DigestInfo is missing in a CSR when SHA-1 is used in a signature algorithm

Symptoms
When you use the certutil.exe tool to verify certificate signing requests (CSRs), certutil.exe returns the following message, even though the CSRs contain only a signed hash value (without the DigestInfo ASN.1 structure):
Signature matches Public Key

Notes
  • Certutil.exe should not validate CSRs with only a signed hash value, because the expected DigestInfo ASN.1 structure contains more than only hash data.
  • Other tools, such as openssl, mark the CSRs as invalid.
This problem occurs when SHA-1 is used in a signature algorithm, such as "1.2.840.113549.1.1.5 sha1RSA".

When a CSR is signed by using SHA-2, as in "1.2.840.113549.1.1.11 sha256RSA", certutil.exe returns the following expected error:

0xc000a000 (NT: 0xc000a000 STATUS_INVALID_SIGNATURE)

Note This problem is limited to signatures that are created by SHA-1.
Cause
This problem occurs because CAPI2 uses different underlying components in the CryptoAPI stack depending on the hash algorithm:
  • CAPI2 uses legacy Cryptography API 1 (CAPI1) for SHA-1, and CAPI1 allows the DigestInfo to be missing.
  • CAPI2 uses Cryptography API Next Generation (CNG) for SHA-2, and CNG does not allow DigestInfo to be missing.
Note Although this article describes only problems that occur when certutil.exe is used, any application that uses CryptoAPI will work exactly as certutil.exe does. 
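
The following Python example is added here for illustration; it is not Microsoft's code and does not call or reproduce CryptoAPI. It applies the strict encode-and-compare check of RSASSA-PKCS1-v1_5 (RFC 8017) for both SHA-1 and SHA-256 and reports a bare hash separately, so that a CSR without DigestInfo can be rejected regardless of the hash algorithm. The toy key, the TBS bytes and all function names are constructed for the example, and it assumes the bare hash is still wrapped in the usual type-1 padding.

```python
import hashlib

# DER DigestInfo prefixes from RFC 8017, section 9.2 (EMSA-PKCS1-v1_5).
DIGESTINFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def pad(payload: bytes, k: int) -> bytes:
    """Build the k-byte block 00 01 FF..FF 00 || payload."""
    return b"\x00\x01" + b"\xff" * (k - len(payload) - 3) + b"\x00" + payload

def classify_signature(sig: int, e: int, n: int, data: bytes, alg: str) -> str:
    """Return 'valid', 'bare-hash' (DigestInfo missing) or 'invalid'."""
    k = (n.bit_length() + 7) // 8
    em = pow(sig, e, n).to_bytes(k, "big")      # RSA public-key operation
    digest = hashlib.new(alg, data).digest()
    if em == pad(DIGESTINFO_PREFIX[alg] + digest, k):
        return "valid"                          # DigestInfo present and correct
    if em == pad(digest, k):
        return "bare-hash"                      # the malformed case in this article
    return "invalid"

# Constructed toy key (assumption for the demo only): two well-known primes,
# far too small for real use, so that the example runs offline.
P, Q, E = 2**255 - 19, 2**256 - 2**32 - 977, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def sign(data: bytes, alg: str, with_digestinfo: bool = True) -> int:
    """Produce a test signature, optionally omitting DigestInfo."""
    digest = hashlib.new(alg, data).digest()
    payload = (DIGESTINFO_PREFIX[alg] if with_digestinfo else b"") + digest
    em = pad(payload, (N.bit_length() + 7) // 8)
    return pow(int.from_bytes(em, "big"), D, N)

TBS = b"constructed CertificationRequestInfo bytes"  # stands in for the signed CSR body

if __name__ == "__main__":
    for alg in ("sha1", "sha256"):
        for di in (True, False):
            print(alg, "DigestInfo" if di else "bare hash",
                  classify_signature(sign(TBS, alg, di), E, N, TBS, alg))
```
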
More information

Verifying a CSR that's signed with "1.2.840.113549.1.1.5 sha1RSA" and without DigestInfo:

PKCS10 Certificate Request:
Version: 1
Subject:
    CN=Test User
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000 88 fc ea 9b cb 35 17 b8 3c 4a be e1 c9 94 23 e3
    00f0 71 5c 8f 81 5f 24 bd af 4b 00 ea e2 b4 08 6f 3f
Signature matches Public Key
Key Id Hash(rfc-sha1): b3 1c 76 1c d9 67 d2 8d 62 15 4a 1c 47 4d dd a6 65 03 9d 5d
Key Id Hash(sha1): fb b1 8f 14 39 5c fb 63 81 90 56 e8 37 e1 9b bd e2 a6 79 64
CertUtil: -dump command completed successfully.

Verifying a CSR that's signed with "1.2.840.113549.1.1.11 sha256RSA" and without DigestInfo:

PKCS10 Certificate Request:
Version: 1
Subject:
    CN=Test User
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000 2c 23 b3 36 f4 10 10 94 99 02 95 8f 64 1d 71 0c
    00f0 6c f4 13 ae 0e 6b b1 ef c4 1e 10 c0 1f 34 4d 16
Signature does not match Public key: c000a000
Cannot decode object: The cryptographic signature is invalid. 0xc000a000 (NT: 0xc000a000 STATUS_INVALID_SIGNATURE)
CertUtil: -dump command FAILED: 0xc000a000 (NT: 0xc000a000 STATUS_INVALID_SIGNATURE)
CertUtil: The cryptographic signature is invalid.


Properties

Article ID: 3080171 - Last Review: 12/03/2015 10:27:00 - Revision: 2.0

Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Foundation, Windows Server 2012 R2 Essentials, Windows 8.1 Enterprise, Windows 8.1 Pro, Windows 8.1
