Correct usage of X509CertificateLoader with PEM

[Falco20019]

I know about the following pages related to this topic:

• https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificateloader.loadcertificatefromfile?view=net-9.0
• https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.createfromencryptedpem?view=net-9.0
• https://github.com/dotnet/core/blob/main/release-notes/9.0/preview/preview7/libraries.md#changes-to-x509-certificate-loading
• https://learn.microsoft.com/en-us/dotnet/fundamentals/syslib-diagnostics/syslib0057#workaround
• What is the replacement for `X509Certificate.CreateFromSignedFile`? #108740

In the past, I did something like this:

• Method called with certPath, keyPath (optional) and password (optional)
  • Try to parse it as PEM
    • Check if keyPath is given and contains a private key
    • Check if certPath is given and contains a certificate
      • Additionally check for private key if keyPath was not given
    • Use correct method to read PEM
      • X509Certificate2.CreateFromPem(certificateData) for single file with cert + key
      • X509Certificate2.CreateFromPem(certificateData, keyData) for two file variant without password
      • X509Certificate2.CreateFromEncryptedPem(certificateData, keyData, password) for two file variant with password
  • Fallback to new X509Certificate2(certificatePath, password) if not PEM
• Return X509Certificate2 instance

X509CertificateLoader.LoadCertificate currently only seem to be a replacement for X509Certificate2.CreateFromPem and X509CertificateLoader.LoadCertificateFromFile being an additional variant that allows to not manually read the file first.

Is there any recommended way on how to use X509CertificateLoader with PEM (besides the simplest case)? If not, are there plans to add more?

[bartonjs]

At this time we do not expect to migrate the PEM cert+key loading functionality over to X509CertificateLoader.

The new type only handles the two most common cases of the X509Certificate2(bytes) constructor (plain cert, PKCS#12/PFX), to help out those projects that really only ever expected it to be one or the other... then get surprised at runtime when they see the other, and "things happen".

Since the CreateFromPem and CreateFromEncryptedPem functions are already "single-format" (and, even better, single-encoding), they did not get marked as [Obsolete], and while "moving" them to X509CertificateLoader would allow for one kind of tidiness (all the load methods in one place) it would cause a dis-tidiness, too (two methods that do the exact same thing, causing people to wonder which one they should call, and, worse: "why" they should call "that one").

[Falco20019]

@bartonjs Speaking of dis-tidiness, would you then use X509Certificate2.CreateFromPem or X509CertificateLoader.LoadCertificate in the case of simple, non-encrypted PEM/DER certificates? I would have gone with X509Certificate2.CreateFromPem if X509Certificate2.GetCertContentType results with X509ContentType.Cert to use only the X509Certificate2.CreateFromPem* methods in the sub-routine.

[bartonjs]

CreateFromPem(bytes) will only load PEM input, not DER. It's main purpose is if you have a "multi-PEM" that had some other supported format in front of the certificate (which would basically just be PKCS#7/SignedCms) that you wanted to skip over.

X509CertificateLoader.LoadCertificate will load the same things CreateFromPem will load, except that it first tries to load the contents as a DER-encoded Certificate starting at the first byte.

So, if you want PEM-only, CreateFromPem. If you want PEM-or-DER, LoadCertificate.

[Falco20019]

Sorry, already mixing them up. Thanks. Read too many pages at the same time 🙈