[xmlsec] RE: Entrust CSP and XMLSec mscrypto - Part 5

Wouter wsh333 at gmail.com
Sat Sep 16 13:09:22 PDT 2006


Hi all,

I think that this should be added to the code base. It will at least 
give a higher chance the mscrypto keystore will find the correct key. 
Looking at the code I'm not sure I would enumerate the certificate 
properties, but rather try to fetch the "Friendly name prop" directly, 
if that's possible. Ed, did you test this approach with your Entrust 
sample already?

Wouter

Ed Shallow wrote:
>
> Hi Guys,
>
> Perhaps adding another cert find attempt. Something like the following
>
> in xmlSecMSCryptoKeysStoreFindCert ...
>
>  
>
> Current 1st attempt
>
>     /* first attempt: search by cert id == name */
>
>  
>
> Current 2nd attempt
>
>     /* We don't give up easily, now try to fetch the cert with a full 
> blown
>
>      * subject dn
>
>      */
>
>  
>
> Current 3rd attempt
>
>     /* We don't give up easily, now try to fetch the cert with a full 
> blown
>
>      * subject dn, and try with a reversed dn
>
>      */
>
>  
>
> Here we could add a 4th attempt which loops through the store's 
> certificates and for each context loops through the properties looking 
> for the Friendly Name and then return this cert context if Friendly 
> Name matches.
>
>  
>
> while(pCertContext= CertEnumCertificatesInStore(
>
>      hStoreHandle,
>
>      pCertContext))
>
> {
>
> //-------------------------------------------------------------------
>
> // Loop to find all of the property identifiers for the specified 
>
> // certificate. The loop continues until
>
> // CertEnumCertificateContextProperties returns zero.
>
>  
>
>     while(dwPropId = CertEnumCertificateContextProperties(
>
>            pCertContext, // The context whose properties are to be listed.
>
>            dwPropId))    // Number of the last property found. 
>
>                      // This must be zero to find the first
>
>                      // property identifier.
>
>     {
>
>  
>
> // Use a switch in case we want to test for other properties in the future
>
> // Wouter I think one could replace the loop thru the Properties above 
> with
>
> // a direct call to CertGetCertificateContextProperty specifying 
> CERT_FRIENDLY_NAME_PROP_ID
>
> // as the dwPropId argument. You may try this method if you like it 
> better. Ed
>
>  
>
>        switch(dwPropId)
>
>        {
>
>          case CERT_FRIENDLY_NAME_PROP_ID:
>
>          {
>
> // We found our property identifier
>
>            break;
>
>          }
>
>        } // End switch.
>
>  
>
> //-------------------------------------------------------------------
>
> // Retrieve information on the property by first getting the
>
> // property size.
>
>  
>
>        if(CertGetCertificateContextProperty(
>
>              pCertContext,
>
>              dwPropId ,
>
>              NULL,
>
>              &cbData))
>
>         {
>
>         //  Continue.
>
>         }
>
>         else { 
>
> // If the first call to the function failed,
>
> // exit to an error routine.
>
>           xmlSecError(XMLSEC_ERRORS_HERE, ……
>
>         }
>
> //-------------------------------------------------------------------
>
> // The call succeeded. Use the size to allocate memory
>
> // for the property.
>
>   
>
>         if(pvData = (void*)malloc(cbData)) {
>
>         // Memory is allocated. Continue.
>
>         }
>
>         else {
>
>         // If memory allocation failed, exit to an error routine.
>
>            xmlSecError(XMLSEC_ERRORS_HERE, ……
>
>         }
>
>         // Allocation succeeded. Retrieve the property data.
>
>   
>
>         if(CertGetCertificateContextProperty(
>
>             pCertContext,
>
>             dwPropId,
>
>             pvData,
>
>             &cbData)) {
>
>             if (pvData == name) {          // is it name which 
> contains the incoming <KeyName>?
>
>                 return pCertContext;
>
>             }
>
>         }
>
>         else {
>
>         // If an error occurred in the second call,
>
>         // exit to an error routine.
>
>           xmlSecError(XMLSEC_ERRORS_HERE, ……
>
>         }
>
>         //----------------------------------------------------------------
>
>         // Free the certificate context property memory.  
>
>         free(pvData);                        // or is it xmlFree(pvData)
>
>     }   // End inner while.
>
> } // End outer while.
>
>  
>
> Ed
>
>  
>
> -----Original Message-----
> From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] 
> On Behalf Of Aleksey Sanin
> Sent: Saturday, September 16, 2006 12:56 PM
> To: Ed Shallow
> Cc: 'Wouter'; xmlsec at aleksey.com
> Subject: Re: [xmlsec] RE: Entrust CSP and XMLSec mscrypto - Part 4
>
>  
>
> > I can see in the code that Wouter is already trying several options to
>
> > get certificates out using the <KeyName> string., this would simply be
>
> > one more.
>
> >
>
> > I would vote for 1) above.
>
> >
>
> > Would do you think ?
>
>  
>
> Sounds good to me... Though, I can not say I am an expert
>
> on MSCrypto API to understand the "little details" :) You know
>
> that I love patches, don't you? :) :) :)
>
>  
>
> Aleksey
>
>  
>
> _______________________________________________
>
> xmlsec mailing list
>
> xmlsec at aleksey.com
>
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>  
>
> -- 
>
> No virus found in this incoming message.
>
> Checked by AVG Free Edition.
>
> Version: 7.1.405 / Virus Database: 268.12.4/449 - Release Date: 9/15/2006
>
>  
>
>
> --
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.1.405 / Virus Database: 268.12.4/449 - Release Date: 9/15/2006
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20060916/6b15938c/attachment-0001.htm


More information about the xmlsec mailing list