The other day a customer of mine got this exception when trying to use SHA-2 algorithms with the SignedCms class in their .NET 3.5 application:

Exception type: System.Security.Cryptography.CryptographicException
Message: An internal error occurred.

They got the exception on Windows Vista SP2/Server 2008 SP2 and later versions when using a third-party CSP. Why?
The SignedCms class uses CAPI2 (the CryptMsg* API) behind the scenes. CAPI2 requires a CNG provider for any algorithm that is not on the list in the CryptFindOIDInfo documentation, which says under "Hash Algorithms":
"Algorithms that are not listed are supported by using Cryptography API: Next Generation (CNG) only;"
In the customer's scenario, the third-party CSP was a legacy CSP, not a CNG provider.
Summing up, if you want to work with e.g. the SHA256, SHA384 and SHA512 algorithms, you will need a CNG provider.
Now, I will post about this in greater detail soon, but the SignedCms class doesn't support CNG. So basically, we cannot use SHA-2 algorithms with that class under this scenario.
I hope this helps.
Regards,
Alex (Alejandro Campos Magencio)
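As an added diagnostic (not code from the original post), the C# snippet below asks CryptFindOIDInfo, the function quoted above, what the local OID table says about each digest OID: whether it maps to a legacy ALG_ID that a CSP can be addressed with, or is marked CALG_OID_INFO_CNG_ONLY, and, on Vista and later, which CNG algorithm identifier it maps to. The constants and struct layout follow wincrypt.h; the well-known digest OIDs are listed inline, and the HashOidInfo type and Describe method are this example's own names. What it reports depends on the OS version it runs on, so run it on the machine where SignedCms fails.

```csharp
using System;
using System.Runtime.InteropServices;

// Added diagnostic, not code from the original post: queries the CryptoAPI OID
// table (CryptFindOIDInfo) to see how each digest OID is classified: a legacy
// ALG_ID, or CALG_OID_INFO_CNG_ONLY (the case the post describes for SHA-2).
static class HashOidCngCheck
{
    // wincrypt.h constants
    const uint CRYPT_OID_INFO_OID_KEY      = 1;
    const uint CRYPT_HASH_ALG_OID_GROUP_ID = 1;
    const uint CALG_OID_INFO_CNG_ONLY      = 0xFFFFFFFF;

    [StructLayout(LayoutKind.Sequential)]
    struct CRYPT_DATA_BLOB { public uint cbData; public IntPtr pbData; }

    // Full CRYPT_OID_INFO layout (Vista and later). Fields are read by offset,
    // and the trailing CNG fields only when cbSize says they are present.
    [StructLayout(LayoutKind.Sequential)]
    struct CRYPT_OID_INFO
    {
        public uint cbSize;
        public IntPtr pszOID;            // LPCSTR
        public IntPtr pwszName;          // LPCWSTR
        public uint dwGroupId;
        public uint Algid;               // union { dwValue; Algid; dwLength }
        public CRYPT_DATA_BLOB ExtraInfo;
        public IntPtr pwszCNGAlgid;      // LPCWSTR, e.g. "SHA256"
        public IntPtr pwszCNGExtraAlgid; // LPCWSTR
    }

    [DllImport("crypt32.dll", CharSet = CharSet.Ansi)]
    static extern IntPtr CryptFindOIDInfo(uint dwKeyType,
        [MarshalAs(UnmanagedType.LPStr)] string pvKey, uint dwGroupId);

    // Result record (this example's own type).
    public sealed class HashOidInfo
    {
        public string Oid, Name, CngAlgid;
        public uint Algid;
        public bool Found, CngOnly;
    }

    public static HashOidInfo Describe(string oid)
    {
        var r = new HashOidInfo { Oid = oid };
        IntPtr p = CryptFindOIDInfo(CRYPT_OID_INFO_OID_KEY, oid, CRYPT_HASH_ALG_OID_GROUP_ID);
        if (p == IntPtr.Zero) return r;               // not a known hash OID on this OS
        r.Found = true;

        Type t = typeof(CRYPT_OID_INFO);
        uint cbSize = (uint)Marshal.ReadInt32(p, (int)Marshal.OffsetOf(t, "cbSize"));
        r.Name  = Marshal.PtrToStringUni(Marshal.ReadIntPtr(p, (int)Marshal.OffsetOf(t, "pwszName")));
        r.Algid = (uint)Marshal.ReadInt32(p, (int)Marshal.OffsetOf(t, "Algid"));
        r.CngOnly = r.Algid == CALG_OID_INFO_CNG_ONLY;

        // pwszCNGAlgid exists only in the Vista-and-later version of the struct.
        if (cbSize >= (uint)Marshal.SizeOf(t))
        {
            IntPtr s = Marshal.ReadIntPtr(p, (int)Marshal.OffsetOf(t, "pwszCNGAlgid"));
            if (s != IntPtr.Zero) r.CngAlgid = Marshal.PtrToStringUni(s);
        }
        return r;
    }

    static void Main()
    {
        // Well-known digest OIDs, i.e. the values one would assign to CmsSigner.DigestAlgorithm.
        string[] oids = {
            "1.3.14.3.2.26",           // SHA-1
            "1.2.840.113549.2.5",      // MD5
            "2.16.840.1.101.3.4.2.1",  // SHA-256
            "2.16.840.1.101.3.4.2.2",  // SHA-384
            "2.16.840.1.101.3.4.2.3",  // SHA-512
        };
        foreach (string oid in oids)
        {
            HashOidInfo i = Describe(oid);
            string verdict = !i.Found ? "unknown to this OS"
                           : i.CngOnly ? "CNG only (needs a KSP; a legacy CSP cannot serve it)"
                           : "legacy ALG_ID 0x" + i.Algid.ToString("X4") + " (addressable through a CSP)";
            Console.WriteLine("{0,-24} {1,-8} {2,-8} {3}", oid, i.Name, i.CngAlgid, verdict);
        }
    }
}
```

The OID you pass to Describe is the same one you would set as CmsSigner.DigestAlgorithm before calling SignedCms.ComputeSignature; if the table reports it as CNG only and the signing certificate's key lives in a legacy CSP, that is the combination the post says cannot work.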
Hi, I have a similar problem. Since Vista, the SHA-2 algorithms are nominally supported by CryptoApi, but when it's time to sign the calculated hash, my CSP gets some strange CPxxx calls and then the upper layer returns 'internal error'.
That's what happens:
- when signing with SHA-1 or MD-5, simply the CPSignHash gets called
- when signing with SHA-256 instead I get a call to CPGetProvParam asking the CSP name (???), then another call to CPGetProvParam (in both of these calls I'm careful to behave properly and return successfully), and then the upper layer using CryptoAPI fails.
To be precise, I get the failure in CryptMsgUpdate( msg, buffer, size, TRUE), the FINAL call, so at the time the actual signature is performed.
Please let me know what I can do for this... and if there's something to do! :)
Are you using a legacy CSP or a CNG provider? I guess you are using a legacy CSP. In that case, and as I said in the post, CryptMsg* only supports SHA-2 with CNG providers, and your CSP won't work even if it implements SHA-2 algorithms.
If you need more info or to confirm this officially by debugging the CryptoAPI, etc., I suggest you open a case with us, Microsoft Technical Support.
Hi Alex, thanks for the quick answer.
I use a self-developed CSP, which gets called by CryptoAPI (old-style, I never used CNG).
The CryptoAPI (on Vista and higher) calculates the SHA-256 hash, but at the time when it should call CPSignHash in the CSP, it calls CPGetProvParam, asking the NAME of the CSP.
What I suppose is that the CryptoAPI somehow doesn't like that name... perhaps it should be registered somewhere into the registry as a valid sha-2 signature provider? Does it expect a KSP instead of a CSP?
David, CryptMsg* API requires a CNG provider on Vista and later when using SHA-2. So you won't be able to use your self-developed legacy CSP.
When using SHA-2, CryptMsgUpdate ends up calling NCryptOpenStorageProvider to access a CNG provider, and that function returns "An internal error occurred" for third-party legacy CSPs.
I believe there is a typo bug in CAPIBase:
internal const string szOID_OIWSEC_SHA256 = "2.16.8220.127.116.11.4.1";
internal const string szOID_OIWSEC_SHA384 = "2.16.818.104.22.168.4.2";
internal const string szOID_OIWSEC_SHA512 = "2.16.822.214.171.124.4.3";
Other discussion on this topic is here: social.msdn.microsoft.com/.../0cc90bdd-35f9-4a7d-8025-89f7ea9f9704