SignedCms, EnvelopeCms and CNG Support

Oct 18, 2010 at 12:36 PM


Many thanks for porting basic CNG support back to .NET 3.5. One thing I'm missing is CNG support for EnvelopedCms and SignedCms. Even .NET 4.0 does not support them.

This is increasingly becoming a problem as more and more certificates are created on Windows Server 2008 R2 machines. The problem is that the private keys of these certificates are stored in CNG containers and thus cannot be accessed by X509Certificate2.PrivateKey; this, in turn, breaks the signature and encryption features of EnvelopedCms and SignedCms. The certificates need to be imported and then exported on a Windows Server 2003 machine.

Will this be supported soon? An out-of-band update for this would be great :-)

Kind regards,
Henning Krause

Oct 18, 2010 at 4:55 PM

Hi Henning,

We have a feature request currently filed for adding CNG support to the CMS libraries. Although we cannot comment as to if / when it will show up in a .NET Framework release, it is something that we are tracking on our side. It is certainly possible that you could see some CodePlex updates to enable this in the future as well.


Nov 23, 2010 at 2:26 PM
Edited Nov 23, 2010 at 2:29 PM

Hello Shawn,

I'm working on a project that requires RSA signing, SignedCms and EnvelopedCms functionality using CNG keys residing in an HSM. Thanks to the Security.Cryptography library we have the RSA signing and SignedCms (using the X509Certificate2 extensions and the fact that CAPI CMSG_SIGNER_ENCODE_INFO accepts a CNG key handle), but decoding Enveloped CMS messages totally eludes us (encoding an enveloped CMS message using CNG would be nice too, but the .NET framework can do that already). I realize that a feature request has been filed for this functionality, but that doesn't help us. We need a solution fast and I think the only way to do it is to submit a formal request for support to Microsoft. All CAPI functionality is supposedly ported to CNG, so someone at Microsoft must have an idea of how to decode an enveloped CMS message, even if it's in VC++ code (but preferably in C#). We've already submitted a request for support concerning the fact that SignedCms couldn't hash above SHA1 and EnvelopedCms couldn't encrypt with AES when using a third-party (legacy) CSP. We were told that the .NET framework doesn't support third-party CSPs with this functionality and that we would have to use CNG to accomplish our goal. Oh yeah, and that they don't know anything about CNG.

Do you happen to have any names or names of departments we could refer to in our request for support in decoding enveloped CMS messages?

Kind regards,

Barry Carnahan

Dec 30, 2010 at 6:11 AM

It seems that performing EnvelopedCms with CNG keys is also possible using CAPI. When decrypting an enveloped message, the CMSG_CTRL_DECRYPT_PARA structure accepts either a CAPI or a CNG key handle. We have successfully implemented a CAPI EnvelopedCms function that works with both Microsoft CNG keys and third-party CNG keys (HSM).
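The decryption path the last post describes, as an added C# example that is not code from the thread or from the Security.Cryptography library: it P/Invokes CAPI's CryptMsg* functions and passes the CNG key handle in CMSG_CTRL_DECRYPT_PARA with dwKeySpec set to CERT_NCRYPT_KEY_SPEC, so the content-encryption key is unwrapped inside the key storage provider or HSM. It assumes the caller already holds the recipient's private key as a SafeNCryptKeyHandle (for instance CngKey.Handle) and knows which RecipientInfo index belongs to that certificate.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
// Added example (not code from the thread or from Security.Cryptography): decrypt a CMS
// EnvelopedData with a CNG private key through CAPI's CryptMsg* API. CMSG_CTRL_DECRYPT_PARA
// carries an NCRYPT_KEY_HANDLE when dwKeySpec == CERT_NCRYPT_KEY_SPEC.
static class CngEnvelopedCms
{
    const uint ENCODING = 0x00000001 | 0x00010000; // X509_ASN_ENCODING | PKCS_7_ASN_ENCODING
    const uint CMSG_CTRL_DECRYPT = 2, CMSG_CONTENT_PARAM = 2, CERT_NCRYPT_KEY_SPEC = 0xFFFFFFFF;
    [StructLayout(LayoutKind.Sequential)] struct CMSG_CTRL_DECRYPT_PARA
    {
        public uint cbSize;
        public IntPtr hKey;           // union { HCRYPTPROV hCryptProv; NCRYPT_KEY_HANDLE hNCryptKey; }
        public uint dwKeySpec;        // CERT_NCRYPT_KEY_SPEC tells CAPI that hKey is a CNG handle
        public uint dwRecipientIndex; // which RecipientInfo in the message this key belongs to
    }
    [DllImport("crypt32.dll", SetLastError = true)] static extern IntPtr CryptMsgOpenToDecode(
        uint dwMsgEncodingType, uint dwFlags, uint dwMsgType, IntPtr hCryptProv, IntPtr pRecipientInfo, IntPtr pStreamInfo);
    [DllImport("crypt32.dll", SetLastError = true)] static extern bool CryptMsgUpdate(
        IntPtr hCryptMsg, byte[] pbData, uint cbData, bool fFinal);
    [DllImport("crypt32.dll", SetLastError = true)] static extern bool CryptMsgControl(
        IntPtr hCryptMsg, uint dwFlags, uint dwCtrlType, ref CMSG_CTRL_DECRYPT_PARA pvCtrlPara);
    [DllImport("crypt32.dll", SetLastError = true)] static extern bool CryptMsgGetParam(
        IntPtr hCryptMsg, uint dwParamType, uint dwIndex, byte[] pvData, ref uint pcbData);
    [DllImport("crypt32.dll")] static extern bool CryptMsgClose(IntPtr hCryptMsg);

    // encoded: DER EnvelopedData (e.g. EnvelopedCms.Encode() output); key: the recipient's CNG
    // private key (e.g. CngKey.Handle); recipientIndex: the RecipientInfo matching that certificate.
    public static byte[] Decrypt(byte[] encoded, SafeNCryptKeyHandle key, uint recipientIndex)
    {
        IntPtr msg = CryptMsgOpenToDecode(ENCODING, 0, 0, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
        if (msg == IntPtr.Zero) throw new Win32Exception();
        try
        {
            if (!CryptMsgUpdate(msg, encoded, (uint)encoded.Length, true)) throw new Win32Exception();
            var para = new CMSG_CTRL_DECRYPT_PARA {
                cbSize = (uint)Marshal.SizeOf(typeof(CMSG_CTRL_DECRYPT_PARA)), hKey = key.DangerousGetHandle(),
                dwKeySpec = CERT_NCRYPT_KEY_SPEC, dwRecipientIndex = recipientIndex };
            // The KSP (or HSM) unwraps the content-encryption key; the private key never leaves it.
            if (!CryptMsgControl(msg, 0, CMSG_CTRL_DECRYPT, ref para)) throw new Win32Exception();
            uint cb = 0;
            CryptMsgGetParam(msg, CMSG_CONTENT_PARAM, 0, null, ref cb); // size query only
            var plain = new byte[cb];
            if (!CryptMsgGetParam(msg, CMSG_CONTENT_PARAM, 0, plain, ref cb)) throw new Win32Exception();
            return plain;
        }
        finally { CryptMsgClose(msg); }
    }
}
```

A wrong recipientIndex makes CryptMsgControl fail with a Win32 error rather than returning garbage, so callers should match the index against the message's RecipientInfos (for example by comparing issuer and serial number) before calling Decrypt.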