Failed to import RSA private key: "Bad Version of provider"

Asked 30/5, 2019 at 7:26 Answered 26/4 at 19:27

I have a random private key ("C:\tmp\private.key"):

I tried to use the RSACryptoServiceProvider.ImportCspBlob to import it but it failed with the error:

System.Security.Cryptography.CryptographicException: Bad Version of provider.

Full stack trace:

Failed: System.Security.Cryptography.CryptographicException: Bad Version of provider.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.Utils._ImportCspBlob(Byte[] keyBlob, SafeProvHandle hProv, CspProviderFlags flags, SafeKeyHandle& hKey)
   at System.Security.Cryptography.Utils.ImportCspBlobHelper(CspAlgorithmType keyType, Byte[] keyBlob, Boolean publicOnly, CspParameters& parameters, Boolean randomKeyContainer, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.ImportCspBlob(Byte[] keyBlob)
   at ConsoleApplication3.Program.DecodeRSA(Byte[] data, Int32 c_data) in C:\Users\myuser\Documents\Visual Studio 2015\Projects\myproj\ConsoleApplication3\Program.cs:line 28
   at ConsoleApplication3.Program.Main(String[] args) in C:\Users\myuser\Documents\Visual Studio 2015\Projects\myproj\ConsoleApplication3\Program.cs:line 14
Press any key to continue . . .

Any idea what I am doing wrong?

This is my code:

using System;
using System.Security.Cryptography;

namespace ConsoleApplication3
{
    class Program
    {
        static public byte[] privateKey;
        static void Main(string[] args)
        {
            try
            {
                privateKey = System.IO.File.ReadAllBytes(@"C:\tmp\private.key");
                DecodeRSA(privateKey);
            }
            catch(Exception e)
            {
                Console.WriteLine("Failed: {0}", e);
            }
        }

        static public void DecodeRSA(byte[] data)
        {
            using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
            {
                rsa.ImportCspBlob(Program.privateKey);
            }
        }

    }
}

Latinist answered 30/5, 2019 at 7:26 Comment(6)

I'm not quite sure what you are expecting. You appear to be trying to decrypt the first byte of your private key using your private key. – Anissaanita 30/5, 2019 at 8:11

It stops before on the line rsa.ImportCspBlob(Program.privateKey);. I removed the rest of the code. You I want to understand why the above line fail. – Latinist 30/5, 2019 at 8:55

@Latinist can you edit and add complete stack trace? It helps us give a solution. – Effusive 30/5, 2019 at 10:33

It fails because you are just reading the textual content of the private key file as a byte array but this is not compatible with the format that ImportCspBlob. – Anissaanita 30/5, 2019 at 10:44

Snuil Dhappadhule, I added stack trace. @spodger, any idea what is the format of the private key should be? – Latinist 30/5, 2019 at 10:46

As you might expect, ImportCSPBlob() imports a key that is in "CSP blob" format, which is naturally an undocumented proprietary Microsoft format. You key is not even close to the right format. – Daveen 30/5, 2019 at 14:25

-1

Thanks to the @Topaco answer, I understood that I need to find the CSP blob and like he mentioned, it is undocumented.

So I just used byte[] a = rsa.ExportCspBlob(true); to get it.
I converted the bytes to base64 and this is a correct key format in base64 that worked for me:

