RE: CryptExportKey questions



1. You normally export a public key wrapped with a SYMMETRIC key (eg. AES
key). Either you inject that key, or generate within the container (eg.
derive it from a password).
1.b You usually import a public key (CryptImportKey) and that operation will
give you back a key handle.
2. No, you would need the handles within the same CSP. One CSP's handle
(just a value) means absolutely nothing in another CSP. Normally you would
have both keys within the same container (ie. within the same acquired
context). If one key is somewhere else, you would need to export it from there
and import it where you want to do your key wrap (CryptExportKey) operation.
3. That's correct. The point of the export key is to encrypt the other key
with it. So if it's NULL, the key you are exporting will be in cleartext.

Laszlo Elteto
SafeNet, Inc.

"necesito.burrito@xxxxxxxxx" wrote:

Hi there,

I am generating a key pair AT_SIGNATURE and I must export that public/
private key pair. My test code seems to work, but I have some questions
on CryptExportKey.

1. I have only been able to export the blob (PRIVATEKEYBLOB) when I
set hExpKey to NULL. Otherwise, while I have a key pair AT_EXCHANGE
from the same CSP, the operation would fail with NTE_BAD_KEY. Does
CryptExportKey need a handle to a key container or to a public key as
hExpKey? How can I obtain a handle to a public key with CAPI?
2. The documentation says that the hKey and hExpKey must come from the
same CSP. Is there a way to overcome that?
3. I assume that if hExpKey is NULL the blob won't be encrypted, will
it?

Regards,
