小贝子编程

C++ CNG NCrypt:无法从密钥存储提供程序打开持久密钥



我有两个程序。一个是创建一个持久化密钥并将其保存到密钥存储提供程序,然后对散列进行签名并将签名写入regedit。第二个程序打开来自提供程序的密钥并验证从注册记录中获得的签名。但我的问题是在第二个程序NCryptOpenKey找不到密钥存储提供商的密钥!在浏览了几个小时的文档和互联网后,我仍然不知道为什么。请指出我做错了什么。代码示例:

变量和清理过程:

NCRYPT_PROV_HANDLE      hProv           = NULL;
NCRYPT_KEY_HANDLE       hKey            = NULL;
SECURITY_STATUS         secStatus       = ERROR_SUCCESS;
BCRYPT_ALG_HANDLE       hHashAlg        = NULL,
hSignAlg        = NULL;
BCRYPT_HASH_HANDLE      hHash           = NULL;
NTSTATUS                status          = STATUS_UNSUCCESSFUL;
DWORD                   cbData          = 0,
cbHash          = 0,
cbSignature     = 0,
cbHashObject    = 0;
PBYTE                   pbHashObject    = NULL;
PBYTE                   pbHash          = NULL,
pbSignature     = NULL;
static const WCHAR* KEY_NAME = TEXT("MyPersistedKey");
void Cleanup()
{
if (hHashAlg)
BCryptCloseAlgorithmProvider(hHashAlg, 0);
if (hSignAlg)
BCryptCloseAlgorithmProvider(hSignAlg, 0);
if (hHash)
BCryptDestroyHash(hHash);
if (pbHashObject)
HeapFree(GetProcessHeap(), 0, pbHashObject);
if (pbHash)
HeapFree(GetProcessHeap(), 0, pbHash);
if (pbSignature)
HeapFree(GetProcessHeap(), 0, pbSignature);
if (hKey)
NCryptDeleteKey(hKey, 0);
if (hProv)
NCryptFreeObject(hProv);
}

1日计划

// open handle to KSP
if (FAILED(secStatus = NCryptOpenStorageProvider(&hProv, MS_KEY_STORAGE_PROVIDER, 0))) {
Cleanup();
return {};
}
// key doesn't exists. create it
if (FAILED(secStatus = NCryptCreatePersistedKey(hProv, &hKey, NCRYPT_ECDSA_P256_ALGORITHM, KEY_NAME, 0, 0))) {
Cleanup();
return {};
}
// create key on disk
if (FAILED(secStatus = NCryptFinalizeKey(hKey, 0))) {
Cleanup();
return {};
}
// get the length of the signature
if (FAILED(secStatus = NCryptSignHash(hKey, NULL, pbHash, cbHash, NULL, 0, &cbSignature, 0))) {
Cleanup();
return {};
}
// allocate the signature buffer
pbSignature = (PBYTE)HeapAlloc(GetProcessHeap(), 0, cbSignature);
if (NULL == pbSignature) {
Cleanup();
return {};
}
// sign the hash
if (FAILED(secStatus = NCryptSignHash(hKey, NULL, pbHash, cbHash, pbSignature, cbSignature, &cbSignature, 0))) {
Cleanup();
return {};
}

2号项目

// open handle to KSP
if (FAILED(secStatus = NCryptOpenStorageProvider(&hProv, MS_KEY_STORAGE_PROVIDER, 0))) {
Cleanup();
return false;
}
// open key from KSP
if (FAILED(secStatus = NCryptOpenKey(hProv, &hKey, KEY_NAME, 0, 0))) {
Cleanup();
return false;
}
// verify signature with hash
status = NCryptVerifySignature(hKey, NULL, pbHash, cbHash, pbSignature, cbSignature, 0);
switch (status) {
case ERROR_SUCCESS:   // hash is verifyied
Cleanup();
return true;
case NTE_BAD_SIGNATURE:   // hash isn't verifyied
Cleanup();
return false;
default:
Cleanup();
return false;
}

根据NCryptVerifySignature,

密钥的句柄必须是相同的密钥(对称密钥)或公钥部分的密钥对(非对称密钥)用于使用NCryptSignHash函数对数据进行签名

需要导出公钥。请参阅使用CNG和SignHashWithPersistedKeys签名数据示例。
删除磁盘上的密钥文件,将句柄传递给NCryptDeleteKey函数。已删除Cleanup中的密钥。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium