CA Service Management

Hello everybody. I build up a webservice using vbscript and C# to get information from a specific CHG or Incident. It all worked fine until a new policy came in to squash my work. I used the login constructor to authenticate (User and PW) but now I must use a PKI auth. I know I must use the loginservicemanaged constructor and I have the certificate (.p12) locally for testing. But I am unable to properly authenticate. It gives me the error "invalid login policy encryption".

Here it is the main code:

private string GetCertificado()

        {

            // Certificados X509 Versão 3

            string strPKI = string.Empty;

            X509Certificate2 objCertificado = null;

            X509Store localiz_certif = new X509Store(StoreName.Root, StoreLocation.LocalMachine);

            localiz_certif.Open(OpenFlags.ReadOnly);

                    //-> strNomeCert="CN=ServiceDesk ZDACPolicy"

            X509Certificate2Collection Resultado =

                    localiz_certif.Certificates.Find(X509FindType.FindByIssuerDistinguishedName, _strNomeCertif, true);

            if (Resultado.Count != 0)

            {

                objCertificado = Resultado[0];

                //strPKI = objCertificado.PrivateKey.ToXmlString(false);

                strPKI = Convert.ToBase64String(objCertificado.Export(X509ContentType.Cert), Base64FormattingOptions.None);

                localiz_certif.Close();

            }

            return strPKI;

        }

public int Ligar(string strCertifPKI)

        {

            string strSID;

            try

            {

                strSID = objCAWebService.loginServiceManaged ("ZDACPolicy", strCertifPKI);

                int intSID = int.Parse(strSID);

                return intSID;

            }

            catch (Exception erro)

            {

                Console.WriteLine(erro);

                return 0;

            }

        }

Has anyone implemented code using a PKI with the loginservicemanaged?

Thanks in advance.

Hi, basicaly what you need to do is to extract private key from certificate and sign policy name with it. I do not see this hapening in your code. Please use C:\CA\SDM\samples\sdk\websvc\java\test1_pki\USDWSUtil.java for the reference

Hello Gutis. I do not have CA installed in my local machine, therefore I cannot view the USDWSUtil.java reference. After the signing of the policy what I have to do next? Encode it with Base64?

Thanks for the reply.

Yes you need to encode it.

I have attached USDWSUtil.java for you.

I am going to try. Thanks

Hello Gutis - I cannot implement the code you provided because it is JAVA and I am coding in C#. However the code gave me some insight but I am getting an "Invalid Login Policy Encryption" error.

Here's my code (I can get the certificate that is stored):

1. private string GetCertificado(string strNCertif)
2.         {
3.        
4.             string strPKI = string.Empty;
6.             X509Store stoLocalizCertif = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
7.             stoLocalizCertif.Open(OpenFlags.ReadOnly);
9.             X509Certificate2Collection Resultado =
10.                     stoLocalizCertif.Certificates.Find(X509FindType.FindByIssuerDistinguishedName, strNCertif, true);
11.             if (!(Resultado.Count.Equals(0)))
12.             {
14.                 byte[] bytCertifValor = Resultado.Export(X509ContentType.Cert);
16.                 SHA1 objSHA1 = new SHA1CryptoServiceProvider();
17.                 var rsaCSP = new RSACryptoServiceProvider();
19.                 byte[] bytCodific = objSHA1.ComputeHash(bytCertifValor);
21.                 bytCodific = rsaCSP.SignHash(bytCodific, CryptoConfig.MapNameToOID("SHA1"));
23.                 strPKI = Convert.ToBase64String(bytCodific);
25.                 stoLocalizCertif.Close();
26.             }
27.             return strPKI;
28.         }
31. strSID = objCAWebService.loginServiceManaged ("xxxxPolicy", strCertifPKI);

Maybe you can help me out.

Hello, i am not programer, but i don't see where in your code you have extracted private key from the certificate. As far as i understand you exporting certificate from localMachine store, but i don't see where you extracting private key from the certificate using policy name as password.

