Aspnetcore: Support decrypting keys with a certificate not stored in the certificate store

Created on 1 Jan 2018 · 7 Comments · Source: dotnet/aspnetcore

_From @nenadvicentic on Wednesday, December 13, 2017 2:07:26 AM_

Current implementation of EncryptedXmlDecryptor is dependent on the Windows certificate store.

While it is possible to specify a "standalone" certificate for encryption for CertificateXmlEncryptor via the constructor accepting X509Certificate2, EncryptedXmlDecryptor will search for the same certificate in the Windows certificate store based on its thumbprint and crash.

All that is needed for this is to add an additional line in the Decrypt method of EncryptedXmlDecryptor:

            // Perform the decryption and update the document in-place.
            var encryptedXml = new EncryptedXml(xmlDocument);
            encryptedXml.AddKeyNameMapping(x509Certificate2.Thumbprint, x509Certificate2.PrivateKey); // new line
            _decryptor.PerformPreDecryptionSetup(encryptedXml);
            encryptedXml.DecryptDocument();

The only thing missing would be to pass the X509Certificate2 to the decryptor.

Currently, to achieve the same thing, one has to make a completely new implementation of IXmlEncryptor, IXmlDecryptor and the related extension methods for IDataProtectBuilder configuration.

_Copied from original issue: aspnet/DataProtection#290_

Labels: Done, area-dataprotection, enhancement

All 7 comments

_From @blowdart on Wednesday, December 13, 2017 2:37:17 PM_

@GrabYourPitchforks thoughts?

_From @GrabYourPitchforks on Wednesday, December 13, 2017 2:45:40 PM_

Seems like a reasonable suggestion. The implementation isn't intended to be tied solely to the Windows cert store. It's just that nothing else was available when the APIs were created.

_From @blowdart on Tuesday, December 19, 2017 2:58:43 PM_

@muratg Can we schedule this for 2.1?

@blowdart I looked into this, and this is basically the same issue as https://github.com/aspnet/DataProtection/issues/286. When EncryptedXml was produced with an X509Certificate, the framework will _only_ use keys from the X509Store. Keys added via EncryptedXml.AddKeyNameMapping are not used. It may be possible to work around it.

@bartonjs is there any reason that EncryptedXml _shouldn't_ use the private key from an X509Certificate that is not in an X509Store?

@nenadvicentic can you try this workaround? You should be able to add an X509Certificate2 to the "CurrentUser/My" store. This should work, even on Linux/macOS in .NET Core 2.0.

```c#
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
store.Add(new X509Certificate2(filePathToYourCert, "password", X509KeyStorageFlags.Exportable));
store.Close();
```

@muratg See that can we schedule it? We _should_

@natemcmaster Nope. For the most part the class operates on keys, not certs. It's just the "convenience wrappers" that work with certs, and then don't accept a collection for "your decryption cert might be here".

@blowdart Look, I gave an answer to a crypto-XML problem without complaining that someone was using it. Then blew it by making this comment. Consistency attained.
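The store-based workaround suggested in the thread, written out end to end as an added example; it is not part of this issue or of the ASP.NET Core code base. It assumes the PFX path and password arrive from the host's configuration (placeholders below), a hypothetical helper named EnsureCertificateInStore, and the public Microsoft.AspNetCore.DataProtection extension methods AddDataProtection, PersistKeysToFileSystem and ProtectKeysWithCertificate. The key-ring directory path is a constructed sample value.

```csharp
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class DataProtectionSetup
{
    // Hypothetical helper (not a framework API): loads the certificate from a PFX file and,
    // if it is not already present, places it in the CurrentUser/My store so that
    // EncryptedXmlDecryptor can find the private key by thumbprint at unprotect time.
    public static X509Certificate2 EnsureCertificateInStore(string pfxPath, string pfxPassword)
    {
        // Exportable mirrors the flag used in the thread's snippet; see the note below
        // on what that implies for the private key.
        var cert = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.Exportable);

        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadWrite);

            // Match on thumbprint rather than subject so a re-run does not add duplicates
            // and an unrelated certificate with the same subject is never picked up.
            var existing = store.Certificates.Find(
                X509FindType.FindByThumbprint, cert.Thumbprint, validOnly: false);

            if (existing.Count == 0)
            {
                store.Add(cert);
            }
        }

        return cert;
    }

    // Wires Data Protection so the key ring on disk is encrypted with the certificate.
    // Decryption later relies on the same certificate being resolvable from the store,
    // which is exactly what the thread reports the built-in decryptor requires.
    public static void ConfigureServices(IServiceCollection services, string pfxPath, string pfxPassword)
    {
        var cert = EnsureCertificateInStore(pfxPath, pfxPassword);

        services.AddDataProtection()
            // Constructed sample path; use the directory your deployment actually persists keys to.
            .PersistKeysToFileSystem(new DirectoryInfo("/var/app/keys"))
            .ProtectKeysWithCertificate(cert);
    }
}

// Usage (for example from Startup.ConfigureServices); the PFX path and password
// are placeholders that should come from configuration or a secret store, not source.
// DataProtectionSetup.ConfigureServices(services, "<path-to-pfx>", "<pfx-password>");
```

Two points worth checking when using this: the certificate has to be present in the store of every account the application runs as, since the store is per user, and the Exportable flag from the thread's snippet means any code running under that account can re-export the private key, so the account itself is the boundary protecting the key ring. The thumbprint check keeps the helper idempotent across restarts, which is what lets it sit in startup code without growing the store.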
