SN v2.0 Works With PFX Files


One enhancement to the v2.0 SN tool that may not get noticed right away is that it can now work with PKCS #12 PFX files in addition to SNK files.  The logic here is that a self-signed certificate stored in a PFX file is the moral equivalent of an SNK key pair, except that it gives you the added benefit of storing your key in encrypted form rather than in the SNK’s plain-text format.


This feature should be entirely transparent — anywhere that SN takes a key file as input, you can now specify a PFX file instead. SN will detect this and prompt you for a password:



C:\Build>sn -R DelaySigned.exe KeyPair.pfx

Microsoft (R) .NET Framework Strong Name Utility Version 2.0.50727.42
Copyright (c) Microsoft Corporation. All rights reserved.

Enter the password for the PKCS#12 key file:
Assembly ‘DelaySigned.exe’ successfully re-signed

Your password will not echo to the screen as you type it.


There are a few limitations to this feature, however.  Since it was designed with self-signed certificates in mind, SN will not accept a PFX file which contains multiple certificates (there’s no way to tell it which certificate you wish to use).


Also, SN will not allow you to redirect standard input and load the password from a pipe.  (In this case it gives a rather cryptic error message “Failed to parse the PKCS#12 blob in KeyPair.pfx — The handle is invalid.”  … we’ll replace that message with something a bit more descriptive in a future release).


Finally, the PFX file must have a password, even if that password is blank.  SN will never attempt to read a certificate with a NULL password.


If you want to create a self-signed PFX key file, the easiest way is to use Visual Studio 2005.  In the project properties Signing tab, tell Visual Studio to create a new strong name key file.  VS will show you this dialog:



Selecting “Protect my key file with a password”, the default option, creates a PFX file.  If you uncheck that option, you’ll create a traditional SNK file.  VS will enforce that your password be at least six characters long.  It also provides the ability for you to change the password of an existing key pair.

Comments (10)

  1. .NET Framework 2.0 sn tool has the ability to work with PKCS #12 PFX files in addition to SNK files. …

  2. Harris says:

    Shawn,

    Great post!  While I have yet to use this feature of VS2k5/SN yet, I look forward to in the future.

    I really appreciate your clarification regarding self-signed certs.  This was/is something that I’ve struggled with when it came to strong-naming/signing assemblies: where do the keys come from??  Any Joe can use SN to generate key pairs and the Fx 1.1 docs did not go into much detail as to where the keys came from – just generate them using the tool and sign away.

    I take it that the real intent here is for companies to sign their binaries using their cert they purchase from Thawte (http://www.thawte.com/ssl-digital-certificates/code-signing/index.html, or whomever), or if you’re so fortunate enough to have a robust PKI implementation – use your own.

    Is this correct?

    Thanks again!  Your blog is awesome.

    Harris

  3. Miha Markic says:

    What about getting the key from the store? There is no UI support plus using AssemblyKeyName attribute yields a warning.

  4. shawnfa says:

    Hi Miha,

    You need to use the /keyname command line switch to do this.  Since VS doesn’t have store browsing UI, you might want to consider filing them a feature request on the MSDN Product Feedback Center.

    -Shawn

  5. shawnfa says:

    Hi Harris,

    The keys generated with the sn -k command are actually randomly generated.  We ask the default CSP to give us a new key, and it goes ahead and creates one for us :-)

    -Shawn

  6. It kills me that the names for these processes are "Code signing" and "Strong Name signing". So this

  7. HC says:

    Hi, how about the C# compiler?  Does the /keyfile option of csc accept a pfx file?  I tried the 3.5 version and it keeps saying ‘CS1548: Cryptographic failure … Bad version of provider.’

  8. Zian Choy says:

    >C:\Build>sn -R DelaySigned.exe KeyPair.pfx

    That will not work unless sn.exe is inside C:\Build.

  9. shawnfa says:

    No, the C# compiler does not work with PFX files.  In order to use a PFX file with C#, you need to do a few steps:

    1. Use SN to extract the public key from the PFX file:

    sn -p Key.pfx PublicKey.snk

    2. Use C# to delay sign your assembly:

    csc /delaysign /keyfile:PublicKey.snk YourAssembly.cs

    3. Use SN to complete the signing process:

    sn -R YourAssembly.exe Key.pfx

    -Shawn
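The script below is an added PowerShell example; it is not part of the original post, of the comments, or of the SN tool itself. It opens the PFX with .NET before calling sn.exe and fails early, with a plain message, on the conditions the post says SN rejects (more than one certificate in the file, a file that cannot be read as PKCS#12 with the supplied password), then runs the three-step delay-signing sequence from the last comment and verifies the result. It assumes sn.exe and csc.exe are on the PATH (for example in a Visual Studio developer prompt); the file names are placeholders.

```powershell
# Added example, not code from the original post or from the SN tool.
# Assumes sn.exe and csc.exe are on the PATH; all file names are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$PfxPath,
    [Parameter(Mandatory = $true)][string]$SourceFile,
    [string]$OutputAssembly = 'YourAssembly.exe',
    [string]$PublicKeyFile  = 'PublicKey.snk'
)

function Test-SnPfx {
    # Returns $true when the PFX satisfies what SN requires, as described in the post:
    # it opens as PKCS#12 with the given password (blank is allowed, absent is not)
    # and holds exactly one certificate. It also confirms that certificate carries a
    # private key, since that is what sn -R signs with.
    param([string]$Path, [string]$Password)

    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    try {
        $certs.Import($Path, $Password,
            [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    } catch {
        # Wrong password or not a PKCS#12 file: report it here rather than letting
        # sn.exe fail later with "Failed to parse the PKCS#12 blob".
        Write-Warning "Could not open '$Path' as PKCS#12: $($_.Exception.Message)"
        return $false
    }
    if ($certs.Count -ne 1) {
        Write-Warning "SN needs exactly one certificate in the PFX; '$Path' contains $($certs.Count)."
        return $false
    }
    if (-not $certs[0].HasPrivateKey) {
        Write-Warning "The certificate in '$Path' has no private key, so it cannot be used to sign."
        return $false
    }
    $selfSigned = ($certs[0].Subject -eq $certs[0].Issuer)
    Write-Host "PFX OK: $($certs[0].Subject) (self-signed: $selfSigned)"
    return $true
}

# Read the password without echo; convert it to a string only for the .NET import.
$secure   = Read-Host -Prompt "Enter the password for $PfxPath" -AsSecureString
$password = (New-Object System.Net.NetworkCredential('', $secure)).Password

if (-not (Test-SnPfx -Path $PfxPath -Password $password)) { exit 1 }

# SN prompts for the password itself and does not read it from redirected stdin,
# so each sn.exe call below is interactive; do not try to pipe $password into it.

# 1. Extract the public key from the PFX (sn -p accepts a PFX anywhere it takes a key file).
& sn -p $PfxPath $PublicKeyFile
if ($LASTEXITCODE -ne 0) { throw "sn -p failed with exit code $LASTEXITCODE" }

# 2. Delay-sign with the public key only; csc does not accept a PFX directly.
& csc /delaysign /keyfile:$PublicKeyFile /out:$OutputAssembly $SourceFile
if ($LASTEXITCODE -ne 0) { throw "csc failed with exit code $LASTEXITCODE" }

# 3. Complete the signature with the private key held in the PFX.
& sn -R $OutputAssembly $PfxPath
if ($LASTEXITCODE -ne 0) { throw "sn -R failed with exit code $LASTEXITCODE" }

# Verify the finished strong-name signature (-vf forces verification even if
# verification has been disabled for this assembly with sn -Vr).
& sn -vf $OutputAssembly
if ($LASTEXITCODE -ne 0) { throw "strong-name verification failed with exit code $LASTEXITCODE" }
```

Run it as `.\Sign-WithPfx.ps1 -PfxPath Key.pfx -SourceFile YourAssembly.cs` (the script name is an assumption). The pre-flight check uses the same X509 import .NET exposes rather than anything in sn.exe, so a multi-certificate PFX or a bad password is reported before any assembly is touched; the interactive sn prompts still appear for each of the three sn.exe invocations, because of the stdin limitation the post describes.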