API
PitSullivan, 2014-09-26 05:05:50

How to import cryptographic keys into a crypto provider context?

Let's go straight to the heart of the matter.
Given a PFX file: the key pair has to be extracted from it and written to an eToken. It would seem nothing complicated: hook up CryptoAPI, go to MSDN and figure it out. However, the abundance of functions this interface offers for the various cryptographic operations will surely make even an experienced developer's head spin (which, by the way, I am not yet). The SDK I am working with has an example of how this could be done. However, my implementation, to put it mildly, does not work properly for some reason. To be honest, it does not work at all. The program terminates with an NTE_NO_KEY error. The error is raised by the CryptGetUserKey function.
Having no experience with CAPI, nor any idea of how to extract the keys, I began studying the ready-made example in order to follow the train of thought of the programmer who wrote it. Here is what I was able to extract from that code:
1. First, you need to verify the PFX container (PFXIsPFXBlob and PFXVerifyPassword will help us with this).
2. Then you need to import the contents of the container into a temporary store (let's call it CertStore).
3. After that, you need to find the public-key certificate in this store and get information about the required cryptographic provider (which can be done with the CertEnumCertificatesInStore and CertGetCertificateContextProperty functions, passing CERT_KEY_PROV_INFO_PROP_ID as the dwPropId argument).
4. Next, you need to get a handle to the required CSP (CryptAcquireContext to the rescue).
5. Finally, we need to get a handle to the key container in the context of the crypto provider and extract the keys from it (CryptGetUserKey and CryptExportKey will help us with this).
6. After that, we can do whatever we want with them (within the limits of what is permitted).
So, the program "falls over" at the fifth step with the error "The key requested by the dwKeySpec parameter does not exist". The value of the dwKeySpec parameter can be either AT_KEYEXCHANGE or AT_SIGNATURE. The first value is the one passed as the argument.
After reading the descriptions of the CryptAcquireContext and CryptGetUserKey functions, I came to the conclusion that they only return handles to the corresponding contexts (the crypto provider and the key container inside it). However, I did not explicitly initialize the key container with the keys anywhere. So where do they come from? This might explain the error that occurred. Then the question arises: if there are no missed steps in this sequence of actions, how do the keys get into the CSP container, and what is the reason for the error?
If something is missing, then what exactly?
I apologize for the size of the post. I tried to describe the problem in as much detail as possible.
IMPORTANT UPDATE: I am sorry for misleading you, the example program does work correctly! It is my version that does not work, and it differs from the original only in that the libraries I need are linked dynamically. From this we can conclude that there are no missed steps here. However, the question of how the keys get into the container remains open.
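The six steps listed in the question, as an added example that is not part of the original post or of the vendor SDK sample, expressed through the .NET wrappers that Windows PowerShell 5.1 exposes over the same CryptoAPI calls: the X509Certificate2 PFX constructor calls PFXImportCertStore, CspKeyContainerInfo returns the same provider name, container name and key spec that CERT_KEY_PROV_INFO_PROP_ID carries, and ExportCspBlob is CryptExportKey with a PRIVATEKEYBLOB. The path and password are placeholders, and the PFX is assumed to hold an exportable RSA key bound to a legacy CSP rather than a CNG key storage provider.

```powershell
# Added example, not code from the original post or the vendor SDK.
# Mirrors the CryptoAPI sequence through the .NET wrappers in Windows
# PowerShell 5.1: PFXImportCertStore -> CERT_KEY_PROV_INFO_PROP_ID ->
# CryptAcquireContext/CryptGetUserKey -> CryptExportKey(PRIVATEKEYBLOB).
# Assumptions: the PFX holds an exportable RSA key bound to a legacy CSP
# (not a CNG key storage provider); path and password are placeholders.
function Export-CspPrivateKeyBlob {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $PfxPassword
    )

    # Steps 1-2: verify the password and import into a temporary store.
    # The constructor calls PFXImportCertStore; a wrong password or a
    # non-PFX file surfaces here as a CryptographicException.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    try {
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList $PfxPath, $PfxPassword, $flags
    } catch {
        throw "PFX import failed (bad password or not a PFX blob): $($_.Exception.Message)"
    }
    if (-not $cert.HasPrivateKey) {
        throw 'The PFX carries no private key, so no CSP container was created.'
    }

    # Step 3: the CERT_KEY_PROV_INFO_PROP_ID equivalent. PFXImportCertStore
    # has already created the container in the CSP named inside the PFX,
    # imported the key, and attached container/provider/key-spec to the cert.
    try { $rsa = $cert.PrivateKey } catch { $rsa = $null }
    if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
        throw 'Private key is not in a legacy CSP; CryptAcquireContext cannot open it (CNG key, or not RSA).'
    }
    $info = $rsa.CspKeyContainerInfo

    # Steps 4-5: these are the exact values CryptAcquireContext and
    # CryptGetUserKey need. KeyNumber is dwKeySpec: Exchange = AT_KEYEXCHANGE (1),
    # Signature = AT_SIGNATURE (2). Asking for the other one yields NTE_NO_KEY.
    $keySpec = if ($info.KeyNumber -eq [System.Security.Cryptography.KeyNumber]::Signature) {
        'AT_SIGNATURE (2)'
    } else {
        'AT_KEYEXCHANGE (1)'
    }

    # Step 5 (export): CryptExportKey with PRIVATEKEYBLOB. A key imported
    # without the Exportable flag fails here with NTE_BAD_KEY_STATE.
    $blob = $rsa.ExportCspBlob($true)

    [pscustomobject]@{
        Subject          = $cert.Subject
        ProviderName     = $info.ProviderName         # pwszProvName
        ProviderType     = $info.ProviderType         # dwProvType
        KeyContainerName = $info.KeyContainerName     # pwszContainerName
        UniqueContainer  = $info.UniqueKeyContainerName
        KeySpecToRequest = $keySpec                   # dwKeySpec for CryptGetUserKey
        HardwareDevice   = $info.HardwareDevice
        BlobMagic        = [System.Text.Encoding]::ASCII.GetString($blob, 8, 4)  # "RSA2" for a private key blob
        PrivateKeyBlob   = $blob                      # hand this to the token's import routine, never to disk
    }
}

# Placeholders: replace with the real file and password.
$result = Export-CspPrivateKeyBlob -PfxPath 'C:\keys\test.pfx' -PfxPassword 'changeit'
$result | Select-Object -Property * -ExcludeProperty PrivateKeyBlob | Format-List
```

The point the question leaves open is step 3: PFXImportCertStore does not only fill the temporary certificate store, it also creates the key container in the CSP named inside the PFX, imports the private key into it, and attaches the container name, provider name and dwKeySpec to the certificate context as CERT_KEY_PROV_INFO_PROP_ID. CryptAcquireContext and CryptGetUserKey therefore have to be called with exactly those values; requesting AT_KEYEXCHANGE for a key that was imported as an AT_SIGNATURE key is one documented way to get NTE_NO_KEY, which is why the script reads KeyNumber instead of assuming it. Note that .NET deletes the container again when the certificate object is disposed unless PersistKeySet is passed, whereas with raw PFXImportCertStore the container stays in the user key set until CryptAcquireContext is called with CRYPT_DELETEKEYSET.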


1 answer(s)
Andrew, 2014-09-26
@OLS

Did you go through the example from their SDK, samples\CAPI\ImportPFX\ImportPFX.cpp?
