I tried to use the rsa bcrypt decrypt inside a kernel module and get the hresult of 0xd00000bb(HR_STATUS_NOT_SUPPORTED ) from BCryptImportKeyPair.
I first tested the routine in a user mode app and here it works fine.
I tried also BCRYPT_RSAPRIVATE_BLOB instead of LEGACY_RSAPRIVATE_BLOB but here it is not clear how the fields must be set.
If we use BCRYPT_RSAPRIVATE_BLOB we must build the struct of BCRYPT_RSAKEY_BLOB from (in my example) “privateBlobKey” below.
I’m no crypto-geek, but I do seem to recall that setting these things up is never trivial. Some of these fields need to be passed-in big endian, do they not?
I tried to use the rsa bcrypt decrypt inside a kernel module and get the hresult of 0xd00000bb(HR_STATUS_NOT_SUPPORTED ) from BCryptImportKeyPair.
How did you even get that far? bcrypt.dll is a user-mode DLL that links
to a number of user-mode APIs. It shouldn’t even have loaded in kernel
mode. Is there a separate bcrypt.dll for kernel use?
On the microsoft site is stated that for bcrypt a special driver exists which name is “ksecdd.sys”.
To call this function in kernel mode, use Cng.lib, which is part of the Driver Development Kit (DDK). For more information, see WDK and Developer Tools.Windows Server 2008 and Windows Vista: To call this function in kernel mode, use Ksecdd.lib.
I get it running. Yes, it is a little bit tricky. First the right format from the Pem must be created and then each field: modulo, private exponent and the primes must be correctly set in Big Endian format.
All you do to run it in kernel mode is link to cng.lib instead of bcrypt.lib. I’ve used bcrypt from kernel mode extensively, but I’ve never used the RSA features. I have wrapped a key using bcrypt and then reimported the wrapped key, which is similar to what you are doing.
I can answer general questions, but I do not have a solution to your specific problem.
Let’s start with, are you linking to cng.lib? That causes it to link to ksecdd.sys instead of the user mode dlls
rstruempf: No, if you read on ms it is said that you should link against “Ksecdd.lib”. I do this and it works.
For each function from bcrypt it is also exactly said in which level you can call which bcrypt function (DISPATCH or other). I think you should notice that.
The calls to cng.lib are not supported, I think.
Why do think you can link against cng.lib or bcrypt.lib. Have you done it? I think not.
rstruempf: Sorry, I dont read your post completely.
My orginal question was specific to RSA but as I mentioned above I have solved that.
I looked inside the Ksecdd.sys with dependency walker and there are all bcrypt functions exported. It can be that ms route directly to bcrypt.dll but it also can be that they do some driver specific things before they do that.
bcrypt.lib is an import library that links the bcrypt primitives to the usermode bcrypt.dll (and I think bcryptprimitives.dll). cng.lib is an import library that links the same bcrypt primitives to ksecdd.sys, a kernel mode “dll”. Just check out the Remarks section of any of the BCrypt primitive functions on docs.microsoft.com for information on using them in kernel mode (https://docs.microsoft.com/en-us/windows/desktop/api/bcrypt/nf-bcrypt-bcryptgenrandom).
I did not catch the first time that you had solved your issues by correcting the blob format. Good luck.