[xmlsec] RE: Entrust CSP and XMLSec mscrypto - Part 3

Wouter wsh333 at gmail.com
Sat Sep 16 00:20:53 PDT 2006 

Hi Ed,

I'm not sure what the exact differences are between WITH_NT4=1 and the 
default build. Now the decrypt function does not work because probably 
the wrong certificate and key is selected (the signing certificate), 
like you suggested already. This cannot be solved with the current 
certificate selection mechanism, I think. If the certificate itself has 
properties (extensions) that indicate signing or encryption, you can at 
least select the certificate at application level (your own application) 
and then use that as encryption certificate. With the xmlsec tool I see 
no option in working around this issue....
I think this should be noted as a bug... :(
Somehow the current keymanager key selection interface in combination 
with mscrypto is not sufficient enough in selecting the appropriate 
certificate. Any suggestions how this can be approved?

Wouter

ed.shallow at rogers.com wrote:
> Hi Wouter,
>  
>      Getting farther but not all the way.
>  
> Same 3 command line operations below against compiled 1.2.10 
> WITH_NT4=1 as you suggested.
>  
>  
> 1) Encrypt worked (as it did before)
>  
> 2) Decrypt gets the Bad Key you mentioned
>  
> 3) Sign now works
>  
>  
> So I think I was half right and you were half right.
>  
> AT_SIGNATURE encountered before AT_KEYEXCHANGE so Decrypt fails but 
> Sign works.
>  
> This is a valid valid duplication of SubjectName it seems ?
>  
> Ed
>  
>     
>  
> C:\XMLSec>xmlsec encrypt --crypto mscrypto --session-key des-192 
> --xml-data inout/encrypt-doc.xml --node-name Salary --output 
> inout/encrypted-3des-kt-rsa-cert-Entrust.xml 
> tmpl/tmpl-EPM-encrypt-3des-kt-rsa-Entrust.xml
> C:\XMLSec>PAUSE
> Press any key to continue . . .
>  
> C:\XMLSec>xmlsec decrypt --crypto mscrypto --output 
> inout/decrypted-3des-kt-rsa-cert-Entrust.xml 
> inout/encrypted-3des-kt-rsa-cert-Entrust.xml
> func=xmlSecMSCryptoRsaPkcs1Process:file=..\src\mscrypto\kt_rsa.c:line=376:obj=rsa-1_5:subj=CryptDecrypt:error=4:crypto 
> library function failed: ;last error=-2146893821 (0x80090003);last 
> error msg=Bad Key.
> func=xmlSecMSCryptoRsaPkcs1Execute:file=..\src\mscrypto\kt_rsa.c:line=213:obj=rsa-1_5:subj=xmlSecMSCryptoRsaPkcs1Process:error=1:xmlsec 
> library function failed: ;last error=-2146893821 (0x80090003);last 
> error msg=Bad Key.
> func=xmlSecTransformDefaultPushBin:file=..\src\transforms.c:line=2173:obj=rsa-1_5:subj=xmlSecTransformExecute:error=1:xmlsec 
> library function failed:final=1;last error=-2146893821 
> (0x80090003);last error msg=Bad Key.
> func=xmlSecTransformDefaultPushBin:file=..\src\transforms.c:line=2200:obj=rsa-1_5:subj=xmlSecTransformPushBin:error=1:xmlsec 
> library function failed:final=1;outSize=33;last error=-2146893821 
> (0x80090003);last error msg=Bad Key.
> func=xmlSecTransformCtxBinaryExecute:file=..\src\transforms.c:line=1089:obj=unknown:subj=xmlSecTransformCtxPushBin:error=1:xmlsec
> library function failed:dataSize=174;last error=-2146893821 
> (0x80090003);last error msg=Bad Key.
> func=xmlSecEncCtxDecryptToBuffer:file=..\src\xmlenc.c:line=669:obj=unknown:subj=xmlSecTransformCtxBinaryExecute:error=1:xmlsec 
> library function failed: ;last error=-2146893821 (0x80090003);last 
> error msg=Bad Key.
> func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec 
> library function failed: ;last error=-2146893821 (0x80090003);last 
> error msg=Bad Key.
> func=xmlSecEncCtxEncDataNodeRead:file=..\src\xmlenc.c:line=885:obj=unknown:subj=unknown:error=45:key 
> is not found: ;last error=-2146893821 (0x80090003);last error msg=Bad Key.
