Digital Signature Mechanics
Applications sign or verify hash values by using the CryptSignHash and CryptVerifySignature functions. The application often specifies a description string, which must be added to the hash object before it is signed or verified.
The signature process typically goes something like this:
- The application creates a hash object by using CryptCreateHash.
- The application adds data to the hash object by using CryptHashData, CryptHashSessionKey, or both.
- The application calls the CryptSignHash function to sign the hash value, specifying a description string.
- The operating system layer accepts the CryptSignHash invocation, converts the description string to Unicode (if it isn't Unicode already), and then hands off the task to the CSP via the CPSignHash function.
- The CSP adds the Unicode description string to the hash object, via the CPHashData function. The terminating null character is not hashed in.
- The CSP completes the hash and obtains the hash value to be signed by using the CPGetHashParam function.
- The CSP takes the hash value, pads it out to the size of the public key modulus, and encrypts it by using the signature private key.
  The padding around the hash value must be in the format specified by the Public-Key Cryptography Standards (PKCS), available from RSA Data Security. The hash algorithm used must be encoded as described in PKCS #1, Section 6.3.
- The signature block is then returned to the application, via the operating system layer.
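
The steps above, traced in Python as an added example (not code from the original page or from any CSP): the data and the description string are hashed, the result is wrapped in a PKCS #1 v1.5 block the size of the modulus, and the block is run through the private key. Assumptions made here: SHA-256 as the hash algorithm, UTF-16LE as the Unicode form of the description, big-endian byte order, a toy key constructed from two Mersenne primes (not secure), and hypothetical function names.

```python
import hashlib
import hmac

# DER DigestInfo header for SHA-256 (PKCS #1 v1.5); the hash value follows it.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed toy key for illustration only: two Mersenne primes, NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus size in bytes

def hash_with_description(data: bytes, description: str) -> bytes:
    """Hash the data, then the description as UTF-16LE without its null."""
    h = hashlib.sha256()
    h.update(data)
    h.update(description.encode("utf-16-le"))  # terminating null not hashed
    return h.digest()

def pad_to_modulus(digest: bytes, k: int) -> bytes:
    """Build 00 01 FF..FF 00 || DigestInfo || hash, exactly k bytes long."""
    t = SHA256_DIGESTINFO + digest
    if k < len(t) + 11:
        raise ValueError("modulus too small for this hash algorithm")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(data: bytes, description: str) -> bytes:
    """Private-key operation over the padded block; returns K bytes."""
    block = pad_to_modulus(hash_with_description(data, description), K)
    return pow(int.from_bytes(block, "big"), D, N).to_bytes(K, "big")

def verify(data: bytes, description: str, signature: bytes) -> bool:
    """Rebuild the expected block and compare it whole with the recovered one."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    expected = pad_to_modulus(hash_with_description(data, description), K)
    return hmac.compare_digest(recovered, expected)
```

Because the description is part of the hashed input, a verifier that supplies a different description string rejects an otherwise valid signature. Comparing the whole re-encoded block, rather than parsing the padding, leaves no room for a leniently accepted malformed block.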