How to import PKCS1 keys from a PEM file containing Private / Public keys in .Net Core

Question

I am trying to load the Private and Public keys from a PEM file using .Net Core. My code looks like this:

var localPath = Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location);
var path = Path.Combine(localPath, this._configManager.JwtPem);
var rsaCryptoServiceProvider = new RSACryptoServiceProvider();

var linesList = File.ReadAllLines(path).ToList();
var line = string.Concat(linesList.GetRange(1, linesList.Count - 2));

rsaCryptoServiceProvider.ImportCspBlob(Convert.FromBase64String(line));

The exception I am getting is:

Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException : Bad Version of provider
   at Internal.NativeCrypto.CapiHelper.ImportKeyBlob(SafeProvHandle saveProvHandle, CspProviderFlags flags, Boolean addNoSaltFlag, Byte[] keyBlob, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.ImportCspBlob(Byte[] keyBlob)
   at StepNexusCA.ServiceLayer.Authorization.TokenService.GenerateToken(List`1 claims)

The PEM file containing the PKCS1 format of my development Private/Public keys is here:

Why can't I import the key using ImportCspBlob(...)? I have not found much info online regarding the exception but where is my code wrong? I am aware of BouncyCastle but I am trying to do this natively using .Net Core.

Very simply, you can't import it because it is not a supported format. — President James K. Polk, Nov 22 '18 at 16:34
But then what is the format supported? Not so clear here. https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.icspasymmetricalgorithm.importcspblob?view=netcore-2.1#System_Security_Cryptography_ICspAsymmetricAlgorithm_ImportCspBlob_System_Byte___ — VasilisP, Nov 22 '18 at 16:40
Not clear at all, is it? I believe the format is a Microsoft proprietary format that you'd get by calling ExportCspBlob. I'm not sure how to get from what you have, which is a PKCS#1 RSAPrivateKey object, into RSACryptoServiceProvider. — President James K. Polk, Nov 22 '18 at 16:48
If you are referring to the XML format and I have it all working using it. However the PKCS#1 format is industry accepted. I do not understand why MS is not supporting it... — VasilisP, Nov 22 '18 at 16:57
I think I read somewhere that one of these upcoming versions of .NET will support some of these more widely used formats, but I don't recall the details. — President James K. Polk, Nov 22 '18 at 17:02

score 9 · Accepted Answer · answered Nov 23 '18 at 00:18

The format for ImportCspBlob is the format from ExportCspBlob, which is the PRIVATEKEY blob format required by CryptImportKey. Since .NET just transparently passes that on to Windows CAPI, the ImportCspBlob method throws on non-Windows platforms.

Another answer that I've given in the past for importing private keys (including PKCS#1 RSAPrivateKey) is a bit of a meta-answer, which includes links to just get things working: Digital signature in c# without using BouncyCastle.

.NET Core 3.0's daily builds have the functionality built-in. Mostly. The PEM format is easy in practice, but somewhat annoying in the spec, so the methods leave it up to the caller to "un-PEM" the data... for the default formatting on a single-value payload with no attributes (like you have in your example) you can do it with daily builds via

private static RSA ReadKeyFromFile(string filename)
{
    string pemContents = System.IO.File.ReadAllText(filename);
    const string RsaPrivateKeyHeader = "-----BEGIN RSA PRIVATE KEY-----";
    const string RsaPrivateKeyFooter = "-----END RSA PRIVATE KEY-----";

    if (pemContents.StartsWith(RsaPrivateKeyHeader))
    {
        int endIdx = pemContents.IndexOf(
            RsaPrivateKeyFooter,
            RsaPrivateKeyHeader.Length,
            StringComparison.Ordinal);

        string base64 = pemContents.Substring(
            RsaPrivateKeyHeader.Length,
            endIdx - RsaPrivateKeyHeader.Length);

        byte[] der = Convert.FromBase64String(base64);
        RSA rsa = RSA.Create();
        rsa.ImportRSAPrivateKey(der, out _);
        return rsa;
    }

    // "BEGIN PRIVATE KEY" (ImportPkcs8PrivateKey),
    // "BEGIN ENCRYPTED PRIVATE KEY" (ImportEncryptedPkcs8PrivateKey),
    // "BEGIN PUBLIC KEY" (ImportSubjectPublicKeyInfo),
    // "BEGIN RSA PUBLIC KEY" (ImportRSAPublicKey)
    // could any/all be handled here.
    throw new InvalidOperationException();
}

Daily builds of the .NET Core SDK can be obtained from https://github.com/dotnet/core-sdk/#installers-and-binaries

Thanks for the answer. Are you suggesting this is not possible with .Net Core 2.1? Is that why I cannot resolve ImportRSAPrivateKey(...) or is that your own extension method? — VasilisP, Nov 23 '18 at 15:57
The method is new in .NET Core 3.0; .NET Core 2.1 doesn’t have built in public API for it — bartonjs, Nov 23 '18 at 17:16
Thank you. Obviously, that means I have to rely on a beta release to go to production. I expect once v3 is out, I will revisit this area. Thank you for your help. — VasilisP, Nov 29 '18 at 16:56

score 1 · Answer 2 · answered Jul 10 '19 at 05:27

1

There are a lot of Convert PEM to XML online tools, just convert your pem to xml, then

RSA.FromXmlString(string xmlString)

answered Jul 10 '19 at 05:27

huang

919
11
22

Lucas Martins · Answer 3 · 2018-11-23T01:25:52.200

0

If you don't need to convert from PEM to DER in the code, you can use openssl to get the DER encoded private key file:

openssl rsa -in key.pem -out key.der -outform der

edited Nov 23 '18 at 01:25

answered Nov 23 '18 at 01:19

Lucas Martins

553
3
8

score 0 · Answer 4 · answered Nov 29 '18 at 14:48

The .Net Cryptographic API does not support the industry widely used PEM files so we need to convert it to the XML format, introduced by Microsoft. Basically, the solution was found in another similar question here C# Extract public key from RSA PEM private key.

How to import PKCS1 keys from a PEM file containing Private / Public keys in .Net Core

4 Answers4

Linked