[Bug]: Can not generate a .p12 Certificate in AL #2516

Open
1 task done
StefanMaron opened this issue Dec 11, 2024 · 8 comments
Labels
Approved The issue is approved Integration GitHub request for Integration area

Comments

@StefanMaron
Contributor

Describe the issue

Some APIs require Client Certificate Authentication which means that I need to provide a certificate that contains the private key and is protected with a password.

The HTTPClient.AddCertificate() does support that already today.
https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/methods-auto/httpclient/httpclient-addcertificate-secrettext-secrettext-method

If I let the user upload the .p12 certificate and the password, I can call the API with the client certificate auth without issues.

However, it would be much better if I create a Certificate Signing Request in AL (which is possible today), get the certificate created for me, and then create the .p12 certificate inside Business central.

That way, the primary key does not have to leave BC.

Expected behavior

Here is a mock of how that could look:

```al
procedure CreateP12(CertBase64: Text; PrivateKey: SecretText; Password: SecretText)
var
    RSA: Codeunit RSA;
    X509Certificate2: Codeunit X509Certificate2;
    X509ContentType: Enum "X509 Content Type";
    P12CertBase64: Text;
begin
    // Load the private key that was generated inside BC (it never leaves the platform)
    RSA.FromSecretXmlString(PrivateKey);
    // Combine the CA-issued certificate with that private key
    X509Certificate2.CreateFromPem(CertBase64, RSA);
    // Export as a password-protected PKCS#12, base64-encoded for HttpClient.AddCertificate()
    P12CertBase64 := X509Certificate2.Export(X509ContentType::Pkcs12, Password);
end;
```

The fix would include exposing RSA.FromSecretXmlString, X509Certificate2.CreateFromPem and X509Certificate2.Export, with just small adjustments to use the X509ContentType Enum and to return base64 for easier handling.

https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsa.fromxmlstring?view=net-9.0
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.createfrompem?view=net-9.0
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate.export?view=net-9.0#system-security-cryptography-x509certificates-x509certificate-export(system-security-cryptography-x509certificates-x509contenttype-system-security-securestring)

Steps to reproduce

See description above

Additional context

No response

  • I will provide a fix for a bug
@JesperSchulz
Contributor

I like that idea, but it'll have to get past our security reviewers. @WaelAbuSeada / @darjoo, do your thing 😊 Can you approve this?

@JesperSchulz JesperSchulz added Integration GitHub request for Integration area Approved The issue is approved labels Dec 12, 2024
@JesperSchulz
Contributor

It's as such approved, but will you not run into the same problem as in these?

@darjoo
Contributor

darjoo commented Dec 13, 2024

Just putting it in writing here. Approved, and as Jesper linked, we have seen issues with methods that take in "ReadSpan" parameters.

@StefanMaron
Contributor Author

I am not sure yet, I have not given this a try.
I wanted to wait for approval first.

I will report back here if I can make a prototype work first, before even starting to work on a final version.

@StefanMaron
Contributor Author

After some fiddling it seems like I am at a dead end because of the exact same problem:

[Image]

@JesperSchulz
Contributor

We'll add it to the list of reasons why we need to look into this.

@JesperSchulz
Contributor

@SBalslev for info. This is the third issue blocked by the "ReadSpan issue". Mayday! We need compiler support 🤙

@JesperSchulz
Contributor

@StefanMaron, Steffen returned with the following suggestion, which can be implemented in the app:

"Create an app addin/dotnet wrapper that takes a string, converts it to the readspan and calls the required method.
Ex. BCInteropUtillities.CallImportEncryptedPcks8PrivateKey(provider, paramValue1)"

I haven't tried or thought this through in any way, but wondered if you'd be keen to give this a shot?
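The following is an added example, not code from the issue or from the BCApps project, sketching the .NET wrapper the last comment proposes and the PKCS#12 export the original mock describes. It exposes only `string`/`byte[]` parameters to the caller and makes the `ReadOnlySpan` calls internally. The class and method names are hypothetical (chosen after the thread's `BCInteropUtillities` suggestion); it assumes .NET 5 or later for `X509Certificate2.CreateFromPem`.

```csharp
// Added example (not part of the issue or the BCApps project). Hypothetical
// wrapper that AL could reference as a dotnet add-in: all parameters are
// string/byte[], so no ReadOnlySpan has to be bound from AL.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class BCInteropUtilities   // hypothetical name
{
    // Build a password-protected PKCS#12 (.p12) from a PEM certificate and an
    // RSA private key in .NET XML form (what RSA.ToXmlString produces).
    // Returns the PKCS#12 bytes base64-encoded, matching the issue's mock.
    public static string CreatePkcs12FromXmlKey(string certPem, string privateKeyXml, string password)
    {
        using RSA rsa = RSA.Create();
        rsa.FromXmlString(privateKeyXml);
        return ExportPkcs12(certPem, rsa, password);
    }

    // Same result, but the key arrives as an encrypted PKCS#8 DER blob plus its
    // passphrase. This is the ImportEncryptedPkcs8PrivateKey call named in the
    // last comment, with the span conversion done here instead of in AL.
    public static string CreatePkcs12FromEncryptedPkcs8(
        string certPem, byte[] encryptedPkcs8, string keyPassphrase, string password)
    {
        using RSA rsa = RSA.Create();
        rsa.ImportEncryptedPkcs8PrivateKey(keyPassphrase.AsSpan(), encryptedPkcs8, out int bytesRead);
        // Reject trailing bytes: a valid PKCS#8 structure consumes the whole buffer.
        if (bytesRead != encryptedPkcs8.Length)
            throw new CryptographicException("Trailing data after the PKCS#8 structure.");
        return ExportPkcs12(certPem, rsa, password);
    }

    private static string ExportPkcs12(string certPem, RSA rsa, string password)
    {
        // Refuse to write a .p12 whose private key is not password protected.
        if (string.IsNullOrEmpty(password))
            throw new ArgumentException("A non-empty password is required to protect the private key.", nameof(password));

        // The PEM holds the public certificate only; the key stays in the RSA object.
        using X509Certificate2 publicOnly = X509Certificate2.CreateFromPem(certPem.AsSpan());
        // CopyWithPrivateKey rejects a key that does not match the certificate's public key.
        using X509Certificate2 withKey = publicOnly.CopyWithPrivateKey(rsa);
        byte[] pkcs12 = withKey.Export(X509ContentType.Pkcs12, password);
        return Convert.ToBase64String(pkcs12);
    }
}
```

The base64 string and the password are what `HttpClient.AddCertificate(SecretText, SecretText)` already accepts, so the key material never has to be uploaded from outside the platform. Because `CopyWithPrivateKey` produces an ephemeral key on Windows, which SChannel cannot use directly for client authentication, going through a PKCS#12 export and re-import, as this wrapper does, is also the usual way to get a certificate the TLS stack will accept.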
