
Certificate upload is broken #468

@DirgoSalga

Description


In the current version of the Secrets Broker it does not seem possible to upload certificates, either directly or by pulling them from Safeguard.

This is the error message we are getting:

025-09-04 07:45:33.240 [E] Failed to import certificate CN=testingA2A 26667A2565F426247A582B15E83268803E27D263 from Safeguard. Failed to add the certificate: ASN1 corrupted data.
OneIdentity.DevOps.Exceptions.DevOpsException: Failed to add the certificate: ASN1 corrupted data.
---> System.Security.Cryptography.CryptographicException: ASN1 corrupted data.
---> System.Formats.Asn1.AsnContentException: The provided data is tagged with 'Universal' class value '16', but it should have been 'Universal' class value '2'.
   at System.Formats.Asn1.AsnDecoder.CheckExpectedTag(Asn1Tag tag, Asn1Tag expectedTag, UniversalTagNumber tagNumber)
   at System.Formats.Asn1.AsnDecoder.GetPrimitiveContentSpan(ReadOnlySpan`1 source, AsnEncodingRules ruleSet, Asn1Tag expectedTag, UniversalTagNumber tagNumber, Int32& bytesConsumed)
   at System.Formats.Asn1.AsnDecoder.GetIntegerContents(ReadOnlySpan`1 source, AsnEncodingRules ruleSet, Asn1Tag expectedTag, UniversalTagNumber tagNumber, Int32& bytesConsumed)
   at System.Formats.Asn1.AsnDecoder.TryReadSignedInteger(ReadOnlySpan`1 source, AsnEncodingRules ruleSet, Int32 sizeLimit, Asn1Tag expectedTag, UniversalTagNumber tagNumber, Int64& value, Int32& bytesConsumed)
   at System.Formats.Asn1.AsnDecoder.TryReadInt32(ReadOnlySpan`1 source, AsnEncodingRules ruleSet, Int32& value, Int32& bytesConsumed, Nullable`1 expectedTag)
   at System.Security.Cryptography.Asn1.Pkcs12.PfxAsn.DecodeCore(AsnValueReader& reader, Asn1Tag expectedTag, ReadOnlyMemory`1 rebind, PfxAsn& decoded)
   at System.Security.Cryptography.Asn1.Pkcs12.PfxAsn.Decode(Asn1Tag expectedTag, ReadOnlyMemory`1 encoded, AsnEncodingRules ruleSet)
   --- End of inner exception stack trace ---
   at System.Security.Cryptography.Asn1.Pkcs12.PfxAsn.Decode(Asn1Tag expectedTag, ReadOnlyMemory`1 encoded, AsnEncodingRules ruleSet)
   at System.Security.Cryptography.X509Certificates.X509CertificateLoader.ReadCertsAndKeys(BagState& bagState, ReadOnlyMemory`1 data, ReadOnlySpan`1& password, Pkcs12LoaderLimits loaderLimits)
   at System.Security.Cryptography.X509Certificates.X509CertificateLoader.LoadPkcs12(ReadOnlyMemory`1 data, ReadOnlySpan`1 password, X509KeyStorageFlags keyStorageFlags, Pkcs12LoaderLimits loaderLimits)
   at System.Security.Cryptography.X509Certificates.X509CertificateLoader.LoadPkcs12(Byte[] data, String password, X509KeyStorageFlags keyStorageFlags, Pkcs12LoaderLimits loaderLimits)
   at OneIdentity.DevOps.Logic.SafeguardLogic.AddTrustedCertificate(String base64CertificateData, String passPhrase) in D:\a\1\s\SafeguardDevOpsService\Logic\SafeguardLogic.cs:line 2306
   --- End of inner exception stack trace ---
   at OneIdentity.DevOps.Logic.SafeguardLogic.AddTrustedCertificate(String base64CertificateData, String passPhrase) in D:\a\1\s\SafeguardDevOpsService\Logic\SafeguardLogic.cs:line 2334
   at OneIdentity.DevOps.Logic.SafeguardLogic.ImportTrustedCertificates(ISafeguardConnection sgConnection) in D:\a\1\s\SafeguardDevOpsService\Logic\SafeguardLogic.cs:line 2393

I think the problem is that we are trying to load the certificate data as PKCS12 encoding, but the certificates are PEM-encoded. It seems to me this is the wrong function for the job.

In the screenshot you see the problematic lines from the latest commit that modified that file.
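Added example, not part of this issue or of the Secrets Broker code: a small Python dispatcher that sniffs whether uploaded data is a PEM/DER certificate or a PKCS#12 container before a loader is chosen, based on the same outer ASN.1 framing the PfxAsn decoder in the traceback tripped over (a Certificate opens SEQUENCE { SEQUENCE ... }, a PFX opens SEQUENCE { INTEGER version ... }). The sample blobs at the end are constructed minimal ASN.1 framing, not real certificates; the real parser still has to validate whatever the sniffer routes to it.

```python
import base64
import re

TAG_INTEGER = 0x02   # Universal 2, primitive
TAG_SEQUENCE = 0x30  # Universal 16, constructed
_PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def _read_tlv_header(buf: bytes, offset: int = 0):
    """Return (tag, content_start, content_end) of the DER element at offset."""
    if offset + 2 > len(buf):
        raise ValueError("truncated ASN.1 element")
    tag, first, pos = buf[offset], buf[offset + 1], offset + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is not expected in X.509/PFX framing")
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length, 1..4 octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated ASN.1 length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("ASN.1 length exceeds buffer")
    return tag, pos, pos + length


def detect_container(data: bytes) -> str:
    """Classify data as 'pem-certificate', 'der-certificate' or 'pkcs12'.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    PFX         ::= SEQUENCE { version INTEGER, ... }
    The first inner tag separates the two; a SEQUENCE where INTEGER is expected is the traceback's error."""
    m = _PEM_RE.search(data)
    if m:
        if m.group(1) != b"CERTIFICATE":
            raise ValueError(f"unexpected PEM label {m.group(1)!r}")
        der, is_pem = base64.b64decode(m.group(2)), True   # b64decode skips newlines
    else:
        der, is_pem = data, False
    outer_tag, start, _ = _read_tlv_header(der)
    if outer_tag != TAG_SEQUENCE:
        raise ValueError("outer element is not a SEQUENCE; neither certificate nor PFX")
    inner_tag, _, _ = _read_tlv_header(der, start)
    if inner_tag == TAG_SEQUENCE:
        return "pem-certificate" if is_pem else "der-certificate"
    if inner_tag == TAG_INTEGER and not is_pem:
        return "pkcs12"
    raise ValueError(f"unrecognised inner tag 0x{inner_tag:02x}")


CERT_LIKE_DER = b"\x30\x04\x30\x02\x05\x00"  # constructed: SEQUENCE { SEQUENCE { NULL } }
PFX_LIKE_DER = b"\x30\x03\x02\x01\x03"       # constructed: SEQUENCE { INTEGER 3 }
CERT_LIKE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(CERT_LIKE_DER) + b"\n-----END CERTIFICATE-----\n"
```

Routing on the result (a certificate loader for the first two labels, a PKCS#12 loader only for the third) avoids handing PEM certificate data to a PFX parser, which is the failure the log above shows.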
