internal static ECDsa MakeExportable(this ECDsa ecdsa)
{
if (ecdsa is ECDsaCng dsaCng)
{
const CngExportPolicies Exportability =
CngExportPolicies.AllowExport |
CngExportPolicies.AllowPlaintextExport;
if ((dsaCng.Key.ExportPolicy & Exportability) == CngExportPolicies.AllowExport)
{
ECDsa copy = ECDsa.Create();
copy.ImportEncryptedPkcs8PrivateKey(
nameof(MakeExportable),
ecdsa.ExportEncryptedPkcs8PrivateKey(
nameof(MakeExportable),
new PbeParameters(
PbeEncryptionAlgorithm.TripleDes3KeyPkcs12,
HashAlgorithmName.SHA1,
2048)),
out _);
return(copy);
}
}
return(ecdsa);
}
/// <summary>
/// Returns a byte array containing the private key in PEM format.
/// </summary>
public static byte[] ExportPrivateKeyAsPEM(
X509Certificate2 certificate,
string password = null
)
{
byte[] exportedPkcs8PrivateKey = null;
using (RSA rsaPrivateKey = certificate.GetRSAPrivateKey())
{
if (rsaPrivateKey != null)
{
// write private key as PKCS#8
exportedPkcs8PrivateKey = String.IsNullOrEmpty(password) ?
rsaPrivateKey.ExportPkcs8PrivateKey() :
rsaPrivateKey.ExportEncryptedPkcs8PrivateKey(password.ToCharArray(),
new PbeParameters(PbeEncryptionAlgorithm.TripleDes3KeyPkcs12, HashAlgorithmName.SHA1, 2000));
}
else
{
using (ECDsa ecdsaPrivateKey = certificate.GetECDsaPrivateKey())
{
if (ecdsaPrivateKey != null)
{
// write private key as PKCS#8
exportedPkcs8PrivateKey = String.IsNullOrEmpty(password) ?
ecdsaPrivateKey.ExportPkcs8PrivateKey() :
ecdsaPrivateKey.ExportEncryptedPkcs8PrivateKey(password.ToCharArray(),
new PbeParameters(PbeEncryptionAlgorithm.TripleDes3KeyPkcs12, HashAlgorithmName.SHA1, 2000));
}
}
}
}
return(EncodeAsPEM(exportedPkcs8PrivateKey,
String.IsNullOrEmpty(password) ? "PRIVATE KEY" : "ENCRYPTED PRIVATE KEY"));
}
private ECParameters PlaintextExportParametersIncludingPrivateRegardlessOfExportPolicy(ECDsa ecdsaKey)
{
if (ecdsaKey is ECDsaCng ecdsaCng && CngKeyNeedsPlaintextWorkaround(ecdsaCng.Key))
{
EnsureCanBeExported(ecdsaCng.Key);
// Workaround if AllowExport is set, but missing AllowPlaintextExport
var password = Encoding.UTF8.GetBytes(Guid.NewGuid().ToString());
var exportedKey = ecdsaKey.ExportEncryptedPkcs8PrivateKey(password, _pbeParameters);
using var tmpEcdsaKey = ECDsa.Create() ?? throw new CertificatePrivateKeyBytesLoaderException("Unable to create an instance of the default ECDsa implementation");
tmpEcdsaKey.ImportEncryptedPkcs8PrivateKey(password, exportedKey, out _);
return(tmpEcdsaKey.ExportParameters(true));
}
return(ecdsaKey.ExportParameters(true));
}
