
I have a CERT_CONTEXT structure which I've extracted from a smart card on Windows via the CryptoAPI. I need to convert this structure into a DER encoded byte array which is consistent with OpenSSL. The closest match I've got so far is via CryptEncodeObject using X509_ASN_ENCODING and the X509_CERT_TO_BE_SIGNED modifier which takes the CERT_INFO structure as input.

The problem is that it doesn't match the output produced by the OpenSSL i2d_X509 function. Using a 2048-bit x509 certificate as input, OpenSSL produces 1789 bytes of encoded output, whilst the Windows CryptoAPI produces 1638 bytes of encoded output.

The only option left that I can see is to create an X509 cert on the fly using the values from the CERT_CONTEXT structure and then encode the resulting object directly with the i2d_X509 function. The only problem with this is that I can't extract the private key from the smart card, so this may cause problems with the x509 cert creation routines.

If anyone can provide any insight/advice/tips into these matters, I'd be much obliged.

Gearoid Murphy

1 Answer


The DER-encoded certificate can be obtained from the (ctx->pbCertEncoded, ctx->cbCertEncoded) buffer, where ctx is a PCCERT_CONTEXT object. Still, you won't be able to recover the private key.

Ken Ivanov
Argh! Right in front of me the whole time :). Thanks, I would never have found this otherwise; I had my mind set on using the CryptEncodeObject function. I don't need the private key, I'm using the public key encoding as the source data for a signing operation. – Gearoid Murphy Feb 01 '11 at 21:20
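The pbCertEncoded/cbCertEncoded buffer is the complete Certificate SEQUENCE that d2i_X509 expects, whereas X509_CERT_TO_BE_SIGNED encodes only the CERT_INFO (the tbsCertificate, without signatureAlgorithm and signatureValue), which is why the CryptEncodeObject output in the question is shorter. As an added example, not from the question or answer, here is a portable C check that tells the two shapes apart and rejects a buffer whose length disagrees with its DER header, run against a constructed fake certificate (real sha256WithRSAEncryption OID, dummy signature bytes):

```c
#include <stddef.h>

/* Shape of a DER buffer handed over as (pbCertEncoded, cbCertEncoded). */
enum der_shape { DER_INVALID = 0, DER_FULL_CERTIFICATE = 1, DER_TBS_ONLY = 2 };

/* Parse one DER tag + length header. Returns the header size and sets *clen to the
   content length, or returns 0 for indefinite / non-minimal lengths (not valid DER). */
static size_t der_header(const unsigned char *buf, size_t len, unsigned char *tag, size_t *clen)
{
    if (len < 2) return 0;
    *tag = buf[0];
    if (buf[1] < 0x80) { *clen = buf[1]; return 2; }
    size_t n = buf[1] & 0x7F, v = 0;
    if (n == 0 || n > 4 || len < 2 + n) return 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[2 + i];
    if (buf[2] == 0 || (n == 1 && v < 0x80)) return 0;  /* DER requires the shortest length form */
    *clen = v; return 2 + n;
}

/* A full X.509 Certificate is SEQUENCE { SEQUENCE tbs, SEQUENCE sigAlg, BIT STRING sig } filling
   exactly len bytes; a bare TBSCertificate (what X509_CERT_TO_BE_SIGNED produces) is a SEQUENCE
   whose first child is [0] version or INTEGER serialNumber, which d2i_X509 would reject. */
enum der_shape classify_cert_der(const unsigned char *buf, size_t len)
{
    unsigned char tag, kids[3];
    size_t clen, n = 0;
    size_t h = der_header(buf, len, &tag, &clen);
    if (h == 0 || tag != 0x30 || h + clen != len) return DER_INVALID;  /* trailing or missing bytes */
    const unsigned char *p = buf + h, *end = buf + len;
    while (p < end && n < 3) {                 /* walk the first three children */
        size_t ch = der_header(p, (size_t)(end - p), &kids[n], &clen);
        if (ch == 0 || clen > (size_t)(end - p) - ch) return DER_INVALID;
        p += ch + clen; n++;
    }
    if (n > 0 && (kids[0] == 0xA0 || kids[0] == 0x02)) return DER_TBS_ONLY;
    if (n == 3 && p == end && kids[0] == 0x30 && kids[1] == 0x30 && kids[2] == 0x03)
        return DER_FULL_CERTIFICATE;
    return DER_INVALID;
}

/* Constructed sample: a complete (but fake) Certificate with v3 version, serial 1,
   sha256WithRSAEncryption in both algorithm fields and a 4-byte dummy signature. */
static const unsigned char SAMPLE_FULL[] = {
    0x30, 0x2F,
      0x30, 0x17, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01,
        0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
      0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
      0x03, 0x05, 0x00, 0xDE, 0xAD, 0xBE, 0xEF };
static const unsigned char *const SAMPLE_TBS = SAMPLE_FULL + 2;  /* the inner tbsCertificate alone */
enum { SAMPLE_FULL_LEN = sizeof SAMPLE_FULL, SAMPLE_TBS_LEN = 25 };
```

Running classify_cert_der over a real pbCertEncoded buffer before calling d2i_X509 catches a wrong cbCertEncoded or a TBS-only buffer early instead of leaving OpenSSL to report a generic ASN.1 error.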