bcrypt rsa private key import in kernel

Mak Member Posts: 50

I tried to use the RSA bcrypt decrypt inside a kernel module and get the HRESULT of 0xd00000bb (HR_STATUS_NOT_SUPPORTED) from BCryptImportKeyPair.
I first tested the routine in a user mode app and there it works fine.

I also tried BCRYPT_RSAPRIVATE_BLOB instead of LEGACY_RSAPRIVATE_BLOB, but there it is not clear how the fields must be set.
If we use BCRYPT_RSAPRIVATE_BLOB we must build the struct of BCRYPT_RSAKEY_BLOB from (in my example) "privateBlobKey" below.

pRsaBlob->BitLength = pKey->rsapubkey.bitlen;
pRsaBlob->cbPublicExp = cbExp;
pRsaBlob->cbModulus = cbModulus;
pRsaBlob->cbPrime1 = 0;
pRsaBlob->cbPrime2 = 0;

What is the way that the Decrypt can work in the kernel?

I do it in the following way:

        0)))) {
    goto cleanup;

hr = HRESULT_FROM_NT(BCryptImportKeyPair(

The blob comes from a struct
BYTE privateBlobKey[] =
{ 0x07,0x02,0x00,0x00,0x0


  • Peter_Viscarola_(OSR) Administrator Posts: 7,796

    I'm no crypto-geek, but I do seem to recall that setting these things up is never trivial. Some of these fields need to be passed-in big endian, do they not?


    Peter Viscarola

  • Tim_Roberts Member - All Emails Posts: 13,398
    via Email
    Mak wrote:
    > I tried to use the rsa bcrypt decrypt inside a kernel module and get the hresult of 0xd00000bb(HR_STATUS_NOT_SUPPORTED ) from BCryptImportKeyPair.

    How did you even get that far?  bcrypt.dll is a user-mode DLL that links
    to a number of user-mode APIs.  It shouldn't even have loaded in kernel
    mode.  Is there a separate bcrypt.dll for kernel use?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Peter_Viscarola_(OSR) Administrator Posts: 7,796

    > Is there a separate bcrypt.dll for kernel use

    I dunno. But you certainly can use the bcrypt library in kernel mode. It's part of CNG and you link against CNG.LIB, IIRC.


    Peter Viscarola

  • Mak Member Posts: 50

    On the Microsoft site it is stated that for bcrypt a special driver exists whose name is "ksecdd.sys".

    > To call this function in kernel mode, use Cng.lib, which is part of the Driver Development Kit (DDK). For more information, see WDK and Developer Tools. Windows Server 2008 and Windows Vista: To call this function in kernel mode, use Ksecdd.lib.

  • Mak Member Posts: 50

    I got it running. Yes, it is a little bit tricky. First the right format from the PEM must be created and then each field: modulo, private exponent and the primes must be correctly set in Big Endian format.
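
The byte-order fix described in the post above, as an added example that is not part of the original thread: portable C that converts a legacy CryptoAPI PRIVATEKEYBLOB (all integers little-endian) into the BCRYPT_RSAPRIVATE_BLOB layout (BCRYPT_RSAKEY_BLOB header followed by big-endian public exponent, modulus and both primes). The helper name and the 32-bit sample blob are constructed for illustration; the layouts follow Microsoft's documented structure definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define RSA2_MAGIC 0x32415352u /* "RSA2": legacy RSAPUBKEY.magic and BCRYPT_RSAPRIVATE_MAGIC */

static uint32_t rd32(const uint8_t *p) {                      /* little-endian DWORD */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {                    /* header ULONGs stay little-endian */
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static void rev(uint8_t *dst, const uint8_t *src, size_t n) { /* LE integer -> BE integer */
    for (size_t i = 0; i < n; i++) dst[i] = src[n - 1 - i];
}

/* Hypothetical helper: legacy PRIVATEKEYBLOB -> BCRYPT_RSAPRIVATE_BLOB.
 * Returns bytes written, or 0 if the input is malformed or out is too small. */
size_t legacy_to_bcrypt_private(const uint8_t *in, size_t in_len, uint8_t *out, size_t cap) {
    if (in_len < 20 || in[0] != 0x07 || in[1] != 0x02) return 0; /* bType, bVersion */
    if (rd32(in + 8) != RSA2_MAGIC) return 0;
    uint32_t bits = rd32(in + 12), e = rd32(in + 16);
    if (bits == 0 || bits % 16 || bits > 16384 || e == 0) return 0;
    size_t nlen = bits / 8, plen = bits / 16, elen = 4;
    if (in_len < 20 + 2 * nlen + 5 * plen) return 0; /* n, p, q, dP, dQ, qInv, d */
    while (elen > 1 && (e >> (8 * (elen - 1))) == 0) elen--;  /* drop leading zero bytes */
    size_t need = 24 + elen + nlen + 2 * plen;
    if (cap < need) return 0;
    wr32(out, RSA2_MAGIC);           wr32(out + 4, bits);
    wr32(out + 8, (uint32_t)elen);   wr32(out + 12, (uint32_t)nlen);
    wr32(out + 16, (uint32_t)plen);  wr32(out + 20, (uint32_t)plen); /* blob carries both primes */
    uint8_t *w = out + 24;
    for (size_t i = 0; i < elen; i++) *w++ = (uint8_t)(e >> (8 * (elen - 1 - i))); /* BE exponent */
    rev(w, in + 20, nlen);               w += nlen;  /* Modulus */
    rev(w, in + 20 + nlen, plen);        w += plen;  /* Prime1 */
    rev(w, in + 20 + nlen + plen, plen);             /* Prime2 */
    return need;
}

/* Constructed 32-bit toy blob (layout demonstration only, not a usable key). */
static const uint8_t SAMPLE[] = {
    0x07,0x02,0x00,0x00, 0x00,0xA4,0x00,0x00,                      /* BLOBHEADER, CALG_RSA_KEYX */
    0x52,0x53,0x41,0x32, 0x20,0x00,0x00,0x00, 0x01,0x00,0x01,0x00, /* RSA2, 32 bits, e=65537 */
    0xFF,0x00,0xE0,0xFF, 0xF1,0xFF, 0xEF,0xFF,                     /* n, p, q (little-endian) */
    0x11,0x11, 0x22,0x22, 0x33,0x33, 0x44,0x44,0x44,0x44 };        /* dP, dQ, qInv, d placeholders */
int main(void) {
    uint8_t out[64];
    printf("%zu bytes\n", legacy_to_bcrypt_private(SAMPLE, sizeof SAMPLE, out, sizeof out));
    return 0;
}
```

In a driver, the converted buffer is what would be handed to BCryptImportKeyPair with the BCRYPT_RSAPRIVATE_BLOB type.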

  • rstruempf Member Posts: 103

    All you do to run it in kernel mode is link to cng.lib instead of bcrypt.lib. I've used bcrypt from kernel mode extensively, but I've never used the RSA features. I have wrapped a key using bcrypt and then reimported the wrapped key, which is similar to what you are doing.

    I can answer general questions, but I do not have a solution to your specific problem.

    Let's start with, are you linking to cng.lib? That causes it to link to ksecdd.sys instead of the user mode dlls

  • Mak Member Posts: 50

    rstruempf: No, if you read on ms it is said that you should link against "Ksecdd.lib". I do this and it works.
    For each function from bcrypt it is also exactly said in which level you can call which bcrypt function (DISPATCH or other). I think you should notice that.
    The calls to cng.lib are not supported, I think.
    Why do you think you can link against cng.lib or bcrypt.lib? Have you done it? I think not.

  • Mak Member Posts: 50

    rstruempf: Sorry, I didn't read your post completely.
    My original question was specific to RSA, but as I mentioned above I have solved that.
    I looked inside the Ksecdd.sys with dependency walker and there are all bcrypt functions exported. It can be that ms route directly to bcrypt.dll but it also can be that they do some driver specific things before they do that.

  • rstruempf Member Posts: 103
    edited December 2018

    bcrypt.lib is an import library that links the bcrypt primitives to the usermode bcrypt.dll (and I think bcryptprimitives.dll). cng.lib is an import library that links the same bcrypt primitives to ksecdd.sys, a kernel mode "dll". Just check out the Remarks section of any of the BCrypt primitive functions on for information on using them in kernel mode (

    I did not catch the first time that you had solved your issues by correcting the blob format. Good luck.
