problem signing CMC request with Enrollment Agent certificate

From: Tory Eneboe (tjeneboe_at_blah.com)
Date: 06/05/04


Date: Fri, 4 Jun 2004 17:25:36 -0700

I am trying to use an Enrollment Agent to request certificates on behalf of
other users. The process I am using is as follows:

1) Issue myself an Enrollment Agent certificate.
2) Create a CMC Request using XEnroll. I set the following XEnroll
attribute before calling the XEnroll method that actually creates the
request:

XEnroll.AddNameValuePairToSignature("RequesterName","somedomain\someaccount");
3) Use the C++ Crypto library to sign the CMC request with the Enrollment
Agent cert.
4) Submit the resulting request (PKCS7?) to the CA for processing.

I am stuck on step #3. I have included my code below. When my code runs,
it fails on the following line:
     CryptMsgUpdate(hMsg, pbCMCOld, cbCMCOld, TRUE);
with the all too common error:
     0x8009310B ASN1 bad tag value met

Does anyone have any ideas on what I'm doing wrong? Any help would be
greatly appreciated! Thanks. Tory.

---------------------------------------------------------------------------------------------

#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Encoding type used for every CryptoAPI call below (the usual SDK sample value).
#define MY_ENCODING_TYPE (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)

int main(void)
{
    // Variable Declaration.
    HCERTSTORE hSystemStore;
    PCCERT_CONTEXT pSignerCertContext = NULL;
    HCRYPTMSG hMsg;
    CERT_BLOB CertBlob;

    // Here is the original CMC request that XEnroll created for us.
    // XEnroll hands it back as one string with the armor on the same line
    // as the base64; the body of the base64 is elided here.
    BYTE* pbCMCOld = (BYTE*) "-----BEGIN NEW CERTIFICATE REQUEST-----"
        "MIIFYgYJKoZIhvcNAQcCoIIFUzCCBU8CAQMxCzAJBgUrDgMCGgUAMIID6QYIKwYB" /* ... */
        "-----END NEW CERTIFICATE REQUEST-----";
    DWORD cbCMCOld = (DWORD) strlen((char *) pbCMCOld) + 1;

    // Open the certificate store to be searched.
    hSystemStore = CertOpenSystemStore(0, "MY");

    // Since the only cert in my personal store is the
    // enrollment agent cert, finding the first cert in
    // the store (CERT_FIND_ANY) works just fine.
    pSignerCertContext = CertFindCertificateInStore(hSystemStore,
        MY_ENCODING_TYPE, 0, CERT_FIND_ANY, NULL, NULL);

    // Open a message handle for decoding and keep the returned handle.
    hMsg = CryptMsgOpenToDecode(MY_ENCODING_TYPE, 0, 0, NULL, NULL, NULL);

    // >>>>>> This line is where it fails. <<<<<
    CryptMsgUpdate(hMsg, pbCMCOld, cbCMCOld, TRUE);

    // Initialize SignedEncodeInfo with the enrollment agent certificate info
    CryptMsgControl(hMsg, 0, CMSG_CTRL_ADD_SIGNER,
        pSignerCertContext->pCertInfo);

    // Add the signing cert.
    CertBlob.cbData = pSignerCertContext->cbCertEncoded;
    CertBlob.pbData = pSignerCertContext->pbCertEncoded;
    CryptMsgControl(hMsg, 0, CMSG_CTRL_ADD_CERT, &CertBlob);

    // Get the size of the new CMC.
    DWORD cbCMCNew;
    CryptMsgGetParam(hMsg, CMSG_ENCODED_MESSAGE, 0, NULL, &cbCMCNew);

    // Get the new CMC.
    BYTE* pbCMCNew = (BYTE*) malloc(sizeof(BYTE)*cbCMCNew);
    CryptMsgGetParam(hMsg, CMSG_ENCODED_MESSAGE, 0, pbCMCNew, &cbCMCNew);

    // Submit the new CMC to the CA for processing.

    // Release everything that was opened above.
    free(pbCMCNew);
    CryptMsgClose(hMsg);
    CertFreeCertificateContext(pSignerCertContext);
    CertCloseStore(hSystemStore, 0);
    return 0;
}
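The following is an added example, not code from the original post. It covers the point where the post is stuck: CryptMsgUpdate consumes DER, while the buffer handed to it above is the PEM text XEnroll returned, whose first byte is '-' (0x2D) rather than the 0x30 SEQUENCE tag, which is what "ASN1 bad tag value met" reports. The code strips the armor, base64-decodes the body, and reads the outer ASN.1 header so a caller can check what it is about to pass on. On Windows the same decode is done by CryptStringToBinaryA with CRYPT_STRING_BASE64HEADER; the portable C below shows what that call does. The short PEM request is constructed; the second input is the 64 base64 characters quoted in the post, whose decoded prefix shows the outer SEQUENCE followed by the PKCS#7 signedData OID (1.2.840.113549.1.7.2), consistent with the "PKCS7?" in step 4.

```c
/* Added example (not from the post): PEM-armored request -> DER, plus the
 * header check wanted before CryptMsgUpdate. Windows does this decode with
 * CryptStringToBinaryA(CRYPT_STRING_BASE64HEADER); this is the portable form.
 * SAMPLE_PEM is constructed; POST_PREFIX_PEM is quoted from the post. */
#include <stdio.h>
#include <string.h>

/* Constructed: SEQUENCE { INTEGER 5 } = 30 03 02 01 05, base64 "MAMCAQU=". */
const char SAMPLE_PEM[] =
    "-----BEGIN NEW CERTIFICATE REQUEST-----\r\n"
    "MAMCAQU=\r\n"
    "-----END NEW CERTIFICATE REQUEST-----\r\n";

/* First 64 base64 chars of the request in the post, in XEnroll's single-line
 * armor; the rest of the blob is not on the page, so only the head is checked. */
const char POST_PREFIX_PEM[] =
    "-----BEGIN NEW CERTIFICATE REQUEST-----"
    "MIIFYgYJKoZIhvcNAQcCoIIFUzCCBU8CAQMxCzAJBgUrDgMCGgUAMIID6QYIKwYB"
    "-----END NEW CERTIFICATE REQUEST-----";

/* DER of OBJECT IDENTIFIER 1.2.840.113549.1.7.2 (pkcs7-signedData). */
static const unsigned char OID_SIGNED_DATA[] =
    { 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Skip "-----...-----" armor (own line or inline), whitespace and '=' padding,
 * then base64-decode the body. Returns the DER byte count, or -1 on bad input. */
long pem_to_der(const char *pem, unsigned char *out, size_t cap)
{
    unsigned acc = 0;
    int bits = 0;
    long n = 0;
    for (const char *p = pem; *p; ) {
        if (strncmp(p, "-----", 5) == 0) {
            const char *end = strstr(p + 5, "-----");
            if (!end) return -1;
            p = end + 5;
        } else if (strchr(" \t\r\n=", *p)) {
            p++;
        } else {
            int v = b64val((unsigned char)*p++);
            if (v < 0) return -1;
            acc = ((acc << 6) | (unsigned)v) & 0xFFFF;   /* keep only pending bits */
            if ((bits += 6) >= 8) {
                bits -= 8;
                if ((size_t)n >= cap) return -1;
                out[n++] = (unsigned char)(acc >> bits);
            }
        }
    }
    return n;
}

/* Outer DER tag and length. Returns the tag byte or -1 if malformed;
 * *content_len and *hdr_len receive the declared length and header size. */
int der_outer_header(const unsigned char *der, long len,
                     long *content_len, long *hdr_len)
{
    if (len < 2) return -1;
    long l = der[1], h = 2;
    if (l & 0x80) {                     /* long form: low 7 bits = length-of-length */
        int k = (int)(l & 0x7F);
        if (k == 0 || k > 4 || len < 2 + k) return -1;
        for (l = 0, h = 2; h < 2 + k; h++) l = (l << 8) | der[h];
    }
    *content_len = l;
    *hdr_len = h;
    return der[0];
}

/* 1 if the buffer is a ContentInfo SEQUENCE opening with the signedData OID,
 * the PKCS#7/CMC shape CryptMsgUpdate expects; 0 otherwise. */
int is_pkcs7_signed_data(const unsigned char *der, long len)
{
    long clen, hlen;
    if (der_outer_header(der, len, &clen, &hlen) != 0x30) return 0;
    if (len - hlen < (long)sizeof(OID_SIGNED_DATA)) return 0;
    return memcmp(der + hlen, OID_SIGNED_DATA, sizeof(OID_SIGNED_DATA)) == 0;
}

int main(void)
{
    unsigned char der[256];
    long n, clen, hlen;
    int tag;
    /* The failing call was fed the armored text itself: first byte '-' = 0x2D. */
    printf("first byte of PEM text: 0x%02X (a DER SEQUENCE starts with 0x30)\n",
           (unsigned char)SAMPLE_PEM[0]);
    n = pem_to_der(SAMPLE_PEM, der, sizeof der);
    tag = der_outer_header(der, n, &clen, &hlen);
    printf("constructed sample: %ld bytes, tag 0x%02X, length %ld\n", n, tag, clen);
    n = pem_to_der(POST_PREFIX_PEM, der, sizeof der);
    tag = der_outer_header(der, n, &clen, &hlen);
    printf("post prefix: %ld bytes, tag 0x%02X, declared length %ld, signedData=%d\n",
           n, tag, clen, is_pkcs7_signed_data(der, n));
    return 0;
}
```

The check worth keeping in real code is the one on the first byte: anything that starts with 0x2D ('-') still has its armor on, and only after pem_to_der (or CryptStringToBinaryA) should the buffer and its exact byte count, with no trailing NUL, be handed to CryptMsgUpdate.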
