
AmazonCloudFrontUrlSigner.GetCannedSignedURL always throw exception #3221

Closed
weilence opened this issue Mar 13, 2024 · 14 comments
Labels
bug This issue is a bug. module/sdk-custom p1 This is a high priority issue queued v4

Comments

@weilence

weilence commented Mar 13, 2024

Describe the bug

Test code:

```csharp
using System.IO;
using ThirdParty.BouncyCastle.OpenSsl;
using Xunit;

[Fact]
public void Test_RSAParameter()
{
    // PKCS#8 PEM as produced by `openssl genrsa` (throwaway test key posted with the issue)
    var reader = new StringReader("""
                                  -----BEGIN PRIVATE KEY-----
                                  MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCa5udYGtrIPUU5
                                  EA0uTAGIc/gPFKqk9rnx6ubTkkEErA6ZiIbG/lj4bSRHendy06qd1X5zuJ4k73oi
                                  SsXKzCOuJHAZA872+iIbFI5axdYH25E3LIzJZu7KHlL08QGsIl9ccx8usuSotsj2
                                  pvb+uswg6kM3sy6Kiqw6e+5GlR4i0CNtt9pOTPb1+5ZQGehx0oeAypV4vGRZIQBm
                                  aCYXo2sBMZI1nNhe6fW7jpNrtki+nh1CKpmxE2TEwfFNh8xCiZ4wCJ4Y8GE3Te9E
                                  8otXM4+15ksIdMzJi7WbtiPsrEc4bxkBD+Hor8bGgFxXAWRRM3ttzLsZrotgEgYO
                                  fu7y0EtXAgMBAAECggEALqqhx8lPYEQVNru/PNNpItLNSL3RKyGpo1hBcjv9moq7
                                  W0XmVM0LwMwgwegDVHSwUhyfm/1ip33+LZaZQB+AIFaZ7u9WytFQtRfcSzyO3o8n
                                  kJe7UnHQPtQj6ecxucohMJj+K/N5L9rhcG2cu+FK3h+1YHJ68wIUIQp1Ho6OJa5W
                                  6/ad/aEPnSH5vd3LmUTSiD/jOtpoSge1axwVoCY4sdK8aTSAld/KexVHb7S5V2m2
                                  IB1tZ+lE+5NyggKbop1ZtqsmJSbpNlHVDuboJMQppK8M/CENetykPe3L8BiIY3zU
                                  J6jylM3dPA+bjlOvylZsWmtAe3ItajftzYSrGXKuAQKBgQDOubkIYSj+O8a5h4Hw
                                  n/YequdduArKe/loKh2987mM2yqyU56XKoJ48GA6X3nZKPy5ZxcQD0maGUtf/6Bk
                                  0rQwq+Tyk2m5fShIhTNoCukjteLClfyw6F2I+3xqMJi7+o0l+t2XB2nFXjTJE8jS
                                  zL9uyDG+w45Q8PBbYhrrnMK9iQKBgQC/0vArSNkdrYf2gpVbGW15rWcCtloDm85l
                                  X1TFIRAh4dVQyonz5ZD5VVl3RYsm0VaH01q6G3pgY8gfVyxPTebm01MC2z5GQk1V
                                  1PWbeIbP4P1+wl1uFb4o9ksGGwhwUvm1JO/7PwmcClvdjvO3tv3rpotJAhJr2vBl
                                  UAp87fBp3wKBgGamxKHLlU6BIlH4Xua8l7tsxAy+meUoIJW/7BrpzqaKIi6A5UxN
                                  GJKzUiVKSbgy6SOrdEFORg8WJl6aEexe0Ikmoj5uQt6PrpQsSHWOjWxlIh/b2KmE
                                  CQY/Uu1sCju106cbZjNbxAL0n6OFhoBemWSKVmFSu/WnXsMR+SosImt5AoGBALXf
                                  UJkpi7low4WFEAj81eBM+WMH89aCDjHtLhltnLcTQMZGEoAtw8OzGY1NYX7fcjR7
                                  vwS/cssbMC4O39MdIHTwHj+SEbxZtqtPq8LJhsBoKNDbhewPL2n1AvL6BIlDEsCe
                                  Ee7cOMc6xxkNJaSlGqEoGd2R2ldqkQzt09PZYV1vAoGABLeRlh3Jw+T34o9xsCM3
                                  N2hU89VWIgvy5Tnz2CekZ7Lw9oL4dACM0LnAs2XG258H1eaVICBkYM/HYPrrTDuf
                                  CKahgTe2mWpYYIuX9FeuEde8/aCFjmx3Ex+QhApPRKh/Sjt/KDYklv/uM8yVwA0Z
                                  i6bFYQM/GnNZd4VnbUZ28ro=
                                  -----END PRIVATE KEY-----
                                  """);
    // The SDK's bundled PemReader is what throws; the same call is made internally by the URL signer
    var pemReader = new PemReader(reader).ReadPrivatekey();
}
```


Expected Behavior

No exception.

Current Behavior

Throws an exception:

```
System.Exception: Unknown primitive tag
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.CreatePrimitiveDerObject(Int32 tagNo, Byte[] bytes)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.BuildObject(Int32 tag, Int32 tagNo, Int32 length)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.ReadObject()
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.BuildEncodableVector()
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.BuildDerEncodableVector(Stream dIn)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.CreateDerSequence(Stream dIn)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.BuildObject(Int32 tag, Int32 tagNo, Int32 length)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.ReadObject()
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.BuildEncodableVector()
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.BuildDerEncodableVector(Stream dIn)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.CreateDerSequence(Stream dIn)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.BuildObject(Int32 tag, Int32 tagNo, Int32 length)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.ReadObject()
   at ThirdParty.BouncyCastle.Asn1.Asn1Object.FromByteArray(Byte[] data)
   at ThirdParty.BouncyCastle.OpenSsl.PemReader.ReadPrivatekey()
   at Server.Api.Tests.Services.AmazonServiceTest.Test_RSAParameter()
```

Reproduction Steps

Run the test code in xUnit.
PemReader is ThirdParty.BouncyCastle.OpenSsl.PemReader.

Possible Solution

If I use Org.BouncyCastle.OpenSsl.PemReader (BouncyCastle.Cryptography 2.21), it does work.

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

AWSSDK.CloudFront version is 3.7.301.50

Targeted .NET Platform

.Net 8

Operating System and version

Windows 11

@weilence weilence added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 13, 2024
@weilence weilence changed the title AmazonCloudFrontUrlSigner.GetCannedSignedURL always exception AmazonCloudFrontUrlSigner.GetCannedSignedURL always throw exception Mar 13, 2024
@ashishdhingra
Contributor

@weilence Good morning. The above code snippet/screenshot that you shared in the issue description does not demonstrate the issue in AmazonCloudFrontUrlSigner. Instead, it shows an exception thrown by the 3rd-party dependency BouncyCastle.
Could you please share:

  • Are you demonstrating an issue with one of the internal methods, ConvertPEMToRSAParameters, which makes use of the BouncyCastle API and ultimately fails?
    • Kindly share minimal reproducible end-to-end code (not a screenshot) that demonstrates the issue with AmazonCloudFrontUrlSigner.
  • Was this working with any earlier version of the AWSSDK.CloudFront package?
  • The list of NuGet packages used in the project.

Thanks,
Ashish

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. module/sdk-custom and removed needs-triage This issue or PR still needs to be triaged. labels Mar 13, 2024
@weilence
Author

@ashishdhingra

> Was this working with any earlier version of AWSSDK.CloudFront package?

I don't know, this is my first time using this SDK, and I only tested versions 3.7.301.18 and 3.7.301.50.

NuGet:
AWSSDK.CloudFront 3.7.301.50

```csharp
using System;
using System.IO;
using Amazon.CloudFront;

// PKCS#8 PEM as produced by `openssl genrsa` (throwaway test key posted with the issue)
var reader = new StringReader("""
                              -----BEGIN PRIVATE KEY-----
                              MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCa5udYGtrIPUU5
                              EA0uTAGIc/gPFKqk9rnx6ubTkkEErA6ZiIbG/lj4bSRHendy06qd1X5zuJ4k73oi
                              SsXKzCOuJHAZA872+iIbFI5axdYH25E3LIzJZu7KHlL08QGsIl9ccx8usuSotsj2
                              pvb+uswg6kM3sy6Kiqw6e+5GlR4i0CNtt9pOTPb1+5ZQGehx0oeAypV4vGRZIQBm
                              aCYXo2sBMZI1nNhe6fW7jpNrtki+nh1CKpmxE2TEwfFNh8xCiZ4wCJ4Y8GE3Te9E
                              8otXM4+15ksIdMzJi7WbtiPsrEc4bxkBD+Hor8bGgFxXAWRRM3ttzLsZrotgEgYO
                              fu7y0EtXAgMBAAECggEALqqhx8lPYEQVNru/PNNpItLNSL3RKyGpo1hBcjv9moq7
                              W0XmVM0LwMwgwegDVHSwUhyfm/1ip33+LZaZQB+AIFaZ7u9WytFQtRfcSzyO3o8n
                              kJe7UnHQPtQj6ecxucohMJj+K/N5L9rhcG2cu+FK3h+1YHJ68wIUIQp1Ho6OJa5W
                              6/ad/aEPnSH5vd3LmUTSiD/jOtpoSge1axwVoCY4sdK8aTSAld/KexVHb7S5V2m2
                              IB1tZ+lE+5NyggKbop1ZtqsmJSbpNlHVDuboJMQppK8M/CENetykPe3L8BiIY3zU
                              J6jylM3dPA+bjlOvylZsWmtAe3ItajftzYSrGXKuAQKBgQDOubkIYSj+O8a5h4Hw
                              n/YequdduArKe/loKh2987mM2yqyU56XKoJ48GA6X3nZKPy5ZxcQD0maGUtf/6Bk
                              0rQwq+Tyk2m5fShIhTNoCukjteLClfyw6F2I+3xqMJi7+o0l+t2XB2nFXjTJE8jS
                              zL9uyDG+w45Q8PBbYhrrnMK9iQKBgQC/0vArSNkdrYf2gpVbGW15rWcCtloDm85l
                              X1TFIRAh4dVQyonz5ZD5VVl3RYsm0VaH01q6G3pgY8gfVyxPTebm01MC2z5GQk1V
                              1PWbeIbP4P1+wl1uFb4o9ksGGwhwUvm1JO/7PwmcClvdjvO3tv3rpotJAhJr2vBl
                              UAp87fBp3wKBgGamxKHLlU6BIlH4Xua8l7tsxAy+meUoIJW/7BrpzqaKIi6A5UxN
                              GJKzUiVKSbgy6SOrdEFORg8WJl6aEexe0Ikmoj5uQt6PrpQsSHWOjWxlIh/b2KmE
                              CQY/Uu1sCju106cbZjNbxAL0n6OFhoBemWSKVmFSu/WnXsMR+SosImt5AoGBALXf
                              UJkpi7low4WFEAj81eBM+WMH89aCDjHtLhltnLcTQMZGEoAtw8OzGY1NYX7fcjR7
                              vwS/cssbMC4O39MdIHTwHj+SEbxZtqtPq8LJhsBoKNDbhewPL2n1AvL6BIlDEsCe
                              Ee7cOMc6xxkNJaSlGqEoGd2R2ldqkQzt09PZYV1vAoGABLeRlh3Jw+T34o9xsCM3
                              N2hU89VWIgvy5Tnz2CekZ7Lw9oL4dACM0LnAs2XG258H1eaVICBkYM/HYPrrTDuf
                              CKahgTe2mWpYYIuX9FeuEde8/aCFjmx3Ex+QhApPRKh/Sjt/KDYklv/uM8yVwA0Z
                              i6bFYQM/GnNZd4VnbUZ28ro=
                              -----END PRIVATE KEY-----
                              """);

// End-to-end call into the signer; it reads the private key through the bundled PemReader and throws
AmazonCloudFrontUrlSigner.GetCannedSignedURL("http://example.com", reader, "keyPairId", DateTime.Now);
```

The private key was generated by `openssl genrsa -out private_key.pem 2048`.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Mar 15, 2024
@dscpinheiro
Contributor

What version of openssl are you using? I see the same exception on OpenSSL 3 but not on 1.x, so my guess is that our PemReader is not handling the new version correctly.

We'd need to update the BouncyCastle version included in the SDK (which has been around since v1 - years before OpenSSL 3 was released).

@weilence
Author

@dscpinheiro The version of OpenSSL I'm using is 3.2.1.

@weilence
Author

@dscpinheiro So... when will the BouncyCastle version be updated?

@ashishdhingra ashishdhingra added needs-review p1 This is a high priority issue queued and removed needs-review labels Mar 28, 2024
@cryptogrounds

Any updates on this?

@peterrsongg peterrsongg added the v4 label Jul 1, 2024
@m0nzderr

+1

@m0nzderr

Is there a way to bypass the BouncyCastle implementation, providing the RSA object directly?

@iongion

iongion commented Jul 16, 2024

Was anyone able to find a solution for this? I am unable to create signed URLs. I tried replacing BouncyCastle with Portable.BouncyCastle, to no avail.

@dscpinheiro
Contributor

We're planning to fix this in the next major version release of the SDK (being tracked in #3362). Our solution will be to move the CloudFront signer functionality to a new package (which will reference the BouncyCastle NuGet package directly - instead of relying on the outdated source version as we do today).

I can't commit to a date, but we are working on it and will update the issue I mentioned earlier as soon as the new package is available.

@peterrsongg
Contributor

peterrsongg commented Aug 28, 2024

We ended up separating the CloudFront signers into their own extension package, which we just released in preview: 4.0.0-preview.2.

I added a unit test for this specific case, which passed, but you should give it a try and see if it addresses your use case.

@peterrsongg
Contributor

peterrsongg commented Sep 5, 2024

Closing this off as we have released a fix for this in the preview version I listed above. Feel free to re-open if there are any additional issues. Feel free to track v4 progress here: #3362


github-actions bot commented Sep 5, 2024

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@ferminolr

ferminolr commented Dec 5, 2024

Hi,
Following the guide at this URL:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html
the generated private key did not work for me.
The solution is to add the -traditional parameter when creating the key, so it looks like this:
openssl genrsa -out private_key.pem -traditional 2048
Then it works correctly in C#.
If you already have a generated private key, you can convert it to the correct format using:
openssl rsa -in private_key.pem -out private_key_traditional.pem -traditional
The step of generating the public key worked correctly for me, and the generated URLs work correctly.
I use Ubuntu in WSL, with
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
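The -traditional workaround above comes down to the PEM container: OpenSSL 3's genrsa writes a PKCS#8 PrivateKeyInfo (BEGIN PRIVATE KEY), while -traditional writes the bare PKCS#1 RSAPrivateKey (BEGIN RSA PRIVATE KEY) that older readers expect. The following added Python example (not code from the issue or from the AWS SDK) detects which container a PEM holds before it is handed to the signer and unwraps an rsaEncryption PKCS#8 key into the traditional form, the same transformation `openssl rsa -traditional` performs; it uses a constructed toy key with placeholder integers rather than a real one.

```python
import base64, re
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption) as a DER TLV

def der(tag, content):  # encode one definite-length DER TLV (content up to 65535 bytes)
    n = len(content)
    hdr = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + hdr + content

def der_int(v):
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # extra room keeps the sign bit clear
def read_tlv(buf, pos):
    """Return (tag, content, position after the TLV) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the next (ln & 0x7F) bytes hold the length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def pem_encode(label, body):
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"
def pem_decode(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def classify(pem):
    """'pkcs8' for a PrivateKeyInfo wrapper (OpenSSL 3 default), 'pkcs1' for a bare RSAPrivateKey."""
    label, body = pem_decode(pem)
    _, seq, _ = read_tlv(body, 0)    # outer SEQUENCE
    _, _, pos = read_tlv(seq, 0)     # version INTEGER
    tag, _, _ = read_tlv(seq, pos)   # PKCS#8: AlgorithmIdentifier SEQUENCE; PKCS#1: modulus INTEGER
    return "pkcs8" if label == "PRIVATE KEY" and tag == 0x30 else "pkcs1"

def pkcs8_to_pkcs1(pem):
    # Unwrap an rsaEncryption PrivateKeyInfo into the traditional RSAPrivateKey PEM; PKCS#1 input is returned as-is
    if classify(pem) == "pkcs1":
        return pem
    _, body = pem_decode(pem)
    _, seq, _ = read_tlv(body, 0)
    _, _, pos = read_tlv(seq, 0)        # skip version
    _, alg, pos = read_tlv(seq, pos)    # AlgorithmIdentifier { OID, NULL }
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key; no RSAPrivateKey to unwrap")
    _, rsa_der, _ = read_tlv(seq, pos)  # OCTET STRING carrying the RSAPrivateKey DER
    return pem_encode("RSA PRIVATE KEY", rsa_der)

# Constructed sample: a toy RSAPrivateKey with tiny placeholder integers (not a real key), wrapped as PKCS#8
TOY_RSA = der(0x30, b"".join(der_int(v) for v in [0, 3233, 17, 2753, 61, 53, 1, 49, 38]))
TOY_PKCS8 = pem_encode("PRIVATE KEY", der(0x30, der_int(0) + der(0x30, RSA_OID + b"\x05\x00") + der(0x04, TOY_RSA)))
```

Running `classify` on a key file before calling GetCannedSignedURL turns the opaque "Unknown primitive tag" failure into an explicit format mismatch; for non-RSA PKCS#8 keys the converter refuses rather than emitting a mislabelled PEM.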
