Closed drolevar closed 1 year ago
ebourg
commented
1 year ago Thank you for the PR. Out of curiosity, what legacy cases do you have in mind? Signing applications for old Windows versions?
Azure requires SHA-1 hashes to be wrapped in a DigestInfo, but not the other digest algorithms? That's odd, there is no mention of that in the API documentation, how did you find out?
ebourg
commented
1 year ago I've found this info:
https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys-details#rsa-algorithms
The DigestInfo is constructed on the server side for Sign operations that algorithms RS256, RS384 and RS512 generate.
So indeed, for RSNULL, the DigestInfo is constructed on the client side. And probably for the other algorithms too.
ebourg
commented
1 year ago Looking at the Azure SDK, the hash is never wrapped in a DigestInfo, even for EC and RSA-PSS signatures:
So this looks very specific to RSNULL. I wonder if RSNULL could work with other algorithms and not just SHA-1.
ebourg
commented
1 year ago This is also supported by AzureSignTool: https://github.com/vcsjones/AzureSignTool/issues/28
drolevar
commented
1 year ago This is also supported by AzureSignTool: vcsjones/AzureSignTool#28
It is, but AzureSignTool relies on mssign32 which is a pain in the ...
drolevar
commented
1 year ago Azure requires SHA-1 hashes to be wrapped in a DigestInfo, but not the other digest algorithms? That's odd, there is no mention of that in the API documentation, how did you find out?
I found out by lots of searching on Github and stackoverflow :)
drolevar
commented
1 year ago So this looks very specific to RSNULL. I wonder if RSNULL could work with other algorithms and not just SHA-1.
It actually does, at least for SHA-256, I checked now.
ebourg
commented
1 year ago Merged, thank you!
Despite the fact that SHA-1 signatures are being deprecated, they are still necessary in some legacy cases. This PR enables to perform SHA-1 signing with Azure KeyVault.