[Mono-dev] certmgr problem
Neale Ferguson
neale at sinenomine.net
Mon Oct 19 15:07:49 UTC 2015
Further to this problem. This is how the certs/keys were created. It all
works under Windows including the certmgr —importKey but always gives the
MAC error on mono:
makecert.exe -n "CN=MonoTestCA" -cy authority -a sha1 -len 2048 -pe -r -sv MonoTestCA.pvk MonoTestCA.cer
makecert.exe -n "CN=MonoTestCert" -b 01/01/2000 -e 12/31/2039 -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.3,1.3.6.1.5.5.7.3.4,1.3.6.1.5.5.7.3.5,1.3.6.1.5.5.7.3.6,1.3.6.1.5.5.7.3.7,1.3.6.1.5.5.7.3.8,1.3.6.1.5.5.7.3.9 -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -ic MonoTestCA.cer -iv MonoTestCA.pvk -a sha1 -len 2048 -pe -sky exchange -sv MonoTestCert.pvk MonoTestCert.cer
pvk2pfx.exe -pvk MonoTestCert.pvk -spc MonoTestCert.cer -pfx MonoTestCert.pfx
I took the above makecert commands and, allowing for options not supported
on Mono, ran them on Linux. I transported the resulting files back to
Windows so I could run the pvk2pfx and then attempted to import that key
back on Mono.
Neale
On 10/16/15, 12:35 PM, "Neale Ferguson" <neale at sinenomine.net> wrote:
>When running certmgr to import a key I am getting the following error:
>
>System.Security.Cryptography.CryptographicException: Invalid MAC - file
>may have been tampered!
>
>
>I have verified that the key is ok:
>
>[neale at lneale3 - mono] openssl pkcs12 -info -in /tmp/MonoTestCert.pfx
>Enter Import Password:
>MAC Iteration 2000
>MAC verified OK
>PKCS7 Data
>Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
>Bag Attributes
> localKeyID: 01 00 00 00
> Microsoft CSP Name: Microsoft Strong Cryptographic Provider
> friendlyName: PvkTmp:171f74c0-49c3-484a-90c0-a9453b04e318
>Key Attributes
> X509v3 Key Usage: 10
>
>
>The calculated MAC that PKCS12.cs is generating is quite different. I
>added some debug code:
>
>MAC does not match calculated MAC
> Lengths: 20 20
>57 AF 88 DD B6 40 07 24 56 A3 71 1C 25 F1 A9 8F 46 D0 E5 BA
>A7 4A 04 50 E5 67 39 5E D9 A6 B7 86 3D 00 09 DE 57 4F 2C FC
>
>
>Is this a known limitation of mono or some error on my part?
>
>Neale
>
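For readers following the thread, this is how a PKCS#12 MAC is computed (RFC 7292, Appendix B key derivation with ID 3, then HMAC-SHA1), written as an added example that is not part of the original message and is not Mono's PKCS12.cs. The salt, password and content bytes are constructed; the helper names are hypothetical. It shows that two MACs of equal length (as in "Lengths: 20 20") differ as soon as any derivation input differs, here the BMPString password encoding with and without its terminating NUL.

```python
# Added example: PKCS#12 MAC key derivation (RFC 7292, Appendix B) with HMAC-SHA1.
import hashlib
import hmac

def bmp(password, terminator=True):
    """Encode a password as a BMPString (UTF-16BE), optionally NUL-terminated."""
    return password.encode("utf-16-be") + (b"\x00\x00" if terminator else b"")

def pkcs12_kdf(pw, salt, iterations, purpose_id, n, algo="sha1"):
    """RFC 7292 B.2 derivation; purpose_id 3 selects MAC key material."""
    h = hashlib.new(algo)
    u, v = h.digest_size, h.block_size           # 20 and 64 bytes for SHA-1

    def fill(data):                              # repeat data up to a multiple of v
        if not data:
            return b""
        size = v * -(-len(data) // v)
        return (data * (size // len(data) + 1))[:size]

    d = bytes([purpose_id]) * v
    i_buf = bytearray(fill(salt) + fill(pw))
    out = b""
    while len(out) < n:
        a = hashlib.new(algo, d + bytes(i_buf)).digest()
        for _ in range(iterations - 1):          # hash is applied `iterations` times
            a = hashlib.new(algo, a).digest()
        out += a
        b_plus_1 = int.from_bytes((a * (v // u + 1))[:v], "big") + 1
        for j in range(0, len(i_buf), v):        # I_j = (I_j + B + 1) mod 2^(8v)
            block = (int.from_bytes(i_buf[j:j + v], "big") + b_plus_1) % (1 << (8 * v))
            i_buf[j:j + v] = block.to_bytes(v, "big")
    return out[:n]

def pkcs12_mac(pw, salt, iterations, auth_safe):
    """HMAC-SHA1 over the AuthenticatedSafe bytes with the derived 20-byte key."""
    key = pkcs12_kdf(pw, salt, iterations, 3, 20)
    return hmac.new(key, auth_safe, hashlib.sha1).digest()

# Constructed inputs (not taken from the PFX in the thread).
SALT = bytes(range(8))
CONTENT = b"constructed AuthenticatedSafe bytes"
ITERATIONS = 2000                                # same count as "MAC Iteration 2000"

def compare(password):
    """Return the MAC for the NUL-terminated and the unterminated encoding."""
    with_nul = pkcs12_mac(bmp(password), SALT, ITERATIONS, CONTENT)
    without = pkcs12_mac(bmp(password, False), SALT, ITERATIONS, CONTENT)
    return with_nul, without

if __name__ == "__main__":
    for mac in compare("secret"):
        print(len(mac), mac.hex(" ").upper())
```

When comparing a stored MAC against a computed one, dump the salt, iteration count, encoded password bytes and the exact content bytes fed to the HMAC on both sides; a mismatch in any of them produces output like the two lines above.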