vletoux / OpenPGP-CSP

A CSP for the OpenPGP card - goal: add write support for certificate enrollment

Creating cert key for CA: expand availability of hash algorithms for signing certs #6

Open techge opened 6 years ago

techge commented 6 years ago

When trying to create a root certificate on the OpenPGP Card (signature slot) for an AD CS, only a few hash algorithms for signing certificates issued by the CA can be chosen. Vincent already suggested fixing it by:

Try to replace MS_STRONG_PROV with MS_ENH_RSA_AES_PROV (you may change PROV_RSA_FULL with PROV_RSA_AES).


I will try to do it, but as I have no working build environment set up yet, it may take some time...

vletoux commented 6 years ago

see 639d935680d71116b6f8e92ec8fb67fbea101e57

vletoux commented 6 years ago

Using SHA2 with MS CA requires a KSP and won't work with a CSP

As proof, the MS Base Smart Card CSP supports only legacy algorithms.

jans23 commented 6 years ago

I saw commit 2ab1db2d9d96a70bc4a9b40a2eddbc9cd62753a1. Is this worth retesting already or WIP?

vletoux commented 6 years ago

KSP is read only (no key generation). Not tested at all. No WIP for the moment.

vletoux commented 6 years ago

Please test the latest release