Was solved

I created a .crd for an X509 certificate (using the hex thumbprint) but failed to use it to authenticate, getting the error message box "The certificate associated with this card could not be found" and nothing in the event log.
The certificate seems properly trusted, has a corresponding private key, is located in the CurrentUser/Personal keystore (in LocalMachine/Personal too) and can be found by
>findprivatekey.exe My CurrentUser -t "d47de657fa4902555902cb7f0edd2ba9b05debb8"
that was shipped with some of the CardSpace sample STSs.
So the questions are:
1. Am I doing something wrong?
2. Is there some possibility (in the present version of .Net3) to do it without SmartCard hardware (maybe some option or tool/emulator for testing)?
3. What are the requirements for SmartCard hardware to succeed in X509 authentication?



  • Bhanu Prakash Nunna - MSFT

    Ah, I'm glad to hear that. Thought I was going crazy there for a bit.


    I'm currently building up some STS functionality, as I'm working on several proof-of-concepts and demonstrations for my enterprise. It's coming along slowly, but I get the distinct feeling that I'm reinventing the wheel. And you guys mentioned open-sourcing the solution some time ago, which appears to be fairly refined. Why develop on a RYO codebase when there is a soon-to-be open source solution I can build upon?



  • MongoBongo

    Thanks for that. I'm looking forward to it. I'll continue down my current path until I hear otherwise.

  • OClaudiu

    Rammic, I'm a developer and can answer technical questions for the moment. I will provide information for you about open-sourcing our Java-cardspace code ASAP. For the moment you can use the demo to check working SOAP exchanges for browser-based interactions of all types. The Kerberos one needs some extra environment effort to replay on the Internet, but all the rest should work. I would appreciate your feedback if something's wrong with the demo.

  • Jeyaraj N

    Thanks for the response. I tried the example you cited without success: I input the SHA1 hex hash of the certificate into the field, but got a card with a base64 value which didn't invoke the certificate. It may be just because of the format I used for the thumbprint, but I couldn't get it to work.

    Anyway, I did my own hash of the cert with a base64 conversion which did finally work, generating a different hash value, though. This discussion does seem to contradict the document I was referencing for implementation, however:

    • For a Certificate backed card, the element <X509V3Credential> is used by managed card; the <KeyIdentifier> element contains the hash of the smartcard’s certificate. The <DisplayCredentialHint> element is the prompt that the user receives before displaying the smartcard.

      <UserCredential>
        <X509V3Credential>
          <X509Data xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyIdentifier
              ValueType="http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-soap-message-security-1.1#ThumbprintSHA1"
              xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
              3ce25c9ef8b2d5d99a227e1ea1a28d7f001a3355
            </KeyIdentifier>
          </X509Data>
        </X509V3Credential>
      </UserCredential>
    http://msdn2.microsoft.com/en-us/library/aa967567.aspx

    Perhaps it's just outdated, but confusing nonetheless. Thanks for the help. On to the next problem... :)



  • csi_hugh

    Please check out the working example that works with both software and smartcard based certificates. Choose X509TransportEndpoint and create a .crd for it. Your software certificate should be in CurrentUser/Personal (checked to work; others may also work), and it should have a private key. Use the 20-byte SHA1 hash that you can find in the certificate properties to create and install the .crd. Check that it works on the demo RP by choosing the .crd in the selector.

    Smartcard backed certificates work in a similar way.

    Also you can save the .crd as XML and analyse it with your favorite tool. The key identifier is the Base64 representation of the certificate hash.

  • testuser1

    Can you specify in detail what was wrong with my demo site?

    I created a .crd for X509TransportEndpoint with the "13 01 64 43 9e 41 2d 19 fd 2b 25 22 36 3c 7d da 6f 86 3b 04" hash copied right from the certificate properties.
    ...
    <UserCredential>
      <DisplayCredentialHint>Enter username/password</DisplayCredentialHint>
      <X509V3Credential>
        <X509Data xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyIdentifier
            xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis200401-wsssoap-message-security-1.0#Base64Binary"
            ValueType="http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-soap-message-security-1.1#ThumbprintSHA1">EwFkQ55BLRn9KyUiNjx92m+GOwQ=</KeyIdentifier>
        </X509Data>
      </X509V3Credential>
    </UserCredential>
    ...

    Then I go to the demo RP, request the appropriate claims, log in, choose the just-created .crd and get the interaction flow.

    Please specify the step and the details where things go wrong.

  • Alpedk

    Rammic, thanks for the details.
    It was a real bug that appears only when the first hex byte of the hash is >1f, so I missed it with my only test certificate.
    Will be fixed by tomorrow.

    So, are you guys going to be open-sourcing the STS code anytime soon?


    Not this week at least. What are you interested in?


  • Mystagogue

    I provided a thumbprint of "ac a6 30 bf 4f 15 d8 40 6d 2a 74 74 8f 08 53 db 01 c8 c9 f6" and received the hash of "AKymML9PFdhAbSp0dI8IU9sByMn2" from the issued Infocard. The Base64(SHA1(Certificate)) value that I generated (and accepted by the CardSpace client) is "rKYwv08V2EBtKnR0jwhT2wHIyfY=".

    So, are you guys going to be open-sourcing the STS code anytime soon?
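
The three posts above (csi_hugh's "key identifier is the Base64 of the certificate hash", testuser1's working card, and Mystagogue's buggy value) are enough to pin down both the correct conversion and the failure. Below is an added example, not code from the thread or from the demo STS, that does the conversion in Python 3 using only the standard library and also inspects a KeyIdentifier pulled from a saved .crd. The thumbprints and Base64 strings are copied from the posts; the interpretation of the buggy value is an inference from decoding it: "AKymML9PFdhAbSp0dI8IU9sByMn2" decodes to 21 bytes beginning with 0x00 followed by the expected 0xac, which is what a signed big-integer conversion produces when the first hash byte is 0x80 or higher. Function names are mine.

```python
import base64
import hashlib
import re

SHA1_LEN = 20  # a SHA-1 thumbprint is always 20 bytes

# Values copied from the posts in this thread.
THUMBPRINT_OK = "13 01 64 43 9e 41 2d 19 fd 2b 25 22 36 3c 7d da 6f 86 3b 04"
THUMBPRINT_HIGH_BYTE = "ac a6 30 bf 4f 15 d8 40 6d 2a 74 74 8f 08 53 db 01 c8 c9 f6"
BUGGY_KEY_IDENTIFIER = "AKymML9PFdhAbSp0dI8IU9sByMn2"  # what the buggy card builder emitted


def normalize_thumbprint(text: str) -> bytes:
    """Turn a thumbprint as copied from the Windows certificate dialog (spaces,
    colons, mixed case, the occasional invisible character) into its 20 raw bytes."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(hexdigits) != 2 * SHA1_LEN:
        raise ValueError(f"expected {2 * SHA1_LEN} hex digits, got {len(hexdigits)}")
    return bytes.fromhex(hexdigits)


def key_identifier_from_thumbprint(text: str) -> str:
    """Base64 of the raw thumbprint bytes: the value that belongs in <KeyIdentifier>."""
    return base64.b64encode(normalize_thumbprint(text)).decode("ascii")


def thumbprint_from_der(der: bytes) -> str:
    """Hex SHA-1 over the DER-encoded certificate, i.e. what the certificate
    dialog displays as the thumbprint."""
    return hashlib.sha1(der).hexdigest()


def inspect_key_identifier(b64: str) -> dict:
    """Decode a KeyIdentifier taken from a saved .crd and report whether it is a
    usable 20-byte thumbprint. A 21-byte value that starts with 0x00 and whose
    next byte is >= 0x80 is the tell-tale of a hash that went through a signed
    big-integer conversion (inferred from the buggy value quoted in the thread)."""
    raw = base64.b64decode(b64)
    report = {"length": len(raw), "hex": raw.hex(), "problem": None}
    if len(raw) == SHA1_LEN:
        return report
    if len(raw) == SHA1_LEN + 1 and raw[0] == 0x00 and raw[1] >= 0x80:
        report["problem"] = (
            "sign-extension: a 0x00 byte was prepended because the first hash byte is >= 0x80"
        )
    else:
        report["problem"] = f"not a 20-byte SHA-1 thumbprint ({len(raw)} bytes)"
    return report


if __name__ == "__main__":
    for t in (THUMBPRINT_OK, THUMBPRINT_HIGH_BYTE):
        print(t, "->", key_identifier_from_thumbprint(t))
    print("buggy card value:", inspect_key_identifier(BUGGY_KEY_IDENTIFIER))
```

Run it as a script to see the two conversions, or save a card as XML (as csi_hugh suggests), copy the KeyIdentifier text out and pass it to `inspect_key_identifier`: a 20-byte result means the card points at the right thumbprint and the problem is elsewhere (store location, private key); a 21-byte result with the leading zero means the card builder, not CardSpace, is at fault.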

  • Mathew1972

    Similar problem here: I have a soft certificate installed in both the User and Local Machine space. The issued card identifies the SHA1 thumbprint, which I can find using findprivatekey.exe, though the CardSpace client claims it cannot find the associated certificate.

    I also tried issuing a card from a Smart Card with the same result. Can someone expand on how this problem was solved?

  • Andreas_M

    For me, when I find the key with the "findprivatekey" tool, cardspace also finds it.
    I tried cardspace with a smartcard, and I also refer to the thumbprint of the certificate found in the certificate store of Windows. While cardspace tries to access the key of the certificate, the smartcard middleware interacts with cardspace to make you enter your PIN code.
    So cardspace itself does not have specific requirements regarding smartcard hardware (I think, at least).
