
List:       ms-cryptoapi
Subject:    Verification of ActiveX controls using CSPs
From:       Rasmus Faber Larsen <Rasmus.Faber () CRYPTOMATHIC ! COM>
Date:       2001-10-16 9:00:57


Hi,

While testing our software CSP I have run into some small problems.
When viewing a page containing ActiveX controls (e.g.
http://www.microsoft.com/msdownload/platformsdk/sdkupdate/update.htm) from
Internet Explorer, the CPVerifySignature function is called.
Unfortunately the signature to be verified (an MD5 RSA signature) does not
contain an OID, and the CRYPT_NOOID flag is not set.
It has previously been reported that the Microsoft CSPs have a security
flaw, in that they will accept signatures without an OID as valid (even
though CRYPT_NOOID is not set); but should it be necessary to emulate
this behaviour in order to work with the CryptoAPI?

If it can be of any use, here is the stack trace while calling
CPVerifySignature with the bad signature:
CPVerifySignature(unsigned long * 0x02a81370, unsigned long * 0x02a770e0,
const unsigned char * 0x024deee8, unsigned long 256, unsigned long *
0x02a87a60, const unsigned short * 0x02509490, unsigned long 0) line 1316
ADVAPI32! 4c308b5b()
ADVAPI32! 4c308c49()
CRYPT32! 5cf32658()
CRYPT32! 5cf3432e()
SOFTPUB! 47a88a19()
SOFTPUB! 47a88407()
WINTRUST! 47605e12()
SDKINST! 0232f5e2()
SDKINST! 0232f6a5()
SDKINST! 0232efb6()
MSHTML! 70c5a3d0()
MSHTML! 70d19caa()
MSHTML! 70cdb7e2()
MSHTML! 70cdb71d()
JSCRIPT! 712d86e3()
JSCRIPT! 71328838()

Best regards,
Rasmus Faber Larsen.

Systems Engineer                CRYPTOMAThIC A/S
Rasmus Faber Larsen             Kannikegade 14, 3.
Tel:    +(45) 86 13 90 20       DK-8000 Aarhus C
Direct: +(45) 86 76 22 85       Denmark
Fax:    +(45) 86 20 29 75
Web:    http://www.cryptomathic.com
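The two signature encodings contrasted in the message above, as an added example that is not part of the original post and not code from any CSP: a PKCS#1 v1.5 signer that emits either the standard DigestInfo form (hash OID plus digest) or the OID-less form (bare MD5 digest), and a verifier with a `no_oid` parameter standing in for CRYPT_NOOID. The `lenient` switch models only the accept-either behaviour the message attributes to the Microsoft CSPs; it is not their code. The RSA key is a constructed toy built from two Mersenne primes (trivially factorable, for illustration only), the signature is big-endian, whereas CryptoAPI passes RSA signature blobs little-endian, and the sample message bytes are made up.

```python
import hashlib
from typing import Optional

# Constructed toy key: Mersenne primes 2^127-1 and 2^521-1 (NOT secure; demo only).
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (81 here)

# DER prefix of DigestInfo{ md5, NULL, OCTET STRING(16) } from RFC 3447 section 9.2.
MD5_DIGESTINFO_PREFIX = bytes.fromhex("3020300c06082a864886f70d020505000410")


def _pad(t: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 T, with at least 8 bytes of FF."""
    if len(t) > K - 11:
        raise ValueError("payload too long for modulus")
    return b"\x00\x01" + b"\xff" * (K - 3 - len(t)) + b"\x00" + t


def _rsa_sign_encoded(em: bytes) -> bytes:
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def sign_with_oid(msg: bytes) -> bytes:
    """Standard PKCS#1 v1.5 signature: T is the full DigestInfo (OID + digest)."""
    return _rsa_sign_encoded(_pad(MD5_DIGESTINFO_PREFIX + hashlib.md5(msg).digest()))


def sign_without_oid(msg: bytes) -> bytes:
    """OID-less form: T is the bare 16-byte MD5 digest, nothing else."""
    return _rsa_sign_encoded(_pad(hashlib.md5(msg).digest()))


def _recover_t(sig: bytes) -> Optional[bytes]:
    """Apply the public key and strip the padding; None if the padding is malformed."""
    if len(sig) != K:
        return None
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return None
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    # Require the 8-byte minimum PS and the 00 separator before T.
    if i < 10 or i >= len(em) or em[i] != 0x00:
        return None
    return em[i + 1:]


def verify(msg: bytes, sig: bytes, no_oid: bool, lenient: bool = False) -> bool:
    """
    no_oid  -- caller set CRYPT_NOOID: T must be the bare digest.
    lenient -- accept either encoding whatever no_oid says (the accept-both
               behaviour the message describes; modelled here, not real CSP code).
    """
    t = _recover_t(sig)
    if t is None:
        return False
    h = hashlib.md5(msg).digest()
    bare = t == h
    with_oid = t == MD5_DIGESTINFO_PREFIX + h
    if lenient:
        return bare or with_oid
    return bare if no_oid else with_oid


if __name__ == "__main__":
    m = b"constructed sample: bytes of a signed ActiveX control"
    s_oid, s_bare = sign_with_oid(m), sign_without_oid(m)
    print("strict, DigestInfo sig      :", verify(m, s_oid, no_oid=False))
    print("strict, bare-hash sig       :", verify(m, s_bare, no_oid=False))
    print("CRYPT_NOOID, bare-hash sig  :", verify(m, s_bare, no_oid=True))
    print("lenient, bare-hash sig      :", verify(m, s_bare, no_oid=False, lenient=True))
```

The strict verifier rejects the bare-hash signature unless the caller asked for it with `no_oid`, which is the distinction that matters: a verifier that takes either encoding regardless of the flag no longer binds the signature to the hash algorithm the signer intended. A verifier exercising the `lenient` path should also keep the padding checks in `_recover_t` intact, since dropping the separator or minimum-PS checks is a separate and well-known way to weaken PKCS#1 v1.5 verification.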


