@vcsjones
Member

Older Windows, namely Windows 8.1 and below, use RC2-40 when encrypting certificates in PKCS#12, so we cannot rely on the export being 3DES. This changes the export to re-encode if 3DES was explicitly asked for.
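
One way to check which password-based encryption schemes a PKCS#12 blob actually carries, given the point above that an export cannot be assumed to be 3DES. This is an added example, not part of the pull request or of dotnet/runtime; the function names and sample bytes are constructed here, and the walker assumes definite-length DER.

```python
# Added example, not dotnet/runtime code. All sample bytes are constructed.
PBE_NAMES = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
    "1.2.840.113549.1.5.13": "PBES2",
}

def read_tlv(buf, pos):  # one definite-length DER TLV -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def oid_to_str(body):  # OID content octets -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def pbe_algorithms(buf):  # names of the PBE schemes found, in document order
    found, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        if tag == 0x06 and val and oid_to_str(val) in PBE_NAMES:
            found.append(PBE_NAMES[oid_to_str(val)])
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [0], ...
            found += pbe_algorithms(val)
        elif tag == 0x04:  # the authSafe is DER wrapped in an OCTET STRING
            try:
                found += pbe_algorithms(val)
            except (ValueError, IndexError):
                pass  # ordinary bytes such as a salt, not nested DER
    return found

def der(tag, *parts):  # builder for the sample; short-form lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_encrypted_content_info(pbe_oid_hex):  # constructed fragment
    alg = der(0x30, der(0x06, bytes.fromhex(pbe_oid_hex)),
              der(0x30, der(0x04, bytes(8)), der(0x02, b"\x07\xd0")))
    return der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701")), alg,
               der(0x80, bytes(16)))
```

Calling `pbe_algorithms` on the bytes of a DER-encoded PFX lists every scheme in use, so a result containing `pbeWithSHAAnd40BitRC2-CBC` shows that a 3DES request was not honoured.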

Copilot AI review requested due to automatic review settings February 21, 2025 23:28
@ghost ghost added the area-System.Security label Feb 21, 2025
Contributor

Copilot AI left a comment

PR Overview

This pull request refactors the PKCS#12 export logic to ensure that when 3DES is explicitly requested on older versions of Windows, the exported certificate is properly re‐encoded.

  • Introduces a new helper method ExportPkcs12Core that consolidates export and re‐encoding logic.
  • Adjusts the export paths for both AES and 3DES formats based on platform capabilities.

Reviewed Changes

File: src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/StorePal.Windows.Export.cs
Description: Refactored the export routines to call ExportPkcs12Core, simplifying the logic for handling both AES and 3DES re-encoding.

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (1)

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/StorePal.Windows.Export.cs:102

  • [nitpick] Consider renaming ExportPkcs12Core to a more descriptive name (e.g. ExportAndReencodePkcs12) to clearly indicate its dual role in exporting and conditionally re-encoding PKCS#12 data.
private unsafe byte[] ExportPkcs12Core(Pkcs12ExportPbeParameters? exportParameters, SafePasswordHandle password)

@dotnet-policy-service
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@vcsjones vcsjones merged commit 4112020 into dotnet:main Feb 22, 2025
81 of 84 checks passed
@vcsjones vcsjones deleted the fix-obs-windows-pkcs12export branch February 22, 2025 13:29
@github-actions github-actions bot locked and limited conversation to collaborators Mar 25, 2025