0

Based on this tutorial, I have successfully created the signature key pair and Key Container. The key container after creation will be stored in %AppData%\Roaming\Microsoft\Crypto\RSA folder.

Next, I want to use signature key pair to get CSR(certificate signing request). So how do I do this?

Thanks in advance.

sliva
  • 11
  • 4

1 Answers1

0
  1. Get NCRYPT_KEY_HANDLE key handle with NCryptOpenKey if use CNG (or get HCRYPTPROV handle with CryptAcquireContext if use CAPI);
  2. Export public key with CryptExportPublicKeyInfo;
  3. Encode subject name with CertStrToName, for example:
    DWORD EncodeCertificateName(const std::wstring& name_to_encode, const DWORD delim_flag, 
        std::vector<BYTE>& encoded_name)
    {
        DWORD encoded_name_len = 0;
        /* get length */
        if (!CertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
            name_to_encode.data(),
            CERT_X500_NAME_STR | delim_flag,
            NULL,
            NULL,
            &encoded_name_len,
            NULL))
        {
            return GetLastError();
        }
    
        encoded_name.resize(encoded_name_len);
        /* encode */
        if (!CertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
            name_to_encode.data(),
            CERT_X500_NAME_STR | delim_flag,
            NULL,
            encoded_name.data(),
            &encoded_name_len,
            NULL))
        {
            return GetLastError();
        }
    
        return ERROR_SUCCESS;
    }
    
    std::wstring subject = L"CN=Test_request, E=test@test.com";
    std::vector<BYTE> encoded_name;
    EncodeCertificateName(subject, CERT_NAME_STR_COMMA_FLAG, &encoded_name);
  1. Fill CERT_REQUEST_INFO structure:

    CERT_REQUEST_INFO cert_req_info;
    
    /* set attributes if any */
    cert_req_info.cAttribute = 0;
    cert_req_info.rgAttribute = nullptr;
    
    cert_req_info.dwVersion = CERT_REQUEST_V1;
    
    /* set encoded subject name */
    cert_req_info.Subject.cbData = static_cast<DWORD>(name_enc.size());
    cert_req_info.Subject.pbData = name_enc.data();
    
    /* set exported public key info */
    cert_req_info.SubjectPublicKeyInfo = pub_key_info;
  1. Fill CRYPT_ALGORITHM_IDENTIFIER structure:

    CRYPT_ALGORITHM_IDENTIFIER sig_alg;
    
    /* set signature algorithm, for example */ 
    sig_alg.pszObjId = szOID_RSA_SHA256RSA;
  1. Create certificate request with CryptSignAndEncodeCertificate and parameter lpszStructType = X509_CERT_REQUEST_TO_BE_SIGNED:
std::vector<BYTE> enc_req_val;
DWORD enc_req_len = 0;
/* get length */
if (!CryptSignAndEncodeCertificate(hProv,
    AT_SIGNATURE, 
    PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
    X509_CERT_REQUEST_TO_BE_SIGNED,
    &cert_req_info,
    &sig_alg,
    nullptr,
    nullptr,
    &enc_req_len))
{
    /* handle error */
}

enc_req_val.resize(enc_req_len);
/* create certificate request */
if (!CryptSignAndEncodeCertificate(hProv,
    AT_SIGNATURE, 
    PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
    X509_CERT_REQUEST_TO_BE_SIGNED,
    &cert_req_info,
    &sig_alg,
    nullptr,
    enc_req_val.data(),
    &enc_req_len))
{
    /* handle error */
}
plstryagain
  • 686
  • 5
  • 9