BwIAAACkAABSU0EyAAQAAAEAAQD99dvdVctFcYP6fGCvz/8QcoJqjpfKMPxCIsVRAZSCaKTB6Dl0DbEQBcaLNe8Cm31lzMYyf/2vh6gM+GUHmKcBYo2Z7JvauTGXFXEyv02ai8RINlvAGAicZwWoyGJb5h4sM881Q5+BuDTcoyefk+b7x7KBQjMD/wNuPCWijZ0lsP+Gt1tPryE757QDDl95jQk04ZS+70vGOAO836f+RCyeA6c0ZEA1eYzsM/PVsv+nLwh7pTj7KLFSha5CM304SdcDnyOnt1ARyv1BQsRhyN3IAOH/Se00OfWhcc0sZCjg+xvDebKuoODHDhUfHJPchOmyvhSxjyNACJuxg1uGh3XRmaPoceXXFCuNhFGheK5cQrfUGHpWeJKrpWM/+f3XcrYob0jQCloBIicXfvhhPnkPojiOquxmjy0rA8/JRjHov3+znJY+pQgFC5cUmvGWxhWygm+qDwYco6yCSRkkaIp/K39uJXQ2pQf9XapqjtAJipRo5xX0o/itiDyF1qPT7TumZROMUhU3znXGnxPelZ2bA7SgPiu6BBKADfqG1XJE1K50ydaEfyXYceYHIs7UAMLw9aTptqHbPPGp1hDL2xpWBR6hvqkPqouiVJ7VgPHkjxwT/hgXBvJbHOm/ghq/xA/1oTtXLJHXCASVdylt+nwauOp5qR0Dfdbz7IQGjChYzBHuqDuKorpmfHhZl+bDTHpJ1PjWrojoBfAt2v5zlBnw/ipjkD9MXKrNlPqbgeYXUAeAzfFKQhF2kr3zlmExIS8=

It is important to mentioned that I just need that this function will pass successfully because I am working on a blackbox application and I can't change the code, I need to provide it with the right input.

Latinist answered 3/6, 2019 at 7:47 Comment(2)

the question is about import and you have explained on export! – Personable 7/1, 2022 at 6:32

Explain how you imported that value that you exported here, I already had my key in this format, but the importCspBlob still gives a bad provider error. – Chellean 17/2, 2022 at 12:56

Your private key has a PKCS1-PEM-Format. Private key BLOBs have another format. As already mentioned in the comments, the formats are very different and cannot be easily converted (see e.g. here). Of course you can use a PKCS1-PEM-key, but it is not that easy. Here are some options:

Possibility 1:

If you use .NET Core 3.0 there is a direct support for reading a PKCS1-key (see also here):

byte[] privateKeyPkcs1PEM = File.ReadAllBytes(@"C:\tmp\private.key"); // PKCS1 - PEM
byte[] privateKeyPkcs1DER = ConvertPKCS1PemToDer(Encoding.UTF8.GetString(privateKeyPkcs1PEM));
RSA rsa = RSA.Create();
rsa.ImportRSAPrivateKey(privateKeyPkcs1DER, out _);

// use e.g. rsa.Decrypt(...)

However, the ImportRSAPrivateKey-method can only process the DER-format which is essentially the binary format of the PEM-format (for more details see here or here). Thus, you have to convert the PEM-format into the DER-format with something like

private static byte[] ConvertPKCS1PemToDer(string pemContents)
{
    return Convert.FromBase64String(pemContents
        .TrimStart("-----BEGIN RSA PRIVATE KEY-----".ToCharArray())
        .TrimEnd("-----END RSA PRIVATE KEY-----".ToCharArray())
        .Replace("\r\n",""));
}

Alternatively, OpenSSL can also be used for the conversion:

openssl rsa -inform PEM -outform DER -in C:\tmp\private.key -out C:\tmp\private.der

Possibility 2:

You can convert your PKCS1-PEM-key into an PKCS8-DER-key using OpenSSL. The appropriate command is:

openssl pkcs8 -topk8 -inform pem -in C:\tmp\private.key -outform der -nocrypt -out C:\tmp\privatepkcs8.der

The difference between PKCS1- and PKCS8-format is explained here. Then you can import the key with built-in .NET-methods (see also here, section PKCS#8 PrivateKeyInfo):

byte[] privateKeyPkcs8DER = File.ReadAllBytes(@"C:\tmp\privatepkcs8.der"); // PKCS8 - DER
CngKey cngKey = CngKey.Import(privateKeyPkcs8DER, CngKeyBlobFormat.Pkcs8PrivateBlob);
RSA rsa = new RSACng(cngKey);

// use e.g. rsa.Decrypt(...)

