Encrypt and sign data using PKCS #12 Certificates

12 Jun 2005, CPOL, 4 min read
Encrypt and sign data using PKCS #12 certificates.

Download source code - 482 Kb

Introduction

This article explains how to encrypt/decrypt and sign/verify data with PKCS #12 (.pfx) certificates in .NET 1.1 using Microsoft CryptoAPI 2.0. [However, encryption and verification will work only if the PKCS #12 certificate's private key is exportable.]

Explanation

.NET 2.0 is in its final stages, and .NET 2.0 Beta 2 already provides full support for PKI (Public Key Infrastructure), that is, encrypting and signing data using certificates. But what about .NET 1.1? To get PKI-like functionality there we need a P/Invoke-based solution, which is the Microsoft CryptoAPI (the alternative is CAPICOM 2.0). In this article, we will use some helpful certificate functions from MS CryptoAPI 2.0 to accomplish our task.

However, some new certificate functions introduced with Windows XP Professional make the certificate user interface much easier, and hence our code will run only on Windows XP Professional or Windows 2003 Server. At the end, I will describe a way of using this functionality on Windows 2000 Professional or 2000 Server.

I will discuss only two new MS CryptoAPI 2.0 functions, CryptUIDlgSelectCertificateFromStore and CryptUIDlgCertMgr, and the technique I have implemented for encryption and signing using PKCS #12 certificates.

For the rest of the code, please use the source code download link. Don't worry, it is well commented and comes with an embedded .chm help file to simplify the operations.

  • CryptUIDlgSelectCertificateFromStore

    The CryptUIDlgSelectCertificateFromStore function displays a dialog box that allows the selection of a certificate from a specified store. The dialog box is shown below:

    [Image 1: the CryptUIDlgSelectCertificateFromStore certificate selection dialog]

    The function runs on Windows XP Professional or 2003 Server. See MSDN (Platform SDK > Security > CryptoAPI Functions).

  • CryptUIDlgCertMgr

    The CryptUIDlgCertMgr function displays a dialog box that allows the user to manage certificates. The dialog box is shown below:

    [Image 2: the CryptUIDlgCertMgr certificate manager dialog]

    The function runs on Windows XP Professional or 2003 Server. See MSDN (Platform SDK > Security > CryptoAPI Functions).

How encryption and decryption works

For encryption the concept is simple. I create a new RijndaelManaged object and generate a random key and IV (initialization vector). Then I encrypt both the key and the IV with the public key of the selected PKCS #12 certificate and export them as text files to the "My Documents" directory of the user running the current thread.

Similarly, for decryption, both the key and the IV are decrypted with the corresponding private key of the same PKCS #12 certificate selected earlier.

If you want, you can then send these two files to another person who holds the same PKCS #12 certificate, so that they can decrypt them with its corresponding private key.

How signing and verification works

For signing, I create the new object and encrypt the data to be signed with the private key of the selected PKCS #12 certificate, then export the result as a text file to the "My Documents" directory of the user running the current thread.

Similarly, for verification, I first decrypt the signature with the corresponding public key of the same PKCS #12 certificate selected earlier.

All encrypted output, from both encryption and signing, is shown in Base64 format.
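The following is an added example, not the article's source code: it carries out the two operations described above (wrapping a random key and IV with the certificate's public key, and signing/verifying with its private key) against the managed .NET API (X509Certificate2, RSA, Aes, assumed .NET 6 or later) instead of the CryptoAPI P/Invoke calls the article uses. The .pfx is constructed in code as a self-signed certificate, with the password "sam" mirroring the article's sample file; the message bytes are constructed too. Two deliberate departures from the article's scheme are marked in the comments: OAEP padding is used for the key wrap rather than PKCS #1 v1.5, and the signature is produced with SignData rather than by "encrypting" the data with the private key.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not the article's code: the article's two operations
// (envelope encryption of a random key/IV, and sign/verify) done with the
// managed .NET API (.NET 6 or later assumed) instead of CryptoAPI P/Invoke.
static class Pkcs12Demo
{
    // Constructed stand-in for the article's sample .pfx: a fresh self-signed
    // certificate exported as PKCS #12. The password "sam" mirrors the sample file.
    public static byte[] MakeDemoPfx(string password)
    {
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=Demo PKCS12 cert", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
        return cert.Export(X509ContentType.Pfx, password);
    }

    // Encryption as the article describes it: generate a random AES (Rijndael)
    // key and IV, wrap both with the certificate's RSA public key, and return
    // everything Base64-encoded, the form the article writes to text files.
    public static (string Key, string Iv, string Ciphertext) Encrypt(
        X509Certificate2 cert, byte[] plaintext)
    {
        using Aes aes = Aes.Create();          // AES-CBC with PKCS7 padding by default
        aes.GenerateKey();
        aes.GenerateIV();
        using ICryptoTransform enc = aes.CreateEncryptor();
        byte[] ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

        using RSA pub = cert.GetRSAPublicKey()
            ?? throw new InvalidOperationException("certificate has no RSA public key");
        // OAEP instead of the older PKCS #1 v1.5 encryption padding, which is
        // exposed to padding-oracle attacks when decryption errors are observable.
        var pad = RSAEncryptionPadding.OaepSHA256;
        return (Convert.ToBase64String(pub.Encrypt(aes.Key, pad)),
                // The IV need not be secret; it is wrapped only to match the
                // article's two-file layout.
                Convert.ToBase64String(pub.Encrypt(aes.IV, pad)),
                Convert.ToBase64String(ciphertext));
    }

    // Decryption: unwrap key and IV with the private key, then decrypt the data.
    public static byte[] Decrypt(X509Certificate2 cert, string key, string iv, string ciphertext)
    {
        using RSA priv = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("certificate has no private key");
        var pad = RSAEncryptionPadding.OaepSHA256;
        using Aes aes = Aes.Create();
        aes.Key = priv.Decrypt(Convert.FromBase64String(key), pad);
        aes.IV = priv.Decrypt(Convert.FromBase64String(iv), pad);
        byte[] ct = Convert.FromBase64String(ciphertext);
        using ICryptoTransform dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(ct, 0, ct.Length);
    }

    // Signing: SHA-256 digest signed with the private key (RSASSA-PKCS1-v1_5).
    // SignData does hash, pad and RSA as one operation; it is not a raw
    // "encrypt with the private key" of the message itself.
    public static string Sign(X509Certificate2 cert, byte[] data)
    {
        using RSA priv = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("certificate has no private key");
        return Convert.ToBase64String(
            priv.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
    }

    // Verification with the public key; returns false on any mismatch or tamper.
    public static bool Verify(X509Certificate2 cert, byte[] data, string signatureB64)
    {
        using RSA pub = cert.GetRSAPublicKey()
            ?? throw new InvalidOperationException("certificate has no RSA public key");
        return pub.VerifyData(data, Convert.FromBase64String(signatureB64),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    static void Main()
    {
        byte[] pfx = MakeDemoPfx("sam");
        using var cert = new X509Certificate2(pfx, "sam", X509KeyStorageFlags.Exportable);

        byte[] message = Encoding.UTF8.GetBytes("constructed sample message");
        var (k, iv, ct) = Encrypt(cert, message);
        Console.WriteLine($"wrapped key  : {k}");
        Console.WriteLine($"round trip   : {Encoding.UTF8.GetString(Decrypt(cert, k, iv, ct))}");

        string sig = Sign(cert, message);
        Console.WriteLine($"signature    : {sig}");
        Console.WriteLine($"verifies     : {Verify(cert, message, sig)}");
        message[0] ^= 0x01;                        // flip one bit of the signed data
        Console.WriteLine($"after tamper : {Verify(cert, message, sig)}");
    }
}
```

Two caveats for anyone reusing this shape: the AES-CBC envelope matches the article's RijndaelManaged scheme but carries no integrity check, so a recipient cannot tell a modified ciphertext from a genuine one unless the sender also signs it (the Sign/Verify pair above is one way to do that); and the private key of a .pfx should only be marked exportable when the workflow really needs it, since an exportable key is one the application, and anything running as that user, can copy out.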

How to run the code on Windows 2000 Professional or 2000 Server

As both CryptUIDlgSelectCertificateFromStore and CryptUIDlgCertMgr work only on Windows XP or 2003 Server, using the above functionality on Windows 2000 requires a little tailoring of the code. Instead of these two functions you have to build your own interface and use one of the following CryptoAPI functions:

  1. CertEnumCertificatesInStore

    The CertEnumCertificatesInStore function retrieves the first or next certificate in a certificate store. Used in a loop, this function can retrieve in sequence all the certificates in a certificate store.

  2. CertFindCertificateInStore

    The CertFindCertificateInStore function finds the first or next certificate context in a certificate store that matches the search criteria established by dwFindType and its associated pvFindPara. This function can be used in a loop to find all the certificates in a certificate store that match the specified find criteria.

You can use either of them. If you use the first, list the certificates in the store and ask the user to select a PKCS #12 certificate; if you use the second, ask the user to enter a search string for the certificate name in the store. The rest of the code remains the same. Both API functions are listed in the source code. The source code also contains a sample PKCS #12 certificate with the password sam.
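As an added example, not part of the article's source, the two selection strategies just described (enumerate the store and let the user choose, or find by a name the user types) written against the managed X509Store API that arrived with .NET 2.0, rather than CertEnumCertificatesInStore and CertFindCertificateInStore through P/Invoke. Both helpers keep only certificates that carry a private key, since only those can decrypt or sign; the store name, the default search string "Demo" and the command-line handling are this example's own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

// Added example, not the article's code: managed equivalents of the two
// CryptoAPI selection loops the article describes for Windows 2000.
// Assumes .NET 6 or later.
static class StorePicker
{
    // Strategy 1 (CertEnumCertificatesInStore equivalent): walk the whole store
    // and keep entries that can actually decrypt or sign, i.e. that have a
    // private key and have not expired. The caller shows this list to the user.
    public static List<X509Certificate2> ListUsable(X509Certificate2Collection certs)
    {
        var usable = new List<X509Certificate2>();
        foreach (X509Certificate2 c in certs)
            if (c.HasPrivateKey && DateTime.Now < c.NotAfter)
                usable.Add(c);
        return usable;
    }

    // Strategy 2 (CertFindCertificateInStore equivalent): find by subject name.
    // Subject names are not unique, so the first hit with a private key is
    // returned and the caller should confirm the choice by thumbprint.
    public static X509Certificate2? FindBySubject(X509Certificate2Collection certs, string subjectName)
    {
        X509Certificate2Collection hits =
            certs.Find(X509FindType.FindBySubjectName, subjectName, validOnly: false);
        foreach (X509Certificate2 c in hits)
            if (c.HasPrivateKey) return c;
        return null;
    }

    static void Main(string[] args)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);

        Console.WriteLine("Certificates with a private key in CurrentUser\\My:");
        int i = 0;
        foreach (var c in ListUsable(store.Certificates))
            Console.WriteLine($"  [{i++}] {c.Subject}  thumbprint={c.Thumbprint}  expires={c.NotAfter:d}");

        // The search string the user would type; "Demo" is only this example's default.
        string name = args.Length > 0 ? args[0] : "Demo";
        X509Certificate2? pick = FindBySubject(store.Certificates, name);
        Console.WriteLine(pick is null
            ? $"No certificate with a private key matches '{name}'."
            : $"Selected: {pick.Subject} ({pick.Thumbprint})");
    }
}
```

Listing by thumbprint rather than subject alone is what lets the user tell apart two certificates issued to the same name, which is the ambiguity a subject-name search cannot resolve on its own.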

Conclusion

I am always willing to help, so if you have any questions, suggestions about my article, feel free to email me at Adahmed911@hotmail.com. You can also reach me on MSN messenger with screen name “Maxima”.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Software Developer (Senior)
Pakistan
I am a software engineer and have been working for the last four years in the information technology field. I love to do interesting tasks. I love seeing different places and listening to music.

Comments and Discussions

General: My vote of 1 (sdgfsdxcv, 16-Sep-10 5:11)
Question: how download source code about coding for image & text (f_arasteh, 6-Dec-09 10:03)
General: My vote of 1 (Chris Bentkowski, 2-Dec-09 11:35)
General: My vote of 1 (JL Fajardo, 4-Oct-09 23:30)
General: Hide files into image and get back in VB.Net (fourteen_naveed, 5-Mar-09 20:43)
General: My vote of 1 (seeblunt, 10-Dec-08 23:35)
    waste of t i m e
General: "Certificate Context" (kingdom1977, 23-May-08 5:31)
Question: WTF??? (d2_grv, 19-Feb-07 20:52)
General: hhha! (bissoi, 1-Feb-07 2:30)
General: Incomplete code...please update it! (balazs_hideghety, 11-Jan-07 9:44)
General: Incomplete source... (Peter DeBetta, 22-Jan-06 14:26)
General: Download error (Ralph Varjabedian, 12-Jun-05 20:55)