CNG: Get BCRYPT_ECCPRIVATE_BLOB from PFX, PKCS#12 (PFXImportCertStore, NCryptExportKey) RRS feed

  • Question

  • I want to import a ECC DSA key from a PFX file into a 3rd party key storage provider (hardware security device). I try to PFXImportCertStore and NCryptExportKey in order to get hold of a BCRYPT_ECCPRIVATE_BLOB that could be imported to the target key storage provider.

    1. PFXImportCertStore to import the PFX

    2. Get certificate context

    3. CertGetCertificateContextProperty

    3. NCryptOpenStorageProvider

    4. NCryptOpenKey

    5. NCryptExportKey

    Currently I am facing the following problems:

    PFXImportCertStore accepts a CRYPT_EXPORTABLE flag. However there is no means of setting NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG on the resulting key object. NCRYPT_EXPORT_POLICY_PROPERTY is set to NCRYPT_ALLOW_EXPORT_FLAG. That means NCryptExportKey cannot be used with hExportKey = 0. (I was able to successfully export keys created with NCryptCreatePersistedKey and setting NCRYPT_EXPORT_POLICY_PROPERTY = NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG. It is also possible to export an NCRYPT_OPAQUETRANSPORT_BLOB with hExportKey = 0. NCRYPT_OPAQUETRANSPORT_BLOB seems to contain the private key as it can be used to restore the key into another Microsoft KSP - but of course it is useless with a 3rd party KSP.).

    I understand that I should use an export key to wrap the ECC private key. It is not possible to use symmetric keys for wrapping as Microsoft Key Storage Provider does not support symmetric keys. Is NCRYPT_PKCS7_ENVELOPE_BLOB an option? I played around a bit with this but did not get to a solution.

    Can anyone provide a working example of this?

    Tuesday, April 3, 2012 6:06 PM

All replies

  • if you can't find a simple way to export the key, you might try the approach of http://support.microsoft.com/kb/228786  

    "Because the key exponent is one, both the encryption and decryption do nothing to the plain text, and thus essentially leave the session key in plain text."

    Tuesday, April 3, 2012 8:45 PM
  • Unfortunately the example is for CAPI not CNG.

    Currently I am not even able to export the ECC private key as wrapped key using CNG. The documentation for NCryptExportKey() using either NCRYPT_PKCS7_ENVELOPE_BLOB or NCRYPT_PKCS8_PRIVATE_KEY_BLOB is quite poor. Therefore I am looking for an example of NCryptExportKey().

    Wednesday, April 4, 2012 8:17 AM
  • It is true that PFXImport will import the key and set its export policy to NCRYPT_ALLOW_EXPORT_FLAG if CRYPT_EXPORTABLE is set on the call to PFXImport.

    If I understand you correctly, you are having trouble exporting the key you just imported using NCryptExportKey. I haven't actually done this, but can't you just get another key [let's say an RSA key pair] and call NCryptOpenKey on it to get the key handle and then pass that into NCryptExportKey hExportKey parameter. I think you would want the blob type to be NCRYPT_OPAQUETRANSPORT_BLOB. It seems straightforward enough, but I haven't done this so maybe I am missing out on some details.


    Friday, April 6, 2012 12:21 AM
  • Have you found a solution? I am trying to do the same thing. I am wondering if I should parse the PFX file to extract the private key.

    Monday, December 9, 2013 8:03 PM