Using RevertToSelf in DLL to be used from classic ASP webapplication

  • Thread starter Thread starter Marja Ribbers-de Vroed
  • Start date Start date
M

Marja Ribbers-de Vroed

Hi,

I've developed a COM DLL in Visual C++ to generate a digital signature based on a certificate read from a PFX file.
This DLL is used in a classic ASP webapplication to digitally sign a XML message before sending it to another party.

To process the PFX file I use the CryptoAPI function PFXImportCertStore, but RevertToSelf must be called prior to calling PFXImportCertStore, and the virtual directory's Application Protection option must be set to Low. Otherwise I receive the error "The system cannot find the file specified".

I understand that RevertToSelf will 'impersonate' the System Account which is undesirable from a security point of view.

What can I do to go back to the IUSR_ account again after generating the signature?
 
use OpenThreadToken to obtain the current token. if i understand you
correctly, the process is running as system, but that specific thread is
running as another user.
if that is true, the thread will have its own token which you will now have.

then you call RevertToSelf, which reverts to the original process token, do
whatever you need to do and call ImpersonateLoggedOnUser with the thread
token you obtained earlier to get back to the security status you originally
had before reverting.

i don't know if RevertToSelf will close the original thread token. if it
does, you should call DuplicateToken to create a duplicate or the thread
token before you revert, and then use the duplicate when calling
ImpersonateLoggedOnUser.

that should do it.

kind regards,
Bruno.

Hi,

I've developed a COM DLL in Visual C++ to generate a digital signature based
on a certificate read from a PFX file.
This DLL is used in a classic ASP webapplication to digitally sign a XML
message before sending it to another party.

To process the PFX file I use the CryptoAPI function PFXImportCertStore, but
RevertToSelf must be called prior to calling PFXImportCertStore, and the
virtual directory's Application Protection option must be set to Low.
Otherwise I receive the error "The system cannot find the file specified".

I understand that RevertToSelf will 'impersonate' the System Account which
is undesirable from a security point of view.

What can I do to go back to the IUSR_ account again after generating the
signature?
 
Back
Top