I am migrating a .NetFramework 4.6.1 library to a .NetCore 2.2. But i am unable to set x509certificate.PrivateKey as shown below.
I have read that may be due to the RSAServiceProvider but i am unaware how to set this property. Even instantiating:
x509certificate.PrivateKey = new RSACryptoServiceProvider();
throws the PlatformNotSupportedException.
// selfsign certificate
Org.BouncyCastle.X509.X509Certificate certificate =
certificateGenerator.Generate(signatureFactory);
// correponding private key
PrivateKeyInfo info =
PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);
// merge into X509Certificate2
var x509certificate = new X509Certificate2(certificate.GetEncoded());
Asn1Sequence seq = (Asn1Sequence)
Asn1Object.FromByteArray(info.ParsePrivateKey().GetDerEncoded()
);
RsaPrivateKeyStructure rsa = RsaPrivateKeyStructure.GetInstance(seq);
RsaPrivateCrtKeyParameters rsaParams = new
RsaPrivateCrtKeyParameters(
rsa.Modulus,
rsa.PublicExponent,
rsa.PrivateExponent,
rsa.Prime1,
rsa.Prime2,
rsa.Exponent1,
rsa.Exponent2,
rsa.Coefficient);
x509certificate.PrivateKey = DotNetUtilities.ToRSA(rsaParams);
In the .NetCore library setting x509certificate.PrivateKey with the RSA from DotNetUtilities.ToRSA(rsaParams) throws an PlatformNotSupportedException.
System.PlatformNotSupportedException
HResult=0x80131539
Message=Operation is not supported on this platform.
Source=System.Security.Cryptography.X509Certificates
StackTrace:
at System.Security.Cryptography.X509Certificates.X509Certificate2.set_PrivateKey(AsymmetricAlgorithm value)
As LexLi said, setting the private key on an existing certificate is not possible by design in .net core.
Following what is described here, what you can do is use the method RSACertificateExtensions.CopyWithPrivateKey.
Instead of
x509certificate.PrivateKey = DotNetUtilities.ToRSA(rsaParams);
you could have
var rsa = DotNetUtilities.ToRSA(rsaParams);
var cert = x509certificate.CopyWithPrivateKey(rsa);
return cert;
To get access to the "CopyWithPrivateKey" extension method, add this using :
using System.Security.Cryptography.X509Certificates; /* for getting access to extension methods in RSACertificateExtensions */
"(CopyWithPrivateKey) Combines a private key with the public key of an RSA certificate to generate a new RSA certificate."
The provided solution did not help me, so I'll be leaving this solution here hoping it will help the next person having this problem.
Using CertBuilder().ConvertBouncyCert it's possible to convert a BouncyCastle X509Certificate to a X509Certificate2 with the public/private key embedded.
X509Certificate2 _x509certificate2 = new CertBuilder().ConvertBouncyCert(_bouncyCertificate, subjectKeyPair);
And the full example i'm using it in (based on the answer provided here: Bouncy Castle's X509V3CertificateGenerator.SetSignatureAlgorithm marked obsolete. What do I do?).
public static X509Certificate2 CreateSelfSignedCertificateBasedOnCertificateAuthorityPrivateKey(string ipAddress, string issuerName, AsymmetricKeyParameter issuerPrivKey)
{
const int keyStrength = 4096;
// Generating Random Numbers
CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
SecureRandom random = new SecureRandom(randomGenerator);
ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerPrivKey, random);
// The Certificate Generator
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage((new List<DerObjectIdentifier>() { new DerObjectIdentifier("1.3.6.1.5.5.7.3.1"), new DerObjectIdentifier("1.3.6.1.5.5.7.3.2") })));
// Serial Number
BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
certificateGenerator.SetSerialNumber(serialNumber);
// Issuer and Subject Name
X509Name subjectDN = new X509Name("CN=" + ipAddress);
X509Name issuerDN = new X509Name(issuerName);
certificateGenerator.SetIssuerDN(issuerDN);
certificateGenerator.SetSubjectDN(subjectDN);
// Valid For
DateTime notBefore = DateTime.UtcNow.Date;
DateTime notAfter = notBefore.AddYears(2);
certificateGenerator.SetNotBefore(notBefore);
certificateGenerator.SetNotAfter(notAfter);
// Subject Public Key
AsymmetricCipherKeyPair subjectKeyPair;
var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
var keyPairGenerator = new RsaKeyPairGenerator();
keyPairGenerator.Init(keyGenerationParameters);
subjectKeyPair = keyPairGenerator.GenerateKeyPair();
certificateGenerator.SetPublicKey(subjectKeyPair.Public);
GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.IPAddress, ipAddress));
certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);
// self sign certificate
Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);
X509Certificate2 certificate2 = new CertBuilder().ConvertBouncyCert(certificate, subjectKeyPair);
return certificate2;
}
Used nuget packages:
User contributions licensed under CC BY-SA 3.0