CryptoApi Cert* functions on HPC2000

Hello All,

does anyone know why the eVC 3.0 HPC2000 SDK appears to be missing support for using the CryptoApi Cert* functions for managing certificate stores? They're defined in wincrypt.h, but the SDK has no corresponding crypt32.lib that actually implements them.

I eventually managed to accomplish what I was trying to do (load custom root certificates onto a Jornada 720) in a somewhat roundabout fashion after a lot of googling by:

- Finding the SQL Server CE 2.0 download at http://www.microsoft.com/sql/ce/downloads/ce20.asp (Incidentally, the SQLCE link on the HPC:Factor developer downloads page is broken)
- Copying the appropriate rootcert.exe binary to my device
- Converting the certificates I need from PEM to DER format using OpenSSL
- Running rootcert.exe xxxx-ca.cer on the device
- This appears to have done the right thing, since PIE now no longer complains on connecting to sites using my custom CAs, and the relevant certs have been installed in HKLM\Comm\SecurityProviders\SCHANNEL\CAs

However, I'd still like to know if the certificate store functions can actually be made to work, since if so then it should be possible to make a standalone tool for this, and also to update/replace expired root certificates in the system store. Downloading all 50MB of SQLCE just to grab an 8k EXE is a pain.

-mato

Hi Mato,
Did you try to build and run an app using the functions? I haven't but MSDN shows the functions to be in corelib, not crypt32.

Take care,
John

Never mind. I actually understand the question now

Nicely done Mato. I just had this same issue resolved for me a couple of days ago (the wiser and more experienced folks who moderate and frequent this site are great about that). I googled my head off, but needed a more experienced user to get me through it.

There is an app for the PPC2002 distributed by MS called Addcert.exe but it still required you to get the cert binary from the site manually. I guess Rootcert.exe is the equivalent? I believe the PPC registry stores the certificates differently. The process you managed to work out on your own is the way to go on the HPC as I understand it. Until you come out with the app you described, that is

I'm impressed.

insurgent: I did try to build an app using the functions, and they're certainly not in corelib.lib. If you find the Windows CE 3.0 CryptoAPI reference (don't have the link here, sorry) then it shows the functions as being in crypt32.lib.

Strangely,the HPC2000 SDK help does not list any of the Cert* functions at all, which suggests that they were left out of HPC2000 for some reason :-(

PDAfan: I know about AddRootCert, but this uses PPC-specific APIs for the GUI. I'm not a WIndows GUI programmer, so what I'm trying to build is just a simple WinCE console application. Rootcert.exe from SQLCE is just a more primitive version of AddRootCert.

One more tip in case someone else tries to follow this procedure: If you want to import more than one CA cert, make sure you give the CER files you pass to Rootcert.exe different names.It seems that Rootcert uses the file name as the registry key under ...\CAs.

Anyway, I'll keep looking. It's possible all I need is a WinCE crypt32.lib from some other SDK.

One more question (this is where my UNIX heritage shows): Is there something like 'nm' on Windows that would let me inspect a .lib file or it's individual objects to see what functions they export?

mato,
Yea, I had to edit the question. A lot of crypto api calls are in corelib but the ones you were asking about are indeed in crypt32.
From what I can tell, crypt32 is one of those "optional" packages that it's up to the OEM to decide whether to include them. Therefore the lib and the building of the dll is part of the Platform builder. As far as I can tell, HP didn't include the dll in the 720. If an OEM did include an optional dll, it was supposed to be up to them to distribute the lib to developers.
There are QFE's out from crypt32 which should contain the lib. However, without platform builder you still have no dll. And I downloaded the QFE's from MS (now a package of *all* QFE's) and, unlike the older version, it won't install the files without PB being installed. It may be possible to to fool it into installing or extract the files directly.
For the dll, it's possible there is an app out there has crypt32 as a redistributable but I haven't seen one in my limited looking around. It may be possible to use one from another wince 3 pda/hpc.

Insurgent,

2 things.
1) It is possible to trick them, I do it all the time
2) We legally own PB3

1) I know. I'm just too rusty to figure it out right now
2) Huh, thought that was a secret

And I just noticed that the CE4 SDK contains the lib as well so we wouldn't have to mess with the QFE's. You can pull the lib from that SDK but you also need to replace the hpc2000 wincrypt.h with the one from the CE4 SDK.

Now if Chris would just cough up a DLL from the (not so secret) PB3, you'd be all set!

yup, the sad thing PB3 is just collecting dust somewhere

C:Amie, can you enlighten me on how to get the QFE package to cough up it's contents w/o installing Platform Builder? Also, since Insurgent says you have a copy of PB, can I get a copy of crypt32? (.dll and .lib) I want to at least try and see if it'll function on my 720, 728.

Edit: Ok, it turns out my J728 has a crypt32.dll, but my J720 doesn't. So all I need now is the corresponding .lib file.

Edited by mato 2006-08-14 1:55 PM