This is a migrated thread and some comments may be shown as answers.

Fiddler.BCCertMaker> Failed to create certificate

5 Answers 137 Views
FiddlerCore
This is a migrated thread and some comments may be shown as answers.
Failed
Top achievements
Rank 1
Failed asked on 06 Mar 2019, 08:44 PM

Hello,

 

I've been using FiddlerCore on Windows for some time now and it's been great. However some of my users have recently started to report

issues where the proxy fails to connect to anything. I've checked the logs and every time this user happens is because of BCCertMaker.

This is what's shown in the log:

Fiddler.BCCertMaker> Failed to create certificate for localhost: Key not valid for use in specified state. at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) at BCCertMaker.BCCertMaker.ConvertBCPrivateKeyToDotNet(RsaPrivateCrtKeyParameters bcPVK, String sKeyName) at BCCertMaker.BCCertMaker.CreateCertificateFromCA(String sCN, X509Certificate caCert, AsymmetricKeyParameter caKey) at BCCertMaker.BCCertMaker.MakeNewCert(String sHostname)

 

I've done research on this error and it's not clear what it's cause is but I've found that it can be solved by deleting

the "Crypto" folder in %AppData%\Microsoft\. This is clearly not ideal and would appreciate if someone had an idea on how to work

around this issue in the future.

 

Thanks.

5 Answers, 1 is accepted

Sort by
0
Failed
Top achievements
Rank 1
answered on 18 Mar 2019, 10:50 PM

I understand this issue is hard to debug without further information, so I've been investigating it further and a StackOverflow answer was brought to my attention that explains this issue really well as well as a way to reproduce it. https://stackoverflow.com/a/4294877
This seems to be a bug affecting both CertMaker.exe and the CertMaker.dll/BCMakeCert.dll combo.

This can be reproduced with any FiddlerCore application that wants to decrypt HTTPS traffic, such as the sample app that ships with the API package.

1. Create a test Windows account with a password (doesn't matter what it is).
2. Log into the test account and run the sample application. Verify that HTTPS traffic is decrypted correctly.
3. Log off and switch over to the Administrator account.
4. Remove the password from the test account.
5. Log off once more and switch over to the test account, run the sample application again.

The application should no longer be able to decrypt HTTPS traffic and might become unstable.
If you check FiddlerCore's log, the error should be "Key not valid for use in specified state.":
https://i.imgur.com/Idbdve3.png

No notification is currently provided to developers or any kind of solution to handle this outcome, such a scenario should be handled gracefully. The StackOverflow answer above proposes a couple solutions to this problem, such as removing the obsolete key container file.

 

Look forward to hearing back from you.

0
Failed
Top achievements
Rank 1
answered on 18 Mar 2019, 10:55 PM
When I say it affects "CertMaker.exe" I really mean "MakeCert.exe", got the names mixed up.
0
Failed
Top achievements
Rank 1
answered on 24 Mar 2019, 05:57 PM

For the time being, we've opted for a workaround that attempts to access the key container before starting the proxy and deletes the corrupted file if a CryptographicException is thrown.

https://github.com/FailedShack/USBHelperLauncher/commit/33d2f825e447d416b678415581fbd8bc03175182


0
Failed
Top achievements
Rank 1
answered on 22 May 2019, 08:05 PM

Any thoughts on this? I had hoped to get some kind of response.

It would be helpful to have a proper way of handling this case. Let me know if you need any other information.

 

 

 

0
Simeon
Telerik team
answered on 27 May 2019, 03:09 PM
Hello,

Sorry for the late reply and thank you for bringing this issue to our attention.

It seems that renaming/deleting the encrypted key container file with the old user password and generating a new one with the new password is the only sensible solution to the problem.

I am adding this issue in our backlog to think about how to avoid this problem or how to handle it gracefully.

Regards,
Simeon
Progress Telerik
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
Tags
FiddlerCore
Asked by
Failed
Top achievements
Rank 1
Answers by
Failed
Top achievements
Rank 1
Simeon
Telerik team
Share this question
or