Ureader.com  
Microsoft software help and Community
date: Fri, 2 May 2008 08:56:00 -0700,    group: microsoft.public.platformsdk.security


Diagnosing crypto problem   
This is embarrassing.

I wrote quite a complicated DRM type system some 5 years ago and it works 
fine (after a fair amount of sweat).  In fact it still does.  

However, I'm now in the process of moving it on to a new machine and I'm 
struggling.  Of course I cannot find the documentation I wrote (possibly the 
victim of a hard disk crash) and I can barely remember how it works.

The first part of this is for remote machines to register with the server.

What I think should be happening is that I have a self signed cert (created 
in '03!) which should be stored in a named store on the server.  The public 
key for this is exported via an include file in my code.

A request is packaged up on the local machine and sent up to the server via 
SOAP.  Once there it is unpacked, validated and then a response assembled 
with the local machine's 'permissions'.

Sounds nice and easy!

What's happening is that when the server comes to decrypt the message from 
the client CryptDecrypt returns an HRESULT of 0x8009200c (which is somewhat 
sparsely documented).

I expect this is because of a configuration issue.  In fact I suspect that 
one cert/key or another has simply not been registered on the server.

I've a pfx file which appears to be the self-signed cert.  I've also got a 
number of .cer files whose provenance is less certain.

I have a test/initialisation program which I have run with the obvious 
initialisation options.

I've added the .pfx file to the certificate store on the new server (by 
double clicking) and that seems to have worked - I picked the default 
location as I couldn't see my store in there.  However, I can't find the cert 
with CertMgr.exe.  Nor can I in the old machine.  Nor can I find the cert 
using ListCerts in the dedicated store (on either machine).

I know it's pretty hard to ask 'what on EARTH was going through my head', 
but I really have no idea how to diagnose this without reading more or less 
all the code :(

Any pointers would be very much appreciated.

Thanks 

Iain
date: Fri, 2 May 2008 08:56:00 -0700   author:   Iain

RE: Diagnosing crypto problem   
Hi,

The information you gave is clearly insufficient to diagnose your problem. 
One way to understand better what is happening is to trace all the calls from 
your application to CryptoAPI. This can be done using classical hook or 
hijacking techniques. Unfortunately, there is no out-of-the-box solution for 
doing that but you can find useful links by googling around using the 
keywords I mentioned earlier. 

Good luck,
-- 
Mounir IDRASSI
IDRIX
http://www.idrix.fr

date: Sat, 3 May 2008 05:04:00 -0700   author:   Mounir IDRASSI

RE: Diagnosing crypto problem   
Thanks for your feedback Mounir.

The problem at heart is a configuration one.

At the very least I need to get my self-signed cert into a named system 
certificate store (e.g. 'Iains Store').  However, I don't seem to be able to 
work out how to do that (except just possibly in code, but I'm not entirely 
sure if this is the problem).

Another solution, and a better one, is to transfer all the certs from my named 
system stores on the old machine.  But I can't (so far) find out how to back 
up and restore a store from one machine to another.  I've just found out how 
to use CertMgr to view these, but not worked out how to export them en masse.

Any pointers gratefully received.


Iain

date: Mon, 5 May 2008 04:30:01 -0700   author:   Iain

RE: Diagnosing crypto problem   
1. Your problem may be EXPIRED cert - since you created your self-signed cert 
several years ago. Check the cert's expiration date. If it is, in fact, 
expired, you should create a new self-signed cert.
2. If you need to do automatic cert store backup or restore, you will need 
to write your own program using CAPI functions. What you need are mostly the 
CertXxx functions, but if you need to migrate private key as well, you would 
also have to use the CryptXxx functions. All these are documented in the 
Platform SDK.

Laszlo Elteto
SafeNet, Inc.

date: Tue, 6 May 2008 10:06:05 -0700   author:   lelteto
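The two points in the reply above (check the self-signed cert's expiry; back up and restore a named store, private keys included, with your own CAPI program) can be carried out from PowerShell without writing C against CertXxx/CryptXxx directly. The block below is an added example written for this thread, not code posted by anyone in it; it uses the .NET X509Store/X509Certificate2 wrappers over CryptoAPI. It takes the store name 'Iains Store' from the thread; the backup directory is a placeholder, and the PFX password is prompted for. For context on the error in the first post: 0x8009200C is CRYPT_E_NO_DECRYPT_CERT ("Cannot find the certificate and private key to use for decryption"), which is what a server sees when the certificate with its private key is not in the store and location (LocalMachine versus CurrentUser) the server process reads. A .pfx double-clicked as an interactive user typically lands in the CurrentUser location, while a service looks in LocalMachine, so the script also includes a search across both locations.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example for the thread above, not the original poster's code.
# Assumed values: store name taken from the thread; directory is a placeholder path.
$StoreName   = 'Iains Store'
$BackupDir   = 'C:\certbackup'    # placeholder: choose a directory on the machine you are on
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

function Find-CertificateStore {
    # Report every store, in both locations, holding a cert whose subject contains $SubjectMatch.
    # This is the check for "I imported it but the server cannot find it": the cert may sit in
    # CurrentUser while the service process only reads LocalMachine.
    param([Parameter(Mandatory)][string]$SubjectMatch)
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        foreach ($store in Get-ChildItem "Cert:\$location") {
            Get-ChildItem "Cert:\$location\$($store.Name)" -ErrorAction SilentlyContinue |
                Where-Object { $_.Subject -like "*$SubjectMatch*" } |
                Select-Object @{ n = 'Store'; e = { "$location\$($store.Name)" } },
                              Thumbprint, Subject, NotAfter, HasPrivateKey
        }
    }
}

function Backup-NamedStore {
    # Export every cert in a named LocalMachine store to <thumbprint>.pfx, flagging expired ones.
    param([string]$Name, [string]$Directory, [securestring]$Password)
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $store = [X509Store]::new($Name, [StoreLocation]::LocalMachine)
    $store.Open([OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            $status = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
            Write-Output ('{0}  {1}  expires {2:yyyy-MM-dd} ({3})  private key: {4}' -f
                $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $status, $cert.HasPrivateKey)
            $file = Join-Path $Directory "$($cert.Thumbprint).pfx"
            try {
                # PFX export carries the private key; this is the piece the CertXxx-only route misses.
                [IO.File]::WriteAllBytes($file, $cert.Export([X509ContentType]::Pfx, $Password))
            } catch [CryptographicException] {
                # A key generated without CRYPT_EXPORTABLE cannot leave the machine; keep the
                # public certificate so the store can at least be rebuilt for validation.
                Write-Warning "Private key for $($cert.Thumbprint) is not exportable; saving .cer only"
                [IO.File]::WriteAllBytes(($file -replace '\.pfx$', '.cer'), $cert.Export([X509ContentType]::Cert))
            }
        }
    } finally { $store.Close() }
}

function Restore-NamedStore {
    # Recreate the named LocalMachine store on the new machine from the backup directory.
    # Run elevated: writing to LocalMachine needs administrative rights.
    param([string]$Name, [string]$Directory, [securestring]$Password)
    $store = [X509Store]::new($Name, [StoreLocation]::LocalMachine)
    $store.Open([OpenFlags]::ReadWrite)    # creates the named store if it does not exist yet
    try {
        # MachineKeySet puts the key where a service account can reach it; PersistKeySet keeps it
        # after the X509Certificate2 object is gone; Exportable allows a future backup.
        $flags = [X509KeyStorageFlags]'MachineKeySet,PersistKeySet,Exportable'
        foreach ($pfx in Get-ChildItem -Path $Directory -Filter *.pfx) {
            $store.Add([X509Certificate2]::new($pfx.FullName, $Password, $flags))
        }
        foreach ($cer in Get-ChildItem -Path $Directory -Filter *.cer) {
            $store.Add([X509Certificate2]::new($cer.FullName))
        }
    } finally { $store.Close() }
}

# On the old machine: list expiry and export the store, then copy $BackupDir across.
Backup-NamedStore -Name $StoreName -Directory $BackupDir -Password $PfxPassword
# On the new machine (elevated): rebuild the store, then confirm where the cert ended up.
# Restore-NamedStore -Name $StoreName -Directory $BackupDir -Password $PfxPassword
# Find-CertificateStore -SubjectMatch 'CN=placeholder-subject'
```

After restoring, run Find-CertificateStore with part of the cert's subject and check that the row for the named store shows HasPrivateKey as True and a NotAfter in the future; a row with HasPrivateKey False, or a hit only under CurrentUser, reproduces the decrypt failure described in the first post.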
