We have stored our Digi certificates having a private key in HashiCorp Vault. It contains thee things: certificate, name, private key.
I am trying to read the data and return new x509 certificate using a .NET Core standard project:
var crypto = new RSACryptoServiceProvider(parms);
crypto.FromXmlString(Encoding.UTF8.GetString(Convert.FromBase64String(certificationvalue.Data.PrivateKey)));
x509.PrivateKey = crypto; // getting error that operation is not allowed on this platform.
How can I fix this error?
Related
Here is my code.
X509Certificate pXCert = new X509Certificate2(#"keyStore.p12", "password");
RSACryptoServiceProvider csp = (RSACryptoServiceProvider)pXCert.PrivateKey;
string id = CryptoConfig.MapNameToOID("SHA256");
return csp.SignData(File.ReadAllBytes(filePath), id);
On the last line I'm getting the exception:
System.Security.Cryptography.CryptographicException "Invalid algorithm specified."
What am I doing wrong?
UPDATE:
id = 2.16.840.1.101.3.4.2.1
For dot net framework 4.7.0 or higher is not taking the sha1 so configure the below in application start. it's worked fine for me.
AppContext.SetSwitch("Switch.System.Security.Cryptography.Xml.UseInsecureHashAlgorithms", true);
AppContext.SetSwitch("Switch.System.Security.Cryptography.Pkcs.UseInsecureHashAlgorithms", true);
There is no issue with .NET code or the CSP code you provided.
Your problem is that CSP just doesn’t support SHA 256. You can get further information here
You might have come here while you are migrating your application from .NET Framework 4.7 and earlier versions to 4.7.1 or later versions.
If you are getting the exception System.Security.Cryptography.CryptographicException: Invalid algorithm specified., the reason is that default SignedXML and SignedXMS algorithms changed to SHA256 for applications that target the .NET Framework 4.7.1 and later versions (from Microsoft .NET migration guide)
In that guide you'll also find the solution:
For applications that target the .NET Framework 4.7.1 and later versions, if the use of SHA256 is undesirable, you can restore the default to SHA1 by adding the following configuration switch to the runtime section of your app config file:
<AppContextSwitchOverrides value="Switch.System.Security.Cryptography.Xml.UseInsecureHashAlgorithms=true;
Switch.System.Security.Cryptography.Pkcs.UseInsecureHashAlgorithms=true" />
But this may not always work, especially for web applications, as you can read in this blog post, fortunately along with the answer as well. It is only necessary to add some lines in the Application_Start
protected void Application_Start(object sender, EventArgs e)
{
[...]
AppContext.SetSwitch("Switch.System.Security.Cryptography.Xml.UseInsecureHashAlgorithms", true);
AppContext.SetSwitch("Switch.System.Security.Cryptography.Pkcs.UseInsecureHashAlgorithms", true);
}
Note that I use SHA512 but SHA256 will work with the below examples:
"Invalid algorithm specified" Took me forever to figure out and I tried practically everything.
Step 1 - the certificate has to be SHA512 and use a CSP (Cryptographic Service Provider) that is SHA512 Capable. Here is a list of CSPs and their capabilities. If you look for SHA512 you'll find the "Microsoft Enhanced RSA and AES Cryptographic Provider". By default generating certificates don't use this (at least in Windows) so you have to specify it when you create the certificate.
If you create the certificate with openssl, you can use the option -CSP below to set the correct CSP that will make it work. If you have an existing pfx, you can convert it to a PEM file with openssl, and then back to a pfx to add the option.
Create private key and certificate - this step will ask you questions, state, region etc etc.
