Skip to content

Attempt to load X.509 keys as ECDH keys first #115249

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vcsjones merged 2 commits into from
May 3, 2025
Merged

Attempt to load X.509 keys as ECDH keys first #115249

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ca3fc19
Attempt to load X.509 keys as ECDH keys first.
vcsjones May 2, 2025
3a398df
Code review feedback
vcsjones May 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 12 additions & 12 deletions ...curity.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Certificate2.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1172,18 +1172,18 @@ public static X509Certificate2 CreateFromPem(ReadOnlySpan<char> certPem, ReadOnl
s_DsaPublicKeyPrivateKeyLabels,
static keyPem => CreateAndImport(keyPem, DSA.Create),
certificate.CopyWithPrivateKey),
Oids.EcPublicKey when IsECDsa(certificate) =>
ExtractKeyFromPem<ECDsa>(
keyPem,
s_EcPublicKeyPrivateKeyLabels,
static keyPem => CreateAndImport(keyPem, ECDsa.Create),
certificate.CopyWithPrivateKey),
Oids.EcPublicKey when IsECDiffieHellman(certificate) =>
ExtractKeyFromPem<ECDiffieHellman>(
keyPem,
s_EcPublicKeyPrivateKeyLabels,
static keyPem => CreateAndImport(keyPem, ECDiffieHellman.Create),
certificate.CopyWithPrivateKey),
Oids.EcPublicKey when IsECDsa(certificate) =>
ExtractKeyFromPem<ECDsa>(
keyPem,
s_EcPublicKeyPrivateKeyLabels,
static keyPem => CreateAndImport(keyPem, ECDsa.Create),
certificate.CopyWithPrivateKey),
Oids.MlKem512 or Oids.MlKem768 or Oids.MlKem1024 =>
ExtractKeyFromPem<MLKem>(
keyPem,
Expand Down Expand Up @@ -1259,18 +1259,18 @@ public static X509Certificate2 CreateFromEncryptedPem(ReadOnlySpan<char> certPem
password,
static (keyPem, password) => CreateAndImportEncrypted(keyPem, password, DSA.Create),
certificate.CopyWithPrivateKey),
Oids.EcPublicKey when IsECDsa(certificate) =>
ExtractKeyFromEncryptedPem<ECDsa>(
keyPem,
password,
static (keyPem, password) => CreateAndImportEncrypted(keyPem, password, ECDsa.Create),
certificate.CopyWithPrivateKey),
Oids.EcPublicKey when IsECDiffieHellman(certificate) =>
ExtractKeyFromEncryptedPem<ECDiffieHellman>(
keyPem,
password,
static (keyPem, password) => CreateAndImportEncrypted(keyPem, password, ECDiffieHellman.Create),
certificate.CopyWithPrivateKey),
Oids.EcPublicKey when IsECDsa(certificate) =>
ExtractKeyFromEncryptedPem<ECDsa>(
keyPem,
password,
static (keyPem, password) => CreateAndImportEncrypted(keyPem, password, ECDsa.Create),
certificate.CopyWithPrivateKey),
Oids.MlKem512 or Oids.MlKem768 or Oids.MlKem1024 =>
ExtractKeyFromEncryptedPem<MLKem>(
keyPem,
Expand Down
48 changes: 48 additions & 0 deletions ...libraries/System.Security.Cryptography/tests/X509Certificates/X509Certificate2PemTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -268,6 +268,54 @@ public static void CreateFromPem_ECDH_Pkcs8_Success()
}
}

[Fact]
public static void CreateFromPem_EC_Pkcs8_Success()
{
// ecPublicKey certificates that have no key usage restrictions should be allowed to be used as both
// an ECDsa key and an ECDiffieHellman key.

// For purposes of creating the certificate, it doesn't matter if we use an ECDSA or ECDH key, but starting
// with ECDSA means we can make a self-signed cert.
using ECDsa key = ECDsa.Create();
key.ImportFromPem(TestData.EcDhPkcs8Key);
CertificateRequest req = new("CN=radish", key, HashAlgorithmName.SHA256);
using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(1));
string pemAggregate = $"{cert.ExportCertificatePem()}\n{TestData.EcDhPkcs8Key}";
using X509Certificate2 reLoaded = X509Certificate2.CreateFromPem(pemAggregate, pemAggregate);

AssertKeysMatch(TestData.EcDhPkcs8Key, reLoaded.GetECDiffieHellmanPrivateKey);
AssertKeysMatch(TestData.EcDhPkcs8Key, reLoaded.GetECDsaPrivateKey);
AssertExtensions.SequenceEqual(cert.SerialNumberBytes.Span, reLoaded.SerialNumberBytes.Span);
}

[Fact]
public static void CreateFromEncryptedPem_EC_Pkcs8_Success()
{
// ecPublicKey certificates that have no key usage restrictions should be allowed to be used as both
// an ECDsa key and an ECDiffieHellman key.

// For purposes of creating the certificate, it doesn't matter if we use an ECDSA or ECDH key, but starting
// with ECDSA means we can make a self-signed cert.
using ECDsa key = ECDsa.Create();
key.ImportFromPem(TestData.EcDhPkcs8Key);
CertificateRequest req = new("CN=radish", key, HashAlgorithmName.SHA256);
using X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(1));

PbeParameters pbe = new(PbeEncryptionAlgorithm.Aes128Cbc, HashAlgorithmName.SHA1, 32);
const string Password = "PLACEHOLDER";

string encryptedPrivateKey = PemEncoding.WriteString(
"ENCRYPTED PRIVATE KEY",
key.ExportEncryptedPkcs8PrivateKey(Password, pbe));

string pemAggregate = $"{cert.ExportCertificatePem()}\n{encryptedPrivateKey}";
using X509Certificate2 reLoaded = X509Certificate2.CreateFromEncryptedPem(pemAggregate, pemAggregate, Password);

AssertKeysMatch(encryptedPrivateKey, reLoaded.GetECDiffieHellmanPrivateKey, Password);
AssertKeysMatch(encryptedPrivateKey, reLoaded.GetECDsaPrivateKey, Password);
AssertExtensions.SequenceEqual(cert.SerialNumberBytes.Span, reLoaded.SerialNumberBytes.Span);
}

[ConditionalFact(typeof(MLKem), nameof(MLKem.IsSupported))]
public static void CreateFromPem_MLKem_Pkcs8_Success()
{
Expand Down
Loading