Develop Reference

c# - validating signed XML

I have a problem with validating signed XML.
Maybe you can help me :)
I have an ASP.NET MVC service, which receives an XML and I need to validate if signature in this XML is valid.
Certificate I'm using for validation looks like this:
cert.crt file:
-----BEGIN CERTIFICATE-----
MIIDcjCCAlqgAwIBAgIFALVBJRQwDQYJKoZIhvcNAQEFBQAwaTELMAkGA1UEBhMCREUxDz ............
-----END CERTIFICATE-----
My code for signature validation:
var xmlDoc = new XmlDocument { PreserveWhitespace = true };
xmlDoc.LoadXml(samlXML);
var signedXml = new SignedXml(xmlDoc);
var certPath = HostingEnvironment.MapPath(#"~/App_Data/cert.crt");
var readAllBytes = File.ReadAllBytes(certPath);
X509Certificate2 certificate = new X509Certificate2(readAllBytes);
XmlNodeList signatureElement = xmlDoc.GetElementsByTagName("ds:Signature");
signedXml.LoadXml((XmlElement)signatureElement[0]);
var isValid = signedXml.CheckSignature(certificate, true);
XML is signed by :
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
This line
X509Certificate2 certificate = new X509Certificate2(readAllBytes);
Throws an error
Object was not found.
What am I doing wrong?

According to the docs the byte array must be either binary encoded (DER format) or Base64-encoded X.509 data. You have something else on your hands, which is why the constructor can't handle your data.
Check the docs for more information.

Get Timestamp of signature in X509Certificate in C#

Where can I get the date and the time of a signature?
Now I get the certificate information with this code:
var signer = X509Certificate2.CreateFromSignedFile(fileName);
var certificate = new X509Certificate2(signer);
And I can read some properties, but I cannot find WHEN the file was signed.
Thank you

Problems loading a pfx file programmatically

I am trying to create a self-signed certificate and then reading it at some point.
This is the code for creating the pfx file: (source)
public static void CreateSelfSignedCertificate(string subjectName)
{
string pathToCertificate = CommonHelper.MapPath($"path_to_certificate/{TokenSigningCertificateName}");
if (!File.Exists(pathToCertificate))
{
// create DN for subject and issuer
var dn = new CX500DistinguishedName();
dn.Encode("CN=" + subjectName, X500NameFlags.XCN_CERT_NAME_STR_NONE);
// create a new private key for the certificate
CX509PrivateKey privateKey = new CX509PrivateKey();
privateKey.ProviderName = "Microsoft Base Cryptographic Provider v1.0";
privateKey.MachineContext = true;
privateKey.Length = 2048;
privateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE; // use is not limited
privateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG;
privateKey.Create();
// Use the stronger SHA512 hashing algorithm
var hashobj = new CObjectId();
hashobj.InitializeFromAlgorithmName(ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID,
ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY,
AlgorithmFlags.AlgorithmFlagsNone, "SHA512");
// add extended key usage if you want - look at MSDN for a list of possible OIDs
var oid = new CObjectId();
oid.InitializeFromValue("1.3.6.1.5.5.7.3.1"); // SSL server
var oidlist = new CObjectIds();
oidlist.Add(oid);
var eku = new CX509ExtensionEnhancedKeyUsage();
eku.InitializeEncode(oidlist);
// Create the self signing request
var cert = new CX509CertificateRequestCertificate();
cert.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, privateKey, "");
cert.Subject = dn;
cert.Issuer = dn; // the issuer and the subject are the same
cert.NotBefore = DateTime.Now;
// this cert expires immediately. Change to whatever makes sense for you
cert.NotAfter = DateTime.Now;
cert.X509Extensions.Add((CX509Extension) eku); // add the EKU
cert.HashAlgorithm = hashobj; // Specify the hashing algorithm
cert.Encode(); // encode the certificate
// Do the final enrollment process
var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert); // load the certificate
enroll.CertificateFriendlyName = subjectName; // Optional: add a friendly name
string csr = enroll.CreateRequest(); // Output the request in base64
// and install it back as the response
enroll.InstallResponse(InstallResponseRestrictionFlags.AllowUntrustedCertificate,
csr, EncodingType.XCN_CRYPT_STRING_BASE64, ""); // no password
// output a base64 encoded PKCS#12 so we can import it back to the .Net security classes
var base64encoded = enroll.CreatePFX("", // no password, this is for internal consumption
PFXExportOptions.PFXExportChainWithRoot);
File.WriteAllText(pathToCertificate, base64encoded);
}
}
And this is the code for loading it:
public static X509Certificate2 GetTokenSigningCertificate()
{
string pathToCertificate = CommonHelper.MapPath($"path_to_certificate/{TokenSigningCertificateName}");
X509Certificate2 certificate = new X509Certificate2(pathToCertificate, "");
return certificate;
}
The problem is I am getting:
An error occurred during encode or decode operation.
System.Security.Cryptography.CryptographicException
at
System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32
hr) at
System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String
fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet,
SafeCertContextHandle& pCertCtx) at
System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String
fileName, Object password, X509KeyStorageFlags keyStorageFlags) at
System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String
fileName, String password)
Any ideas?

You seem to be exporting your PFX as base64. Unlike certificates, keys, PKCS#7 blobs, and PKCS#8 blobs, PKCS#12/PFX blobs have no defined PEM header. As a consequence, the PFX reading pipeline probably doesn't have a Base64-decode attached to it.
So the simple answer is likely to emit it with the binary encoding (and thus File.WriteAllBytes()) instead of base64.

