1

I want to save an ECC Prvivate key in PKCS8 format but with explicit domain parameters instead of named curve parameters, which is what the code below does. CNG seems to give me the option of KeyFormat to be either PKCS8 (Pkcs8PrivateBlob) with named curve parameters or EccFullPrivateBlob with explicit Domain Parameters. But then it's not in PKCS8 format.

var curve = ECCurve.CreateFromOid(new Oid("1.3.36.3.3.2.8.1.1.7")); //oid for brain
using (var dsa = new ECDsaCng())
{
   dsa.GenerateKey(curve);
   var privateKey = dsa.Key.Export(CngKeyBlobFormat.Pkcs8PrivateBlob);
   //store privateKey as file...
}

Is there any way to have both explicit parameters and the pkcs8 format?

tzippy
  • 6,458
  • 30
  • 82
  • 151
  • The Microsoft "documentation" explains that EccFullPrivateBlob it is a blob with domain parameters... and that's it. It's a Mickeysoft proprietary format in case somebody gets their hope up. If I look it up it seems that "full" means that the public key is included rather than the domain parameters (but even ChatGPT 4.0 is pretty stupid, so I'm not 100% on that). – Maarten Bodewes Aug 11 '23 at 09:32
  • Thanks Maarten for the note. Since I know you're an expert, might I ask you this: The Private Key blob is actually intended for the Signature part of Terminal Authentication. Do you happen to know if it's actually mandatory to use a pkcs8 format with explicit domain parameters for this? – tzippy Aug 11 '23 at 09:48
  • Signatures don't contain domain parameters, and the parameters themselves are the same regardless if they are stored or named. So no. For Terminal Authentication you (only) need the domain parameters for the public key in the root / link certificates. Actually, that wasn't in spec EAC 0.97, I had to add them, slight error by BSI :) – Maarten Bodewes Aug 11 '23 at 12:00
  • 2
    For completeness: `EccFullPrivateBlob` corresponds to [`BCRYPT_ECCFULLKEY_BLOB`](https://github.com/tpn/winsdk-10/blob/9b69fd26ac0c7d0b83d378dba01080e93349c2ed/Include/10.0.16299.0/shared/bcrypt.h#L487]) with `dwMagic` is [0x56444345](https://github.com/tpn/winsdk-10/blob/9b69fd26ac0c7d0b83d378dba01080e93349c2ed/Include/10.0.16299.0/shared/bcrypt.h#L453). Among others, this type indeed encapsulates the curve parameters (p, a, b, Gx, Gy, n, h), the raw public key (x, y) and the raw private key (d). – Topaco Aug 11 '23 at 12:27
  • @Topaco thanks! So is there any way I can get a pkcs8 file *with* the domain parameters from cng? Or will I have to edit the ASN.1 structure myself? – tzippy Aug 13 '23 at 09:47
  • I don't know of any C# implementation (native or BC) that also exports the parameters for a PKCS#8 key (but that doesn't mean there aren't any). If there really is none, the obvious way would be to adapt the ASN.1/DER yourself. Whether you really need the parameters for your purpose with a key in PKCS#8 format, I can't say (intuitively I would rather guess no). – Topaco Aug 13 '23 at 11:49
  • [Here](https://www.jdoodle.com/ia/KPx) you can generate PKCS#8 keys with and without curve parameters. For ASN.1 decoding, use an ASN.1 parser like https://lapo.it/asn1js/ with disabled *with definitions* option. – Topaco Aug 13 '23 at 12:03
  • @Tapaco Thanks for the comments. Unfortunately, I do. Since I'm in the ICAO PKI environment where explicit domain parameters are mandatory. (Which also gives me a headache with the move to OpenSSL 3.0 on a different project) – tzippy Aug 13 '23 at 14:37

0 Answers0