openssl req -x509 -nodes -sha512 -newkey rsa:2048 -keyout 512key.pem -out 512cert.pem -days 3650
Create PFX file to import into your certificate store using the Microsoft Enhanced RSA and AES Cryptographic Provider:
openssl pkcs12 –export –in 512cert.pem –inkey 512key.pem –CSP “Microsoft Enhanced RSA and AES Cryptographic Provider” –out 512pfx.pfx
Step 2 : Props to Gonzalo Gallotti for posting the link to the piece of code that helped me. I commented up my code to show what each step is doing. NOTE: this code won't work without a properly generated certificate as described in step 1
public void GetCertificate() {
// Get the Machine Cert Store
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
string alg = CryptoConfig.MapNameToOID("SHA512");
// Open the cert store
store.Open(OpenFlags.ReadWrite);
// Loop through each certificate within the store
foreach (X509Certificate2 myCert in store.Certificates)
{
// Get the certificate we are looking for
if (myCert.IssuerName.Name.Contains("CN=YourSite"))
{
// Check if the certificate has a private key
if (myCert.HasPrivateKey)
{
// Get your custom signature as a string
string mySignature = GetSignatureString();
// Convert signature to byte array
byte[] originalData = Encoding.UTF8.GetBytes(mySignature);
// Create RSA provider from private key
RSACryptoServiceProvider rsaProvider = (RSACryptoServiceProvider)myCert.PrivateKey;
// Sign the signature with SHA512
byte[] signedSignature = signedSignature = rsaProvider.SignData(originalData, alg);
if (rsaProvider.VerifyData(originalData, alg, signedSignature))
{
// Signature is verified Do Stuff
}
else
{
throw new Exception("The data does not match the signature.");
}
}
}
}
}
Which CSP your certificate is using can be checked with certutil tool (on windows)
certutil yourCertificate.p12
Examples:
Microsoft Enhanced Cryptographic Provider v1.0 => throws error with C# 4.7 and above
Microsoft Enhanced RSA and AES Cryptographic Provider => works
Having a similar issue but just resolved it. If you are not using X509 but just the plain RSACryptoServiceProvider to get the keys, then only SHA1 is supported.
You can set the AppContext switches in a web config via appSettings:
<appSettings>
<add key="AppContext.SetSwitch:Switch.System.Security.Cryptography.Xml.UseInsecureHashAlgorithms" value="true" />
<add key="AppContext.SetSwitch:Switch.System.Security.Cryptography.Pkcs.UseInsecureHashAlgorithms" value="true" />
</appSettings>
I fixed the issue by upgrading my dependencies.
Instead of relying on the GAC version I was previously using for years, I switched to the latest NuGet packages (v16.8.0) of:
Microsoft.Build.Tasks.Core
Microsoft.Build.Utilities.Core
Microsoft.Build.Framework
This fixed this issue for us.
I'm trying to import a certificate with private key into the Windows Certificate Store. I can successfully import the certificate using the below
X509Certificate2 certificate = new(certByteArray, certPassword, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet);
X509Store store = new(StoreName.TrustedPeople, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
store.Add(certificate);
But the problem I've got is, how to give a user access to the private key programmatically.
I've found these links helpful:
https://www.pkisolutions.com/accessing-and-using-certificate-private-keys-in-net-framework-net-core/
CngKey Assign permission to machine key
Set Certificate PrivateKey Permissions in .NET 5
I can grant access via the UI with certlm.msc > Drag certificate to Personal store > Right click certificate > All Tasks > Manage private keys > Add the user and permission
But I need to do this programmatically
There are changes from .NET Full Framework which is where the examples come from. I've spent more than a day on it, tried multiple certificates, certificate is definitely marked as exportable and running VS as administrator. I'm happy with a Windows only solution
This is about as close as I've got
const string NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
const CngPropertyOptions DACL_SECURITY_INFORMATION = (CngPropertyOptions)4;
X509Store trustedPeopleStore = new(StoreName.TrustedPeople, StoreLocation.LocalMachine);
trustedPeopleStore.Open(OpenFlags.ReadWrite);
var certificates = trustedPeopleStore.Certificates.Find(X509FindType.FindByThumbprint, "xxxxxxxxxxxxxxxxxxxxxx", false);
RSA rsa = certificates[0].GetRSAPrivateKey();
RSACng rsaCng = rsa as RSACng;
CngProperty prop = rsaCng.Key.GetProperty(NCRYPT_SECURITY_DESCR_PROPERTY, DACL_SECURITY_INFORMATION);
I can see the rsaCng.Key present in debug, but it fails on the next line (it definitely is exportable) getting the property with
Internal.Cryptography.CryptoThrowHelper.WindowsCryptographicException: 'Key not valid for use in specified state.'
I've also read comments that you shouldn't try setting the acl directly on the file, but not sure if that is correct or not
See this code project post for some example code that grants access programmatically (specifically look at the "AddAccessToCertificate" method).
Check this for more info: Programmatically adding certificate to personal store
What I currently do is that I use OpenSSL to generate PFX file. This is causing an unwanted dependency, especially for Windows users. So I found some examples on how to create your own certificate using BouncyCastle, but this library is not .NET Core compatible (or I failed to find the compatible package).
So, is it possible to create your own self signed X509 certificate using just .NET core to avoid dependency on OpenSSL (or any other certificate generating external tool)?
