AmazonCloudFrontUrlSigner.GetCannedSignedURL always throw exception

[weilence]

Describe the bug

Test code

[Fact]
public void Test_RSAParameter()
{
    var reader = new StringReader("""
                                  -----BEGIN PRIVATE KEY-----
                                  MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCa5udYGtrIPUU5
                                  EA0uTAGIc/gPFKqk9rnx6ubTkkEErA6ZiIbG/lj4bSRHendy06qd1X5zuJ4k73oi
                                  SsXKzCOuJHAZA872+iIbFI5axdYH25E3LIzJZu7KHlL08QGsIl9ccx8usuSotsj2
                                  pvb+uswg6kM3sy6Kiqw6e+5GlR4i0CNtt9pOTPb1+5ZQGehx0oeAypV4vGRZIQBm
                                  aCYXo2sBMZI1nNhe6fW7jpNrtki+nh1CKpmxE2TEwfFNh8xCiZ4wCJ4Y8GE3Te9E
                                  8otXM4+15ksIdMzJi7WbtiPsrEc4bxkBD+Hor8bGgFxXAWRRM3ttzLsZrotgEgYO
                                  fu7y0EtXAgMBAAECggEALqqhx8lPYEQVNru/PNNpItLNSL3RKyGpo1hBcjv9moq7
                                  W0XmVM0LwMwgwegDVHSwUhyfm/1ip33+LZaZQB+AIFaZ7u9WytFQtRfcSzyO3o8n
                                  kJe7UnHQPtQj6ecxucohMJj+K/N5L9rhcG2cu+FK3h+1YHJ68wIUIQp1Ho6OJa5W
                                  6/ad/aEPnSH5vd3LmUTSiD/jOtpoSge1axwVoCY4sdK8aTSAld/KexVHb7S5V2m2
                                  IB1tZ+lE+5NyggKbop1ZtqsmJSbpNlHVDuboJMQppK8M/CENetykPe3L8BiIY3zU
                                  J6jylM3dPA+bjlOvylZsWmtAe3ItajftzYSrGXKuAQKBgQDOubkIYSj+O8a5h4Hw
                                  n/YequdduArKe/loKh2987mM2yqyU56XKoJ48GA6X3nZKPy5ZxcQD0maGUtf/6Bk
                                  0rQwq+Tyk2m5fShIhTNoCukjteLClfyw6F2I+3xqMJi7+o0l+t2XB2nFXjTJE8jS
                                  zL9uyDG+w45Q8PBbYhrrnMK9iQKBgQC/0vArSNkdrYf2gpVbGW15rWcCtloDm85l
                                  X1TFIRAh4dVQyonz5ZD5VVl3RYsm0VaH01q6G3pgY8gfVyxPTebm01MC2z5GQk1V
                                  1PWbeIbP4P1+wl1uFb4o9ksGGwhwUvm1JO/7PwmcClvdjvO3tv3rpotJAhJr2vBl
                                  UAp87fBp3wKBgGamxKHLlU6BIlH4Xua8l7tsxAy+meUoIJW/7BrpzqaKIi6A5UxN
                                  GJKzUiVKSbgy6SOrdEFORg8WJl6aEexe0Ikmoj5uQt6PrpQsSHWOjWxlIh/b2KmE
                                  CQY/Uu1sCju106cbZjNbxAL0n6OFhoBemWSKVmFSu/WnXsMR+SosImt5AoGBALXf
                                  UJkpi7low4WFEAj81eBM+WMH89aCDjHtLhltnLcTQMZGEoAtw8OzGY1NYX7fcjR7
                                  vwS/cssbMC4O39MdIHTwHj+SEbxZtqtPq8LJhsBoKNDbhewPL2n1AvL6BIlDEsCe
                                  Ee7cOMc6xxkNJaSlGqEoGd2R2ldqkQzt09PZYV1vAoGABLeRlh3Jw+T34o9xsCM3
                                  N2hU89VWIgvy5Tnz2CekZ7Lw9oL4dACM0LnAs2XG258H1eaVICBkYM/HYPrrTDuf
                                  CKahgTe2mWpYYIuX9FeuEde8/aCFjmx3Ex+QhApPRKh/Sjt/KDYklv/uM8yVwA0Z
                                  i6bFYQM/GnNZd4VnbUZ28ro=
                                  -----END PRIVATE KEY-----
                                  """);
    var pemReader = new PemReader(reader).ReadPrivatekey();
}

