EncryptingDecrypting Data through PFX certificate on Windows Mobile

Some time ago I worked with a colleague of mine, a proud member of the CSS for Developers (Alejandro Campos Magencio) on a case where the developer wanted to encrypt and decrypt data on Windows Mobile 5.0 devices by using PFX certificates enrolled on the device. Crypto APIs are quite limited on this platform, however by using some basic (i.e. supported) APIs we were able to reach a satisfactory solution.

In very few words, PFX certificates contain a pair of public and private key: through the public you can encrypt, through the private you can decrypt. But... first of all, you need to register the certificate on the device's ROOT or Personal store. On Windows Mobile 6, an enroller was added to the platform therefore you can register PFX certificate by simply tapping on it, as it was already with .CER files on previous versions of the OS; but on Windows Mobile 5.0, you can't add a PFX certificate by doing so, nor you can use the documented way to add certificates by using the CertificateStore Configuration Service Provider, because contrarily to CER certificates, you can't export a .PFX to a Base-64 encoded X.509 stream (see Creating a Provisioning XML Document For The Root Certificate).

So, how to add a PFX certificate to the ROOT store of a Windows Mobile 5.0-based device? The answer is: develop your own enroller. Or, find out if anyone else already did it... and a sample 3^rd party enroller for .PFX files is the one described by Personal Certificate Import Utility for Pocket PC 2003 and Windows Mobile, which seems to be still valid for 5.0 as well. You can also use directly that 3rd party open-source product if you want, but in case you’ll have problems we couldn’t be able to support as this is not a Microsoft product.

In any case, remember that "[…] Whether a root certificate can be installed on the device depends on how the device was configured by the original equipment manufacturer (OEM) or by the Mobile Operator", in terms of Security Configuration (this was an excerpt from the KB Article How to install root certificates on a Windows Mobile-based device), so if you can't even install the SDK Certificates, for example, then you have a locked device and therefore you should ask you OEM or Mobile Operator how they require you to install new certificates, if they even provide this opportunity.

Recommended readings:

• Certificates for Windows Mobile 5.0 and Windows Mobile 6
• Encrypting and Decrypting Data

Finally, here it is some pseudo-code (provided 'AS IS', for didactic purposes, no error-checking and no example data included - just look at which Crypto APIs are needed):

- for encrypting:

 // Variables
HCERTSTORE hStoreHandle = NULL;
PCCERT_CONTEXT pSubjectCert = NULL;
HCRYPTKEY hPubKey = NULL;
wchar_t * SubjectName;
DWORD dwEncryptedLen = 0;
BYTE* pbData = NULL;

// Open the certificate store
hStoreHandle = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER, NULL);

// Get a certificate that matches the search criteria
pSubjectCert = CertFindCertificateInStore(hStoreHandle, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, SubjectName, pSubjectCert);

// Get the CSP
bResult = CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT);

// Get the public key from the certificate
bResult = CryptImportPublicKeyInfoEx(hCryptProv, X509_ASN_ENCODING, &pSubjectCert->pCertInfo->SubjectPublicKeyInfo, CALG_RSA_KEYX, 0, NULL, &hPubKey);

// Get lenght for encrypted data
bResult = CryptEncrypt(hPubKey, NULL, TRUE, 0, NULL, &dwEncryptedLen, 0);

// Create a buffer for encrypted data
pbData = (BYTE *)malloc(pbData, dwEncryptedLen);
    
// Encrypt data
bResult = CryptEncrypt(hPubKey, NULL, TRUE, 0, pbData, &dwEncryptedLen, dwEncryptedLen);

//CertFreeCertificateContext
//CertCloseStore

 

- for decrypting:

 // Variables
HCERTSTORE hStoreHandle = NULL;
PCCERT_CONTEXT pSubjectCert = NULL;
wchar_t * SubjectName;
HCRYPTPROV* phCryptProv = NULL;
DWORD* pdwKeySpec = NULL;
BOOL* pfCallerFreeProv = NULL;
HCRYPTKEY* phPrivateKey;
DWORD dwEncryptedLen = 0;
BYTE* pbData = NULL;

// Open the certificate store
hStoreHandle = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_CURRENT_USER, NULL);

// Get a certificate that matches the search criteria
pSubjectCert = CertFindCertificateInStore(hStoreHandle, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, SubjectName, pSubjectCert);

// Acquire the Private Key
bResult = CryptAcquireCertificatePrivateKey(pSubjectCert, CRYPT_ACQUIRE_COMPARE_KEY_FLAG, NULL, &phCryptProv, &pdwKeySpec, &pfCallerFreeProv);

// Get Private Key
bResult = CryptGetUserKey(phCryptProv, AT_KEYEXCHANGE, &phPrivateKey);
 
// Decrypt data
bResult = CryptDecrypt(phPrivateKey, 0, TRUE, 0, &pbData, &dwEncryptedLen);


//CertFreeCertificateContext
//CertCloseStore

 

Other sample code is available from MSDN, not specific to PFX Certificates:

• Sample Code: Encrypting a File
• Sample Code: Decrypting a File

 

Cheers,

~raffaele