Failed to import RSA private key: "Bad Version of provider"

Question

I have a random private key ("C:\tmp\private.key"):

I tried to use the RSACryptoServiceProvider.ImportCspBlob to import it but it failed with the error:

System.Security.Cryptography.CryptographicException: Bad Version of provider.

Full stack trace:

Failed: System.Security.Cryptography.CryptographicException: Bad Version of provider.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.Utils._ImportCspBlob(Byte[] keyBlob, SafeProvHandle hProv, CspProviderFlags flags, SafeKeyHandle& hKey)
   at System.Security.Cryptography.Utils.ImportCspBlobHelper(CspAlgorithmType keyType, Byte[] keyBlob, Boolean publicOnly, CspParameters& parameters, Boolean randomKeyContainer, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.ImportCspBlob(Byte[] keyBlob)
   at ConsoleApplication3.Program.DecodeRSA(Byte[] data, Int32 c_data) in C:\Users\myuser\Documents\Visual Studio 2015\Projects\myproj\ConsoleApplication3\Program.cs:line 28
   at ConsoleApplication3.Program.Main(String[] args) in C:\Users\myuser\Documents\Visual Studio 2015\Projects\myproj\ConsoleApplication3\Program.cs:line 14
Press any key to continue . . .

Any idea what I am doing wrong?

This is my code:

using System;
using System.Security.Cryptography;

namespace ConsoleApplication3
{
    class Program
    {
        static public byte[] privateKey;
        static void Main(string[] args)
        {
            try
            {
                privateKey = System.IO.File.ReadAllBytes(@"C:\tmp\private.key");
                DecodeRSA(privateKey);
            }
            catch(Exception e)
            {
                Console.WriteLine("Failed: {0}", e);
            }
        }

        static public void DecodeRSA(byte[] data)
        {
            using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
            {
                rsa.ImportCspBlob(Program.privateKey);
            }
        }

    }
}

I'm not quite sure what you are expecting. You appear to be trying to decrypt the first byte of your private key using your private key. — spodger, May 30 '19 at 08:11
It stops before on the line `rsa.ImportCspBlob(Program.privateKey);`. I removed the rest of the code. You I want to understand why the above line fail. — E235, May 30 '19 at 08:55
@E235 can you edit and add complete stack trace? It helps us give a solution. — SUNIL DHAPPADHULE, May 30 '19 at 10:33
It fails because you are just reading the textual content of the private key file as a byte array but this is not compatible with the format that `ImportCspBlob`. — spodger, May 30 '19 at 10:44
Snuil Dhappadhule, I added stack trace. @spodger, any idea what is the format of the private key should be? — E235, May 30 '19 at 10:46
As you might expect, `ImportCSPBlob()` imports a key that is in "CSP blob" format, which is naturally an undocumented proprietary Microsoft format. You key is not even close to the right format. — President James K. Polk, May 30 '19 at 14:25

score 6 · Answer 1 · answered May 30 '19 at 22:38

Your private key has a PKCS1-PEM-Format. Private key BLOBs have another format. As already mentioned in the comments, the formats are very different and cannot be easily converted (see e.g. here). Of course you can use a PKCS1-PEM-key, but it is not that easy. Here are some options:

Possibility 1:

If you use .NET Core 3.0 there is a direct support for reading a PKCS1-key (see also here):

byte[] privateKeyPkcs1PEM = File.ReadAllBytes(@"C:\tmp\private.key"); // PKCS1 - PEM
byte[] privateKeyPkcs1DER = ConvertPKCS1PemToDer(Encoding.UTF8.GetString(privateKeyPkcs1PEM));
RSA rsa = RSA.Create();
rsa.ImportRSAPrivateKey(privateKeyPkcs1DER, out _);

// use e.g. rsa.Decrypt(...)

However, the ImportRSAPrivateKey-method can only process the DER-format which is essentially the binary format of the PEM-format (for more details see here or here). Thus, you have to convert the PEM-format into the DER-format with something like

private static byte[] ConvertPKCS1PemToDer(string pemContents)
{
    return Convert.FromBase64String(pemContents
        .TrimStart("-----BEGIN RSA PRIVATE KEY-----".ToCharArray())
        .TrimEnd("-----END RSA PRIVATE KEY-----".ToCharArray())
        .Replace("\r\n",""));
}

Alternatively, OpenSSL can also be used for the conversion:

openssl rsa -inform PEM -outform DER -in C:\tmp\private.key -out C:\tmp\private.der

Possibility 2:

