如何使用CryptoApi导入PKCS#8

分类:编程问答

如何解决如何使用CryptoApi导入PKCS#8

我有一个PKCS#8密钥,我拼命尝试导入CryptoAPI,但没有成功。我有:

-----BEGIN PRIVATE KEY-----
<privatekey>
-----END PRIVATE KEY-----

包含以下内容:

Private Key algo RSA
 Private Format  PKCS#8
 ASN1 Dump
RSA Private CRT Key [.....]
            modulus: .....
    public exponent: .....

我尝试这样导入密钥:

 if not CryptStringToBinaryA(
           PansiChar(aBase64PrivateKey),// pszString: LPCSTR;
           length(aBase64PrivateKey),// cchString: DWORD;
           CRYPT_STRING_BASE64HEADER,// dwFlags: DWORD;
           nil,// pbBinary: pByte;
           @cbPrivKey,// pcbBinary: PDWORD;
           nil,// pdwSkip: PDWORD;
           nil) then raiseLastOsError; // pdwFlags: PDWORD
  setlength(pPrivKey,cbPrivKey);
  if not CryptStringToBinaryA(
           PansiChar(aBase64PrivateKey),// dwFlags: DWORD;
           @pPrivKey[0],// pdwSkip: PDWORD;
           nil) then raiseLastOsError; // pdwFlags: PDWORD

  //init pKeyBlob
  if not CryptDecodeObjectEx(
           X509_ASN_ENCODING or PKCS_7_ASN_ENCODING,// dwCertEncodingType: DWORD;
           PKCS_PRIVATE_KEY_INFO,// lpszStructType: LPCSTR;
           @pPrivKey[0],// const pbEncoded: PBYTE;
           cbPrivKey,// cbEncoded: DWORD;
           0,// pDecodePara: PCRYPT_DECODE_PARA;
           nil,// pvStructInfo: Pointer;
           @cbKeyBlob) then raiseLastOsError; // pcbStructInfo: PDWORD
  setlength(pKeyBlob,cbKeyBlob);
  if not CryptDecodeObjectEx(
           X509_ASN_ENCODING or PKCS_7_ASN_ENCODING,// pDecodePara: PCRYPT_DECODE_PARA;
           @pKeyBlob[0],// pvStructInfo: Pointer;
           @cbKeyBlob) then raiseLastOsError; // pcbStructInfo: PDWORD

  //acquire a handle to a particular key container
  if (not CryptAcquireContextA(@hProv,// phProv: PHCRYPTPROV;
                               nil,// pszContainer: PAnsiChar;
                               nil,// pszProvider: PAnsiChar;
                               PROV_RSA_AES,// dwProvType: DWORD;
                               CRYPT_VERIFYCONTEXT)) then raiselastOsError; // dwFlags: DWORD
  try

    // Now import the key.
    if not CryptImportKey(hProv,// hProv: HCRYPTPROV;
                          @pKeyBlob[0],// const pbData: PBYTE;
                          cbKeyBlob,// dwDataLen: DWORD;
                          0,// hPubKey: HCRYPTKEY;
                          0,// dwFlags: DWORD;
                          @hRSAKey) then raiseLastOsError; // phKey: PHCRYPTKEY

但是CryptImportKey失败,并出现“提供程序的版本错误” ,我想是因为它正在等待PKCS#1密钥。如何导入 PKCS#8 密钥?

解决方法

要将 PKCS#8 格式转换为 legacy CNG 加密api需要几个步骤。

首先需要使用CryptStringToBinaryA通过CRYPT_STRING_BASE64HEADER将字符串转换为二进制

比用PKCS_PRIVATE_KEY_INFO调用CryptDecodeObjectEx(如果加密的私钥需要使用PKCS_ENCRYPTED_PRIVATE_KEY_INFO

再次需要使用CryptDecodeObjectEx来调用PKCS_RSA_PRIVATE_KEY(对于旧版加密api,而对于{em> CNG )则是CNG_RSA_PUBLIC_KEY_BLOB

