
I'm having issues acquiring private key handles when the key is backed by the nCipher KSP. For example, when calling

cert.GetECDsaPrivateKey();

the call succeeds and the key is usable; however, this call generates 5 (five) entries in the Windows Event Log:

ERROR: NCCNG_NCryptGetKeyProperty: unsupported flags 0x40000000 (supported 0x00000040)

Quick research suggested that the .NET API calls NCryptGetProperty with NCRYPT_PERSIST_ONLY_FLAG in the dwFlags parameter, and the nCipher KSP does not support NCRYPT_PERSIST_ONLY_FLAG. I was unable to find a way to suppress these errors in the nCipher configuration.

Is this a .NET or nCipher issue? What are other workarounds apart from directly interoping the CryptAcquireCertificatePrivateKey, NCryptOpenStorageProvider and NCryptOpenKey CryptoAPI functions?

Crypt32
  • Logging them as an error sounds like an nCipher bug. I don't think there's any way that .NET can detect a KSP being that angry about a valid flag, and I'd guess that NCryptOpenKey followed by sending that value to CngKey/ECDsaCng will give the same reports to the event log. If you see a way that we can reliably cause less spam to the event log, please open an issue at https://github.com/dotnet/runtime/ – bartonjs Sep 19 '22 at 16:27
  • First problem is that the event is generated 5 times for some unknown reason. By calling `NCryptOpenKey` without flags, or with only the `NCRYPT_SILENT_FLAG` flag in the `dwFlags` parameter, it doesn't cause any issues nor event entries. I'm not sure why .NET passes `NCRYPT_PERSIST_ONLY_FLAG` to NCrypt functions. – Crypt32 Sep 19 '22 at 16:53
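The workaround the question mentions (calling crypt32/ncrypt directly instead of going through `CngKey`/`ECDsaCng`), as an added example that is not part of the original post or of any .NET or nCipher code. It acquires the NCRYPT_KEY_HANDLE either from the certificate context or by provider/key name, passing only `NCRYPT_SILENT_FLAG` (the 0x00000040 value the KSP reports as supported), and signs with `NCryptSignHash` so the managed property queries never run. The constants are the documented wincrypt.h/ncrypt.h values; the thumbprint argument, the sample data and the assumption of .NET 6+ on Windows are mine.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Illustrative P/Invoke wrapper (example code, not from the question or any vendor):
// it talks to crypt32/ncrypt directly so the managed CngKey path, which queries
// properties with NCRYPT_PERSIST_ONLY_FLAG (0x40000000), is never involved.
static class NCryptDirect
{
    // wincrypt.h
    const uint CRYPT_ACQUIRE_SILENT_FLAG          = 0x00000040;
    const uint CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG = 0x00040000;
    const uint CERT_NCRYPT_KEY_SPEC               = 0xFFFFFFFF;

    // ncrypt.h: the only dwFlags value the KSP in the question reports as supported.
    const uint NCRYPT_SILENT_FLAG = 0x00000040;

    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CryptAcquireCertificatePrivateKey(
        IntPtr pCert, uint dwFlags, IntPtr pvParameters,
        out IntPtr phKey, out uint pdwKeySpec, out bool pfCallerFree);

    [DllImport("ncrypt.dll", CharSet = CharSet.Unicode)]
    static extern int NCryptOpenStorageProvider(out IntPtr phProvider, string pszProviderName, uint dwFlags);

    [DllImport("ncrypt.dll", CharSet = CharSet.Unicode)]
    static extern int NCryptOpenKey(IntPtr hProvider, out IntPtr phKey, string pszKeyName,
        uint dwLegacyKeySpec, uint dwFlags);

    [DllImport("ncrypt.dll")]
    static extern int NCryptSignHash(IntPtr hKey, IntPtr pPaddingInfo, byte[] pbHash, uint cbHash,
        byte[] pbSignature, uint cbSignature, out uint pcbResult, uint dwFlags);

    [DllImport("ncrypt.dll")]
    static extern int NCryptFreeObject(IntPtr hObject);

    static void Check(int status)
    {
        if (status != 0) throw new CryptographicException(status);   // SECURITY_STATUS != ERROR_SUCCESS
    }

    // Route 1: NCRYPT_KEY_HANDLE straight from the certificate context.
    // ownsHandle tells the caller whether it must NCryptFreeObject the result.
    public static IntPtr AcquireKeyFromCert(X509Certificate2 cert, out bool ownsHandle)
    {
        if (!CryptAcquireCertificatePrivateKey(cert.Handle,
                CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG | CRYPT_ACQUIRE_SILENT_FLAG,
                IntPtr.Zero, out IntPtr hKey, out uint keySpec, out ownsHandle))
            throw new CryptographicException(Marshal.GetLastWin32Error());
        if (keySpec != CERT_NCRYPT_KEY_SPEC)   // legacy CSP key, not a KSP key
        {
            if (ownsHandle) NCryptFreeObject(hKey);
            throw new CryptographicException("Private key is not a CNG (KSP) key.");
        }
        return hKey;
    }

    // Route 2: open the provider and the key by name, passing only NCRYPT_SILENT_FLAG.
    // Caller frees the key handle first, then the provider handle.
    public static IntPtr OpenKeyByName(string providerName, string keyName, out IntPtr hProv)
    {
        Check(NCryptOpenStorageProvider(out hProv, providerName, 0));
        try
        {
            Check(NCryptOpenKey(hProv, out IntPtr hKey, keyName, 0, NCRYPT_SILENT_FLAG));
            return hKey;
        }
        catch
        {
            NCryptFreeObject(hProv);
            throw;
        }
    }

    // ECDSA through CNG takes no padding info and dwFlags 0; the output is r||s
    // (IEEE P1363), which is the layout ECDsa.VerifyHash expects by default.
    public static byte[] SignHash(IntPtr hKey, byte[] hash)
    {
        Check(NCryptSignHash(hKey, IntPtr.Zero, hash, (uint)hash.Length, null, 0, out uint cb, 0));
        var sig = new byte[cb];
        Check(NCryptSignHash(hKey, IntPtr.Zero, hash, (uint)hash.Length, sig, cb, out cb, 0));
        return sig;
    }

    // Usage: NCryptDirect.exe <thumbprint of a cert in CurrentUser\My whose key lives in the KSP>
    static void Main(string[] args)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var cert = store.Certificates.Find(X509FindType.FindByThumbprint, args[0], validOnly: false)[0];

        byte[] hash = SHA256.HashData(new byte[] { 1, 2, 3 });   // constructed sample data
        IntPtr hKey = AcquireKeyFromCert(cert, out bool owns);
        try
        {
            byte[] sig = SignHash(hKey, hash);
            // Verification needs only the public key, so it never touches the KSP.
            using ECDsa pub = cert.GetECDsaPublicKey();
            Console.WriteLine(pub.VerifyHash(hash, sig) ? "signature OK" : "signature FAILED");
        }
        finally
        {
            if (owns) NCryptFreeObject(hKey);
        }
    }
}
```

The point of keeping the raw handle is that, as the comment above notes, handing it to `CngKey.Open`/`ECDsaCng` would most likely trigger the same property queries and the same log entries; signing through `NCryptSignHash` sidesteps the managed layer entirely. Whether the KSP stays quiet should be confirmed against the event log after running this, since only the `NCryptOpenKey` path with no flags or `NCRYPT_SILENT_FLAG` is reported clean in the thread.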

0 Answers