[Mono-dev] Adding privatekey support to X509Store

Pablo Ruiz pablo.ruiz at gmail.com
Wed Oct 20 10:06:48 EDT 2010

Hi Sebastien,

Great you replied, as you were the first one on my (short) list of 'people
to ask in case of emergency' ;)

Actually my (medium-long term) goal it's adding support for non-software
based crypto devices to mono, however I know this it's not a simple task to
undertake, so I will try to implement it on a step-by-step basis.

In fact, here it's, an initial short list of what I would like to do, it's
an initial list of goals, which has not been analyzed in deep.. so any
comment/ideas/proposals would be great:

   - Adding (software-based) privateKey support to X509Stores, so one can
   get an X509Certificate2 from an store and sign with it, just the same way it
   works in MS.Net.
   - Adding privateKey support to X509Stores, but using some sort of
   provider model, similar to what has been done at mono's System.Messaging,
   allowing user to switch certificate store's (or *CryptoServiceProvider's)
   implementation.. (and or allowing us to have different x509store mechanism
   on different OSs)
   - Implementing one of such x509store/CSP sub-systems which allows to use
   a hardware HSM, maybe by using pkcs11 or openssl-engine under the hood.

I already have knowledge on x509 programing on both win32 (c++/.net) and
linux/openssl, however, as you said, how things are assembled in mono can be
challenging as AFAIK there's also support for MacOSX/iPhone/etc.

As such, being able to add support for (software based) privateKey handling
to X509Stores looks like an not-so-hard initial task which will allow me to
start hacking around Mono.Security & System.Security so I can learn how all
those bits are put in place on mono.

I have already started hacking a bit, and by now I have it's just added (to
Mono.Security.dll) the ability to store private key's along with public x509
certificate files, however I have a few doubts which:

   - My initial idea was extending Mono.Security.X509.X509Store::Import so
   if a certificate with exportable parameters are passed as input, it will
   create (along with the DER certificate file) a new file ($UniqueName$.key),
   which will contain the PKCS8 privateKey (encrypted using
   ProtectedData.Protect). Obviously when accessing the certificate, the
   oposite operation will be done to return a certificate with it's
   corresponding privateKey if available.. However, I'm not completelly sure
   about this approach.. ¿any recomendation in this area?
   - Also, I would like to control which key's cannot be exported (just the
   same as on win32), where would you store this infomartion (a bool or
   something indicating that a key it's exportable).. ¿a $UniqueName$.xml file
   along with cert and key?
   - Also, I have doubts about how to associate certs and privateKeys within
   the store. My current solution looks great for software based privateKey,
   however, if/when at some point we do support hardware based privateKey.. how
   can our X509Store know that a certificate's privateKey it's 'usable' by
   using one specific x509-provider? Just storing this info on an ¿XML? file
   along with the certificate itself seems a viable solution, but I would like
   to share ideas with others..
   - As far as I can see, a few Mono.Security's classes (X509Store among
   them) are duplicated at mcs/class/corlib/Mono.Security.X509/.. ¿should I
   copy my updated classes back to corlib/Mono.Security.X509?
   - Regarding RSAManaged and RSACryptoServiceProvider, I know that on MS
   side of things, X509Certificate2 has a CAPI binding (via PrivateKey
   property) to the CSP store which holds the certificate (and it's
   privateKey).. Right now I have not made a deep analisys of what it's the
   best path to provide the same functionality, and any pointer on this subject
   would be great ;)

This is what I have by now.. but undoubtly more issues will come.. ;)

I'm also available at irc (#mono) and I guess I will ask you some questions
there at some point, however, I will submit of our conclusions here, of
course ;)


On Wed, Oct 20, 2010 at 2:33 PM, Sebastien Pouliot <
sebastien.pouliot at gmail.com> wrote:

> Hello Pablo,
> On Wed, 2010-10-20 at 00:23 +0200, Pablo Ruiz wrote:
> > Hi,
> >
> >
> > I'm thinking on adding privateKey support for Mono.Security.X509Store,
> > so it can be (later) used as part of
> > System.Security.Cryptography.X509Certificates (on 2.0+). This is one
> > of the x509 related improvements I would like to add to mono's trunk.
> >
> >
> > However, I would like to discuss (by email and/or irc?) some of the
> > details first with some core member (some sort of mentoring) in order
> > to start in a good direction.
> You can either discuss this here, on this mailing-list, since it will
> leave a google-able trace of the discussion. Otherwise you can try to
> ping me on IRC (e.g. #monodev on GIMPNet) and we can post a resume later
> here.
> There are quite a few things to be aware in order to implement this
> (since it involves OS level features, tools and the class libraries). I
> think the best step would be, for you, to describe your understanding of
> the issues and I'll fill the blanks (in any :-).
> Thanks,
> Sebastien
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ximian.com/pipermail/mono-devel-list/attachments/20101020/39a21e85/attachment-0001.html 

More information about the Mono-devel-list mailing list