
List:       ms-cryptoapi
Subject:    Re: IE 5.5 cannot use AT_SIGNATURE key for ClientAuth on 95/NT
From:       John Banes <jbanes () WINDOWS ! MICROSOFT ! COM>
Date:       2002-08-21 18:43:09


This is a known issue. When signing the certificate_verify message, old
versions of schannel.dll didn't know what type of key was being used
(don't ask) and so it would first try to sign using AT_KEYEXCHANGE, and
if this failed then it would fall back to using AT_SIGNATURE. Your CSP
should just fail the CPSignHash call when the wrong key is used, and
then things should get back on track.

Regards,
John

-----Original Message-----
From: Hans Schupp [mailto:schupp@SECUDE.COM]
Sent: Wednesday, August 21, 2002 6:07 AM
To: CryptoAPI@DISCUSS.MICROSOFT.COM
Subject: IE 5.5 cannot use AT_SIGNATURE key for ClientAuth on 95/NT


Hi,

While testing some strange behaviour, which seemed to be caused by my
own CSP, I stumbled over something which I think is a bug in
Internet Explorer (or one of its components).

When I try to do SSL with ClientAuthentication with Internet Explorer 5.5
on Windows 95 or Windows NT 4.0 (SP6a), I cannot use a certificate for
which the key is stored in the AT_SIGNATURE slot of any CSP (doesn't
even work with the MS Enhanced CSP).

Both mentioned systems have an schannel.dll version 5.00.1877.6
installed. On my Windows 2000 system (schannel.dll version 5.1.2195.0)
this problem doesn't exist.

Detailed description:

In the "MY" certificate store I have installed the KeyExchange and the
Signature certificate of my smartcard. They are stored in the same
container of the CSP, the first uses AT_KEYEXCHANGE and the other
AT_SIGNATURE as dwKeySpec (in the CERT_KEY_PROV_INFO_PROP_ID property of
the certificate context).

When I open the https page (with ClientAuth) in IE and select the
Signature certificate in the subsequent dialog box, my CSP is asked to
perform a signature, but is passed AT_KEYEXCHANGE as dwKeySpec (so that
the digital signature doesn't fit the selected certificate). On W2k I
get a proper request for AT_SIGNATURE at this point.

Has anybody else experienced this problem before?
Can anyone from Microsoft confirm this to be a problem?

I know that Windows 95 is not officially supported anymore, but NT4 is
also affected by this problem.

regards, Hans Schupp

----------------------------------------------------------------
Users Guide http://discuss.microsoft.com/archives/mailfaq.asp
contains important info. Save time, search the archives at
http://discuss.microsoft.com/archives/index.html . To unsubscribe,
mailto:CryptoAPI-signoff-request@DISCUSS.MICROSOFT.COM
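
The fallback order described in the reply, as an added example that is not part of either message and is not Microsoft's or the poster's code: a portable C model (no CryptoAPI calls) showing which key ends up signing when the caller tries AT_KEYEXCHANGE first. The container struct, the per-slot may-sign policy used to decide what "the wrong key" is, and all function names are hypothetical; the AT_* and NTE_* values are the standard wincrypt.h/winerror.h constants.

```c
#include <stdint.h>

/* Values as defined in wincrypt.h / winerror.h, repeated so the model builds off Windows. */
#define AT_KEYEXCHANGE 1u
#define AT_SIGNATURE   2u
#define NTE_NO_KEY     0x8009000Du  /* key does not exist */
#define NTE_PERM       0x80090010u  /* access denied */

/* Hypothetical model of one CSP key container: index 0 unused, 1 and 2 are the key specs. */
typedef struct {
    int present[3];   /* is a key pair stored in this slot? */
    int may_sign[3];  /* assumed CSP policy: may this slot sign hashes? */
} container_t;

/* Stand-in for the decision a CSP makes in CPSignHash; returns 0 on success. */
static uint32_t model_sign_hash(const container_t *c, uint32_t keyspec)
{
    if (keyspec != AT_KEYEXCHANGE && keyspec != AT_SIGNATURE) return NTE_NO_KEY;
    if (!c->present[keyspec]) return NTE_NO_KEY;
    if (!c->may_sign[keyspec]) return NTE_PERM;  /* fail the call for the wrong key */
    return 0;
}

/* Old schannel.dll order as described in the reply: AT_KEYEXCHANGE first,
 * AT_SIGNATURE only if that fails. Returns the key spec that signed, 0 if none. */
static uint32_t legacy_client_sign(const container_t *c)
{
    static const uint32_t order[] = { AT_KEYEXCHANGE, AT_SIGNATURE };
    for (unsigned i = 0; i < 2; i++)
        if (model_sign_hash(c, order[i]) == 0)
            return order[i];
    return 0;
}

/* Constructed containers: the first two have both slots populated, as in the thread. */
static const container_t permissive = { {0, 1, 1}, {0, 1, 1} };  /* signs with any slot */
static const container_t strict     = { {0, 1, 1}, {0, 0, 1} };  /* refuses AT_KEYEXCHANGE */
static const container_t sig_only   = { {0, 0, 1}, {0, 0, 1} };  /* only AT_SIGNATURE stored */

int main(void)
{
    /* Signature certificate selected: only an AT_SIGNATURE result matches it. */
    int ok = legacy_client_sign(&permissive) == AT_KEYEXCHANGE  /* the mismatch reported */
          && legacy_client_sign(&strict) == AT_SIGNATURE
          && legacy_client_sign(&sig_only) == AT_SIGNATURE;
    return ok ? 0 : 1;
}
```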
