BCryptGenerateKeyPair function (bcrypt.h)

  • Article

The BCryptGenerateKeyPair function creates an empty public/private key pair. After you create a key by using this function, you can use the BCryptSetProperty function to set its properties; however, the key cannot be used until the BCryptFinalizeKeyPair function is called.

Syntax

NTSTATUS BCryptGenerateKeyPair(
  [in, out] BCRYPT_ALG_HANDLE hAlgorithm,
  [out]     BCRYPT_KEY_HANDLE *phKey,
  [in]      ULONG             dwLength,
  [in]      ULONG             dwFlags
);

Parameters

[in, out] hAlgorithm

Handle of an algorithm provider that supports signing, asymmetric encryption, or key agreement. This handle must have been created by using the BCryptOpenAlgorithmProvider function.

[out] phKey

A pointer to a BCRYPT_KEY_HANDLE that receives the handle of the key. This handle is used in subsequent functions that require a key, such as BCryptEncrypt. This handle must be released when it is no longer needed by passing it to the BCryptDestroyKey function.

[in] dwLength

The length, in bits, of the key. Algorithm providers have different key size restrictions for each standard asymmetric algorithm.

Algorithm identifier Meaning
BCRYPT_DH_ALGORITHM
 The key size must be greater than or equal to 512 bits, less than or equal to 4096 bits, and must be a multiple of 64.
BCRYPT_DSA_ALGORITHM
 Prior to Windows 8, the key size must be greater than or equal to 512 bits, less than or equal to 1024 bits, and must be a multiple of 64.

Beginning with Windows 8, the key size must be greater than or equal to 512 bits, less than or equal to 3072 bits, and must be a multiple of 64. Processing for key sizes less than or equal to 1024 bits adheres to FIPS 186-2. Processing for key sizes greater than 1024 and less than or equal to 3072 adheres to FIPS 186-3.
BCRYPT_ECDH_P256_ALGORITHM
 The key size must be 256 bits.
BCRYPT_ECDH_P384_ALGORITHM
 The key size must be 384 bits.
BCRYPT_ECDH_P521_ALGORITHM
 The key size must be 521 bits.
BCRYPT_ECDSA_P256_ALGORITHM
 The key size must be 256 bits.
BCRYPT_ECDSA_P384_ALGORITHM
 The key size must be 384 bits.
BCRYPT_ECDSA_P521_ALGORITHM
 The key size must be 521 bits.
BCRYPT_RSA_ALGORITHM
 The key size must be greater than or equal to 512 bits, less than or equal to 16384 bits, and must be a multiple of 64.

[in] dwFlags

A set of flags that modify the behavior of this function. No flags are currently defined, so this parameter should be zero.

Return value

Returns a status code that indicates the success or failure of the function.

Possible return codes include, but are not limited to, the following.

Return code Description
STATUS_SUCCESS
 The function was successful.
STATUS_INVALID_HANDLE
 The algorithm handle in the hAlgorithm parameter is not valid.
STATUS_INVALID_PARAMETER
 One or more parameters are not valid.
STATUS_NOT_SUPPORTED
 The specified provider does not support asymmetric key encryption.

Remarks

Depending on what processor modes a provider supports, BCryptGenerateKeyPair can be called either from user mode or kernel mode. Kernel mode callers can execute either at PASSIVE_LEVEL IRQL or DISPATCH_LEVEL IRQL. If the current IRQL level is DISPATCH_LEVEL, the handle provided in the hAlgorithm parameter must have been opened by using the BCRYPT_PROV_DISPATCH flag, and any pointers passed to the BCryptGenerateKeyPair function must refer to nonpaged (or locked) memory.

To call this function in kernel mode, use Cng.lib, which is part of the Driver Development Kit (DDK). Windows Server 2008 and Windows Vista:  To call this function in kernel mode, use Ksecdd.lib.

Requirements

Requirement Value
Minimum supported client Windows Vista [desktop apps | UWP apps]
Minimum supported server Windows Server 2008 [desktop apps | UWP apps]
Target Platform Windows
Header bcrypt.h
Library Bcrypt.lib
DLL Bcrypt.dll

See also

BCryptDestroyKey