Fixed hash algorithm in CertEnroll library

  • General discussion

  • Hello!

    The problem is the fixed hash algorithm (SHA1) used in the CertEnroll library.

    That's why we can't create a certificate request using our Cryptographic Provider (CSP), which implements Russian crypto-algorithms but not SHA1.

    The X509Enrollment.IX509CertificateRequestPkcs10 interface has a HashAlgorithm property that is used for signing the PKCS#10. But after creating the PKCS#10, CertEnroll creates a "dummy certificate" for the "Request" store (like XEnroll does). And it tries to sign this certificate with SHA1, which is fixed in CertEnroll::CX509SignatureInformation::SetDefaultValues. We think that it would be more correct to use the same hash algorithm as for signing the PKCS#10.

    And several comments on the "Certificate Enrollment" wizard from the "Certificates" snap-in:
    First of all, there is a similar problem. The user can't choose the hash algorithm for request signing. So, there is no UI for the HashAlgorithm property.

    The last build of Windows Vista we looked at is 5536.

    Related links are:
    http://www.ietf.org/rfc/rfc4357.txt
    http://www.ietf.org/rfc/rfc4491.txt

    P.S. If this behavior isn't corrected in the release version of Vista, we will have to resolve it in some way; this is critical for us. So, we will request a fix for Vista using our benefits as a Microsoft Gold Certified Partner. So, we want to ask Microsoft to help us avoid this process!


    Thank you!

    Roman Sedov
    Crypto-Pro Company
    Phone: +7(495)933-1168, +7(495)689-43-67
    WWW: http://www.cryptopro.ru
    e-mail: sedov@cryptopro.ru
    Tuesday, August 29, 2006 11:52 AM
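
A check for the mismatch described in the post above, as an added example that is not part of the original post or of CertEnroll: it reads the outer signatureAlgorithm OID from a DER-encoded PKCS#10 and from a certificate and compares them. The two inputs are constructed skeletons (empty body, empty signature) and all function names are hypothetical.

```python
# Added example. Both a PKCS#10 CertificationRequest and an X.509 Certificate
# are SEQUENCE { body, signatureAlgorithm AlgorithmIdentifier, BIT STRING }.

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode base-128 OID content octets into dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_oid(der):
    """OID of the outer signatureAlgorithm of a request or certificate."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, body_end = read_tlv(der, start)          # skip the signed body
    tag, alg_start, _ = read_tlv(der, body_end)    # AlgorithmIdentifier
    otag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x30 or otag != 0x06:
        raise ValueError("unexpected signatureAlgorithm layout")
    return decode_oid(der[oid_start:oid_end])

def same_signature_algorithm(request_der, dummy_cert_der):
    """True when the dummy certificate is signed like the PKCS#10."""
    return signature_oid(request_der) == signature_oid(dummy_cert_der)

def _skeleton(alg_hex):                    # constructed sample, not a real request
    tlv = lambda t, b: bytes([t, len(b)]) + b
    return tlv(0x30, tlv(0x30, b"") + tlv(0x30, bytes.fromhex(alg_hex)) + tlv(0x03, b"\x00"))

REQUEST = _skeleton("06062a8503020203")               # 1.2.643.2.2.3 (RFC 4491)
DUMMY_CERT = _skeleton("06092a864886f70d0101050500")  # sha1WithRSAEncryption
```

With real data, pass the DER bytes of the generated request and of the certificate found in the "Request" store to `same_signature_algorithm`.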