Re: CSP DLL Signed by Microsoft: Signature not recognised by Certificate Services

From: RodSaund (anonymous_at_discussions.microsoft.com)
Date: 02/09/04


Date: Mon, 9 Feb 2004 02:11:07 -0800

Thanks for the updated info on test signing for Windows 2003 Server. However, this is not the problem.

We have had the CSP signed by Microsoft for Production. The Certificate Services running on Windows Server 2003 do not recognise the signature.

I'd guess there is something new we need to do to register the CSP for Windows 2003 Server (as against Windows 2000), as the registry steps we took for Windows 2000 used to work.

Do you, or anyone, know of differences in registering signed CSPs in Windows 2003 as against Windows 2000, or where we can find information on this subject? We've scoured MSDN and this newsgroup, and even asked Microsoft directly, but to no avail.

Thanks

Rod Saunders
     
     ----- Ryan Menezes [MSFT] wrote: -----
     
     CSP's which used proprietary signing earlier, now support authenticode
     signatures with embedded PKCS-7 on WS2003. You can use signtool for test
     signing your CSP. You can get away with attaching Kernel Debugger to the
     machine (post W2K SP3) and test even an unsigned CSP.
     
     If you want to use a production version of your CSP, please submit it to
     Microsoft for PRS signing at cspsign@microsoft.com
     
     Thanks,
     Ryan[MSFT]
      This posting is provided "AS IS" with no warranties, and confers no rights.
     
     
     "RodSaund" <anonymous@discussions.microsoft.com> wrote in message
     news:B61B3D7B-A054-498E-971C-9BDC7AD32C7E@microsoft.com...
     > Thanks for your reply, but I don't think this tool is for the same
     > purpose. I've also realised that my test using cspsign is irrelevant as it
     > will be trying to verify the Microsoft signature with a test key, presumably
     > built into cspsign or held in the operating system somewhere.
     >
     > The CSP DLL is signed by Microsoft so that it can be verified before use
     > by, for instance, the Microsoft Certificate Services.
     >
     > The Microsoft Certificate Services don't seem to recognise the Microsoft
     > signature, which means it is wrongly signed or we are not applying the
     > signature correctly, somehow.
     >
     > Does anyone know how the SIG file should be used?
     >
     > Can anyone tell me what steps need to be followed to register the CSP DLL
     > as a CSP. We've followed the same steps as we used for Windows 2000, but
     > they don't seem to be enough for windows 2003.
     >
     > Thanks
     >
     > Rod
     >
     > ----- Ryan Menezes [MSFT] wrote: -----
     >
     >> Did you try signing using signtool.exe on Windows Server 2003 ?
     >>
     >> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/signtool.asp
     >>
     >> Thanks,
     >> Ryan[MSFT]
     >> This posting is provided "AS IS" with no warranties, and confers no
     >> rights.
     >>
     >> "RodSaund" <anonymous@discussions.microsoft.com> wrote in message
     >> news:1F06DA5A-462C-4DBD-963D-31770DF338E6@microsoft.com...
     >>> We had a CSP DLL "signed" by Microsoft, and the signature is not
     >>> recognised by the Certificate Services running on Windows 2003 Server
     >>> OS.
     >>>
     >>> Using the Microsoft CSP SDK signing tool (named as cspsign),
     >>> I tried "cspsign s SurewareRSAFullProvider.dll
     >>> SurewareRSAFullProvider.sig"
     >>> and then "cspsign v SurewareRSAFullProvider.dll
     >>> SurewareRSAFullProvider.sig"
     >>> and this created a signature and verified it, which proves the dll
     >>> signature can be verified.
     >>>
     >>> I then tried "cspsign v SurewareRSAFullProvider.dll
     >>> SurewareRSAFullProvider.sig"
     >>> with the signed dll and sig files returned from Microsoft and this
     >>> failed
     >>> to verify the signature.
     >>>
     >>> Thus, it seems that if the signature received from Microsoft was
     >>> correct,
     >>> it should be verified. It doesn't appear to be correct.
     >>>
     >>> Can you advise?
     >>>
     >>> Thanks


