[xmlsec] Signing on Windows using SHA-256 hash

Miklos Vajna vmiklos at vmiklos.hu
Wed Mar 9 00:45:32 PST 2016


On Tue, Mar 08, 2016 at 09:21:37AM -0800, Aleksey Sanin <aleksey at aleksey.com> wrote:
> First, as I mentioned before, I would be happy to merge all the
> upstream patches that makes sense for the main xmlsec. Please
> don't hesitate to send pull requests :)

Yes, thanks for the enouragement. The only patches I did myself are
these SHA-256 and the relationship ones, so for the rest I need to work
out what they do, bring them up to date against master, and can only
submit them then, so it takes time. But that's my long-term goal.

> Unfortunately, I don't have a Windows environment anymore so I can't
> debug it myself. But I can give you a suggestion. As far as I recall,
> there is a function xmlSecMSCryptoFindProvider() which is used to
> find out the crypto provider for specific operation. I would suggest
> to put a breakpoint on this function and compare parameters for
> the cases of signing and verification.
> Let me know if it makes sense at all!

Right, I found that. At the end my problem was that I incorrectly
generated my test certificates. After reading tests/keys/README
carefully again, I found that I did not use -CSP, and that's why the
certificate was loaded from the old store, which doesn't support SHA2.

After using '-CSP "Microsoft Enhanced RSA and AES Cryptographic
Provider"' when generating the .p12 file my upgraded 1.2.15 + patches
result works as expected. :-)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20160309/d050803d/attachment.sig>

More information about the xmlsec mailing list