Forums, Documentation & Knowledge Base - ComponentSpace

Certificate error when running in Docker container


https://componentspace.com/forums/Topic9891.aspx

By andreasn - 4/2/2019

We are trying out your SAML component for .Net Core and we get this exception when loading the certificate.

It works fine when running the code on a Windows developer machine, but in a Docker container (running Linux) it throws this exception.

The certificate is read from the database as a byte array and converted into a Base64 string.

Do you know a solution to this problem?

Is it possible to pass a byte array certificate or X509Certificate2 instance into IdP configuration?

Exception:

The X.509 certificate could not be loaded from the string. - error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

at ComponentSpace.Saml2.Certificates.CertificateLoader.LoadCertificateFromStringAsync(String certificateString, String certificatePassword)
 at ComponentSpace.Saml2.Certificates.AbstractCachedCertificateLoader.LoadCertificateFromStringAsync(String certificateString, String certificatePassword)
 at ComponentSpace.Saml2.Certificates.CertificateManager.LoadCertificatesAsync(IList`1 certificates, CertificateUse certificateUse)
 at ComponentSpace.Saml2.Certificates.CertificateManager.GetPartnerIdentityProviderSignatureCertificatesAsync(String configurationID, String partnerIdentityProviderName)
 at ComponentSpace.Saml2.SamlServiceProvider.GetPartnerProviderSignatureCertificatesAsync(Boolean precondition)
 at ComponentSpace.Saml2.SamlServiceProvider.VerifySamlAssertionSignatureAsync(AssertionListItem assertionListItem)
 at ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)
 at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement)
 at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()

--- Inner exception stack trace ---
 at Internal.Cryptography.Pal.CertificatePal.FromBlob(Byte[] rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
 at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
 at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
 at ComponentSpace.Saml2.Certificates.CertificateLoader.LoadCertificateFromStringAsync(String certificateString, String certificatePassword)

By ComponentSpace - 7/15/2022

Hi Jagath,

The ICertificateLoader.LoadCertificateFromBytesAsync calls:

new X509Certificate2(certificateBytes, certificatePassword, x509KeyStorageFlags);

Do you get the same issue if you use the X509Certificate2 constructor directly rather than calling through our interface?

This is the same as the BouncyCastle code (i.e. the same X509Certificate2 constructor being called) except for the way the bytes are being loaded from the file.

I suggest saving the signingCertificate.CopyTo bytes to a file and comparing this with the contents of the original uploaded file to see whether there are any differences.
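Putting the reply's suggestion into code, as an added example that is not ComponentSpace's own: a small .NET console diagnostic that classifies the bytes read from the database, compares them byte for byte with the originally uploaded file, and then calls the same X509Certificate2 constructor the library uses. The class name, the command-line arguments and the file path are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical helper (not part of ComponentSpace): inspects certificate bytes
// before they reach the X509Certificate2 constructor.
public static class CertificateBytesCheck
{
    // DER (an X.509 certificate or a PKCS#12 file) starts with an ASN.1 SEQUENCE
    // tag (0x30); PEM and Base64 are ASCII text. OpenSSL reports a "nested asn1
    // error" when the bytes are not a well-formed DER structure, e.g. a Base64
    // string that was stored already encoded and then decoded one time too few.
    public static string Describe(byte[] bytes)
    {
        if (bytes == null || bytes.Length == 0) return "empty";
        if (bytes[0] == 0x30) return "DER (ASN.1 SEQUENCE: X.509 or PKCS#12)";
        string head = Encoding.ASCII.GetString(bytes, 0, Math.Min(bytes.Length, 32));
        if (head.StartsWith("-----BEGIN")) return "PEM text";
        try { Convert.FromBase64String(Encoding.ASCII.GetString(bytes)); return "Base64 text (still encoded)"; }
        catch (FormatException) { return $"unknown (first byte 0x{bytes[0]:X2})"; }
    }

    // The reply's check: compare the round-tripped bytes with the uploaded file.
    public static string Compare(byte[] fromDatabase, string uploadedPath)
    {
        byte[] original = File.ReadAllBytes(uploadedPath);
        if (fromDatabase.Length != original.Length)
            return $"length differs: db={fromDatabase.Length}, file={original.Length}";
        for (int i = 0; i < original.Length; i++)
            if (fromDatabase[i] != original[i])
                return $"first difference at offset {i}: db=0x{fromDatabase[i]:X2}, file=0x{original[i]:X2}";
        using var sha = SHA256.Create();
        return "identical, SHA-256 " + BitConverter.ToString(sha.ComputeHash(original)).Replace("-", "");
    }

    // Same constructor the loader calls; a failure here points at the bytes, not the library.
    public static X509Certificate2 Load(byte[] bytes, string password)
    {
        try { return new X509Certificate2(bytes, password, X509KeyStorageFlags.DefaultKeySet); }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"load failed: {ex.Message}; bytes look like: {Describe(bytes)}");
            throw;
        }
    }

    // Usage: <Base64 string from the DB> <path of uploaded .cer/.pfx> [password]
    public static void Main(string[] args)
    {
        byte[] fromDb = Convert.FromBase64String(args[0]);
        Console.WriteLine(Describe(fromDb));
        Console.WriteLine(Compare(fromDb, args[1]));
        Console.WriteLine(Load(fromDb, args.Length > 2 ? args[2] : null).Thumbprint);
    }
}
```

Run it inside the Linux container as well as on the Windows machine; if Describe reports text rather than DER, the database column or the Base64 conversion step is where the bytes changed.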