BouncyCastle PrivateKey To X509Certificate2 PrivateKey (ECC)

0
votes

Using .NET Core 3.1 and BouncyCastle

I have a Private ECC key from Pkcs12. How can I store this in X509Certificate2 Private Key please? The reason I am trying it this way is because when I load the Pkcs12 as X509Certificate2, the X509Certificate2.PrivateKey method throws a "not implemented / algorithm not supported exception".

This is what I have so far:

        using var stream = new MemoryStream(myPkcs12);

        Pkcs12Store pstore = new Pkcs12Store(stream, password.ToCharArray());
        
        var name = "";
        foreach (string alias in store.Aliases)
        {
            if (pstore.IsKeyEntry(alias))
            {
                name = alias;
            }
        }

        var key = pstore.GetKey(name);

            var cert = new X509Certificate2(myPkcs12, "mypassword", X509KeyStorageFlags.EphemeralKeySet | X509KeyStorageFlags.Exportable);
          
                cert.PrivateKey = // key? I imagine it is incorrect to use  DotNetUtilities.ToRSA()?

Thank you!

UPDATE:

The reason for this post is due to this problem:

private const string EccTestCert = "MIINbQIBAzCCDSkGCSqGSIb3DQEHAaCCDRoEgg0WMIIN.... 9wQUpQgYbgB7yknIW7Oaz3hogAVihJoCAgfQ";
var cert = new X509Certificate2(Convert.FromBase64String(EccTestCert), "1");

//  If you inspect it, the PrivateKey throws an exception.  Whilst with an RSA cert, it will not.
1
c#.netcryptographycertificatebouncycastle
The PKCS#12 contains certificate and private key. So when importing the pkcs12 with new X509Certificate2(myPkcs12...) the instance is a certificate with the private key - so you can sign or decrypt with it. - Daniel Fisher lennybacon
@DanielFisherlennybacon Hi, when I attempt this with an ECC Cert, X509Certificate cannot return the PrivateKey for me to use. I'll update with an example Pkcs12. - PKCS12

1 Answers

2
votes

The source shows that, depending on the platform you run on the exception is thrown.

                    switch (GetKeyAlgorithm())
                    {
                        case Oids.Rsa:
                            _lazyPrivateKey = Pal.GetRSAPrivateKey();
                            break;
                        case Oids.Dsa:
                            _lazyPrivateKey = Pal.GetDSAPrivateKey();
                            break;
                        default:
                            // This includes ECDSA, because an Oids.EcPublicKey key can be
                            // many different algorithm kinds, not necessarily with mutual exclusion.
                            //
                            // Plus, .NET Framework only supports RSA and DSA in this property.
                            throw new NotSupportedException(SR.NotSupported_KeyAlgorithm);
                    }

The private key is of type AsymmetricAlgorithm witch needs to be casted anyway to RSA or ECDsa. I remember @bartonjs saying that one should use the GetXXXPrivateKey() methods. So you can do that on your own:

string EccTestCert = "{base64-pkcs-12-here}";
var cert = new X509Certificate2(Convert.FromBase64String(EccTestCert), "1");

if (cert.HasPrivateKey) {
  var key =
    (AsymmetricAlgorithm) cert.GetRSAPrivateKey()
      ?? cert.GetECDsaPrivateKey()
        ?? throw new NotSupportedException("Who still uses DSA?");

  if (key is ECDsa ecdsa) {
    var ecdsaSignature = ecdsa.SignData(new byte[]{ 0x00}, HashAlgorithmName.SHA256);
  } else if (key is RSA rsa) {
    var rsaSignature = rsa.SignData(new byte[]{ 0x00}, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
  } else {
    throw new NotSupportedException("Who still uses DSA?");
  }
}