Z
Zach McCain via .NET 247
The Basics
---------------------------------------
1) Created a class to communicate with a remote raw SSL socket.We initiate communication using a PFX file which contains bothpublic and private key :
objCert = Certificate.CreateFromPfxFile(pfxcertpath,"conus");
2) Class tested succesfully when incorporated into a consoleapplication but failed on 2 of 3 computers when used in a .NetWebService.
----------------------------------------
The Specifics
----------------------------------------
1)Exception:
Couldnt Acquire Crypto Service Provider context. Occuring whensocket does its first Send.
2)Stack Trace:
StackTrace "
atOrg.Mentalis.Security.Cryptography.CAPIProvider.CreateInternalHandle(Int32& handle, String container)\r\n
atOrg.Mentalis.Security.Cryptography.CAPIProvider.get_Handle()\r\n
atOrg.Mentalis.Security.Certificates.Certificate.get_PublicKey()\r\n
atOrg.Mentalis.Security.Ssl.Shared.ClientHandshakeLayer.ProcessServerHelloDone(HandshakeMessage message)\r\n
atOrg.Mentalis.Security.Ssl.Shared.ClientHandshakeLayer.ProcessMessage(HandshakeMessage message)\r\n
atOrg.Mentalis.Security.Ssl.Shared.HandshakeLayer.ProcessMessages(RecordMessage message)\r\n
atOrg.Mentalis.Security.Ssl.Shared.RecordLayer.ProcessBytes(Byte[]buffer, Int32 offset, Int32 size)\r\n
atOrg.Mentalis.Security.Ssl.Shared.SocketController.OnReceive(IAsyncResult ar)" string
3)Steps Taken
Being that this error occurs only within a .Net WebServiceenvironment (remember our multiple console applications workfine) and that 1 of the 3 WebService environments tested on hadno problem when using the class, we assumed there was an issuewith the IUSER account context. We changed the IUSER group toadmin but still experienced the error. Going on our initialassumption we then decided that in the event that the error wascaused by some permission needed by IUSER in order to access thePFX file (we are guessing here) , we used the Mentalis libraryto create strings of our PFX file and hardcoded these into ourapplication...
we created the string by calling the CreateFromBase64 stringfunction on our original certificate object.
objCert=Certificate.CreateFromBase64String(sCert);
This worked fine on the console apps and the webserver runningthe webservice that had previously worked with our socketclass.
However, it continued to fail with the same error on the other 2webservers we were testing on (again the console apps on these 2webservers both worked).
But, there was a difference in the error thrown this time.Instead of throwing the 'Crypto Service Provider' error it threwa 'if a certificate is specified it must have a private key'exception. We find this odd in that if a private key was absentthis would not have worked on our 1 webserver which up to thispoint has had no problems using the secure socket ; also thehasPrivateKey property of the Certificate object returns truewhen instantiated from the base64 string. But for fullness oftesting we decided to export the private string to XML
...
deerscert.PrivateKey.ToXmlString(false)
...
and then reconstitute it from string...
...
ObjCert.PrivateKey.FromXmlString("<RSAKeyValue><Modu .....AKeyValue>");
...
This worked fine on all console apps and on the 'Golden'WebServer. However it again failed on the WebService running onthe problematic servers, but with an error message this time of'Could Not Acquire Private Key'!
Now we know the private key is there and proper as we just had 4applications use the XML encoding of that key properly.
So....that is where we are now. Ive read these forums and Iveseen several people mention similiar problems but no realsolution that I wish to bank on. Any help would be greatlyappreciated.
Thanks
---------------------------------------
1) Created a class to communicate with a remote raw SSL socket.We initiate communication using a PFX file which contains bothpublic and private key :
objCert = Certificate.CreateFromPfxFile(pfxcertpath,"conus");
2) Class tested succesfully when incorporated into a consoleapplication but failed on 2 of 3 computers when used in a .NetWebService.
----------------------------------------
The Specifics
----------------------------------------
1)Exception:
Couldnt Acquire Crypto Service Provider context. Occuring whensocket does its first Send.
2)Stack Trace:
StackTrace "
atOrg.Mentalis.Security.Cryptography.CAPIProvider.CreateInternalHandle(Int32& handle, String container)\r\n
atOrg.Mentalis.Security.Cryptography.CAPIProvider.get_Handle()\r\n
atOrg.Mentalis.Security.Certificates.Certificate.get_PublicKey()\r\n
atOrg.Mentalis.Security.Ssl.Shared.ClientHandshakeLayer.ProcessServerHelloDone(HandshakeMessage message)\r\n
atOrg.Mentalis.Security.Ssl.Shared.ClientHandshakeLayer.ProcessMessage(HandshakeMessage message)\r\n
atOrg.Mentalis.Security.Ssl.Shared.HandshakeLayer.ProcessMessages(RecordMessage message)\r\n
atOrg.Mentalis.Security.Ssl.Shared.RecordLayer.ProcessBytes(Byte[]buffer, Int32 offset, Int32 size)\r\n
atOrg.Mentalis.Security.Ssl.Shared.SocketController.OnReceive(IAsyncResult ar)" string
3)Steps Taken
Being that this error occurs only within a .Net WebServiceenvironment (remember our multiple console applications workfine) and that 1 of the 3 WebService environments tested on hadno problem when using the class, we assumed there was an issuewith the IUSER account context. We changed the IUSER group toadmin but still experienced the error. Going on our initialassumption we then decided that in the event that the error wascaused by some permission needed by IUSER in order to access thePFX file (we are guessing here) , we used the Mentalis libraryto create strings of our PFX file and hardcoded these into ourapplication...
we created the string by calling the CreateFromBase64 stringfunction on our original certificate object.
objCert=Certificate.CreateFromBase64String(sCert);
This worked fine on the console apps and the webserver runningthe webservice that had previously worked with our socketclass.
However, it continued to fail with the same error on the other 2webservers we were testing on (again the console apps on these 2webservers both worked).
But, there was a difference in the error thrown this time.Instead of throwing the 'Crypto Service Provider' error it threwa 'if a certificate is specified it must have a private key'exception. We find this odd in that if a private key was absentthis would not have worked on our 1 webserver which up to thispoint has had no problems using the secure socket ; also thehasPrivateKey property of the Certificate object returns truewhen instantiated from the base64 string. But for fullness oftesting we decided to export the private string to XML
...
deerscert.PrivateKey.ToXmlString(false)
...
and then reconstitute it from string...
...
ObjCert.PrivateKey.FromXmlString("<RSAKeyValue><Modu .....AKeyValue>");
...
This worked fine on all console apps and on the 'Golden'WebServer. However it again failed on the WebService running onthe problematic servers, but with an error message this time of'Could Not Acquire Private Key'!
Now we know the private key is there and proper as we just had 4applications use the XML encoding of that key properly.
So....that is where we are now. Ive read these forums and Iveseen several people mention similiar problems but no realsolution that I wish to bank on. Any help would be greatlyappreciated.
Thanks