Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

[BUG] Failed to download PEM certificate from azure.keyvault with failure "The provided key does not match the public key for this certificate" #44596

Open cdlliuy opened 2 months ago

cdlliuy commented 2 months ago

Library name and version

Azure.Security.KeyVault.Certificates 4.6.0; Azure.Core 1.40.0; Azure.Identity 1.11.4

Describe the bug

When using CertificateClient to download certificates with client.DownloadCertificateAsync(certname) for a PEM-format cert in Azure Key Vault, I got this exception:

```text
System.Reflection.TargetInvocationException
  HResult=0x80131604
  Message=Exception has been thrown by the target of an invocation.
  Source=System.Private.CoreLib
  StackTrace:
   at System.Reflection.MethodBaseInvoker.InvokeWithFewArgs(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Reflection.MethodBase.Invoke(Object obj, Object[] parameters)
   at Azure.Core.PemReader.CreateRsaCertificate(Byte[] cer, Byte[] key, X509KeyStorageFlags keyStorageFlags)
   at Azure.Core.PemReader.LoadCertificate(ReadOnlySpan`1 data, Byte[] cer, KeyType keyType, Boolean allowCertificateOnly, X509KeyStorageFlags keyStorageFlags)
   at Azure.Security.KeyVault.Certificates.CertificateClient.<DownloadCertificateAsync>d__19.MoveNext()
   at Azure.Security.KeyVault.Certificates.CertificateClient.<DownloadCertificateAsync>d__18.MoveNext()
   ...

  This exception was originally thrown at this call stack:
    [External Code]

Inner Exception 1:
ArgumentException: The provided key does not match the public key for this certificate. (Parameter 'privateKey')
```

The cert itself is automatically generated by Azure Key Vault. When generating the cert with PKCS#12, the DownloadCertificate function works correctly. But when generating with PEM, by just changing the content type to PEM as shown below, the same code fails.

[screenshot]

I read the code of DownloadCertificate. It looks like it already has specific handling for the PEM format.
Anything wrong here?

Expected behavior

see above description

Actual behavior

see above description

Reproduction Steps

  1. Register a domain in the One-Cert system with the private AME issuer only
  2. Generate a cert for this domain with PEM format
  3. Call the DownloadCertificate function

Environment

No response
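One way to isolate this failure, as an added diagnostic that is not part of the issue or of the SDK: Key Vault exposes a PEM certificate's bundle (certificate plus private key) as a secret with the certificate's name, so the bundle can be fetched with SecretClient and the key-to-certificate match that PemReader.CreateRsaCertificate enforces can be checked directly. The vault URI, certificate name and the PemKeyMatchCheck class are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Hypothetical diagnostic helper, not SDK code.
static class PemKeyMatchCheck
{
    // Returns true when the RSA private key in the PEM bundle has the same modulus
    // and public exponent as the certificate's public key. False means the
    // "provided key does not match the public key" ArgumentException is expected.
    public static bool PrivateKeyMatchesCertificate(string pemBundle)
    {
        // Loads only the first CERTIFICATE block; key blocks are ignored here.
        using X509Certificate2 cert = X509Certificate2.CreateFromPem(pemBundle);
        using RSA? certKey = cert.GetRSAPublicKey();
        if (certKey is null) return false;          // not an RSA certificate

        using RSA privateKey = RSA.Create();
        // ImportFromPem skips labels it does not recognise (CERTIFICATE) and
        // reads the single PRIVATE KEY / RSA PRIVATE KEY block in the bundle.
        privateKey.ImportFromPem(pemBundle);

        RSAParameters pub = certKey.ExportParameters(false);
        RSAParameters prv = privateKey.ExportParameters(false);
        return pub.Modulus!.SequenceEqual(prv.Modulus!)
            && pub.Exponent!.SequenceEqual(prv.Exponent!);
    }

    // vaultUri and certificateName are placeholders for the reader's own vault.
    public static async Task<bool> CheckKeyVaultCertificateAsync(
        string vaultUri, string certificateName)
    {
        var secrets = new SecretClient(new Uri(vaultUri), new DefaultAzureCredential());
        KeyVaultSecret secret = (await secrets.GetSecretAsync(certificateName)).Value;
        if (secret.Properties.ContentType != "application/x-pem-file")
            throw new InvalidOperationException(
                $"Secret is not a PEM bundle: {secret.Properties.ContentType}");
        return PrivateKeyMatchesCertificate(secret.Value);
    }
}
```

If this returns false for the same secret that DownloadCertificateAsync rejects, the stored bundle really does carry a mismatched key; if it returns true, the problem is in the SDK's PEM parsing path rather than in the certificate.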

github-actions[bot] commented 2 months ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

adelKhatib commented 1 month ago

I have the same issue!