I am working on a key management application for the universal windows platform and would like to install CA certificates and trust anchors that can be used by system apps and 3rd-party apps. I have tried using a combination of CertificateStores.GetStoreByName and CertificateStore.Add as well as a call accessed via P/Invoke to CertAddEncodedCertificateToStore. Unfortunately, in both cases the calls succeed but the certificates are not visible using MMC and they do not appear to be used by other applications.
Is there a means of installing certificates such that they are usable system-wide (including outside the app container)? Is there any means of viewing what certificates have been installed within an app container?
By default no. Please check introduction to certificates article.
Shared certificate stores
UWP apps use the new isolationist application model introduced in Windows 8. In this model, apps run in
low-level operating system construct, called an app container, that
prohibits the app from accessing resources or files outside of itself
unless explicitly permitted to do so. The following sections describe
the implications this has on public key infrastructure (PKI).
Certificate storage per app container
Certificates that are intended for use in a specific app container are stored in per user,
per app container locations. An app running in an app container has
write access to only its own certificate storage. If the application
adds certificates to any of its stores, these certificates cannot be
read by other apps. If an app is uninstalled, any certificates
specific to it are also removed. An app also has read access to local
machine certificate stores other than the MY and REQUEST store.
Anyway, you can add a capability to your application in Package.appxmanifest. The sharedUserCertificates capability grants an app container read access to the certificates and keys contained in the user MY store and the Smart Card Trusted Roots store.
<Capabilities>
<uap:Capability Name="sharedUserCertificates" />
</Capabilities>
I just added it for testing purpose (UWP application) and the following code works fine. Certificate is added on user MY store.
string pfxCertificate = null;
string pfxPassword = "";
FileOpenPicker filePicker = new FileOpenPicker();
filePicker.FileTypeFilter.Add(".pfx");
filePicker.CommitButtonText = "Open";
try
{
StorageFile file = await filePicker.PickSingleFileAsync();
if (file != null)
{
// file was picked and is available for read
// try to read the file content
IBuffer buffer = await FileIO.ReadBufferAsync(file);
using (DataReader dataReader = DataReader.FromBuffer(buffer))
{
byte[] bytes = new byte[buffer.Length];
dataReader.ReadBytes(bytes);
// convert to Base64 for using with ImportPfx
pfxCertificate = System.Convert.ToBase64String(bytes);
}
await CertificateEnrollmentManager.UserCertificateEnrollmentManager.ImportPfxDataAsync(
pfxCertificate,
pfxPassword,
ExportOption.NotExportable,
KeyProtectionLevel.NoConsent,
InstallOptions.None,
"Test");
}
}
catch (Exception ex)
{
Debug.WriteLine(ex.Message);
}
A sample is available on 8.1 if it helps. Cryptography and Certificate sample
Related
I have a web API which simply
clone a .docx file
convert that cloned .docx to a .pdf format
using DocumentFormat.OpenXml.Packaging;
[HttpPost("clone")]
public IActionResult CloneBillFromTemplate()
{
var templateFilePath = System.IO.Path.Combine(Directory.GetCurrentDirectory(), "Bill", "PaymentTempl.docx");
var clonedFilePath = System.IO.Path.Combine(Directory.GetCurrentDirectory(), "Bill", "ClonedBill.docx");
var pdfFilePath = System.IO.Path.Combine(Directory.GetCurrentDirectory(), "Bill", "FinalBill.pdf");
using (WordprocessingDocument wordDoc = WordprocessingDocument.Open(templateFilePath, true))
{
var clonedDoc = wordDoc.Clone(clonedFilePath);
System.Threading.Thread.Sleep(500);
clonedDoc.Save();
clonedDoc.Close();
}
using (var converter = new OfficeConverter.Converter())
{
converter.Convert(clonedFilePath, pdfFilePath);
}
return Ok();
}
Everything works fine when debugging (for sure :3) and also on IIS
But when I deploy to Azure App service, I got this type of error (stack trace + exception message).
Could not read registry to check Word version
Could not find registry key Word.Application\CurVer
at OfficeConverter.Word..ctor()
at OfficeConverter.Converter.get_Word()
at OfficeConverter.Converter.Convert(String inputFile, String outputFile, Stream logStream) at ....
Could you guys help me on this? Thanks all!!!
