1

I have a Delphi 7 CGI web service application (on Windows XP, but Windows 7 is not off the table) in which I need to access a digital certificate to sign an XML document.

I have imported CApicom_TLB and successfully managed to instantiate the certificate, but with some problems...

The Apache server that runs my app runs it as a different Windows user from the one under which I installed the certificate, which leaves the certificate store empty when I query it with the CAPICOM_CURRENT_USER_STORE flag. I worked around it by installing the A1 certificate (PFX with private key) in the local machine store (via the MMC console, add new snap-in) and accessing the certificate store with the CAPICOM_LOCAL_MACHINE_STORE flag. I get the certificate (I can read its serial number, friendly name and valid-to date), but when I try to sign a document I get a "Key Pair does not exist" error.

The same code works (successfully signs the XML) in a normal app (not CGI) with the same PFX.

Code I use to get the certificate:

    Store := CoStore.Create;
    Store.Open(CAPICOM_LOCAL_MACHINE_STORE, CAPICOM_STORE_NAME, CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED);

    Certs := Store.Certificates as ICertificates2;
    for i := 1 to Certs.Count do   // CAPICOM collections are 1-based
    begin
      Cert := IInterface(Certs.Item[i]) as ICertificate2;
      if Cert.SerialNumber = FNumeroSerie then
      begin
        if DFeUtil.EstaVazio(NumCertCarregado) then
          NumCertCarregado := Cert.SerialNumber;

        // Copy the matching certificate into an in-memory store used for signing
        if CertStoreMem = nil then
        begin
          CertStoreMem := CoStore.Create;
          CertStoreMem.Open(CAPICOM_MEMORY_STORE, 'Memoria', CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED);
          CertStoreMem.Add(Cert);
        end;
      end;
    end;

Then I use CertStoreMem to sign using the following:

    // Get the IPrivateKey interface of the certificate loaded above
    OleCheck(IDispatch(Certificado.PrivateKey).QueryInterface(IPrivateKey, PrivateKey));
    xmldsig.store := CertStoreMem;

    // Open the CSP key container by provider type, provider name and container name
    dsigKey := xmldsig.createKeyFromCSP(PrivateKey.ProviderType, PrivateKey.ProviderName, PrivateKey.ContainerName, 0);

The error (Key pair) is raised on the last line of code.

There are two approaches: make the CGI application read the certificate as the same user that installed it (the code that works in non-CGI), OR make this workaround with the local-machine-installed certificate work without the key error.

If anyone could help, it would be much appreciated.

EProgrammerNotFound
Davi
  • Your best bet is to hope that Eugene Mayevski from ElDos sees this question and helps you out. http://stackoverflow.com/users/47961/eugene-mayevski-eldos-corp – Chris Thornton Sep 09 '13 at 20:29
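One check for the second approach (the LocalMachine workaround), added here as an example and not code from the question or the answer: a PFX imported into the machine store gets a CAPI key container whose file is readable only by Administrators and SYSTEM by default, so a CGI process running as another account can open the certificate but not its key. This PowerShell script (the serial number and the account Apache runs as are placeholders you supply) lists the ACL on that key container and, with -Grant, gives the account Read access.

```powershell
# Added example: inspect (and optionally grant) read access to the private-key
# container of a LocalMachine certificate for the account the CGI runs under.
param(
    [Parameter(Mandatory)] [string] $SerialNumber,  # hex serial, e.g. the FNumeroSerie value
    [Parameter(Mandatory)] [string] $Account,       # assumed: e.g. 'NT AUTHORITY\NETWORK SERVICE'
    [switch] $Grant
)

$serial = $SerialNumber.ToUpper().Replace(' ', '')
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
if (-not $cert) { throw "Certificate with serial $serial not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; was the PFX imported with it?" }

# createKeyFromCSP opens a CAPI (CSP) key container; machine containers are files under
# MachineKeys, and that file's ACL decides whether the CGI account can open the key.
$rsa = $cert.PrivateKey
if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
    throw "Key is not a CAPI/CSP key; createKeyFromCSP needs a CSP key container"
}
$uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
$keyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $uniqueName
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

$acl = Get-Acl $keyFile
Write-Host "Current ACL on ${keyFile}:"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

$readBit = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readBit) -eq $readBit)
}

if ($hasRead) {
    Write-Host "$Account can already read the key; the cause lies elsewhere (CSP, key flags, profile)."
} elseif ($Grant) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read on the key container to $Account; restart Apache and retry signing."
} else {
    Write-Host "$Account has no Read access to the key container: the usual cause of 'Key pair does not exist'. Re-run with -Grant to fix."
}
```

Run it elevated, since reading the key container path itself requires access to the key; granting Read only (not Full Control) keeps the CGI account from exporting or replacing the key.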

1 Answer

0

If it is an issue with user authentication, and you have (total) control over the server, I would consider wrapping the signing bit in an ActiveX library and adding it to a COM+ package; using Component Services you can control activation and authentication so it runs with impersonation in a separate dllhost.exe.

Stijn Sanders
  • It's not about user authentication. I use the certificate to sign an XML file... but thanks – Davi Sep 10 '13 at 12:01
  • Well, authentication might not be the right word, but I mean anything related to the user profile data such as the private certificate store. – Stijn Sanders Sep 10 '13 at 16:10