SignerInfo vs LDAP

  • Question

  • Hi, 

    When using the UnsignedAttributes of the System.Security.Cryptography.Pkcs.SignerInfo, this triggers many LDAP / SASL network requests, which could end in a timeout?

    This behavior is very surprising. How could we disable it?

    Thanks & Best regards,

    JP

    Tuesday, July 21, 2015 10:05 AM

Answers

  • Hi Kristin,

    I've finally found the issue. It comes from the implementation of SignerInfo that creates OIDs. When manipulating/creating OIDs, the implementation calls CryptFindOIDInfo without setting CRYPT_OID_DISABLE_SEARCH_DS_FLAG. So, if the OID is not well known by Windows, it will try to find the definition on the network through LDAP. In case of network failure, this leads to a timeout (60s), which is not acceptable in my application.

    I found a workaround, which consists of preregistering the OID in the registry. But it would be better if the .NET implementation avoided this kind of issue.

    Thanks & Best regards,

    JP

    Wednesday, July 22, 2015 2:20 PM
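    The workaround described above, as an added example that is not code from the thread or from .NET itself: it pre-registers an OID in the local CryptFindOIDInfo table through the crypt32 API (which is what writing the registry entry by hand achieves), and checks the result with a lookup that carries CRYPT_OID_DISABLE_SEARCH_DS_FLAG so the check itself can never reach the network. The OID value and friendly name are constructed placeholders; the program must run elevated on Windows because the registration is machine-wide.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example (not from the thread). Registers a custom OID locally so that
// lookups which omit CRYPT_OID_DISABLE_SEARCH_DS_FLAG (the .NET Oid/SignerInfo
// path discussed above) find it in the registry instead of querying LDAP/AD.
static class OidPreregistration
{
    const uint CRYPT_OID_INFO_OID_KEY = 1;
    const uint CRYPT_EXT_OR_ATTR_OID_GROUP_ID = 6;          // extension/attribute OIDs
    const uint CRYPT_OID_DISABLE_SEARCH_DS_FLAG = 0x80000000;
    const uint CRYPT_INSTALL_OID_INFO_BEFORE_FLAG = 1;

    [StructLayout(LayoutKind.Sequential)]
    struct CRYPT_OID_INFO
    {
        public uint cbSize;
        [MarshalAs(UnmanagedType.LPStr)] public string pszOID;
        [MarshalAs(UnmanagedType.LPWStr)] public string pwszName;
        public uint dwGroupId;
        public uint dwValue;   // union { dwValue; Algid; dwLength }
        public uint cbData;    // ExtraInfo.cbData
        public IntPtr pbData;  // ExtraInfo.pbData
    }

    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CryptRegisterOIDInfo(ref CRYPT_OID_INFO pInfo, uint dwFlags);

    [DllImport("crypt32.dll")]
    static extern IntPtr CryptFindOIDInfo(uint dwKeyType,
        [MarshalAs(UnmanagedType.LPStr)] string pvKey, uint dwGroupId);

    // Local-only lookup: the DS flag guarantees no directory request is made.
    static bool IsKnownLocally(string oid) =>
        CryptFindOIDInfo(CRYPT_OID_INFO_OID_KEY, oid,
                         CRYPT_OID_DISABLE_SEARCH_DS_FLAG) != IntPtr.Zero;

    static void Register(string oid, string friendlyName)
    {
        var info = new CRYPT_OID_INFO
        {
            cbSize = (uint)Marshal.SizeOf(typeof(CRYPT_OID_INFO)),
            pszOID = oid, pwszName = friendlyName,
            dwGroupId = CRYPT_EXT_OR_ATTR_OID_GROUP_ID,
        };
        if (!CryptRegisterOIDInfo(ref info, CRYPT_INSTALL_OID_INFO_BEFORE_FLAG))
            throw new Win32Exception(Marshal.GetLastWin32Error());   // e.g. not elevated
    }

    static void Main(string[] args)
    {
        const string oid = "1.3.6.1.4.1.99999.1.1";   // constructed placeholder OID
        if (args.Length > 0 && args[0] == "register") Register(oid, "My unsigned attribute");
        Console.WriteLine($"{oid} known locally: {IsKnownLocally(oid)}");
    }
}
```

    Run it once with `register` (elevated), then again without arguments: crypt32 may cache the OID table per process, so the confirming lookup is best done in a fresh process.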

All replies

  • Hi JP,

    I am sorry, I do not know LDAP / SASL networking well. Could you elaborate on your scenario? Why could this behavior end in a timeout? Do you have any code to reproduce this issue?

    I would suggest you provide a simplified sample of this issue; it would help us to figure out the root cause.

    Thanks,

    Regards,




    • Edited by Kristin Xie Wednesday, July 22, 2015 7:30 AM
    Wednesday, July 22, 2015 7:29 AM
  • Hi JP,

    Glad to hear you worked it out, and thanks for sharing your solution here. It could be helpful for someone who has the same issue.

    Best regards,

    Kristin



    Thursday, July 23, 2015 1:18 AM