1
votes

I have to find out whether a smart card has a given certificate on it. For that I am first acquiring the HCRYPTPROV (handle to the CSP) using CryptAcquireContext, then using it to open the system store (OpenSystemStore), and then enumerating the certificates.

It works perfectly on Windows XP. On Windows 7 it gives an issue due to stale/old certs kept in the store. Windows stores/copies the certificates from the smart card into its store. That means if I have two certificates, Cert1 and Cert2, on the smart card and I have used the smart card to log on to Windows, then Windows stores these certs in its stores; we can see that by going to IE -> Internet Options -> Content -> Certificates. Then if I remove Cert2 from the smart card, Cert2 is still shown in the Windows store, and this is breaking my code.

So I need to enumerate only the certs that are on the smart card, not the ones in the Windows store.

1
Haven't programmed Windows for a while, but normally a certificate on a smart card is accompanied by a private key to do the actual signing or decryption. Can you maybe try to access or use the private key and see what happens? - Maarten Bodewes
Thanks owlstead. It worked for me. I used the CryptAcquireCertificatePrivateKey API to check for the private key corresponding to a given cert. It returns successfully if the key is available on the smart card. - MLS
Glad to be of some help to you Mohammed. - Maarten Bodewes

1 Answer

2
votes

Assuming the HCRYPTPROV you acquire is for the smart card, use CryptGetProvParam with the PP_USER_CERTSTORE parameter:

Obtains the user certificate store for the smart card. This certificate store contains all of the user certificates that are stored on the smart card.

e.g.

HCERTSTORE hCertStore = NULL;
DWORD size = sizeof(hCertStore);
/* hProv is the HCRYPTPROV acquired for the smart card CSP */
if (!CryptGetProvParam(hProv, PP_USER_CERTSTORE, (PBYTE)&hCertStore, &size, 0))
    return GetLastError();   /* CSP does not support it, or no card present */
/* ... enumerate hCertStore, then release it with CertCloseStore(hCertStore, 0) ... */

You can then enumerate the smart card's certificates from the HCERTSTORE as with the system store.

The MSDN page states "Windows XP: This parameter is not supported." but it works fine on XP with the latest Service Pack.

The CNG equivalent is NCryptGetProperty with the NCRYPT_USER_CERTSTORE_PROPERTY parameter.
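The following is an added example, not code from the question or the answer above. It drives the same CryptoAPI calls the answer describes (CryptAcquireContext, CryptGetProvParam with PP_USER_CERTSTORE, CertCloseStore) from PowerShell via P/Invoke, hands the resulting HCERTSTORE to .NET's X509Store(IntPtr) constructor to enumerate it, and then compares the on-card thumbprints against CurrentUser\My to surface exactly the stale cached copies the question complains about. Assumptions: the card is handled by the Microsoft Base Smart Card Crypto Provider, a card is in a reader, PP_USER_CERTSTORE has the wincrypt.h value 42, and acquiring a CRYPT_VERIFYCONTEXT context with no container name lets the Base CSP select the inserted card (if that does not hold for a given CSP, pass a container of the form \\.\<reader name>\ instead). The function names are mine.

```powershell
# Added example (not from the original post). Lists the certificates that are
# physically on the smart card via PP_USER_CERTSTORE and compares them with
# the copies Windows cached in CurrentUser\My.

Add-Type -Namespace SmartCard -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CryptAcquireContextW(out IntPtr phProv, string szContainer,
    string szProvider, uint dwProvType, uint dwFlags);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CryptGetProvParam(IntPtr hProv, uint dwParam,
    ref IntPtr pbData, ref uint pdwDataLen, uint dwFlags);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CryptReleaseContext(IntPtr hProv, uint dwFlags);

[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CertCloseStore(IntPtr hCertStore, uint dwFlags);
'@

# Constants from wincrypt.h (assumed values; PP_USER_CERTSTORE = 42)
$PROV_RSA_FULL       = [uint32]1
$CRYPT_VERIFYCONTEXT = [uint32]0xF0000000
$CRYPT_SILENT        = [uint32]0x40        # fail instead of showing a card/PIN prompt
$PP_USER_CERTSTORE   = [uint32]42
$BASE_SC_CSP         = 'Microsoft Base Smart Card Crypto Provider'

function Get-SmartCardCertificates {
    <# Returns X509Certificate2 objects read from the card itself, not the
       copies Windows propagated into the user's My store. #>
    param(
        [string]$Provider = $BASE_SC_CSP,
        # Assumption: $null lets the Base CSP pick the inserted card; to target a
        # specific reader, pass a container such as '\\.\My Reader Name\'
        [string]$Container = $null
    )
    $hProv = [IntPtr]::Zero
    if (-not [SmartCard.Native]::CryptAcquireContextW([ref]$hProv, $Container, $Provider,
            $PROV_RSA_FULL, ($CRYPT_VERIFYCONTEXT -bor $CRYPT_SILENT))) {
        throw ('CryptAcquireContext failed: 0x{0:X8}' -f
            [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    try {
        $hStore = [IntPtr]::Zero
        $size   = [uint32][IntPtr]::Size
        if (-not [SmartCard.Native]::CryptGetProvParam($hProv, $PP_USER_CERTSTORE,
                [ref]$hStore, [ref]$size, 0)) {
            throw ('CryptGetProvParam(PP_USER_CERTSTORE) failed: 0x{0:X8}' -f
                [Runtime.InteropServices.Marshal]::GetLastWin32Error())
        }
        try {
            # X509Store(IntPtr) duplicates the HCERTSTORE, so ours can be closed below
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($hStore)
            @($store.Certificates)
        } finally {
            [void][SmartCard.Native]::CertCloseStore($hStore, 0)
        }
    } finally {
        [void][SmartCard.Native]::CryptReleaseContext($hProv, 0)
    }
}

function Test-CertificateOnSmartCard {
    <# $true only if a cert with this thumbprint is on the card right now #>
    param([Parameter(Mandatory)][string]$Thumbprint)
    $t = $Thumbprint -replace '[^0-9A-Fa-f]', ''
    [bool](Get-SmartCardCertificates | Where-Object { $_.Thumbprint -ieq $t })
}

function Get-StaleSmartCardCopies {
    <# Entries in CurrentUser\My whose thumbprint is not on the card. This also
       lists certificates that never came from the card, so narrow it further
       (for example by issuer) if the My store holds software-key certs too. #>
    $onCard = @(Get-SmartCardCertificates | ForEach-Object Thumbprint)
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -notin $onCard }
}

# Usage:
#   Get-SmartCardCertificates | Format-Table Subject, Thumbprint, NotAfter
#   Test-CertificateOnSmartCard -Thumbprint 'AB CD ...'
#   Get-StaleSmartCardCopies
```

Because the store comes straight from the CSP, removing a certificate from the card is reflected on the next call, whereas the CurrentUser\My copies persist until the certificate propagation service is restarted or the entry is deleted; the comparison above is what distinguishes the two.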