Possibility 3:

If third-party-libraries may be used, BouncyCastle is also a possibility:

StreamReader reader = File.OpenText(@"C:\tmp\private.key"); // PKCS1 - PEM
AsymmetricCipherKeyPair keyPair = (AsymmetricCipherKeyPair)new PemReader(reader).ReadObject();
Pkcs1Encoding pkcs1Encoding = new Pkcs1Encoding(new RsaEngine());

// E.g. decryption
pkcs1Encoding.Init(false, keyPair.Private);
byte[] decrypted = pkcs1Encoding.ProcessBlock(encrypted, 0, encrypted.Length);

Possibility 4:

Another possibility is the use of the DecodeRSAPrivateKey-method from JavaScience which can process a PKCS1-key. However, the DecodeRSAPrivateKey-method can only process the DER-format. Thus, you must first manually convert the PEM-format into the DER-format using e.g. ConvertPKCS1PemToDer or OpenSSL.

Caldarium answered 30/5, 2019 at 22:38 Comment(1)

great stuff but I need to be able to use the function ImportCspBlob because this is what is being on some blackbox application I am working on and need to understand how to provide it with the correct private key format. So I need to generate the correct private key format that the function ImportCspBlob will work on. I can't replace it. – Latinist 3/6, 2019 at 7:6

I didnt find any good answer to this in one place so here goes.

To generate a fully working CSP blob that works with for example https://github.com/Aimeast/FxSsh

Download openssl And perform these step to get the base64 blob

openssl genrsa -aes128 -out key.pem -passout pass:foobar 2048
openssl rsa -in key.pem -passin pass:foobar -outform "MS PRIVATEBLOB" -out my_rsa.pem
openssl base64 -in my_rsa.pem

Euchology answered 26/4 at 19:27 Comment(0)

-1

Thanks to the @Topaco answer, I understood that I need to find the CSP blob and like he mentioned, it is undocumented.

So I just used byte[] a = rsa.ExportCspBlob(true); to get it.
I converted the bytes to base64 and this is a correct key format in base64 that worked for me:

BwIAAACkAABSU0EyAAQAAAEAAQD99dvdVctFcYP6fGCvz/8QcoJqjpfKMPxCIsVRAZSCaKTB6Dl0DbEQBcaLNe8Cm31lzMYyf/2vh6gM+GUHmKcBYo2Z7JvauTGXFXEyv02ai8RINlvAGAicZwWoyGJb5h4sM881Q5+BuDTcoyefk+b7x7KBQjMD/wNuPCWijZ0lsP+Gt1tPryE757QDDl95jQk04ZS+70vGOAO836f+RCyeA6c0ZEA1eYzsM/PVsv+nLwh7pTj7KLFSha5CM304SdcDnyOnt1ARyv1BQsRhyN3IAOH/Se00OfWhcc0sZCjg+xvDebKuoODHDhUfHJPchOmyvhSxjyNACJuxg1uGh3XRmaPoceXXFCuNhFGheK5cQrfUGHpWeJKrpWM/+f3XcrYob0jQCloBIicXfvhhPnkPojiOquxmjy0rA8/JRjHov3+znJY+pQgFC5cUmvGWxhWygm+qDwYco6yCSRkkaIp/K39uJXQ2pQf9XapqjtAJipRo5xX0o/itiDyF1qPT7TumZROMUhU3znXGnxPelZ2bA7SgPiu6BBKADfqG1XJE1K50ydaEfyXYceYHIs7UAMLw9aTptqHbPPGp1hDL2xpWBR6hvqkPqouiVJ7VgPHkjxwT/hgXBvJbHOm/ghq/xA/1oTtXLJHXCASVdylt+nwauOp5qR0Dfdbz7IQGjChYzBHuqDuKorpmfHhZl+bDTHpJ1PjWrojoBfAt2v5zlBnw/ipjkD9MXKrNlPqbgeYXUAeAzfFKQhF2kr3zlmExIS8=

Latinist answered 3/6, 2019 at 7:47 Comment(2)

the question is about import and you have explained on export! – Personable 7/1, 2022 at 6:32

Explain how you imported that value that you exported here, I already had my key in this format, but the importCspBlob still gives a bad provider error. – Chellean 17/2, 2022 at 12:56

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags