[release/10.0] Improve compat for low rights users loading CAPI machine keys via PFX #119185
Merged
1) Windows exhibits different behaviors between no provider attribute with PKCS12_PREFER_CNG_KSP than with specifying the KSP, so always specify the KSP.
2) Let's stop messing with provider attributes on non-Windows, since this change is making them more expensive.
3) If PreserveStorageProvider is false, the key would go to a machine store, the user can't write to the CNG machine store, and the key is from a known CAPI provider, don't upgrade it to CNG.
artl93 (Member) approved these changes Aug 28, 2025
artl93 left a comment:
Core scenario.
vcsjones (Contributor) approved these changes Aug 28, 2025
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
jeffhandley (Member) approved these changes Sep 2, 2025
@artl93 Can you merge this with your release branch permissions please?
bartonjs approved these changes Sep 2, 2025
Backport of #119124 to release/10.0
/cc @bartonjs
Customer Impact
When loading a PKCS#12/PFX that contains a key marked as belonging to a machine key-store, users/processes without administrator permissions on Windows can get a failure loading the file on .NET 10 when it succeeded on .NET 8.
Regression
This regression was introduced with X509CertificateLoader (#102167).
Windows CAPI RSA machine keys can be created by anyone on the computer, but Windows CNG RSA machine keys can only be created by administrators.
The administrator restriction does not apply to machine keys loaded as "ephemeral" keys, but test coverage incorrectly assumed that "ephemeral" and "persisted" had the same permissions model.
Testing
The fix was verified with a dedicated program that created PFXes with every known CAPI RSA CSP, alternated with machine keys and user keys, and imported them with all relevant X509KeyStorageFlags combinations. The program was run as an admin (everything worked before, and after) and a low-rights user (several tests failed before, succeeded after).
A simplified version of this verification program has been added to the test suite with this change.
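As an added illustration (not the PR's own test program, nor code from the dotnet/runtime repository), the following C# console program runs the kind of flag matrix the Testing section describes against a single PFX: it loads the file under several X509KeyStorageFlags combinations through the X509CertificateLoader API named in the PR, opens the private key, and reports which combinations succeed for the current user and whether the key came back as a CAPI (RSACryptoServiceProvider) or CNG (RSACng) object. Running it once as an administrator and once as a low-rights user shows the permission difference the PR fixes. The PFX path and password are placeholders, and the program assumes .NET 9 or later, where X509CertificateLoader exists.

```csharp
// Added example, not part of the PR. Loads one PFX under several
// X509KeyStorageFlags combinations and reports the outcome per combination.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class KeyStorageFlagsMatrix
{
    // Assumed inputs (placeholders): a PFX whose key is marked as a machine key
    // and was created by a CAPI RSA provider.
    const string PfxPath = @"C:\path\to\machine-key.pfx";
    const string PfxPassword = "placeholder-password";

    // The combinations the PR description talks about: user vs machine store,
    // persisted vs ephemeral. EphemeralKeySet cannot be combined with
    // PersistKeySet, so that pair is deliberately absent.
    static readonly X509KeyStorageFlags[] Combinations =
    {
        X509KeyStorageFlags.DefaultKeySet,
        X509KeyStorageFlags.UserKeySet,
        X509KeyStorageFlags.MachineKeySet,
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet,
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet,
        X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet,
        X509KeyStorageFlags.EphemeralKeySet,
    };

    static void Main()
    {
        Console.WriteLine($"User: {Environment.UserName}, runtime: {Environment.Version}");

        foreach (X509KeyStorageFlags flags in Combinations)
        {
            string result;
            try
            {
                // X509CertificateLoader is the .NET 9+ loader the PR modifies.
                using X509Certificate2 cert =
                    X509CertificateLoader.LoadPkcs12FromFile(PfxPath, PfxPassword, flags);

                // Opening the private key is what actually touches the CAPI
                // provider or CNG KSP, so do it rather than stopping at load.
                using RSA rsa = cert.GetRSAPrivateKey();
                result = rsa is null
                    ? "loaded, but no RSA private key"
                    : $"ok ({rsa.GetType().Name}, {rsa.KeySize}-bit)";
            }
            catch (CryptographicException ex)
            {
                // Access-denied style failures for a low-rights user show up here.
                result = $"FAILED: {ex.Message}";
            }

            Console.WriteLine($"{flags,-50} {result}");
        }
    }
}
```

The type name printed for a successful load is the useful signal: RSACryptoServiceProvider means the key stayed with its CAPI provider, RSACng means it was moved into a CNG KSP, which is exactly the upgrade the PR avoids for a known CAPI provider when the caller cannot write to the CNG machine store. Note that the PersistKeySet rows leave a key on disk after the run, so a real harness should delete those keys afterwards.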
Risk
Medium.
This change involves a mix of Windows documented material (the list of known CAPI CSPs), generally accepted facts (MS_ENH_RSA_AES_PROV can load keys from all older RSA CSPs and offers more functionality), and black-box observed behavior (the permissions differences between CAPI persisted, CNG persisted, and CNG ephemeral, and the behavior differences between PKCS12_PREFER_CNG_KSP and a key actually saying it should be loaded into CNG).
Test coverage says that known conditions are all in a same-or-better state, but it's difficult to state confidently that "unknown" conditions aren't abundant.