Essential questions about Microsoft CryptoAPI

I have been looking through MSDN trying to understand CryptoAPI. Below are some questions and guesses about how things might work. Any answers, or confirmation or refutation of my guesses, are greatly appreciated.

As per the note I found at http://msdn.microsoft.com/en-us/library/ms867086.aspx, the CSP maintains public/private key pairs between sessions.

* Does that mean they are kept indefinitely? If so, whatever signature or exchange key pairs are extant when the CSP is closed remain.
* Of what value are these containers and any key pairs they contain? I guess they could be used to sign things without obtaining a handle to a key pair.
* Is there any way to get a handle to one of the key pairs?

It looks to me like a key container might contain:

* 1 signature key pair
* 1 key exchange key pair
* any number of PUBLIC keys of either signature or key_exchange type
* any number of session keys

Is this right? Are the paired keys destroyed when the container is closed?

What is the common method for creating / naming key containers? How do I keep from stomping on some other application's container? I need a container with public / private keys, so the temporary container mentioned in the CryptAcquireContext remarks section is not applicable. Perhaps use a creation name consisting of some fixed part and a sequential number, and remove the container when done.

CryptSignHash indicates that either a private signing key or a key exchange key is used to sign the hash. I assume this means that cryptsignkey will find the private key generated by cryptkeygen with the appropriate Alg_id parameter (CALG_RSA_KEYX or CALG_RSA_SIGN values).

If I export a key, does the key blob contain information about which key it is?

If I export a PUBLICKEYBLOB and transfer it to another environment, do I have to import this blob into the new environment before I can use it to verify the signature? CryptVerifySignature requires a key handle, so it looks like it needs to be imported first. Does importing a PUBLICKEYBLOB replace the public key of any existing public / private key pair? I guess NOT.

+2
1 answer


There were many questions. Let me try to answer them:

The CSP maintains public/private key pairs between sessions. Does this mean that they are stored indefinitely?

Yes, until they are explicitly removed by calling CryptAcquireContext with the CRYPT_DELETEKEYSET flag.

What is the value of these containers and any key pairs they contain?

These are persistent keys that can be reused. If you get a certificate for a private key, you want to keep the private key - and you don't want to export the private key if you can avoid it: a CSP can potentially protect the key much better than you can.

Is there a way to get a handle to one of the key pairs?

CryptAcquireContext followed by CryptGetUserKey.

It seems to me that a key container can contain: 1 signing key pair, 1 exchange key pair, any number of PUBLIC keys of either signature or key_exchange type, any number of session keys. Is that correct?

Yes and no. Imported public and session keys are not logically in any particular key container.

Are the paired keys destroyed when the container is closed?

Yes.

What is the usual method for creating / naming key containers? How do I keep from stomping on some other application's container?

Most applications use a GUID.

This means that cryptsignkey will find the private key generated by cryptkeygen with the appropriate Alg_id parameter (CALG_RSA_KEYX or CALG_RSA_SIGN values).

Yes.

If I export a key, will the key blob contain information about what kind of key it is?

It depends on the blob type you choose, but most key blobs start with BLOBHEADER, which contains the key type.

If I export a PUBLICKEYBLOB and transport it to some other environment, do I have to import this blob in the new environment before I can use it to verify the signature?

Yes.

Will the PUBLICKEYBLOB import replace the public key of any existing public / private key pair?

No.

+4
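The answer above names the pieces (a GUID container name, CryptAcquireContext plus CryptGetUserKey to get the handle back, export of only the PUBLICKEYBLOB, import before verifying, CRYPT_DELETEKEYSET to remove the container) but does not show them strung together. The following is an added, self-contained Windows C example written for this page, not code from the question, the answer or Microsoft's documentation. It assumes the PROV_RSA_AES provider, SHA-256 hashing, a 2048-bit key and a hypothetical "ExampleApp-" prefix in front of the GUID; the message it signs is constructed inline. It links against advapi32 and rpcrt4.

```c
#include <windows.h>
#include <wincrypt.h>
#include <rpc.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "rpcrt4.lib")

/* Container names are a shared namespace, so build one from a fixed prefix
 * (hypothetical "ExampleApp-") and a freshly generated GUID. */
static BOOL make_container_name(char *out, size_t cap)
{
    UUID id;
    RPC_CSTR s = NULL;
    if (UuidCreate(&id) != RPC_S_OK || UuidToStringA(&id, &s) != RPC_S_OK) return FALSE;
    int n = snprintf(out, cap, "ExampleApp-%s", (const char *)s);
    RpcStringFreeA(&s);
    return n > 0 && (size_t)n < cap;
}

/* Creates a container, signs a constructed message with its AT_SIGNATURE pair,
 * exports only the public half, imports that blob into a separate verify-only
 * context, checks the signature and finally deletes the container.
 * Returns 1 if the signature verified, 0 on any failure. */
int sign_verify_roundtrip(void)
{
    static const BYTE msg[] = "constructed message for the roundtrip";
    char name[64];
    HCRYPTPROV hProv = 0, hVerify = 0;
    HCRYPTKEY  hKey = 0, hPub = 0;
    HCRYPTHASH hHash = 0, hHash2 = 0;
    BYTE *blob = NULL, *sig = NULL;
    DWORD blobLen = 0, sigLen = 0;
    int ok = 0;

    if (!make_container_name(name, sizeof name)) return 0;
    /* CRYPT_NEWKEYSET: create a new persistent container under this name. */
    if (!CryptAcquireContextA(&hProv, name, NULL, PROV_RSA_AES, CRYPT_NEWKEYSET)) return 0;
    /* The pair lives in the CSP; without CRYPT_EXPORTABLE the private half never leaves it. */
    if (!CryptGenKey(hProv, AT_SIGNATURE, (2048 << 16), &hKey)) goto done;
    CryptDestroyKey(hKey); hKey = 0;
    /* Re-obtain a handle to the persisted pair, exactly as a later session would. */
    if (!CryptGetUserKey(hProv, AT_SIGNATURE, &hKey)) goto done;

    /* Export the public half only; the BLOBHEADER records that it is a signing key. */
    if (!CryptExportKey(hKey, 0, PUBLICKEYBLOB, 0, NULL, &blobLen)) goto done;
    blob = malloc(blobLen);
    if (!blob || !CryptExportKey(hKey, 0, PUBLICKEYBLOB, 0, blob, &blobLen)) goto done;
    if (((BLOBHEADER *)blob)->bType != PUBLICKEYBLOB ||
        ((BLOBHEADER *)blob)->aiKeyAlg != CALG_RSA_SIGN) goto done;

    /* Sign SHA-256(msg) with the container's signature key. */
    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) goto done;
    if (!CryptHashData(hHash, msg, sizeof msg - 1, 0)) goto done;
    if (!CryptSignHashA(hHash, AT_SIGNATURE, NULL, 0, NULL, &sigLen)) goto done;
    sig = malloc(sigLen);
    if (!sig || !CryptSignHashA(hHash, AT_SIGNATURE, NULL, 0, sig, &sigLen)) goto done;

    /* The "other environment": a verify-only context that owns no container at all.
     * The blob must be imported here before CryptVerifySignature can use it. */
    if (!CryptAcquireContextA(&hVerify, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) goto done;
    if (!CryptImportKey(hVerify, blob, blobLen, 0, 0, &hPub)) goto done;
    if (!CryptCreateHash(hVerify, CALG_SHA_256, 0, 0, &hHash2)) goto done;
    if (!CryptHashData(hHash2, msg, sizeof msg - 1, 0)) goto done;
    ok = CryptVerifySignatureA(hHash2, sig, sigLen, hPub, NULL, 0) ? 1 : 0;

done:
    if (hHash2)  CryptDestroyHash(hHash2);
    if (hPub)    CryptDestroyKey(hPub);
    if (hVerify) CryptReleaseContext(hVerify, 0);
    if (hHash)   CryptDestroyHash(hHash);
    if (hKey)    CryptDestroyKey(hKey);
    if (hProv)   CryptReleaseContext(hProv, 0);
    free(sig);
    free(blob);
    /* Remove the container and its key pair; the handle returned here is not usable. */
    CryptAcquireContextA(&hProv, name, NULL, PROV_RSA_AES, CRYPT_DELETEKEYSET);
    return ok;
}

int main(void)
{
    printf("signature verified: %s\n", sign_verify_roundtrip() ? "yes" : "no");
    return 0;
}
```

Note that the importing side never touches the signer's container: imported public keys hang off the provider handle, which is why the answer says they are not logically part of any container, and why importing one cannot replace the public half of a persisted pair.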
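To make the "does the blob say which key it is" point concrete, here is an added example (not from the question, the answer or Microsoft) that parses the fixed part of an RSA PUBLICKEYBLOB / PRIVATEKEYBLOB without any Windows headers: an 8-byte BLOBHEADER (bType, bVersion, reserved, aiKeyAlg) followed by a 12-byte RSAPUBKEY (magic "RSA1"/"RSA2", bitlen, pubexp) and the little-endian modulus. The constants are the wincrypt.h values; the sample blob is constructed with a dummy modulus and is not a real key.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values as defined in wincrypt.h, repeated here so this builds anywhere. */
#define PUBLICKEYBLOB     0x06
#define PRIVATEKEYBLOB    0x07
#define CUR_BLOB_VERSION  0x02
#define CALG_RSA_SIGN     0x00002400u
#define CALG_RSA_KEYX     0x0000a400u
#define RSA1_MAGIC        0x31415352u   /* "RSA1": public key material follows  */
#define RSA2_MAGIC        0x32415352u   /* "RSA2": private key material follows */

typedef struct {
    unsigned blob_type;      /* BLOBHEADER.bType                          */
    unsigned version;        /* BLOBHEADER.bVersion                       */
    uint32_t key_alg;        /* BLOBHEADER.aiKeyAlg: which key it is      */
    uint32_t bitlen;         /* RSAPUBKEY.bitlen                          */
    uint32_t pubexp;         /* RSAPUBKEY.pubexp                          */
    const uint8_t *modulus;  /* little-endian modulus inside the blob     */
    size_t modulus_len;
} rsa_blob_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 0 on success, a negative code for a malformed or unsupported blob.
 * Every length is checked before it is read so a truncated blob is rejected. */
int parse_rsa_blob(const uint8_t *blob, size_t len, rsa_blob_info *out)
{
    if (len < 8) return -1;                                    /* BLOBHEADER is 8 bytes */
    out->blob_type = blob[0];
    out->version   = blob[1];
    if (rd16(blob + 2) != 0) return -2;                        /* reserved must be zero */
    out->key_alg   = rd32(blob + 4);
    if (out->blob_type != PUBLICKEYBLOB && out->blob_type != PRIVATEKEYBLOB) return -3;
    if (out->version != CUR_BLOB_VERSION) return -4;
    if (out->key_alg != CALG_RSA_SIGN && out->key_alg != CALG_RSA_KEYX) return -5;
    if (len < 20) return -6;                                   /* RSAPUBKEY is 12 bytes */
    uint32_t magic = rd32(blob + 8);
    if (out->blob_type == PUBLICKEYBLOB  && magic != RSA1_MAGIC) return -7;
    if (out->blob_type == PRIVATEKEYBLOB && magic != RSA2_MAGIC) return -7;
    out->bitlen = rd32(blob + 12);
    out->pubexp = rd32(blob + 16);
    if (out->bitlen == 0 || out->bitlen % 8 != 0) return -8;
    out->modulus_len = out->bitlen / 8;
    if (len < 20 + out->modulus_len) return -9;                /* modulus truncated */
    out->modulus = blob + 20;                                  /* private blobs carry p, q, ... after this */
    return 0;
}

/* Maps aiKeyAlg to the key-pair slot CryptGetUserKey would address. */
const char *key_usage(uint32_t key_alg)
{
    if (key_alg == CALG_RSA_SIGN) return "signature";
    if (key_alg == CALG_RSA_KEYX) return "key exchange";
    return "other";
}

/* Constructed sample: a 512-bit PUBLICKEYBLOB whose modulus is a byte pattern,
 * not a real key. Returns the blob length (84) or 0 if the buffer is too small. */
size_t build_sample_blob(uint8_t *buf, size_t cap, uint32_t key_alg)
{
    const size_t mod_len = 64;
    if (cap < 20 + mod_len) return 0;
    buf[0] = PUBLICKEYBLOB; buf[1] = CUR_BLOB_VERSION; buf[2] = 0; buf[3] = 0;
    wr32(buf + 4, key_alg);
    wr32(buf + 8, RSA1_MAGIC);
    wr32(buf + 12, 512);
    wr32(buf + 16, 65537);
    for (size_t i = 0; i < mod_len; i++) buf[20 + i] = (uint8_t)(0xA5 ^ i);
    return 20 + mod_len;
}

int main(void)
{
    uint8_t b[128];
    rsa_blob_info info;
    size_t n = build_sample_blob(b, sizeof b, CALG_RSA_SIGN);
    if (parse_rsa_blob(b, n, &info) == 0)
        printf("type 0x%02x, %s key, %u bits, e=%u\n",
               info.blob_type, key_usage(info.key_alg), info.bitlen, info.pubexp);
    return 0;
}
```

When receiving a blob from another environment, check aiKeyAlg and the magic before CryptImportKey rather than after: a blob advertising CALG_RSA_KEYX will import fine but CryptVerifySignature will then fail, and the header is the only place that distinction is recorded.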