RSACng Decryption throwing Internal Error Occurred exception #97027

Open
aminemarckader opened this issue Jan 16, 2024 · 9 comments
Labels
area-System.Security needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration tracking-external-issue The issue is caused by external problem (e.g. OS) - nothing we can do to fix it directly
Milestone

Comments

@aminemarckader

aminemarckader commented Jan 16, 2024

I'm working with Safenet Token JC and I'm trying to deploy a service that interacts with it using .NET 8 and minimal API.
The encryption and decryption processes are executed using asymmetric keys from certificates stored in the Safenet token and retrieved as an X509Certificate2 object;
so far I got it to encrypt a string while debugging, and decryption is fine, but when I deploy the release exe as a service I always get this error:

   at System.Security.Cryptography.RSACng.EncryptOrDecrypt(SafeNCryptKeyHandle key, ReadOnlySpan`1 input, AsymmetricPaddingMode paddingMode, Void* paddingInfo, Boolean encrypt)
   at System.Security.Cryptography.RSACng.EncryptOrDecrypt(Byte[] data, RSAEncryptionPadding padding, Boolean encrypt)
   at Program.<<Main>$>g__DecryptDataOaepSha1|0_12(X509Certificate2 cert, Byte[] data)

This is the exact method I'm using to run the decryption process:

using System.Diagnostics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

byte[]? DecryptData(X509Certificate2? cert, byte[] data)
{
    try
    {
        // Only a CNG-backed key is accepted; any other RSA implementation makes the cast yield null.
        using (RSACng? rSACng = cert?.GetRSAPrivateKey() as RSACng)
        {
            if (rSACng == null)
            {
                return null;
            }
            return rSACng.Decrypt(data, RSAEncryptionPadding.OaepSHA256);
        }
    }
    catch (CryptographicException ce)
    {
        // Log message, inner exception and stack trace to the Windows event log, then rethrow.
        EventLog.WriteEntry("Inside Decrypt try block decryption method RSACNG EXCEPTION CE", ce.Message, EventLogEntryType.Error);
        EventLog.WriteEntry("Inside Decrypt try block decryption method RSACNG EXCEPTION CE", ce.InnerException?.ToString(), EventLogEntryType.Error);
        EventLog.WriteEntry("Inside Decrypt try block decryption method RSACNG EXCEPTION CE", ce.StackTrace, EventLogEntryType.Error);
        throw;
    }
}
@ghost ghost added the untriaged New issue has not been triaged by the area owner label Jan 16, 2024
@ghost

ghost commented Jan 16, 2024

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@bartonjs
Member

When using keys from something other than the builtin software key provider you're at the mercy of whatever error codes the provider-writer felt like offering.

Psychic debugging suggests either a) your service user doesn't have permission to the private key, or b) when running as a service the provider can't figure out a way to PIN prompt.

Try running as the same user account, but in a UI/interactive context; if that works, it's (b). If that fails, try as a different user (which might reveal (a)).

@aminemarckader
Author

Actually, I'm using the Microsoft X509Certificate2 store to look up the certificate in question; then, since I'm using .NET 8, I had to use RSACng to read the private key. My dilemma is that when I run the debug build everything works, but when I run the release build it doesn't (I used the administrator account in order to avoid permissions issues). I've tried Windows 10 and 11, same story. If I am at the mercy of the vendor, why does it work in debug and not in release?
I'm willing to share my code with you to reproduce the issue!

@vcsjones
Member

I had to use RSACng to read the private key

CNG is a Windows feature that is based on Providers. Windows itself comes with a few providers, however Providers can be provided by 3rd parties, and frequently so, when the need arises for a Provider to bridge between a piece of hardware like a token and CNG. Providers are free to do whatever they need to bridge this interface between CNG and the Hardware. Some themselves have something like a sub-Provider, like SmartCards have MiniDrivers.

All that is to say, CNG is doing a lot of things under the covers and there are many failure points.

One place for us to start is to figure out what Provider your certificate and key are actually using. You should be able to do something like this:

RSACng rsa = GetYourKey();
string provider = rsa.Key.Provider.Provider;

If you log the value of provider that should tell us what Provider you are using and where we can better start troubleshooting.

I'm willing to share my code with you to reproduce the issue!

As Jeremy alluded to, this is much more likely to be an issue with the token or CNG Provider. I don't know that sharing the code would help, but if you have a small program that reproduces the issue, it would not hurt to provide one.
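
An added diagnostic, not code from the issue's author or from the dotnet runtime, that combines the provider lookup above with the two checks Jeremy described (which account the process runs under, and whether it has an interactive session) and records the provider's raw HResult instead of only its message text. The class name, thumbprint and probe message are placeholders; the store location is assumed to be CurrentUser\My.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: run it once from an interactive session and once as the service,
// under the same account, and compare the two outputs.
static class KeyDiagnostics
{
    public static void Report(string thumbprint, byte[] sample)
    {
        // A service has no desktop; a provider that must show a PIN prompt cannot do so here.
        Console.WriteLine($"user={Environment.UserName} interactive={Environment.UserInteractive}");

        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0) { Console.WriteLine("certificate not found in CurrentUser\\My"); return; }
        X509Certificate2 cert = matches[0];
        Console.WriteLine($"subject={cert.Subject} hasPrivateKey={cert.HasPrivateKey}");

        using RSA? rsa = cert.GetRSAPrivateKey();
        if (rsa is not RSACng cng)
        {
            // The issue's DecryptData returns null silently in this case; surface it instead.
            Console.WriteLine($"private key type={rsa?.GetType().Name ?? "none"} (not RSACng)");
            return;
        }

        CngKey key = cng.Key;
        Console.WriteLine($"provider={key.Provider.Provider}");
        Console.WriteLine($"keyName={key.KeyName} machineKey={key.IsMachineKey}");

        try
        {
            // Constructed probe: encrypt with the public half, then round-trip through the token.
            byte[] ct = cng.Encrypt(sample, RSAEncryptionPadding.OaepSHA256);
            byte[] pt = cng.Decrypt(ct, RSAEncryptionPadding.OaepSHA256);
            Console.WriteLine($"roundtrip ok={sample.AsSpan().SequenceEqual(pt)}");
        }
        catch (CryptographicException ce)
        {
            // HResult carries the provider's status code, which is more specific than "internal error".
            Console.WriteLine($"decrypt failed hresult=0x{ce.HResult:X8} message={ce.Message}");
        }
    }
}

// Placeholder values, not from the issue:
// KeyDiagnostics.Report("<THUMBPRINT-PLACEHOLDER>", System.Text.Encoding.UTF8.GetBytes("probe"));
```

If the interactive run succeeds and the service run fails with the same account and provider, the difference is the session (Jeremy's case b); if both fail only for the service account, look at key permissions (case a).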

@vcsjones vcsjones added the needs-author-action An issue or pull request that requires more info or actions from the author. label Jan 22, 2024
@ghost

ghost commented Jan 22, 2024

This issue has been marked needs-author-action and may be missing some important information.

@aminemarckader
Author

aminemarckader commented Jan 24, 2024

The provider is eToken Base Cryptographic Provider.
My main issue is not the provider; my issue is that when I deploy the service, and even change the service account to my own administrator account, I can't access the private key to decrypt the data.
When I run the application in debug mode it works fine, but when I run the production RELEASE build I get the error.

@ghost ghost removed the needs-author-action An issue or pull request that requires more info or actions from the author. label Jan 24, 2024
@bartonjs bartonjs added the tracking-external-issue The issue is caused by external problem (e.g. OS) - nothing we can do to fix it directly label Jul 5, 2024
@bartonjs bartonjs added this to the Future milestone Jul 5, 2024
@jeffhandley jeffhandley added needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration and removed untriaged New issue has not been triaged by the area owner labels Jul 19, 2024
@jeffhandley
Member

@bartonjs Do you suspect this is an issue with the provider itself?

@aminemarckader I know a lot of time has passed on this issue; did you find a way past it already?

@bartonjs
Member

Either an issue with the provider, or with its permissions model, or something. And I definitely can't explain why it would change between debug and release (unless they are being launched from the IDE and have different launch profiles).

@aminemarckader
Author

aminemarckader commented Nov 11, 2024 via email
