[xmlsec] RE: Entrust CSP and XMLSec mscrypto - Part 3
Wouter
wsh333 at gmail.com
Fri Sep 15 12:11:49 PDT 2006
Hi Ed,
I can follow your reasoning (a bit), and it could be the cause; however,
when you try to use a key which is marked for signing (AT_SIGNATURE) for
decrypting, you get the following error (if I remember correctly): "Bad Key".
The error you got looks more like the Entrust CSP does not support the
following function: CryptDuplicateKey, which makes sense for a private
key on a token, but not for a public key on a certificate.
CryptDuplicateKey is also not supported on NT 4 systems (as I see in
some comments of the mscrypto code), so perhaps you should try to build
an XMLSEC_MSCRYPTO_NT4-enabled version of the library, to get more
success....
Wouter
Ed Shallow wrote:
>
> Aleksey,
>
> I have a hunch. Consider this which I observe with the 2-key pair
> philosophy used by Entrust.
>
> - their proprietary KeyStore sits on the file system as an .epf file
> which they call a Profile
>
> - they have a standard Microsoft CAPI-compliant CSP which hides this
> proprietary-ness from Windows apps like Outlook and other CAPI
> applications (like XMLSec mscrypto)
>
> - after you install their CSP and you login to their Profile the CSP
> adds 3 certificates to the MS Crypto Store
>
> - 1 signing key/cert, 1 encryption key/cert, and the public issuer's
> root to the Trusted Authorities
>
> - Now the specific thing to note here is that both the signing cert
> and the encryption cert have the exact same RDN i.e. CN=..., O=...,
> OU=..., C=... even the CN= sub-fields are identical
>
> - they do differ in 2 respects and this is what makes them legitimate:
>
> - their KeyUsage is different since one is for signature and
> the other for encipherment
>
> - their Friendly Names are different but Wouter doesn't
> search on that
>
> - the MS Crypto Store allows duplicate certificate names since they
> legitimately may be for different purposes
>
> - Microsoft calls these different purposes AT_SIGNATURE and
> AT_KEYEXCHANGE and you can get them with a GetKeySpecFromKPI call to
> MS CAPI
>
> - I believe the mscrypto code may be checking for duplicates but not
> checking for key purpose
>
> - if the 2 certs have the same name, but one is for signing and the
> other for encryption that should be OK
>
> - I can't delete one and re-test to corroborate this because the
> Entrust CSP puts it back if you try to remove it!!!
>
> Can you substantiate this in the mscrypto code? Sorry I can barely
> follow it.
>
> Ed
>
> ------------------------------------------------------------------------
>
> *From:* Ed Shallow [mailto:ed.shallow at rogers.com]
> *Sent:* Friday, September 15, 2006 11:16 AM
> *To:* 'xmlsec at aleksey.com'
> *Subject:* Entrust CSP amd XMLSec mscrypto - Part 2
>
> Aleksey,
>
> Here is some more to go on. The Encrypt works. mscrypto support
> using the <KeyName> populated with the CN= field of the certificate works.
>
> So mscrypto manages to find the certificate when reaching into
> the MS Crypto Store for the Encrypt operation.
>
> However when I send this encrypted file (attached) back in on a
> Decrypt, I get the following. This should have worked.
>
>
>
> C:\XMLSec>xmlsec decrypt --crypto mscrypto --output inout/decrypted-3des-kt-rsa-cert-Entrust.xml inout/encrypted-3des-kt-rsa-cert-Entrust.xml
>
> func=xmlSecMSCryptoKeyDataCtxDuplicateKey:file=..\src\mscrypto\certkeys.c:line=182:obj=unknown:subj=CryptDuplicateKey:error=4:crypto library function failed: ;last error=120 (0x00000078);last error msg=This function is not supported on this system.
>
> func=xmlSecMSCryptoKeyDataDuplicate:file=..\src\mscrypto\certkeys.c:line=621:obj=rsa:subj=xmlSecMSCryptoKeyDataCtxDuplicateKey:error=1:xmlsec library function failed: ;last error=120 (0x00000078);last error msg=This function is not supported on this system.
>
> func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
>
> func=xmlSecEncCtxEncDataNodeRead:file=..\src\xmlenc.c:line=885:obj=unknown:subj=unknown:error=45:key is not found: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
>
> func=xmlSecEncCtxDecryptToBuffer:file=..\src\xmlenc.c:line=643:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
>
> func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
>
> func=xmlSecEncCtxEncDataNodeRead:file=..\src\xmlenc.c:line=885:obj=unknown:subj=unknown:error=45:key is not found: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
>
> func=xmlSecEncCtxDecryptToBuffer:file=..\src\xmlenc.c:line=643:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
>
> func=xmlSecEncCtxDecrypt:file=..\src\xmlenc.c:line=582:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
>
> Error: failed to decrypt file
>
> Error: failed to decrypt file "inout/encrypted-3des-kt-rsa-cert-Entrust.xml"
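
Triage of the error stack quoted above, as an added example that is not part of the original message or of xmlsec: it parses the `func=...:error=...;last error=...` entries and picks the first one carrying a non-zero Win32 last error, which is the CryptDuplicateKey failure Wouter points to. The function names are choices made for this example, and the embedded sample is three entries copied from the quoted output with the wrapped lines rejoined.

```python
import re

# Three entries from the quoted xmlsec output, wrapped lines rejoined.
SAMPLE = r"""
func=xmlSecMSCryptoKeyDataCtxDuplicateKey:file=..\src\mscrypto\certkeys.c:line=182:obj=unknown:subj=CryptDuplicateKey:error=4:crypto library function failed: ;last error=120 (0x00000078);last error msg=This function is not supported on this system.
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
func=xmlSecEncCtxEncDataNodeRead:file=..\src\xmlenc.c:line=885:obj=unknown:subj=unknown:error=45:key is not found: ;last error=0 (0x00000000);last error msg=The operation completed successfully.
"""

ENTRY = re.compile(
    r"func=(?P<func>\w+):file=(?P<file>.+?):line=(?P<line>\d+):obj=(?P<obj>[^:]*)"
    r":subj=(?P<subj>[^:]*):error=(?P<error>\d+):(?P<msg>.*?): ;"
    r"last error=(?P<last>\d+) \(0x[0-9A-Fa-f]+\);last error msg=(?P<last_msg>.*)"
)

# Win32 code seen in this thread; 120 (0x78) is ERROR_CALL_NOT_IMPLEMENTED.
WIN32_NAMES = {120: "ERROR_CALL_NOT_IMPLEMENTED"}


def parse_stack(text):
    """Return one dict per well-formed entry, in the order they were logged."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a stack entry
        entry = m.groupdict()
        for key in ("line", "error", "last"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def root_cause(entries):
    """First entry with a non-zero Win32 last error. Entries logged after it
    with last error=0 are callers reporting the failure they were handed."""
    for entry in entries:
        if entry["last"] != 0:
            return entry
    return entries[0] if entries else None


def describe(entry):
    name = WIN32_NAMES.get(entry["last"], "unknown")
    return (f'{entry["subj"]} failed in {entry["func"]} '
            f'({entry["file"]}:{entry["line"]}), Win32 error {entry["last"]} {name}')


if __name__ == "__main__":
    print(describe(root_cause(parse_stack(SAMPLE))))
```
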