Expected Behavior

no exception

Current Behavior

throw exception

System.Exception: Unknown primitive tag

System.Exception
Unknown primitive tag
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.CreatePrimitiveDerObject(Int32 tagNo, Byte[] bytes)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.BuildObject(Int32 tag, Int32 tagNo, Int32 length)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.ReadObject()
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.BuildEncodableVector()
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.BuildDerEncodableVector(Stream dIn)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.CreateDerSequence(Stream dIn)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.BuildObject(Int32 tag, Int32 tagNo, Int32 length)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.ReadObject()
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.BuildEncodableVector()
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.BuildDerEncodableVector(Stream dIn)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.CreateDerSequence(Stream dIn)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.BuildObject(Int32 tag, Int32 tagNo, Int32 length)
   at ThirdParty.BouncyCastle.Asn1.Asn1InputStream.ReadObject()
   at ThirdParty.BouncyCastle.Asn1.Asn1Object.FromByteArray(Byte[] data)
   at ThirdParty.BouncyCastle.OpenSsl.PemReader.ReadPrivatekey()
   at Server.Api.Tests.Services.AmazonServiceTest.Test_RSAParameter()

Reproduction Steps

Run test code in xunit
PemReader is ThirdParty.BouncyCastle.OpenSsl.PemReader

Possible Solution

If i use Org.BouncyCastle.OpenSsl.PemReader(BouncyCastle.Cryptography 2.21), it does work.

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

AWSSDK.CloudFront version is 3.7.301.50

Targeted .NET Platform

.Net 8

Operating System and version

Windows 11

[ashishdhingra]

@weilence Good morning. The above code snippet/screenshot that you shared in issue description does not demonstrate the issue in AmazonCloudFrontUrlSigner. Instead it is showing exception thrown by 3rd party dependency BouncyCastle.
Could you please share:

• If you are demonstrating issue with one of the internal methods ConvertPEMToRSAParameters which makes use of BouncyCastle API and ultimately fails?
  • Kindly share the minimal reproducible end-to-end code (not screenshot) which demonstrates issue with the AmazonCloudFrontUrlSigner.
• Was this working with any earlier version of AWSSDK.CloudFront package?
• List of NuGet packages used in the project.

Thanks,
Ashish

[weilence]

@ashishdhingra

Was this working with any earlier version of AWSSDK.CloudFront package?

I don't know, this is my first time using this SDK, and I only tested versions 3.7.301.18 and 3.7.301.50.

Nuget:
AWSSDK.CloudFront 3.7.301.50

using Amazon.CloudFront;

