Re: How to Add Attribute to a PKCS10 Request

From: Eric (eric.h@netcourrier.com)
Date: 10/31/02


From: "Eric" <eric.h@netcourrier.com>
Date: Thu, 31 Oct 2002 08:41:39 +0100


I'd like to use ICEnroll but the problem is whenever I try to decode a
PKCS10 request that has been issued by using ICEnroll it fails...

I first simply do this call:

if( !CryptDecodeObjectEx( MY_ENCODING_TYPE,
         X509_CERT_REQUEST_TO_BE_SIGNED,
         pbRequest,                      // BYTE*: the encoded request
         cbRequest,                      // DWORD: its length in bytes
         CRYPT_DECODE_TO_BE_SIGNED_FLAG,
         NULL,                           // default allocator
         NULL,                           // pvStructInfo NULL: size query only
         &cbRequestInfo ) )              // DWORD receiving the CERT_REQUEST_INFO size
  {
   DWORD dwError = GetLastError();       // CRYPT_E_ASN1_BADTAG, see below
   return dwError;
  }

where pbRequest is the data from the PKCS10 issued by ICEnroll but this
first call fails with the error:

// MessageId: CRYPT_E_ASN1_BADTAG
// MessageText:
//   ASN1 bad tag value met
#define CRYPT_E_ASN1_BADTAG  _HRESULT_TYPEDEF_(0x8009310BL)

So it's not a matter of ignoring the extra tags or not; it just seems that
CryptDecodeObject finds that the PKCS10 request generated by ICEnroll is
not in a valid ASN1 format... and I had confirmation of this by using
"DumpAsn1.exe", which accepts the PKCS10 generated by using CryptEncodeObject,
CryptSignAndEncodeCertificate etc., that is to say the code from "Example C
Program: Making a Certificate Request" in the PSDK, but rejects the
PKCS10 generated by using ICEnroll....
As I am not using Certificate Server on the CA side... I think I have no
choice: I must do it the hard way and build my request...

Maybe I am wrong, but in this case, if someone can help me and tell me why my
PKCS10 generated by using ICEnroll fails when passed as a parameter to
CryptDecodeObject...
If you have any comment, confirmation, correction or experience about my
assumption, please tell me!!
(Did someone already succeed in calling CryptDecodeObjectEx on a PKCS10
generated by ICEnroll???)

Thanks
Eric

"D. Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:uDYOPJCgCHA.2636@tkmsftngp09...
> Almost every single PKI vendor in the world (over 150) that offers a CA
> that services Microsoft clients through a web interface uses xenroll with
> ICEnroll. You can ignore the extra request parameters, which is completely
> allowed in the standard.
>
> --
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Eric" <eric.h@netcourrier.com> wrote in message
> news:OdFVDn#fCHA.1432@tkmsftngp10...
> > Hi,
> >
> > Thanks for your answer, I'll try it and give you some feedback...
> > Maybe you can confirm it to me, but the reason I'm not using ICEnroll is
> > that the PKCS10 which is generated is not really standard and has some
> > extra parameters used by MS Certificate Server that I'm not using... So
> > if I try to decode it using the low level Crypto API functions it fails...
> > Thanks again
> > Eric
> >
> > "krish shenoy[MS]" <kshenoy@online.microsft.com> wrote in message
> > news:#nVJrD8fCHA.3596@tkmsftngp08...
> > > It would be harder if you are using CAPI rather than CAPICOM or
> > > ICEnroll.
> > > To add request attributes you would have to
> > > create a CERT_REQUEST_INFO structure
> > > typedef struct _CERT_REQUEST_INFO {
> > >     DWORD                 dwVersion;
> > >     CERT_NAME_BLOB        Subject;
> > >     CERT_PUBLIC_KEY_INFO  SubjectPublicKeyInfo;
> > >     DWORD                 cAttribute;
> > >     PCRYPT_ATTRIBUTE      rgAttribute;
> > > } CERT_REQUEST_INFO, *PCERT_REQUEST_INFO;
> > >
> > > This will have an array rgAttribute of request attributes, each of
> > > which should be created using CryptEncodeObject.
> > > The request should then be signed using
> > > if ( !CryptSignAndEncodeCertificate(
> > >          hSignProv,
> > >          dwKeySpec,
> > >          X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
> > >          X509_CERT_REQUEST_TO_BE_SIGNED,
> > >          pReqInfo,
> > >          pSignatureAlgorithm,
> > >          NULL,
> > >          NULL,                 // pbEncoded NULL: first call queries the size
> > >          &cbCertSigned ) ) {
> > >     hr = GetLastError();
> > >     MlogArg1( g_myLog, EZLOG_SEV1, "CryptSignAndEncodeCertificate (0x%08x).\n", hr );
> > >     goto ErrorReturn;
> > > }
> > >
> > > pbReqSigned = ( BYTE* )malloc( cbCertSigned );   // then call again to fill it
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties and confers no
> > > rights.
> > > Use of any included samples is subject to the terms specified at
> > > http://www.microsoft.com/info/copyright.htm
> > > "Eric" <eric.h@netcourrier.com> wrote in message
> > > news:O9V1N12fCHA.1744@tkmsftngp11...
> > > > Hi,
> > > >
> > > > I am using the CryptoAPI (not CAPICOM and not ICEnroll) to make a
> > > > certificate request using VC++ like the example in the PSDK...
> > > > I would like to add the purpose of the Certificate (Sign and
> > > > Exchange) and also the validity dates for this certificate but I
> > > > really don't know how to add some attributes from the PSDK example...
> > > > Can anyone help me please
> > > > Thanks
> > > > Eric
> > > >
> > > >
> > >
> > >
> >
> >
>
>
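The decode failure in Eric's top post has a simpler cause than a malformed request: ICEnroll's createPKCS10 returns the request as a Base64 string (with or without the "-----BEGIN NEW CERTIFICATE REQUEST-----" armour), not as DER bytes, so the first byte handed to CryptDecodeObjectEx is 'M' (0x4D) or '-' rather than the SEQUENCE tag 0x30, which is exactly the "ASN1 bad tag value met" result. On Windows the cure is CryptStringToBinary with CRYPT_STRING_BASE64_ANY before CryptDecodeObjectEx. The portable C below is an added example, not code from the thread or from Microsoft: it reproduces that check with its own Base64 decoder and a minimal outer-SEQUENCE check, on a constructed stand-in string whose payload is a tiny synthetic SEQUENCE rather than a real request.

```c
/* Added example, not code from the thread: why CryptDecodeObjectEx reports
 * CRYPT_E_ASN1_BADTAG on an ICEnroll request, and the decode order that works.
 * Portable C (no wincrypt.h); the Windows calls are named in comments. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DER_TAG_SEQUENCE 0x30

/* Outcomes, standing in for the HRESULTs the thread quotes. */
enum { DECODE_OK = 0, DECODE_BADTAG = 1, DECODE_TRUNCATED = 2, DECODE_BADTEXT = 3 };

/* Constructed stand-ins for what createPKCS10 hands back: the same Base64 bare
 * and with the "NEW CERTIFICATE REQUEST" armour. The payload is a tiny
 * synthetic SEQUENCE { SEQUENCE { INTEGER 0 } }, not a real request. */
static const char SAMPLE_REQUEST_B64[] = "MAUwAwIBAA==";
static const char SAMPLE_REQUEST_PEM[] =
    "-----BEGIN NEW CERTIFICATE REQUEST-----\r\n"
    "MAUwAwIBAA==\r\n"
    "-----END NEW CERTIFICATE REQUEST-----\r\n";
/* The DER bytes that Base64 encodes (constructed). */
static const unsigned char SAMPLE_REQUEST_DER[] = {0x30,0x05,0x30,0x03,0x02,0x01,0x00};

static int b64_value(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Base64 -> bytes, skipping whitespace, '=' padding and "-----" armour lines.
 * This is the job CryptStringToBinary(..., CRYPT_STRING_BASE64_ANY, ...) does
 * on Windows. Returns the byte count, or -1 on a character outside the alphabet. */
static int base64_decode(const char *in, unsigned char *out, size_t cap) {
    unsigned acc = 0;
    int bits = 0;
    size_t n = 0;
    while (*in) {
        if (*in == '-') { while (*in && *in != '\n') in++; continue; }  /* armour line */
        if (strchr(" \t\r\n=", *in)) { in++; continue; }
        int v = b64_value((unsigned char)*in++);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;           /* only the low bits are read back */
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)n;
}

/* The first thing the X509_CERT_REQUEST_TO_BE_SIGNED decoder checks: the buffer
 * must start with a SEQUENCE tag whose length spans the buffer. Feed it the
 * Base64 text and byte 0 is 'M' or '-', hence "ASN1 bad tag value met". */
static int check_pkcs10_outer(const unsigned char *p, size_t len) {
    size_t hdr = 2, body = 0;
    if (len < 2) return DECODE_TRUNCATED;
    if (p[0] != DER_TAG_SEQUENCE) return DECODE_BADTAG;
    if (p[1] < 0x80) {
        body = p[1];
    } else {                                      /* long form: 0x81/0x82 + length bytes */
        size_t nlen = p[1] & 0x7F;
        if (nlen < 1 || nlen > 2 || len < 2 + nlen) return DECODE_TRUNCATED;
        for (size_t i = 0; i < nlen; i++) body = (body << 8) | p[2 + i];
        hdr += nlen;
    }
    return hdr + body == len ? DECODE_OK : DECODE_TRUNCATED;
}

/* The order that works: text -> CryptStringToBinary -> CryptDecodeObjectEx. */
static int decode_request_text(const char *text, unsigned char *der, size_t cap, size_t *derlen) {
    int n = base64_decode(text, der, cap);
    if (n < 0) return DECODE_BADTEXT;
    *derlen = (size_t)n;
    return check_pkcs10_outer(der, (size_t)n);
}

int main(void) {
    unsigned char der[64];
    size_t n = 0;
    /* 1. Text passed straight to the decoder, as in the post: bad tag. */
    printf("raw text -> %d (1 = BADTAG)\n",
           check_pkcs10_outer((const unsigned char *)SAMPLE_REQUEST_B64, strlen(SAMPLE_REQUEST_B64)));
    /* 2. Base64-decode first, then check the DER: OK. */
    printf("decoded  -> %d (0 = OK), %u DER bytes\n",
           decode_request_text(SAMPLE_REQUEST_PEM, der, sizeof der, &n), (unsigned)n);
    return 0;
}
```

The same distinction applies to DumpAsn1: it reads DER, so the ICEnroll output has to be Base64-decoded to a file before it will accept it, and a length check like the one in check_pkcs10_outer is worth keeping in front of any decoder that takes request bytes from a browser.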

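krish's answer describes request attributes only at the structure level (CERT_REQUEST_INFO.rgAttribute, each value produced by CryptEncodeObject). The example below, portable C added here and not from the thread or from Microsoft, shows the bytes one such entry ends up holding for the case Eric asked about: a PKCS#9 extensionRequest attribute (szOID_RSA_certExtensions, 1.2.840.113549.1.9.14) carrying a KeyUsage extension (szOID_KEY_USAGE, 2.5.29.15) with digitalSignature and keyEncipherment set, which is how I read "Sign and Exchange". On Windows the same bytes come from CryptEncodeObject(X509_KEY_USAGE, ...) for the bit string and CryptEncodeObject(X509_EXTENSIONS, ...) for the Extensions blob that goes into CRYPT_ATTRIBUTE.rgValue[0]; CryptSignAndEncodeCertificate then adds the outer Attribute wrapper. Validity dates are not part of a PKCS#10 request at all (the CA sets them), so there is no attribute for them here.

```c
/* Added example, not code from the thread: the DER bytes that one entry of
 * CERT_REQUEST_INFO.rgAttribute holds for a key-usage extension request.
 * Portable C; no wincrypt.h calls, the Windows equivalents are in comments. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* X.509 KeyUsage bit numbers; bit 0 is the MSB of the first BIT STRING byte. */
enum { KU_DIGITAL_SIGNATURE = 0, KU_NON_REPUDIATION = 1, KU_KEY_ENCIPHERMENT = 2,
       KU_DATA_ENCIPHERMENT = 3, KU_KEY_AGREEMENT = 4, KU_KEY_CERT_SIGN = 5,
       KU_CRL_SIGN = 6, KU_ENCIPHER_ONLY = 7, KU_DECIPHER_ONLY = 8 };

/* 1.2.840.113549.1.9.14 (pkcs-9 extensionRequest; szOID_RSA_certExtensions). */
static const unsigned char OID_EXTENSION_REQUEST[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0E};
/* 2.5.29.15 (id-ce-keyUsage; szOID_KEY_USAGE). */
static const unsigned char OID_KEY_USAGE[] = {0x55,0x1D,0x0F};

/* Write tag, DER length and content to out. Returns bytes written, 0 if out
 * is too small or the content exceeds the two-byte long form handled here. */
static size_t der_tlv(unsigned char tag, const unsigned char *content, size_t clen,
                      unsigned char *out, size_t cap) {
    size_t hdr = clen < 0x80 ? 2 : clen < 0x100 ? 3 : 4;
    if (clen > 0xFFFF || cap < hdr + clen) return 0;
    out[0] = tag;
    if (clen < 0x80)        out[1] = (unsigned char)clen;
    else if (clen < 0x100) { out[1] = 0x81; out[2] = (unsigned char)clen; }
    else                   { out[1] = 0x82; out[2] = (unsigned char)(clen >> 8); out[3] = (unsigned char)clen; }
    if (clen) memcpy(out + hdr, content, clen);
    return hdr + clen;
}

/* Content of the KeyUsage BIT STRING for a mask of (1u << KU_*) bits: the
 * unused-bit count, then the bit bytes with trailing zero bits and bytes
 * trimmed as DER requires (what CryptEncodeObject(X509_KEY_USAGE) emits
 * from a CRYPT_BIT_BLOB). Returns the content length, 1..3. */
static size_t key_usage_bits(unsigned mask, unsigned char content[3]) {
    unsigned char bytes[2] = {0, 0};
    size_t nbytes;
    unsigned unused = 0;
    for (int bit = 0; bit <= KU_DECIPHER_ONLY; bit++)
        if (mask & (1u << bit)) bytes[bit / 8] |= (unsigned char)(0x80 >> (bit % 8));
    nbytes = bytes[1] ? 2 : bytes[0] ? 1 : 0;
    if (nbytes) {
        unsigned char last = bytes[nbytes - 1];
        while (!(last & 1)) { last >>= 1; unused++; }
    }
    content[0] = (unsigned char)unused;
    memcpy(content + 1, bytes, nbytes);
    return 1 + nbytes;
}

/* Attribute { extensionRequest, SET { Extensions { Extension {
 *   keyUsage, [critical TRUE], OCTET STRING { BIT STRING } } } } }.
 * Returns the encoded length, 0 on a buffer problem. */
static size_t build_key_usage_attribute(unsigned ku_mask, int critical,
                                        unsigned char *out, size_t cap) {
    static const unsigned char DER_TRUE[] = {0xFF};
    unsigned char bits[3], bitstr[8], ext_body[32], ext[40], exts[48], set[56], attr_body[72];
    size_t n, p = 0, q = 0;

    n = key_usage_bits(ku_mask, bits);
    n = der_tlv(0x03, bits, n, bitstr, sizeof bitstr);                        /* BIT STRING */
    p += der_tlv(0x06, OID_KEY_USAGE, sizeof OID_KEY_USAGE, ext_body, sizeof ext_body);
    if (critical)                               /* BOOLEAN DEFAULT FALSE: encoded only when TRUE */
        p += der_tlv(0x01, DER_TRUE, sizeof DER_TRUE, ext_body + p, sizeof ext_body - p);
    p += der_tlv(0x04, bitstr, n, ext_body + p, sizeof ext_body - p);        /* extnValue */
    n = der_tlv(0x30, ext_body, p, ext, sizeof ext);                         /* Extension */
    n = der_tlv(0x30, ext, n, exts, sizeof exts);                            /* Extensions = rgValue[0] */
    n = der_tlv(0x31, exts, n, set, sizeof set);                             /* SET OF AttributeValue */
    q += der_tlv(0x06, OID_EXTENSION_REQUEST, sizeof OID_EXTENSION_REQUEST, attr_body, sizeof attr_body);
    if (q == 0 || n == 0 || q + n > sizeof attr_body) return 0;
    memcpy(attr_body + q, set, n);
    q += n;
    return der_tlv(0x30, attr_body, q, out, cap);                            /* Attribute */
}

int main(void) {
    unsigned char attr[64];
    unsigned mask = (1u << KU_DIGITAL_SIGNATURE) | (1u << KU_KEY_ENCIPHERMENT);
    size_t n = build_key_usage_attribute(mask, 1, attr, sizeof attr);
    for (size_t i = 0; i < n; i++) printf("%02X%s", attr[i], i + 1 < n ? " " : "\n");
    return 0;
}
```

Dumping the result with DumpAsn1 is a quick way to confirm the nesting before wiring it into rgAttribute; a CA that honours extensionRequest will copy the keyUsage extension into the issued certificate, and one that does not will simply ignore the attribute, which is the "extra request parameters" behaviour David Cross describes.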

