Re: How to Add Attribute to a PKCS10 Request
From: Eric (eric.h@netcourrier.com)
Date: 11/07/02
- Next message: Me: "Re: FTP Problem... ITS SOLVED"
- Previous message: Bill Sanderson: "Re: WinMgmt events"
- In reply to: krish shenoy[MS]: "Re: How to Add Attribute to a PKCS10 Request"
- Next in thread: krish shenoy[MS]: "Re: How to Add Attribute to a PKCS10 Request"
- Reply: krish shenoy[MS]: "Re: How to Add Attribute to a PKCS10 Request"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Eric" <eric.h@netcourrier.com> Date: Thu, 7 Nov 2002 10:30:40 +0100
Ok thanks for all your answers...
I think it's quite risky for us to do this way so I think I will go the hard
way by encoding the request using the low level CAPI functions...
I told you there is an example in the PSDK but it does not show how to use
the extra parameters like validity, cert usage etc... Is there a place where
I could find such an example?
Many thanks for your help and time
Eric
"krish shenoy[MS]" <kshenoy@online.microsft.com> wrote in message
news:ebZ#FWhhCHA.3752@tkmsftngp08...
> 1) Yes Microsoft does not support redistribution of DLLs so it would not be
> supported
> 2) xenroll.dll for .NET Server would have the CryptStringToBinary function
> that ought to be in crypt32.dll if the crypt32.dll does not contain that
> function so yes it would work with win2k crypt32.dll
>
> --
> This posting is provided "AS IS" with no warranties and confers no rights.
> Use of any included samples is subject to the terms specified at
> http://www.microsoft.com/info/copyright.htm
> "Eric" <eric.h@netcourrier.com> wrote in message
> news:#2PhgEYhCHA.1356@tkmsftngp11...
> > Do you mean that I can copy the latest xenroll.dll file into my application
> > folder and so then I can use ICEnroll4 instead of ICEnroll3 ??? (If I do not
> > download it as an ActiveX I guess I have to register it on the system as it
> > is a COM dll?)
> > Yes it would be great but:
> > 1. Is it sure that I will not have any trouble since ICEnroll4 is not
> > supposed to be supported by Win2K?
> > 2. Does ICEnroll4::stringToBinary call the crypt32.dll file? I just ask
> > because in the ICEnroll4::stringToBinary PSDK doc it is written that this
> > function actually calls the CAPI CryptStringToBinary function which is part
> > of the crypt32.dll file ON XP and .NET servers ONLY!! So if I install the
> > latest XEnroll, try to use stringToBinary and this function calls
> > CryptStringToBinary from crypt32.dll this will fail because
> > CryptStringToBinary is not included in the crypt32.dll version of Win2K
> > (even SP3, I have just checked..)
> >
> > Thanks for your time..I really appreciate it...
> > Eric
> >
> > "krish shenoy[MS]" <kshenoy@online.microsft.com> wrote in message
> > news:Ol$IdlShCHA.1712@tkmsftngp11...
> > > The xenroll.dll contains the required CryptoAPI functions that it would
> > > require for implementing the extra functionality in ICEnroll4. If you can
> > > download the new xenroll to the W2k machine say as a web download of an
> > > activex control or package it with the application that you are building
> > > then it should work even on Win2k. Would that satisfy your requirement?
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties and confers no rights.
> > > Use of any included samples is subject to the terms specified at
> > > http://www.microsoft.com/info/copyright.htm
> > > "Eric" <eric.h@netcourrier.com> wrote in message
> > > news:#eBGMs9gCHA.3708@tkmsftngp08...
> > > > Oops and just to follow your answer...stringToBinary is part of ICEnroll4
> > > > but not ICEnroll3 or previous versions...
> > > > If I am right, ICEnroll4 cannot be used on Win2k...so I cannot use it,
> > > > right?
> > > > Does it mean that I can definitely not use it on Win2K or do I also have
> > > > to install the latest Uuid.lib and Xenroll.h on my system and then I will
> > > > be able to use ICEnroll4?
> > > > Thanks
> > > > Eric
> > > >
> > > > "krish shenoy[MS]" <kshenoy@online.microsft.com> wrote in message
> > > > news:#dGMqmegCHA.1432@tkmsftngp10...
> > > > > stringToBinary is just a wrapper for the CAPI function cryptStringToBinary
> > > > > and is used to make CryptStringToBinary available on downlevels.
> > > > > -krish
> > > > >
> > > > > --
> > > > > This posting is provided "AS IS" with no warranties and confers no rights.
> > > > > Use of any included samples is subject to the terms specified at
> > > > > http://www.microsoft.com/info/copyright.htm
> > > > > "Eric" <eric.h@netcourrier.com> wrote in message
> > > > > news:O7vKnFZgCHA.1656@tkmsftngp11...
> > > > > > Hi Krish,
> > > > > >
> > > > > > So I'm happy I can use ICEnroll...Thanks for help...
> > > > > > Unfortunately the PKI we are building is based on Windows 2000 and it
> > > > > > seems that StringToBinary (whether talking about ICEnroll or the low
> > > > > > level CAPI function) is not supported on Win2K...
> > > > > > Is there a function in the CAPI or in other Windows 2K API allowing me
> > > > > > to convert my PKCS10 Request to ASN1 binary blob?
> > > > > > Thanks
> > > > > > Eric
> > > > > >
> > > > > > "krish shenoy[MS]" <kshenoy@online.microsft.com> wrote in message
> > > > > > news:#rP7cxRgCHA.2068@tkmsftngp12...
> > > > > > > The request generated by xenroll is in Base64 format. You need to
> > > > > > > convert it to binary before calling CryptDecodeObjectEx.
> > > > > > > You can use ICEnroll:cryptStringToBinary for that
> > > > > > >
> > > > > > > --
> > > > > > > This posting is provided "AS IS" with no warranties and confers no rights.
> > > > > > > Use of any included samples is subject to the terms specified at
> > > > > > > http://www.microsoft.com/info/copyright.htm
> > > > > > > "Eric" <eric.h@netcourrier.com> wrote in message
> > > > > > > news:#0ZBe$KgCHA.1960@tkmsftngp08...
> > > > > > > > I'd like to use ICEnroll but the problem is whenever I try to decode
> > > > > > > > a PKCS10 request that has been issued by using ICEnroll it fails...
> > > > > > > >
> > > > > > > > I first simply do this call:
> > > > > > > >
> > > > > > > > if( !CryptDecodeObjectEx( MY_ENCODING_TYPE,
> > > > > > > >                           X509_CERT_REQUEST_TO_BE_SIGNED,
> > > > > > > >                           pbRequest,
> > > > > > > >                           pcbRequest,
> > > > > > > >                           CRYPT_DECODE_TO_BE_SIGNED_FLAG,
> > > > > > > >                           NULL,
> > > > > > > >                           NULL,   // sRequestInfo: NULL queries the size only
> > > > > > > >                           &pcbRequestInfo ) )
> > > > > > > > {
> > > > > > > >     DWORD nError = GetLastError();   // keep the error code and return it
> > > > > > > >     return nError;
> > > > > > > > }
> > > > > > > >
> > > > > > > > where pbRequest is the data from the PKCS10 issued by ICEnroll but this
> > > > > > > > first call fails with the error:
> > > > > > > >
> > > > > > > > //MessageId:CRYPT_E_ASN1_BADTAG
> > > > > > > > //MessageText:
> > > > > > > > //ASN1 bad tag value met
> > > > > > > > #define CRYPT_E_ASN1_BADTAG _HRESULT_TYPEDEF_(0x8009310BL)
> > > > > > > >
> > > > > > > > So it's not a matter of ignoring the extra tags or not it just seems
> > > > > > > > that the CryptDecodeObject finds that the PKCS10 request generated by
> > > > > > > > ICEnroll is not a valid ASN1 format... and I had a confirmation by using
> > > > > > > > the "DumpAsn1.exe" that accepts the PKCS10 generated by using
> > > > > > > > CryptEncodeObject, CryptSignAndEncodeCertificate etc.. that is to say
> > > > > > > > the code "Example C Program: Making a Certificate Request" from the
> > > > > > > > PSDK but it rejects the PKCS10 generated by using ICEnroll....
> > > > > > > > As I am not using Certificate Server on the CA side...I think I have
> > > > > > > > no choice I must do the hard way to build my request...
> > > > > > > >
> > > > > > > > Maybe I am wrong but in this case if someone can help me and tell me
> > > > > > > > why my PKCS10 generated by using ICEnroll fails when passed as
> > > > > > > > parameter of the CryptDecodeObject...
> > > > > > > > If you have any comment, confirmation, correction or experience about
> > > > > > > > my assumption please tell me!!
> > > > > > > > (Did someone already succeed in calling CryptDecodeObjectEx on a PKCS10
> > > > > > > > generated by ICEnroll???)
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > > Eric
> > > > > > > >
> > > > > > > > "D. Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > > > > > news:uDYOPJCgCHA.2636@tkmsftngp09...
> > > > > > > > > Almost every single PKI vendor in the world (over 150) that offers a
> > > > > > > > > CA that services Microsoft clients through a web interface uses
> > > > > > > > > xenroll with ICEnroll. You can ignore the extra request parameters
> > > > > > > > > which is completely allowed in the standard.
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > >
> > > > > > > > > David B. Cross [MS]
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > This posting is provided "AS IS" with no warranties, and confers no
> > > > > > > > > rights.
> > > > > > > > >
> > > > > > > > > "Eric" <eric.h@netcourrier.com> wrote in message
> > > > > > > > > news:OdFVDn#fCHA.1432@tkmsftngp10...
> > > > > > > > > > Hi,
> > > > > > > > > >
> > > > > > > > > > Thanks for your answer, I'll try it and give you some feedback...
> > > > > > > > > > Maybe you can confirm it to me but the reason I'm not using ICEnroll
> > > > > > > > > > is that the PKCS10 which is generated is not really standard and has
> > > > > > > > > > some extra parameters used by MS Certificate Server that I'm not
> > > > > > > > > > using...So if I try to decode it using the low level Crypto API
> > > > > > > > > > functions it fails...
> > > > > > > > > > Thanks again
> > > > > > > > > > Eric
> > > > > > > > > >
> > > > > > > > > > "krish shenoy[MS]" <kshenoy@online.microsft.com> wrote in message
> > > > > > > > > > news:#nVJrD8fCHA.3596@tkmsftngp08...
> > > > > > > > > > > It would be harder if you are using CAPI rather than CAPICOM or
> > > > > > > > > > > ICEnroll.
> > > > > > > > > > > To add request attributes you would have to
> > > > > > > > > > > create a CERT_REQUEST_INFO structure
> > > > > > > > > > > typedef struct _CERT_REQUEST_INFO {
> > > > > > > > > > >     DWORD                dwVersion;
> > > > > > > > > > >     CERT_NAME_BLOB       Subject;
> > > > > > > > > > >     CERT_PUBLIC_KEY_INFO SubjectPublicKeyInfo;
> > > > > > > > > > >     DWORD                cAttribute;
> > > > > > > > > > >     PCRYPT_ATTRIBUTE     rgAttribute;
> > > > > > > > > > > } CERT_REQUEST_INFO, *PCERT_REQUEST_INFO;
> > > > > > > > > > >
> > > > > > > > > > > This will have an array rgAttribute of request attributes each of
> > > > > > > > > > > which should be created using CryptEncodeObject.
> > > > > > > > > > > The request should then be signed using
> > > > > > > > > > > if ( !CryptSignAndEncodeCertificate(
> > > > > > > > > > >          hSignProv,
> > > > > > > > > > >          dwKeySpec,
> > > > > > > > > > >          X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
> > > > > > > > > > >          X509_CERT_REQUEST_TO_BE_SIGNED,
> > > > > > > > > > >          pReqInfo,
> > > > > > > > > > >          pSignatureAlgorithm,
> > > > > > > > > > >          NULL,
> > > > > > > > > > >          NULL,             // first call: query the size only
> > > > > > > > > > >          &cbCertSigned ) ) {
> > > > > > > > > > >     hr = GetLastError();
> > > > > > > > > > >     MlogArg1(g_myLog, EZLOG_SEV1,
> > > > > > > > > > >              "CryptSignAndEncodeCertificate (0x%08x).\n", hr);
> > > > > > > > > > >     goto ErrorReturn;
> > > > > > > > > > > }
> > > > > > > > > > >
> > > > > > > > > > > pbReqSigned = ( BYTE* )malloc( cbCertSigned ) ;
> > > > > > > > > > > // a second call with pbReqSigned and &cbCertSigned fills the buffer
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > This posting is provided "AS IS" with no warranties and confers no
> > > > > > > > > > > rights.
> > > > > > > > > > > Use of any included samples is subject to the terms specified at
> > > > > > > > > > > http://www.microsoft.com/info/copyright.htm
> > > > > > > > > > > "Eric" <eric.h@netcourrier.com> wrote in message
> > > > > > > > > > > news:O9V1N12fCHA.1744@tkmsftngp11...
> > > > > > > > > > > > Hi,
> > > > > > > > > > > >
> > > > > > > > > > > > I am using the CryptoAPI (not CAPICOM and not ICEnroll) to make a
> > > > > > > > > > > > certificate request using VC++ like the example in the PSDK...
> > > > > > > > > > > > I would like to add the purpose of the Certificate (Sign and
> > > > > > > > > > > > Exchange) and also the validity dates for this certificate but I
> > > > > > > > > > > > really don't know how to add some attributes from the PSDK
> > > > > > > > > > > > example...
> > > > > > > > > > > > Can anyone help me please
> > > > > > > > > > > > Thanks
> > > > > > > > > > > > Eric
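Krish's point that xenroll output is base64 and must be converted to binary first, and the CRYPT_E_ASN1_BADTAG Eric hits, are two views of one mistake: CryptDecodeObjectEx wants DER whose first byte is the SEQUENCE tag 0x30, and PEM text starts with '-'. The C below is an added example, not code from the thread or from CryptoAPI: it strips the armor and decodes the base64 itself (so it runs where CryptStringToBinary is missing) and walks the CertificationRequestInfo to count the attributes that CAPI exposes as cAttribute/rgAttribute. Function names and kSamplePem are my own; the sample is a constructed, request-shaped blob, not a real signed CSR.

```c
#include <string.h>

/* Constructed sample in the PEM form xenroll emits; the payload is a hand-built,
 * CertificationRequestInfo-shaped SEQUENCE (version, empty subject, empty SPKI,
 * one placeholder attribute under the [0] tag), not a real signed request. */
static const char kSamplePem[] =
    "-----BEGIN NEW CERTIFICATE REQUEST-----\nMBACAQAwADAAoAcwBQYDVQQD\n"
    "-----END NEW CERTIFICATE REQUEST-----\n";
static const char kB64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/* Strip PEM armor and base64-decode (the job CryptStringToBinary does on XP and
 * .NET Server but is missing on Win2K); returns DER length, or -1 if out is full. */
long pem_to_der(const char *pem, unsigned char *out, size_t cap) {
    size_t n = 0; unsigned acc = 0; int bits = 0; const char *q;
    for (const char *p = pem; *p; p++) {
        if (*p == '-') { while (p[1] && p[1] != '\n') p++; continue; }   /* armor line */
        if (!(q = strchr(kB64, *p))) continue;             /* '=' padding, whitespace */
        acc = (acc << 6) | (unsigned)(q - kB64); bits += 6;
        if (bits < 8) continue; else if (n == cap) return -1;
        bits -= 8; out[n++] = (unsigned char)(acc >> bits);
    }
    return (long)n;
}
/* DER tag/length header: returns header size (0 on error) and sets *len. */
static size_t der_header(const unsigned char *p, size_t avail, size_t *len) {
    if (avail < 2 || p[1] == 0x80) return 0;              /* indefinite form: not DER */
    size_t n = p[1] < 0x80 ? 0 : p[1] & 0x7f;              /* extra length bytes */
    if (n > 2 || avail < 2 + n) return 0;
    *len = n == 0 ? p[1] : n == 1 ? p[2] : ((size_t)p[2] << 8) | p[3];
    return 2 + n;
}
/* Walk a CertificationRequestInfo and return its attribute count (CAPI's cAttribute),
 * or -1 on a structural error; the outer-tag check is the one CryptDecodeObjectEx
 * reports as CRYPT_E_ASN1_BADTAG when it is handed base64 text instead of DER. */
int pkcs10_count_attributes(const unsigned char *der, size_t n) {
    size_t len, hdr = der_header(der, n, &len);
    if (!hdr || der[0] != 0x30 || hdr + len > n) return -1;          /* outer SEQUENCE */
    const unsigned char *p = der + hdr, *end = p + len;
    for (int i = 0; i < 3; i++, p += hdr + len)               /* version, subject, SPKI */
        if (!(hdr = der_header(p, (size_t)(end - p), &len)) || hdr + len > (size_t)(end - p)) return -1;
    hdr = der_header(p, (size_t)(end - p), &len);                    /* [0] attributes */
    if (!hdr || p[0] != 0xA0 || hdr + len > (size_t)(end - p)) return -1;
    int count = 0;
    for (p += hdr, end = p + len; p < end; p += hdr + len, count++)  /* one Attribute */
        if (!(hdr = der_header(p, (size_t)(end - p), &len)) || p[0] != 0x30 || hdr + len > (size_t)(end - p)) return -1;
    return count;
}
int sample_attribute_count(void) {                 /* decode the sample, count attrs */
    unsigned char der[64]; long n = pem_to_der(kSamplePem, der, sizeof der);
    return n < 0 ? -1 : pkcs10_count_attributes(der, (size_t)n);
}
```

Feeding the raw PEM text to pkcs10_count_attributes returns -1 at the very first check, which is the same failure Eric saw before converting to binary.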