CngKey.Export The requested operation is not supported [Windows] #26031

Closed
kitsor opened this issue Apr 29, 2018 · 6 comments

kitsor commented Apr 29, 2018

Can't get RSAParameters on Windows.

Code to reproduce:

using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

namespace TestRSA
{
  class Program
  {
    static void Main(string[] args)
    {
      try
      {
        X509Certificate2 cert = new X509Certificate2("certificate.pfx", "password");
        RSAParameters rsaKey = cert.GetRSAPrivateKey().ExportParameters(true);
        Console.WriteLine(string.Join("", rsaKey.P.Select(x => string.Format("{0:x2}", x))));
      }
      catch (Exception ex)
      {
        Console.WriteLine(ex.Message);
        Console.WriteLine(ex.StackTrace);
      }
    }
  }
}

on Windows 10/8.1 returns:

> dotnet TestRSA.dll
The requested operation is not supported
   at System.Security.Cryptography.CngKey.Export(CngKeyBlobFormat format)
   at System.Security.Cryptography.RSACng.ExportKeyBlob(Boolean includePrivateParameters)
   at System.Security.Cryptography.RSACng.ExportParameters(Boolean includePrivateParameters)
   at TestRSA.Program.Main(String[] args) in D:\VS\TestRSA\TestRSA\Program.cs:line 15

on Ubuntu 16.04

$ dotnet TestRSA.dll
da32f2af4800f9f945bd0c8185e9a78b0e0.....

Additional info:

> dotnet --info
.NET Command Line Tools (2.1.105)

Product Information:
 Version:            2.1.105
 Commit SHA-1 hash:  141cc8d976

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.16299
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\2.1.105\

Microsoft .NET Core Shared Framework Host

  Version  : 2.0.7
  Build    : 2d61d0b043915bc948ebf98836fefe9ba942be11

$ dotnet --info

Microsoft .NET Core Shared Framework Host

  Version  : 2.0.5
  Build    : 17373eb129b3b05aa18ece963f8795d65ef8ea54

@bartonjs
Member

When you opened the cert from a PFX you didn't specify X509KeyStorageFlags.Exportable. On Linux keys are always exportable, but on Windows and macOS they aren't always.


kitsor commented Apr 30, 2018

Thanks!
Now it works!

X509Certificate2 cert = new X509Certificate2("certificate.pfx", "password", X509KeyStorageFlags.Exportable);

I searched everywhere, but didn't find where the issue is. The error message isn't informative, and I decided that it isn't implemented on Windows.

@kitsor kitsor closed this as completed Apr 30, 2018
@msftgits msftgits transferred this issue from dotnet/corefx Jan 31, 2020
@msftgits msftgits added this to the 3.0 milestone Jan 31, 2020

ajitsamanta commented May 13, 2020

> When you opened the cert from a PFX you didn't specify X509KeyStorageFlags.Exportable. On Linux keys are always exportable, but on Windows and macOS they aren't always.

I have created a self-signed RSA certificate and stored the private key as a .pfx file. Then from my .NET Core 3.1 code I'm trying to instantiate the X509Certificate2 object with the .pfx file. The X509Certificate2 instance is created successfully, but from ExportParameters(true) I'm getting the same error even though I have set X509KeyStorageFlags.Exportable. Please help me.

X509Certificate2 certificate2 = new X509Certificate2(privateKeyData, _privateKeyPwd, X509KeyStorageFlags.Exportable);
RSAParameters rSAParameters = certificate2.GetRSAPrivateKey().ExportParameters(true);

Exception:
Internal.Cryptography.CryptoThrowHelper.WindowsCryptographicException: 'The requested operation is not supported.


SCLDGit commented May 22, 2020

I'm experiencing the same issue as @ajitsamanta
Any guidance would be great.

@bartonjs Any updates on how this is supposed to work?

@bartonjs
Member

Exportable ends up meaning two different things depending on if the key got loaded into Windows CAPI or Windows CNG. For CAPI it means ... exportable -- ExportParameters will work, and exporting as a PFX will work. For CNG it ends up meaning "exportable if encrypted", so PFX export works, and ExportEncryptedPkcs8PrivateKey works... but ExportParameters and ExportPkcs8PrivateKey do not.

One work-around is to do something like

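using (RSA tmp = RSA.Create())
using (RSA key = cert.GetRSAPrivateKey())
{
    // Caller's choice of PBE algorithm, hash and iteration count.
    PbeParameters pbeParameters = ...;
    // CNG permits the encrypted PKCS#8 export, so round-trip the key through it
    // into a fresh RSA object whose parameters can then be exported.
    byte[] encrypted = key.ExportEncryptedPkcs8PrivateKey(pwd, pbeParameters);
    tmp.ImportEncryptedPkcs8PrivateKey(pwd, encrypted, out _);
    return tmp.ExportParameters(true);
}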

We -could- do something like that in the platform when we get an error, but we've thus far resisted doing it. What's the scenario that requires you to use ExportParameters(true)?
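
An added example, not code from this thread or from .NET itself: a helper that tries ExportParameters(true) first and falls back to the encrypted PKCS#8 round-trip described above when the key was loaded into CNG. It assumes .NET Core 3.0 or later; the names `PrivateKeyExport`, `ExportRsaParameters` and `ExportViaEncryptedPkcs8` are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PrivateKeyExport // hypothetical helper, not a .NET type
{
    public static RSAParameters ExportRsaParameters(string pfxPath, string pfxPassword)
    {
        // Exportable is needed on Windows and macOS; Linux keys are always exportable.
        using (var cert = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.Exportable))
        using (RSA key = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("Certificate has no RSA private key."))
        {
            try
            {
                return key.ExportParameters(true); // Linux, or a CAPI-backed key on Windows
            }
            catch (CryptographicException)
            {
                // CNG-backed key: "exportable" only allows encrypted export.
                return ExportViaEncryptedPkcs8(key);
            }
        }
    }

    static RSAParameters ExportViaEncryptedPkcs8(RSA key)
    {
        // Throwaway random password: the encrypted blob only ever exists in this method.
        byte[] pwdBytes = new byte[32];
        RandomNumberGenerator.Fill(pwdBytes);
        string pwd = Convert.ToBase64String(pwdBytes);
        // One iteration is enough here: the password is random and the blob is never stored.
        var pbe = new PbeParameters(PbeEncryptionAlgorithm.Aes256Cbc, HashAlgorithmName.SHA256, 1);
        byte[] blob = key.ExportEncryptedPkcs8PrivateKey(pwd, pbe);
        try
        {
            using (RSA tmp = RSA.Create())
            {
                tmp.ImportEncryptedPkcs8PrivateKey(pwd, blob, out _);
                return tmp.ExportParameters(true);
            }
        }
        finally
        {
            CryptographicOperations.ZeroMemory(blob);
            CryptographicOperations.ZeroMemory(pwdBytes);
        }
    }
}
```

The returned RSAParameters holds the private key in clear memory, so clear its byte arrays once they are no longer needed.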


Gladskih commented Jul 31, 2020

@bartonjs I was facing the same error on Framework, not Core. My scenario is to extract a certificate and its private key from the Windows Credential Store in PEM format, to use it as a client certificate in a gRPC channel.
P.S. I know that in .NET Core it could be done natively.

@ghost ghost locked as resolved and limited conversation to collaborators Dec 17, 2020