Stop using Windows user certificate store as default for data protection keys. #46308

Open
@dozer75

Description

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

I was trying to figure out how UnprotectKeysWithAnyCertificate worked, but I did not manage to get any code without it to fail when trying to unprotect an old secret created by a different certificate than the one provided in ProtectKeysWithCertificate.

While trying to figure out why we have an UnprotectKeysWithAnyCertificate (which, from my point of view at the time, seemed quite useless), I wrote the dotnet/AspNetCore.Docs#28213 issue. After I got an answer on that, I realized that the problem was the fact that even though I hadn't referenced the Windows user certificate store in any way, the data protection key certificate logic still searches the certificate store on Windows operating systems. If it finds the thumbprint there, it uses that, which cost me a great amount of wasted time trying to understand the usage of UnprotectKeysWithAnyCertificate.

Describe the solution you'd like

While (as the previously mentioned issue states) it could be documented better how certificate key protection works and how it differs between operating environments, it would be nice if the logic were consistent in that the certificate store isn't used unless the application explicitly configures it to be.

I can see a couple of different ways that this could be done:

  1. By not using the Windows certificate store if ProtectKeysWithCertificate is used with an X509Certificate2, and only using it when a thumbprint is provided.
  2. By having another extension method called something like ProtectKeysWithCertificateStore that takes a thumbprint (and optionally an X509Store if the user wants to override the store to be used), and letting ProtectKeysWithCertificate accept only an X509Certificate2, thus not using the certificate store at all.
  3. By removing (or obsoleting) the ProtectKeysWithCertificate overload that takes an X509Certificate2 and creating an extension method called something like ProtectKeysWithExplicitCertificate, which makes the certificate key protection ignore any certificate stores.

Any of these ways will (while being breaking changes, except for option 3 if the method is obsoleted) make it a bit clearer how certificate key protection works.

Also note, as mentioned in option 2, that it would be nice if you gave us the opportunity to specify an X509Store for certificate retrieval.

Additional context

No response
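The certificate rotation scenario the issue describes, as an added example that is not code from the issue or from the ASP.NET Core project. It uses the real DataProtection builder APIs (ProtectKeysWithCertificate, UnprotectKeysWithAnyCertificate, PersistKeysToFileSystem) and assumes the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection NuGet packages. The two certificates are constructed self-signed ones generated at runtime; the CN values, application name, purpose string and temp directory are arbitrary choices for the demo. Phase 2 is the interesting part: on Linux or macOS it fails because nothing can decrypt the key encrypted to certificate A, whereas on Windows it can unexpectedly succeed if A happens to be in the user certificate store, which is the behaviour the issue reports.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

static class CertificateRotationDemo
{
    // Constructed test certificate. A real deployment would load a PFX or read a
    // store; generating one here keeps the example self-contained. The PFX
    // round-trip is an assumption that makes the private key usable by
    // EncryptedXml on every platform (ephemeral keys from CreateSelfSigned are
    // not always accepted on Windows).
    static X509Certificate2 MakeCert(string commonName)
    {
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest($"CN={commonName}", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        request.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DataEncipherment, critical: false));
        using var ephemeral = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
        return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx), (string?)null,
            X509KeyStorageFlags.Exportable);
    }

    // Builds a provider that encrypts new keys to `current` and may decrypt
    // existing keys with `current` or any certificate in `previous`.
    static IDataProtector BuildProtector(DirectoryInfo keyRing, X509Certificate2 current,
        params X509Certificate2[] previous)
    {
        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName("rotation-demo")
            .PersistKeysToFileSystem(keyRing)
            .ProtectKeysWithCertificate(current)          // explicit certificate object, no thumbprint given
            .UnprotectKeysWithAnyCertificate(previous);  // decrypt-only certificates for older keys
        var provider = services.BuildServiceProvider().GetRequiredService<IDataProtectionProvider>();
        return provider.CreateProtector("rotation-demo-purpose");
    }

    static void Main()
    {
        var keyRing = new DirectoryInfo(Path.Combine(Path.GetTempPath(),
            "dp-rotation-demo-" + Guid.NewGuid().ToString("N")));
        keyRing.Create();
        var certA = MakeCert("dp-demo-A");
        var certB = MakeCert("dp-demo-B");

        // Phase 1: the application runs with certificate A. The first key in the
        // ring is generated now and encrypted to A.
        string token = BuildProtector(keyRing, certA).Protect("hello");

        // Phase 2: rotated to B, A forgotten. The A-encrypted key cannot be
        // decrypted, so the key manager creates a fresh key and Unprotect fails
        // with a CryptographicException. On Windows this call can instead succeed
        // if A is in the user certificate store and is found by thumbprint.
        try
        {
            BuildProtector(keyRing, certB).Unprotect(token);
            Console.WriteLine("Unprotect succeeded without A: the certificate store supplied it.");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Unprotect without A failed as expected: " + ex.Message);
        }

        // Phase 3: rotated to B but A is kept as a decrypt-only certificate, so
        // both the old A-encrypted key and the new B-encrypted key are usable
        // regardless of what the Windows store contains.
        string plaintext = BuildProtector(keyRing, certB, certA).Unprotect(token);
        Console.WriteLine("Unprotect with A listed: " + plaintext);
    }
}
```

Listing the retired certificate in UnprotectKeysWithAnyCertificate is what makes phase 3 behave the same on every operating system; relying on the store lookup only works on Windows and only while the old certificate remains installed, which is the inconsistency the issue asks to remove.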

Metadata

    Labels

    area-dataprotection (Includes: DataProtection)
    enhancement (This issue represents an ask for new feature or an enhancement to an existing one)
