SHA-256 and Cryptographic Service Provider Types
SHA-256, SHA-384 and SHA-512 XML signatures require the Microsoft Enhanced RSA and AES Cryptographic Provider. When trying to sign data using SHA-256 on another provider type you may encounter the exception System.Security.Cryptography.CryptographicException: Invalid algorithm specified.
If the private key isn't associated with the correct Cryptographic Service Provider (CSP), it can be converted to specify the Microsoft Enhanced RSA and AES Cryptographic Provider.
One method to perform this conversion is to use OpenSSL.
Windows binaries are available for download. Refer to the OpenSSL Wiki.
The following command outputs information about the private key and certificate including the CSP.
openssl pkcs12 -in idp.pfx Enter Import Password: MAC verified OK Bag Attributes localKeyID: 01 00 00 00 Microsoft CSP Name: Microsoft Strong Cryptographic Provider friendlyName: PvkTmp:b143944f-c289-4e3c-b9cc-37ce1e8ada19 Key Attributes X509v3 Key Usage: 10 The Microsoft Strong Cryptographic Provider is suitable for SHA-1 XML signatures but doesn't support SHA-256 XML signatures.
The PFX can be recreated specifying the required CSP. Firstly, it must be converted from PKCS12 to PEM format.
openssl pkcs12 -in idp.pfx -out idp.pem Enter Import Password: MAC verified OK Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
Then it must be converted back to PKCS12 specifying the Microsoft Enhanced RSA and AES Cryptographic Provider.
openssl pkcs12 -export -in idp.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" Loading 'screen' into random state - done Enter pass phrase for idp.pem: Enter Export Password: Verifying - Enter Export Password:
The new PFX file is now ready for generating SHA-256, SHA-384 and SHA-512 XML signatures.
Last updated on: Tuesday 15th August 2017