I am no expert here, but through experimentation it appears that the new RsaUtils class cannot be used to decrypt data that was encrypted with a certificate that is marked with a non-exportable private key.
However it is possible to decrypt using the RSACryptoServiceProvider with a certificate that has a non-exportable private key.
I am suggesting that we add an overload for Decrypt, something like, for example:
Decrypt(string encryptedText, AsymmetricAlgorithm privateKey) or some such signature that works with current pattern.
Explanation:
Evidently, when a certificate is imported into a cert store as non-exportable (as is the case for Azure deployed certificates) it is not possible to do either:
ImportParameters(), as in this overload https://github.com/ServiceStack/ServiceStack/blob/master/src/ServiceStack.Client/CryptUtils.cs#L162
or FromXmlString(), as in this overload https://github.com/ServiceStack/ServiceStack/blob/master/src/ServiceStack.Client/CryptUtils.cs#L152
The new overload would simply look like this:
public static byte[] Decrypt(byte[] encryptedBytes, AsymmetricAlgorithm privateKey)
{
    // Cast the store-backed key to its provider type; the key material never leaves the CSP container,
    // so no ExportParameters()/ToXmlString() round trip is needed.
    // Note: the using block disposes the caller's key object after a single decrypt.
    using (var rsa = (RSACryptoServiceProvider)privateKey)
    {
        // DoOAEPPadding is the existing CryptUtils flag selecting OAEP vs PKCS#1 v1.5 padding
        byte[] bytes = rsa.Decrypt(encryptedBytes, DoOAEPPadding);
        return bytes;
    }
}
Don’t ask me to explain exactly why that works (i.e. how it uses the non-exportable private key) but it does.
Thoughts?
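An added illustration (not ServiceStack's code and not the poster's) of the pattern described above: load a certificate from the machine store and decrypt with its private key in place, plus a check showing why the ImportParameters()/FromXmlString() overloads fail on a non-exportable key. It assumes .NET Framework 4.6+ or .NET Core (for GetRSAPrivateKey and a disposable X509Store); the thumbprint is a placeholder.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: decrypt with a store-resident, non-exportable RSA private key.
public static class NonExportableKeyDecrypt
{
    // Placeholder: replace with the thumbprint of the installed certificate.
    const string Thumbprint = "<CERT-THUMBPRINT>";

    public static byte[] Decrypt(byte[] encryptedBytes, bool useOaep = true)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, Thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("certificate not found in store");

            var cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("certificate has no private key");

            // The key handle stays inside the CSP/key container; nothing is exported.
            // OaepSHA1 matches RSACryptoServiceProvider.Decrypt(bytes, fOAEP: true).
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                var padding = useOaep ? RSAEncryptionPadding.OaepSHA1
                                      : RSAEncryptionPadding.Pkcs1;
                return rsa.Decrypt(encryptedBytes, padding);
            }
        }
    }

    // Shows why the ImportParameters()/FromXmlString() paths cannot work here:
    // asking for the private half of a non-exportable key throws.
    public static bool PrivateKeyIsExportable(X509Certificate2 cert)
    {
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            try
            {
                rsa.ExportParameters(includePrivateParameters: true);
                return true;
            }
            catch (CryptographicException)
            {
                return false;
            }
        }
    }
}
```

Decrypt() only needs the store-resident key handle, which is the same mechanism the proposed overload relies on; PrivateKeyIsExportable() returns false for certificates imported as non-exportable.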