EldoS | Feel safer!
FromX509Certificate not copying private key?

#27992
Posted: 01/14/2014 12:12:27
by Peter Palotas (Basic support level)
Joined: 11/01/2012
Posts: 49

When running TElX509Certificate.FromX509Certificate2 on a certificate with a private key, the private key does not seem to be copied to the EldoS certificate. Couldn't find any documentation for these methods, but it seems a bit strange.

The ToX509Certificate2 method has a parameter explicitly specifying whether or not to copy the private key, but the FromX509Certificate2 method has no such parameter, so they do not seem to be completely symmetrical?

Is this by design, or is it a bug?

The code I tested with was the following:
Code
TElX509Certificate eldosCert = storage.get_Certificates(3);
Console.WriteLine("TElX509Certificate has private key: {0}", eldosCert.PrivateKeyExists);

X509Certificate2 dotNetCert = eldosCert.ToX509Certificate2(true);
Console.WriteLine("X509Certificate2 has private key: {0}", dotNetCert.HasPrivateKey);

eldosCert = new TElX509Certificate();
eldosCert.FromX509Certificate2(dotNetCert);
Console.WriteLine("TElX509Certificate has private key: {0}", eldosCert.PrivateKeyExists);

which generates the following output (on my system with this particular certificate anyway):

TElX509Certificate has private key: True
X509Certificate2 has private key: True
TElX509Certificate has private key: False

If it is not a bug, what is the best way to perform such a conversion and also getting the private key over? I tried the following code which seems to work, albeit a bit slow:
Code
byte[] buffer = dotNetCert.Export(X509ContentType.Pkcs12);
eldosCert.LoadFromBufferAuto(buffer, 0, buffer.Length, "");


Is there a better (faster) way to do this?
#27993
Posted: 01/14/2014 12:14:59
by Eugene Mayevski (EldoS Corp.)

The best way is not to use .NET certificates. There's nothing in .NET in regards to X.509 which you can't do in SecureBlackbox with fewer limitations and less hassle.


Sincerely yours
Eugene Mayevski
#27994
Posted: 01/14/2014 12:24:28
by Peter Palotas (Basic support level)
Joined: 11/01/2012
Posts: 49

Yes, in a perfect world I could do that, but unfortunately I have to work with other code that I cannot change and that uses the X509Certificate format, so I need to be able to convert between these.
#27995
Posted: 01/14/2014 12:28:07
by Eugene Mayevski (EldoS Corp.)

Can you please describe what exactly that code does that you can't change or replace it?


Sincerely yours
Eugene Mayevski
#27996
Posted: 01/14/2014 12:29:08
by Eugene Mayevski (EldoS Corp.)

On a side note, we will surely check what happens with visibility and accessibility of the private key after the certificate is copied.


Sincerely yours
Eugene Mayevski
#27999
Posted: 01/14/2014 12:36:40
by Peter Palotas (Basic support level)
Joined: 11/01/2012
Posts: 49

Quote
Eugene Mayevski wrote:
Can you please describe what exactly that code does that you can't change or replace it?


Basically, it is a requirement of the interface of the component I am currently working on that it must return a standard .NET X509Certificate2, for interoperability with other code and the .NET framework.

Quote
Eugene Mayevski wrote:
On a side note, we will surely check what happens with visibility and accessibility of the private key after the certificate is copied.


Good, looking forward to hearing what you find out about this.

Regards, Peter.
#28004
Posted: 01/15/2014 01:10:07
by Ken Ivanov (EldoS Corp.)

Hello Peter,

Just wish to confirm that we reproduced the issue locally and are working on it at the moment. We will keep you updated on the status of the problem.
#28005
Posted: 01/15/2014 01:20:53
by Ken Ivanov (EldoS Corp.)

Peter,

To resolve the issue, please correct your code in the following way:

Code
TElX509Certificate eldosCert = storage.get_Certificates(3);
Console.WriteLine("TElX509Certificate has private key: {0}", eldosCert.PrivateKeyExists);

X509Certificate2 dotNetCert = eldosCert.ToX509Certificate2(true);
Console.WriteLine("X509Certificate2 has private key: {0}", dotNetCert.HasPrivateKey);

eldosCert = new TElX509Certificate();
eldosCert.CryptoProvider = SBCryptoProvWin32.Unit.Win32CryptoProvider(); // <-- add this line
eldosCert.FromX509Certificate2(dotNetCert);
Console.WriteLine("TElX509Certificate has private key: {0}", eldosCert.PrivateKeyExists);


I think it makes sense to set the crypto provider automatically in the FromX509Certificate2() method. We will update the code accordingly.
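Putting the fix from this reply and the PKCS#12 workaround from the first post together into one conversion helper that also verifies the private key actually arrived (added example, not EldoS or SecureBlackbox code; the SBX509 namespace for TElX509Certificate is assumed):

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using SBX509;            // TElX509Certificate (namespace assumed)
using SBCryptoProvWin32; // Unit.Win32CryptoProvider(), as used in the reply above

static class CertConversion
{
    // Converts a .NET X509Certificate2 into a TElX509Certificate and
    // fails loudly if a private key present on the input is missing on the output.
    public static TElX509Certificate ToEldos(X509Certificate2 dotNetCert)
    {
        var eldosCert = new TElX509Certificate();

        // Fix from the thread: assign the Win32 crypto provider BEFORE calling
        // FromX509Certificate2, otherwise the private key is not carried over.
        eldosCert.CryptoProvider = SBCryptoProvWin32.Unit.Win32CryptoProvider();
        eldosCert.FromX509Certificate2(dotNetCert);

        if (dotNetCert.HasPrivateKey && !eldosCert.PrivateKeyExists)
        {
            // Fallback from the first post: round-trip through PKCS#12.
            // Export throws CryptographicException when the key is not marked
            // exportable, and the blob is protected only by an empty password,
            // so the buffer is cleared as soon as it has been consumed.
            byte[] buffer = dotNetCert.Export(X509ContentType.Pkcs12);
            try
            {
                eldosCert.LoadFromBufferAuto(buffer, 0, buffer.Length, "");
            }
            finally
            {
                Array.Clear(buffer, 0, buffer.Length);
            }
        }

        // Symmetry check: private-key presence must match on both sides.
        if (dotNetCert.HasPrivateKey != eldosCert.PrivateKeyExists)
            throw new CryptographicException("Private key was lost during conversion.");

        return eldosCert;
    }
}
```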
#28006
Posted: 01/15/2014 02:07:19
by Peter Palotas (Basic support level)
Joined: 11/01/2012
Posts: 49

Thank you very much for this answer. This seems to work very well.

Sincerely, Peter.