How to achieve secure boot under Windows CE 6.0?

  • Question

  • Hi all,

    I have found one library under WinCE 6.0, called "mincrypt.lib", but I didn't find any documentation about its APIs, so I don't know how to use them.

    By the way, if I sign my OS using the Win32 API on a PC and then verify it with the mincrypt API in eboot, is that feasible?

    Last, does this mincrypt library support SHA256 and key lengths of 2048 bits or 4096 bits?

    Thanks for your time and assistance.

    Best Regards,

    Gary

    Monday, June 29, 2015 2:01 AM

All replies

  • Hi JS_Gary,

    There is an MSDN page at https://msdn.microsoft.com/en-us/library/ee478123%28v=winembedded.60%29.aspx?f=255&MSPPError=-2147217396 that likely answers your questions. 

    Sincerely,

    IoTGirl

    Monday, June 29, 2015 8:22 PM
    Moderator
  • Hi IoTGirl,

    Thanks for your support first, but I still have some questions.

    1. Does the mincrypt API support verifying signature data that was signed with the Win32 API (CryptHashData, CryptSignHash, and so on)?

    2. The mincrypt API only supports SHA1; is there any update to this library that supports SHA256?

    Thanks.

    Best Regards,

    Gary


    Tuesday, June 30, 2015 8:30 AM
  • Hi Gary,

    1. Documentation suggests SHA-256 is supported in mincrypt. See ALG_ID of CALG_SHA_256 https://msdn.microsoft.com/en-us/library/ms937014.aspx.  This doc is for CE 5 so I expect it still applies for CE 6.

    2. In general, if a feature is not in CE 6 it is unlikely to get added by Microsoft due to the age of the product. You would have better luck with Compact 7 or 2013 (AKA CE 7 or CE 8). However, you are always welcome to implement your own solution.

    PS: Another helpful white paper would be https://msdn.microsoft.com/en-us/library/bb643805.aspx that talks about implementing an SDBL.

    Sincerely,

    IoTGirl

    Tuesday, June 30, 2015 9:32 PM
    Moderator
  • Hi IoTGirl,

    Thanks for your support first.

    I used the mincrypt API to verify my signed data, but it reports the signature as invalid. I don't know which step I have done wrong; the details follow. Please help review them, thanks very much.

    Following are my private key and public key, which were generated by the CryptoAPI.

    Private key blob:

    0x07,0x02,0x00,0x00,0x00,0x24,0x00,0x00,0x52,0x53,0x41,0x32,0x00,0x08,0x00,0x00,
    0x01,0x00,0x01,0x00,0xD1,0xD2,0x4D,0x7C,0x68,0x9C,0xFC,0x19,0x20,0xCD,0x1A,0x1F,
    0xB4,0x33,0x99,0x95,0x43,0xAC,0xB7,0xB5,0x00,0x1C,0x6F,0x8E,0x5B,0xD3,0x80,0x42,
    0x3E,0xE6,0x13,0x6B,0x3F,0x5A,0x9E,0x2F,0xF0,0x77,0xFF,0xDD,0x2E,0xF7,0x71,0xBF,
    0xA1,0x57,0x02,0x6B,0x62,0xA3,0xFD,0x3D,0x6F,0x9B,0x9A,0x54,0xBB,0x3D,0xEC,0x3C,
    0xA6,0x3A,0x3A,0x8A,0xE5,0x69,0x9F,0x02,0xA7,0xE1,0xE5,0x55,0xF0,0xDF,0x1E,0x8D,
    0x31,0xE8,0xC9,0xF6,0x93,0x08,0x3C,0xA2,0xBB,0x78,0x17,0x05,0x22,0x83,0x1D,0x06,
    0x7D,0x2F,0x1B,0x6C,0x5C,0x32,0x45,0x02,0x77,0x8C,0x04,0x81,0x76,0x62,0xBD,0x25,
    0x29,0x26,0x8B,0x26,0xDA,0x50,0x18,0xB2,0x74,0xC6,0x40,0x8C,0xD5,0x7B,0x83,0xD6,
    0x58,0x81,0xF4,0x74,0x5C,0xBC,0xCC,0xC0,0xD5,0xEC,0xA6,0x21,0x72,0x90,0x7E,0x7A,
    0x4E,0x48,0x82,0x1F,0x3E,0xCA,0x11,0xE9,0x4C,0x61,0x90,0x77,0x8C,0x5E,0x6A,0x0A,
    0x6C,0xB6,0xDC,0xF4,0xFF,0x76,0x51,0x7D,0x87,0x64,0xC3,0x34,0x6F,0xBF,0x57,0x46,
    0x99,0x8B,0x22,0x30,0x7F,0xF3,0x69,0xCB,0xBC,0xEE,0xAD,0xA9,0xFC,0x1E,0xF5,0xB4,
    0x87,0xC6,0x71,0x1D,0x12,0xB0,0xBA,0xBA,0xCB,0x17,0xF0,0x05,0x7D,0x9E,0x1D,0x13,
    0x78,0xCD,0x8B,0xCA,0xB2,0x1F,0xC2,0x9D,0xEF,0x1E,0x2F,0x35,0x7E,0xD1,0x85,0x12,
    0xF9,0xFC,0x13,0x8F,0x42,0x8A,0xCE,0x3F,0x81,0xC2,0xF7,0x32,0x5B,0x01,0xE0,0x06,
    0x7A,0x89,0x5F,0xE9,0xFB,0xD5,0xE7,0x48,0x21,0x57,0xC0,0x33,0xCB,0x1F,0x78,0x52,
    0x3F,0xAD,0xB0,0xD3,0x0B,0x8B,0x7D,0x4B,0xA4,0xC0,0x8B,0x76,0x2D,0xC6,0x9D,0xA7,
    0x19,0x1F,0x75,0x22,0x67,0xC6,0xE5,0x11,0x9F,0x5F,0xA3,0xC7,0x27,0xC5,0x1D,0xB1,
    0x08,0x90,0x76,0x79,0x3C,0x44,0xC7,0x9F,0xB7,0xA4,0x07,0xDC,0x47,0x84,0x35,0x5A,
    0x83,0xE6,0x72,0x39,0xA1,0xFE,0x35,0xED,0xD5,0xAF,0x86,0x5E,0xF8,0x2E,0x46,0x8D,
    0x2C,0xC7,0x1A,0x15,0x3A,0xE4,0xA3,0xC3,0x21,0xE5,0x41,0x5D,0x13,0x01,0x2C,0xE1,
    0xE2,0xEE,0xD8,0xC4,0x24,0x80,0x60,0x06,0xAB,0x0A,0xDB,0xAA,0x01,0xED,0xFF,0x92,
    0x68,0x6E,0x41,0x4C,0x1F,0xC4,0x0C,0x60,0xA0,0x55,0xBB,0xDF,0x85,0x55,0x5D,0x93,
    0x6F,0x7E,0x5E,0xE0,0x21,0x9A,0x3E,0x4B,0x34,0x67,0x74,0x8B,0x68,0x3A,0xD5,0x17,
    0x27,0x5E,0x30,0xEC,0x13,0x23,0x2E,0xB4,0xF6,0x95,0xD4,0xAA,0x5A,0x2A,0xEE,0x7A,
    0xCB,0x69,0x59,0x3A,0xA2,0x8F,0xE1,0x66,0x11,0xC3,0x3E,0xED,0xC9,0x77,0xCC,0x93,
    0x69,0x5A,0x15,0x73,0xCA,0x7D,0xF3,0xDB,0xE8,0x0C,0xE1,0xFC,0x9F,0x46,0x65,0xBE,
    0x28,0xFF,0x5F,0x01,0x8A,0x6B,0x83,0x73,0x8D,0x2F,0xCB,0xE2,0x57,0x1D,0x1F,0xC5,
    0x72,0x13,0xE4,0x17,0xA2,0x65,0x79,0x83,0x13,0xD9,0x9E,0xEE,0x2B,0xE1,0x21,0x17,
    0x0C,0xA2,0xAC,0xB1,0xFF,0x85,0x5E,0x79,0xD8,0x89,0xE0,0xBB,0x5E,0xA6,0x0A,0x94,
    0x65,0xD9,0x09,0xC4,0xD3,0x03,0xA5,0x17,0x80,0x24,0x97,0x24,0x41,0x90,0xA0,0x72,
    0x71,0xDE,0xDA,0x39,0x9A,0xA1,0xFE,0x4A,0x41,0x5A,0x8B,0x56,0x6D,0xFD,0x4C,0xC1,
    0x79,0x40,0x72,0xE5,0x89,0x6C,0x8B,0xF5,0xED,0x44,0x5F,0x2B,0x36,0x5F,0x5D,0xAD,
    0xA9,0x74,0x7D,0x15,0xD1,0x5C,0x8D,0x48,0xCF,0x1A,0x30,0x9C,0x01,0x40,0xCF,0x19,
    0x95,0x9D,0x0A,0x6B,0x82,0x62,0x6D,0xE8,0x5C,0x03,0x5A,0x5C,0x83,0xE9,0xE9,0xAE,
    0x8E,0x41,0x97,0x0D,0x1A,0xFC,0x58,0x93,0xA4,0xDF,0xE3,0xEB,0xCE,0xB2,0xDA,0x67,
    0x2F,0xE9,0xC5,0x86,0x35,0xFF,0x70,0x4A,0x0F,0x98,0xDB,0x91,0x21,0x4A,0x9B,0x66,
    0x51,0x3B,0x47,0xF8,0x7A,0x62,0x5A,0x20,0xE0,0xA3,0x4B,0x59,0x44,0x48,0x9A,0x45,
    0xE2,0x5E,0xB5,0xBE,0x11,0x5A,0x46,0xA5,0xAE,0x2E,0xC1,0x3B,0xF5,0xE0,0xCE,0x2A,
    0x1F,0xEF,0x88,0xDD,0x56,0x1E,0x6C,0x70,0x1E,0x23,0x39,0x72,0xA6,0x9C,0x51,0x71,
    0x15,0x3C,0xB6,0xAF,0x95,0x07,0xCA,0x2E,0xFE,0xCB,0x71,0x7F,0x79,0xF2,0x5B,0x5D,
    0x01,0x00,0x6A,0xBB,0x82,0xA0,0xEA,0xC1,0x67,0x5C,0xB3,0xFE,0x82,0x9F,0xFB,0x05,
    0x61,0x50,0x7D,0xBE,0xC8,0xDF,0x69,0x99,0x69,0xDC,0xCA,0xDE,0x9D,0x98,0x0B,0x3D,
    0x51,0xC3,0x34,0x14,0xEE,0x98,0xF9,0x1D,0xD8,0xE4,0x35,0x8E,0xDB,0x71,0x52,0x52,
    0x1E,0x28,0xC7,0xC1,0xDC,0x8C,0xAF,0x16,0x4B,0x15,0x7E,0x23,0xCB,0x6C,0x1A,0x2A,
    0xD9,0x4B,0xC8,0x11,0x1D,0xB5,0xC9,0xEC,0xD9,0x30,0x0A,0xED,0x60,0xB5,0x36,0xB1,
    0x4E,0x97,0x0E,0x78,0xD1,0x84,0x58,0x67,0x06,0x44,0x45,0x9D,0x10,0x90,0x0D,0x07,
    0x2F,0x56,0xA4,0x4C,0x56,0x7B,0x40,0x64,0x6E,0x17,0xA1,0x70,0x22,0x17,0x5E,0x21,
    0xE1,0x2C,0xD2,0x3D,0x54,0xDE,0xCB,0xF6,0x16,0x48,0xF7,0x00,0x74,0x7D,0x34,0x55,
    0x99,0xC4,0x55,0x46,0x25,0x51,0x09,0x9D,0x5D,0x9B,0xD6,0xC9,0xCB,0x99,0xB0,0xD3,
    0x2C,0xC2,0x44,0xB6,0x29,0x78,0xC1,0x00,0xAC,0x70,0xBB,0x09,0xD6,0x84,0x8D,0x7E,
    0x8B,0x41,0x81,0x8A,0x80,0x4A,0x0D,0x51,0x8A,0xB4,0x1A,0x15,0x14,0xF0,0x84,0x6B,
    0xE2,0x4F,0x9A,0x47,0x1A,0xD5,0x0B,0xCE,0x01,0xCB,0xA9,0xDB,0xC7,0xF7,0xAF,0x12,
    0x4A,0x39,0x73,0xFF,0x35,0xD1,0xA9,0x93,0xD7,0x72,0xB5,0xA4,0xE3,0x74,0xBC,0xB9,
    0x19,0x9C,0xBD,0x92,0x82,0xB6,0x86,0xC7,0xAF,0x32,0x3F,0x6B,0x9C,0x25,0x5F,0x8E,
    0xB7,0x0C,0x68,0xC5,0xB9,0xC3,0x23,0xE0,0x81,0xEC,0x4D,0xF6,0xE4,0xEF,0x98,0x54,
    0x87,0x24,0xAB,0xAB,0x55,0x02,0xFE,0xF9,0xE3,0x59,0x6A,0xA7,0xFB,0xA6,0xEE,0x25,
    0xF9,0x53,0x35,0x6B,0x77,0xCF,0x56,0x17,0xC3,0xA4,0x87,0x2C,0xDF,0x49,0x5A,0xA0,
    0xDB,0x80,0x3F,0x20,0x27,0xBC,0x7F,0x45,0xFA,0x74,0xD6,0xCB,0xAF,0x0E,0x85,0x8A,
    0x97,0x57,0x7B,0x41,0xA8,0xBE,0x89,0x37,0x0A,0x1F,0x71,0x89,0x01,0x9D,0xED,0x65,
    0xC2,0xBB,0x96,0x33,0xE3,0xA7,0x73,0xC8,0x41,0xC7,0x0B,0x9F,0x2B,0xD6,0x41,0xAA,
    0x60,0xEE,0xCA,0xCE,0x3B,0xB4,0x21,0x51,0x95,0x12,0x94,0x1B,0x53,0x77,0xDE,0xEB,
    0x28,0xE6,0x75,0x2A,0xD3,0x8D,0xC1,0x0D,0x80,0x12,0x11,0x43,0xC9,0x0A,0xA0,0x5E,
    0x8F,0x71,0x83,0x93,0x73,0x23,0xAA,0x21,0x67,0xB0,0xDF,0x33,0xF3,0x0D,0x90,0x9B,
    0xDC,0xAB,0x59,0xB2,0xE8,0x09,0x56,0x50,0xFF,0x2D,0x3C,0x83,0x2F,0x0A,0xD1,0xB1,
    0xBF,0x1D,0xA4,0xE6,0x18,0xF6,0x1B,0x52,0x75,0xBE,0x62,0xFC,0x30,0x4E,0x38,0x71,
    0xBA,0x04,0xB7,0x87,0xD8,0xA2,0x6E,0x3A,0x43,0x4A,0xA9,0x6A,0x45,0x9F,0x16,0xD0,
    0x53,0x2A,0x82,0x4A,0x24,0xF2,0x99,0x6B,0x15,0x32,0x27,0x12,0x56,0xB0,0xA0,0x56,
    0x3E,0xB6,0xDB,0xA7,0x82,0xC0,0x34,0x32,0x5B,0xD0,0x90,0x0E,0x32,0x54,0xFE,0x24,
    0xD8,0xEB,0xEF,0xE6,0x0C,0x73,0x67,0x71,0xE0,0x1D,0x1B,0x87,0x85,0x1F,0xA7,0xD8,
    0x7B,0x49,0x03,0xB5,0x55,0xAC,0x03,0xDD,0xF3,0x78,0x41,0x09,0x42,0x59,0x28,0x25,
    0xDF,0x4E,0x43,0xF6,0x93,0xEE,0xD4,0x00,0x63,0x52,0x17,0x22,0xAC,0xF2,0x37,0xD0,
    0xDD,0x81,0x5F,0x54

    Public key blob:

    0x06,0x02,0x00,0x00,0x00,0x24,0x00,0x00,0x52,0x53,0x41,0x31,0x00,0x08,0x00,0x00,
    0x01,0x00,0x01,0x00,0xD1,0xD2,0x4D,0x7C,0x68,0x9C,0xFC,0x19,0x20,0xCD,0x1A,0x1F,
    0xB4,0x33,0x99,0x95,0x43,0xAC,0xB7,0xB5,0x00,0x1C,0x6F,0x8E,0x5B,0xD3,0x80,0x42,
    0x3E,0xE6,0x13,0x6B,0x3F,0x5A,0x9E,0x2F,0xF0,0x77,0xFF,0xDD,0x2E,0xF7,0x71,0xBF,
    0xA1,0x57,0x02,0x6B,0x62,0xA3,0xFD,0x3D,0x6F,0x9B,0x9A,0x54,0xBB,0x3D,0xEC,0x3C,
    0xA6,0x3A,0x3A,0x8A,0xE5,0x69,0x9F,0x02,0xA7,0xE1,0xE5,0x55,0xF0,0xDF,0x1E,0x8D,
    0x31,0xE8,0xC9,0xF6,0x93,0x08,0x3C,0xA2,0xBB,0x78,0x17,0x05,0x22,0x83,0x1D,0x06,
    0x7D,0x2F,0x1B,0x6C,0x5C,0x32,0x45,0x02,0x77,0x8C,0x04,0x81,0x76,0x62,0xBD,0x25,
    0x29,0x26,0x8B,0x26,0xDA,0x50,0x18,0xB2,0x74,0xC6,0x40,0x8C,0xD5,0x7B,0x83,0xD6,
    0x58,0x81,0xF4,0x74,0x5C,0xBC,0xCC,0xC0,0xD5,0xEC,0xA6,0x21,0x72,0x90,0x7E,0x7A,
    0x4E,0x48,0x82,0x1F,0x3E,0xCA,0x11,0xE9,0x4C,0x61,0x90,0x77,0x8C,0x5E,0x6A,0x0A,
    0x6C,0xB6,0xDC,0xF4,0xFF,0x76,0x51,0x7D,0x87,0x64,0xC3,0x34,0x6F,0xBF,0x57,0x46,
    0x99,0x8B,0x22,0x30,0x7F,0xF3,0x69,0xCB,0xBC,0xEE,0xAD,0xA9,0xFC,0x1E,0xF5,0xB4,
    0x87,0xC6,0x71,0x1D,0x12,0xB0,0xBA,0xBA,0xCB,0x17,0xF0,0x05,0x7D,0x9E,0x1D,0x13,
    0x78,0xCD,0x8B,0xCA,0xB2,0x1F,0xC2,0x9D,0xEF,0x1E,0x2F,0x35,0x7E,0xD1,0x85,0x12,
    0xF9,0xFC,0x13,0x8F,0x42,0x8A,0xCE,0x3F,0x81,0xC2,0xF7,0x32,0x5B,0x01,0xE0,0x06,
    0x7A,0x89,0x5F,0xE9,0xFB,0xD5,0xE7,0x48,0x21,0x57,0xC0,0x33,0xCB,0x1F,0x78,0x52,
    0x3F,0xAD,0xB0,0xD3

    Following is my signing code:

    CryptAcquireContext(&hCryptProv, _T("GARY_CSP"), NULL, PROV_RSA_FULL, 0);
    CryptImportKey(hCryptProv, pbPrivateKey, dwPrivateKeyLen, 0, 0, &hKey); // pbPrivateKey is the private key blob above
    CryptCreateHash(hCryptProv, CALG_SHA1, 0, 0, &hHash);
    CryptHashData(hHash, pbData, dwDataLen, 0); // pbData is "1234567890abcdef"
    CryptSignHash(hHash, AT_SIGNATURE, NULL, 0, pbSignature, &dwSigLen); // pbSignature receives the 256-byte signature

    I use the following mincrypt APIs to do the verification under WinCE 6.0. The MinCryptVerifySignedHash API returns error code 0x80090006, which means signature verification failed. Following is my sample code:

    lReturn = MinCryptCreateHashMemory(CALG_SHA1, &hHash);
    if (lReturn != 0)
    {
        RETAILMSG(1, (L"MinCryptCreateHashMemory:0x%x",lReturn));
        return 1;
    }
    blob.cbData = 16;
    blob.pbData = (BYTE *)pbData; // pbData is "1234567890abcdef", the same as above.
    lReturn = MinCryptUpdateHashMemory(CALG_SHA1, hHash, 1, &blob);
    if (lReturn != 0)
    {
        RETAILMSG(1, (L"MinCryptUpdateHashMemory:0x%x",lReturn));
        return 1;
    }
    lReturn = MinCryptGetHashParam(CALG_SHA1, hHash, bHash, &dwHashLen);
    if (lReturn != 0)
    {
        RETAILMSG(1, (L"MinCryptGetHashParam:0x%x",lReturn));
        return 1;
    }

    #ifdef GARY_DEBUG
    RETAILMSG(1, (L"Hash = ["));
    for (i = 0; i < dwHashLen; i++)
    {
        RETAILMSG(1, (L"%x ", bHash[i])); // I have checked that the hash value is right.
    }
    RETAILMSG(1, (L"]\r\n\r\n"));
    #endif

    blobKey.cbData = 294;
    blobKey.pbData = g_pbKey; // The public key blob is as below.

    blobSig.cbData = 256;
    blobSig.pbData = g_pbSig; // The same bytes as pbSignature

    lReturn = MinCryptVerifySignedHash(CALG_SHA1, bHash, dwHashLen, &blobSig, &blobKey);
    if (lReturn != 0)
    {
        RETAILMSG(1, (L"MinCryptVerifySignedHash:0x%x",lReturn));
        return 1;
    }
    else
    {
        RETAILMSG(1, (L"Verify OK\r\n"));
    }

    BYTE g_pbKey[294] = {0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, \
    0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, \
    0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, \
    0x01, 0x01, 0x00,\
    0xD1,0xD2,0x4D,0x7C,0x68,0x9C,0xFC,0x19,0x20,0xCD,0x1A,0x1F,0xB4,0x33,0x99,0x95,\
    0x43,0xAC,0xB7,0xB5,0x00,0x1C,0x6F,0x8E,0x5B,0xD3,0x80,0x42,0x3E,0xE6,0x13,0x6B,\
    0x3F,0x5A,0x9E,0x2F,0xF0,0x77,0xFF,0xDD,0x2E,0xF7,0x71,0xBF,0xA1,0x57,0x02,0x6B,\
    0x62,0xA3,0xFD,0x3D,0x6F,0x9B,0x9A,0x54,0xBB,0x3D,0xEC,0x3C,0xA6,0x3A,0x3A,0x8A,\
    0xE5,0x69,0x9F,0x02,0xA7,0xE1,0xE5,0x55,0xF0,0xDF,0x1E,0x8D,0x31,0xE8,0xC9,0xF6,\
    0x93,0x08,0x3C,0xA2,0xBB,0x78,0x17,0x05,0x22,0x83,0x1D,0x06,0x7D,0x2F,0x1B,0x6C,\
    0x5C,0x32,0x45,0x02,0x77,0x8C,0x04,0x81,0x76,0x62,0xBD,0x25,0x29,0x26,0x8B,0x26,\
    0xDA,0x50,0x18,0xB2,0x74,0xC6,0x40,0x8C,0xD5,0x7B,0x83,0xD6,0x58,0x81,0xF4,0x74,\
    0x5C,0xBC,0xCC,0xC0,0xD5,0xEC,0xA6,0x21,0x72,0x90,0x7E,0x7A,0x4E,0x48,0x82,0x1F,\
    0x3E,0xCA,0x11,0xE9,0x4C,0x61,0x90,0x77,0x8C,0x5E,0x6A,0x0A,0x6C,0xB6,0xDC,0xF4,\
    0xFF,0x76,0x51,0x7D,0x87,0x64,0xC3,0x34,0x6F,0xBF,0x57,0x46,0x99,0x8B,0x22,0x30,\
    0x7F,0xF3,0x69,0xCB,0xBC,0xEE,0xAD,0xA9,0xFC,0x1E,0xF5,0xB4,0x87,0xC6,0x71,0x1D,\
    0x12,0xB0,0xBA,0xBA,0xCB,0x17,0xF0,0x05,0x7D,0x9E,0x1D,0x13,0x78,0xCD,0x8B,0xCA,\
    0xB2,0x1F,0xC2,0x9D,0xEF,0x1E,0x2F,0x35,0x7E,0xD1,0x85,0x12,0xF9,0xFC,0x13,0x8F,\
    0x42,0x8A,0xCE,0x3F,0x81,0xC2,0xF7,0x32,0x5B,0x01,0xE0,0x06,0x7A,0x89,0x5F,0xE9,\
    0xFB,0xD5,0xE7,0x48,0x21,0x57,0xC0,0x33,0xCB,0x1F,0x78,0x52,0x3F,0xAD,0xB0,0xD3,\
    0x02, 0x03, 0x01, 0x00, 0x01};

    By the way, if I use the Win32 CryptoAPI to verify the above signed data, it's OK.

    Best Regards,

    Gary

    Thursday, July 2, 2015 9:23 AM
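A check worth running on the key material in the post above, as an added example (this is not code from the thread, from mincrypt or from Microsoft): a CryptoAPI RSA PUBLICKEYBLOB stores the modulus least-significant byte first, whereas the DER SubjectPublicKeyInfo layout that g_pbKey follows encodes the modulus INTEGER big-endian. The script parses the public key blob posted above (copied from the post, 276 bytes), builds the DER encoding with the modulus byte-reversed, and builds a second encoding that copies the modulus bytes in blob order, as g_pbKey does. The two encodings share the header and trailer but differ in all 256 modulus bytes, so they describe two different RSA keys, and a verifier handed the second one is effectively verifying against the wrong public key. The header and trailer constants are the first 33 and last 5 bytes of g_pbKey; all function names are this script's own.

```python
"""Turn a CryptoAPI RSA PUBLICKEYBLOB into a DER SubjectPublicKeyInfo and show
how copying the blob's modulus bytes unreversed yields a different key.
Added example; the blob constant is copied from the post above, the rest is new.
"""
import struct

# wincrypt.h layout of an RSA PUBLICKEYBLOB:
#   BLOBHEADER { BYTE bType; BYTE bVersion; WORD reserved; ALG_ID aiKeyAlg; }
#   RSAPUBKEY  { DWORD magic ("RSA1"); DWORD bitlen; DWORD pubexp; }
#   BYTE modulus[bitlen / 8]      <- least-significant byte first
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
RSA1_MAGIC = 0x31415352                 # the bytes "RSA1" read as a little-endian DWORD
CALG_NAMES = {0x2400: "CALG_RSA_SIGN", 0xA400: "CALG_RSA_KEYX"}
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1

# The public key blob from the post (276 bytes: 20-byte header + 256-byte modulus).
GARY_PUBLIC_KEY_BLOB = bytes.fromhex(
    "06020000002400005253413100080000"
    "01000100D1D24D7C689CFC1920CD1A1F"
    "B433999543ACB7B5001C6F8E5BD38042"
    "3EE6136B3F5A9E2FF077FFDD2EF771BF"
    "A157026B62A3FD3D6F9B9A54BB3DEC3C"
    "A63A3A8AE5699F02A7E1E555F0DF1E8D"
    "31E8C9F693083CA2BB78170522831D06"
    "7D2F1B6C5C324502778C04817662BD25"
    "29268B26DA5018B274C6408CD57B83D6"
    "5881F4745CBCCCC0D5ECA62172907E7A"
    "4E48821F3ECA11E94C6190778C5E6A0A"
    "6CB6DCF4FF76517D8764C3346FBF5746"
    "998B22307FF369CBBCEEADA9FC1EF5B4"
    "87C6711D12B0BABACB17F0057D9E1D13"
    "78CD8BCAB21FC29DEF1E2F357ED18512"
    "F9FC138F428ACE3F81C2F7325B01E006"
    "7A895FE9FBD5E7482157C033CB1F7852"
    "3FADB0D3"
)
# First 33 and last 5 bytes of the g_pbKey array in the same post.
G_PBKEY_HEADER = bytes.fromhex("30820122300d06092a864886f70d01010105000382010f003082010a0282010100")
G_PBKEY_TRAILER = bytes.fromhex("0203010001")


def parse_publickeyblob(blob):
    """Return (algorithm name, bit length, public exponent, modulus bytes LSB-first)."""
    if len(blob) < 20:
        raise ValueError("blob too short for BLOBHEADER + RSAPUBKEY")
    btype, bversion, _reserved, aikeyalg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if btype != PUBLICKEYBLOB or bversion != CUR_BLOB_VERSION:
        raise ValueError("not a version-2 PUBLICKEYBLOB")
    if magic != RSA1_MAGIC:
        raise ValueError("RSAPUBKEY magic is not 'RSA1'")
    modulus_le = blob[20:20 + bitlen // 8]
    if len(modulus_le) != bitlen // 8:
        raise ValueError("modulus truncated")
    return CALG_NAMES.get(aikeyalg, hex(aikeyalg)), bitlen, pubexp, modulus_le


def der_tlv(tag, content):
    """Minimal DER tag-length-value encoder (definite lengths, long form when needed)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_unsigned_integer(magnitude_be):
    """DER INTEGER from big-endian magnitude bytes; strips leading zeros, re-pads the sign bit."""
    magnitude_be = magnitude_be.lstrip(b"\x00") or b"\x00"
    if magnitude_be[0] & 0x80:
        magnitude_be = b"\x00" + magnitude_be
    return der_tlv(0x02, magnitude_be)


def spki_from_blob(blob, modulus_order="little"):
    """Build SubjectPublicKeyInfo. "little" is the correct reading of a CryptoAPI blob;
    "big" reproduces a byte-for-byte copy of the blob's modulus (what g_pbKey holds)."""
    _alg, _bits, e, modulus_le = parse_publickeyblob(blob)
    n_be = modulus_le[::-1] if modulus_order == "little" else modulus_le
    rsa_public_key = der_tlv(0x30, der_unsigned_integer(n_be) + der_unsigned_integer(e.to_bytes(4, "big")))
    algorithm_id = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # rsaEncryption, NULL parameters
    return der_tlv(0x30, algorithm_id + der_tlv(0x03, b"\x00" + rsa_public_key))


def compare_encodings(blob):
    """Summarise both encodings so the difference is visible at a glance."""
    alg, bits, e, _modulus_le = parse_publickeyblob(blob)
    correct = spki_from_blob(blob, "little")
    naive = spki_from_blob(blob, "big")
    hdr = len(G_PBKEY_HEADER)   # the modulus INTEGER content starts here for this 2048-bit key
    return {
        "alg": alg, "bits": bits, "e": e, "spki_len": len(correct),
        "header_matches_g_pbKey": correct.startswith(G_PBKEY_HEADER) and naive.startswith(G_PBKEY_HEADER),
        "trailer_matches_g_pbKey": correct.endswith(G_PBKEY_TRAILER) and naive.endswith(G_PBKEY_TRAILER),
        "same_bytes": correct == naive,
        "correct_modulus_head": correct[hdr:hdr + 4].hex(),
        "naive_modulus_head": naive[hdr:hdr + 4].hex(),
    }


if __name__ == "__main__":
    for key, value in compare_encodings(GARY_PUBLIC_KEY_BLOB).items():
        print(f"{key}: {value}")
```

The blob header also records the key type: aiKeyAlg 0x2400 is CALG_RSA_SIGN, consistent with signing via AT_SIGNATURE. The same little-endian convention applies to the signature bytes CryptSignHash returns, so a 256-byte signature handed to a DER/PKCS#1-style verifier needs the same reversal as the modulus.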
  • Hi IoTGirl,

    Could you help double-check this issue with Microsoft?

    I have shared my test code; I don't know why MinCryptVerifySignedHash always returns an error.

    Thanks,

    Gary

    Monday, July 6, 2015 8:32 AM
  • Hi Gary,

    I do not have your setup.  You are going to have to dig into the error code for insight into why your calls are failing.  Please review the samples to see how others have achieved Secure boot.

    Sincerely,

    IoTGirl

    Monday, July 6, 2015 5:38 PM
    Moderator
  • Hi IoTGirl,

    I only have mincrypt.lib and loadauth.lib, without their source code, and you also didn't share any user manual, so I can't dig into the error code to debug further.

    And now I am only stuck on "MinCryptVerifySignedHash". I have shared my source code in my earlier reply on 2015-7-2. Could you help me check this API, or ask another expert to help check it?

    Thanks,

    Gary

    Tuesday, July 7, 2015 3:12 AM
  • Hi Gary,

    The return code is in winerror.h and tells you exactly what you need to know.

    #define NTE_BAD_SIGNATURE                _HRESULT_TYPEDEF_(0x80090006L)

    The NTE Return Codes that are around this error from MinCrypt are:

    NTE_BAD_ALGID       - unsupported hash or public key algorithm

    NTE_BAD_SIGNATURE   - bad PKCS #7 or signer chain signature

    NTE_BAD_PUBLIC_KEY  - not a valid RSA public key

    Some older docs have more details on this error:

    NTE_BAD_SIGNATURE The signature failed to verify. This could be because the data itself has changed, the description string did not match, or the wrong public key was specified by hPubKey.
    This error can also be returned if the hashing or signature algorithms do not match the ones used to create the signature.

    Sincerely,

    IoTGirl

    Wednesday, July 22, 2015 5:31 PM
    Moderator
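To see how the causes listed above show up in practice, here is a pure-Python RSASSA-PKCS1-v1_5 verifier, added as an example (not mincrypt code and not from the thread), that reports which stage rejected a signature: a value not below the modulus or wrong padding (wrong public key, or signature bytes in the wrong order), a DigestInfo for a different hash (hash algorithm mismatch), or a digest that differs (data changed). CryptSignHash returns its signature least-significant byte first, while PKCS#1 verifiers read the signature big-endian, so the demo signs the thread's 16-byte test message with a seeded, test-only 512-bit key generated in the script and verifies the raw CryptoAPI byte order against the reversed one, a second key, altered data and a mismatched hash. The key generation, the message, the seeds and all function names are constructed here; nothing is taken from the posted key, and the signer is a model of CryptSignHash's output format, not the CSP itself.

```python
"""RSASSA-PKCS1-v1_5 verification that says *why* a signature fails.
Added example, not code from the thread or from mincrypt. Test-only key pair
generated from a fixed seed (Miller-Rabin, not production key generation).
Requires Python 3.8+ for pow(e, -1, m).
"""
import hashlib
import random

# DigestInfo prefixes from RFC 8017 section 9.2.
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin with trial division first; fine for a demo key."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_probable_prime(candidate, rng):
            return candidate


def make_test_keypair(bits=512, seed=20150702):
    """Deterministic (n, e, d); constructed for this demo only."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)


def emsa_pkcs1_v15(digest, alg, k):
    """EM = 0x00 || 0x01 || PS (0xFF...) || 0x00 || DigestInfo || digest."""
    t = DIGEST_INFO[alg] + digest
    if k < len(t) + 11:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def capi_style_sign(n, d, data, alg="sha1"):
    """Model of CryptSignHash output: PKCS#1 v1.5, but emitted LSB-first."""
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15(hashlib.new(alg, data).digest(), alg, k)
    s = pow(int.from_bytes(em, "big"), d, n)
    return s.to_bytes(k, "little")          # CryptoAPI byte order, not PKCS#1 order


def verify_pkcs1_v15(n, e, signature_be, data, alg="sha1"):
    """Return (ok, reason). signature_be must be in PKCS#1 (big-endian) byte order."""
    k = (n.bit_length() + 7) // 8
    if len(signature_be) != k:
        return False, "signature length does not match modulus size"
    s = int.from_bytes(signature_be, "big")
    if s >= n:
        return False, "signature value not below modulus: wrong key or wrong byte order"
    em = pow(s, e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)              # end of the 0xFF padding string
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return False, "bad PKCS#1 padding: wrong public key or wrong signature byte order"
    t = em[sep + 1:]
    for name, prefix in DIGEST_INFO.items():
        if t.startswith(prefix):
            if name != alg:
                return False, f"hash algorithm mismatch: signed with {name}, verifying with {alg}"
            if t[len(prefix):] != hashlib.new(alg, data).digest():
                return False, "hash mismatch: data differs from what was signed"
            return True, "ok"
    return False, "unrecognised DigestInfo"


def demo():
    n, e, d = make_test_keypair()
    other_n, other_e, _ = make_test_keypair(seed=1)    # a second, unrelated key
    data = b"1234567890abcdef"                          # the thread's test message
    sig_le = capi_style_sign(n, d, data)                # what CryptSignHash hands back
    return {
        "capi_bytes_as_is": verify_pkcs1_v15(n, e, sig_le, data),
        "capi_bytes_reversed": verify_pkcs1_v15(n, e, sig_le[::-1], data),
        "wrong_public_key": verify_pkcs1_v15(other_n, other_e, sig_le[::-1], data),
        "data_changed": verify_pkcs1_v15(n, e, sig_le[::-1], data + b"x"),
        "wrong_hash_alg": verify_pkcs1_v15(n, e, sig_le[::-1], data, alg="sha256"),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:20s} {'OK ' if ok else 'FAIL'} {reason}")
```

Only the reversed signature verifies; every other case fails with a reason that maps onto one of the NTE_BAD_SIGNATURE explanations quoted above, which is the kind of breakdown a single HRESULT cannot give you.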
  • A bit of necroposting, but I hope it can help Gary.

    Look here: https://social.msdn.microsoft.com/Forums/en-US/509b3942-4efa-4912-a1b9-5fd551794284/problem-with-mincryptverifysignedhash-on-winec7-bootloader?forum=winembplatdev&prof=required

    Hope you experienced the same issue.

    Wednesday, December 16, 2015 5:43 PM