Home/ Questions/Q 4059322
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T15:11:37+00:00

This one may seem like a simple question, but it’s really got me scratching

  • 0

This one may seem like a simple question, but it’s really got me scratching my head. The trouble is that our code was working perfectly while running on the .NET framework 3.5, but now that we’ve switched to .NET 4.0 we’re getting this error. Here’s the relevant code:

SignedCms signed = new SignedCms(content, false);
CmsSigner signer = new CmsSigner(
    SubjectIdentifierType.IssuerAndSerialNumber,
    signingCertificate);

signed.ComputeSignature(signer);

Once again, on .NET 3.5 this works fine. But now that our project targets .NET 4.0, it throws a CryptographicException when using the exact same certificate.

[CryptographicException: Provider's public key is invalid.]
   at System.Security.Cryptography.Pkcs.PkcsUtils.CreateSignerEncodeInfo(CmsSigner signer, Boolean silent)
   at System.Security.Cryptography.Pkcs.SignedCms.Sign(CmsSigner signer, Boolean silent)
   at System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner signer, Boolean silent)
   at System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner signer)
   ...

Any ideas what could cause this?

UPDATE

After digging a little deeper, I’ve discovered that the problem only occurs when I deserialize the signing certificate myself. If I load it from the machine’s store, everything works. So, evidentally, there’s something wrong with my deserialization code. This code hasn’t changed. The only difference is that it’s now targeting .NET 4. Here’s the code:

var result = new X509Certificate2(certificate);

byte[] decryptedKey;

// Long ugly code to decrypt private key omitted...                

var rsa = new RSACryptoServiceProvider(new CspParameters
{
    Flags = CspProviderFlags.UseMachineKeyStore
});

try
{
    rsa.ImportCspBlob(decryptedKey);

    result.PrivateKey = rsa;

    return result;
}
catch
{
    rsa.Dispose();
    throw;
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It turns out the problem was a subtle, breaking change in the RSACryptoServiceProvider. Prior to .NET 4.0, a new instance of this class would have a randomly generated key container name (of the form “CLR{GUID}”). In .NET 4.0, it leaves the key container name as null. (Or perhaps it’s setting it to null because that’s what I passed with the CspParameters.)

    In any case, this means that each subsequent RSACryptoService provider overwrites the key pairs of any previous providers. When my code finally got around signing something, the key pair associated with the certificate had been overwritten by a different certificate’s key pair. (Thus the “public key is invalid” error.)

    The solution was to simply generate a random name myself. The change to my deserialization code is as follows:

    var rsa = new RSACryptoServiceProvider(new CspParameters
{
    Flags = CspProviderFlags.UseMachineKeyStore,

    KeyContainerName = String.Format("MyPrefix {{{0}}}", Guid.NewGuid())
});

try {
    rsa.PersistKeyInCsp = false; // ensure key is deleted when provider is disposed

    rsa.ImportCspBlob(decryptedKey);

    result.PrivateKey = rsa;

    return result;
}
    • 0