[Mono-dev] certmgr problem

Neale Ferguson neale at sinenomine.net
Mon Oct 19 15:07:49 UTC 2015


Further to this problem. This is how the certs/keys were created. It all
works under Windows including the certmgr -importKey but always gives the
MAC error on mono:

makecert.exe -n "CN=MonoTestCA" -cy authority -a sha1 -len 2048 -pe -r -sv MonoTestCA.pvk MonoTestCA.cer

makecert.exe -n "CN=MonoTestCert" -b 01/01/2000 -e 12/31/2039 -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4,1.3.6.1.5.5.7.3.5,1.3.6.1.5.5.7.3.6,1.3.6.1.5.5.7.3.7,1.3.6.1.5.5.7.3.8,1.3.6.1.5.5.7.3.9 -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -ic MonoTestCA.cer -iv MonoTestCA.pvk -a sha1 -len 2048 -pe -sky exchange -sv MonoTestCert.pvk MonoTestCert.cer

pvk2pfx.exe -pvk MonoTestCert.pvk -spc MonoTestCert.cer -pfx MonoTestCert.pfx

I took the above makecert commands and, allowing for options not supported
on mono, ran them on Linux. I transported the resulting files back to
Windows so I could run the pvk2pfx and then attempted to import that key
back on mono.


Neale



On 10/16/15, 12:35 PM, "Neale Ferguson" <neale at sinenomine.net> wrote:

>When running certmgr to import a key I am getting the following error:
>
>System.Security.Cryptography.CryptographicException: Invalid MAC - file
>may have been tampered!
>
>
>I have verified that the key is ok:
>
>[neale at lneale3 - mono] openssl pkcs12 -info -in /tmp/MonoTestCert.pfx
>Enter Import Password:
>MAC Iteration 2000
>MAC verified OK
>PKCS7 Data
>Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
>Bag Attributes
>    localKeyID: 01 00 00 00
>    Microsoft CSP Name: Microsoft Strong Cryptographic Provider
>    friendlyName: PvkTmp:171f74c0-49c3-484a-90c0-a9453b04e318
>Key Attributes
>    X509v3 Key Usage: 10
>
>
>The calculated MAC that PKCS12.cs is generating is quite different. I
>added some debug code:
>
>MAC does not match calculated MAC
>	Lengths: 20 20
>57 AF 88 DD B6 40 07 24 56 A3 71 1C 25 F1 A9 8F 46 D0 E5 BA
>A7 4A 04 50 E5 67 39 5E D9 A6 B7 86 3D 00 09 DE 57 4F 2C FC
>
>
>Is this a known limitation of mono or some error on my part?
>
>Neale
>
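
For reference when comparing a stored MAC with a calculated one, as in the debug output above, this is how RFC 7292 defines the PKCS#12 integrity MAC with SHA-1. It is an added example, not code from this thread or from Mono's PKCS12.cs; the function names and the set of candidate password encodings are assumptions chosen for illustration, and it does not identify the cause of the failure reported here.

```python
import hashlib
import hmac

U, V = 20, 64  # SHA-1 digest size and block size, in bytes


def bmp_password(password):
    """Standard PKCS#12 form: UTF-16BE (BMPString) plus a two-byte NUL."""
    return password.encode("utf-16-be") + b"\x00\x00"


def _fill(data):
    """Repeat data up to the next multiple of V bytes; empty stays empty."""
    if not data:
        return b""
    size = V * ((len(data) + V - 1) // V)
    return (data * (size // len(data) + 1))[:size]


def pkcs12_kdf(pw_bytes, salt, iterations, purpose_id, n):
    """RFC 7292 Appendix B.2 derivation with SHA-1; purpose_id 3 = MAC key."""
    diversifier = bytes([purpose_id]) * V
    state = bytearray(_fill(salt) + _fill(pw_bytes))
    out = b""
    while len(out) < n:
        a = hashlib.sha1(diversifier + bytes(state)).digest()
        for _ in range(iterations - 1):
            a = hashlib.sha1(a).digest()
        out += a
        b_plus_1 = int.from_bytes(_fill(a), "big") + 1
        for j in range(0, len(state), V):  # I_j = (I_j + B + 1) mod 2^(8V)
            total = int.from_bytes(state[j:j + V], "big") + b_plus_1
            state[j:j + V] = (total % (1 << 8 * V)).to_bytes(V, "big")
    return out[:n]


def pkcs12_mac(pw_bytes, salt, iterations, auth_safe):
    """HMAC-SHA1 over the authSafe content octets, keyed by the derived key."""
    key = pkcs12_kdf(pw_bytes, salt, iterations, 3, U)
    return hmac.new(key, auth_safe, hashlib.sha1).digest()


def matching_encodings(password, salt, iterations, auth_safe, stored_mac):
    """Names of the (illustrative) password encodings whose MAC matches."""
    candidates = {
        "bmp+nul": bmp_password(password),
        "bmp": password.encode("utf-16-be"),
        "utf-8": password.encode("utf-8"),
    }
    return [name for name, pw in candidates.items()
            if hmac.compare_digest(pkcs12_mac(pw, salt, iterations, auth_safe), stored_mac)]
```

The salt, iteration count, stored MAC and authSafe content octets come from the MacData and ContentInfo structures of the .pfx; an empty password encoded as two zero bytes and one encoded as zero bytes yield different MACs.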


