I'm writing code that would create a certificate in the Certificate Store, and I'm using CNG. Actually, I'm not really writing it, but adapting an example from MSDN. My code compiles and creates keys for some algorithms, but none of those keys can be used to create a certificate. For most of them it says "Unknown cryptographic algorithm".
Here is the part of my code that tries all available algorithms and creates a key and a certificate for each:
#include <windows.h>
#include <wincrypt.h>
#include <ncrypt.h>
#include <iostream>

// Open the default CNG key storage provider.
NCRYPT_PROV_HANDLE ncrypt_prov;
err = NCryptOpenStorageProvider(
    &ncrypt_prov
    , NULL   // provider name - use default
    , 0      // flags - none exist as of 2019
); RAISE_ERRCODE(err);

NCRYPT_KEY_HANDLE key;
for (const auto* algo : algos)   // algos: CNG algorithm identifier strings (LPCWSTR)
{
    std::cout << "trying ";
    std::wcout << algo << std::endl;

    // Ask the provider for a key of this algorithm.
    err = NCryptCreatePersistedKey(
        ncrypt_prov
        , &key
        , algo
        , NULL   // key name - NULL creates an ephemeral key
        , 0      // legacy key spec param
        , 0      // flags
    );
    if (err != ERROR_SUCCESS)
    {
        std::cout << "when creating a key: ";
        print_error(err);
        continue;
    }

    // Build a self-signed certificate whose public key comes from the CNG key handle.
    PCCERT_CONTEXT cert = CertCreateSelfSignCertificate(
        key              // hCryptProvOrNCryptKey
        , &subject_name  // CERT_NAME_BLOB with the encoded subject name
        , 0              // flags
        , NULL           // key provider info - optional
        , NULL           // signature algorithm - default
        , NULL           // start time - now
        , NULL           // end time - default validity
        , NULL           // extensions - none
    );
    if (cert == 0)
    {
        auto err = GetLastError();
        std::cout << "when crafting a certificate: ";
        print_error(err);
        continue;
    }
    std::cout << "certificate created with algo ";
    std::wcout << algo << std::endl;   // algo is a wide string, so print it through wcout
}
The list of algorithms I got from here.
Here are the error outputs for all the algorithms I tried:
trying 3DES
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.
trying 3DES_112
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.
trying AES
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.
trying AES-CMAC
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
trying AES-GMAC
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
trying CAPI_KDF
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.
trying DES
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.
trying DESX
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.
trying DH
when crafting a certificate: Errcode 32
Details: The request is not supported.
trying DSA
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.
trying ECDH_P256
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.
trying ECDH_P384
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.
trying ECDH_P521
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.
trying ECDSA_P256
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.
trying ECDSA_P384
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.
trying ECDSA_P521
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.
trying MD2
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
trying MD4
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
trying MD5
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
trying RC2
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.
trying RC4
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
trying RNG
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
trying DUALECRNG
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
trying FIPS186DSARNG
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
trying RSA
when crafting a certificate: Errcode 8009000b
Details: Key not valid for use in specified state.
trying RSA_SIGN
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
trying SHA1
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
trying SHA256
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
trying SHA384
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
trying SHA512
when creating a key: Errcode 80090029
Details: The requested operation is not supported.
trying SP800_108_CTR_HMAC
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.
trying SP800_56A_CONCAT
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.
trying PBKDF2
when crafting a certificate: Errcode 80091002
Details: Unknown cryptographic algorithm.
Maybe I'm just misusing the new API? It worked fine when using the old wincrypt32.
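Two CNG facts explain most of the output above, and the example below (added here; it is not the asker's code and not from any MSDN sample) demonstrates the working sequence. First, NCryptCreatePersistedKey returns a key in a pending state, and NCryptFinalizeKey must be called on the handle before the key can sign anything; using it earlier is exactly what NTE_BAD_KEY_STATE (0x8009000B, "Key not valid for use in specified state") reports, which is the error shown for RSA, DSA and the ECDSA/ECDH curves. Second, a certificate carries a public key, so only asymmetric signing algorithms (RSA, ECDSA, DSA) can back one; the symmetric cipher, hash and KDF identifiers have no public key to encode, hence CRYPT_E_UNKNOWN_ALGO (0x80091002), and the algorithms rejected at NCryptCreatePersistedKey with NTE_NOT_SUPPORTED (0x80090029) are not persistable keys at all. The script uses the .NET wrappers over the same NCrypt provider rather than a C++ build because it runs as-is on a Windows box: CngKey.Create performs both NCryptCreatePersistedKey and NCryptFinalizeKey internally, and CertificateRequest signs the self-signed certificate with the finalized key. It assumes PowerShell 5.1 on .NET Framework 4.7.2 or later (or PowerShell 7), the default Microsoft Software Key Storage Provider, and a key name of your choosing; 'CngDemoKey' and the subject 'CN=CNG demo' are constructed placeholders.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example, not the asker's code. Creates a finalized CNG key in the default
# provider and signs a self-signed certificate with it. Only signing-capable
# asymmetric algorithms are accepted, because only those can back a certificate.
function New-CngSelfSignedCertificate {
    param(
        [Parameter(Mandatory)][string] $KeyName,   # persisted key name (placeholder chosen by the caller)
        [ValidateSet('RSA', 'ECDSA_P256', 'ECDSA_P384', 'ECDSA_P521')]
        [string] $Algorithm = 'RSA',               # same identifier strings NCrypt uses
        [string] $Subject = 'CN=CNG demo',         # constructed subject name
        [switch] $Install                          # also add the certificate to CurrentUser\My
    )

    $params = [CngKeyCreationParameters]::new()
    $params.ExportPolicy       = [CngExportPolicies]::None     # private key never leaves the provider
    $params.KeyUsage           = [CngKeyUsages]::Signing       # NCRYPT_ALLOW_SIGNING_FLAG
    $params.KeyCreationOptions = [CngKeyCreationOptions]::None # per-user persisted key
    if ($Algorithm -eq 'RSA') {
        # NCRYPT_LENGTH_PROPERTY ("Length") is a DWORD set before finalizing the key.
        $params.Parameters.Add([CngProperty]::new('Length', [BitConverter]::GetBytes([int]2048), [CngPropertyOptions]::None))
    }

    # CngKey.Create wraps NCryptCreatePersistedKey followed by NCryptFinalizeKey,
    # so the handle it returns is already in a usable (finalized) state.
    $cngKey = [CngKey]::Create([CngAlgorithm]::new($Algorithm), $KeyName, $params)
    try {
        if ($Algorithm -eq 'RSA') {
            $signer  = [RSACng]::new($cngKey)
            $request = [CertificateRequest]::new($Subject, $signer, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
        } else {
            $signer  = [ECDsaCng]::new($cngKey)
            $request = [CertificateRequest]::new($Subject, $signer, [HashAlgorithmName]::SHA256)
        }

        $now  = [DateTimeOffset]::UtcNow
        $cert = $request.CreateSelfSigned($now.AddMinutes(-5), $now.AddYears(1))

        if ($Install) {
            $store = [X509Store]::new([StoreName]::My, [StoreLocation]::CurrentUser)
            $store.Open([OpenFlags]::ReadWrite)
            $store.Add($cert)
            $store.Close()
        }
        return $cert
    } catch {
        $cngKey.Delete()   # do not leave an orphaned persisted key behind when signing fails
        throw
    }
}

# Demo run (constructed): sign a certificate with a fresh ECDSA P-256 key, show it,
# then delete the persisted key again so the demo is repeatable.
$cert = New-CngSelfSignedCertificate -KeyName 'CngDemoKey' -Algorithm 'ECDSA_P256'
'{0}  {1}  signed with {2}' -f $cert.Thumbprint, $cert.Subject, $cert.SignatureAlgorithm.FriendlyName
[CngKey]::Open('CngDemoKey').Delete()
```

Run it from a normal user session; no elevation is needed for a per-user key and the CurrentUser\My store. If you install the certificate with -Install, skip the final Delete, because the store entry references the persisted key by name and deleting the key leaves a certificate with no usable private key. The native C++ equivalent of what CngKey.Create does is to call NCryptFinalizeKey(key, 0) after NCryptCreatePersistedKey returns, before handing the handle to CertCreateSelfSignCertificate.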