Key exchange between BHO and ActiveX under IE 10 EPM Windows 8 64-bit Release Preview

  • June 21, 2012, 15:40

    I developed BHO and ActiveX. ActiveX is a singleton that serves requests from multiple BHOs. Data transfer protocol between BHO and ActiveX is encrypted with a session key generated by ActiveX using CryptGenKey() and exported by CryptExportKey() and public user key generated with CryptGenKey(). I'm importing this session key in BHO using CryptImportKey() and public user key obtained with CryptGetUserKey().

    This architecture works fine in IE7, IE8 and IE9, in both 32-bit and 64-bit versions. It also works fine in IE 10 w/o EPM, where BHO(s) run in Low IL and ActiveX runs in Medium IL. However, once I switch EPM on, the call to CryptImportKey() fails with NTE_BAD_DATA. Has anybody faced such a problem or know about it?

    Looking forward to any ideas.

    Best regards,

    Sergey

All replies

  • June 22, 2012, 5:58
    Moderator

    Hello,

    I think this blog can help you; it is about protected mode in IE10:

    http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx


    Best regards,

    Jesse


    Jesse Jiang [MSFT]
    MSDN Community Support | Feedback to us

  • June 22, 2012, 7:25

    Hello Jesse,

    Thanks for the suggestion, but I had already reviewed that link before asking here. I didn't find anything there that clarifies the problem. Both BHO and ActiveX can be instantiated in EPM mode. Only the particular call to CryptImportKey() fails. I wonder if anybody knows about any restrictions on using Crypt API under EPM.


    Best regards,

    Sergey

  • June 22, 2012, 15:46

    Finally I figured out that the root of the problem is that Crypt API is not aware of Low IL restrictions. All CSPs' key containers are created under the %USERPROFILE%\AppData\Roaming\Microsoft\Crypto\RSA folder. But this folder is not accessible (writable) in EPM. Now I'm looking for some way to redirect Crypt API calls to the %USERPROFILE%\AppData\LocalLow\... folder.

    Any ideas?

    Best regards, Sergey

  • June 22, 2012, 16:54

    In Vista and later, broker processes were needed to write protected resources, and in EPM, they are required to read protected resources.


    Visual C++ MVP

  • June 25, 2012, 14:07

    In Vista and later, broker processes were needed to write protected resources, and in EPM, they are required to read protected resources.

    Actually, I have a broker already: this is my ActiveX, which is responsible for key generation. The only problem is to transfer this key from ActiveX (Medium IL) to BHO (Low IL). Crypt API provides the CryptImportKey() method (which fails) for this purpose. So the question is: is there any way to exchange a key between Medium IL and Low IL?


    Best regards, Sergey

  • June 27, 2012, 9:32

    Finally I resolved the EPM problem by migrating from the CryptImportKey() to the CryptDeriveKey() API.

    I wonder if MSFT can publish some information regarding all API restrictions under Low IL.

    Best regards, Sergey