Re: CSP DLL Signed by Microsoft: Signature not recognised by Certificate Services

From: Ryan Menezes [MSFT] (ryanmen_at_online.microsoft.com)
Date: 02/09/04


Date: Mon, 9 Feb 2004 13:15:05 -0800

To check if your CSP is registered correctly, please check the following
registry keys:
HKLM\Software\Microsoft\Cryptography\Defaults\Providers
HKLM\Software\Microsoft\Cryptography\Defaults\Provider Types

Did you try calling CryptAcquireContext separately on your CSP in
VERIFY_CONTEXT mode and get that to work?
If not, please also run the CSPTestSuite on your CSP.
http://www.microsoft.com/downloads/details.aspx?FamilyID=5f3872f8-202e-4f13-b495-78ce6f17a84f&DisplayLang=en

Thanks,
Ryan[MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

"RodSaund" <anonymous@discussions.microsoft.com> wrote in message
news:B304AD71-71D3-4A9E-8ADD-C1F19E2DA647@microsoft.com...
> Thanks for the updated info on test signing for Windows 2003 Server. However, this is not the problem.
>
> We have had the CSP signed by Microsoft for Production. The Certificate Services running on Windows Server 2003 do not recognise the signature.
>
> I'd guess there is something new we need to do to register the CSP for Windows 2003 Server (as against Windows 2000), as the registry steps we took for Windows 2000 used to work.
>
> Do you, or anyone, know of differences in registering signed CSPs in Windows 2003 as against Windows 2000, or where we can find information on this subject? We've scoured MSDN and this newsgroup, and even asked Microsoft directly, but to no avail.
>
> Thanks
>
> Rod Saunders
>
> ----- Ryan Menezes [MSFT] wrote: -----
>
> CSP's which used proprietary signing earlier, now support authenticode signatures with embedded PKCS-7 on WS2003. You can use signtool for test signing your CSP. You can get away with attaching Kernel Debugger to the machine (post W2K SP3) and test even an unsigned CSP.
>
> If you want to use a production version of your CSP, please submit it to Microsoft for PRS signing at cspsign@microsoft.com
>
> Thanks,
> Ryan[MSFT]
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "RodSaund" <anonymous@discussions.microsoft.com> wrote in message
> news:B61B3D7B-A054-498E-971C-9BDC7AD32C7E@microsoft.com...
> > Thanks for your reply, but I don't think this tool is for the same purpose. I've also realised that my test using cspsign is irrelevant as it will be trying to verify the Microsoft signature with a test key, presumably built into cspsign or held in the operating system somewhere.
> >
> > The CSP DLL is signed by Microsoft so that it can be verified before use by, for instance, the Microsoft Certificate Services.
> >
> > The Microsoft Certificate Services don't seem to recognise the Microsoft signature, which means it is wrongly signed or we are not applying the signature correctly, somehow.
> >
> > Does anyone know how the SIG file should be used?
> >
> > Can anyone tell me what steps need to be followed to register the CSP DLL as a CSP. We've followed the same steps as we used for Windows 2000, but they don't seem to be enough for windows 2003.
> >
> > Thanks
> >
> > Rod
> >
> > ----- Ryan Menezes [MSFT] wrote: -----
> >
> > Did you try signing using signtool.exe on Windows Server 2003?
> >
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/signtool.asp
> >
> > Thanks,
> > Ryan[MSFT]
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > "RodSaund" <anonymous@discussions.microsoft.com> wrote in message
> > news:1F06DA5A-462C-4DBD-963D-31770DF338E6@microsoft.com...
> > > We had a CSP DLL "signed" by Microsoft, and the signature is not recognised by the Certificate Services running on Windows 2003 Server OS.
> > >
> > > Using the Microsoft CSP SDK signing tool (named as cspsign),
> > > I tried "cspsign s SurewareRSAFullProvider.dll SurewareRSAFullProvider.sig"
> > > and then "cspsign v SurewareRSAFullProvider.dll SurewareRSAFullProvider.sig"
> > > and this created a signature and verified it, which proves the dll signature can be verified.
> > >
> > > I then tried "cspsign v SurewareRSAFullProvider.dll SurewareRSAFullProvider.sig"
> > > with the signed dll and sig files returned from Microsoft and this failed to verify the signature.
> > >
> > > Thus, it seems that if the signature received from Microsoft was correct, it should be verified. It doesn't appear to be correct.
> > >
> > > Can you advise?
> > >
> > > Thanks
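
The two checks suggested in the reply at the top of this thread (registry registration, then CryptAcquireContext in verify-context mode), as an added PowerShell example that is not part of the original posts. The provider name is a placeholder and the `Native.Capi` type name is made up for this sketch.

```powershell
# Added example, not from the thread. $ProviderName is a placeholder.
param([string]$ProviderName = '<registered CSP name>')

# 1. Registration: find the key named after the provider under ...\Defaults.
$defaults = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults'
$key = Get-ChildItem $defaults -Recurse |
    Where-Object { $_.PSChildName -eq $ProviderName } | Select-Object -First 1
if (-not $key) { throw "No key named '$ProviderName' under $defaults" }
$image = $key.GetValue('Image Path')   # DLL the OS will load for this CSP
$type  = $key.GetValue('Type')         # provider type, e.g. 1 = PROV_RSA_FULL
if (-not $image -or $null -eq $type) { throw "Key '$($key.Name)' lacks Image Path or Type" }
"Key        : $($key.Name)"
"Image Path : $image"
"Type       : $type"
if ([IO.Path]::IsPathRooted($image) -and -not (Test-Path -LiteralPath $image)) {
    Write-Warning 'Image Path does not exist on disk'
}

# 2. Load test: CRYPT_VERIFYCONTEXT needs no key container, so a failure here
#    points at registration, DLL loading or the signature check, not at keys.
Add-Type -Namespace Native -Name Capi -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CryptAcquireContext(out IntPtr hProv, IntPtr container,
    string provider, uint provType, uint flags);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CryptReleaseContext(IntPtr hProv, uint flags);
'@
$CRYPT_VERIFYCONTEXT = [uint32]4026531840   # 0xF0000000
$nte = @{   # wincrypt error codes relevant to a freshly registered CSP
    0x80090006 = 'NTE_BAD_SIGNATURE'
    0x80090017 = 'NTE_PROV_TYPE_NOT_DEF'
    0x80090019 = 'NTE_KEYSET_NOT_DEF'
    0x8009001B = 'NTE_PROV_TYPE_NO_MATCH'
    0x8009001C = 'NTE_SIGNATURE_FILE_BAD'
    0x8009001D = 'NTE_PROVIDER_DLL_FAIL'
    0x8009001E = 'NTE_PROV_DLL_NOT_FOUND'
}
$hProv = [IntPtr]::Zero
if ([Native.Capi]::CryptAcquireContext([ref]$hProv, [IntPtr]::Zero, $ProviderName, [uint32]$type, $CRYPT_VERIFYCONTEXT)) {
    [void][Native.Capi]::CryptReleaseContext($hProv, 0)
    'CryptAcquireContext(CRYPT_VERIFYCONTEXT): OK'
} else {
    $err  = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $name = $nte[$err]; if (-not $name) { $name = 'see winerror.h' }
    'CryptAcquireContext failed: 0x{0:X8} ({1})' -f $err, $name
}
```

An NTE_BAD_SIGNATURE or NTE_SIGNATURE_FILE_BAD result with a correct registry entry isolates the problem to the signature itself rather than to registration.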


