Functionality has been added to both providers so that a user can specify the value and length of the salt value to be used. With the Base Provider, the user can set a salt value by using the KP_SALT parameter value, but it is always assumed that 11 bytes are being set. To set a salt value with the Enhanced Provider, a user can call the CryptSetKeyParam function with the KP_SALT_EX parameter value specified and with the pbData parameter pointing to a CRYPTOAPI_BLOB structure containing the salt:
    typedef struct _CRYPTOAPI_BLOB {
        DWORD cbData;
        BYTE* pbData;
    } CRYPT_DATA_BLOB, *PCRYPT_DATA_BLOB;
Note: When using the Enhanced Provider, the total length of a symmetric key and its salt value cannot be greater than 128 bits.
KP_SALT continues to be provided for backward compatibility with the Base Provider. Newer applications should use the KP_SALT_EX parameter value.
The example below shows the importation of a key and setting of a salt value.
    // Example showing key importation with a salt value.
    // [...] Assume an acquired context.

    // Specify 4 bytes of salt.
    BYTE rgbSalt[] = {0x01, 0x02, 0x03, 0x04};
    CRYPT_DATA_BLOB sSaltData;
    sSaltData.pbData = rgbSalt;
    sSaltData.cbData = sizeof(rgbSalt);

    // Import a key.
    if (!CryptImportKey(
            hDefProv,
            pbKey,
            cbKey,
            NULL,
            0,
            &hKey))
        goto Ret;

    // Set the 4 bytes of salt required.
    if (!CryptSetKeyParam(
            hKey,
            KP_SALT_EX,
            (BYTE*)&sSaltData,
            0))
        goto Ret;

    // [...] Use key.
    // [...] Assume a destroyed key.
    // [...] Assume a released context.
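A length check an application could run before calling CryptSetKeyParam, enforcing the two rules stated above (11 bytes assumed for KP_SALT on the Base Provider; key plus salt at most 128 bits on the Enhanced Provider). This is an added example, not code from the original documentation: the type stand-ins, the enum names and `check_salt` are hypothetical, and the 40-bit key length is a constructed sample value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins mirroring the CRYPT_DATA_BLOB layout so this builds without
   wincrypt.h; on Windows use the real DWORD, BYTE and CRYPT_DATA_BLOB. */
typedef uint32_t DWORD;
typedef uint8_t  BYTE;
typedef struct { DWORD cbData; BYTE *pbData; } SALT_BLOB;

/* Hypothetical names for this example; none are part of CryptoAPI. */
typedef enum { PROV_KIND_BASE, PROV_KIND_ENHANCED } prov_kind;
typedef enum {
    SALT_USE_KP_SALT,     /* pass the raw buffer with KP_SALT */
    SALT_USE_KP_SALT_EX,  /* pass &blob with KP_SALT_EX */
    SALT_ERR_ARG,         /* NULL or empty input */
    SALT_ERR_BASE_LEN,    /* Base Provider buffer is not 11 bytes */
    SALT_ERR_TOO_LONG     /* Enhanced: key + salt exceeds 128 bits */
} salt_check;

salt_check check_salt(prov_kind prov, DWORD key_bits, BYTE *salt,
                      size_t salt_len, SALT_BLOB *blob)
{
    if (salt == NULL || salt_len == 0)
        return SALT_ERR_ARG;
    if (prov == PROV_KIND_BASE)  /* KP_SALT has no length field: 11 bytes assumed */
        return salt_len == 11 ? SALT_USE_KP_SALT : SALT_ERR_BASE_LEN;
    if (blob == NULL)
        return SALT_ERR_ARG;
    /* Enhanced Provider: key bits + salt bits must not exceed 128. */
    if (key_bits > 128 || salt_len > (128u - key_bits) / 8u)
        return SALT_ERR_TOO_LONG;
    blob->pbData = salt;
    blob->cbData = (DWORD)salt_len;
    return SALT_USE_KP_SALT_EX;
}

int main(void)
{
    BYTE rgbSalt[] = {0x01, 0x02, 0x03, 0x04};  /* same 4 bytes as above */
    SALT_BLOB blob;
    /* 40-bit key length is a constructed sample value. */
    salt_check r = check_salt(PROV_KIND_ENHANCED, 40, rgbSalt, sizeof rgbSalt, &blob);
    printf("enhanced, 4-byte salt: %d (cbData=%u)\n", (int)r, (unsigned)blob.cbData);
    r = check_salt(PROV_KIND_BASE, 40, rgbSalt, sizeof rgbSalt, &blob);
    printf("base, 4-byte salt: %d\n", (int)r);
    return 0;
}
```

The second call is rejected because a 4-byte buffer passed with KP_SALT does not match the 11 bytes the Base Provider assumes.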