Hello!
For some certificate templates in my company, requests must be signed with PKI officers' certificates (on a smart card) before the certificate is issued (this provides some two-factor authentication / multi-party control for sensitive templates).
I would like to simplify the process and do most of the work programmatically, but after several attempts I have not succeeded in creating the signed PKCS#7 request.
Since your own PKCS#7 classes are only for decoding, here is the code I came up with using the built-in classes:
```powershell
$cert = # Get X509Certificate2 object used for signing (private key is on a smart card)

# Load the DER PKCS#10 request from disk; the object parses fine
$pkcs10 = Get-CertificateRequest -Path "path_to_pkcs10.req"

# Wrap the raw PKCS#10 bytes as the CMS content (the leading comma forces the byte[] to be
# passed as a single constructor argument)
$contentInfo = New-Object System.Security.Cryptography.Pkcs.ContentInfo (,$pkcs10.RawData)

# Sign the content with the officer's certificate and DER-encode the resulting SignedData
$cmsSigner = New-Object System.Security.Cryptography.Pkcs.CmsSigner $cert
$signedCms = New-Object System.Security.Cryptography.Pkcs.SignedCms $contentInfo
$signedCms.ComputeSignature($cmsSigner)
$pkcs7Bytes = $signedCms.Encode()
[IO.File]::WriteAllBytes("path_to_pkcs7.req", $pkcs7Bytes)

# Try to parse the signed request back
$pkcs7 = Get-CertificateRequest -RawRequest $pkcs7Bytes
```
When using certutil -dump on the generated file, it looks OK. But the last line generates the following error:
New-Object : Exception when calling ".ctor" with "1" argument(s): "Invalid data"
At character C:\Program Files\WindowsPowerShell\Modules\PSPKI\Client\Get-CertificateRequest.ps1:22 : 14
+ ... "RawData" {New-Object Security.Cryptography.X509CertificateRequests. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation : (:) [New-Object], MethodInvocationException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
at System.Management.Automation.DotNetAdapter.AuxiliaryConstructorInvoke(MethodInformation methodInformation, Object[] arguments, Object[]
originalArguments)
at System.Management.Automation.DotNetAdapter.ConstructorInvokeDotNet(Type type, ConstructorInfo[] constructors, Object[] arguments)
at Microsoft.PowerShell.Commands.NewObjectCommand.CallConstructor(Type type, ConstructorInfo[] constructors, Object[] args)
And trying to submit the generated file to the CA fails with this error:
Error Parsing Request ASN1 unexpected end of data. 0x80093102 (ASN: 258 CRYPT_E_ASN1_EOD)
Should I maybe specify some particular OID when creating the ContentInfo object? Or maybe I need to encode the PKCS#10 in some way before simply signing it?
Thanks in advance for any help you can provide me.
Jordan
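The following diagnostic script is an added example and is not part of the original post or of the PSPKI module. It decodes the PKCS#7 file produced by the code above with the same built-in SignedCms class and checks the three things the errors hint at: which inner content-type OID actually ended up in the SignedData, whether the embedded content is byte-for-byte the original DER PKCS#10, and whether every signer is one of the approving PKI officers (the multi-party control the post describes). The file paths and the officer thumbprints in $approvedOfficers are placeholders to be replaced.

```powershell
# Added diagnostic example (not from the original post). Assumed, hypothetical inputs:
# path_to_pkcs10.req (DER PKCS#10), path_to_pkcs7.req (the SignedCms output) and the
# thumbprints of the approving PKI officers in $approvedOfficers.
Add-Type -AssemblyName System.Security

$pkcs10Bytes = [IO.File]::ReadAllBytes("path_to_pkcs10.req")
$pkcs7Bytes  = [IO.File]::ReadAllBytes("path_to_pkcs7.req")

# Decode the outer CMS structure; Decode() throws if the blob is not a SignedData message.
$signedCms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$signedCms.Decode($pkcs7Bytes)

# 1. Inner content type. ContentInfo(byte[]) defaults to id-data (1.2.840.113549.1.7.1);
#    print what the file really contains instead of guessing.
"ContentType : {0} ({1})" -f $signedCms.ContentInfo.ContentType.Value,
                             $signedCms.ContentInfo.ContentType.FriendlyName

# 2. The embedded content must be exactly the original DER PKCS#10; anything else is what
#    makes a parser stop with "unexpected end of data".
$inner = $signedCms.ContentInfo.Content
$sameBytes = ($inner.Length -eq $pkcs10Bytes.Length)
if ($sameBytes) {
    for ($i = 0; $i -lt $inner.Length; $i++) {
        if ($inner[$i] -ne $pkcs10Bytes[$i]) { $sameBytes = $false; break }
    }
}
"Inner content: {0} bytes, original PKCS#10: {1} bytes, identical: {2}" -f $inner.Length,
                                                                          $pkcs10Bytes.Length,
                                                                          $sameBytes
if (-not $sameBytes) {
    # A DER PKCS#10 starts with SEQUENCE (0x30). A leading 0x04 means an extra OCTET STRING
    # wrapper; ASCII bytes ('-' 0x2D, 'M' 0x4D) mean a PEM/Base64 file was signed instead of DER.
    $head = ($inner[0..3] | ForEach-Object { $_.ToString("X2") }) -join ' '
    "First inner bytes: $head"
}

# 3. Verify the signatures and the chain, then require every signer to be an approved officer.
#    CheckSignature($true) would check the signature only; $false also builds the chain.
$signedCms.CheckSignature($false)
$approvedOfficers = @("THUMBPRINT_OF_OFFICER_1", "THUMBPRINT_OF_OFFICER_2")  # hypothetical
foreach ($signer in $signedCms.SignerInfos) {
    $thumb = $signer.Certificate.Thumbprint
    $approved = $approvedOfficers -contains $thumb
    "Signer {0} ({1}): approved={2}" -f $signer.Certificate.Subject, $thumb, $approved
    if (-not $approved) {
        throw "Request signed by a certificate that is not an approved PKI officer: $thumb"
    }
}
"All {0} signer(s) approved." -f $signedCms.SignerInfos.Count
```

Run it against the file that certutil -dump accepts but the CA rejects: if the content type is not id-data or the inner bytes differ from the PKCS#10 (length or leading bytes), the problem is in how the ContentInfo was built, not in the signing step; if both match, the remaining difference is in how the CA expects the PKCS#7 request to be formed.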