1

Is it possible to sign digitally from a Windows service? The same code that works from a console application does not work from a Windows service.

I get the following error when I attempt to sign digitally:

System.InvalidOperationException: The current session is not interactive. at System.Security.Cryptography.CAPI.CryptUIDlgSelectCertificateW(CRYPTUI_SELECTCERTIFICATE_STRUCTW csc) at System.Security.Cryptography.X509Certificates.X509Certificate2UI.SelectFromStore(SafeCertStoreHandle safeSourceStoreHandle, String title, String message, X509SelectionFlag selectionFlags, IntPtr hwndParent) at System.Security.Cryptography.X509Certificates.X509Certificate2UI.SelectFromCollectionHelper(X509Certificate2Collection certificates, String title, String message, X509SelectionFlag selectionFlag, IntPtr hwndParent) at System.Security.Cryptography.X509Certificates.X509Certificate2UI.SelectFromCollection(X509Certificate2Collection certificates, String title, String message, X509SelectionFlag selectionFlag)

It seems that a Windows service cannot invoke the GUI that offers a list of certificates to choose from, or the window for the PIN? The service runs as LocalSystem, which is an admin account. I also added an app.manifest with the following settings:

<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

Is it possible to use a Windows service for this functionality?

nemke
  • 2,440
  • 3
  • 37
  • 57

2 Answers

1

You might want to enable Interactive Services Detection (service name is UI0Detect).

Interactive Services Detection

This service will enable you to open dialog windows in the special session 0. It has worked since Vista. A window will pop up to inform you (the currently logged-on user) that a service needs desktop interaction (i.e. to input the PIN for access to the private key).

You can read more information about session 0 and Interactive Services Detection here.

pepo
  • 8,644
  • 2
  • 27
  • 42
  • Hm, I'll try that. I started porting the Windows service to a formless systray app. But curiosity mode is on :) – nemke Oct 09 '15 at 10:46
  • Well, first I solved this issue on my Win10 with http://blogs.technet.com/b/home_is_where_i_lay_my_head/archive/2012/10/09/windows-8-interactive-services-detection-error-1-incorrect-function.aspx. Then the message is shown, but it blocks my keyboard and mouse, and the background is blank. Also, it could not find the certificate, and the GUI showed "no certificate found". I think that I will drop Windows service development in favor of a formless application. – nemke Oct 09 '15 at 11:54
  • 1
    I didn't have problems with it. But it was Windows 2008 then, and we dropped the concept of session 0 too in favor of the service start parameters option. – pepo Oct 09 '15 at 12:33
0

The method you are using pops up a dialog to allow you to view and select certificates to use. A service cannot usually have a user interface (since services run outside of an interactive user session). I believe you can have interactive services, but I wouldn't recommend it in this case. Use another way of selecting the certificate, perhaps based on the thumbprint of the required certificate, e.g. How to get X509Certificate from certificate store and generate xml signature data?

Community
  • 1
  • 1
Ananke
  • 1,250
  • 9
  • 11
  • The problem is that the user needs to choose a certificate and sign with the private key on a smart card. I don't know in advance which certificate will be used. Also, when signing with the private key, there is also a Windows pop-up dialog for key entry. – nemke Oct 07 '15 at 14:03
  • What's the motivation for running the application as a service? – Ananke Oct 07 '15 at 14:07
  • It's an HttpListener in a Windows service which listens on a specific localhost port and enables digital signatures with a personal electronic ID from a public web site. – nemke Oct 07 '15 at 14:09
  • Then it doesn't sound like it makes sense to call a method that pops up a dialog locally. The remote user won't be able to see it anyway. – Ananke Oct 07 '15 at 14:11
  • Of course he will, because he will first install the Windows service before he can use the site. It is a specific web site and it requires prerequisites. Here is a proof of concept: http://www.omatpysakit.fi/tester/HTML5-and-Digital-Signatures-2014-10-13.pdf and https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr03124/index_htm.html – nemke Oct 07 '15 at 14:13
  • So during installation run an application that allows the user to add or select a certificate. Store the thumbprint in the app.config (I don't have the full requirements so some speculation here), and select that certificate from the store in the way I suggested. – Ananke Oct 07 '15 at 14:16
  • No, it must be used by multiple users and multiple cards. You cannot save the thumbprint; you can't even read the certificate from some cards. I must use the private key during the signature process. Never mind, I'll find another way. – nemke Oct 07 '15 at 14:33
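The non-interactive alternative Ananke's answer points at (select the certificate by thumbprint from the store, then sign with its private key, with no X509Certificate2UI call at all), written out as an added example; it is not code from this thread, and the thumbprint constant, store location and method names are assumptions. As nemke's comments note, it does not help when the private key lives on a smart card whose CSP still has to prompt for a PIN: that prompt is itself UI and cannot be shown from session 0.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: certificate selection without any dialog, so it can run under a service.
static class NonInteractiveSigner
{
    // Hypothetical value; in a real service read it from configuration, never hard-code it.
    public const string ConfiguredThumbprint = "<THUMBPRINT-FROM-CONFIG>";

    public static X509Certificate2 FindByThumbprint(string thumbprint, StoreLocation location)
    {
        // A service running as LocalSystem sees LocalMachine\My, not the user's CurrentUser\My,
        // which is a common reason for "no certificate found" under a service.
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            // Thumbprints copied from certmgr.msc often carry spaces and lower case.
            string clean = thumbprint.Replace(" ", string.Empty).ToUpperInvariant();
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, clean, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Certificate not found in " + location + "\\My");
            return matches[0];
        }
    }

    // Signs data with the certificate's RSA private key (SHA-256, PKCS#1 v1.5).
    // For a smart-card key this is the point where the CSP may prompt for a PIN.
    public static byte[] SignSha256(X509Certificate2 cert, byte[] data)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key");
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null)
                throw new InvalidOperationException("Private key is not RSA");
            return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    // Verification needs only the public key, so it never triggers a prompt.
    public static bool VerifySha256(X509Certificate2 cert, byte[] data, byte[] signature)
    {
        using (RSA rsa = cert.GetRSAPublicKey())
        {
            return rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }
}
```

Usage from the service would be `SignSha256(FindByThumbprint(ConfiguredThumbprint, StoreLocation.LocalMachine), payload)`; `GetRSAPrivateKey` requires .NET Framework 4.6 or later.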