rainer urian

Hello,

I'm experimenting with the Simple-STS sample on WindowsXP SP2.

Managed X509V3 cards work fine with software based certificates.

But SmartCard based X509v3 certificates won't work.

If I want to sign in with an InfoCard based on such a SmartCard certificate, a MessageBox appears, saying "The certificate associated with this card cannot be found".

On the other hand, I can see the certificate from the Smartcard token in the certificate MMC in the "MY" store on CurrentUser as well as on LocalMachine.

In order to check whether the certificate on the token is not broken, I used this certificate with a CryptoAPI sign function. Here it worked without any problems.

I'm using A.E.T SafeSign middleware on a StarSign Smartcard from Giesecke&Devrient.



Re: Windows CardSpace (InfoCard) SmartCard based InfoCard on Windows XP SP2

Toland Hon - MSFT

A couple questions that might help better diagnose this situation:

Can you verify the thumbprint on the managed card does indeed match the thumbprint on your smartcard certificate? We use the thumbprint to locate the certificate in your personal store.

Does your smartcard use the Windows XP SmartCard CSP to enter your PIN, or is there some other CSP (you mentioned "A.E.T SafeSign middleware", but I'm not too familiar with what that is)?

Does your smartcard certificate chain up to a trusted root CA in your Local Machine?

//Toland




Re: Windows CardSpace (InfoCard) SmartCard based InfoCard on Windows XP SP2

rainer urian

I perform the following to build a smartcard backed managed card:

I use certmgr to look up the certificates.

When the token is inserted I can see the token's certificate in the "MY" store on "CurrentUser" and also on "LocalMachine".

The token automatically installs the intermediate and root certificate only in the "currentUser" tree. I copy the intermediate and root cert. to the "localmachine" tree.

Then I copy the thumbprint from the token's certificate and put it in the value field of the FabrikamCertificate.ini from the Simple-STS sample.

Then I build a new card with cardwriter and import it in CardSpace.

But by using this card CardSpace complains that it cannot find the certificate. The EventLog shows nothing.

It looks like CardSpace doesn't even try to access the token. It is the same behaviour as if I had built a card with a wrong thumbprint.

On the other hand, pure software based certificates work without problems.

Is it possible that this special token has problems with CardSpace?

Is there a compatibility list of SmartCard tokens which work with CardSpace?

How can one debug CardSpace/CSP interactions?
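Toland's three questions (is the certificate in the personal store under that thumbprint, which CSP owns its private key, and does it chain to a trusted root in Local Machine) and the build procedure above can be checked in one place from the command line. The script below is an added example, not code from the thread or from the Simple-STS sample; the function name `Test-InfoCardCertificate` is my own, and it assumes PowerShell 2.0 or later with the .NET `X509Store`/`X509Chain` classes, run from an elevated prompt so the LocalMachine store can be opened. Pass it the thumbprint exactly as you pasted it into FabrikamCertificate.ini.

```powershell
# Added diagnostic (not from the thread): for a given thumbprint, report whether the
# certificate is in CurrentUser\My and LocalMachine\My, which CSP holds its private key,
# and whether it chains to a trusted root on this machine.
function Test-InfoCardCertificate {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)

    # Thumbprints copied out of certmgr often carry spaces or a leading non-printing
    # character; reduce to the bare 40 hex digits, which is what the store lookup compares.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($tp.Length -ne 40) {
        Write-Warning "'$Thumbprint' does not normalise to a 40-digit SHA-1 thumbprint (got '$tp')"
    }

    foreach ($location in 'CurrentUser', 'LocalMachine') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $location)
        $store.Open('ReadOnly')
        try {
            $hits = $store.Certificates.Find('FindByThumbprint', $tp, $false)
        } finally {
            $store.Close()
        }
        if ($hits.Count -eq 0) {
            Write-Host "$location\My : no certificate with thumbprint $tp"
            continue
        }
        foreach ($cert in $hits) {
            Write-Host "$location\My : found '$($cert.Subject)'"
            Write-Host "   HasPrivateKey : $($cert.HasPrivateKey)"
            if ($cert.HasPrivateKey) {
                # Reading the private key acquires a context on the key's CSP. If a PIN
                # dialog appears at this point, it belongs to the provider named below,
                # which answers "is this the Windows SmartCard CSP or a custom one".
                try {
                    $csp = $cert.PrivateKey.CspKeyContainerInfo
                    Write-Host "   CSP name      : $($csp.ProviderName)"
                    Write-Host "   Provider type : $($csp.ProviderType)"
                    Write-Host "   Hardware key  : $($csp.HardwareDevice)"
                    Write-Host "   Container     : $($csp.KeyContainerName)"
                } catch {
                    Write-Host "   Private key not accessible: $($_.Exception.Message)"
                }
            }
            # Build the chain as a verifier on this machine would. Revocation checking
            # is off so a test box without CRL access does not fail for that reason alone.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $trusted = $chain.Build($cert)
            Write-Host "   Chains to trusted root : $trusted"
            if (-not $trusted) {
                $chain.ChainStatus | ForEach-Object {
                    Write-Host "      $($_.Status): $($_.StatusInformation)"
                }
            }
        }
    }
}

# Usage (value is a placeholder; paste the thumbprint from FabrikamCertificate.ini):
# Test-InfoCardCertificate -Thumbprint 'ab cd ef ... '
```

A certificate that shows up in both stores but whose private key reports a non-Microsoft `ProviderName`, or whose private key is "not accessible" even though `HasPrivateKey` is true, matches the symptom in this thread: the lookup by thumbprint succeeds, but the key is reachable only through a CSP that CardSpace does not drive. An `UntrustedRoot` or `PartialChain` status in the LocalMachine pass points instead at the copied intermediate/root certificates.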





Re: Windows CardSpace (InfoCard) SmartCard based InfoCard on Windows XP SP2

Toland Hon - MSFT

I had asked this earlier, but don't see a response:

Does your smartcard use the Windows XP SmartCard CSP to enter your PIN or is there some custom CSP (you mentioned "A.E.T SafeSign middleware", but I'm not too familiar with what that is).

You also mention "special token", which I'm also not familiar with. What do you mean by a special token?

What CardSpace supports is accessing your smartcard certificate and using its private key to sign a message. I'm also not familiar with what you mean by SmartCard tokens.

//Toland






Re: Windows CardSpace (InfoCard) SmartCard based InfoCard on Windows XP SP2

rainer urian

If I use the SmartCard with some CryptAPI functions, e.g. with the CryptSignMessage function, a MessageBox shows up asking for the PIN. Actually, I can't tell if this MessageBox comes from the Microsoft CSP or from the A.E.T custom CSP. (How can this be determined?)

But with CardSpace no MessageBox appears. Moreover, I cannot see that the SmartCard will be accessed at all.

I tried to debug the A.E.T. CSP in the following way:

1. patching ADVAPI.dll

2. building a stub CSP which simply logs all CSP calls and routes them to the A.E.T. CSP

There was no call to any CSP functions!

What I now think is that the A.E.T. CSP has some problems with its custom certificate store handling code.

Sorry, the word "SmartCard token" was a misnomer. I simply meant a smart card or a cryptographic USB stick (in Germany we say "token" for this).





Re: Windows CardSpace (InfoCard) SmartCard based InfoCard on Windows XP SP2

Toland Hon - MSFT

If your SmartCard uses a custom CSP, I believe that might be the problem. In CardSpace today, I don't believe we allow custom CSPs to launch.

This is what a Windows SmartCard CSP dialog looks like:

http://img153.imageshack.us/my.php?image=smartcarddialogvd4.png

//Toland