Create CSR request using SmartCard does not work

  • Question

  • I am confused about the IX509PrivateKey initialization, given these properties: CSP name, container name, smart card reader name and user PIN.

    Here are the steps

    1. Erase the smartcard using PKCS11  (Works fine)

    2. Create the key set container in the smartcard using crypto API (Works fine)

    3. Initialize an IX509PrivateKey as shown below; it hangs when calling Verify, Open or Create

    4. I guarantee the validity of all the given properties: CSP name, container name, smartcard reader name, user PIN.

    5. Using the same application under XP with xEnroll control works fine using container name as:

           \\.\Gemalto USB Smart Card Reader 1\e965e141-ccba-490b-9b27-39b6c08bb0a3

    The Verify or Open hangs with error: Key set does not exist 

    Create call hangs with error: The file exists

    Please suggest where I am going wrong.

    Is the container name declared correctly?

    /* Urls explored to read https://stackoverflow.com/questions/44731501/prepare-pkcs10-using-privatekey-does-not-work https://social.msdn.microsoft.com/Forums/sqlserver/en-US/8dec1108-e222-4521-b4ff-c8f551d09760/how-can-i-choose-from-multiple-smartcard-readers-and-install-to-an-existing-capi-container-with?forum=windowssecurity */

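    // Sizes of the narrow (ANSI) copies handed to the legacy CryptoAPI calls.
    enum { ESM_NAME_MAX = 512, ESM_PIN_MAX = 64 };

    /*
     * Erases (empties) the smart card in the given reader through PKCS#11.
     * The implementation is elided in the original post; only the TRUE result
     * is shown there.
     */
    BOOL eraseSmartCard (LPCSTR smartCardReaderName, LPCSTR userPin)
    {
        // Using PKCS11 to erase or empty the smartcard

        // .....

        return TRUE;
    }

    /*
     * Converts a NUL-terminated wide string into a caller-supplied narrow buffer.
     * Returns TRUE only when the whole string, terminator included, fits; on
     * failure the buffer is wiped so that no partial secret is left behind.
     */
    static BOOL esm_wideToNarrow (LPCWSTR src, char *dst, size_t dstSize)
    {
        if (src == NULL || dst == NULL || dstSize == 0)
            return FALSE;

        // cchWideChar = -1 makes the API copy the terminator too; it returns 0
        // (ERROR_INSUFFICIENT_BUFFER) instead of writing past dstSize.
        if (WideCharToMultiByte(CP_ACP, 0, src, -1, dst, (int)dstSize, NULL, NULL) == 0) {
            SecureZeroMemory(dst, dstSize);
            return FALSE;
        }
        return TRUE;
    }

    /*
     * Erases the card, then creates a new key set container on it through the
     * legacy CryptoAPI and presents the user PIN for both key specs.
     *
     * Returns TRUE on success. On failure returns FALSE and leaves the failing
     * call's error code available through GetLastError().
     *
     * NOTE(review): only the container is created here. No key pair is generated
     * in this listing (there is no CryptGenKey call), so a later attempt to open
     * an *existing* key in this container may find none, while a later attempt
     * to *create* one finds the container already present. This matches the two
     * errors reported in the post, but confirm against the CSP.
     */
    BOOL createSmartCardKeyContainer (LPCSTR containerName, LPCSTR CSPName, LPCSTR smartCardReaderName, LPCSTR userPin)
    {
        HCRYPTPROV CryptoProvider = 0;
        BOOL       bRet           = FALSE;
        DWORD      lastError      = ERROR_SUCCESS;

        if (containerName == NULL || CSPName == NULL || userPin == NULL) {
            SetLastError(ERROR_INVALID_PARAMETER);
            return FALSE;
        }

        // Erasing is destructive and everything below assumes an empty card,
        // so a failed erase must stop the sequence instead of being ignored.
        if (!eraseSmartCard (smartCardReaderName, userPin))
            return FALSE;

        // 1. Create key set container
        // The parameters are narrow strings, so call the ANSI entry point
        // explicitly; the generic name maps to the wide one in UNICODE builds.
        bRet = CryptAcquireContextA (&CryptoProvider, containerName, CSPName, PROV_RSA_FULL, CRYPT_NEWKEYSET | CRYPT_SILENT);
        if (bRet == FALSE) goto leave;

        // 2. Set pincode to avoid UI pin prompt
        /* https://stackoverflow.com/questions/36714111/what-is-an-analog-cryptsetprovparampp-signature-pin-analog-in-cryptoapi-ng */
        // NOTE(review): the PIN is presented on this provider handle, which is
        // released below; presumably it does not carry over to the CertEnroll
        // objects created later. Verify with the CSP vendor.
        bRet = CryptSetProvParam (CryptoProvider, PP_KEYEXCHANGE_PIN, (const BYTE*)userPin, 0);
        if (bRet == FALSE) goto leave;

        bRet = CryptSetProvParam (CryptoProvider, PP_SIGNATURE_PIN, (const BYTE*)userPin, 0);

    leave:
        // CryptReleaseContext may overwrite the thread's last error; keep the
        // code of the call that actually failed for the caller.
        lastError = GetLastError();
        if (CryptoProvider != 0)
            CryptReleaseContext (CryptoProvider, 0);
        SetLastError(lastError);
        return bRet;
    }

    /*
     * Creates a key container on the smart card, binds an IX509PrivateKey to it
     * and initializes a PKCS#10 request object from that key.
     *
     * wszCSPName       - CSP name (e.g. "Charismathics Smart Security Interface CSP").
     * wszContainerName - container name handed to CryptoAPI, in the post
     *                    "\\.\<reader>\<guid>".
     * wszUserPin       - user PIN of the card.
     *
     * Returns S_OK on success, otherwise the HRESULT of the first failing step
     * (the original always returned S_OK, which hid every error). Every COM
     * object, BSTR and PIN copy made here is released or wiped before returning,
     * and the COM initialization done here is balanced.
     *
     * Inspired from :
     * http://www.wou.edu/~rvitolo06/WATK/Demos/HPCImageRendering/code/ImageRendering/AppConfigure/CertificateGenerator.cs
     * https://blogs.msdn.microsoft.com/alejacma/2008/09/05/how-to-create-a-certificate-request-with-certenroll-and-net-c/
     */
    HRESULT esm_privateKeyInitialize (LPCWSTR wszCSPName, LPCWSTR wszContainerName, LPCWSTR wszUserPin)
    {
        // Sample values from the post. The full container name on the card is
        // \\.\Gemalto USB Smart Card Reader 1\e965e141-ccba-490b-9b27-39b6c08bb0a3
        static const char  szReaderName[]  = "Gemalto USB Smart Card Reader 1";
        static const WCHAR wszReaderName[] = L"Gemalto USB Smart Card Reader 1";
        static const WCHAR wszKeyName[]    = L"e965e141-ccba-490b-9b27-39b6c08bb0a3";
        // Four backslashes are needed in the literal to produce the leading
        // "\\" of "\\.\"; the original literal yielded "\.\".
        static const WCHAR wszNamePrefix[] = L"\\\\.\\Gemalto USB Smart Card Reader 1\\";

        HRESULT hr = S_OK;
        BOOL    comInitialized = FALSE;

        IX509CertificateRequestPkcs10* pPkcs10     = NULL;
        IX509PrivateKey*               pPrivateKey = NULL;
        ICspInformation*               objCSP      = NULL;
        ICspInformations*              objCSPs     = NULL;

        BSTR bstrCSPName             = NULL;
        BSTR bstrSmartCardReadName   = NULL;
        BSTR bstrContainerNamePrefix = NULL;
        BSTR bstrContainerName       = NULL;
        BSTR bstrUserPin             = NULL;

        char containerName[ESM_NAME_MAX] = { 0 };
        char CSPName[ESM_NAME_MAX]       = { 0 };
        char userPin[ESM_PIN_MAX]        = { 0 };

        if (wszCSPName == NULL || wszContainerName == NULL || wszUserPin == NULL) {
            hr = E_INVALIDARG;
            goto leave;
        }

        // Bounded conversions: the original used sprintf("%S") into fixed
        // buffers, including a 10-byte PIN buffer, with no length check.
        if (!esm_wideToNarrow(wszCSPName, CSPName, sizeof CSPName) ||
            !esm_wideToNarrow(wszContainerName, containerName, sizeof containerName) ||
            !esm_wideToNarrow(wszUserPin, userPin, sizeof userPin)) {
            hr = E_INVALIDARG;
            goto leave;
        }

        // bstrContainerName is allocated once; the original allocated it twice
        // and leaked the first copy.
        bstrCSPName             = SysAllocString(wszCSPName);
        bstrUserPin             = SysAllocString(wszUserPin);
        bstrSmartCardReadName   = SysAllocString(wszReaderName);
        bstrContainerName       = SysAllocString(wszKeyName);
        bstrContainerNamePrefix = SysAllocString(wszNamePrefix);
        if (bstrCSPName == NULL || bstrUserPin == NULL || bstrSmartCardReadName == NULL ||
            bstrContainerName == NULL || bstrContainerNamePrefix == NULL) {
            hr = E_OUTOFMEMORY;
            goto leave;
        }

        // 1. Create key set container
        if (!createSmartCardKeyContainer (containerName, CSPName, szReaderName, userPin)) {
            hr = HRESULT_FROM_WIN32(GetLastError());
            if (SUCCEEDED(hr)) hr = E_FAIL;   // failure reported without an error code
            goto leave;
        }

        // 2. Initialize the COM
        hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
        if (FAILED(hr)) goto leave;
        comInitialized = TRUE;   // S_OK and S_FALSE both require CoUninitialize

        // 3. Create a private key object
        hr = CoCreateInstance( __uuidof(CX509PrivateKey), NULL, CLSCTX_INPROC_SERVER,
                               __uuidof(IX509PrivateKey), (void **) &pPrivateKey);
        if (FAILED(hr)) goto leave;   // the original dereferenced pPrivateKey unchecked

        // 4. Initialize the private key settings
        hr = pPrivateKey->put_ProviderName (bstrCSPName);
        if (FAILED(hr)) goto leave;
        hr = pPrivateKey->put_ReaderName (bstrSmartCardReadName);
        if (FAILED(hr)) goto leave;
        hr = pPrivateKey->put_ContainerName (bstrContainerName);
        if (FAILED(hr)) goto leave;
        // NOTE(review): ContainerNamePrefix is documented as the prefix used when
        // a name is generated for a *new* key; it probably has no effect together
        // with Existing = TRUE. Confirm, and make sure the name given here
        // resolves to the same container that CryptoAPI created above.
        hr = pPrivateKey->put_ContainerNamePrefix (bstrContainerNamePrefix);
        if (FAILED(hr)) goto leave;
        hr = pPrivateKey->put_Existing (VARIANT_TRUE); // see X509RequestInheritOptions enumeration, InheritPrivateKey
        if (FAILED(hr)) goto leave;
        // KeySpec holds one value: the original set XCN_AT_KEYEXCHANGE and then
        // immediately replaced it with XCN_AT_SIGNATURE, so only the effective
        // assignment is kept.
        hr = pPrivateKey->put_KeySpec (XCN_AT_SIGNATURE);
        if (FAILED(hr)) goto leave;
        // NOTE(review): XCN_NCRYPT_ALLOW_ALL_USAGES is a CNG usage flag and grants
        // every usage; with a legacy XCN_PROV_RSA_FULL provider it may be ignored.
        // Narrow it to the usages the certificate needs if it is honoured.
        hr = pPrivateKey->put_KeyUsage (XCN_NCRYPT_ALLOW_ALL_USAGES);
        if (FAILED(hr)) goto leave;
        hr = pPrivateKey->put_ProviderType (XCN_PROV_RSA_FULL);
        if (FAILED(hr)) goto leave;
        hr = pPrivateKey->put_Silent (VARIANT_TRUE);
        if (FAILED(hr)) goto leave;
        hr = pPrivateKey->put_Pin (bstrUserPin);
        if (FAILED(hr)) goto leave;
        hr = pPrivateKey->put_MachineContext (VARIANT_FALSE);
        if (FAILED(hr)) goto leave;

        // I'm not sure if the following CSP init is required since we have
        // declared above: pPrivateKey->put_ProviderName (bstrCSPName);
        hr = CoCreateInstance( __uuidof(CCspInformations), NULL, CLSCTX_INPROC_SERVER,
                               __uuidof(ICspInformations), (void **) &objCSPs);
        if (FAILED(hr)) goto leave;
        hr = CoCreateInstance( __uuidof(CCspInformation), NULL, CLSCTX_INPROC_SERVER,
                               __uuidof(ICspInformation), (void **) &objCSP);
        if (FAILED(hr)) goto leave;
        hr = objCSP->InitializeFromName (bstrCSPName);
        if (FAILED(hr)) goto leave;
        hr = objCSPs->Add (objCSP);
        if (FAILED(hr)) goto leave;
        hr = pPrivateKey->put_CspInformations (objCSPs);
        if (FAILED(hr)) goto leave;

        // Will call open to use the existing key as it's mentioned in MSDN
        // NOTE(review): VerifyAllowUI contradicts Silent = TRUE set above; pick
        // one policy for PIN prompting.
        hr = pPrivateKey->Verify (VerifyAllowUI);   // fails in the post
        if (FAILED(hr)) goto leave;

        hr = pPrivateKey->Open();   // error in the post: Key does not exist.
        if (FAILED(hr)) goto leave;

        // hr = pPrivateKey->Create(); // error in the post: The file exists.
        // if (FAILED(hr)) goto leave;

        // 5. Create IX509CertificateRequestPkcs10
        hr = CoCreateInstance( __uuidof(CX509CertificateRequestPkcs10), NULL, CLSCTX_INPROC_SERVER,
                               __uuidof(IX509CertificateRequestPkcs10), (void **) &pPkcs10);
        if (FAILED(hr)) goto leave;

        // 6. Initialize pPkcs10 using the private key
        hr = pPkcs10->InitializeFromPrivateKey (ContextUser, pPrivateKey, NULL);

    leave:
        // Interfaces must be released before COM is uninitialized.
        if (pPkcs10 != NULL)     pPkcs10->Release();
        if (objCSP != NULL)      objCSP->Release();
        if (objCSPs != NULL)     objCSPs->Release();
        if (pPrivateKey != NULL) pPrivateKey->Release();

        // Wipe every copy of the PIN before its memory is returned.
        SecureZeroMemory(userPin, sizeof userPin);
        if (bstrUserPin != NULL)
            SecureZeroMemory(bstrUserPin, SysStringByteLen(bstrUserPin));

        // SysFreeString accepts NULL.
        SysFreeString(bstrUserPin);
        SysFreeString(bstrCSPName);
        SysFreeString(bstrSmartCardReadName);
        SysFreeString(bstrContainerName);
        SysFreeString(bstrContainerNamePrefix);

        if (comInitialized)
            CoUninitialize();

        return hr;
    }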


    Sunday, June 25, 2017 1:14 AM