Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

why CngKey.Import is not supported on ubuntu? #18733

Closed
agoretsky opened this issue Apr 21, 2017 · 11 comments

Comments

Projects
None yet
5 participants
@agoretsky
Copy link

commented Apr 21, 2017

Is there any workaround to make this code working?

var keyContent = System.IO.File.ReadAllText("key.p8").Split('\n')[1];
var secretKeyBlob = Convert.FromBase64String(keyContent);
var key = CngKey.Import(secretKeyBlob, CngKeyBlobFormat.Pkcs8PrivateBlob);
@danmosemsft

This comment has been minimized.

Copy link
Member

commented Apr 21, 2017

What result do you get?

@agoretsky

This comment has been minimized.

Copy link
Author

commented Apr 21, 2017

@danmosemsft

Unhandled Exception: System.PlatformNotSupportedException: Operation is not supported on this platform.
   at System.Security.Cryptography.CngKeyBlobFormat.get_Pkcs8PrivateBlob()
   at ConsoleApp1.Program.Main(String[] args)

Product Information:
 Version:            2.0.0-preview1-005825
 Commit SHA-1 hash:  b4a821109d

Runtime Environment:
 OS Name:     ubuntu
 OS Version:  16.04
 OS Platform: Linux
 RID:         ubuntu.16.04-x64
 Base Path:   /opt/dotnet/sdk/2.0.0-preview1-005825/

Microsoft .NET Core Shared Framework Host

  Version  : 2.0.0-preview1-002028-00
  Build    : 6d0caecf154d3398b9bc0e637089b6af9e250479

@bartonjs bartonjs added the question label Apr 21, 2017

@bartonjs

This comment has been minimized.

Copy link
Member

commented Apr 21, 2017

CngKey represents direct interop to the Windows CNG libraries (BCrypt.dll and NCrypt.dll), which is not available on non-Windows platforms. There are not any cross-platform APIs in .NET Core capable of reading a PKCS#8 blob.

@danmosemsft

This comment has been minimized.

Copy link
Member

commented Apr 21, 2017

Where is the exception coming from (I don't see) . we can add a more speicfic message.

@bartonjs

This comment has been minimized.

Copy link
Member

commented Apr 21, 2017

CngKey (and CngKeyBlobFormat) is in the Cng library, so auto-generated PNSE: https://github.com/dotnet/corefx/blob/master/src/System.Security.Cryptography.Cng/src/System.Security.Cryptography.Cng.csproj#L11

So there's not really a place to add a message

@danmosemsft

This comment has been minimized.

Copy link
Member

commented Apr 21, 2017

Oh of course. We could modify GenAPI to add a message that we could define in the project (can't find its sources. @weshaggard ..). I guess Operations with CNG keys are only supported on Windows platforms.. That's only marginally better but at least it's a bit friendly for stack overflow.
Perhaps not worthwhile.

@weshaggard

This comment has been minimized.

Copy link
Member

commented Apr 21, 2017

The code for GenAPI lives in BuildTools. It would take some work to allow for custom messages for everything but it wouldn't be too difficult to pass a common message for all of them. We would just need to plumb a parameter down into https://github.com/dotnet/buildtools/blob/73d034cddac9ed39af4c3acc4a030cc8598f1006/src/Microsoft.Cci.Extensions/Writers/CSharp/CSDeclarationWriter.Methods.cs#L204.

@danmosemsft

This comment has been minimized.

Copy link
Member

commented Apr 21, 2017

Now I see there are 21 libraries with this property and doing this would improve 100's of PNSE maybe it 's worth it.

@agoretsky

This comment has been minimized.

Copy link
Author

commented Apr 24, 2017

X509Certificate2 has extension method GetECDsaPrivateKey which returns ECDsa - it is appropriate for me and it looks like ECDsa supported on ubuntu.
I have a PEM-encoded, unencrypted PKCS#8 file, which can be inspected with openssl pkcs8 -nocrypt -in key.p8. I am not an certificates expert, but maybe it's possible to convert this .p8 file to some format which can be loaded as X509Certificate2, so I could use GetECDsaPrivateKey method? @bartonjs

@bartonjs

This comment has been minimized.

Copy link
Member

commented Apr 24, 2017

$ openssl req -new -x509 -key key.p8 -out selfsigned.cer
$ openssl pkcs12 -export -in selfsigned.cer -inkey key.p8  -out selfsigned.certandkey.pfx

Then you can load the cert with

using (var cert = new X509Certificate2(pfx, password))
{
    return cert.GetECDsaPrivateKey();
}
  • pfx is either the bytes as a byte[], or the filename as a string.
  • password is whatever you chose at the pkcs12 export prompt. If you left it blank you can use the constructor that just takes one argument.
@agoretsky

This comment has been minimized.

Copy link
Author

commented Apr 25, 2017

@bartonjs thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.