date: Thu, 22 May 2008 00:24:27 -0700,
group: microsoft.public.platformsdk.security
CryptSignHash with SHA2, hash size and OID
Hi,
I want to sign hashed data using a smart card CSP with SHA2 (SHA-256).
What I do is CryptCreateHash, set the data using CryptSetHashParam and sign
this with CryptSignHash. The data is hashed somewhere else and the OID is also
added, so I do not need the CSP to hash the data and add the OID. CryptSignHash has a
flag, CRYPT_NOHASHOID, used to keep the OID from being added to the hash before
signing. However, MSDN says that SHA2 is not supported in Windows XP,
so it won't create a hash object if the ALG_ID passed is SHA256. In my scenario the CSP
has nothing to do with the algorithm ID, so what I need is to set the size of the
hash. This is because if I try passing SHA1 in CryptCreateHash and set a SHA2 hash
(or SHA1 with OID), the CSP truncates the hash to 20 bytes, making the signature
invalid. What I expected was that if the user passes CRYPT_NOHASHOID, then he will
add the OID to the hash, so the hash size becomes 35 bytes (in the case of SHA1). But this
is not the case. I searched everything, but CryptSetHashParam does not have a
hash size param, and there is no way to sign an arbitrary length of signature in
CryptSignHash. If there were a way to hash data with one CSP and sign this
hash with another, maybe it could be possible by writing a custom CSP.
But there isn't, is there?
I wonder if anybody has signed SHA2 with a smart card CSP, or signed a hash with the OID
already added.
Thanks.
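The size mismatch described in the post (a 20-byte SHA-1 hash object, a 35-byte SHA-1 DigestInfo, CRYPT_NOHASHOID), worked through as an added example that is not from the thread: it builds the PKCS#1 v1.5 DigestInfo a CSP prepends to the hash value, models a fixed-size CSP hash object, and shows why truncation yields a value no verifier will accept. FixedSizeHashObject and demo are hypothetical names constructed for this illustration; the DER prefixes are the ones from RFC 8017.

```python
"""PKCS#1 v1.5 DigestInfo and a model of a fixed-size CSP hash object.
Added example, not from the thread; standard library only. Prefixes are the
DER AlgorithmIdentifier encodings listed in RFC 8017, section 9.2, note 1."""
import hashlib

# prefix || raw digest == DER DigestInfo (what CryptSignHash prepends unless CRYPT_NOHASHOID)
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),            # 15 bytes
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),  # 19 bytes
}

def digest_info(alg: str, data: bytes) -> bytes:
    """DigestInfo = prefix || Hash(data): 35 bytes for SHA-1, 51 for SHA-256."""
    return DIGEST_INFO_PREFIX[alg] + hashlib.new(alg, data).digest()

def parse_digest_info(t: bytes):
    """Verifier side: (alg, digest) from T, or None if malformed. The last prefix
    byte is the OCTET STRING length, i.e. the digest size the structure promises."""
    for alg, prefix in DIGEST_INFO_PREFIX.items():
        if t.startswith(prefix) and len(t) == len(prefix) + prefix[-1]:
            return alg, t[len(prefix):]
    return None

class FixedSizeHashObject:
    """Hypothetical model of a CSP hash object from CryptCreateHash(alg): its value
    slot is exactly the digest size, so a longer HP_HASHVAL buffer is cut off."""
    def __init__(self, alg: str):
        self.alg, self.size, self.value = alg, hashlib.new(alg).digest_size, b""

    def set_hash_val(self, value: bytes) -> None:     # CryptSetHashParam(HP_HASHVAL)
        self.value = value[: self.size]

    def sign_input(self, no_hash_oid: bool) -> bytes:
        """T handed to the RSA primitive: raw value with CRYPT_NOHASHOID, else DigestInfo."""
        return self.value if no_hash_oid else DIGEST_INFO_PREFIX[self.alg] + self.value

def demo(msg: bytes = b"constructed sample message") -> dict:
    """A SHA-256-capable object versus the SHA-1 workarounds described in the post."""
    want = digest_info("sha256", msg)
    ok = FixedSizeHashObject("sha256")              # CSP that does support SHA-256
    ok.set_hash_val(hashlib.sha256(msg).digest())
    h = FixedSizeHashObject("sha1")                 # SHA-1 object made to carry other data
    h.set_hash_val(hashlib.sha256(msg).digest())    # 32 bytes -> truncated to 20
    truncated = h.sign_input(no_hash_oid=True)
    h.set_hash_val(digest_info("sha1", msg))        # 35 bytes -> truncated to 20
    mangled = h.sign_input(no_hash_oid=True)
    return {
        "sha1_digestinfo_len": len(digest_info("sha1", msg)),
        "sha256_digestinfo_len": len(want),
        "sha256_object_ok": ok.sign_input(no_hash_oid=False) == want,
        "truncated_len": len(truncated),
        "truncated_parses": parse_digest_info(truncated) is not None,
        "mangled_parses": parse_digest_info(mangled) is not None,
    }
```

Only a hash object whose size matches the digest produces a DigestInfo a verifier can decode; both SHA-1 workarounds lose bytes before the RSA primitive ever sees them.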
date: Thu, 22 May 2008 00:24:27 -0700
author: fmg
RE: CryptSignHash with SHA2, hash size and OID
Hi,
Generally speaking, you can't force a CSP to use a hash of an unsupported
type, value or length. There is no such concept in a CSP as a generic hash
object where you can specify your own ID or digest length. In your case, if
the CSP you are using doesn't support SHA_256 as a hash algorithm, then there
is no possibility for you to sign a SHA_256 digest.
There are smart card CSPs that support SHA-256 on the market, so you should
look for one that fits your needs, or maybe you should ask your smart card
vendor for an updated version of their CSP. You can also develop your own CSP
or ask someone to do it for you. Another possibility is to use the Pkcs#11
library if it's provided by your smart card vendor. The Pkcs#11 interface is
more flexible and it enables you to perform more custom operations like
signing arbitrary data.
Just one thing: are you using the Microsoft Base Smart Card Crypto Provider?
In this case, there is no possibility to use SHA_256 under Windows XP even
with an update from the smart card vendor. Under this platform, you should
use the vendor CSP directly if it supports SHA-256, which is more likely.
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
date: Thu, 22 May 2008 03:33:00 -0700
author: Mounir IDRASSI am
RE: CryptSignHash with SHA2, hash size and OID
Hi,
Thanks for the quick response. Yes, I know that it is not easily possible to
sign with a hash algorithm that the card CSP does not support. I was just wondering
if there is a trick or another way that I missed.
You are right, I already did this one with Pkcs#11 on the Java platform, but in
.NET I wanted to use the native counterpart (CSP). What I wanted to do is a
general signing infrastructure that only signs whatever it gets (arbitrary data),
so looking for cards which support SHA_256 is not appropriate, because the user
may already have an incompatible card, and here in Turkey it seems that all
cards distributed by Qualified CAs have CSPs not supporting SHA_256.
Actually the card supports SHA_256 digest signing, but most probably the CSP
writer just delegated hashing calls to the MS CSP, and that one does not support it,
as you mentioned. If there were a solution I could develop a CSP (I did it
before), but I get provider handles with CryptAcquireCertificatePrivateKey,
so if I develop another CSP, this CSP must be registered for the certificates,
and again the problem is the same: how am I going to modify the hash algorithms?
Anyway, like you said, switching to Pkcs#11 seems the best choice for
signing arbitrary data. Do you know any open source (or free) Pkcs#11 wrapper
for .NET? As far as I googled, I could not come up with any candidate.
Thank you so much.
date: Thu, 22 May 2008 04:28:03 -0700
author: fmg
RE: CryptSignHash with SHA2, hash size and OID
Hi,
When I talked about developing a custom CSP, I was thinking about developing a
CSP based on the Pkcs#11 interface: this way, you don't have to interact
directly with the card at the APDU level or use the vendor CSP with its
limitations. I have already seen on the Internet open source implementations
of CSPs using the Pkcs#11 interface.
Concerning the .NET wrapper for Pkcs#11, I developed one a long time
ago. I'll try to find it and post a link to it for you to download.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
to reach : mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
date: Thu, 22 May 2008 05:50:01 -0700
author: Mounir IDRASSI am
RE: CryptSignHash with SHA2, hash size and OID
That'd be great, thank you!
date: Thu, 22 May 2008 23:01:01 -0700
author: fmg