Channel: Public Key Infrastructure PowerShell module
New Post: Programmatically sign a PKCS#10 request with an officer certificate

Hello !

For some certificate templates in my company it is required to sign the requests with PKI officer certificates (on a smart card) before issuance of the certificate (this allows some two-factor authentication/multi-party control for sensitive templates).

I would like to simplify the process and do most of the work programmatically, but after some tries I did not succeed in creating the signed PKCS#7 request.

Since your own PKCS#7 classes are only for decoding, here is the code I came up with using the built-in classes:
$cert = # Get X509Certificate2 object used for signing (private key is on a smart card)
$pkcs10 = Get-CertificateRequest -Path "path_to_pkcs10.req"   # object is OK
# Inner content: the raw DER PKCS#10 (ContentInfo(byte[]) uses the PKCS#7 "data" OID)
$contentInfo = New-Object System.Security.Cryptography.Pkcs.ContentInfo (,$pkcs10.RawData)
$cmsSigner = New-Object System.Security.Cryptography.Pkcs.CmsSigner $cert
$signedCms = New-Object System.Security.Cryptography.Pkcs.SignedCms $contentInfo
$signedCms.ComputeSignature($cmsSigner)   # smart card signature happens here
$pkcs7Bytes = $signedCms.Encode()

[IO.File]::WriteAllBytes("path_to_pkcs7.req", $pkcs7Bytes)
$pkcs7 = Get-CertificateRequest -RawRequest $pkcs7Bytes
When using certutil -dump on the generated file, it looks OK. But the last line generates the following error:
New-Object : Exception when calling ".ctor" with "1" argument(s): "Invalid data"
At character C:\Program Files\WindowsPowerShell\Modules\PSPKI\Client\Get-CertificateRequest.ps1:22 : 14
+ ...  "RawData" {New-Object Security.Cryptography.X509CertificateRequests. ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation : (:) [New-Object], MethodInvocationException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

    at System.Management.Automation.DotNetAdapter.AuxiliaryConstructorInvoke(MethodInformation methodInformation, Object[] arguments, Object[] originalArguments)
   at System.Management.Automation.DotNetAdapter.ConstructorInvokeDotNet(Type type, ConstructorInfo[] constructors, Object[] arguments)
   at Microsoft.PowerShell.Commands.NewObjectCommand.CallConstructor(Type type, ConstructorInfo[] constructors, Object[] args)
And trying to submit the generated file to the CA fails with this error:
Error Parsing Request  ASN1 unexpected end of data. 0x80093102 (ASN: 258 CRYPT_E_ASN1_EOD)
Should I maybe specify some particular OID when creating the ContentInfo object? Or maybe I need to encode the PKCS#10 in some way before simply signing it?

Thanks in advance for any help you can provide me.
Jordan
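An added example, not part of the original post and not PSPKI code: the same officer-signed PKCS#7 request built with the Windows CertEnroll COM interfaces (X509Enrollment.CX509CertificateRequestPkcs7, the API behind certreq -sign) instead of hand-assembling a CMS SignedData. The function name, paths and thumbprint are placeholders; it assumes PSPKI is loaded for Get-CertificateRequest (as in the post) and that the officer certificate sits in Cert:\CurrentUser\My with its private key on the smart card.

```powershell
# Added example (not from the original post or the PSPKI project).
# CertEnroll enumeration values from certenroll.h
$XCN_CRYPT_STRING_BASE64 = 1   # EncodingType: bare base64, no PEM header
$VerifyNone              = 0   # X509PrivateKeyVerify: do not probe the key at Initialize time

function New-OfficerSignedRequest {
    # Hypothetical helper name; parameters are placeholders.
    param(
        [Parameter(Mandatory)] [string] $Pkcs10Path,       # inner PKCS#10 (DER or base64)
        [Parameter(Mandatory)] [string] $Pkcs7Path,        # output: officer-signed PKCS#7
        [Parameter(Mandatory)] [string] $SignerThumbprint  # officer certificate (key on smart card)
    )

    # 1. Officer certificate from the user store. CertEnroll locates the private
    #    key itself from the certificate, so only the public certificate is passed.
    $signerCert = Get-Item -Path "Cert:\CurrentUser\My\$SignerThumbprint" -ErrorAction Stop

    # 2. Inner request: let PSPKI parse the file (DER or PEM) and hand the raw DER
    #    to CertEnroll as base64, which is what InitializeDecode expects.
    $pkcs10 = Get-CertificateRequest -Path $Pkcs10Path
    $inner = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $inner.InitializeDecode([Convert]::ToBase64String($pkcs10.RawData), $XCN_CRYPT_STRING_BASE64)

    # 3. Signer object: Initialize(MachineContext, VerifyType, Encoding, strCertificate)
    $signer = New-Object -ComObject X509Enrollment.CSignerCertificate
    $signer.Initialize($false, $VerifyNone, $XCN_CRYPT_STRING_BASE64,
        [Convert]::ToBase64String($signerCert.RawData))

    # 4. Wrap the PKCS#10 in a PKCS#7 and sign it. The signature (and any smart
    #    card PIN prompt) happens at Encode().
    $pkcs7 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs7
    $pkcs7.InitializeFromInnerRequest($inner)
    $pkcs7.SignerCertificate = $signer
    $pkcs7.Encode()

    # 5. Persist as DER so it can go to certreq -submit or Submit-CertificateRequest.
    #    RawData(EncodingType) is a parameterized COM property; FromBase64String
    #    tolerates the line breaks CertEnroll inserts.
    $pkcs7Bytes = [Convert]::FromBase64String($pkcs7.RawData($XCN_CRYPT_STRING_BASE64))
    [IO.File]::WriteAllBytes($Pkcs7Path, $pkcs7Bytes)

    # 6. The same two checks the post uses: the module's parser and certutil.
    certutil -dump $Pkcs7Path
    return (Get-CertificateRequest -RawRequest $pkcs7Bytes)
}

# Placeholder invocation
New-OfficerSignedRequest -Pkcs10Path 'C:\req\user.req' `
    -Pkcs7Path 'C:\req\user.signed.req' `
    -SignerThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

If you stay with the System.Security.Cryptography.Pkcs route, a useful comparison is certutil -asn on a file produced by each method: the outer length encoding and the inner ContentInfo are the places where the two can differ, and indefinite-length (BER) encoding, which some CMS encoders emit, is one thing a DER-only parser rejects with an "unexpected end of data" style error.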