You are right - I've changed the code a little but the error msg still maintains.

1. private string GetCertificado(string strNCertif)
2.         {
3.             string strPKI = string.Empty;
5.             X509Store stoLocalizCertif = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
6.             stoLocalizCertif.Open(OpenFlags.ReadOnly);
8.             X509Certificate2Collection Resultado =
9.                     stoLocalizCertif.Certificates.Find(X509FindType.FindByIssuerDistinguishedName, strNCertif, true);
10.             if (!(Resultado.Count.Equals(0)))
11.             {
13.                 X509Certificate2 objCertificado = Resultado[0];
14.                 RSACryptoServiceProvider objChvPrv = objCertificado.PrivateKey as RSACryptoServiceProvider;
16.                 byte[] bytCertifValor = Resultado.Export(X509ContentType.Cert);
17.                 byte[] bytAssinatura = objChvPrv.SignData(bytCertifValor, new SHA1Managed());
19.                 byte[] bytCodific = SHA1Managed.Create().ComputeHash(bytCertifValor);
20.                 RSAPKCS1SignatureFormatter objFormata = new RSAPKCS1SignatureFormatter(objCertificado.PrivateKey);
21.                 objFormata.SetHashAlgorithm("SHA1");
22.                 bytAssinatura = objFormata.CreateSignature(bytCodific);
24.                 strPKI = Convert.ToBase64String(bytAssinatura);
26.                 stoLocalizCertif.Close();
27.             }
28.             return strPKI;
29.         }

strSID = objCAWebService.loginServiceManaged ("xxxxPolicy", strCertifPKI);

From your code it seems that you are signing certificate itself instead of policy name

Thank you for your help and effort Gutis - I shall introspect and code accordingly.

Hello Gutis, I changed the code, tried to do what you had written, but to no avail. It still gives me "Invalid policy encription"...

• private string GetCertificado(string strNCertif)
•         {
•             //Certificado RSA PKCS#12 (.P12)
•             // RSA 1024bit | SHA1 Algoritmo
•             string strPKI = string.Empty;
•             var objAlgoritRSA = new RSACryptoServiceProvider(1024);
•             var stoLocalizCertif = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
•             stoLocalizCertif.Open(OpenFlags.ReadOnly);
•             X509Certificate2Collection ccolCertificado =
•                     stoLocalizCertif.Certificates.Find(X509FindType.FindByIssuerDistinguishedName, strNCertif, true);
•             stoLocalizCertif.Close();
•             if (!(ccolCertificado.Count.Equals(0)))
•             {
•                 X509Certificate2 objCertificado = ccolCertificado[0];
•                 //Chave Privada do Certificado
•                 RSACryptoServiceProvider rsaChvPrv = objCertificado.PrivateKey as RSACryptoServiceProvider;
•                 byte[] bytCertificado = ccolCertificado.Export(X509ContentType.Cert,"name_policy");
•                 byte[] bytAssinatura = rsaChvPrv.SignData(bytCertificado, CryptoConfig.MapNameToOID("SHA1"));
•                 strPKI = Convert.ToBase64String(bytAssinatura);
•             }
•             return strPKI;
•         }

I have found an old test executable that we used to test this method. Since i was not able to find source i have decompiled it. So project most probably will not compile but it will give you some guidance

Hello Gutis and thank you very much for showing me such corporate project! I just look at it very fast but I think this could help alot, mainly the UsdList.cs tiny little file... It looks promising and I think you do not need to give me guidance. Thanks again for your big and opportune effort.

Hello Gutis and... THANK YOU!!!!!

I only used the file that I told you (UsdList.cs) to make it work.

But I had, offcourse to modify alot of code. Moreover, the uppercase and lowercase didn't worked at all. The code returned an uppercase string which it does not work in my case. I tested extensively and the policy string must be equal as it is displayed in the MMC's console of the certificate tree.

I searched and posted in other forums but nobody could help me out. You don't know how much did you helped me! Thank you so much Gutis!

You are welcome