WIF on Windows Server 2003
I was setting up Windows Identity Foundation (WIF, formerly known as Geneva) on Windows Server 2003 to reproduce a customer’s problem.
However, I got the following exception, even when trying one of the WIF SDK samples:
CryptographicException - Object identifier (OID) is unknown
System.Security.Cryptography.X509Certificates.X509Utils._GetAlgIdFromOid(String oid) +0
System.Security.Cryptography.X509Certificates.X509Utils.OidToAlgId(String oid) +37
System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, String str) +61
System.Security.Cryptography.RSAPKCS1SignatureFormatter.CreateSignature(Byte[] rgbHash) +105
System.Security.Cryptography.AsymmetricSignatureFormatter.CreateSignature(HashAlgorithm hash) +48
...
This was the first time I saw this exception, and I haven’t found any previous reports from customers on this in our internal knowledgebase (most likely due to WIF being a quite new product). Fortunately, binging around brought me quickly to a thread on https://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/35c10fe5-9693-4f3a-9c5c-8afbb423ee95.
Phil Bolduc and Brent Schmaltz have found the cause for this issue. The encryption algorithm used by Geneva is not registered correctly on Windows Server 2003 for use by the .NET Framework. Indeed, the following steps resolved the issue:
1. Download Security.Cryptography.dll (either the binary of the source) from https://clrsecurity.codeplex.com/
2. Create a console application that references this Security.Cryptography.dll
3. Add the code below and execute the console application:
using Security.Cryptography;
class Program
{
static void Main(string[] args)
{
Oid2.RegisterSha2OidInformationForRsa();
}
}
Note that on an x64 OS, you need to create a 32-bit executable to register this for 32-bit processes.
Successful registration will create the following keys, respectively:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
These contain the 3 OIDs, which represent the 3 new SHA2 algorithms:
· SHA256 - "2.16.840.1.101.3.4.2.1!1"
· SHA384 - "2.16.840.1.101.3.4.2.2!1"
· SHA512 - "2.16.840.1.101.3.4.2.3!1"
As far as I can see, the issue is present on .NET 4.0 RTM as well.