[xmlsec] xmlSecMSCryptoKeyDataAdoptCert

Dmitry Belyavsky beldmit at cryptocom.ru
Tue Feb 14 04:32:01 PST 2006


Greetings!

On Tue, 14 Feb 2006, Amiler Scumba wrote:

> >
> > We have our own token containing private key.
> >
> > The description of the scenario:
> > 1. We created 2 different keys using 2 different tokens.
> > 2. We formed the template passing the cert matching to the 1st key.
> > 3. We signed the template. When the provider asked for a token, we
> > plugged the token contained the key non-matching to the cert.
> >
> > The document was signed successfully but the signature couldn't be
> > verified with the cert from template.
>
> Which CSP are you using? It looks like the CSP does not implement support for
> key containers very well. Each token should have its own key container (name
> is usually generated as a sequence of random characters). My guess is that
> CryptAcquireCertificatePrivateKey only uses the container specified in the
> provider-info.

We are using our own CSP. Each token has its own container.
But until the token is plugged in, the provider can only access the
certificate. It uses the container the user has specified. So I don't
understand your argument.

> > And why do you use disk as
> > intermediate storage?
>
> The Certificate Authority advises users that the certificate should first be
> saved to disk and then imported to the smart card (for backup reasons).

We had to write a special backup utility to copy the key from one token
to another. But it seems to be insecure to save the private key to disk.

> > Has the signing operation been really completed?
>
> Yes, the private key is still there. Look into C:\Documents and
> Settings\Amiler\Application Data\Microsoft\Crypto\RSA\(privateKeyName).
> IMHO, this is a serious bug in Internet Explorer.

I agree with you.

-- 
SY, Dmitry Belyavsky (ICQ UIN 11116575)