03 Sep 2013, #1
How to digitally sign a Cryptographic Service Provider (CSP)
We are in the process of developing a Cryptographic Service Provider (CSP) and a Key Storage Provider (KSP) which are implemented as Dynamic-link libraries (.dll). The final product needs to be digitally signed in order for Windows to accept and use our implementations.
I read on MSDN that developers used to send an email to firstname.lastname@example.org and request that Microsoft do the signing. I sent an email to them, requesting more information about the process, but haven't received any feedback in about three months.
I figured an alternative would be to buy a "Code Signing certificate for Microsoft Authenticode" from a trusted CA, such as Symantec, and use that to sign the appropriate files ourselves. Would this be possible? I am just not sure whether it is permitted that security products, such as CSPs and KSPs, can be signed by the developers themselves and whether Microsoft wants to look at the implementations first.
Can anyone shed some light on this?
13 Mar 2014, #3
It seems like there is very little information on this topic so I will share what I have learnt.
After waiting roughly 6 months the guys at "email@example.com" finally responded and sent me my signed CSP. The response email from Microsoft, however, indicated that the signing service for CSPs is coming to an end: An update is available that allows Authenticode Signing for CSP signatures in Windows XP SP3 and Windows Server 2003 SP2.
Following up on what Microsoft said in the link posted above, we bought a certificate for Microsoft Authenticode from VeriSign, $499 for a year, and used that to sign the CSP. The signing process however is not documented at all (or at least at the time of this post) so I will provide some pointers that might prove useful.
The signing of a CSP is similar to signing a kernel mode driver. I used the SignTool.exe application that comes with the Windows Driver Kit to sign the CSP. Note that for the CSP to be accepted by Microsoft you have to add the appropriate cross certificate during the signing process. Use the Issuer and Thumbprint information of your code signing certificate's root certificate to locate the appropriate cross certificate, or search Google for "Cross-Certificates for Kernel Mode Code Signing", which should put you on the right track. Also ensure that ALL the required intermediate certificates are installed on the PC that will be used to sign files.
Finally sign the CSP using the following command,
signtool sign /v /ac "C:\path\to\cross\certificate\file.cer" /a /t "http://timestamp.verisign.com/scripts/timestamp.dll" C:\path\to\csp\file.dll
You can verify the signing process was successful using the following command,
signtool verify /v /kp C:\path\to\csp\file.dll
Note that the signature will be recognized if you do not include the appropriate cross certificate BUT the CSP will not load. The CryptAcquireContext function will fail with an "Invalid signature" error code EVEN THOUGH the file has been signed. The cross certificate needs to be included for Windows to accept the CSP.
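The procedure above, scripted end to end as an added example that is not part of the thread: sign with the cross certificate, verify with the kernel-mode policy, and then do the check that actually matters, acquiring the provider with CryptAcquireContext so a missing cross certificate shows up as NTE_BAD_SIGNATURE instead of being discovered later by an application. The file paths, the provider name and provider type are assumptions, and the CSP must already be registered under that name.

```powershell
# Added example, not the poster's script. Paths, $ProviderName and $ProvType are assumptions;
# the CSP must already be registered so CryptAcquireContext can find it by name.
$CspDll       = 'C:\path\to\csp\file.dll'                  # assumed path to the built CSP
$CrossCert    = 'C:\path\to\cross\certificate\file.cer'    # assumed cross cert for your CA root
$Timestamp    = 'http://timestamp.verisign.com/scripts/timestamp.dll'
$ProviderName = 'Example CSP'   # assumed: the name the CSP is registered under
$ProvType     = 1               # PROV_RSA_FULL; use the type your CSP registers

# Step 1: sign. /ac embeds the cross certificate; without it the file verifies but will not load.
& signtool sign /v /ac $CrossCert /a /t $Timestamp $CspDll
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Step 2: verify with the kernel-mode policy (/kp), which checks the cross-certificate chain.
& signtool verify /v /kp $CspDll
if ($LASTEXITCODE -ne 0) { throw "signtool verify /kp failed; the cross certificate is probably missing" }

# Step 3: load the provider. Windows re-checks the signature here; a file that verifies
# but lacks the cross certificate fails with NTE_BAD_SIGNATURE ("Invalid signature").
Add-Type -Namespace Win32 -Name Advapi32 -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool CryptAcquireContext(out IntPtr phProv, string pszContainer,
    string pszProvider, uint dwProvType, uint dwFlags);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CryptReleaseContext(IntPtr hProv, uint dwFlags);
'@

$CRYPT_VERIFYCONTEXT = 0xF0000000      # no key container needed, just load the provider
$NTE_BAD_SIGNATURE   = 0x80090006
$hProv = [IntPtr]::Zero
$ok = [Win32.Advapi32]::CryptAcquireContext([ref]$hProv, $null, $ProviderName, $ProvType, $CRYPT_VERIFYCONTEXT)
if ($ok) {
    Write-Host "CSP '$ProviderName' loaded: signature and cross certificate accepted."
    [void][Win32.Advapi32]::CryptReleaseContext($hProv, 0)
} else {
    # GetLastWin32Error returns a signed int; mask it before comparing with the HRESULT value
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if (($err -band 0xFFFFFFFF) -eq $NTE_BAD_SIGNATURE) {
        Write-Error "CSP rejected with NTE_BAD_SIGNATURE: signed, but the cross-certificate chain is not accepted."
    } else {
        Write-Error ("CryptAcquireContext failed with error 0x{0:X8}" -f ($err -band 0xFFFFFFFF))
    }
}
```

Run it from an elevated PowerShell on the signing machine after the intermediate certificates are installed; step 2 passing while step 3 fails is exactly the symptom described in the post.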