BCryptSignHash function

The BCryptSignHash function creates a signature of a hash value.


  _In_     BCRYPT_KEY_HANDLE hKey,
  _In_opt_ VOID              *pPaddingInfo,
  _In_     PBYTE             pbInput,
  _In_     DWORD             cbInput,
  _Out_    PBYTE             pbOutput,
  _In_     DWORD             cbOutput,
  _Out_    DWORD             *pcbResult,
  _In_     ULONG             dwFlags


hKey [in]

The handle of the key to use to sign the hash.

pPaddingInfo [in, optional]

A pointer to a structure that contains padding information. The actual type of structure this parameter points to depends on the value of the dwFlags parameter. This parameter is only used with asymmetric keys and must be NULL otherwise.

pbInput [in]

A pointer to a buffer that contains the hash value to sign. The cbInput parameter contains the size of this buffer.

cbInput [in]

The number of bytes in the pbInput buffer to sign.

pbOutput [out]

The address of a buffer to receive the signature produced by this function. The cbOutput parameter contains the size of this buffer.

If this parameter is NULL, this function will calculate the size required for the signature and return the size in the location pointed to by the pcbResult parameter.

cbOutput [in]

The size, in bytes, of the pbOutput buffer. This parameter is ignored if the pbOutput parameter is NULL.

pcbResult [out]

A pointer to a ULONG variable that receives the number of bytes copied to the pbOutput buffer.

If pbOutput is NULL, this receives the size, in bytes, required for the signature.

dwFlags [in]

A set of flags that modify the behavior of this function. The allowed set of flags depends on the type of key specified by the hKey parameter.

This can be one of the following values.


Use the PKCS1 padding scheme. The pPaddingInfo parameter is a pointer to a BCRYPT_PKCS1_PADDING_INFO structure.


Use the Probabilistic Signature Scheme (PSS) padding scheme. The pPaddingInfo parameter is a pointer to a BCRYPT_PSS_PADDING_INFO structure.


Return value

Returns a status code that indicates the success or failure of the function.

Possible return codes include, but are not limited to, the following.

Return codeDescription

The function was successful.


The key handle specified by the hKey parameter is not valid.


The algorithm provider used to create the key handle specified by the hKey parameter is not a signing algorithm.


A memory allocation failure occurred.


The memory size specified by the cbOutput parameter is not large enough to hold the signature.



This function will encrypt the hash value with the specified key to create the signature.

To later verify that the signature is valid, call the BCryptVerifySignature function with an identical key and an identical hash of the original data.

Depending on what processor modes a provider supports, BCryptSignHash can be called either from user mode or kernel mode. Kernel mode callers can execute either at PASSIVE_LEVEL IRQL or DISPATCH_LEVEL IRQL. If the current IRQL level is DISPATCH_LEVEL, the handle provided in the hKey parameter must be derived from an algorithm handle returned by a provider that was opened with the BCRYPT_PROV_DISPATCH flag, and any pointers passed to the BCryptSignHash function must refer to nonpaged (or locked) memory.

To call this function in kernel mode, use Cng.lib, which is part of the Driver Development Kit (DDK). For more information, see WDK and Developer Tools.

Windows Server 2008 and Windows Vista:  To call this function in kernel mode, use Ksecdd.lib.


Minimum supported client

Windows Vista [desktop apps | Windows Store apps]

Minimum supported server

Windows Server 2008 [desktop apps | Windows Store apps]







See also