
CryptoAPI, Signing data with SmartCards


Markus Stoeger

Apr 15, 2002, 3:12:59 PM
Hello,

I'm writing a program using the Windows CryptoAPI to create digital
signatures with smart cards.

I have two smart card readers,
a 'Compaq Basic Serial Smart Card Reader'
and an 'Omnikey Cardman 2020 USB'.

The problem is that the signatures created with the Omnikey reader cannot
be verified.

I'm confused because the only difference is the smart card reader. The
program used for signing/verifying and the smart card are the same.

I don't know where to start searching for the error. Hardware or software?
I'd be thankful for any suggestions helping me to figure out what's wrong!


The signing and verification routines work like that:

Signing:

CryptAcquireContext(...) -- get a handle to the key container within the CSP.
-- The container name is either
-- \\.\COMPAQ Basic Serial Smart Card Reader 0\
-- or \\.\OMNIKEY Cardman 2020 0\
-- depending on the connected smart card reader.

CryptCreateHash(...) -- create the SHA-1 hash of the data to be signed
CryptHashData(...)

CryptSignHash(...) -- create the signature using the generated hash


Verification:

... -- read the smart card's public key from a
-- central database

CryptAcquireContext(...) -- "Import" the public key to get a key handle of
CryptImportKey(...) -- the key used to verify the message

CryptCreateHash(...) -- create the SHA-1 hash of the data to be
CryptHashData(...) -- verified

CryptVerifySignature(...) -- verify the signature using the generated hash
-- and the provided public key


CryptVerifySignature() always fails with the error "NTE_BAD_SIGNATURE" when
the Omnikey reader is used.


I tend to believe that this is a software rather than a hardware problem. If
someone would like to take a look at the C source code of an example program
I can upload it to a website or send it by email.

thanks for any suggestions,
Markus
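The sign-then-verify round trip outlined above, as an added example in PowerShell (not the poster's C program) that drives the same CSP through .NET's RSACryptoServiceProvider wrapper and then verifies with nothing but the exported public key, the way the "central database" path does. It assumes Windows PowerShell 5.1, a CSP-backed (not CNG) key, and takes the first CurrentUser\My certificate that has a private key; the payload is a constructed sample.

```powershell
# Added example, not code from the thread. Pick the smart card certificate;
# the selection rule (first cert with a private key) is an assumption.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key found in CurrentUser\My' }

# The private key object is bound to the CSP and key container the card lives in,
# i.e. the same provider/container pair CryptAcquireContext would open.
$rsa  = [System.Security.Cryptography.RSACryptoServiceProvider]$cert.PrivateKey
$info = $rsa.CspKeyContainerInfo
"Provider : $($info.ProviderName)"
"Container: $($info.KeyContainerName)"
"Hardware : $($info.HardwareDevice)"

# Expired certificates are the trigger reported later in this thread, so flag them.
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter)"
}

# Sign: SHA-1 over the data, RSA PKCS#1 v1.5 performed by the card
# (CryptCreateHash/CryptHashData/CryptSignHash underneath).
$data = [System.Text.Encoding]::UTF8.GetBytes('constructed sample payload')
$sig  = $rsa.SignData($data, 'SHA1')
# Note: .NET returns the signature big-endian; raw CryptSignHash output is the
# same bytes in reverse order, so reverse before comparing with the C program.

# Verify with the PUBLIC key only, in a fresh software-only RSA object. This is
# the equivalent of CryptImportKey of a PUBLICKEYBLOB + CryptVerifySignature,
# so a failure here points at the card/CSP/reader, not at the verifier code.
$pub      = $rsa.ExportParameters($false)   # modulus and exponent only
$verifier = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
$verifier.ImportParameters($pub)
$ok = $verifier.VerifyData($data, 'SHA1', $sig)
"Signature verifies with exported public key: $ok"
```

Run it once per reader with the same card; if one reader yields $false while the other yields $true, the defect is below the verifying program.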

Tom Sarai

Apr 16, 2002, 4:54:51 AM
Markus Stoeger <cra...@microsuxx.com> wrote in message news:<slrnabm9gr....@scotty.blackhole>...


Hi Markus

For me both readers worked fine. Send the code.
Tom

Daniel James

Apr 16, 2002, 5:54:29 AM
In article <slrnabm9gr....@scotty.blackhole>, Markus
Stoeger wrote:
> I have two smart card readers,
> a 'Compaq Basic Serial Smart Card Reader'
> and an 'Omnikey Cardman 2020 USB'.
>
> The problem is that the signatures created with the Omnikey
> reader can not
> be verified.

[Followups ignored]

There is more at play here than just the type of smartcard
reader. What kind of card are you using? Is it the same card with
each reader? What CSP are you using?

I suspect that the 'Omnikey Cardman 2020 USB' cardreader is a
rebadged Utimaco Cardman 2020. I have no experience with this
reader, but I have found in the past that one of Utimaco's serial
(not USB) Cardman readers had a hardware limitation that meant
that only about 50 bytes of data could be transferred in a single
APDU. Try to send any more and the data would be silently
corrupted and no error reported. This was some time ago and I
expect the newer Cardman readers have had this limitation removed
- but you should not rule out a hardware error or limitation as a
possible cause of your problem.

Cheers,
Daniel.

Markus Stoeger

Apr 18, 2002, 4:39:58 PM
In article <VA.0000069...@nospam.demon.co.uk>, Daniel James wrote:
> There is more at play here than just the type of smartcard
> reader. What kind of card are you using? Is it the same card with
> each reader? What CSP are you using?

The card was the same with every reader. It's some Infineon SLEx card
with their SiCrypt CSP (www.infineon.com/sicrypt/).

I have found out something new yesterday. The Cardman 2020 only produces
invalid signatures when the certificate on the smart card has expired. I
have tested it with two other cards that have valid certificates. They
work with both readers. So both readers produce the same signatures when
the cards contain valid certificates, but if a certificate is expired
the Cardman 2020 produces different output than the Compaq.

I know invalid certificates shouldn't be used to create signatures
anyway, yet I don't understand (and would like to figure out) why the
mere replacement of the smartcard reader can produce different results.

If this is a hardware problem with Cardman readers (50 byte limitation
or similar), is there some easy way I could verify this?

thanks for your time,
Max

josemg

May 24, 2002, 8:03:43 AM
Hi. I'm making the same program that you are doing and
I have some questions.
Signing question:
1- In the code I found in Microsoft in some place appears
something about the certificates. I don't understand why
we don't use certificates in any place to sign a document.
2- When I write in a file the signature I don't know if I
have to write it binary or hexadecimal. I have some signed
files and I double-click on them and a special window
appears.


thanks
If you have an example please send it to me. I'll take a
look and find where my problem is.



Daniel Sie [MS]

May 24, 2002, 7:35:28 PM
Can you be more specific? Which code sample were you referring to? What are
you signing (data or executable)? What do you mean "special window appear"?

Thanks.

--
Daniel Sie [MS]

This posting is provided "AS IS" with no warranties, and confers no rights.


"josemg" <ea...@gisa.es> wrote in message
news:6cae01c2031b$0cb7af00$a5e62ecf@tkmsftngxa07...

josemg

May 27, 2002, 5:20:55 AM
We want to sign files (data files) with SmartCards. We
want to generate a PKCS #7 file with the signature of the
file.
I explain to you what we are doing and please tell me if
we make it right or we have to do something else.

Functions we call
CryptAcquireContext(...) We acquire the context.
CryptGetUserKey(...)
CryptExportKey(...)
CryptCreateHash(...)
CryptHashData(...)
CryptSignHash(...)
Now we have the signature of the file, and we thought
that's what we want. We want a PKCS #7 file to store the signature
of this file. I don't know if I have to use the Encoding and
Decoding functions because all of them use a PKCS #7
structure.
If you want the code I generate, I can send it to you and
tell me what else I need.

Thanks


Daniel Sie [MS]

May 28, 2002, 10:24:33 PM
You should use the messaging APIs to generate a PKCS 7 message. Please take a
look at the CryptMsgXXX group of APIs or the equivalent high level messaging
APIs, such as CryptSignMessage.

Thanks,

--
Daniel Sie [MS]

This posting is provided "AS IS" with no warranties, and confers no rights.


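The CryptSignMessage route suggested above, as an added example in PowerShell (not from the thread) using .NET's SignedCms, which sits on the same CryptMsg APIs and produces a detached PKCS #7 signature with the smart card's certificate embedded, so the verifier needs no separate key lookup. It assumes Windows PowerShell 5.1, the first CurrentUser\My certificate with a private key, and an input path of C:\data\contract.pdf.

```powershell
# Added example, not code from the thread. Paths and cert selection are assumptions.
Add-Type -AssemblyName System.Security

$path = 'C:\data\contract.pdf'   # assumed input file
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw 'No signing certificate with a private key found' }

$bytes   = [System.IO.File]::ReadAllBytes($path)
$content = [System.Security.Cryptography.Pkcs.ContentInfo]::new($bytes)

# Detached = $true: the .p7s carries the signature and the signer certificate
# but not the data, matching CryptSignMessage with fDetachedSignature = TRUE.
$cms    = [System.Security.Cryptography.Pkcs.SignedCms]::new($content, $true)
$signer = [System.Security.Cryptography.Pkcs.CmsSigner]::new($cert)
$signer.IncludeOption = [System.Security.Cryptography.X509Certificates.X509IncludeOption]::EndCertOnly
$cms.ComputeSignature($signer)          # the card performs the RSA operation here

# The encoded message is DER, so it is written as binary, never as hex text.
[System.IO.File]::WriteAllBytes("$path.p7s", $cms.Encode())

# Verification side: re-attach the original data, then decode the signature blob.
$check = [System.Security.Cryptography.Pkcs.SignedCms]::new($content, $true)
$check.Decode([System.IO.File]::ReadAllBytes("$path.p7s"))
try {
    # $true  = cryptographic check only (hash + RSA against the embedded cert)
    $check.CheckSignature($true)
    'Signature OK (cryptographic check only)'
    # $false = also builds and validates the signer chain; an expired
    # certificate like the one discussed in this thread fails here.
    $check.CheckSignature($false)
    'Signer certificate chain OK'
} catch {
    "Verification failed: $($_.Exception.Message)"
}
```

Running the two CheckSignature calls separately tells you whether a rejected file has a bad signature or merely an untrusted or expired signer.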