

Windows 7: How to digitally sign a Cryptographic Service Provider (CSP)


03 Sep 2013   #1

Windows 7 Professional x86
 
 
How to digitally sign a Cryptographic Service Provider (CSP)

Hi,

We are in the process of developing a Cryptographic Service Provider (CSP) and a Key Storage Provider (KSP) which are implemented as Dynamic-link libraries (.dll). The final product needs to be digitally signed in order for Windows to accept and use our implementations.

I read on MSDN that developers used to send an email to cspsign@microsoft.com and request that Microsoft do the signing. I sent an email to them, requesting more information about the process, but haven't received any feedback in about three months.

I figured an alternative would be to buy a "Code Signing certificate for Microsoft Authenticode" from a trusted CA, such as Symantec, and use that to sign the appropriate files ourselves. Would this be possible? I am just not sure whether it is permitted that security products, such as CSPs and KSPs, can be signed by the developers themselves and whether Microsoft wants to look at the implementations first.

Can anyone shed some light on this?



08 Sep 2013   #2

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
 
 

A search seems to indicate that email address is still correct. There are also indications that you must download a Cryptographic Provider Development Kit.

Cryptographic Service Providers (Windows)

Hopefully someone with hands-on experience will also respond.

A Guy
13 Mar 2014   #3

Windows 7 Professional x86
 
 

It seems like there is very little information on this topic so I will share what I have learnt.

After waiting roughly 6 months the guys at "cspsign@microsoft.com" finally responded and sent me my signed CSP. The response email from Microsoft, however, indicated that the signing service for CSPs is coming to an end: "An update is available that allows Authenticode Signing for CSP signatures in Windows XP SP3 and Windows Server 2003 SP2".

Following up on what Microsoft said in the link posted above, we bought a certificate for Microsoft Authenticode from VeriSign, $499 for a year, and used that to sign the CSP. The signing process, however, is not documented at all (or at least not at the time of this post), so I will provide some pointers that might prove useful.

The signing of a CSP is similar to signing a kernel mode driver. I used the SignTool.exe application that comes with the Windows Driver Kit to sign the CSP. Note that for the CSP to be accepted by Microsoft you have to add the appropriate cross certificate during the signing process. Use the Issuer and Thumbprint information of your code signing certificate's root certificate to locate the appropriate cross certificate, or ask Google for "Cross-Certificates for Kernel Mode Code Signing", which should put you on the right track. Also ensure that ALL the required intermediate certificates are installed on the PC that will be used to sign files.

Finally, sign the CSP using the following command:

    signtool sign /v /ac "C:\path\to\cross\certificate\file.cer" /a /t "http://timestamp.verisign.com/scripts/timestamp.dll" C:\path\to\csp\file.dll

You can verify that the signing process was successful using the following command:

    signtool verify /v /kp C:\path\to\csp\file.dll

Note that the signature will be recognized if you do not include the appropriate cross certificate BUT the CSP will not load. The CryptAcquireContext function will fail with an "Invalid signature" error code EVEN THOUGH the file has been signed. The cross certificate needs to be included for Windows to accept the CSP.
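The three steps described in the post above (sign with the cross-certificate, verify under the kernel-mode policy, then confirm that CAPI actually loads the provider) as one PowerShell script. This is an added example and not code from the thread or from Microsoft; it assumes signtool.exe from the WDK is on the PATH, that the CSP is already registered under the provider name given in $ProviderName, that its provider type is PROV_RSA_FULL (1), and that the "Invalid signature" failure the post mentions surfaces as NTE_BAD_SIGNATURE (0x80090006) from CryptAcquireContext. All file paths are placeholders.

```powershell
# Added example, not from the original thread.
# Signs a CSP DLL with the cross-certificate, verifies it under the kernel-mode
# policy (/kp) and then asks CAPI to load it, which is where a signature that
# Windows does not accept actually fails.
param(
    [string]$CspDll       = 'C:\path\to\csp\file.dll',               # placeholder path
    [string]$CrossCert    = 'C:\path\to\cross\certificate\file.cer', # placeholder path
    [string]$TimestampUrl = 'http://timestamp.verisign.com/scripts/timestamp.dll',
    [string]$ProviderName = 'Example CSP',  # assumed: name the CSP is registered under
    [uint32]$ProviderType = 1               # assumed: PROV_RSA_FULL
)
$ErrorActionPreference = 'Stop'

# 1. Sign: /ac embeds the cross-certificate, /a picks the best code-signing
#    certificate in the current user's store, /t adds a timestamp.
& signtool sign /v /ac $CrossCert /a /t $TimestampUrl $CspDll
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 2. Verify under the kernel-mode driver policy. A plain 'signtool verify'
#    passes without the cross-certificate; /kp is the check that needs it.
& signtool verify /v /kp $CspDll
if ($LASTEXITCODE -ne 0) { throw "signtool verify /kp failed: is the cross-certificate chain embedded?" }

# 3. Load the provider through CryptAcquireContext (advapi32), exactly as a
#    CAPI client would, and report the status code on failure.
Add-Type -Namespace Win32 -Name Capi -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CryptAcquireContext(out IntPtr phProv, string pszContainer,
    string pszProvider, uint dwProvType, uint dwFlags);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CryptReleaseContext(IntPtr hProv, uint dwFlags);
'@

$CRYPT_VERIFYCONTEXT = 0xF0000000   # no key container needed, just load the provider
$NTE_BAD_SIGNATURE   = '80090006'   # assumed: the "Invalid Signature" status from the post

$hProv = [IntPtr]::Zero
$ok = [Win32.Capi]::CryptAcquireContext([ref]$hProv, $null, $ProviderName,
                                         $ProviderType, $CRYPT_VERIFYCONTEXT)
if ($ok) {
    Write-Host "CSP '$ProviderName' loaded: Windows accepts the signature."
    [void][Win32.Capi]::CryptReleaseContext($hProv, 0)
} else {
    # GetLastWin32Error returns a signed int; {0:X8} prints it as the usual HRESULT hex.
    $err = '{0:X8}' -f [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($err -eq $NTE_BAD_SIGNATURE) {
        Write-Host "CSP rejected with NTE_BAD_SIGNATURE (0x$err): re-sign with the cross-certificate."
    } else {
        Write-Host "CryptAcquireContext failed with status 0x$err"
    }
}
```

Run it from an elevated prompt on the machine where the CSP is registered; step 3 is the one that distinguishes a file that merely carries a valid Authenticode signature from one that Windows will actually load as a CSP.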


13 Mar 2014   #4

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
 
 

Good info, hopefully it will help someone else

A Guy