Hi all,
The other day a customer of mine got this exception when trying to use SHA-2 algorithms with the SignedCms class in their .NET 3.5 application:
Exception type: System.Security.Cryptography.CryptographicException
Message: An internal error occurred.
They got the exception on Windows Vista SP2/Windows Server 2008 SP2 and later versions when using a third-party CSP. Why?
The SignedCms class uses CAPI2 (the CryptMsg* API) behind the scenes, and CAPI2 requires a CNG provider for any hash algorithm that is not on the list given in the CryptFindOIDInfo documentation:
"Hash Algorithms:
CALG_SHA1
CALG_MD5
CALG_MD4
CALG_MD2
Algorithms that are not listed are supported by using Cryptography API: Next Generation (CNG) only;"
In the customer's scenario, the third-party CSP was a legacy CSP, not a CNG provider.
Summing up, if you want to work with SHA-2 algorithms such as SHA256, SHA384 and SHA512 through CryptMsg*, you will need a CNG provider.
Now, I will post about this in greater detail soon, but the SignedCms class doesn't support CNG. So basically, we cannot use SHA-2 algorithms with that class under this scenario.
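The following is an added example, not code from the original post: it reproduces the scenario above in a small .NET 3.5 console program, signing a constructed payload with SignedCms and a SHA-256 digest, catching the CryptographicException, and printing which CSP holds the signing key so you can tell a legacy CSP from a Microsoft one before opening a support case. The thumbprint is a placeholder (assumption: the test certificate with its private key is in the CurrentUser\My store), and the SHA-256 OID is the standard NIST value.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (not from the original post): sign with SignedCms + SHA-256 and
// report which CSP the signing key is bound to when the call fails.
class Sha2SignedCmsCheck
{
    // Placeholder thumbprint (assumption): replace with the thumbprint of a
    // certificate whose private key lives in the CSP you want to test.
    const string Thumbprint = "0000000000000000000000000000000000000000";

    // Standard OID for the SHA-256 digest algorithm (CmsSigner wants the
    // digest OID, not the signature-algorithm OID).
    const string Sha256Oid = "2.16.840.1.101.3.4.2.1";

    static void Main()
    {
        X509Certificate2 cert = FindCert(Thumbprint);
        if (cert == null) { Console.WriteLine("Certificate not found."); return; }

        DescribeKeyProvider(cert);

        // Constructed sample content; any bytes will do.
        byte[] payload = Encoding.UTF8.GetBytes("constructed sample payload");
        try
        {
            byte[] cms = SignDetached(cert, payload, Sha256Oid);
            Console.WriteLine("Signed OK, {0} bytes of CMS.", cms.Length);
        }
        catch (CryptographicException ex)
        {
            // With a legacy third-party CSP this is where
            // "An internal error occurred" shows up.
            Console.WriteLine("SignedCms.ComputeSignature failed: {0}", ex.Message);
        }
    }

    static X509Certificate2 FindCert(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count > 0 ? found[0] : null;
        }
        finally { store.Close(); }
    }

    // Builds a detached CMS/PKCS#7 signature over 'content' with the given digest OID.
    static byte[] SignDetached(X509Certificate2 cert, byte[] content, string digestOid)
    {
        ContentInfo contentInfo = new ContentInfo(content);
        SignedCms signedCms = new SignedCms(contentInfo, true); // detached = true
        CmsSigner signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, cert);
        signer.DigestAlgorithm = new Oid(digestOid);
        signedCms.ComputeSignature(signer, true);                // silent = true
        return signedCms.Encode();
    }

    // Prints the CSP name/type that holds the private key. On .NET 3.5,
    // X509Certificate2.PrivateKey goes through CAPI, so a key held only by a
    // CNG key storage provider cannot be opened this way and throws instead.
    static void DescribeKeyProvider(X509Certificate2 cert)
    {
        try
        {
            RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null) { Console.WriteLine("Private key is not an RSA CSP key."); return; }
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            Console.WriteLine("Key provider: {0} (type {1}), hardware: {2}",
                info.ProviderName, info.ProviderType, info.HardwareDevice);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Could not open private key via CAPI: {0}", ex.Message);
        }
    }
}
```

Run it once against a certificate whose key is in a Microsoft CSP and once against the third-party CSP: the provider name printed by DescribeKeyProvider is the quickest way to confirm which CSP CryptMsg* will end up using for the signature, and the catch block around ComputeSignature is where the "An internal error occurred" exception from the post surfaces.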
I hope this helps.
Regards,
Alex (Alejandro Campos Magencio)
Comments
- Anonymous, June 16, 2010
The comment has been removed
- Anonymous, June 16, 2010
Hi David, are you using a legacy CSP or a CNG provider? I guess you are using a legacy CSP. In that case, and as I said in the post, CryptMsg* only supports SHA-2 with CNG providers, and your CSP won't work even if it implements SHA-2 algorithms. If you need more info or to confirm this officially by debugging the CryptoAPI, etc., I suggest you open a case with us, Microsoft Technical Support. Regards, Alex
- Anonymous, June 16, 2010
The comment has been removed
- Anonymous, June 16, 2010
David, the CryptMsg* API requires a CNG provider on Vista and later when using SHA-2. So you won't be able to use your self-developed legacy CSP. When using SHA-2, CryptMsgUpdate ends up calling NCryptOpenStorageProvider to access a CNG provider, and that function returns "An internal error occurred" for third-party legacy CSPs.
- Anonymous, August 01, 2012
I believe there is a typo bug in CAPIBase:
internal const string szOID_OIWSEC_SHA256 = "2.16.840.1.101.3.4.1";
internal const string szOID_OIWSEC_SHA384 = "2.16.840.1.101.3.4.2";
internal const string szOID_OIWSEC_SHA512 = "2.16.840.1.101.3.4.3";
Other discussion on this topic is here: social.msdn.microsoft.com/.../0cc90bdd-35f9-4a7d-8025-89f7ea9f9704
- Anonymous, December 21, 2014
This problem is still there, but the question is that also when using a minidriver called by the "Microsoft Base Smart Card Crypto Provider", an MS provider that should support CNG too, there is the same problem. The only CSPs that are working fine with SHA256 when called by CryptMsg* functions are the classic/software-only CSPs "Microsoft Enhanced Cryptographic Provider v1.0", etc.