
Type of certificate from PCCERT_CONTEXT


Kiran Thandra

Aug 30, 2004, 10:18:37 AM
Hi,
 
We are automating the cert import process and need help understanding the following.

After importing a PFX blob using PFXImportCertStore, I'll get an enumeration of certs (pctx). How do I dynamically import these certs into the appropriate stores based on type? How do I define which cert context should be added to which store?

While installing a .pfx file into IE using the import wizard, we get an option like "Automatically Select Store Based on Certificate Type".
How can we set this option programmatically?

 
Sample:

HCERTSTORE pfxStore = PFXImportCertStore(&blob, password, CRYPT_EXPORTABLE);
PCCERT_CONTEXT pctx = NULL;

while ((pctx = CertEnumCertificatesInStore(pfxStore, pctx)) != NULL) {
    /* How to define myStore dynamically.... */
    CertAddCertificateContextToStore(myStore, pctx, CERT_STORE_ADD_REPLACE_EXISTING, NULL);
    CertCloseStore(myStore, 0);
}
 
Appreciate any suggestions.
 
Regards,
Kiran Thandra
 

Hao Zhuang [MSFT]

Aug 30, 2004, 10:53:51 PM
there is no easy API to use for the time being. basically you can do the
following:

1. if the cert has an associated private key (KEY_PROV_INFO exists), put it
into the MY store; otherwise
2. if the cert is self-signed, put it into the ROOT store; otherwise
3. if the cert is a CA cert, put it into the CA store; otherwise
4. put it in "AddressBook" store.

- hao

--
This posting is provided "AS IS" with no warranties, and confers no rights.

Kiran Thandra

Aug 31, 2004, 10:30:55 AM
Hi Hao,

Thanks for your reply. Just wondering how do I check the following:

Whether KEY_PROV_INFO exists

Whether a cert is self-signed

Whether it's a CA.

Do I need to decode the PCCERT_INFO from the cert context for this? Because we
only have an API for getting the subject name:
CertGetNameString(pctx, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, pszNameString, 128);

Do you have any sample code for this?

Appreciate your time.

Regards,

Kiran Thandra

Hao Zhuang [MSFT]

Aug 31, 2004, 1:52:02 PM
1. CryptFindCertificateKeyProvInfo() can be used to check whether the cert
has a KEY_PROV_INFO matching a key in the system.

2. to verify if it's self-signed, the following can be used:

/* encoding: the cert's encoding type, e.g. pCtx->dwCertEncodingType */
if (!(CertCompareCertificateName(encoding, &pCtx->pCertInfo->Issuer,
        &pCtx->pCertInfo->Subject)))
    return not_self_signed;

/* request a signature check of the cert against itself; the flag is cleared on success */
DWORD dwFlags = CERT_STORE_SIGNATURE_FLAG;

if (!(CertVerifySubjectCertificateContext(pCtx, pCtx, &dwFlags)))
    return not_self_signed;

if (dwFlags != 0)
    return not_self_signed;

return self_signed;

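3. to check if it is a CA cert:

PCERT_EXTENSION pBC = CertFindExtension(szOID_BASIC_CONSTRAINTS2,
        pCtx->pCertInfo->cExtension, pCtx->pCertInfo->rgExtension);
if (pBC == NULL)
    return FALSE;   /* no basic constraints extension present */

/* CERT_BASIC_CONSTRAINTS2_INFO is fixed-size, so sizeof is enough for the decode buffer */
DWORD cbInfo = sizeof(CERT_BASIC_CONSTRAINTS2_INFO);
PCERT_BASIC_CONSTRAINTS2_INFO pInfo = (PCERT_BASIC_CONSTRAINTS2_INFO)LocalAlloc(LPTR, cbInfo);
if (pInfo == NULL)
    return FALSE;

BOOL fCA = FALSE;
if (CryptDecodeObject(X509_ASN_ENCODING, X509_BASIC_CONSTRAINTS2,
        pBC->Value.pbData, pBC->Value.cbData, 0, pInfo, &cbInfo))
    fCA = pInfo->fCA;
LocalFree(pInfo);
return fCA;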

hope this helps !

- hao

--
This posting is provided "AS IS" with no warranties, and confers no rights.
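
Added example, not part of the original posts: the four-step store selection and the three checks from the replies above, combined into one routine that walks an imported PFX store. The names `pick_store`, `is_self_signed`, `is_ca_cert` and `distribute_pfx_certs` are chosen here, and using the current-user system stores is an assumption; the CryptoAPI part builds only on Windows.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>   /* link with crypt32.lib */
#endif
/* Store precedence from the reply above: key > self-signed > CA > other. */
static const char *pick_store(int has_key, int self_signed, int is_ca) {
    if (has_key)     return "MY";
    if (self_signed) return "ROOT";
    if (is_ca)       return "CA";
    return "AddressBook";
}

#ifdef _WIN32
static BOOL is_self_signed(PCCERT_CONTEXT c) {
    DWORD flags = CERT_STORE_SIGNATURE_FLAG;   /* cleared when the check passes */
    return CertCompareCertificateName(c->dwCertEncodingType,
               &c->pCertInfo->Issuer, &c->pCertInfo->Subject)
        && CertVerifySubjectCertificateContext(c, c, &flags)
        && flags == 0;
}

static BOOL is_ca_cert(PCCERT_CONTEXT c) {
    CERT_BASIC_CONSTRAINTS2_INFO bc = {0};     /* fixed-size, decodes on the stack */
    DWORD cb = sizeof bc;
    PCERT_EXTENSION ext = CertFindExtension(szOID_BASIC_CONSTRAINTS2,
        c->pCertInfo->cExtension, c->pCertInfo->rgExtension);
    return ext != NULL
        && CryptDecodeObject(X509_ASN_ENCODING, X509_BASIC_CONSTRAINTS2,
               ext->Value.pbData, ext->Value.cbData, 0, &bc, &cb)
        && bc.fCA;
}

/* Adds each PFX cert to the current-user store pick_store names (assumed). */
DWORD distribute_pfx_certs(HCERTSTORE pfx) {
    PCCERT_CONTEXT c = NULL;
    DWORD added = 0;
    while ((c = CertEnumCertificatesInStore(pfx, c)) != NULL) {
        BOOL has_key = CryptFindCertificateKeyProvInfo(c, 0, NULL);
        HCERTSTORE dst = CertOpenSystemStoreA(0,
            pick_store(has_key, is_self_signed(c), is_ca_cert(c)));
        if (dst == NULL) continue;             /* enumeration keeps ownership of c */
        if (CertAddCertificateContextToStore(dst, c,
                CERT_STORE_ADD_REPLACE_EXISTING, NULL)) added++;
        CertCloseStore(dst, 0);
    }
    return added;
}
#endif
```

Because step 2 places self-signed certificates in ROOT, where they become trust anchors, an unattended import like this is only appropriate for PFX files from a source that is already trusted.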

Kiran Thandra

Sep 1, 2004, 5:28:11 PM
Hi Hao,

Great. Thanks a lot. The advised approach helps me.

Regards,
Kiran Thandra
