
ServiceAccountCredential fails for non-exportable CryptoAPI key

1. Create a certificate with a non-exportable CryptoAPI key:

```powershell
New-SelfSignedCertificate `
  -KeyUsage DigitalSignature `
  -FriendlyName "Sample CryptoAPI service account key" `
  -Subject "Sample CryptoAPI service account key" `
  -KeyExportPolicy NonExportable `
  -CertStoreLocation "cert:\CurrentUser\My" `
  -Provider "Microsoft Base Cryptographic Provider v1.0" `
  -KeySpec Signature
```

2. Use the key to initialize a ServiceAccountCredential:

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Google.Apis.Auth.OAuth2;

// Service account e-mail address (placeholder; the original snippet takes it as a variable).
string emailAddress = "<service-account-email>";

using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
  store.Open(OpenFlags.ReadOnly);

  // Look up the certificate created in step 1 by its friendly name.
  using (var certificate = store.Certificates
      .Cast<X509Certificate2>()
      .Where(c => c.FriendlyName == "Sample CryptoAPI service account key")
      .FirstOrDefault()
    ?? throw new Exception("Certificate not found"))
  {
    //
    // Initialize a ServiceAccountCredential with the certificate.
    //
    var credential = new ServiceAccountCredential(
      new ServiceAccountCredential.Initializer(emailAddress)
      {
        Scopes = new[] { "https://www.googleapis.com/auth/cloud-platform" }
      }
      .FromCertificate(certificate));
  }
}
```

3. Run the code on .NET Core --> works
4. Run the code on .NET Framework

Expected: Works too

Actual:

Unhandled Exception: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.Utils.ExportCspBlob(SafeKeyHandle hKey, Int32 blobType, ObjectHandleOnStack retBlob)
   at System.Security.Cryptography.Utils.ExportCspBlobHelper(Boolean includePrivateParameters, CspParameters parameters, SafeKeyHandle safeKeyHandle)
   at Google.Apis.Auth.OAuth2.ServiceAccountCredential.Initializer.FromCertificate(X509Certificate2 certificate) in C:\Apiary\2021-03-18.17-02-24\Src\Support\Google.Apis.Auth\OAuth2\ServiceAccountCredential.cs:line 128
   at CryptoApiNetFx.Program.Main(String[] args) in C:\...\Program.cs:line 33

For some reason, FromCertificate tries to export and re-import the key on .NET Framework. It’s marked as a workaround, but I am not sure for what.
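A small diagnostic, added here and not part of the issue or of the Google.Apis library, that loads the step-1 certificate and shows why the export step is the sticking point: it reports the key's provider type and whether the private key is exportable, then performs an RS256 signature through the key handle, which needs no export at all. The friendly name is the one from the repro; the signed bytes are a constructed stand-in for a JWT assertion.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class KeyProbe
{
    // Finds the certificate from step 1 by friendly name (name taken from the issue).
    static X509Certificate2 Load(string friendlyName)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            return store.Certificates.Cast<X509Certificate2>()
                .FirstOrDefault(c => c.FriendlyName == friendlyName)
                ?? throw new InvalidOperationException("Certificate not found");
        }
    }

    // True if the private key can be exported, i.e. if an export-and-reimport
    // path like the one in the stack trace above would succeed for this key.
    static bool IsExportable(RSA rsa)
    {
        try { rsa.ExportParameters(includePrivateParameters: true); return true; }
        catch (CryptographicException) { return false; }
    }
    static void Main()
    {
        using (var cert = Load("Sample CryptoAPI service account key"))
        using (RSA rsa = cert.GetRSAPrivateKey()) // CSP or CNG handle; nothing is exported
        {
            // RSACryptoServiceProvider means a CryptoAPI key, RSACng a CNG key.
            Console.WriteLine($"Key type:   {rsa.GetType().Name}");
            Console.WriteLine($"Exportable: {IsExportable(rsa)}");
            // RS256 (SHA-256, PKCS#1 v1.5) is what a service-account JWT assertion uses.
            // Signing through the handle needs no export; a legacy CSP without SHA-256
            // support throws CryptographicException here for an unrelated reason.
            byte[] data = Encoding.ASCII.GetBytes("header.payload"); // constructed JWT stand-in
            try
            {
                byte[] sig = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                bool ok = rsa.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                Console.WriteLine($"RS256 via key handle: {(ok ? "OK" : "verify failed")}");
            }
            catch (CryptographicException e) { Console.WriteLine($"RS256 failed: {e.Message}"); }
        }
    }
}
```

For the NonExportable key from step 1, `Exportable` prints `False` while the signature path still has a working key handle, which is the distinction the export-and-reimport workaround in the trace ignores.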

Top GitHub Comments

amanda-tarafa commented, Jun 15, 2021

FYI: This has been released on the v1.52.0 of the Google.Apis libraries.

jpassing commented, Jun 14, 2021

I agree with your analysis and would expect that a 4.6.1 target should let us fix both issues.