现在我们可以致电BCryptImportKeyPairCryptImportKey

对于导入公共密钥,需要使用X509_PUBLIC_KEY_INFO,对于来自cert的公共密钥-X509_CERT_TO_BE_SIGNED(对于 CNG ,+ CNG_RSA_PUBLIC_KEY_BLOB,对于旧版可以使用{{1 }})

code表示旧版

CryptImportPublicKeyInfo

code for CNG 

inline ULONG BOOL_TO_ERROR(BOOL f)
{
    return f ? NOERROR : GetLastError();
}

ULONG CryptImportPublicKey(_Out_ HCRYPTKEY *phKey,_In_ HCRYPTPROV hProv,_In_ PCUCHAR pbKeyOrCert,_In_ ULONG cbKeyOrCert,_In_ bool bCert)
{
    ULONG cb;

    union {
        PVOID pvStructInfo;
        PCERT_INFO pCertInfo;
        PCERT_PUBLIC_KEY_INFO PublicKeyInfo;
    };

    ULONG dwError = BOOL_TO_ERROR(CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,bCert ? X509_CERT_TO_BE_SIGNED : X509_PUBLIC_KEY_INFO,pbKeyOrCert,cbKeyOrCert,CRYPT_DECODE_ALLOC_FLAG|CRYPT_DECODE_NOCOPY_FLAG,&pvStructInfo,&cb));

    if (dwError == NOERROR)
    {
        PVOID pv = pvStructInfo;

        if (bCert)
        {
            PublicKeyInfo = &pCertInfo->SubjectPublicKeyInfo;
        }

        dwError = BOOL_TO_ERROR(CryptImportPublicKeyInfo(hProv,X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,PublicKeyInfo,phKey));

        LocalFree(pv);
    }

    return dwError;
}

ULONG CryptImportPrivateKey(_Out_ HCRYPTKEY* phKey,_In_ PCUCHAR pbKey,_In_ ULONG cbKey)
{
    ULONG cb;
    PCRYPT_PRIVATE_KEY_INFO PrivateKeyInfo;

    ULONG dwError = BOOL_TO_ERROR(CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,PKCS_PRIVATE_KEY_INFO,pbKey,cbKey,(void**)&PrivateKeyInfo,&cb));

    if (dwError == NOERROR)
    {
        PUBLICKEYSTRUC* ppks;  

        dwError = BOOL_TO_ERROR(CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,PKCS_RSA_PRIVATE_KEY,PrivateKeyInfo->PrivateKey.pbData,PrivateKeyInfo->PrivateKey.cbData,CRYPT_DECODE_ALLOC_FLAG,(void**)&ppks,&cb));

        LocalFree(PrivateKeyInfo);

        if (dwError == NOERROR)
        {
            dwError = BOOL_TO_ERROR(CryptImportKey(hProv,(PUCHAR)ppks,cb,CRYPT_EXPORTABLE,phKey));
            LocalFree(ppks);
        }
    }

    return dwError;
}

enum BLOB_TYPE { bt_priv,bt_pub,bt_cert };

ULONG CryptImportKey(_Out_ HCRYPTKEY *phKey,_In_ BLOB_TYPE bt,_In_ PCSTR szKey,_In_ ULONG cchKey)
{
    PUCHAR pbKey = 0;
    ULONG cbKey = 0;
    ULONG dwError;

    while (CryptStringToBinaryA(szKey,cchKey,CRYPT_STRING_BASE64HEADER,&cbKey,0))
    {
        if (pbKey)
        {
            switch (bt)
            {
            case bt_priv:
                dwError = CryptImportPrivateKey(phKey,hProv,cbKey);
                break;
            case bt_pub:
                dwError = CryptImportPublicKey(phKey,false);
                break;
            case bt_cert:
                dwError = CryptImportPublicKey(phKey,true);
                break;
            default: dwError = ERROR_INVALID_PARAMETER;
            }

