[xmlsec] RE: Entrust CSP and XMLSec mscrypto - Part 5
Ed Shallow
ed.shallow at rogers.com
Sun Sep 17 19:31:25 PDT 2006
Thanks Wouter,
I'll try it out in the next 24 hours against the Entrust CSP and let
you know. Thanks loads ; )
Ed
_____
From: Wouter [mailto:wsh333 at gmail.com]
Sent: Sunday, September 17, 2006 9:34 AM
To: Ed Shallow
Cc: 'Aleksey Sanin'; xmlsec at aleksey.com
Subject: Re: [xmlsec] RE: Entrust CSP and XMLSec mscrypto - Part 5
Hi Ed,
Could you try the patch attached to this message? MSCrypto default keysstore
now looks up certificates with FriendlyName values as well. The lookup for
FriendlyName is case sensitive. I've tested the code myself, and
certificates I have in my local personal keystore are found successfully
with a given "friendlyname". Theoretically this should also work with
Entrust in your situation, but it would be nice if you could test it as
well.
Wouter
PS I've also attached the complete (and patched) src/mscrypto/keysstore.c,
since windows does not have a patch utility by default, it might be easier
for testing.
Ed Shallow wrote:
Hi Wouter,
Yes the direct fetch does look cleaner. The attached is really just
pseudo code I borrowed and modified from MSDN. I can send you another
snippet using the direct CertGetCertificateContextProperty, but I'd rather
let you do the polishing, testing, and check-in.
There are only 2 new API calls here and this really is not a big change.
Over to you Wouter. Are you willing to take a shot at it?
Ed
_____
From: Wouter [mailto:wsh333 at gmail.com]
Sent: Saturday, September 16, 2006 4:09 PM
To: Ed Shallow
Cc: 'Aleksey Sanin'; xmlsec at aleksey.com
Subject: Re: [xmlsec] RE: Entrust CSP and XMLSec mscrypto - Part 5
Hi all,
I think that this should be added to the code base. It will at least give a
higher chance the mscrypto keystore will find the correct key. Looking at
the code I'm not sure I would enumerate the certificate properties, but
rather try to fetch the "Friendly name prop" directly, if that's possible.
Ed, did you test this approach with your Entrust sample already?
Wouter
Ed Shallow wrote:
Hi Guys,
Perhaps adding another cert find attempt. Something like the following
in xmlSecMSCryptoKeysStoreFindCert ...
Current 1st attempt
/* first attempt: search by cert id == name */
Current 2nd attempt
/* We don't give up easily, now try to fetch the cert with a full blown
* subject dn
*/
Current 3rd attempt
/* We don't give up easily, now try to fetch the cert with a full blown
* subject dn, and try with a reversed dn
*/
Here we could add a 4th attempt which loops through the store's certificates
and for each context loops through the properties looking for the Friendly
Name and then return this cert context if Friendly Name matches.
    /* 4th attempt: look for a certificate whose FriendlyName property equals
     * the incoming <KeyName>. Assumes hStoreHandle (HCERTSTORE) and name
     * (const xmlChar*, UTF-8) from the surrounding function; needs
     * <windows.h>, <wincrypt.h> and <wchar.h>. */
    PCCERT_CONTEXT pCertContext = NULL;
    DWORD dwPropId;
    DWORD cbData;
    void* pvData;
    LPWSTR wName;
    int wLen;

    /* The friendly name property is a NUL-terminated Unicode string while
     * <KeyName> arrives as UTF-8, so convert the name once, up front. */
    wLen = MultiByteToWideChar(CP_UTF8, 0, (LPCSTR)name, -1, NULL, 0);
    if(wLen <= 0) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                    NULL,
                    "MultiByteToWideChar",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
                    XMLSEC_ERRORS_NO_MESSAGE);
        return(NULL);
    }
    wName = (LPWSTR)malloc(wLen * sizeof(WCHAR));
    if(wName == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                    NULL,
                    NULL,
                    XMLSEC_ERRORS_R_MALLOC_FAILED,
                    "size=%d", (int)(wLen * sizeof(WCHAR)));
        return(NULL);
    }
    MultiByteToWideChar(CP_UTF8, 0, (LPCSTR)name, -1, wName, wLen);

    while((pCertContext = CertEnumCertificatesInStore(hStoreHandle, pCertContext)) != NULL) {
        //-------------------------------------------------------------------
        // Loop to find all of the property identifiers for the specified
        // certificate. The loop continues until
        // CertEnumCertificateContextProperties returns zero. dwPropId must
        // be zero to find the first property identifier.
        dwPropId = 0;
        while((dwPropId = CertEnumCertificateContextProperties(pCertContext, dwPropId)) != 0) {
            // Use a switch in case we want to test for other properties in the future
            // Wouter I think one could replace the loop thru the Properties above with
            // a direct call to CertGetCertificateContextProperty specifying
            // CERT_FRIENDLY_NAME_PROP_ID
            // as the dwPropId argument. You may try this method if you like it better.
            // Ed
            switch(dwPropId) {
            case CERT_FRIENDLY_NAME_PROP_ID:
                // We found our property identifier; handle it below.
                break;
            default:
                // Not the property we are after; go on to the next one.
                continue;
            } // End switch.
            //-------------------------------------------------------------------
            // Retrieve information on the property by first getting the
            // property size.
            cbData = 0;
            if(!CertGetCertificateContextProperty(pCertContext, dwPropId, NULL, &cbData)) {
                // If the first call to the function failed,
                // exit to an error routine.
                xmlSecError(XMLSEC_ERRORS_HERE,
                            NULL,
                            "CertGetCertificateContextProperty",
                            XMLSEC_ERRORS_R_CRYPTO_FAILED,
                            XMLSEC_ERRORS_NO_MESSAGE);
                goto error;
            }
            //-------------------------------------------------------------------
            // The call succeeded. Use the size to allocate memory
            // for the property.
            pvData = malloc(cbData);
            if(pvData == NULL) {
                // If memory allocation failed, exit to an error routine.
                xmlSecError(XMLSEC_ERRORS_HERE,
                            NULL,
                            NULL,
                            XMLSEC_ERRORS_R_MALLOC_FAILED,
                            "size=%d", (int)cbData);
                goto error;
            }
            // Allocation succeeded. Retrieve the property data.
            if(!CertGetCertificateContextProperty(pCertContext, dwPropId, pvData, &cbData)) {
                // If an error occurred in the second call,
                // exit to an error routine.
                xmlSecError(XMLSEC_ERRORS_HERE,
                            NULL,
                            "CertGetCertificateContextProperty",
                            XMLSEC_ERRORS_R_CRYPTO_FAILED,
                            XMLSEC_ERRORS_NO_MESSAGE);
                free(pvData);
                goto error;
            }
            // pvData now holds the NUL-terminated Unicode friendly name.
            // Compare the contents (case-sensitive), not the pointers: is it
            // the name which contains the incoming <KeyName>?
            if(wcscmp((LPCWSTR)pvData, wName) == 0) {
                free(pvData);
                free(wName);
                return(pCertContext); // caller releases it with CertFreeCertificateContext
            }
            //----------------------------------------------------------------
            // Free the certificate context property memory (free() pairs with
            // the malloc() above; xmlFree() would pair with xmlMalloc()).
            free(pvData);
        } // End inner while.
    } // End outer while.

    // Enumeration finished without a match; hand back to the surrounding
    // function's "cert not found" handling.
    free(wName);
    return(NULL);

error:
    // Error routine: when we bail out early the enumeration context is still
    // live and must be released, as must the converted name on every path.
    if(pCertContext != NULL) {
        CertFreeCertificateContext(pCertContext);
    }
    free(wName);
    return(NULL);
Ed
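Wouter's patch makes the FriendlyName lookup case sensitive, and Ed's fourth attempt returns the first certificate whose friendly name matches, so before relying on <KeyName> a deployer wants to know whether the name in the store is unique and whether its case matches. The PowerShell script below is an added diagnostic for exactly that check; it is not code from this thread or from xmlsec, and $KeyName and the store path are assumptions (mscrypto opens the personal "MY" store, which is Cert:\CurrentUser\My here).

```powershell
# Added diagnostic, not part of the xmlsec patch or this thread's code.
# Reports which certificates in the personal store the proposed
# friendly-name lookup would match for a given <KeyName>, and flags the
# two ways the lookup silently goes wrong: duplicate friendly names
# (enumeration order decides which cert is used) and names that differ
# only in case (missed by the case-sensitive compare).
param(
    [string]$KeyName   = 'My Signing Key',       # assumed <KeyName> value
    [string]$StorePath = 'Cert:\CurrentUser\My'  # assumed store; mscrypto uses "MY"
)

$certs = @(Get-ChildItem -Path $StorePath)

# Exact, case-sensitive match: what the 4th lookup attempt would return.
$exact = @($certs | Where-Object { $_.FriendlyName -ceq $KeyName })

# Case-insensitive match only: present in the store, but not found by
# a case-sensitive lookup.
$caseOnly = @($certs | Where-Object {
    $_.FriendlyName -ieq $KeyName -and $_.FriendlyName -cne $KeyName
})

# Any friendly name shared by more than one certificate is ambiguous.
$dupes = @($certs |
    Where-Object { $_.FriendlyName } |
    Group-Object -Property FriendlyName |
    Where-Object { $_.Count -gt 1 })

Write-Host "Certificates whose FriendlyName equals '$KeyName' (case-sensitive): $($exact.Count)"
if ($exact.Count -eq 0) {
    Write-Warning "No certificate carries this friendly name; the lookup will fail."
}
if ($exact.Count -gt 1) {
    Write-Warning "Ambiguous: $($exact.Count) certificates share this friendly name."
}
if ($caseOnly.Count -gt 0) {
    Write-Warning "$($caseOnly.Count) certificate(s) match only case-insensitively and will not be found."
}
foreach ($g in $dupes) {
    Write-Warning "Friendly name '$($g.Name)' is used by $($g.Count) certificates."
}

# Show the candidates with the details needed to tell them apart.
$certs | Where-Object { $_.FriendlyName -ieq $KeyName } |
    Select-Object FriendlyName, Subject, Thumbprint, HasPrivateKey, NotAfter |
    Format-Table -AutoSize
```

HasPrivateKey is listed because a certificate found by friendly name is only useful for signing if the CSP also holds its private key.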
-----Original Message-----
From: xmlsec-bounces at aleksey.com [mailto:xmlsec-bounces at aleksey.com] On
Behalf Of Aleksey Sanin
Sent: Saturday, September 16, 2006 12:56 PM
To: Ed Shallow
Cc: 'Wouter'; xmlsec at aleksey.com
Subject: Re: [xmlsec] RE: Entrust CSP and XMLSec mscrypto - Part 4
> I can see in the code that Wouter is already trying several options to
> get certificates out using the <KeyName> string; this would simply be
> one more.
>
> I would vote for 1) above.
>
> What do you think?
Sounds good to me... Though, I can not say I am an expert
on MSCrypto API to understand the "little details" :) You know
that I love patches, don't you? :) :) :)
Aleksey
_______________________________________________
xmlsec mailing list
xmlsec at aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec