
Currently, I have source code that is calling external web services that are using SHA-1 cryptography, and I'm currently calling these external WS as follows:

    using System.Security.Cryptography.X509Certificates;
    X509Certificate2 x509Certificate2 = new X509Certificate2("client.p12", "password");

and each time I call the WS I have to pass the variable as below:

    WebserviceName.Timeout = 20000000;
    WebserviceName.PreAuthenticate = true;
    WebserviceName.ClientCertificates.Add(x509Certificate2);

Now, I was wondering if .NET Framework 4.0 supports SHA-2.

Please advise if X509Certificate2 could be used for SHA-2 and/or any other resource that I could use for this upgrade.

Thank you.

Theg8nj
  • Yes, .NET supports SHA-2 certs. You might need to be running Windows 8+ to be able to load the certificates this way. – zaitsman Dec 03 '17 at 12:13
  • @zaitsman, I'm using Windows Server 2008 R2, but why Windows 8+? I didn't get your point. Thank you for your answer. – Theg8nj Dec 03 '17 at 12:16
  • For 2008 R2, you need to install a Windows Update: https://learn.microsoft.com/en-us/security-updates/securityadvisories/2014/2949927 – zaitsman Dec 03 '17 at 12:45
  • @zaitsman, thank you, sir. Just one more question, in regards to source code: does (System.Security.Cryptography.X509Certificates) support SHA-2? Or would I have to use another approach? – Theg8nj Dec 03 '17 at 13:13
  • The same managed API is used for both. – zaitsman Dec 03 '17 at 13:15

1 Answer


X.509 certificates themselves do not specify which algorithm is to be used for signature generation / verification. An RSA public key can be used for any RSA based algorithm.

Certificates can, however, be signed with an algorithm that uses SHA-1 (usually PKCS#1 v1.5 signatures; PSS signatures usually use SHA-2, but both are compatible with SHA-1 and SHA-2). So you must make sure that your certificate itself isn't considered invalid if SHA-1 is not considered secure enough anymore.

SHA-2 has been supported by .NET for a long time (SHA256 is even in 1.1), but it never hurts to test your configuration.

Maarten Bodewes
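As an added example (not code from the question or the answer), here is a C# check that loads the client certificate the question uses and reports the signature algorithm of every certificate in its chain, since the answer's point is that the certificate's signature, not the X509Certificate2 class, is what ties it to SHA-1. "client.p12" and "password" are the question's own placeholders; the OID list and the chain walk are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: report which signature algorithm signed the client certificate
// and each certificate above it, so a SHA-1 signature is caught before the
// remote endpoint starts rejecting it. Uses only .NET Framework 4.0 APIs.
static class CertSignatureCheck
{
    // OIDs of signature algorithms that hash with SHA-1 (assumed list for this check).
    static readonly string[] Sha1SignatureOids =
    {
        "1.2.840.113549.1.1.5",  // sha1WithRSAEncryption
        "1.2.840.10045.4.1",     // ecdsa-with-SHA1
        "1.2.840.10040.4.3",     // dsa-with-sha1
    };

    static bool IsSha1Signed(X509Certificate2 cert)
    {
        return Array.IndexOf(Sha1SignatureOids, cert.SignatureAlgorithm.Value) >= 0;
    }

    static void Main()
    {
        var cert = new X509Certificate2("client.p12", "password");

        // Build the chain as Windows sees it. Revocation is skipped because this
        // check is about signature algorithms, not revocation status.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.Build(cert);

        bool sha1Found = false;
        foreach (X509ChainElement element in chain.ChainElements)
        {
            X509Certificate2 c = element.Certificate;
            bool sha1 = IsSha1Signed(c);
            sha1Found |= sha1;
            Console.WriteLine("{0}\n  signed with {1} ({2}){3}",
                c.Subject, c.SignatureAlgorithm.FriendlyName,
                c.SignatureAlgorithm.Value, sha1 ? "  <-- SHA-1" : "");
        }
        // Self-signed roots are usually exempt from SHA-1 deprecation: a root is
        // trusted by identity, not by its own signature.
        Console.WriteLine(sha1Found
            ? "At least one certificate is SHA-1 signed; re-issue it before SHA-1 is disallowed."
            : "No SHA-1 signatures in the chain.");

        // Confirm the runtime itself can hash with SHA-2 (SHA256 has been in .NET since 1.1).
        using (SHA256 sha = SHA256.Create())
            Console.WriteLine("SHA-256 available: " + sha.HashSize + " bits");
    }
}
```

If the leaf or an intermediate reports sha1WithRSAEncryption, the fix is a re-issued certificate from the CA, not a code change; the X509Certificate2 loading and ClientCertificates.Add calls in the question stay the same.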