CSP

CSP configuration example settings
[CSP]
AcceptBothKeySet=0
:AlgorithmInfo=RC2,off;RC4,off;DES,off;MD5,off;ECDH,off;ECDSA,off
AllowCertificate=
:AllowEmptyMemoryStore=1
AllowSoftAtNewKeySet=0
AllowToken=0xFF
BlockDuringManagement=1
:CheckUpdateCounter=0
:CheckWinStationContainer=lsass.exe
ComponentDisable=0
ComponentEnable=1
ContainerNameMode=0
:DefaultCertificate=
:DefaultPin=
DeleteAtNewKeySet=0
DisableInsert=0
DisableRandom=0
DisableSilent=0
FriendlyName={subject:2.5.4.3} ({issuer:2.5.4.3})
:KeepConnected=0
:LoadMyself=0
NoInternalContainerName=0
:OtherStoreList=TrustedPeople;addressbook
ProviderName={product-name} - CSP
:ProviderType=1
RegisterCardPrefix={product-name} -
:RememberFailedAttempt=1
SortCertificate=0
StoreContainerName=1
UniqueContainerName=0
:UseCritical=1
VerifySignature=0

AcceptBothKeySet

Our CSP translates all certificates to unique containers, where the key type will be set based on the certificate key usage. Some applications have a problem understanding the use of key types and require the use of a specific key type instead of checking the certificate. This parameter allows both key types to be used and will return the same key.

[CSP]
AcceptBothKeySet=0

Values

0

off

1

on

AlgorithmInfo

The CSP supports all algorithms available from the PKCS#11 by default, but you can limit this list.

[CSP]
AlgorithmInfo=RC2,off;RC4,off;DES,off;MD5,off;ECDH,off;ECDSA,off

Values

RC2

Rivest Cipher 2

RC4

Rivest Cipher 4

DES

Data Encryption Standard

MD5

The MD5 message-digest algorithm.

ECDH

Elliptic-curve Diffie–Hellman

ECDSA

Elliptic Curve Digital Signature Algorithm

AllowCertificate

The CSP allows all certificates by default, but there are scenarios when some certificates should be ignored. This parameter specifies the matching condition to be fulfilled to allow a certificate.

[CSP]
AllowCertificate={MatchCertificateCSP}

Values

No matching condition allows all certificates. See Match for more information.

AllowEmptyMemoryStore

An application can ask the CSP for certificates using the memory store. The default behavior is to return success with an empty store, but it can also return an error when no certificates are found.

When calling CryptGetProvParam with the parameters PP_ROOT_CERTSTORE or PP_USER_CERTSTORE, this parameter controls the behavior when no certificates are available.

[CSP]
AllowEmptyMemoryStore=1

Values

0

CryptGetProvParam returns FALSE.

1

CryptGetProvParam returns TRUE, but the returned memory store is empty. 1 is the default value.

AllowSoftAtNewKeySet

Our CSP can create and generate new containers. This behavior is not very well documented. Thus, management applications have based their implementation on a specific CSP and expect the same behavior from other CSPs. This parameter was added to avoid the creation of unwanted soft tokens. Usually, the management software is only for smart cards.

[CSP]
AllowSoftAtNewKeySet=0

Values

0

off

1

on

AllowToken

The CSP allows all tokens by default, but there are scenarios when some tokens should be ignored. The AllowToken parameter specifies the matching condition.

[CSP]
AllowToken=0xFF

Values

See Tokens for more information.

BlockDuringManagement

During token management, there can be an eternal loop because of the behavior of the underlying security system. This parameter is added to avoid this loop.

[CSP]
BlockDuringManagement=1

Values

0

off

1

on

CheckUpdateCounter

There is no update detection included in the CSP specifications. Thus, we added a parameter that at least will read the current update counter to detect failures during diagnostics.

[CSP]
CheckUpdateCounter=0

Values

0

off

1

on

CheckWinStationContainer

The remote/virtual CSP will need to detect which desktop session is using a specific certificate. This is done automatically for processes running within a desktop, but it is not possible for the processes running as services.

[CSP]
CheckWinStationContainer=lsass.exe

Values

The value is a list of applications separated with a semicolon.

ComponentDisable, ComponentEnable

The ComponentDisable and ComponentEnable parameters allow the use of conditions to blacklist and whitelist an applications' use of the CSP.

[CSP]
ComponentDisable=0
ComponentEnable=1

Values

0

off

1

on

ContainerNameMode

The container name is usually generated from the certificate. But there are applications that have specific requirements on the container name format, so some container name modes are added.

[CSP]
ContainerNameMode=0

Values

0

"<certificate thumbprint> (<slotid>)"

1

"\\.\<slot name>\<certificate thumbprint> (<slotid>)"

3

"\\.\<slot name>\<certificate thumbprint>"

DefaultCertificate

Some applications require a default certificate. Use a matching condition to control the selection.

