Windows PKI blog

News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals

Certificate Path Validation in Bridge CA and Cross-Certification Environments


Recently, we’ve had a deluge of questions regarding chain building and selection, especially in the presence of cross-certified certificates. Hopefully, this post will make Crypto API 2 (CAPI2) chaining logic clearer and help enterprise admins design and troubleshoot their public key infrastructure.
 
While trying to validate an end entity, CAPI2 tries to select the best quality chain leading up to a certificate that the user trusts. Where multiple valid chains exist, this may not be the shortest chain found. It is also possible that CAPI2 could not construct complete chains – this can happen when intermediate CAs are not available on the client, and the client could not retrieve the certificates (due to server issues, proxy authentication failures, insufficient rights to access the network, and other issues).
 
Consider the following chain: the Contoso Root CA has issued an intermediate CA, Contoso InterCA, which in turn issues a signing cert to Bob. Now, another root CA, Super Root has issued an intermediate CA called Bridge CA, which cross certifies the Contoso Root CA.

Contoso Root CA ->
             Contoso InterCA ->
                                     Bob

Bridge CA cross certifies Contoso Root CA, resulting in

Super Root ->
             Bridge CA ->
                    X-Cert Contoso Root CA ->
                                           Contoso InterCA ->
                                                                   Bob

There are two possible valid chains here – the original chain Contoso Root CA -> Contoso InterCA -> Bob, and the cross certified chain Super Root -> Bridge CA -> X-Cert Contoso Root CA -> Contoso InterCA -> Bob. Which chain will CAPI2 return? This isn’t as simple as returning the shortest chain. It is also affected by certificate discovery – can the client access all certificates in the chain?

Consider the simple case, in which the client has all certificates available. This means that it either performed a network retrieval to get the certificates, or they were already installed in the relevant certificate stores, or they were available in the cache. Since the client now has two valid chains, CAPI2 needs to select and return the “best” chain. Simply returning the shortest chain isn’t an option – the longer chain can be the “better” chain. The process of selecting a chain can be explained as follows.
 
CAPI2 starts by calculating the “quality” of each chain. The quality of the chain is derived from a number of factors, including:
  1. Certificate signatures are valid
  2. Certificate chain ends at a trusted root
  3. Chain has valid basic constraints
  4. Successful revocation check / not revoked
  5. Chain has name constraint policies
  6. Chain has certificate policies
  7. Chain has extended key usages
  8. Chain has SubjectKeyIdentifier / AuthorityKeyIdentifier match

In a nutshell, if a chain provides more information (i.e. valid policy constraints, revocation check succeeded) its quality increases; conversely, if it encounters errors (certificate is revoked / revocation status unknown, invalid name constraints) its quality decreases.
 
If there are multiple chains with the same quality score, CAPI2 uses the following tie breakers:
  1. Starting with the certificate of the end entity’s issuer on both chains, compare the NotBefore dates and NotAfter dates of certificates in the same position in the chain. The first chain with a later NotBefore date, or if the NotBefore dates are identical, the chain with the later NotAfter date is selected.
  2. If both chains have identical validity periods, then the shorter chain is selected.

When there are multiple valid chains possible, the above heuristics are used only when CAPI2 can successfully build the various valid chains. However, due to various issues during path discovery, CAPI2 may not even be able to build a certificate chain up to a particular root. For example, if the intermediate certificates or cross-certificates cannot be discovered, CAPI2 may only completely build one of the two valid chains in the example above. There are however some general guidelines which are recommended for a majority of PKI scenarios commonly encountered in the enterprise.

In order to facilitate a successful path discovery, you should use group policies to deploy cross-certificates and intermediate CA certificates in your environment. This would eliminate the need to perform network retrievals during path discovery (and potentially result in performance improvements).
 
Selection of a particular chain can be forced by correct management of trusted roots and certificate policies. If you want the chain up to a particular root to always be picked, you need to make sure that it is the only trusted valid chain that can be built, removing the ambiguity. In the example above, if you want the chain up to the Contoso Root to be built, then it needs to be the only valid chain possible. If Super Root is distributed through the automatic root update service, then you can either disable the Auto Root Update program on clients and push the selected third-party roots via Group Policy, or place Super Root in the “Untrusted Certificates” store.
 
What if you can’t do either, because Super Root is required to be trusted for a different application? That’s where policy and name constraints come into play. By specifying these on the CA certificates, you can provide additional context for the chain validation client, thereby making a stronger case to restrict to a particular chain (assuming, of course, the constraints are valid throughout the chain). In our example, this could mean specifying a nameConstraint on the Contoso Root CA, which is satisfied by all certificates in the chain. The additional context provided by the shorter chain would cause CAPI2 to return the more restrictive chain.
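The quality scoring, the two tie-breakers and the effect of adding a name constraint to Contoso Root CA, modelled in Python on the post's own two chains. This is an added illustration, not CAPI2's code: the factor weights, the Cert attributes and every date are assumptions; only the list of factors, the tie-break rules and the chain names come from the post.

```python
"""Model of the CAPI2 chain-selection heuristics described in the post.
Added illustration, not Microsoft's code: factor weights and dates are assumed;
the ordering of the factors and the two tie-breakers are taken from the post."""
from dataclasses import dataclass
from datetime import date
from functools import cmp_to_key
from typing import List, Tuple


@dataclass(frozen=True)
class Cert:
    """One certificate in a path; only the attributes the heuristics look at."""
    name: str
    not_before: date
    not_after: date
    revocation: str = "good"        # "good", "unknown" or "revoked"
    basic_constraints_ok: bool = True
    name_constraints: str = "none"  # "none", "valid" (present and satisfied) or "invalid"
    has_policies: bool = False
    has_ekus: bool = False
    ski_aki_match: bool = True


Chain = List[Cert]  # end entity first, trusted root last


def chain_quality(chain: Chain) -> int:
    """Score a valid chain with the post's eight factors. Weights are assumed;
    extra information raises the score, errors lower it, as the post states."""
    score = 2  # factors 1-2: signatures valid and chain ends at a trusted root
    score += 1 if all(c.basic_constraints_ok for c in chain) else -1     # factor 3
    revocation = {c.revocation for c in chain}
    score += 1 if revocation == {"good"} else -2                         # factor 4
    constraints = {c.name_constraints for c in chain}
    if "invalid" in constraints:                                         # factor 5
        score -= 2
    elif "valid" in constraints:
        score += 1
    score += 1 if any(c.has_policies for c in chain) else 0              # factor 6
    score += 1 if any(c.has_ekus for c in chain) else 0                  # factor 7
    score += 1 if all(c.ski_aki_match for c in chain) else 0             # factor 8
    return score


def compare_validity(a: Chain, b: Chain) -> int:
    """Tie-breaker 1: starting at the end entity's issuer, compare the certificates
    at the same position; the later NotBefore wins, then the later NotAfter."""
    for ca, cb in zip(a[1:], b[1:]):
        if ca.not_before != cb.not_before:
            return 1 if ca.not_before > cb.not_before else -1
        if ca.not_after != cb.not_after:
            return 1 if ca.not_after > cb.not_after else -1
    return 0


def compare_chains(a: Chain, b: Chain) -> int:
    """Positive if chain a is preferred over chain b, negative if b is preferred."""
    qa, qb = chain_quality(a), chain_quality(b)
    if qa != qb:
        return 1 if qa > qb else -1
    by_validity = compare_validity(a, b)
    if by_validity != 0:
        return by_validity
    return (len(b) > len(a)) - (len(a) > len(b))  # tie-breaker 2: shorter wins


def select_chain(chains: List[Chain]) -> List[str]:
    """Return the names in the chain CAPI2 would hand back under this model."""
    best = max(chains, key=cmp_to_key(compare_chains))
    return [c.name for c in best]


def contoso_example(root_name_constrained: bool = False,
                    bridge_revocation: str = "good") -> Tuple[Chain, Chain]:
    """The post's two chains. All dates are constructed for the illustration."""
    bob = Cert("Bob", date(2010, 1, 1), date(2011, 1, 1), has_ekus=True)
    inter = Cert("Contoso InterCA", date(2005, 6, 1), date(2015, 6, 1))
    root = Cert("Contoso Root CA", date(2005, 1, 1), date(2025, 1, 1),
                name_constraints="valid" if root_name_constrained else "none")
    # Assumed: the cross-certificate Bridge CA issued to Contoso Root's key was
    # issued later than Contoso Root's own self-signed certificate.
    xcert = Cert("X-Cert Contoso Root CA", date(2008, 1, 1), date(2018, 1, 1))
    bridge = Cert("Bridge CA", date(2007, 1, 1), date(2020, 1, 1),
                  revocation=bridge_revocation)
    super_root = Cert("Super Root", date(2000, 1, 1), date(2030, 1, 1))
    return [bob, inter, root], [bob, inter, xcert, bridge, super_root]


if __name__ == "__main__":
    cases = [("no constraints", {}),
             ("nameConstraints on Contoso Root", {"root_name_constrained": True}),
             ("Bridge CA revocation unknown", {"bridge_revocation": "unknown"})]
    for label, kwargs in cases:
        direct, cross = contoso_example(**kwargs)
        print(f"{label}: quality direct={chain_quality(direct)} cross={chain_quality(cross)}"
              f" -> {' -> '.join(reversed(select_chain([direct, cross])))}")
```

With equal quality the later-issued cross-certificate wins on the first tie-breaker, so the longer bridged chain is returned; a satisfied name constraint on Contoso Root CA, or an unknown revocation status on Bridge CA, flips the choice to the short chain.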

-----

Siddarth Adukia
Windows Core Security Team 

 

Comments
  • Siddarth,

    You talk about how CAPI2 (Longhorn, Vista) calculates the cert chain; is the same algorithm used in CAPI (XP, Server 2003)?

    Thanks

    WatermelonCurry

  • I just cannot find some place to get help! I tried the MSDN forum, Stack Overflow, eggheadcafe... many sites, but got no answer. Please help me!!! Many thanks!

    When testing a smart card minidriver in Windows 7, I got the following errors:

    "cmck exec Reconnect" always show that

    Testing through CAPI calls

    Submitting CSP PIN for reader \\.\DMWZ ESAFE 0\

    CryptAcquireContext - CRYPT_NEWKEYSET

    CryptGenKey

    Reconnecting

    CryptAcquireContext - CRYPT_DELETEKEYSET

    CryptAcquireContext failed unexpectedly

    d:\5429t\testsrc\dstest\security\core\credentials\smartcard\cmck\cmck\fnreconnect.cpp Line: 264

    WIN32

    0x80090016

    Keyset does not exist.

    In Windows XP, it always passed. I have no idea!

    This is my log.



    Comparing the two logs, it seems that in Win 7 cmck always reads file, reads file, reads file... and fails, never getting into CardDeleteContainer or CardWriteFile :(

  • Siddarth,

    Need some help with this issue where in my application I need to verify that the X509 certificate is cross-certified with the FEDERAL BRIDGED CA. So I assume that my certificate will have multiple certificate paths. I am using the C#.NET 4.0 framework's X509Chain to validate the chain. As I understand it, the X509Chain.Build() function will validate the certificate with the highest quality chain. The problem is that it doesn't specify what path it chose to validate the certificate. Is there any way I can enumerate between multiple chains? Or specify some settings on X509Chain to always validate the certificate on the Federal PKI? Please advise.

  • I am trying get into the training section to take the P-US261-HB course.  I am not allowed to do due to a communication issue.

  • can you please assist me in accessing an account
