Reputation: 1561
I am trying to create a sample Certificate Request Using CMS and CMC Request Formats with Null Signature as described in [MS-WCCE]: Windows Client Certificate Enrollment Protocol. According to the specification the request should consist of the following:
With the PKCS#10 with Null Signature, as described here:
Is there a way to obtain such a PKCS#10 request with Null Signature from some Windows tools or programmatically?
I was trying to use BouncyCastle with the following method; however, submitting such a request always results in
Active Directory Certificate Services could not process request 976 due to an error: Invalid Signature. 0x80090006 (-2146893818 NTE_BAD_SIGNATURE). Additional information: Error Verifying Request Signature or Signing Certificate.
My code looks like this:
import java.security.MessageDigest;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.cmc.BodyPartID;
import org.bouncycastle.asn1.cmc.OtherMsg;
import org.bouncycastle.asn1.cmc.PKIData;
import org.bouncycastle.asn1.cmc.TaggedAttribute;
import org.bouncycastle.asn1.cmc.TaggedCertificationRequest;
import org.bouncycastle.asn1.cmc.TaggedContentInfo;
import org.bouncycastle.asn1.cmc.TaggedRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;

// keyPair is the RSA key pair the request is for; keyPair and cert are also handed to the
// Utils helper (not shown in the question) that signs the outer CMS layer
X500Name subject = new X500Name("CN=Test");
SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
DERSet ats = new DERSet(); // no PKCS#10 attributes in this sample

// the CertificationRequestInfo that gets hashed must be the very same one that is embedded in
// the request: building a second one from (subject, algorithm, DERBitString(spki), ats) wraps the
// whole SPKI in a BIT STRING and changes the bytes, so the CA's recomputed hash no longer matches
CertificationRequestInfo certificationRequestInfo = new CertificationRequestInfo(subject, spki, ats);

// sha256 object identifier
AlgorithmIdentifier algOid = new AlgorithmIdentifier(new ASN1ObjectIdentifier("2.16.840.1.101.3.4.2.1"));
// signature will be the sha256 digest of the DER-encoded certificationRequestInfo
byte[] signature = MessageDigest.getInstance("SHA-256").digest(certificationRequestInfo.getEncoded());

// build certification request as PKCS#10 with Null Signature
CertificationRequest certificationRequest = new CertificationRequest(
        certificationRequestInfo,
        algOid,
        new DERBitString(signature)
);

// wrap the PKCS#10 in a CMC PKIData as a single TaggedRequest (bodyPartID 1 chosen arbitrarily)
TaggedRequest taggedRequest = new TaggedRequest(
        new TaggedCertificationRequest(new BodyPartID(1), certificationRequest));
TaggedAttribute[] taggedAttributes = new TaggedAttribute[0];
TaggedRequest[] taggedRequests = new TaggedRequest[] { taggedRequest };
TaggedContentInfo[] taggedContentInfos = new TaggedContentInfo[0];
OtherMsg[] otherMsgs = new OtherMsg[0];
PKIData pkiData = new PKIData(taggedAttributes, taggedRequests, taggedContentInfos, otherMsgs);

// id-cct-PKIData: content type of the inner CMS layer
ASN1ObjectIdentifier pkiDataOid = new ASN1ObjectIdentifier("1.3.6.1.5.5.7.12.2");
CMSProcessableByteArray cmsProcessableByteArray = new CMSProcessableByteArray(pkiDataOid, pkiData.getEncoded());
// outer CMS SignedData, signed with the enrollment key and certificate (helper from the question, not shown)
CMSSignedData cmsSignedData = Utils.createCmsSignedDataWithKeyAndCert(cmsProcessableByteArray, keyPair, cert, true);
Any advice on what could be wrong? The logs and events on ADCS are not very helpful, and I am not even sure whether PKCS#10 with Null Signature is supported in my ADCS or whether it needs to be updated or patched somehow.
Upvotes: 0
Views: 120
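A local check for a Null Signature PKCS#10, as an added example (not from the question and not BouncyCastle's own code): it repeats what the CA has to do with such a request, recomputing the digest named in signatureAlgorithm over the embedded CertificationRequestInfo and comparing it with the signature bits, so a mismatch like the one behind NTE_BAD_SIGNATURE is caught before anything is submitted. It assumes, as in the question's code, that signatureAlgorithm carries a bare digest OID that the JDK's providers know under its dotted name.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;

import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;

public final class NullSignatureCheck {

    /**
     * Returns true when the request's signature bits equal the digest (named by the
     * signatureAlgorithm OID) of the DER-encoded CertificationRequestInfo, i.e. when the
     * request is a well-formed "Null Signature" PKCS#10. Throws if the JDK does not know
     * the digest OID, which is itself a sign the signatureAlgorithm field is wrong.
     */
    public static boolean isValidNullSignature(byte[] pkcs10Der) throws Exception {
        CertificationRequest req = CertificationRequest.getInstance(pkcs10Der);
        CertificationRequestInfo info = req.getCertificationRequestInfo();
        AlgorithmIdentifier sigAlg = req.getSignatureAlgorithm();

        // assumption: the JDK providers register digest OIDs (e.g. 2.16.840.1.101.3.4.2.1
        // for SHA-256) as aliases, so the dotted OID is accepted as the algorithm name
        MessageDigest md = MessageDigest.getInstance(sigAlg.getAlgorithm().getId());
        byte[] expected = md.digest(info.getEncoded("DER"));

        // a digest is a whole number of bytes; any padding bits mean a mis-encoded value
        if (req.getSignature().getPadBits() != 0) {
            return false;
        }
        byte[] actual = req.getSignature().getOctets();
        // constant-time comparison, the same habit as for real signatures
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        // usage: java NullSignatureCheck request.der (DER-encoded PKCS#10 with Null Signature)
        byte[] der = Files.readAllBytes(Paths.get(args[0]));
        System.out.println(isValidNullSignature(der)
                ? "null signature matches CertificationRequestInfo digest"
                : "MISMATCH: embedded request info and signature bits disagree");
    }
}
```

Run it on the DER bytes of the inner PKCS#10 (certificationRequest.getEncoded()) before wrapping it in PKIData; if the digest does not match here, the CA's signature check cannot pass either.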