Skip to content

Comments

New cert loader should load into CNG by default#107005

Merged
bartonjs merged 2 commits intodotnet:mainfrom
bartonjs:correct_ksp
Aug 27, 2024
Merged

New cert loader should load into CNG by default#107005
bartonjs merged 2 commits intodotnet:mainfrom
bartonjs:correct_ksp

Conversation

@bartonjs
Copy link
Member

@bartonjs bartonjs commented Aug 27, 2024

When no provider attribute is present on a key, Windows loads the key into the CAPI Base provider unless PKCS12_PREFER_CNG_KSP is set. So, set that flag.

On .NET Framework (or .NET Standard running on .NET Framework) we don't have the power to set that flag (without completely redefining how the PFX load loads), so inject a synthetic attribute to force keys into the CNG KSP when PreserveStorageProvider isn't set.

Technically these two approaches differ when the incoming PFX has no name and PreserveStorageProvider is set (CoreFX: CNG, NetFX: CAPI Base), but that's unlikely, and consistent with .NET Framework imports.

Fixes the problem identified in #104487.

@bartonjs
New cert loader should load into CNG by default
6f72108 
When no provider attribute is present on a key, Windows loads the key into the
CAPI Base provider unless PKCS12_PREFER_CNG_KSP is set.  So, set that flag.

On .NET Framework (or .NET Standard running on .NET Framework) we don't
have the power to set that flag (without completely redefining how the PFX load
loads), so inject a synthetic attribute to force keys into the CNG KSP when
PreserveStorageProvider isn't set.

Technically these two approaches differ when the incoming PFX has no name
and PreserveStorageProvider is set (CoreFX: CNG, NetFX: CAPI Base), but that's
unlikely, and consistent with .NET Framework imports.
@bartonjs bartonjs self-assigned this Aug 27, 2024
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Aug 27, 2024

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@bartonjs bartonjs added the cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. label Aug 27, 2024
@teo-tsirpanis
Copy link
Contributor

teo-tsirpanis commented Aug 27, 2024

BTW I've heard that the NCrypt APIs perform an RPC call to a system process and I was wondering if the same happens with a key obtained from PFXImportCertStore and if yes, whether passing PKCS12_NO_PERSIST_KEY and/or using the earlier Crypto API to get the certificate's private key would change anything.

vcsjones
vcsjones approved these changes Aug 27, 2024
View reviewed changes
Copy link
Member

@vcsjones vcsjones left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine to me. Some non-blocking feedback for clarity in a test, but functionally looks good.

@build-analysis build-analysis bot mentioned this pull request Aug 27, 2024
Open
3 tasks
@vcsjones
Copy link
Member

vcsjones commented Aug 27, 2024
edited
Loading

I've heard that the NCrypt APIs perform an RPC call to a system process and I was wondering if the same happens with a key obtained from PFXImportCertStore

Yes it does.

whether passing PKCS12_NO_PERSIST_KEY and/or using the earlier Crypto API to get the certificate's private key would change anything.

It does. If that is the behavior people want, they can specify X509KeyStorageFlags.EphemeralKeySet when loading the PKCS12. That gets mapped to PKCS12_NO_PERSIST_KEY (among other things).

Hedging against likely follow up question..

Why is that not the default?

I think the idea was entertained when X509CertificateLoader` was being spiked out, but it can't work for two reasons.

  1. macOS does not support ephemeral key loads. X509KeyStorageFlags.EphemeralKeySet throws on that platform, and it doesn't make sense for the API to do ephemeral on one OS, and persisted on another, as a default behavior.

  2. It changes the behavior of certain Windows APIs. For example, an X509Certificate2 that is used by SslStream must have a persisted key. That's a Win32 thing.

So, if you know your scenarios work with ephemeral keys, you can opt-in to it.

@bartonjs
Copy link
Member Author

bartonjs commented Aug 27, 2024

/ba-g The tests appear to have run successfully on all legs (infrastructure issue preventing them from uploading results?)

@bartonjs bartonjs merged commit 5d3bac1 into dotnet:main Aug 27, 2024
@bartonjs bartonjs deleted the correct_ksp branch August 27, 2024 21:49
@bartonjs
Copy link
Member Author

bartonjs commented Aug 27, 2024

/backport to release/9.0

@github-actions
Copy link
Contributor

github-actions bot commented Aug 27, 2024

Started backporting to release/9.0: https://github.com/dotnet/runtime/actions/runs/10586588721

@github-actions github-actions bot mentioned this pull request Aug 27, 2024
Merged
4 tasks
@github-actions github-actions bot locked and limited conversation to collaborators Sep 28, 2024
@bartonjs bartonjs added this to the 9.0.0 milestone Oct 23, 2024
@bartonjs bartonjs added the tracking This issue is tracking the completion of other related issues. label Oct 23, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@vcsjones vcsjones vcsjones approved these changes

Assignees

@bartonjs bartonjs

Labels

area-System.Security cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. tracking This issue is tracking the completion of other related issues.

Projects

None yet

Milestone

9.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@bartonjs @teo-tsirpanis @vcsjones