The other day a customer of mine got this exception when trying to use SignedCms and EnvelopedCms class with a CNG provider in their .NET 3.5 application:
Exception type: System.Security.Cryptography.CryptographicExceptionMessage: Invalid provider type specified.
They needed to use SHA-2 and AES algorithms with those CMS classes, and we already saw that we need a CNG provider for that on Vista and later:
"An internal error ocurred" when using SHA-2 algorithms with SignedCMS
"An internal error ocurred" when using AES algorithms with EnvelopedCms
The reason for this exception is that .NET doesn't support CNG on those types yet. Current CNG support in the .NET Framework extends only to explicit algorithm wrappers with CNG suffixes (ECDsaCng, SHA256Cng, etc.). None of the higher level services have CNG plumbed through (for instance, CMS, SignedXml, X509Certificate, etc).
There are some open source .NET extensions in CodePlex site to work with CNG, but they don't support CMS stuff as far as I can tell: CLR Security.
So an alternative we have to work with CMS and SHA2 or AES algorithms, is to call CryptMsg API directly through p/invoke and use a CNG provider.
Sample on how to call CryptMsg API from .NET (no CNG included, sorry): How to call CryptMsg API in streaming mode (C#)
I hope this helps.
Alex (Alejandro Campos Magencio)