CNG API: using primitive function with key stored in Microsoft KSP

  • My question is about a use case with the CNG API and Microsoft providers. I'm not writing a code sample because I am asking for your help about the best way to use the CNG API in my application compared to the CSP API.

    I built an application which uses symmetric keys stored using these steps:

    • enumerate certificates in the "My" store using CertFindCertificateInStore
    • for each certificate found, ask for private key information using CertGetCertificateContextProperty
    • for each private key information found, store the provider name (pwszProvName) and the container name (pwszContainerName)

    Then, when a key is found, my application performs the signature function with the private key found, using the CSP API:

    • Initialize the provider operation using CryptAcquireContext with pwszProvName and pwszContainerName
    • Compute the signature using the CSP functions CryptCreateHash, CryptHashData and CryptSignHash

    All is OK with the CSP functions.

    Now I try the signature operation using the CNG API:

    • Initialize the provider operation using NCryptOpenStorageProvider with pwszProvName
    • Opening the algorithm provider using the CNG function BCryptOpenAlgorithmProvider fails with STATUS_NOT_FOUND

    This error happens when the private key is stored in the Microsoft Software Key Storage Provider. Reading the Microsoft documentation, I understand that this type of provider is a KSP provider, and only offers functions for key management. That's why it fails when I try a primitive function: I need to use a "Primitive Provider".

    I found the way to use a CNG provider following these steps:

    • Windows Server 2008: create a certificate template with a provider requirement (on the "Encryption" tab). The only provider available is "Microsoft Software Key Storage Provider".
    • Windows 7: the user asks for key generation, and the key is stored in the Microsoft KSP.

    So here are my questions:

    • Is it normal that I can't perform primitive functions with the "Microsoft Software Key Storage Provider"?

    • If I can't perform primitive functions (signature, encryption, decryption, hash) with the Microsoft KSP (which is a KSP provider), how can I make my private key stored and managed in a Microsoft Primitive Provider?

    My trouble here is that with the CSP API, the default Microsoft CSP provider performs the signature (and decryption, encryption, etc.) functions. But with the CNG API, the default provider only performs key storage management.

    Friday, January 23, 2015 3:34 PM
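As an added example (not code from the original post), here is how a KSP-held key is used for signing under CNG: the key is opened through the key storage API with the same pwszProvName/pwszContainerName pair the CSP path uses, the hash is computed by the BCrypt primitive provider, and the signature is produced through the key handle; the second function shows how to tell CSP-held keys from KSP-held ones when walking the "My" store. It uses the .NET wrappers over NCrypt/BCrypt (CngKey, RSACng, ECDsaCng) and assumes .NET Framework 4.6 or later on Windows with a certificate whose key was generated into the Microsoft Software Key Storage Provider.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post. CngKey.Open maps onto NCryptOpenStorageProvider +
// NCryptOpenKey, and RSACng/ECDsaCng.SignData hashes the data with the BCrypt primitive
// provider and then calls NCryptSignHash on the key handle. The KSP name is never passed to
// BCryptOpenAlgorithmProvider (doing so is the likely source of STATUS_NOT_FOUND).
static class KspSigning
{
    // provName / containerName are the pwszProvName / pwszContainerName values read from
    // CERT_KEY_PROV_INFO_PROP_ID, the same ones the CSP code path hands to CryptAcquireContext.
    public static byte[] SignWithKspKey(string provName, string containerName, byte[] data)
    {
        var provider = new CngProvider(provName); // e.g. "Microsoft Software Key Storage Provider"
        using (CngKey key = CngKey.Open(containerName, provider))
        {
            if (key.AlgorithmGroup == CngAlgorithmGroup.Rsa)
                using (var rsa = new RSACng(key))
                    return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            if (key.AlgorithmGroup == CngAlgorithmGroup.ECDsa)
                using (var ecdsa = new ECDsaCng(key))
                    return ecdsa.SignData(data, HashAlgorithmName.SHA256);
            throw new CryptographicException("Unsupported key type: " + key.AlgorithmGroup);
        }
    }

    // Walks the "My" store like CertFindCertificateInStore does. The concrete type returned by
    // GetRSAPrivateKey() tells you which API family holds the key: RSACng for a KSP key
    // (sign with NCrypt*), RSACryptoServiceProvider for a legacy CSP key (CryptSignHash).
    public static void ListSigningKeys()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            foreach (X509Certificate2 cert in store.Certificates)
            {
                if (!cert.HasPrivateKey) continue;
                using (RSA rsa = cert.GetRSAPrivateKey()) // null for non-RSA keys
                {
                    string family = rsa == null ? "non-RSA key" :
                                    rsa is RSACng ? "CNG/KSP (NCrypt*)" :
                                    rsa is RSACryptoServiceProvider ? "CSP (CryptSignHash)" : "other";
                    Console.WriteLine($"{cert.Subject}: {family}");
                }
            }
        }
    }
}
```

Verify each signature with the certificate's public key (cert.GetRSAPublicKey().VerifyData(...)) before trusting the code path, so a key opened from the wrong provider or container is caught locally.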