EDIT: It was suggested by someone (editor?) that this SO question How to create a self-signed certificate using C#? provides an answer. Sadly again, this has nothing to do with .NET Core. The accepted answer there starts with This implementation uses the CX509CertificateRequestCertificate COM object (and friends - MSDN doc) from certenroll.dll to create a self signed certificate request and sign it, which is obviously NOT .NET Core ... In fact, none of the answers there is .NET Core compatible.
I found this other SO question that put me on the right track. Certificates API was added to .Net Core on 2.0 version. I have a function like the next one to create self signed certificates that I later import into My store to use them on IIS.
private X509Certificate2 buildSelfSignedServerCertificate()
{
SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
sanBuilder.AddIpAddress(IPAddress.Loopback);
sanBuilder.AddIpAddress(IPAddress.IPv6Loopback);
sanBuilder.AddDnsName("localhost");
sanBuilder.AddDnsName(Environment.MachineName);
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256,RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature , false));
request.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false));
request.CertificateExtensions.Add(sanBuilder.Build());
var certificate= request.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.AddDays(-1)), new DateTimeOffset(DateTime.UtcNow.AddDays(3650)));
certificate.FriendlyName = CertificateName;
return new X509Certificate2(certificate.Export(X509ContentType.Pfx, "WeNeedASaf3rPassword"), "WeNeedASaf3rPassword", X509KeyStorageFlags.MachineKeySet);
}
}
If you want the pfx, the Export function on X509Certificate2 should do the trick. It returns a byte array with the raw pfx data.
The Microsoft way is doing this with makecert and pvk2pfx (from the windows SDK), and not in the .net code itself. Now Im not very familiar with .net core, but since the full blown .net doesn't have native support, it would surprise me very much if the core version does have the function.
here's a description of how to do that:
https://msdn.microsoft.com/en-us/library/ff699202.aspx
Edit: Let me rephrase it: Without external dependancies it is not available in .net (core)..
There are ways in full blown .net but you need external dll's for that.
I'm new to 2WaySSL.
What I'm trying to do:
1. Retrieve a Client certificate which is stored in a certificate store,
I'm managing to do that by such code:
certificates = store.Certificates.Find(X509FindType.FindBySerialNumber, serialNumber, false);
When attaching the certificate to the request, the authentication by the server fails,
since I the certificate object does not contain the private key.
I'm trying to find a way of associating the private key to the certificate (in c#),
Once I'll retrieve the key from where it's stored.
something like:
certificate.PrivateKey = key;
But I found no easy way of either initiating the key object, or assigning it to the certificate without getting some exception, even when the key is null, I'm getting an access denied exception.
Any help , especially followed by a code sample, would be appreciated.
AFter .NET 4.7.2, If you have the certificate with only public key and an RSA private key handy you can perform the below code
certificate= certificate.CopyWithPrivateKey(key);
you have to import System.Security.Cryptography.X509Certificates;
You have 2 easy options
import certificate with private key (usually a pfx file) to certificate store. Then store.Certificates.Find will retrieve the certificate with private key.
Load pfx file into X509Certificate2 istance with one of its constructors new X509Certificate2(pfx_filename, password_to_pfx)
Here is my code.
X509Certificate pXCert = new X509Certificate2(#"keyStore.p12", "password");
RSACryptoServiceProvider csp = (RSACryptoServiceProvider)pXCert.PrivateKey;
string id = CryptoConfig.MapNameToOID("SHA256");
return csp.SignData(File.ReadAllBytes(filePath), id);
On the last line I'm getting the exception:
System.Security.Cryptography.CryptographicException "Invalid algorithm specified."
What am I doing wrong?
UPDATE:
id = 2.16.840.1.101.3.4.2.1
For dot net framework 4.7.0 or higher is not taking the sha1 so configure the below in application start. it's worked fine for me.
AppContext.SetSwitch("Switch.System.Security.Cryptography.Xml.UseInsecureHashAlgorithms", true);
AppContext.SetSwitch("Switch.System.Security.Cryptography.Pkcs.UseInsecureHashAlgorithms", true);
There is no issue with .NET code or the CSP code you provided.
Your problem is that CSP just doesn’t support SHA 256. You can get further information here
You might have come here while you are migrating your application from .NET Framework 4.7 and earlier versions to 4.7.1 or later versions.
