This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 28.000000000000004%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJI%3C/text%3E%3C/svg%3E)
Hi,
I´m developing a custom CSP (not KSP). This CSP is type 24 (Microsoft Enhanced RSA and AES Cryptographic Provider). All registry entries are fine.
With it i´m creating the certificate container and adding a X509 certificate on it. This certificate has the link property CERT_KEY_PROV_INFO_PROP_ID that points to my CSP, as shown:
keyProvInfo.pwszContainerName = L"CONTAINER_NAME";
keyProvInfo.pwszProvName = L"Test";
keyProvInfo.dwFlags = CRYPT_MACHINE_KEYSET;
keyProvInfo.dwProvType = PROV_RSA_AES;
keyProvInfo.cProvParam = 0;
keyProvInfo.rgProvParam = NULL;
keyProvInfo.dwKeySpec = AT_KEYEXCHANGE | AT_SIGNATURE;
CertSetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, 0, &keyProvInfo);
Once the property is set the certificate is added to the store with "CertAddCertificateContextToStore".
Now I have my certificate installed and pointing to my CSP. In the Certificate Manager it shows that it has a private key, so I asume that the link to ths CSP is fine.
My problem is when I want to make use of that certificate. I´ve make a small main that calls "CryptSignMessage" with this certificate. The SignatureParameters I am passing to the method are:
SigParams.cbSize = sizeof(CRYPT_SIGN_MESSAGE_PARA);
SigParams.dwMsgEncodingType = MY_ENCODING_TYPE;
SigParams.pSigningCert = pCertContext;
SigParams.HashAlgorithm.pszObjId = szOID_RSA_SHA256RSA;
SigParams.HashAlgorithm.Parameters.cbData = NULL;
SigParams.cMsgCert = 1;
SigParams.rgpMsgCert = &pCertContext;
SigParams.cAuthAttr = 0;
SigParams.dwInnerContentType = 0;
SigParams.cMsgCrl = 0;
SigParams.cUnauthAttr = 0;
SigParams.dwFlags = 0;
SigParams.pvHashAuxInfo = NULL;
SigParams.rgAuthAttr = NULL;
But when I am calling to the function I have an error "(0xc0000225)" and in the event viewer, in NCRYPT I see the following error:
Why is the reason of this error?
If in the SignatureParams I have "SigParams.HashAlgorithm.pszObjId = szOID_RSA_SHA1RSA" the CSP is called, but with SHA256 it isn´t. I need to hash in SHA256 and if I do the signature process with SHA1 all my CSP stuff is done and returns TRUE, but CryptSignMessage returns me FALSE to the main application (I supose is because the algorithm I am using internally).
Thanks everyone!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 34%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXY%3C/text%3E%3C/svg%3E)
Can you get the certificate with CERT_KEY_PROV_INFO_PROP_ID set properly? And Could you please show a minimal, reproducible sample without private information?
Another clue. If I try to sign with my certificate with Adobe PDF or Microsoft Word I see the same error in the event viewer
Hello,
Welcome to Microsoft Q&A!
I call CryptSignMessage successfully with the certificate context created by MakeAndExportACert. Perhaps your key provider has some problem. Besides, There is a sample which uses MS_KEY_STORAGE_PROVIDER
Thank you.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi,
First of all thanks for the reply @Xiaopo Yang - MSFT
I have been trying code from the links you put in your answer below and no positive result. The problem is always the same when I try to make use of my cert when signing a Word document.
If I recover my cert the CERT_KEY_PROV_INFO_PROP_ID is the one that I set when I installed the X509 in the store.
CertGetCertificateContextProperty(pCertContext,
CERT_KEY_PROV_INFO_PROP_ID,
pKeyProvInfo,
&dwSize);
pKeyProvInfo->pwszProvName = MY_PROVIDER_NAME
I get the certificate from a WS, I set the CERT_KEY_PROV_INFO_PROP_ID, the CERT_FRIENDLY_NAME_PROP_ID and I call the CertAddCertificateContextToStore ("MY" Store). A little pice of code of my process:
memset(&keyProvInfo, 0, sizeof(CRYPT_KEY_PROV_INFO));
keyProvInfo.pwszContainerName = contName;
keyProvInfo.pwszProvName = cspName;
keyProvInfo.dwProvType = PROV_RSA_AES;
keyProvInfo.dwKeySpec = AT_SIGNATURE;
CertSetCertificateContextProperty(certContext,
CERT_KEY_PROV_INFO_PROP_ID, 0,
& keyProvInfo);
CertSetCertificateContextProperty(certContext,
CERT_FRIENDLY_NAME_PROP_ID,
0, (LPVOID)&cryptBlob);
CertAddCertificateContextToStore(
hMemStore, // Store handle
certContext, // Pointer to a certificate
CERT_STORE_ADD_NEW,
NULL);
As I said, when I try to use that certificate the error I posted is shown in event viewer
Other thing I missed in my description. If I use the Crypto functions like "CryptAcquireContext", etc. pointing to my Provider it works, but when I try to use the Provider linked to the certificate it fails.
When I use the default key provider pwszProvName = NULL or Microsoft key provider pwszProvName = MS_KEY_STORAGE_PROVIDER, there is no problem. Perhaps The key provider cspName has some problems. How can I reproduce your custom CSP condition?