Re: certificates on smart card

From: Elisa (elisa.vacchieroNO_at_SPAMcystem.it)
Date: 10/30/03


Date: Thu, 30 Oct 2003 16:13:29 +0100

The problem is that I want the other key (AT_SIGNATURE, not AT_KEYEXCHANGE!)
in the same key container.
I've been trying to import this key, but I have some problems with
CryptGetUserKey.
It doesn't fail, but the value and the length of the key in memory aren't
correct!

So the following functions that use this key fail with
Error number 57
Description: The parameter is incorrect.

here is the code I wrote for the import:

#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>
#include <stdlib.h>

// encoding type passed to the certificate store functions
#define MY_TYPE (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)

// Stand-ins for the helpers the post relies on (HandleError/Wait, as in the
// Microsoft samples such as propcert.cpp). HandleError prints GetLastError()
// in hex as the samples do, so "Error number 57" is 0x57 =
// ERROR_INVALID_PARAMETER ("The parameter is incorrect").
void HandleError(const char *s)
{
  printf("%s  Error number %x.\n", s, GetLastError());
  exit(1);
}

void Wait(const char *s)
{
  printf("%s\n", s);
  getchar();
}

int main(void)
{
  HCRYPTPROV          hProv         = 0;
  HCRYPTKEY           hKey          = 0;
  HCERTSTORE          hCertStore    = NULL;
  PCCERT_CONTEXT      pCertContext  = NULL;
  CRYPT_KEY_PROV_INFO KeyProvInfo;
  BYTE               *pbCertificate = NULL;
  DWORD               dwCertificate = 0;
  BOOL                fResult       = FALSE;
  const char         *szStore       = "MY";

// -------------------------------------------------
// acquire context

  if (CryptAcquireContext(&hProv,
                          "TODO-GUID",   // name obtained with CryptGetProvParam
                          "IPMCSP32",
                          PROV_RSA_FULL,
                          0))            // 0, not CRYPT_NEWKEYSET: open the existing container
  {
    printf("\n\nProvider created.\n");
    Wait("Press any key to continue.");
  }
  else
  {
    HandleError("Error during CryptAcquireContext!");
  }

// -------------------------------------------------
// CryptGetUserKey (AT_SIGNATURE)
// hKey is an opaque handle owned by the CSP: its numeric value is not the
// key material and says nothing about the key's size.

  if (CryptGetUserKey(hProv, AT_SIGNATURE, &hKey))
  {
    printf("\n\nCryptGetUserKey.\n");
    Wait("Press any key to continue.");
  }
  else
  {
    HandleError("Error during CryptGetUserKey!");
  }

// -----------------------------------------------------
// CryptGetKeyParam (KP_CERTIFICATE), first call only to get the size

  if (CryptGetKeyParam(hKey, KP_CERTIFICATE, NULL, &dwCertificate, 0))
  {
    printf("\n\nCryptGetKeyParam.\n");
    Wait("Press any key to continue.");
  }
  else
  {
    HandleError("Error during CryptGetKeyParam!");
  }

// -----------------------------------------------------
// Malloc (one buffer, pbCertificate, used by the second call and the store)

  pbCertificate = (BYTE*)malloc(dwCertificate);
  if (!pbCertificate)
  {
    HandleError("malloc failed!");
  }

// -----------------------------------------------------
// CryptGetKeyParam (KP_CERTIFICATE), second call fills the buffer

  if (CryptGetKeyParam(hKey, KP_CERTIFICATE, pbCertificate, &dwCertificate, 0))
  {
    printf("\n\nCryptGetKeyParam.\n");
    Wait("Press any key to continue.");
  }
  else
  {
    HandleError("Error during CryptGetKeyParam!");
  }

// ------------------------------------------------
// CertOpenStore(MY)

  hCertStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A,
                             MY_TYPE,
                             0,
                             CERT_SYSTEM_STORE_CURRENT_USER,
                             szStore);
  if (hCertStore)
  {
    printf("\n\nCertOpenStore.\n");
    Wait("Press any key to continue.");
  }
  else
  {
    HandleError("Error during CertOpenStore!");
  }

// -------------------------------------------------
// CertAddEncodedCertificateToStore

  fResult = CertAddEncodedCertificateToStore(hCertStore,
                                             MY_TYPE,
                                             pbCertificate,
                                             dwCertificate,
                                             CERT_STORE_ADD_REPLACE_EXISTING,
                                             &pCertContext);
  if (fResult)
  {
    printf("\n\nCertAddEncodedCertificateToStore.\n");
    Wait("Press any key to continue.");
  }
  else
  {
    HandleError("Error during CertAddEncodedCertificateToStore!");
  }

// -------------------------------------------------
// CRYPT_KEY_PROV_INFO: the names are wide strings, so they must be L"..."
// literals; casting a char* to WCHAR* does not convert it and stores garbage.

  ZeroMemory(&KeyProvInfo, sizeof(KeyProvInfo));
  KeyProvInfo.pwszContainerName = L"TODO-GUID";   // same container as above
  KeyProvInfo.pwszProvName      = L"IPMCSP32";
  KeyProvInfo.dwProvType        = PROV_RSA_FULL;
  KeyProvInfo.dwFlags           = 0;
  KeyProvInfo.dwKeySpec         = AT_SIGNATURE;

// -------------------------------------------------
// CertSetCertificateContextProperty

  fResult = CertSetCertificateContextProperty(pCertContext,
                                              CERT_KEY_PROV_INFO_PROP_ID,
                                              0,
                                              &KeyProvInfo);
  if (fResult)
  {
    printf("\n\nCertSetCertificateContextProperty.\n");
    Wait("Press any key to continue.");
  }
  else
  {
    HandleError("Error during CertSetCertificateContextProperty!");
  }

// -------------------------------------------------
// cleanup

  CertFreeCertificateContext(pCertContext);
  CertCloseStore(hCertStore, 0);
  CryptDestroyKey(hKey);
  CryptReleaseContext(hProv, 0);
  free(pbCertificate);
  return 0;
}

What could be the problem?

thanks...

elisa

"Eric Perlin [MS]" <ericperl@online.microsoft.com> wrote in message
news:#VGEA4nmDHA.2080@TK2MSFTNGP10.phx.gbl...
> If the certificate from the default container is not what you want, you need
> to enumerate containers on the card (CryptGetProvParam with
> PP_ENUMCONTAINERS). For these additional containers, you can follow the
> procedure found in propcert.
> --
> Eric Perlin [MS]
> This posting is provided "AS IS" with no warranties, and confers no rights.
> ---
>
> "Elisa" <elisa.vacchieroNO@SPAMcsystem.it> wrote in message
> news:#wufz7jmDHA.988@TK2MSFTNGP10.phx.gbl...
> > hi,
> > I'm writing an application to sign documents with a certificate located in
> > a smart card.
> > I'm using a CSP given by the card producer.
> >
> > The program I wrote so far can sign documents with the private key
> > associated to a certificate that has already been imported from the smart
> > card to the "MY" personal store by another program (also given by the card
> > producer).
> >
> > My problem is: the certificate this program exports is not the one I want
> > to use to sign!
> >
> > So my question:
> > How can I have direct access to the smart card to select the right
> > certificate?
> > (As suggested in another post, I looked at PropCert.cpp but it doesn't
> > work)
> >
> > Is there a simple CryptoAPI function to use?
> >
> > Thanks for your attention
> >
> >
> > elisa
> >
> >
>
>
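The procedure Eric Perlin describes in the quoted reply (enumerate the card's containers with CryptGetProvParam / PP_ENUMCONTAINERS, then look at each one) combined with the CryptGetUserKey / KP_CERTIFICATE sequence of the code above, as an added example that is not part of the original thread. It is a PowerShell script calling CryptoAPI through P/Invoke; it assumes the card producer's CSP is registered under the name used in the post, "IPMCSP32", and that a card is in a reader. For every container the CSP reports and for both key specs (AT_KEYEXCHANGE and AT_SIGNATURE) it prints the thumbprint and subject of the certificate stored with that key, which shows which container and key spec actually hold the signing certificate before a container name gets hard-coded.

```powershell
# Added example, not code from the original post. Assumes the card producer's
# CSP is registered as "IPMCSP32" (the provider name used in the post) and that
# a card is inserted; change -Provider if the CSP has another name.
param([string]$Provider = "IPMCSP32")

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class CapiSc
{
    const uint PROV_RSA_FULL       = 1;
    const uint CRYPT_VERIFYCONTEXT = 0xF0000000;   // no private-key access, enumeration only
    const uint PP_ENUMCONTAINERS   = 2;
    const uint CRYPT_FIRST         = 1;
    const uint CRYPT_NEXT          = 2;
    const uint KP_CERTIFICATE      = 26;
    const int  ERROR_NO_MORE_ITEMS = 259;
    public const uint AT_KEYEXCHANGE = 1;
    public const uint AT_SIGNATURE   = 2;
    public static int LastError;                   // Win32/NTE code of the last failed call

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CryptAcquireContext(out IntPtr hProv, string container, string provider, uint provType, uint flags);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptGetProvParam(IntPtr hProv, uint param, byte[] data, ref uint len, uint flags);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptGetUserKey(IntPtr hProv, uint keySpec, out IntPtr hKey);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptGetKeyParam(IntPtr hKey, uint param, byte[] data, ref uint len, uint flags);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptDestroyKey(IntPtr hKey);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptReleaseContext(IntPtr hProv, uint flags);

    // PP_ENUMCONTAINERS returns one null-terminated ANSI container name per call:
    // CRYPT_FIRST for the first, CRYPT_NEXT afterwards, ERROR_NO_MORE_ITEMS at the end.
    public static string[] EnumContainers(string provider)
    {
        IntPtr hProv;
        if (!CryptAcquireContext(out hProv, null, provider, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
            throw new System.ComponentModel.Win32Exception();
        var names = new System.Collections.Generic.List<string>();
        try
        {
            var buf = new byte[1024];
            uint flags = CRYPT_FIRST;
            while (true)
            {
                uint len = (uint)buf.Length;
                if (!CryptGetProvParam(hProv, PP_ENUMCONTAINERS, buf, ref len, flags))
                {
                    int err = Marshal.GetLastWin32Error();
                    if (err == ERROR_NO_MORE_ITEMS) break;
                    throw new System.ComponentModel.Win32Exception(err);
                }
                names.Add(Encoding.Default.GetString(buf, 0, (int)len).TrimEnd('\0'));
                flags = CRYPT_NEXT;
            }
        }
        finally { CryptReleaseContext(hProv, 0); }
        return names.ToArray();
    }

    // DER certificate the CSP stores with the AT_KEYEXCHANGE or AT_SIGNATURE key of a
    // container, or null (with LastError set) if there is no such key or no certificate.
    public static byte[] GetKeyCertificate(string provider, string container, uint keySpec)
    {
        IntPtr hProv, hKey;
        if (!CryptAcquireContext(out hProv, container, provider, PROV_RSA_FULL, 0))
            throw new System.ComponentModel.Win32Exception();
        try
        {
            if (!CryptGetUserKey(hProv, keySpec, out hKey)) { LastError = Marshal.GetLastWin32Error(); return null; }
            try
            {
                uint len = 0;       // first call: size only (pbData == NULL)
                if (!CryptGetKeyParam(hKey, KP_CERTIFICATE, null, ref len, 0)) { LastError = Marshal.GetLastWin32Error(); return null; }
                var der = new byte[len];
                if (!CryptGetKeyParam(hKey, KP_CERTIFICATE, der, ref len, 0))
                    throw new System.ComponentModel.Win32Exception();
                return der;
            }
            finally { CryptDestroyKey(hKey); }
        }
        finally { CryptReleaseContext(hProv, 0); }
    }
}
'@

$specs = @( @{ Name = 'AT_KEYEXCHANGE'; Value = [CapiSc]::AT_KEYEXCHANGE },
            @{ Name = 'AT_SIGNATURE';   Value = [CapiSc]::AT_SIGNATURE } )

foreach ($container in [CapiSc]::EnumContainers($Provider)) {
    foreach ($spec in $specs) {
        try { $der = [CapiSc]::GetKeyCertificate($Provider, $container, $spec.Value) }
        catch { "{0,-40} {1,-15} open failed: {2}" -f $container, $spec.Name, $_.Exception.Message; continue }
        if ($null -eq $der) {
            "{0,-40} {1,-15} no key/certificate (0x{2:X8})" -f $container, $spec.Name, [CapiSc]::LastError
            continue
        }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        "{0,-40} {1,-15} {2}  {3}" -f $container, $spec.Name, $cert.Thumbprint, $cert.Subject
    }
}
```

Run it in the user session that has the card inserted. The first context is opened with CRYPT_VERIFYCONTEXT and no container name, which is enough for PP_ENUMCONTAINERS but gives no access to private keys; each container is then reopened with dwFlags 0 so CryptGetUserKey can hand back the key handle. A container whose line reads "no key/certificate" with an NTE_NO_KEY code simply has no key of that spec; a line with another code means the key exists but the CSP returned nothing for KP_CERTIFICATE, which is where to look when the signing certificate does not show up. If the CSP refuses the bare container name, it may require the fully qualified form \\.\<reader name>\<container name> on the CryptAcquireContext call.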


