How to get x509Certificate2 instance from SmartCard?


Emre BAŞKALE

Jan 12, 2018, 10:39:15 AM
to Pkcs11Interop
I'm trying to get an X509Certificate2 instance with PrivateKey using the Pkcs11Interop and Pkcs11Interop.X509Store libraries.

An X509Certificate2 object is required for WCF SOAP signing configuration and MimeKit S/MIME signatures, and many other libraries also require an X509Certificate2 object for digital signatures.

Is that possible? Can I get an X509Certificate2 instance with PrivateKey using the Pkcs11Interop library or Pkcs11Interop extensions like X509Store?

Pkcs11Interop.X509Store supplies the X509Certificate2 instance without PrivateKey and a separate RSA instance, and I need to merge them into an X509Certificate2...

Jaroslav Imrich

Jan 14, 2018, 10:30:29 AM
to Pkcs11Interop, ebas...@gmail.com
I'm trying to get an X509Certificate2 instance with PrivateKey using the Pkcs11Interop and Pkcs11Interop.X509Store libraries.

An X509Certificate2 object is required for WCF SOAP signing configuration and MimeKit S/MIME signatures, and many other libraries also require an X509Certificate2 object for digital signatures.

Is that possible? Can I get an X509Certificate2 instance with PrivateKey using the Pkcs11Interop library or Pkcs11Interop extensions like X509Store?

My current state of .NET understanding says this is impossible. Not because of Pkcs11Interop but because of how the X509Certificate2 class is "hardcoded" and used throughout the whole .NET Framework with only the CSP/CNG backend in mind. There is also a .NET Core bug open for this issue [0], but personally I don't believe the situation will change in the foreseeable future. The best thing Microsoft managed to do in years was introducing RSACertificateExtensions [1] in .NET 4.6 and ECDsaCertificateExtensions [2] in .NET 4.6.1. Note that both changes were implemented as extension methods. They did not touch the X509Certificate2 class directly.

Pkcs11Interop.X509Store supplies the X509Certificate2 instance without PrivateKey and a separate RSA instance, and I need to merge them into an X509Certificate2...

The best thing I was able to come up with in Pkcs11Interop.X509Store [3] was to implement a Pkcs11RsaProvider class derived from the System.Security.Cryptography.RSA class, which did not even have a SignHash() method up until .NET 4.6. So even this basic integration was not possible with older .NET versions.

But please let me know if you manage to create a more suitable integration layer for WCF, MimeKit, SignedCms or any of the others. I'll gladly review it and possibly also merge it into the Pkcs11Interop.X509Store codebase.

[0] https://github.com/dotnet/corefx/issues/22437

Regards, Jaroslav
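An added sketch of the approach described in the reply above, an RSA-derived class that keeps the private key on the token; this is example code, not Pkcs11Interop.X509Store's Pkcs11RsaProvider. `TokenRsaProvider` is a hypothetical name, and the `signOnToken` delegate is assumed to be supplied by the caller (for instance wrapping a Pkcs11Interop session's Sign call); the example targets .NET Core / .NET Standard 2.0, where `IncrementalHash` and `GetRSAPublicKey()` are available.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical token-backed RSA (example code, not Pkcs11Interop.X509Store's Pkcs11RsaProvider).
// signOnToken(hash, hashAlgorithm) is supplied by the caller and performs the only private-key
// operation, e.g. wrapping the hash in a DigestInfo and calling the PKCS#11 session's Sign with CKM_RSA_PKCS.
public sealed class TokenRsaProvider : RSA
{
    private readonly RSA _publicKey;   // software copy of the public key, read via GetRSAPublicKey()
    private readonly Func<byte[], HashAlgorithmName, byte[]> _signOnToken;
    public TokenRsaProvider(X509Certificate2 certificate, Func<byte[], HashAlgorithmName, byte[]> signOnToken)
    {
        _publicKey = certificate.GetRSAPublicKey() ?? throw new ArgumentException("Not an RSA certificate", nameof(certificate));
        _signOnToken = signOnToken ?? throw new ArgumentNullException(nameof(signOnToken));
        KeySizeValue = _publicKey.KeySize;
    }

    // The private key never leaves the hardware. This is also why CopyWithPrivateKey cannot merge this
    // object into an X509Certificate2: for anything that is not RSACng/RSACryptoServiceProvider it
    // falls back to ExportParameters(true), which has to fail here.
    public override RSAParameters ExportParameters(bool includePrivateParameters)
    {
        if (includePrivateParameters)
            throw new CryptographicException("Private key is not exportable from the token.");
        return _publicKey.ExportParameters(false);
    }

    public override void ImportParameters(RSAParameters parameters) =>
        throw new NotSupportedException("Keys live on the token and cannot be imported.");
    // RSA.SignData/VerifyData route through HashData, whose base implementation throws, so it must be
    // overridden too (the Stream overload needs the same treatment for stream-based callers).
    protected override byte[] HashData(byte[] data, int offset, int count, HashAlgorithmName hashAlgorithm)
    {
        using (var hasher = IncrementalHash.CreateHash(hashAlgorithm)) { hasher.AppendData(data, offset, count); return hasher.GetHashAndReset(); }
    }

    public override byte[] SignHash(byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
    {
        if (padding != RSASignaturePadding.Pkcs1)   // PSS would need a different PKCS#11 mechanism
            throw new CryptographicException("Only PKCS#1 v1.5 padding is supported by this provider.");
        return _signOnToken(hash, hashAlgorithm);
    }

    // Verification needs only the public key, so it stays in software.
    public override bool VerifyHash(byte[] hash, byte[] signature, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding) =>
        _publicKey.VerifyHash(hash, signature, hashAlgorithm, padding);
}
```

Libraries that accept an RSA object (rather than an X509Certificate2 with PrivateKey set) can use an instance of this class directly; the ExportParameters override is what makes the merge into the certificate fail, matching the limitation described above.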