
Decrypt my World

Cryptography, Security, Debugging and more!
CAPICOM support on Windows Vista

I know there has been a lot of confusion about this, because some articles on the web (e.g. on MSDN) say CAPICOM is not supported on Vista, while others say it is.

I have good news for you people, especially for those who want to do cryptographic operations from scripting: CAPICOM is officially supported on Vista, but only version 2.1.0.2.

This version can be downloaded from here:

Platform SDK Redistributable: CAPICOM
http://www.microsoft.com/downloads/details.aspx?FamilyID=860ee43a-a843-462f-abb5-ff88ea5896f6&DisplayLang=en

(Note: at the time of this writing, this article DOES NOT say that CAPICOM is supported on Vista).

This new version of CAPICOM was released, among other reasons, because of a security update on CAPICOM:

Security Update for CAPICOM (KB931906)
http://www.microsoft.com/downloads/details.aspx?FamilyId=CA930018-4A66-4DA6-A6C5-206DF13AF316&displaylang=en

(Note: this article DOES say that CAPICOM is supported on Vista)

If we try to use version 2.1.0.1 on Vista, for instance with a small .NET sample which uses the CAPICOM interop assembly like the following:
"
using CAPICOM; // interop assembly generated from capicom.dll

// Open the smart card user store with read/write access
StoreClass store = new StoreClass();
store.Open(CAPICOM_STORE_LOCATION.CAPICOM_SMART_CARD_USER_STORE, null, CAPICOM_STORE_OPEN_MODE.CAPICOM_STORE_OPEN_READ_WRITE);
"
it will throw the following exception:
"
System.Runtime.InteropServices.COMException (0x80880900): Exception from HRESULT: 0x80880900
"
which, looked up in capicom.h, means:
"
# for hex 0x80880900 / decimal -2138568448
  CAPICOM_E_NOT_SUPPORTED                                        capicom.h
"

Anyway, my recommendation is to use .NET Framework classes instead of CAPICOM whenever possible.
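As an added illustration of that recommendation (this is not code from the post or from CAPICOM): the .NET equivalents of the CAPICOM Store and SignedData objects, which is what the store and signing scenarios discussed here typically need. It assumes a reference to System.Security.dll for the System.Security.Cryptography.Pkcs namespace, and a certificate with a private key in the current user's Personal store whose subject contains the placeholder string PLACEHOLDER_SUBJECT.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;
// Added example (not from the post): X509Store + SignedCms in place of CAPICOM's Store and SignedData.
class CapicomReplacement
{
    // Open the current user's Personal store read-only (no elevation needed) and return
    // the first valid certificate matching the subject fragment that also has a private key.
    static X509Certificate2 FindSigningCertificate(string subjectFragment)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectFragment, true);
            foreach (X509Certificate2 cert in found)
                if (cert.HasPrivateKey) return cert;
            return null;
        }
        finally { store.Close(); }
    }
    // Detached PKCS#7/CMS signature over data, the equivalent of SignedData.Sign.
    static byte[] SignDetached(byte[] data, X509Certificate2 signer)
    {
        SignedCms cms = new SignedCms(new ContentInfo(data), true);
        cms.ComputeSignature(new CmsSigner(signer));
        return cms.Encode();
    }
    // Verify the signature and the signer's chain against the data, the equivalent of SignedData.Verify.
    static bool VerifyDetached(byte[] data, byte[] signature)
    {
        SignedCms cms = new SignedCms(new ContentInfo(data), true);
        cms.Decode(signature);
        try { cms.CheckSignature(false); return true; }
        catch (CryptographicException) { return false; }
    }
    static void Main()
    {
        // PLACEHOLDER_SUBJECT is an assumed subject name; replace it with a real one.
        X509Certificate2 signer = FindSigningCertificate("PLACEHOLDER_SUBJECT");
        if (signer == null) { Console.WriteLine("No usable signing certificate found."); return; }
        byte[] data = Encoding.UTF8.GetBytes("form data to sign"); // constructed sample input
        byte[] sig = SignDetached(data, signer);
        Console.WriteLine("Signature valid: " + VerifyDetached(data, sig));
    }
}
```

X509Store.Open with OpenFlags.ReadOnly is also the setting to prefer over a read/write open when the code will run as a standard user, since only the write case requires rights the user may not have.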

I hope this helps.

Cheers,

Alex (Alejandro Campos Magencio)

Posted: Friday, October 19, 2007 8:47 AM by alejacma

Comments

Christopher Painter said:

I'm writing an MSI that needs to install a certificate to the root local machine store.  I planned on using CAPICOM.Store Open and Load methods but the lack of the COM server on Vista led me to your blog.

My application already has a dependency on .NET 3.5.  Do you recommend redistributing the CAPICOM component or do you recommend using managed code to perform the certificate installation?

If your advice is the latter, which .NET Framework class is equivalent?  I'm sorry but I don't know my way around the BCL that well, although once I find what I'm looking for I know how to take it from there.

# January 22, 2008 10:36 PM

alejacma said:

Sorry for the late response. Too busy these days. I will always recommend to use .NET instead of CAPICOM. X509Store (http://msdn2.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509store.aspx) would be the class you are seeking.

I hope this helps.

Regards,

Alex

# February 7, 2008 10:58 AM

colin said:

Not everyone has the .NET Framework installed, and I must sign data on the client. How do I do that?

# November 24, 2008 1:47 AM

Mark said:

Hi,

I wonder if anyone can help me.

Recently, a Vista machine running a VB6 application as Standard User failed to start up and there seems to be an error related to the capicom dll (note: on my development machine it works fine with UAC turned on).

The application on this Vista machine uses CAPICOM to verify the digital signature of a dll before loading the application.  However, when running the VB6 application elevated with Admin privileges the application loads successfully.

I don't know why, but maybe it is because of the standard/admin user token. Do you have any suggestions why it works if I elevate privileges?

# June 4, 2009 6:27 AM

alejacma said:

Sorry, but there is not enough info to know what's going on. You may use Process Explorer tool (you can download it for free from our web) to monitor the application and see if any access to the file system or registry returns Access Denied error. Maybe the standard user has no access to the file storing the signing keys...

# June 4, 2009 8:30 AM

Hari said:

Hi,

I have a web application in which I use capicom to sign HTML form data on client side using digital certificates installed on the client machine. How can I achieve same functionality with .NET code if I have to avoid using CAPICOM? Essentially is it possible to run classes in pkcs name space of .NET on client side from within browser? If yes, any samples for invoking .NET functionality on client from within a web application is very helpful.

Regards,

Hari

# June 8, 2009 8:10 AM