The CryptExportKey function is used to export cryptographic keys out of a cryptographic service provider in a secure manner.
A handle to the key to be exported is passed into the function and the function returns a key blob to the caller. This key blob can be sent over a nonsecure transport or stored in a nonsecure storage location. The key blob is useless until the intended recipient uses the CryptImportKey function on it, which will then import the key into the recipient's CSP.
#include <wincrypt.h>
BOOL WINAPI CryptExportKey(
HCRYPTKEY hKey, // in
HCRYPTKEY hExpKey, // in
DWORD dwBlobType, // in
DWORD dwFlags, // in
BYTE *pbData, // out
DWORD *pcbDataLen // in/out
);
Most often, this will be the key exchange public key of the destination user. However, certain protocols in some CSPs require that a session key belonging to the destination user be used for this purpose. (Neither the Microsoft Base Cryptographic Provider or the Microsoft Enhanced Cryptographic Provider currently support this.)
If the key blob type specified by dwBlobType is PUBLICKEYBLOB, then this parameter is unused and should be set to zero.
If the key blob type specified by dwBlobType is PRIVATEKEYBLOB, then this is typically a handle to a session key that is to be used to encrypt the key blob. Some CSPs allow this parameter to be zero, in which case the application should encrypt the private key blob manually so as to protect it.
To determine how Microsoft Cryptographic Providers respond to this parameter, see The Private-Key Blob sections of Microsoft Cryptographic Service Providers.
This parameter can be NULL to set the size of this information for memory allocation purposes. For more information, see Common In/Out Parameter Conventions.
Note When processing the data returned in the buffer, applications need to use the actual size of the data returned. The actual size may be slightly smaller than the size of the buffer specified on input. (On input, buffer sizes are usually specified large enough to insure that the largest possible output data will fit in the buffer.) On output, the variable pointed to by this parameter is updated to reflect the actual size of the data copied to the buffer.
If the function succeeds, the return value is TRUE. If it fails, the return value is FALSE. To retrieve extended error information, use the GetLastError function.
The following table lists the error codes most commonly returned by the GetLastError function. The error codes prefaced by "NTE" are generated by the particular CSP you are using.
Error code | Description |
---|---|
ERROR_INVALID_HANDLE | One of the parameters specifies an invalid handle. |
ERROR_INVALID_PARAMETER | One of the parameters contains an invalid value. This is most often an illegal pointer. |
ERROR_MORE_DATA | If the buffer specified by the pbData parameter is not large enough to hold the returned data, the function sets the ERROR_MORE_DATA code, and stores the required buffer size, in bytes, into the variable pointed to by pcbDataLen. |
NTE_BAD_FLAGS | The dwFlags parameter is nonzero. |
NTE_BAD_KEY | One or both of the keys specified by hKey and hExpKey are invalid. |
NTE_BAD_KEY_STATE | You do not have permission to export the key. That is, when the hKey key was created, the CRYPT_EXPORTABLE flag was not specified. |
NTE_BAD_PUBLIC_KEY | The key blob type specified by dwBlobType is PUBLICKEYBLOB, but hExpKey does not contain a public key handle. |
NTE_BAD_TYPE | The dwBlobType parameter specifies an unknown blob type. |
NTE_BAD_UID | The CSP context that was specified when the hKey key was created cannot be found. |
NTE_NO_KEY | A session key is being exported and the hExpKey parameter does not specify a public key. |
#include <wincrypt.h>
HCRYPTPROV hProv; // Handle to CSP
HCRYPTKEY hKey; // Handle to session key
HCRYPTKEY hXchgKey; // Handle to receiver's exchange public key
BYTE *pbKeyBlob = NULL;
DWORD dwBlobLen;
...
// Determine the size of the key blob and allocate memory.
if(!CryptExportKey(hKey, hXchgKey, SIMPLEBLOB, 0, NULL, &dwBlobLen)) {
printf("Error %x computing blob length!\n", GetLastError());
...
}
if((pbKeyBlob = malloc(dwBlobLen)) == NULL) {
printf("Out of memory!\n");
...
}
// Export the key into a simple key blob.
if(!CryptExportKey(hKey, hXchgKey, SIMPLEBLOB, 0, pbKeyBlob, &dwBlobLen)) {
printf("Error %x during CryptExportKey!\n", GetLastError());
...
}
Another example is located in Sender Code Example.
Windows NT: Requires version 4.0 or later.
Windows: Requires Windows 95 OSR2 or later (or Windows 95 with IE 3.02 or later).
Windows CE: Unsupported.
Header: Declared in wincrypt.h.
Import Library: Use advapi32.lib.