On 2010-11-26 13:20 PDT, [email protected] wrote:
[snip]
> And to save you a bit of trouble/pain: for CryptoAPI, you cannot
> simply sign raw data - you can only sign previously hashed data. I
> understand this to mean that you cannot write a pure PKCS#11 ->
> CryptoAPI mapper, whether .NET or at the raw Win32 level, because the
> CryptoAPI specifically forbids signing raw data of arbitrary length,
> while PKCS#11 permits it [7]. Your best bet, and a common approach for
> the specific case of TLS client authentication, is to combine
> CryptCreateHash/CryptSetHashParam(HP_HASHVAL)/CryptSignHash.
[snip]
> [7] http://msdn.microsoft.com/en-us/library/aa380280(VS.85).aspx
Ryan,

Thanks for your comprehensive answer to Matej's question. I suspect that not many readers of this list are very familiar with the crypto capabilities of .NET.

Speaking of CryptSetHashParam(HP_HASHVAL), http://msdn.microsoft.com/en-us/library/aa380270(VS.85).aspx says:

> HP_HASHVAL.
>
> A byte array that contains a hash value to place directly into the hash
> object.
[snip]
>
> Some cryptographic service providers (CSPs) do not support this
> capability.

Do you know which, if any, of Microsoft's CSPs do not support it?

--
/Nelson Bolyard

--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
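The CryptCreateHash / CryptSetHashParam(HP_HASHVAL) / CryptSignHash sequence Ryan describes, written out as an added example. This is not code from the thread, from Ryan or Nelson, or from any Mozilla or Microsoft project; it is a C# P/Invoke program against advapi32.dll that signs a digest computed outside the CSP and then verifies it the same way. The key container name `HpHashValDemo`, the message text, and the choice of SHA-1 (CALG_SHA1, 2048-bit RSA, AT_SIGNATURE key) are assumptions made for the example; it runs only on Windows. The return value of the HP_HASHVAL call is checked explicitly, because that is where a CSP that lacks the capability reports it.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the thread): sign an already-computed digest with CryptoAPI via
// CryptCreateHash -> CryptSetHashParam(HP_HASHVAL) -> CryptSignHash, then verify it the same way.
static class HashValSign
{
    const uint PROV_RSA_FULL   = 1;
    const uint CRYPT_NEWKEYSET = 0x00000008;
    const uint CALG_SHA1       = 0x00008004;
    const uint HP_HASHVAL      = 0x00000002;
    const uint AT_SIGNATURE    = 2;
    const uint RSA2048_KEY     = 2048u << 16;   // key length travels in the high word of dwFlags

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CryptAcquireContext(out IntPtr phProv, string pszContainer, string pszProvider, uint dwProvType, uint dwFlags);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptGenKey(IntPtr hProv, uint Algid, uint dwFlags, out IntPtr phKey);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptGetUserKey(IntPtr hProv, uint dwKeySpec, out IntPtr phUserKey);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptCreateHash(IntPtr hProv, uint Algid, IntPtr hKey, uint dwFlags, out IntPtr phHash);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptSetHashParam(IntPtr hHash, uint dwParam, byte[] pbData, uint dwFlags);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CryptSignHash(IntPtr hHash, uint dwKeySpec, string sDescription, uint dwFlags, byte[] pbSignature, ref uint pdwSigLen);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CryptVerifySignature(IntPtr hHash, byte[] pbSignature, uint dwSigLen, IntPtr hPubKey, string sDescription, uint dwFlags);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptDestroyHash(IntPtr hHash);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptDestroyKey(IntPtr hKey);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptReleaseContext(IntPtr hProv, uint dwFlags);

    static void Check(bool ok, string what)
    {
        if (!ok)
            throw new CryptographicException(what + " failed, Win32 error 0x" + Marshal.GetLastWin32Error().ToString("X8"));
    }

    // Create a hash object, inject the caller's digest, and sign it. The CSP never sees the message,
    // which is what a PKCS#11 C_Sign -> CryptoAPI bridge needs. Returns CryptoAPI's little-endian signature.
    static byte[] SignPrecomputedHash(IntPtr hProv, uint algId, byte[] digest)
    {
        IntPtr hHash;
        Check(CryptCreateHash(hProv, algId, IntPtr.Zero, 0, out hHash), "CryptCreateHash");
        try
        {
            // A CSP that does not support HP_HASHVAL fails here; never assume this call succeeded.
            Check(CryptSetHashParam(hHash, HP_HASHVAL, digest, 0), "CryptSetHashParam(HP_HASHVAL)");
            uint len = 0;
            Check(CryptSignHash(hHash, AT_SIGNATURE, null, 0, null, ref len), "CryptSignHash (size query)");
            byte[] sig = new byte[len];
            Check(CryptSignHash(hHash, AT_SIGNATURE, null, 0, sig, ref len), "CryptSignHash");
            return sig;
        }
        finally { CryptDestroyHash(hHash); }
    }

    // Verification needs the same HP_HASHVAL trick, since only the digest is available.
    static bool VerifyPrecomputedHash(IntPtr hProv, IntPtr hPubKey, uint algId, byte[] digest, byte[] sig)
    {
        IntPtr hHash;
        Check(CryptCreateHash(hProv, algId, IntPtr.Zero, 0, out hHash), "CryptCreateHash");
        try
        {
            Check(CryptSetHashParam(hHash, HP_HASHVAL, digest, 0), "CryptSetHashParam(HP_HASHVAL)");
            return CryptVerifySignature(hHash, sig, (uint)sig.Length, hPubKey, null, 0);
        }
        finally { CryptDestroyHash(hHash); }
    }

    static void Main()
    {
        // Open (or create) a key container with an AT_SIGNATURE RSA key. Container name is constructed.
        const string container = "HpHashValDemo";
        IntPtr hProv;
        if (!CryptAcquireContext(out hProv, container, null, PROV_RSA_FULL, 0))
            Check(CryptAcquireContext(out hProv, container, null, PROV_RSA_FULL, CRYPT_NEWKEYSET), "CryptAcquireContext");
        IntPtr hKey;
        if (!CryptGetUserKey(hProv, AT_SIGNATURE, out hKey))
            Check(CryptGenKey(hProv, AT_SIGNATURE, RSA2048_KEY, out hKey), "CryptGenKey");

        // The digest is produced outside the CSP, as a PKCS#11 caller would hand it over (constructed input).
        byte[] message = Encoding.ASCII.GetBytes("constructed CertificateVerify input");
        byte[] digest;
        using (SHA1 sha1 = SHA1.Create()) digest = sha1.ComputeHash(message);

        byte[] sigLe = SignPrecomputedHash(hProv, CALG_SHA1, digest);
        Console.WriteLine("verify (CryptoAPI): " + VerifyPrecomputedHash(hProv, hKey, CALG_SHA1, digest, sigLe));

        // Negative check: a different digest must not verify against the same signature.
        digest[0] ^= 0x01;
        Console.WriteLine("verify (altered digest): " + VerifyPrecomputedHash(hProv, hKey, CALG_SHA1, digest, sigLe));

        // CryptoAPI emits the signature little-endian; PKCS#1 / PKCS#11 consumers expect big-endian.
        byte[] sigBe = (byte[])sigLe.Clone();
        Array.Reverse(sigBe);
        Console.WriteLine("signature, PKCS#1 byte order: " + BitConverter.ToString(sigBe).Replace("-", ""));

        CryptDestroyKey(hKey);
        CryptReleaseContext(hProv, 0);
    }
}
```

Two details matter for a bridge built on this pattern. With CALG_SHA1 the CSP wraps the injected digest in a PKCS#1 v1.5 DigestInfo before padding; for the TLS 1.0/1.1 CertificateVerify case Ryan mentions, where the 36-byte MD5||SHA-1 value must be signed with no DigestInfo, the hash object is created with CALG_SSL3_SHAMD5 instead and the same HP_HASHVAL call is used. And the byte reversal at the end is not optional: CryptSignHash returns the signature in little-endian order, so a PKCS#11 C_Sign implementation on top of it has to reverse the buffer before returning it, and has to reverse an incoming signature before handing it to CryptVerifySignature.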

