Is it possible to export an EC private key from the certificate store?

  • Question

  • I tried to export a private key from the certificate store with the CNG API. It works fine when exporting an RSA private key, but fails for an EC private key.

    NCryptSetProperty() always fails with 0x8009000b. I have no idea why.

    Here is my code:

        // Get an NCrypt (CNG) handle to the certificate's private key.
        if (!CryptAcquireCertificatePrivateKey(
            pSignerCert,
            CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG,
            NULL,
            &hKey,
            &dwKeySpec,
            NULL))
        {
            MyHandleError(const_cast<LPTSTR>("AcquireCertificatePrivateKey Failed."));
            goto End;
        }

        // Try to make the key plaintext-exportable. This is the call that fails with 0x8009000b.
        KeyPolicy = NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG | NCRYPT_ALLOW_EXPORT_FLAG;
        if (FAILED(secStatus = NCryptSetProperty(
            hKey,
            NCRYPT_EXPORT_POLICY_PROPERTY,
            (PBYTE)&KeyPolicy,
            sizeof(KeyPolicy),
            0)))
        {
            wprintf(L"**** Error 0x%x returned by NCryptSetProperty\n", secStatus);
            goto End;
        }

        // First call with a NULL buffer to learn the required blob size.
        if (FAILED(secStatus = NCryptExportKey(
            hKey,
            NULL,
            BCRYPT_ECCPRIVATE_BLOB,
            NULL,
            NULL,
            0,
            &cbBlob,
            0)))
        {
            wprintf(L"**** Error 0x%x returned by NCryptExportKey\n", secStatus);
            goto End;
        }

        pbBlob = (PBYTE)HeapAlloc(GetProcessHeap(), 0, cbBlob);
        if (NULL == pbBlob)
        {
            wprintf(L"**** memory allocation failed\n");
            goto End;
        }

        // Second call fills the buffer.
        if (FAILED(secStatus = NCryptExportKey(
            hKey,
            NULL,
            BCRYPT_ECCPRIVATE_BLOB,
            NULL,
            pbBlob,
            cbBlob,
            &cbBlob,
            0)))
        {
            //wprintf(L"**** Error 0x%x returned by NCryptExportKey\n", secStatus);
            goto End;
        }




    • Edited by _Wayne56 Tuesday, March 31, 2020 5:44 AM
    Tuesday, March 31, 2020 5:42 AM

Answers

  • Hello 頑張る,

    Sorry for the delay. I've consulted the related engineer for helping on this issue and he is working on it.

    Could you help confirm whether you can export the EC private key using the certificate management application (certmgr)?

    Best regards,

    Rita


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Hi Rita,

    I can export the EC private key using the certificate management application, but can't export it via the CNG API.

    I found that the EC private key's property (NCRYPT_EXPORT_POLICY_PROPERTY) didn't have NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG. I tried to call NCryptSetProperty(), but it failed.

    Then, I found a method to export EC private key, refer to this question and this page.

    I exported the PFX and imported it again, then got the private key handle. I set the property on this handle and exported the private key!

    If you have better method, please share here.

    Thanks a lot.


    Tuesday, April 21, 2020 5:38 AM
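The workaround described in this answer, written out as an added example that is not code from the thread or from Microsoft. It is PowerShell (Windows PowerShell 5.1 or PowerShell 7 on Windows) driving the same CNG key through .NET's X509Certificate2 and CngKey wrappers. The reason the round trip works is visible in the export policy: NCRYPT_ALLOW_EXPORT_FLAG lets the key leave the KSP only in encrypted form, which is exactly what a PFX export does, while BCRYPT_ECCPRIVATE_BLOB and an unencrypted NCRYPT_PKCS8_PRIVATE_KEY_BLOB (no password parameter, as in the posted code) also need NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG. The PFX import creates a fresh key whose policy includes the plaintext flag. The thumbprint, store path and output file are placeholders.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example (not code from the thread or from Microsoft): the accepted
# answer's workaround, PFX out and back in, using .NET's wrappers over the same
# CNG key. Thumbprint, store path and output file are placeholders.
function Export-EcPrivateKeyViaPfx {
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,
        [Parameter(Mandatory = $true)] [string] $OutFile,   # receives PLAINTEXT PKCS#8 DER
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )
    $cert = Get-Item -Path "$StorePath\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "$Thumbprint has no private key in $StorePath" }

    # 1. PFX export, the path certmgr uses. It needs only NCRYPT_ALLOW_EXPORT_FLAG
    #    because the key leaves the KSP encrypted under the PFX password.
    $pwBytes = New-Object byte[] 32
    [RandomNumberGenerator]::Create().GetBytes($pwBytes)
    $pfxPassword = [Convert]::ToBase64String($pwBytes)   # one-time password, never stored
    try {
        $pfx = $cert.Export([X509ContentType]::Pfx, $pfxPassword)
    } catch {
        throw "PFX export refused, so the key is not exportable in any form: $($_.Exception.Message)"
    }

    # 2. Re-import as a new, Exportable key. The copy is created with
    #    AllowExport | AllowPlaintextExport, the policy NCryptSetProperty could
    #    not add to the original key.
    $copy = [X509Certificate2]::new($pfx, $pfxPassword, [X509KeyStorageFlags]::Exportable)
    $copyEcdsa = [ECDsaCertificateExtensions]::GetECDsaPrivateKey($copy)
    if ($null -eq $copyEcdsa) { $copy.Dispose(); throw "$Thumbprint is not an ECDSA certificate" }
    $copyKey = ([ECDsaCng]$copyEcdsa).Key
    try {
        # 3. Plaintext export now succeeds (NCRYPT_PKCS8_PRIVATE_KEY_BLOB, as in the
        #    April 7 post; EccPrivateBlob would give BCRYPT_ECCPRIVATE_BLOB instead).
        $pkcs8 = $copyKey.Export([CngKeyBlobFormat]::Pkcs8PrivateBlob)
        [System.IO.File]::WriteAllBytes($OutFile, $pkcs8)
        [pscustomobject]@{
            Thumbprint = $Thumbprint
            CopyPolicy = $copyKey.ExportPolicy.ToString()
            Pkcs8Bytes = $pkcs8.Length
            OutFile    = $OutFile
        }
    } finally {
        # 4. The import persisted a second, plaintext-exportable copy of the key in
        #    the user's key store. Delete it so the workaround leaves nothing behind;
        #    Delete() also closes the handle.
        $copyKey.Delete()
        $copy.Dispose()
        [Array]::Clear($pwBytes, 0, $pwBytes.Length)
    }
}

# Usage: Export-EcPrivateKeyViaPfx -Thumbprint 0123456789ABCDEF0123456789ABCDEF01234567 -OutFile C:\keys\ec.p8
#        openssl pkey -inform DER -in C:\keys\ec.p8 -text -noout   # inspect the result
```

Two practitioner notes. First, the output file holds the unencrypted private key; write it only where it is needed and remove it afterwards. Second, the fact that this works at all shows what the export policy does and does not protect: a key marked AllowExport without AllowPlaintextExport is still fully recoverable by anyone who can call the PFX export, so the plaintext flag is a convenience setting, not an access control. If the key must not leave the machine, it has to be created without NCRYPT_ALLOW_EXPORT_FLAG in the first place (or kept in a hardware-backed KSP).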

All replies

  • Hello 頑張る,

    I can reproduce this issue.

    When I query NCRYPT_EXPORT_POLICY_PROPERTY for the ECC private key, it returns NCRYPT_ALLOW_EXPORT_FLAG, indicating that this key allows export. But executing the export with NCryptExportKey results in error 0x80090029 (The requested operation is not supported.)

    When I change BCRYPT_ECCPRIVATE_BLOB to BCRYPT_ECCPUBLIC_BLOB, it succeeds.

    So it seems the public key supports export but the private key doesn't.

    Could you share your ECC private key use case? Maybe we can find another way.

    Best regards,

    Rita



    Tuesday, March 31, 2020 9:33 AM
    Hi Rita,

    I tried to export the private key in PKCS#8 format. Again, RSA OK, ECC failed. Do you have any idea?

    Is there any document from MS saying that EC private keys don't support export?

    Code:

    	if (!CryptAcquireCertificatePrivateKey(
    		pSignerCert,
    		CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG,
    		NULL,
    		&hKey,
    		&dwKeySpec,
    		NULL))
    	{
    		MyHandleError(const_cast<LPTSTR>("AcquireCertificatePrivateKey Failed."));
    		goto End;
    	}
    
    
    	if (FAILED(secStatus = NCryptExportKey(
    		hKey,
    		NULL,
    		NCRYPT_PKCS8_PRIVATE_KEY_BLOB,
    		NULL,
    		NULL,
    		0,
    		&cbBlob,
    		0)))
    	{
    		wprintf(L"**** Error 0x%x returned by NCryptExportKey\n", secStatus);
    		goto End;
    	}
    
    	pbBlob = (PBYTE)HeapAlloc(GetProcessHeap(), 0, cbBlob);
    	if (NULL == pbBlob)
    	{
    		wprintf(L"**** memory allocation failed\n");
    		goto End;
    	}
    
    
    	if (FAILED(secStatus = NCryptExportKey(
    		hKey,
    		NULL,
    		NCRYPT_PKCS8_PRIVATE_KEY_BLOB,
    		NULL,
    		pbBlob,
    		cbBlob,
    		&cbBlob,
    		0)))
    	{
    		wprintf(L"**** Error 0x%x returned by NCryptExportKey\n", secStatus);
    		goto End;
    	}

    Tuesday, April 7, 2020 1:59 AM
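The two observations in the replies above, Rita's (the public blob exports, the private blob returns 0x80090029) and the question's (NCryptSetProperty returns 0x8009000b, and the PKCS#8 format fails the same way as BCRYPT_ECCPRIVATE_BLOB), can be reproduced in one run with the following added PowerShell probe, which is not from the thread. It uses .NET's CngKey wrapper, which calls NCryptGetProperty, NCryptSetProperty and NCryptExportKey underneath. The HRESULT names are the standard NTE_* codes from winerror.h: 0x8009000B is NTE_BAD_KEY_STATE and 0x80090029 is NTE_NOT_SUPPORTED. The thumbprint and store path are placeholders.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example (not code from the thread): probe a store certificate's EC key
# the way the posts above do, through .NET's CngKey wrapper over NCrypt.
# The thumbprint and store path are placeholders for the demonstration.
function Get-NteName {
    param([int] $HResult)
    # NTE_* values from winerror.h: the two seen in the thread plus the one a
    # key that is not exportable in any form returns.
    $names = @{
        '8009000B' = 'NTE_BAD_KEY_STATE'   # key not valid for use in specified state
        '80090010' = 'NTE_PERM'            # access denied
        '80090029' = 'NTE_NOT_SUPPORTED'   # the requested operation is not supported
    }
    $hex = '{0:X8}' -f $HResult
    if ($names.ContainsKey($hex)) { return "0x$hex $($names[$hex])" }
    return "0x$hex"
}

function Get-FailureText {
    param([System.Management.Automation.ErrorRecord] $ErrorRecord)
    # A .NET method that throws surfaces as MethodInvocationException wrapping
    # the CryptographicException that carries the NCrypt HRESULT.
    $ex = $ErrorRecord.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }
    return 'FAILED {0} ({1})' -f (Get-NteName $ex.HResult), $ex.Message
}

function Test-CngKeyExport {
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )
    $cert = Get-Item -Path "$StorePath\$Thumbprint"
    $ecdsa = [ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
    if ($null -eq $ecdsa) { throw "$Thumbprint has no ECDSA private key" }
    $key = ([ECDsaCng]$ecdsa).Key

    # NCRYPT_EXPORT_POLICY_PROPERTY as the CngExportPolicies flags:
    # AllowExport = 1 (encrypted export such as PFX), AllowPlaintextExport = 2
    # (needed for ECCPRIVATEBLOB and unencrypted PKCS#8).
    [pscustomobject]@{ Step = 'Export Policy'; Result = $key.ExportPolicy.ToString() }

    # The NCryptSetProperty call from the question, via CngKey.SetProperty.
    $wanted = [BitConverter]::GetBytes([int]3)   # NCRYPT_ALLOW_EXPORT_FLAG | NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
    $prop = [CngProperty]::new('Export Policy', $wanted, [CngPropertyOptions]::Persist)
    try {
        $key.SetProperty($prop)
        [pscustomobject]@{ Step = 'SetProperty'; Result = 'OK' }
    } catch {
        [pscustomobject]@{ Step = 'SetProperty'; Result = (Get-FailureText $_) }
    }

    # Rita's test: the public blob, then the two private formats the thread tried.
    $formats = @(
        [CngKeyBlobFormat]::EccPublicBlob      # BCRYPT_ECCPUBLIC_BLOB
        [CngKeyBlobFormat]::EccPrivateBlob     # BCRYPT_ECCPRIVATE_BLOB
        [CngKeyBlobFormat]::Pkcs8PrivateBlob   # NCRYPT_PKCS8_PRIVATE_KEY_BLOB (unencrypted)
    )
    foreach ($fmt in $formats) {
        try {
            $blob = $key.Export($fmt)
            [pscustomobject]@{ Step = "Export $($fmt.Format)"; Result = "OK, $($blob.Length) bytes" }
        } catch {
            [pscustomobject]@{ Step = "Export $($fmt.Format)"; Result = (Get-FailureText $_) }
        }
    }
    $ecdsa.Dispose()
}

# Usage: Test-CngKeyExport -Thumbprint 0123456789ABCDEF0123456789ABCDEF01234567 | Format-Table -AutoSize
```

On a key whose policy reads only AllowExport, the table shows the public blob succeeding and both private formats failing, which matches the replies above; an RSA key that was created with the plaintext flag passes all three, which is why the same code "worked" for RSA in the question. The probe only reads and reports; it does not write key material anywhere.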
  • Hello 頑張る,

    Sorry for the delay. I've consulted the related engineer for helping on this issue and he is working on it.

    Could you help confirm whether you can export the EC private key using the certificate management application (certmgr)?

    Best regards,

    Rita



    Tuesday, April 21, 2020 1:37 AM
  • Hello 頑張る,

    Thanks for your confirmation, and glad to hear you exported the private key successfully!

    I'll consult the related engineer about whether there is a better method.

    Best regards,

    Rita



    Wednesday, April 22, 2020 3:47 AM