Importing ECDH key blobs with the IX509PrivateKey::Import method
The IX509PrivateKey::Import method cannot import ECDH key blobs without first setting the private key algorithm property, and cannot import ECDSA key blobs without first setting the private key algorithm and private key KeyUsage properties.
The private key class defaults to RSA when no algorithm is specified, and when an ECC algorithm is specified it prefers the non-signature (ECDH) variant unless the KeyUsage property says otherwise.
Both defaults conflict with the algorithm recorded in an ECDH or ECDSA private key blob, so the import fails.
Resolution
To import an ECDH or ECDSA key with the IX509PrivateKey::Import method, first set the Algorithm property to an IObjectId instance initialized for "1.2.840.10045.3.1.7" (the OID CertEnroll uses for both ECDSA_P256 and ECDH_P256; IObjectId::InitializeFromAlgorithmName with either "ECDSA_P256" or "ECDH_P256" yields this same OID).
To import an ECDSA key, also set the private key KeyUsage property to XCN_NCRYPT_ALLOW_SIGNING_FLAG before the import, so that the signature variant of the shared OID is selected.
Otherwise the default algorithm and/or KeyUsage values conflict with the algorithm of the imported private key blob and the import fails.
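The ECDH case, which the VBScript example below only covers indirectly, as an added PowerShell example that is not part of the original page: it creates an ECDH_P256 key through the same CertEnroll COM objects, reads the BCRYPT_ECCKEY_BLOB header of the exported blob to show which algorithm the blob records ("ECK2" for ECDH P-256, "ECS2" for ECDSA P-256), shows the failing import into an object left at the RSA default, then performs the working import with Algorithm set to the shared OID. The container names, the Remove-TestKey and Get-EccBlobHeader helpers, and the choice of KeyUsage = key agreement are this example's own; the article itself requires only the Algorithm property for an ECDH blob.

```powershell
# Added example (not from the original page): ECDH_P256 round trip through
# IX509PrivateKey::Import from PowerShell, using the CertEnroll COM objects.
# Container names, helpers and the deliberate failing import are this example's own.

$XCN_CRYPT_STRING_HEXRAW                = 0xc   # hex digits only, no address/ASCII columns
$XCN_NCRYPT_ALLOW_EXPORT_FLAG           = 0x1
$XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG = 0x2
$XCN_NCRYPT_ALLOW_SIGNING_FLAG          = 0x2
$XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG    = 0x4
$KSP = 'Microsoft Software Key Storage Provider'

# 1.2.840.10045.3.1.7 is the OID CertEnroll uses for both ECDSA_P256 and ECDH_P256.
$EccP256 = New-Object -ComObject X509Enrollment.CObjectId
$EccP256.InitializeFromValue('1.2.840.10045.3.1.7')

function Remove-TestKey([string]$Container) {
    $k = New-Object -ComObject X509Enrollment.CX509PrivateKey
    $k.ContainerName = $Container
    $k.ProviderName  = $KSP
    try { $k.Delete() } catch { }   # container may not exist yet
}

# The first 8 bytes of a PRIVATEBLOB are the BCRYPT_ECCKEY_BLOB header:
# a 4-byte ASCII magic ("ECS2" = ECDSA P-256, "ECK2" = ECDH P-256) followed
# by the little-endian key length in bytes (0x20 for P-256).
function Get-EccBlobHeader([string]$HexRaw) {
    $hex   = $HexRaw -replace '\s', ''
    $bytes = New-Object byte[] 8
    for ($i = 0; $i -lt 8; $i++) { $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16) }
    [pscustomobject]@{
        Magic = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4)
        cbKey = [BitConverter]::ToInt32($bytes, 4)
    }
}

Remove-TestKey 'TestECDH'
Remove-TestKey 'TestECDH2'

# Create an exportable ECDH_P256 key. The article needs only Algorithm for ECDH;
# restricting KeyUsage to key agreement is this example's least-privilege choice.
$src = New-Object -ComObject X509Enrollment.CX509PrivateKey
$src.ContainerName = 'TestECDH'
$src.ProviderName  = $KSP
$src.Algorithm     = $EccP256
$src.KeyUsage      = $XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG
$src.ExportPolicy  = $XCN_NCRYPT_ALLOW_EXPORT_FLAG -bor $XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
$src.Create()
$blob = $src.Export('PRIVATEBLOB', $XCN_CRYPT_STRING_HEXRAW)
Get-EccBlobHeader $blob | Format-List

# Failure mode from the article: a fresh object defaults to RSA, so importing
# the ECDH blob without setting Algorithm is rejected.
$bad = New-Object -ComObject X509Enrollment.CX509PrivateKey
$bad.ContainerName = 'TestECDH2'
$bad.ProviderName  = $KSP
try {
    $bad.Import('PRIVATEBLOB', $blob, $XCN_CRYPT_STRING_HEXRAW)
    Write-Warning 'Import without Algorithm unexpectedly succeeded'
} catch {
    Write-Host "Import without Algorithm failed as expected: $($_.Exception.Message)"
}

# Fix: set Algorithm (and ExportPolicy, so the imported key can be exported
# again) before Import. For an ECDSA blob you would also set
# KeyUsage = $XCN_NCRYPT_ALLOW_SIGNING_FLAG.
$dst = New-Object -ComObject X509Enrollment.CX509PrivateKey
$dst.ContainerName = 'TestECDH2'
$dst.ProviderName  = $KSP
$dst.Algorithm     = $EccP256
$dst.KeyUsage      = $XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG
$dst.ExportPolicy  = $XCN_NCRYPT_ALLOW_EXPORT_FLAG -bor $XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
$dst.Import('PRIVATEBLOB', $blob, $XCN_CRYPT_STRING_HEXRAW)

$blob2 = $dst.Export('PRIVATEBLOB', $XCN_CRYPT_STRING_HEXRAW)
if (($blob -replace '\s', '') -eq ($blob2 -replace '\s', '')) {
    Write-Host 'Re-exported blob matches the original: import succeeded'
} else {
    Write-Warning 'Re-exported blob differs from the original'
}
```

Run this in a PowerShell session on Windows; the keys are created in the current user's software KSP and can be removed afterwards with Remove-TestKey. Exporting a private key in plaintext is only appropriate for a test key like this one.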
Example
The following VBScript example creates an exportable ECDSA_P256 private key in the Microsoft Software Key Storage Provider, exports it as a plaintext PRIVATEBLOB, and imports that blob into a second container whose Algorithm and KeyUsage properties have been set as described above. The second export is byte-for-byte identical to the first.
Option Explicit

' EncodingType values for Export/Import
Public Const XCN_CRYPT_STRING_BASE64 = 1
Public Const XCN_CRYPT_STRING_HEXASCII = 5
Public Const XCN_CRYPT_STRING_HEXRAW = &Hc

' IObjectId::InitializeFromAlgorithmName arguments
Public Const XCN_CRYPT_PUBKEY_ALG_OID_GROUP_ID = 3
Public Const XCN_CRYPT_OID_INFO_PUBKEY_ANY = 0
Public Const AlgorithmFlagsNone = 0

' AlgorithmOperationFlags:
Public Const XCN_NCRYPT_NO_OPERATION = &H00000000
Public Const XCN_NCRYPT_CIPHER_OPERATION = &H00000001
Public Const XCN_NCRYPT_HASH_OPERATION = &H00000002
Public Const XCN_NCRYPT_ASYMMETRIC_ENCRYPTION_OPERATION = &H00000004
Public Const XCN_NCRYPT_SECRET_AGREEMENT_OPERATION = &H00000008
Public Const XCN_NCRYPT_SIGNATURE_OPERATION = &H00000010
Public Const XCN_NCRYPT_RNG_OPERATION = &H00000020
Public Const XCN_NCRYPT_ANY_ASYMMETRIC_OPERATION = &H0000001c
Public Const XCN_NCRYPT_PREFER_SIGNATURE_ONLY_OPERATION = &H00200000
Public Const XCN_NCRYPT_PREFER_NON_SIGNATURE_OPERATION = &H00400000
Public Const XCN_NCRYPT_EXACT_MATCH_OPERATION = &H00800000
Public Const XCN_NCRYPT_PREFERENCE_MASK_OPERATION = &H00e00000

' X509PrivateKeyExportFlags:
Public Const XCN_NCRYPT_ALLOW_EXPORT_FLAG = &H00000001
Public Const XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG = &H00000002

' X509PrivateKeyUsageFlags:
Public Const XCN_NCRYPT_ALLOW_DECRYPT_FLAG = &H00000001
Public Const XCN_NCRYPT_ALLOW_SIGNING_FLAG = &H00000002
Public Const XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG = &H00000004
Public Const XCN_NCRYPT_ALLOW_ALL_USAGES = &H00ffffff

' Deletes a key container left over from an earlier run. Delete raises an
' error when the container does not exist, so that error is ignored.
Sub DeleteKey( _
    ByVal ContainerName)
    Dim PrivateKeyDelete
    Set PrivateKeyDelete = CreateObject("X509Enrollment.CX509PrivateKey")
    PrivateKeyDelete.ContainerName = ContainerName
    PrivateKeyDelete.ProviderName = "Microsoft Software Key Storage Provider"
    On Error Resume Next
    PrivateKeyDelete.Delete()
    On Error GoTo 0
End Sub

Dim ContainerName
Dim PrivateKey
Dim Algorithm
Dim ExportedKey
Dim PrivateKey2
Dim ExportedKey2

ContainerName = "TestECDSA"

Wscript.echo "Deleting old test keys..."
DeleteKey(ContainerName)
DeleteKey(ContainerName & "2")

Wscript.echo "Creating objects..."
Set PrivateKey = CreateObject("X509Enrollment.CX509PrivateKey")
PrivateKey.ContainerName = ContainerName
PrivateKey.ProviderName = "Microsoft Software Key Storage Provider"

' "ECDSA_P256" resolves to OID 1.2.840.10045.3.1.7, the same OID as ECDH_P256.
Set Algorithm = CreateObject("X509Enrollment.CObjectId")
Algorithm.InitializeFromAlgorithmName _
    XCN_CRYPT_PUBKEY_ALG_OID_GROUP_ID, _
    XCN_CRYPT_OID_INFO_PUBKEY_ANY, _
    AlgorithmFlagsNone, _
    "ECDSA_P256"
PrivateKey.Algorithm = Algorithm
' A signing-only KeyUsage selects the ECDSA (signature) variant of the shared OID.
PrivateKey.KeyUsage = XCN_NCRYPT_ALLOW_SIGNING_FLAG
' Plaintext export must be allowed for Export("PRIVATEBLOB", ...) to succeed.
PrivateKey.ExportPolicy = XCN_NCRYPT_ALLOW_EXPORT_FLAG Or _
    XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
PrivateKey.Create()

ExportedKey = PrivateKey.Export("PRIVATEBLOB", XCN_CRYPT_STRING_HEXASCII)
Wscript.echo "Exported private key:"
Wscript.echo ExportedKey

' The second key object must get the same Algorithm and KeyUsage before
' Import; left at the RSA default, the import of the ECDSA blob fails.
Set PrivateKey2 = CreateObject("X509Enrollment.CX509PrivateKey")
PrivateKey2.ContainerName = ContainerName & "2"
PrivateKey2.LegacyCsp = False
PrivateKey2.Algorithm = Algorithm
PrivateKey2.KeyUsage = XCN_NCRYPT_ALLOW_SIGNING_FLAG
PrivateKey2.ExportPolicy = XCN_NCRYPT_ALLOW_EXPORT_FLAG Or _
    XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
PrivateKey2.Import "PRIVATEBLOB", ExportedKey, XCN_CRYPT_STRING_HEXASCII

' Re-exporting yields the identical blob, which confirms the round trip.
ExportedKey2 = PrivateKey2.Export("PRIVATEBLOB", XCN_CRYPT_STRING_HEXASCII)
Wscript.echo "Exported private key (after import):"
Wscript.echo ExportedKey2

Wscript.echo "Done."
Wscript.Quit 0
Sample output (ECDSA_P256 key; the blob begins with the BCRYPT_ECDSA_PRIVATE_P256_MAGIC value "ECS2" followed by the 32-byte key length 0x20, then X, Y and d)
Deleting old test keys...
Creating objects...
Exported private key:
45 43 53 32 20 00 00 00 6f 31 07 ae 02 85 43 0b ECS2 ...o1....C.
68 29 29 3c 40 9f 0b fb d5 18 32 c4 1a d7 ac f4 h))<@.....2.....
81 68 03 cd 6e de 5b 39 3d b7 7a ce 8c 1a 57 21 .h..n.[9=.z...W!
e1 92 15 e5 d1 40 c4 9a e8 92 99 28 13 8a e2 da .....@.....(....
b4 3a 78 9a c5 d3 22 ea 2a fd 57 24 0e 0e b6 39 .:x...".*.W$...9
f8 3a ae 11 ff 46 80 82 86 2c cb 8b 49 98 e8 9c .:...F...,..I...
93 af b4 21 5c 25 ec 3f ...!\%.?
Exported private key (after import):
45 43 53 32 20 00 00 00 6f 31 07 ae 02 85 43 0b ECS2 ...o1....C.
68 29 29 3c 40 9f 0b fb d5 18 32 c4 1a d7 ac f4 h))<@.....2.....
81 68 03 cd 6e de 5b 39 3d b7 7a ce 8c 1a 57 21 .h..n.[9=.z...W!
e1 92 15 e5 d1 40 c4 9a e8 92 99 28 13 8a e2 da .....@.....(....
b4 3a 78 9a c5 d3 22 ea 2a fd 57 24 0e 0e b6 39 .:x...".*.W$...9
f8 3a ae 11 ff 46 80 82 86 2c cb 8b 49 98 e8 9c .:...F...,..I...
93 af b4 21 5c 25 ec 3f ...!\%.?
Done.

Output of a second run with an ECDH_P256 key (the blob begins with the BCRYPT_ECDH_PRIVATE_P256_MAGIC value "ECK2"):
Deleting old test keys...
Creating objects...
Exported private key:
45 43 4b 32 20 00 00 00 92 84 36 ca 13 2e f9 a3 ECK2 .....6.....
d0 8e c4 52 4f 58 48 70 fe 71 16 7d a1 be 5b 08 ...ROXHp.q.}..[.
cc ad fb 9b 4d de fd 2e 0b c7 39 17 27 5f 06 66 ....M.....9.'_.f
83 74 e1 b2 f6 fd d8 1b a7 3b a7 6b 59 69 11 e9 .t.......;.kYi..
6f 10 ac 35 98 2b be 16 45 34 40 b0 de 14 42 47 o..5.+..E4@...BG
c6 5d 63 d8 85 01 1a c6 92 c0 0f af 57 47 50 fd .]c.........WGP.
a0 bd 03 7e 0a 60 c8 e2 ...~.`..
Exported private key (after import):
45 43 4b 32 20 00 00 00 92 84 36 ca 13 2e f9 a3 ECK2 .....6.....
d0 8e c4 52 4f 58 48 70 fe 71 16 7d a1 be 5b 08 ...ROXHp.q.}..[.
cc ad fb 9b 4d de fd 2e 0b c7 39 17 27 5f 06 66 ....M.....9.'_.f
83 74 e1 b2 f6 fd d8 1b a7 3b a7 6b 59 69 11 e9 .t.......;.kYi..
6f 10 ac 35 98 2b be 16 45 34 40 b0 de 14 42 47 o..5.+..E4@...BG
c6 5d 63 d8 85 01 1a c6 92 c0 0f af 57 47 50 fd .]c.........WGP.
a0 bd 03 7e 0a 60 c8 e2 ...~.`..
Done.