How to create a self-signed certificate using CryptoAPI in C + +

CryptoAPI programming

(1) Microsoft Encryption Service System

The structure of the Microsoft cryptographic Service System CryptoAPI as shown in the following illustration, the Microsoft Encryption Service system consists of three-tier architecture and two interfaces, namely the application layer, the operating system layer (OS), the cryptographic service provider layer (cryptographic service PROVIDER,CSP), The CryptoAPI interface and the cryptographic service Provider Interface (the cryptographic service Provider INTERFACE,CSPF).

(2) CryptoAPI architecture

CryptoAPI architecture consists of five main parts: Basic encryption function, certificate encoding/decoding function, certificate Library management function, simple message function, bottom message function. The architecture is shown in the following diagram:

Basic cryptographic functions: for selecting CSPs, establishing CSP connections, generating keys, exchanging and transferring keys, and so on.

Certificate encoding/Decoding function: For data encryption, decryption, hashing, and other operations. Such functions support the encryption/decryption operations of data, compute hashes, create and verify digital signature operations, and implement encoding and decoding operations such as certificates, certificate revocation lists, certificate requests, and certificate extensions.

Certificate Library management functions: For digital certificates and certificate Library management operations. This set of functions is used to manage certificates, certificate revocation lists, and certificate trust lists for use, storage, access, and so on.

Simple message functions: For message processing, such as message encoding/decoding, message addition/decryption, digital signature and signature verification, and other operations. It is the use of multiple low-level message functions packaged together to accomplish a specific task, user-friendly.

The underlying message function: the underlying message function encodes the transmitted pkcs#7 data, decodes the received pkcs#7 data, and decodes and validates the received message. It implements all the functionality that simple message functions can achieve, and provides greater flexibility, but generally requires more function calls.

(3) CryptoAPI basic functions

With CryptoAPI, developers can add security services to windows-based applications, including: ASN.1 encoding/decoding, data encryption/decryption, identity authentication, digital certificate management, and support for PKI, symmetric cryptography technology.

Key Management

In CryptoAPI, two types of keys are supported: Session key, public/private key pair. The session key also becomes a symmetric key for symmetric cryptographic algorithms. In order to ensure the security of the key, in CryptoAPI, these keys are kept inside the CSP, and the user can export them by Cryptexpoetkey as the encryption key in a quick form. The public/private key pair is used for asymmetric encryption algorithms. Asymmetric encryption algorithms are mainly used to decrypt session keys and digital signatures. In CryptoAPI, in general, the key containers produced by most CSPs contain two pairs of key pairs, a pair used to encrypt session keys, called Exchange key pairs, and a pair to generate a digital signature, called a signature key pair. In CryptoAPI, all the keys are stored in the CSP, and the CSP is responsible for key creation, destruction, import and export operations.

Data encoding/decoding

CryptoAPI uses the encoding method is ASN.1, the coding rule is der, indicates that the sender sends the data first to abstract the data as the ASN.1 object, then uses the der coding rule to convert the ASN.1 object to the transmission 0, 1 string; After receiving the data, the receiver uses the DER decoding rule to put 0, The 1 strings are transformed into ASN.1 objects, and then the ASN.1 objects are converted to the data objects that are supported by the specific application.

Data Plus/decryption

The symmetric encryption algorithm is used in CryptoAPI to encrypt large blocks of data. The encryption and decryption functions are encapsulated to realize the data decryption operation.

Hashing and digital signatures

Hashing and digital signatures are generally used for data integrity verification and identification. In CryptoAPI, the related operation is realized by its encapsulated hash and digital signature function. The digital signatures generated by the Microsoft-provided CSP follow the RSA Standard (PKCS#6).

Digital certificate Management

Digital certificates are used primarily for identity identification in secure communications. In CryptoAPI, the use management function of digital certificate is divided into two parts: Certificate and certificate library function, certificate validation function.