You can convert your PKCS1-PEM-key into an PKCS8-DER-key using OpenSSL. The appropriate command is:

openssl pkcs8 -topk8 -inform pem -in C:\tmp\private.key -outform der -nocrypt -out C:\tmp\privatepkcs8.der

The difference between PKCS1- and PKCS8-format is explained here. Then you can import the key with built-in .NET-methods (see also here, section PKCS#8 PrivateKeyInfo):

byte[] privateKeyPkcs8DER = File.ReadAllBytes(@"C:\tmp\privatepkcs8.der"); // PKCS8 - DER
CngKey cngKey = CngKey.Import(privateKeyPkcs8DER, CngKeyBlobFormat.Pkcs8PrivateBlob);
RSA rsa = new RSACng(cngKey);

// use e.g. rsa.Decrypt(...)

Possibility 3:

If third-party-libraries may be used, BouncyCastle is also a possibility:

StreamReader reader = File.OpenText(@"C:\tmp\private.key"); // PKCS1 - PEM
AsymmetricCipherKeyPair keyPair = (AsymmetricCipherKeyPair)new PemReader(reader).ReadObject();
Pkcs1Encoding pkcs1Encoding = new Pkcs1Encoding(new RsaEngine());

// E.g. decryption
pkcs1Encoding.Init(false, keyPair.Private);
byte[] decrypted = pkcs1Encoding.ProcessBlock(encrypted, 0, encrypted.Length);

Possibility 4:

Another possibility is the use of the DecodeRSAPrivateKey-method from JavaScience which can process a PKCS1-key. However, the DecodeRSAPrivateKey-method can only process the DER-format. Thus, you must first manually convert the PEM-format into the DER-format using e.g. ConvertPKCS1PemToDer or OpenSSL.

great stuff but I need to be able to use the function `ImportCspBlob` because this is what is being on some blackbox application I am working on and need to understand how to provide it with the correct private key format. So I need to generate the correct private key format that the function `ImportCspBlob` will work on. I can't replace it. — E235, Jun 03 '19 at 07:06

E235 · Accepted Answer · 2019-06-03T08:10:31.260

Thanks to the @Topaco answer, I understood that I need to find the CSP blob and like he mentioned, it is undocumented.

So I just used byte[] a = rsa.ExportCspBlob(true); to get it.
I converted the bytes to base64 and this is a correct key format in base64 that worked for me:

BwIAAACkAABSU0EyAAQAAAEAAQD99dvdVctFcYP6fGCvz/8QcoJqjpfKMPxCIsVRAZSCaKTB6Dl0DbEQBcaLNe8Cm31lzMYyf/2vh6gM+GUHmKcBYo2Z7JvauTGXFXEyv02ai8RINlvAGAicZwWoyGJb5h4sM881Q5+BuDTcoyefk+b7x7KBQjMD/wNuPCWijZ0lsP+Gt1tPryE757QDDl95jQk04ZS+70vGOAO836f+RCyeA6c0ZEA1eYzsM/PVsv+nLwh7pTj7KLFSha5CM304SdcDnyOnt1ARyv1BQsRhyN3IAOH/Se00OfWhcc0sZCjg+xvDebKuoODHDhUfHJPchOmyvhSxjyNACJuxg1uGh3XRmaPoceXXFCuNhFGheK5cQrfUGHpWeJKrpWM/+f3XcrYob0jQCloBIicXfvhhPnkPojiOquxmjy0rA8/JRjHov3+znJY+pQgFC5cUmvGWxhWygm+qDwYco6yCSRkkaIp/K39uJXQ2pQf9XapqjtAJipRo5xX0o/itiDyF1qPT7TumZROMUhU3znXGnxPelZ2bA7SgPiu6BBKADfqG1XJE1K50ydaEfyXYceYHIs7UAMLw9aTptqHbPPGp1hDL2xpWBR6hvqkPqouiVJ7VgPHkjxwT/hgXBvJbHOm/ghq/xA/1oTtXLJHXCASVdylt+nwauOp5qR0Dfdbz7IQGjChYzBHuqDuKorpmfHhZl+bDTHpJ1PjWrojoBfAt2v5zlBnw/ipjkD9MXKrNlPqbgeYXUAeAzfFKQhF2kr3zlmExIS8=

It is important to mentioned that I just need that this function will pass successfully because I am working on a blackbox application and I can't change the code, I need to provide it with the right input.

the question is about import and you have explained on export! — Muzammil Tamboli, Jan 07 '22 at 06:32
Explain how you imported that value that you exported here, I already had my key in this format, but the importCspBlob still gives a bad provider error. — prw56, Feb 17 '22 at 12:56

Failed to import RSA private key: "Bad Version of provider"

2 Answers2

Linked