            _freea(pbKey);

            return dwError;
        }

        if (!(pbKey = (PUCHAR)_malloca(cbKey)))
        {
            break;
        }
    }

    dwError = GetLastError();

    if (pbKey) _freea(pbKey);

    return dwError;
}

void DoLegacyTest(_In_ PCSTR szToBeSigned,_In_ PCSTR szPrivateKey,_In_ ULONG cchPrivateKey,_In_ PCSTR szPublicKeyOrCert,_In_ ULONG cchPublicKeyOrCert,_In_ bool bCert)
{
    HCRYPTPROV hProv;
    if (CryptAcquireContextW(&hProv,MS_ENH_RSA_AES_PROV,PROV_RSA_AES,CRYPT_VERIFYCONTEXT))
    {
        HCRYPTKEY hKey;
        HCRYPTHASH hHash;

        if (CryptCreateHash(hProv,CALG_SHA_256,&hHash))
        {
            if (CryptHashData(hHash,(PUCHAR)szToBeSigned,(ULONG)strlen(szToBeSigned),0))
            {
                PUCHAR pbSignature = 0;
                ULONG cbSignature = 0;
                BOOL fOk = false;

                if (NOERROR == CryptImportKey(&hKey,bt_priv,szPrivateKey,cchPrivateKey))
                {
                    ULONG dwKeySpec,cb; 

                    if (CryptGetKeyParam(hKey,KP_ALGID,(PUCHAR)&dwKeySpec,&(cb = sizeof(dwKeySpec)),0))
                    {
                        switch (dwKeySpec)
                        {
                        case CALG_RSA_KEYX:
                            dwKeySpec = AT_KEYEXCHANGE;
                            break;
                        case CALG_RSA_SIGN:
                            dwKeySpec = AT_SIGNATURE;
                            break;
                        default: dwKeySpec = 0;
                        }

                        if (CryptGetKeyParam(hKey,KP_BLOCKLEN,(PUCHAR)&cbSignature,&(cb = sizeof(cbSignature)),0))
                        {
                            pbSignature = (PUCHAR)alloca(cbSignature >>= 3);

                            fOk = CryptSignHashW(hHash,dwKeySpec,pbSignature,&cbSignature);
                        }
                    }

                    CryptDestroyKey(hKey);
                }

                if (fOk)
                {
                    if (NOERROR == CryptImportKey(&hKey,bCert ? bt_cert : bt_pub,szPublicKeyOrCert,cchPublicKeyOrCert))
                    {
                        if (!CryptVerifySignatureW(hHash,cbSignature,hKey,0))
                        {
                            __debugbreak();
                        }
                        CryptDestroyKey(hKey);
                    }
                }
            }

