Not able to get thumbprint in the Azure Linux Container App #111522

Closed
yogesh789 opened this issue Jan 17, 2025 · 4 comments
Labels
area-System.Security needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration

@yogesh789

yogesh789 commented Jan 17, 2025

Description

new X509Certificate2(Convert.FromBase64String("CertificateString")).Thumbprint

The above code statement returns the error below (this code statement works fine in the Windows environment). I've pasted my CertString below.

Unhandled exception. System.Security.Cryptography.CryptographicException: ASN1 corrupted data.
Reproduction Steps

We are passing the certificate string in the statement below and trying to generate the thumbprint in .NET Core 8.

new X509Certificate2(Convert.FromBase64String("CertificateString")).Thumbprint

Added the certificate using a cert.crt file and then pushed the image containing the cert file to the container app in Azure.

Expected behavior

It should generate the Thumbprint.

Actual behavior

It is returning the below error.

Unhandled exception. System.Security.Cryptography.CryptographicException: ASN1 corrupted data.

Regression?

No response

Known Workarounds

No response

Configuration

No response

Other information

No response

@vcsjones
Member

I'm not able to reproduce this on Linux:

using System;
using System.Security.Cryptography.X509Certificates;

X509Certificate2 cert = new X509Certificate2(Convert.FromBase64String("""..."""));

Console.WriteLine(cert.Thumbprint);

This prints a thumbprint.

I suspect the only way this is possible is if the value that you are actually using in your container service is not getting passed as expected.

Added the certificate using a cert.crt file and then pushed the image containing the cert file to the container app in Azure.

It's not exactly clear to me what you are doing, but your code sample does not make use of a file named cert.crt anywhere.

I would

  1. Make sure that the value going in to new X509Certificate2 is what you expect with logging or some other diagnostic mechanism.
  2. If you are still having trouble, please provide a full and complete example of code demonstrating the issue.

@yogesh789
Author

yogesh789 commented Jan 20, 2025

This issue has been marked needs-author-action and may be missing some important information.

Thanks for looking into the issue. Sorry for not mentioning the details. I'm adding further details below to reproduce the issue.

new X509Certificate2(Convert.FromBase64String("certificate string")).Thumbprint

We've also tested that the above code works fine in the Linux environment, but when we tried to deploy it using the Azure Linux container app, we got the error below.

Image

There is an online tool (https://www.jdoodle.com/compile-c-sharp-online) where I've also tried this. Certificate String - 1 (Cert-1.txt) is working fine in both language versions, Mono (4.2.2, 5.0.0, 5.10.1, 6.0.0, 6.12.0) and Dot Net 7.0.13 (screenshots below).

Image

Image

But when I tried using Certificate String - 2 (Cert-2.txt), it is working fine in the Mono version (screenshot below)

Image

and when I tried with DotNet 7.0.13, I am getting an error (screenshot below), which is the same as the Azure Linux Container App error.

Image

Could you please guide me on the further steps to follow to resolve this issue?

@vcsjones
Member

LS0t

Your base64 encoded value is a PEM encoded value, not DER. The byte[] (and Span, for that matter) don't accept a byte interpretation of PEM. This is an unfortunate inconsistency, but on Windows I believe it will work, whereas on macOS and Linux it will not.

I don't quite see why you are trying to load a base64-encoded value for a PEM, which already contains a base64 encoded X.509 certificate. The easiest thing to do is to make sure the certificate contents that are DER (The ones that start with MII) are passed to Convert.FromBase64String.

If you really need it to work, you can do something like this:

byte[] data = Convert.FromBase64String("LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0...etc");
string s = Encoding.UTF8.GetString(data);
using X509Certificate2 cert = X509Certificate2.CreateFromPem(s);
Console.WriteLine(cert.Thumbprint);
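
An added example, not part of the original thread or of the dotnet/runtime code: it loads the same certificate from base64 DER ("MII..."), PEM text, and base64-wrapped PEM ("LS0t..."), and checks that all three give the same thumbprint on any OS. The LoadCertificate helper and the self-signed sample certificate are assumptions made for illustration; it assumes .NET 7 or later for ExportCertificatePem.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Constructed sample input: a throwaway self-signed certificate generated in memory.
using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var request = new CertificateRequest("CN=constructed-sample", key, HashAlgorithmName.SHA256);
using X509Certificate2 sample = request.CreateSelfSigned(
    DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));

// The three encodings of the same certificate that the thread distinguishes.
string derBase64 = Convert.ToBase64String(sample.RawData);       // starts with "MII"
string pemText = sample.ExportCertificatePem();                  // -----BEGIN CERTIFICATE-----
string pemBase64 = Convert.ToBase64String(Encoding.ASCII.GetBytes(pemText)); // starts with "LS0t"

foreach (string input in new[] { derBase64, pemText, pemBase64 })
{
    using X509Certificate2 cert = LoadCertificate(input);
    bool same = cert.Thumbprint == sample.Thumbprint;
    Console.WriteLine($"{input[..4]}... -> {cert.Thumbprint} (matches sample: {same})");
}

// Hypothetical helper (not a .NET API): decides which encoding it was given
// instead of relying on platform-specific behaviour of the byte[] constructor.
static X509Certificate2 LoadCertificate(string value)
{
    const string PemHeader = "-----BEGIN CERTIFICATE-----";
    value = value.Trim();
    if (value.StartsWith(PemHeader, StringComparison.Ordinal))
        return X509Certificate2.CreateFromPem(value);

    // Throws FormatException if the value is not base64 at all.
    byte[] decoded = Convert.FromBase64String(value);

    // "LS0t" is base64 for "---": the decoded bytes are PEM text, not DER.
    string text = Encoding.ASCII.GetString(decoded).TrimStart();
    if (text.StartsWith(PemHeader, StringComparison.Ordinal))
        return X509Certificate2.CreateFromPem(text);

    // DER begins with the ASN.1 SEQUENCE tag 0x30; reject anything else up front.
    if (decoded.Length == 0 || decoded[0] != 0x30)
        throw new CryptographicException("Input is neither PEM nor DER certificate data.");
    return new X509Certificate2(decoded);
}
```

Logging the first four characters of the configured value ("MII" versus "LS0t") is enough to tell which encoding a deployment is actually receiving without writing the whole certificate to the log.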

@yogesh789
Author

LS0t

Your base64 encoded value is a PEM encoded value, not DER. The byte[] (and Span, for that matter) don't accept a byte interpretation of PEM. This is an unfortunate inconsistency, but on Windows I believe it will work, whereas on macOS and Linux it will not.

I don't quite see why you are trying to load a base64-encoded value for a PEM, which already contains a base64 encoded X.509 certificate. The easiest thing to do is to make sure the certificate contents that are DER (The ones that start with MII) are passed to Convert.FromBase64String.

If you really need it to work, you can do something like this:

byte[] data = Convert.FromBase64String("LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0...etc");
string s = Encoding.UTF8.GetString(data);
using X509Certificate2 cert = X509Certificate2.CreateFromPem(s);
Console.WriteLine(cert.Thumbprint);

Hi vcsjones,

The provided solution worked for us. Thanks for the quick solution. It's appreciated.
