Solved How to digitally sign a Cryptographic Service Provider (CSP)

PietBen

New member
Local time
6:12 AM
Messages
5
Hi,

We are in the process of developing a Cryptographic Service Provider (CSP) and a Key Storage Provider (KSP) which are implemented as Dynamic-link libraries (.dll). The final product needs to be digitally signed in order for Windows to accept and use our implementations.

I read on MSDN that developers used to send an email to [email protected] and request that Microsoft do the signing. I sent an email to them, requesting more information about the process, but haven't received any feedback in about three months.

I figured an alternative would be to buy a "Code Signing certificate for Microsoft Authenticode" from a trusted CA, such as Symantec, and use that to sign the appropriate files ourselves. Would this be possible? I am just not sure whether it is permitted that security products, such as CSPs and KSPs, can be signed by the developers themselves and whether Microsoft wants to look at the implementations first.

Can anyone shed some light on this?
 

My Computer My Computer

At a glance

Windows 7 Professional x86
OS
Windows 7 Professional x86
A search seems to indicate that email address is still correct. There is also indications you must download a Cryptographic Provider Development Kit

Cryptographic Service Providers (Windows)

Hopefully someone with hands on experience will also respond.

A Guy
 

My Computer My Computer

At a glance

Windows 10 Home x64INTEL Core i5-750 Quad-Core 3.37GHzHyperX Fury Black Series 8GB (2 x 4GB) 1866MhzEVGA GeForce GTX 750 Superclocked 1GB 128-Bit...
Computer type
PC/Desktop
OS
Windows 10 Home x64
CPU
INTEL Core i5-750 Quad-Core 3.37GHz
Motherboard
ASUS P7P55D
Memory
HyperX Fury Black Series 8GB (2 x 4GB) 1866Mhz
Graphics Card(s)
EVGA GeForce GTX 750 Superclocked 1GB 128-Bit GDDR5
Monitor(s) Displays
LG 32MA68HY 32" IPS
Screen Resolution
1920 x 1080
Hard Drives
Samsung 840 Evo 120GB, SEAGATE 500GB Barracuda® 7200.12, SATA 3 Gb/s, 7200 RPM, 16MB cache
PSU
ANTEC TruePower New TP-550, 80 PLUS, 550W
Case
ANTEC Three Hundred Illusion
Cooling
COOLER MASTER Hyper 212 Plus, 4 x 120mm 1 x 140mm Noctua's
Internet Speed
85 + Mbps
Antivirus
Avast
Browser
Vivaldi
It seems like there is very little information on this topic so I will share what I have learnt.

After waiting roughly 6 months the guys at "[email protected]" finally responded and sent me my signed CSP. The response email from Microsoft however indicated that the signing service of a CSP is coming to an end An update is available that allows Authenticode Signing for CSP signatures in Windows XP SP3 and Windows Server 2003 SP2.

Following up on what Microsoft said in the link posted above, we bought a certificate for Microsoft Authenticode from VeriSign, $499 for a year, and used that to sign the CSP. The signing process however is not documented at all (or at least at the time of this post) so I will provide some pointers that might prove useful.

The signing of a CSP is similar to signing a kernel mode driver. I used the SignTool.exe application that comes with the Windows Driver Kit to sign the CSP. Note that for the CSP to be accepted by Microsoft you have to add the appropriate cross certificate during the signing process. Use the Issuer and Thumb print information of your code signing certificate's root certificate to locate the appropriate cross certificate or ask google for "Cross-Certificates for Kernel Mode Code Signing" which should put you on the right track. Also ensure that ALL the required intermediate certificates are installed on the PC that will be used to sign files.

Finally sign the CSP using the following command,
signtool sign /v /ac "C:\path\to\cross\certificate\file.cer" /a /t "http://timestamp.verisign.com/scripts/timestamp.dll" C:\path\to\csp\file.dll
You can verify the signing process was successful using the following command,
signtool verify /v /kp C:\path\to\csp\file.dll

Note that the signature will be recognized if you do not include the appropriate cross certificate BUT the CSP will not load. The CryptAcquireContext function will fail with an "Invalid signature" error code EVEN THOUGH the file has been signed. The cross certificate needs to be included for Windows to accept the CSP.
 

My Computer My Computer

At a glance

Windows 7 Professional x86
OS
Windows 7 Professional x86
Good info, hopefully it will help someone else ;)

A Guy
 

My Computer My Computer

At a glance

Windows 10 Home x64INTEL Core i5-750 Quad-Core 3.37GHzHyperX Fury Black Series 8GB (2 x 4GB) 1866MhzEVGA GeForce GTX 750 Superclocked 1GB 128-Bit...
Computer type
PC/Desktop
OS
Windows 10 Home x64
CPU
INTEL Core i5-750 Quad-Core 3.37GHz
Motherboard
ASUS P7P55D
Memory
HyperX Fury Black Series 8GB (2 x 4GB) 1866Mhz
Graphics Card(s)
EVGA GeForce GTX 750 Superclocked 1GB 128-Bit GDDR5
Monitor(s) Displays
LG 32MA68HY 32" IPS
Screen Resolution
1920 x 1080
Hard Drives
Samsung 840 Evo 120GB, SEAGATE 500GB Barracuda® 7200.12, SATA 3 Gb/s, 7200 RPM, 16MB cache
PSU
ANTEC TruePower New TP-550, 80 PLUS, 550W
Case
ANTEC Three Hundred Illusion
Cooling
COOLER MASTER Hyper 212 Plus, 4 x 120mm 1 x 140mm Noctua's
Internet Speed
85 + Mbps
Antivirus
Avast
Browser
Vivaldi
Back
Top