gennewext: System.Security.Cryptography.CryptographicException: The parameter is incorrect.

[mohagrabx]

Hello everybody

When I run ScepClient.exe gennewext with my parameters so something like:

ScepClient.exe gennewext http://scepman.server/static SeCrEtPaSSwOrD dnslist.txt keyUsages.txt "Great Server" greatserver.pfx greatserver.cer

i get the following error which I cannot tell from where it is coming:

Unhandled Exception: System.Security.Cryptography.CryptographicException: The parameter is incorrect. at System.Security.Cryptography.Pkcs.EnvelopedCms.DecryptContent(RecipientInfoCollection recipientInfos, X509Certificate2Collection extraStore) at System.Security.Cryptography.Pkcs.EnvelopedCms.Decrypt(X509Certificate2Collection extraStore) at ScepClient.ScepClient.<>c__DisplayClass27_0.<ParseScepResponse>b__4() at ScepClient.ScepClient.ExecuteCryptoMethodWithRetries(Action operation2Execute) at ScepClient.ScepClient.ParseScepResponse(X509Certificate2Collection caChain, X509Certificate2 ownKey, Byte[] data) at ScepClient.ScepClient.SubmitPkcs10ToScep(String scepURL, Byte[] pkcs10, X509Certificate2 signerCert, Boolean isRenewal) at ScepClient.ScepClient.GenerateNew(String scepURL, String pfxOutputPath, String certOutputPath, String pkcs10OutputPath, String challengePassword, String cN, IEnumerable1 additionalDNSEntries, IEnumerable1 keyPurposes) at ScepClient.ScepClient.Main(String[] args)

Does anybody have an idea what the issue might be because the scepman server seems to validate request and generate the certificate but it somehow cannot be decrypted or something similar?

[bb-froggy]

I couldn't reproduce it in my environment. The SCEP response is encrypted to the key that the client used for sending the request, so maybe it is in the wrong KSP or something like this?

Which OS are you running this on?

[mohagrabx]

I tried to replicate my problem with another server and could not replicate it. (Everything worked fine)

The server with the issue was:
.Net version would be 4.8
and OS would be Windows Server 2022 Datacenter Azure Edition

The other server had 4.7 .Net version and Windows Server 2019 Azure Edition as OS.

[bb-froggy]

Thank you for the additional tests.

Can you still replicate this on the first server? I'll also see whether we can reproduce the issue on Windows Server 2022.

[mohagrabx]

I still can replicate it on the first server but when i deployed a new vm with Windows Server 2022 I could not replicate it.

[bb-froggy]

Which version of SCEPclient are you using? The one for .NET 6 or for .NET Framework? Built from code or downloaded the release? It shouldn't make a difference, but it is interesting for debugging.

The server seems to have issues using the key to decrypt the SCEP message, so maybe something is going wrong with the CSP/KSP used to handle the private key. SCEPclient temporarily stores the key in Windows' key store for decryption, and assigns the name "SCEPclient Certificate". It lets Windows choose which CSP/KSP to use. It would be interesting to find out which one it is. However, after the exception, the key is deleted again already, so we can't find out where the key is. We could monitor with ProcMon, but this seems like much effort.

Hmm ... I will modify the application to print out some debug info if this specific exception occurs. I hope I can get it done tomorrow, but there's a bunch of urgent issues currently, so I can't make any promises.

[mohagrabx]

SCEPclient version 20240709-1034-framework. With .NET I mean .NET Framework. Downloaded from release. We are not in a hurry...you can take your time. Thank you so much for your immense help!

[bb-froggy]

I have just released SCEPclient version 20241002-1236-framework that prints out some additional information about the key which may or may not help us. Since I cannot reproduce the problem, I couldn't really test it, so chances are that the new code is not executed or it prints out the wrong information. Even if it works, I am not sure whether the new information pins down the issue, but its currently my best guess :-).

The output shouldn't be sensitive, so you can post it here, or send it directly to me directly if this is better for you.