format of FabrikamCertificate.ini
I am trying to read the certificate from the smart card, but I am not sure what to put in for the value.
Q1. What is the format of the value (in FabrikamCertificate.ini)?
I tried the thumbprint of the certificate in the value: value=cdcff4a6d29f3f3b9fc63cd76cffe6c2103363a5, but I got a problem when trying to use this infocard.
Error from CardSpace: "Your data could not be retrieved from the managed card provider. Check your network connection, and verify that you have supplied the correct authentication credentials."
Based on the comment, the sample values are: certificate path (Localmachine/my/www.fabrikam.com), hash, or file name (in which case you may need certificatepassword=).
Then I tried value=currentUser/my/angela,cdcff4a6d29f3f3b9fc63cd76cffe6c2103363a5 and the card cannot be installed.
Note: the certificate in the smart card is not an HA certificate, and the CA of the certificate in the smart card is already installed in the Trusted CA store.
Q2. Must the certificate in the smart card be an HA certificate?
Please advise.
Ronghwa
By Ronghwa at 2008-2-7
Q1. The format of the .ini file is that only one of the options hash, path, fileName should be specified. For example, you should type:
value=cdcff4a6d29f3f3b9fc63cd76cffe6c2103363a5
or
value=currentUser/my/angela
but NOT value=currentUser/my/angela,cdcff4a6d29f3f3b9fc63cd76cffe6c2103363a5
Please note that the cert name (angela) is case sensitive.
Q2. The certificate shouldn't be HA because it's a personal certificate that you should use with your card, and HA certificates are intended for company use.
Regarding your problem, I faced a similar issue and found a workaround: set the "AnonymousForCertificate" binding security option instead of "MutualCertificate". The problem with the "MutualCertificate" option is that the STS needs to authenticate your (i.e. angela) certificate, and I didn't find any documentation on how to do that.
Hmmm.
What was the output of CardWriter? It should tell you whether it finds the certificate.
If you use the currentuser/my/angela format, you don't specify the certificate hash.
And no, you don't need an HA certificate for the smartcard (HA certificates aren't even available yet).
The CardWriter is a bit loose with what it expects for the value (look at the code that digs it out):
    // Excerpt from CardWriter; needs System.IO and System.Security.Cryptography.X509Certificates.
    if (card.CardType == DefaultValues.CardType.SmartCard)
    {
        X509Certificate2 smartcardcertificate = null;
        // 1. Try the value as a certificate file name (optionally protected by certificatepassword=).
        FileInfo f = new FileInfo(spec["Credentials"]["value"].value); // f is declared here for the excerpt
        if (f.Exists)
        {
            try
            {
                smartcardcertificate = new X509Certificate2(spec["Credentials"]["value"].value);
            }
            catch (System.Security.Cryptography.CryptographicException)
            {
                try
                {
                    smartcardcertificate = new X509Certificate2(spec["Credentials"]["value"].value, spec["Credentials"]["certificatepassword"].value);
                }
                catch (Exception)
                {
                    throw new Exception("Could not open the smartcard certificate file:" + spec["Credentials"]["value"].value + ". Make sure the file exists and the password is correct");
                }
            }
        }
        StoreName storeName = StoreName.My;
        StoreLocation storeLocation = StoreLocation.CurrentUser;
        // 2. Try the value as location/store/name and search that store by subject prefix "CN=name".
        if (smartcardcertificate == null && spec["Credentials"]["value"].value.Split("/".ToCharArray(), StringSplitOptions.RemoveEmptyEntries).Length == 3)
        {
            //load from store
            string[] certspec = spec["Credentials"]["value"].value.Split("/".ToCharArray(), StringSplitOptions.RemoveEmptyEntries);
            try
            {
                storeLocation = (StoreLocation)Enum.Parse(typeof(StoreLocation), certspec[0], true);
            }
            catch (Exception)
            {
                throw new Exception("No Smartcard Certificate Location: " + certspec[0]);
            }
            try
            {
                storeName = (StoreName)Enum.Parse(typeof(StoreName), certspec[1], true);
            }
            catch (Exception)
            {
                throw new Exception("No Smartcard Certificate Store: " + certspec[1] + " in " + certspec[0]);
            }
            X509Store s = new X509Store(storeName, storeLocation);
            s.Open(OpenFlags.MaxAllowed);
            foreach (X509Certificate2 xCert in s.Certificates)
            {
                if (xCert.Subject.StartsWith("CN=" + certspec[2]))
                {
                    smartcardcertificate = xCert;
                    break;
                }
            }
        }
        // 3. Otherwise try the value as a thumbprint in storeLocation/storeName (CurrentUser/My unless a path was parsed above).
        if (smartcardcertificate == null)
        {
            X509Store s = new X509Store(storeName, storeLocation);
            s.Open(OpenFlags.MaxAllowed);
            foreach (X509Certificate2 xCert in s.Certificates)
            {
                if (xCert.Thumbprint.Equals(spec["Credentials"]["value"].value, StringComparison.CurrentCultureIgnoreCase))
                {
                    smartcardcertificate = xCert;
                    break;
                }
            }
            if (smartcardcertificate == null)
            {
                // Nothing matched: the raw value is written into the card as the credential identifier.
                Console.WriteLine("Did not find smart card certificate, setting smartcard certificate hash to [" + spec["Credentials"]["value"].value + "]");
                card.CredentialIdentifier = spec["Credentials"]["value"].value;
            }
            else
            {
                Console.WriteLine("Found smart card certificate, setting smartcard certificate hash to [" + Convert.ToBase64String(smartcardcertificate.GetCertHash()) + "]");
                card.CredentialIdentifier = Convert.ToBase64String(smartcardcertificate.GetCertHash());
            }
        }
        else
        {
            Console.WriteLine("Found smart card certificate, setting smartcard certificate hash to [" + Convert.ToBase64String(smartcardcertificate.GetCertHash()) + "]");
            card.CredentialIdentifier = Convert.ToBase64String(smartcardcertificate.GetCertHash());
        }
    }
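As an added example (not code from this thread or from CardWriter), the same three-way reading of the value= string in Python, run against a constructed in-memory store standing in for X509Store: it rejects the combined path,hash form from the question, keeps the CN comparison case-sensitive, and tightens CardWriter's StartsWith("CN=...") prefix match to an exact CN match so angela cannot resolve to angelab. Store locations and names are the .NET StoreLocation/StoreName enum names; the sample certificates and thumbprints are constructed.

```python
import os
import re
from collections import namedtuple
from typing import List, Optional
CertRecord = namedtuple("CertRecord", "location store subject thumbprint")  # stand-in for X509Certificate2
# Path-form store locations/names (.NET enum names); CardWriter parses them with Enum.Parse(..., true)
STORE_LOCATIONS = {"currentuser", "localmachine"}
STORE_NAMES = {"my", "root", "authroot", "certificateauthority", "addressbook", "disallowed",
               "trustedpeople", "trustedpublisher"}
THUMBPRINT_RE = re.compile(r"^[0-9a-fA-F]{40}$")  # SHA-1 hex, as X509Certificate2.Thumbprint

def classify_value(value: str) -> str:
    """Return 'file', 'path' or 'hash' for a value= string; raise ValueError otherwise.
    The 'path,hash' combination from the question is rejected outright."""
    if "," in value:
        raise ValueError("value= must be exactly one of hash, path or file name")
    if os.path.isfile(value):
        return "file"  # CardWriter checks FileInfo.Exists before trying the store forms
    parts = [p for p in value.split("/") if p]
    if len(parts) == 3:
        if parts[0].lower() not in STORE_LOCATIONS:
            raise ValueError("No Smartcard Certificate Location: " + parts[0])
        if parts[1].lower() not in STORE_NAMES:
            raise ValueError("No Smartcard Certificate Store: " + parts[1] + " in " + parts[0])
        return "path"
    if THUMBPRINT_RE.match(value):
        return "hash"
    raise ValueError("unrecognised value: " + value)

def subject_cn(subject: str) -> Optional[str]:
    """Extract the CN RDN from a DN; an exact match on it replaces CardWriter's prefix StartsWith."""
    return next((r.strip()[3:] for r in subject.split(",") if r.strip().startswith("CN=")), None)

def resolve(value: str, store: List[CertRecord]) -> Optional[CertRecord]:
    """Mirror CardWriter's path and hash lookups against an in-memory store."""
    kind = classify_value(value)
    if kind == "file":
        return None  # CardWriter loads this with X509Certificate2(file[, password]); not modelled here
    if kind == "path":
        loc, name, cn = [p for p in value.split("/") if p]
        return next((c for c in store if c.location.lower() == loc.lower()
                     and c.store.lower() == name.lower() and subject_cn(c.subject) == cn), None)
    # hash form: CardWriter only searches CurrentUser/My, ignoring the case of the hex digits
    return next((c for c in store if c.location.lower() == "currentuser"
                 and c.store.lower() == "my" and c.thumbprint.lower() == value.lower()), None)
# Constructed sample store (no real certificates) holding the values used in the thread
SAMPLE_STORE = [
    CertRecord("CurrentUser", "My", "CN=angela, O=Fabrikam", "CDCFF4A6D29F3F3B9FC63CD76CFFE6C2103363A5"),
    CertRecord("CurrentUser", "My", "CN=angelab, O=Fabrikam", "0123456789ABCDEF0123456789ABCDEF01234567"),
    CertRecord("LocalMachine", "My", "CN=www.fabrikam.com", "89ABCDEF0123456789ABCDEF0123456789ABCDEF"),
]
```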