> func=xmlSecEncCtxDecryptToBuffer:file=..\src\xmlenc.c:line=643:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec 
> library
>  function failed: ;last error=-2146893821 (0x80090003);last error 
> msg=Bad Key.
> func=xmlSecEncCtxDecrypt:file=..\src\xmlenc.c:line=582:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec 
> library function failed: ;last error=-2146893821 (0x80090003);last 
> error msg=Bad Key.
> Error: failed to decrypt file
> Error: failed to decrypt file 
> "inout/encrypted-3des-kt-rsa-cert-Entrust.xml"
> C:\XMLSec>PAUSE
> Press any key to continue . . .
>  
> C:\XMLSec>xmlsec sign --crypto mscrypto --output 
> inout/edsigned-enveloped-Entrust.xml 
> tmpl/tmpl-EPM-sign-enveloped-Entrust.xml
>
>
> ----- Original Message ----
> From: Wouter <wsh333 at gmail.com>
> To: Ed Shallow <ed.shallow at rogers.com>
> Cc: xmlsec at aleksey.com
> Sent: Friday, September 15, 2006 3:11:49 PM
> Subject: Re: [xmlsec] RE: Entrust CSP and XMLSec mscrypto - Part 3
>
> Hi Ed,
>
> I can follow your reasoning (a bit), and it could be the cause, 
> however when you try to use a key which is marked for signing 
> (AT_SIGNATURE) for decrypting you get the following error (if I 
> remember correctly): "Bad Key".
>
> The error you got looks more like the entrust csp does not support the 
> following function: CryptDuplicateKey which makes sense for a private 
> key on a token, but not for a public key on a certificate. 
> CryptDuplicateKey is also not supported on NT 4 systems (as I see in 
> some comments of the mscrypto code), so perhaps you should try to 
> build a XMLSEC_MSCRYPTO_NT4 enabled version of the library, to get 
> more success....
>
> Wouter
>
> Ed Shallow wrote:
>>
>> Aleksey,
>>
>>     I have a hunch. Consider this which I observe with the 2-key pair 
>> philosophy used by Entrust.
>>
>> - their proprietary KeyStore sits on the file system as an .epf file 
>> which they call a Profile
>>
>> - they have a standard Microsoft CAPI-compliant CSP which hides this 
>> proprietary-ness from Windows apps like Outlook and other CAPI 
>> applications (like XMLSec mscrypto)
>>
>> - after you install their CSP and you login to their Profile the CSP 
>> adds 3 certificates to the MS Crypto Store
>>
>> - 1 signing key/cert, 1 encryption key/cert, and the public issuer’s 
>> root to the Trusted Authorities
>>
>> - Now the specific thing to note here is that both the signing cert 
>> and the encryption cert have the exact same RDN i.e. CN=…, O=…, 
>> OU=,,, C=… even the CN= sub-fields are identical
>>
>> - they do differ in 2 respects and this is what makes them legitimate:
>>
>>           - there KeyUsage is different since one is for signature 
>> and the other for encipherment
>>
>>           - their Friendly Names are different but Wouter doesn’t 
>> search on that
>>
>> - the MS Crypto Store allows duplicate certificate names since they 
>> legitimately may be for different purposes
>>
>> - Microsoft calls these different purposes AT_SIGNATURE and 
>> AT_KEYEXCHANGE and you can get them with a GetKeySpecFromKPI call to 
>> MS CAPI
>>
>> - I believe the mscrypto code may be checking for duplicates but not 
>> checking for key purpose
>>
>> - if the 2 certs have the same name, but one is for signing and the 
>> other for encryption that should be OK
>>
>> - I can’t delete one and re-test to corroborate this because the 
>> Entrust CSP puts it back if you try to remove it !!!  
>>
>> Can you substantiate this in the mscrypto code ? Sorry I can barely 
>> follow it.
>>
>> Ed  
>>
>>  
>>
>>  
>>
>>  
>>
>>  
>>
>> ------------------------------------------------------------------------
