[Bug 49144] New: Opening a PFX certificate in a dotnet application using X509Certificate2
https://bugs.winehq.org/show_bug.cgi?id=49144

Bug ID: 49144
Summary: Opening a PFX certificate in a dotnet application using X509Certificate2
Product: Wine
Version: 5.8
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs(a)winehq.org
Reporter: petrov_lv(a)ekra.ru
Distribution: ---

Created attachment 67146 --> https://bugs.winehq.org/attachment.cgi?id=67146
output for wine

There is a crash in the test application when opening the PFX certificate. The certificate contains a private key.

Test application:

    using System;
    using System.Security.Cryptography.X509Certificates;

    namespace CheckPfx
    {
        class Program
        {
            static void Main(string[] args)
            {
                if (args.Length == 2)
                {
                    var fileName = args[0];
                    var password = args[1];
                    var cert2 = new X509Certificate2(fileName, password);
                    Console.WriteLine($"HasPrivateKey: {cert2.HasPrivateKey}");
                }
                else
                {
                    Console.WriteLine("using: <appName.exe> <pfx-file> <password>");
                }
            }
        }
    }

Certificate creation:

    certtool --dsa --generate-privkey --outfile key.pem
    certtool --generate-self-signed --load-privkey key.pem --outfile cert.pem --template template.cfg
    certtool --load-certificate cert.pem --load-privkey key.pem --to-p12 --outder --outfile cert.pfx

Output for Windows:

    HasPrivateKey: True

Output for Wine (in attached file):

    Unhandled Exception: System.Security.Cryptography.CryptographicException: Invalid parameter.

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
--- Comment #1 from Hans Leidekker <hans(a)meelstraat.net> ---
Please attach a WINEDEBUG=+crypt trace.
--- Comment #2 from petrov_lv <petrov_lv(a)ekra.ru> ---
Created attachment 67147 --> https://bugs.winehq.org/attachment.cgi?id=67147
WINEDEBUG=+crypt trace file
--- Comment #3 from Hans Leidekker <hans(a)meelstraat.net> ---
(In reply to petrov_lv from comment #2)
> Created attachment 67147 [details]
> WINEDEBUG=+crypt trace file

> 0024:trace:crypt:CryptQueryObject (00000001, 0xb41f08, 00001522, 0000000e, 00000000, (nil), 0x31f400, (nil), (nil), (nil), (nil))
> 0024:trace:crypt:CRYPT_ReadBlobFromFile L"C:\\program files\\test_pfx\\cert.pfx"
> 0024:trace:crypt:CRYPT_ReadBlobFromFile returning 0

CRYPT_ReadBlobFromFile returning 0 means it can't read the file. Make sure it exists in that place and is readable.

For me it fails a little later because importing DSA keys from PFX blobs is currently not supported.
petrov_lv <petrov_lv(a)ekra.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #67147|0                           |1
        is obsolete|                            |

--- Comment #4 from petrov_lv <petrov_lv(a)ekra.ru> ---
Created attachment 67151 --> https://bugs.winehq.org/attachment.cgi?id=67151
+crypto_dsa_key.log
--- Comment #5 from petrov_lv <petrov_lv(a)ekra.ru> ---
Created attachment 67152 --> https://bugs.winehq.org/attachment.cgi?id=67152
+crypto_rsa_key.log
--- Comment #6 from petrov_lv <petrov_lv(a)ekra.ru> ---
(In reply to Hans Leidekker from comment #3)

Thank you for the quick and helpful answers. You are right, I did not provide access to the file. I gave access and the program gave the following logs (DEBUG+crypto_dsa_key.log):

    0024:fixme:crypt:import_key key algorithm 2 not supported

This line apparently confirms your comment:

> importing DSA keys from PFX blobs is currently not supported.

I decided to change the method of generating a private key from DSA to RSA:

    certtool --rsa --bits 4096 --generate-privkey --outfile key.pem

I modified the test application. Added logging of certificate fields:

    Console.WriteLine($"IssuerName: {cert2.IssuerName.Name}");
    Console.WriteLine($"SubjectName: {cert2.SubjectName.Name}");

Result (DEBUG+crypto_rsa4096_key.log):

    HasPrivateKey: False
    IssuerName: C=RU, S=Test state, O=test org., OU=test unit, CN=Test User
    SubjectName: C=RU, S=Test state, O=test org., OU=test unit, CN=Test User

* NO exception is thrown
* private key NOT loaded

"Windows" output:

    HasPrivateKey: True
    IssuerName: C=RU, S=Test state, O=test org., OU=test unit, CN=Test User
    SubjectName: C=RU, S=Test state, O=test org., OU=test unit, CN=Test User

A private key is required in the main application. Maybe I should create a new report?
--- Comment #7 from Hans Leidekker <hans(a)meelstraat.net> ---
(In reply to petrov_lv from comment #6)
> Result (DEBUG+crypto_rsa4096_key.log):
>
>     HasPrivateKey: False
>     IssuerName: C=RU, S=Test state, O=test org., OU=test unit, CN=Test User
>     SubjectName: C=RU, S=Test state, O=test org., OU=test unit, CN=Test User
>
> * NO exception is thrown
> * private key NOT loaded
>
> "Windows" output:
>
>     HasPrivateKey: True
>     IssuerName: C=RU, S=Test state, O=test org., OU=test unit, CN=Test User
>     SubjectName: C=RU, S=Test state, O=test org., OU=test unit, CN=Test User
>
> A private key is required in the main application. Maybe I should create a new report?

It's a different issue but DSA support is already covered in other bug reports, so we might as well continue here. It's looking for CERT_KEY_PROV_INFO_PROP_ID on the imported cert, which isn't set.
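Added diagnostic, not the reporter's test program and not Wine code: it builds an RSA PFX in memory, reloads it the way the test application does, and then checks that the private key is not merely flagged by HasPrivateKey but actually usable, by signing and verifying with it. A load failure like the DSA case shows up as the caught CryptographicException; a certificate that loads without its key (the RSA result in comment #6) returns false. It assumes .NET Core 2.0+ or .NET Framework 4.7.2+ for CertificateRequest; the subject string and password are constructed values.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class PfxKeyCheck
{
    // Returns true only when the reloaded certificate can sign with its private key
    // and the signature verifies with the certificate's public key.
    public static bool PrivateKeyRoundTrips(string password)
    {
        byte[] pfx;
        using (var rsa = RSA.Create(2048))
        {
            // Constructed subject, shaped like the one in the thread.
            var req = new CertificateRequest("C=RU, O=test org., OU=test unit, CN=Test User",
                rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var selfSigned = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1)))
            {
                pfx = selfSigned.Export(X509ContentType.Pfx, password);
            }
        }

        // Same constructor shape as the test application, fed bytes instead of a path.
        using (var cert2 = new X509Certificate2(pfx, password))
        {
            Console.WriteLine($"HasPrivateKey: {cert2.HasPrivateKey}");
            if (!cert2.HasPrivateKey)
                return false;   // loaded, but the key was not bound to the certificate

            byte[] data = Encoding.UTF8.GetBytes("pfx private key check");
            byte[] sig;
            using (var priv = cert2.GetRSAPrivateKey())
                sig = priv.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var pub = cert2.GetRSAPublicKey())
                return pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        try
        {
            Console.WriteLine($"private key usable: {PrivateKeyRoundTrips("test-password")}");
        }
        catch (CryptographicException e)
        {
            // A failed import (e.g. an unsupported key algorithm) surfaces here.
            Console.WriteLine($"CryptographicException: {e.Message}");
        }
    }
}
```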
jvm <jan-vm(a)outlook.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jan-vm(a)outlook.com