Closed: drolevar closed this 1 year ago
Thank you for the PR. Out of curiosity, what legacy cases do you have in mind? Signing applications for old Windows versions?
Azure requires SHA-1 hashes to be wrapped in a DigestInfo, but not the other digest algorithms? That's odd, there is no mention of that in the API documentation, how did you find out?
I've found this info:
https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys-details#rsa-algorithms
> The DigestInfo is constructed on the server side for Sign operations that algorithms RS256, RS384 and RS512 generate.
So indeed, for RSNULL, the DigestInfo is constructed on the client side. And probably for the other algorithms too.
Looking at the Azure SDK, the hash is never wrapped in a DigestInfo, even for EC and RSA-PSS signatures:
So this looks very specific to RSNULL. I wonder if RSNULL could work with other algorithms and not just SHA-1.
This is also supported by AzureSignTool: https://github.com/vcsjones/AzureSignTool/issues/28
It is, but AzureSignTool relies on mssign32 which is a pain in the ...
> Azure requires SHA-1 hashes to be wrapped in a DigestInfo, but not the other digest algorithms? That's odd, there is no mention of that in the API documentation, how did you find out?
I found out by lots of searching on GitHub and Stack Overflow :)
> So this looks very specific to RSNULL. I wonder if RSNULL could work with other algorithms and not just SHA-1.
It actually does, at least for SHA-256, I checked now.
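The client-side DigestInfo construction discussed in this thread, as an added Python example that is not part of this PR or of the project: it builds the PKCS#1 v1.5 DigestInfo (RFC 8017) for SHA-1 and, as confirmed above, SHA-256, and contrasts the value a client sends for RSNULL with the raw digest sent for RS256/RS384/RS512. The function names are my own, and the base64url encoding of the actual Key Vault REST request is left out.

```python
import hashlib

# DER-encoded OID contents (tag and length omitted) of the digest algorithms,
# as listed in RFC 8017 section 9.2, note 1.
_HASH_OIDS = {
    "sha1":   bytes.fromhex("2b0e03021a"),          # 1.3.14.3.2.26
    "sha256": bytes.fromhex("608648016503040201"),  # 2.16.840.1.101.3.4.2.1
    "sha384": bytes.fromhex("608648016503040202"),  # 2.16.840.1.101.3.4.2.2
    "sha512": bytes.fromhex("608648016503040203"),  # 2.16.840.1.101.3.4.2.3
}

# Key Vault algorithm identifiers for which the server wraps the hash itself.
_SERVER_WRAPPED = {"RS256": "sha256", "RS384": "sha384", "RS512": "sha512"}


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a short-form length (enough for any DigestInfo)."""
    if len(body) >= 128:
        raise ValueError("short-form DER length only")
    return bytes([tag, len(body)]) + body


def digest_info(hash_name: str, digest: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier { OID, NULL }, OCTET STRING digest }"""
    expected = hashlib.new(hash_name).digest_size
    if len(digest) != expected:
        raise ValueError(f"{hash_name} digest must be {expected} bytes")
    algorithm_id = _der(0x30, _der(0x06, _HASH_OIDS[hash_name]) + b"\x05\x00")
    return _der(0x30, algorithm_id + _der(0x04, digest))


def key_vault_sign_value(algorithm: str, data: bytes, hash_name: str = "sha1") -> bytes:
    """Bytes the client hands to the Key Vault Sign operation (before base64url encoding).

    Hypothetical helper: for RS256/RS384/RS512 the raw digest is sent and the server
    builds the DigestInfo; for RSNULL the client builds it, so `hash_name` picks the hash.
    """
    if algorithm in _SERVER_WRAPPED:
        return hashlib.new(_SERVER_WRAPPED[algorithm], data).digest()
    if algorithm == "RSNULL":
        return digest_info(hash_name, hashlib.new(hash_name, data).digest())
    raise ValueError(f"unsupported algorithm {algorithm}")


if __name__ == "__main__":
    # Constructed sample input, not from any real signing request.
    print(key_vault_sign_value("RSNULL", b"constructed sample input").hex())
```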
Merged, thank you!
Despite the fact that SHA-1 signatures are being deprecated, they are still necessary in some legacy cases. This PR makes it possible to perform SHA-1 signing with Azure KeyVault.