            CryptDestroyHash(hHash);
        }

        CryptReleaseContext(hProv,0);
    }
}

版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。

相关推荐

导入项目后报错问题
依赖报错 idea导入项目后依赖报错,解决方案:https://blog.csdn.net/weixin_42420249/article/details/81191861 依赖版本报错:更换其他版本 无法下载依赖可参考:https://blog.csdn.net/weixin_42628809/a
idea不能识别yaml文件
使用mybatis plus常见错误
错误1:代码生成器依赖和mybatis依赖冲突 启动项目时报错如下 2021-12-03 13:33:33.927 ERROR 7228 [ main] o.s.b.d.LoggingFailureAnalysisReporter : *************************** APPL
gradle常见问题与错误
错误1:gradle项目控制台输出为乱码 # 解决方案:https://blog.csdn.net/weixin_43501566/article/details/112482302 # 在gradle-wrapper.properties 添加以下内容 org.gradle.jvmargs=-Df
Mybatis Plus传入参数0不起作用
错误还原:在查询的过程中,传入的workType为0时,该条件不起作用 &lt;select id=&quot;xxx&quot;&gt; SELECT di.id, di.name, di.work_type, di.updated... &lt;where&gt; &lt;if test=&qu
linux中make编译源码包失败
报错如下,gcc版本太低 ^ server.c:5346:31: 错误:‘struct redisServer’没有名为‘server_cpulist’的成员 redisSetCpuAffinity(server.server_cpulist); ^ server.c: 在函数‘hasActiveC
微服务启动错误:Command line is too long. Shorten command line for
解决方案1 1、改项目中.idea/workspace.xml配置文件,增加dynamic.classpath参数 2、搜索PropertiesComponent,添加如下 &lt;property name=&quot;dynamic.classpath&quot; value=&quot;tru
vue常见错误
删除根组件app.vue中的默认代码后报错:Module Error (from ./node_modules/eslint-loader/index.js): 解决方案:关闭ESlint代码检测,在项目根目录创建vue.config.js,在文件中添加 module.exports = { lin
spark常见错误
查看spark默认的python版本 [root@master day27]# pyspark /home/software/spark-2.3.4-bin-hadoop2.7/conf/spark-env.sh: line 2: /usr/local/hadoop/bin/hadoop: No s
matplotlib报错:AttributeError: module 'backend_interagg' has no attribute 'FigureCanvas'. Did you mean: 'FigureCanvasAgg'?
使用本地python环境可以成功执行 import pandas as pd import matplotlib.pyplot as plt # 设置字体 plt.rcParams[&#39;font.sans-serif&#39;] = [&#39;SimHei&#39;] # 能正确显示负号 p
gitlab登录失败,报错:This challenge page was accidentally cached by an intermediary and is no longer available.
设置时间 控制面板
后端开发常见错误
错误1:Request method ‘DELETE‘ not supported 错误还原:controller层有一个接口,访问该接口时报错:Request method ‘DELETE‘ not supported 错误原因:没有接收到前端传入的参数,修改为如下 参考 错误2:cannot r
docker常见错误
错误1:启动docker镜像时报错:Error response from daemon: driver failed programming external connectivity on endpoint quirky_allen 解决方法:重启docker -&gt; systemctl r
idea常见错误
错误1:private field ‘xxx‘ is never assigned 按Altʾnter快捷键,选择第2项 参考:https://blog.csdn.net/shi_hong_fei_hei/article/details/88814070 错误2:启动时报错,不能找到主启动类 #
pip安装依赖失败
报错如下,通过源不能下载,最后警告pip需升级版本 Requirement already satisfied: pip in c:\users\ychen\appdata\local\programs\python\python310\lib\site-packages (22.0.4) Coll
maven常见错误
错误1:maven打包报错 错误还原:使用maven打包项目时报错如下 [ERROR] Failed to execute goal org.apache.maven.plugins:maven-resources-plugin:3.2.0:resources (default-resources)
cloud项目中常见错误
错误1:服务调用时报错 服务消费者模块assess通过openFeign调用服务提供者模块hires 如下为服务提供者模块hires的控制层接口 @RestController @RequestMapping(&quot;/hires&quot;) public class FeignControl
springboot常见错误
错误1:运行项目后报如下错误 解决方案 报错2:Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.8.1:compile (default-compile) on project sb 解决方案:在pom.
springmvc拦截器中使用redisTemplate报空指针异常
参考 错误原因 过滤器或拦截器在生效时,redisTemplate还没有注入 解决方案:在注入容器时就生效 @Component //项目运行时就注入Spring容器 public class RedisBean { @Resource private RedisTemplate&lt;String
vite报错:npm ERR! command C:WINDOWSsystem32cmd.exe /d /s /c C:UsersychenAppDataLocalTempnpx-dde1c848.cmd
使用vite构建项目报错 C:\Users\ychen\work&gt;npm init @vitejs/app @vitejs/create-app is deprecated, use npm init vite instead C:\Users\ychen\AppData\Local\npm-
pythonJavaScriptjavaHTMLPHPreactjsC#AndroidCSSNode.jssqlrpython-3.xMysqLjQueryc++pandasFlutterangularIOSdjangolinuxswifttypescript路由器JSON路由器设置无线路由器h3c华三华三路由器设置华三路由器电脑软件教程arraysdocker软件图文教程Cvue.jslaravelspring-boot