
How to know what key pair to use when CPSignHash is called

Asked By Lagar
19-Nov-09 06:15 AM
Hi all,

when Microsoft Word wants to sign a document with a custom CSP, it calls
CPImportKey in the default KeyContainer, so the CSP knows exactly which key
is being used to make the signature.

However, for example in Adobe Acrobat or Internet Explorer the sequence of
calls is similar to:

CPAcquireContext with default key container
CPGetUserKey with AT_SIGNATURE
CPGetProvParam
CPCreateHash
CPSetHashParam
CPSignHash

My CSP has more than one key pair associated with the user, so my question is:
how is it possible to know which key these applications are willing to use?

Maybe I am misunderstanding some CSP concept....

Lagar replied to Lagar
19-Nov-09 06:27 AM
In a similar case, when calling CryptDecrypt function, it is said that a key
obtained from CryptGenKey or CryptImportKey must be passed as a parameter.

This is not happening when calling to CryptSignHash function. Why? :S

Mounir IDRASSI replied to Lagar
19-Nov-09 11:26 AM
Hi,

In your implementation of CryptSignHash, you will pick the right key using
the value of the parameter dwKeySpec: if it is AT_KEYEXCHANGE, then you will
use the exchange key that resides on the current container associated with the
hProv parameter, and if it is AT_SIGNATURE, you will use the signature key
that resides on the current container associated with the hProv parameter.

I hope this clarifies things to you.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

To reach me: mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)

Lagar replied to Mounir IDRASSI
20-Nov-09 04:22 AM
I understand that, but I have two available AT_SIGNATURE key pairs
associated with my CSP, and when I am requested to sign a hash I do not know
which one to use.

I thought that maybe I could know it by the key container requested in the
hProv parameter, but whatever cert I use, I am always requested for the
default key container.

Just to clarify the situation, I have two (or more) certificates installed
on the machine and associated with my CSP. So when an application tries to sign
a document using any of those certs, my CSP is called, but I do not know which
certificate to use except in the case of Microsoft Word (as Word calls
CPImportKey with the proper public key).
Mounir IDRASSI replied to Lagar
20-Nov-09 09:34 AM
Hi,

You can not have two AT_SIGNATURE keys in one container. A container can
have only one AT_SIGNATURE key and one AT_KEYEXCHANGE key.
So, if your smart card contains two signature keys, you must expose two CSP
containers, one for each key, and each container will have a different name.
This is the first thing to do.

Concerning the default container, this is a notion that is merely used by
smart card logon scenarios under Windows 2000/XP where Winlogon acquires a
context on the default container in order to access the logon certificate and
the associated key. This default container is a logical container that is
mapped by the CSP to the right physical container depending on various
criteria.

For most other applications that use smart cards, they do not call CSPs
directly because they simply do not have any idea about them. In almost
all cases, an application looks into the Internet Explorer "MY" Certificate
Store in order to find the certificate it needs and from that it will call
CryptAcquireCertificatePrivateKey in order to get a context on the CSP
associated with this certificate for doing cryptographic operations.
It is the responsibility of the CSP provider to ensure that each time a
smart card is inserted, all the certificates present on the card are
correctly exported to the IE "MY" Certificate Store and that the
CERT_KEY_PROV_INFO_PROP_ID property of each certificate context contains the
right information about the CSP and the container name and its key specifier.

I hope this gives you more clues about the internals of Crypto API.
Starting from here, your CSP should, for your card, export two named
containers, and you have to choose which one of them will be the default one.
Also, you will have to ensure that the content of your card is correctly
synchronized with the IE "MY" Certificate Store.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

To reach me: mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
lelteto replied to Lagar
20-Nov-09 11:33 AM
As Mounir said you need two containers. Note that when you "associate" a
certificate with a CSP you associate it with a specific container of that
CSP. So once you created the two containers you have to go back and
re-associate the certificates with the proper container names. After that
this should work, as now when your CSP is called with CPAcquireContext the
appropriate container name will also be present (as a function parameter) and
you will know which AT_SIGNATURE key to use.

Laszlo Elteto
SafeNet, Inc.
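To tie together Mounir's two replies and Laszlo's point above, here is an added example that is not code from the thread or from any real CSP: a small C model, buildable without the Windows SDK, of how a CSP resolves the key from the two values CryptoAPI actually hands it, the container name passed to CPAcquireContext and the dwKeySpec passed to CPSignHash. AT_KEYEXCHANGE and AT_SIGNATURE carry their real wincrypt.h values (1 and 2); the card layout, container names, key labels, the provider name and the key_prov_info_t stand-in for CRYPT_KEY_PROV_INFO are all constructed assumptions for illustration.

```c
/* Added example (not from the thread or any real CSP): a model of how a CSP
 * maps (container name, dwKeySpec) to an on-card key. Only AT_KEYEXCHANGE and
 * AT_SIGNATURE are real wincrypt.h values; everything else is constructed. */
#include <stdio.h>
#include <string.h>

#define AT_KEYEXCHANGE 1
#define AT_SIGNATURE   2
#define MAX_CONTAINERS 4

/* One CSP container: at most one key per key spec, as Mounir states. */
typedef struct {
    const char *name;
    const char *key_label[3];   /* indexed by dwKeySpec; NULL = slot empty */
} container_t;

/* The CSP's view of one inserted card (constructed layout). */
typedef struct {
    container_t containers[MAX_CONTAINERS];
    int count;
    int default_index;          /* physical container the "default" maps to */
} csp_card_t;

/* Simplified stand-in (assumption) for CRYPT_KEY_PROV_INFO, the record a CSP
 * stores under CERT_KEY_PROV_INFO_PROP_ID on each certificate it exports. */
typedef struct {
    const char *container_name;
    const char *prov_name;
    int key_spec;
} key_prov_info_t;

/* Create a named container; returns its index, or -1 if full or duplicate. */
int csp_create_container(csp_card_t *card, const char *name) {
    if (card->count >= MAX_CONTAINERS) return -1;
    for (int i = 0; i < card->count; i++)
        if (strcmp(card->containers[i].name, name) == 0) return -1;
    container_t *c = &card->containers[card->count];
    c->name = name;
    c->key_label[0] = c->key_label[1] = c->key_label[2] = NULL;
    return card->count++;
}

/* Place an on-card key in a container slot. A second key with the same
 * dwKeySpec in the same container is refused: that is the thread's root cause. */
int csp_add_key(csp_card_t *card, int idx, int keyspec, const char *label) {
    if (idx < 0 || idx >= card->count) return -1;
    if (keyspec != AT_KEYEXCHANGE && keyspec != AT_SIGNATURE) return -1;
    if (card->containers[idx].key_label[keyspec] != NULL) return -1;
    card->containers[idx].key_label[keyspec] = label;
    return 0;
}

/* CPAcquireContext: a NULL or empty name means the logical default container,
 * which the CSP maps to one physical container; otherwise look up by name.
 * The returned index plays the role of hProv; -1 stands for NTE_BAD_KEYSET. */
int csp_acquire_context(const csp_card_t *card, const char *name) {
    if (name == NULL || name[0] == '\0') return card->default_index;
    for (int i = 0; i < card->count; i++)
        if (strcmp(card->containers[i].name, name) == 0) return i;
    return -1;
}

/* CPSignHash: the key is fully determined by (hProv, dwKeySpec). */
const char *csp_sign_hash_key(const csp_card_t *card, int hprov, int keyspec) {
    if (hprov < 0 || hprov >= card->count) return NULL;
    if (keyspec != AT_KEYEXCHANGE && keyspec != AT_SIGNATURE) return NULL;
    return card->containers[hprov].key_label[keyspec];
}

/* The property the CSP should attach to a key's certificate so that
 * CryptAcquireCertificatePrivateKey opens the right container and key spec. */
key_prov_info_t csp_prov_info_for(const csp_card_t *card, int idx, int keyspec) {
    key_prov_info_t info = { card->containers[idx].name, "Example CSP", keyspec };
    return info;
}

/* Constructed scenario from the thread: a card holding two signature keys,
 * each exposed through its own named container. Returns 0 on success. */
int build_two_signature_card(csp_card_t *card) {
    card->count = 0;
    int a = csp_create_container(card, "SigContainerA");
    int b = csp_create_container(card, "SigContainerB");
    if (a < 0 || b < 0) return -1;
    if (csp_add_key(card, a, AT_SIGNATURE, "card-key-A") != 0) return -1;
    if (csp_add_key(card, b, AT_SIGNATURE, "card-key-B") != 0) return -1;
    card->default_index = a;    /* the CSP author chooses which is default */
    return 0;
}

int main(void) {
    csp_card_t card;
    if (build_two_signature_card(&card) != 0) return 1;
    /* Keeping both signature keys in one container is refused. */
    printf("second AT_SIGNATURE in one container: %s\n",
           csp_add_key(&card, 0, AT_SIGNATURE, "card-key-B") == 0 ? "accepted" : "refused");
    /* An application that read CERT_KEY_PROV_INFO_PROP_ID from cert B
     * acquires "SigContainerB" and signs with key B. */
    key_prov_info_t info = csp_prov_info_for(&card, 1, AT_SIGNATURE);
    int hprov = csp_acquire_context(&card, info.container_name);
    printf("CPSignHash on %s with dwKeySpec=%d uses %s\n", info.container_name,
           info.key_spec, csp_sign_hash_key(&card, hprov, info.key_spec));
    return 0;
}
```

The refusal in csp_add_key is the thread's problem in code form: with both signature keys forced into one container, CPSignHash has nothing to tell them apart. Once each key lives in its own named container and the certificate's CERT_KEY_PROV_INFO_PROP_ID names that container, CryptAcquireCertificatePrivateKey hands the CSP the right container name in CPAcquireContext, and dwKeySpec alone is enough to select the key in CPSignHash.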
Lagar replied to lelteto
23-Nov-09 07:38 AM
Thank you!!

I was missing exactly that point.