Can I get the public/private key pair from a key container inside a smartcard using PKCS #11 or CryptoAPI?

poupou
tandaica0612

2 Answers

I'm no expert in this, but I think the whole point of a smartcard is that you can't extract the private key. You send the data to the card instead, and let it do the crypto operations on its own processor.

Wyzard
  • Downvoted because in CryptoAPI you can export the key using the CryptExportKey function if the key was marked as exportable. – KyleM Nov 18 '13 at 20:20
  • Upvoted because, even though it is "possible" to export the key if marked as exportable, the purpose of the card is to do the crypto math internally and allow the public key to be exported, while the private key always remains non-exportable (at least 90% of them, as this is the whole point of the card). – LeoPucciBr Mar 05 '17 at 16:34
It depends. Both CryptoAPI (well, the CSP for the smart card) and PKCS#11 allow you to have exportable key pairs. However, it's common to use non-exportable private keys to use the smart card's strength to its full potential.

So if you're writing an application it becomes your choice. Otherwise someone else already made that choice for you ;-)

poupou
  • *public* keys are readable. You can also look for certificates for public keys. – Martin Paljak Oct 21 '11 at 10:39
  • pretty sure you can have non-exportable public keys and certificates in pkcs#11 (even if I can't guess what they could be used for ;-) but that's beside the point, since the question is about **keypairs**, making the private key the *deciding* factor – poupou Oct 25 '11 at 19:22
  • CKA_EXTRACTABLE in PKCS#11 2.20 applies to private and secret keys only, as described in the spec (as PKCS#11 is quite loose, one can of course abuse the spec...). One can have private certificates and public keys (which require a login before being readable), but the actual key/certificate value would still be readable after that. But true, in the context of full keypairs it does not matter. – Martin Paljak Oct 26 '11 at 09:22
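As an added example (not code from the question or either answer), the PKCS#11 attributes discussed in these comments can be turned into a quick audit of which key objects on a token could have their material read out. CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, CKA_NEVER_EXTRACTABLE, C_GetAttributeValue and C_WrapKey are the standard PKCS#11 v2.20 names; the object labels and attribute values are constructed sample data, not read from a real card.

```python
# Added example: classify PKCS#11 key objects by whether their key material can
# leave the token. Attribute dicts are constructed sample data; in a real session
# they would be read with C_GetAttributeValue. Constants are from pkcs11t.h (v2.20).
CKA_CLASS = 0x000
CKA_SENSITIVE = 0x103
CKA_EXTRACTABLE = 0x162
CKA_NEVER_EXTRACTABLE = 0x164
CKA_ALWAYS_SENSITIVE = 0x165
CKO_PUBLIC_KEY = 0x2
CKO_PRIVATE_KEY = 0x3


def exposure(attrs):
    """Set of ways the key material can be read out (missing attrs = exposed).
    'plaintext-readable'   value attributes can be read with C_GetAttributeValue
    'wrappable'            key can be exported (encrypted) with C_WrapKey
    'may-have-left-token'  token cannot attest the key was never exportable
    """
    cls = attrs[CKA_CLASS]
    if cls == CKO_PUBLIC_KEY:
        # Public keys are always readable; CKA_SENSITIVE/CKA_EXTRACTABLE do not apply.
        return {"plaintext-readable"}
    if cls != CKO_PRIVATE_KEY:
        raise ValueError("only public/private key objects are audited here")
    ways = set()
    if not attrs.get(CKA_SENSITIVE, False):
        ways.add("plaintext-readable")
    if attrs.get(CKA_EXTRACTABLE, True):
        ways.add("wrappable")
    if not (attrs.get(CKA_ALWAYS_SENSITIVE, False)
            and attrs.get(CKA_NEVER_EXTRACTABLE, False)):
        ways.add("may-have-left-token")
    return ways


def audit(objects):
    """Labels of private keys that are not confined to the token, in order."""
    return [label for label, attrs in objects.items()
            if attrs[CKA_CLASS] == CKO_PRIVATE_KEY and exposure(attrs)]


# Constructed sample token contents (labels are made up).
SAMPLE_TOKEN = {
    "auth-key": {CKA_CLASS: CKO_PRIVATE_KEY, CKA_SENSITIVE: True,
                 CKA_EXTRACTABLE: False, CKA_ALWAYS_SENSITIVE: True,
                 CKA_NEVER_EXTRACTABLE: True},        # generated on the card
    "auth-key-pub": {CKA_CLASS: CKO_PUBLIC_KEY},
    "backup-key": {CKA_CLASS: CKO_PRIVATE_KEY, CKA_SENSITIVE: True,
                   CKA_EXTRACTABLE: True, CKA_ALWAYS_SENSITIVE: False,
                   CKA_NEVER_EXTRACTABLE: False},     # imported, exportable
}
```

A key generated on the card with both CKA_SENSITIVE and CKA_EXTRACTABLE set correctly yields an empty set, which is the posture the answers above describe as the point of using a smart card.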