(WIN32: 1400 ERROR_INVALID_WINDOW_HANDLE) while Signing a CSR with a SmartCard

0

I am trying to generate a CSR from a smart card using the CertEnroll::CX509CertificateRequestPkcs10 library. It works fine if I just run it at the beginning. However, if I run the ADAL login flow beforehand, I get the following error:

CertEnroll::CX509CertificateRequestPkcs10::Encode: Invalid window handle. 0x80070578 (WIN32: 1400 ERROR_INVALID_WINDOW_HANDLE)

I looked into the error, and it seems that it is caused when you call a window that no longer exists. Since I can't control what window CertEnroll::CX509CertificateRequestPkcs10::Encode calls, is there a way to clear the pointers or something to avoid this error?

For reference, here is my enroll code:

using CERTENROLLLib;   // COM interop for certenroll.dll

var request = new CX509CertificateRequestPkcs10();
request.Initialize(X509CertificateEnrollmentContext.ContextUser);   // per-user enrollment context
request.PrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;   // key must stay on the card
request.PrivateKey.Length = 2048;
request.PrivateKey.ProviderName = "Microsoft Base Smart Card Crypto Provider";   // legacy CAPI provider
request.PrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
request.PrivateKey.KeySpec = X509KeySpec.XCN_AT_KEYEXCHANGE;   // legacy CAPI key spec
request.PrivateKey.MachineContext = false;
if (!subjectName.StartsWith("CN="))
    subjectName = $"CN={subjectName}";
var subjectEncoded = new CX500DistinguishedNameClass();
subjectEncoded.Encode(subjectName);
request.Subject = subjectEncoded;
request.Encode();   // generates the key on the card and signs the request; this is the call that throws

And here is my authentication code:

using Microsoft.IdentityModel.Clients.ActiveDirectory;   // ADAL .NET

// Interactive login; PromptBehavior.Always shows the sign-in window on every call.
result = authContext.AcquireTokenAsync(ResourceId, clientId, redirectUri, new PlatformParameters(PromptBehavior.Always));
result.Wait();   // block until the token call completes
_userName = result.Result.UserInfo.DisplayableId;
return result.Result.AccessToken;

Tags: c#, certificate, smartcard, certenroll
asked on Stack Overflow May 16, 2019 by pudm

1 Answer

1

I was able to work around this by changing my provider to the newer version and the KeySpec to None (since this is required for the new-gen Key Storage Provider):

request.PrivateKey.ProviderName = "Microsoft Smart Card Key Storage Provider";   // CNG KSP instead of the legacy CAPI CSP
request.PrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
request.PrivateKey.KeySpec = X509KeySpec.XCN_AT_NONE;   // CNG keys use AT_NONE; AT_KEYEXCHANGE/AT_SIGNATURE are CAPI-only
answered on Stack Overflow May 16, 2019 by pudm
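As an added example (not pudm's code), the following helper shows the answer's Key Storage Provider settings applied in a complete CSR-generation routine. It assumes a project that references the CERTENROLLLib COM interop assembly and a smart card that the KSP minidriver recognises; the class and method names (SmartCardCsr.Create) are hypothetical. It goes a little beyond the answer: the key object is created explicitly before the request is initialized from it, ExportPolicy is pinned so the private key can never leave the card, the PEM-formatted request is returned for submission to a CA, and a failing COM call is rethrown with its HRESULT in hex so a result such as 0x80070578 can be looked up directly.

```csharp
using System;
using System.Runtime.InteropServices;
using CERTENROLLLib;   // COM interop assembly generated from certenroll.dll

public static class SmartCardCsr
{
    // Hypothetical helper: builds a PKCS#10 request whose private key lives on the
    // smart card, using the CNG Key Storage Provider named in the answer, and
    // returns the request as PEM text.
    public static string Create(string subjectName, int keyLength = 2048)
    {
        if (string.IsNullOrWhiteSpace(subjectName))
            throw new ArgumentException("subject is required", nameof(subjectName));
        if (!subjectName.StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
            subjectName = "CN=" + subjectName;

        try
        {
            // Create the key object explicitly so the provider/KeySpec pairing is
            // fixed before the key is generated on the card.
            var key = new CX509PrivateKey
            {
                ProviderName   = "Microsoft Smart Card Key Storage Provider",
                KeySpec        = X509KeySpec.XCN_AT_NONE,   // CNG KSPs do not use the legacy AT_* key specs
                KeyUsage       = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG,
                ExportPolicy   = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE,   // key never leaves the card
                Length         = keyLength,
                MachineContext = false,
            };
            key.Create();   // key generation on the card; the PIN prompt appears here

            var request = new CX509CertificateRequestPkcs10();
            request.InitializeFromPrivateKey(
                X509CertificateEnrollmentContext.ContextUser, key, string.Empty);

            var dn = new CX500DistinguishedName();
            dn.Encode(subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
            request.Subject = dn;

            request.Encode();   // signs the request with the on-card key

            // "-----BEGIN NEW CERTIFICATE REQUEST-----" block, ready to submit to a CA.
            return request.RawData[EncodingType.XCN_CRT_BASE64REQUESTHEADER];
        }
        catch (COMException ex)
        {
            // Surface the HRESULT in hex (e.g. 0x80070578 in the question) so the
            // underlying Win32 error can be identified rather than just its message.
            throw new InvalidOperationException(
                $"CSR generation failed, HRESULT 0x{ex.HResult:X8}: {ex.Message}", ex);
        }
    }
}
```

Call it as `string pem = SmartCardCsr.Create("alice@example.test");` from the user's interactive session; the card's PIN dialog is raised by the KSP during key.Create(), so the call needs a foreground UI context.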

User contributions licensed under CC BY-SA 3.0