[Mono-list] certmgr problems

Sébastien Pouliot spouliot@videotron.ca
Sat, 18 Dec 2004 11:48:35 -0500

Hello Davy,

> Hi.. I'm trying to use certmgr to import an official Authenticode 
> (code-signing) cert from Verisign.
> I've created my .pfx file from my .csa and .pkv files and it's password 
> protected.
> This .pfx file can be read and added to the My store on win32 using M$'s 
> certmgr.exe
> Now I'm trying to add it to the My store on a linux box using mono's 
> certmgr.
> I run and get:
> $ certmgr -add -c My foo.pfx
> Mono Certificate Manager
> Copyright 2002, 2003 Motus Technologies. Copyright 2004 Novell. BSD 
> licensed.
> Unhandled Exception: 
> System.Security.Cryptography.CryptographicException: Invalid MAC - file 
> may have been tampered!
> in <0x005a9> Mono.Security.X509.PKCS12:.ctor (byte[],string)
> in <0x00012> Mono.Security.X509.PKCS12:.ctor (byte[])
> in <0x0005b> Mono.Security.X509.PKCS12:LoadFromFile (string)
> in <0x0022e> Mono.Tools.CertificateManager:LoadCertificates (string)
> in <0x00056> Mono.Tools.CertificateManager:Add (Mono.Tools.CertificateManager/ObjectType,Mono.Security.X509.X509Store,string,bool)
> in <0x0027f> Mono.Tools.CertificateManager:Main (string[])

The current code tries to open the file as a password-less PKCS12 file.
It should catch the exception and retry by asking for a password. This isn't
implemented because, even for a non-password-protected PKCS#12 file, only
the certificate is imported into the store (not the private key).

Note: Actually I hate passwords with .NET console applications as there 
is no portable way to hide them when typed on the console.

> I don't get prompted for a password or anything, but it's my 
> understanding that you need a password to do the PKCS12 decoding.

Yes, you're right. However, certmgr doesn't really expect to see a PKCS#12
file in this version of Mono.

The 1.0/1.1 framework support for X.509 certificates is limited (when
compared to what is possible with Win32 CryptoAPI). The current Mono
(both stable/unstable) certificate stores have the framework "limits"
built in. And this means that there is no relation between certificates 
and private keys.

Framework 2.0 (at least the 1.2 preview, 2.0 CTPs and betas) does a 
much better job at handling certificates and the related private keys.
So some (hopefully most) of these problems will be corrected when Mono
ships a (stable) 2.0 profile.

> Any help?

It depends on what you want to do.

To get your certificate into the store you'll need to export it as an
X.509 certificate (DER) from Windows, then import it using the Mono 
certmgr.exe tool.

But this won't help you to use signcode (to sign using your 
Authenticode certificate/key) because:

- signcode doesn't use the certificate store (as it wants the 
certificates in an SPC, PKCS#7, file);

- signcode uses PVK files for private keys or "key containers" (but
not PKCS#12 files). Now your private key, inside the PKCS#12 file, can
be converted to either format (preferably PVK, as it can still
be password protected), but that will require a little coding to 
convert it.

Note: Right now most of Mono's security tools (except certmgr) use
the same options as the corresponding MS tools. It makes sense, most of
the time, except when a tool is "somewhat" incomplete (e.g. signcode).
In that case you need additional tools, on Windows, that don't (yet,
or never will) exist for Mono.

It would be very nice of you to write a bug report for this situation
(http://bugzilla.ximian.com) and to include your own use case step by
step (e.g. what you received from Verisign, what you did on Windows, 
what you expected to do on Mono). I'll do my best to include a working
(or at least easier than coding your own) solution in the next Mono
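
The "catch the exception and retry with a password" flow described in the reply, as an added example that is not part of this message nor of Mono's own certmgr source. It uses the Mono.Security.X509.PKCS12 class seen in the stack trace and assumes Mono.Security.dll is referenced; the PfxImport class name and the Main/Open/ReadFile helpers are this example's own.

```csharp
// Added example, not from this message nor from Mono's own certmgr source.
// Opens a .pfx the way the reply says certmgr should: try without a password
// first, catch the "Invalid MAC" CryptographicException, then retry with one.
// Assumes Mono.Security.dll is referenced: mcs -r:Mono.Security pfximport.cs
using System;
using System.IO;
using System.Security.Cryptography;
using Mono.Security.X509;

class PfxImport {
    static byte[] ReadFile(string path) {
        using (FileStream fs = File.OpenRead(path)) {
            byte[] data = new byte[fs.Length];
            int read = 0;
            while (read < data.Length)
                read += fs.Read(data, read, data.Length - read);
            return data;
        }
    }

    // Password-less attempt first (what certmgr does today), then the retry.
    static PKCS12 Open(string path) {
        byte[] data = ReadFile(path);
        try {
            return new PKCS12(data);
        } catch (CryptographicException) {
            // The PKCS#12 MAC key is derived from the password, so a protected
            // .pfx always fails this way when opened with no password.
            Console.Write("PKCS#12 password: ");
            string password = Console.ReadLine(); // echoed: no portable way to hide it
            return new PKCS12(data, password);     // still throws if the password is wrong
        }
    }

    static void Main(string[] args) {
        PKCS12 p12 = Open(args[0]);
        // "My" maps to the current user's Personal store. Only certificates are
        // imported; the private key stays in the .pfx, which is why certmgr
        // alone cannot prepare a key for signcode.
        X509Store store = X509StoreManager.CurrentUser.Personal;
        foreach (X509Certificate cert in p12.Certificates) {
            Console.WriteLine("importing {0}", cert.SubjectName);
            store.Import(cert);
        }
        Console.WriteLine("{0} private key(s) in the file were not imported", p12.Keys.Count);
    }
}
```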