Re: How to Add Attribute to a PKCS10 Request
From: krish shenoy[MS] (kshenoy@online.microsft.com)
Date: 10/31/02
- Next message: Alex Peake: "Microsoft Security Bulletin MS02-063"
- Previous message: Torgeir Bakken (MVP): "Re: Spamming with Administrative Pop Up Window"
- In reply to: Eric: "Re: How to Add Attribute to a PKCS10 Request"
- Next in thread: Eric: "Re: How to Add Attribute to a PKCS10 Request"
- Reply: Eric: "Re: How to Add Attribute to a PKCS10 Request"
From: "krish shenoy[MS]" <kshenoy@online.microsft.com> Date: Thu, 31 Oct 2002 12:31:55 -0800
The request generated by xenroll is in Base64 format. You need to convert it
to binary before calling CryptDecodeObjectEx.
You can use ICEnroll:cryptStringToBinary for that.
--
This posting is provided "AS IS" with no warranties and confers no rights.
Use of any included samples is subject to the terms specified at
http://www.microsoft.com/info/copyright.htm"

"Eric" <eric.h@netcourrier.com> wrote in message
news:#0ZBe$KgCHA.1960@tkmsftngp08...
> I'd like to use ICEnroll but the problem is whenever I try to decode a
> PKCS10 request that has been issued by using ICEnroll it fails...
>
> I first simply do this call:
>
> if( (!CryptDecodeObjectEx( MY_ENCODING_TYPE,
>                            X509_CERT_REQUEST_TO_BE_SIGNED,
>                            pbRequest,
>                            pcbRequest,
>                            CRYPT_DECODE_TO_BE_SIGNED_FLAG,
>                            NULL,
>                            NULL,//sRequestInfo,
>                            &pcbRequestInfo )))
>
> {
>     DWORD nError = GetLastError();
>     return nError;
> }
>
> where pbRequest is the data from the PKCS10 issued by ICEnroll but this
> first call fails with the error:
>
> //MessageId:CRYPT_E_ASN1_BADTAG
> //MessageText:
> //ASN1 bad tag value met
> #define CRYPT_E_ASN1_BADTAG _HRESULT_TYPEDEF_(0x8009310BL)
>
> So it's not a matter of ignoring the extra tags or not it just seems that
> the CryptDecodeObject finds that the PKCS10 request generated by ICEnroll is
> not a valid ASN1 format... and I had a confirmation by using the
> "DumpAsn1.exe" that accepts the PKCS10 generated by using CryptEncodeObject,
> CryptSignAndEncodeCertificate etc.. that is to say the code "Example C
> Program: Making a Certificate Request" from the PSDK but it rejects the
> PKCS10 generated by using ICEnroll....
> As I am not using Certificate Server on the CA side...I think I have no
> choice I must do the hard way to build my request...
>
> Maybe I am wrong but in this case if someone can help me and tell me why my
> PKCS10 generated by using ICEnroll fails when passed as parameter of the
> CryptDecodeObject...
> If you have any comment, confirmation, correction or experience about my
> assumption please tell me!!
> (Did someone already succeed in calling CryptDecodeObjectEx on a PKCS10
> generated by ICEnroll???)
>
> Thanks
> Eric
>
> "D. Cross [MS]" <dcross@online.microsoft.com> wrote in message
> news:uDYOPJCgCHA.2636@tkmsftngp09...
> > Almost every single PKI vendor in the world (over 150) that offers a CA that
> > services Microsoft clients through a web interface uses xenroll with
> > ICEnroll. You can ignore the extra request parameters which is completely
> > allowed in the standard.
> >
> > --
> >
> > David B. Cross [MS]
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > "Eric" <eric.h@netcourrier.com> wrote in message
> > news:OdFVDn#fCHA.1432@tkmsftngp10...
> > > Hi,
> > >
> > > Thanks for your answer, I'll try it and give you some feedback...
> > > Maybe you can confirm it to me but the reason I'm not using ICEnroll is that
> > > the PKCS10 which is generated is not really standard and have some extra
> > > parameters used by MS Certificate Server that I'm not using...So if I try to
> > > decode it using the low level Crypto API functions it fails...
> > > Thanks again
> > > Eric
> > >
> > > "krish shenoy[MS]" <kshenoy@online.microsft.com> wrote in message
> > > news:#nVJrD8fCHA.3596@tkmsftngp08...
> > > > It would be harder if you are using CAPI rather than CAPICOM or ICEnroll.
> > > > To add request attributes you would have to
> > > > create a CERT_REQUEST_INFO structure
> > > > typedef struct _CERT_REQUEST_INFO {
> > > >     DWORD dwVersion;
> > > >     CERT_NAME_BLOB Subject;
> > > >     CERT_PUBLIC_KEY_INFO SubjectPublicKeyInfo;
> > > >     DWORD cAttribute;
> > > >     PCRYPT_ATTRIBUTE rgAttribute;
> > > > } CERT_REQUEST_INFO, *PCERT_REQUEST_INFO;
> > > >
> > > > This will have an array rgAttribute of request attributes each of which
> > > > should be created using CryptEncodeObject.
> > > > The request should then be signed using
> > > > if ( !CryptSignAndEncodeCertificate(
> > > >         hSignProv,
> > > >         dwKeySpec,
> > > >         X509_ASN_ENCODING |PKCS_7_ASN_ENCODING,
> > > >         X509_CERT_REQUEST_TO_BE_SIGNED,
> > > >         pReqInfo,
> > > >         pSignatureAlgorithm,
> > > >         NULL,
> > > >         NULL,
> > > >         &cbCertSigned ) ) {
> > > >     hr = GetLastError();
> > > >     MlogArg1(g_myLog,EZLOG_SEV1,"CryptSignAndEncodeCertificate (0x%08x).\n", hr);
> > > >     goto ErrorReturn ;
> > > > }
> > > >
> > > > pbReqSigned = ( BYTE* )malloc( cbCertSigned ) ;
> > > >
> > > > --
> > > > This posting is provided "AS IS" with no warranties and confers no rights.
> > > > Use of any included samples is subject to the terms specified at
> > > > http://www.microsoft.com/info/copyright.htm"
> > > > "Eric" <eric.h@netcourrier.com> wrote in message
> > > > news:O9V1N12fCHA.1744@tkmsftngp11...
> > > > > Hi,
> > > > >
> > > > > I am using the CryptoAPI (not CAPICOM and not ICEnroll) to make a
> > > > > certificate request using VC++ like the example in the PSDK...
> > > > > I would like to add the purpose of the Certificate (Sign and Exchange) and
> > > > > also the validity dates for this certificate but I really don't know how to
> > > > > add some attributes from the PSDK example...
> > > > > Can anyone help me please
> > > > > Thanks
> > > > > Eric
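
The point of the reply at the top of this message, as an added example (not code from the thread or from Microsoft): a DER decoder handed Base64 text sees the character 'M' (0x4D) where it expects the SEQUENCE tag 0x30, which is consistent with a bad-tag error, and the same bytes parse once converted to binary. The function names and the sample request are constructed for illustration, and the decoder here is a portable stand-in for the conversion call the reply names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample, not a real request: Base64 of the DER bytes
   30 05 30 03 02 01 00, with the header lines request files often carry. */
static const char SAMPLE_B64[] = "-----BEGIN NEW CERTIFICATE REQUEST-----\r\n"
    "MAUwAwIB\r\nAA==\r\n-----END NEW CERTIFICATE REQUEST-----\r\n";

static int b64_val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Base64 text -> bytes; skips whitespace and header lines; -1 on bad input or full buffer. */
long b64_to_der(const char *in, unsigned char *out, size_t cap) {
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (const char *p = in; *p && *p != '='; p++) {
        if (*p == '-') {                 /* skip the rest of a header line */
            while (p[1] && p[1] != '\n') p++;
            continue;
        }
        if (strchr(" \t\r\n", *p)) continue;
        int v = b64_val((unsigned char)*p);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8) {
            if (n >= cap) return -1;
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;     /* keep only the bits not yet emitted */
        }
    }
    return (long)n;
}

/* A DER PKCS#10 starts with SEQUENCE (0x30) whose first element is a SEQUENCE. */
int looks_like_der_request(const unsigned char *buf, size_t len) {
    if (len < 4 || buf[0] != 0x30) return 0;
    size_t hdr = 2 + ((buf[1] & 0x80) ? (size_t)(buf[1] & 0x7F) : 0);
    return hdr < len && buf[hdr] == 0x30;
}

int main(void) {
    unsigned char der[64];
    long n = b64_to_der(SAMPLE_B64, der, sizeof der);
    printf("text=%d decoded=%d\n", looks_like_der_request((const unsigned char *)"MAUw", 4),
           looks_like_der_request(der, n < 0 ? 0 : (size_t)n));
}
```

Running the same first-byte check on a real request buffer before passing it to the decoder tells you immediately whether it is still in its text encoding.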