Skip to content

[release/10.0] Fix EC-DSA / EC-DH PEM key loading with PKCS#8 key load attributes #123036

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
github-actions wants to merge 8 commits into
base: release/10.0
Choose a base branch
from
Open

[release/10.0] Fix EC-DSA / EC-DH PEM key loading with PKCS#8 key load attributes #123036

github-actions wants to merge 8 commits into from
+511 −40

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Jan 9, 2026
edited by vcsjones
Loading

Backport of #122997 to release/10.0

/cc @vcsjones

Customer Impact

  • Customer reported
  • Found internally

Customer reported in #122925. Customers that use X509Certificate2.CreateFromPem may receive an error when importing an EC-DSA on Windows, preventing them from importing the key.

This is because the key import mechanism only observed the key usages on the certificate. It did not observe the usages on the key itself.

Regression

  • Yes
  • No

This regressed in .NET 10 from #115249. That pull request fixed a similar issue with EC-DH, but caused the EC-DSA scenario to regress.

Testing

New tests were added to cover all new scenarios. Existing tests were in place to ensure known scenarios continued to work.

Risk

Low. Between the previous certificate-based test variance and the new key-based test variance, both sides of the cert+key pairing are covered.

@vcsjones vcsjones requested a review from bartonjs January 9, 2026 19:47
@vcsjones vcsjones added this to the 10.0.x milestone Jan 9, 2026
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Jan 9, 2026

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

This was referenced Jan 9, 2026
Open
Open
@bartonjs bartonjs added the Servicing-consider Issue for next servicing release review label Jan 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bartonjs bartonjs bartonjs approved these changes

Assignees

@vcsjones vcsjones

Labels

area-System.Security Servicing-consider Issue for next servicing release review

Projects

None yet

Milestone

10.0.x

Development

Successfully merging this pull request may close these issues.

3 participants

@bartonjs @vcsjones