Loading PFX without admin causes CryptographicException #110217
Comments
dotnet-policy-service
bot
added
the
untriaged
|
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones |
|
I am facing the same. Works on .net8 but exception on .net9. Running it with admin mode solves it. |
|
Same issue here. |
|
Same issue here: dotnet/aspnetcore#59300 |
dotnet-policy-service
bot
removed
the
untriaged
|
@krwq Please investigate this. The repro in dotnet/aspnetcore#59300 looks like a good way to get started. |
|
I have a different scenario which is running into trouble with .NET9 and which is failing for potentially the same reason. I understand that ... now is obsolete with .NET9, which is why I replaced it by The certificate itself is used by the Kestrel server: This works fine if the Kestrel server is running on the target (Linux) server. However, for development and debugging purposes I'm running the Kestrel server on my local Windows 11 machine as well where a SSH script reroutes the remote server port to my local machine. Code above only works on my local machine if I'm running Visual Studio as administrator. The local Kestrel server can't be reached if running as non-admin. Can you please confirm/deny that the source of trouble is the same as reports above? |
|
@DierkDroth it's likely related to the same piece of code but IMO failing for different reason - it will be beneficial if you could share steps how to create cert similar to yours. The simple repro for this issue is just this (ASP.NET is not needed): Pkcs12LoaderLimits limits = new Pkcs12LoaderLimits()
{
PreserveStorageProvider = true // true => seeing access denied; false => works
};
X509CertificateLoader.LoadPkcs12(File.ReadAllBytes("cert.pfx"), "1234", loaderLimits: limits);which seems inconsistent with what you're describing. I'd be still interested in seeing steps how to create a cert you're describing. We also noticed that for some reason this didn't repro for everyone. This most likely regressed with: #107005 but it was also fixing another issue so we need to figure out solution which makes this work with both scenarios and most likely your test case as well (and therefore my request to share steps to create your cert). With that PR reverted locally I wasn't able to repro this problem anymore but I've additionally seen some more tests failing locally with |
|
@krwq additional details:
I can't comment on how this regression was introduced to the .NET code, since I'm not part of the .NET9 dev team |
|
@DierkDroth thanks for clarification - when you say it doesn't work on Windows does Kestrel log look normal as if it started correctly but it doesn't let you connect? How did you create a certificate a pfx/PKCS12 you're passing in? |
|
@krwq sorry I'm neither a Kestrel expert nor a certificate expert. I did not notice any Kestrel errors nor logs in VS. The certificate is a PFX format certificate which I loaded as embedded resource to a C# byte array (not sure why that would be relevant though...). |
|
@DierkDroth pfx can be created in multiple ways and format has some slight variations between implementations. Knowing how you created it (i.e. command line) will tell us more what we need to fix. |
|
@krwq I purchased the PFX from a certificate provider. Unfortunately I don't recall the details. |
Description
After upgrading to .Net 9.0 on a API project the following codes throws the error "System.Security.Cryptography.CryptographicException: 'Access denied.'" when not run as Admin. This works fine without admin on .net 8.0.
Reproduction Steps
Expected behavior
Project runs without issue
Actual behavior
Exception thrown: System.Security.Cryptography.CryptographicException: 'Access denied.'
Regression?
Yes, works on .Net 8.0
Known Workarounds
No response
Configuration
.Net 9.0
Windows 11 26100.2314 x64
Other information
No response
The text was updated successfully, but these errors were encountered: