How can I import an RSA public key from either XML or modulus/exponent in native code for use with Windows CAPI's CryptVerifySignature?

In C#, I am able to validate a hash against a public key in either of the following ways:

// Import from raw modulus and exponent
using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider()) {
    RSAParameters rsaKeyInfo = new RSAParameters {Modulus = modulus, Exponent = exponent};
    return rsa.VerifyHash(hash, CryptoConfig.MapNameToOID("SHA512"), signature);

// Import from XML
using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider()) {
    return rsa.VerifyHash(hash, CryptoConfig.MapNameToOID("SHA512"), signature);

What I need to know is how I can use CAPI to accomplish the same thing, given an inbound RSA public key?

I have most of the CAPI functions necessary to validate a hash, except for understanding how to import a public key into the cryptographic provider's context:


CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, 0);
CryptCreateHash(hCryptProv, CALG_SHA512, 0, 0, &hHash);
CryptHashData(hHash, pDataToHash, lenDataToHash, 0);
CryptVerifySignature(hHash, pSignature, sigLength, NULL, CRYPT_NOHASHOID);
CryptReleaseContext(hCryptProv, 0);



  • Use CryptImportKey with a PUBLICKEYBLOB:

    HCRYPTKEY hPublicKey;
    DWORD keyBlobLength = sizeof(BLOBHEADER)+sizeof(RSAPUBKEY)+modulusLengthInBytes;
    BYTE* keyBlob = malloc(keyBlobLength);
    BLOBHEADER* blobheader = (BLOBHEADER*) keyBlob;
    blobheader.bType    = PUBLICKEYBLOB;
    blobheader.bVersion = CUR_BLOB_VERSION;
    blobheader.reserved = 0;
    blobheader.aiKeyAlg = CALG_RSA_KEYX;
    RSAPUBKEY* rsapubkey = (RSAPUBKEY*) (keyBlob + sizeof(BLOBHEADER));
    rsapubkey.magic     = 0x31415352;
    rsapubkey.bitlen    = modulusLengthInBytes*8;
    rsapubkey.pubexp    = 65537;         // Or whatever your public exponent is.
    BYTE* modulus = keyBlob + sizeof(BLOBHEADER) + sizeof(RSAPUBKEY);
    memcpy(modulus, ..., modulusLengthInBytes); // NOTE: modulus must be in LSB form,
                                         //       which is the opposite of what you
                                         //        usually have. 
                                         //       .NET will give you the modulus in
                                         //       MSB form, so you will have to
                                         //       reverse the order of the bytes.
    CryptImportKey(hCryptProv, keyBlob, keyBlobLength, 0, 0, &hPublicKey);