0 votes
by (470 points)

Hi All,

I'm trying to sign a message in Outlook using SecureMail and RSAPSS.

I set the command like this:

Dim Parametros As New Rebex.Mail.MailSignatureParameters

Parametros.Silent = False
Parametros.PaddingScheme = MailSignaturePaddingScheme.Pss
Parametros.SaltLength = 8
Parametros.HashAlgorithm = MailHashingAlgorithm.SHA256

My Certificate is accessible in Windows Store but it requires just a Permission-Confirmation (not a password). It is loaded in SIGNER normally, without any error:

Dim Signer As Rebex.Security.Certificates.Certificate = Certificado(0)

(Certificado(0) is where my Certificate was loaded)
When trying to sign using:

MyMessage.Sign(Parametros, Signer)

I receive the error:

Unable to export private key in order to use a more capable algorithm. Err 0x80131430

Can anyone help me understand what is happening?
Thank you.

1 Answer

0 votes
by (69.8k points)
The error occurred when the library tried to export the private key to pass it to a different cryptographic provider. This is attempted when the original provider does not support the requested operation.

I suppose you got the issue when using the 2019R3 version. Can you please check whether the issue is also present in the previous version you used, 2018R4?
I want to ensure we did not break some specific workarounds we made for you in the past (if I remember correctly).
Thank you.
by (470 points)
Hi Lukas!

The problem was specific to this algorithm (RSASSA-PSS) but I will try what you recommend.

Give me some minutes... and thanks for your attention to this.
by (470 points)
Lukas, the error was the same in version 2018R4, so there is NOT any problem with 2019R3.

But, if I utilize the following code, Windows is "forced" to ask for permission:

Dim cert2pss As System.Security.Cryptography.X509Certificates.X509Certificate2 = Signer

Dim pfx As Byte() = cert2pss.Export(System.Security.Cryptography.X509Certificates.X509ContentType.Pfx, "David")

Signer = Certificate.LoadPfx(pfx, "David", KeySetOptions.PreferCng Or KeySetOptions.Exportable)

But interestingly I have 2 scenarios:

- If just signing the message, Outlook shows me 100% signed but RSA/SHA256.

- If signing and encrypting the message (in this order), Outlook shows me RSASSA-PSS/SHA256 but also reports "an error" like "the message can be altered". The error is only in the SIGN layer, the encryption layer appears 100%.

If you want, I can send an image to you.
by (69.8k points)
It is very weird behavior. I will send a test version to your mail, which will try to use a different crypto provider.
by (470 points)
That's ok - Thank you!!
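
A diagnostic added to this thread as an example (it is not code from either participant or from Rebex): it uses only standard .NET Framework 4.6+ APIs to report which provider holds a certificate's RSA key and whether that provider can produce an RSASSA-PSS signature in place, which is the condition that decides whether a library has to fall back to exporting the key. The module name and the thumbprint argument are assumptions for illustration; the test signature triggers the same Windows permission prompt as a real one.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Imports System.Text

Module PssProbe   ' hypothetical name, added example
    ' Describes where the private key lives and whether it can sign with PSS
    ' without leaving its provider.
    Function Probe(cert As X509Certificate2) As String
        If Not cert.HasPrivateKey Then Return "no private key associated with this certificate"
        Using rsaKey As RSA = cert.GetRSAPrivateKey()
            If rsaKey Is Nothing Then Return "private key is not RSA"
            Dim location As String
            If TypeOf rsaKey Is RSACng Then
                Dim cng = DirectCast(rsaKey, RSACng).Key
                location = $"CNG provider '{cng.Provider.Provider}', export policy {cng.ExportPolicy}"
            ElseIf TypeOf rsaKey Is RSACryptoServiceProvider Then
                Dim info = DirectCast(rsaKey, RSACryptoServiceProvider).CspKeyContainerInfo
                location = $"legacy CSP '{info.ProviderName}', exportable={info.Exportable}"
            Else
                location = rsaKey.GetType().Name
            End If
            Try
                ' Constructed test input; the signature is verified and then discarded.
                Dim data = Encoding.ASCII.GetBytes("pss probe")
                Dim sig = rsaKey.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pss)
                Dim ok = rsaKey.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pss)
                Return $"{location}: PSS signing works in place (verified={ok})"
            Catch ex As CryptographicException
                Return $"{location}: PSS not available from this provider ({ex.Message})"
            End Try
        End Using
    End Function

    Sub Main(args As String())
        If args.Length = 0 Then
            Console.WriteLine("usage: PssProbe <certificate thumbprint>")
            Return
        End If
        Using store As New X509Store(StoreName.My, StoreLocation.CurrentUser)
            store.Open(OpenFlags.ReadOnly)
            ' validOnly:=False so expired or untrusted test certificates are still found.
            For Each cert As X509Certificate2 In
                store.Certificates.Find(X509FindType.FindByThumbprint, args(0), False)
                Console.WriteLine($"{cert.Subject}: {Probe(cert)}")
            Next
        End Using
    End Sub
End Module
```

If the probe reports that PSS works in place, the key can stay non-exportable; re-importing it from a PFX with an exportable flag, as in the workaround above, weakens the protection the store was giving it.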