Starting from https://github.com/dotnet/runtime/pull/104961 we can open keys from the provider. Some providers (most notably tpm2) will not allow to use private key for Verify and Encrypt operations but this is not consistent with what we do on other platforms.
Current workaround is that public key can be exported and imported into new instance which will use default provider and allow for this operation.
This issue is tracking discussion whether we want to override the behavior (this can be done by either getting public key and using it or just directly forcing default provider by passing in NULL LIB_CTX* to API creating EVP_PKEY_CTX).
Here are some points against:
chosen provider will not be used for the operations even if explicitly chosen by the user - that would force it to use default always
private keys are meant for Sign/Decrypt only and it's frequently a bug that private key is used for verification which is most likely the reason tpm2 provider blocks that in the first place
Starting from https://github.com/dotnet/runtime/pull/104961 we can open keys from the provider. Some providers (most notably
tpm2
) will not allow to use private key for Verify and Encrypt operations but this is not consistent with what we do on other platforms.Current workaround is that public key can be exported and imported into new instance which will use
default
provider and allow for this operation.This issue is tracking discussion whether we want to override the behavior (this can be done by either getting public key and using it or just directly forcing
default
provider by passing in NULLLIB_CTX*
to API creatingEVP_PKEY_CTX
).Here are some points against:
default
alwaystpm2
provider blocks that in the first placeRef: https://github.com/dotnet/runtime/pull/104961#discussion_r1683613752