[xmlsec] xmlSecMSCryptoKeyDataAdoptCert

Amiler Scumba amiler_scumba at hotmail.com
Tue Feb 14 03:42:22 PST 2006

>We have our own token containing private key.
>The description of the scenario:
>1. We created 2 different keys using 2 different tokens.
>2. We formed the template passing the cert matching to the 1st key.
>3. We signed the template. When the provider asked for a token, we
>plugged the token contained the key non-matching to the cert.
>The document was signed successfully but the signature couldn't be
>verified with the cert from template.

Which CSP are you using? It looks like the CSP does not implement support 
for key containers very well. Each token should have its own key container 
(the name is usually generated as a sequence of random characters). My guess is 
that CryptAcquireCertificatePrivateKey only uses the container specified in 
the provider-info.

>Which token do you use? Which CSP do you use?

We were using ActivIdentity HW tokens (http://www.actividentity.com/) and 
the corresponding CSP.

>And why do you use disk as
>intermediate storage?

The Certificate Authority advises users that the certificate should first be 
saved to disk and then imported to the smart card (for backup reasons).

>What do you use to bind the cert with the corresponding
>private key?

The manufacturer has a utility that binds the key container (smart card) to 
the certificate. You can also look up the Microsoft SDK - it has a sample 
that does something similar.

>Has the signing operation been really completed?

Yes, the private key is still there. Look into C:\Documents and 
Settings\Amiler\Application Data\Microsoft\Crypto\RSA\(privateKeyName).
IMHO, this is a serious bug in Internet Explorer.
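
The scenario in this thread (a document signed with a key from the wrong token, so the signature cannot be verified with the template's certificate) is caught by checking, before signing, that the private key Windows resolves through the certificate's provider-info actually matches the certificate's public key. The script below is an added example for that check; it is not code from the poster or from the xmlsec project. It assumes an RSA certificate in the CurrentUser\My store, and the thumbprint is a placeholder to be replaced. It also prints which provider and key container the key was resolved from, which is the information the reply above says the CSP may be getting wrong.

```powershell
# Added example (not xmlsec or the poster's code): confirm that the private key
# Windows resolves for a certificate matches that certificate's public key,
# and show which CSP / key container it came from.
param(
    # Placeholder, not a real thumbprint; pass the certificate's SHA-1 thumbprint.
    [string]$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
)

$ErrorActionPreference = 'Stop'

# Assumption: the certificate lives in the CurrentUser\My store.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no linked private key (no provider-info property)."
}

# Resolve the private key the way the OS does for this certificate: through the
# provider name + key container name stored in its provider-info.
$ext  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
$priv = $ext::GetRSAPrivateKey($cert)
$pub  = $ext::GetRSAPublicKey($cert)

# Report where the key lives. Legacy CSP keys expose CspKeyContainerInfo,
# CNG (KSP) keys expose a CngKey.
if ($priv -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info = $priv.CspKeyContainerInfo
    "Provider      : $($info.ProviderName)"
    "Key container : $($info.KeyContainerName)"
    "Hardware      : $($info.HardwareDevice)"
} elseif ($priv -is [System.Security.Cryptography.RSACng]) {
    "Provider      : $($priv.Key.Provider.Provider)"
    "Key name      : $($priv.Key.KeyName)"
}

# Constructed test data: sign with the resolved private key, then verify with the
# public key embedded in the certificate. A key from the wrong token or container
# fails here, before any real document is signed with it.
$data = [System.Text.Encoding]::UTF8.GetBytes('key/cert binding check')
$sha  = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$sig  = $priv.SignData($data, $sha, $pad)   # a hardware token prompts for its PIN here

if ($pub.VerifyData($data, $sig, $sha, $pad)) {
    "OK: the private key in this container matches certificate $($cert.Thumbprint)"
} else {
    throw "MISMATCH: the key resolved for $($cert.Thumbprint) does not match its public key; check the provider-info / key container binding."
}
```

Run it with the token that is supposed to hold the key plugged in, and again with a different token inserted: with a CSP that honours the key container named in the provider-info, the second run fails at key acquisition or at the verify step rather than silently signing with the wrong key.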
