
Using Microsoft Passport (Windows Hello), a user is given a public/private keypair when they set up a PIN for their local account. This keypair is stored on the computer's TPM.

You can create a certificate for your account by asking the Start Menu to "Set up PIN Sign-in".

The following article describes the APIs used in a UWP ("Metro") app: https://msdn.microsoft.com/en-us/windows/uwp/security/microsoft-passport

There are APIs for fetching the user's public key, and signing a message:

using System.Threading.Tasks;
using Windows.Security.Credentials;
using Windows.Storage.Streams;

async Task<IBuffer> SignWithPassportAsync(string AccountId, IBuffer message)
{
    var openKeyResult = await KeyCredentialManager.OpenAsync(AccountId);

    if (openKeyResult.Status == KeyCredentialStatus.Success)
    {
        var userKey = openKeyResult.Credential;
        var publicKey = userKey.RetrievePublicKey();   // BCRYPT_PUBLIC_KEY_BLOB as an IBuffer
        var signResult = await userKey.RequestSignAsync(message);

        if (signResult.Status == KeyCredentialStatus.Success)
        {
            return signResult.Result;                  // the signature over `message`
        }
        else if (signResult.Status == KeyCredentialStatus.UserPrefersPassword)
        {
            // user chose to fall back to a password instead of the PIN/biometric
        }
    }
    return null;
}

How do I fetch the public key and sign a message using a desktop app (Win32)?

I have checked using certmgr.msc: the Microsoft Passport certificate sadly does not appear in the user's "Personal" certificate store, so I can't see a way to access it using the CryptoAPI/CNG, which my app already supports.

Ideally I would like to make a standalone signature. It would be interesting/useful to know if it's possible to use the Passport certificate with SChannel as a client certificate.

Nicholas Wilson
  • Isn't the `Windows.Security` namespace available to Desktop Win32 applications? In that case you can simply use the UWP types (with C++/CX, the [Windows Runtime C++ Template Library](https://msdn.microsoft.com/en-us/library/hh438466.aspx), or [C++/WinRT](https://github.com/Microsoft/cppwinrt)). – IInspectable Oct 25 '16 at 10:22
  • Ah, interesting - the async callbacks could be tricky, I'll look into that. In the meantime, I've also noticed that there's a CryptoAPI KSP on my system called "Microsoft Passport Key Storage Provider", so I'll see if I can access the CNG key handle by selecting the KSP explicitly. – Nicholas Wilson Oct 25 '16 at 10:24
  • Asynchronous operations are fully supported by either of the above, although with C++/WinRT it is still a bit tedious (will be addressed in a future update; see [More details on "specializing" IAsyncOperation<*> and friends](https://github.com/Microsoft/cppwinrt/issues/19)). – IInspectable Oct 25 '16 at 10:29
  • Any updates on this? I've found the [UwpDesktop](https://www.nuget.org/packages/UwpDesktop) NuGet ([src](https://github.com/ljw1004/uwp-desktop)) that would allow a .NET desktop app to use UWP APIs. Unfortunately the [KeyCredential](https://learn.microsoft.com/en-us/uwp/api/Windows.Security.Credentials.KeyCredential) class doesn't seem to be in the [list of available classes](https://msdn.microsoft.com/en-us/library/windows/desktop/dn554295(v=vs.85).aspx). Did you get this working somehow? – Marc Mar 07 '18 at 10:43
  • I never got it working :( – Nicholas Wilson Mar 07 '18 at 13:10
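For the desktop route the comments point at (using the WinRT projection from a Win32/.NET app rather than CNG), the following is an added end-to-end example; it is not code from the question or from its comments. It assumes the project references Windows.winmd and System.Runtime.WindowsRuntime so that IAsyncOperation can be awaited, that the AccountId string and the challenge bytes are chosen by the app (both constructed here), and that the Hello key is an RSA key signing PKCS#1 v1.5 over SHA-256, which is the algorithm Microsoft's Windows Hello server-side verification sample uses (if that assumption is wrong for a given device, VerifySignature simply returns false). It goes one step past the question's snippet: it creates the key when none exists, treats UserCanceled and UserPrefersPassword as a fall-back signal rather than an error, and checks the signature using nothing but the exported public key, which is exactly what a standalone signature needs.

```csharp
// Added example, not from the original question: sign with the Windows Hello /
// Microsoft Passport key from a .NET desktop app via the WinRT projection, then
// verify the signature locally with only the exported public key.
// Assumes the project references Windows.winmd and System.Runtime.WindowsRuntime.
using System;
using System.Text;
using System.Threading.Tasks;
using Windows.Security.Credentials;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Core;
using Windows.Storage.Streams;

static class PassportSigner
{
    // Any stable string the app uses to name its key (assumption: an app-chosen id,
    // it does not have to be the Windows logon name).
    const string AccountId = "example-app/user@example.com";

    public static async Task<KeyCredential> OpenOrCreateAsync()
    {
        if (!await KeyCredentialManager.IsSupportedAsync())
            throw new InvalidOperationException("Windows Hello is not set up on this device");

        var open = await KeyCredentialManager.OpenAsync(AccountId);
        if (open.Status == KeyCredentialStatus.Success)
            return open.Credential;
        if (open.Status != KeyCredentialStatus.NotFound)
            throw new InvalidOperationException($"OpenAsync failed: {open.Status}");

        // No key for this AccountId yet: create one. The user is prompted for the
        // PIN/biometric; FailIfExists makes sure we never silently replace a key.
        var create = await KeyCredentialManager.RequestCreateAsync(
            AccountId, KeyCredentialCreationOption.FailIfExists);
        if (create.Status != KeyCredentialStatus.Success)
            throw new InvalidOperationException($"RequestCreateAsync failed: {create.Status}");
        return create.Credential;
    }

    // Returns the signature, or null when the user declined / prefers a password,
    // so the caller can fall back to another authenticator instead of failing hard.
    public static async Task<byte[]> SignAsync(KeyCredential key, byte[] message)
    {
        var sign = await key.RequestSignAsync(CryptographicBuffer.CreateFromByteArray(message));
        switch (sign.Status)
        {
            case KeyCredentialStatus.Success:
                CryptographicBuffer.CopyToByteArray(sign.Result, out byte[] sig);
                return sig;
            case KeyCredentialStatus.UserCanceled:
            case KeyCredentialStatus.UserPrefersPassword:
                return null;
            default:
                throw new InvalidOperationException($"RequestSignAsync failed: {sign.Status}");
        }
    }

    // Verify with the exported public key only: this is what a relying party (or the
    // app itself) needs for a standalone signature. Assumption: RSA, PKCS#1 v1.5, SHA-256.
    public static bool Verify(byte[] publicKeyBlob, byte[] message, byte[] signature)
    {
        var rsa = AsymmetricKeyAlgorithmProvider.OpenAlgorithm(AsymmetricAlgorithmNames.RsaSignPkcs1Sha256);
        CryptographicKey pub = rsa.ImportPublicKey(
            CryptographicBuffer.CreateFromByteArray(publicKeyBlob),
            CryptographicPublicKeyBlobType.BCryptPublicKey);   // RetrievePublicKey() default format
        return CryptographicEngine.VerifySignature(pub,
            CryptographicBuffer.CreateFromByteArray(message),
            CryptographicBuffer.CreateFromByteArray(signature));
    }

    public static async Task Main()
    {
        KeyCredential key = await OpenOrCreateAsync();

        // RetrievePublicKey() with no argument returns a BCRYPT_PUBLIC_KEY_BLOB.
        CryptographicBuffer.CopyToByteArray(key.RetrievePublicKey(), out byte[] pubBlob);

        // Constructed challenge; in a real flow the server supplies a fresh nonce.
        byte[] challenge = Encoding.UTF8.GetBytes("challenge:" + Guid.NewGuid());
        byte[] sig = await SignAsync(key, challenge);
        if (sig == null)
        {
            Console.WriteLine("User declined Windows Hello; fall back to password.");
            return;
        }

        Console.WriteLine($"Signature valid:  {Verify(pubBlob, challenge, sig)}");
        challenge[0] ^= 0x01;   // tamper with the message to show the check fails
        Console.WriteLine($"Tampered valid:   {Verify(pubBlob, challenge, sig)}");
    }
}
```

Two points worth keeping in mind when adapting this: RetrievePublicKey() hands back the key in BCRYPT_PUBLIC_KEY_BLOB form, so the same bytes can also be imported with BCryptImportKeyPair/NCryptImportKey on the CNG side the question already supports; and the verification half needs no Hello or TPM at all, which is why it can be moved to a server unchanged.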

0 Answers