CRYPT_SILENT

  • Question

  • Hi,
    I am trying to avoid the screen that asks for the PIN of a certificate when it needs the private key. The only way I found to do this was using the API:

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CryptSetProvParam(
        IntPtr hProv,
        uint dwParam,
        [In] byte[] pbData,
        uint dwFlags);

    I invoke it as follows:

    CryptSetProvParam(hProv, 32, pin, 0)

    The pin is passed as a byte array appended with "(char)0". For some reason the error that I get always is "Invalid type specified".

    Any clues?

    Thanks,


    Federico Benitez
    My blog
    • Moved by nobugz Tuesday, September 22, 2009 1:07 PM not a clr q (From:Common Language Runtime)
    Tuesday, September 22, 2009 11:07 AM

Answers

  • Hi,

    I confirm that PP_SIGNATURE_PIN and PP_KEYEXCHANGE_PIN are not supported by Microsoft CSPs. They are only intended for hardware based CSPs.

    These flags can not be used to bypass the notification dialog for software keys created with CRYPT_USER_PROTECTED. Actually, there is no way to bypass this notification dialog.

    Cheers,
    --
    Mounir IDRASSI
    IDRIX
    http://www.idrix.fr
    • Proposed as answer by Michael Koster Wednesday, September 23, 2009 6:09 AM
    • Marked as answer by Federico Benitez Wednesday, September 23, 2009 11:14 AM
    Tuesday, September 22, 2009 11:52 PM

All replies

  • I am trying to avoid the screen that asks for the PIN of a certificate when it needs the private key.

    Federico Benitez
    My blog

    Hi,

    from my security knowledge, it sounds like you're trying to do something illegal,
    according to what you're saying here.

    Sorry, I will [NOT] help you, either you specify details... or somebody else
    can try out.

    Also read this [IMPORTANT] = MSDN - Information on Terms Of Use:
    http://msdn.microsoft.com/en-us/cc300389.aspx#K

    Have a nice day...

    Best regards,
    Fisnik 
    Coder24.com
    Tuesday, September 22, 2009 5:59 PM
  • Hi Fisnik
    I think you are really confused. What I want to do is to use an API (CryptoAPI) exposed by Microsoft. The API should work, but I am getting an error when I call the function "CryptSetProvParam" with the parameter PP_SIGNATURE_PIN, which allows you to specify the PIN of the certificate programmatically instead of displaying a popup screen where you have to type it manually. This works for other CSPs, but for some reason the Microsoft Enhanced Cryptographic Service Provider is not working and returns the error "Invalid type specified".

    My guess is that the Microsoft Enhanced CSP doesn't support this.

    Can anyone confirm this or let me know the way to do it?

    Regards,

    Federico Benitez
    My blog
    Tuesday, September 22, 2009 6:12 PM
  • Hi Mounir,
    Thanks a lot.

    So I have no way to avoid prompting for the PIN. Can I use any alternative CSP?

    Regards,
    Federico Benitez
    My blog
    Wednesday, September 23, 2009 11:15 AM
  • Hi,

    If you want to avoid user interaction while using the key, you have to make a choice:
    • either don't specify CRYPT_USER_PROTECTED when creating the key on a Microsoft CSP
    • or use a hardware-based CSP like the ones you get when you buy a smart card (the Microsoft Base Smart Card Provider fits in this category)
    Since it seems that protecting private key access with a PIN is important for you, this leaves you with the second option, that is, moving your private keys to hardware tokens.

    This being said, you can always develop your own CSP that has its own protection mechanisms for private key access but this kind of development can be heavy and I'm not sure if this fits into your scope.

    Cheers,
    --
    Mounir IDRASSI
    IDRIX
    http://www.idrix.fr
    Wednesday, September 23, 2009 3:25 PM
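    The two points made in this thread (the PP_SIGNATURE_PIN call failing with "Invalid type specified" on the Microsoft Enhanced CSP, and the choice between an unprotected software key and a hardware CSP) can be checked with a small C# program. The following is an added example, not code posted by anyone in the thread: it sends a PIN to the provider with the same P/Invoke the question uses, reports the provider's error code, and then generates a signature key without CRYPT_USER_PROTECTED, which is the option that works unattended on a Microsoft CSP. The container name "PinProbeContainer" and the PIN value "1234" are placeholders chosen for this example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

// Added example (not from the thread). Probes whether a CSP accepts a programmatic
// PIN via CryptSetProvParam(PP_SIGNATURE_PIN) and shows the alternative named in the
// answer: generating the software key without CRYPT_USER_PROTECTED.
public static class CspPinProbe
{
    public const uint PROV_RSA_FULL = 1;
    public const uint CRYPT_NEWKEYSET = 0x00000008;
    public const uint CRYPT_DELETEKEYSET = 0x00000010;
    public const uint CRYPT_USER_PROTECTED = 0x00000002; // CSP prompts on every private-key use
    public const uint AT_SIGNATURE = 2;
    public const uint PP_KEYEXCHANGE_PIN = 32;
    public const uint PP_SIGNATURE_PIN = 33;
    public const int NTE_BAD_TYPE = unchecked((int)0x8009000A); // "Invalid type specified"
    public const string MS_ENHANCED_PROV = "Microsoft Enhanced Cryptographic Provider v1.0";

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CryptAcquireContext(out IntPtr phProv, string szContainer,
                                           string szProvider, uint dwProvType, uint dwFlags);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptGenKey(IntPtr hProv, uint algId, uint dwFlags, out IntPtr phKey);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptSetProvParam(IntPtr hProv, uint dwParam, [In] byte[] pbData, uint dwFlags);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptDestroyKey(IntPtr hKey);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptReleaseContext(IntPtr hProv, uint dwFlags);

    // Passes the PIN as the NUL-terminated ANSI string the PP_*_PIN parameters expect.
    // Returns false plus the provider's error code when the parameter is unsupported
    // (NTE_BAD_TYPE on Microsoft software CSPs, as the accepted answer states).
    public static bool TrySetSignaturePin(IntPtr hProv, string pin, out int error)
    {
        byte[] pinBytes = Encoding.ASCII.GetBytes(pin + "\0");
        bool ok = CryptSetProvParam(hProv, PP_SIGNATURE_PIN, pinBytes, 0);
        error = ok ? 0 : Marshal.GetLastWin32Error();
        Array.Clear(pinBytes, 0, pinBytes.Length); // do not leave the PIN in managed memory
        return ok;
    }

    // Opens the named key container on the provider, creating it if it does not exist.
    public static IntPtr OpenContainer(string container, string provider)
    {
        IntPtr hProv;
        if (CryptAcquireContext(out hProv, container, provider, PROV_RSA_FULL, 0))
            return hProv;
        if (CryptAcquireContext(out hProv, container, provider, PROV_RSA_FULL, CRYPT_NEWKEYSET))
            return hProv;
        throw new Win32Exception(Marshal.GetLastWin32Error());
    }

    // Generates the container's signature key. With userProtected == true a Microsoft CSP
    // shows its dialog on every use and cannot be silenced; with false the key can be used
    // unattended and is protected only by the user profile (DPAPI) and the container's ACL.
    public static void GenerateSignatureKey(IntPtr hProv, bool userProtected)
    {
        uint flags = userProtected ? CRYPT_USER_PROTECTED : 0;
        IntPtr hKey;
        if (!CryptGenKey(hProv, AT_SIGNATURE, flags, out hKey))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        CryptDestroyKey(hKey); // releases the handle; the key itself stays in the container
    }

    public static void Main()
    {
        const string container = "PinProbeContainer"; // placeholder name for this example
        IntPtr hProv = OpenContainer(container, MS_ENHANCED_PROV);
        try
        {
            int err;
            if (TrySetSignaturePin(hProv, "1234", out err)) // "1234" is a placeholder PIN
                Console.WriteLine("Provider accepted a programmatic PIN (hardware-style CSP).");
            else
                Console.WriteLine("CryptSetProvParam failed: 0x{0:X8}{1}", err,
                    err == NTE_BAD_TYPE ? " (NTE_BAD_TYPE: PP_SIGNATURE_PIN not supported here)" : "");

            // Unattended use on a Microsoft CSP: the key must not carry CRYPT_USER_PROTECTED.
            GenerateSignatureKey(hProv, userProtected: false);
            Console.WriteLine("Generated a software key that can be used without a prompt.");
        }
        finally
        {
            CryptReleaseContext(hProv, 0);
            IntPtr unused; // delete the throwaway container so the probe key does not persist
            CryptAcquireContext(out unused, container, MS_ENHANCED_PROV, PROV_RSA_FULL, CRYPT_DELETEKEYSET);
        }
    }
}
```

    Run on the Microsoft Enhanced CSP, the PIN call is expected to fail with NTE_BAD_TYPE (the "Invalid type specified" message from the question), while the same call against a smart card CSP would be the supported path. Dropping CRYPT_USER_PROTECTED is what makes unattended use possible on a software CSP, so the key's protection then depends entirely on who can log on as, or read the profile of, the account that owns the container; that trade-off is the reason the answer points to hardware tokens when a PIN really matters.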
  • Thanks a lot Mounir.

    Regards,
    Federico Benitez
    My blog
    Wednesday, September 23, 2009 3:46 PM
  • Hi Mounir,
    One last question. If Microsoft is showing the popup screen, it's because that screen somehow sets the PIN; is this a hidden Microsoft API then?

    Regards,
    Federico Benitez
    My blog
    Wednesday, September 23, 2009 4:32 PM
  • Hi,

    Of course Microsoft has an API that enables the popup dialog to unlock the key using the given password, but it is not documented and it is part of the black-box process used by Microsoft to protect all sorts of credentials stored on Windows operating systems.

    Cheers,
    --
    Mounir IDRASSI
    IDRIX
    http://www.idrix.fr
    • Proposed as answer by 执大象 Sunday, March 7, 2010 3:02 PM
    Sunday, October 4, 2009 10:34 AM