
Importing PKCS#8 encrypted key to RSACng?


If I have an encrypted RSA key in PKCS#8, can I somehow import it into RSACng as CngKeyBlobFormat.Pkcs8PrivateBlob? Or does CngKeyBlobFormat.Pkcs8PrivateBlob just tell the CngKey that during import the key must be decoded from DER to get the key parameters, which are then imported into RSACng, so the answer is no?


Solution

  • CNG understands how to decrypt encrypted PKCS#8, but you need to give it a password. Since .NET doesn't ask you for the password (and it gets passed in a manner other than the properties) there isn't a good way to do it.

    Your options are pretty much:

    • P/Invoke so you can specify the NCRYPTBUFFER_PKCS_SECRET value.
    • Change your process so that you have an unencrypted PKCS#8.
    • Change your process so that you have a PFX/PKCS#12 instead of an encrypted PKCS#8 (and then change to reading it via X509Certificate2).
    • Wait for a future version of .NET Core, which will have the ability to load a PKCS#8, encrypted PKCS#8, and some other formats, directly into the RSA/DSA/ECDsa/ECDiffieHellman objects (feature is currently in the master branch).
    • Find a library which can decrypt it for you. Bouncy Castle can probably do it.

    See also: Digital signature in c# without using BouncyCastle
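As an added example, not part of the question or the answer above: the import path the answer anticipates for a "future version of .NET Core", using the `RSA.ImportEncryptedPkcs8PrivateKey` API that shipped in .NET Core 3.0, next to the `CngKey.Import` call the question asked about. It assumes .NET 5 or later (for `OperatingSystem.IsWindows()`); the key and password are constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the question or answer. .NET Core 3.0+ gives RSA an
// ImportEncryptedPkcs8PrivateKey method that performs the PBES2 decryption
// itself, which is the "future version" feature the answer refers to.
static class EncryptedPkcs8Demo
{
    const string Password = "constructed-demo-password";   // assumed value

    // Build an encrypted PKCS#8 blob (PBES2: AES-256-CBC, PBKDF2-HMAC-SHA256,
    // 100,000 iterations) and the matching SubjectPublicKeyInfo for later checks.
    static byte[] MakeEncryptedPkcs8(out byte[] spki)
    {
        using var rsa = RSA.Create(2048);
        spki = rsa.ExportSubjectPublicKeyInfo();
        var pbe = new PbeParameters(PbeEncryptionAlgorithm.Aes256Cbc,
                                    HashAlgorithmName.SHA256, 100_000);
        return rsa.ExportEncryptedPkcs8PrivateKey(Password, pbe);
    }
    // Portable import: RSA.Create() is RSACng on Windows, OpenSSL-backed elsewhere.
    static RSA LoadWithPassword(byte[] encryptedPkcs8, string password)
    {
        var rsa = RSA.Create();
        rsa.ImportEncryptedPkcs8PrivateKey(password, encryptedPkcs8, out int consumed);
        if (consumed != encryptedPkcs8.Length)   // reject trailing bytes after the DER
            throw new CryptographicException("Trailing data after PKCS#8 structure.");
        return rsa;
    }

    static void Main()
    {
        byte[] encrypted = MakeEncryptedPkcs8(out byte[] spki);
        // What the question tried: CngKey.Import has no way to receive the
        // password, so on Windows the encrypted blob is expected to be rejected.
        if (OperatingSystem.IsWindows())
        {
            try { CngKey.Import(encrypted, CngKeyBlobFormat.Pkcs8PrivateBlob).Dispose(); }
            catch (CryptographicException e) { Console.WriteLine($"CngKey.Import: {e.Message}"); }
        }

        using RSA rsa = LoadWithPassword(encrypted, Password);
        byte[] data = Encoding.UTF8.GetBytes("constructed sample message");
        byte[] sig = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using RSA pub = RSA.Create();
        pub.ImportSubjectPublicKeyInfo(spki, out _);
        Console.WriteLine("Signature verifies: " +
            pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
    }
}
```

The round-trip signature check confirms the decrypted private key matches the exported public key, so a wrong password or a corrupted blob surfaces as a thrown CryptographicException rather than a silently different key.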