win32crypt.CryptQueryObject not populating CertContext correctly when using AKV .cer file #1859

Closed
bgklein opened this issue Apr 13, 2022 · 3 comments · Fixed by #1863

Comments


bgklein commented Apr 13, 2022

(custom2.cer) When calling this function with a locally generated .cer file, it properly populates the whole dictionary, as such:
{'MsgAndCertEncodingType': 1, 'ContentType': 1, 'FormatType': 1, 'CertStore': <PyCERTSTORE object at 0x000002860D6F9E00>, 'Msg': None, 'Context': <PyCERT_CONTEXT object at 0x000002860D6F9DD0>}

(PEM_67ae84c1718440f4a89ace79a22e262d.cer) When a certificate is generated from Azure Key Vault and then downloaded as a .cer, the given output does not populate its context, instead just having what is likely the pointer:
{'MsgAndCertEncodingType': 1, 'ContentType': 1, 'FormatType': 2, 'CertStore': <PyCERTSTORE object at 0x0000020ABC8C3A90>, 'Msg': None, 'Context': 2245136194336}

I have provided cert.py and the two certificates mentioned at https://teststoragebrklein.blob.core.windows.net/pywin32crypto?sp=r&st=2022-04-13T21:29:17Z&se=2022-05-01T05:29:17Z&spr=https&sv=2020-08-04&sr=c&sig=ySVJ82Fr0oE48wV8y0JyeQDeb52yWmWIYHdUkAueFDc%3D
Additionally, I wrote a simple C# solution, also utilizing C interop, which works fine, which makes me think this is either a pywin32 or Python issue.

  • Version of Python and pywin32
    Python 3.8.6
    python -m pip freeze
    pypiwin32==223
    pywin32==303
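As an added example (not the reporter's cert.py and not pywin32's own code), here is a guard that decodes the two result dictionaries above and refuses to use a Context that came back as a bare integer rather than a wrapped object. The numeric constant meanings come from wincrypt.h; the win32cryptcon names and the argument order of CryptQueryObject in the __main__ block are assumptions about the pywin32 API and only run on Windows.

```python
# Added example: validate what win32crypt.CryptQueryObject hands back before
# using it. Constant values follow wincrypt.h (CERT_QUERY_CONTENT_* and
# CERT_QUERY_FORMAT_*); the live call at the bottom assumes pywin32's argument
# order (ObjectType, Object, ContentFlags, FormatFlags, Flags).
from __future__ import annotations

CONTENT_NAMES = {1: "CERT", 2: "CTL", 3: "CRL", 4: "SERIALIZED_STORE",
                 5: "SERIALIZED_CERT", 6: "SERIALIZED_CTL", 7: "SERIALIZED_CRL",
                 8: "PKCS7_SIGNED", 9: "PKCS7_UNSIGNED", 10: "PKCS7_SIGNED_EMBED",
                 11: "PKCS10", 12: "PFX", 13: "CERT_PAIR", 14: "PFX_AND_LOAD"}
FORMAT_NAMES = {1: "BINARY", 2: "BASE64_ENCODED", 3: "ASN_ASCII_HEX_ENCODED"}


def describe(result: dict) -> dict:
    """Decode the numeric fields and classify the 'Context' entry."""
    ctx = result.get("Context")
    # A usable context is a PyCERT_CONTEXT (or similar) wrapper object; a bare
    # int is the leaked pointer value from the branches that return
    # PyLong_FromVoidPtr instead of a wrapper.
    state = ("missing" if ctx is None else
             "raw_pointer" if isinstance(ctx, int) else "object")
    return {"content": CONTENT_NAMES.get(result.get("ContentType"), "UNKNOWN"),
            "format": FORMAT_NAMES.get(result.get("FormatType"), "UNKNOWN"),
            "context": state}


def require_context(result: dict):
    """Return the wrapped context, or raise rather than trust a raw pointer."""
    info = describe(result)
    if info["context"] != "object":
        raise TypeError(f"CryptQueryObject returned a {info['context']} Context "
                        f"for a {info['format']}-encoded {info['content']}; "
                        "refusing to treat an integer as a CERT_CONTEXT handle")
    return result["Context"]


# Constructed copies of the two results quoted in the report (placeholder objects
# stand in for the PyCERTSTORE / PyCERT_CONTEXT wrappers).
LOCAL_CER = {"MsgAndCertEncodingType": 1, "ContentType": 1, "FormatType": 1,
             "CertStore": object(), "Msg": None, "Context": object()}
AKV_CER = {"MsgAndCertEncodingType": 1, "ContentType": 1, "FormatType": 2,
           "CertStore": object(), "Msg": None, "Context": 2245136194336}

if __name__ == "__main__":  # Windows only; assumed pywin32 names and argument order
    import sys
    import win32crypt
    import win32cryptcon as wc
    res = win32crypt.CryptQueryObject(wc.CERT_QUERY_OBJECT_FILE, sys.argv[1],
                                      wc.CERT_QUERY_CONTENT_FLAG_ALL,
                                      wc.CERT_QUERY_FORMAT_FLAG_ALL, 0)
    print(describe(res))
    require_context(res)
```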
@mhammond (Owner)

This is due to the commented code at:

    switch (formattypeout) {
        case CERT_QUERY_CONTENT_CERT:
        case CERT_QUERY_CONTENT_SERIALIZED_CERT:
            // Certificates get a proper PyCERT_CONTEXT wrapper object.
            obcontext = PyWinObject_FromCERT_CONTEXT((PCCERT_CONTEXT)context);
            break;
        case CERT_QUERY_CONTENT_CTL:
        case CERT_QUERY_CONTENT_SERIALIZED_CTL:
            // Wrapper not wired up: the raw pointer is returned as a Python int.
            // obcontext=new PyCTL_CONTEXT(context);
            obcontext = PyLong_FromVoidPtr(context);
            break;
        case CERT_QUERY_CONTENT_CRL:
        case CERT_QUERY_CONTENT_SERIALIZED_CRL:
            // Same for CRLs: the pointer comes back as a bare integer.
            // obcontext=new PyCRL_CONTEXT(context);
            obcontext = PyLong_FromVoidPtr(context);
            break;

It looks like support for those structs does exist, but I'm not sure why they aren't wired up.

I have provided cert.py and the two certificates

I'm getting an auth error trying to get them, but if I can get access and verify they work I can probably fix at least one of the cases commented out. It would be ideal if you know how to get a cert to test the other commented case too!

@mhammond (Owner)

(oh, and ideally permission to check the certs into the repo so I can add a test)


bgklein commented Apr 14, 2022

Ah yeah, I didn't realize that link didn't work, but good catch on the commented-out bits. You should be able to download them from:
https://www.dropbox.com/sh/3fvsnh026ae1qgx/AAAuxk3MM3J--OF-gEIGmdVja?dl=0

You should be good to check them in for testing as they were solely made for this repro.