**feel free to ask for more information you need to detect this issue
Update
Looks like this is the issue with the pdf converter pacakge I'm using, not the OpenXML
It seems your application is relying on the Windows registry in a way that is not supported. If you are running on a Linux App Service, that would be the first thing to swap out, though my guess is that you are already running on Windows.
Apps have read-only access to much (though not all) of the registry of the virtual machine they are running on. In practice, this means registry keys that allow read-only access to the local Users group are accessible by apps. One area of the registry that is currently not supported for either read or write access is the HKEY_CURRENT_USER hive.
Write-access to the registry is blocked, including access to any per-user registry keys.
https://learn.microsoft.com/en-us/azure/app-service/operating-system-functionality#registry-access
If you can't refactor your code to not rely on such dependencies, I would suggest you put your application inside a Windows docker container. If you can run that locally, it should run on App Service as well.
We are developing a C# UWP application using Visual Studio 2019. I have successfully setup monitoring of the YubiKey FIPS (4.4.5 firmware) being inserted/removed from the USB port. We setup the YubiKey to use PIV and have loaded a certificate into slot 9c (using YubiKey PIV Manager, I have not installed the mini driver). I do note that when the YubiKey is inserted into the USB, it auto loads my personal cert store with the certificate that is in slot 9c. We receive a challenge from our server and I need to use it to verify against the YubiKey. What is the next step to get the certificate from slot 9c (what if you have multiple certs on that key)? Yubico does not have an example showing how to integrate the key with an app (I don't believe Windows Hello is applicable here, no?). We are trying to use the Windows.Devices.SmartCards namespace. This namespace does not seem to have the concept of slots. Is that the correct direction or do we need to use Yubico libraries (mini driver) I'm not aware. The documentation is limited.
var yubiKeys = Readers.Where(r => r.Value.Name.Contains("Yubi", StringComparison.OrdinalIgnoreCase));
foreach (KeyValuePair<string, SmartCardReader> item in yubiKeys)
{
IReadOnlyList<SmartCard> cards = await item.Value.FindAllCardsAsync();
foreach(SmartCard card in cards)
{
SmartCardProvisioning prov = await SmartCardProvisioning.FromSmartCardAsync(card);
using (SmartCardChallengeContext context = await prov.GetChallengeContextAsync())
{
IBuffer yubiKeyChallenge = context.Challenge; // IS THIS THE CARDS ADMIN PIN?
// Challenge to acquire cert here perhaps?
// the card object has no concept of slots, would each slot be a card in the reader?
// if so, how would I use the Challenge for that card?
}
}
}
The Windows Smart Card components (including the Windows Inbox Smart Card Minidriver and the Yubico minidriver) don’t directly implement supported PIV concepts like slots or objects. Instead, the minidriver scans the PIV slots and converts any present keys to "key containers", which is how Windows deals with private keys and certificates. Each certificate in the Certificate Store has an associated key container, but since it has no concept of PIV, details like the key reference slot have been abstracted away.
As with most built-in Windows components, the app doesn’t talk to the smart card directly, instead it uses the certificate that the Certificate Propagation service adds to the personal store.
If you inspect the user's personal store with Certificate Manager (certmgr.msc), the certificate properties should have a note that you have a private key associated with the certificate.
To sign or encrypt with the private key, the app acquires the
certificate from the personal store and uses the appropriate .NET CSP
with that certificate.
In general, UWP apps have limited native interop capabilities and rely on using the rudimentary APIs of the smart card key storage provider (KSP) to later be called through the CNG interface.
Here’s an example of using the UserCertificateStore to interact with certificates within the user’s personal certificate store.
You can then use that certificate with your favorite CSP software library to sign or encrypt. A few examples here.
To access smartcard or usb token content like slots, keys in it, directly you may need to use PKCS#11.
But since you said smartcard content is being loaded by smartcard driver (CSP) to Windows Certificate store, you may use Windows.Security, X509 certificates and RSA Provider (I don't remember .NET namespaces exactly...) to give signing request using RSAProvider and CSP would in turn send that request to smartcard. You many not need to access smartcard directly for signing.
For browser based user authentication, please refer to so answer
I have a Windows Forms application installed using InnoSetup that my users download from my website. They install this software onto multiple PCs.
