X509Certificate2.Export() in Linux adds a multiple localKeyID bag attribute #26750

Closed
iftahbe opened this issue Jul 10, 2018 · 2 comments · Fixed by dotnet/corefx#42226
Labels
area-System.Security bug os-linux Linux OS (any supported distro)


iftahbe commented Jul 10, 2018

Running on Ubuntu 16.04.

When exporting a certificate, Windows replaces the localKeyID bag attribute while in Linux it doesn't get replaced. Instead, another localKeyID attribute is added to the same bag but with a different value.
This is a problem when trying to load the exported certificate using BouncyCastle's Pkcs12Store.Load().

The following console app demonstrates the problem:

using System;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography.X509Certificates;

namespace ConsoleApp3
{
    class Program
    {
        // args[0]: input PFX, args[1]: path for the re-exported PFX
        static void Main(string[] args)
        {
            CheckFile(args[0]);

            // Load the PFX with an exportable key and write it back out as PFX
            var exported = new X509Certificate(args[0], (string)null, X509KeyStorageFlags.Exportable).Export(X509ContentType.Pfx);

            File.WriteAllBytes(args[1], exported);

            CheckFile(args[1]);
        }

        // Dump the PKCS#12 structure with openssl and count localKeyID attributes
        private static void CheckFile(string file)
        {
            var startInfo = new ProcessStartInfo("openssl", $"pkcs12 -in {file} -info")
            {
                RedirectStandardOutput = true,
                RedirectStandardError = true
            };

            using (var p = Process.Start(startInfo))
            {
                var output = p.StandardOutput.ReadToEnd();

                p.WaitForExit();

                var count = Count("localKeyID", output);

                Console.WriteLine(output);
                Console.WriteLine();
                Console.WriteLine($"localKeyID shows up on {file}: {count} times");
            }
        }

        // Number of (possibly overlapping) occurrences of term in str
        private static int Count(string term, string str)
        {
            int index = 0;
            int count = 0;
            while (true)
            {
                index = str.IndexOf(term, index, StringComparison.Ordinal);
                if (index == -1)
                    break;
                count++;
                index++;
            }
            return count;
        }
    }
}

Output:

iftah@iftah-work:~$ dotnet run original.pfx exported-in-linux.pfx
Enter Import Password:
Enter PEM pass phrase:
Bag Attributes
    localKeyID: D4 BE 13 9F 9D B4 56 D2 25 A8 DC D2 96 94 79 D9 60 D2 51 4A
    friendlyName: CN=a.onenode.development.run
Key Attributes: <No Attributes>
Bag Attributes
    localKeyID: D4 BE 13 9F 9D B4 56 D2 25 A8 DC D2 96 94 79 D9 60 D2 51 4A
    friendlyName: CN=a.onenode.development.run
subject=/CN=a.onenode.development.run
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Bag Attributes
    friendlyName: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
subject=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Bag Attributes
    friendlyName: CN=DST Root CA X3, O=Digital Signature Trust Co.
subject=/O=Digital Signature Trust Co./CN=DST Root CA X3
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


localKeyID shows up on original.pfx: 2 times
Enter Import Password:
Enter PEM pass phrase:
Bag Attributes
    localKeyID: 45 CB F1 11 6F B3 F3 8B 29 84 B3 C7 22 4C AE 70 A7 4F 77 89
    localKeyID: D4 BE 13 9F 9D B4 56 D2 25 A8 DC D2 96 94 79 D9 60 D2 51 4A
    friendlyName: CN=a.onenode.development.run
subject=/CN=a.onenode.development.run
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 45 CB F1 11 6F B3 F3 8B 29 84 B3 C7 22 4C AE 70 A7 4F 77 89
Key Attributes: <No Attributes>


localKeyID shows up on exported-in-linux.pfx: 3 times

And if we export the same certificate in Windows we get:

iftah@iftah-work:~$ openssl pkcs12 -in exported-in-windows.pfx -info
Enter Import Password:
MAC Iteration 2000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: {19E299AA-8375-4206-A623-262D846CF028}
    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0
Key Attributes
    X509v3 Key Usage: 10
Enter PEM pass phrase:
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Certificate bag
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: CN=a.onenode.development.run
subject=/CN=a.onenode.development.run
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

The Linux certificate is then not usable in BouncyCastle:

var rawData = File.ReadAllBytes(@"C:\work\exported-in-linux.pfx");
var store = new Pkcs12Store();
store.Load(new MemoryStream(rawData), Array.Empty<char>());

We get the exception:

System.IO.IOException: attempt to add existing attribute with different value
   at Org.BouncyCastle.Pkcs.Pkcs12Store.Load(Stream input, Char[] password)
   at ConsoleApp3.Program.Main(String[] args) in /home/iftah/Program.cs:line 21

In the zip you can find all three certificates used here:
original.pfx
exported-in-linux.pfx
exported-in-windows.pfx
certs.zip
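The two symptoms in this report (a cert bag carrying two localKeyID values, and a key bag that has to be paired with a cert bag by that value) can be checked mechanically from `openssl pkcs12 -info` output. This is an added example, not code from the issue or from dotnet/corefx; the sample text is constructed to mirror the Linux-exported output quoted above, with the certificate bodies omitted.

```python
import re
from collections import defaultdict

ATTR_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")

# Constructed sample mirroring the Linux-exported output quoted in the issue,
# certificate bodies omitted. Note the two localKeyID lines in the cert bag.
LINUX_EXPORT_INFO = """\
Bag Attributes
    localKeyID: 45 CB F1 11 6F B3 F3 8B 29 84 B3 C7 22 4C AE 70 A7 4F 77 89
    localKeyID: D4 BE 13 9F 9D B4 56 D2 25 A8 DC D2 96 94 79 D9 60 D2 51 4A
    friendlyName: CN=a.onenode.development.run
subject=/CN=a.onenode.development.run
Bag Attributes
    localKeyID: 45 CB F1 11 6F B3 F3 8B 29 84 B3 C7 22 4C AE 70 A7 4F 77 89
Key Attributes: <No Attributes>
"""

def parse_bags(info_text):
    """One (kind, attrs) per 'Bag Attributes' block. kind: 'key' if 'Key Attributes'
    follows, 'cert' if 'subject=' follows. attrs keeps every repeated value."""
    bags, current = [], None
    for line in info_text.splitlines():
        if line.startswith("Bag Attributes"):
            current = defaultdict(list)
            bags.append(["unknown", current])
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            current[m.group(1).strip()].append(m.group(2).strip())
            continue
        # First non-attribute line after the block says what the bag holds.
        if line.startswith("Key Attributes"):
            bags[-1][0] = "key"
        elif line.startswith("subject="):
            bags[-1][0] = "cert"
        current = None
    return [(kind, dict(attrs)) for kind, attrs in bags]

def duplicate_localkeyids(bags):
    """Indices of bags with >1 localKeyID, the condition BouncyCastle rejects."""
    return [i for i, (_, a) in enumerate(bags) if len(a.get("localKeyID", [])) > 1]

def unmatched_key_bags(bags):
    """localKeyIDs of key bags no cert bag shares (key/cert pairing uses this value)."""
    cert_ids = {v for k, a in bags if k == "cert" for v in a.get("localKeyID", [])}
    return [v for k, a in bags if k == "key"
            for v in a.get("localKeyID", []) if v not in cert_ids]
```

Run the parser over the real `openssl pkcs12 -in file.pfx -info` output to get the same per-bag view; a non-empty `duplicate_localkeyids` result is the Linux-export defect described in this issue.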

bartonjs (Member) commented:

Seems strange that the key id is actually changing, since I was under the impression that OpenSSL used the cert thumbprint as the key id.

Since we opaquely use PKCS12_parse and PKCS12_create, this is probably best addressed by breaking up with those functions, which is on the near-ish-term list anyway, to solve things like the multiple-private-key export.


ml054 commented Mar 15, 2019

When reading such a certificate in Java using the default security provider, it doesn't load the public key. When I use Bouncy Castle I get:

java.io.IOException: attempt to add existing attribute with different value

	at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown Source)
	at java.base/java.security.KeyStore.load(KeyStore.java:1479)

dnobori referenced this issue in IPA-CyberLab/IPA-DN-Cores-Test-DaemonCenterClient Aug 15, 2019
@msftgits msftgits transferred this issue from dotnet/corefx Jan 31, 2020
@msftgits msftgits added this to the 5.0 milestone Jan 31, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 16, 2020