EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Signature Algorithm

Also by EldoS: Solid File System
A virtual file system that offers a feature-rich storage for application documents and data with built-in compression and encryption.
#33587
Posted: 06/06/2015 22:14:51
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38

I created a self-signed CA Cert using RSA2048 / SHA256. I then created a certificate signing request also using RSA 2048 and SHA256. When I use the Generate method to sign the CSR with the CA Cert, the resulting certificate always has a SHA1 signature. Why is this?

I am using code from one of your samples. Here is my code:

CreatedCert = New SBX509Ex.TElX509CertificateEx(Nothing)
CreatedCert.CAAvailable = True
CreatedCert.SetCACertificate(CACert.CertificateBinary)
CreatedCert.ValidFrom = Me.ValidFrom
CreatedCert.ValidTo = Me.ValidTo
CACert.Generate(CertReq, CreatedCert)

'CertReq' is a SBPKCS10.TElCertificateRequest previously read from a file. It was created specifying SHA256 as stated above, yet after .Generate, 'CreatedCert' has a signature algorithm of SHA1.

I cannot set the signature algorithm property of CreatedCert since it is Read-Only.

What am I doing wrong?

Thank you in advance for your assistance.

Charlie
#33588
Posted: 06/07/2015 00:00:45
by Eugene Mayevski (EldoS Corp.)

Thank you for your question.

There's PreferredHashAlgorithm property in TElX509CertificateEx class, please set it to SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION .


Sincerely yours
Eugene Mayevski
#33612
Posted: 06/09/2015 10:59:33
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38

I tried it and unfortunately, it did not work. The CreatedCert still gets created with SignatureAlgorithm = 3 all the time, no matter what I do.
#33616
Posted: 06/09/2015 13:44:25
by Eugene Mayevski (EldoS Corp.)

Are you setting PreferredHashAlgorithm for CA certificate (as it should be) or for CreatedCert (not correct)? Please check this. I am sorry for not specifying the proper object before.


Sincerely yours
Eugene Mayevski
#33617
Posted: 06/09/2015 15:08:18
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38

I tried on the CA Cert and then on both, and no change. I still does not work. BTW, the CA Cert uses SHA256 itself, in case that makes any difference, which it shouldn't.

Thanks,
#33618
Posted: 06/09/2015 15:52:30
by Ken Ivanov (EldoS Corp.)

Hi Charlie,

First, let's clean up your code a little, as it contains some fragments which are irrelevant for scenarios where the certificate is generated from a CSR. In particular, CAAvailable and SetCACertificate settings are not needed for the CSR case.

Next, the PreferredHashAlgorithm expects you to provide a hash algorithm constant (SB_ALGORITHM_DGST_something), not a signature algorithm one (SB_CERT_ALGORITHM_hash_pkalg).

So the correct code for generating a SHA256-signed certificate from a request would look like:

Code
CACert = New SBX509Ex.TElX509CertificateEx(Nothing)
CACert.LoadFromFileAuto(...)

CreatedCert = New SBX509Ex.TElX509CertificateEx(Nothing)
CreatedCert.ValidFrom = Me.ValidFrom
CreatedCert.ValidTo = Me.ValidTo
CreatedCert.PreferredHashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256

CACert.Generate(CertReq, CreatedCert)


Hope this helps.

Cheers,

Ken
#33619
Posted: 06/09/2015 17:44:29
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38

Hi Ken,

This code comes from the sample application. I am actually trying to sign a Cert created by the sample application. In any case, I tried signing a CSR as indicated above and I get the same results.
#33622
Posted: 06/10/2015 03:30:52
by Ken Ivanov (EldoS Corp.)

Charlie,

I've sketched a sample VB.NET code for you. Please use it as a guide for generating SHA256-signed certificates:

Code
        ' Preparing certificate request
        Dim req As New TElCertificateRequest
        req.Subject.Add(SBConstants.Unit.SB_CERT_OID_COMMON_NAME, SBStrUtils.Unit.StrToUTF8("Sherlock Holmes"), SBASN1Tree.Unit.SB_ASN1_UTF8STRING)
        req.Generate(SBConstants.Unit.SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION, 2048, SBConstants.Unit.SB_CERT_ALGORITHM_SHA1_RSA_ENCRYPTION)

        ' Loading CA certificate from file
        Dim cert As New TElX509CertificateEx()
        Dim res = cert.LoadFromFileAuto("D:\Temp\cert.pfx", "password")
        If res <> 0 Then
            Throw New Exception("Failed to load CA certificate, error " + res.ToString)
        End If

        ' Generating new certificate with SHA256 signature algorithm
        Dim newCert As New TElX509CertificateEx()
        newCert.ValidFrom = DateTime.UtcNow
        newCert.ValidTo = newCert.ValidFrom.AddDays(30)
        cert.PreferredHashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256
        cert.Generate(req, newCert)

        ' Checking new certificate's signature algorithm
        MessageBox.Show(SBConstants.Unit.GetAlgorithmNameByAlgorithm(newCert.SignatureAlgorithm))


Ken
#33626
Posted: 06/10/2015 13:32:52
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38

Ken,

It's working now and would have worked the last time around but I forgot to change the PreferredHashAlgorithm to SBConstants.Unit.SB_ALGORITHM_DGST_SHA256 instead of the previous SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION.

I must say, these algorithm values are very confusing. It is difficult to know which one to use when they are all basically just byte, short or integer values.

For the future, I would suggest you use ENUMS instead of constants. It makes development much easier when properties or variables are specified as ENUMs because the Visual Studio IDE intellisense helps you select the correct group of values. And numerical enums can be easily converted to/from the integer values. Also enums have a built-in .ToString function which returns the name of the value and eliminates the need for functions like GetAlgorithmNameByAlgorithm.

Thanks for everyone's help.

Charlie
#33627
Posted: 06/10/2015 14:04:44
by Ken Ivanov (EldoS Corp.)

Charlie,

Great, thank you for confirming that.

We understand that using integer constants as algorithm identifiers may be confusing, but there were a couple of reasons for implementing them in that way. Still, your suggestion makes perfect sense, and we'll check what we can do about that in future.

Cheers,

Ken
Also by EldoS: CallbackRegistry
A component to monitor and control Windows registry access and create virtual registry keys.

Reply

Statistics

Topic viewed 714 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!