SV: [Mono-list] Problem with crypto in assembly wrapped in COM

Hellan.Kim KHE KHE at kmd.dk
Tue Feb 14 04:44:46 EST 2006 

Hi again

We have been investigating this some more. Apparently the problem is "working as intended". Why it is so, is described here:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;322371

The solution is, instead of using:
  RSA rsa = RSA.Create();
use this:
  CspParameters CSPParam = new CspParameters();
  CSPParam.Flags = CspProviderFlags.UseMachineKeyStore;
  RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(CSPParam);
or maybe this:
  RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
  rsa.UseMachineKeyStore = true;

I don't think there is any way around this, other than to fix the Mono code as you (Sebastien) suggested.
Fortunately I think it is only in a few files that you do the RSA.Create(), and call ImportParameters() afterwards.

If you decide to make the fix, we would be happy to test it with our COM wrapped assembly immediately.
If you want a bugzilla report to initiate it, let me know and I will make one.

Thanks,
Kim


-----Oprindelig meddelelse-----
Fra: mono-list-bounces at lists.ximian.com [mailto:mono-list-bounces at lists.ximian.com] På vegne af Hellan.Kim KHE
Sendt: 10. februar 2006 09:35
Til: sebastien.pouliot at gmail.com
Cc: mono-list at lists.ximian.com
Emne: SV: [Mono-list] Problem with crypto in assembly wrapped in COM

Hi Sebastien,

Thank you for answering.
I didn't mean that Mono should adapt our code, it was just to show
something that worked for us.
We will try to see if we can find a solution for this problem.
I'll let you know what we find.

/Kim

-----Oprindelig meddelelse-----
Fra: Sebastien Pouliot [mailto:sebastien.pouliot at gmail.com] 
Sendt: 8. februar 2006 15:24
Til: Hellan.Kim KHE
Cc: mono-list at lists.ximian.com
Emne: Re: [Mono-list] Problem with crypto in assembly wrapped in COM

Hello Kim,

On Wed, 2006-02-08 at 13:24 +0100, Hellan.Kim KHE wrote:
> We have an assembly containing crypto functionality (X.509
certificates,
> PKCS#12, PKCS#7...) from Mono.Security.dll. So far it has been running
> fine in both WinForm and Webform environments (.NET 2.0).
> We have had to wrap this assembly in COM to allow it to be run from
old
> ASP platforms.

Nice. As far as I know you're the first to use Mono.Security.dll via
COM. I'm glad it works (even if not completely ;-)

> We now get the following errors when the .NET/COM component is called
> from a webpage:
> 
> Error: exception=System.Security.Cryptography.CryptographicException:
> The system cannot find the file specified.
> 
>    at
System.Security.Cryptography.Utils.CreateProvHandle(CspParameters
> parameters, Boolean randomKeyContainer)
>    at
>
System.Security.Cryptography.RSACryptoServiceProvider.ImportParameters(R
> SAParameters parameters)
>    at Mono.Security.Cryptography.PKCS8.PrivateKeyInfo.DecodeRSA(Byte[]
> keypair)
>    at Mono.Security.X509.PKCS12.AddPrivateKey(PrivateKeyInfo pki)
>    at Mono.Security.X509.PKCS12.ReadSafeBag(ASN1 safeBag)
>    at Mono.Security.X509.PKCS12.Decode(Byte[] data)
>    at Mono.Security.X509.PKCS12.LoadFromFile(String filename, String
> password)
> ....
> ....
> 
> 
> I have a theory what is happening...
> In DecodeRSA() you have the following lines:
> 
> RSA rsa = RSA.Create ();
> rsa.ImportParameters (param);
> 
> I have seen before that ImportParameters() had problems in
> webapplications, because it apparently tries to access some keystores,
> that the IIS user does not have access to. A COM wrapped assembly
> probably have even less rights than a standalone assembly.
> This is the code I used instead in my application to solve the
problem:

Yes. Even if the .NET API makes key containers optional (for importing
or using keyparis), MS implementation is dependent on CryptoAPI, which
is dependent on the key stores, which depends on the current user (and
its permissions).

> CspParameters CSPParam = new CspParameters();
> CSPParam.Flags = CspProviderFlags.UseMachineKeyStore;
> RSACryptoServiceProvider rsa;
> if(System.Web.HttpContext.Current == null)	// WinForm
>   rsa = new RSACryptoServiceProvider();
> else			// WebForm - Uses Machine store for keys
>   rsa = new RSACryptoServiceProvider(CSPParam);
> rsa.ImportParameters(rsaParam);

This will work for your own code. However Mono can't adopt this as this
would make Mono.Security.dll depends on System.Web (and create more
circular dependencies on Mono).

> Has anyone else had this problem and do you have a solution for it?

This is a well known problem (on Windows + .NET crypto). IIRC there is a
few knowledge base article on the subject. It is also a common question
on MS newsgroups. 

> Maybe you have to change some security settings in .NET or elsewhere
to
> allow this...I don't know.

Google should find them easily (kb + newsgroups). There may be a "fix"
for this. IIRC there was one .config trick that I think it works only
for WSE stuff... but I may be wrong.

> I'm a bit stuck since I can't control what Mono is doing.

Please do look at Google and see if and how this can be fixed. It would
be nice to report the finding on this mailing-list (i.e. giving Google
another chance to index the answer ;-).

If a fix isn't possible then I think I could change Mono.Security's
source code to trap the first ImportParameters for a
CryptographicException, then re-try the ImportParameters using the
UseMachineKeyStore (as a second/last chance).
-- 
Sebastien Pouliot  <sebastien at ximian.com>
Blog: http://pages.infinit.net/ctech/





_______________________________________________________________________________________
www.kmd.dk   www.kundenet.kmd.dk   www.eboks.dk   www.civitas.dk   www.netborger.dk www.organisator.dk

Hvis du har modtaget denne mail ved en fejl vil jeg gerne, at du informerer mig og sletter den.
KMD skaber it-services, der fremmer effektivitet hos det offentlige, erhvervslivet og borgerne.

If you received this e-mail by mistake, please notify me and delete it. Thank you.
Our mission is to enhance the efficiency of the public sector and improve its service of the general public. 

_______________________________________________
Mono-list maillist  -  Mono-list at lists.ximian.com
http://lists.ximian.com/mailman/listinfo/mono-list




_______________________________________________________________________________________
www.kmd.dk   www.kundenet.kmd.dk   www.eboks.dk   www.civitas.dk   www.netborger.dk www.organisator.dk

Hvis du har modtaget denne mail ved en fejl vil jeg gerne, at du informerer mig og sletter den.
KMD skaber it-services, der fremmer effektivitet hos det offentlige, erhvervslivet og borgerne.

If you received this e-mail by mistake, please notify me and delete it. Thank you.
Our mission is to enhance the efficiency of the public sector and improve its service of the general public. 





_______________________________________________________________________________________
www.kmd.dk   www.kundenet.kmd.dk   www.eboks.dk   www.civitas.dk   www.netborger.dk www.organisator.dk

Hvis du har modtaget denne mail ved en fejl vil jeg gerne, at du informerer mig og sletter den.
KMD skaber it-services, der fremmer effektivitet hos det offentlige, erhvervslivet og borgerne.

If you received this e-mail by mistake, please notify me and delete it. Thank you.
Our mission is to enhance the efficiency of the public sector and improve its service of the general public.

More information about the Mono-list mailing list