Re: CertEnumCertificatesInStore() and IE
From: Oliver Young (none)
Date: 12/09/03
- Previous message: Bong Valdoz: "CryptoAPI v.s. SSL3.0/TSL 1.0"
- In reply to: Sergio Dutra [MS]: "Re: CertEnumCertificatesInStore() and IE"
- Next in thread: Oliver Young: "Re: CertEnumCertificatesInStore() and IE"
Date: Tue, 9 Dec 2003 12:16:54 +0100
> IE filters the certificates in the Personal store to list only those that
> contain an associated private key.
I've just found another security bug in CryptoAPI. :(
1. I have imported one certificate into the Personal store (medium security
level),
2. I have exported that certificate (with private key) into a file,
3. I have imported that certificate (with private key) into the Personal store
(with high security level and password set),
4. Now, I'm able to sign using that certificate and there is no dialog
asking me for the password. For example, Outlook 2000 will ask me for the
password and my app will not!!! Signing is with the same certificate.
So, the certificate is not password protected.
Best regards,
Milan Tomic
http://www.setcce.org