Re: CardSignData: verify signature failed



On Apr 20, 3:35 am, Mounir IDRASSI <mooni...@xxxxxxxxxxxxxxxxx> wrote:
Hi,

Your code should work now, so I'm beginning to think that my first statement
about byte ordering may be wrong. Can you remove the byte order swaping from
your code (both at the begining and the end) and then do another test?

--
Mounir IDRASSI
IDRIXhttp://www.idrix.fr

To reach me: mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)

"Duy Nguyen" wrote:
On Apr 19, 5:54 pm, Mounir IDRASSI <mooni...@xxxxxxxxxxxxxxxxx> wrote:
Hi,

Don't hard code CRYPT_NOHASHOID or pass pInfo->dwSigningFlags: As I said,
either you pass CRYPT_NOHASHOID if (pInfo->dwSigningFlags & CRYPT_NOHASHOID)
!= 0 , or you just pass 0.

You can use the padding callback on the input data at the begining of your
function. In this case, you can't use CryptSignHash : you must use
CryptDecrypt with the flag CRYPT_DECRYPT_RSA_NO_PADDING_CHECK to perform a
raw RSA exponentiation because you have done the padding yourself.

--
Mounir IDRASSI
IDRIXhttp://www.idrix.fr

To reach me: mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)

"Duy Nguyen" wrote:

In capiRSASign function above, when calling CryptSignHash, I first
passed pInfo->dwSigningFlags, it doesn't work, so I hardcoded as
CRYPT_NOHASHOID and it also failed.

OK, here is the updated capiRSASign function, I called
CryptGetHashParam with HP_HASHSIZE to before calling CryptSetHashParam
as described in MSND. But I still got the same error "Invalid
Signature", don't know whether I missed anything :(

static int capiRSASign(PBYTE keyBlob, DWORD blobSize, ALG_ID algID,
DWORD signingFlags, PBYTE in, DWORD inSize, PBYTE *out, DWORD
*outSize)
{
   int ret=0;
   HCRYPTPROV hProv;
   HCRYPTHASH hHash;
   HCRYPTKEY hKey;
   DWORD hashSize,len;

   ret=CryptAcquireContext(&hProv, "testcsp", NULL, PROV_RSA_FULL, 0);
   if(!ret){
           DWORD detail=GetLastError();
           if(detail==NTE_BAD_KEYSET){
                   detail=CryptAcquireContext(&hProv, "testcsp", NULL, PROV_RSA_FULL,
CRYPT_NEWKEYSET);
                   if(!detail){
                           return ret;
                   }
           } else {
                   return ret;
           }
   }

   ret=CryptImportKey(hProv, keyBlob, blobSize, 0, 0, &hKey);
   if(!ret){
           return ret;
   }

   ret=CryptCreateHash(hProv, algID, 0, 0, &hHash);
   if(!ret){
           goto done;
   }

    len=sizeof(hashSize);
   ret=CryptGetHashParam(hHash, HP_HASHSIZE, (PBYTE)&hashSize, &len, 0);
    if(!ret){
           goto done;
   }
    if(hashSize!=inSize){
           goto done;
    }

   ret=CryptSetHashParam(hHash, HP_HASHVAL, in, 0);
   if(!ret){
           goto done;
   }

   *outSize=0;
   if(signingFlags & CRYPT_NOHASHOID){
           ret=CryptSignHash(hHash, AT_KEYEXCHANGE, NULL, CRYPT_NOHASHOID,
NULL, outSize);
   } else {
           ret=CryptSignHash(hHash, AT_KEYEXCHANGE, NULL, 0, NULL, outSize);
   }
   if(!ret){
           goto done;
   }

   if(NULL==(*out=(BYTE *)malloc(*outSize))){
           goto done;
   }

   if(signingFlags & CRYPT_NOHASHOID){
           ret=CryptSignHash(hHash, AT_KEYEXCHANGE, NULL, CRYPT_NOHASHOID,
*out, outSize);
   } else {
           ret=CryptSignHash(hHash, AT_KEYEXCHANGE, NULL, 0, *out, outSize);
   }
   if(!ret){
           goto done;
   }
   ret=1;

done:
   if(hHash){
           CryptDestroyHash(hHash);
   }
   if(hKey){
           CryptDestroyKey(hKey);
   }
   CryptReleaseContext(hProv, 0);

   return ret;
}

Finally, it works, I can enroll certificate successfully.

Now I'm testing my card with IIS (HTTPS server with require client
authentication option).

Did you experience problem with the Insert Smart Card dialog? It says:
"The card is being shared by another process. However, the card is not
the one being requested, and cannot be used for the current
operation".

I guess it's OK to have the card shared by another process (the
current process is IE, I guess the other one is Winlogon.exe), but
maybe the certificate I enrolled cannot be used for web client
authentication, is it correct?

When doing enrollment, I chose "Smart Card User" template.
.



Relevant Pages

  • Re: *** rec.gambling.blackjack FAQ ***
    ... Q02 What special terminology is used by blackjack players? ... Q03 What special terminology is used by card counters? ...      valuable to the player, but rarely offered by the casinos. ...
    (rec.gambling.blackjack)
  • Re: Help! Major Memory Installation Issue
    ... It's interesting that you mention the video card. ... fan of its own, over and above the CPU fan and the case fans. ...     usage of all four slots for memory DIMMs, ...
    (alt.comp.periphs.mainboard.asus)
  • Re: SD Card Reader problem - Seems to be solved.
    ... Card Reader. ...   And to tell you the truth, I don't know when this started as I ... the ding dong and it disappears. ... Right Click on th "SD card reader" icon ...
    (microsoft.public.windowsxp.hardware)
  • Re: old people are so difficult
    ... "benefits" for the new card. ... enrolled with one of those credit protection companies. ...   If not..... ...
    (soc.retirement)
  • Re: BYO Storyline idea - Faction struggle
    ... way to turn titled vampires Anarch, ... In the centre of the table is the Faction deck; ... Faction cards are ignored, the card are always immediately replaced from the ...   ...
    (rec.games.trading-cards.jyhad)