NCryptExportKey function

The NCryptExportKey function exports a CNG key to a memory BLOB.

Syntax


SECURITY_STATUS WINAPI NCryptExportKey(
  _In_       NCRYPT_KEY_HANDLE hKey,
  _In_opt_   NCRYPT_KEY_HANDLE hExportKey,
  _In_       LPCWSTR pszBlobType,
  _In_opt_   NCryptBufferDesc *pParameterList,
  _Out_opt_  PBYTE pbOutput,
  _In_       DWORD cbOutput,
  _Out_      DWORD *pcbResult,
  _In_       DWORD dwFlags
);

Parameters

hKey [in]

A handle of the key to export.

hExportKey [in, optional]

A handle to a cryptographic key of the destination user. The key data within the exported key BLOB is encrypted by using this key. This ensures that only the destination user is able to make use of the key BLOB.

pszBlobType [in]

A null-terminated Unicode string that contains an identifier that specifies the type of BLOB to export. This can be one of the following values.

BCRYPT_DH_PRIVATE_BLOB

Export a Diffie-Hellman public/private key pair. The pbOutput buffer receives a BCRYPT_DH_KEY_BLOB structure immediately followed by the key data.

BCRYPT_DH_PUBLIC_BLOB

Export a Diffie-Hellman public key. The pbOutput buffer receives a BCRYPT_DH_KEY_BLOB structure immediately followed by the key data.

BCRYPT_DSA_PRIVATE_BLOB

Export a DSA public/private key pair. The pbOutput buffer receives a BCRYPT_DSA_KEY_BLOB structure immediately followed by the key data.

BCRYPT_DSA_PUBLIC_BLOB

Export a DSA public key. The pbOutput buffer receives a BCRYPT_DSA_KEY_BLOB structure immediately followed by the key data.

BCRYPT_ECCPRIVATE_BLOB

Export an elliptic curve cryptography (ECC) private key. The pbOutput buffer receives a BCRYPT_ECCKEY_BLOB structure immediately followed by the key data.

BCRYPT_ECCPUBLIC_BLOB

Export an ECC public key. The pbOutput buffer receives a BCRYPT_ECCKEY_BLOB structure immediately followed by the key data.

BCRYPT_PUBLIC_KEY_BLOB

Export a generic public key of any type. The type of key in this BLOB is determined by the Magic member of the BCRYPT_KEY_BLOB structure.

BCRYPT_PRIVATE_KEY_BLOB

Export a generic private key of any type. The private key does not necessarily contain the public key. The type of key in this BLOB is determined by the Magic member of the BCRYPT_KEY_BLOB structure.

BCRYPT_RSAFULLPRIVATE_BLOB

Export a full RSA public/private key pair. The pbOutput buffer receives a BCRYPT_RSAKEY_BLOB structure immediately followed by the key data. This BLOB will include additional key material compared to the BCRYPT_RSAPRIVATE_BLOB type.

BCRYPT_RSAPRIVATE_BLOB

Export an RSA public/private key pair. The pbOutput buffer receives a BCRYPT_RSAKEY_BLOB structure immediately followed by the key data.

BCRYPT_RSAPUBLIC_BLOB

Export an RSA public key. The pbOutput buffer receives a BCRYPT_RSAKEY_BLOB structure immediately followed by the key data.

LEGACY_DH_PRIVATE_BLOB

Export a legacy Diffie-Hellman Version 3 Private Key BLOB that contains a Diffie-Hellman public/private key pair that can be imported by using CryptoAPI.

LEGACY_DH_PUBLIC_BLOB

Export a legacy Diffie-Hellman Version 3 Private Key BLOB that contains a Diffie-Hellman public key that can be imported by using CryptoAPI.

LEGACY_DSA_PRIVATE_BLOB

Export a DSA public/private key pair in a form that can be imported by using CryptoAPI.

LEGACY_DSA_PUBLIC_BLOB

Export a DSA public key in a form that can be imported by using CryptoAPI.

