On Fri, 2010-02-19 at 15:00 +0100, Mathias Tausig wrote: > Am 19.02.2010 14:17, schrieb Sebastien Pouliot: > > [...] > > > >> but I am > >> facing a slight problem. > >> In Mono's implementation of X509Certificate2, when the key is accessed > >> via the PrivateKey property, the ExportParameter method of > >> AssymetricAlgorithm ist invoked (see > >> http://anonsvn.mono-project.com/viewvc/tags/mono-2-6-1/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Certificate2.cs > >> , line 213). When I implemented my Pkcs11RsaKey class, derived from RSA, > >> I chose to throw a CryptographicException whenever ExportParamters(true) > >> is called (since there is no possibility to actually read the private > >> parameters off a token). But if I do so, X509Certificate2.PrivateKey > >> returns null and the whole https - login process fails. > >> > >> Since you wrote the whole Cryptographic namespace, maybe you could shed > >> some light, why this call to ExportParameters is neccesary. > >> Do you see any workaround for this, apart from simply returning the > >> public parameters from ExportParameters(true), as I have done now, to > >> make it work as a proof of concept? > > > > It's a FX design flaw. The cryptographic hierarchy is sound (mostly) but > > some types (like RSACryptoServiceProvider) are short-circuiting the > > logic (which is a CryptoAPI limitation - or at least a mismatch with the > > FX design). > > > > IOW it means that RSACryptoServiceProvider (with its limitations) is > > unusable to some tasks (like SSL/TLS) unless you export the private key > > and re-load it into a (more compliant) RSAManaged instance. Sadly that > > does not play well with other, custom RSA instance. > > OK, thanks for the explanation > > > > > The fix is not overly complicated (i.e. detect if the instance is not a > > RSACryptoServiceProvider and use it without the current hack) unless > > your RSA implementation cannot provide [Decrypt|Encrypt]Value methods. > > I think we have a small misunderstanding. My actual problem is within > X509Certifiacte2, and I cannot change anything there (apart from > patching and recompiling the whole framework, which would be a bit of an > overkill). And since X509Certificate2.PrivateKey is not even virtual, > overloading won't help me either.
There's no misunderstanding. X509Certificate2 needs to be fixed to work in your use case (custom RSA). I can't think of any workaround (short of re-compiling the assembly with the fix). > ExportParameters(true) is called and I have the choice of either > returning a bogus value, what might lead to problems in other areas, or > throwing an exception, which results in the X509Certificate2 instance > not beeing able to access its PrivateKey. > And I still don't quite understand this call to ExportParameters(true). > You are doing after you have already checked for the type and know, that > it's neither a RSACryptoServiceProvider nor a RSAManaged. That was too long ago ;-) but it looks like I wanted to get the exception if no private key was present in a custom RSA|DSA implementation (which is likely the right behavior - but I need to check the tests to be sure). IIRC that's because the PublicOnly property is not (or was not) defined in the AsymmetricAlgorithm type. However your case is a bit different in that the private key is available but not exportable. Again that's not something that is easy to know in X509Certificate2 (maybe fx 3.5+, or the 2.0 service packs, made this easier). > > > This happens on some smartcards (I recall some of the G&D Starcos 2.3 > > about 10 years ago ;-) which insist on doing all padding operations > > inside the card. Those cards (unless they have a PKCS11 mode or support > > the special SSL padding*) are unusable for this purpose. > > No, EncryptValue and DecryptValue work just fine (at least with the card > I tried so far). But good to know, that there might be other troubles on > the horizon. Great! Sebastien _______________________________________________ Mono-list maillist - [email protected] http://lists.ximian.com/mailman/listinfo/mono-list
