Поделиться через


"An internal error ocurred" when using SHA-2 algorithms with SignedCMS

Hi all,

The other day a customer of mine got this exception when trying to use SHA-2 algorithms with SignedCms class in their .NET 3.5 application:

Exception type: System.Security.Cryptography.CryptographicException
Message: An internal error occurred.

They got the exception on Windows Vista SP2/Server 2008 SP2 and later versions when using using a third-party CSP. Why?

SignedCMS class uses CAPI2 (CryptMsg* API) behind the scenes. CAPI2 requires a CNG provider for any algorithm that is not on this list:

CryptFindOIDInfo Function
"
Hash Algorithms:

CALG_SHA1
CALG_MD5
CALG_MD4
CALG_MD2

Algorithms that are not listed are supported by using Cryptography API: Next Generation (CNG) only;
"

In customer's scenario, third-party CSP was a legacy CSP and not a CNG provider.

Summing up, if you want to work with i.e. SHA256, SHA384 & SHA512 algorithms, you will need a CNG provider.

Now, I will post about this in greater detail soon, but SignedCMS class doesn't support CNG. So basically, we cannot use SHA-2 algorithms with that class under this scenario.

I hope this helps.
Regards,

Alex (Alejandro Campos Magencio)

Comments

  • Anonymous
    June 16, 2010
    The comment has been removed
  • Anonymous
    June 16, 2010
    Hi David,Are you using a legacy CSP or a CNG provider? I guess you are using a legacy CSP. In that case, and as I said in the post, CryptMsg* only supports SHA-2 with CNG providers, and your CSP won't work even if it implements SHA-2 algorithms.If you need more info or to confirm this officially by debugging the CryptoAPI, etc., I suggest you open a case with us, Microsoft Technical Support.Regards,Alex
  • Anonymous
    June 16, 2010
    The comment has been removed
  • Anonymous
    June 16, 2010
    David, CryptMsg* API requires a CNG provider on Vista and later when using SHA-2. So you won't be able to use your self-developed legacy CSP.When using SHA-2, CryptMsgUpdate ends up calling NCryptOpenStorageProvider to access a CNG provider, and that function returns "An internal error occurred" for third-party legacy CSPs.
  • Anonymous
    August 01, 2012
    i believe there is a typo bug in CAPIBase:       internal const string szOID_OIWSEC_SHA256 = "2.16.840.1.101.3.4.1";       internal const string szOID_OIWSEC_SHA384 = "2.16.840.1.101.3.4.2";       internal const string szOID_OIWSEC_SHA512 = "2.16.840.1.101.3.4.3";Other discussion on this topic is here: social.msdn.microsoft.com/.../0cc90bdd-35f9-4a7d-8025-89f7ea9f9704
  • Anonymous
    December 21, 2014
    This problem still be there, but the question is that also using a Mindriver called by Microsoft Base Smart Card Crypto Provider", a MS provider that should supporto CNG too, there is the same problem.The only CSPs that are working fine with SHA256 when called by CryptMsg* functions are the classic/softonly CSPs "Microsoft Enhanced Cryptographic Provider v1.0", etc.