I've been looking through the MSDN trying to understand the CryptoAPI. Below are some questions and guesses as to how things might work. Any answers or confirmations or refutations of my surmises much appreciated.

According to the note I found at http://msdn.microsoft.com/en-us/library/ms867086.aspx, the CSP keeps public private key pairs between sessions.

* Does that mean they are kept indefinitely? If so, whatever signature or exchange key pairs are extant when the CSP is closed remain. 
* Of what value are these containers and any key pairs they contain?  I guess they could be used to sign things without obtaining a handle to a key pair. 
* Is there any way to get a handle to one of the key pairs?

It looks to me as if a key container can contain:

* 1 signature key pair
* 1 key exchange key pair
* any number of PUBLIC keys of either signature or key_exchange type
* any number of session keys

Is this correct? Are the non paired keys destroyed when the container is closed?

What is the usual method of creating/naming key containers? How does one keep from stomping on some other application's container? I need a container with public/private keys, so the temporary container mentioned in the remarks section of CryptAcquireContext isn't applicable. Maybe create a name consisting of some fixed portion plus a sequence number. Could delete the container when done.

CryptSignHash specifies that either the signature or key exchange private key is to be used to sign the hash. I guess this means cryptsignkey will find the private key created by CryptGenKey with the appropriate ALG_ID parameter (values CALG_RSA_KEYX or CALG_RSA_SIGN).

If I export a key, does the key blob contain information telling what kind of key it is?

If I export a PUBLICKEYBLOB and transport it to some other environment, do I have to import that blob in the new environment before I can use it to verify a signature? CryptVerifySignature needs a handle to the key, so it looks like it must be imported first. Does importing a PUBLICKEYBLOB replace the public key of any extant public/private key pair? I assume NOT.

+1  A: 

That was a lot of questions. Let me try to answer them:

the CSP keeps public private key pairs between sessions. Does that mean they are kept indefinitely?

Yes, until they are explicitly deleted by calling CryptAcquireContext with the CRYPT_DELETEKEYSET flag.

Of what value are these containers and any key pairs they contain?

They are persistent keys that you can reuse. If you get a certificate on a private key, you want to keep the private key around - and you do not want to export the private key if you can avoid it: the CSP can potentially protect the key much better than you can.

Is there any way to get a handle to one of the key pairs?

CryptAcquireContext followed by CryptGetUserKey.

It looks to me as if a key container can contain: 1 signature key pair, 1 key exchange key pair, any number of PUBLIC keys of either signature or key_exchange type, any number of session keys. Is this correct?

Yes and no. The imported public keys and the session keys are not logically in any particular key container.

Are the non paired keys destroyed when the container is closed?

Yes.

What is the usual method of creating/naming key containers? How does one keep from stomping on some other applications container?

Most applications use a GUID.

this means cryptsignkey will find the private key created by CryptGenKey with the appropriate ALG_ID parameter (values CALG_RSA_KEYX or CALG_RSA_SIGN).

Yes.

If I export a key, does the key blob contain information telling what kind of key it is?

That depends on the selected blob type, but most key blobs start with a BLOBHEADER that contains the key type.

If I export a PUBLICKEYBLOB and transport it to some other environment, do I have to import that blob in the new environment before I can use it to verify a signature?

Yes.

Does importing a PUBLICKEYBLOB replace the public key of any extant public/private key pair?

No.

Rasmus Faber
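The whole flow the answer describes (GUID-named container, persisted AT_SIGNATURE pair, reopening it later, exporting only the PUBLICKEYBLOB, importing it elsewhere to verify, and finally deleting the container) can be walked through from PowerShell using .NET's RSACryptoServiceProvider, which is a thin wrapper over the same CSP key containers and CryptAcquireContext flags. This is an added example, not code from the question or the answer; it assumes Windows (the class is CryptoAPI-backed only there), PowerShell 5.1 or later, and a provider of type 24 (PROV_RSA_AES) so that SHA-256 signing is available. The container name prefix `MyApp-` and the message bytes are constructed for the example.

```powershell
# Added example (not from the original post): drive a CryptoAPI key container through
# .NET's RSACryptoServiceProvider. Each step names the raw CryptoAPI call it corresponds to.
$ErrorActionPreference = 'Stop'

# 1. Name the container with a GUID so it cannot collide with another application's container.
$containerName = 'MyApp-' + [guid]::NewGuid().ToString()   # constructed prefix

# CspParameters maps onto CryptAcquireContext: KeyNumber 2 = AT_SIGNATURE, 1 = AT_KEYEXCHANGE.
$create = [System.Security.Cryptography.CspParameters]::new()
$create.ProviderType     = 24   # PROV_RSA_AES: required for SHA-256, PROV_RSA_FULL only does MD5/SHA-1
$create.KeyContainerName = $containerName
$create.KeyNumber        = 2
$create.Flags            = [System.Security.Cryptography.CspProviderFlags]::NoPrompt

# A name that does not exist yet is CryptAcquireContext(CRYPT_NEWKEYSET) + CryptGenKey(AT_SIGNATURE).
# PersistKeyInCsp defaults to $true here, so the pair stays in the container after Dispose().
$rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048, $create)
"created container {0}, key number {1}" -f $rsa.CspKeyContainerInfo.KeyContainerName,
                                            $rsa.CspKeyContainerInfo.KeyNumber

$data      = [Text.Encoding]::UTF8.GetBytes('constructed sample message')   # constructed input
$signature = $rsa.SignData($data, 'SHA256')            # CryptCreateHash + CryptSignHash(AT_SIGNATURE)

# 2. Export only the public half: CryptExportKey(hKey, 0, PUBLICKEYBLOB, ...).
#    The first byte is BLOBHEADER.bType; 0x06 = PUBLICKEYBLOB, 0x07 = PRIVATEKEYBLOB,
#    which is how the receiving side can tell what kind of key it was handed.
$publicBlob = $rsa.ExportCspBlob($false)
"blob type byte: 0x{0:X2}, {1} bytes" -f $publicBlob[0], $publicBlob.Length
$rsa.Dispose()

# 3. Later (or in another process): reopen the persisted pair.
#    UseExistingKey = CryptAcquireContext(0 flags) + CryptGetUserKey(AT_SIGNATURE);
#    it throws CryptographicException instead of silently creating a fresh container.
$open = [System.Security.Cryptography.CspParameters]::new()
$open.ProviderType     = 24
$open.KeyContainerName = $containerName
$open.KeyNumber        = 2
$open.Flags            = [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
$again = [System.Security.Cryptography.RSACryptoServiceProvider]::new($open)
"reopened: {0}" -f $again.CspKeyContainerInfo.KeyContainerName

# 4. The "other environment" side: import the PUBLICKEYBLOB (CryptImportKey) into a throwaway
#    provider and verify with CryptVerifySignature. This does not touch the pair in $containerName.
$verifier = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
$verifier.PersistKeyInCsp = $false
$verifier.ImportCspBlob($publicBlob)
$ok       = $verifier.VerifyData($data, 'SHA256', $signature)
$tampered = $verifier.VerifyData([byte[]]($data + 0), 'SHA256', $signature)
"verify ok: $ok; verify tampered data: $tampered"      # expect True then False

# 5. Delete the container when done: CryptAcquireContext(CRYPT_DELETEKEYSET).
#    Setting PersistKeyInCsp to $false before Clear() is what triggers the deletion.
$again.PersistKeyInCsp = $false
$again.Clear()
$verifier.Clear()
```

Two things worth noticing when running it: the pair survives the first `Dispose()` only because `PersistKeyInCsp` is true for a provider constructed from `CspParameters`, and step 3 fails loudly if the container is missing, which is the behaviour you want when a different application might have deleted it. Run step 1 under the same user (or with `UseMachineKeyStore` on both sides) as step 3, since user key containers live in the profile of the account that created them.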