[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Problems using VeriSign trusted roots



I'm trying to use SFL with VeriSign trusted root certs, as obtained
from the Microsoft IE6.0 certificate database, via CAPI. Note
that the VeriSign certs use sha1RSA as the certificate signature
algorithm.

1. I do a CM session login:
    
    CM_CreateSessionExt(&CM_SessionID, &Settings)

   with all fields of Settings set to zero (including .trustedCerts)

2. I login to sm_free3 CTIL

    DLLfile = "sm_free3DLLd"
    string = "sm_Free3DLL NULL NULL NULL sm_Free"

3. I use AppLogin.FindCSInstAlgIds to check for support
    of various crypto algorithms, and have found the following
    to be available (after free3dll login): sha1, rsa (by themselves),
    sha1rsa, md2rsa, md5rsa, sha1 & rsa (in a single call). 
    md4rsa is NOT supported (even with login to capidll).

4. I open the "Root" certificate store with CertOpenSystemStore,
    then enumerate the certs with CertEnumCertificatesInStore
    (filtering for only ones from VeriSign), building an EncCert_LL
    linked list of the certs. I close the "Root" certificate store.

5. I  set these as the trust anchors with CM_SetTrustedCerts,
    but every one of them fails, with error 130 ("CM_NO_TOKENS_
    SUPPORT_CERT_SIG_ALG").

The certs (and the linked list) look fine in the debugger. The reported 
errors show the expected cert DNs.

I've tried the free3 CTIL login before & after the CM session login.

I've verified that it has found the hash algorithm to be sha1 (OID is
1.3.14.3.2.26) and enc. algorithm is RSA (1.2.840.113549.1.1.1),
just before it calls FindCSInstAlgIds (which returns "not supported")
These ARE supported individually and together in my test calls to
FindCSInstAlgs right after CTIL login to free3dll.

I've tried also logging into capidll, which doesn't appear to change
anything.

Loading the certs into certdb and doing a simple CM_CreateSession
results in the same error.

QUESTIONS:

Am I missing something? 

How do I use trust anchors with sha1RSA signatures? 

Is there some documentation somewhere on how to use the CTIL login? 

On how to create the structure required to specify the CTILs in the 
CM_CreateSession call?

I've checked the archives for anything about this with no luck.
Thanks in advance to anyone that will help.


Lawrence Hughes, InfoWeapons Inc. - lhughes@xxxxxxxxxxxxxxx