We are currently developing a custom KSP (Key Storage Provider) for remote RSA keys. We successfully developed a CSP (CryptoNG) and a KSP (CryptoNG) provider, and both work really fine for digital signatures and SSL on Outlook, Google Chrome, Microsoft Office, Java Applets and any other application that we have tested.
However, we are having problems with Internet Explorer 11 (latest version) when we try to use the certificate associated with our CSP/KSP for client SSL authentication. The certificate does appear; however, after selecting it the page just fails to load.
In the event log, there is the following event after the failure (sorry, the log message is in Portuguese, I can't find how to change the event log language settings, but the error codes should help anyway):
Log Name: System
Source: Schannel
Date: 05/01/2016 12:42:38
Event ID: 36870
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: CRISTIAN-PC
Description:
A fatal error occurred when attempting to access the SSL client credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10003.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
<EventID>36870</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2016-01-05T14:42:38.057891600Z" />
<EventRecordID>251108</EventRecordID>
<Correlation />
<Execution ProcessID="792" ThreadID="884" />
<Channel>System</Channel>
<Computer>CRISTIAN-PC</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Type">client</Data>
<Data Name="ErrorCode">0x8009030d</Data>
<Data Name="ErrorStatus">10003</Data>
</EventData>
</Event>
I've searched the internet and found many related problems with Microsoft provider key permission issues, mostly with answers for SERVER keys and not CLIENT keys; they have similar error codes but are not the same problem. Please note also that the problem is with a custom KSP, not the default Microsoft software implementations.
Some extra info that may be relevant:
1) The KSP should be writing some logs to the user folder just after it is loaded. But that does not seem to work; there are no logs. I'm not sure if it is not being loaded at all or just can't write to the file system. It should also read a config file from the same location.
2) The KSP shows dialogs and also uses the internet (web services). Maybe there is some IE restriction on that which I could not find any documentation about?
3) The KSP is signed with a Windows-recognized software signing certificate.
4) Remember that it works with any other software we have tried, including Microsoft ones. I'm also able to debug it using Visual Studio attached to other software, but it does not work on Internet Explorer.
If I can provide any more helpful info for this, ask me. Please do not post links to the same internet resources related to event ID 36870 and error code 0x8009030d; I've spent a lot of time looking at them before posting this, and the proposed solutions always involve permissions on the Microsoft provider folder (does not apply) or are related to server keys, not client keys. Links are appreciated if they add information that is not associated with those more common, but unrelated, issues.
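As an added diagnostic aid (this is editor-supplied example code, not part of the original post or the poster's KSP), the following PowerShell script does two things that help narrow down an event like the one above: it parses Schannel event 36870 records into their `ErrorCode` / `ErrorStatus` fields (the sample event embedded in the script is the one quoted in the post, with the Portuguese data value translated), and it enumerates the certificates with private keys in a store and reports which CSP/KSP each key resolves to and whether the key can actually be opened. Assumptions: Windows with PowerShell 5.1 / .NET 4.6 or later, the client certificate lives in `Cert:\CurrentUser\My` (change `$StorePath` otherwise), and the script is run as the same user who uses Internet Explorer. Note that the key-access check runs in PowerShell's own process, so it only shows whether the key is reachable for this user from this process, not from `iexplore.exe` itself.

```powershell
# Added example (not from the original post). Assumes Windows, PowerShell 5.1 /
# .NET 4.6+, and that the client certificate is in Cert:\CurrentUser\My.

# Sample event copied from the post above (data value translated to English).
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
    <EventID>36870</EventID>
    <TimeCreated SystemTime="2016-01-05T14:42:38.057891600Z" />
    <Execution ProcessID="792" ThreadID="884" />
    <Channel>System</Channel>
  </System>
  <EventData>
    <Data Name="Type">client</Data>
    <Data Name="ErrorCode">0x8009030d</Data>
    <Data Name="ErrorStatus">10003</Data>
  </EventData>
</Event>
'@

# Turn one or more Schannel 36870 event XML documents into flat objects.
function Get-SchannelKeyErrors {
    param([Parameter(Mandatory)][xml[]]$Events)
    foreach ($evt in $Events) {
        $sys  = $evt.Event.System
        $data = @{}
        foreach ($d in $evt.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $sys.TimeCreated.SystemTime
            EventId     = [int]$sys.EventID
            ProcessId   = [int]$sys.Execution.ProcessID   # the lsass/schannel process, not IE
            Type        = $data['Type']                   # "client" or "server" credential
            ErrorCode   = $data['ErrorCode']              # HRESULT returned by the crypto module
            ErrorStatus = [int]$data['ErrorStatus']       # Schannel internal error state
        }
    }
}

# Same parsing, but against the live System log (most recent events first).
function Get-LiveSchannelKeyErrors {
    param([int]$MaxEvents = 20)
    $raw = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36870 } `
                        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if ($raw) { Get-SchannelKeyErrors -Events ($raw | ForEach-Object { [xml]$_.ToXml() }) }
}

# For every certificate with a private key, report the provider the key is bound
# to and whether opening the key succeeds from this process.
function Test-ClientCertKeyAccess {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $provider = $null
        $status   = 'ok'
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $provider = $rsa.Key.Provider.Provider             # CNG key: KSP name
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider = $rsa.CspKeyContainerInfo.ProviderName  # CryptoAPI key: CSP name
            } elseif ($null -eq $rsa) {
                $status = 'no RSA private key'
            }
        } catch {
            $status = $_.Exception.Message                         # e.g. provider failed to open the key
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            Status     = $status
        }
    }
}

# Usage: parse the embedded sample, then look at the live log and the cert store.
Get-SchannelKeyErrors -Events ([xml]$SampleEvent) | Format-List
Get-LiveSchannelKeyErrors | Format-Table -AutoSize
Test-ClientCertKeyAccess  | Format-Table -AutoSize
```

For the embedded sample, `Get-SchannelKeyErrors` yields `Type = client`, `ErrorCode = 0x8009030d` and `ErrorStatus = 10003`, matching the post. Comparing the `Provider` column from `Test-ClientCertKeyAccess` against the KSP name you registered confirms that the certificate really is bound to the custom provider rather than to a Microsoft one, and a non-`ok` `Status` shows the exception text the provider returns when the key cannot be opened for this user.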