我正在尝试将持久性RSA公钥导入密钥存储区。我在CNG help page上读到了私钥的可能性,我想知道我是否也可以申请公钥(特别是BCRYPT_RSAPUBLIC_BLOB)。我尝试使用以下代码,但在导入部分,当我调用NCryptSetProperty将公共blob设置为属性时,我得到“错误0x80090029”这是NTE错误数据。无法调试此功能失败的原因。
NCRYPT_PROV_HANDLE providerHandle = NULL;
NCRYPT_KEY_HANDLE keyHandle = NULL;
NTSTATUS status = STATUS_UNSUCCESSFUL;
PBYTE blob = NULL;
DWORD blob_len = 0;
///////////////////Export Test (extract key from storage)///////////////////////////
// Open handle to the Key Storage Provider
if(FAILED(status = NCryptOpenStorageProvider(
&providerHandle, //OUT: provider handle
MS_KEY_STORAGE_PROVIDER, //IN: Microsoft key storage provider
0))) //IN: dwFlags (unused)
{
//report fail
}
// Open key in the Key Storage Provider
if (FAILED(status = NCryptOpenKey(
providerHandle,
&keyHandle,
keyName.c_str(),
0,
0)))
{
//report fail
}
// (2 step key extraction process) 1. Get size of key
if (FAILED(status = NCryptExportKey(
keyHandle, //IN: Handle of the key to export
NULL, //IN(opt): key used to encrypt exported BLOB data <-- potentially an safer way for key extraction, encrypt it with a key during extraction (decrypt with NCryptDecrypt)
BCRYPT_RSAPUBLIC_BLOB, //IN: BLOB type (https://msdn.microsoft.com/en-us/library/windows/desktop/aa376263%28v=vs.85%29.aspx)
NULL, //IN(opt): List of paramters for the key
NULL, //OUT(opt): Output byte buffer
0, //IN: Size of the output buffer
&blob_len, //OUT: Amount of bytes copied to the output buffer
0))) //IN: Flag to modify function behaviour (0 means no flag set)
{
//report fail
}
// Allocate data blob to store key in
blob = (PBYTE)malloc(blob_len);
if (NULL == blob) {
//report fail
}
// (2 step key extraction process) 2. Get key and store in byte array (Extracted key is in form of BCRYPT_RSAKEY_BLOB)
if (FAILED(status = NCryptExportKey(
keyHandle,
NULL,
BCRYPT_RSAPUBLIC_BLOB,
NULL,
blob,
blob_len,
&blob_len,
0)))
{
//report fail
}
///////////////Import Test (Store into storage)//////////////////////////////////////////////
// Create a persisted key
if(FAILED(status = NCryptCreatePersistedKey(
providerHandle, //IN: provider handle
&keyHandle, //OUT: Handle to key
NCRYPT_RSA_ALGORITHM, //IN: CNG Algorithm Identifiers. NCRYPT_RSA_ALGORITHM creates public key
keyName.c_str(), //IN: Key name. If NULL, the key does not persist
0, //IN: Key type
NCRYPT_OVERWRITE_KEY_FLAG)))//IN: Behaviour: 0 - apply to current user only, NCRYPT_MACHINE_KEY_FLAG - apply to local comp only, NCRYPT_OVERWRITE_KEY_FLAG - overwrite existing key
{
//report fail
}
// Set the size of the key
if(FAILED(status = NCryptSetProperty(
keyHandle, //IN: Handle to key
BCRYPT_RSAPUBLIC_BLOB, //IN: CNG Algorithm Identifiers. BCRYPT_RSAPUBLIC_BLOB allows me to use set this blob as the new key's blob
blob, //IN: Key name. If NULL, the key does not persist
blob_len, //IN: Key Length
0))) //IN: Bahaviour: 0 - apply to current user only, NCRYPT_MACHINE_KEY_FLAG - apply to local comp only, NCRYPT_OVERWRITE_KEY_FLAG - overwrite existing key
{
//report fail <<-------------------------- Fail here
}
// Finalize key generation (Key is now usable, but uneditable)
if(FAILED(status = NCryptFinalizeKey(keyHandle, 0))) {
//report fail
}
////////////////////////////////////////////////////////////////////////
答案 0 :(得分:0)
在创建非对称密钥时,可以设置的属性之一是NCRYPT_EXPORT_POLICY_PROPERTY。我用它来控制是否可以读取私有。
//... after NCryptCreatePersistedKey()
DWORD export_policy = NCRYPT_ALLOW_EXPORT_FLAG | NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
if(FAILED(status = NCryptSetProperty(
keyHandle,
NCRYPT_EXPORT_POLICY_PROPERTY,
(PBYTE)&export_policy,
static_cast<DWORD>(sizeof(DWORD)),
NCRYPT_PERSIST_FLAG | NCRYPT_SILENT_FLAG)))
{
//report error
}
//... before NCryptFinalizeKey()
此处定义属性。 https://msdn.microsoft.com/en-us/library/windows/desktop/aa376242(v=vs.85).aspx