Retired Microsoft Blog disclaimer

This directory is a mirror of the retired "Decrypt My World" MSDN blog and is provided as is. All posting authorship and copyrights belong to the respective authors.

Posts on this page:

Original URL: https://blogs.msdn.microsoft.com/alejacma/2009/11/12/access-violation-exception-when-loading-a-certificate-in-net-windows-server-2003/
Post name: Access Violation exception when loading a certificate in .NET (Windows Server 2003)
Original author: Alejandro Campos Magencio
Posting date: 2009-11-12T07:32:00+00:00


Hi all

You may get an Access Violation exception when loading a certificate into an X509Certificate2 object, but only after installing the KB 938397 hotfix (crypt32.dll v5.131.3790.4095) described in "Applications that use the Cryptography API cannot validate an X.509 certificate in Windows Server 2003".

Note that the issue won't happen with Windows Server 2003 SP2 version of crypt32.dll (v5.131.3790.3959).

Note that the issue only happens with Base64 encoded certificate files. DER encoded certificate files work just fine.

The good news is that a newer hotfix, KB 950474, installs a newer version of crypt32.dll (v5.131.3790.4271) that fixes the issue. You can get it from the KB article "Error message when you run the SharePoint Products and Technologies Configuration Wizard on a Windows Server 2003-based computer: 'Application has generated an exception that could not be handled'".
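The check a practitioner would want before blaming the application: tell apart a Base64 (PEM) file from a DER file, read the installed crypt32.dll file version, and refuse the combination the post describes with a clear message instead of an Access Violation. This is an added example and not code from the post; the PemToDer workaround is my own inference from the post's note that DER files load fine on the affected build, so verify it on your own machine before relying on it.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not code from the original post. Preflight for loading a
// certificate file on Windows Server 2003: detect Base64 vs DER, read the
// installed crypt32.dll version and handle the known-bad combination.
static class CertLoadPreflight
{
    // crypt32.dll versions named in the post.
    static readonly Version Kb938397Version = new Version(5, 131, 3790, 4095); // affected
    static readonly Version Kb950474Version = new Version(5, 131, 3790, 4271); // fixed

    const string PemHeader = "-----BEGIN CERTIFICATE-----";
    const string PemFooter = "-----END CERTIFICATE-----";

    // A DER certificate always starts with the ASN.1 SEQUENCE tag 0x30. A Base64
    // file starts with the "-----BEGIN" armor line or, when unarmored, with
    // Base64 alphabet characters only.
    public static bool IsBase64Encoded(byte[] fileBytes)
    {
        if (fileBytes.Length == 0 || fileBytes[0] == 0x30) return false;
        string head = Encoding.ASCII.GetString(fileBytes, 0, Math.Min(fileBytes.Length, 64));
        if (head.StartsWith("-----BEGIN", StringComparison.Ordinal)) return true;
        foreach (char c in head)
        {
            bool ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
                      || c == '+' || c == '/' || c == '=' || c == '\r' || c == '\n';
            if (!ok) return false;
        }
        return true;
    }

    public static Version InstalledCrypt32Version()
    {
        string path = Path.Combine(Environment.SystemDirectory, "crypt32.dll");
        FileVersionInfo fvi = FileVersionInfo.GetVersionInfo(path);
        return new Version(fvi.FileMajorPart, fvi.FileMinorPart, fvi.FileBuildPart, fvi.FilePrivatePart);
    }

    public static bool IsKnownBadCombination(byte[] fileBytes, Version crypt32)
    {
        return IsBase64Encoded(fileBytes) && crypt32 == Kb938397Version;
    }

    // Strip the PEM armor (if any) and decode the Base64 body;
    // Convert.FromBase64String tolerates the line breaks inside the body.
    public static byte[] PemToDer(byte[] pemBytes)
    {
        string text = Encoding.ASCII.GetString(pemBytes);
        int start = text.IndexOf(PemHeader, StringComparison.Ordinal);
        int end = text.IndexOf(PemFooter, StringComparison.Ordinal);
        if (start < 0) return Convert.FromBase64String(text); // unarmored Base64
        if (end < start) throw new FormatException("PEM header without matching footer");
        start += PemHeader.Length;
        return Convert.FromBase64String(text.Substring(start, end - start));
    }

    public static X509Certificate2 Load(string path)
    {
        byte[] bytes = File.ReadAllBytes(path);
        Version crypt32 = InstalledCrypt32Version();
        if (IsKnownBadCombination(bytes, crypt32))
        {
            // Workaround (my inference, not stated by the post): hand the constructor
            // DER bytes, which the post reports load fine on this crypt32.dll build.
            Console.Error.WriteLine("crypt32.dll {0} with a Base64 file: converting to DER first (the fix is KB 950474, crypt32.dll {1})",
                                    crypt32, Kb950474Version);
            bytes = PemToDer(bytes);
        }
        return new X509Certificate2(bytes);
    }

    static void Main(string[] args)
    {
        X509Certificate2 cert = Load(args[0]);
        Console.WriteLine("Loaded '{0}' with crypt32.dll {1}", cert.Subject, InstalledCrypt32Version());
    }
}
```

Run it as `CertLoadPreflight.exe mycert.cer`. The version comparison deliberately matches only the one build the post names; any other crypt32.dll goes through the normal constructor so that a fixed machine behaves exactly as before.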

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

PS: What are you still doing with Windows Server 2003? Have you tried the new Windows Server 2008 R2? IT JUST ROCKS!!!!

Original URL: https://blogs.msdn.microsoft.com/alejacma/2009/10/15/capicom-support-on-windows-7/
Post name: CAPICOM support on Windows 7
Original author: Alejandro Campos Magencio
Posting date: 2009-10-15T11:55:00+00:00


Hi all,

CAPICOM has finally been deprecated, and it won't be supported on Windows 7. This link is up to date and proposes alternatives to CAPICOM classes by using .NET classes and CryptoAPI: Alternatives to Using CAPICOM.

The following article may help if you were using CAPICOM in your web site and you are planning on using .NET now: Writing an ActiveX Control in .NET.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

Original URL: https://blogs.msdn.microsoft.com/alejacma/2009/10/14/working-with-cng-in-net-3-5/
Post name: Working with CNG in .NET 3.5
Original author: Alejandro Campos Magencio
Posting date: 2009-10-14T03:37:00+00:00


Hi all,

Do you want to work with CNG and .NET 3.5 and don't want to P/Invoke into CryptoAPI & CNG API? Check out the Security.Cryptography.dll library at CLR Security:

"Security.Cryptography.dll provides a new set of algorithm implementations to augment the built in .NET framework supported algorithms. It also provides some APIs to extend the existing framework cryptography APIs. Within this project you will find:
§ A CNG implementation of the AES, RSA, and TripleDES encryption algorithms
§ A CNG implementation of a random number generator
§ A class that allows dynamically creating algorithms both from this library as well as all of the algorithms that ship with .NET 3.5
§ An enumerator over all of the installed CNG providers on the current machine
§ Extension methods that allow access to all of the keys installed in a CNG provider, as well as all of the algorithms the provider supports"

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

Original URL: https://blogs.msdn.microsoft.com/alejacma/2009/10/09/cryptographicexception-the-data-to-be-decrypted-exceeds-the-maximum-for-this-modulus-of-0-bytes/
Post name: CryptographicException: The data to be decrypted exceeds the maximum for this modulus of 0 bytes
Original author: Alejandro Campos Magencio
Posting date: 2009-10-09T07:06:00+00:00


Hi all,


Some time ago a customer of mine was getting the following CryptographicException when calling the EncryptedXml.DecryptDocument method to decrypt an XmlDocument in their .NET app:


[System.Security.Cryptography.CryptographicException] = {"The data to be decrypted exceeds the maximum for this modulus of 0 bytes"}
_HResult = -2146233296
_HResult = 0x80131430
No Inner Exception


This was only happening with a smart card certificate associated to a specific third-party CSP (non-MS).


In order to troubleshoot this, I used my CryptoAPI Tracer script to get some traces while reproducing the issue. Thanks to my script I could see these calls that .NET is making to the third-party CSP behind the scenes (I will omit key container and CSP names as they are not needed to understand the issue):

>>>>>>>>>>>>>>>>>>>>>>

CryptAcquireContextA (0x570)

IN
pszContainer
001bf1a0 "Cert Container Name"

pszProvider
001b4698 "Third-party CSP"

dwProvType
PROV_RSA_FULL

dwFlags
0

OUT
hProv
0x1bea28

RESULT
CryptAcquireContextA (0x570) SUCCEEDED

<<<<<<<<<<<<<<<<<<<<<<

>>>>>>>>>>>>>>>>>>>>>>

CryptGetUserKey (0x570)

IN
hProv
0x1bea28

dwKeySpec
AT_KEYEXCHANGE

OUT
hUserKey
0x1bf1a0

RESULT
CryptGetUserKey (0x570) SUCCEEDED

<<<<<<<<<<<<<<<<<<<<<<

>>>>>>>>>>>>>>>>>>>>>>

CryptGetKeyParam (0x570)

IN
hKey
0x1bf1a0

dwParam
KP_ALGID

pbData
NULL

dwDataLen
0

dwFlags
0

OUT
dwDataLen
4

RESULT
CryptGetKeyParam (0x570) SUCCEEDED

<<<<<<<<<<<<<<<<<<<<<<

>>>>>>>>>>>>>>>>>>>>>>

CryptGetKeyParam (0x570)

IN
hKey
0x1bf1a0

dwParam
KP_ALGID

pbData
0x1bd228

dwDataLen
4

dwFlags
0

OUT
bData
001bd228 0000a400

dwDataLen
4

RESULT
CryptGetKeyParam (0x570) SUCCEEDED

<<<<<<<<<<<<<<<<<<<<<<

>>>>>>>>>>>>>>>>>>>>>>

CryptGetKeyParam (0x570)

IN
hKey
0x1bf1a0

dwParam
KP_KEYLEN

pbData
NULL

dwDataLen
0

dwFlags
0

OUT
dwDataLen
4

RESULT
CryptGetKeyParam (0x570) SUCCEEDED

<<<<<<<<<<<<<<<<<<<<<<

>>>>>>>>>>>>>>>>>>>>>>

CryptGetKeyParam (0x570)

IN
hKey
0x1bf1a0

dwParam
KP_KEYLEN

pbData
0x1bd228

dwDataLen
4

dwFlags
0

OUT
bData
001bd228 00000000

dwDataLen
4

RESULT
CryptGetKeyParam (0x570) SUCCEEDED

<<<<<<<<<<<<<<<<<<<<<<


These calls mean the following: before .NET tries to decrypt the XML, it asks the CSP for some information on the key it will use to decrypt, such as its length (CryptGetKeyParam API with the KP_KEYLEN parameter). For some unknown reason the third-party CSP is returning a length of 0 for the key (the buffer pbData points to contains 0), which is invalid, so .NET won't continue with the decryption and raises the exception we've seen. Why is the CSP returning an invalid length? Only the CSP developers can answer that question.
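A preflight check that makes this failure self-explanatory, added here as an example and not the customer's code from the post: before EncryptedXml touches the private key, read the key length through RSACryptoServiceProvider.KeySize (which .NET obtains from the CSP, the same KP_KEYLEN query visible in the trace above) and compare it with the public key in the certificate. A CSP that answers 0 is then reported together with its provider and container names instead of the generic "modulus of 0 bytes" message. The thumbprint, file name and key name are command-line arguments I assume for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not the customer's code from the post. Ask the CSP for the
// key length before decrypting and fail with a diagnostic that names the CSP.
static class XmlDecryptPreflight
{
    // Returns the key length the CSP reports; throws when it is 0 or disagrees
    // with the certificate's own public key.
    public static int CheckCspKeyLength(X509Certificate2 cert)
    {
        // Accessing PrivateKey opens the key container; a smart card CSP may prompt for the PIN here.
        RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new InvalidOperationException("certificate " + cert.Thumbprint + " has no CSP-backed RSA private key");

        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        int cspBits  = rsa.KeySize;                // what the CSP answers (KP_KEYLEN in the trace)
        int certBits = cert.PublicKey.Key.KeySize; // what the certificate itself carries

        if (cspBits == 0 || cspBits != certBits)
            throw new CryptographicException(string.Format(
                "CSP '{0}' reports a {1}-bit key in container '{2}' ({3}), but the certificate carries a {4}-bit public key; the CSP, not the XML document, needs fixing",
                info.ProviderName, cspBits, info.KeyContainerName, info.KeyNumber, certBits));
        return cspBits;
    }

    // keyName is the <KeyName> value referenced from the document's <EncryptedKey>.
    public static void DecryptDocument(XmlDocument doc, X509Certificate2 cert, string keyName)
    {
        CheckCspKeyLength(cert);
        EncryptedXml exml = new EncryptedXml(doc);
        exml.AddKeyNameMapping(keyName, cert.PrivateKey);
        exml.DecryptDocument();
    }

    static void Main(string[] args)
    {
        // args[0]: thumbprint of a certificate with a private key in CurrentUser\My
        // args[1]: path of the encrypted XML file; args[2]: key name used in the document
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found = store.Certificates.Find(X509FindType.FindByThumbprint, args[0], false);
        store.Close();
        if (found.Count == 0) throw new ArgumentException("no certificate with thumbprint " + args[0]);

        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = true;
        doc.Load(args[1]);
        DecryptDocument(doc, found[0], args[2]);
        Console.WriteLine(doc.OuterXml);
    }
}
```

When the check fires, the message tells you which provider and container to look at, which is the information the tracer script had to be used to recover in the post; when the CSP behaves, the decryption proceeds exactly as before.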


In my customer's particular case, the CSP developers quickly located and fixed the issue.


I hope this helps.


Regards,



Alex (Alejandro Campos Magencio)

Original URL: https://blogs.msdn.microsoft.com/alejacma/2009/09/30/x509certificate-creates-temporary-files-which-are-never-deleted/
Post name: X509Certificate creates temporary files which are never deleted
Original author: Alejandro Campos Magencio
Posting date: 2009-09-30T04:52:00+00:00


Hi all,

When creating an X509Certificate object in your .NET application ("X509Certificate cert = new X509Certificate(certBytes);") you may see that two 0 KB files are created in the Temp folder of your Windows Server 2003, and are never deleted. After creating many of those objects the Temp folder fills up and the app won't function properly.

The cause of this issue is the following bug:

On a Windows Server 2003-based client computer, the system does not delete a temporary file that is created when an application calls the "CryptQueryObject" function

The X509Certificate class uses the CryptQueryObject API behind the scenes. Fortunately there is a fix for this, referenced on the link above.
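A quick way to confirm whether a given server still leaks, and whether the fix took, added here as an example and not code from the post: create a batch of X509Certificate objects from the same bytes and count the zero-byte files that appear in the Temp folder meanwhile. The post describes two files per object on an unpatched Windows Server 2003; on a patched system the difference stays at zero. The certificate comes from a DER file given on the command line or, failing that, from the first entry in CurrentUser\My, both my own assumptions for the demonstration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the original post. Measures zero-byte files left
// in %TEMP% by X509Certificate construction (CryptQueryObject underneath).
static class TempFileLeakProbe
{
    public static int CountZeroByteTempFiles()
    {
        int n = 0;
        foreach (string f in Directory.GetFiles(Path.GetTempPath()))
        {
            try { if (new FileInfo(f).Length == 0) n++; }
            catch (IOException) { }                 // file vanished between enumeration and stat
            catch (UnauthorizedAccessException) { } // not ours to read; skip it
        }
        return n;
    }

    // Returns how many zero-byte temp files appeared while `iterations` objects were created.
    public static int MeasureLeak(byte[] certBytes, int iterations)
    {
        int before = CountZeroByteTempFiles();
        for (int i = 0; i < iterations; i++)
        {
            X509Certificate cert = new X509Certificate(certBytes); // calls CryptQueryObject internally
            cert.Reset(); // frees the native context; leaked temp files are not removed by this
        }
        return CountZeroByteTempFiles() - before;
    }

    // Any certificate will do: a DER file from the command line, else the first one in CurrentUser\My.
    static byte[] SampleCertificate(string[] args)
    {
        if (args.Length > 0) return File.ReadAllBytes(args[0]);
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            if (store.Certificates.Count == 0)
                throw new InvalidOperationException("no certificate available; pass a DER file path");
            return store.Certificates[0].RawData;
        }
        finally { store.Close(); }
    }

    static void Main(string[] args)
    {
        const int iterations = 100;
        int leaked = MeasureLeak(SampleCertificate(args), iterations);
        Console.WriteLine("{0} zero-byte files left in {1} after {2} X509Certificate constructions ({3:F1} per object)",
                          leaked, Path.GetTempPath(), iterations, leaked / (double)iterations);
    }
}
```

Run it under the same account as the affected service, since each account has its own Temp folder. Other processes can create zero-byte files in the same folder while the probe runs, so treat a result close to two per object as the signature of this bug and a small nonzero count as noise.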

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)