CryptographicException: 'Invalid algorithm specified' when using SHA-512












1















In my WPF app (.NET 4.6), I am required to use a P12 certificate file to sign a string using the SHA-512 algorithm (to include in the header of a web request). I do so as follows:



using (var rsa = myX509Certificate2.GetRSAPrivateKey()) {

  myBytes = rsa.SignData(

    Encoding.UTF8.GetBytes(stringToSign), 

    HashAlgorithmName.SHA512, 

    RSASignaturePadding.Pkcs1

  );

}


This works in testing and for nearly all my customers, but the odd customer gets the following exception:



System.Security.Cryptography.CryptographicException: Invalid algorithm specified.

  at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)

  at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte hash, Int32 cbHash, ObjectHandleOnStack retSignature)

  at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte hash)

  at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte rgbHash, Int32 calgHash)

  at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)

  at System.Security.Cryptography.RSA.SignData(Byte data, Int32 offset, Int32 count, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)

  at System.Security.Cryptography.RSA.SignData(Byte data, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)


It has happened most recently to a customer on Windows 7 SP1.



I'm struggling to find an answer via existing SO questions or from google in general. From what I can tell, it may be due to an unsupported Windows cryptography service provider being used under-the-hood, but I'm not sure, as I can't replicate the error myself.



Any ideas how to solve this one, either via code or by having affected customers install any particular Windows updates?






c# .net windows x509certificate2 sha512







share|improve this question



























    1















    In my WPF app (.NET 4.6), I am required to use a P12 certificate file to sign a string using the SHA-512 algorithm (to include in the header of a web request). I do so as follows:



    using (var rsa = myX509Certificate2.GetRSAPrivateKey()) {
    
  myBytes = rsa.SignData(
    
    Encoding.UTF8.GetBytes(stringToSign), 
    
    HashAlgorithmName.SHA512, 
    
    RSASignaturePadding.Pkcs1
    
  );
    
}


    This works in testing and for nearly all my customers, but the odd customer gets the following exception:



    System.Security.Cryptography.CryptographicException: Invalid algorithm specified.
    
  at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
    
  at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte hash, Int32 cbHash, ObjectHandleOnStack retSignature)
    
  at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte hash)
    
  at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte rgbHash, Int32 calgHash)
    
  at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
    
  at System.Security.Cryptography.RSA.SignData(Byte data, Int32 offset, Int32 count, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
    
  at System.Security.Cryptography.RSA.SignData(Byte data, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)


    It has happened most recently to a customer on Windows 7 SP1.



    I'm struggling to find an answer via existing SO questions or from google in general. From what I can tell, it may be due to an unsupported Windows cryptography service provider being used under-the-hood, but I'm not sure, as I can't replicate the error myself.



    Any ideas how to solve this one, either via code or by having affected customers install any particular Windows updates?






    c# .net windows x509certificate2 sha512







    share|improve this question

























      1












      1








      1








      In my WPF app (.NET 4.6), I am required to use a P12 certificate file to sign a string using the SHA-512 algorithm (to include in the header of a web request). I do so as follows:



      using (var rsa = myX509Certificate2.GetRSAPrivateKey()) {
      
  myBytes = rsa.SignData(
      
    Encoding.UTF8.GetBytes(stringToSign), 
      
    HashAlgorithmName.SHA512, 
      
    RSASignaturePadding.Pkcs1
      
  );
      
}


      This works in testing and for nearly all my customers, but the odd customer gets the following exception:



      System.Security.Cryptography.CryptographicException: Invalid algorithm specified.
      
  at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
      
  at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte hash, Int32 cbHash, ObjectHandleOnStack retSignature)
      
  at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte hash)
      
  at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte rgbHash, Int32 calgHash)
      
  at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
      
  at System.Security.Cryptography.RSA.SignData(Byte data, Int32 offset, Int32 count, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
      
  at System.Security.Cryptography.RSA.SignData(Byte data, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)


      It has happened most recently to a customer on Windows 7 SP1.



      I'm struggling to find an answer via existing SO questions or from google in general. From what I can tell, it may be due to an unsupported Windows cryptography service provider being used under-the-hood, but I'm not sure, as I can't replicate the error myself.



