Improve compat for low rights users loading CAPI machine keys via PFX #119124
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1) Windows exhibits different behaviors between no provider attribute with PKCS12_PREFER_CNG_KSP than with specifying the KSP, so always specify the KSP. 2) Let's stop messing with provider attributes on non-Windows, since this change is making them more expensive. 3) If PreserveStorageProvider is false, the key would go to a machine store, the user can't write to the CNG machine store, and the key is from a known CAPI provider, don't upgrade it to CNG.
Contributor
|
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones |
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR improves compatibility for low-privilege users loading CAPI machine keys via PFX files on Windows by modifying the cryptographic provider selection logic. The changes address permission issues where users cannot write to CNG machine stores but can write to CAPI machine stores.
Key changes:
- Remove default PKCS12_PREFER_CNG_KSP flag initialization and let Windows handle provider selection naturally
- Add intelligent provider selection logic that detects CAPI providers and user permissions
- Restrict provider attribute processing to Windows-only platforms for performance
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| X509CertificateLoader.Windows.cs | Removes default CNG preference flag to allow natural Windows provider selection |
| X509CertificateLoader.Pkcs12.cs | Adds comprehensive provider selection logic, permission checking, and Windows-specific attribute processing |
...ies/Common/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Pkcs12.cs
Outdated
Show resolved
Hide resolved
...ies/Common/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Pkcs12.cs
Show resolved
Hide resolved
...ies/Common/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Pkcs12.cs
Outdated
Show resolved
Hide resolved
Member
Author
|
Tested with {Default, User, Machine, User|Machine} x {0, Exportable} with all RSA type providers. The low rights user fails for MS_DEFAULT_PROV because it prohibits RSA "Exchange" keys over 1024-bit. (Windows says Access Denied, not us) Admin, with change: DetailsLow-rights user, with change: DetailsAdmin user, 10-p7: DetailsLow-rights user, 10-p7: DetailsSummary: Low rights machine key imports end up in MS_ENH_RSA_AES_PROV, rather than failing. |
vcsjones
reviewed
Aug 26, 2025
Member
vcsjones
left a comment
There was a problem hiding this comment.
Is there any way we can add test coverage for this?
...ies/Common/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Pkcs12.cs
Outdated
Show resolved
Hide resolved
...ies/Common/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Pkcs12.cs
Outdated
Show resolved
Hide resolved
...ies/Common/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Pkcs12.cs
Outdated
Show resolved
Hide resolved
...ies/Common/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Pkcs12.cs
Show resolved
Hide resolved
Member
Author
Not reliably for our CI, I don't think. We could add a test that imports a MS_STRONG_PROV key with MachineKeySet and see that it succeeds, and that the only two acceptable providers are MS_KSP and PROV_RSA_AES_ENH... but I don't know that we have a way to make CI run a test as both an admin and an unprivileged user. (If you do, I'm happy to learn) |
Member
Not really. In theory it might be possible to teach RemoteExecutor how to do it by creating a process with |
Member
|
We also have a few other tests conditioned on "IsElevated" or something like that. Some of the CNG tests have conditions for that for machine key writing. So we could write a test conditioned on that, but I don't know the odds that it will actually run in CI. |
vcsjones
reviewed
Aug 27, 2025
...ies/Common/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Pkcs12.cs
Outdated
Show resolved
Hide resolved
vcsjones
reviewed
Aug 27, 2025
...ies/Common/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Pkcs12.cs
Outdated
Show resolved
Hide resolved
Member
Author
I added a test that shows that the expected provider is returned in all 16 cases. Technically there are 32 cases (all the ones I added, but then again without a key having the machine key attribute), but I declare equivalency. The PfxTests class passes as a low-rights user, meaning the new test passes as a low rights user. |
vcsjones
reviewed
Aug 28, 2025
...ies/Common/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Pkcs12.cs
Outdated
Show resolved
Hide resolved
vcsjones
reviewed
Aug 28, 2025
src/libraries/System.Security.Cryptography/tests/X509Certificates/PfxTests.cs
Outdated
Show resolved
Hide resolved
vcsjones
approved these changes
Aug 28, 2025
Member
vcsjones
left a comment
There was a problem hiding this comment.
Looks good minus some nonblocking suggestions.
This was referenced Aug 28, 2025
Member
Author
|
/backport to release/10.0 |
Contributor
|
Started backporting to release/10.0: https://github.com/dotnet/runtime/actions/runs/17304209626 |
4 tasks
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Windows exhibits different behaviors between no provider attribute with PKCS12_PREFER_CNG_KSP than with specifying the KSP, so always specify the KSP instead of deleting the attribute.
Let's stop messing with provider attributes on non-Windows, since this change is making them more expensive.
If PreserveStorageProvider is false, the key would go to a machine store, the user can't write to the CNG machine store, and the key is from a known CAPI provider, don't upgrade it to CNG.
Fixes #117798.