Re: CAPICOM decrypt/verify problem

From: Shawn Corey [MSFT] (shawncor_at_online.microsoft.com)
Date: 02/05/04


Date: Thu, 5 Feb 2004 12:00:09 -0800

You can verify the signing certificate by using the SignedData.Signers
object; this is populated during Verify. If you want to do the cert
validation yourself, just pass CAPICOM_VERIFY_SIGNATURE_ONLY to Verify and
it will not check the cert, just the signature. You can then go through the
list of Signer objects under Signers and use Signer.Certificate.IsValid to
get a CertificateStatus object. Set the CheckFlag property to whatever
settings you want, then retrieve the Result property; this is a bool that
will be true if the chain builds properly.
For info on the CertificateStatus object look here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/Security/certificatestatus.asp

Sample in VBS:

' CAPICOM_CHECK_FLAG values from the CAPICOM type library. A plain .vbs file
' does not see the type library's constants, so declare the ones used here.
Const CAPICOM_CHECK_TIME_VALIDITY = 2
Const CAPICOM_CHECK_SIGNATURE_VALIDITY = 4
Const CAPICOM_CHECK_ONLINE_REVOCATION_STATUS = &H200

Set oSignedData = CreateObject("CAPICOM.SignedData")
oSignedData.Verify SomeSignedContent   ' Signers is populated by Verify

For Each oSigner In oSignedData.Signers
 Set oCertStat = oSigner.Certificate.IsValid
 ' Combine the flags with Or. And is bitwise in VBScript and would clear
 ' every bit, leaving CheckFlag = CAPICOM_CHECK_NONE (no checks at all).
 oCertStat.CheckFlag = CAPICOM_CHECK_TIME_VALIDITY Or _
         CAPICOM_CHECK_SIGNATURE_VALIDITY Or _
         CAPICOM_CHECK_ONLINE_REVOCATION_STATUS
 If oCertStat.Result Then   ' read Result only after CheckFlag is set
  MsgBox "Cert is valid"
 Else
  MsgBox "Cert is not valid"
 End If
Next

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Michel Gallant" <neutron@NOSPAMistar.ca> wrote in message
news:eoS%23tv%236DHA.2720@TK2MSFTNGP09.phx.gbl...
> CAPICOM 2.0.0.3 unfortunately does not implement accessing the
> list of recipients during decryption (only implemented during the
> encryption phase).
>
> CA issuance switches are :
> makecert ... -cy authority -ss MY -sp "Microsoft Enhanced Cryptographic Provider v1.0" -n "CN=YourCAcn .."
>
> makecert ... -is MY   -in "JavaScience CA"   -n "CN=IssuedCn ... "
>
> - Mitch Gallant
>    MVP Security
>
>
> "bc" <bc_aux@usa.net> wrote in message
news:dfa9e38.0402050116.54cd7a8b@posting.google.com...
> > Hi,
> > I have some problems with CAPICOM wrt. decrypting and verifying
> > messages - determining the recipients/signers to be exact. I use
> > CAPICOM on WinXP and everything works fine except for the following
> > issues.
> >
> > How do I determine to whom EnvelopedData is intended?? When I do a
> > decrypt my MY_STORE is automatically scanned to find a private key
> > match. The MY_STORE could potentially contain several certificates.
> > Can I retrieve information about the certificate used for decryption
> > in order to determine the specific receiver ?? A previous post gave me
> > the impression that I could retrieve the recipients from the
> > Recipients attribute after a decrypt, but the count of this is always
> > zero - no recipients!
> > The code used is simply (correct certificate added to MY_STORE before
> > execution)
> >
> > ...
> > m_pEnvelopedData->Decrypt(bstrCipher);
> > bstrText = m_pEnvelopedData->GetContent();
> > int n = m_pEnvelopedData->Recipients->GetCount();  <---- always zero
> > ...
> >
> > I haven't fully explored verify (SignedData), but it is the same
> > problem I face. When verifying a signed data package the verify method
> > (called with CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE) tries to build
> > a chain in order to authenticate the signer - as far as I know it
> > scans CA_STORE for a match, correct?? Is it possible to determine the
> > used certificate from the CA_STORE?? Is it possible to verify a
> > certificate (chain build) without having it or its root CA in the
> > CA_STORE (just in MY_STORE)??  The code used is
> >
> > ...
> > m_pSignedData->Content = bstrData;
> > m_pSignedData->Verify(bstrSign, true, CAPICOM::CAPICOM_VERIFY_SIGNATURE_AND_CERTIFICATE);
> > ...
> >
> > To wrap it up, some makecert.exe questions. How do you create your own
> > CA certificate from which you can issue sub-certificates - which
> > switches in makecert.exe?
> >
> > Best regards
> > Brian Christensen
>
>
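As an added example (not the poster's code and not a Microsoft sample), the same flow from Shawn's reply in PowerShell: verify the signature only, then validate each signer's certificate with explicitly combined CheckFlag values and record which root actually anchored the chain, which is also how to see which CA_STORE certificate was used. The function name and the two file paths are assumptions.

```powershell
# Added example, not from the thread. Assumes capicom.dll is registered and this
# runs in 32-bit PowerShell (CAPICOM ships only as a 32-bit DLL). Enum values
# below are from the CAPICOM type library.
$CAPICOM_VERIFY_SIGNATURE_ONLY          = 0
$CAPICOM_CHECK_TRUSTED_ROOT             = 1
$CAPICOM_CHECK_TIME_VALIDITY            = 2
$CAPICOM_CHECK_SIGNATURE_VALIDITY       = 4
$CAPICOM_CHECK_ONLINE_REVOCATION_STATUS = 0x200

function Test-CapicomSigners {
    param(
        [string]$ContentPath,    # data that was signed (hypothetical path)
        [string]$SignaturePath   # detached, base64 PKCS#7 signature
    )
    $sd = New-Object -ComObject CAPICOM.SignedData
    $sd.Content = [IO.File]::ReadAllText($ContentPath)
    try {
        # Signature only: CAPICOM checks the math, the certificate is ours to judge.
        $sd.Verify([IO.File]::ReadAllText($SignaturePath), $true,
                   $CAPICOM_VERIFY_SIGNATURE_ONLY)
    } catch {
        return [pscustomobject]@{ SignatureValid = $false; Error = $_.Exception.Message }
    }
    foreach ($signer in $sd.Signers) {
        $status = $signer.Certificate.IsValid()
        # Combine flags with -bor; -band (like And in VBScript) would clear them all.
        $status.CheckFlag = $CAPICOM_CHECK_TRUSTED_ROOT -bor
                            $CAPICOM_CHECK_TIME_VALIDITY -bor
                            $CAPICOM_CHECK_SIGNATURE_VALIDITY -bor
                            $CAPICOM_CHECK_ONLINE_REVOCATION_STATUS
        $certValid = [bool]$status.Result      # read only after CheckFlag is set
        # Build the chain separately to see which root anchored it.
        $chain = New-Object -ComObject CAPICOM.Chain
        $built = [bool]$chain.Build($signer.Certificate)
        $path  = @(foreach ($c in $chain.Certificates) { $c.SubjectName })
        $root  = if ($path.Count) { $path[-1] } else { $null }
        [pscustomobject]@{
            SignatureValid = $true
            Signer         = $signer.Certificate.SubjectName
            Thumbprint     = $signer.Certificate.Thumbprint
            CertValid      = $certValid
            ChainBuilt     = $built
            ChainPath      = ($path -join ' <- ')
            Root           = $root
        }
    }
}

Test-CapicomSigners -ContentPath .\message.txt -SignaturePath .\message.p7s |
    Format-List
```

Compare the reported Root thumbprint or subject against the CA you expect; a chain that builds to an unexpected root in the store is the case CAPICOM's default Verify would silently accept.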

