tdbhacks
commented
1 year ago Hello,
I am not familiar with this flow, but per the CNG spec, the pPaddingInfo parameter should really only be used when passing in structs of type BCRYPT_PKCS1_PADDING_INFO or BCRYPT_PSS_PADDING_INFO.
I guess the parameter description leaves some room for interpretation because it says "This parameter is only used with asymmetric keys and must be NULL otherwise", and ECDSA is an asymmetric algorithm, but we are expecting it to be NULL in our provider because it doesn't really make sense to specify it for ECDSA algorithms (unless my reading of the spec is wrong).
Just to confirm, are you trying to use this with an ECDSA key or an RSA-PKCS1 / RSA-PSS key? See the limitations section. If you are indeed using an ECDSA key, I'll tweak the provider logging when I have some time and try to go through the same flow to understand what it's trying to set it to. Thanks for bringing this up!
obones
ysichrisdag
Hello,
Because of the absence of an x86 version of the provider (See #18), I'm trying a workaround by using the following steps:
get the file digest by using the
/dgoptionSign the generated digest with the CNG provider and the
/dsoptionIntegrate the signed digest with the
/dioptionTimestamp the generated signature
When using a certificate whose private key is stored on a physical usb token (Yubikey), this works fine. But when I use the CNG provider, I get the following error:
Looking at bridge.cc:421 the error seems to be created on purpose but I'm not sure what to make of this. I would simply remove the test as it seems
pPaddingInfois not used at all in that function, but this must be a very naive approach.Any help would be most welcome.