JamesPMiller
I have a certificate and key pair on a smart card. The certificate was
obtained from a Microsoft 2003 CA on my local domain. It was created using
the SmartcardUser template and I can use it for all the usual things (log
onto Windows, sign/encrypt e-mail, sign Word documents, etc).
I can successfully use this cert and key pair to sign Word documents with
Word 2003, but I get an error when I use this same cert/key pair to sign
documents with Word 2007. I traced the CSP calls that Word 2007 makes and it
seems that Word 2007 is passing an incorrect parameter to CryptGetUserKey
when it attempts to get a handle to the key pair associated with my
certificate. Word 2007 passes a keySpec value AT_SIGNATURE to
CryptGetUserKey. Since my cert and key pair is an AT_KEYEXCHANGE cert and key
pair, the call to CryptGetUserKey returns NTE_NO_KEY and Word 2007 errors out.
Word 2003 correctly passes the keySpec value AT_KEYEXCHANGE to
CryptGetUserKey and thus finds the key pair and successfully signs the
document.
It's been my experience with Word 2003 and previous versions of Word that
the keySpec value passed to CryptGetUserKey is taken from the keySpec
property of the certificate selected for signing. However, despite the fact
that the 'keySpec' property on my cert is AT_KEYEXCHANGE, Word 2007 passes a
keySpec value AT_SIGNATURE to CryptGetUserKey.
I can successfully sign a document with Word 2007 only if I use signing-only
(i.e. AT_SIGNATURE) cert/key pairs. I can't sign a document with Word 2007
with dual-use (i.e. AT_KEYEXCHANGE) cert/key pairs.
Is this new behavior intentional or is it a bug?
Thanks,
Jim Miller
P.S. The Word 2007 tests were done on a Vista machine. The Word 2003 tests
were done on both Vista and Windows XP.
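To check which keySpec each certificate in a user's store carries before troubleshooting a signing failure like the one described above, the following is an added example and not part of the original post. It assumes Windows PowerShell on the .NET Framework and keys held by a CryptoAPI CSP; the variable names and the report layout are illustrative.

```powershell
# Added diagnostic, not from the original post.
# Assumes Windows PowerShell (.NET Framework) and keys held by a CAPI CSP.
$keySpecNames = @{
    'Exchange'  = 'AT_KEYEXCHANGE (1)'
    'Signature' = 'AT_SIGNATURE (2)'
}
$kuType = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]

$report = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    if (-not $cert.HasPrivateKey) { continue }

    # Key usage from the certificate itself (what the CA asserted).
    $ku = $cert.Extensions | Where-Object { $_ -is $kuType } | Select-Object -First 1
    $usage = if ($ku) { $ku.KeyUsages.ToString() } else { '(no keyUsage extension)' }

    try {
        # CspKeyContainerInfo exposes the key container details for this
        # certificate; KeyNumber corresponds to the keySpec a caller would
        # pass to CryptGetUserKey. A smart card must be inserted to open it.
        $info     = $cert.PrivateKey.CspKeyContainerInfo
        $keySpec  = $keySpecNames[$info.KeyNumber.ToString()]
        $provider = $info.ProviderName
    } catch {
        # CNG-backed keys and absent cards are reported rather than fatal.
        $keySpec  = 'unavailable: ' + $_.Exception.Message
        $provider = ''
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        KeySpec    = $keySpec
        KeyUsage   = $usage
        Provider   = $provider
    }
}

$report | Format-List
```

A certificate reported here as AT_KEYEXCHANGE is the dual-use kind the post says fails to sign in Word 2007, while one reported as AT_SIGNATURE is the signing-only kind the post says works.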