Using SHA256 with RSACryptoServiceProvider in a WebApplication - by MD7i

Status: Fixed

This item has been fixed in the current or upcoming version of this product. A more detailed explanation for the resolution of this particular item may have been provided in the comments section.


ID: 584754
Status: Closed
Type: Bug
Repros: 1
Opened: 8/9/2010 9:00:12 AM
Access Restriction: Public

Description

Using RSACryptoServiceProvider or RSAPKCS1SignatureFormatter to create digital signatures with SHA256 does not work on Windows Server 2008R2.

According to the following posts:
- http://blogs.msdn.com/shawnfa/archive/2008/08/25/using-rsacryptoserviceprovider-for-rsa-sha256-signatures.aspx
- http://social.msdn.microsoft.com/Forums/en-US/clr/thread/f9d78789-223f-4134-a3e0-fab6bd09100f
- https://connect.microsoft.com/VisualStudio/feedback/details/411320/using-sha256-with-rsacryptoserviceprovider?wa=wsignin1.0

RSACryptoServiceProvider with SHA256 should be able to use the SHA256 implementation of CSP or CNG. The last URL posted above also mentions that this issue would be fixed in .NET 4.0. However, I am seeing this is NOT true.

The only SHA256 implementation I see working is SHA256Managed(). But I am planning to run my application with the FIPS policy set to allow only FIPS-validated algorithms. In such a case I am unable to use SHA256 for RSA signing purposes.

I should also mention that creating SHA256 hashes with the implementation in CSP or CNG does work (in FIPS mode also). It is only when one passes a SHA256 object to the RSACryptoServiceProvider.SignData() function that the problem resurfaces.

Besides the codeplex workaround listed somewhere, is there any solution for creating RSA-SHA256 signatures in a FIPS-validated manner on Windows Server 2008 R2?

(I would want to avoid running the codeplex workaround to the extent possible)
Posted by Microsoft on 9/15/2010 at 3:16 PM
Hi,

Please try the following work-around, which should provide RSA-SHA256 in a FIPS-compliant environment:
            using System.Security.Cryptography;

            // 'data' is the byte[] to sign. SHA256CryptoServiceProvider is the CAPI-backed (FIPS-validated)
            // SHA-256; passing the SHA-256 OID to SignHash lets the CSP build the PKCS#1 DigestInfo itself.
            const string Sha256Oid = "2.16.840.1.101.3.4.2.1";
            var rsaProvider = new RSACryptoServiceProvider();
            HashAlgorithm hAlg = new SHA256CryptoServiceProvider();
            var hash = hAlg.ComputeHash(data);
            var result = rsaProvider.SignHash(hash, Sha256Oid);

Mueez Siddiqui
SDE - CLR Team
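The following is an added example, not code from this thread or from the CLR team, that carries the SignHash workaround above through end to end and also shows the condition the reporter's failure usually comes down to: SHA-256 signing through RSACryptoServiceProvider depends on which CryptoAPI provider the key container belongs to. The legacy PROV_RSA_FULL providers (type 1) have no SHA-2 support, so SignHash/SignData with a SHA-256 OID throws "Invalid algorithm specified", while the "Microsoft Enhanced RSA and AES Cryptographic Provider" (PROV_RSA_AES, type 24) supports it. Keys obtained from a certificate's PrivateKey commonly sit in a type-1 container, and the same container can be re-opened under type 24 because the Microsoft software CSPs share key storage. Assumptions: .NET Framework on Windows with the CAPI-backed classes; the container names `Sha256DemoAes` and `Sha256DemoFull`, the 2048-bit key size, and the sample message are arbitrary constructed values; the provider-type constants are CryptoAPI's PROV_RSA_FULL = 1 and PROV_RSA_AES = 24.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the Connect thread): RSA-SHA256 signing with the
// FIPS-validated CSP hash, and the CSP provider-type pitfall behind the failure.
static class RsaSha256Demo
{
    const string Sha256Oid = "2.16.840.1.101.3.4.2.1"; // id-sha256
    const int ProvRsaFull = 1;  // PROV_RSA_FULL: legacy Microsoft RSA CSPs, no SHA-2
    const int ProvRsaAes  = 24; // PROV_RSA_AES: "Microsoft Enhanced RSA and AES Cryptographic Provider"

    // Create (or open) a key in a named container under the given provider type.
    // Container names here are hypothetical; any name works.
    static RSACryptoServiceProvider OpenKey(int providerType, string containerName)
    {
        var csp = new CspParameters(providerType) { KeyContainerName = containerName };
        return new RSACryptoServiceProvider(2048, csp);
    }

    // Hash with the CAPI-backed SHA-256 (allowed under the FIPS policy) and sign the digest.
    // SignHash with the OID makes the CSP wrap the digest in the PKCS#1 v1.5 DigestInfo;
    // the CSP that owns the private key must support CALG_SHA_256 or this throws.
    static byte[] SignSha256(RSACryptoServiceProvider rsa, byte[] data)
    {
        using (var sha = new SHA256CryptoServiceProvider())
            return rsa.SignHash(sha.ComputeHash(data), Sha256Oid);
    }

    static bool VerifySha256(RSACryptoServiceProvider rsa, byte[] data, byte[] signature)
    {
        using (var sha = new SHA256CryptoServiceProvider())
            return rsa.VerifyHash(sha.ComputeHash(data), Sha256Oid, signature);
    }

    // A key that lives in a PROV_RSA_FULL container (typical for X509Certificate2.PrivateKey)
    // can be re-opened under PROV_RSA_AES by container name; SHA-256 then works on the same key.
    static RSACryptoServiceProvider ReopenAsAes(RSACryptoServiceProvider legacy)
    {
        CspKeyContainerInfo info = legacy.CspKeyContainerInfo;
        var csp = new CspParameters(ProvRsaAes, null, info.KeyContainerName);
        if (info.MachineKeyStore) csp.Flags |= CspProviderFlags.UseMachineKeyStore;
        csp.Flags |= CspProviderFlags.UseExistingKey; // fail loudly rather than generate a new key
        return new RSACryptoServiceProvider(csp);
    }

    static void Main()
    {
        byte[] data = Encoding.UTF8.GetBytes("constructed sample message"); // constructed input

        // 1. Under PROV_RSA_AES the workaround from the thread works as posted.
        using (var rsaAes = OpenKey(ProvRsaAes, "Sha256DemoAes"))
        {
            byte[] sig = SignSha256(rsaAes, data);
            Console.WriteLine("PROV_RSA_AES  : signature verifies = " + VerifySha256(rsaAes, data, sig));
            data[0] ^= 0x01; // tamper one byte: verification must now fail
            Console.WriteLine("PROV_RSA_AES  : tampered verifies  = " + VerifySha256(rsaAes, data, sig));
            data[0] ^= 0x01;
            rsaAes.PersistKeyInCsp = false; // remove the demo container on Dispose
        }

        // 2. The same call against a PROV_RSA_FULL container is the failure seen in practice.
        using (var rsaFull = OpenKey(ProvRsaFull, "Sha256DemoFull"))
        {
            try
            {
                SignSha256(rsaFull, data);
                Console.WriteLine("PROV_RSA_FULL : unexpectedly succeeded");
            }
            catch (CryptographicException ex)
            {
                Console.WriteLine("PROV_RSA_FULL : " + ex.Message); // typically "Invalid algorithm specified"
            }

            // 3. Re-open that container as PROV_RSA_AES; the same key now signs with SHA-256.
            using (var reopened = ReopenAsAes(rsaFull))
            {
                byte[] sig = SignSha256(reopened, data);
                Console.WriteLine("re-opened as PROV_RSA_AES: verifies = " + VerifySha256(reopened, data, sig));
            }
            rsaFull.PersistKeyInCsp = false;
        }
    }
}
```

The practical check before blaming the hash class is `rsa.CspKeyContainerInfo.ProviderType`: if it is 1, no SHA-2 digest will sign through that handle regardless of whether the hash came from SHA256CryptoServiceProvider, SHA256Cng or SHA256Managed, and ReopenAsAes (or creating the key under type 24 in the first place) is the fix.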
Posted by Microsoft on 8/9/2010 at 8:13 PM
Thank you for reporting the issue.
We are routing this issue to the appropriate group within the Visual Studio Product Team for triage and resolution. These specialized experts will follow up with your issue.