Extending CryptoAPI

CryptoAPI has been designed to be easily extensible. New types and parameters can be defined by any cryptographic service provider (CSP) author to make CryptoAPI bend to the requirements of a wide variety of situations.

Extensible items Comment
Provider types
A provider type represents a particular family or type of cryptographic services. New provider types can be defined, each serving a particular niche.
Provider parameters
Provider parameters are sent and received using CPSetProvParam and CPGetProvParam, respectively. New provider parameters could allow a CSP to be configured in ways not foreseen by the CryptoAPI designers.
Algorithm identifiers
The enumeration facilities of CPGetProvParam allow applications to list algorithm identifiers dynamically. New symmetric, public key, and hash algorithms can be defined at any time.
Public/private key pair types
While new key pair types can be defined as needed, currently only signature and key exchange key pairs are used.
Key BLOB types
New key BLOB types could permit session keys, public keys, and public/private key pairs to be exchanged in a flexible manner using the CPExportKey and CPImportKey functions.
Key parameters
Key parameters are sent and retrieved using CPSetKeyParam and CPGetKeyParam. New key parameters could enable support for many different types of keys.
Hash object parameters
Hash object parameters are sent and retrieved using CPSetHashParam and CPGetHashParam. New hash object parameters could enable support for many different types of hashes.
Flag values
Most CryptoAPI/CryptoSPI functions have a dwFlags parameter. New dwFlags values could modify the behavior of functions as necessary.


Extensions to CryptoAPI must be made in a responsible manner. Before defining new parameters and algorithm types, a CSP developer should consult Microsoft Corporation, so that:

  • Common CryptoAPI extensions can be identified and placed into the standard Wincrypt.h file.
  • Namespace collisions can be avoided.
  • It can be determined whether the extension is required, or whether a particular operation can be achieved by using the current API.


For a CSP to be compatible with applications developed for the Microsoft Base Cryptographic Provider, it must support all of the preceding items as described in Base Cryptography Functions and in Cryptography Service Provider Functions.