TMS Cryptography Pack and Windows CertStore Certificate

Hi, could you make an example of how to use a certificate taken from the Windows Cert Store by CertFindCertificateInStore from the WinCrypt API with the component from the framework?
Best regards
Piotrek

Hi,
I have just written a blog post about this example: https://www.cyberens.fr/from-windows-certificate-store-to-tms-cryptography-pack-tx509certificate-component/
Best regards,
Marion

Great, thank you. I think it could be useful to add it to the package 🙂
All the best
Piotrek

Hi,
I use that procedure to take the certificate from the Windows certificate store and it works well, but when the certificate comes with a private key, the key is not decoded and so it is impossible to sign a document. Could you help (change the procedure) to take the private key too, if it exists?

Hi Piotr,
Your first question was to use CertFindCertificateInStore from the WinCrypt API with TMS CP. I wrote a post to do that and finally it is not useful?!
I can help, but I need to know what you need exactly. Do you know the function from the WinCrypt API to extract the certificate AND the private key?
Best regards,
Marion

Hi, Marion. The idea is to sign a document with a certificate from the Windows cert store. I know that a certificate could be with or without a private key. I have one with a private key imported from a PFX (PFX signing works well). Your function takes a certificate from the cert store but without the private key, even where the certificate has one. This is why finally the document could not be signed. I set the private key manually using the PFX, because I have it, and then the document is signed properly. Probably to get the private key I should use CryptAcquireCertificatePrivateKey and maybe some more ... I could not find any successful working example or instruction on how to do it in that case.

Hi Piotr,
How could I have guessed that you would have liked to sign with the certificate from your first question?
I will take a look when I have some time.
Marion

Thank you. It was obvious to me that, since I sign the document using the TMS Cryptography Pack and the PFX certificate, I would like to take the certificate from the Windows certificate store and sign a document in the same way, but sorry if it was unclear.

Hi, is there any chance to look at this problem?

Hi Piotr,
I took a look two months ago, and CryptAcquireCertificatePrivateKey is a complex function; I failed to use it to extract the private key. Maybe I can take some time later to retry other options or functions to do that.
Best regards,
Marion

Ok, thank you.

Hello!

I would need the same function. Also, could it be that when installing the PFX into the store the user must check the "Export private key.." checkbox?

Hello,
I note that you would like the same function, but I do not understand your question. Could you clarify that?
Marion

Sorry, here's more info:

I would like to get the certificate by its serial number.

The certificate always has a private key (it is used for XML signing). I tried to get the certificate via the find parameter CERT_FIND_ANY, but it returns a totally different certificate.

// CERT_FIND_ANY uses no search criteria and ignores pvFindPara, so the serial number passed here is never consulted
Cert := CertFindCertificateInStore(Store, X509_ASN_ENCODING, 0, CERT_FIND_ANY, PChar(SerialNumber), nil);

The thing is a little confusing, because there's also a serial number in the Subject field, but that's not the right one!

After retrieving the certificate from the store I would like to sign an XML file (XMLDSig, RSA-SHA256).

Please take into account that I have almost no knowledge of cryptography; I'm forced to do this because in our country each receipt has to be sent to the tax agency (signed XML to a web service).

So my question is:

  1. Is it possible to get the certificate from the Windows Cert Store by the serial number?
  2. Is it possible to use this certificate to sign an XML file?

I hope I gave you enough info this time :)

Kind regards,
Dino

Some progress.. CERT_FIND_ANY will return the next certificate.

Trying CERT_FIND_CERT_ID, but I can't create the structure needed for pvFindPara.. 🙁

Hi Dino,
Thank you for the detailed explanation of what you want.

I can try to extract the certificate from the serial number (it will be more complicated because pvFindPara needs to be a PCERT_ID, which is a structure: https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_id), but we need to use other Microsoft functions to extract the private key needed to sign.

Moreover, we do not have XMLDSig in our library, only XAdES. I do not know if the tax agency accepts this signature format.

Best regards,
Marion
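The following is an added example, not code from this thread, from TMS Cryptography Pack or from the cyberens.fr post. It shows, in PowerShell on top of the .NET X509Certificate2 and SignedXml classes (which on Windows wrap the same CryptoAPI calls discussed above: CertFindCertificateInStore to locate the certificate and CryptAcquireCertificatePrivateKey to reach the key), the complete flow both posters asked for: locate a certificate by its real serial number rather than the SERIALNUMBER attribute some issuers put in the Subject, confirm that a private key is attached and usable without exporting it, and produce and verify an enveloped XMLDSig signature with RSA-SHA256. It assumes Windows PowerShell 5.1 with .NET Framework 4.6.2 or later (where the SHA-256 URI constants and GetRSAPrivateKey exist); the function names, the store location parameters and the sample serial number and file names in the usage lines are my own choices, not anything from the thread.

```powershell
# Added example: Windows certificate store -> certificate by serial number -> XMLDSig RSA-SHA256.
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6.2+; the assembly below provides SignedXml.
Add-Type -AssemblyName System.Security

function Find-CertBySerial {
    param(
        [Parameter(Mandatory)][string]$SerialNumber,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Location = 'CurrentUser',
        [string]$StoreName = 'My'   # "Personal" in certmgr.msc
    )
    # X509Certificate2.SerialNumber is upper-case hex with no separators (and keeps the leading
    # 00 byte DER adds to a serial whose top bit is set). Normalize whatever the caller typed:
    # the certificate dialog shows "12 ab cd", other sources give "12:ab:cd".
    $wanted = ($SerialNumber -replace '[\s:]', '').ToUpperInvariant()

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        # Compare against tbsCertificate.serialNumber, not the SERIALNUMBER= attribute in the Subject DN.
        $found = @($store.Certificates | Where-Object { $_.SerialNumber -eq $wanted })
    } finally {
        $store.Close()
    }
    if ($found.Count -eq 0) { throw "No certificate with serial number $wanted in $Location\$StoreName" }
    if ($found.Count -gt 1) {
        # A serial number is only unique per issuer; refuse to guess between issuers.
        $issuers = ($found | ForEach-Object { $_.Issuer }) -join '; '
        throw "Serial number $wanted matches $($found.Count) certificates (issuers: $issuers)"
    }
    return $found[0]
}

function Invoke-XmlDsigSign {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$InputPath,
        [Parameter(Mandatory)][string]$OutputPath
    )
    # This is the failure mode from the thread: the certificate is in the store, but no key is attached.
    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key in this store; import the PFX with its key"
    }
    # GetRSAPrivateKey is an extension method, so PowerShell must call it statically. It returns a
    # provider-backed RSA object (CSP or CNG); signing through it does not require the key to be
    # marked exportable, so the "export private key" checkbox at import time is not what matters.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($null -eq $rsa) { throw "The private key of $($Certificate.Thumbprint) is not an RSA key" }

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true   # re-indenting the document would change the digest
    $doc.Load((Resolve-Path $InputPath).Path)

    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signedXml.SigningKey = $rsa
    $signedXml.SignedInfo.SignatureMethod = [System.Security.Cryptography.Xml.SignedXml]::XmlDsigRSASHA256Url

    # One enveloped reference over the whole document (URI=""), SHA-256 digest.
    $ref = New-Object System.Security.Cryptography.Xml.Reference
    $ref.Uri = ''
    $ref.DigestMethod = [System.Security.Cryptography.Xml.SignedXml]::XmlDsigSHA256Url
    $ref.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform))
    $signedXml.AddReference($ref)

    # Embed the certificate in <KeyInfo> so the receiving side can locate the verification key.
    $keyInfo = New-Object System.Security.Cryptography.Xml.KeyInfo
    $keyInfo.AddClause((New-Object System.Security.Cryptography.Xml.KeyInfoX509Data($Certificate)))
    $signedXml.KeyInfo = $keyInfo

    $signedXml.ComputeSignature()
    $doc.DocumentElement.AppendChild($doc.ImportNode($signedXml.GetXml(), $true)) | Out-Null
    $outFull = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputPath)
    $doc.Save($outFull)

    # Verify what was just written with the certificate's public key before sending it anywhere.
    $check = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $sigNode = $doc.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')[0]
    $check.LoadXml($sigNode)
    return $check.CheckSignature($Certificate, $true)   # $true: signature only, no chain building
}

# Usage (serial number and file names are placeholders, not values from the thread):
# $cert = Find-CertBySerial -SerialNumber '00 1a 2b 3c 4d' -Location CurrentUser
# Invoke-XmlDsigSign -Certificate $cert -InputPath .\receipt.xml -OutputPath .\receipt.signed.xml
```

Two practical notes. Find-CertBySerial deliberately filters on SerialNumber itself instead of using X509Certificate2Collection.Find with FindBySerialNumber, so that the normalization rule and the multiple-match case are visible; the built-in finder is fine once those are understood. On .NET Framework, a PFX imported into one of the legacy RSA CSPs (provider type PROV_RSA_FULL) yields a key object that cannot produce SHA-256 signatures, and ComputeSignature fails with an "Invalid algorithm specified" error; re-importing the PFX into an AES-capable CSP or a CNG key store resolves it, which is worth checking before concluding that the private key itself is missing.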

Hi!

Unfortunately our tax agency (and all other state institutions) accept only XMLDSig, so this library can't be used for my purpose. It's a pity 🙁

Is XMLDSig in any plan?

Thanks anyway!

We will study the amount of work to be done, but we do not promise anything.

Thank you. I'll check for additional info here or on other TMS channels.


Any decisions regarding this..? :)