CSP review

 


Well, another team needs my assistance, and I haven't touched the CSP for about two years, so now I am doing some revision.

 

Set up the debugging environment:

1. Register the CSP with the system: regsvr32 xxxcsp.dll

2. If the DLL doesn't support regsvr32, copy the CSP DLL and the sig files into system32 (copy *.dll %windir%\system32) and change the registry manually.

3. Output the debug DLL into %windir%\system32.

4. Set the explorer as the debugging exe.

5. Set a breakpoint, run...

Note: if our DLL hasn't been signed, we may use the crack way, which I will talk about later.

 

Steps of applying for a certificate:

Because we don't know much detail about Microsoft's CSP code, we can only record which CSP functions are called and infer the process from that. It's certain that there must be a security protocol between the certificate subscriber and the cert server.

 

First we give the order in which the functions are called (without SSL, and without demanding a certificate):

1.      Choose our CSP in the CSP list.

a)      CPAcquireContext(), dwFlags = CRYPT_VERIFYCONTEXT: just get the handle of the CSP.

b)      CPGetProvParam(): confirm the CSP name and the algorithms supported.

        i.      PP_KEYSPEC: we return 3 (AT_SIGNATURE | AT_KEYEXCHANGE; 1 + 2)

        ii.     PP_ENUMALGS_EX, many times

        iii.    PP_KEYX_KEYSIZE_INC: we return 0

        iv.     PP_ENUMALGS, many many times

Up to this point, we don't need any hardware key function.

 

2.      Fill in the form and click the apply button; we choose to create a new container.

a)      CPAcquireContext(), dwFlags = CRYPT_NEWKEYSET: we create a new container.

b)      CPGetProvParam():

        i.      PP_NAME: CSP name

        ii.     PP_UNIQUE_CONTAINER: container name

        iii.    PP_PROVTYPE: we return 1

c)      CPGetUserKey(): we don't have any key in the new container, so return false with error code NTE_NO_KEY.

d)      CPGenKey(), dwFlags = 0x04004000 (RSA1024BIT_KEY | CRYPT_ARCHIVABLE): we don't support CRYPT_ARCHIVABLE, so return false with error code NTE_BAD_FLAGS.

e)      CPGenKey(), dwFlags = 0x04000000 (RSA1024BIT_KEY): we generate a key pair in the key and return the key handle.

f)      CPGetProvParam():

        i.      PP_KEYSET_SEC_DESCR, twice: we return NULL.

g)      CPDestroyKey(): release the key handle.

 

h)      CPGetUserKey(), dwKeySpec == 1: read the pubkey from the key.

i)      CPExportKey(), twice: the first time pbData == NULL, which just gets the pubkey length == 0x94; the second time gets the pubkey data.

j)      CPDestroyKey(): release the key handle.

 

k)      Steps h to j again: export another time?

l)      CPGetProvParam(): here there may be a process to decide the encryption algorithm for the security protocol.

        i.      PP_ENUMALGS_EX, many times

        ii.     PP_NAME: CSP name

        iii.    PP_ENUMALGS, many many times

 

m)      CPCreateHash()

n)      CPHashData(): cbDataLen = 0x2d7; the data is a mixture of data such as the CSP name, default browser, pubkey, CA name and so on.

o)      CPSignHash()

p)      CPDestroyHash()

 

q)      Steps m to p again, and the hash data is the same.

r)      Steps h to j again: export the pubkey another two times?

s)      CPReleaseContext(), twice.

 

Then click to install the cert:

t)      CPAcquireContext(), dwFlags = 0.

u)      CPGetProvParam():

        i.      PP_NAME: CSP name

        ii.     PP_UNIQUE_CONTAINER: container name

        iii.    PP_PROVTYPE: we return 1

v)      CPGetUserKey()

w)      CPSetKeyParam(), dwParam == KP_CERTIFICATE: we store the cert in our key.

x)      CPDestroyHash()

y)      CPReleaseContext()

Well, it seems that when the cert is applied for, it is first stored in memory; then, on install, the cert is imported into the system pool and into the hardware key.
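As an added illustration (not code from the original post or from any real CSP), the following C sketch reproduces two observations from the trace above: CPGenKey rejecting 0x04004000 with NTE_BAD_FLAGS while accepting 0x04000000, and the two-call CPExportKey pattern that reports 0x94 bytes for a 1024-bit public key. The function names, the supported-flags allowlist and the constructed modulus are assumptions, and the functions return the error code directly where a real CSP would call SetLastError and return FALSE.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as in wincrypt.h / winerror.h, redefined so this builds off Windows. */
#define NTE_BAD_FLAGS   0x80090009u
#define ERROR_MORE_DATA 234u
#define CALG_RSA_KEYX   0x0000a400u
#define RSA1_MAGIC      0x31415352u /* "RSA1" */
#define SUPPORTED_FLAGS 0x00000001u /* assumption: only CRYPT_EXPORTABLE is accepted */

/* Steps d/e: high 16 bits of dwFlags = key size in bits, low 16 bits = option flags. */
uint32_t check_genkey_flags(uint32_t dwFlags, uint32_t *bits) {
    *bits = dwFlags >> 16;
    return ((dwFlags & 0xFFFFu) & ~SUPPORTED_FLAGS) ? NTE_BAD_FLAGS : 0;
}

/* PUBLICKEYSTRUC (8 bytes) + RSAPUBKEY (12 bytes) + modulus. */
uint32_t pubkey_blob_len(uint32_t bits) { return 8 + 12 + bits / 8; }

static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Step i: pbData == NULL only reports the length; a short buffer is refused
   with the required size instead of being partially written. */
uint32_t export_pubkey(const uint8_t *mod_le, uint32_t bits, uint32_t pubexp,
                       uint8_t *pbData, uint32_t *pcbData) {
    uint32_t need = pubkey_blob_len(bits);
    if (pbData == NULL) { *pcbData = need; return 0; }
    if (*pcbData < need) { *pcbData = need; return ERROR_MORE_DATA; }
    pbData[0] = 0x06; pbData[1] = 0x02;    /* PUBLICKEYBLOB, CUR_BLOB_VERSION */
    pbData[2] = pbData[3] = 0;             /* reserved */
    put_le32(pbData + 4, CALG_RSA_KEYX);   /* aiKeyAlg for dwKeySpec == 1 */
    put_le32(pbData + 8, RSA1_MAGIC);
    put_le32(pbData + 12, bits);
    put_le32(pbData + 16, pubexp);
    memcpy(pbData + 20, mod_le, bits / 8); /* little-endian modulus */
    *pcbData = need; return 0;
}

int main(void) {
    uint8_t mod[128], blob[0x94]; uint32_t bits, cb = 0;
    memset(mod, 0xAB, sizeof mod);              /* constructed, not a real key */
    export_pubkey(mod, 1024, 65537, NULL, &cb); /* first call: length only */
    printf("genkey 0x%08x, blob 0x%x bytes\n",
           (unsigned)check_genkey_flags(0x04004000u, &bits), (unsigned)cb);
    return export_pubkey(mod, 1024, 65537, blob, &cb) == 0 ? 0 : 1;
}
```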

 

Summary:

There are always some new findings when reviewing old things:

1. When handling a key handle, just use the key handle once and then release it. This way we can use the key handle more securely.

2. The key point of implementing a CSP is understanding the key operation process.