      Any ideas how to solve this one, either via code or by having affected customers install any particular Windows updates?






      c# .net windows x509certificate2 sha512







      share|improve this question














      In my WPF app (.NET 4.6), I am required to use a P12 certificate file to sign a string using the SHA-512 algorithm (to include in the header of a web request). I do so as follows:



      using (var rsa = myX509Certificate2.GetRSAPrivateKey()) {
      
  myBytes = rsa.SignData(
      
    Encoding.UTF8.GetBytes(stringToSign), 
      
    HashAlgorithmName.SHA512, 
      
    RSASignaturePadding.Pkcs1
      
  );
      
}


      This works in testing and for nearly all my customers, but the odd customer gets the following exception:



      System.Security.Cryptography.CryptographicException: Invalid algorithm specified.
      
  at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
      
  at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte hash, Int32 cbHash, ObjectHandleOnStack retSignature)
      
  at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte hash)
      
  at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte rgbHash, Int32 calgHash)
      
  at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
      
  at System.Security.Cryptography.RSA.SignData(Byte data, Int32 offset, Int32 count, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
      
  at System.Security.Cryptography.RSA.SignData(Byte data, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)


      It has happened most recently to a customer on Windows 7 SP1.



      I'm struggling to find an answer via existing SO questions or from google in general. From what I can tell, it may be due to an unsupported Windows cryptography service provider being used under-the-hood, but I'm not sure, as I can't replicate the error myself.



      Any ideas how to solve this one, either via code or by having affected customers install any particular Windows updates?






      c# .net windows x509certificate2 sha512




      c# .net windows x509certificate2 sha512






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 2 at 21:20









      RossRoss

      3,32212049




      3,32212049
























          1 Answer
          1






          active

          oldest

          votes


















          0














          If you're using cert.GetRSAPrivateKey() and its giving back an RSACryptoServiceProvider instance that suggests it's not from a PFX, but is from a smart card with an old driver. Since you say it's from a .p12/.pfx, that could PFX contains a reference to an usual Cryptographic Service Provider name that CNG didn't take over (but I've never seen that in a software key). (Occam's Razor makes one inquire: Are you sure they're not accidentally using the wrong certificate?)



          If you know it's coming from a PFX, and you've imported it with the Exportable bit, you can manually transform it from RSACryptoServiceProvider to RSACng:



          using (RSA rsa = cert.GetRSAPrivateKey())
          
{
          
    byte toSign = Encoding.UTF8.GetBytes(stringToSign);
          
    myBytes = null;
          

          
    try
          
    {
          
        myBytes = rsa.SignData(
          
            toSign, 
          
            HashAlgorithmName.SHA512, 
          
            RSASignaturePadding.Pkcs1);
          
    }
          
    catch (CryptographicException)
          
    {
          
        try
          
        {
          
            using (RSA rsaCng = new RSACng())
          
            {
          
                rsaCng.ImportParameters(rsa.ExportParameters(true));
          

          
                myBytes = rsaCng.SignData(
          
                    toSign,
          
                    HashAlgorithmName.SHA512, 
          
                    RSASignaturePadding.Pkcs1);
          
            }
          
        }
          
        catch
          
        {
          
        }
          

          
        if (myBytes == null)
          
        {
          
            // Let the original exception continue
          
            throw;
          
        }
          
    }
          
}


          (As an alternative to the original exception throw, you could decide to let the "retry" exception be thrown instead)




          Alternatively, Windows 10 fixed a lot of the RSACryptoServiceProvider "invalid algorithm" behaviors, so they could always try upgrading.






          share|improve this answer
























          • Thanks – I'll make a build with that and give to the customer to try out.

            – Ross
            Jan 3 at 9:13












          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54013337%2fcryptographicexception-invalid-algorithm-specified-when-using-sha-512%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          If you're using cert.GetRSAPrivateKey() and its giving back an RSACryptoServiceProvider instance that suggests it's not from a PFX, but is from a smart card with an old driver. Since you say it's from a .p12/.pfx, that could PFX contains a reference to an usual Cryptographic Service Provider name that CNG didn't take over (but I've never seen that in a software key). (Occam's Razor makes one inquire: Are you sure they're not accidentally using the wrong certificate?)



          If you know it's coming from a PFX, and you've imported it with the Exportable bit, you can manually transform it from RSACryptoServiceProvider to RSACng:



          using (RSA rsa = cert.GetRSAPrivateKey())
          
{
          
    byte toSign = Encoding.UTF8.GetBytes(stringToSign);
          
    myBytes = null;
          

          
    try
          
    {
          
        myBytes = rsa.SignData(
          
            toSign, 
          
            HashAlgorithmName.SHA512, 
          
            RSASignaturePadding.Pkcs1);
          
    }
          
    catch (CryptographicException)
          
    {
          
        try
          
        {
          
            using (RSA rsaCng = new RSACng())
          
            {
          
                rsaCng.ImportParameters(rsa.ExportParameters(true));
          

