Vista Banter - View Single Post - Fixed hash algorithm in CertEnroll library

**Roman Sedov** · August 29th 06, 08:32 AM posted to microsoft.public.windows.vista.security

Hello!

The problem is fixed hash algorithm (SHA1) used in CertEnroll library.

That's why we can't create a certificate request using our Cryptographic
Provider (CSP), that implements Russian Crypto-algorithms but not SHA1.

X509Enrollment.IX509CertificateRequestPkcs10 interface has HashAlgorithm
property that is used for signing PKCS#10. But after creating PKCS#10
CertEnroll creates "dummy-certificate" for the "Request" store (like XEnroll
does). And it tries to sign this certificate with fixed in
CertEnroll::CX509SignatureInformation::SetDefaultV alues SHA1. We think that
it is more correct to use the same hash algorithm as for signing PKCS#10.

And several comments for "Certificate Enrollment" wizard from
"Certificates" snap-in:

First of all there is similar problem. User can't choose hash algorithm for
request signing. So, there is no UI for HashAlgorithm property.

The last build of Windows Vista we looked at is 5536.

Related links a

http://www.ietf.org/rfc/rfc4357.txt

http://www.ietf.org/rfc/rfc4357.txt

http://www.ietf.org/rfc/rfc4491.txt

P.S. If such behavior won't be corrected in release version of Vista, we
will have to resolve it in any way, this is critical for us. So, we will
request a fix for Vista using our benefits as Microsoft Gold Certified
Partner. So, we want to ask Microsoft to help us to avoid this process!

Thank you!

Roman Sedov
Crypto-Pro Company
Phone: +7(495)933-1168, +7(495)689-43-67
WWW: http://www.cryptopro.ru
e-mail: