
How can I export CngKey to PKCS#8 with encryption?

using System;
using System.Security.Cryptography;

static void Main(string[] args)
{
    CngKeyCreationParameters ckcParams = new CngKeyCreationParameters()
    {
        ExportPolicy = CngExportPolicies.AllowExport,
        KeyCreationOptions = CngKeyCreationOptions.None,
        KeyUsage = CngKeyUsages.AllUsages,
    };
    // The key length is handed to the KSP as a 4-byte little-endian property
    ckcParams.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(2048), CngPropertyOptions.None));

    CngKey myCngKey = CngKey.Create(CngAlgorithm.Rsa, "theCngKey", ckcParams);

    // Pkcs8PrivateBlob is an unencrypted PKCS#8 blob; with only AllowExport the KSP refuses it
    byte[] privatePlainTextBlob = myCngKey.Export(CngKeyBlobFormat.Pkcs8PrivateBlob);
}

Setting the ExportPolicy to AllowPlainTextExport allows the key to be exported, but only in plain text. I would like to create a PKCS#8 blob which is encrypted with a symmetric key.

Thanks

1 Answer


Since CngKey.Export doesn't accept a password, you'd have to manually P/Invoke to NCryptExportKey, providing a NCRYPTBUFFER_PKCS_SECRET value (Unicode/UCS-2 encoded password with explicit null terminator).

http://source.dot.net/#System.Security.Cryptography.Cng/Common/System/Security/Cryptography/ECCng.ImportExport.cs,8b172741466df7a1 can be used as an example of building the parameter list. It's not fun.
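A worked example of the P/Invoke route the answer describes, added here; it is not the answerer's code and not code from the .NET repository. It assumes the software KSP on Windows, and it passes three buffers the way I read the linked .NET source as doing: the PBE algorithm OID as a null-terminated ANSI string (`NCRYPTBUFFER_PKCS_ALG_OID`, value 41), DER-encoded PKCS#12 PBE parameters (`NCRYPTBUFFER_PKCS_ALG_PARAM`, 42) and the password as UTF-16 with an explicit null terminator counted in the length (`NCRYPTBUFFER_PKCS_SECRET`, 46). The class and method names, the 8-byte salt and the 2000-iteration count are my choices, not anything from the question or answer.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32.SafeHandles;

static class EncryptedPkcs8Export
{
    // Values from ncrypt.h
    const string NCRYPT_PKCS8_PRIVATE_KEY_BLOB = "PKCS8_PRIVATEKEY";
    const int NCRYPTBUFFER_VERSION = 0;
    const int NCRYPTBUFFER_PKCS_ALG_OID = 41;
    const int NCRYPTBUFFER_PKCS_ALG_PARAM = 42;
    const int NCRYPTBUFFER_PKCS_SECRET = 46;
    // pbeWithSHA1And3-KeyTripleDES-CBC (PKCS#12 PBE); assumed to match what the .NET source passes
    const string PbeOid = "1.2.840.113549.1.12.1.3";

    [StructLayout(LayoutKind.Sequential)]
    struct NCryptBuffer { public int cbBuffer; public int BufferType; public IntPtr pvBuffer; }

    [StructLayout(LayoutKind.Sequential)]
    struct NCryptBufferDesc { public int ulVersion; public int cBuffers; public IntPtr pBuffers; }

    [DllImport("ncrypt.dll", CharSet = CharSet.Unicode)]
    static extern int NCryptExportKey(SafeNCryptKeyHandle hKey, IntPtr hExportKey, string pszBlobType,
        ref NCryptBufferDesc pParameterList, byte[] pbOutput, int cbOutput, out int pcbResult, int dwFlags);

    // DER-encodes pkcs-12PbeParams ::= SEQUENCE { salt OCTET STRING, iterations INTEGER }.
    // Uses short-form lengths only, which holds for an 8-byte salt and any positive int.
    static byte[] EncodePbeParams(byte[] salt, int iterations)
    {
        byte[] be = BitConverter.GetBytes(iterations);
        if (BitConverter.IsLittleEndian) Array.Reverse(be);
        int start = 0;
        while (start < be.Length - 1 && be[start] == 0) start++;   // minimal INTEGER encoding
        bool pad = be[start] >= 0x80;                               // leading 0x00 keeps it positive
        int intLen = be.Length - start + (pad ? 1 : 0);
        byte[] body = new byte[2 + salt.Length + 2 + intLen];
        int i = 0;
        body[i++] = 0x04; body[i++] = (byte)salt.Length;
        Buffer.BlockCopy(salt, 0, body, i, salt.Length); i += salt.Length;
        body[i++] = 0x02; body[i++] = (byte)intLen;
        if (pad) body[i++] = 0x00;
        Buffer.BlockCopy(be, start, body, i, be.Length - start);
        byte[] der = new byte[2 + body.Length];
        der[0] = 0x30; der[1] = (byte)body.Length;
        Buffer.BlockCopy(body, 0, der, 2, body.Length);
        return der;
    }

    // Returns a DER EncryptedPrivateKeyInfo for 'key', encrypted under 'password'.
    public static byte[] Export(CngKey key, string password, int iterations = 2000)
    {
        byte[] salt = new byte[8];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);

        byte[] oid = Encoding.ASCII.GetBytes(PbeOid + "\0");          // ANSI, null-terminated
        byte[] pbeParams = EncodePbeParams(salt, iterations);
        byte[] secret = Encoding.Unicode.GetBytes(password + "\0");    // UTF-16, explicit terminator

        GCHandle hOid = GCHandle.Alloc(oid, GCHandleType.Pinned);
        GCHandle hParam = GCHandle.Alloc(pbeParams, GCHandleType.Pinned);
        GCHandle hSecret = GCHandle.Alloc(secret, GCHandleType.Pinned);
        int bufSize = Marshal.SizeOf(typeof(NCryptBuffer));
        IntPtr bufArray = Marshal.AllocHGlobal(bufSize * 3);
        try
        {
            var buffers = new[]
            {
                new NCryptBuffer { cbBuffer = oid.Length, BufferType = NCRYPTBUFFER_PKCS_ALG_OID, pvBuffer = hOid.AddrOfPinnedObject() },
                new NCryptBuffer { cbBuffer = pbeParams.Length, BufferType = NCRYPTBUFFER_PKCS_ALG_PARAM, pvBuffer = hParam.AddrOfPinnedObject() },
                new NCryptBuffer { cbBuffer = secret.Length, BufferType = NCRYPTBUFFER_PKCS_SECRET, pvBuffer = hSecret.AddrOfPinnedObject() },
            };
            for (int i = 0; i < buffers.Length; i++)
                Marshal.StructureToPtr(buffers[i], bufArray + i * bufSize, false);
            var desc = new NCryptBufferDesc { ulVersion = NCRYPTBUFFER_VERSION, cBuffers = buffers.Length, pBuffers = bufArray };

            using (SafeNCryptKeyHandle hKey = key.Handle)
            {
                // First call sizes the output, second call fills it
                int status = NCryptExportKey(hKey, IntPtr.Zero, NCRYPT_PKCS8_PRIVATE_KEY_BLOB, ref desc, null, 0, out int needed, 0);
                if (status != 0) throw new CryptographicException(status);
                byte[] blob = new byte[needed];
                status = NCryptExportKey(hKey, IntPtr.Zero, NCRYPT_PKCS8_PRIVATE_KEY_BLOB, ref desc, blob, blob.Length, out int written, 0);
                if (status != 0) throw new CryptographicException(status);
                Array.Resize(ref blob, written);
                return blob;
            }
        }
        finally
        {
            Array.Clear(secret, 0, secret.Length);   // don't leave the password lying in managed memory
            hOid.Free(); hParam.Free(); hSecret.Free();
            Marshal.FreeHGlobal(bufArray);
        }
    }

    static void Main()
    {
        // Same key setup as the question: AllowExport only, no plain-text export policy
        var ckcParams = new CngKeyCreationParameters { ExportPolicy = CngExportPolicies.AllowExport };
        ckcParams.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(2048), CngPropertyOptions.None));
        using (CngKey key = CngKey.Create(CngAlgorithm.Rsa, "theCngKey", ckcParams))
        {
            byte[] encrypted = Export(key, "correct horse battery staple");
            Console.WriteLine("EncryptedPrivateKeyInfo: {0} bytes, first byte 0x{1:X2} (DER SEQUENCE)", encrypted.Length, encrypted[0]);
            key.Delete();   // remove the persisted key from the KSP once it has been exported
        }
    }
}
```

The output is a DER EncryptedPrivateKeyInfo, so it can be wrapped as a `-----BEGIN ENCRYPTED PRIVATE KEY-----` PEM and read by other tools. Note that the encrypted export is permitted under `AllowExport`; `AllowPlainTextExport` is only needed for the unencrypted `Pkcs8PrivateBlob` the question's code asks for. On .NET Core 3.0 and later, `RSACng` inherits `ExportEncryptedPkcs8PrivateKey(password, PbeParameters)` from `AsymmetricAlgorithm`, which wraps this same call, so the P/Invoke is only necessary on .NET Framework.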