The application talks to a Web API which must be able to identify the user. I am creating a web application where the user can log in and download the app. I would like to embed a universally unique ID into the installer so that they do not have to login again after installation. I want them to download and run setup.exe, and have the application take care of itself.
I am considering a couple of options:
Embed a user-specific UUID into setup.exe and perform code-signing on-demand on the web serverDownside: not sure how to do this?
Embed a user-specific UUID into the name of the installer file (e.g. setup_08adfb12_2712_4f1e_8630_e202da352657.exe)Downside: this is not pretty and would fail if the installer is renamed
Wrap the installer and a settings file containing the UUID into a self-extracting zip
How can I embed user-specific data into a signed executable on the web server?
The entire PE is not signed. You can embed data into a signed PE by adding it to the signature table. This method is used by Webex and other tools to provide the one-click meeting utilities.
Technically, the PKCS#7 signature has a list of attributes that are specifically designated as unauthenticated which could be used, but I know of no easy way to write to these fields without a full PE parser. Luckily, we already have signtool, and adding an additional signature to an already signed file is a non-destructive operation that uses the unauthenticated fields.
I put together a demo which uses this technique to pass data from an MVC website to a downloadable windows forms executable.
The procedure is to:
Start with the authenticode signed and timestamped exe produced by standard processes(must be able to run without dependencies - ILMerge or similar)
Copy the unstamped exe to a temp file
Create an ephemeral code signing certificate which includes the auxiliary data as an X509 extension
Use signtool to add the auxiliary signature to the temp file
Return the temp file to the client, delete it after the download completes
On the client side, the app:
Reads the signing certificates from the currently executing exe
Finds the certificate with a known subject name
Finds the extension with a known OID
Alters its behavior based off of the data contained in the extension
The process has a number of advantages:
No monkeying with the PE layout
The publicly trusted code signing certificate can stay offline (or even in an HSM), only ephemeral certificates are used on the web server
No outbound traffic is generated from the web server (as would otherwise be required if timestamping were performed)
Fast (<50ms for a 1MB exe)
Can be run from within IIS
Usage
Client side retrieval of data (Demo Application\MainForm.cs)
try
{
var thisPath = Assembly.GetExecutingAssembly().Location;
var stampData = StampReader.ReadStampFromFile(thisPath, StampConstants.StampSubject, StampConstants.StampOid);
var stampText = Encoding.UTF8.GetString(stampData);
lbStamped.Text = stampText;
}
catch (StampNotFoundException ex)
{
MessageBox.Show(this, $"Could not locate stamp\r\n\r\n{ex.Message}", Text);
}
Server side stamping (Demo Website\Controllers\HomeController.cs)
var stampText = $"Server time is currently {DateTime.Now} at time of stamping";
var stampData = Encoding.UTF8.GetBytes(stampText);
var sourceFile = Server.MapPath("~/Content/Demo Application.exe");
var signToolPath = Server.MapPath("~/App_Data/signtool.exe");
var tempFile = Path.GetTempFileName();
bool deleteStreamOpened = false;
try
{
IOFile.Copy(sourceFile, tempFile, true);
StampWriter.StampFile(tempFile, signToolPath, StampConstants.StampSubject, StampConstants.StampOid, stampData);
var deleteOnClose = new FileStream(tempFile, FileMode.Open, FileAccess.Read, FileShare.Read | FileShare.Delete, 4096, FileOptions.DeleteOnClose);
deleteStreamOpened = true;
return File(deleteOnClose, "application/octet-stream", "Demo Application.exe");
}
finally
{
if (!deleteStreamOpened)
{
try
{
IOFile.Delete(tempFile);
}
catch
{
// no-op, opportunistic cleanup
Debug.WriteLine("Failed to cleanup file");
}
}
}
I'm trying to digitally sign a PDF document using Syncfusion PDF 10.4, like so:
PdfLoadedDocument document = new PdfLoadedDocument(inputStream);
PdfCertificate certificate = PdfCertificate.FindBySubject(certificateStoreType, certificateSubjectName);
PdfSignature signature = new PdfSignature(document, document.Pages[0], certificate, "Signatur");
signature.Bounds = new RectangleF(new PointF(5, 5), new SizeF(100, 100));
This works great for my local user account after installing a suitable certificate using MMC (adding the Certificates snap-in for My user account and storing it in Personal), but not for a service (choosing Service account this time, and picking my service). Running the same code results in no suitable certificate being found, i.e. certificate is null. Furthermore, PdfCertificate.GetCertificates() throws an AccessViolationException, which I assume is a bug on Syncfusion's end.
