Re: 3rd party software interferes with the cryptographic services
From: Todor Todorov (cdm_at_community.nospam)
Date: 06/05/05
- Previous message: William DePalo [MVP VC++]: "Re: Enumerating current login windows from LocalSystem"
- In reply to: Rhett Gong [MSFT]: "RE: 3rd pary software interferes with the cryptographic services"
- Next in thread: Rhett Gong [MSFT]: "Re: 3rd pary software interferes with the cryptographic services"
- Reply: Rhett Gong [MSFT]: "Re: 3rd pary software interferes with the cryptographic services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 5 Jun 2005 03:15:56 +0200
Hi Rhett and thanks for the answer.
I've done some tracing and here is what my app does to find the private
key's container (in simplified pseudocode).
// open the current user's "My" store and look the certificate up by key identifier
hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,
                       CERT_SYSTEM_STORE_CURRENT_USER, "My");
pCertCtx = CertFindCertificateInStore(hStore, PKCS_7_ASN_ENCODING |
                                      X509_ASN_ENCODING, 0,
                                      CERT_FIND_KEY_IDENTIFIER, blob, 0);
// acquire the private key's CSP handle and key spec for that certificate
result = CryptAcquireCertificatePrivateKey(pCertCtx, 0, 0, out hCryptProv,
                                           out keySpec, out freeProv);
// read the key provider info (container name, provider name/type, key spec)
CRYPT_KEY_PROV_INFO cpvi = .....
result = CertGetCertificateContextProperty(pCertCtx,
                                           CERT_KEY_PROV_INFO_PROP_ID, cpvi, len)
This is the C# code (the certificate and its private key container name
have been found):
using System.Security.Cryptography;

// "params" is a C# keyword and will not compile as a variable name, so the
// CspParameters object is named csp here
CspParameters csp = new CspParameters();
csp.KeyContainerName = cpvi.pwszContainerName;
csp.ProviderName = null;
csp.ProviderType = cpvi.dwProvType;
csp.KeyNumber = cpvi.dwKeySpec;
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(csp);
byte[] decrypted = rsa.Decrypt(encrypted, false); // FAILS HERE !!!
I've noticed that the KeyContainerName is different on both machines, which
is as expected. But the ProvName returned by
CertGetCertificateContextProperty is also different! On the machine where
things work, it returns "Microsoft Strong Cryptographic Provider", and on
the machine where things fail, it returns "CRYPTOMATHiC RSA Full Provider
1.2". This confirms what the developers at TDC (the certificate issuer)
wrote to me. Here's a rough translation:
"As default the digital signature is installed in MS CAPI in a special CSP
which we've developed. This is to ensure that a reasonable password is
required for the (private) key.
We have no knowledge of apps that use CAPI and can't use our digital
signature (and the CSP). The issue here is that we can't give access to the
private key without asking the end-user to enter his/her password" ....
-----------------
So, if I am correct, the RSA.Decrypt() method does not like the Cryptomathic
CSP. Can you tell me what the Decrypt method does and what I can do to trace
and get more info about the issue? BTW, the password dialog box is never
shown! Any ideas for workarounds? Is this a problem in the .NET framework,
the CAPI or the CSP or a combination?
Thanks!
-- Todor Todorov
"Rhett Gong [MSFT]" <v-raygon@online.microsoft.com> wrote in message
news:u8ApO3AaFHA.3896@TK2MSFTNGXA01.phx.gbl...
> Hello Todor,
> "Bad Data" exception will be thrown if either the binary data passed in to
> RSA.Decrypt() method is wrong or the imported RSA private key does not
> match with the RSA public key that is used for encryption.
>
> I noticed you are prompted whenever you used the cert, do you ever receive
> any dialog to input password when your code runs? If you did not get any
> dialog and get this error, that may be because you failed to pass their
> auth and it fails silently. You may try your code to export private keys
> of these 2 test machines and see if they are identical.
>
> Thanks,
> Rhett Gong [MSFT]
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
> http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.asp&SD=msdn
>
> This posting is provided "AS IS" with no warranties and confers no rights.
>
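Added example, not code from the original post: it locates the certificate the same way (CurrentUser "My" store, lookup by key identifier) but carries the certificate's own provider name and type into CspParameters, since a null ProviderName selects the default CSP for that provider type rather than the CSP that actually holds the key. Assumes .NET Framework 2.0 or later; the class, method and the hex subject key identifier argument are hypothetical names.

```csharp
// Added example (not from the original post). Assumes .NET Framework 2.0+
// and a certificate with a CSP-held RSA key in CurrentUser\My.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CspKeyLookup
{
    // Returns an RSA object bound to the CSP that really holds the key.
    public static RSACryptoServiceProvider OpenPrivateKey(string subjectKeyIdHex)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectKeyIdentifier, subjectKeyIdHex, false);
            if (found.Count == 0)
                throw new CryptographicException("certificate not found");

            // The key provider info of the certificate names the CSP,
            // which may be a third-party one rather than a Microsoft CSP.
            RSACryptoServiceProvider existing =
                found[0].PrivateKey as RSACryptoServiceProvider;
            if (existing == null)
                throw new CryptographicException("no CSP-held RSA private key");
            CspKeyContainerInfo info = existing.CspKeyContainerInfo;

            // Keep ProviderName: a null value picks the default provider for
            // ProviderType, so the container would be searched in the wrong CSP.
            CspParameters csp = new CspParameters(
                info.ProviderType, info.ProviderName, info.KeyContainerName);
            csp.KeyNumber = (int)info.KeyNumber;
            // UseExistingKey: error out instead of silently creating a new key.
            csp.Flags = CspProviderFlags.UseExistingKey;
            // NoPrompt: in a service or batch context nobody can answer the
            // CSP's password dialog, so fail fast rather than hang.
            if (!Environment.UserInteractive)
                csp.Flags |= CspProviderFlags.NoPrompt;
            return new RSACryptoServiceProvider(csp);
        }
        finally
        {
            store.Close();
        }
    }
}
```

A caller then does `OpenPrivateKey(skiHex).Decrypt(encrypted, false)`; comparing the returned object's CspKeyContainerInfo.ProviderName against the value CertGetCertificateContextProperty reports is a quick way to confirm both sides opened the same CSP.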