bcrypt rsa private key import in kernel

Mak Member Posts: 39

I tried to use the RSA bcrypt decrypt inside a kernel module and get the HRESULT 0xd00000bb (HR_STATUS_NOT_SUPPORTED) from BCryptImportKeyPair.
I first tested the routine in a user mode app and here it works fine.

I tried also BCRYPT_RSAPRIVATE_BLOB instead of LEGACY_RSAPRIVATE_BLOB but here it is not clear how the fields must be set.
If we use BCRYPT_RSAPRIVATE_BLOB we must build the struct of BCRYPT_RSAKEY_BLOB from (in my example) "privateBlobKey" below.

....
pRsaBlob->Magic = BCRYPT_RSAPRIVATE_MAGIC;
pRsaBlob->BitLength = pKey->rsapubkey.bitlen;
pRsaBlob->cbPublicExp = cbExp;
pRsaBlob->cbModulus = cbModulus;
pRsaBlob->cbPrime1 = 0;
pRsaBlob->cbPrime2 = 0;

What is the way that the Decrypt can work in the kernel?


I do it in the following way:

if (!SUCCEEDED(hr = HRESULT_FROM_NT(
    BCryptOpenAlgorithmProvider(
        &hAlgorithm,
        BCRYPT_RSA_ALGORITHM,
        MS_PRIMITIVE_PROVIDER, // MS_PLATFORM_CRYPTO_PROVIDER MS_PRIMITIVE_PROVIDER
        0)))) {
    goto cleanup;
}

hr = HRESULT_FROM_NT(BCryptImportKeyPair(
    hAlgorithm,
    NULL,
    LEGACY_RSAPRIVATE_BLOB, // BCRYPT_RSAPRIVATE_BLOB
    &hKey,
    (PUCHAR)privateBlobKey,
    sizeof(privateBlobKey),
    0
));

The blob comes from a struct
BYTE privateBlobKey[] =
{ 0x07,0x02,0x00,0x00,0x0
...
};

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 6,836

    I'm no crypto-geek, but I do seem to recall that setting these things up is never trivial. Some of these fields need to be passed-in big endian, do they not?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Tim_Roberts Member - All Emails Posts: 12,715
    via Email
    Mak wrote:
    > I tried to use the rsa bcrypt decrypt inside a kernel module and get the hresult of 0xd00000bb(HR_STATUS_NOT_SUPPORTED ) from BCryptImportKeyPair.

    How did you even get that far?  bcrypt.dll is a user-mode DLL that links
    to a number of user-mode APIs.  It shouldn't even have loaded in kernel
    mode.  Is there a separate bcrypt.dll for kernel use?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Peter_Viscarola_(OSR) Administrator Posts: 6,836

    > Is there a separate bcrypt.dll for kernel use

    I dunno. But you certainly can use the bcrypt library in kernel mode. It's part of CNG and you link against CNG.LIB, IIRC.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Mak Member Posts: 39

    On the Microsoft site it is stated that for bcrypt a special driver exists whose name is "ksecdd.sys".

    To call this function in kernel mode, use Cng.lib, which is part of the Driver Development Kit (DDK). For more information, see WDK and Developer Tools. Windows Server 2008 and Windows Vista: To call this function in kernel mode, use Ksecdd.lib.

  • Mak Member Posts: 39

    I got it running. Yes, it is a little bit tricky. First the right format from the PEM must be created, and then each field (modulo, private exponent and the primes) must be correctly set in big-endian format.
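
Added example (not code from this thread or from Microsoft): one way to produce the big-endian field layout the last post describes, assuming the input is a legacy CAPI private key blob like `privateBlobKey` in the question. It rewrites the little-endian legacy fields into the `BCRYPT_RSAPRIVATE_BLOB` layout, where the six header fields stay native ULONGs and the exponent, modulus and both primes follow as big-endian byte strings; the function name and the 32-bit toy key are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define RSA2_MAGIC 0x32415352u /* "RSA2": RSAPUBKEY.magic, also BCRYPT_RSAPRIVATE_MAGIC */

/* Constructed 32-bit toy key (n = 0xFFE000FF = 0xFFF1 * 0xFFEF), layout demo only. */
const uint8_t SAMPLE_LEGACY[38] = {
    0x07,0x02,0x00,0x00, 0x00,0xA4,0x00,0x00,   /* BLOBHEADER: PRIVATEKEYBLOB, CALG_RSA_KEYX */
    0x52,0x53,0x41,0x32, 0x20,0x00,0x00,0x00, 0x01,0x00,0x01,0x00, /* RSAPUBKEY, e = 65537 */
    0xFF,0x00,0xE0,0xFF, 0xF1,0xFF, 0xEF,0xFF,  /* n, p, q (little-endian) */
    0,0, 0,0, 0,0, 0,0,0,0                      /* dp, dq, qinv, d: zeroed, not read here */
};

static uint32_t rd_le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
/* Copy n bytes in reverse order: little-endian integer in, big-endian out. */
static uint8_t *put_be(uint8_t *dst, const uint8_t *src, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = src[n - 1 - i];
    return dst + n;
}

/* Returns bytes written to out, or 0 if the blob is malformed or out is too small. */
size_t legacy_to_bcrypt_rsaprivate(const uint8_t *in, size_t in_len,
                                   uint8_t *out, size_t out_cap) {
    if (in_len < 20 || in[0] != 0x07 || in[1] != 0x02) return 0;
    if (rd_le32(in + 8) != RSA2_MAGIC) return 0;
    uint32_t bits = rd_le32(in + 12);
    if (bits == 0 || bits % 16 != 0 || bits > 16384) return 0;
    size_t cb_mod = bits / 8, cb_half = bits / 16;
    /* Legacy body: n (2 halves), p, q, dp, dq, qinv (1 half each), d (2 halves). */
    if (in_len < 20 + 9 * cb_half) return 0;
    size_t cb_exp = 4;                 /* pubexp is a little-endian DWORD at offset 16 */
    while (cb_exp > 1 && in[16 + cb_exp - 1] == 0) cb_exp--;
    if (out_cap < 24 + cb_exp + cb_mod + 2 * cb_half) return 0;
    /* BCRYPT_RSAKEY_BLOB header: six native (little-endian) ULONGs. */
    wr_le32(out, RSA2_MAGIC);             wr_le32(out + 4, bits);
    wr_le32(out + 8, (uint32_t)cb_exp);   wr_le32(out + 12, (uint32_t)cb_mod);
    wr_le32(out + 16, (uint32_t)cb_half); wr_le32(out + 20, (uint32_t)cb_half);
    uint8_t *p = put_be(out + 24, in + 16, cb_exp);     /* PublicExponent */
    p = put_be(p, in + 20, cb_mod);                     /* Modulus */
    p = put_be(p, in + 20 + cb_mod, cb_half);           /* Prime1 */
    p = put_be(p, in + 20 + cb_mod + cb_half, cb_half); /* Prime2 */
    return (size_t)(p - out);
}
```

In a driver, the output buffer is what would be passed to BCryptImportKeyPair with BCRYPT_RSAPRIVATE_BLOB. Both buffers hold private key material, so clear them with RtlSecureZeroMemory once the key handle exists.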