If you are getting the exception System.Security.Cryptography.CryptographicException: Invalid algorithm specified., the reason is that default SignedXML and SignedXMS algorithms changed to SHA256 for applications that target the .NET Framework 4.7.1 and later versions (from Microsoft .NET migration guide)
In that guide you'll also find the solution:
For applications that target the .NET Framework 4.7.1 and later versions, if the use of SHA256 is undesirable, you can restore the default to SHA1 by adding the following configuration switch to the runtime section of your app config file:
<AppContextSwitchOverrides value="Switch.System.Security.Cryptography.Xml.UseInsecureHashAlgorithms=true;
Switch.System.Security.Cryptography.Pkcs.UseInsecureHashAlgorithms=true" />
But this may not always work, especially for web applications, as you can read in this blog post, fortunately along with the answer as well. It is only necessary to add some lines in the Application_Start
protected void Application_Start(object sender, EventArgs e)
{
[...]
AppContext.SetSwitch("Switch.System.Security.Cryptography.Xml.UseInsecureHashAlgorithms", true);
AppContext.SetSwitch("Switch.System.Security.Cryptography.Pkcs.UseInsecureHashAlgorithms", true);
}
Note that I use SHA512 but SHA256 will work with the below examples:
"Invalid algorithm specified" Took me forever to figure out and I tried practically everything.
Step 1 - the certificate has to be SHA512 and use a CSP (Cryptographic Service Provider) that is SHA512 Capable. Here is a list of CSPs and their capabilities. If you look for SHA512 you'll find the "Microsoft Enhanced RSA and AES Cryptographic Provider". By default generating certificates don't use this (at least in Windows) so you have to specify it when you create the certificate.
If you create the certificate with openssl, you can use the option -CSP below to set the correct CSP that will make it work. If you have an existing pfx, you can convert it to a PEM file with openssl, and then back to a pfx to add the option.
Create private key and certificate - this step will ask you questions, state, region etc etc.
openssl req -x509 -nodes -sha512 -newkey rsa:2048 -keyout 512key.pem -out 512cert.pem -days 3650
Create PFX file to import into your certificate store using the Microsoft Enhanced RSA and AES Cryptographic Provider:
openssl pkcs12 –export –in 512cert.pem –inkey 512key.pem –CSP “Microsoft Enhanced RSA and AES Cryptographic Provider” –out 512pfx.pfx
Step 2 : Props to Gonzalo Gallotti for posting the link to the piece of code that helped me. I commented up my code to show what each step is doing. NOTE: this code won't work without a properly generated certificate as described in step 1
public void GetCertificate() {
// Get the Machine Cert Store
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
string alg = CryptoConfig.MapNameToOID("SHA512");
// Open the cert store
store.Open(OpenFlags.ReadWrite);
// Loop through each certificate within the store
foreach (X509Certificate2 myCert in store.Certificates)
{
// Get the certificate we are looking for
if (myCert.IssuerName.Name.Contains("CN=YourSite"))
{
// Check if the certificate has a private key
if (myCert.HasPrivateKey)
{
// Get your custom signature as a string
string mySignature = GetSignatureString();
// Convert signature to byte array
byte[] originalData = Encoding.UTF8.GetBytes(mySignature);
// Create RSA provider from private key
RSACryptoServiceProvider rsaProvider = (RSACryptoServiceProvider)myCert.PrivateKey;
// Sign the signature with SHA512
byte[] signedSignature = signedSignature = rsaProvider.SignData(originalData, alg);
if (rsaProvider.VerifyData(originalData, alg, signedSignature))
{
// Signature is verified Do Stuff
}
else
{
throw new Exception("The data does not match the signature.");
}
}
}
}
}
Which CSP your certificate is using can be checked with certutil tool (on windows)
certutil yourCertificate.p12
Examples:
Microsoft Enhanced Cryptographic Provider v1.0 => throws error with C# 4.7 and above
Microsoft Enhanced RSA and AES Cryptographic Provider => works
Having a similar issue but just resolved it. If you are not using X509 but just the plain RSACryptoServiceProvider to get the keys, then only SHA1 is supported.
You can set the AppContext switches in a web config via appSettings:
<appSettings>
<add key="AppContext.SetSwitch:Switch.System.Security.Cryptography.Xml.UseInsecureHashAlgorithms" value="true" />
<add key="AppContext.SetSwitch:Switch.System.Security.Cryptography.Pkcs.UseInsecureHashAlgorithms" value="true" />
</appSettings>
I fixed the issue by upgrading my dependencies.
Instead of relying on the GAC version I was previously using for years, I switched to the latest NuGet packages (v16.8.0) of:
Microsoft.Build.Tasks.Core
Microsoft.Build.Utilities.Core
Microsoft.Build.Framework
This fixed this issue for us.