RSACng Certificate Support

[chekm8]

I'm attempting to use MailKit to send a signed email and when attempting to do this I am getting an Exception "'RSACng' is currently not supported.". With further tracing This error is coming from within MimeKit. Specifically when a call to AsAsymmetricKeyParameter() is made. This error is only occurring when I use the prebuilt Nuget Packages. I pulled the source code form both Mailkit and MimeKit and when I build it locally the code works correctly, without any code changes.

The only thing I can think is that somehow the Nuget package version isn’t hitting the "#if NET46 || NET47 || NET48 || NETCOREAPP3_0 || __MOBILE__" directives that support RSACng.

I have minimized the local csproj's code to only load the NetStandard versions of both mail and mime kit. My unit test project is a simple Net Core 3.0 unit test project.

Platform (please complete the following information):

• OS: Windows 10
• .NET Framework: .Net Core
• MimeKit Version: Tried with 2.5.1.0. as well as 2.6

To Reproduce
Steps to reproduce the behavior:
I am using a RSACng certificate that is located in the Windows Certificate store and has a private key associated with it.
Create a unit test
Grab the certificate from the cert store:

var mycert = null;
using (var store = new X509Store(StoreName.My))
            {
                store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
                var matches = store.Certificates.Find(X509FindType.FindBySerialNumber, <YOURCERTIFICATESERIAL>, true); 
                if (matches.Count > 0)
                {
                    foreach (X509Certificate2 cert in matches)
                    {
                        mycert = cert; //TODO returning first for fun, need to do better filtering
                    }
                }
            }
        }

Attempt to get the AsymmetricKeyParameter:
var key = mycert.PrivateKey.AsAsymmetricKeyParameter();
Error Message:

System.NotSupportedException : 'RSACng' is currently not supported.

Stack Trace:
AsymmetricAlgorithmExtensions.AsAsymmetricKeyParameter(AsymmetricAlgorithm key)
SMTPTests.Test() line 68

Expected behavior
I should not get the error, RSACng should be supported

[jstedfast]

Right now, MimeKit is not built for NETCOREAPP3_0 so that is a #define that never gets used.

When you use the nugets, you are probably referencing the netstandard20 assembly which does not support it.

[chekm8]

Thanks for the quick response. Any idea on when there might be a build for 3.0? Anything I can contribute to help?

Best recommendation is to use a local build for now?

[jstedfast]

If you could figure out the proper framework for MimeKit to target (which afaict isn't really netcoreapp3.0), that would be awesome. I'm guessing it's some sort of library framework because *app frameworks are for, well, apps ;-)

My guess is that locally, your project must be using the net47 or net48 framework version of MimeKit or something?

[jstedfast]

Looks like I can target .NETStandard2.1

[jstedfast]

Oooooh, even better, I can target netstandard2.0 if I add a System.Security.Cryptography.Cng package reference.

[chekm8]

@jstedfast Thanks! I was planning on getting back to this this week but, you already knocked it out. Much appreciated!

[jstedfast]

No problem.

[jstedfast]

MimeKit 2.8.0 has just been released with support for RSACng and DSACng. Let me know if things are still broken for you.

[jstedfast]

Ugh, I'm having to back this out: xamarin/xamarin-macios#8772

You need to target net46, net47 or net48 to use this feature. I can't support it in netstandard2.0

[chekm8]

well this ruined my weekend :) Thanks and understood. If the underlying libraries can't support it you cant be expected to. Its a shame since I already pulled and validated 2.8 was working great.

[jstedfast]

Yea, it sucks :(

If I could check the support at runtime, I could have tried to do that, but alas, that's not possible because this was an AOT issue.

The sooner net5/net6 comes, the better ;-)

[jstedfast]

Okay, so I think I found a solution that will work. I don't need access to the RSACng or DSACng types, I can just manipulate them via the abstract RSA/DSA classses.