Re: How do we get the private key to do digital signature?



<antonyliu2002@xxxxxxxxx> wrote in message
news:1176162759.810886.45140@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Apr 9, 3:48 pm, "Mitch Gallant" <jensig...@xxxxxxxxxxxxxxxx> wrote:
My existing client side script in VBScript can already send the
selected cert successfully to my web application. I will post the
script when I have access to my work station later today, so that you
can see how the selected cert is sent.

Maybe it is possible to modify the existing script in such a way that
I can get to know which cert has been selected.

AL

For right now, my web application knows whose cert was submitted after
it parses the intercepted cert. I wish I could do this on the client
side.

I don't think you can intercept the IE cert-selection dialog if IE
initiates the SSL session with the server and invokes the
client-authorization cert-selection process. As I said earlier, you'd
have to invoke the SSL session from vbs itself and then select the cert
and pass to SSL negotiation that way.

- Mitch

Hmm, it looks like you are right.

I just checked the source code of the Login HTML page and there is
nothing special there!

Look, this is the source code screen snapshot:

http://farm1.static.flickr.com/248/453147844_430f70367a_o.png

And this is how this web form appears in IE:

http://farm1.static.flickr.com/192/453147858_57d693694d_o.png

And the source code in plain text (nothing special!)

<form action="https://www.myhost.com:8443/mybank/LoginServlet"
      method="post" name="bankloginform" id="bankloginform"
      onSubmit="return emailCheck(bankloginform.email.value) && passwordCheck()">
<p>Please login using your email address and the password you
supplied the time you signed up with the bank.
</p>
<p>Please note that you need a valid certificate to login. If you do
not have a certificate yet, you can apply one for free right now.
</p>
<p>Your browser never knows if your certificate is revoked, but we
do know. So, if your certificate has been revoked, you won't be able to
login.</p>
<table width="39%" border="0">
<tr>
<td width="21%" height="26"> <p align="right">e-mail:</td>
<td width="79%"><input name="email" type="text" id="email" size="48"></td>
</tr>
<tr>
<td rowspan="2" valign="top"><div align="right">Password:</div></td>
<td><input name="password" type="password" id="password" size="48" maxlength="48"></td>
</tr>
<tr>
<td><input name=login type=submit id="login2" value="Login"></td>
</tr>
</table>
</form>

OK, let's turn back to your suggestion: you'd have to invoke the SSL
session from vbs itself and then select the cert and pass to SSL
negotiation that way.

How do we invoke SSL from vbs? I have never done this.

AL

OK first of all, I'll reiterate that I have been able to do this from a
standalone .NET 1.1 client using basic code like this:
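--------- .NET 1.1 snippet to connect to SSL server requiring client-certificate authentication -----
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Load the client certificate from a file and attach it to the request.
X509Certificate jscert = X509Certificate.CreateFromCertFile(certfile);
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
req.ClientCertificates.Add(jscert);
// The certificate is offered when the server asks for one during the SSL handshake.
HttpWebResponse resp = (HttpWebResponse)req.GetResponse();
------------------------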
and with .NET 2, you can use all the support for searching and finding
certificates (so you wouldn't need to use CAPICOM from .NET).

I think that you could use the WinHttpRequest COM object like so:

--- VBScript sample to connect to SSL server requiring client-cert authentication --------
......
Dim HttpReq
' Instantiate the WinHttpRequest COM object (VBScript has no "As" types or "New" for COM classes).
Set HttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")

' Open an HTTP connection.
HttpReq.Open "GET", "https://somesecureurl/", False

' Select a client certificate (after Open, before Send).
HttpReq.SetClientCertificate "LOCAL_MACHINE\Personal\My Middle-Tier Certificate"

' Send the HTTP Request.
HttpReq.Send
-----------------------

check out MSDN docs on WinHttpRequest COM object (part of Windows HTTP
Services) at:
http://msdn2.microsoft.com/en-us/library/aa384106.aspx

- Mitch
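
The approach Mitch describes (start the SSL session from script and choose the certificate there, so the script knows which one is presented), as an added PowerShell example that is not code from either poster. The URL, the e-mail address and the function names Test-ClientAuthEku and Select-ClientCertificate are assumptions, and the certificate is assumed to be in the current user's Personal store.

```powershell
# Added example: $Url and $Email are placeholders, not values from the thread.
$Url   = 'https://server.example:8443/login'
$Email = 'user@example.com'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU

# Hypothetical helper: true if the certificate may be used for client authentication.
function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $true }    # no EKU extension: not restricted to a purpose
    $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    return ($oids -contains $ClientAuthOid)
}

# Hypothetical helper: pick the one usable certificate issued to $Email.
function Select-ClientCertificate {
    param([string]$Email)
    $now = Get-Date
    $emailName = [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName
    $found = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
        (Test-ClientAuthEku $_) -and
        $_.GetNameInfo($emailName, $false) -eq $Email
    })
    # Refuse to guess: zero or several matches is an error, not a silent pick.
    if ($found.Count -ne 1) {
        throw "Expected exactly one usable certificate for $Email, found $($found.Count)."
    }
    return $found[0]
}

$cert = Select-ClientCertificate -Email $Email
# The script, not a browser dialog, made the choice, so it can record it.
Write-Host "Presenting: $($cert.Subject)"
Write-Host "Issuer:     $($cert.Issuer)"
Write-Host "Thumbprint: $($cert.Thumbprint)"

# SSL handshake with client authentication using the selected certificate.
$resp = Invoke-WebRequest -Uri $Url -Certificate $cert -UseBasicParsing
Write-Host "HTTP status: $($resp.StatusCode)"
```

Client-side filtering only decides what is offered; revocation and trust are still checked by the server, as the login page in the thread says.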


