CNG new Hash algorithm provider. CreateHash with ECC public key

    Question

  • Hi,

    I'm trying to implement a new hash algorithm provider for CNG. The hash algorithm is for ECC signatures. While the hash is computed, not only the plain data is involved, but also the public key of the ECC key pair is required.

    I've already implemented this algorithm in OpenSSL, and successfully issued a certificate whose signature algorithm is [newhash + ecc]. Now I want to verify this certificate using CryptoAPI (i.e., while CryptUIDlgViewCertificate() is called, it will try to verify the certificate chain and display the result in the first property page).

    The only place where the ECC public key can be used by the new hash algorithm provider seems to be the CreateHash function in BCRYPT_HASH_FUNCTION_TABLE. The CreateHash function has 2 parameters (pbSecret, cbSecret), in which I think the ECC public key can be set.

    The new hash algorithm provider is successfully registered.

    The signature algorithm OID is also registered by the following code:

        #include <windows.h>
        #include <wincrypt.h>

        // szOID_ECDSA_NEWHASHNEWECC, ECDSA_NEWHASHNEWECC_ALGID, NEWHASH_ALGID
        // and HError() are defined elsewhere in the project.
        HRESULT RegisterNewSignatureOid()
        {
            CRYPT_OID_INFO oidinfo;
            memset(&oidinfo, 0, sizeof(oidinfo));

            oidinfo.cbSize = sizeof(oidinfo);
            oidinfo.pszOID = szOID_ECDSA_NEWHASHNEWECC;      // dotted OID string of the new signature algorithm
            oidinfo.pwszName = ECDSA_NEWHASHNEWECC_ALGID;    // display name for the OID
            oidinfo.dwGroupId = CRYPT_SIGN_ALG_OID_GROUP_ID; // signature-algorithm OID group

            // Hash Algid: the hash exists only in CNG, so it is named by its CNG
            // algorithm identifier instead of a CAPI ALG_ID.
            oidinfo.Algid = CALG_OID_INFO_CNG_ONLY;
            oidinfo.pwszCNGAlgid = NEWHASH_ALGID;

            // Public Key Algid: for the signature group, ExtraInfo carries the
            // public key ALG_ID as a DWORD. CALG_OID_INFO_PARAMETERS together with
            // the ECC parameters algorithm name makes crypt32 take the curve from
            // the certificate's public key parameters. CryptRegisterOIDInfo copies
            // the blob into the registry, so pointing at a local is fine.
            static const DWORD aiECCPubKey = CALG_OID_INFO_PARAMETERS;
            oidinfo.ExtraInfo.cbData = sizeof(DWORD);
            oidinfo.ExtraInfo.pbData = (BYTE *) &aiECCPubKey;
            oidinfo.pwszCNGExtraAlgid = CRYPT_OID_INFO_ECC_PARAMETERS_ALGORITHM;

            // Install ahead of any existing entry for the same OID and group.
            if (!CryptRegisterOIDInfo(
                    &oidinfo,
                    CRYPT_INSTALL_OID_INFO_BEFORE_FLAG
                    )) {
                return HError();   // project helper, defined elsewhere
            }
            return S_OK;
        }

    But while the CreateHash function in the new hash algorithm provider is called, pbSecret is always NULL and cbSecret is 0. So, my question is:

    How can I retrieve the public key of the certificate and pass it to CreateHash function in the new hash algorithm provider?

    Must a CryptRegisterOIDFunction be used to tell Windows to get the public key from the certificate and place it in pbSecret when CreateHash is called? If so, what are the parameters of such a CryptRegisterOIDFunction?

    There is one restriction: while doing the verification, only CryptUIDlgViewCertificate() is called, no BCryptXxx().

    Sorry for my bad English. Any advice will be appreciated. Thanks.


    Thursday, March 15, 2012 4:35 PM
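The post states that the signature OID was registered but does not show how that was checked. The script below is an added example, not code from the original post, that reads back what CryptRegisterOIDInfo wrote for a signature-algorithm OID and compares the stored fields with the values the registration code above sets (CNG-only hash Algid, CALG_OID_INFO_PARAMETERS in ExtraInfo, the ECC parameters extra algid, and the "install before" flag). It assumes the registry location and value names that crypt32 uses for registered OID info (EncodingType 0\CryptDllFindOIDInfo, one subkey per "<OID>!<GroupId>", with REG_DWORD Algid, REG_BINARY ExtraInfo, and string CNGAlgid/CNGExtraAlgid values); the OID passed in is a placeholder, since the real value of szOID_ECDSA_NEWHASHNEWECC is not given in the post. It only confirms the CRYPT_OID_INFO entry; it says nothing about what crypt32 later passes to the provider's CreateHash.

```powershell
# Added example (not from the original post): read back the CRYPT_OID_INFO
# entry that CryptRegisterOIDInfo stored for a signature-algorithm OID.
# Assumptions: the registry path and value names below are the ones crypt32
# uses for registered OID info; $Oid is a placeholder for the real OID string.
param(
    [string]$Oid     = '1.2.3.4.5',   # placeholder: substitute szOID_ECDSA_NEWHASHNEWECC
    [int]   $GroupId = 4              # CRYPT_SIGN_ALG_OID_GROUP_ID
)

# Sentinel ALG_IDs from wincrypt.h
$CALG_OID_INFO_CNG_ONLY   = 0xFFFFFFFF
$CALG_OID_INFO_PARAMETERS = 0xFFFFFFFE
$CRYPT_INSTALL_OID_INFO_BEFORE_FLAG = 1

$base = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo'
$key  = Join-Path $base "$Oid!$GroupId"

if (-not (Test-Path $key)) {
    Write-Error "No OID info registered at '$key'. Either CryptRegisterOIDInfo failed, or a 32-bit process wrote it under WOW6432Node instead."
    exit 1
}

$p = Get-ItemProperty -Path $key

# REG_DWORD 0xFFFFFFFF is read back as Int32 -1; mask it to an unsigned value
# before comparing with the CNG-only sentinel.
$algid = [uint32]($p.Algid -band 0xFFFFFFFF)

# ExtraInfo is a REG_BINARY blob holding the DWORD public-key ALG_ID.
$extra = $null
if ($p.ExtraInfo -and $p.ExtraInfo.Length -ge 4) {
    $extra = [BitConverter]::ToUInt32($p.ExtraInfo, 0)
}

[pscustomobject]@{
    OID                    = $Oid
    GroupId                = $GroupId
    Name                   = $p.Name
    CNGAlgid               = $p.CNGAlgid          # expected: the new hash's CNG identifier
    CNGExtraAlgid          = $p.CNGExtraAlgid     # expected: CryptOIDInfoECCParameters
    AlgidIsCngOnly         = ($algid -eq $CALG_OID_INFO_CNG_ONLY)
    ExtraInfoIsParameters  = ($extra -eq $CALG_OID_INFO_PARAMETERS)
    InstalledBeforeBuiltin = (($p.Flags -band $CRYPT_INSTALL_OID_INFO_BEFORE_FLAG) -ne 0)
} | Format-List
```

Run it from an elevated PowerShell matching the bitness of the process that called CryptRegisterOIDInfo; a 32-bit registration on 64-bit Windows lands under SOFTWARE\WOW6432Node, so the 64-bit crypt32 used by a 64-bit CryptUIDlgViewCertificate caller will not see it.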