5.27. Extracting Raw Key Data from a CryptoAPI Key Object
Problem
You have a symmetric key stored in a CryptoAPI key object that you want to use with another API, such as OpenSSL.
Solution
The Microsoft CryptoAPI is designed to prevent unintentional disclosure of sensitive key information. To do this, key information is stored in opaque data objects by the Cryptographic Service Provider (CSP) used to create the key object. Key data can be exported from a key object only if the key was created as exportable (with the CRYPT_EXPORTABLE flag), and even then the exported data must be encrypted with another key so that the raw key material is never handed out in the clear.
To extract the raw key data from a CryptoAPI key, you must first export the key using the CryptoAPI function CryptExportKey( ). The key data obtained from this function will be encrypted with another key, which you can then use to decrypt the encrypted key data to obtain the raw key data that another API, such as OpenSSL, can use.
Discussion
To export a key using the CryptExportKey( ) function, you must provide the function with another key that will be used to encrypt the key data that’s to be exported.
Recipe 5.26 includes a function, SpcGetExportableContext( ), that obtains a handle to a CSP context object suitable for exporting keys created with it. The CSP context object uses a “container” to store public key pairs. Every public key container can have a special public key pair known as an exchange key, which is the key that we’ll use to decrypt the exported key data.
The function CryptGetUserKey( ) is used to obtain ...