From 0e725a334097a823627d03dc1fce9bcc24434b26 Mon Sep 17 00:00:00 2001
From: Erlend Oksvoll
Date: Thu, 26 Mar 2026 12:18:27 +0100
Subject: [PATCH 1/2] changed cert loading to support oed-messaging

---
 Dan.Core/Config/KeyVault.cs | 2 +-
 Dan.Core/Program.cs | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/Dan.Core/Config/KeyVault.cs b/Dan.Core/Config/KeyVault.cs
index 654e411..24b0556 100644
--- a/Dan.Core/Config/KeyVault.cs
+++ b/Dan.Core/Config/KeyVault.cs
@@ -42,7 +42,7 @@ public async Task GetCertificate(string key)
 var base64Certificate = await Get(key);
 var certBytes = Convert.FromBase64String(base64Certificate);
- var cert = X509CertificateLoader.LoadPkcs12(certBytes, string.Empty, X509KeyStorageFlags.MachineKeySet);
+ var cert = X509CertificateLoader.LoadPkcs12(certBytes, string.Empty, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);
 if (X509CertificateHelper.GetValidOrgNumberFromCertificate(cert) == null)
 {
diff --git a/Dan.Core/Program.cs b/Dan.Core/Program.cs
index 6cdc17a..c533146 100644
--- a/Dan.Core/Program.cs
+++ b/Dan.Core/Program.cs
@@ -260,7 +260,10 @@ void AddAltinn3Messaging(IServiceCollection services)
 {
- var encodedCert = Settings.AltinnCertificateb64;
+ // Load cert via our working code path and re-export as passwordless PKCS#12
+ // to avoid CryptographicException in Maskinporten library on Azure
+ var cert = Settings.AltinnCertificate;
+ var encodedCert = Convert.ToBase64String(cert.Export(X509ContentType.Pkcs12));
 services.AddDdCorrespondenceService(options =>
 {
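Review bot: The added `X509KeyStorageFlags.Exportable` marks the private key exportable for every caller of GetCertificate, while only the single Export(X509ContentType.Pkcs12) call in Program.cs needs it, and on Windows the MachineKeySet import already places the key in a machine-store container for as long as the certificate object lives; the flag choice deserves a comment, e.g. `// Exportable: Program.cs re-exports this key as PKCS#12 for the Maskinporten client`. A loader that keeps the key in memory (`X509KeyStorageFlags.EphemeralKeySet`, which the second commit's message names) would avoid the on-disk container, with the caveat that ephemeral keys are reportedly not accepted by every Windows API (SChannel-based TLS in particular), so check how the returned certificate is used elsewhere before switching. GetCertificate continues outside the hunk.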
@@ -268,11 +271,11 @@ void AddAltinn3Messaging(IServiceCollection services)
 {
 ClientId = Settings.MaskinportenClientId,
 Environment = Settings.MaskinportenUrl.Contains("test") ? "test" : "prod",
- EnableDebugLogging = Settings.MaskinportenUrl.Contains("test") ? true : false,
+ EnableDebugLogging = Settings.MaskinportenUrl.Contains("test"),
 EncodedX509 = encodedCert
 };
 options.ResourceId = "digdir-data-altinn-no-melding";
- options.Environment = Settings.MaskinportenUrl.Contains("test") ? ApiEnvironment.Staging : ApiEnvironment.Production;
+ options.Environment = Settings.MaskinportenUrl.Contains("test") ? ApiEnvironment.Staging : ApiEnvironment.Production;
 });
 }

From cf26eca33194dba03d135649b98b4d6940e12ec4 Mon Sep 17 00:00:00 2001
From: Erlend Oksvoll
Date: Fri, 27 Mar 2026 13:12:17 +0100
Subject: [PATCH 2/2] Use EphemeralKeySet for in-memory certificate loading

Replaced MachineKeySet and Exportable flags with EphemeralKeySet when loading PKCS#12 certificates. This ensures private keys are only stored in memory and not persisted to disk, improving security.

---
 Dan.Core/Config/KeyVault.cs | 2 +-
 Dan.Core/Program.cs | 7 +------
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/Dan.Core/Config/KeyVault.cs b/Dan.Core/Config/KeyVault.cs
index 24b0556..654e411 100644
--- a/Dan.Core/Config/KeyVault.cs
+++ b/Dan.Core/Config/KeyVault.cs
@@ -42,7 +42,7 @@ public async Task GetCertificate(string key)
 var base64Certificate = await Get(key);
 var certBytes = Convert.FromBase64String(base64Certificate);
- var cert = X509CertificateLoader.LoadPkcs12(certBytes, string.Empty, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);
+ var cert = X509CertificateLoader.LoadPkcs12(certBytes, string.Empty, X509KeyStorageFlags.MachineKeySet);
 if (X509CertificateHelper.GetValidOrgNumberFromCertificate(cert) == null)
 {
diff --git a/Dan.Core/Program.cs b/Dan.Core/Program.cs
index c533146..a068fd6 100644
--- a/Dan.Core/Program.cs
+++ b/Dan.Core/Program.cs
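Review bot: The same `Settings.MaskinportenUrl.Contains("test")` substring test is evaluated three times in this hunk to choose the environment string, the debug-logging flag and the ApiEnvironment, and a substring match is a fragile way to select production versus staging (any URL containing "test" anywhere, say a constructed host like contest.example, flips all three to staging with debug logging on); hoisting it once, `var isTest = Settings.MaskinportenUrl.Contains("test");`, removes the repetition, and a dedicated environment setting would make the choice explicit. The `-`/`+` pair for options.Environment carries identical text, so that change is presumably whitespace-only and could be left out of the commit. AddAltinn3Messaging starts outside the hunk.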
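Review bot: The added line passes `X509KeyStorageFlags.MachineKeySet` alone, although the commit message says MachineKeySet and Exportable were replaced with EphemeralKeySet; the index line 24b0556..654e411 shows this is an exact revert to the blob from before the first patch rather than a new flag. If the message describes the intent, the line should read `var cert = X509CertificateLoader.LoadPkcs12(certBytes, string.Empty, X509KeyStorageFlags.EphemeralKeySet);`. Either way, Program.cs in this same commit still calls Export(X509ContentType.Pkcs12) on the returned certificate, and without Exportable that export can fail on Windows, where an imported key is non-exportable by default — which looks like the CryptographicException the first commit's comment worked around — so the chosen flag combination should be verified on the Azure deployment with an export round-trip. GetCertificate continues outside the hunk.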
@@ -260,11 +260,6 @@ void AddAltinn3Messaging(IServiceCollection services)
 {
- // Load cert via our working code path and re-export as passwordless PKCS#12
- // to avoid CryptographicException in Maskinporten library on Azure
- var cert = Settings.AltinnCertificate;
- var encodedCert = Convert.ToBase64String(cert.Export(X509ContentType.Pkcs12));
-
 services.AddDdCorrespondenceService(options =>
 {
 options.MaskinportenSettings = new MaskinportenSettings
@@ -272,7 +267,7 @@ void AddAltinn3Messaging(IServiceCollection services)
 ClientId = Settings.MaskinportenClientId,
 Environment = Settings.MaskinportenUrl.Contains("test") ? "test" : "prod",
 EnableDebugLogging = Settings.MaskinportenUrl.Contains("test"),
- EncodedX509 = encodedCert
+ EncodedX509 = Convert.ToBase64String(Settings.AltinnCertificate.Export(X509ContentType.Pkcs12))
 };
 options.ResourceId = "digdir-data-altinn-no-melding";
 options.Environment = Settings.MaskinportenUrl.Contains("test") ? ApiEnvironment.Staging : ApiEnvironment.Production;
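Review bot: The comment removed in the first hunk of this file was the only explanation of why the certificate is re-exported as a passwordless PKCS#12, and the new `EncodedX509 = Convert.ToBase64String(Settings.AltinnCertificate.Export(X509ContentType.Pkcs12))` gives none; keep a one-line note such as `// Maskinporten client takes the certificate as a base64 PKCS#12 blob; Export() needs the key loaded exportable (see KeyVault.GetCertificate)`. Beyond documentation, this places the private key, unencrypted, in a managed string owned by the options object for the lifetime of the process, where it cannot be zeroed; if the library offers an overload taking an X509Certificate2 directly, that would avoid materialising the key bytes at all — can't confirm from here whether it does. The Export call also depends on the key-storage flags chosen in KeyVault.cs in this same commit, where the revert to MachineKeySet alone may make it throw on Windows. AddAltinn3Messaging continues outside the hunk.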