          
                myBytes = rsaCng.SignData(
          
                    toSign,
          
                    HashAlgorithmName.SHA512, 
          
                    RSASignaturePadding.Pkcs1);
          
            }
          
        }
          
        catch
          
        {
          
        }
          

          
        if (myBytes == null)
          
        {
          
            // Let the original exception continue
          
            throw;
          
        }
          
    }
          
}


          (As an alternative to the original exception throw, you could decide to let the "retry" exception be thrown instead)




          Alternatively, Windows 10 fixed a lot of the RSACryptoServiceProvider "invalid algorithm" behaviors, so they could always try upgrading.






          share|improve this answer
























          • Thanks – I'll make a build with that and give to the customer to try out.

            – Ross
            Jan 3 at 9:13
















          0














          If you're using cert.GetRSAPrivateKey() and its giving back an RSACryptoServiceProvider instance that suggests it's not from a PFX, but is from a smart card with an old driver. Since you say it's from a .p12/.pfx, that could PFX contains a reference to an usual Cryptographic Service Provider name that CNG didn't take over (but I've never seen that in a software key). (Occam's Razor makes one inquire: Are you sure they're not accidentally using the wrong certificate?)



          If you know it's coming from a PFX, and you've imported it with the Exportable bit, you can manually transform it from RSACryptoServiceProvider to RSACng:



          using (RSA rsa = cert.GetRSAPrivateKey())
          
{
          
    byte toSign = Encoding.UTF8.GetBytes(stringToSign);
          
    myBytes = null;
          

          
    try
          
    {
          
        myBytes = rsa.SignData(
          
            toSign, 
          
            HashAlgorithmName.SHA512, 
          
            RSASignaturePadding.Pkcs1);
          
    }
          
    catch (CryptographicException)
          
    {
          
        try
          
        {
          
            using (RSA rsaCng = new RSACng())
          
            {
          
                rsaCng.ImportParameters(rsa.ExportParameters(true));
          

          
                myBytes = rsaCng.SignData(
          
                    toSign,
          
                    HashAlgorithmName.SHA512, 
          
                    RSASignaturePadding.Pkcs1);
          
            }
          
        }
          
        catch
          
        {
          
        }
          

          
        if (myBytes == null)
          
        {
          
            // Let the original exception continue
          
            throw;
          
        }
          
    }
          
}


          (As an alternative to the original exception throw, you could decide to let the "retry" exception be thrown instead)




          Alternatively, Windows 10 fixed a lot of the RSACryptoServiceProvider "invalid algorithm" behaviors, so they could always try upgrading.






          share|improve this answer
























          • Thanks – I'll make a build with that and give to the customer to try out.

            – Ross
            Jan 3 at 9:13














          0












          0








          0







          If you're using cert.GetRSAPrivateKey() and its giving back an RSACryptoServiceProvider instance that suggests it's not from a PFX, but is from a smart card with an old driver. Since you say it's from a .p12/.pfx, that could PFX contains a reference to an usual Cryptographic Service Provider name that CNG didn't take over (but I've never seen that in a software key). (Occam's Razor makes one inquire: Are you sure they're not accidentally using the wrong certificate?)



          If you know it's coming from a PFX, and you've imported it with the Exportable bit, you can manually transform it from RSACryptoServiceProvider to RSACng:



          using (RSA rsa = cert.GetRSAPrivateKey())
          
{
          
    byte toSign = Encoding.UTF8.GetBytes(stringToSign);
          
    myBytes = null;
          

          
    try
          
    {
          
        myBytes = rsa.SignData(
          
            toSign, 
          
            HashAlgorithmName.SHA512, 
          
            RSASignaturePadding.Pkcs1);
          
    }
          
    catch (CryptographicException)
          
    {
          
        try
          
        {
          
            using (RSA rsaCng = new RSACng())
          
            {
          
                rsaCng.ImportParameters(rsa.ExportParameters(true));
          

          
                myBytes = rsaCng.SignData(
          
                    toSign,
          
                    HashAlgorithmName.SHA512, 
          
                    RSASignaturePadding.Pkcs1);
          
            }
          
        }
          
        catch
          
        {
          
        }
          

          
        if (myBytes == null)
          
        {
          
            // Let the original exception continue
          
            throw;
          
        }
          
    }
          
}


          (As an alternative to the original exception throw, you could decide to let the "retry" exception be thrown instead)




          Alternatively, Windows 10 fixed a lot of the RSACryptoServiceProvider "invalid algorithm" behaviors, so they could always try upgrading.






          share|improve this answer













          If you're using cert.GetRSAPrivateKey() and its giving back an RSACryptoServiceProvider instance that suggests it's not from a PFX, but is from a smart card with an old driver. Since you say it's from a .p12/.pfx, that could PFX contains a reference to an usual Cryptographic Service Provider name that CNG didn't take over (but I've never seen that in a software key). (Occam's Razor makes one inquire: Are you sure they're not accidentally using the wrong certificate?)