LEGACY_RSAPRIVATE_BLOB

Export an RSA public/private key pair in a form that can be imported by using CryptoAPI.

LEGACY_RSAPUBLIC_BLOB

Export an RSA public key in a form that can be imported by using CryptoAPI.

NCRYPT_CIPHER_KEY_BLOB

Export a cipher key in a NCRYPT_KEY_BLOB_HEADER structure.

Windows 8 and Windows Server 2012:  Support for this value begins.

NCRYPT_OPAQUETRANSPORT_BLOB

Export a key in a format that is specific to a single CSP and is suitable for transport. Opaque BLOBs are not transferable and must be imported by using the same CSP that generated the BLOB.

NCRYPT_PKCS7_ENVELOPE_BLOB

Export a PKCS #7 envelope BLOB. The parameters identified by the pParameterList parameter either can or must contain the following parameters, as indicated by the Required or optional column.

ParameterRequired or optional

NCRYPTBUFFER_CERT_BLOB

Required

NCRYPTBUFFER_PKCS_ALG_OID

Required

NCRYPTBUFFER_PKCS_ALG_PARAM

Optional

 

NCRYPT_PKCS8_PRIVATE_KEY_BLOB

Export a PKCS #8 private key BLOB. The parameters identified by the pParameterList parameter either can or must contain the following parameters, as indicated by the Required or optional column.

ParameterRequired or optional

NCRYPTBUFFER_PKCS_ALG_OID

Optional

NCRYPTBUFFER_PKCS_ALG_PARAM

Optional

NCRYPTBUFFER_PKCS_SECRET

Optional

 

NCRYPT_PROTECTED_KEY_BLOB

Export a protected key in a NCRYPT_KEY_BLOB_HEADER structure.

Windows 8 and Windows Server 2012:  Support for this value begins.

pParameterList [in, optional]

The address of an NCryptBufferDesc structure that receives parameter information for the key. This parameter can be NULL if this information is not needed.

pbOutput [out, optional]

The address of a buffer that receives the key BLOB. The cbOutput parameter contains the size of this buffer. If this parameter is NULL, this function will place the required size, in bytes, in the DWORD pointed to by the pcbResult parameter.

cbOutput [in]

The size, in bytes, of the pbOutput buffer.

pcbResult [out]

The address of a DWORD variable that receives the number of bytes copied to the pbOutput buffer. If the pbOutput parameter is NULL, this function will place the required size, in bytes, in the DWORD pointed to by this parameter.

dwFlags [in]

Flags that modify function behavior. This can be zero or a combination of one or more of the following values. The set of valid flags is specific to each key storage provider. The following flag applies to all providers.

ValueMeaning
NCRYPT_SILENT_FLAG

Requests that the key service provider (KSP) not display any user interface. If the provider must display the UI to operate, the call fails and the KSP should set the NTE_SILENT_CONTEXT error code as the last error.

 

Return value

Returns a status code that indicates the success or failure of the function.

Possible return codes include, but are not limited to, the following.

Return codeDescription
ERROR_SUCCESS

The function was successful.

NTE_BAD_FLAGS

The dwFlags parameter contains a value that is not valid.

NTE_BAD_KEY_STATE

The key specified by the hKey parameter is not valid. The most common cause of this error is that the key was not completed by using the NCryptFinalizeKey function.

NTE_BAD_TYPE

The key specified by the hKey parameter cannot be exported into the BLOB type specified by the pszBlobType parameter.

NTE_INVALID_HANDLE

The hKey or the hExportKey parameter is not valid.

NTE_INVALID_PARAMETER

One or more parameters are not valid.

 

Remarks

A service must not call this function from its StartService Function. If a service calls this function from its StartService function, a deadlock can occur, and the service may stop responding.

Requirements

Minimum supported client

Windows Vista [desktop apps only]

Minimum supported server

Windows Server 2008 [desktop apps only]

Header

Ncrypt.h

Library

Ncrypt.lib

DLL

Ncrypt.dll

See also

NCryptBuffer

 

 

Community Additions

ADD
Show:
© 2014 Microsoft