var reader = new StringReader("""
                              -----BEGIN PRIVATE KEY-----
                              MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCa5udYGtrIPUU5
                              EA0uTAGIc/gPFKqk9rnx6ubTkkEErA6ZiIbG/lj4bSRHendy06qd1X5zuJ4k73oi
                              SsXKzCOuJHAZA872+iIbFI5axdYH25E3LIzJZu7KHlL08QGsIl9ccx8usuSotsj2
                              pvb+uswg6kM3sy6Kiqw6e+5GlR4i0CNtt9pOTPb1+5ZQGehx0oeAypV4vGRZIQBm
                              aCYXo2sBMZI1nNhe6fW7jpNrtki+nh1CKpmxE2TEwfFNh8xCiZ4wCJ4Y8GE3Te9E
                              8otXM4+15ksIdMzJi7WbtiPsrEc4bxkBD+Hor8bGgFxXAWRRM3ttzLsZrotgEgYO
                              fu7y0EtXAgMBAAECggEALqqhx8lPYEQVNru/PNNpItLNSL3RKyGpo1hBcjv9moq7
                              W0XmVM0LwMwgwegDVHSwUhyfm/1ip33+LZaZQB+AIFaZ7u9WytFQtRfcSzyO3o8n
                              kJe7UnHQPtQj6ecxucohMJj+K/N5L9rhcG2cu+FK3h+1YHJ68wIUIQp1Ho6OJa5W
                              6/ad/aEPnSH5vd3LmUTSiD/jOtpoSge1axwVoCY4sdK8aTSAld/KexVHb7S5V2m2
                              IB1tZ+lE+5NyggKbop1ZtqsmJSbpNlHVDuboJMQppK8M/CENetykPe3L8BiIY3zU
                              J6jylM3dPA+bjlOvylZsWmtAe3ItajftzYSrGXKuAQKBgQDOubkIYSj+O8a5h4Hw
                              n/YequdduArKe/loKh2987mM2yqyU56XKoJ48GA6X3nZKPy5ZxcQD0maGUtf/6Bk
                              0rQwq+Tyk2m5fShIhTNoCukjteLClfyw6F2I+3xqMJi7+o0l+t2XB2nFXjTJE8jS
                              zL9uyDG+w45Q8PBbYhrrnMK9iQKBgQC/0vArSNkdrYf2gpVbGW15rWcCtloDm85l
                              X1TFIRAh4dVQyonz5ZD5VVl3RYsm0VaH01q6G3pgY8gfVyxPTebm01MC2z5GQk1V
                              1PWbeIbP4P1+wl1uFb4o9ksGGwhwUvm1JO/7PwmcClvdjvO3tv3rpotJAhJr2vBl
                              UAp87fBp3wKBgGamxKHLlU6BIlH4Xua8l7tsxAy+meUoIJW/7BrpzqaKIi6A5UxN
                              GJKzUiVKSbgy6SOrdEFORg8WJl6aEexe0Ikmoj5uQt6PrpQsSHWOjWxlIh/b2KmE
                              CQY/Uu1sCju106cbZjNbxAL0n6OFhoBemWSKVmFSu/WnXsMR+SosImt5AoGBALXf
                              UJkpi7low4WFEAj81eBM+WMH89aCDjHtLhltnLcTQMZGEoAtw8OzGY1NYX7fcjR7
                              vwS/cssbMC4O39MdIHTwHj+SEbxZtqtPq8LJhsBoKNDbhewPL2n1AvL6BIlDEsCe
                              Ee7cOMc6xxkNJaSlGqEoGd2R2ldqkQzt09PZYV1vAoGABLeRlh3Jw+T34o9xsCM3
                              N2hU89VWIgvy5Tnz2CekZ7Lw9oL4dACM0LnAs2XG258H1eaVICBkYM/HYPrrTDuf
                              CKahgTe2mWpYYIuX9FeuEde8/aCFjmx3Ex+QhApPRKh/Sjt/KDYklv/uM8yVwA0Z
                              i6bFYQM/GnNZd4VnbUZ28ro=
                              -----END PRIVATE KEY-----
                              """);

AmazonCloudFrontUrlSigner.GetCannedSignedURL("http://example.com", reader, "keyPairId", DateTime.Now);

The privateKey generated by openssl genrsa -out private_key.pem 2048

[dscpinheiro]

What version of openssl are you using? I see the same exception on OpenSSL 3 but not on 1.x, so my guess is that our PemReader is not handling the new version correctly.

We'd need to update the BouncyCastle version included in the SDK (which has been around since v1 - years before OpenSSL 3 was released).

[weilence]

@dscpinheiro The version of OpenSSL I'm using is 3.2.1.

[weilence]

@dscpinheiro so...When will the BouncyCastle version be updated?