Re: WinCE 5.0 Web server SSL certificate problem

Yes! It works now!

That "Couldn't export key" message triggered something in my memory, so I
went back and looked at my PFXImportCertStore call, and sure enough, there is
a flag CRYPT_EXPORTABLE which I did not set. Once I set this flag, https
starts up and I am able to access the web site!

Thank you very much John for sticking with me and following up with others
when our first few tries failed. And thanks Ganapathy for the hint with
schannel! John had mentioned it, but for some reason I couldn't get it to
spew anything out until your email.

Michael
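
For anyone hitting the same failure chain, here is a small triage script for schannel/HTTPD debug-zone output of the kind quoted below. It is an added example, not code from this thread: it parses the trace line format, decodes the two HRESULTs that appear in the trace (0x8009000b and 0x8009030d; their symbolic names NTE_BAD_KEY_STATE and SEC_E_UNKNOWN_CREDENTIALS are the standard Windows SDK values, not something the thread states), and maps the "Couldn't Export Key" line to the root cause found here, a private key imported without CRYPT_EXPORTABLE. The sample trace is constructed from the lines quoted below with the wrapped lines rejoined.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, shaped like the schannel/HTTPD debug-zone trace quoted
# in the thread (wrapped lines rejoined; the values are the thread's own).
SAMPLE_LOG = """\
4294882427 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Container:9E3FD72A-BFA1-07C3-7DEA-AB4B71CFFD70
4294882428 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Provider: Microsoft Base Cryptographic Provider v1.0
4294882431 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Flags: 0x00000000
4294882511 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Couldn't Export Key 8009000b
4294882512 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:BEGIN:SPDeleteCredential
4294882516 PID:61dd1026 TID:41cc9206 0x81cc9b24: HTTPD: AcquireCredentialsHandle failed, no SSL will be performed. Error = 0x8009030d
"""

# One trace line: tick PID TID address: COMPONENT:message
LINE_RE = re.compile(
    r"^(?P<tick>\d+)\s+PID:(?P<pid>[0-9a-f]+)\s+TID:(?P<tid>[0-9a-f]+)\s+"
    r"0x[0-9a-f]+:\s*(?P<comp>[A-Z]+):\s*(?P<msg>.*)$"
)
# An 8-digit hex status, with or without 0x, not followed by more hex or '-'
# (so the GUID-style key container name is not mistaken for a status code).
HRESULT_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{8})(?![0-9a-fA-F-])")
ERROR_WORDS = re.compile(r"couldn't|could not|failed|error", re.IGNORECASE)

# The two codes seen in the thread; names are the standard Windows SDK values.
KNOWN = {
    0x8009000B: "NTE_BAD_KEY_STATE",
    0x8009030D: "SEC_E_UNKNOWN_CREDENTIALS",
}
FACILITY_SSPI = 9  # both NTE_* (CryptoAPI) and SEC_E_* (SSPI) codes use facility 9


@dataclass
class Finding:
    tick: int
    component: str
    hresult: int
    name: str
    message: str


def decode_hresult(hr: int) -> Tuple[bool, int, int, str]:
    """Split a 32-bit HRESULT into (is_failure, facility, code, symbolic name)."""
    failed = bool(hr & 0x80000000)
    facility = (hr >> 16) & 0x1FFF
    code = hr & 0xFFFF
    return failed, facility, code, KNOWN.get(hr, "UNKNOWN")


def parse_trace(text: str) -> List[Finding]:
    """Return one Finding per trace line that reports a failing status code."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not ERROR_WORDS.search(m["msg"]):
            continue
        h = HRESULT_RE.search(m["msg"])
        if not h:
            continue
        hr = int(h.group(1), 16)
        failed, _, _, name = decode_hresult(hr)
        if failed:
            findings.append(Finding(int(m["tick"]), m["comp"], hr, name, m["msg"]))
    return findings


def diagnose(findings: List[Finding]) -> Optional[str]:
    """Map the failure chain from the thread to its root cause, if present."""
    for f in findings:
        if (f.component == "SCHANNEL" and f.hresult == 0x8009000B
                and "export" in f.message.lower()):
            return ("schannel could not export the server private key "
                    "(NTE_BAD_KEY_STATE): the key is present but was imported "
                    "non-exportable; re-import the PFX with CRYPT_EXPORTABLE "
                    "set in the dwFlags of PFXImportCertStore")
    if any(f.hresult == 0x8009030D for f in findings):
        return ("AcquireCredentialsHandle returned SEC_E_UNKNOWN_CREDENTIALS; "
                "look at the SCHANNEL zone lines above it for the underlying key error")
    return None


if __name__ == "__main__":
    found = parse_trace(SAMPLE_LOG)
    for f in found:
        print(f"{f.tick} {f.component}: 0x{f.hresult:08X} {f.name}")
    print(diagnose(found))
```

The script keys on the SCHANNEL line rather than the later HTTPD line on purpose: the HTTPD failure (SEC_E_UNKNOWN_CREDENTIALS) is only the symptom, and without the schannel zone enabled it is all you would see.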


"Michael" wrote:

> Hi Ganapathy,
>
> Thanks for looking into this.
>
> Using control panel>Certificates GUI, I go to "MY" store, click on my
> certificate, then click on "Subject" in the left column, and it says on the
> right column: "US, CA, Esocon, Test, medmon-12345, mwang25@xxxxxxxxx". If I
> click on "Private Key", it says on the right column: "Present".
>
> I set the schannel debug zone both in the registry and command line, and now
> I'm able to see the zones (not sure why I couldn't before). Anyways, the
> line with "couldn't export key" looks interesting:
>
> SCHANNEL:BEGIN:SPInitSessionCache
> 4294882420 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Address space reserved for 50 cache entries.
> 4294882422 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:END Line 139
> 4294882424 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:BEGIN:SPCreateCredential
> 4294882424 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:BEGIN:SPFormatCredentials
> 4294882425 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:END Line 682
> 4294882427 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Container:9E3FD72A-BFA1-07C3-7DEA-AB4B71CFFD70
> 4294882428 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Provider: Microsoft Base Cryptographic Provider v1.0
> 4294882429 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:KeySpec:0x00000001
> 4294882430 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Type: 0x00000001
> 4294882431 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Flags: 0x00000000
> 4294882511 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:Couldn't Export Key 8009000b
> 4294882512 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:BEGIN:SPDeleteCredential
> 4294882513 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:END Line 463
> 4294882514 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:END Line 384
> 4294882515 PID:61dd1026 TID:41cc9206 0x81cc9b24: SCHANNEL:END Line 131
> 4294882516 PID:61dd1026 TID:41cc9206 0x81cc9b24: HTTPD: AcquireCredentialsHandle failed, no SSL will be performed. Error = 0x8009030d
>
> Here is the function that I wrote to import the .p12 cert+key to MY store.
> Maybe I'm not setting something correctly? I can also send you my .p12 key
> if you want.
>
> #include <windows.h>
> #include <wincrypt.h>
> #include <stdio.h>
> #include <tchar.h>
>
> /**
>  * Import the given PKCS12 buffer containing the device certificate and
>  * private key into the "MY" store. As a side effect, also return the
>  * SHA1 hash of the certificate.
>  * Return TRUE on success, FALSE on failure.
>  */
> BOOL
> PhysCertManager::addP12CertToMyStore(BYTE *p12Buf, DWORD p12BufLength,
>                                      const WCHAR *passwordW, BYTE *sha1HashBuf)
> {
>     HCERTSTORE hCertStore1, hCertStore2;
>     CRYPT_DATA_BLOB certBlob;
>     PCCERT_CONTEXT pCertContext = NULL;
>     BOOL rval = TRUE;
>
>     certBlob.pbData = p12Buf;
>     certBlob.cbData = p12BufLength;
>
>     if (PFXVerifyPassword(&certBlob, passwordW, 0)) {
>         printf("PhysCertManager: p12 password is good!\n");
>     }
>     else {
>         printf("PhysCertManager: password is bad!! Import will definitely fail!\n");
>         return FALSE;
>     }
>
>     // Is this just a temporary store?
>     // dwFlags is CRYPT_USER_KEYSET only; CRYPT_EXPORTABLE is not set here.
>     hCertStore1 = PFXImportCertStore(&certBlob, passwordW, CRYPT_USER_KEYSET);
>     if (hCertStore1 == NULL) {
>         // Report the Win32 error code, not the password pointer
>         wprintf(_T("PhysCertManager: PFXImportCertStore failed, lasterror=%d\n"),
>                 GetLastError());
>         return FALSE;
>     }
>
>     printf("PhysCertManager: User cert with key imported to tmp store!\n");
>
>     // Get the certificate context (first certificate in the temporary store)
>     pCertContext = CertEnumCertificatesInStore(hCertStore1, pCertContext);
>     if (pCertContext == NULL) {
>         printf("PhysCertManager: Could not enum cert context, abort\n");
>         CertCloseStore(hCertStore1, CERT_CLOSE_STORE_CHECK_FLAG);
>         return FALSE;
>     }
>
>     // Get the sha1 hash (SHA1_HASH_LENGTH, 20 bytes, is defined elsewhere in the class)
>     DWORD sha1HashBufLength = SHA1_HASH_LENGTH;
>     if (!CertGetCertificateContextProperty(pCertContext, CERT_HASH_PROP_ID,
>                                            sha1HashBuf, &sha1HashBufLength)) {
>         printf("PhysCertManager: get sha1 hash failed, lasterror=%d\n",
>                GetLastError());
>         CertFreeCertificateContext(pCertContext);
>         CertCloseStore(hCertStore1, CERT_CLOSE_STORE_CHECK_FLAG);
>         return FALSE;
>     }
>
>     // This just increments the reference count. The extra reference is never
>     // released, which is why the CERT_CLOSE_STORE_CHECK_FLAG close of the tmp
>     // store below reports CRYPT_E_PENDING_CLOSE.
>     CertDuplicateCertificateContext(pCertContext);
>
>     // Now open "MY" system cert store
>     HCRYPTPROV hCryptProvider = NULL;
>     hCertStore2 = CertOpenSystemStore(hCryptProvider, _T("MY"));
>     if (hCertStore2 != NULL) {
>         if (CertAddCertificateContextToStore(hCertStore2, pCertContext,
>                                              CERT_STORE_ADD_REPLACE_EXISTING,
>                                              NULL) == TRUE) {
>             printf("PhysCertManager: device cert+key added to MY store\n");
>         }
>         else {
>             printf("PhysCertManager: ERROR: Could not add device cert+key to MY store, lasterror=%d\n",
>                    GetLastError());
>             rval = FALSE;
>         }
>         if (!CertCloseStore(hCertStore2, CERT_CLOSE_STORE_CHECK_FLAG))
>             printf("PhysCertManager: ERROR: close of MY store failed, lasterror=%d\n",
>                    GetLastError());
>         else
>             printf("PhysCertManager: MY store closed.\n");
>     }
>     else {
>         printf("PhysCertManager: ERROR: Could not open MY store, lasterror=%d\n",
>                GetLastError());
>         rval = FALSE;
>     }
>
>     // The close of the tmp store always returns PENDING_CLOSE.
>     // I guess this is OK since the cert context still exists in MY store.
>     CertFreeCertificateContext(pCertContext);
>     if (!CertCloseStore(hCertStore1, CERT_CLOSE_STORE_CHECK_FLAG)) {
>         DWORD lasterror = GetLastError();
>         if (lasterror == CRYPT_E_PENDING_CLOSE) {
>             printf("PhysCertManager: close of tmp store returned pending close.\n");
>         }
>         else {
>             wprintf(_T("PhysCertManager: ERROR: close of tmp store failed, lasterror=%d\n"),
>                     lasterror);
>             rval = FALSE;
>         }
>     }
>     else {
>         wprintf(_T("PhysCertManager: tmp store closed.\n"));
>     }
>
>     return rval;
> }
>
>
> I think we are getting close!
>
> Michael
>
>
> "Ganapathy Raman (MS)" wrote:
>
> > Michael
> >
> > If you have a debug version of httpd, it is highly likely you have a debug
> > version of schannel.dll.
> > In the CE console, try 'gi proc' followed by 'zo m schannel.dll 0xffff' to
> > turn on all debug zones for schannel.
> >
> > Can you send the CertificateSubject value you are using?
> > Also, how did you verify the successful import of the .p12 (pfx) file,
> > especially proper import of the private key and not just the certificate?
> > Did you use the 'certificates' control panel applet and check for the
> > 'private key present' attribute?
> >
> > --
> > Ganapathy Raman
> > Program Manager, Windows CE Security
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
>