Add easy way to create a certificate from a multi-PEM or cert-PEM + key-PEM

[bartonjs]

Something like

namespace System.Security.Cryptography.X509Certificates {
    partial class X509Certificate2 {
        public static X509Certificate2 CreateFromPemFile(string certPemFilePath, string keyPemFilePath = default);
        public static X509Certificate2 CreateFromEncryptedPemFile(string certPemFilePath, ReadOnlySpan<char> password, string keyPemFilePath = default);
        public static X509Certificate2 CreateFromEncryptedPemFile(string certPemFilePath, ReadOnlySpan<byte> passwordBytes, string keyPemFilePath = default);

        public static X509Certificate2 CreateFromPem(ReadOnlySpan<char> certPem, ReadOnlySpan<char> keyPem);
        public static X509Certificate2 CreateFromEncryptedPem(ReadOnlySpan<char> certPem, ReadOnlySpan<char> keyPem, ReadOnlySpan<char> password);
        public static X509Certificate2 CreateFromEncryptedPem(ReadOnlySpan<char> certPem, ReadOnlySpan<char> keyPem, ReadOnlySpan<byte> passwordBytes);
    }

    partial class X509Certificate2Collection {
        public void ImportFromPemFile(string certPemFilePath);
        public void ImportFromPem(ReadOnlySpan<char> certPem);
    }
}

If no keyPemFile is specified, certPemFile is searched for both the cert and the key.

certPemFile probably should be "loads the first CERTIFICATE" entry from it; but if there are popular Unix-ish utilities that read multi-PEMs backwards, or "whichever one matched a private key", then we can consider a different behavior.

The keyPemFile is only allowed to specify one of the possible private key formats.

[los93sol]

If this supported openssl encrypted key files from pem that would be great as well. Hopefully people don't have unprotected pem files laying around with keys in them :)

Exporting to a pem object would be nice as well, from X509Certificate2 it seems like it would be pretty trivial to give back and object with the cert pem and the key pem, but when you have an X509CertificateCollection with intermediate/root certs in it things are quite a bit more difficult, maybe a collection with the chain certs as pem, then the leaf and key as properties....just tossing some ideas around since I have a TON of code to deal with certs in various formats

[rynowak]

just tossing some ideas around since I have a TON of code to deal with certs in various formats

Can you share some more about what kinds of things you commonly need to do? Code samples are great 👍

[rynowak]

@bartonjs - another example I've come across where .pem files are in use: https://github.com/kubernetes-client/csharp/blob/master/src/KubernetesClient/CertUtils.cs

[damienbod]

We have an implementation for this here

https://github.com/damienbod/AspNetCoreCertificates/blob/master/Documentation.md#exporting-importing-pem

or here:

https://github.com/oocx/ReadX509CertificateFromPem

The import works for most types

[vcsjones]

A lot of PEM bundles I run in to are basically

leaf
intermediate1
IntermediateN
private-key-for-leaf

Where the private key can appear at either the end of the bundle or immediately after the leaf, if it is present at all.

Is there any big value in getting the intermediates out as well in a single go? Perhaps return an array of X509Certificate2 in the order of the aggregate and match the private key up to the right certificate? Or some tuple of X509Certificate2 (Leaf) and X509Certificate2Collection (Additional certs)?

[bartonjs]

I think the accelerator on X509Certificate2 would be just like the X509Certificate2 ctors, it produces just one cert. X509Certificate2Collection could add a new instance ImportFromPem method and/or static CreateFromPem; and could do a semi-complex instance method to match additional keyfiles against existing certs... if that seems useful.

[bgrainger]

Can you share some more about what kinds of things you commonly need to do?

MySqlConnector needs to load certificates to establish a (possibly mutually-authenticated) secure connection to a server.

• Load client certificate: read PEM file; create X509Certificate2
• Load server certificate chain where the bundle is in the format mentioned by @vcsjones; cf Allow multiple certificates in CACertificateFile mysql-net/MySqlConnector#499

[vcsjones]

@bartonjs What about something like this?

namespace System.Security.Cryptography.X509Certificates {
    partial class X509Certificate2 {
        public static X509Certificate2 CreateFromPemFile(string certPemFilePath, string keyPemFilePath = default);
        public static X509Certificate2 CreateFromEncryptedPemFile(string certPemFilePath, ReadOnlySpan<char> password, string keyPemFilePath = default);
        public static X509Certificate2 CreateFromEncryptedPemFile(string certPemFilePath, ReadOnlySpan<byte> passwordBytes, string keyPemFilePath = default);

        public static X509Certificate2 CreateFromPem(ReadOnlySpan<char> certPem, ReadOnlySpan<char> keyPem);
        public static X509Certificate2 CreateFromEncryptedPem(ReadOnlySpan<char> certPem, ReadOnlySpan<char> keyPem, ReadOnlySpan<char> password);
        public static X509Certificate2 CreateFromEncryptedPem(ReadOnlySpan<char> certPem, ReadOnlySpan<char> keyPem, ReadOnlySpan<byte> passwordBytes);
    }

    partial class X509Certificate2Collection {
        public void ImportFromPemFile(string certPemFilePath);
        public void ImportFromPem(ReadOnlySpan<char> certPem);
    }
}

[bartonjs]

@vcsjones Seems like a reasonable starting point.

Probably wants some symmetric API on X509Certificate2Collection for loading a chain/chain+key. I'm not sure if it needs to be able to support private keys from extra files, or if that's too far off the main scenario and it'll just opportunistically load them from within the same multipem.