
PFXExportCertStoreEx fails when I try to export an ECDSA certificate from the Windows Store. I need to get both the public key and the private key of the certificate. Is the API usage wrong for an ECDSA certificate? I am able to export the cert and key for an RSA certificate from the Windows Store.

Thanks in advance.

Edit - Pseudocode is as below:

```cpp
// Open the current user's MY store
hSysStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_MAXIMUM_ALLOWED_FLAG, L"MY");
// Get the certificate context (loop until the wanted certificate is found)
pCert = CertEnumCertificatesInStore(hSysStore, pCert);
// Open a memory store and add the certificate context to it
hStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, CERT_STORE_CREATE_NEW_FLAG, 0);
CertAddCertificateContextToStore(hStore, pCert, CERT_STORE_ADD_ALWAYS, NULL);
// Try to get the PFX blob; the password is an LPCWSTR (wide string), and the call is made twice:
// first with blob.pbData == NULL to get the size, then again with an allocated buffer
PFXExportCertStoreEx(hStore, &blob, L"export_password", NULL, EXPORT_PRIVATE_KEYS | REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY);
```
  • As the first level of debugging, see if you can export via the Local/User Certificates UI. Maybe the private key is not exportable. – Seva Alekseyev Apr 29 '22 at 15:01
  • It is exportable via certificates UI. I need to export it through C++ code - WinCrypt and openssl. – Amal Jesudas Apr 29 '22 at 15:42
  • Openssl, last time I checked, doesn't work with Windows keystores. What does `GetLastError()` after failed `PFXExportCertStoreEx` return? Just in case, paste your code. – Seva Alekseyev Apr 29 '22 at 18:40
  • Yes, Openssl does not have APIs to directly access Windows key store. I am trying to use WinCrypt APIs to get the cert and key from store. GetLastError() returns 0x80090016. – Amal Jesudas May 02 '22 at 09:57
  • The error means "keyset doesn't exist", but it's also consistent with the user's inability to get to the private key. The private key is a securable object in Windows, with an ACL and everything. Another thing to check: NCrypt vs legacy provider. Yet another: strong key protection and whether the operation is allowed to pop the UI. – Seva Alekseyev May 02 '22 at 23:28
  • @SevaAlekseyev I am pretty sure about the first and last points because I faced those issues when trying to export RSA-based keys too. But I didn't get your second point related to NCrypt vs legacy provider. Can you shed some more light on the same? This is the first time I am dealing with the Windows key store, so I have a big learning curve to cover. – Amal Jesudas May 04 '22 at 08:50
  • Paste your code please. The relevant parts. – Seva Alekseyev May 04 '22 at 13:27
  • @SevaAlekseyev I have updated my question to include the relevant code for the same. – Amal Jesudas May 04 '22 at 14:22
  • Here is one debugging step I'd try: so you copy the cert from the user store to the temporary memory store. Try calling `CertGetCertificateContextProperty()` with `CERT_KEY_CONTEXT_PROP_ID` for the cert context in the user store, then in the memory store. I mean to check if the key is not lost on cert copy. – Seva Alekseyev May 04 '22 at 14:36
  • @SevaAlekseyev CertGetCertificateContextProperty fails with CERT_KEY_CONTEXT_PROP_ID for the cert context obtained from the store. But I am not reading too much into this failure, as it fails even for the RSA certificate from which I am still able to extract both private and public keys. – Amal Jesudas May 04 '22 at 15:26
  • Here is another idea: set a symbol breakpoint on `SetLastError`, and run until the failing `PFXExportCertStoreEx` call. See what call chain leads to the error; it might give you some insights. MS Symbol Server is your friend :) – Seva Alekseyev May 04 '22 at 16:09
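The checks raised in the comments above (is the private key reachable at all, is it marked exportable, is it held by a CNG/NCrypt key storage provider or by a legacy CryptoAPI CSP, and which error code the export actually returns) can be run from the shell before touching the C++ code. The following is an added PowerShell diagnostic written for this page; it is not the asker's code, not an answer, and not Microsoft's own sample. It assumes Windows PowerShell 5.1 or later with the Cert: drive available, uses a constructed $SubjectFilter placeholder to pick the certificate, and reuses the question's 'export_password' placeholder.

```powershell
# Added diagnostic (not the asker's code): for each certificate in the current user's MY store,
# report where the private key lives (CNG/NCrypt key storage provider vs. legacy CryptoAPI CSP),
# whether it is marked exportable, and whether a PKCS#12 export including the private key works.
# $SubjectFilter is a constructed placeholder; narrow it to the certificate under test.
param([string]$SubjectFilter = '*')

# PowerShell wraps .NET exceptions in a MethodInvocationException; unwrap it so the HResult
# is the underlying CryptoAPI/NCrypt code (e.g. 0x80090016 = NTE_BAD_KEYSET, "keyset does not exist").
function Format-CryptoError($errorRecord) {
    $ex = $errorRecord.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }
    '0x{0:X8} {1}' -f $ex.HResult, $ex.Message
}

$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -like $SubjectFilter }

foreach ($cert in $certs) {
    $algo = $cert.PublicKey.Oid.FriendlyName      # "RSA" or "ECC" on Windows
    Write-Output "== $($cert.Subject) [$algo] $($cert.Thumbprint)"

    if (-not $cert.HasPrivateKey) {
        Write-Output "   no private key is associated with this certificate"
        continue
    }

    # Resolve the private key with the algorithm-specific extension method; this is the managed
    # counterpart of CryptAcquireCertificatePrivateKey and surfaces the same NTE_ error codes.
    try {
        $key = switch ($algo) {
            'RSA'   { [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) }
            'ECC'   { [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert) }
            default { $null }
        }
    } catch {
        Write-Output "   private key open failed: $(Format-CryptoError $_)"
        continue
    }
    if ($null -eq $key) {
        Write-Output "   unsupported key algorithm: $algo"
        continue
    }

    # CNG keys (always the case for ECDSA) expose the KSP name and export policy through CngKey;
    # legacy CSP keys (RSA only) expose them through CspKeyContainerInfo.
    if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
        $cng = $key.Key
        Write-Output "   provider (CNG/NCrypt): $($cng.Provider.Provider)"
        Write-Output "   key name: $($cng.KeyName)  export policy: $($cng.ExportPolicy)"
    } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info = $key.CspKeyContainerInfo
        Write-Output "   provider (legacy CSP): $($info.ProviderName) (type $($info.ProviderType))"
        Write-Output "   container: $($info.KeyContainerName)  exportable: $($info.Exportable)"
    } else {
        Write-Output "   key object type: $($key.GetType().FullName)"
    }

    # Same operation PFXExportCertStoreEx performs: a PKCS#12 export carrying the private key.
    try {
        $pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'export_password')
        Write-Output "   PFX export OK ($($pfx.Length) bytes): the key is reachable and exportable"
    } catch {
        Write-Output "   PFX export failed: $(Format-CryptoError $_)"
    }
}
```

Run it once with a filter matching the RSA certificate that exports correctly and once with the ECDSA certificate, and compare the two reports. An ECDSA private key can only be held by a CNG key storage provider (legacy CSPs do not implement ECDSA), so the "legacy CSP" branch will never apply to it; if the export policy on the ECDSA key shows no export allowed, or the managed export fails with the same 0x80090016, the problem is with the key's storage or its access policy rather than with the PFXExportCertStoreEx call itself.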
