Re: Certificates received from Windows CertStore: wrong public key (and incorrec

From: Johannes Resch (jr_at_xor.at)
Date: 01/26/04


Date: 26 Jan 2004 10:34:30 +0100

Mitch,

I've got .NET Framework v1.1 (with German language pack v1.1) installed.

I just did a few more tests with newly generated certificates with larger
key sizes (4096, 8192 bit) - still the same results (oRSA.KeySize always
1024 bit, RSAParameters exported from oRSA always have sizes corresponding
to 1024 bit keys).

So this leaves me in the situation that no valid signatures can be
created.
The bogus private RSAParameters would be used, so the signature is
worthless (and signature verification, which is based on the correct
X509Certificates taken from a CER file or DecryptTo.recipcert, fails).

Since I need a working solution soon, I guess I have to take the long way
and get a PRIVATEKEYBLOB exported (with all those additional steps
(Q228786) required), which I can then parse to get the correct values for
the private RSA parameters.

I remember that you had a PRIVATEKEYBLOB parser for C# on your examples
page - could you consider making just that one example available again?
This would be great.

Best Regards,
Johannes Resch

Michel Gallant wrote:
> Are you using .NET Framework 1.0 ??
> There is a bug in 1.0 whereby oRSA.KeyLen is not properly updated
> (just tried this). There are some other bugs in .NET 1.0 Crypto (see clone
> code in EncryptTo.cs sample :-)
> .NET 1.1 properly reports the correct key size.
> The DecryptTo.cs sample code in the MSDN article should work for
> both 1.0/1.1. The code in the DoRSADecrypt() method in that sample
> does not explicitly make use of the KeyLen property, and 1.0 seems to maintain the
> internal state of RSACryptoServiceProvider oRSA = new RSACryptoServiceProvider(cp);
> so RSA decryption based on this oRSA should work properly (I haven't had any problems in 1.0).

> I tried this in .NET 1.0 and 1.1, specifically using a 4096 bit keysize (and many other
> size RSA keys also). Adding the following code at the very end of Main(), I get identical
> key modulus data:
> ........
> Console.WriteLine("\n*** Failed to decrypt file ****") ;
> CspParameters cp = new CspParameters();
> cp.KeyContainerName = oDec.keycontainer;
> cp.KeyNumber = oDec.RSAkeytype;

> RSACryptoServiceProvider oRSA = new RSACryptoServiceProvider(cp);
> Console.WriteLine("Key size {0} bits", oRSA.KeySize) ; //.NET 1.0 reports 1024 always (bug?)
> RSAParameters rsaParams = oRSA.ExportParameters(true);
> // --- Examine exported modulus ------------
> Console.WriteLine("Size of modulus {0}", rsaParams.Modulus.Length) ;
> Console.Write("rsaParams.Modulus = "); // the bytes themselves are printed by DisplayByteArray
> DisplayByteArray(rsaParams.Modulus);
> } //end Main

> and the exported rsaParams.Modulus.Length and the detailed modulus bytes exported
> are identical to oDec.certkeymodulus property extracted by GetCertPublicKey() method
> in DecryptTo.cs sample.

> Cheers,
> - Mitch Gallant

> "Johannes Resch" <jr@xor.at> wrote in message news:40124fd7$1@e-post.inode.at...
> > Hi Mitch,
> >
> > Michel Gallant wrote:
> > >
> > > I *can't* reproduce your results with the following code snippet. I get
> > identical
> > > properties for the first RSAParameters as for the exported 2nd object:
> >
> > [code snippet]
> >
> > > - Mitch Gallant
> >
> > Maybe I was a bit unclear - the way I do initialization of the
> > RSACryptoServiceProvider is like this (I need the private key part also
> > and haven't found a better way yet):
> >
> > CryptoAPI cA = new CryptoAPI();
> > if (holder == null)
> > throw new ArgumentNullException("holder", "passed null argument");
> >
> > if (cA.GetRecipientPVKProps(holder))
> > {
> > CspParameters cp = new CspParameters();
> > cp.KeyContainerName = cA.keycontainer;
> > cp.KeyNumber = cA.RSAkeytype;
> > RSACryptoServiceProvider oRSA = new RSACryptoServiceProvider(cp);
> > RSAParameters rsaParam = oRSA.ExportParameters(true); //for debugging
> > return oRSA;
> > }
> >
> > The "CryptoAPI" class corresponds to your class "DecryptTo", with a few
> > additions.
> >
> > I'm currently debugging through that code. The certificate opened has a
> > 4096 Bit PK.
> >
> > If I take a look at the objects from code snippet above before the
> > function returns, the internal states are the following:
> >
> > The "cA.recipcert" property has a public key with size of 526 byte, so
> > that seems to be sane for a 4096 bit public key.
> >
> > However, oRSA.ALG_TYPE_RSA is 1024 and oRSA.KeyLen is 1024.
> > rsaParam.Modulus is 128 Byte.
> >
> >
> > Any ideas?
> >
> >
> > Best Regards,
> > Johannes Resch

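The PRIVATEKEYBLOB route Johannes mentions, as an added example written for this thread (not code from either poster or from the DecryptTo.cs sample): it converts a CryptoAPI PRIVATEKEYBLOB into big-endian RSAParameters and then checks the private modulus against the certificate's public-key modulus, which is the consistency check that would have rejected the 1024-bit parameters before any signature was produced. It assumes the blob bytes were already obtained from CryptExportKey (the Q228786 steps) and that `certModulus` holds the raw modulus bytes of the certificate, with any leading 0x00 from the DER INTEGER encoding removed.

```csharp
using System;
using System.Security.Cryptography;

public class PrivateKeyBlob
{
    public static RSAParameters Parse(byte[] blob)
    {
        // BLOBHEADER: bType 0x07 = PRIVATEKEYBLOB, bVersion 0x02; RSAPUBKEY.magic = "RSA2"
        if (blob.Length < 20 || blob[0] != 0x07 || blob[1] != 0x02
            || BitConverter.ToUInt32(blob, 8) != 0x32415352)
            throw new CryptographicException("not an RSA PRIVATEKEYBLOB");
        int bitlen = BitConverter.ToInt32(blob, 12);
        uint pubexp = BitConverter.ToUInt32(blob, 16);
        int full = bitlen / 8, half = bitlen / 16;
        if (blob.Length < 20 + 2 * full + 5 * half)
            throw new CryptographicException("PRIVATEKEYBLOB is truncated");
        int pos = 20;
        RSAParameters p = new RSAParameters();
        p.Modulus  = Take(blob, ref pos, full);   // n
        p.P        = Take(blob, ref pos, half);   // prime1
        p.Q        = Take(blob, ref pos, half);   // prime2
        p.DP       = Take(blob, ref pos, half);   // exponent1 = d mod (p-1)
        p.DQ       = Take(blob, ref pos, half);   // exponent2 = d mod (q-1)
        p.InverseQ = Take(blob, ref pos, half);   // coefficient = q^-1 mod p
        p.D        = Take(blob, ref pos, full);   // privateExponent
        // pubexp is a little-endian DWORD; emit it big-endian with leading zeros stripped
        byte[] e = BitConverter.GetBytes(pubexp);
        Array.Reverse(e);
        int skip = 0;
        while (skip < 3 && e[skip] == 0) skip++;
        p.Exponent = new byte[4 - skip];
        Array.Copy(e, skip, p.Exponent, 0, 4 - skip);
        return p;
    }

    // Copy one little-endian field from the blob and reverse it to big-endian.
    static byte[] Take(byte[] src, ref int pos, int len)
    {
        byte[] r = new byte[len]; Array.Copy(src, pos, r, 0, len);
        Array.Reverse(r); pos += len; return r;
    }

    // Refuse to sign when the private modulus differs from the certificate's public modulus.
    public static bool MatchesCertificate(RSAParameters priv, byte[] certModulus)
    {
        if (priv.Modulus.Length != certModulus.Length) return false;
        for (int i = 0; i < certModulus.Length; i++)
            if (priv.Modulus[i] != certModulus[i]) return false;
        return true;
    }
}
```

Only after MatchesCertificate returns true should the parsed parameters be handed to RSACryptoServiceProvider.ImportParameters for signing; a false result is the same symptom the thread describes (a 128-byte modulus beside a 4096-bit certificate) and the signature would verify against nothing.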

