How to digitally sign a Cryptographic Service Provider (CSP)


  1. Posts : 5
    Windows 7 Professional x86
       #1

    How to digitally sign a Cryptographic Service Provider (CSP)


    Hi,

    We are in the process of developing a Cryptographic Service Provider (CSP) and a Key Storage Provider (KSP) which are implemented as Dynamic-link libraries (.dll). The final product needs to be digitally signed in order for Windows to accept and use our implementations.

    I read on MSDN that developers used to send an email to cspsign@microsoft.com and request that Microsoft do the signing. I sent an email to them, requesting more information about the process, but haven't received any feedback in about three months.

    I figured an alternative would be to buy a "Code Signing certificate for Microsoft Authenticode" from a trusted CA, such as Symantec, and use that to sign the appropriate files ourselves. Would this be possible? I am just not sure whether it is permitted that security products, such as CSPs and KSPs, can be signed by the developers themselves and whether Microsoft wants to look at the implementations first.

    Can anyone shed some light on this?


  2. Posts : 53,363
    Windows 10 Home x64
       #2

    A search seems to indicate that email address is still correct. There are also indications that you must download a Cryptographic Provider Development Kit.

    Cryptographic Service Providers (Windows)

    Hopefully someone with hands on experience will also respond.

    A Guy


  3. Posts : 5
    Windows 7 Professional x86
    Thread Starter
       #3

    It seems like there is very little information on this topic so I will share what I have learnt.

    After waiting roughly 6 months the guys at "cspsign@microsoft.com" finally responded and sent me my signed CSP. The response email from Microsoft, however, indicated that the signing service for CSPs is coming to an end: An update is available that allows Authenticode Signing for CSP signatures in Windows XP SP3 and Windows Server 2003 SP2.

    Following up on what Microsoft said in the link posted above, we bought a certificate for Microsoft Authenticode from VeriSign, $499 for a year, and used that to sign the CSP. The signing process, however, is not documented at all (or at least not at the time of this post), so I will provide some pointers that might prove useful.

    The signing of a CSP is similar to signing a kernel mode driver. I used the SignTool.exe application that comes with the Windows Driver Kit to sign the CSP. Note that for the CSP to be accepted by Microsoft you have to add the appropriate cross certificate during the signing process. Use the Issuer and thumbprint information of your code signing certificate's root certificate to locate the appropriate cross certificate, or ask Google for "Cross-Certificates for Kernel Mode Code Signing", which should put you on the right track. Also ensure that ALL the required intermediate certificates are installed on the PC that will be used to sign files.

    Finally sign the CSP using the following command,
    signtool sign /v /ac "C:\path\to\cross\certificate\file.cer" /a /t "http://timestamp.verisign.com/scripts/timestamp.dll" C:\path\to\csp\file.dll
    You can verify the signing process was successful using the following command,
    signtool verify /v /kp C:\path\to\csp\file.dll

    Note that the signature will be recognized if you do not include the appropriate cross certificate BUT the CSP will not load. The CryptAcquireContext function will fail with an "Invalid signature" error code EVEN THOUGH the file has been signed. The cross certificate needs to be included for Windows to accept the CSP.
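    The sign-then-verify sequence from the post above, as an added PowerShell wrapper that is not part of the original thread. It runs signtool verify twice, once under the default Authenticode policy (/pa) and once under the kernel-mode policy (/kp), because only the /kp check requires the chain through the cross-certificate to the Microsoft Code Verification Root and so catches the "signed but will not load" case described above. The DLL path, cross-certificate path and signtool location are assumptions to be replaced with your own.

```powershell
# Added example, not from the original post: sign a CSP DLL with the kernel-mode
# cross-certificate, then verify it under both policies before shipping it.
# $CspDll, $CrossCert and $SignTool are placeholders for your environment.
param(
    [Parameter(Mandatory)] [string] $CspDll,      # e.g. C:\build\mycsp.dll
    [Parameter(Mandatory)] [string] $CrossCert,   # cross-cert .cer matching your CA's root
    [string] $TimestampUrl = 'http://timestamp.verisign.com/scripts/timestamp.dll',
    [string] $SignTool = 'signtool.exe'           # from the WDK, assumed to be on PATH
)

$ErrorActionPreference = 'Stop'

# 1. Sign: /a picks the best code-signing cert in the user's store, /ac appends
#    the cross-certificate to the signature, /t adds an Authenticode timestamp.
& $SignTool sign /v /ac $CrossCert /a /t $TimestampUrl $CspDll
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 2. Default Authenticode policy. This passes even when the cross-certificate was
#    omitted, which is why the signature in the thread looked valid but the CSP
#    was rejected by CryptAcquireContext with an "Invalid signature" error.
& $SignTool verify /v /pa $CspDll
$defaultOk = ($LASTEXITCODE -eq 0)

# 3. Kernel-mode driver signing policy. This requires the chain to reach the
#    Microsoft Code Verification Root via the cross-certificate, so it fails
#    when /ac was left out or an intermediate certificate is missing.
& $SignTool verify /v /kp $CspDll
$kernelOk = ($LASTEXITCODE -eq 0)

# 4. Show what Windows itself sees on the file: signer, issuer and timestamp.
$sig = Get-AuthenticodeSignature -FilePath $CspDll
[pscustomobject]@{
    File            = $CspDll
    Status          = $sig.Status
    Signer          = $sig.SignerCertificate.Subject
    Issuer          = $sig.SignerCertificate.Issuer
    TimeStamper     = $sig.TimeStamperCertificate.Subject
    DefaultPolicyOK = $defaultOk
    KernelPolicyOK  = $kernelOk
}

if (-not $kernelOk) {
    throw "Signature does not chain to the Microsoft Code Verification Root; " +
          "check the cross-certificate passed to /ac and the installed intermediates."
}
```

Run it from a WDK command prompt after importing your code-signing certificate and all intermediates into the current user's store; a DLL that passes /pa but fails /kp is exactly the case the post warns about.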


  4. Posts : 53,363
    Windows 10 Home x64
       #4

    Good info, hopefully it will help someone else.

    A Guy


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd