Private key from windows keyring

+1 vote
asked Mar 8, 2012 by sarevok (250 points)
edited Jun 11, 2012

Hello!

I am testing trial version of your SFTP library.

Is it possible to use a certificate with a private key stored in the Windows Certificate Store in the SshPrivateKey constructor? Such a certificate can be loaded into an X509Certificate2 object. But I have no idea how to export the private key included in the X509Certificate2 object into the byte array that is accepted by the SshPrivateKey constructor and can then be used by the Login(String, SshPrivateKey) method.

It would be nice if you can write code snippet with such transformation.

Best regards, Staszek

Applies to: Rebex SFTP

2 Answers

+1 vote
answered Mar 8, 2012 by Lukas Pokorny (116,670 points)
edited Jun 11, 2012

Update: This feature has been added to Rebex SFTP 2012 R2. Please check out the other answer for more information.

In the current version of Rebex SFTP, this is only possible if the certificate's private key can be exported. In that case, the following code can be used:

        using System.Security.Cryptography;
        using System.Security.Cryptography.X509Certificates;
        using Rebex.Net;

        X509Certificate2 cert = ...;

        // get certificate's private key RSA CSP
        // (the cast fails if the key is not an RSA key held by a CSP)
        RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)cert.PrivateKey;

        // export parameters, including the private ones
        // (throws CryptographicException if the key was marked non-exportable)
        RSAParameters parameters = rsa.ExportParameters(true);

        // create a SSH key from the exported parameters
        SshPrivateKey key = SshPrivateKey.CreateFrom(parameters);

However, the exportable parameters requirement is only due to a missing API. We could easily add a method that only takes X509Certificate2.PrivateKey on input and creates a fully working SshPrivateKey based on that, regardless of the exportable status. If you can afford to wait until next week, we can add this feature straight away and send you a beta to try. Please let me know if you are interested.

commented Mar 8, 2012 by sarevok (250 points)
edited Mar 20, 2012

Thank you for the fast response. Of course I am interested in testing such a modified API. It is nice that you want to add a method which makes the certificate management easier in my project. So I will wait until you send me the beta version to try.

By the way, I am considering replacing my old SFTP library from another supplier with the Rebex SFTP library. It is because of the high transfer rate offered by your solution.

0 votes
answered Mar 14, 2012 by Lukas Pokorny (116,670 points)
edited Jun 11, 2012

The modified API is ready and I just sent a link to a beta version to your e-mail. Please give it a try and let me know how it works. Use the following code:

    using System.Security.Cryptography;
    using System.Security.Cryptography.X509Certificates;
    using Rebex.Net;

    X509Certificate2 cert = ...;

    // get certificate's private key RSA CSP
    // (the cast fails if the key is not an RSA key held by a CSP)
    RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)cert.PrivateKey;

    // create a SSH key based on that RSA CSP
    // (no ExportParameters call, so non-exportable keys work too)
    SshPrivateKey key = new SshPrivateKey(rsa);

Update: This feature has been released as part of Rebex SFTP / Rebex SSH Shell 2012 R2. Once again, thanks for your suggestion!

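The two answers above show the key conversion in isolation. The following is an added example (not code from the answers or from Rebex) that puts the whole flow together: find the certificate in the current user's Personal store by thumbprint, build the SshPrivateKey either from the CSP handle (2012 R2 and later) or, for older builds, from exported parameters, and log in with it. The X509Store lookup is standard .NET; SshPrivateKey(RSACryptoServiceProvider), SshPrivateKey.CreateFrom(RSAParameters) and Login(string, SshPrivateKey) are the calls quoted in the answers; Sftp.Connect(host) and Sftp.Disconnect() are assumed to be the client's connect and disconnect methods. The host name, user name and thumbprint are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Rebex.Net;   // Sftp, SshPrivateKey (Rebex SFTP 2012 R2 or later assumed)

class CertStoreSftpLogin
{
    // Look up a certificate in the current user's "Personal" (My) store by thumbprint.
    static X509Certificate2 FindCertificate(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false: an expired or untrusted certificate is still usable here,
            // because the SSH server only sees the RSA key pair, not the X.509 chain.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found: " + thumbprint);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Turn the certificate's private key into an SshPrivateKey.
    // useCsp = true  -> hand the CSP handle to Rebex (2012 R2+); the raw key stays inside the CSP.
    // useCsp = false -> export the parameters (pre-2012 R2); fails for non-exportable keys.
    static SshPrivateKey LoadSshKey(X509Certificate2 cert, bool useCsp)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key: " + cert.Subject);

        // Check the key type instead of casting blindly: a DSA key or a key held by a
        // CNG provider is not an RSACryptoServiceProvider and would throw a bare cast error.
        RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new NotSupportedException("Private key is not an RSA CSP key.");

        if (useCsp)
            return new SshPrivateKey(rsa);

        try
        {
            RSAParameters parameters = rsa.ExportParameters(true);
            return SshPrivateKey.CreateFrom(parameters);
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                "Private key is marked non-exportable; use the CSP-based constructor instead.", ex);
        }
    }

    static void Main()
    {
        // Placeholders (assumptions): replace with your own server, account and thumbprint.
        string host = "sftp.example.com";
        string user = "staszek";
        string thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

        X509Certificate2 cert = FindCertificate(thumbprint);
        SshPrivateKey key = LoadSshKey(cert, true);

        Sftp sftp = new Sftp();
        try
        {
            sftp.Connect(host);          // assumed Rebex connect call
            sftp.Login(user, key);       // Login(String, SshPrivateKey) from the question
            Console.WriteLine("Logged in as {0} with certificate {1}", user, cert.Subject);
        }
        finally
        {
            sftp.Disconnect();           // assumed Rebex disconnect call
        }
    }
}
```

Prefer the CSP-based path (useCsp = true) wherever the library version allows it: the raw RSA parameters never enter managed memory as a byte array, and it is the only path that works for keys held on a smart card or other hardware CSP, which refuse ExportParameters(true) regardless of how the key was provisioned. The export path is kept only for builds that predate the SshPrivateKey(RSACryptoServiceProvider) constructor.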
commented Mar 16, 2012 by sarevok (250 points)
edited Mar 27, 2012

It is working fine with my code. I did not notice any issues and the certificate handling is now much easier.

I also have an off-topic question. I find Rebex SFTP easy to integrate with my project, but I see one feature is missing. I cannot find a way to set extended attributes (xattrs) or ACLs using your library. In the library I am using now there are appropriate methods to do it. Could you tell me if it is possible with Rebex SFTP? And if it is not, do you plan to implement such functionality?

commented Mar 16, 2012 by Lukas Pokorny (116,670 points)
edited Mar 16, 2012

This is not supported at the moment, but I guess adding it would be quite simple. However, please let me know which server you use - we have found that most servers don't support these advanced features (which is why it's not supported yet).

commented Mar 19, 2012 by sarevok (250 points)
edited Mar 19, 2012

Currently we are using OpenSSH 5.0 with no xattr support. But we found a patch to enable this feature (we have not tried it yet). We have to consider if we really need xattr support. Maybe changing the SFTP server will be complicated in our environment and we will make some workaround.

commented Mar 19, 2012 by Lukas Pokorny (116,670 points)
edited Mar 19, 2012

OK, and what about the ACLs? Do these work with OpenSSH 5.0?

commented Mar 20, 2012 by sarevok (250 points)
edited Mar 20, 2012

No, it does not work with OpenSSH 5.0. But probably we will change the SFTP server, because xattrs are one of the possible options of storing some meta-data in our file system we are considering.

commented Mar 20, 2012 by Lukas Pokorny (116,670 points)
edited Mar 20, 2012

Well, if we can get an SSH/SFTP server with xattr support up and running, we could easily add support for it to Rebex SFTP. Just let us know when you find one!

Is this the OpenSSH xattr patch you were talking about, by the way?

commented Mar 21, 2012 by sarevok (250 points)
edited Mar 21, 2012

Yes, it is the patch I was writing about. Yesterday we had a developer meeting in my department and we decided to stay with OpenSSH. The maturity and ease of update are more important for us than the additional xattr and ACL support (patching OpenSSH can be tricky and complicated). So thank you for your willingness to implement xattrs and ACLs, but we decided that we do not need this functionality.

commented Mar 21, 2012 by sarevok (250 points)
edited Mar 21, 2012

The more important thing is the POSIX rename function which I mentioned in another post. If we get POSIX rename then I can recommend Rebex SFTP to my team leader as the solution which will replace the library we are using now.

commented Mar 21, 2012 by Lukas Pokorny (116,670 points)
edited Mar 27, 2012

I just sent you a link to the current build with POSIX rename support, please give it a try.

commented Mar 21, 2012 by sarevok (250 points)
edited Mar 21, 2012

I did not receive a mail with link to the new library version with POSIX rename. Could you send it again?

commented Mar 22, 2012 by Lukas Pokorny (116,670 points)
edited Mar 22, 2012

I already tried 3 times, but your mail server is rejecting the message without specifying any reason. Try using the link from my previous e-mail, but replace the build number 4457 with 4464.

To enable POSIX rename, set Sftp object's Settings.UsePosixRename property to true before calling the Rename method.

commented Mar 26, 2012 by sarevok (250 points)
edited Mar 26, 2012

Thank you for the fast implementation of the POSIX rename method. It works perfectly in our environment. Now we have all the SFTP functionality we need.

commented Mar 27, 2012 by Lukas Pokorny (116,670 points)
edited Mar 27, 2012

Thanks for letting us know and for testing these new features! Both POSIX rename and RSACryptoServiceProvider-based SshPrivateKey will be part of the next release (2012 R2).

...