Windows CryptoAPI: CryptSignHash with CALG_SHA_256 and private key from MY keystore

I am trying to create digital signatures on Windows (with XP SP3, but I'm currently testing with Windows 7) with CryptoAPI, which will be compatible with the following openssl commands:

openssl dgst -sha256 -sign <parameters> (for signing)
openssl dgst -sha256 -verify <parameters> (for validation)

I want to use the private key from the MY keystore for Windows.

I managed to sign the files using the SHA1 digest algorithm, using the following CryptoAPI functions (omitting the parameters for brevity):

CertOpenStore
CertFindCertificateInStore
CryptAcquireCertificatePrivateKey
CryptCreateHash (with CALG_SHA1)
CryptHashData
CryptSignHash

The generated signature is compatible with "openssl dgst -sha1 -verify" (once the byte order is reversed).

Unfortunately, when I use CALG_SHA_256 in CryptCreateHash, the call fails with 80090008 (NTE_BAD_ALGID). After some googling I found that a different provider (PROV_RSA_AES) is needed, and that CryptGetUserKey should be used instead of CryptAcquireCertificatePrivateKey. So I tried the following sequence:

CryptAcquireContext (with PROV_RSA_AES)
CertOpenStore
CertFindCertificateInStore
CryptGetUserKey
CryptCreateHash (with CALG_SHA256)
CryptHashData
CryptSignHash

Unfortunately, with this approach I get these errors: CryptGetUserKey fails with 8009000D (NTE_NO_KEY). If I leave CryptGetUserKey out, CryptSignHash fails with 80090016 (NTE_BAD_KEYSET). I am sure the key is correctly imported into the store, since signing with SHA1 works.

I also tried omitting CertFindCertificateInStore: in that case CryptGetUserKey succeeds, but CryptSignHash still fails with the same error.

I thought the key length (2048 bits) might have something to do with it, but I found no reference to that, and signing with SHA1 works with the same key. Any help is appreciated!

+3
5

As far as I know, Windows keeps private keys in "key containers", and each container belongs to a particular provider. By default the key sits in a container of the Base provider (i.e. PROV_RSA_FULL), which does not support SHA-2, so to sign with SHA-256 you have to reach the key through a provider that does.

You can get the key container's details from the certificate (via CertGetCertificateContextProperty, e.g. with CERT_KEY_PROV_HANDLE_PROP_ID) and then open the same container with PROV_RSA_AES (the key container is the same; only the provider changes).

+1

80090008 - this is what you get when hashing with SHA256, SHA384 or SHA512 through a provider that does not support them; acquire the context with CryptAcquireContext(hProv, NULL, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, 0);

+8

I had the same problem. The solution is to get an HCRYPTPROV for the "Microsoft Enhanced RSA AES Cryptographic Provider", using

CryptAcquireContext(&hCryptProv, <keyContainerName>, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, CRYPT_SILENT)

With that hCryptProv you can hash with SHA2: 256, 384, 512.

The key container name comes from CertGetCertificateContextProperty() with CERT_KEY_PROV_INFO_PROP_ID, or from CryptGetProvParam() with PP_CONTAINER on an HCRYPTPROV (e.g. the one returned by CryptAcquireCertificatePrivateKey).

Hope this helps.

+2

Thanks, I got it working with CertGetCertificateContextProperty and CERT_KEY_PROV_INFO_PROP_ID, as you describe. In CryptAcquireContext I had to replace the provider type with PROV_RSA_AES.

"Microsoft Enhanced RSA AES Cryptographic Provider" is the provider name I used; it is the one supplied by Microsoft.
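The two answers above and the confirmation that follows describe one procedure: read the key's container from the certificate, reopen that container under the AES-capable provider, hash with CALG_SHA_256, sign, and fix the byte order for OpenSSL. Here it is as one added example (not code from the question or from any answer). Assumptions: the certificate is found by a subject substring, the input is a constructed string, the output file is sig.bin, and the exact provider string is the SDK constant MS_ENH_RSA_AES_PROV ("Microsoft Enhanced RSA and AES Cryptographic Provider"; on XP SP3 the name carries a "(Prototype)" suffix, MS_ENH_RSA_AES_PROV_XP). The CryptoAPI part compiles only on Windows (link crypt32), so it sits under _WIN32; the byte-reversal helper builds everywhere.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CryptSignHash returns the RSA signature as a little-endian integer; "openssl
 * dgst -verify" wants big-endian, so reverse it (the question's "byte order"
 * step). Portable on purpose: this part builds and is testable on any OS. */
void reverse_bytes(unsigned char *buf, size_t len)
{
    size_t i, j;
    for (i = 0, j = len; i + 1 < j; i++, j--) {
        unsigned char t = buf[i];
        buf[i] = buf[j - 1];
        buf[j - 1] = t;
    }
}

/* Self-check on constructed bytes: returns 1 when reversal is correct. */
int reverse_bytes_selftest(void)
{
    unsigned char buf[5] = { 0x01, 0x02, 0x03, 0x04, 0x05 };
    static const unsigned char want[5] = { 0x05, 0x04, 0x03, 0x02, 0x01 };
    reverse_bytes(buf, sizeof buf);
    return memcmp(buf, want, sizeof buf) == 0;
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "crypt32.lib")

/* Sign data with SHA-256 using the private key of the first CurrentUser\MY
 * certificate whose subject contains subject_substr (assumed lookup rule).
 * On success *sig_out is a malloc'd signature already in OpenSSL byte order. */
BOOL sign_sha256_from_my_store(const char *subject_substr, const BYTE *data,
                               DWORD data_len, BYTE **sig_out, DWORD *sig_len_out)
{
    BOOL ok = FALSE;
    HCERTSTORE store = NULL;
    PCCERT_CONTEXT cert = NULL;
    CRYPT_KEY_PROV_INFO *kpi = NULL;
    HCRYPTPROV prov = 0;
    HCRYPTHASH hash = 0;
    BYTE *sig = NULL;
    DWORD cb = 0, flags;
    store = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER, "MY");
    if (!store) goto done;
    cert = CertFindCertificateInStore(store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
                                      CERT_FIND_SUBJECT_STR_A, subject_substr, NULL);
    if (!cert) goto done;
    /* Which CSP/container holds the key? For a PFX-imported key this is usually the
     * legacy Enhanced provider (PROV_RSA_FULL), which has no SHA-2: using that handle
     * directly is what makes CryptCreateHash(CALG_SHA_256) fail with NTE_BAD_ALGID. */
    if (!CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, NULL, &cb)) goto done;
    kpi = (CRYPT_KEY_PROV_INFO *)malloc(cb);
    if (!kpi || !CertGetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, kpi, &cb)) goto done;
    if (kpi->dwProvType == 0 || !kpi->pwszContainerName) {
        SetLastError(NTE_BAD_PROV_TYPE); /* CNG (KSP) key: use NCrypt, not this CAPI path */
        goto done;
    }
    /* Reopen the SAME container under the AES-capable CSP; Microsoft's software RSA CSPs
     * share container storage, so nothing is re-imported. Keep the key's machine/user
     * scope, and fall back to the XP SP3 provider name ("... (Prototype)"). */
    flags = CRYPT_SILENT | (kpi->dwFlags & CRYPT_MACHINE_KEYSET);
    if (!CryptAcquireContextW(&prov, kpi->pwszContainerName, MS_ENH_RSA_AES_PROV_W, PROV_RSA_AES, flags) &&
        !CryptAcquireContextW(&prov, kpi->pwszContainerName, MS_ENH_RSA_AES_PROV_XP_W, PROV_RSA_AES, flags))
        goto done;
    if (!CryptCreateHash(prov, CALG_SHA_256, 0, 0, &hash)) goto done;
    if (!CryptHashData(hash, data, data_len, 0)) goto done;
    /* Size query first, then the signature; dwKeySpec (AT_SIGNATURE/AT_KEYEXCHANGE) is the cert's. */
    if (!CryptSignHash(hash, kpi->dwKeySpec, NULL, 0, NULL, &cb)) goto done;
    sig = (BYTE *)malloc(cb);
    if (!sig || !CryptSignHash(hash, kpi->dwKeySpec, NULL, 0, sig, &cb)) goto done;
    reverse_bytes(sig, cb); /* little-endian -> OpenSSL order */
    *sig_out = sig; *sig_len_out = cb; sig = NULL; ok = TRUE;
done:
    if (!ok) fprintf(stderr, "signing failed: 0x%08lx\n", (unsigned long)GetLastError());
    free(sig); free(kpi);
    if (hash) CryptDestroyHash(hash);
    if (prov) CryptReleaseContext(prov, 0);
    if (cert) CertFreeCertificateContext(cert);
    if (store) CertCloseStore(store, 0);
    return ok;
}

/* Usage: sign.exe "<subject substring>" writes sig.bin; with the same constructed bytes in
 * data.bin, check it anywhere: openssl dgst -sha256 -verify pub.pem -signature sig.bin data.bin */
int main(int argc, char **argv)
{
    const BYTE msg[] = "constructed sample input\n"; /* constructed input */
    BYTE *sig = NULL; DWORD sig_len = 0; FILE *f;
    if (!sign_sha256_from_my_store(argc > 1 ? argv[1] : "cryptoapi-test", msg, sizeof msg - 1, &sig, &sig_len)) return 1;
    f = fopen("sig.bin", "wb");
    if (f) { fwrite(sig, 1, sig_len, f); fclose(f); }
    free(sig);
    return f ? 0 : 1;
}
#endif
```

The dwProvType check matters on Vista and later: a certificate whose key lives in a CNG key storage provider reports dwProvType 0, and no CryptAcquireContext call will reach it; that case needs NCryptOpenKey/NCryptSignHash instead of this path.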

0

This is an old question, but I recently ran into the same problem and found a solution. Since Google led me here, I'm posting it. It cost me 5 days, so hopefully it saves someone else the time.

First, some background: we have a product built on OpenSSL 0.9.8 that does SSL client authentication, but the client certificate and private key live in the Microsoft Windows certificate store, not in OpenSSL's own files. To use that key we hooked Microsoft Crypto-API into OpenSSL through a custom RSA_method. We then moved from OpenSSL 0.9.8 to 1.0.2 to get TLSv1.2. TLSv1.2 changed how the client's signature is made: previously RSA_sign was called with a SHA-1 digest, now it is SHA-2, and building the SSL Client Verify message fails. Our RSA_method uses CertFindCertificatePrivateKey/CryptCreateHash/CryptSetHashParam/CryptSignHash. CryptCreateHash fails, because with SHA-384 the hCryptoProv obtained from CertFindCertificatePrivateKey belongs to a CSP (Microsoft Enhanced Cryptographic Provider v1.0) that does not support SHA-2.

I searched a lot. Many people have the same problem, but the answers rarely give the actual fix. Here it is.

With earlier SSL versions the signature used SHA-1, so it worked. With TLSv1.2 it is SHA-2. The private key is bound to a CSP that does not support SHA-2, and Crypto-API (at least as far as I could tell) will not switch it for you. I finally found the answer here: http://www.componentspace.com/Forums/Topic1578.aspx. The idea is to re-export the certificate and key into a PFX that names a CSP with SHA-2 support, then re-import it. The command is:

openssl pkcs12 -export -in idp.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

I simply regenerated the .pfx file as that web page says and re-imported the certificate. That solved the problem.

Hope this is helpful. :-)
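The OpenSSL side of this whole thread, as an added example that is not part of the answer above: it generates throwaway test material (a constructed RSA-2048 key, self-signed certificate and input file), runs the exact "openssl dgst -sha256 -sign/-verify" pair the question targets, shows that a signature in CryptSignHash's little-endian order is rejected, then builds a PFX with the -CSP option from the last answer and reads the recorded CSP name back before anything is imported on Windows. It assumes openssl on PATH and POSIX od/awk/printf; the password "test" and the subject name are placeholders.

```sh
#!/bin/sh
# Added example (not from the question or any answer). Everything here is
# constructed throwaway material; nothing touches a real key store.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=cryptoapi-test" -keyout "$WORK/key.pem" \
        -out "$WORK/cert.pem" >/dev/null 2>&1
    openssl x509 -in "$WORK/cert.pem" -pubkey -noout >"$WORK/pub.pem"
    printf 'constructed sample input\n' >"$WORK/data.bin"
}

# The commands from the question; returns 0 when the signature verifies.
# A Windows-produced sig.bin must pass this same -verify command.
sign_and_verify_sha256() {
    openssl dgst -sha256 -sign "$WORK/key.pem" -out "$WORK/sig.bin" "$WORK/data.bin"
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig.bin" \
        "$WORK/data.bin" >/dev/null
}

# Byte-reverse a file with POSIX tools: od emits 3-digit octal per byte,
# awk reverses the list into \NNN escapes, printf turns them into bytes.
reverse_bytes() {
    printf "$(od -An -v -to1 "$1" | awk '{ for (i = 1; i <= NF; i++) a[n++] = $i }
        END { for (i = n - 1; i >= 0; i--) printf "\\%s", a[i] }')" >"$2"
}

# CryptSignHash emits the signature little-endian; handed to OpenSSL as-is
# it is rejected. Returns 0 when the reversed signature indeed fails.
reversed_signature_fails() {
    reverse_bytes "$WORK/sig.bin" "$WORK/sig.le.bin"
    if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig.le.bin" \
        "$WORK/data.bin" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Package key + cert into a PFX that tells Windows which CSP to put the key
# in on import (the fix from the last answer). "test" is a placeholder.
export_pfx_with_sha2_csp() {
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" \
        -passout pass:test -out "$WORK/new.pfx"
}

# Check before importing: print the CSP name stored in the key bag's
# attributes (OID 1.3.6.1.4.1.311.17.1, shown as "Microsoft CSP Name").
pfx_csp_name() {
    openssl pkcs12 -in "$WORK/new.pfx" -info -nodes -passin pass:test 2>/dev/null |
        sed -n 's/^ *Microsoft CSP Name: //p' | head -n 1
}

make_test_material
sign_and_verify_sha256 && echo "sha256 sign/verify: OK"
reversed_signature_fails && echo "little-endian signature rejected, as expected"
export_pfx_with_sha2_csp
echo "PFX declares CSP: $(pfx_csp_name)"
```

The read-back step is the check worth keeping: a PFX exported without -CSP carries no CSP name, and Windows then picks the legacy RSA provider on import, which reproduces the NTE_BAD_ALGID the question started with.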

0
Source: https://habr.com/ru/post/1775110/