but that's not the right one!

After retrieving the certificate from the store I would like to sign an XML file (xmldsign, RSA-SHA256).

Please take in account that I have almost no knowledge in criptogtaphy, I'm forced to do this because in our country each reicept has to be sent to the tax agency (signed XML to web service).

so my question is:

  1. Is possible to get the certificate from the Windows Cert store by the serial number?
  2. Is possible to use this certificate to sign an XML file?

I hope I gave you enough info this time :)

Kind regards,
Dino

Some progression.. CERT_FIND_ANY will return the next certificate

Trying CERT_FIND_CERT_ID, but can't create the structure needed for pvFindPara.. :frowning:

Hi Dino,
Thank you for the detailed explanation of what you want.

I can try to extract the certificate from the serial number (it will be more complicated because the pvFindPara needs to be a PCERT_ID and it is a structure https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_id), but we need to use other microsoft functions to extract the private key, needed to sign.

Moreover, we do not have XMLDSig in our library, only XAdES. I do not know if the tax agency accepts this signature format.

Best regards,
Marion

Hi!

Unfortunately our tax agency (and all other state institutions) accept only XMLDSig, so this library can't be used for my purpose. It's a pity :frowning:

Is XMLDSig in any plan?

Thanx anyway!

We will study the amount of work to be done, but we do not promise anything.

Thank you. I'll check for additional info here or on other TMS channels.

1 Like