2004-07-26 15:44:44 UTC
The short question is, how do I programmatically import a pkcs12 file
into a certificate store without giving the user the option to settle
for medium or lower security?
A little background:
I've been previously told that this cannot be done in a satisfactory
manner, yet my customers are not accepting this answer. Here's a code
snippet, minus the error checks for clarification:
    //Read pkcs12 file
    /*(1)*/ ReadFile(hFile, pbBuffer, fileSize, &bytesRead, NULL);
    //Create pkcs12 CRYPT_DATA_BLOB
    //Make sure it's a real PFX blob
    /*(2)*/ if (PFXIsPFXBlob(&cryptBlob) == FALSE) goto error;
    //Import it, adding user protection
At (3), the PFXImportCertStore API brings up some dialogs which
permit, but do not force, the user to add extra protection to the
private key on his certificate. In principle, this could be recoded
to do the job without any user interaction, which is what I'm trying
1) I think this API decrypts the pkcs12 file by using its password,
and then reformats it into a special Microsoft "certificate store"
format. I need to know more than is readily available about what an
HCERTSTORE is, or what it refers to.
2) Possibly, I could parse that PFX blob, and apply a DPAPI call to
just the private key, rewrite the blob and call (3) without the
CRYPT_USER_PROTECTED flag. Would this have the same effect? I.e.,
would the user be prompted for a password each time he requested use
of the private key?
3) Obviously I'm relying on guesswork here. I don't truly know what
goes on behind the scenes of the PFXImportCertStore API. Please tell
me any particulars you can of what this function truly does.
Thanks in advance for your help.