why CngKey.Import is not supported on ubuntu?

[agoretsky]

Is there any workaround to make this code working?

var keyContent = System.IO.File.ReadAllText("key.p8").Split('\n')[1];
var secretKeyBlob = Convert.FromBase64String(keyContent);
var key = CngKey.Import(secretKeyBlob, CngKeyBlobFormat.Pkcs8PrivateBlob);

[danmoseley]

What result do you get?

[agoretsky]

@danmosemsft

Unhandled Exception: System.PlatformNotSupportedException: Operation is not supported on this platform.
   at System.Security.Cryptography.CngKeyBlobFormat.get_Pkcs8PrivateBlob()
   at ConsoleApp1.Program.Main(String[] args)

Product Information:
 Version:            2.0.0-preview1-005825
 Commit SHA-1 hash:  b4a821109d

Runtime Environment:
 OS Name:     ubuntu
 OS Version:  16.04
 OS Platform: Linux
 RID:         ubuntu.16.04-x64
 Base Path:   /opt/dotnet/sdk/2.0.0-preview1-005825/

Microsoft .NET Core Shared Framework Host

  Version  : 2.0.0-preview1-002028-00
  Build    : 6d0caecf154d3398b9bc0e637089b6af9e250479

[bartonjs]

CngKey represents direct interop to the Windows CNG libraries (BCrypt.dll and NCrypt.dll), which is not available on non-Windows platforms. There are not any cross-platform APIs in .NET Core capable of reading a PKCS#8 blob.

[danmoseley]

Where is the exception coming from (I don't see) . we can add a more speicfic message.

[bartonjs]

CngKey (and CngKeyBlobFormat) is in the Cng library, so auto-generated PNSE: https://github.com/dotnet/corefx/blob/master/src/System.Security.Cryptography.Cng/src/System.Security.Cryptography.Cng.csproj#L11

So there's not really a place to add a message

[danmoseley]

Oh of course. We could modify GenAPI to add a message that we could define in the project (can't find its sources. @weshaggard ..). I guess Operations with CNG keys are only supported on Windows platforms.. That's only marginally better but at least it's a bit friendly for stack overflow.
Perhaps not worthwhile.

[weshaggard]

The code for GenAPI lives in BuildTools. It would take some work to allow for custom messages for everything but it wouldn't be too difficult to pass a common message for all of them. We would just need to plumb a parameter down into https://github.com/dotnet/buildtools/blob/73d034cddac9ed39af4c3acc4a030cc8598f1006/src/Microsoft.Cci.Extensions/Writers/CSharp/CSDeclarationWriter.Methods.cs#L204.

[danmoseley]

Now I see there are 21 libraries with this property and doing this would improve 100's of PNSE maybe it 's worth it.

[agoretsky]

X509Certificate2 has extension method GetECDsaPrivateKey which returns ECDsa - it is appropriate for me and it looks like ECDsa supported on ubuntu.
I have a PEM-encoded, unencrypted PKCS#8 file, which can be inspected with openssl pkcs8 -nocrypt -in key.p8. I am not an certificates expert, but maybe it's possible to convert this .p8 file to some format which can be loaded as X509Certificate2, so I could use GetECDsaPrivateKey method? @bartonjs

[bartonjs]

$ openssl req -new -x509 -key key.p8 -out selfsigned.cer
$ openssl pkcs12 -export -in selfsigned.cer -inkey key.p8  -out selfsigned.certandkey.pfx

Then you can load the cert with

using (var cert = new X509Certificate2(pfx, password))
{
    return cert.GetECDsaPrivateKey();
}

• pfx is either the bytes as a byte[], or the filename as a string.
• password is whatever you chose at the pkcs12 export prompt. If you left it blank you can use the constructor that just takes one argument.

[agoretsky]

@bartonjs thank you!