Error reading exported certificate private key on some machines.

[Marcioztec]

Description

On several machines with new and old Windows 10/11, an error is occurring when requesting the private key of a previously exported certificate.

Reproduction Steps

//code for testing
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography;
using System.Text;

public class Program
{
	public static void Main()
	{ 
		string password = "F@dr4PaeE#2a";
		byte[] certData;
		StringBuilder dn = new StringBuilder();
		dn.Append("CN=64d9f3dd-23ba-0101-a802-a4893a4b9695,O=TESTE,OU=Gene,L=Realeza,S=PR,C=BR");
		X500DistinguishedName d = new X500DistinguishedName(dn.ToString());
		using (RSA a = RSA.Create(2048))
		{
			CertificateRequest r3 = new CertificateRequest(d, a, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
			 r3.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyCertSign, false));
			r3.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection {
				new Oid("1.3.6.1.5.5.7.3.8"),
				new Oid("1.3.6.1.5.5.7.3.2"),
			}, false));
			
			SubjectAlternativeNameBuilder ss = new SubjectAlternativeNameBuilder();
			r3.CertificateExtensions.Add(ss.Build());
			X509Certificate2 objCert = r3.CreateSelfSigned(new DateTimeOffset(DateTime.UtcNow.Date), new DateTimeOffset(DateTime.UtcNow.AddYears(1)));

			 RSA keyw = objCert.GetRSAPrivateKey();
			 Console.WriteLine("1 " + keyw.ExportSubjectPublicKeyInfoPem());
			 Console.WriteLine("1 " + keyw.ExportPkcs8PrivateKeyPem());//ok works
			certData = objCert.Export(X509ContentType. Pfx, password);
		}
		X509Certificate2 objCertificado = new X509Certificate2(certData, password);
		RSA aww = objCertificado.GetRSAPrivateKey();
		Console.WriteLine("2 " + aww.ExportSubjectPublicKeyInfoPem());
		Console.WriteLine("2 " + aww.ExportPkcs8PrivateKeyPem());//error on some machines windows 10/11 but works on https://dotnetfiddle.net/
		Console.WriteLine("Sucesso");
	}
}

Expected behavior

When calling the method "keyw3.ExportPkcs8PrivateKeyPem()" the error "System.Security.Cryptography.CryptographicException HResult=0x80090029 Message=The requested operation is not supported....."

Actual behavior

not necessary, run the example

Regression?

No response

Known Workarounds

I am saving the private key to another file and rebuilding later

Configuration

No response

Other information

No response

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[vcsjones]

What version of .NET is this?

Can you share the output dotnet --info?

[Marcioztec]

The version is the .Net Core 8 rutime and SDK, but it also occurs in version 7, on new and old machines.

dotnet --info

.NET SDK:
Version: 8.0.404
Commit: 7b190310f2
Workload version: 8.0.400-manifests.c6df56b6
MSBuild version: 17.11.9+a69bbaaf5

Ambiente de runtime:
OS Name: Windows
OS Version: 10.0.22621
OS Platform: Windows
RID: win-x64
Base Path: C:\Program Files\dotnet\sdk\8.0.404\

Cargas de trabalho do .NET instaladas:
Configurado para usar loose manifests ao instalar novos manifestos.
[wasm-tools-net6]
Origem da Instalação: VS 17.11.35431.28
Versão do Manifesto: 8.0.11/8.0.100
Caminho do Manifesto: C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.workload.mono.toolchain.net6\8.0.11\WorkloadManifest.json
Tipo de Instalação: FileBased

[wasm-tools-net7]
Origem da Instalação: VS 17.11.35431.28
Versão do Manifesto: 8.0.11/8.0.100
Caminho do Manifesto: C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.workload.mono.toolchain.net7\8.0.11\WorkloadManifest.json
Tipo de Instalação: FileBased

[wasm-tools]
Origem da Instalação: VS 17.11.35431.28
Versão do Manifesto: 8.0.11/8.0.100
Caminho do Manifesto: C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.workload.mono.toolchain.current\8.0.11\WorkloadManifest.json
Tipo de Instalação: FileBased

[aspire]
Origem da Instalação: VS 17.11.35431.28
Versão do Manifesto: 8.2.2/8.0.100
Caminho do Manifesto: C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.aspire\8.2.2\WorkloadManifest.json
Tipo de Instalação: FileBased

Host:
Version: 8.0.11
Architecture: x64
Commit: 9cb3b72

.NET SDKs installed:
5.0.408 [C:\Program Files\dotnet\sdk]
6.0.428 [C:\Program Files\dotnet\sdk]
8.0.404 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
Microsoft.AspNetCore.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 8.0.11 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Other architectures found:
x86 [C:\Program Files (x86)\dotnet]
registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]

Environment variables:
Not set

global.json file:
Not found

Learn more:
https://aka.ms/dotnet/info

Download .NET:
https://aka.ms/dotnet/download

[jeffhandley]

Assigned to @krwq to finish triaging this.

[krwq]

I confirm this repros for me on .NET 8 and .NET 9. I also tried to find a workaround with X509CertificateLoader but I wasn't lucky. This certainly looks like something I'd expect to work. I'll mark it as .NET 10 for now to further investigate this.

[Marcioztec]

How long for the correction?

[krwq]

I can't give you exact timeline neither can guarantee we will fix this in this release - we currently prioritize regression and serious bugs - unfortunately we don't have infinite resources. I can guarantee only that we will take a further look but that's not equivalent with fixing. .NET 10 milestone means we will take another look in this release to understand this further - if fix is easy and doesn't involve any risky changes then it might be fixed as part of that investigation otherwise this might need to wait a bit.