Thread: SHA256RSA data signing




Replies: 8 - Last Post: Mar 18, 2014 7:28 AM - Last Post By: Roy Gaber
Roy Gaber

Posts: 6
Registered: 10/30/01
SHA256RSA data signing
  Posted: Nov 4, 2013 1:30 PM
I have code which signs data using crypt32.dll via the CryptSignMessage API. The code works flawlessly when employing SHA1RSA as the HashAlgorithm; however, when changing over to SHA256RSA the API call fails with a non-descriptive error, "An internal error has occurred".

Does anyone have any experience with cryptography and Delphi, specifically using wcrypt2.pas from the JEDI project and SHA256RSA for data signing?

Does anyone know how I could go about debugging the call to the dll? I have been unsuccessful in finding debug symbols for Microsoft's crypt32.dll.

Any help would be greatly appreciated.

Edited by: Roy Gaber on Nov 4, 2013 1:31 PM

Edited by: Roy Gaber on Nov 4, 2013 1:32 PM
Henrick Hellström

Posts: 144
Registered: 12/18/00
Re: SHA256RSA data signing
  Posted: Nov 5, 2013 7:24 AM in response to: Roy Gaber
Roy Gaber wrote:

I have code which signs data using crypt32.dll via the
CryptSignMessage API. The code works flawlessly when employing
SHA1RSA as the HashAlgorithm; however, when changing over to
SHA256RSA the API call fails with a non-descriptive error, "An
internal error has occurred".

Wrong group. Try the groups at news://news.jedi-delphi.org or
embarcadero.public.delphi.platformspecific.win32 on this server.

FWIW, there is nothing wrong with the sha256rsa algorithm. I have
implemented sha256WithRSAEncryption myself, and Windows has no problems
verifying the signatures generated with my code. :)
Roy Gaber

Posts: 6
Registered: 10/30/01
Re: SHA256RSA data signing
  Posted: Nov 5, 2013 8:04 AM in response to: Henrick Hellström
Thank you, I didn't realize this was the wrong forum; thank you for setting me in the right direction.

Regarding your code using SHA256RSA, would you mind sharing that with me? My project is Delphi-based (XE4) and, like I mentioned, I can use SHA1RSA without error; it is only when I change the algorithm to SHA256RSA that the problem occurs. I have been to the JEDI site and have relentlessly searched the web for an answer. I figured the Algorithm group would be the place to post this question. Do you have any insight as to which data types may need to change, if any, when I switch to the SHA256 algorithm?


Henrick Hellström wrote:
Roy Gaber wrote:

I have code which signs data using crypt32.dll via the
CryptSignMessage API. The code works flawlessly when employing
SHA1RSA as the HashAlgorithm; however, when changing over to
SHA256RSA the API call fails with a non-descriptive error, "An
internal error has occurred".

Wrong group. Try the groups at news://news.jedi-delphi.org or
embarcadero.public.delphi.platformspecific.win32 on this server.

FWIW, there is nothing wrong with the sha256rsa algorithm. I have
implemented sha256WithRSAEncryption myself, and Windows has no problems
verifying the signatures generated with my code. :)
Henrick Hellström

Posts: 144
Registered: 12/18/00
Re: SHA256RSA data signing
Helpful
  Posted: Nov 5, 2013 8:21 AM in response to: Roy Gaber
Roy Gaber wrote:

I have been to the JEDI site and have relentlessly searched the web
for an answer.

I gave you the URL for their nntp server. I don't think their support
forum is mirrored as a web page.

I figured the Algorithm group would be the place to post this
question. Do you have any insight as to which data types may need to
change, if any, when I switch to the SHA256 algorithm?

If you use it for signing and provide the API function with a digest
value, that digest value has to be 32 bytes in size (256 bits), as
opposed to the 20 bytes (160 bits) of SHA-1. That is all I can think
of, but then again, I haven't paid much attention to the specifics of
CryptoAPI.
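The digest-length rule above, exercised from PowerShell as an added example (this is not code from the thread, and it uses .NET's CryptoAPI wrapper RSACryptoServiceProvider instead of Delphi/wcrypt2). It assumes Windows PowerShell 5.1 on .NET Framework, where the default CSP for a new RSACryptoServiceProvider key is the Microsoft Enhanced RSA and AES Cryptographic Provider, which supports SHA-2. A 20-byte SHA-1 digest handed to the CSP under the sha256 OID is expected to be refused with a CryptographicException; on a CSP without SHA-2 support the CryptCreateHash step itself fails, which is the error family this thread is about.

```powershell
# Added example, not code from the thread: the digest length handed to CryptoAPI must match
# the hash OID. Assumes Windows PowerShell 5.1 / .NET Framework (assumption, see lead-in).
$sha1Oid   = '1.3.14.3.2.26'           # OID for sha1
$sha256Oid = '2.16.840.1.101.3.4.2.1'  # OID for sha256

# Constructed sample input.
$data = [System.Text.Encoding]::UTF8.GetBytes('constructed sample message')
$digest20 = [System.Security.Cryptography.SHA1]::Create().ComputeHash($data)    # 20 bytes / 160 bits
$digest32 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($data)  # 32 bytes / 256 bits

# Ephemeral 2048-bit key in the default CSP (Microsoft Enhanced RSA and AES, SHA-2 capable).
# PersistKeyInCsp = $false leaves no key container behind on disk.
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$rsa.PersistKeyInCsp = $false
try {
    "Key provider:   $($rsa.CspKeyContainerInfo.ProviderName)"
    "SHA-1 digest:   $($digest20.Length) bytes; SHA-256 digest: $($digest32.Length) bytes"

    # Digest length matches the OID: both signatures are produced and verify.
    $sig1 = $rsa.SignHash($digest20, $sha1Oid)
    $sig2 = $rsa.SignHash($digest32, $sha256Oid)
    "sha1WithRSA   signature: $($sig1.Length) bytes, verifies: $($rsa.VerifyHash($digest20, $sha1Oid, $sig1))"
    "sha256WithRSA signature: $($sig2.Length) bytes, verifies: $($rsa.VerifyHash($digest32, $sha256Oid, $sig2))"

    # Digest length does not match the OID (20-byte value labelled sha256): the CSP refuses it.
    try {
        $null = $rsa.SignHash($digest20, $sha256Oid)
        'Unexpected: a 20-byte digest was accepted as SHA-256'
    } catch [System.Security.Cryptography.CryptographicException] {
        "Mismatched digest rejected by the CSP: $($_.Exception.Message)"
    }
} finally {
    $rsa.Dispose()
}
```

Both signatures come out at 256 bytes for a 2048-bit key regardless of hash; only the DigestInfo inside the PKCS#1 padding differs, so a size change in the output blob is not where a SHA-1 to SHA-256 switch shows up.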
Roy Gaber

Posts: 6
Registered: 10/30/01
Re: SHA256RSA data signing
  Posted: Nov 8, 2013 9:28 AM in response to: Henrick Hellström
Would you mind sharing the code you used for this, so I can compare it to mine to see if I can find the differences in the setup of the digest?

Like I said, it works for SHA1RSA; I change nothing in the CRYPT_SIGN_MESSAGE_PARA structure except for the HashAlgorithm. I can use the certs for signing Word documents and PDFs without a problem.

Henrick Hellström wrote:
Roy Gaber wrote:

I have been to the JEDI site and have relentlessly searched the web
for an answer.

I gave you the URL for their nntp server. I don't think their support
forum is mirrored as a web page.

I figured the Algorithm group would be the place to post this
question. Do you have any insight as to which data types may need to
change, if any, when I switch to the SHA256 algorithm?

If you use it for signing and provide the API function with a digest
value, that digest value has to be 32 bytes in size (256 bits), as
opposed to the 20 bytes (160 bits) of SHA-1. That is all I can think
of, but then again, I haven't paid much attention to the specifics of
CryptoAPI.
Henrick Hellström

Posts: 144
Registered: 12/18/00
Re: SHA256RSA data signing
  Posted: Nov 8, 2013 10:26 AM in response to: Roy Gaber
Roy Gaber wrote:

Would you mind sharing the code you used for this, so I can compare
it to mine to see if I can find the differences in the setup of the
digest?

Well, sure, but it is not likely to help with your problem: I use
StreamSec Tools for generating certificates with a
sha256WithRSAEncryption signature. These certificates are verified OK
by the Windows certificate manager (which uses CryptoAPI under the
hood), as well as other implementations, such as Mozilla, OpenSSL etc.

Like I said, it works for SHA1RSA; I change nothing in the
CRYPT_SIGN_MESSAGE_PARA structure except for the HashAlgorithm. I
can use the certs for signing Word documents and PDFs without a
problem.

Is the RSA key 2048 bits or more? Do you accommodate for differences in
the blob output sizes (due to different attributes and object
identifiers)?
Roy Gaber

Posts: 6
Registered: 10/30/01
Re: SHA256RSA data signing
  Posted: Dec 13, 2013 12:17 PM in response to: Henrick Hellström
Henrick Hellström wrote:
Roy Gaber wrote:

Would you mind sharing the code you used for this, so I can compare
it to mine to see if I can find the differences in the setup of the
digest?

Well, sure, but it is not likely to help with your problem: I use
StreamSec Tools for generating certificates with a
sha256WithRSAEncryption signature. These certificates are verified OK
by the Windows certificate manager (which uses CryptoAPI under the
hood), as well as other implementations, such as Mozilla, OpenSSL etc.

Like I said, it works for SHA1RSA; I change nothing in the
CRYPT_SIGN_MESSAGE_PARA structure except for the HashAlgorithm. I
can use the certs for signing Word documents and PDFs without a
problem.

Is the RSA key 2048 bits or more? Do you accommodate for differences in
the blob output sizes (due to different attributes and object
identifiers)?

The size is 2264.

I have tried everything I can think of and still no luck. Which parameters in the CRYPT_SIGN_MESSAGE_PARA structure would need to change, if any, when changing the hash algorithm from SHA1RSA to SHA256RSA? The structure looks like this for both calls to CryptSignMessage:

// Zero-initialise the signing parameters, then fill in what we use
aSignMsgParam.CbSize := SizeOf(CRYPT_SIGN_MESSAGE_PARA);
aSignMsgParam.PvHashAuxInfo := nil;
aSignMsgParam.cMsgCert := 0;
aSignMsgParam.RgpMsgCert := nil;
aSignMsgParam.CMsgCrl := 0;
aSignMsgParam.RgpMsgCrl := nil;
aSignMsgParam.CAuthAttr := 0;
aSignMsgParam.RgAuthAttr := nil;
aSignMsgParam.CUnauthAttr := 0;
aSignMsgParam.RgUnauthAttr := nil;
aSignMsgParam.DwFlags := 0;
aSignMsgParam.DwInnerContentType := 0;
aSignMsgParam.PSigningCert := aPCertContext;
aSignMsgParam.DwMsgEncodingType := PKI_ENCODING_TYPE;

{ The line commented out below is causing a Crypto error which needs
  to be tracked down in order to satisfy SHA256 signing }

//aSignMsgParam.HashAlgorithm.PszObjId := szOID_RSA_SHA256RSA;
aSignMsgParam.HashAlgorithm.PszObjId := szOID_RSA_SHA1RSA;
aSignMsgParam.HashAlgorithm.Parameters.CbData := 0;

// The signing cert, also included in the message's certificate list
aSignMsgParam.cMsgCert := 1;
aSignMsgParam.RgpMsgCert := @aPCertContext;

// The data to be signed and its length
aHashValue := aPKIEncryptionDataEx.getHashValue;
aHashValueLength := Length(aHashValue);

RgpbToBeSigned[0] := @aHashValue;
RgcbToBeSigned[0] := @aHashValueLength;

aSignatureLength := 0;

{ Get the size of the signature first (nil output buffer) }
if CryptSignMessage(@aSignMsgParam, False, 1, RgpbToBeSigned[0], RgcbToBeSigned[0], nil, @aSignatureLength) then
  fOnLogEvent('Successfully retrieved the required size of the signature: ' + IntToStr(aSignatureLength))
else
  raise EPKIEncryptionError.Create(getLastSystemError);

With SHA1RSA this works flawlessly; when I comment out the SHA1RSA line and uncomment the SHA256RSA line, the CryptSignMessage call fails with no real error message, other than

"an internal error occurred".

Edited by: Roy Gaber on Dec 13, 2013 2:22 PM

Roy Gaber

Posts: 6
Registered: 10/30/01
Re: SHA256RSA data signing
  Posted: Mar 18, 2014 7:27 AM in response to: Roy Gaber
Roy Gaber wrote:
I have code which signs data using crypt32.dll via the CryptSignMessage API. The code works flawlessly when employing SHA1RSA as the HashAlgorithm; however, when changing over to SHA256RSA the API call fails with a non-descriptive error, "An internal error has occurred".

Does anyone have any experience with cryptography and Delphi, specifically using wcrypt2.pas from the JEDI project and SHA256RSA for data signing?

Does anyone know how I could go about debugging the call to the dll? I have been unsuccessful in finding debug symbols for Microsoft's crypt32.dll.

Any help would be greatly appreciated.

Edited by: Roy Gaber on Nov 4, 2013 1:31 PM

Edited by: Roy Gaber on Nov 4, 2013 1:32 PM

It turns out that there was nothing wrong with the code; it was the CSP being used. The version I was using was not capable of SHA-2, and an upgrade of the CSP allowed the code to work as designed.
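A check for the root cause named above, as an added example that is not part of the thread: it lists the certificates with private keys in a store and reports which CSP or KSP holds each key, because the legacy PROV_RSA_FULL providers (Base, Enhanced, Strong) cannot produce SHA-2 signatures while the Microsoft Enhanced RSA and AES Cryptographic Provider and the CNG key storage providers can. The function name Get-SignerProviderReport, the store path default and the probe buffer are my own choices; it assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, where RSACertificateExtensions.GetRSAPrivateKey returns either an RSACryptoServiceProvider (CSP key) or an RSACng (CNG key).

```powershell
# Added example, not code from the thread (assumption: Windows PowerShell 5.1, .NET 4.6+).
# Reports the provider behind each signing key and, with -Probe, tries a real SHA-256 signature.
function Get-SignerProviderReport {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [switch]$Probe   # actually sign with SHA-256; a smart-card key may prompt for its PIN
    )

    # CSPs known to lack SHA-2. Anything else is reported as-is for the reader to judge.
    $legacy = @(
        'Microsoft Base Cryptographic Provider v1.0',
        'Microsoft Enhanced Cryptographic Provider v1.0',
        'Microsoft Strong Cryptographic Provider'
    )
    $sample = [System.Text.Encoding]::ASCII.GetBytes('constructed probe data')  # constructed input

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert        = $_
        $provider    = 'unknown'
        $keyType     = 'unknown'
        $probeResult = 'not probed'
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) {
                $provider = 'no RSA private key (non-RSA key or inaccessible)'
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $keyType  = 'CSP'
                $provider = $rsa.CspKeyContainerInfo.ProviderName
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $keyType  = 'CNG'
                $provider = $rsa.Key.Provider.Provider
            }
            if ($Probe -and $null -ne $rsa) {
                try {
                    $null = $rsa.SignData($sample,
                        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
                    $probeResult = 'SHA-256 signature OK'
                } catch {
                    $probeResult = "SHA-256 signing failed: $($_.Exception.Message)"
                }
            }
        } catch {
            $provider = "error: $($_.Exception.Message)"
        }

        if ($keyType -eq 'CNG')              { $verdict = 'yes (CNG KSP)' }
        elseif ($legacy -contains $provider) { $verdict = 'no (legacy CSP, upgrade or re-key)' }
        else                                 { $verdict = 'check provider documentation' }

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            KeyType     = $keyType
            Provider    = $provider
            Sha2Capable = $verdict
            Probe       = $probeResult
        }
    }
}

# Usage: report only, then with a live SHA-256 probe.
Get-SignerProviderReport | Format-Table -AutoSize
# Get-SignerProviderReport -Probe | Format-Table -AutoSize
```

The provider name alone is usually enough to explain a failing SHA256RSA call: a certificate whose key was enrolled into a Base/Enhanced/Strong container will sign with SHA-1 and fail with SHA-256 no matter how CRYPT_SIGN_MESSAGE_PARA is filled in, which matches the outcome of this thread. The -Probe switch confirms it empirically on the key in question rather than on the name.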
Roy Gaber

Posts: 6
Registered: 10/30/01
Re: SHA256RSA data signing
  Posted: Mar 18, 2014 7:28 AM in response to: Roy Gaber
See last post.