[CSP]
DefaultCertificate={Match}

DefaultPin

For diagnostic purposes, you can specify a default PIN value. This value is used instead of opening a PIN dialog.

[CSP]
DefaultPin=123456

DeleteAtNewKeySet

Some token management applications forget that smart cards have a limited store of potential private keys. This parameter always deletes an existing key before trying to generate a new key.

[CSP]
DeleteAtNewKeySet=0

Values

0

off

1

on

DisableInsert

There are situations when a calling application expects to use a smart card in a smart card reader, but the smart card is not present. Our CSP can show an insert smart card dialog or fail immediately.

[CSP]
DisableInsert=0

Values

0

off

1

on

DisableRandom

Earlier versions of Windows were able to speed up the logging on operations if the CSP did not provide any random values. The CSP can still disable the random generation but fill no purpose.

[CSP]
DisableRandom=0

Values

0

off

1

on

DisableSilent

The CRYPT_SILENT flag tells the CSP not to open any dialogs. But sometimes, the calling application has forgotten that a PIN dialog is needed, so a parameter is added to ignore this flag.

[CSP]
DisableSilent=0

Values

0

off

1

on

FriendlyName

The friendly name is the description that sometimes is used to represent the certificate. This parameter is used to specify the format of this text.

[CSP]
FriendlyName={subject:2.5.4.3} ({issuer:2.5.4.3})

KeepConnected

Set KeepConnected to 1 to always keep the PKCS11 component loaded.

Values

0

off

1

on

LoadMyself

The LoadMyself flag is used to load our library one extra time to avoid unloading. This was once recommended by Microsoft for performance reasons but is no longer recommended.

[CSP]
LoadMyself=0

Values

0

off

1

on

NoInternalContainerName

This parameter ignores all internal container names and only uses the default container name. This was needed for some long-forgotten applications.

[CSP]
NoInternalContainerName=0

Values

0

off

1

on

OtherStoreList

This parameter identifies the stores to use to read certificates that are not connected with the current user. That is when encrypting to other people.

[CSP]
OtherStoreList=TrustedPeople;addressbook

ProviderName

The provider name parameter specifies the name of the CSP.

[CSP]
ProviderName={product-name} - CSP

ProviderType

This parameter tells the provider type. There are some supported values according to CryptoAPI. We have been using RSA_FULL since the beginning, but we could also use RSA_AES.

#define PROV_RSA_FULL 1
#define PROV_RSA_AES 24

[CSP]
ProviderType=1

RegisterCardPrefix

The register card prefix tells the prefix to use when registering the supported smart cards.

[CSP]
RegisterCardPrefix={product-name} -

RememberFailedAttempt

A calling application can send the PIN to the CSP by using CryptSetProvParam. Normally each attempt will result in a call to the smart card. This parameter can be used to avoid the locking of the PIN. The last failed attempt with a specific PIN value and container will be remembered, and the call will return failed without an attempt to the smart card.

[CSP]
RememberFailedAttempt=1

Values

0

off

1

on

SortCertificate

The certificate can be sorted before it is returned to the calling application. This allows some kind of default certificate control but should probably not be used any longer since it only tells in what sequence the CSP will return certificates. The intended purpose is to control the sequence of certificates for a certificate selection dialog, but there are too many layers of interfaces to predict the outcome. For example, the order can be updated by CryptoAPI or the certificate selection dialog.

// 0x01 => Newest first
// 0x02 => Oldest first
// 0x04 => Invert

[CSP]
SortCertificate=0x00

StoreContainerName

The StoreContainerName parameter controls the token management application. The used container name can be stored and used later, or it can be ignored and only use the internal format.

[CSP]
StoreContainerName=1

Values

0

off

1

on

UniqueContainerName

A container name is used when opening a context towards the CSP (CryptAcquireContext). It is also possible to get the container name from the CSP (CryptGetProvParam) as either PP_CONTAINER or PP_UNIQUE_CONTAINER. This parameter allows for updating of the retrieved container name.

// 0x00 => Use container name specified at acquire context
// 0x1? => Both unique and non-unique name should be updated
// 0x?1 => Use "<unique container name>"
// 0x?2 => Use "\\.\<reader name>\<unique container name>"

[CSP]
UniqueContainerName=0

UseCritical

The UseCritical parameter adds a critical section for each CSP call. It blocks multi-threaded access and makes sure that each call is atomic.

[CSP]
UseCritical=1

Values

0

off

1

on

VerifySignature

The VerifySignature parameter verifies each created signature. It allows failed verifications but adds a warning message to the trace.

[CSP]
VerifySignature=0

Values

0

off

1

on