Parts of the Windows Crypto API are quite well documented (particularly the original CAPI stuff). Other parts….. <\/p>\n
I’ve been trying to get PKCS8 files working between OpenSSL and Windows. The Import\/Export on Windows is so badly documented I eventually resorted to ASN.1 decodes and header file trawls to find what I needed. <\/p>\n
Anyway – if you need a password encrypted (using PBE) PKCS8 file that Windows can read, the best you’ll get is PBE-SHA1-3DES. So once you’ve generated your RSA key (let’s call it rsa.key) then you need to run openssl as follows: <\/p>\n
If you don\u2019t want to have a password \u2013 use \u2013nocrypt<\/em><\/font><\/p>\n Generating something that can go back the other way is just plain difficult.<\/p>\n You need to use NCryptExportKey (BCryptExportKey doesn\u2019t have the capability). You also need to specify the algorithm OID, parameters and password in the export parameters.<\/p>\n Some code to demonstrate. It\u2019s messy and it probably won\u2019t compile immediately as I\u2019ve just done a cut and paste \u2013 but hopefully it will be useful to someone.<\/p>\n \/\/ Generate the parameters \/\/ First some random for the salt \/\/ Now the params buffers[2].BufferType = NCRYPTBUFFER_PKCS_ALG_PARAM; buffers[1].BufferType = NCRYPTBUFFER_PKCS_ALG_OID; buffers[0].BufferType = NCRYPTBUFFER_PKCS_SECRET; params.cBuffers = 3; pparams = ¶ms;<\/p>\n \/* Do the export *\/ pkcs8_blob = (unsigned char *)malloc(pkcs8_blob_sz); }<\/code><\/p>\n","protected":false},"excerpt":{"rendered":" Parts of the Windows Crypto API are quite well documented (particularly the original CAPI stuff). Other parts….. I’ve been trying to get PKCS8 files working between OpenSSL and Windows. The Import\/Export on Windows is so badly documented I eventually resorted to ASN.1 decodes and header file trawls to find what I needed. Anyway – if… <\/span>Continue Reading PKCS8 files and Windows Crypto API<\/span><\/i><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[13,4,15],"tags":[12,30,27,29],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pX0hd-2G","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.wingsofhermes.org\/index.php?rest_route=\/wp\/v2\/posts\/166"}],"collection":[{"href":"https:\/\/blog.wingsofhermes.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.wingsofhermes.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.wingsofhermes.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.wingsofhermes.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=166"}],"version-history":[{"count":4,"href":"https:\/\/blog.wingsofhermes.org\/index.php?rest_route=\/wp\/v2\/posts\/166\/revisions"}],"predecessor-version":[{"id":170,"href":"https:\/\/blog.wingsofhermes.org\/index.php?rest_route=\/wp\/v2\/posts\/166\/revisions\/170"}],"wp:attachment":[{"href":"https:\/\/blog.wingsofhermes.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.wingsofhermes.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=166"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.wingsofhermes.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}openssl pkcs8 \u2013in .\/rsa.key \u2013topk8 \u2013outform DER \u2013out .\/key.pk8 \u2013v1 PBE-SHA1-3DES<\/em><\/code> <\/p>\nNCryptBufferDesc params, *pparams;
NCryptBuffer buffers[3];
DWORD pkcs8_blob_sz;
unsigned char * pkcs8_blob;
CRYPT_PKCS12_PBE_PARAMS * pbe_params;
unsigned char * salt;<\/p>\n
pbe_params = (CRYPT_PKCS12_PBE_PARAMS *)malloc(sizeof(CRYPT_PKCS12_PBE_PARAMS) + 8);
memset(pbe_params, 0, sizeof(CRYPT_PKCS12_PBE_PARAMS) + 8);
salt = (unsigned char *) pbe_params + sizeof(CRYPT_PKCS12_PBE_PARAMS);<\/p>\n
if (!NT_SUCCESS(BCryptGenRandom(amp->amp_bcrypt_rng, salt, 8, 0)))
{
\/* ERROR STUFF HERE *\/
}<\/p>\n
pbe_params->cbSalt = 8;
pbe_params->iIterations = 2048;<\/p>\n
buffers[2].cbBuffer = sizeof(CRYPT_PKCS12_PBE_PARAMS) + 8;
buffers[2].pvBuffer = pbe_params;<\/p>\n
buffers[1].pvBuffer = szOID_PKCS_12_pbeWithSHA1And3KeyTripleDES;
buffers[1].cbBuffer = strlen(szOID_PKCS_12_pbeWithSHA1And3KeyTripleDES) + 1; \/\/ Terminator needed<\/p>\n
buffers[0].pvBuffer = L\u201dPASSWORD\u201d; \/\/ Yes you need to replace this :)
buffers[0].cbBuffer = 12; \/* Include bytes for the wchar terminator *\/<\/p>\n
params.pBuffers = buffers;
params.ulVersion = NCRYPTBUFFER_VERSION;<\/p>\n
if (NCryptExportKey(ncrypt_master_key, 0, NCRYPT_PKCS8_PRIVATE_KEY_BLOB,
pparams, NULL, 0, &pkcs8_blob_sz, NCRYPT_SILENT_FLAG) != ERROR_SUCCESS)
{
\/* ERROR CODE HERE *\/
return AUTHME_ERR_CRYPTO_OPERATION;
}<\/p>\n
if (NCryptExportKey(ncrypt_master_key, 0, NCRYPT_PKCS8_PRIVATE_KEY_BLOB,
pparams, pkcs8_blob, pkcs8_blob_sz, &pkcs8_blob_sz, NCRYPT_SILENT_FLAG) != ERROR_SUCCESS)
{
\/* ERROR CODE HERE *\/<\/p>\n