Question
I want to get a private key from windows store and convert it to PEM in order to use it in OpenSSL. I've been looking for a way to do that for a few hours!
- I use CertFindCertificateInStore() to get a CERT_CONTEXT (which I know contains the private key, using the search parameter).
- Next, I used CryptAcquireCertificatePrivateKey() to get HCRYPTPROV (just because of the name of the function).
- Now, I use CryptGetUserKey() to get HCRYPTKEY (just because it sounds right...?!)
But now I'm stuck again.
I think this is security by obscurity done by Microsoft to make sure we will never be able to get private keys.
Answer 1:
The first two are fine. But you need to use CryptExportPKCS8. It will export the private key to a buffer in PKCS #8 DER-encoded form. From PKCS #8, you can get it into an X509 structure of OpenSSL (by using the d2i functions with a memory buffer as input in BIO structures).
However, if the private key is marked as non-exportable, this function will fail.
The only thing you can do then is sign data using such a private key.
Answer 2:
I'm leaving the answer as it is (after all without dbasic I would've been stuck :-)), but I have more to add:
Support for CryptExportPKCS8() ended with XP/2003, so we have to use PFXExportCertStoreEx(); however, this function exports the WHOLE store. So, in order to export just one certificate you need to use a memory store.
Check out this example on how to do that: http://msdn.microsoft.com/en-us/library/windows/desktop/aa382037(v=vs.85).aspx
Insert the certificate you want into the memory store, and then use PFXExportCertStoreEx() to export what you need.
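The single-certificate export that answer 2 describes, as an added PowerShell example (not code from the question or the answers): X509Certificate2.Export(Pfx) on Windows builds a memory store holding just that certificate and calls PFXExportCertStoreEx on it, and OpenSSL then turns the PFX into a PEM key. It assumes the certificate lives in CurrentUser\My, that $Thumbprint (placeholder below) is its hex thumbprint, and that openssl.exe is on PATH.

```powershell
# Added example: export one certificate's private key from the Windows store to PEM.
# Assumptions: certificate is in CurrentUser\My; $Thumbprint is a placeholder; openssl on PATH.
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT',
    [string]$OutDir     = $env:TEMP
)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    $found = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint, $Thumbprint, $false)
    if ($found.Count -ne 1) { throw "expected one certificate for thumbprint $Thumbprint, found $($found.Count)" }
    $cert = $found[0]
} finally { $store.Close() }

if (-not $cert.HasPrivateKey) { throw 'certificate has no private key in this store' }

# One-time random password for the PFX on disk; the PEM written later is unencrypted (-nodes),
# so keep the output directory access-controlled and delete the PFX as soon as it is converted.
$pwBytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($pwBytes)
$pfxPassword = [Convert]::ToBase64String($pwBytes)

# Export(Pfx) = memory store with only this cert + PFXExportCertStoreEx, as answer 2 describes.
# A key marked non-exportable makes this throw a CryptographicException (answer 1's caveat).
try {
    $pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
} catch [System.Security.Cryptography.CryptographicException] {
    throw "export failed, the key is probably marked non-exportable: $($_.Exception.Message)"
}

$pfxPath = Join-Path $OutDir "$Thumbprint.pfx"
$pemPath = Join-Path $OutDir "$Thumbprint.key.pem"
[IO.File]::WriteAllBytes($pfxPath, $pfxBytes)

# Hand the password to openssl via an environment variable rather than on the command line,
# so it does not show up in process listings; -nocerts writes only the private key.
$env:PFX_PW = $pfxPassword
& openssl pkcs12 -in $pfxPath -nocerts -nodes -passin env:PFX_PW -out $pemPath
$rc = $LASTEXITCODE
Remove-Item Env:PFX_PW
Remove-Item $pfxPath
if ($rc -ne 0) { throw "openssl failed with exit code $rc" }
Write-Output "private key written to $pemPath"
```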
Source: https://stackoverflow.com/questions/16775911/converting-private-key-in-windows-store-to-pem-for-openssl