On 19.02.2010 14:17, Sebastien Pouliot wrote:
> [...]
>
>> but I am facing a slight problem.
>> In Mono's implementation of X509Certificate2, when the key is accessed
>> via the PrivateKey property, the ExportParameters method of
>> AsymmetricAlgorithm is invoked (see
>> http://anonsvn.mono-project.com/viewvc/tags/mono-2-6-1/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Certificate2.cs
>> , line 213). When I implemented my Pkcs11RsaKey class, derived from RSA,
>> I chose to throw a CryptographicException whenever ExportParameters(true)
>> is called (since there is no possibility to actually read the private
>> parameters off a token). But if I do so, X509Certificate2.PrivateKey
>> returns null and the whole https login process fails.
>>
>> Since you wrote the whole Cryptography namespace, maybe you could shed
>> some light on why this call to ExportParameters is necessary.
>> Do you see any workaround for this, apart from simply returning the
>> public parameters from ExportParameters(true), as I have done now, to
>> make it work as a proof of concept?
>
> It's a FX design flaw. The cryptographic hierarchy is sound (mostly) but
> some types (like RSACryptoServiceProvider) are short-circuiting the
> logic (which is a CryptoAPI limitation - or at least a mismatch with the
> FX design).
>
> IOW it means that RSACryptoServiceProvider (with its limitations) is
> unusable for some tasks (like SSL/TLS) unless you export the private key
> and re-load it into a (more compliant) RSAManaged instance. Sadly that
> does not play well with other, custom RSA instances.
OK, thanks for the explanation.

> The fix is not overly complicated (i.e. detect if the instance is not a
> RSACryptoServiceProvider and use it without the current hack) unless
> your RSA implementation cannot provide [Decrypt|Encrypt]Value methods.

I think we have a small misunderstanding. My actual problem is within
X509Certificate2, and I cannot change anything there (apart from patching
and recompiling the whole framework, which would be a bit of an overkill).
And since X509Certificate2.PrivateKey is not even virtual, overloading
won't help me either. ExportParameters(true) is called and I have the
choice of either returning a bogus value, which might lead to problems in
other areas, or throwing an exception, which results in the
X509Certificate2 instance not being able to access its PrivateKey.

And I still don't quite understand this call to ExportParameters(true).
You are doing it after you have already checked for the type and know
that it's neither a RSACryptoServiceProvider nor a RSAManaged.

> This happens on some smartcards (I recall some of the G&D Starcos 2.3
> about 10 years ago ;-) which insist on doing all padding operations
> inside the card. Those cards (unless they have a PKCS11 mode or support
> the special SSL padding*) are unusable for this purpose.

No, EncryptValue and DecryptValue work just fine (at least with the card
I have tried so far). But good to know that there might be other troubles
on the horizon.

cheers
Mathias
_______________________________________________
Mono-list maillist - [email protected]
http://lists.ximian.com/mailman/listinfo/mono-list
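To make the contract under discussion concrete, here is an added illustration (not code from this thread, from Mathias's Pkcs11RsaKey, or from Mono): a minimal RSA subclass of the shape the thread describes, where raw EncryptValue/DecryptValue work, ExportParameters(false) returns the public half, and ExportParameters(true) throws because the private half never leaves the token. The names FakeToken and TokenRsaKey are mine; FakeToken is an in-process stand-in that does the modular exponentiation itself only so the sample runs without hardware (a real implementation would call C_Decrypt/C_Sign with a raw-RSA mechanism there). It assumes a runtime with System.Numerics (.NET 4 or a comparable Mono or later).

```csharp
using System;
using System.Linq;
using System.Numerics;
using System.Security.Cryptography;

// Constructed stand-in for the PKCS#11 token. The private exponent lives only in
// here and is never handed back; a real Pkcs11RsaKey would call into the token
// (e.g. C_Decrypt with a raw RSA mechanism) instead of BigInteger.ModPow.
sealed class FakeToken
{
    readonly BigInteger n, e, d;
    public readonly byte[] Modulus, Exponent;      // public half, freely readable

    public FakeToken(RSAParameters p)
    {
        Modulus = p.Modulus; Exponent = p.Exponent;
        n = ToBig(p.Modulus); e = ToBig(p.Exponent); d = ToBig(p.D);
    }

    public byte[] RawPublic(byte[] m)  { return FromBig(BigInteger.ModPow(ToBig(m), e, n), Modulus.Length); }
    public byte[] RawPrivate(byte[] c) { return FromBig(BigInteger.ModPow(ToBig(c), d, n), Modulus.Length); }

    // RSAParameters fields are big-endian unsigned; BigInteger wants little-endian
    // two's complement, hence the reversal and the trailing zero byte (keeps it positive).
    static BigInteger ToBig(byte[] be)
    {
        return new BigInteger(Enumerable.Reverse(be).Concat(new byte[] { 0 }).ToArray());
    }
    static byte[] FromBig(BigInteger v, int len)
    {
        byte[] le = v.ToByteArray();                // little-endian, possibly with a sign byte
        byte[] be = new byte[len];                  // fixed width, left-padded with zeros
        for (int i = 0; i < len && i < le.Length; i++) be[len - 1 - i] = le[i];
        return be;
    }
}

// Hypothetical hardware-backed key (not Mono code): the only thing the FX design
// needs from it is EncryptValue/DecryptValue, as the reply above says.
sealed class TokenRsaKey : RSA
{
    readonly FakeToken token;

    public TokenRsaKey(FakeToken t)
    {
        token = t;
        int bits = t.Modulus.Length * 8;
        LegalKeySizesValue = new[] { new KeySizes(bits, bits, 0) };
        KeySizeValue = bits;
    }

    public override string KeyExchangeAlgorithm { get { return "RSA-PKCS1-KeyEx"; } }
    public override string SignatureAlgorithm   { get { return "http://www.w3.org/2000/09/xmldsig#rsa-sha1"; } }

    public override byte[] EncryptValue(byte[] rgb) { return token.RawPublic(rgb); }
    public override byte[] DecryptValue(byte[] rgb) { return token.RawPrivate(rgb); }

    public override RSAParameters ExportParameters(bool includePrivateParameters)
    {
        if (includePrivateParameters)
            throw new CryptographicException("private key lives on the token and cannot be exported");
        return new RSAParameters { Modulus = token.Modulus, Exponent = token.Exponent };
    }

    public override void ImportParameters(RSAParameters parameters)
    {
        throw new NotSupportedException("key material is generated on the token");
    }

    protected override void Dispose(bool disposing) { }
}

static class Demo
{
    static void Main()
    {
        // "Personalisation": generate a key pair in software and hand it to the stand-in
        // token; from here on only the token object holds the private exponent.
        RSAParameters p;
        using (var gen = new RSACryptoServiceProvider(2048)) p = gen.ExportParameters(true);
        RSA key = new TokenRsaKey(new FakeToken(p));

        // Raw RSA round trip (no padding): value 42 as a 256-byte big-endian integer.
        byte[] m = new byte[256]; m[255] = 42;
        byte[] back = key.DecryptValue(key.EncryptValue(m));
        Console.WriteLine("raw round trip ok: " + back.SequenceEqual(m));

        // Public export works, private export is refused.
        Console.WriteLine("modulus bits: " + key.ExportParameters(false).Modulus.Length * 8);
        try { key.ExportParameters(true); }
        catch (CryptographicException ex) { Console.WriteLine("as intended: " + ex.Message); }
    }
}
```

Compile with mcs or csc and run; the round trip prints true and the private export lands in the catch block. Note the two options Mathias weighs: with the throw in place, a consumer that insists on ExportParameters(true), like the Mono X509Certificate2.PrivateKey path discussed above, sees the exception; with the proof-of-concept hack of returning the public parameters instead, the consumer receives an RSAParameters whose D (and P, Q, DP, DQ, InverseQ) is null, which is the "bogus value" that can surface as errors elsewhere.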
