
Problem with RSA.ImportParameters() under ASP .NET


Kim Hellan

Feb 10, 2006, 6:56:12 AM2/10/06
I have a problem with some code in an assembly that uses
RSA.ImportParameters().
If the assembly is used in a WinForm application it's fine, but I'm having
trouble when it's used in ASP .NET.

The code is something like this:
....
....
RSA rsa = RSA.Create ();
rsa.ImportParameters (param);

I know it has got something to do with the IIS user not having the same
access rights to key stores and files as a normal user.
Unfortunately I can't change the code (not my assembly), so can anyone tell
me what I can tweak on the PC to make this work?

Thanks!
/Kim


Mitch Gallant

Feb 10, 2006, 7:43:25 AM2/10/06
If this is a server-side process (asp or asp.net) which needs to access
the private key in any way (for signing or RSA encryption) then you will
need to ACL the associated private key file with READ permissions for
the IUSR_<machinename> account, which is what asp and asp.net run as.
For RSA keypairs that are associated with a certificate (probably not your case),
there is a very handy CAPICOM tool which greatly facilitates this:
<capicominstalldir>\samples\vbs\CSetKeyPerm.vbs

- Mitch Gallant
MVP Security
www.jensign.com

"Kim Hellan" <som...@nowhere.com> wrote in message news:ONk3njjL...@TK2MSFTNGP11.phx.gbl...

Kim Hellan

Feb 10, 2006, 8:09:03 AM2/10/06
It is a server-side process.
I'm not trying to access a private key or certificate in a specific store.
I have already gotten a private key earlier from a PKCS#12 and extracted the
key parameters.
And then a brand new key is created and I'm just trying to import the key
parameters into a new key:

RSA rsa = RSA.Create ();
rsa.ImportParameters (param);

But ImportParameters throws a:
System.Security.Cryptography.CryptographicException:
The system cannot find the file specified.

I think I read somewhere that ImportParameters actually creates a temporary
keyfile, so that may be the problem.
But since I'm not accessing a key/certificate either in a store or on disk,
I have no idea what I should give access to.
It's probably the IUSR_xxx user that should be granted access to something,
but what?

Any hints appreciated!
/Kim


"Mitch Gallant" <jens...@community.nospam> wrote in message news:uFsoc%23jLGH...@TK2MSFTNGP14.phx.gbl...

Mitch Gallant

Feb 10, 2006, 8:38:13 AM2/10/06
Yes, I'm pretty sure what you are doing is creating a transient RSA private key
file (in Machine CU store) since you don't specify a persistence.
Not sure how accessing that key is managed.
You could look for a transient (private key file) created during your asp process
(put a pause in it, then look for new files created in
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys).
I don't know how the ACLs would work in this case. I'm pretty sure that exception
is a disguised access denial reference.

- Mitch Gallant


"Kim Hellan" <som...@nowhere.com> wrote in message news:%23z0HVMk...@tk2msftngp13.phx.gbl...

Kim Hellan

Feb 10, 2006, 9:01:51 AM2/10/06
We have tried monitoring the disk and no files are ever written, so I think
access for writing that temporary file is denied.
With a filemonitor we can see that every time we get the error, some entries
are written in
C:\WINNT\Debug\UserMode\Userenv.log by dllhost.exe

Those are:
USERENV(b88.ac4) 14:52:43:395 ImpersonateUser: Failed to impersonate user with 5.
USERENV(b88.ac4) 14:52:43:395 GetUserGuid: Failed to impersonate user with 5.
USERENV(b88.ac4) 14:52:43:395 GetProfileSid: No Guid -> Sid Mapping available
USERENV(b88.ac4) 14:52:43:395 GetProfileType: Profile is not loaded.

I have no idea what they mean, but it looks as if they could be related to
the problem?

/Kim

"Mitch Gallant" <jens...@community.nospam> wrote in message news:uHj9Bdk...@TK2MSFTNGP12.phx.gbl...

Henning Krause [MVP]

Feb 10, 2006, 7:28:19 PM2/10/06
Hello,

One common cause for this problem is that the RSA object tries to create the
CryptoContainer in the user profile. For performance reasons, that part of
the profile is not loaded in ASP.NET applications.

See http://support.microsoft.com/default.aspx?scid=KB;EN-US;322371 for more
on this topic.

The solution given in the article is to create the RSA object with a custom
CspParameters object, specifying the machine store to use.

If this is indeed your problem, there seems no solution without a code
change...

Greetings,
Henning

"Kim Hellan" <som...@nowhere.com> wrote in message news:%23z0HVMk...@tk2msftngp13.phx.gbl...

Kim Hellan

Feb 13, 2006, 3:06:22 AM2/13/06
Hi,

In one of my own projects I have actually done the change in code that you
suggest.
Unfortunately I can't change the code that's causing problems, since it's a
3rd party DLL.

Another question about this...
Are there any performance issues to observe regarding the different ways to
create the RSA object?
I was under the impression that:

RSA rsa = RSA.Create ();

... just creates an empty object without doing anything, while

RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(CSPParam);

... actually generates an RSA dummy key, which of course has a huge impact on
performance.

Is that correct?

Regards,
Kim


"Henning Krause [MVP]" <newsgrou...@this.infinitec.de> wrote in message news:egQVTIqL...@TK2MSFTNGP15.phx.gbl...

Henning Krause [MVP]

Feb 13, 2006, 7:02:17 AM2/13/06
Hello,

I just took another look at the documentation of these objects.

It seems that you can set RSACryptoServiceProvider.UseMachineKeyStore to
true. This should be (according to the docs) equivalent to using the
CspParameters.

Greetings,
Henning Krause


"Kim Hellan" <som...@nowhere.com> wrote in message news:uvQOLRHM...@TK2MSFTNGP12.phx.gbl...
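Both of Henning's suggestions side by side (the CspParameters change from the KB article in his first reply, and the static UseMachineKeyStore switch from his second), as an added example that is not code from the thread or from Kim's third-party DLL. It assumes the .NET Framework on Windows, where RSA.Create() returns an RSACryptoServiceProvider and CspParameters maps straight onto CryptoAPI; the generated key pair, the sample message and all helper names are constructed for the demo. Variant 1 needs access to the code that creates the key. Variant 2 sets process-wide state so that every parameterless RSACryptoServiceProvider(), and hence the RSA.Create() call inside an assembly you cannot edit, also lands in the machine store; set it once at application start-up (Application_Start is an assumed location), not per request.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread or the third-party DLL.
// Assumes the .NET Framework on Windows, where RSA.Create() returns
// RSACryptoServiceProvider and CspParameters maps onto CryptoAPI.
static class MachineKeyStoreDemo
{
    // PROV_RSA_AES. A bare "new CspParameters()" selects PROV_RSA_FULL,
    // which cannot sign with SHA-256, so the provider type is named explicitly.
    const int ProvRsaAes = 24;

    // Variant 1 (the KB 322371 change): explicit CspParameters carrying the
    // machine key store flag. No KeyContainerName is given, so the CSP opens a
    // random, non-persisted container and never touches the user profile.
    public static RSACryptoServiceProvider CreateWithCspParameters()
    {
        var csp = new CspParameters(ProvRsaAes)
        {
            Flags = CspProviderFlags.UseMachineKeyStore
        };
        var rsa = new RSACryptoServiceProvider(csp);
        // Never leave a key file behind in MachineKeys: with machine-store ACLs
        // it would be readable by every process allowed to read that folder.
        rsa.PersistKeyInCsp = false;
        return rsa;
    }

    // Variant 2: the static switch Henning points at. Once true, every
    // parameterless RSACryptoServiceProvider(), and therefore RSA.Create() on
    // the .NET Framework, defaults to the machine store, which covers code in
    // an assembly you cannot change. It is global state: set it at start-up
    // (Application_Start is an assumed location), not per request.
    public static RSA CreateViaStaticFlag()
    {
        RSACryptoServiceProvider.UseMachineKeyStore = true;
        return RSA.Create();
    }

    // Import externally obtained parameters, as the thread's code does, then
    // prove the imported key works with a SHA-256 sign/verify round trip.
    public static bool ImportAndRoundTrip(RSA rsa, RSAParameters param, byte[] data)
    {
        rsa.ImportParameters(param);
        var csp = rsa as RSACryptoServiceProvider;
        if (csp == null)
            throw new InvalidOperationException("expected RSACryptoServiceProvider (.NET Framework)");
        byte[] signature = csp.SignData(data, "SHA256");
        return csp.VerifyData(data, "SHA256", signature);
    }

    static void Main()
    {
        // Stand-in for the parameters Kim extracted from a PKCS#12: a freshly
        // generated 2048-bit pair, exported including the private exponent.
        RSAParameters param;
        var sourceCsp = new CspParameters(ProvRsaAes) { Flags = CspProviderFlags.UseMachineKeyStore };
        using (var source = new RSACryptoServiceProvider(2048, sourceCsp))
        {
            source.PersistKeyInCsp = false;
            param = source.ExportParameters(true);
        }
        byte[] data = Encoding.UTF8.GetBytes("constructed sample message");

        using (var rsa = CreateWithCspParameters())
        {
            Console.WriteLine("CspParameters variant verified: " + ImportAndRoundTrip(rsa, param, data));
        }
        using (var rsa = CreateViaStaticFlag())
        {
            Console.WriteLine("UseMachineKeyStore variant verified: " + ImportAndRoundTrip(rsa, param, data));
        }
    }
}
```

Neither variant names a key container, so the CSP works in a random container that is discarded when the object is disposed, and ImportParameters replaces whatever key that container holds; nothing should appear under MachineKeys. If the third-party code does name a container, the machine-store flag makes the key file land in MachineKeys with machine-wide ACLs, which is exactly the file Mitch suggests watching for, and then PersistKeyInCsp and the ACL on that file become the security question rather than the profile load.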

Kim Hellan

Feb 13, 2006, 8:45:10 AM2/13/06
Thank you for that.
Regarding my previous question...
Do you know if there are any performance issues involved using
RSACryptoServiceProvider instead of just RSA?

Thank you,
Kim

"Henning Krause [MVP]" <newsgrou...@this.infinitec.de> wrote in message news:%23j74YVJ...@TK2MSFTNGP11.phx.gbl...
