Forums, Documentation & Knowledge Base - ComponentSpace

SHA-256 and Converting the Cryptographic Service Provider Type


https://componentspace.com/forums/Topic1578.aspx

By ComponentSpace - 7/17/2015

Checking the Cryptographic Service Provider

SHA-256, SHA-384 and SHA-512 XML signatures require the Microsoft Enhanced RSA and AES Cryptographic Provider.

This can be checked using Microsoft's CertUtil.exe.
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil


certutil -dump idp.pfx
Enter PFX password:
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 74f0ebfe22358db8433138f9558c9af9
Issuer: CN=www.idp.com
NotBefore: 22/11/2013 6:20 PM
NotAfter: 1/01/2050 12:00 AM
Subject: CN=www.idp.com
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): a6 a4 ae 4e 0b 37 8e c7 36 78 e5 81 26 90 af 50 e3 ec 37 69
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
Encryption test passed
CertUtil: -dump command completed successfully.


The above private key specifies the correct provider and so may be used to generate SHA-256, SHA-384 and SHA-512 XML signatures.
If the private key isn't associated with the correct Cryptographic Service Provider (CSP), it can be converted to specify the Microsoft Enhanced RSA and AES Cryptographic Provider.
NB. The conversion does not modify the public or private key values or any other information apart from the CSP to use.
NB. It's safe to perform this conversion on self-signed as well as certificate authority issued certificate files.
Two options are listed for performing the conversion: CertUtil and OpenSSL. We recommend using CertUtil.

CertUtil
Dump the PFX file noting the certificate's serial number.


certutil.exe -p password -dump test.pfx

================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 3ddc6dbd5f1321bd4655ac8841875bfb
Issuer: CN=test
NotBefore: 4/06/2020 10:45 AM
NotAfter: 1/01/2050 12:00 AM
Subject: CN=test
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): fecf3e3a28ca80248ca76c1870cb36130d9b9def
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Software Key Storage Provider
Private key is NOT plain text exportable
Encryption test passed
CertUtil: -dump command completed successfully.



Import the PFX file into the Windows certificate store, specifying the cryptographic service provider.


certutil.exe -p password -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importPFX test.pfx

Certificate "test" added to store.
CertUtil: -importPFX command completed successfully.



Export the certificate and private key from the Windows certificate store to a PFX file. The certificate is identified by its serial number.


certutil.exe -p password -exportPFX 3ddc6dbd5f1321bd4655ac8841875bfb new.pfx NoChain,ExtendedProperties

MY "Personal"
================ Certificate 2 ================
Serial Number: 3ddc6dbd5f1321bd4655ac8841875bfb
Issuer: CN=test
NotBefore: 4/06/2020 10:45 AM
NotAfter: 1/01/2050 12:00 AM
Subject: CN=test
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): fecf3e3a28ca80248ca76c1870cb36130d9b9def
Key Container = test-21a25909-b8af-4883-a423-33f17871b48d
Unique container name: b067db77931cffe3810d1d2d8bb2062d_9ee80830-26bf-4602-b6a8-a0b873b2c8bb
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.



Dump the PFX file again to confirm the correct cryptographic service provider is now specified.


certutil -p password -dump new.pfx

================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 3ddc6dbd5f1321bd4655ac8841875bfb
Issuer: CN=test
NotBefore: 4/06/2020 10:45 AM
NotAfter: 1/01/2050 12:00 AM
Subject: CN=test
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): fecf3e3a28ca80248ca76c1870cb36130d9b9def
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
Encryption test passed
CertUtil: -dump command completed successfully.



Delete the certificate from the Windows certificate store as it's no longer required.


certutil.exe -delStore My 3ddc6dbd5f1321bd4655ac8841875bfb

My "Personal"
Deleting Certificate 2: CN=test:fecf3e3a28ca80248ca76c1870cb36130d9b9def
CertUtil: -delstore command completed successfully.
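The four CertUtil steps above (dump, import with -csp, export by serial number, delete from the store) can be scripted so that the provider is checked first, the temporary store entry is always cleaned up, and the result is verified before the new PFX is trusted. The following PowerShell is an added example written for this page, not ComponentSpace's own code. It assumes certutil.exe is on the PATH, that the import and export use the current user's My store (certutil's default, as in the commands above), and that the PFX path, password and output path are supplied by the caller as placeholders.

```powershell
# Added example (not from the ComponentSpace page): check which CSP a PFX private key
# uses and, if it is not the Enhanced RSA and AES provider, re-wrap it with certutil.
# Assumptions: certutil.exe is on PATH; the My store of the current user is used;
# $PfxPath / $Password / $OutPath are placeholders supplied by the caller.

$RequiredCsp = 'Microsoft Enhanced RSA and AES Cryptographic Provider'

function Get-PfxCspInfo {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$Password
    )
    # certutil -dump prints "Serial Number: ..." and "Provider = ..." lines for the PFX
    $dump = & certutil.exe -p $Password -dump $PfxPath 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed:`n$dump" }

    $provider = [regex]::Match($dump, 'Provider = (.+)').Groups[1].Value.Trim()
    $serial   = [regex]::Match($dump, 'Serial Number: ([0-9a-fA-F]+)').Groups[1].Value

    [pscustomobject]@{
        Serial      = $serial
        Provider    = $provider
        Sha2Capable = ($provider -eq $RequiredCsp)   # SHA-256/384/512 XML signatures need this CSP
    }
}

function Convert-PfxToEnhancedCsp {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$OutPath
    )
    $info = Get-PfxCspInfo -PfxPath $PfxPath -Password $Password
    if ($info.Sha2Capable) {
        Write-Host "Already using '$RequiredCsp'; nothing to do."
        return $info
    }
    Write-Host "Current provider: '$($info.Provider)'. Converting..."

    try {
        # Step 1: import into the store, binding the private key to the required CSP
        & certutil.exe -p $Password -csp $RequiredCsp -importPFX $PfxPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'certutil -importPFX failed' }

        # Step 2: export certificate and key, selected by serial number
        & certutil.exe -p $Password -exportPFX $info.Serial $OutPath 'NoChain,ExtendedProperties' | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'certutil -exportPFX failed' }
    }
    finally {
        # Step 3: always remove the temporary store entry, even if the export failed
        & certutil.exe -delStore My $info.Serial | Out-Null
    }

    # Step 4: dump the new file and refuse to return it unless the provider is correct
    $result = Get-PfxCspInfo -PfxPath $OutPath -Password $Password
    if (-not $result.Sha2Capable) {
        throw "Conversion failed: provider is still '$($result.Provider)'"
    }
    return $result
}

# Usage with placeholder values:
# Convert-PfxToEnhancedCsp -PfxPath .\test.pfx -Password 'password' -OutPath .\new.pfx
```

The try/finally is the important part: the private key only needs to be in the Windows certificate store for the duration of the export, so the -delStore step runs whether or not the export succeeded, and the final dump confirms the Provider line before the new PFX is handed to the SAML configuration.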



OpenSSL

Specifying the correct CSP may also be done using OpenSSL.
Windows binaries are available for download. Refer to the OpenSSL Wiki.
The latest 64-bit Windows non-light installer at Shining Light Productions OpenSSL Installers is recommended.
The following command outputs information about the private key and certificate including the CSP.

openssl pkcs12 -in idp.pfx

Enter Import Password:
MAC verified OK
Bag Attributes
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft Strong Cryptographic Provider
    friendlyName: PvkTmp:b143944f-c289-4e3c-b9cc-37ce1e8ada19
Key Attributes
    X509v3 Key Usage: 10

Press Ctrl+C a couple of times to return to the command prompt.

The Microsoft Strong Cryptographic Provider is suitable for SHA-1 XML signatures but doesn't support SHA-256 XML signatures.
The PFX can be recreated specifying the required CSP.
Firstly, it must be converted from PKCS12 to PEM format.

set RANDFILE=.\openssl.rnd

openssl pkcs12 -in idp.pfx -out idp.pem

Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Then it must be converted back to PKCS12 specifying the Microsoft Enhanced RSA and AES Cryptographic Provider.

openssl pkcs12 -export -in idp.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

Loading 'screen' into random state - done
Enter pass phrase for idp.pem:
Enter Export Password:
Verifying - Enter Export Password:

The new PFX file is now ready for generating SHA-256, SHA-384 and SHA-512 XML signatures.
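The two OpenSSL commands above prompt interactively for each password. The following PowerShell is an added example written for this page, not ComponentSpace's own code, which runs the same PKCS12 to PEM to PKCS12 round trip non-interactively using OpenSSL's -passin and -passout options, removes the intermediate PEM file (which holds the private key), and confirms the result with certutil. It assumes an openssl.exe build that accepts -CSP (the Shining Light Productions build referred to above) and certutil.exe are both on the PATH; the file paths and password are placeholders supplied by the caller.

```powershell
# Added example (not from the ComponentSpace page): the OpenSSL conversion steps above,
# scripted end to end. Assumptions: openssl.exe supports the -CSP option, certutil.exe
# is on PATH, and $PfxPath / $OutPath / $Password are placeholders from the caller.

function Convert-PfxCspWithOpenSsl {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$OutPath,
        [Parameter(Mandatory)][string]$Password
    )
    $csp = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    $pem = [System.IO.Path]::ChangeExtension($OutPath, '.pem')

    try {
        # Step 1: PKCS12 -> PEM. -passin unlocks the PFX; -passout encrypts the key in the PEM.
        & openssl pkcs12 -in $PfxPath -out $pem -passin "pass:$Password" -passout "pass:$Password"
        if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 (PFX to PEM) failed' }

        # Step 2: PEM -> PKCS12, writing the required CSP name into the key bag attributes.
        & openssl pkcs12 -export -in $pem -out $OutPath -CSP $csp `
            -passin "pass:$Password" -passout "pass:$Password"
        if ($LASTEXITCODE -ne 0) {
            throw 'openssl pkcs12 -export failed (builds without -CSP support fail here)'
        }
    }
    finally {
        # The intermediate PEM contains the private key; never leave it on disk.
        if (Test-Path $pem) { Remove-Item $pem -Force }
    }

    # Step 3: confirm with certutil, which reports the CSP on its "Provider = ..." line.
    $dump = & certutil.exe -p $Password -dump $OutPath 2>&1 | Out-String
    if ($dump -notmatch [regex]::Escape("Provider = $csp")) {
        throw "Provider check failed:`n$dump"
    }
    Write-Host "$OutPath now specifies '$csp'"
}

# Usage with placeholder values:
# Convert-PfxCspWithOpenSsl -PfxPath .\idp.pfx -OutPath .\new-idp.pfx -Password 'password'
```

Passing the password with pass: exposes it in the process command line, so this form suits a one-off run on an administrator's workstation rather than a shared build server; the certutil dump at the end is the same check described under "Checking the Cryptographic Service Provider" and catches the case where an OpenSSL build silently ignores or rejects -CSP.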

By ComponentSpace - 1/4/2017

I suspect you're using a version of openssl that doesn't support specifying the CSP.
We use the Shining Light Productions openssl. We're currently using:
OpenSSL 1.1.0c 10 Nov 2016
The latest 64-bit Windows non-light installer at Shining Light Productions OpenSSL Installers is known to work.