Reputation: 32715
Here is a test:
var decoded = Convert.FromBase64String(certificateBase64Encoded);
var certificate = new X509Certificate2(decoded, (string)null, X509KeyStorageFlags.Exportable);
var x = Convert.ToBase64String(certificate.Export(X509ContentType.Pkcs12));
var y = Convert.ToBase64String(certificate.Export(X509ContentType.Pkcs12));
Console.WriteLine(x == y);
When called using X509ContentType.Cert, the value is always the same, and so the console prints 'True'. But when using the Pkcs12 option, the value is always quite different. Why is that, and is there a way to make them the same?
Upvotes: 3
Views: 575
Reputation: 43553
The PKCS#12 file (data) is encrypted, even if you supplied a null password, so a new initialization vector (IV) will be generated each time (from random data), and the output will never be the same. As such, you'll not be able to make them identical from multiple calls to Export.
OTOH the certificates are signed from a certificate authority (CA) and cannot be changed without breaking their signature. They will always be identical.
Note: I don't recall offhand, but there could be other random structures defined (e.g. bag-related); the PKCS#12 specification is a bit large.
Upvotes: 6
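Since the PFX bytes cannot be compared directly, one way to check that two exports hold the same material is to compare what is inside them. This is an added example, not code from the question or the answer; it assumes an RSA key and .NET Core 2.0+ or .NET Framework 4.7.2+ (for CertificateRequest), and the names PfxCompare, SameContents and SignedByVerifiesWith are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PfxCompare
{
    // Hypothetical helper: compares what two PFX blobs contain, never their raw bytes.
    static bool SameContents(byte[] pfxA, byte[] pfxB, string password)
    {
        using (var a = new X509Certificate2(pfxA, password))
        using (var b = new X509Certificate2(pfxB, password))
        {
            // The DER certificate is signed and carries no per-export randomness.
            if (!a.RawData.SequenceEqual(b.RawData)) return false;
            if (!a.HasPrivateKey || !b.HasPrivateKey) return false;
            // Cross-check the keys without exporting them: a signature made with
            // one file's private key must verify under the other file's public key.
            byte[] challenge = Guid.NewGuid().ToByteArray();
            return SignedByVerifiesWith(a, b, challenge) && SignedByVerifiesWith(b, a, challenge);
        }
    }

    static bool SignedByVerifiesWith(X509Certificate2 signer, X509Certificate2 verifier, byte[] data)
    {
        using (RSA priv = signer.GetRSAPrivateKey())
        using (RSA pub = verifier.GetRSAPublicKey())
        {
            byte[] sig = priv.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        // Constructed sample: a throwaway self-signed certificate, valid for one day.
        using (RSA rsa = RSA.Create(2048))
        using (X509Certificate2 cert = new CertificateRequest("CN=constructed-sample", rsa,
                   HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
               .CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1)))
        {
            byte[] x = cert.Export(X509ContentType.Pkcs12);
            byte[] y = cert.Export(X509ContentType.Pkcs12);
            Console.WriteLine("PFX bytes equal:    " + x.SequenceEqual(y));
            Console.WriteLine("PFX contents equal: " + SameContents(x, y, null));
        }
    }
}
```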