Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.
Announcements
The Intel sign-in experience has changed to support enhanced security controls. If you sign in, click here for more information.
1370 Discussions

Upgrade Intel IPT with PKI, then CryptImportKey does not work

Kiyoung_K_
Beginner
‎08-30-2015 04:16 AM
830 Views
Solved Jump to solution

I recently upgrade IPT with PKI  from v3.1.0.182 to v4.0.5.25, then I can not use CryptImportKey  any more.

Because it returns 0x000000b7(maybe ERROR_ALREADY_EXISTS) after PIN setting PTD displayed.

Only container created.

I set dwFlags as CRYPT_USER_PROTECTED to use PKI with PTD.

I did not change any source codes, but only changed provider from Intel IPT Enhanced Cryptographic Provider to Intel IPT CSP - Non-Exportable Keys

What is wrong with it? or any misuse?

Is there any solution to it? 

Thank you in advance.

0 Kudos
1 Solution
Gael_H_Intel
Moderator
‎09-02-2015 08:53 AM
823 Views
Solved Jump to solution

Hello,

In version 4.x, the secure import and secure export functionality is not supported in the “Intel IPT CSP – Non-Exportable Keys” CSP.

To use secure import or secure export, you must use the new “Intel IPT CSP – Exportable Keys” CSP.

Please let me know if this helps you,

Gael

View solution in original post

0 Kudos
Copy link

Link Copied

10 Replies
Gael_H_Intel
Moderator
‎08-31-2015 02:06 PM
830 Views
Solved Jump to solution

Hello,

As indicated in the attached Release Notes for v4.0.5.25 and the excerpt below, the name of the Cryptographic Service Providers (CSP) in v4 has changed, and the “Intel IPT Cryptographic Provider” CSP has been removed.  You will need to change your code to use the new CSP names.

Preview file
121 KB
0 Kudos
Copy link
Kiyoung_K_
Beginner
‎08-31-2015 02:42 PM
823 Views
Solved Jump to solution
Yes. I changed provider name. It works when I try to generate a new one. But It fails when I try to import a certificate at CryptImportKey step with 0x000000b7 code after CryptAcquireContext success.
0 Kudos
Copy link
Gael_H_Intel
Moderator
‎09-02-2015 08:53 AM
824 Views
Solved Jump to solution

Hello,

In version 4.x, the secure import and secure export functionality is not supported in the “Intel IPT CSP – Non-Exportable Keys” CSP.

To use secure import or secure export, you must use the new “Intel IPT CSP – Exportable Keys” CSP.

Please let me know if this helps you,

Gael

0 Kudos
Copy link
Kiyoung_K_
Beginner
‎09-02-2015 09:19 AM
823 Views
Solved Jump to solution

Hello,

I was looking forward to your response :) 

You mean that I cannot use certificates in the form of pkcs#12 any more with PTD?

Actually I tried to import through “Intel IPT CSP – Exportable Keys”, but the result was same.

If "secure import" means import through a migration authority,

Then how can I import certificates securely?

There is any technical documents of secure import or detail of changed specification of IPT with PKI?

I am so sorry for too many questions.

 

I really appreciate your kind and detail answer.

 

Kiyoung

0 Kudos
Copy link
Gael_H_Intel
Moderator
‎09-02-2015 09:53 AM
823 Views
Solved Jump to solution

I am talking to the experts on this - so that is why there is a delay in my responses.  They are wondering if you are integrating this into a product or if this is a Proof of Concept?

Thanks,

Gael

0 Kudos
Copy link
Kiyoung_K_
Beginner
‎09-02-2015 10:23 AM
830 Views
Solved Jump to solution

In Korea, almost people have one or more certificates already.

So if it is impossible to import certificate, we can not use IPT even though it is a wonderful technology.

I hope I can make many people, companies, and government use Intel IPT with PKI.

Next week. I have to show manufacturers it is possible with a 6th generation machine of them.

Our company finished development with  Intel IPT Enhanced Cryptographic Provider on Broadwell PC.

I tried to use 3.x IPT on new machine, but it was impossible to install on the machine.

Is there any solution?

 

Kiyoung

0 Kudos
Copy link
Kiyoung_K_
Beginner
‎09-03-2015 05:59 AM
830 Views
Solved Jump to solution

Gael Hofemeier (Intel) wrote:

I am talking to the experts on this - so that is why there is a delay in my responses.  They are wondering if you are integrating this into a product or if this is a Proof of Concept?

Thanks,

Gael

Yes, We are using IPT with PKI as a main secure certificate storage in our product.

If we can not use it, manufacturers do not make a vPro product line.

 

Thanks,

Kiyoung

0 Kudos
Copy link
Kiyoung_K_
Beginner
‎09-04-2015 03:50 AM
830 Views
Solved Jump to solution

According to the Release Notes,

 

Intel IPT Enhanced Cryptographic Provider     The name of this CSP has been changed to: “Intel IPT CSP – Non-Exportable Keys”.
                                                                         The functionality of the CSP has not changed.

 

I think that certificate import should be allowed. if not, it is bug.

0 Kudos
Copy link
Gael_H_Intel
Moderator
‎09-04-2015 11:06 AM
830 Views
Solved Jump to solution

Hi - could you send me your email in a private message?  I need to connect you to our folks who can help you.

Gael

0 Kudos
Copy link
Kiyoung_K_
Beginner
‎09-09-2015 06:53 AM
830 Views
Solved Jump to solution

Gael Hofemeier (Intel) wrote:

Hi - could you send me your email in a private message?  I need to connect you to our folks who can help you.

Gael

Hello,

I did not receive any message from your folks.

Did you received my message? if not, my email address is kiyoung.kky  at gmail.com.

I have not much time, I have to answer to my customers - manufacturers.

Would you let me know what is going on inside the team?

 

Thank you,

Kiyoung

0 Kudos
Copy link
Reply

For more complete information about compiler optimizations, see our Optimization Notice.