  • Entrust CSP and XMLSec mscrypto - Part 5


    Thanks Wouter,
    I'll try it out in the next 24 hours against the Entrust CSP and let
    you know. Thanks loads ; )
    Ed
    From: Wouter [mailto:wsh333 (AT) gmail (DOT) com]
    Sent: Sunday, September 17, 2006 9:34 AM
    To: Ed Shallow
    Cc: 'Aleksey Sanin'; xmlsec (AT) aleksey (DOT) com
    Subject: Re: [xmlsec] RE: Entrust CSP and XMLSec mscrypto - Part 5
    Hi Ed,
    Could you try the patch attached to this message? MSCrypto default keysstore
    now looks up certificates with FriendlyName values as well. The lookup for
    FriendlyName is case sensitive. I've tested the code myself, and
    certificates I have in my local personal keystore are found successfully
    with a given "friendlyname". Theoretically this should also work with
    Entrust in your situation, but it would be nice if you could test it as
    well.
    Wouter
    PS I've also attached the complete (and patched) src/mscrypto/keysstore.c,
    since windows does not have a patch utility by default, it might be easier
    for testing.
    Ed Shallow wrote:
    Hi Wouter,
    Yes the direct fetch does look cleaner. The attached is really just
    pseudo code I borrowed and modified from MSDN. I can send you another
    snippet using the direct fetch, but I'd rather
    let you do the polishing, testing, and check-in.
    There are only 2 new API calls here and this really is not a big change.
    to you Wouter. Are you willing to take a shot at it?
    Ed
    From: Wouter [mailto:wsh333 (AT) gmail (DOT) com]
    Sent: Saturday, September 16, 2006 4:09 PM
    To: Ed Shallow
    Cc: 'Aleksey Sanin'; xmlsec (AT) aleksey (DOT) com
    Subject: Re: [xmlsec] RE: Entrust CSP and XMLSec mscrypto - Part 5
    Hi all,
    I think that this should be added to the code base. It will at least give a
    higher chance the mscrypto keystore will find the correct key. Looking at
    the code I'm not sure I would enumerate the certificate properties, but
    rather try to fetch the "Friendly name prop" directly, if that's possible.
    Ed, did you test this approach with your Entrust sample already?
    Wouter
    Ed Shallow wrote:
    Hi Guys,
    Perhaps adding another cert find attempt. Something like the following
    in
    Current 1st attempt
    /* first attempt: search by cert id == name */
    Current 2nd attempt
    /* We don't give up easily, now try to fetch the cert with a full blown
    * subject dn
    */
    Current 3rd attempt
    /* We don't give up easily, now try to fetch the cert with a full blown
    * subject dn, and try with a reversed dn
    */
    Here we could add a 4th attempt which loops through the store's certificates
    and for each context loops through the properties looking for the Friendly
    Name and then return this cert context if Friendly Name matches.
    /* 4th attempt: walk the store and compare each certificate's Friendly Name
     * property with the incoming <KeyName>. Adapted from the MSDN
     * CertEnumCertificateContextProperties sample. The property value is a
     * NUL-terminated wide string, so the UTF-8 name is converted once up front;
     * windows.h/wincrypt.h are assumed to be included, as keysstore.c does. */
    PCCERT_CONTEXT pCertContext = NULL;
    PCCERT_CONTEXT pResult = NULL;
    DWORD dwPropId;
    DWORD cbData = 0;
    void* pvData = NULL;
    LPWSTR wname = NULL;
    int wlen;

    wlen = MultiByteToWideChar(CP_UTF8, 0, (LPCSTR)name, -1, NULL, 0);
    if(wlen <= 0) {
        xmlSecError(XMLSEC_ERRORS_HERE, NULL, "MultiByteToWideChar",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE);
        return(NULL);
    }
    wname = (LPWSTR)xmlMalloc((size_t)wlen * sizeof(WCHAR));
    if(wname == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE, NULL, NULL,
                    XMLSEC_ERRORS_R_MALLOC_FAILED, "size=%d", wlen);
        return(NULL);
    }
    MultiByteToWideChar(CP_UTF8, 0, (LPCSTR)name, -1, wname, wlen);

    /* CertEnumCertificatesInStore frees the context passed in and returns the
     * next one, or NULL once the store is exhausted. Stop enumerating as soon
     * as a match is found so the matching context is not freed under us. */
    while((pResult == NULL) &&
          ((pCertContext = CertEnumCertificatesInStore(hStoreHandle, pCertContext)) != NULL)) {
        //
        // Loop over the property identifiers of this certificate. dwPropId
        // must be zero to find the first one; the loop continues until
        // CertEnumCertificateContextProperties returns zero.
        //
        // Wouter I think one could replace the loop thru the Properties below with
        // a direct call to CertGetCertificateContextProperty specifying
        // CERT_FRIENDLY_NAME_PROP_ID as the dwPropId argument. You may try this
        // method if you like it better.
        // Ed
        dwPropId = 0;
        while((dwPropId = CertEnumCertificateContextProperties(pCertContext, dwPropId)) != 0) {
            if(dwPropId != CERT_FRIENDLY_NAME_PROP_ID) {
                continue;   /* only the Friendly Name is of interest here */
            }
            /* first call: get the size of the property value */
            if(!CertGetCertificateContextProperty(pCertContext, dwPropId, NULL, &cbData)) {
                xmlSecError(XMLSEC_ERRORS_HERE, NULL, "CertGetCertificateContextProperty",
                            XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE);
                goto error;
            }
            pvData = xmlMalloc(cbData);
            if(pvData == NULL) {
                xmlSecError(XMLSEC_ERRORS_HERE, NULL, NULL,
                            XMLSEC_ERRORS_R_MALLOC_FAILED, "size=%d", cbData);
                goto error;
            }
            /* second call: retrieve the property data */
            if(!CertGetCertificateContextProperty(pCertContext, dwPropId, pvData, &cbData)) {
                xmlSecError(XMLSEC_ERRORS_HERE, NULL, "CertGetCertificateContextProperty",
                            XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE);
                goto error;
            }
            /* is it the name which contains the incoming <KeyName>? Exact,
             * case-sensitive comparison of the two wide strings. */
            if(wcscmp((LPCWSTR)pvData, wname) == 0) {
                pResult = pCertContext;     /* the caller now owns this context */
            }
            xmlFree(pvData);    /* allocated with xmlMalloc above, so xmlFree here */
            pvData = NULL;
            break;  /* a certificate carries at most one Friendly Name */
        }
    }
    xmlFree(wname);
    return(pResult);

error:
    if(pvData != NULL) {
        xmlFree(pvData);
    }
    if(pCertContext != NULL) {
        CertFreeCertificateContext(pCertContext);
    }
    xmlFree(wname);
    return(NULL);
    Ed
    From: xmlsec-bounces (AT) aleksey (DOT) com [mailto:xmlsec-bounces (AT) aleksey (DOT) com] On Behalf Of Aleksey Sanin
    Sent: Saturday, September 16, 2006 12:56 PM
    To: Ed Shallow
    Cc: 'Wouter'; xmlsec (AT) aleksey (DOT) com
    Subject: Re: [xmlsec] RE: Entrust CSP and XMLSec mscrypto - Part 4
    I can see in the code that Wouter is already trying several options to
    get certificates out using the <KeyName> string, this would simply be
    one more.
    I would vote for 1) above.
    What do you think?
    Sounds good to me Though, I can not say I am an expert
    on MSCrypto API to understand the "little details" :) You know
    that I love patches, don't you? :) :) :)
    Aleksey
    xmlsec mailing list
    xmlsec (AT) aleksey (DOT) com
    http://www.aleksey.com/mailman/listinfo/xmlsec
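The lookup chain the thread is discussing, as an added example that is not xmlsec's keysstore.c, Ed's snippet or Wouter's patch: a portable C model of the four attempts (cert id, full subject DN, reversed subject DN, and the proposed Friendly Name match), run against a constructed in-memory array that stands in for the Windows certificate store so it compiles and runs without wincrypt. The names mock_cert_t, reverse_dn, find_cert_by_name and resolve_sample, and the sample certificates, are this example's own; the real code compares the UTF-16 value of CERT_FRIENDLY_NAME_PROP_ID rather than a C string. It shows the order in which a <KeyName> is tried and that the Friendly Name match is exact and case-sensitive, as Wouter's note on the patch says.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RDN 64

/* One certificate as the MSCrypto keys store would see it: the three fields a
 * <KeyName> is matched against. Constructed sample data, not real certificates. */
typedef struct {
    const char *cert_id;        /* name the certificate was registered under */
    const char *subject_dn;     /* RFC 4514 subject, most specific RDN first */
    const char *friendly_name;  /* CERT_FRIENDLY_NAME_PROP_ID value, NULL if unset */
} mock_cert_t;

/* Reverse the RDN order of a DN ("CN=a,OU=b,O=c" -> "O=c,OU=b,CN=a"), splitting
 * only on unescaped commas so "\," inside a value survives, and trimming blanks
 * around each RDN. Returns a malloc'd string that the caller frees. */
char *reverse_dn(const char *dn) {
    const char *starts[MAX_RDN];
    size_t lens[MAX_RDN];
    int count = 0, i;
    const char *p = dn, *seg = dn;
    char *out = malloc(strlen(dn) + 1);
    size_t pos = 0;

    if (out == NULL) return NULL;
    for (;;) {
        if (*p == '\\' && p[1] != '\0') { p += 2; continue; }   /* skip escaped char */
        if (*p == ',' || *p == '\0') {
            if (count < MAX_RDN) { starts[count] = seg; lens[count] = (size_t)(p - seg); count++; }
            if (*p == '\0') break;
            seg = ++p;
            continue;
        }
        p++;
    }
    for (i = count - 1; i >= 0; i--) {              /* emit RDNs last-to-first */
        const char *s = starts[i];
        size_t l = lens[i];
        while (l > 0 && *s == ' ') { s++; l--; }
        while (l > 0 && s[l - 1] == ' ') l--;
        if (pos > 0) out[pos++] = ',';
        memcpy(out + pos, s, l);
        pos += l;
    }
    out[pos] = '\0';
    return out;
}

/* Resolve a <KeyName> in the order the thread describes: each attempt scans the
 * whole store before the next one is tried. Returns the index of the matching
 * certificate or -1; *attempt reports which attempt hit (0 if none). */
int find_cert_by_name(const mock_cert_t *store, int n, const char *name, int *attempt) {
    int a, i;
    for (a = 1; a <= 4; a++) {
        for (i = 0; i < n; i++) {
            int hit = 0;
            if (a == 1) {
                hit = strcmp(store[i].cert_id, name) == 0;          /* cert id == name */
            } else if (a == 2) {
                hit = strcmp(store[i].subject_dn, name) == 0;       /* full subject DN */
            } else if (a == 3) {
                char *rev = reverse_dn(store[i].subject_dn);        /* reversed DN */
                hit = rev != NULL && strcmp(rev, name) == 0;
                free(rev);
            } else {                                                /* Friendly Name, case-sensitive */
                hit = store[i].friendly_name != NULL && strcmp(store[i].friendly_name, name) == 0;
            }
            if (hit) { *attempt = a; return i; }
        }
    }
    *attempt = 0;
    return -1;
}

/* constructed stand-in for the Personal ("My") store */
static const mock_cert_t sample_store[] = {
    { "ed-signing-2006", "CN=Ed Shallow,OU=Dev,O=Entrust",      "Ed Shallow"   },
    { "ca-root",         "CN=Entrust Root\\, Inc,O=Entrust",    "Entrust Root" },
    { "wouter-test",     "CN=Wouter,O=Test",                    NULL           },
};
#define SAMPLE_STORE_LEN ((int)(sizeof sample_store / sizeof sample_store[0]))

int resolve_sample(const char *name, int *attempt) {
    return find_cert_by_name(sample_store, SAMPLE_STORE_LEN, name, attempt);
}

int main(void) {
    const char *names[] = { "ed-signing-2006", "CN=Ed Shallow,OU=Dev,O=Entrust",
                            "O=Entrust,OU=Dev,CN=Ed Shallow", "Ed Shallow", "ed shallow" };
    size_t k;
    for (k = 0; k < sizeof names / sizeof names[0]; k++) {
        int attempt, idx = resolve_sample(names[k], &attempt);
        if (idx < 0) printf("%-32s -> no match\n", names[k]);
        else printf("%-32s -> cert %d via attempt %d\n", names[k], idx, attempt);
    }
    return 0;
}
```

Friendly Name is a local, user-editable property that nothing forces to be unique, so two certificates in the store can carry the same value and the first one enumerated wins; that is the reason for keeping it as the last attempt, and for still checking that the certificate a name resolved to is the one the signature was expected to use rather than accepting it because a name matched.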
