Error setting X509Certificate2 PrivateKey

9

I am migrating a .NetFramework 4.6.1 library to a .NetCore 2.2. But i am unable to set x509certificate.PrivateKey as shown below.

I have read that may be due to the RSAServiceProvider but i am unaware how to set this property. Even instantiating:
x509certificate.PrivateKey = new RSACryptoServiceProvider();
throws the PlatformNotSupportedException.

// selfsign certificate
Org.BouncyCastle.X509.X509Certificate certificate = 
certificateGenerator.Generate(signatureFactory);

// correponding private key
PrivateKeyInfo info = 
PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);

// merge into X509Certificate2
var x509certificate = new X509Certificate2(certificate.GetEncoded());

Asn1Sequence seq = (Asn1Sequence)
Asn1Object.FromByteArray(info.ParsePrivateKey().GetDerEncoded() 
);

RsaPrivateKeyStructure rsa = RsaPrivateKeyStructure.GetInstance(seq);
RsaPrivateCrtKeyParameters rsaParams = new 
RsaPrivateCrtKeyParameters(
rsa.Modulus,
rsa.PublicExponent,
rsa.PrivateExponent,
rsa.Prime1,
rsa.Prime2,
rsa.Exponent1,
rsa.Exponent2,
rsa.Coefficient);

x509certificate.PrivateKey = DotNetUtilities.ToRSA(rsaParams);

In the .NetCore library setting x509certificate.PrivateKey with the RSA from DotNetUtilities.ToRSA(rsaParams) throws an PlatformNotSupportedException.

System.PlatformNotSupportedException
  HResult=0x80131539
  Message=Operation is not supported on this platform.
  Source=System.Security.Cryptography.X509Certificates
  StackTrace:
   at System.Security.Cryptography.X509Certificates.X509Certificate2.set_PrivateKey(AsymmetricAlgorithm value)
c#
.net-core
asked on Stack Overflow Feb 18, 2019 by John

2 Answers

19

As LexLi said, setting the private key on an existing certificate is not possible by design in .net core.

Following what is described here, what you can do is use the method RSACertificateExtensions.CopyWithPrivateKey.

Instead of 

x509certificate.PrivateKey = DotNetUtilities.ToRSA(rsaParams);

you could have

var rsa = DotNetUtilities.ToRSA(rsaParams);
var cert = x509certificate.CopyWithPrivateKey(rsa);
return cert;

To get access to the "CopyWithPrivateKey" extension method, add this using : 

using System.Security.Cryptography.X509Certificates; /* for getting access to extension methods in RSACertificateExtensions */

"(CopyWithPrivateKey) Combines a private key with the public key of an RSA certificate to generate a new RSA certificate."

https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.rsacertificateextensions.copywithprivatekey?view=netcore-3.0

answered on Stack Overflow Feb 19, 2019 by JCruz • edited Dec 4, 2019 by granadaCoder
2

The provided solution did not help me, so I'll be leaving this solution here hoping it will help the next person having this problem.

Using CertBuilder().ConvertBouncyCert it's possible to convert a BouncyCastle X509Certificate to a X509Certificate2 with the public/private key embedded.

X509Certificate2 _x509certificate2 = new CertBuilder().ConvertBouncyCert(_bouncyCertificate, subjectKeyPair);

And the full example i'm using it in (based on the answer provided here: Bouncy Castle's X509V3CertificateGenerator.SetSignatureAlgorithm marked obsolete. What do I do?).

        public static X509Certificate2 CreateSelfSignedCertificateBasedOnCertificateAuthorityPrivateKey(string ipAddress, string issuerName, AsymmetricKeyParameter issuerPrivKey)
    {
        const int keyStrength = 4096;

        // Generating Random Numbers            
        CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
        SecureRandom random = new SecureRandom(randomGenerator);
        ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerPrivKey, random);
        // The Certificate Generator
        X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
        certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage((new List<DerObjectIdentifier>() { new DerObjectIdentifier("1.3.6.1.5.5.7.3.1"), new DerObjectIdentifier("1.3.6.1.5.5.7.3.2") })));

        // Serial Number
        BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
        certificateGenerator.SetSerialNumber(serialNumber);

        // Issuer and Subject Name
        X509Name subjectDN = new X509Name("CN=" + ipAddress);
        X509Name issuerDN = new X509Name(issuerName);
        certificateGenerator.SetIssuerDN(issuerDN);
        certificateGenerator.SetSubjectDN(subjectDN);

        // Valid For
        DateTime notBefore = DateTime.UtcNow.Date;
        DateTime notAfter = notBefore.AddYears(2);

        certificateGenerator.SetNotBefore(notBefore);
        certificateGenerator.SetNotAfter(notAfter);

        // Subject Public Key
        AsymmetricCipherKeyPair subjectKeyPair;
        var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
        var keyPairGenerator = new RsaKeyPairGenerator();
        keyPairGenerator.Init(keyGenerationParameters);
        subjectKeyPair = keyPairGenerator.GenerateKeyPair();

        certificateGenerator.SetPublicKey(subjectKeyPair.Public);

        GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.IPAddress, ipAddress));
        certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);

        // self sign certificate
        Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);

        X509Certificate2 certificate2 = new CertBuilder().ConvertBouncyCert(certificate, subjectKeyPair);
        return certificate2;
    }

Used nuget packages:

  • Portable.BouncyCastle by Oren Novotny version 1.8.5
  • CryptLink.CertBuilder by Jermy Peterson version 1.1.0
answered on Stack Overflow Feb 25, 2019 by Bresniv H. • edited Jul 19, 2019 by Bresniv H.

User contributions licensed under CC BY-SA 3.0