
Decrypt my World

Cryptography, Security, Debugging and more!


How to import a certificate without user interaction (C++ & C#)

Hi, welcome back,

Today I'm posting a CryptoAPI sample which uses CryptUIWizImport to import a certificate without any user interaction:

 

<SAMPLE Language="C++">

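#include <windows.h>
#include <wincrypt.h>
#include <cryptuiapi.h>
#include <stdio.h>
#include <string.h>

#pragma comment(lib, "cryptui.lib")

int main(void)
{
  // Describe the import source: a PFX file on disk and the password that decrypts it.
  CRYPTUI_WIZ_IMPORT_SRC_INFO importSrc;
  memset(&importSrc, 0, sizeof(CRYPTUI_WIZ_IMPORT_SRC_INFO));
  importSrc.dwSize = sizeof(CRYPTUI_WIZ_IMPORT_SRC_INFO);
  importSrc.dwSubjectChoice = CRYPTUI_WIZ_IMPORT_SUBJECT_FILE;
  importSrc.pwszFileName = L"C:\\PathToPFX\\cert.pfx";
  importSrc.pwszPassword = L"PasswordToDecryptPFX";
  // CRYPT_EXPORTABLE: the imported private key can be exported again later.
  // CRYPT_USER_PROTECTED: the user is notified when the private key is used.
  importSrc.dwFlags = CRYPT_EXPORTABLE | CRYPT_USER_PROTECTED;

  // CRYPTUI_WIZ_NO_UI runs the import without showing the wizard pages.
  if (CryptUIWizImport(
    CRYPTUI_WIZ_NO_UI,
    NULL,
    NULL,
    &importSrc,
    NULL
  ) == 0)
  {
    printf("CryptUIWizImport error 0x%lx\n", GetLastError());
    return 1;
  }
  return 0;
}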

</SAMPLE>

<SAMPLE Language="C#">

using System;
using System.Collections.Generic;
using System.Text;
using System.Runtime.InteropServices;
 
namespace ImportCertNet
{
    class Program
    {
        public struct CRYPTUI_WIZ_IMPORT_SRC_INFO
        {
            public Int32 dwSize;
            public Int32 dwSubjectChoice;
            [MarshalAs(UnmanagedType.LPWStr)]public String pwszFileName;
            public Int32 dwFlags;
            [MarshalAs(UnmanagedType.LPWStr)]public String pwszPassword;
        }
 
        [DllImport("CryptUI.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern Boolean CryptUIWizImport(
            Int32 dwFlags,
            IntPtr hwndParent,
            IntPtr pwszWizardTitle,
            ref CRYPTUI_WIZ_IMPORT_SRC_INFO pImportSrc,
            IntPtr hDestCertStore
        );
 
        public const Int32 CRYPTUI_WIZ_IMPORT_SUBJECT_FILE = 1;
        public const Int32 CRYPT_EXPORTABLE = 0x00000001;
        public const Int32 CRYPT_USER_PROTECTED = 0x00000002;
        public const Int32 CRYPTUI_WIZ_NO_UI = 0x0001;
 
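        static void Main(string[] args)
        {
            // Describe the import source: a PFX file on disk and the password that decrypts it.
            CRYPTUI_WIZ_IMPORT_SRC_INFO importSrc = new CRYPTUI_WIZ_IMPORT_SRC_INFO();
            importSrc.dwSize = Marshal.SizeOf(importSrc);
            importSrc.dwSubjectChoice = CRYPTUI_WIZ_IMPORT_SUBJECT_FILE;
            importSrc.pwszFileName = "C:\\alex.pfx";
            importSrc.pwszPassword = "password";
            // CRYPT_EXPORTABLE: the imported private key can be exported again later.
            // CRYPT_USER_PROTECTED: the user is notified when the private key is used.
            importSrc.dwFlags = CRYPT_EXPORTABLE | CRYPT_USER_PROTECTED;

            // CRYPTUI_WIZ_NO_UI runs the import without showing the wizard pages.
            if (!CryptUIWizImport(
                CRYPTUI_WIZ_NO_UI,
                IntPtr.Zero,
                IntPtr.Zero,
                ref importSrc,
                IntPtr.Zero
            ))
            {
                Console.WriteLine("CryptUIWizImport error " + Marshal.GetLastWin32Error());
            }

            Console.WriteLine("<< Press any key to continue >>");
            Console.ReadKey();
        }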
    }
}

</SAMPLE>

 

Note: if High protection mode for certificate private keys is enabled via policy, installing a certificate on the machine asks you for a password, and that password is then required every time the private key is accessed. In that case CryptUIWizImport still shows a dialog asking for the High protection password, even though CRYPTUI_WIZ_NO_UI was specified.

I hope this helps.

Cheers,

 

Alex (Alejandro Campos Magencio)

Posted: Thursday, January 31, 2008 11:36 AM by alejacma
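The same silent PFX import done with the managed X509 classes instead of CryptUIWizImport, as an added example that is not part of the original post. It leaves out the managed counterparts of CRYPT_EXPORTABLE and CRYPT_USER_PROTECTED, reads the password without echo rather than hardcoding it, and confirms the result by thumbprint. Assumptions: the class name, the command-line argument and the choice of the CurrentUser\My store are illustrative.

```csharp
using System;
using System.Security;
using System.Security.Cryptography.X509Certificates;

class ImportPfxManaged
{
    // Read the PFX password from the console without echo (not hardcoded, not in argv).
    static SecureString ReadPassword()
    {
        SecureString pwd = new SecureString();
        Console.Write("PFX password: ");
        ConsoleKeyInfo k;
        while ((k = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (k.Key == ConsoleKey.Backspace)
            {
                if (pwd.Length > 0) pwd.RemoveAt(pwd.Length - 1);
            }
            else if (k.KeyChar != '\0') pwd.AppendChar(k.KeyChar);
        }
        Console.WriteLine();
        pwd.MakeReadOnly();
        return pwd;
    }
    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: ImportPfxManaged <file.pfx>"); return 2; }
        // PersistKeySet keeps the private key after this process exits; UserKeySet stores it
        // in the current user's profile. Exportable and UserProtected are deliberately not set.
        X509KeyStorageFlags flags = X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.UserKeySet;
        using (SecureString pwd = ReadPassword())
        {
            X509Certificate2 cert = new X509Certificate2(args[0], pwd, flags);
            X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadWrite);
            try
            {
                store.Add(cert);
                // Verify the import: look the certificate up again by thumbprint.
                X509Certificate2Collection found =
                    store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false);
                bool ok = found.Count == 1 && found[0].HasPrivateKey;
                Console.WriteLine("{0} {1}", ok ? "Imported" : "Import not confirmed for", cert.Subject);
                return ok ? 0 : 1;
            }
            finally { store.Close(); }
        }
    }
}
```

A wrong password or unreadable file surfaces as a CryptographicException from the X509Certificate2 constructor, before anything is written to the store.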

Comments

Jebus said:

Hi,

Very interesting article! I'm in need of something similar. I want to export a private key from a certificate using C#.net. The problem is that I don't want that dialog box to appear when accessing the private key, but supply the password in code. Could I use the same approach as the code above?

If so, do you have some hints for me? I don't have any experience with P/Invoke whatsoever :s

# February 18, 2008 9:04 AM

alejacma said:

Do you have High protection mode enabled for your private keys?

# February 18, 2008 9:28 AM

Jebus said:

Yes, that's the reason I get the dialog box. I'd like to export the certificate keys to an RSAParameters object.

Turning high protection off is one solution, but then the security of the certificates on server-side is compromised...

# February 19, 2008 11:06 AM

alejacma said:

Sorry, I haven't seen a way to pass the high protection password programmatically, with any CryptoAPI I've ever used. You should have the same issues I commented with CryptUIWizImport in the article above.

# February 19, 2008 11:40 AM

Asif Alam said:

Using the above code I still get a security warning box, asking me if I would want to install the certificate or not.

Please tell me how to do away with this.

# July 26, 2008 4:50 AM

alejacma said:

Hi Alam,

I don't know right now why you may be getting that security warning box. CRYPTUI_WIZ_NO_UI should get rid of it. If it doesn't, maybe you can open a case with us, Technical Support, and we'll be more than happy to assist you.

Cheers,

Alex

# August 26, 2008 7:22 AM

Steven said:

This is exactly what I am looking for, however, I need to code it using VBA.  Is this possible?

# September 11, 2008 10:15 AM

Lux said:

Hi,

I've done a similar program, but I don't know how to enable High protection mode with pass via C#.

If I use CRYPT_USER_PROTECTED my program shows the dialog; in this dialog I select high protection and I type the password.

Do you have some hints for me?

thanks

LuX

# October 6, 2008 5:46 AM

Leonardo Maldonado said:

Is there any way to import a certificate revocation list without user interaction? Do you have any example?

# April 20, 2009 1:22 PM

Bruno said:

Thanks, that's exactly what I was looking for.

# May 27, 2009 2:21 PM