Description
Hi, dear .NET developers!
I've made an ASP.NET web application, using dotnet 6.0.100-preview.5.21302.13.
This was an Angular template app with Authentication, so it has an IdentityServer under the hood.
After publishing, I got stuck on a strange issue with the certificate: when running on Windows, everything works fine, but when I tried to launch it on a Linux VPS, I got this error:
The certificate data cannot be read with the provided password, the password may be incorrect.
---> System.Security.Cryptography.CryptographicException: The certificate data cannot be read with the provided password, the password may be incorrect.
I know about this issue: #44535, but the workaround provided there does not seem to fit my case :(
The certificate was generated using these commands:
```
$ sudo openssl req -x509 -newkey rsa:4096 -keyout ts.key -out ts.crt -days 3650 -nodes -subj "/CN=mysite.com"
$ openssl pkcs12 -export -out ts.pfx -inkey ts.key -in ts.crt -name "mysite.com"
```
And it is loaded using this code:
```csharp
var certBytes = File.ReadAllBytes(Configuration["CertPath"]);
string password = Configuration["CertPassword"];
X509Certificate2 cert = new X509Certificate2(certBytes, password);
services.AddIdentityServer()
    .AddSigningCredential(cert)
    .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();
```
My specs:
.NET version: dotnet 6.0.100-preview.5.21302.13
OS: Windows 10 (works fine), Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-71-generic x86_64) (gives the following issue)
Publish type: Self-Contained, linux-x64, Release
Full stack trace:
The certificate data cannot be read with the provided password, the password may be incorrect.
---> System.Security.Cryptography.CryptographicException: The certificate data cannot be read with the provided password, the password may be incorrect.
at Internal.Cryptography.Pal.UnixPkcs12Reader.VerifyAndDecrypt(ReadOnlySpan`1 password, ReadOnlyMemory`1 authSafeContents) in System.Security.Cryptography.X509Certificates.dll:token 0x6000315+0x90
at Internal.Cryptography.Pal.UnixPkcs12Reader.Decrypt(SafePasswordHandle password) in System.Security.Cryptography.X509Certificates.dll:token 0x6000314+0x39
--- End of inner exception stack trace ---
at Internal.Cryptography.Pal.UnixPkcs12Reader.Decrypt(SafePasswordHandle password) in System.Security.Cryptography.X509Certificates.dll:token 0x6000314+0xa9
at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(OpenSslPkcs12Reader pfx, SafePasswordHandle password, Boolean single, ICertificatePal& readPal, List`1& readCerts) in System.Security.Cryptography.X509Certificates.dll:token 0x6000288+0x0
at Internal.Cryptography.Pal.PkcsFormatReader.TryReadPkcs12(ReadOnlySpan`1 rawData, SafePasswordHandle password, Boolean single, ICertificatePal& readPal, List`1& readCerts, Exception& openSslException) in System.Security.Cryptography.X509Certificates.dll:token 0x6000287+0x17
at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromBlob(ReadOnlySpan`1 rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags) in System.Security.Cryptography.X509Certificates.dll:token 0x60001d9+0x28
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(ReadOnlySpan`1 data) in System.Security.Cryptography.X509Certificates.dll:token 0x6000419+0x2c
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData) in System.Security.Cryptography.X509Certificates.dll:token 0x6000461+0x0
at TeeSender.Startup.ConfigureServices(IServiceCollection services) in G:\repos\TeeSender\TeeSender\Startup.cs:line 59
at System.RuntimeMethodHandle.InvokeMethod(Object target, Span`1& arguments, Signature sig, Boolean constructor, Boolean wrapExceptions)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) in System.Private.CoreLib.dll:token 0x6004d1e+0x23
at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.InvokeCore(Object instance, IServiceCollection services) in Microsoft.AspNetCore.Hosting.dll:token 0x60000e4+0x6b
at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass9_0.<Invoke>g__Startup|0(IServiceCollection serviceCollection) in Microsoft.AspNetCore.Hosting.dll:token 0x6000230+0x0
at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.Invoke(Object instance, IServiceCollection services) in Microsoft.AspNetCore.Hosting.dll:token 0x60000e3+0x26
at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass8_0.<Build>b__0(IServiceCollection services) in Microsoft.AspNetCore.Hosting.dll:token 0x600022e+0x0
at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.UseStartup(Type startupType, HostBuilderContext context, IServiceCollection services, Object instance) in Microsoft.AspNetCore.Hosting.dll:token 0x600009b+0xb7
at Microsoft.AspNetCore.Hosting.GenericWebHostBuilder.<>c__DisplayClass13_0.<UseStartup>b__0(HostBuilderContext context, IServiceCollection services) in Microsoft.AspNetCore.Hosting.dll:token 0x600020e+0x13
at Microsoft.Extensions.Hosting.HostBuilder.CreateServiceProvider() in Microsoft.Extensions.Hosting.dll:token 0x600002b+0xbc
at Microsoft.Extensions.Hosting.HostBuilder.Build() in Microsoft.Extensions.Hosting.dll:token 0x6000025+0x32
at MySite.Program.Main(String[] args) in G:\repos\MySite\MySite\Program.cs:line 16
Aborted
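
A host-side check of the PFX and password pair from the report above, run with OpenSSL so the result does not depend on the .NET PKCS#12 reader; this is an added example, not part of the original post or of .NET. The function names, the `example.test` subject, the sample password and the 2048-bit key size are assumptions made for the sample.

```shell
#!/bin/sh
# Added example: test a PFX/password pair with OpenSSL, independent of .NET.
# Function names and sample values are constructed for illustration.

# Exit status 0 if the PKCS#12 MAC verifies with the given password.
# The password travels via the environment (env:), not argv, so it does
# not appear in the process list.
pfx_password_ok() {
    PFX_PASS="$2" openssl pkcs12 -in "$1" -noout -passin env:PFX_PASS \
        >/dev/null 2>&1
}

# Prints one of: ok, missing-file, empty-password, wrong-password-or-corrupt.
diagnose_pfx() {
    if [ ! -s "$1" ]; then
        echo "missing-file"                 # path wrong or file empty
    elif pfx_password_ok "$1" "$2"; then
        echo "ok"                           # file and password match
    elif [ -z "$2" ]; then
        echo "empty-password"               # password value never arrived
    else
        echo "wrong-password-or-corrupt"    # mismatch or damaged file
    fi
}

# Builds a throwaway self-signed cert and exports it as a PFX
# (constructed sample data written to directory $1, password $2).
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -keyout "$1/sample.key" \
        -out "$1/sample.crt" -days 1 -nodes -subj "/CN=example.test" \
        >/dev/null 2>&1 || return 1
    PFX_PASS="$2" openssl pkcs12 -export -out "$1/sample.pfx" \
        -inkey "$1/sample.key" -in "$1/sample.crt" \
        -name "example.test" -passout env:PFX_PASS >/dev/null 2>&1
}

# Demo on constructed data: right password, then an empty one.
demo_dir="$(mktemp -d)"
make_sample_pfx "$demo_dir" 'S3cret-sample'
diagnose_pfx "$demo_dir/sample.pfx" 'S3cret-sample'
diagnose_pfx "$demo_dir/sample.pfx" ''
rm -rf "$demo_dir"
```

On the failing host, call `diagnose_pfx` with the deployed file and the password value the application actually receives from configuration.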