CNG signature provider registration problem

goatM19 0

Hello,

I've written a DLL which implements a signature algorithm using the example code from CPDK as a base. I cannot get Windows 10 certificate UI to honor calling my DLL when it gets the certificate. DLL works normally if you use BCryptOpenAlgorithmProvider() with my algorithm name, (which is unique), DLL gets loaded. Thus I presume the provider registration is fine. The separate part to DLL is OID registration where I get algorithm name in string in certificate UI (thus OID lookup in registry works), algorithm names match, but it isn't called.

There is no example for this class of provider in CPDK, nor for its OID registration. But there is for other kind(s) of providers.

There is CRYPT_OID_INFO structure in API for OID->algo registration but it seems to take two different 'names', pwszName labeled as 'provider name' and pwszCNGAlgid labeled as 'AlgId string passed to BCrypt API'. Setting these to same string which is algo name doesn't do anything. Setting the latter to algo name and former to something else just makes that something else appear in the certificate UI. Again I'm referring to HashProviderOIDRegistration example from CPDK which could be working differently.

Worth mentioning is that this chain of trust uses the custom algorithm through, thus CA/subCA will also be signed by it. The authority also uses same OID for algorithm and public key.

Xiaopo Yang - MSFT 11,496 Reputation points Microsoft Vendor

2023-05-26T01:56:58.38+00:00

Are CNG signature providers for the use of certificate UI? Have you registered OID Functions properly? Could It be the certificate UI doesn't find the proper provider?
goatM19 0 Reputation points

2023-05-27T23:18:07.41+00:00

That is unknown to me and I was hoping to find the answer here. Does certificate UI call CNG router by design?

I have included both your tips to no avail.

I'm not sure how CryptRegisterOIDFunction cohabitates with CNG. The way I understand it CNG routes by class and algorithm name. This is exactly how I'm able to open my provider DLL from some standalone client code using BCryptOpenAlgorithmProvider passing only my algorithm name.

From the DLL side this registration is done by exporting BCRYPT_SIGNATURE_FUNCTION_TABLE interface implementation. The mapping is done by "filling out" CRYPT_INTERFACE_REG struct, CRYPT_IMAGE_REG, CRYPT_PROVIDER_REG, and sending them to BCrypt API functions which in turn create the appropriate registry entries.

Why the need to re-register the DLL with CryptRegisterOIDFunction? What is the "name of the function", pszFuncName? I set that to exported symbol of a function that implements the BCryptVerifySignatureFn, no luck, the DLL isn't loaded from certificate UI.

I guess main thing that I want to know right now is if Cert UI uses CNG at all.
Xiaopo Yang - MSFT 11,496 Reputation points Microsoft Vendor

2023-05-29T08:51:14.7+00:00

Hello, What's the Windows 10 certificate UI? Also, there are some provider types.
goatM19 0 Reputation points

2023-05-29T16:47:27.7633333+00:00

cryptext.dll, the window you get when you double-click on a certificate file.

I do not have issues in writing and registering the provider. BCrypt API client can get to my provider.

https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/

What you linked above touches both CNG and CryptoAPI. There is a full documentation for CNG in a deliverable called "Cryptography Next Gen Development Kit" or CPDK. In the manual there is a prosaic explanation on signature providers that I followed to get my DLL working.

Can you please expand on OID registration functions API and how it interacts with CNG provider?
Xiaopo Yang - MSFT 11,496 Reputation points Microsoft Vendor

2023-06-01T05:08:47.7033333+00:00

Hello @goatM19,

The UI is Microsoft Windows Certificate UI, and you should confirm with Windows team to see if it supports customized providers. This is not a customized providers development issue, as you're able to make it work.