Bug 60836 - X509Certificate2 is unable to load DSA certificate with private key from P12/PFX files
Summary: X509Certificate2 is unable to load DSA certificate with private key from P12/...
Status: RESOLVED FEATURE
Alias: None
Product: Class Libraries
Classification: Mono
Component: System ()
Version: 5.4 (2017-06)
Hardware: PC Linux
Importance: --- normal
Target Milestone: Untriaged
Assignee: Bugzilla
URL:
Depends on:
Blocks:
Reported: 2017-11-23 12:52 UTC by Rebex.NET
Modified: 2017-12-11 20:33 UTC

Tags:
Is this bug a regression?: ---
Last known good build:


Attachments
Two test cases (see the bug description for details) (4.34 KB, application/x-zip-compressed)
2017-11-23 12:52 UTC, Rebex.NET


Description Rebex.NET 2017-11-23 12:52:18 UTC
Created attachment 25818 [details]
Two test cases (see the bug description for details)

Mono's X509Certificate2 class from System.Security.Cryptography.X509Certificates is unable to properly load DSA certificates with private keys from PFX/P12 files. It does not fail, but the private key is not accessible, even though HasPrivateKey returns 'true'. Some of those certificates worked fine in Mono 4.6.

This is what we are doing:
    var cert = new X509Certificate2(certData, certPassword, X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.Exportable);
    Console.WriteLine("Has private key: {0}", cert.HasPrivateKey);
    Console.WriteLine("Private key type: {0}", (cert.PrivateKey != null) ? cert.PrivateKey.GetType().ToString() : "(null)");

See the attachment for full source code for two of our test cases.
Test02.cs used to work properly in Mono 4.6, but it no longer does in Mono 5.4.

Expected results for both test cases:
	Has private key: True
	Private key type: System.Security.Cryptography.DSACryptoServiceProvider

Observed results in .NET Framework 4.x for both test cases:
	Has private key: True
	Private key type: System.Security.Cryptography.DSACryptoServiceProvider
	(This is the correct behavior.)

Observed results on Mono 5.4 for both test cases:
	Has private key: True
	Private key type: (null)
	(Mono 5.4 indicates that the private key is present, but it is unable to return it.)

Observed results on Mono 4.6 for Test01.cs:
	Has private key: False
	Private key type: (null)
	(Mono 4.6 indicates that the private key is not present, even though it is.)

Observed results on Mono 4.6 for Test02.cs:
	Has private key: True
	Private key type: System.Security.Cryptography.DSACryptoServiceProvider
	(This is the correct behavior.)
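An added diagnostic for the symptom above (not code from the bug report or from Mono): it loads the PFX exactly as the report does, then proves the key is usable with a sign/verify round trip, so a certificate whose HasPrivateKey is true but whose key cannot be reached is reported as such instead of passing silently. PfxKeyProbe, Probe and KeyState are names chosen here; the GetRSAPrivateKey/GetDSAPrivateKey extension methods are assumed to be available in the runtime under test.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic, not code from the bug report or from Mono. It loads the PFX the
// same way the report does and then proves the key works instead of trusting HasPrivateKey.
public static class PfxKeyProbe
{
    public enum KeyState { NoPrivateKey, ReportedButInaccessible, UsableRsa, UsableDsa, UnsupportedAlgorithm }

    public static KeyState Probe(byte[] pfxData, string password)
    {
        var cert = new X509Certificate2(pfxData, password,
            X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.Exportable);
        if (!cert.HasPrivateKey)
            return KeyState.NoPrivateKey;

        // Constructed test message; any bytes will do.
        byte[] challenge = new byte[] { 0x52, 0x65, 0x62, 0x65, 0x78, 0x20, 0x74, 0x65, 0x73, 0x74 };

        // Assumption: GetRSAPrivateKey/GetDSAPrivateKey exist in the runtime under test
        // (.NET Framework 4.6.2+ and recent Mono); each returns null when the key algorithm differs.
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa != null)
            {
                byte[] sig = rsa.SignData(challenge, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                return rsa.VerifyData(challenge, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
                    ? KeyState.UsableRsa : KeyState.ReportedButInaccessible;
            }
        }
        using (DSA dsa = cert.GetDSAPrivateKey())
        {
            if (dsa != null)
            {
                // Legacy DSA providers only sign 20-byte SHA-1 digests, so hash the challenge first.
                byte[] digest;
                using (var sha1 = SHA1.Create()) digest = sha1.ComputeHash(challenge);
                byte[] sig = dsa.CreateSignature(digest);
                return dsa.VerifySignature(digest, sig)
                    ? KeyState.UsableDsa : KeyState.ReportedButInaccessible;
            }
        }
        // Fall back to the property the report used. Null here, with HasPrivateKey true,
        // is exactly the Mono 5.4 symptom described above.
        return cert.PrivateKey == null ? KeyState.ReportedButInaccessible : KeyState.UnsupportedAlgorithm;
    }
}
```

A UsableDsa result still marks the certificate for replacement, since the native TLS backends Mono now uses no longer accept DSA keys.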

Comment 1 Martin Baulig 2017-12-11 20:33:09 UTC
Related to https://bugzilla.xamarin.com/show_bug.cgi?id=60837, but going to close (RESOLVED / FEATURE) this one.

X509Certificate2 is now using the native TLS backend (BTLS / AppleTls) to load certificates from files.  The old managed P12/PFX code is now deprecated and may be removed in a future release.

Support for DSA certificates has been removed from Google's BoringSSL a while ago and I believe the same is true for Apple's Secure Transport - so you cannot use them for authentication anymore - and you really shouldn't.