5.27. Extracting Raw Key Data from a CryptoAPI Key Object

Problem

You have a symmetric key stored in a CryptoAPI key object that you want to use with another API, such as OpenSSL.

Solution

The Microsoft CryptoAPI is designed to prevent unintentional disclosure of sensitive key information. To do this, key information is stored in opaque data objects by the Cryptographic Service Provider (CSP) used to create the key object. Key data is exportable from key objects, but the data must be encrypted with another key to prevent accidental disclosure of the raw key data.

To extract the raw key data from a CryptoAPI key, you must first export the key using the CryptoAPI function CryptExportKey(). The key data obtained from this function will be encrypted with another key, which you can then use to decrypt the encrypted key data to obtain the raw key data that another API, such as OpenSSL, can use.

Discussion

To export a key using the CryptExportKey() function, you must provide the function with another key that will be used to encrypt the key data that’s to be exported. Recipe 5.26 includes a function, SpcGetExportableContext(), that obtains a handle to a CSP context object suitable for exporting keys created with it. The CSP context object uses a “container” to store public key pairs. Every public key container can have a special public key pair known as an exchange key, which is the key that we’ll use to decrypt the exported key data.

The function CryptGetUserKey( ) is used to obtain ...
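The blob that CryptExportKey() produces when you wrap a symmetric key with the exchange key is a SIMPLEBLOB, and the interop step that usually trips people up is its byte layout: a BLOBHEADER, the ALG_ID of the wrapping key, and then the RSA ciphertext stored least-significant byte first, whereas OpenSSL expects big-endian ciphertext. The following is an added example, not code from the book or from Microsoft: it parses that layout, reorders the ciphertext for a non-CryptoAPI RSA decrypt, and strips the PKCS#1 v1.5 type 2 padding that remains after a raw decrypt. The constants are the documented wincrypt.h values, redefined so the file builds anywhere; the blob bytes and the decrypted block are constructed samples (the ciphertext is a toy 8 bytes where a real one is modulus-length), and the function names are this example's own. The RSA decryption itself is done by the exchange key's CSP (CryptDecrypt) or by OpenSSL and is not reimplemented here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Documented CryptoAPI constants (wincrypt.h), redefined so this builds off Windows. */
#define SIMPLEBLOB        0x01
#define CUR_BLOB_VERSION  0x02
#define CALG_RSA_KEYX     0x0000a400u

/* SIMPLEBLOB layout as CryptExportKey() writes it, every field little-endian:
 * BLOBHEADER (bType, bVersion, reserved WORD, ALG_ID aiKeyAlg) = 8 bytes,
 * then ALG_ID of the wrapping (exchange) key = 4 bytes,
 * then the RSA-encrypted symmetric key, modulus length, least-significant byte first. */
#define BLOBHEADER_LEN     8
#define SIMPLEBLOB_MIN_LEN (BLOBHEADER_LEN + 4)

typedef struct {
    uint32_t key_alg;   /* algorithm of the symmetric key being exported, e.g. CALG_3DES */
    uint32_t wrap_alg;  /* algorithm of the key that encrypted it, CALG_RSA_KEYX here */
    const uint8_t *enc; /* encrypted key bytes, still in CryptoAPI little-endian order */
    size_t enc_len;
} simpleblob_view;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validates the header and locates the ciphertext. Returns 0 on success, -1 if malformed. */
int parse_simpleblob(const uint8_t *blob, size_t len, simpleblob_view *out)
{
    if (blob == NULL || out == NULL || len < SIMPLEBLOB_MIN_LEN) return -1;
    if (blob[0] != SIMPLEBLOB || blob[1] != CUR_BLOB_VERSION) return -1;
    if (blob[2] != 0 || blob[3] != 0) return -1;           /* reserved WORD must be zero */
    out->key_alg  = le32(blob + 4);
    out->wrap_alg = le32(blob + 8);
    if (out->wrap_alg != CALG_RSA_KEYX) return -1;         /* this recipe wraps with the exchange key */
    out->enc      = blob + SIMPLEBLOB_MIN_LEN;
    out->enc_len  = len - SIMPLEBLOB_MIN_LEN;
    return out->enc_len == 0 ? -1 : 0;
}

/* CryptoAPI stores RSA ciphertext least-significant byte first; OpenSSL's
 * RSA_private_decrypt() wants the big-endian integer. Copies with order reversed. */
int to_big_endian(const uint8_t *le, size_t len, uint8_t *be, size_t be_cap)
{
    if (len > be_cap) return -1;
    for (size_t i = 0; i < len; i++) be[i] = le[len - 1 - i];
    return 0;
}

/* After a raw (no-padding) RSA decrypt the block is PKCS#1 v1.5 type 2:
 * 00 02 <at least 8 nonzero bytes> 00 <key>. CryptDecrypt() and OpenSSL's
 * RSA_PKCS1_PADDING strip this for you; done by hand here so the format is explicit.
 * Returns the key length, or -1 if the padding is invalid. */
int pkcs1_v15_unpad_type2(const uint8_t *block, size_t len, uint8_t *key, size_t key_cap)
{
    if (block == NULL || len < 11 || block[0] != 0x00 || block[1] != 0x02) return -1;
    size_t i = 2;
    while (i < len && block[i] != 0x00) i++;               /* find the 0x00 separator */
    if (i == len || i < 10) return -1;                     /* none, or fewer than 8 pad bytes */
    size_t klen = len - (i + 1);
    if (klen > key_cap) return -1;
    memcpy(key, block + i + 1, klen);
    return (int)klen;
}

/* Constructed sample: 3DES key (CALG_3DES = 0x6603) wrapped with CALG_RSA_KEYX,
 * followed by a toy 8-byte "ciphertext" (a real one is modulus-length, e.g. 128 bytes). */
static const uint8_t sample_blob[] = {
    0x01, 0x02, 0x00, 0x00,  0x03, 0x66, 0x00, 0x00,
    0x00, 0xa4, 0x00, 0x00,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88
};

/* Constructed sample of what a raw RSA decrypt would yield: type 2 padding around "KEY". */
static const uint8_t sample_decrypted[] = {
    0x00, 0x02, 0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18, 0x00, 'K', 'E', 'Y'
};

int main(void)
{
    simpleblob_view v;
    uint8_t be[sizeof sample_blob], key[64];
    if (parse_simpleblob(sample_blob, sizeof sample_blob, &v) != 0) return 1;
    to_big_endian(v.enc, v.enc_len, be, sizeof be);
    int klen = pkcs1_v15_unpad_type2(sample_decrypted, sizeof sample_decrypted, key, sizeof key);
    printf("key alg 0x%04x, %zu ciphertext bytes, first big-endian byte 0x%02x, key len %d\n",
           v.key_alg, v.enc_len, be[0], klen);
    return klen < 0;
}
```

In practice you pass the reordered ciphertext to RSA_private_decrypt() with RSA_PKCS1_PADDING and the exchange key's private half, or simply hand the little-endian bytes back to CryptDecrypt() on the exchange key, which strips the padding itself; the manual unpadding above is only for the case where the RSA step was done without padding support.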
