Certificate linked to custom CSP issue

John Irving 1 Reputation point
2022-03-15T11:14:33.723+00:00

Hi,

I´m developing a custom CSP (not KSP). This CSP is type 24 (Microsoft Enhanced RSA and AES Cryptographic Provider). All registry entries are fine.

With it i´m creating the certificate container and adding a X509 certificate on it. This certificate has the link property CERT_KEY_PROV_INFO_PROP_ID that points to my CSP, as shown:

keyProvInfo.pwszContainerName = L"CONTAINER_NAME";
keyProvInfo.pwszProvName = L"Test";
keyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET;
keyProvInfo.dwProvType = PROV_RSA_AES;
keyProvInfo.cProvParam = 0;
keyProvInfo.rgProvParam = NULL;
keyProvInfo.dwKeySpec = AT_KEYEXCHANGE | AT_SIGNATURE;
CertSetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, 0, &keyProvInfo);

Once the property is set the certificate is added to the store with "CertAddCertificateContextToStore".

Now I have my certificate installed and pointing to my CSP. In the Certificate Manager it shows that it has a private key, so I asume that the link to ths CSP is fine.

My problem is when I want to make use of that certificate. I´ve make a small main that calls "CryptSignMessage" with this certificate. The SignatureParameters I am passing to the method are:

SigParams.cbSize = sizeof(CRYPT_SIGN_MESSAGE_PARA);
SigParams.dwMsgEncodingType = MY_ENCODING_TYPE;
SigParams.pSigningCert = pCertContext;
SigParams.HashAlgorithm.pszObjId = szOID_RSA_SHA256RSA;
SigParams.HashAlgorithm.Parameters.cbData = NULL;
SigParams.cMsgCert = 1;
SigParams.rgpMsgCert = &pCertContext;
SigParams.cAuthAttr = 0;
SigParams.dwInnerContentType = 0;
SigParams.cMsgCrl = 0;
SigParams.cUnauthAttr = 0;
SigParams.dwFlags = 0;
SigParams.pvHashAuxInfo = NULL;
SigParams.rgAuthAttr = NULL;

But when I am calling to the function I have an error "(0xc0000225)" and in the event viewer, in NCRYPT I see the following error:

  • <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  • <System>
    <Provider Name="Microsoft-Windows-Crypto-NCrypt" Guid="{e8ed09dc-100c-45e2-9fc8-b53399ec1f70}" />
    <EventID>2</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>2</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2022-03-15T11:10:13.7592746Z" />
    <EventRecordID>5872</EventRecordID>
    <Correlation />
    <Execution ProcessID="9416" ThreadID="21696" />
    <Channel>Microsoft-Windows-Crypto-NCrypt/Operational</Channel>
    <Computer>XXXXXX</Computer>
    <Security UserID="S-1-5-21-446980434-1216074887-3660355350-1396" />
    </System>
  • <EventData>
    <Data Name="ProviderName">Test</Data>
    <Data Name="Status">0xc0000225</Data>
    <Data Name="ProcessName">testCsp.exe</Data>
    </EventData>
    </Event>

Why is the reason of this error?

If in the SignatureParams I have "SigParams.HashAlgorithm.pszObjId = szOID_RSA_SHA1RSA" the CSP is called, but with SHA256 it isn´t. I need to hash in SHA256 and if I do the signature process with SHA1 all my CSP stuff is done and returns TRUE, but CryptSignMessage returns me FALSE to the main application (I supose is because the algorithm I am using internally).

Thanks everyone!

Windows API - Win32
Windows API - Win32
A core set of Windows application programming interfaces (APIs) for desktop and server applications. Previously known as Win32 API.
2,448 questions
Microsoft Partner Center API
Microsoft Partner Center API
Microsoft Partner Center: A Microsoft website for partners that provides access to product support, a partner community, and other partner services.API: A software intermediary that allows two applications to interact with each other.
317 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,745 questions
{count} votes

4 answers

Sort by: Most helpful
  1. John Irving 1 Reputation point
    2022-03-15T11:15:39.773+00:00

    Another clue. If I try to sign with my certificate with Adobe PDF or Microsoft Word I see the same error in the event viewer

    0 comments No comments

  2. Xiaopo Yang - MSFT 11,506 Reputation points Microsoft Vendor
    2022-03-16T07:04:19.223+00:00

    Hello,

    Welcome to Microsoft Q&A!

    I call CryptSignMessage successfully with the certificate context created by MakeAndExportACert. Perhaps your key provider has some problem. Besides, There is a sample which uses MS_KEY_STORAGE_PROVIDER

    Thank you.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  3. John Irving 1 Reputation point
    2022-03-16T13:57:16.197+00:00

    Hi,

    First of all thanks for the reply @Xiaopo Yang - MSFT

    I have been trying code from the links you put in your answer below and no positive result. The problem is always the same when I try to make use of my cert when signing a Word document.

    If I recover my cert the CERT_KEY_PROV_INFO_PROP_ID is the one that I set when I installed the X509 in the store.

    CertGetCertificateContextProperty(pCertContext,
    CERT_KEY_PROV_INFO_PROP_ID,
    pKeyProvInfo,
    &dwSize);

    pKeyProvInfo->pwszProvName = MY_PROVIDER_NAME

    I get the certificate from a WS, I set the CERT_KEY_PROV_INFO_PROP_ID, the CERT_FRIENDLY_NAME_PROP_ID and I call the CertAddCertificateContextToStore ("MY" Store). A little pice of code of my process:

    memset(&keyProvInfo, 0, sizeof(CRYPT_KEY_PROV_INFO));
    keyProvInfo.pwszContainerName = contName;
    keyProvInfo.pwszProvName = cspName;
    keyProvInfo.dwProvType = PROV_RSA_AES;
    keyProvInfo.dwKeySpec = AT_SIGNATURE;
    CertSetCertificateContextProperty(certContext,
    CERT_KEY_PROV_INFO_PROP_ID, 0,
    & keyProvInfo);

    CertSetCertificateContextProperty(certContext,
    CERT_FRIENDLY_NAME_PROP_ID,
    0, (LPVOID)&cryptBlob);

    CertAddCertificateContextToStore(
    hMemStore, // Store handle
    certContext, // Pointer to a certificate
    CERT_STORE_ADD_NEW,
    NULL);

    As I said, when I try to use that certificate the error I posted is shown in event viewer

    0 comments No comments

  4. John Irving 1 Reputation point
    2022-03-16T13:59:47.51+00:00

    Other thing I missed in my description. If I use the Crypto functions like "CryptAcquireContext", etc. pointing to my Provider it works, but when I try to use the Provider linked to the certificate it fails.