Runtime: CngKey.Export The requested operation is not supported [Windows]

Created on 29 Apr 2018 · 6 Comments · Source: dotnet/runtime

Can't get RSAParameters on Windows.

Code to reproduce:
```C#
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

namespace TestRSA
{
    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                X509Certificate2 cert = new X509Certificate2("certificate.pfx", "password");
                RSAParameters rsaKey = cert.GetRSAPrivateKey().ExportParameters(true);
                Console.WriteLine(string.Join("", rsaKey.P.Select(x => string.Format("{0:x2}", x))));
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.Message);
                Console.WriteLine(ex.StackTrace);
            }
        }
    }
}
```

on Windows 10/8.1 returns:

```
dotnet TestRSA.dll
The requested operation is not supported
at System.Security.Cryptography.CngKey.Export(CngKeyBlobFormat format)
at System.Security.Cryptography.RSACng.ExportKeyBlob(Boolean includePrivateParameters)
at System.Security.Cryptography.RSACng.ExportParameters(Boolean includePrivateParameters)
at TestRSA.Program.Main(String[] args) in D:\VS\TestRSA\TestRSA\Program.cs:line 15
```

on Ubuntu 16.04

```
$ dotnet TestRSA.dll
da32f2af4800f9f945bd0c8185e9a78b0e0.....
```

Additional info:

```
dotnet --info
.NET Command Line Tools (2.1.105)

Product Information:
Version: 2.1.105
Commit SHA-1 hash: 141cc8d976

Runtime Environment:
OS Name: Windows
OS Version: 10.0.16299
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\2.1.105

Microsoft .NET Core Shared Framework Host

Version : 2.0.7
Build : 2d61d0b043915bc948ebf98836fefe9ba942be11


$ dotnet --info

Microsoft .NET Core Shared Framework Host

Version : 2.0.5
Build : 17373eb129b3b05aa18ece963f8795d65ef8ea54
```

area-System.Security

All 6 comments

When you opened the cert from a PFX you didn't specify X509KeyStorageFlags.Exportable. On Linux keys are always exportable, but on Windows and macOS they aren't always.

Thanks!
Now it works!

```C#
X509Certificate2 cert = new X509Certificate2("certificate.pfx", "password", X509KeyStorageFlags.Exportable);
```

I searched everywhere, but didn't find where the issue is. The error message isn't informative, and I decided that it isn't implemented on Windows.

> When you opened the cert from a PFX you didn't specify X509KeyStorageFlags.Exportable. On Linux keys are always exportable, but on Windows and macOS they aren't always.

I have created a self-signed RSA certificate and stored the private key as a .pfx file. Then from my .NET Core 3.1 code I'm trying to instantiate the X509Certificate2 object with the .pfx file. The X509Certificate2 instance is created successfully, but from ExportParameters(true) I'm getting the same error though I have set the X509KeyStorageFlags.Exportable. Please help me.

```C#
X509Certificate2 certificate2 = new X509Certificate2(privateKeyData, _privateKeyPwd, X509KeyStorageFlags.Exportable);
RSAParameters rSAParameters = certificate2.GetRSAPrivateKey().ExportParameters(true);
```

Exception:

```
Internal.Cryptography.CryptoThrowHelper.WindowsCryptographicException: 'The requested operation is not supported.
```

I'm experiencing the same issue as @ajitsamanta
Any guidance would be great.

@bartonjs Any updates on how this is supposed to work?

Exportable ends up meaning two different things depending on if the key got loaded into Windows CAPI or Windows CNG. For CAPI it means ... exportable -- ExportParameters will work, and exporting as a PFX will work. For CNG it ends up meaning "exportable if encrypted", so PFX export works, and ExportEncryptedPkcs8PrivateKey works... but ExportParameters and ExportPkcs8PrivateKey do not.

One work-around is to do something like

```C#
using (RSA tmp = RSA.Create())
using (RSA key = cert.GetRSAPrivateKey())
{
    PbeParameters pbeParameters = ...;
    // CNG keys only allow the encrypted PKCS#8 export, so round-trip through it.
    tmp.ImportEncryptedPkcs8PrivateKey(pwd, key.ExportEncryptedPkcs8PrivateKey(pwd, pbeParameters), out _);
    return tmp.ExportParameters(true);
}
```

We -could- do something like that in the platform when we get an error, but we've thus far resisted doing it. What's the scenario that requires you to use ExportParameters(true)?
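
A fuller version of the work-around above, as an added example that is not part of the original thread or of dotnet/runtime: it tries the plain export first and falls back to the encrypted PKCS#8 round trip only when the key refuses. `RsaKeyExport` and `ExportPrivateParameters` are hypothetical names, and the code assumes .NET Core 3.0 or later (for `PbeParameters` and the encrypted PKCS#8 APIs).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class RsaKeyExport
{
    // Hypothetical helper: returns the private RSAParameters of a certificate whose key
    // may be held by CAPI (plain export allowed) or CNG (only encrypted export allowed).
    public static RSAParameters ExportPrivateParameters(X509Certificate2 cert)
    {
        using (RSA key = cert.GetRSAPrivateKey())
        {
            if (key == null)
                throw new InvalidOperationException("Certificate has no RSA private key.");
            try
            {
                return key.ExportParameters(true); // succeeds for CAPI keys and on Linux
            }
            catch (CryptographicException)
            {
                // CNG key: fall through to the encrypted PKCS#8 round trip below.
            }

            // Throwaway random password: it only protects the blob while it moves
            // between the two RSA objects, so one KDF iteration is enough here.
            byte[] pwdBytes = new byte[32];
            RandomNumberGenerator.Fill(pwdBytes);
            string pwd = Convert.ToBase64String(pwdBytes);
            var pbe = new PbeParameters(PbeEncryptionAlgorithm.Aes256Cbc, HashAlgorithmName.SHA256, 1);

            // Throws CryptographicException if the key was loaded without
            // X509KeyStorageFlags.Exportable, which is the intended outcome.
            byte[] blob = key.ExportEncryptedPkcs8PrivateKey(pwd, pbe);
            try
            {
                using (RSA tmp = RSA.Create())
                {
                    tmp.ImportEncryptedPkcs8PrivateKey(pwd, blob, out _);
                    return tmp.ExportParameters(true);
                }
            }
            finally
            {
                CryptographicOperations.ZeroMemory(blob);
                CryptographicOperations.ZeroMemory(pwdBytes);
            }
        }
    }
}
```

The returned `RSAParameters` holds the private key in plain byte arrays (`D`, `P`, `Q`, `DP`, `DQ`, `InverseQ`); clear them with `CryptographicOperations.ZeroMemory` once they are no longer needed.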

@bartonjs I'm facing the same error; I was on Framework, not Core. My scenario is to extract a certificate and its private key from the Windows Credential Store in PEM format to use it as a client certificate in a gRPC channel.
P.S. I know that in .NET Core it could be done natively.
