EldoS | Feel safer!

Software components for data protection, secure storage and transfer

how to create signatures with sha256 hash

Posted: 11/26/2010 07:40:59
by Christoph Moar (Standard support level)
Joined: 08/28/2009
Posts: 46

Hi all,
sorry if I ask such a maybe simple question, but I am a little confused about the various properties on the CMSSignature object (I use VCL C++ Builder version).

The point is that for legal reasons in Italy, from 01/01/2011 onto, the only hash function to be used for legal digital signatures is SHA256 (and not SHA-1 anymore).

I would like to be sure that I am correctly doing that, so please have a very short look at my code.

1) With CMS Signatures

With CMS Signatures I do something like this:

// now sign the message
int aNr = aMessage->AddSignature();
TElCMSSignature *aSignature = aMessage->Signatures[aNr];
// setting up some signature options
aSignature->UsePSS = false;
aSignature->SigningOptions = (TSBCMSSigningOptions)0;
aSignature->SigningOptions << csoInsertMessageDigests << csoInsertSigningTime << csoIncludeCertToMessage;

// configure and sign signature
aSignature->SigningTime = UTCNow();
aSignature->DigestAlgorithm = mSignatureHashMethod; // SHA256
aSignature->Sign(mCertificate, aMemoryCertStorage.get());

// check values
long aTest1 = aSignature->SignatureAlgorithm;
long aTest2 = aSignature->DigestAlgorithm;
long aTest3 = aSignature->PublicKeyAlgorithm;
long aTest4 = aSignature->FingerprintAlgorithm;

If I check the "SignatureAlgorithm" it does show "RSA" (0x0)
If I check the "DigestAlgorithm", it does show "SHA256" (0x7104)
If I check the "PublicKeyAlgorithm" it does show 0x7fff
If I check the "FingerprintAlgorithm" it does show "SHA1" (0x7101)

Is this signature thus effectively generated with a SHA256 Hash?
If I look at the signature DigestAlgorithm it is SHA256.
But if I look at the Certificate->SignatureAlgorithm it does say RSA-SHA1.

So please, give me a hint: am I doing all right and is my signature safe there?
I hope that Certificate->SignatureAlgorithm is the signature used by the CA that emitted my certificate.

But how can I check that the signature I applied is effectively RSA-SHA256?
Is "DigestAlgorithm" the right thing to do?

2) With PDF?

With PDFs i do something like:

// adding the signature and setting up property values
int aIndex = aPdfDocument->AddSignature();
aSignature = aPdfDocument->Signatures[aIndex];
aSignature->Handler = aSecurityHandler.get();
aSecurityHandler->SignatureType = pstPKCS7SHA1;

So here's the catch: how can I force the signature in pdf to use SHA256 hashing? Please help me on this.

Thanks for your help,

Posted: 11/26/2010 08:13:17
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

In case of using CMSSignature everithing is ok. You will get SHA-256 based signature in the result.


I hope that Certificate->SignatureAlgorithm is the signature used by the CA that emitted my certificate.

Yes this is the signature used by the CA that emitted your certificate.

In case of PDF you should use ElPDFPublicKeySecurityHandler.HashAlgoritm property to specify the algoritm used for hashing. So you should add next line to your code: aSecurityHandler->HashAlgoritm = SB_ALGORITHM_DGST_SHA256;



Topic viewed 2387 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!