Loading X509Certificate2 certificate chain from store

I have a file (.p12) that contains 3 certificates (chained together) password-protected, that i have installed on my store.
I'm trying to load them to my code.
The way I load them from the file is like this:
var clientCert = new X509Certificate2(#"myfile.p12", "mypassword");
How can i achieve the same result while loading them from the store?
I've tried:
var computerCaStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
computerCaStore.Open(OpenFlags.ReadOnly);
var certificates = computerCaStore.Certificates.OfType<X509Certificate2>().ToLi‌​st();
var certFromStore = certificates.Single(c => c.Thumbprint == thumbprintMerchant);
var newCert = new X509Certificate2(certFromStore.RawData, "mypassword");

certFromStore should be equivalent to clientCert, the last line is what's breaking you.
The RawData property on X509Certificate2 returns the DER-encoded value for the certificate, not the original file bytes. A certificate does not have a private key, so the last line strips it away. Your question had previously mentioned a TLS exception, and that is because your cert no longer has a private key.
If certFromStore.HasPrivateKey is false, then whatever you did to put the certificate into the store didn't work the way you think it did. It's pretty unusual for a certificate with a private key to be in the Root store.

How to serialize and deserialize a PFX certificate in Azure Key Vault?

I have a bunch of strings and pfx certificates, which I want to store in Azure Key vault, where only allowed users/apps will be able to get them. It is not hard to do store a string as a Secret, but how can I serialize a certificate in such way that I could retrieve it and deserialize as an X509Certificate2 object in C#?
I tried to store it as a key. Here is the Azure powershell code
$securepfxpwd = ConvertTo-SecureString -String 'superSecurePassword' -AsPlainText -Force
$key = Add-AzureKeyVaultKey -VaultName 'UltraVault' -Name 'MyCertificate' -KeyFilePath 'D:\Certificates\BlaBla.pfx' -KeyFilePassword $securepfxpwd
But when I tried to get it with GetKeyAsync method, I couldn't use it.

Here's a PowerShell script for you. Replace the file path, password, vault name, secret name.
$pfxFilePath = 'C:\mycert.pfx'
$pwd = '123'
$flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($pfxFilePath, $pwd, $flag)
$pkcs12ContentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
$clearBytes = $collection.Export($pkcs12ContentType)
$fileContentEncoded = [System.Convert]::ToBase64String($clearBytes)
$secret = ConvertTo-SecureString -String $fileContentEncoded -AsPlainText –Force
$secretContentType = 'application/x-pkcs12'
Set-AzureKeyVaultSecret -VaultName 'myVaultName' -Name 'mySecretName' -SecretValue $Secret -ContentType $secretContentType
This is a common question, so we are going to polish this up and release as a helper.
The script above strips the password because there's no value in having a password protected PFX and then storing the password next to it.

The original question asked how to retrieve the stored PFX as an X509Certificate2 object. Using a Base64 process similar to that posted by Sumedh Barde above (which has the advantage of stripping the password), the following code will return a X509 object. In a real application, the KeyVaultClient should be cached if you're retrieving multiple secrets, and the individual secrets should also be cached.
public static async Task<X509Certificate2> GetSecretCertificateAsync(string secretName)
{
string baseUri = #"https://xxxxxxxx.vault.azure.net/secrets/";
var provider = new AzureServiceTokenProvider();
var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback));
var secretBundle = await client.GetSecretAsync($"{baseUri}{secretName}").ConfigureAwait(false);
string pfx = secretBundle.Value;
var bytes = Convert.FromBase64String(pfx);
var coll = new X509Certificate2Collection();
coll.Import(bytes, "certificatePassword", X509KeyStorageFlags.Exportable);
return coll[0];
}

Here is how I solved this. First, convert your PFX file to a base64 string. You can do that with these two simple PowerShell commands:
$fileContentBytes = get-content 'certificate.pfx' -Encoding Byte
[System.Convert]::ToBase64String($fileContentBytes) | Out-File 'certificate_base64.txt'
Create a secret in Azure Key Vault via the Azure Portal. Copy the certificate base64 string that you created previously and paste it in the secret value field in your Azure Key Vault via the Azure Portal. Then simply call the Azure Key Vault from the code to get the base64 string value and convert that to a X509Certificate2:
private async Task<X509Certificate2> GetCertificateAsync()
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync("https://path/to/key/vault").ConfigureAwait(false);
var pfxBase64 = secret.Value;
var bytes = Convert.FromBase64String(pfxBase64);
var coll = new X509Certificate2Collection();
coll.Import(bytes, "certificatePassword", X509KeyStorageFlags.Exportable);
return coll[0];
}

See the following answer, which describes how to do this using the latest .NET Azure SDK client libraries:
How can I create an X509Certificate2 object from an Azure Key Vault KeyBundle

Here is the script for uploading pfx certificate in python using azure cli
azure keyvault secret set --vault-name <Valut name> --secret-name <Secret Name> --value <Content of PFX file>
Getting the content of PFX file in python
fh = open(self.getPfxFilePath(), 'rb')
try:
ba = bytearray(fh.read())
cert_base64_str = base64.b64encode(ba)
password = self.getPassword()
json_blob = {
'data': cert_base64_str,
'dataType': 'pfx',
'password': password
}
blob_data= json.dumps(json_blob)
content_bytes= bytearray(blob_data)
content = base64.b64encode(content_bytes)
return content
finally:
fh.close
fh.close()