BCryptSignHash function (bcrypt.h)

The BCryptSignHash function creates a signature of a hash value.


NTSTATUS BCryptSignHash(
  [in]           BCRYPT_KEY_HANDLE hKey,
  [in, optional] VOID              *pPaddingInfo,
  [in]           PUCHAR            pbInput,
  [in]           ULONG             cbInput,
  [out]          PUCHAR            pbOutput,
  [in]           ULONG             cbOutput,
  [out]          ULONG             *pcbResult,
  [in]           ULONG             dwFlags


[in] hKey

The handle of the key to use to sign the hash.

[in, optional] pPaddingInfo

A pointer to a structure that contains padding information. The actual type of structure this parameter points to depends on the value of the dwFlags parameter. This parameter is only used with asymmetric keys and must be NULL otherwise.

[in] pbInput

A pointer to a buffer that contains the hash value to sign. The cbInput parameter contains the size of this buffer.

[in] cbInput

The number of bytes in the pbInput buffer to sign.

[out] pbOutput

The address of a buffer to receive the signature produced by this function. The cbOutput parameter contains the size of this buffer.

If this parameter is NULL, this function will calculate the size required for the signature and return the size in the location pointed to by the pcbResult parameter.

[in] cbOutput

The size, in bytes, of the pbOutput buffer. This parameter is ignored if the pbOutput parameter is NULL.

[out] pcbResult

A pointer to a ULONG variable that receives the number of bytes copied to the pbOutput buffer.

If pbOutput is NULL, this receives the size, in bytes, required for the signature.

[in] dwFlags

A set of flags that modify the behavior of this function. The allowed set of flags depends on the type of key specified by the hKey parameter.

This can be one of the following values.

Value Meaning
Use the PKCS1 padding scheme. The pPaddingInfo parameter is a pointer to a BCRYPT_PKCS1_PADDING_INFO structure.
Use the Probabilistic Signature Scheme (PSS) padding scheme. The pPaddingInfo parameter is a pointer to a BCRYPT_PSS_PADDING_INFO structure.

Return value

Returns a status code that indicates the success or failure of the function.

Possible return codes include, but are not limited to, the following.

Return code Description
The function was successful.
The key handle specified by the hKey parameter is not valid.
The algorithm provider used to create the key handle specified by the hKey parameter is not a signing algorithm.
A memory allocation failure occurred.
The memory size specified by the cbOutput parameter is not large enough to hold the signature.


This function will encrypt the hash value with the specified key to create the signature.

To later verify that the signature is valid, call the BCryptVerifySignature function with an identical key and an identical hash of the original data.

Depending on what processor modes a provider supports, BCryptSignHash can be called either from user mode or kernel mode. Kernel mode callers can execute either at PASSIVE_LEVEL IRQL or DISPATCH_LEVEL IRQL. If the current IRQL level is DISPATCH_LEVEL, the handle provided in the hKey parameter must be derived from an algorithm handle returned by a provider that was opened with the BCRYPT_PROV_DISPATCH flag, and any pointers passed to the BCryptSignHash function must refer to nonpaged (or locked) memory.

To call this function in kernel mode, use Cng.lib, which is part of the Driver Development Kit (DDK). Windows Server 2008 and Windows Vista:  To call this function in kernel mode, use Ksecdd.lib.


Minimum supported client Windows Vista [desktop apps | UWP apps]
Minimum supported server Windows Server 2008 [desktop apps | UWP apps]
Target Platform Windows
Header bcrypt.h
Library Bcrypt.lib
DLL Bcrypt.dll

See also