Re: parsing PKCS#7 returned by ICertAdmin2::GetArchivedKey in .NET
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 07/12/04
- Previous message: Joe Kaplan (MVP - ADSI): "Re: method level authorization using roles defined in database in concert with CAS"
- In reply to: Nicole: "Re: parsing PKCS#7 returned by ICertAdmin2::GetArchivedKey in .NET"
- Next in thread: Michel Gallant: "Re: parsing PKCS#7 returned by ICertAdmin2::GetArchivedKey in .NET"
- Reply: Michel Gallant: "Re: parsing PKCS#7 returned by ICertAdmin2::GetArchivedKey in .NET"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 12 Jul 2004 13:56:44 -0500
I followed up with someone else on this via email, but here was my response:
--------------
I'm not sure I can help you with this. I'm not really a big PKCS#7 expert,
so I'm not sure what I would expect to see here. Normally you wouldn't have
a private key in a signed data blob, but just an encrypted hash value that
you decrypt with the public key from the enclosed signing cert. If the
private key is in the underlying data that was signed, that would be opaque
to the signed data message.
I'd suggest posting your question back to the newsgroup directly. Also, you
might try contacting Mitch Gallant directly or through the newsgroup as he is
the true expert in crypto API and .NET integration. That was his sample you
were using there.
HTH,
Joe
"Nicole" <nicole@nowhere.com> wrote in message
news:%23V%23sn7$ZEHA.2972@TK2MSFTNGP12.phx.gbl...
> Thanks for the link. Now I can see the certificates but I can't seem to get
> to the private key. MS documentation says key archival blob should have the
> following format. I don't know how Crypto API works. Which field should I
> look into to get the private key?
>
> The recovery blob consists of wrapping the encrypted PKCS#7 in the database
> in another (signed) PKCS#7 to allow a number of certificates to be included
> in the recovery blob. The returned certificates include the full chain of
> the user certificate being recovered, the chain of the signing CA
> certificate (which may differ from the CA certificate under which the user
> certificate was issued), and the KRA certificates to which the key was
> encrypted. The szOID_ARCHIVED_KEY_CERT_HASH (1.3.6.1.4.1.311.21.16) is an
> attribute containing the SHA-1 hash of the cert for the key being recovered,
> attached as an authenticated attribute to the CA signature of the recovery
> blob.
>
> Thanks.
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:%23M775YiZEHA.2388@TK2MSFTNGP11.phx.gbl...
> > Mitch has a cool sample doing p/invoke to the crypto API in C# that shows
> > how to get the certs and authenticated attributes on a PKCS#7 Signed Data
> > message here:
> >
> > http://www.jensign.com/JavaScience/dotnet/AuthAttr/index.html
> >
> > This should be much easier in future versions of the Framework.
> >
> > Joe K.
> >
> > "Sengul Vurgun" <svurgun@yahoo.com> wrote in message
> > news:ePjV8XfZEHA.3092@tk2msftngp13.phx.gbl...
> > > I am trying to parse the PKCS#7 package returned by
> > > ICertAdmin2::GetArchivedKey method of certadm.dll in .NET using runtime
> > > callable wrappers. I tried using CAPICOM's SignedDataClass but I couldn't
> > > get it working. When I try to access the certificates, I get "Message has
> > > not been signed" error. Do you know how to (or have example code to) parse
> > > PKCS#7 in .NET?
> > >
> > > Thanks.
> > >
> > >
> >
> >
>
>
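Added example, not part of the thread or of Mitch Gallant's sample: the layering Nicole quotes from the Microsoft documentation (an encrypted PKCS#7 wrapped in a CA-signed PKCS#7 that carries the certificate chains and the szOID_ARCHIVED_KEY_CERT_HASH authenticated attribute), walked with the managed SignedCms/EnvelopedCms classes that the .NET Framework 2.0 added after this thread and that replace the p/invoke approach. It assumes .NET 6 or later (System.Security.Cryptography.Pkcs and System.Formats.Asn1). Everything in it is constructed for the demonstration: three self-signed test certificates stand in for the CA, the KRA and the user, a placeholder byte string stands in for the archived private key (a real CA stores the client's key-archival PKCS#7 there, whose decrypted content is the key itself), and the hash attribute value is assumed to be encoded as an OCTET STRING. The blob it builds is therefore a look-alike, not ICertAdmin2::GetArchivedKey output; the recovery half is what a key recovery agent would run on the real thing. SignedCms.Decode throws a CryptographicException if the bytes are not a SignedData message, which is the managed analogue of the CAPICOM error the thread opens with.

```csharp
using System;
using System.Formats.Asn1;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Builds and then unwraps a key-recovery blob shaped like the one described in
// the thread: an enveloped (encrypted) PKCS#7 inside a CA-signed PKCS#7.
static class ArchivedKeyBlobDemo
{
    // OID quoted from the Microsoft documentation in the thread.
    const string ArchivedKeyCertHashOid = "1.3.6.1.4.1.311.21.16";

    static void Main()
    {
        // Constructed test PKI: an issuing CA, a KRA and a user whose key was archived.
        X509Certificate2 caCert = MakeCert("CN=Test Issuing CA");
        X509Certificate2 kraCert = MakeCert("CN=Test Key Recovery Agent");
        X509Certificate2 userCert = MakeCert("CN=Test User");

        // Placeholder for the archived private key (constructed; a real CA stores
        // the client's key-archival PKCS#7 here).
        byte[] archivedKeyMaterial = Encoding.ASCII.GetBytes("constructed: archived private key blob");

        byte[] recoveryBlob = BuildRecoveryBlob(caCert, kraCert, userCert, archivedKeyMaterial);
        byte[] recovered = RecoverArchivedKey(recoveryBlob, kraCert);

        Console.WriteLine(recovered.AsSpan().SequenceEqual(archivedKeyMaterial)
            ? "Recovered key material matches what was archived."
            : "Mismatch!");
    }

    // Produces a blob with the same layering the documentation describes (constructed look-alike).
    static byte[] BuildRecoveryBlob(X509Certificate2 caCert, X509Certificate2 kraCert,
                                    X509Certificate2 userCert, byte[] archivedKeyMaterial)
    {
        // Inner PKCS#7: key material enveloped (encrypted) to the KRA certificate.
        var enveloped = new EnvelopedCms(new ContentInfo(archivedKeyMaterial));
        enveloped.Encrypt(new CmsRecipient(kraCert));
        byte[] innerBlob = enveloped.Encode();

        // Outer PKCS#7: the inner blob signed by the CA. The SHA-1 hash of the user
        // cert travels as an authenticated (signed) attribute; encoding it as an
        // OCTET STRING is an assumption about the real attribute's format.
        var signed = new SignedCms(new ContentInfo(innerBlob), detached: false);
        var signer = new CmsSigner(caCert) { IncludeOption = X509IncludeOption.EndCertOnly };
        var writer = new AsnWriter(AsnEncodingRules.DER);
        writer.WriteOctetString(SHA1.HashData(userCert.RawData));
        signer.SignedAttributes.Add(new AsnEncodedData(ArchivedKeyCertHashOid, writer.Encode()));
        signer.Certificates.Add(userCert);   // certs a real blob carries alongside the CA chain
        signer.Certificates.Add(kraCert);
        signed.ComputeSignature(signer);
        return signed.Encode();
    }

    // What a key recovery agent does with the blob: verify, locate the cert, unwrap, decrypt.
    static byte[] RecoverArchivedKey(byte[] recoveryBlob, X509Certificate2 kraCert)
    {
        var signed = new SignedCms();
        signed.Decode(recoveryBlob);   // throws CryptographicException if this is not SignedData

        // Verify the CA signature using the certificates embedded in the blob.
        signed.CheckSignature(signed.Certificates, verifySignatureOnly: true);
        SignerInfo caSignature = signed.SignerInfos[0];
        Console.WriteLine($"Recovery blob signed by: {caSignature.Certificate?.Subject}");

        // The authenticated attribute names the cert whose key is being recovered.
        CryptographicAttributeObject hashAttr = caSignature.SignedAttributes
            .Cast<CryptographicAttributeObject>()
            .First(a => a.Oid.Value == ArchivedKeyCertHashOid);
        byte[] certHash = new AsnReader(hashAttr.Values[0].RawData, AsnEncodingRules.DER).ReadOctetString();

        // X509Certificate2.Thumbprint is the SHA-1 hash of the DER certificate, so it matches directly.
        string wantedThumbprint = Convert.ToHexString(certHash);
        X509Certificate2 recoveredCert = signed.Certificates.Cast<X509Certificate2>()
            .First(c => string.Equals(c.Thumbprint, wantedThumbprint, StringComparison.OrdinalIgnoreCase));
        Console.WriteLine($"Key being recovered belongs to: {recoveredCert.Subject}");

        // The signed content is the encrypted inner PKCS#7; only the KRA private key opens it.
        var enveloped = new EnvelopedCms();
        enveloped.Decode(signed.ContentInfo.Content);
        enveloped.Decrypt(enveloped.RecipientInfos[0], kraCert.GetRSAPrivateKey()!);
        return enveloped.ContentInfo.Content;
    }

    // Self-signed RSA test certificate with a usable private key (constructed test data).
    static X509Certificate2 MakeCert(string subject)
    {
        var rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        X509Certificate2 ephemeral = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
        // Re-import through PFX so the private key is usable by CmsSigner and Decrypt on Windows as well.
        return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx), (string?)null, X509KeyStorageFlags.Exportable);
    }
}
```

Two practitioner notes. First, the hash attribute is the field Nicole was looking for: it does not contain the key, it tells you which of the embedded certificates the recovered key belongs to, and the key itself is only reachable by decrypting the signed content with a KRA private key, which is why CAPICOM showed certificates but no private key. Second, CheckSignature with verifySignatureOnly: true proves the blob is intact but not that the signer is your CA; in production, verify the chain of caSignature.Certificate against the expected CA before trusting the attribute.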