使用MS CryptoAPI保存/恢复证书使附加的私钥无效 [英] Saving/Restoring certs with MS CryptoAPI invalidates attached private key

问题描述

我写了一个程序，它应该使用Windows Crypto API保存和恢复用户证书。我的印象是，它是工作正常，但现在一个用户抱怨附加到证书的私钥在证书恢复后是无效的。

I've written a program which is supposed to save and restore a users certificates using the windows Crypto API. I was under the impression that it was working fine but now a user has complained that the private key that was attached to the certificate is invalid after the cert has been restored.

我正在使用以下方式保存证书：

I was saving the certificates using:

HCERTSTORE hCertStore =
    CertOpenStore(CERT_STORE_PROV_PHYSICAL_W,
    0,
    NULL,
    CERT_SYSTEM_STORE_CURRENT_USER |
    CERT_STORE_OPEN_EXISTING_FLAG |
    CERT_STORE_READONLY_FLAG |
    CERT_STORE_UPDATE_KEYID_FLAG,
    (PVOID) storeName.c_str());

然后：

if (!CertSaveStore(hCertStore,
    0,
    CERT_STORE_SAVE_AS_STORE,
    CERT_STORE_SAVE_TO_FILENAME,
    (PVOID) saveFile.c_str(),
    0))

我理解CERT_STORE_SAVE_AS_STORE标志应该意味着整个cert应该被序列化，包括私钥。虽然我注意到MSDN说：

I understand that the CERT_STORE_SAVE_AS_STORE flag should mean that the entire cert should get serialized including the private key. Although I note that MSDN says:

CERT_KEY_CONTEXT_PROP_ID属性
和相关的
CERT_KEY_PROV_HANDLE_PROP_ID和
CERT_KEY_SPEC_PROP_ID值不是
保存到序列化商店。

"The CERT_KEY_CONTEXT_PROP_ID property and the related CERT_KEY_PROV_HANDLE_PROP_ID and CERT_KEY_SPEC_PROP_ID values are not saved to a serialized store."

..我承认，我真的不明白。

..which I confess, I don't really understand.

当我恢复证书时，我使用CertFindCertificateInStore（）来查看证书是否已经存在，并且只有当它不是我：

When I restore the cert I use CertFindCertificateInStore() to see if the cert is already present and only if it isn't I do:

bOK = CertAddCertificateContextToStore(
    hDestinationStore,
    pCertContext,
    CERT_STORE_ADD_USE_EXISTING,
    NULL);

要添加证书...所以我的问题是，为什么私钥不能保存？我缺少一些东西？

To add the certificate back... So my question is, why might the private key not be preserved? Am I missing something?

推荐答案

您使用错误的CryptoAPI。您应该使用 PFXExportCertStoreEx 和 PFXImportCertStore 。

You use wrong CryptoAPI. You should use PFXExportCertStoreEx and PFXImportCertStore instead.

UPDATED ：这些功能很常见。您不能从SmartCard当然或其他不可导出的证书导出证书。 BLOG中的函数是没有什么更多的作为PFX文件的包含。例如，从PFX文件导入证书应该执行以下操作：

UPDATED: The functions are very common. You can not export certificates from the SmartCard of course or other non-exportable certificates. The BLOG in the function is nothing more as the contain of the PFX file. For example the import of the certificate from PFX file should do the following:

1. 打开PFX文件并在内存中读取完整的内容。


2. 您也可以使用 PFXIsPFXBlob 函数来验证文件是否确实包含了对应的文件


3. 使用 PFXImportCertStore 打开BLOB（PFX）作为源证书存储。


4. 您可以使用 CertOpenStore 或其他一些功能打开要保存PFX文件证书的目标证书库。


5. 使用 CertEnumCertificatesInStore 枚举源证书存储区（PFX）中的证书和所有证书使用 CertAddCertificateContextToStore 将证书从源证书存储添加到目标证书存储。


6. 您可以使用 CertCloseStore 关闭所有已开启的商店。

1. Open the PFX file and read full contain in the memory. You can use of course the file mapping instead.
2. Optionally you can use PFXIsPFXBlob function to verify that the file has really contain which corresponds to the PFX file.
3. You use PFXImportCertStore to open the BLOB (the PFX) as the source certificate store.
4. You use CertOpenStore or some other function to open the destination certificate store where you want save the certificates from the PFX file.
5. You use CertEnumCertificatesInStore to enumerate certificates from the source certificate store (PFX) and for all certificate use CertAddCertificateContextToStore to add certificate from the source certificate store to the destination certificate store. The certificates having private key will be imported with the private key.
6. You use CertCloseStore to close both opened stores.

这篇关于使用MS CryptoAPI保存/恢复证书使附加的私钥无效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！