[Bug]: Can not generate a `.p12` Certificate in AL

[StefanMaron]

Describe the issue

Some APIs require Client Certificate Authentication which means that I need to provide a certificate that contains the private key and is protected with a password.

The HTTPClient.AddCertificate() does support that already today.
https://learn.microsoft.com/en-us/dynamics365/business-central/dev-itpro/developer/methods-auto/httpclient/httpclient-addcertificate-secrettext-secrettext-method

If I let the user upload the .p12 certificate and the password, I can call the API with the client certificate auth without issues.

However, it would be much better if I create a Certificate Signing Request in AL (which is possible today), get the certificate created for me, and then create the .p12 certificate inside Business central.

That way, the primary key does not have to leave BC.

Expected behavior

Here is mock for how that could look like:

procedure CreateP12(CertBase64: Text; PrivateKey: SecretText; Password: SecretText)
var
    RSA: Codeunit RSA;
    X509Certificate2: Codeunit X509Certificate2;
    X509ContentType: Enum "X509 Content Type";
    P12CertBase64: Text;
begin
    RSA.FromSecretXmlString(PrivateKey);
    X509Certificate2.CreateFromPem(CertBase64, RSA);
    P12CertBase64 := X509Certificate2.Export(X509ContentType::Pkcs12, Password);
end;

The fix would include exposing RSA.FromSecretXmlString, X509Certificate2.CreateFromPem and X509Certificate2.Export with just small adjustments to use the X509ContentType Enum and return a base64 for easier handling

https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsa.fromxmlstring?view=net-9.0
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.createfrompem?view=net-9.0
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate.export?view=net-9.0#system-security-cryptography-x509certificates-x509certificate-export(system-security-cryptography-x509certificates-x509contenttype-system-security-securestring)

Steps to reproduce

See description above

Additional context

No response

I will provide a fix for a bug

• I will provide a fix for a bug

[JesperSchulz]

I like that idea, but it'll have to get past our security reviewers. @WaelAbuSeada / @darjoo, do your thing 😊 Can you approve this?

[JesperSchulz]

It's as such approved, but will you not run into the same problem as in these?

• Update RSA.Codeunit.al #2255
• [DRAFT] New function suggestion in RSACryptoServiceProvider #409

[darjoo]

Just putting it in writing here. Approved, and as Jesper linked, we have seen issues with methods that take in "ReadSpan " parameters.

[StefanMaron]

I am not sure yet, I have not given this a try.
I wanted to wait for approval first.

I will report back here if I can make a prototype work first, before even starting to work on a final version

[StefanMaron]

After some fiddling it seems like I am at a dead end because of the exact same problem:

[JesperSchulz]

We'll add it to the list of reasons why we need to look into this.

[JesperSchulz]

@SBalslev for info. This is the third issue blocked by the "ReadSpan issue". Mayday! We need compiler support 🤙

[JesperSchulz]

@StefanMaron, Steffen returned with the following suggestion, which can be implemented in the app:

"Create an app addin/dotnet wrapper that takes a string, converts it to the readspan and calls the required method.
Ex. BCInteropUtillities.CallImportEncryptedPcks8PrivateKey(provider, paramValue1)"

I haven't tried or thought this through in any way, but wondered if you'd be keep to give this a shot?

[StefanMaron]

@JesperSchulz Thanks for the recomendation, but I am afraid that this exceeds my C# skills. I might need to wait for this to be provided by someone else.

[StefanMaron]

I did it folks, its working now! 🥳