          If you know it's coming from a PFX, and you've imported it with the Exportable bit, you can manually transform it from RSACryptoServiceProvider to RSACng:



          using (RSA rsa = cert.GetRSAPrivateKey())
          
{
          
    byte toSign = Encoding.UTF8.GetBytes(stringToSign);
          
    myBytes = null;
          

          
    try
          
    {
          
        myBytes = rsa.SignData(
          
            toSign, 
          
            HashAlgorithmName.SHA512, 
          
            RSASignaturePadding.Pkcs1);
          
    }
          
    catch (CryptographicException)
          
    {
          
        try
          
        {
          
            using (RSA rsaCng = new RSACng())
          
            {
          
                rsaCng.ImportParameters(rsa.ExportParameters(true));
          

          
                myBytes = rsaCng.SignData(
          
                    toSign,
          
                    HashAlgorithmName.SHA512, 
          
                    RSASignaturePadding.Pkcs1);
          
            }
          
        }
          
        catch
          
        {
          
        }
          

          
        if (myBytes == null)
          
        {
          
            // Let the original exception continue
          
            throw;
          
        }
          
    }
          
}


          (As an alternative to the original exception throw, you could decide to let the "retry" exception be thrown instead)




          Alternatively, Windows 10 fixed a lot of the RSACryptoServiceProvider "invalid algorithm" behaviors, so they could always try upgrading.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jan 2 at 22:00









          bartonjsbartonjs

          14.2k12759




          14.2k12759













          • Thanks – I'll make a build with that and give to the customer to try out.

            – Ross
            Jan 3 at 9:13



















          • Thanks – I'll make a build with that and give to the customer to try out.

            – Ross
            Jan 3 at 9:13

















          Thanks – I'll make a build with that and give to the customer to try out.

          – Ross
          Jan 3 at 9:13





          Thanks – I'll make a build with that and give to the customer to try out.

          – Ross
          Jan 3 at 9:13




















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54013337%2fcryptographicexception-invalid-algorithm-specified-when-using-sha-512%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          MongoDB - Not Authorized To Execute Command

          Image
          .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 I have successfully enabled authorization on MongoDB and I have created an account on the admin database and then I created an account for my database called test. The following connection string to connect to my test database works successfully: mongo --host 192.168.17.52 --port 27017 -u user1 -p password --authenticationDatabase test Only problem I have now is, I cannot execute commands such as: show dbs. I get the following error when I try to do so: "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0, lsid: { id: UUID("a1d5bc0d-bc58-485e-b232-270758a89455") }, $db: "admin...
          Read more

          How to fix TextFormField cause rebuild widget in Flutter

          Image
          .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 I've got the same issue at #9280. I tried all solutions from that topic with/without GlobalKey for Scaffold and Form but the problem wasn't fixed. I tried to build a authentication form with login and signup. But the keyboard doesn't show when I tap the TextFormField at the first time. Then I try to input some letter from physical keyboard, the widget is rebuilt. Like this: login screen Nothing to be log when I run flutter run --verbose, so I logged manually. Every tapping on field, the widget called dispose -> init -> build. [√] Flutter (Channel beta, v1.0.0, on Microsoft Windows [Version 10.0.17763.195], ...
          Read more

          Npm cannot find a required file even through it is in the searched directory

          Image
          up vote 0 down vote favorite I got that error: users-Air:pdfuploader user$ npm run start client@0.1.0 start /Users/user/Documents/pdfuploader react-scripts start Could not find a required file. Name: index.html Searched in: /Users/user/Documents/pdfuploader/public npm ERR! code ELIFECYCLE npm ERR! errno 1 npm ERR! client@0.1.0 start: `react-scripts start` npm ERR! Exit status 1 npm ERR! npm ERR! Failed at the client@0.1.0 start script. npm ERR! This is probably not a problem with npm. There is likely additional logging output above. npm ERR! A complete log of this run can be found in: npm ERR! /Users/user/.npm/_logs/2018-11-19T10_19_14_555Z-debug.log users-Air:pdfuploader user$ And the file is in /Users/user/Documents/pdfuploader/public as you can see in my github repository: https://github.c...
          Read more