
I tried to sign and verify with the C++ CryptoAPI and it works well. The CryptoAPI uses the certificate from the store (Personal) on Windows to do this. Could I do the same thing in Python without exporting the private key or entering a passphrase?

I tried the pycrypto, oscrypto and wincertstore modules, but they can't do this.

Assam
  • https://cryptography.io has all of the abilities of openssl and has a full suite of tools to work with x509 certs. Also 1) PyCrypto is deprecated; use PyCryptoDome instead. 2) This question is off topic which is why I must vote to close this. – Legorooj Jan 20 '20 at 23:34
  • @Legorooj I can't find the relative API to request the certificate from the 'My' certificate store to sign and verify a signature. Could you show me the page? And why is this question off topic? – Assam Jan 21 '20 at 01:23
  • My apologies, I just re-read the question. `cryptography` doesn't support loading certs from the Windows certificate store - but the `pywin32` module might do that for you, then you can use `cryptography` to manipulate the cert. The Q is off topic because it is `"Asking for ... software libraries or other off-site resources. This could lead to opinionated answers."` See [here](http://timgolden.me.uk/pywin32-docs/contents.html) for the `pywin32` docs. – Legorooj Jan 21 '20 at 04:04
  • I tried to use `pywin32`; it can open the cert store, but there isn't an API to find the specific certificate I wanted. It's `CertFindCertificateInStore()` in CryptoAPI. Am I missing something? – Assam Jan 21 '20 at 05:24
  • Hmm. Just found that you can list all of the certs with the built-in `ssl` lib; `ssl.enum_certificates(store_name)` where store name is `CA`, `ROOT`, or `MY`. I'm assuming the last one - would this help? It returns lists. You could search those and then load the cert out of the store? – Legorooj Jan 21 '20 at 05:52
  • @Legorooj That would of course not help with the signing part. Note that signing is not a function of the certificate. Microsoft however treats the private key within the store as *part of the certificate*. This is a stupid design mistake - there are many within their underspecified API unfortunately. – Maarten Bodewes Jan 21 '20 at 11:40
  • Why does the windows core have to be so confusing? The top level part is an awesome OS. I have an idea... – Legorooj Jan 21 '20 at 23:03
  • @Assam ok it's harder but the only solution that I can think of now appears to be; write a custom C++ extension. https://docs.python.org/3/extending/extending.html – Legorooj Jan 21 '20 at 23:06
  • Hmm... writing a custom C++ extension may take some time :P. Thanks Legorooj and Maarten – Assam Jan 22 '20 at 02:18
  • @Assam better method; `CryptoAPI` is a `dll` file. So you can call that with `ctypes`. Example https://stackoverflow.com/questions/252417/how-can-i-use-a-dll-file-from-python https://docs.python.org/3/library/ctypes.html – Legorooj Jan 22 '20 at 07:05

1 Answer


You can interface with the Crypt32 DLL using ctypes to access its functions.

"How can I use a DLL file from Python?" provides a good idea, but is written in Python 2.5, so see the tutorial in the docs for info and a reference.

Legorooj
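The ctypes route from the answer above, as an added example that is not part of the original post: it finds a certificate in the `MY` store by subject substring and signs a SHA-256 digest with `NCryptSignHash`, so the private key is used inside its provider and never exported. It assumes an RSA key reachable through CNG and PKCS#1 v1.5 padding; the function name `sign_sha256_with_store_cert` and its parameters are illustrative.

```python
import ctypes, hashlib, sys
from ctypes import POINTER, byref, c_char_p, c_int, c_uint32, c_void_p, c_wchar_p
ENCODING = 0x1 | 0x10000               # X509_ASN_ENCODING | PKCS_7_ASN_ENCODING
CERT_FIND_SUBJECT_STR = (8 << 16) | 7  # CERT_COMPARE_NAME_STR_W << 16 | CERT_INFO_SUBJECT_FLAG
CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG, BCRYPT_PAD_PKCS1 = 0x40000, 0x2

class BCRYPT_PKCS1_PADDING_INFO(ctypes.Structure):
    _fields_ = [("pszAlgId", c_wchar_p)]  # hash algorithm named in the padding

def _bind(dll, name, *argtypes, restype=c_int):
    fn = getattr(dll, name)  # explicit prototypes keep 64-bit handles from being truncated
    fn.restype, fn.argtypes = restype, list(argtypes)
    return fn

def sign_sha256_with_store_cert(subject_substring, data, store_name="MY"):
    """Sign data with the key behind a store certificate (RSA PKCS#1 v1.5, SHA-256)."""
    if sys.platform != "win32":
        raise OSError("the Windows certificate store is only available on Windows")
    c32, ncr = ctypes.WinDLL("crypt32", use_last_error=True), ctypes.WinDLL("ncrypt")
    open_store = _bind(c32, "CertOpenSystemStoreW", c_void_p, c_wchar_p, restype=c_void_p)
    find = _bind(c32, "CertFindCertificateInStore", c_void_p, c_uint32, c_uint32,
                 c_uint32, c_wchar_p, c_void_p, restype=c_void_p)
    acquire = _bind(c32, "CryptAcquireCertificatePrivateKey", c_void_p, c_uint32, c_void_p,
                    POINTER(c_void_p), POINTER(c_uint32), POINTER(c_int))
    sign = _bind(ncr, "NCryptSignHash", c_void_p, c_void_p, c_char_p, c_uint32,
                 c_void_p, c_uint32, POINTER(c_uint32), c_uint32)
    store = open_store(None, store_name)
    if not store:
        raise ctypes.WinError(ctypes.get_last_error())
    cert, hkey, must_free = None, c_void_p(), c_int()
    try:
        cert = find(store, ENCODING, 0, CERT_FIND_SUBJECT_STR, subject_substring, None)
        if not cert:
            raise LookupError("no certificate subject contains %r" % subject_substring)
        if not acquire(cert, CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG, None,
                       byref(hkey), byref(c_uint32()), byref(must_free)):
            raise ctypes.WinError(ctypes.get_last_error())
        digest, size = hashlib.sha256(data).digest(), c_uint32()
        pad, sig = BCRYPT_PKCS1_PADDING_INFO("SHA256"), ctypes.create_string_buffer(1024)
        status = sign(hkey, byref(pad), digest, len(digest), sig, len(sig),
                      byref(size), BCRYPT_PAD_PKCS1)  # 1024 bytes fits RSA up to 8192 bits
        if status:
            raise OSError("NCryptSignHash failed: 0x%08X" % (status & 0xFFFFFFFF))
        return sig.raw[:size.value]
    finally:
        if must_free.value:
            _bind(ncr, "NCryptFreeObject", c_void_p)(hkey)
        if cert:
            _bind(c32, "CertFreeCertificateContext", c_void_p)(cert)
        _bind(c32, "CertCloseStore", c_void_p, c_uint32)(store, 0)
```

The returned bytes are a raw PKCS#1 v1.5 signature, so any library that can load the certificate's public key can verify it.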