CAPI write key pair to Usbkey CSP

Source: Internet
Author: User

After reviewing the concepts behind CryptoAPI and the CSP model, we analysed the relevant CryptoAPI functions and implemented the process of writing certificates and private keys to a USB key and of renewing certificates.
Scenario for writing a certificate and private key to the CSP:
The certificate and private key that the CA returns to the RA are packaged into a P12 (PKCS #12) structure, and that P12 is imported into a temporary certificate store. The certificate context is located in the temporary store; from the context, a temporary CSP handle and the key type of the certificate's private key are obtained, and with that CSP handle and key type the private key handle is obtained. The private key is then exported from the temporary CSP as a PRIVATEKEYBLOB using the CSP handle and the private key handle. CryptAcquireContext is used to create a key container and obtain a handle to the Usbkey CSP; the private key in the exported blob is imported into that key container, which returns a handle to the private key inside the container. Finally the certificate is written into the key container through that private key handle, which completes the writing of the certificate and private key.
The specific process is implemented as follows:
(1) Package the certificate and private key returned by the CA to the RA into a P12 structure.
(2) Use PFXImportCertStore to import the P12 into a temporary, memory-based certificate store and obtain the store handle hImportStore.
(3) Use CertFindCertificateInStore on hImportStore to obtain the certificate context pCertContext.
(4) Pass pCertContext to CryptAcquireCertificatePrivateKey to obtain the temporary CSP handle hCryptProv and the type dwKeySpec of the private key that belongs to the certificate.
(5) With hCryptProv and dwKeySpec, CryptGetUserKey obtains the handle hUserKey of the certificate's private key.
(6) With hUserKey, CryptExportKey exports the private key as a PRIVATEKEYBLOB, yielding the blob and its length.
(7) CryptAcquireContext creates a key container and obtains the Usbkey CSP handle hProv.
(8) With hProv and the blob and length from step (6), CryptImportKey imports the private key into the Usbkey CSP and returns the private key handle hKey.
(9) With hKey and the contents of the certificate context pCertContext obtained earlier, CryptSetKeyParam writes the certificate into the corresponding key container.
(10) At this point the certificate and private key have been written into the Usbkey CSP.
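The same write sequence as an added example; it is not code from the original article. It runs steps (2) to (9) through the .NET Framework wrappers of the CryptoAPI calls named above (Windows PowerShell 5.1, because the .NET Framework exposes the CSP key-container model and the PrivateKey setter that newer .NET versions dropped). The path, password, provider name and container name in param() are placeholders; the provider name must match the Usbkey vendor CSP as listed by certutil -csplist. The comments mark where the wrapper departs from the page's CAPI steps, in particular that step (9) is done through the certificate's key-provider property rather than CryptSetKeyParam.

```powershell
# Added example, not code from the original article: steps 2-9 through the .NET
# Framework wrappers of the same CryptoAPI calls (Windows PowerShell 5.1).
# Everything in param() is a placeholder; $ProviderName must be a CSP installed
# on the host (see `certutil -csplist`).
param(
    [string]$PfxPath       = 'C:\ra\issued.p12',          # placeholder: P12 built in step 1
    [string]$PfxPassword   = 'CHANGE-ME',                 # placeholder
    [string]$ProviderName  = 'Vendor USB Key CSP v1.0',   # placeholder: the Usbkey CSP
    [string]$ContainerName = 'ra-' + [guid]::NewGuid().ToString('N')   # container created in step 7
)
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Security
$X509 = 'System.Security.Cryptography.X509Certificates'

# Steps 2-3: PFXImportCertStore + CertFindCertificateInStore. The Exportable flag matters:
# without it the temporary key is marked non-exportable and step 6 (CryptExportKey) fails.
$flags   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$tmpCert = New-Object -TypeName "$X509.X509Certificate2" -ArgumentList $PfxPath, $PfxPassword, $flags
if (-not $tmpCert.HasPrivateKey) { throw 'the P12 carries no private key' }

# Steps 4-6: CryptAcquireCertificatePrivateKey / CryptGetUserKey / CryptExportKey(PRIVATEKEYBLOB)
$tmpRsa = $tmpCert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
if (-not $tmpRsa) { throw 'only RSA keys held by a CSP are handled here' }
$keySpec  = $tmpRsa.CspKeyContainerInfo.KeyNumber   # dwKeySpec: Exchange = AT_KEYEXCHANGE, Signature = AT_SIGNATURE
$privBlob = $tmpRsa.ExportParameters($true)         # private RSA parameters, the PRIVATEKEYBLOB equivalent

# Step 7: CryptAcquireContext(ProviderName, PROV_RSA_FULL) on a new container; the wrapper
# creates the container when it does not exist yet.
$csp = New-Object System.Security.Cryptography.CspParameters(1, $ProviderName, $ContainerName)  # 1 = PROV_RSA_FULL
$csp.KeyNumber = [int]$keySpec
$tokenRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)

# Step 8: CryptImportKey. A hardware CSP that only generates keys on the device refuses this.
$tokenRsa.ImportParameters($privBlob)
if (-not $tokenRsa.CspKeyContainerInfo.HardwareDevice) {
    Write-Warning "container '$ContainerName' was created by a software CSP, not on the token"
}

# Step 9: bind the certificate to the container. The PrivateKey setter checks that the
# certificate's public key matches the container key and writes the key-provider property
# on the certificate context; it does not call CryptSetKeyParam(KP_CERTIFICATE), so the
# token itself only receives a copy of the certificate if the vendor CSP stores one on its own.
$cert = New-Object -TypeName "$X509.X509Certificate2" -ArgumentList (,$tmpCert.RawData)
$cert.PrivateKey = $tokenRsa
$store = New-Object -TypeName "$X509.X509Store" -ArgumentList 'My', 'CurrentUser'
$store.Open('ReadWrite'); $store.Add($cert); $store.Close()

# Hygiene: wipe the exported private parameters and delete the temporary software container.
foreach ($f in 'D', 'P', 'Q', 'DP', 'DQ', 'InverseQ') {
    $b = $privBlob.$f; if ($b) { [Array]::Clear($b, 0, $b.Length) }
}
$tmpRsa.PersistKeyInCsp = $false; $tmpRsa.Clear(); $tmpCert.Reset()
"imported into '$ProviderName', container '$ContainerName', key spec $keySpec"
```

Run it on a host with the token and its CSP installed. Two points the step list above does not mention: the temporary P12 import must be flagged exportable or step (6) fails, and the exported private parameters should be wiped as soon as the import into the token has succeeded, since they are the only copy of the key outside the device. Where the token must hold its own copy of the certificate, the administrative route certutil -user -p <password> -csp "<provider>" -importPFX <file.p12> goes through the CSP's own import path, and the vendor CSP then decides whether the certificate is stored on the device as well.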
Scenario for certificate renewal:
The CA sends the renewed certificate to the RA. The RA searches the system store for the certificate whose serial number matches the serial number recorded before renewal; once it is found, its certificate context yields the Usbkey CSP handle and the key type, which in turn yield the private key handle used for the renewal. The renewal is completed by writing the renewed certificate, through that private key handle, into the key container that holds the private key. Because the system store may hold several certificates with the same serial number issued by the CA center, after the RA finds a certificate with the matching serial number it compares the AKID (authority key identifier, which identifies the issuer's key) of the renewed certificate with that of the found certificate: if the two match, this is the certificate to be renewed; otherwise the search continues.
The implementation process is as follows:
(1) Obtain the Usbkey CSP handle hProv through CryptAcquireContext.
(2) With hProv, open the system store through CertOpenStore and obtain the store handle hCertStore.
(3) With hCertStore, enumerate the certificates in the store with CertEnumCertificatesInStore. For each certificate context pCertContext, compare its serial number with the serial number supplied by the RA; if they match, compare the AKID of the renewed certificate with the AKID of this certificate context, and if that also matches, this is the certificate to be renewed. Otherwise the enumeration continues. The Usbkey CSP handle hProv obtained in step (1) is released at this point.
(4) Pass pCertContext to CryptAcquireCertificatePrivateKey to obtain the Usbkey CSP handle hProv and the type dwKeySpec of the private key that belongs to the certificate.
(5) With the CSP handle hProv and dwKeySpec, CryptGetUserKey obtains the certificate's private key handle hUserKey.
(6) With hUserKey and the renewed certificate, CryptSetKeyParam writes the renewed certificate into the corresponding key container.
(7) At this point the certificate renewal is complete.
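The renewal flow as an added example; it is not code from the original article. It performs steps (2) to (6) through the .NET Framework wrappers (Windows PowerShell 5.1) and shows the two-stage match from step (3): serial number first, then the AKID extension, so that two certificates sharing a serial number but issued under different CA keys are told apart. $NewCertPath and $SerialFromRA are placeholders; the serial is the hex value the RA recorded before renewal. The function names are this example's own.

```powershell
# Added example, not code from the original article: renewal steps 2-6 through the
# .NET Framework wrappers (Windows PowerShell 5.1). param() values are placeholders.
param(
    [string]$NewCertPath  = 'C:\ra\renewed.cer',   # placeholder: renewed certificate from the CA
    [string]$SerialFromRA = '61:2F:3A:04'          # placeholder: serial recorded by the RA before renewal
)
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Security
$X509 = 'System.Security.Cryptography.X509Certificates'

function ConvertTo-NormalizedSerial([string]$s) {
    # CAPI keeps the serial little-endian in CERT_INFO.SerialNumber; the .NET SerialNumber
    # property already presents it big-endian as the CA displays it, so only strip
    # separators and leading zero digits before comparing.
    (($s -replace '[^0-9A-Fa-f]', '') -replace '^0+', '').ToUpperInvariant()
}

function Get-AkidHex($cert) {
    # Authority Key Identifier extension (OID 2.5.29.35); its DER bytes are compared as-is.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' } | Select-Object -First 1
    if ($ext) { [BitConverter]::ToString($ext.RawData) } else { $null }
}

function Find-CertificateToRenew($store, [string]$serial, [string]$akidHex) {
    # Step 3: serial number first, then AKID; returns $null when nothing matches.
    $want = ConvertTo-NormalizedSerial $serial
    foreach ($c in $store.Certificates) {
        if ((ConvertTo-NormalizedSerial $c.SerialNumber) -ne $want) { continue }
        if ((Get-AkidHex $c) -ne $akidHex) { continue }   # same serial, different issuer key: keep looking
        return $c
    }
    return $null
}

$newCert = New-Object -TypeName "$X509.X509Certificate2" -ArgumentList $NewCertPath
$store   = New-Object -TypeName "$X509.X509Store" -ArgumentList 'My', 'CurrentUser'
$store.Open('ReadWrite')                      # step 2: CertOpenStore on the system store
try {
    $old = Find-CertificateToRenew $store $SerialFromRA (Get-AkidHex $newCert)
    if (-not $old) { throw "no certificate with serial $SerialFromRA and a matching AKID" }

    # Steps 4-5: the stored key-provider link gives the Usbkey CSP container and key spec.
    $rsa = $old.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
    if (-not $rsa) { throw 'matched certificate has no CSP-held RSA private key' }
    $info = $rsa.CspKeyContainerInfo
    "renewing in CSP '$($info.ProviderName)', container '$($info.KeyContainerName)', key spec $($info.KeyNumber)"

    # Step 6: rebind. The setter refuses a renewed certificate whose public key differs
    # from the container key, which is the case a renewal must not silently accept.
    $newCert.PrivateKey = $rsa
    $store.Remove($old)                       # removes the store entry only; the key stays in the CSP
    $store.Add($newCert)
} finally {
    $store.Close()
}
```

As with the import example, the .NET wrapper records the link between certificate and key container on the certificate context rather than calling CryptSetKeyParam with KP_CERTIFICATE, so whether the device itself receives the renewed certificate depends on the vendor CSP. The public-key check in the PrivateKey setter is worth keeping even in a native implementation: a renewed certificate that the CA issued for a fresh key pair must not be bound to the old container.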
The development platform is win2000 + VC 6.0. The scheme was tested with a certificate issued by a Microsoft Certificate Services CA; the written certificate and private key passed the secure web site access and secure e-mail tests, which shows that the scheme is feasible.
