ComponentSpace Forums

Keyset does not exist error on Azure

gianny
Hi ComponentSpace,

The following error has recently started showing up randomly for us in our Azure environment after running the code below in our .NET Core 2.2 application:

var result = await SamlServiceProvider.ReceiveSsoAsync();

Receiving an SSO response from a partner identity provider has failed.
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist
 at ComponentSpace.Saml2.SamlServiceProvider.DecryptSamlAssertionAsync(AssertionListItem assertionListItem)
 at ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)
 at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement)
 at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()


I've been told that it happens randomly. I've looked around on the forums and I see topics mentioning that it may be related to permissions:
https://componentspace.com/Forums/8629/CryptographicException-Keyset-does-not-exist
https://www.componentspace.com/Forums/29/Troubleshooting-Loading-X.509-Certificates

We store our certificates in the database and load them through a custom ICertificateLoader implementation.

return new X509Certificate2(file, password, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);


Our ComponentSpace.Saml2.dll is version 2.0.6, and we recently updated our application to .NET Core 2.2.

On Azure, we run our application in an App Service.

Do you have any suggestions? I believe it has only started happening recently.




ComponentSpace Development
Unfortunately the Windows crypto API, and consequently the .NET Core crypto API, don't provide very helpful error messages.
From the stack trace, I see that the SAML assertion is being decrypted. This is done using the private key associated with the X.509 certificate.
The most likely causes are either the private key is missing or the calling application doesn't have read access to the private key.
Make sure that the permissions are set on the associated private key container.
The following link refers to the private key container and setting permissions on it.
https://www.componentspace.com/Forums/29/Troubleshooting-Loading-X.509-Certificates
Is the X509Certificate2 constructor code you supplied how you're loading the certificate?
If the certificates are in a database, are you copying them to the file system?



Regards
ComponentSpace Development
gianny
ComponentSpace - 6/3/2019 (quoted above)

Yes, the constructor code is how we load the certificate.

In our custom ICertificateLoader implementation, we override LoadCertificateFromFileAsync


// ComponentSpace asks the loader for the certificate named in the SAML
// configuration; the two names below are the ones our configuration uses,
// and each is resolved from the database rather than from disk.
Task<X509Certificate2> ICertificateLoader.LoadCertificateFromFileAsync(string certificateFile, string certificatePassword)
{
    // Partner IdP certificate: public key only, so no password.
    if (certificateFile.Equals("idp.cer", StringComparison.InvariantCultureIgnoreCase))
    {
        var samlKey = SamlKeyService.GetSamlKey();

        var certificate = LoadCertificate(samlKey.PublicKey, null);

        return Task.FromResult(certificate);
    }

    // Our own SP certificate: PFX bytes plus an encrypted passphrase stored alongside them.
    if (certificateFile.Equals("sp.pfx", StringComparison.InvariantCultureIgnoreCase))
    {
        var samlConfiguration = SamlConfigurationService.GetSamlConfiguration();

        if (samlConfiguration?.PrivateKey != null &&
            !string.IsNullOrEmpty(samlConfiguration?.PrivateKeyPassphrase))
        {
            var privateKeyPassphrase = DecryptPassphrase(samlConfiguration.PrivateKeyPassphrase);

            var certificate = LoadCertificate(samlConfiguration.PrivateKey, privateKeyPassphrase);

            return Task.FromResult(certificate);
        }
    }

    throw new ArgumentException($"Could not load unexpected certificate file {certificateFile}");
}

// "file" here is the raw certificate/PFX bytes read from the database, not a path.
// The private key is imported into the machine key store and persisted there.
private X509Certificate2 LoadCertificate(byte[] file, string password)
{
    return new X509Certificate2(file, password, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
}


We also have an AbstractSamlConfigurationResolver implementation, where we override GetLocalServiceProviderConfigurationAsync, GetPartnerIdentityProviderConfigurationAsync and GetPartnerIdentityProviderNamesAsync, because we get our certificates from the database.

Since we are just deploying on Azure App Services, are we able to set permissions on the private key container?

ComponentSpace Development
Sorry, the "file" parameter threw me. I thought you were somehow loading a file rather than a byte[].
I'll do some experimenting with deployment as an app service to see if I can reproduce the issue.


Regards
ComponentSpace Development
ComponentSpace Development
I haven't been able to reproduce the issue. Perhaps you could create a small test app that simply loads the certificate and uses the private key in an attempt to reproduce the issue more consistently. Let me know what you find.

Regards
ComponentSpace Development
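The small test app suggested in the reply above, as an added example that is not part of this thread and not ComponentSpace code. It loads a PFX from a byte[] the way the custom ICertificateLoader posted earlier does, but with the X509KeyStorageFlags parameterised, and then performs an RSA decrypt with the loaded private key, which is the operation behind DecryptSamlAssertionAsync. A "Keyset does not exist" failure therefore shows up at load time, per flag set, instead of intermittently at the first SSO. The self-signed certificate, its password and the probe string are constructed test input standing in for the blob read from the database; KeysetCheck, MakeTestPfx and TryUsePrivateKey are names chosen here, not library APIs.

```csharp
// Added diagnostic, not ComponentSpace code. Loads a PFX from bytes with a
// chosen set of X509KeyStorageFlags and then actually uses the private key.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class KeysetCheck
{
    // Constructed test input: a throwaway self-signed certificate exported as a
    // password-protected PFX, standing in for the blob the app keeps in its database.
    public static byte[] MakeTestPfx(string password)
    {
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=keyset-check", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                                   DateTimeOffset.UtcNow.AddDays(1)))
            {
                return cert.Export(X509ContentType.Pfx, password);
            }
        }
    }

    // Loads the PFX the way the thread's LoadCertificate does, then runs an
    // RSA-OAEP encrypt/decrypt round trip so the private key is exercised now
    // rather than when the first encrypted assertion arrives.
    public static bool TryUsePrivateKey(byte[] pfx, string password,
                                        X509KeyStorageFlags flags, out string detail)
    {
        try
        {
            using (var cert = new X509Certificate2(pfx, password, flags))
            {
                if (!cert.HasPrivateKey)
                {
                    detail = "loaded, but HasPrivateKey is false (PFX without a private key?)";
                    return false;
                }

                var plaintext = Encoding.UTF8.GetBytes("keyset probe");
                using (var pub = cert.GetRSAPublicKey())
                using (var priv = cert.GetRSAPrivateKey())
                {
                    var ciphertext = pub.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA1);
                    // This call is the one that opens the key container.
                    var recovered = priv.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA1);
                    var ok = Convert.ToBase64String(recovered) == Convert.ToBase64String(plaintext);
                    detail = ok ? $"private key usable (thumbprint {cert.Thumbprint})"
                                : "decrypt returned the wrong plaintext";
                    return ok;
                }
            }
        }
        catch (CryptographicException ex)
        {
            // On Windows "Keyset does not exist" is NTE_BAD_KEYSET (typically 0x80090016)
            // surfaced as a CryptographicException; a bad PFX password lands here too.
            detail = $"{ex.GetType().Name}: {ex.Message} (HResult 0x{ex.HResult:X8})";
            return false;
        }
    }

    public static void Main()
    {
        const string password = "probe-password"; // constructed, not a real secret
        var pfx = MakeTestPfx(password);

        var candidates = new (string Name, X509KeyStorageFlags Flags)[]
        {
            // The flags used in this thread: container in the machine store, left in place.
            ("Exportable|MachineKeySet|PersistKeySet",
                X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet
                                               | X509KeyStorageFlags.PersistKeySet),
            // Machine store, container removed when the X509Certificate2 is disposed.
            ("MachineKeySet", X509KeyStorageFlags.MachineKeySet),
            // .NET Core 2.0+, Windows: no key container is written, so there is
            // no container to set permissions on.
            ("EphemeralKeySet", X509KeyStorageFlags.EphemeralKeySet),
        };

        foreach (var c in candidates)
        {
            var ok = TryUsePrivateKey(pfx, password, c.Flags, out var detail);
            Console.WriteLine($"{(ok ? "OK  " : "FAIL")} {c.Name}: {detail}");
        }
    }
}
```

Run it on the App Service worker itself (for example behind a throwaway endpoint or as a WebJob), since the key-container behaviour of that sandbox is what is under test; a passing run on a developer machine proves little. Two practitioner notes on the flag sets: EphemeralKeySet keeps the key in memory only, which is fine for in-process RSA work such as assertion decryption but not for keys that must be handed to SChannel/SslStream; and if a user-profile key store is ever involved (DefaultKeySet or UserKeySet), the App Service setting WEBSITE_LOAD_USER_PROFILE=1 is the one to check, whereas MachineKeySet, as used in this thread, does not depend on it.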