
Is there an easy-to-use (from .NET) and commonly accepted file format for saving encryption keys (mainly asymmetric keys: public and public/private)? Does an API exist to create such files in .NET (any version)?

I have looked at certificates, but this seems to be overkill for only saving keys and, as far as I have seen, not very easy to create.

HCL
  • Certificates, in one of several formats for the same data, *are* the commonly accepted file format for public (or public + private) keys. Be careful about reinventing the wheel badly. – Richard May 29 '11 at 10:27
  • @Richard: I have searched for a solution in .NET, but all the solutions I have found on the internet automate NGen for creating the certificates. Besides this, certificates contain a lot of information (trust hierarchies, company information...) which is in my case superfluous. I only want to save 1 or 2 keys. Is a certificate really the right thing for this (sorry for the trivial question, I'm a newbie)? If it is, is there an API besides the automation of NGen? And which certificate type should I choose for this? – HCL May 29 '11 at 10:32
  • You have two options: 1. Use a commonly accepted file format -- that means certificates. 2. invent your own package. The second option will not be commonly accepted and crypto is very hard to get right so you'll find -- should the format be seriously attacked -- any protections can be bypassed. – Richard May 29 '11 at 10:35
  • Putty and SSH use relatively simple file formats which don't contain much additional information beyond the keys. – CodesInChaos May 29 '11 at 10:43
  • To create an `X509Certificate2` see [this Q](http://stackoverflow.com/questions/6128541/bouncycastle-privatekey-to-x509certificate2-privatekey) which uses [this library](http://www.bouncycastle.org/csharp/). – Richard May 29 '11 at 10:49
  • @Richard: certificates DO NOT contain private keys. They're public information only. Microsoft has somehow decided to model the association of certificate + private key into a single class `X509Certificate2`, but that has nothing to do with the certificate file format. – Bruno May 29 '11 at 10:52
  • @Bruno: certificates can certainly contain private keys (e.g. when you get a code signing certificate from a CA, or when transferring a server cert from one server to another). – Richard May 29 '11 at 10:57
  • @Richard, this is the distinction between the certificate and the private key. The certificate is what has been signed by the CA (the public key + identifying data and attributes). When you get a certificate from a CA, you generate a private key locally, sign a certificate request (CSR, or in-browser equivalent), submit it to the CA which validates your identity and sends you back the certificate it has issued. Then you bundle certificate + private key into whatever format you choose (e.g. PKCS#12). – Bruno May 29 '11 at 11:04
  • @Bruno: I see what you mean... I agree I wasn't careful to distinguish the data format from "certificate", on the other hand in the context of this Q the distinction is unhelpful. – Richard May 29 '11 at 11:22
  • @Richard, actually, knowing the distinction between certificate and private key is helpful to anyone who uses them. The fact that .Net mixes up the terminology doesn't help. The problem is that users must know the difference between the two, otherwise, some will end up publishing their private key (which they should really protect) along with their certificate (which they can publish as much as they want). This does happen, unfortunately. – Bruno May 29 '11 at 11:27

1 Answer


One of the most common formats used to store the combination of a chain of certificates (or just one certificate) and its associated private key is PKCS#12: it tends to use the extension .p12 or .pfx. Most browsers use this.

Alternatively, some tools use the PKCS#1 format (openssl rsa does, for example), if you just want the private key. (OpenSSL also supports PKCS#8.)

Both can be encrypted and protected by a password.

You should be able to use BouncyCastle to export them. (You might be interested in this question.)

EDIT: To be more specific, you could use `Org.BouncyCastle.OpenSsl.PemWriter` (`WriteObject` with a password can be used to protect the private key). It will also let you export a plain public key (without having to rely on certificates).

Bruno
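The following is an added example (not code from the question, the answer, or the BouncyCastle project) showing what the answer describes in practice: an RSA key pair is written with `PemWriter` as a password-protected PKCS#1 private-key PEM plus a plain public-key PEM, read back with `PemReader`, and checked with a sign/verify round trip. It assumes the BouncyCastle C# library is referenced; the file names, the demo pass-phrase and the `StaticPassword` helper are constructed for the example.

```csharp
// Added example: round-trip an RSA key pair through PEM files with BouncyCastle.
// Assumes the BouncyCastle C# library (Org.BouncyCastle.*) is referenced.
using System;
using System.IO;
using System.Text;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Security;

// Constructed helper: PemReader asks an IPasswordFinder for the pass-phrase
// when it encounters an encrypted ("Proc-Type: 4,ENCRYPTED") PEM block.
sealed class StaticPassword : IPasswordFinder
{
    private readonly char[] _password;
    public StaticPassword(string password) { _password = password.ToCharArray(); }
    public char[] GetPassword() => (char[])_password.Clone();
}

static class PemKeyStore
{
    // Private key: PKCS#1 "-----BEGIN RSA PRIVATE KEY-----", encrypted under the pass-phrase.
    // Public key:  SubjectPublicKeyInfo "-----BEGIN PUBLIC KEY-----", no certificate involved.
    public static void Save(AsymmetricCipherKeyPair pair, string privPath, string pubPath, string password)
    {
        using (var w = new StreamWriter(privPath, false, Encoding.ASCII))
        {
            var pem = new PemWriter(w);
            pem.WriteObject(pair.Private, "AES-256-CBC", password.ToCharArray(), new SecureRandom());
        }
        using (var w = new StreamWriter(pubPath, false, Encoding.ASCII))
        {
            new PemWriter(w).WriteObject(pair.Public);
        }
    }

    public static AsymmetricCipherKeyPair LoadPrivate(string path, string password)
    {
        using (var r = new StreamReader(path))
            return (AsymmetricCipherKeyPair)new PemReader(r, new StaticPassword(password)).ReadObject();
    }

    public static AsymmetricKeyParameter LoadPublic(string path)
    {
        using (var r = new StreamReader(path))
            return (AsymmetricKeyParameter)new PemReader(r).ReadObject();
    }
}

static class Program
{
    static void Main()
    {
        var gen = new RsaKeyPairGenerator();
        gen.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
        AsymmetricCipherKeyPair pair = gen.GenerateKeyPair();

        // Constructed demo paths and pass-phrase; a real deployment keeps the
        // private-key file readable by its owner only and the pass-phrase out of source.
        string priv = Path.Combine(Path.GetTempPath(), "demo_rsa_private.pem");
        string pub = Path.Combine(Path.GetTempPath(), "demo_rsa_public.pem");
        const string password = "change-me";

        PemKeyStore.Save(pair, priv, pub, password);

        // Round trip: sign with the reloaded private key, verify with the reloaded public key.
        byte[] msg = Encoding.UTF8.GetBytes("hello");
        ISigner signer = SignerUtilities.GetSigner("SHA256withRSA");
        signer.Init(true, PemKeyStore.LoadPrivate(priv, password).Private);
        signer.BlockUpdate(msg, 0, msg.Length);
        byte[] sig = signer.GenerateSignature();

        ISigner verifier = SignerUtilities.GetSigner("SHA256withRSA");
        verifier.Init(false, PemKeyStore.LoadPublic(pub));
        verifier.BlockUpdate(msg, 0, msg.Length);
        Console.WriteLine(verifier.VerifySignature(sig) ? "signature verified" : "verification FAILED");

        // A wrong pass-phrase does not silently yield a key: decryption or the
        // subsequent ASN.1 parse fails and PemReader throws.
        try { PemKeyStore.LoadPrivate(priv, "wrong"); }
        catch (Exception e) { Console.WriteLine("wrong pass-phrase rejected: " + e.GetType().Name); }
    }
}
```

The encrypted file is the one to guard; the public-key PEM can be handed out freely, which is exactly the certificate-versus-private-key distinction made in the comments above. If a PKCS#8 container is preferred over PKCS#1, BouncyCastle's `Pkcs8Generator` can be passed to the same `PemWriter` instead of the raw key object.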