Can we access legacy CSP with CNG?

Question

Can we access legacy CSP with CNG?

sabrina hou 1

Our product enables the user to login with Smart Card certificate and local stored certificate. We are enhancing our application to support the certificates which are issued from CNG Key Storage Provider.

For Smart Card minidriver, it can register on both legacy CSP and KSP. So we can sign/encrypt the data with Smart Card using CryptoAPI or CNG API.
But for the local installed certificate, we need to detect the certificate's credential provider and invoke CryptoAPI or CNG API to perform crypto-operation. For the certificate issued with legacy CSP, it needs to invoke the deprecated CryptoAPI to perform perform crypto-operation. For the certificate issued with KSP, it can invoke the NCG to perform perform crypto-operation. If we still want to support the certificate issued from legacy CSP, we still need to use the CryptoAPI. Because the customer may not migrate their issued certificate from legacy CSP to KSP. So what is best practice to handle this use case.

My question is whether the Microsoft provider the similar way for Smart Card to handle software certificate. In this case, we can invoke CNG API to perform crypto-operation for the certficate issued with legacy CSP.

My questions:

Can we access legacy CSP with CNG?
What's is the Microsoft's plan to remove the legacy CSP support?
Why some CryptoAPI are deprecated? But we still allow the customer to issue certificate from the legacy CSP.

Anonymous

2020-10-26T09:10:43.363+00:00

Hi,
According to your description, this question is more related to Winapi security. So, I will change the tag to winapi-security. Thanks for your understanding.
Rita Han - MSFT 2,171 Reputation points

2020-10-26T09:36:13.787+00:00

There is an API can translate a CryptoAPI handle into a CNG key handle: NCryptTranslateHandle. No ETA for removing the legacy CSP support. Which CryptoAPI is deprecated? We can check if there is an alternative.

If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
sabrina hou 1 Reputation point

2020-11-01T02:41:07.59+00:00

Hi Rita,

Thanks for your reply.

I want to know whether we can use the new CNG to handle the certificate that is issued with the legacy CSP certificate template. In that case, we don't need to provide two code logics to handle the legacy certificate and CNG certificate.

According to the current Microsoft document, it seems I only can use CNG API to encrypt/decrypt with CNG certificate(not CSP certificate) and use CAPI to encrypt/decrypt CSP certificate (not CNG certificate). This makes our code logic more complex because we can to use both CAPI and CNG to support certificate authentication.

I'd like to confirm with Microsoft.
Rita Han - MSFT 2,171 Reputation points

2020-11-02T09:46:54.837+00:00

For encrypt or decrypt you need get the handle of the key firstly. For the key handle you can either generate or import it. So I want to make clear that if you have issue with importing key contained in certificate? Could you give an example of using CNG API to encrypt/decrypt with CSP certificate you have problem to handle it?
Sabrina Hou 1 Reputation point

2020-11-04T09:01:03.877+00:00
Hi Rita,

Let's see below sample code. We get the certificate's provider, if the provider type is zero that means this is a CNG certificate. We may invoke CNG api to sign the data. Else wise it invoke the Crypt API to sign the data.
So my question is what is the best practice to perform the signature operation which can support legacy certificate issued with legacy CSP template and CNG certificate.
In below sample code, it needs to detect the provider type and invoke CryptAPI or CNG to perform signature.
{
if (CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID,
&info[0], &infoSize) == FALSE) {
return false;
}

CRYPT_KEY_PROV_INFO *pInfo = reinterpret_cast<CRYPT_KEY_PROV_INFO*>(&info[0]); if (pInfo->dwProvType == 0) { ... NCryptSignHash(...) ... } else { ... CryptSignHash(...) }
Qi Sun 1 Reputation point

2021-02-02T09:49:21.65+00:00

@UnicornLady Han - MSFT, do you have more comments on Sabrina's sample code. I have the same confusion that I have to write the "if... else..." to support the customer who still uses the legacy CSP certificate.

Your answer

Anonymous

2020-10-26T09:10:43.363+00:00

Hi,
According to your description, this question is more related to Winapi security. So, I will change the tag to winapi-security. Thanks for your understanding.
Rita Han - MSFT 2,171 Reputation points

2020-10-26T09:36:13.787+00:00

There is an API can translate a CryptoAPI handle into a CNG key handle: NCryptTranslateHandle. No ETA for removing the legacy CSP support. Which CryptoAPI is deprecated? We can check if there is an alternative.

If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
sabrina hou 1 Reputation point

2020-11-01T02:41:07.59+00:00

Hi Rita,

Thanks for your reply.

I want to know whether we can use the new CNG to handle the certificate that is issued with the legacy CSP certificate template. In that case, we don't need to provide two code logics to handle the legacy certificate and CNG certificate.

According to the current Microsoft document, it seems I only can use CNG API to encrypt/decrypt with CNG certificate(not CSP certificate) and use CAPI to encrypt/decrypt CSP certificate (not CNG certificate). This makes our code logic more complex because we can to use both CAPI and CNG to support certificate authentication.

I'd like to confirm with Microsoft.
Rita Han - MSFT 2,171 Reputation points

2020-11-02T09:46:54.837+00:00

For encrypt or decrypt you need get the handle of the key firstly. For the key handle you can either generate or import it. So I want to make clear that if you have issue with importing key contained in certificate? Could you give an example of using CNG API to encrypt/decrypt with CSP certificate you have problem to handle it?
Sabrina Hou 1 Reputation point

2020-11-04T09:01:03.877+00:00

Hi Rita,

Let's see below sample code. We get the certificate's provider, if the provider type is zero that means this is a CNG certificate. We may invoke CNG api to sign the data. Else wise it invoke the Crypt API to sign the data.
So my question is what is the best practice to perform the signature operation which can support legacy certificate issued with legacy CSP template and CNG certificate.
In below sample code, it needs to detect the provider type and invoke CryptAPI or CNG to perform signature.
{
if (CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID,
&info[0], &infoSize) == FALSE) {
return false;
}

CRYPT_KEY_PROV_INFO *pInfo = reinterpret_cast<CRYPT_KEY_PROV_INFO*>(&info[0]); if (pInfo->dwProvType == 0) { ... NCryptSignHash(...) ... } else { ... CryptSignHash(...) }
Qi Sun 1 Reputation point

2021-02-02T09:49:21.65+00:00

@UnicornLady Han - MSFT, do you have more comments on Sabrina's sample code. I have the same confusion that I have to write the "if... else..." to support the customer who still uses the legacy CSP certificate.

Share via

Can we access legacy CSP with CNG?

Your answer