Problem when use "X509Certificates.X509Certificate2"

Started by hienpham, October 25, 2013, 12:34:42 PM


hienpham

Hi Deana,
First I have to thank you for your article "Get Expiration Date of this X509v3 Certificate". It really helps me to work with the certificate; it's much easier than using CAPICOM.
In order to get the Thumbprint of the certificate, I tried to use X509Certificate2 (http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.thumbprint(v=vs.110).aspx)
but when I jump to X509Certificate2 in the following command:

X509Certificate2 =  ObjectClrNew( 'System.Security.Cryptography.X509Certificates.X509Certificate2' )
I got the Error:  1848: CLR: Type name not found

I do not have any single problem using: (from your script)
X509Certificate =  ObjectClrNew( 'System.Security.Cryptography.X509Certificates.X509Certificate' )

What did I do wrong?
FYI I use WinBatch 2013B version.

Thanks Deana for any help.

td

The class implementation is in a different assembly so
Code (winbatch):

ObjectClrOption("use", "System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
X509Certificate2 =  ObjectClrNew( 'System.Security.Cryptography.X509Certificates.X509Certificate2' )
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

hienpham

Thanks so much TD for your help. It really works.
But after that I have a problem with the next command.
My goal is to translate the following PowerShell script (that works correctly) to a WinBatch script (this one is just a short section of a long script)
=================
PS U:\> $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
PS U:\> $certPrint.import('d:\abcd.der')
PS U:\> $certprint.thumbprint
228EEE8099917D29735DF6B0B254AD79866D266E
=================
; with the following WinBatch
ObjectClrOption("use", "System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
X509Certi2 =  ObjectClrNew( 'System.Security.Cryptography.X509Certificates.X509Certificate2' )
cert2 = X509Certi2.import('d:\abcd.der');
thumb = cert2.Thumbprint
===================
at the command: 
       cert2 = X509Certi2.import('d:\abcd.der');
I got Error 1258: OLE: Unknown name
But Import method is legal
(http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.import.aspx)

What did I miss? Is the way I try to get the thumbprint valid with WinBatch?

Thanks again for your help.

Deana

I suspect you need to uppercase the I in import. (http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.import.aspx)
 
Code (winbatch):
cert2 = X509Certi2.Import('...

The WinBatch code would look something like this:

Code (winbatch):

derfile = 'd:\abcd.der'
ObjectClrOption("use", "System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
X509Certi2 =  ObjectClrNew( 'System.Security.Cryptography.X509Certificates.X509Certificate2' )
If FileExist(derfile )
   X509Certi2.Import(derfile)
   thumb = X509Certi2.Thumbprint
   Pause('Thumbprint', thumb)
Endif
Exit
Deana F.
Technical Support
Wilson WindowWare Inc.

hienpham

I really don't know how to thank you Dean.
Your code works perfectly!  :)

If, instead of extracting the thumbprint from an external cert file, we want to get it from Active Directory, can we somehow, as with CERTUTIL, provide a path that has the following format:
"ldap:///CN=aaa\, bbb,OU=A1Users,OU=OrangeCounty,OU=AMER,OU=Regions,DC=zzz,DC=xxx,DC=com?usercertificate?base?objectclass=user"

I tried:
X509Certi2.Import('ldap:///CN=aaa\, bbb,OU=A1Users,OU=OrangeCounty,OU=AMER,OU=Regions,DC=zzz,DC=xxx,DC=com?usercertificate?base?objectclass=user')
and
X509Certi2.Import('ldap:///CN=aaa\, bbb,OU=A1Users,OU=OrangeCounty,OU=AMER,OU=Regions,DC=zzz,DC=xxx,DC=com')
In both cases I got Error 1298: Ole: Error code not recognized

CertUtil does not provide the thumbprint --- at least I could not find it.

Thanks again Deana for your very precious help.

Deana

Not sure. Maybe using COM. The code might look something like this:

Code (winbatch):
objUserTemplate = ObjectGet("LDAP://cn=Sample,OU=Management,dc=NA,dc=fabrikam,dc=com") ;!!! MODIFY TO FIT YOUR NEEDS
arrUserCertificates = objUserTemplate.GetEx("userCertificate")

Deana F.
Technical Support
Wilson WindowWare Inc.

td

Quote from: hienpham on October 25, 2013, 02:30:38 PM
I really don't know how to thank you Dean.
Your code works perfectly!  :)

If, instead of extracting the thumbprint from an external cert file, we want to get it from Active Directory, can we somehow, as with CERTUTIL, provide a path that has the following format:
"ldap:///CN=aaa\, bbb,OU=A1Users,OU=OrangeCounty,OU=AMER,OU=Regions,DC=zzz,DC=xxx,DC=com?usercertificate?base?objectclass=user"

I tried:
X509Certi2.Import('ldap:///CN=aaa\, bbb,OU=A1Users,OU=OrangeCounty,OU=AMER,OU=Regions,DC=zzz,DC=xxx,DC=com?usercertificate?base?objectclass=user')
and
X509Certi2.Import('ldap:///CN=aaa\, bbb,OU=A1Users,OU=OrangeCounty,OU=AMER,OU=Regions,DC=zzz,DC=xxx,DC=com')
In both cases I got Error 1298: Ole: Error code not recognized

CertUtil does not provide the thumbprint --- at least I could not find it.

Thanks again Deana for your very precious help.

Putting it all together: you get the following
Code (winbatch):

; Get a user certificate using one of our test server VMs.
strUserPath = "LDAP://shamrock/CN=Bob Smith,CN=Users,DC=jclass,DC=org"

; Get the certificate from a AD test user account.
objLdap = GetObject("LDAP:")
objUser = objLdap.OpenDSObject(strUserPath, "shamrock\GuessWho","*TopSecret*", 1)
; Or the following when credentials not required.
;;; objUser = ObjectGet(strUserPath)
aCert   = objUser.Get("userCertificate")  ; Returns a byte array.

; Get an instance of our Handy-dandy FCL class.
ObjectClrOption("use", "System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
objCert2 =  ObjectClrNew( 'System.Security.Cryptography.X509Certificates.X509Certificate2' )

; Overloaded method accepts byte array as parameter.
objCert2.Import(aCert)
strThumb = objCert2.Thumbprint

Pause('Certificate Thumbprint', strThumb)
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade
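The Thumbprint property read back in the WinBatch and PowerShell snippets above is the uppercase hex SHA-1 of the certificate's DER encoding, which is why Import accepts a DER file or the raw userCertificate byte array from AD but not an LDAP locator string. The following Python is an added example (not code from the thread, WinBatch or .NET) that reproduces that computation and also accepts PEM input, as Import does; the certificate bytes are a constructed stand-in shaped like DER, not a real certificate.

```python
"""Compute an X.509 thumbprint the way X509Certificate2.Thumbprint reports it:
SHA-1 over the DER bytes, rendered as uppercase hex."""
import base64
import hashlib
import re

# Constructed stand-in for a DER certificate: an outer ASN.1 SEQUENCE (0x30)
# of 12 content bytes. Only the hashing behaviour matters for this example;
# a real parser would reject it as a certificate.
FAKE_DER = b"\x30\x0c" + b"\x02\x01\x01" + b"\x04\x07thumbed"

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(text: bytes) -> bytes:
    """Strip PEM armour and base64-decode the body; raises if no block is found."""
    match = _PEM_BLOCK.search(text)
    if not match:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode(b"".join(match.group(1).split()))


def to_der(blob: bytes) -> bytes:
    """Accept DER or PEM bytes (file contents or an LDAP userCertificate value)
    and return the DER encoding that the thumbprint must be computed over."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        return pem_to_der(blob)
    if not blob.startswith(b"\x30"):
        raise ValueError("not an ASN.1 SEQUENCE; this is not a DER certificate")
    return blob


def thumbprint(blob: bytes) -> str:
    """Uppercase hex SHA-1 of the DER bytes, matching X509Certificate2.Thumbprint."""
    return hashlib.sha1(to_der(blob)).hexdigest().upper()


def is_certificate_blob(blob: bytes) -> bool:
    """True when the bytes are something thumbprint() can hash (DER or PEM)."""
    try:
        to_der(blob)
        return True
    except ValueError:
        return False


def as_pem(der: bytes) -> bytes:
    """Wrap DER in PEM armour (76-column base64) to show both forms hash the same."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + \
        b"-----END CERTIFICATE-----\n"
```

Hashing the PEM text itself rather than its decoded DER is the classic mistake here; the two forms give the same thumbprint only after the base64 armour is stripped.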

hienpham

Thanks TD, Your script works perfectly well. It's exactly what we need.
I have to learn more about using the ObjectClr set of commands.

Thanks again TD and Deana.