>>
>> *From:* Ed Shallow [mailto:ed.shallow at rogers.com]
>> *Sent:* Friday, September 15, 2006 11:16 AM
>> *To:* 'xmlsec at aleksey.com'
>> *Subject:* Entrust CSP amd XMLSec mscrypto - Part 2
>>
>>  
>>
>> Aleksey,
>>
>>  
>>
>>      Here is some more to go on. The Encrypt works. mscrypto support 
>> using the <KeyName> populated with the CN= field of the certificate 
>> works.
>>
>>      So mscrypto manages to find the certificate when reaching into 
>> the MS Crypto Store for the Encrypt operation.
>>
>>      However when I send this encrypted file (attached) back in on a 
>> Decrypt, I get the following. This should have worked.  
>>
>>  
>>
>> C:\XMLSec>xmlsec decrypt --crypto mscrypto --output 
>> inout/decrypted-3des-kt-rsa-cert-Entrust.xml 
>> inout/encrypted-3des-kt-rsa-cert-
>>
>> Entrust.xml
>>
>> func=xmlSecMSCryptoKeyDataCtxDuplicateKey:file=..\src\mscrypto\certkeys.c:line=182:obj=unknown:subj=CryptDuplicateKey:error=4:cryp
>>
>> to library function failed: ;last error=120 (0x00000078);last error 
>> msg=This function is not supported on this system.
>>
>>  
>>
>> func=xmlSecMSCryptoKeyDataDuplicate:file=..\src\mscrypto\certkeys.c:line=621:obj=rsa:subj=xmlSecMSCryptoKeyDataCtxDuplicateKey:err
>>
>> or=1:xmlsec library function failed: ;last error=120 
>> (0x00000078);last error msg=This function is not supported on this 
>> system.
>>
>>  
>>
>> func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec 
>> library function fail
>>
>> ed: ;last error=0 (0x00000000);last error msg=The operation completed 
>> successfully.
>>
>>  
>>
>> func=xmlSecEncCtxEncDataNodeRead:file=..\src\xmlenc.c:line=885:obj=unknown:subj=unknown:error=45:key 
>> is not found: ;last error=0 (
>>
>> 0x00000000);last error msg=The operation completed successfully.
>>
>>  
>>
>> func=xmlSecEncCtxDecryptToBuffer:file=..\src\xmlenc.c:line=643:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec 
>> library
>>
>>  function failed: ;last error=0 (0x00000000);last error msg=The 
>> operation completed successfully.
>>
>>  
>>
>> func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec 
>> library function fail
>>
>> ed: ;last error=0 (0x00000000);last error msg=The operation completed 
>> successfully.
>>
>>  
>>
>> func=xmlSecEncCtxEncDataNodeRead:file=..\src\xmlenc.c:line=885:obj=unknown:subj=unknown:error=45:key 
>> is not found: ;last error=0 (0x00000000);last error msg=The operation 
>> completed successfully.
>>
>>  
>>
>> func=xmlSecEncCtxDecryptToBuffer:file=..\src\xmlenc.c:line=643:obj=unknown:subj=xmlSecEncCtxEncDataNodeRead:error=1:xmlsec 
>> library function failed: ;last error=0 (0x00000000);last error 
>> msg=The operation completed successfully.
>>
>>  
>>
>> func=xmlSecEncCtxDecrypt:file=..\src\xmlenc.c:line=582:obj=unknown:subj=xmlSecEncCtxDecryptToBuffer:error=1:xmlsec 
>> library function failed: ;last error=0 (0x00000000);last error 
>> msg=The operation completed successfully.
>>
>>  
>>
>> Error: failed to decrypt file
>>
>> Error: failed to decrypt file 
>> "inout/encrypted-3des-kt-rsa-cert-Entrust.xml"
>>
>>  
>>
>>  
>>
>>
>> --
>> No virus found in this outgoing message.
>> Checked by AVG Free Edition.
>> Version: 7.1.405 / Virus Database: 268.12.4/448 - Release Date: 9/14/2006
>>
>>
>> --
>> No virus found in this outgoing message.
>> Checked by AVG Free Edition.
>> Version: 7.1.405 / Virus Database: 268.12.4/448 - Release Date: 9/14/2006
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>   
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>

-------------- next part --------------
Skipped content of type multipart/related

More information about the xmlsec mailing list