CertificateRequest support for other curves

  • Question

  • I need to be able to create certificate requests with a specific curve.  25519 specifically.  

    // requires: using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates;
    ECCurve curve = ECCurve.CreateFromFriendlyName("curve25519");   // returns a curve object with most fields null
    ECDsa eCDsa = ECDsa.Create(curve);                               // throws PlatformNotSupportedException here
    CertificateRequest csr = new CertificateRequest(new X500DistinguishedName("CN=Test"), eCDsa, HashAlgorithmName.SHA256);

    The problem I get is that the curve above is mostly just nulls, and when I attempt to create the ECDsa I get "The specified curve 'curve25519' or its parameters are not valid for this platform."

    Can anyone point me to what I need to get curve 25519 to work on 4.7.2?  


    Thursday, July 5, 2018 5:49 PM

All replies

  • Hi John Liddle,

    Thank you for posting here.

    According to your description, I installed the curve25519 package via NuGet. My computer is on .NET Framework 4.7.1. The latest version of curve25519 targets .NET Framework 4.7.1. I am installing .NET Framework 4.7.2 and after installation I will test again.

    But, based on my test, the code did not add a reference to the curve25519 package. It adds a reference to the System.Security.Cryptography library.

    Have you tested your code? Does it run well in another .NET Framework version?

    Best Regards,

    Wendy


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.


    Tuesday, July 10, 2018 6:42 AM
    Moderator
  • I have tested my code and it is not able to get a curve in any framework version I tested.  The curve is basically all zeros, so it's not able to retrieve the parameters of the curve from the name.  And when I manually define the parameters of the curve (similar to the code here)

    I get an exception:

    System.PlatformNotSupportedException: The specified curve 'PrimeMontgomery' or its parameters are not valid for this platform. ---> System.Security.Cryptography.CryptographicException: The requested operation is not supported.

       at System.Security.Cryptography.NCryptNative.CreatePersistedKey(SafeNCryptProviderHandle provider, String algorithm, String name, CngKeyCreationOptions options)
       at System.Security.Cryptography.CngKey.Create(CngAlgorithm algorithm, String keyName, CngKeyCreationParameters creationParameters)
       at System.Security.Cryptography.CngKey.Create(ECCurve curve, Func`2 algorithmResolver)
       --- End of inner exception stack trace ---
       at System.Security.Cryptography.CngKey.Create(ECCurve curve, Func`2 algorithmResolver)
       at System.Security.Cryptography.ECDsaCng.GenerateKey(ECCurve curve)
       at System.Security.Cryptography.ECDsa.Create(ECCurve curve)

    Sunday, July 15, 2018 6:51 AM
  • The nuget package for curve25519 is for manually doing curve25519 secrets etc.  See usage here: https://github.com/hanswolff/curve25519.  This isn't what I need.  I need to be able to use the curve for certificate operations so I can create a CSR (certificate request) which uses this curve.  
    Sunday, July 15, 2018 6:53 AM
  • Here is a code example which works for nist curve P521.

    ECDsa eCDsa = ECDsa.Create(ECCurve.NamedCurves.nistP521);
    CertificateRequest csr = new CertificateRequest(new X500DistinguishedName("CN=Test"), eCDsa, HashAlgorithmName.SHA256);

    But how do I do the same thing with curve25519 which is defined in RFC7748?  I assume it would be creating a new ECCurve() and passing in the parameters from the RFC like this:

    // requires: using System.Numerics; using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates;

    // Helper (the post relied on an unshown PadBytes extension): encode a BigInteger as a
    // fixed-length, unsigned, big-endian byte array, which is the byte order the ECCurve and
    // ECParameters fields expect. BigInteger.ToByteArray() is little-endian and may append a sign byte.
    static byte[] ToBigEndian(BigInteger value, int length)
    {
        byte[] le = value.ToByteArray();
        byte[] be = new byte[length];
        for (int i = 0; i < length && i < le.Length; i++)
            be[length - 1 - i] = le[i];
        return be;
    }

    // Curve25519 domain parameters from RFC 7748, Montgomery form v^2 = u^3 + A*u^2 + u.
    byte[] prime = ToBigEndian(BigInteger.Pow(2, 255) - 19, 32);
    byte[] a = ToBigEndian(486662, 32);
    byte[] b = ToBigEndian(1, 32);   // B = 1 for Curve25519; the Ed25519 'd' constant is not the Montgomery B
    byte[] order = ToBigEndian(BigInteger.Pow(2, 252)
            + BigInteger.Parse("27742317777372353535851937790883648493"), 32);
    byte[] cofactor = new byte[] { 8 };
    byte[] gx = ToBigEndian(9, 32);  // base point u = 9
    byte[] gy = ToBigEndian(BigInteger.Parse("14781619447589544791020593568409986887264606134616475288964881837755586237401"), 32);

    ECCurve curve = new ECCurve() {
        CurveType = ECCurve.ECCurveType.PrimeMontgomery,
        Prime = prime,
        A = a,
        B = b,
        Order = order,
        Cofactor = cofactor,
        G = new ECPoint() {
            X = gx,
            Y = gy
        }
    };
    curve.Validate();   // parameter sanity check; the platform check happens in ECDsa.Create

    ECDsa eCDsa = ECDsa.Create(curve);   // throws PlatformNotSupportedException for PrimeMontgomery on CNG
    CertificateRequest csr = new CertificateRequest(new X500DistinguishedName("CN=Test"), eCDsa, HashAlgorithmName.SHA256);

    This throws the exception I referenced before of 

    System.PlatformNotSupportedException: The specified curve 'PrimeMontgomery' or its parameters are not valid for this platform. ---> System.Security.Cryptography.CryptographicException: The requested operation is not supported.

       at System.Security.Cryptography.NCryptNative.CreatePersistedKey(SafeNCryptProviderHandle provider, String algorithm, String name, CngKeyCreationOptions options)
       at System.Security.Cryptography.CngKey.Create(CngAlgorithm algorithm, String keyName, CngKeyCreationParameters creationParameters)
       at System.Security.Cryptography.CngKey.Create(ECCurve curve, Func`2 algorithmResolver)
       --- End of inner exception stack trace ---
       at System.Security.Cryptography.CngKey.Create(ECCurve curve, Func`2 algorithmResolver)
       at System.Security.Cryptography.ECDsaCng.GenerateKey(ECCurve curve)
       at System.Security.Cryptography.ECDsa.Create(ECCurve curve)

    Seems like the PrimeMontgomery curves are not supported?  What am I missing to get certificate requests which use curve25519 instead of the named curves like nist 521?



    • Edited by John Liddle Thursday, July 19, 2018 4:56 PM
    Thursday, July 19, 2018 4:31 PM
  • I found the following article detailing ECC support in 4.6

    https://github.com/dotnet/corefx/issues/7688

    Is this the case for 4.7 as well?  Am I not going to be able to implement a PrimeMontgomery curve on 4.7.x for my certificates?

    Thursday, July 19, 2018 8:15 PM
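Because the failure in this thread only shows up when ECDsa.Create is called, a practical defence is to probe each candidate curve on the target platform before handing it to CertificateRequest, and to fall back to a curve the provider does support. The following is an added example written for this thread; it is not code from any poster or from the .NET team. It assumes a console project on .NET Framework 4.7.2 (or any runtime with CertificateRequest), the subject name "CN=Test" from the question, and the same candidate curves the thread discusses; the explicitly-parameterised PrimeMontgomery curve from the post above could be appended to the candidate list and would be skipped the same way.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: probe which curves this platform's ECDsa provider can actually back
// before handing one to CertificateRequest, and build the CSR on the first one that works.
static class CurveProbe
{
    // Returns true if a key on this curve can be generated here. On .NET Framework, CNG reports
    // unsupported curve types (such as PrimeMontgomery) as PlatformNotSupportedException;
    // malformed explicit parameters surface as CryptographicException.
    public static bool TryCreateKey(ECCurve curve, out ECDsa key, out string error)
    {
        key = null;
        error = null;
        try
        {
            key = ECDsa.Create(curve);
            return true;
        }
        catch (PlatformNotSupportedException ex) { error = ex.Message; }
        catch (CryptographicException ex) { error = ex.Message; }
        return false;
    }

    // Builds a PKCS#10 request on the first supported curve in the preference list.
    // Returns the DER bytes, or null if no candidate is usable on this platform.
    public static byte[] CreateCsrOnFirstSupportedCurve(
        string subject, IEnumerable<ECCurve> candidates, out string chosenCurve)
    {
        foreach (ECCurve curve in candidates)
        {
            if (!TryCreateKey(curve, out ECDsa key, out string error))
            {
                Console.WriteLine("  skip " + Describe(curve) + ": " + error);
                continue;
            }
            using (key)
            {
                var req = new CertificateRequest(
                    new X500DistinguishedName(subject), key, HashAlgorithmName.SHA256);
                chosenCurve = Describe(curve);
                return req.CreateSigningRequest();
            }
        }
        chosenCurve = null;
        return null;
    }

    static string Describe(ECCurve c) =>
        c.IsNamed ? (c.Oid.FriendlyName ?? c.Oid.Value) : "explicit " + c.CurveType;

    static void Main()
    {
        var candidates = new List<ECCurve>();

        // The friendly-name lookup from the question: the object comes back, but no CNG
        // provider on this platform can generate a key for it, so the probe skips it.
        try { candidates.Add(ECCurve.CreateFromFriendlyName("curve25519")); }
        catch (CryptographicException ex) { Console.WriteLine("  no OID for curve25519: " + ex.Message); }

        candidates.Add(ECCurve.NamedCurves.nistP256);
        candidates.Add(ECCurve.NamedCurves.nistP384);
        candidates.Add(ECCurve.NamedCurves.nistP521);

        byte[] der = CreateCsrOnFirstSupportedCurve("CN=Test", candidates, out string chosen);
        if (der == null)
        {
            Console.WriteLine("no candidate curve is supported on this platform");
            return;
        }

        Console.WriteLine("CSR created on " + chosen);
        // PEM body; InsertLineBreaks wraps at 76 characters, which common CSR parsers accept.
        Console.WriteLine("-----BEGIN CERTIFICATE REQUEST-----");
        Console.WriteLine(Convert.ToBase64String(der, Base64FormattingOptions.InsertLineBreaks));
        Console.WriteLine("-----END CERTIFICATE REQUEST-----");
    }
}
```

Two points for real use. First, the `using (key)` disposes the private key as soon as the request bytes exist, which is fine for a probe but not for an actual enrolment: the issued certificate is only useful if the same private key is still available, so production code should create a persisted CNG key (or export and protect the key material) before building the request. Second, the skip messages are the signal to log: on the .NET Framework versions quoted in this thread they will show the curve25519 and PrimeMontgomery entries rejected with the same PlatformNotSupportedException text, and the CSR will land on the first NIST curve, which is the behaviour the nistP521 snippet above already demonstrates.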