Another clue: if I try to sign with my certificate in Adobe PDF or Microsoft Word, I see the same error in the event viewer.
Certificate linked to custom CSP issue
Hi,
I'm developing a custom CSP (not a KSP). This CSP is type 24 (Microsoft Enhanced RSA and AES Cryptographic Provider). All registry entries are fine.
With it I'm creating the certificate container and adding an X.509 certificate to it. This certificate has the link property CERT_KEY_PROV_INFO_PROP_ID that points to my CSP, as shown:
CRYPT_KEY_PROV_INFO keyProvInfo = { 0 };           // zero the struct so every field has a defined value
keyProvInfo.pwszContainerName = L"CONTAINER_NAME"; // key container inside the CSP
keyProvInfo.pwszProvName = L"Test";                // CSP name as registered under Cryptography\Defaults\Provider
keyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET;        // container lives in the machine key set
keyProvInfo.dwProvType = PROV_RSA_AES;             // provider type 24
keyProvInfo.cProvParam = 0;                        // no CryptSetProvParam calls to replay
keyProvInfo.rgProvParam = NULL;
keyProvInfo.dwKeySpec = AT_SIGNATURE;              // exactly one of AT_KEYEXCHANGE or AT_SIGNATURE; the two must not be OR'ed together
// Returns FALSE on failure; check GetLastError()
CertSetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, 0, &keyProvInfo);
Once the property is set, the certificate is added to the store with CertAddCertificateContextToStore.
Now I have my certificate installed and pointing to my CSP. In the Certificate Manager it shows that it has a private key, so I assume the link to the CSP is fine.
My problem is when I want to make use of that certificate. I've made a small main that calls CryptSignMessage with this certificate. The signature parameters I am passing to the function are:
// MY_ENCODING_TYPE is the poster's own macro, normally (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)
CRYPT_SIGN_MESSAGE_PARA SigParams;
memset(&SigParams, 0, sizeof(SigParams));               // zero first, then set the fields explicitly
SigParams.cbSize = sizeof(CRYPT_SIGN_MESSAGE_PARA);
SigParams.dwMsgEncodingType = MY_ENCODING_TYPE;
SigParams.pSigningCert = pCertContext;                  // certificate whose CERT_KEY_PROV_INFO_PROP_ID names the CSP
SigParams.HashAlgorithm.pszObjId = szOID_RSA_SHA256RSA;
SigParams.HashAlgorithm.Parameters.cbData = 0;          // cbData is a DWORD byte count, not a pointer, so 0 rather than NULL
SigParams.HashAlgorithm.Parameters.pbData = NULL;
SigParams.pvHashAuxInfo = NULL;
SigParams.cMsgCert = 1;                                 // embed the signing certificate in the signed message
SigParams.rgpMsgCert = &pCertContext;
SigParams.cMsgCrl = 0;
SigParams.cAuthAttr = 0;
SigParams.rgAuthAttr = NULL;
SigParams.cUnauthAttr = 0;
SigParams.dwFlags = 0;
SigParams.dwInnerContentType = 0;
But when I call the function I get the error 0xc0000225, and in the event viewer, under NCRYPT, I see the following error:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Crypto-NCrypt" Guid="{e8ed09dc-100c-45e2-9fc8-b53399ec1f70}" />
    <EventID>2</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>2</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2022-03-15T11:10:13.7592746Z" />
    <EventRecordID>5872</EventRecordID>
    <Correlation />
    <Execution ProcessID="9416" ThreadID="21696" />
    <Channel>Microsoft-Windows-Crypto-NCrypt/Operational</Channel>
    <Computer>XXXXXX</Computer>
    <Security UserID="S-1-5-21-446980434-1216074887-3660355350-1396" />
  </System>
  <EventData>
    <Data Name="ProviderName">Test</Data>
    <Data Name="Status">0xc0000225</Data>
    <Data Name="ProcessName">testCsp.exe</Data>
  </EventData>
</Event>
What is the reason for this error?
If in the signature parameters I set "SigParams.HashAlgorithm.pszObjId = szOID_RSA_SHA1RSA", the CSP is called, but with SHA256 it isn't. I need to hash with SHA256, and if I do the signature process with SHA1 all my CSP work is done and returns TRUE, but CryptSignMessage returns FALSE to the main application (I suppose because of the algorithm I am using internally).
Thanks everyone!
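As an added check (not code from the question or from any of the answers), a Windows PowerShell 5.1 (.NET Framework) script that walks a certificate store, picks out the certificates whose CERT_KEY_PROV_INFO_PROP_ID names the CSP, prints the link fields, and attempts a SHA-1 and a SHA-256 signature through that same link, then lists recent NCrypt event 2 entries from the channel shown above. The store path and the provider name "Test" (taken from the question) are assumptions you can override with the parameters.

```powershell
param(
    [string]$ProviderName = 'Test',               # CSP name used in the question (assumption)
    [string]$StorePath    = 'Cert:\CurrentUser\My' # "MY" store of the current user (assumption)
)

# Constructed sample input; only the signing path matters here.
$data = [System.Text.Encoding]::UTF8.GetBytes('constructed sample message')

foreach ($cert in Get-ChildItem $StorePath | Where-Object HasPrivateKey) {
    try {
        # Follows CERT_KEY_PROV_INFO_PROP_ID; a CSP-backed key comes back as an
        # RSACryptoServiceProvider whose CspKeyContainerInfo mirrors CRYPT_KEY_PROV_INFO.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    } catch {
        Write-Host ("{0}: key link cannot be opened: {1}" -f $cert.Thumbprint, $_.Exception.GetBaseException().Message)
        continue
    }
    if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) { continue }
    $info = $rsa.CspKeyContainerInfo
    if ($info.ProviderName -ne $ProviderName) { continue }

    Write-Host ("{0}`n  Provider={1} Type={2} Container={3} KeySpec={4} MachineKeySet={5}" -f
        $cert.Subject, $info.ProviderName, $info.ProviderType, $info.KeyContainerName,
        $info.KeyNumber, $info.MachineKeyStore)

    foreach ($hashName in 'SHA1', 'SHA256') {
        $hash = [System.Security.Cryptography.HashAlgorithmName]::new($hashName)
        $pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
        try {
            # .NET hashes the data itself, then drives the CSP through CryptCreateHash(CALG_SHA1 /
            # CALG_SHA_256), CryptSetHashParam(HP_HASHVAL) and CryptSignHash, so a CSP without
            # CALG_SHA_256 support fails exactly on the SHA256 round.
            $sig = $rsa.SignData($data, $hash, $pad)
            $ok  = $rsa.VerifyData($data, $sig, $hash, $pad)
            Write-Host ("  {0}: {1}-byte signature, verifies={2}" -f $hashName, $sig.Length, $ok)
        } catch {
            $e = $_.Exception.GetBaseException()
            Write-Host ("  {0}: FAILED HRESULT=0x{1:X8} {2}" -f $hashName, $e.HResult, $e.Message)
        }
    }
}

# Correlate with the Microsoft-Windows-Crypto-NCrypt/Operational event 2 entries from the question.
Get-WinEvent -LogName 'Microsoft-Windows-Crypto-NCrypt/Operational' -FilterXPath '*[System[EventID=2]]' `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProcessId, Message | Format-List
```

Running it right after a failed Word or CryptSignMessage attempt shows which hash round fails for the certificate-linked provider and whether a matching NCrypt event 2 was logged at the same time.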
4 answers
Xiaopo Yang - MSFT (Microsoft Vendor), 2022-03-16T07:04:19.223+00:00
Hello,
Welcome to Microsoft Q&A!
I call CryptSignMessage successfully with the certificate context created by MakeAndExportACert. Perhaps your key provider has some problem. Besides, there is a sample that uses MS_KEY_STORAGE_PROVIDER.
Thank you.
John Irving, 2022-03-16T13:57:16.197+00:00
Hi,
First of all, thanks for the reply, @Xiaopo Yang - MSFT.
I have been trying the code from the links you put in your answer, with no positive result. The problem is always the same when I try to make use of my cert when signing a Word document.
If I retrieve my cert, the CERT_KEY_PROV_INFO_PROP_ID is the one I set when I installed the X.509 certificate in the store.
// First call with a NULL buffer returns the required size in dwSize; then allocate and call again
DWORD dwSize = 0;
CertGetCertificateContextProperty(pCertContext, CERT_KEY_PROV_INFO_PROP_ID, NULL, &dwSize);
PCRYPT_KEY_PROV_INFO pKeyProvInfo = (PCRYPT_KEY_PROV_INFO)malloc(dwSize);
CertGetCertificateContextProperty(pCertContext, CERT_KEY_PROV_INFO_PROP_ID, pKeyProvInfo, &dwSize);
// Result: pKeyProvInfo->pwszProvName equals MY_PROVIDER_NAME
I get the certificate from a WS, set CERT_KEY_PROV_INFO_PROP_ID and CERT_FRIENDLY_NAME_PROP_ID, and call CertAddCertificateContextToStore on the "MY" store. A small piece of code from my process:
memset(&keyProvInfo, 0, sizeof(CRYPT_KEY_PROV_INFO));
keyProvInfo.pwszContainerName = contName;   // key container inside the CSP
keyProvInfo.pwszProvName = cspName;         // registered CSP name
keyProvInfo.dwProvType = PROV_RSA_AES;      // provider type 24
keyProvInfo.dwKeySpec = AT_SIGNATURE;       // dwFlags is left 0 by the memset, i.e. no CRYPT_MACHINE_KEYSET here
CertSetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, 0, &keyProvInfo);
// cryptBlob is a CRYPT_DATA_BLOB holding the friendly name as a null-terminated Unicode string
CertSetCertificateContextProperty(certContext, CERT_FRIENDLY_NAME_PROP_ID, 0, (LPVOID)&cryptBlob);
CertAddCertificateContextToStore(
    hMemStore,          // store handle
    certContext,        // pointer to the certificate
    CERT_STORE_ADD_NEW, // fail if a matching certificate is already in the store
    NULL);              // no copy of the added context needed
As I said, when I try to use that certificate, the error I posted appears in the event viewer.
John Irving, 2022-03-16T13:59:47.51+00:00
Another thing I missed in my description: if I use the Crypto functions like CryptAcquireContext, etc., pointing to my provider, it works, but when I try to use the provider linked to the certificate it fails.