I can, however, reproduce the same problem without Syncfusion code:
var store = new System.Security.Cryptography.X509Certificates.X509Store("My");
store.Open(System.Security.Cryptography.X509Certificates.OpenFlags.ReadOnly);
foreach (var item in store.Certificates)
{
…
}
Run as my own user, the certificate shows up (as do all the others shown in MMC under Personal), but if I debug the service (by running it, then invoking System.Diagnostics.Debugger.Launch()), I only get a "CN=LOCAL SERVICE" certificate, which doesn't show up in MMC at all.
I'm assuming that I need to A) tell it to open the correct certificate store, or B) change something about the way the service is installed or run, such as giving it a different identity, enabling UserInteraction, etc. Currently, it runs using LocalService and with UserInteraction disabled.
From what I remember, Windows machine accounts (like LocalService) use the machine certificate store. This means that in your code, you have to access the store with StoreLocation.LocalMachine.
var store =
new System.Security.Cryptography.X509Certificates.X509Store(StoreLocation.LocalMachine);
Note that if you decide to run the service under specific identity, you should rather first login as the identity, then import the certificate to the Personal store and then, use StoreLocation.CurrentUser.
The answer appears to be that .NET doesn't support accessing service account certificate stores without P/Invoke or the like:
I don't think that any of the .NET APIs allow access to the Services Certificate store.
However, you can install the certificate into the CurrentUser store of the account that the service runs under.
I've changed the service to run under its own user (which doesn't need admin rights), ran mmc.exe as that user using runas, and imported the certificate to that user's personal store.
I ran into this problem, and to solve it had to allow the "Local Service" account to access the "Local Computer" certificate store using the tool "WinHttpCertCfg"
It is described in detail here:
https://support.microsoft.com/en-us/help/901183/how-to-call-a-web-service-by-using-a-client-certificate-for-authentication-in-an-asp-net-web-application
I use the "Sqlite for Windows Runtime" and sqlite-net (just as described at http://timheuer.com/blog/archive/2012/08/07/updated-how-to-using-sqlite-from-windows-store-apps.aspx) to develop a Windows 8 Metro-App, just . If I want to open a Database at the Program-Directory is no problem:
var dbPath = Path.Combine(Windows.Storage.ApplicationData.Current.LocalFolder.Path, "db.sqlite");
using (var db = new SQLite.SQLiteConnection(dbPath)) {
...
}
But when I want to use an extern Path like this:
var dbPath = "C:\\Users\\xxxxxx\\db.sqlite";
then an error occurs with "Cannot open database file". Why? Here I am using C#, normally I use C++, but for this problem I am sure it doesn't matter ;)
You cannot select arbitrary files on the file system. See here for details.
By default you can access these locations:
Application install directory
Application data locations
User’s Downloads folder
and
Additionally, your app can access some of the files on connected
devices by default. This is an option if your app uses the AutoPlay Device extension to launch automatically when users connect a device,
like a camera or USB thumb drive, to their system. The files your app
can access are limited to specific file types that are specified via
File Type Association declarations in your app manifest. Of course,
you can also gain access to files and folders on a removable device by
calling the file picker (using FileOpenPicker and FolderPicker) and
letting the user pick files and folders for your app to access. Learn
how to use the file picker in Quickstart: Accessing files with file pickers.
If you have the right capabilities declared you can also access:
Documents Library
Music Library
Picture Library
Videos Library
Homegroup Library
Removable devices
Media server devices (DLNA)
Universal Naming Convention (UNC) folders
A combination of the following capabilities is needed.
The home and work networks capability:
PrivateNetworkClientServer
And at least one internet and public networks capability:
InternetClient InternetClientServer
And, if applicable, the domain credentials capability:
EnterpriseAuthentication
Note You must add File Type Associations to your app manifest that declare specific file types that your app can access in this location.
In windows metro application...
It support only sandbox property of an application.
So you cant use
var dbPath = "C:\\Users\\xxxxxx\\db.sqlite";
U can only store data in local storage or application installed directory.
Please avoid to use any other path . it will not work .