Test Signing the CSP

A cryptographic service provider (CSP) DLL must be signed each time it is built. This includes each build of the CSP that is made for testing purposes. The CSP is signed digitally in a resource in the CSP DLL. This eliminates problems with signatures in the registry getting out of synchronization with the CSP binaries on the system.

Signature checking in the registry is still supported so that CSPs with signatures in that form continue to work. To support the same CSP binary on all operating systems, some CSPs may need to be signed both in the resource and in the registry by using the earlier signature form.

CSPs verify signatures on loaded DLLs by using the FuncVerifyImage callback function from the VTableProvStruc structure passed to the CSP with CPAcquireContext. To use the callback in this way, the pointer to the signature (the pSigData parameter of FuncVerifyImage) must be set to NULL.

The CSP must provide a 144-byte binary resource numbered 0x29A (decimal 666). The signature is placed in this resource.
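To illustrate the two requirements above (the NULL signature pointer passed to the verify-image callback, and the 144-byte resource numbered 0x29A), here is an added example that is not code from this topic or from any Microsoft sample: a portable C helper that runs a verify-image callback over the CSP module and its helper DLLs with the signature pointer set to NULL and fails closed on the first image that does not verify. The callback type, the csp_verify_images and csp_sig_resource_ok helpers and the fake verifier used for the self-check are assumptions for illustration; on Windows the callback would be the FuncVerifyImage member of the VTableProvStruc passed to CPAcquireContext.

```c
#include <stddef.h>
#include <string.h>

/* Shape of the verify-image callback: image path in, signature pointer in,
 * non-zero on success. Assumed here to mirror the FuncVerifyImage callback
 * handed to the CSP in VTableProvStruc, so this file builds without
 * Windows headers. */
typedef int (*verify_image_fn)(const char *image_path, const unsigned char *sig_data);

#define CSP_SIG_RESOURCE_ID   0x29A   /* decimal 666 */
#define CSP_SIG_RESOURCE_SIZE 144     /* bytes, as required by the topic */

/* Sanity-check the signature resource a CSP DLL carries before relying on it. */
int csp_sig_resource_ok(unsigned int resource_id, size_t resource_size)
{
    return resource_id == CSP_SIG_RESOURCE_ID && resource_size == CSP_SIG_RESOURCE_SIZE;
}

/* Verify each image through the callback with sig_data == NULL, which tells the
 * verifier to use the signature carried in the image's own resource rather
 * than one supplied by the caller. Stops at the first failure and reports
 * which image failed (fail closed: an unverifiable helper DLL must not be
 * loaded). Returns 1 if every image verified, 0 otherwise. */
int csp_verify_images(verify_image_fn verify, const char *const *images, size_t count,
                      const char **failed_image)
{
    size_t i;
    if (failed_image) *failed_image = NULL;
    if (verify == NULL || images == NULL) return 0;   /* no callback: refuse */
    for (i = 0; i < count; i++) {
        if (!verify(images[i], NULL)) {
            if (failed_image) *failed_image = images[i];
            return 0;
        }
    }
    return 1;
}

/* Constructed stand-in for the platform verifier, used only for the self-check:
 * it accepts a fixed set of "signed" image names and rejects everything else. */
int fake_verify_image(const char *image_path, const unsigned char *sig_data)
{
    static const char *const signed_images[] = { "myxcsp.dll", "myxhelper.dll" };
    size_t i;
    if (sig_data != NULL) return 0;   /* the CSP is expected to pass NULL */
    for (i = 0; i < sizeof signed_images / sizeof signed_images[0]; i++)
        if (strcmp(image_path, signed_images[i]) == 0) return 1;
    return 0;
}
```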

To create a CSP, consider using a makefile that incorporates this signing and registering procedure so that no steps are forgotten.

Cspsign tool

The Cspsign.exe tool signs CSP DLLs. Given a DLL file, the tool produces a signature file whose contents can be placed into the registry as discussed earlier in this topic and in Setting the User Default CSP.

Cspsign.exe takes three arguments:

cspsign {s|v} FileName SignatureFileName

The first argument must be s if a signature file is to be generated and v if an existing signature file is to be verified against the DLL file.

The second argument must be the fully qualified file name of the DLL file.

The third argument must be the fully qualified file name of the signature file.

For the CSP DLL file Myxcsp.dll, the following command generates a signature file. The signature file will be named Myxcsp.sig.

cspsign s myxcsp.dll myxcsp.sig

The Cspsign.exe file is part of the Cryptographic Service Provider Developer's Toolkit, which can be downloaded from the Cryptographic Service Provider Developer's Toolkit page.

Windows XP and Windows 2000: The Cryptographic Service Provider Developer's Toolkit is not supported. For testing purposes, you will need to use a kernel debugger. For more information, see Using a Kernel Debugger in The Smart Card Cryptographic Service Provider Cookbook.

Build date: 11/16/2009