This article is reposted from Hexun's blog: http://zyf860825.blog.hexun.com/61812512_d.html
A USB key is a hardware device with a USB interface. For example, the ET199Auto from Jianshi Chengxin has a built-in 16-bit high-performance smart-card chip imported from abroad. It has a certain amount of storage space in which the user's private key and digital certificate are kept, and it uses the RSA public/private key algorithm built into the USB key to authenticate the user's identity. Because the user's private key is stored inside the ET199Auto, and the smart-card chip effectively resists physical attacks, side-channel attacks and other means of theft, the private key in the ET199Auto cannot be read out by any means, which is what secures user authentication.
At present, USB keys are widely used in systems such as online banking, online office, securities trading and online games. So how does a USB key connect to an application system for identity authentication? The digital certificate stored in the USB key represents the user's identity. A digital certificate consists of the certificate information and the public key, paired with the corresponding private key; the certificate and public key may be made public, while the private key stays in the USB key and cannot be obtained by anyone. After the USB key is inserted into the computer, the middleware program supplied by the USB key manufacturer registers the certificate information with the Windows system. During authentication, the application system locates the user certificate through Windows, the certificate is linked through the manufacturer's middleware to the corresponding private key inside the USB key, the signature is computed with that private key inside the USB key, and the result is passed to the server for verification. The process is as follows:
Application system -> Windows system (user certificate) -> USB key middleware -> private-key signature inside the USB key -> server verification.
This article describes how to use the Microsoft CryptoAPI (CAPI) interface to register the certificate held in the USB key with Windows.
(1) Obtain the CSP handle. The CSP name is the one installed by the token's middleware.

    HCRYPTPROV hTokenProv = 0;
    /* NULL container name with no flags opens the CSP's default container, i.e. the token */
    CryptAcquireContext(&hTokenProv, NULL, "EnterSafe ET199Auto CSP V1.0", PROV_RSA_FULL, 0);

(2) Obtain the handle of the key in the USB key. Note that the key in the token is either a signature key (AT_SIGNATURE) or an exchange key (AT_KEYEXCHANGE); the key spec used here must match the one the token actually holds.

    HCRYPTKEY hKeyCAPI = 0;
    CryptGetUserKey(hTokenProv, AT_KEYEXCHANGE, &hKeyCAPI);

(3) Obtain the certificate data (the certificate itself only, not the private key). Call the function twice: first with a NULL buffer to obtain the length of the certificate data, then allocate the buffer and call it again to fetch the data.

    DWORD dwCertLen = 0;
    CryptGetKeyParam(hKeyCAPI, KP_CERTIFICATE, NULL, &dwCertLen, 0);   /* query the length */
    BYTE *pbCert = (BYTE *)malloc(dwCertLen);
    CryptGetKeyParam(hKeyCAPI, KP_CERTIFICATE, pbCert, &dwCertLen, 0); /* fetch the DER-encoded certificate */

(4) Create a CERT_CONTEXT structure from the DER data.

    PCCERT_CONTEXT pCertContext = CertCreateCertificateContext(
        PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, pbCert, dwCertLen);

(5) Open the MY store, which is the region where Windows keeps the current user's "personal" certificates.

    HCERTSTORE hSysStore = CertOpenStore(
        CERT_STORE_PROV_SYSTEM_REGISTRY, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER, L"MY");

(6) Set the key-provider property on the certificate context, so that Windows knows which CSP and key container hold the private key. A CRYPT_KEY_PROV_INFO structure must be declared first.

    CRYPT_KEY_PROV_INFO ckpi = {0};
    ckpi.pwszProvName      = L"EnterSafe ET199Auto CSP V1.0";
    ckpi.pwszContainerName = pbWideContainer;  /* wide-string name of the key container on the token; how it is obtained is not shown in this article */
    ckpi.dwProvType        = PROV_RSA_FULL;
    ckpi.dwKeySpec         = AT_KEYEXCHANGE;   /* must match the key spec used in step (2) */
    ckpi.dwFlags           = 0;                /* CERT_KEY_CONTEXT_PROP_ID is a property id, not a valid dwFlags value */
    ckpi.cProvParam        = 0;
    ckpi.rgProvParam       = NULL;
    /* dwFlags is 0: CERT_STORE_NO_CRYPT_RELEASE_FLAG only applies to the key-context/key-handle properties */
    CertSetCertificateContextProperty(pCertContext, CERT_KEY_PROV_INFO_PROP_ID, 0, &ckpi);

(7) Register the certificate with Windows by adding it to the store.

    CertAddCertificateContextToStore(hSysStore, pCertContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL);

(8) Release the CSP handle and the other resources.

    CertCloseStore(hSysStore, 0);
    CertFreeCertificateContext(pCertContext);
    free(pbCert);
    CryptDestroyKey(hKeyCAPI);
    CryptReleaseContext(hTokenProv, 0);
After completing the preceding steps, the certificate in the ET199Auto is registered with Windows. You can view it in Internet Explorer under Internet Options -> Content -> Certificates -> Personal.
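As an added check that is not part of the original article, the following PowerShell reads back the key-provider information that step (6) attached to the certificate in the personal store and confirms that the private key is reported as hardware-resident and non-exportable. It assumes Windows PowerShell 5.1 (.NET Framework), where $cert.PrivateKey returns an RSACryptoServiceProvider for CAPI keys; the CSP name defaults to the one the article uses, and the optional thumbprint filter is an assumption.

```powershell
# Added example: verify how a registered USB key certificate is bound to its CSP.
# Assumes Windows PowerShell 5.1; the token must be inserted when it runs.
param(
    [string]$ProviderName = 'EnterSafe ET199Auto CSP V1.0',  # CSP name from the article
    [string]$Thumbprint   = ''                               # optional: check one certificate only
)

$certs = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey }
if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }

foreach ($cert in $certs) {
    # $cert.PrivateKey opens the container named in CERT_KEY_PROV_INFO_PROP_ID through
    # the CSP, so it fails (or the CSP prompts for the PIN) if the token is absent.
    try { $key = $cert.PrivateKey } catch { $key = $null }
    if (-not $key -or -not $key.CspKeyContainerInfo) {
        Write-Warning "$($cert.Thumbprint): private key not reachable as a CAPI CSP key (token absent or key held by a CNG provider)"
        continue
    }
    $info = $key.CspKeyContainerInfo
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Provider   = $info.ProviderName       # pwszProvName
        Container  = $info.KeyContainerName   # pwszContainerName
        KeySpec    = $info.KeyNumber          # Exchange = AT_KEYEXCHANGE, Signature = AT_SIGNATURE
        OnToken    = $info.HardwareDevice     # CSP reports a hardware implementation
        Exportable = $info.Exportable         # CRYPT_EXPORT permission on the key
    }
    if ($info.ProviderName -eq $ProviderName -and -not $info.HardwareDevice) {
        Write-Warning "$($cert.Thumbprint): bound to the token CSP but the key is not reported as hardware-resident"
    }
    if ($info.Exportable) {
        Write-Warning "$($cert.Thumbprint): private key is exportable and could be copied off the token"
    }
}
```

A correctly registered ET199Auto certificate should list the token CSP as Provider, KeySpec Exchange (matching AT_KEYEXCHANGE in step 6), OnToken True and Exportable False.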