
Mastering Windows Mobile Crypto API: Using Signatures and Certificates

  • November 29, 2005
  • By Alex Gusev

Certificates

A certificate is another face of cryptology: a set of data intended to identify a person or an organization (known as the certificate subject). A certificate associates a public key with that subject. The organization that issues a certificate is called a certification authority (CA).

Certificates can be issued either by a trusted organization or by yourself. The latter can cause some trouble, because not all targets will trust your certificate by default; that can be fixed by installing the certificate at every location that requires it.

My goal is neither to explain what certificates are nor to dive deeply into the subject. RFCs, MSDN, and the SDK documentation cover this topic well. I only want to provide a basic tutorial that introduces you to the technique.

Note: The Windows Mobile implementation of Crypto API doesn't support the same function set as the desktop, so mobile applications can only benefit from it partially. So, start with certificate creation.

Creating your own certificate

MS Visual Studio 2003 and later ship a utility called MakeCert that creates certificates. Below is the content of a simple batch file that produces the certificate file DevCom.cer:

C:
cd "C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin"
makecert.exe -n "CN=Alex Gusev" -ss My -sr LocalMachine ^
             -sp "Microsoft Enhanced Cryptographic Provider v1.0" ^
             -sky exchange -r c:\Samples\DevCom.cer

As a result, you get a DevCom.cer file; copy it to your PDA and install it using the regular File Explorer. You will then be able to see it among the other installed certificates:

You can also find many certificate generation tools on the Web, for instance Crypto4 PKI. In any case, the certificate file contains the issuer's public key along with other data that identifies the issuer and sets the certificate's expiration period.

Verifying a certificate

After such a certificate is installed, you can use Crypto API to perform various operations on the certificate store: set and get data properties, and so forth. The accompanying zip file contains several samples adapted from the Microsoft site; they perform different manipulations on certificate stores and on the certificates themselves. Below is just one example:

void CCertDlg::OnButtonVerify()
{
   HCERTSTORE      hSystemStore;
   PCCERT_CONTEXT  pTargetCert = NULL;
   PCERT_INFO      pTargetCertInfo;
   TCHAR           szSubjectName[] = L"Alex Gusev";

   // Open the ROOT system store, where File Explorer installed DevCom.cer.
   if ( hSystemStore = CertOpenSystemStore(NULL, L"ROOT") )
   {
      TRACE(L"CertOpenStore succeeded. The ROOT store is open.\n");
   }
   else
   {
      HandleError(L"Error opening the Root store.");
      return;
   }

   // Find the first certificate whose subject contains szSubjectName.
   // A subject-string match only locates a certificate; it says nothing
   // about whether its signature or chain is trustworthy.
   if ( pTargetCert = CertFindCertificateInStore(
      hSystemStore,
      X509_ASN_ENCODING,
      0,
      CERT_FIND_SUBJECT_STR,
      szSubjectName,
      pTargetCert) )
   {
      TRACE(L"Found the certificate.\n");
   }
   else
   {
      DWORD dwErr = GetLastError();
      TRACE(L"CertFindCertificateInStore failed, error %lu\n", dwErr);
      HandleError(L"Could not find the required certificate");
      CertCloseStore(hSystemStore, 0);
      return;
   }

   // Check the validity period against the current system time (NULL):
   // -1 = not yet valid, +1 = expired, 0 = inside the validity period.
   pTargetCertInfo = pTargetCert->pCertInfo;
   switch ( CertVerifyTimeValidity(NULL, pTargetCertInfo) )
   {
   case -1:
      TRACE(L"Certificate is not valid yet.\n");
      break;
   case 1:
      TRACE(L"Certificate is expired.\n");
      break;
   case 0:
      TRACE(L"Certificate's time is valid.\n");
      break;
   }

   // Read the raw DER-encoded certificate file from the device root.
   CFile cert;
   if ( !cert.Open(L"\\DevCom.cer", CFile::modeRead) )
   {
      CertFreeCertificateContext(pTargetCert);
      CertCloseStore(hSystemStore, 0);
      return;
   }

   CByteArray baCert;
   baCert.SetSize(cert.GetLength());
   cert.Read(baCert.GetData(), baCert.GetSize());
   cert.Close();

   // Build a certificate context from the file bytes and compare it with the
   // one found in the store. CertCompareCertificate reports a match when the
   // issuer and serial number are the same; it does not verify a signature.
   PCCERT_CONTEXT pCertContext = CertCreateCertificateContext(
      X509_ASN_ENCODING,
      baCert.GetData(),
      baCert.GetSize());

   if ( pCertContext )
   {
      BOOL bSame = CertCompareCertificate(
         X509_ASN_ENCODING,
         pCertContext->pCertInfo,
         pTargetCertInfo);
      TRACE(bSame ? L"File and store certificates are the same.\n"
                  : L"File and store certificates differ.\n");
      CertFreeCertificateContext(pCertContext);
   }
   else
   {
      HandleError(L"Could not create a certificate context from the file");
   }

   CertFreeCertificateContext(pTargetCert);
   if ( !CertCloseStore(hSystemStore, CERT_CLOSE_STORE_CHECK_FLAG) )
      HandleError(L"Could not close the certificate store");
}

The sample above illustrates the main route for manipulating certificate stores and their data. It is all built much like a native CE database: you open the store, search for the desired certificate, obtain its context, query or set its properties, and so forth. You can also read a certificate from some carrier (a file or a transmitted message, for example), create a new certificate context from it, and finally compare it against the one from the local certificate store. Keep in mind that CertFindCertificateInStore and CertCompareCertificate only locate and match certificates; neither validates a signature or a trust chain. Crypto API has many functions that let you get your hands on all this business.
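To show what those store operations actually inspect, here is an added example that is not part of the article or its zip file: a small, portable C++ program (standard library only, no Crypto API, so it compiles on any platform) that walks the DER encoding of an X.509 certificate to pull out the fields the MFC sample hands to Crypto API, then applies the same two rules: the -1/0/+1 result convention of CertVerifyTimeValidity for the notBefore/notAfter period, and the issuer-plus-serial-number match of CertCompareCertificate. The certificates, the DevCom-style subject name and the dates are all constructed inline; the tiny DER encoder exists only to build them, and the parser handles only the UTCTime date form (RFC 5280 mandates it for dates before 2050).

```cpp
// Added example, not from the article: a Crypto-API-free look at the DER
// fields behind CertVerifyTimeValidity and CertCompareCertificate.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

typedef std::vector<uint8_t> Bytes;

// ---- minimal DER encoder, used only to build the constructed sample certificates ----
static Bytes tlv(uint8_t tag, const Bytes& body) {
    Bytes out{tag};
    size_t n = body.size();
    if (n < 128)      out.push_back((uint8_t)n);
    else if (n < 256) { out.push_back(0x81); out.push_back((uint8_t)n); }
    else              { out.push_back(0x82); out.push_back((uint8_t)(n >> 8)); out.push_back((uint8_t)n); }
    out.insert(out.end(), body.begin(), body.end());
    return out;
}
static Bytes cat(const Bytes& a, const Bytes& b) { Bytes r(a); r.insert(r.end(), b.begin(), b.end()); return r; }
static Bytes str(const std::string& s) { return Bytes(s.begin(), s.end()); }

// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
// Only the TBS fields this example reads are meaningful; key and signature are
// placeholders (constructed data, not a real DevCom.cer). Issuer == subject, like a -r cert.
static Bytes makeCert(uint8_t serial, const std::string& cn,
                      const std::string& notBefore, const std::string& notAfter) {
    Bytes version  = tlv(0xA0, tlv(0x02, Bytes{2}));                                   // [0] EXPLICIT v3
    Bytes serialNo = tlv(0x02, Bytes{serial});
    Bytes sigAlg   = tlv(0x30, tlv(0x06, Bytes{0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B})); // sha256WithRSA OID
    Bytes name     = tlv(0x30, tlv(0x31, tlv(0x30, cat(tlv(0x06, Bytes{0x55,0x04,0x03}),     // CN attribute
                                                        tlv(0x0C, str(cn))))));
    Bytes validity = tlv(0x30, cat(tlv(0x17, str(notBefore)), tlv(0x17, str(notAfter))));  // two UTCTimes
    Bytes spki     = tlv(0x30, cat(sigAlg, tlv(0x03, Bytes{0x00})));                       // placeholder key
    Bytes tbs      = tlv(0x30, cat(cat(cat(version, serialNo), cat(sigAlg, name)),
                                   cat(cat(validity, name), spki)));
    return tlv(0x30, cat(cat(tbs, sigAlg), tlv(0x03, Bytes{0x00})));                       // placeholder signature
}

// ---- minimal DER reader ----
struct Tlv { uint8_t tag; size_t start, len; };   // start = offset of the first content byte

static Tlv readTlv(const Bytes& d, size_t pos) {
    if (pos + 2 > d.size()) throw std::runtime_error("truncated DER");
    Tlv t{d[pos], 0, 0};
    size_t i = pos + 1, len = d[i++];
    if (len & 0x80) {                                  // long-form length (1 or 2 bytes here)
        size_t n = len & 0x7F;
        if (n == 0 || n > 2 || i + n > d.size()) throw std::runtime_error("bad length");
        len = 0;
        while (n--) len = (len << 8) | d[i++];
    }
    if (i + len > d.size()) throw std::runtime_error("length overruns buffer");
    t.start = i; t.len = len;
    return t;
}

// The subset of CERT_INFO this example needs: serial, issuer (raw DER) and the validity period.
struct CertInfo { Bytes serial, issuer; std::string notBefore, notAfter; };

static CertInfo parseCert(const Bytes& der) {
    Tlv cert = readTlv(der, 0);
    if (cert.tag != 0x30) throw std::runtime_error("not a SEQUENCE");
    Tlv tbs = readTlv(der, cert.start);
    size_t pos = tbs.start;
    Tlv f = readTlv(der, pos);
    if (f.tag == 0xA0) { pos = f.start + f.len; f = readTlv(der, pos); }   // optional version
    CertInfo ci;
    ci.serial.assign(der.begin() + f.start, der.begin() + f.start + f.len); // serialNumber
    pos = f.start + f.len;
    f = readTlv(der, pos); pos = f.start + f.len;                           // signature AlgorithmIdentifier
    f = readTlv(der, pos);                                                   // issuer Name, kept as raw DER
    ci.issuer.assign(der.begin() + pos, der.begin() + f.start + f.len);
    pos = f.start + f.len;
    f = readTlv(der, pos);                                                   // validity SEQUENCE
    Tlv nb = readTlv(der, f.start);
    Tlv na = readTlv(der, nb.start + nb.len);
    if (nb.tag != 0x17 || na.tag != 0x17) throw std::runtime_error("only UTCTime handled here");
    ci.notBefore.assign(der.begin() + nb.start, der.begin() + nb.start + nb.len);
    ci.notAfter.assign(der.begin() + na.start, der.begin() + na.start + na.len);
    return ci;
}

// UTCTime "YYMMDDhhmmssZ" -> "YYYYMMDDhhmmss" (RFC 5280: YY >= 50 is 19YY) so string order is time order.
static std::string utcKey(const std::string& t) {
    if (t.size() != 13 || t[12] != 'Z') throw std::runtime_error("unexpected UTCTime form");
    int yy = (t[0] - '0') * 10 + (t[1] - '0');
    return std::string(yy >= 50 ? "19" : "20") + t.substr(0, 12);
}

// Same convention as CertVerifyTimeValidity: -1 not yet valid, +1 expired, 0 valid at nowUtc.
static long verifyTimeValidity(const CertInfo& ci, const std::string& nowUtc) {
    std::string now = utcKey(nowUtc);
    if (now < utcKey(ci.notBefore)) return -1;
    if (now > utcKey(ci.notAfter))  return 1;
    return 0;
}

// CertCompareCertificate's rule: identical issuer and serial number (identity, not trust).
static bool compareCertificate(const CertInfo& a, const CertInfo& b) {
    return a.issuer == b.issuer && a.serial == b.serial;
}

int main() {
    Bytes devcom = makeCert(0x05, "Alex Gusev", "051129000000Z", "101129000000Z"); // constructed sample
    CertInfo ci = parseCert(devcom);
    std::printf("notBefore=%s notAfter=%s\n", ci.notBefore.c_str(), ci.notAfter.c_str());
    std::printf("validity on 2007-01-01: %ld, on 2014-09-01: %ld\n",
                verifyTimeValidity(ci, "070101000000Z"), verifyTimeValidity(ci, "140901000000Z"));
    Bytes other = makeCert(0x06, "Alex Gusev", "051129000000Z", "101129000000Z");    // same issuer, new serial
    std::printf("same as itself: %d, same as re-issued cert: %d\n",
                compareCertificate(ci, parseCert(devcom)), compareCertificate(ci, parseCert(other)));
    return 0;
}
```

Compile with any C++11 compiler (for example g++ -std=c++11). The thing to take from it is that both rules the MFC sample relies on are structural: the time check only looks at two date strings, and the comparison treats two contexts as "the same" when issuer and serial number agree. Neither touches the signature, so a certificate found by subject string that passes both checks is still only a candidate until a chain validation is done.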

Windows Mobile 5.0 Security

Security became much stronger with Windows Mobile 5.0; since this version there have been several security configurations for mobile devices. These security models let the OS differentiate applications by trust level and privileges. By contrast, under Windows Mobile 2003 any application could run freely, which was potentially risky. In WM 5.0, every application has to carry its publisher's signature, and the OS asks you (at least once) whether you really want to launch a particular application that is not signed.

Such a prompt appears only once, but it can cause problems if your application launches other applications silently. In general, the platform starts to behave like its desktop counterparts, for example when you install a control from the Internet. The Useful Links section below points to a few good MSDN articles describing these WM 5.0 security features in more detail.

Conclusion

These two articles have discussed Crypto API at a high level. Obviously, you have to play around with this API to get a basic feeling for what it is and what it is used for. The homework is on you, as always...

Download

Download the accompanying code's zip file here.

Useful Links

About the Author

Alex Gusev started to play with mainframes at the end of the 1980s, using Pascal and REXX, but soon switched to C/C++ and Java on different platforms. When mobile PDAs seriously raised their heads in the IT market, Alex did too. Now he works at an international retail software company as team leader of the Mobile R&D department, making programmers' lives in the mobile jungles a little bit simpler.





Page 2 of 2
