Implement ExportPkcs12 #112569

Open
wants to merge 16 commits into
base: main

vcsjones
Member

This implements ExportPkcs12 on X509Certificate and X509Certificate2Collection.

Most of this pull request is minor shuffling to allow pulling Pkcs12Info and the related ASN.1 codecs into Common.

  1. Non-Windows always exports things in terms of PbeParameters. Pkcs12ExportPbeParameters is mapped to the Windows-equivalent.
  2. Windows, when using Pkcs12ExportPbeParameters, will rely on the Win32 API, if it can.
    • Pkcs12TripleDesSha1 is always exported by PFXExportCertStoreEx.
    • Pbes2Aes256Sha256 is exported by PFXExportCertStoreEx with PKCS12_PBES2_EXPORT_PARAMS, if it is available (Windows 10, 1709+).
    • If PKCS12_PBES2_EXPORT_PARAMS is not available on the platform, it is exported as Pkcs12TripleDesSha1 and re-created with Windows-equivalent parameters.
  3. Windows, when using PbeParameters, will export via PFXExportCertStoreEx, preferring PBES2 if it is available. It is then re-encoded with the specified PbeParameters.

Closes #80314
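
The export paths listed above, exercised from the caller's side and decoded again to show which PBE algorithm protects the private key. This is an added example, not code from the PR. It assumes a .NET version that includes this API with the overload shape `ExportPkcs12(parameters, password)` from the linked API proposal, a reference to the System.Security.Cryptography.Pkcs package, and a constructed certificate, password and iteration count.

```csharp
// Added example, not code from the PR. Assumes a .NET version that ships ExportPkcs12
// and a reference to the System.Security.Cryptography.Pkcs package (Pkcs12Info).
using System;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

const string Password = "constructed-sample-password"; // constructed value

// Constructed throwaway self-signed certificate with a private key.
using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var request = new CertificateRequest("CN=export-demo", key, HashAlgorithmName.SHA256);
using X509Certificate2 cert = request.CreateSelfSigned(
    DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));

// Enum presets named in the PR description.
Report("Pkcs12TripleDesSha1",
    cert.ExportPkcs12(Pkcs12ExportPbeParameters.Pkcs12TripleDesSha1, Password));
Report("Pbes2Aes256Sha256",
    cert.ExportPkcs12(Pkcs12ExportPbeParameters.Pbes2Aes256Sha256, Password));

// Explicit PbeParameters; the iteration count is a constructed sample value.
var custom = new PbeParameters(
    PbeEncryptionAlgorithm.Aes256Cbc, HashAlgorithmName.SHA256, iterationCount: 100_000);
Report("PbeParameters", cert.ExportPkcs12(custom, Password));

// Decode the PFX and print the PBE algorithm OID protecting each shrouded key bag.
void Report(string label, byte[] pfx)
{
    Pkcs12Info info = Pkcs12Info.Decode(pfx, out _);
    Console.WriteLine($"{label}: integrity={info.IntegrityMode}, mac ok={info.VerifyMac(Password)}");
    foreach (Pkcs12SafeContents contents in info.AuthenticatedSafe)
    {
        // Password-encrypted safe contents must be decrypted before their bags can be read.
        if (contents.ConfidentialityMode == Pkcs12ConfidentialityMode.Password)
            contents.Decrypt(Password);
        foreach (Pkcs12SafeBag bag in contents.GetBags())
        {
            if (bag is not Pkcs12ShroudedKeyBag shrouded) continue;
            // EncryptedPrivateKeyInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }
            var reader = new AsnReader(shrouded.EncryptedPkcs8PrivateKey, AsnEncodingRules.BER);
            string oid = reader.ReadSequence().ReadSequence().ReadObjectIdentifier();
            // 1.2.840.113549.1.5.13 = PBES2; 1.2.840.113549.1.12.1.3 = PKCS#12 3DES/SHA-1
            Console.WriteLine($"  key bag PBE algorithm OID: {oid}");
        }
    }
}
```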


@vcsjones vcsjones marked this pull request as ready for review February 14, 2025 21:18
@Copilot Copilot bot review requested due to automatic review settings February 14, 2025 21:18

PR Overview

This pull request implements the ExportPkcs12 functionality for X509Certificate and X509Certificate2Collection and refactors several ASN.1 codec types and interop structures to share common code. Key changes include:

  • Adding a new P/Invoke signature for PFXExportCertStoreEx and a corresponding struct for PKCS12_PBES2_EXPORT_PARAMS.
  • Enhancing the PkcsHelpers with new helper methods for BER decoding and attribute normalization.
  • Updating the visibility and namespace for types such as Pkcs12IntegrityMode and several ASN.1 types from the Pkcs to the Pkcs7 namespace.
  • Introducing a new flag (PKCS12_EXPORT_PBES2_PARAMS) in the PFXExportFlags enum.

Changes

| File | Description |
| --- | --- |
| src/libraries/Common/src/Interop/Windows/Crypt32/Interop.PFXExportCertStoreEx.cs | Added new P/Invoke signature for certificate export. |
| src/libraries/Common/src/Interop/Windows/Crypt32/Interop.PKCS12_PBES2_EXPORT_PARAMS.cs | Introduced new struct for PBES2 export parameters. |
| src/libraries/Common/src/Internal/Cryptography/PkcsHelpers.cs | Added new BER decoding helper and attribute set normalization method. |
| src/libraries/Common/src/System/Security/Cryptography/Pkcs/Pkcs12IntegrityMode.cs | Adjusted visibility based on build configuration. |
| src/libraries/Common/src/System/Security/Cryptography/Pkcs/Pkcs12Info.cs | Modified access level and removed unused using statement. |
| src/libraries/Common/src/System/Security/Cryptography/Asn1/Pkcs7/*.xml.cs | Updated various ASN.1 types to use the Pkcs7 namespace. |
| src/libraries/Common/src/Interop/Windows/Crypt32/Interop.PFXExportFlags.cs | Added export flag for PBES2 parameters. |

Copilot reviewed 61 out of 61 changed files in this pull request and generated no comments.

Member

@bartonjs bartonjs left a comment

Couple of nits, but overall LGTM

@vcsjones vcsjones added the cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. label Feb 19, 2025
Labels: area-System.Security, cryptographic-docs-impact, new-api-needs-documentation
Successfully merging this pull request may close these issues.

[API Proposal]: X509Certificate.ExportPkcs12 with PBE parameters
2 participants