Archived Forum Post


Question:

Crypt2.DecryptBytes returning 0 bytes on larger files in VB.NET

Dec 22 '15 at 12:14

Below is the code I am using in my VB.NET 4.0 application to decrypt an incoming certificate.

    ' Certificate whose private key is used for decryption
    Dim _signCert As New Chilkat.Cert
    Dim _crypt As New Chilkat.Crypt2
    _signCert.LoadFromFile(SetPrivCert())
    _crypt.SetDecryptCert(_signCert)
    ' DecryptBytes is the call that returns 0 bytes for the larger files
    _RawContent = _crypt.DecryptBytes(_Body.GetBodyBinary())

The loaded private certificate is correct. When I load an incoming file that is from a few KB to 6 or 8 MB, I am able to decrypt the certificate. When I load a file that is more than 10 or 12 MB, the DecryptBytes function returns 0 bytes. Is there a restriction on the size of file that the function uses to decrypt? I am using _crypt.CryptAlgorithm = "PKI". The version of ChilkatDotNet4 that I am using is 9.4.0.0. Is there a new version that I should use to decrypt? We have several customers affected by this problem and would like a solution ASAP for this.


Answer

Check the contents of the LastErrorText property. A return value of 0 bytes indicates failure. Information about any failure is always available in the LastErrorText property. (The LastErrorText will also contain information for success -- it always contains information about what transpired in the last method called.)

If posting the LastErrorText here, make sure to use "<pre>" tags so that it's not on one unbroken, unreadable line.

Also, the forum is not an official support channel. It is OK to post here, and I'll treat it the same as a support request sent via private email if your username/email address is such that I can identify you as a current customer with non-expired support. To the best of my knowledge, your support expired last year... (If I am incorrect because support was renewed using a different email account, then please accept my apology.)


Answer

Appreciate your quick response. I will surely check on the support information and see if I can extend the support. Here is the result from the LastErrorText (All I see here is a message "ASN1 out of memory"). Not sure if it makes sense to you, but you are the best judge here.

    <chilkatlog>
      <decryptbytes>
        <dlldate>Dec 12 2012</dlldate>
        <unlockprefix>MCKESSCrypt</unlockprefix>
        <username>ACNU3439DK7:eqs0neg</username>
        <architecture>Little Endian; 32-bit</architecture>
        <language>.NET 4.0</language>
        <verboselogging>0</verboselogging>
        <decryptpkcs7>
          <algorithm>pki</algorithm>
          <info>Using specific decrypt certificate.</info>
          <certserialnumber>080E1A3DF8FFB9894C453ADACD1BE138</certserialnumber>
          <certissuercn>MPS Customer #003692</certissuercn>
          <info>Getting pre-installed private key.</info>
          <info>Getting private key via Crypto API...</info>
          <info>Getting private key for key exchange (i.e. encryption)</info>
          <checkprivatekey>
            <info>Fetching key provider info...</info>
            <calledfrom>2</calledfrom>
            <dwkeyspec>0x1</dwkeyspec>
            <forkeyexchange>1</forkeyexchange>
            <forsignature>0</forsignature>
            <silent>0</silent>
            <mykeycontainer>b38fb22d-f1fe-4c0b-aae0-535c9d2abb06</mykeycontainer>
          </checkprivatekey>
          <exportprivatekeytoder>
            <getprivatekeytoder>
              <bexchangekey>1</bexchangekey>
              <error>(warning) Cannot access private key because when installed, it was not marked as exportable.</error>
              <error>(optional) Re-install the certificate and private key from a PFX.</error>
              <error>(optional) Make sure to mark the key as exportable.</error>
              <error>(warning) Cannot export private key.</error>
            </getprivatekeytoder>
          </exportprivatekeytoder>
          <info>Using pre-specified certificate for PKCS7 unenvelope.</info>
          <info>Decrypting using CryptoAPI to avoid private key export</info>
          <msdecrypt1>
            <windowserror>ASN1 out of memory.</windowserror>
            <windowserrorcode>0x80093106</windowserrorcode>
            <error>cryptoAPI decrypt failed (1)</error>
            <lowlevelmscryptoalternative>
              <windowserror>ASN1 out of memory.</windowserror>
              <windowserrorcode>0x80093106</windowserrorcode>
              <error>CryptMsgOpenToDecode failed.</error>
            </lowlevelmscryptoalternative>
          </msdecrypt1>
          <error>Failed to unenvelope PKCS7 message</error>
        </decryptpkcs7>
        <error>Failed to decrypt.</error>
        <error>Failed.</error>
      </decryptbytes>
    </chilkatlog>

Thanks once again.


Answer

  1. You're using an old version of Chilkat, so I would recommend updating at the next good time in your development cycle.
  2. The private key is installed on your Windows system with security options that prevent export: Cannot access private key because when installed, it was not marked as exportable. Re-install the certificate and private key from a PFX. Make sure to mark the key as exportable.
  3. When Chilkat is not able to do the RSA decryption itself (because it does not have access to the private key material), it calls the Microsoft Crypto API to do the RSA decryption. It is the Microsoft CryptoAPI that fails -- because it cannot handle the size. If the private key was exportable, and accessible to Chilkat, then Chilkat would have no problem with it.

The only solution is to re-install the cert + private key so that the private key is exportable. The problem is within Microsoft's CryptoAPI. The solution is to avoid using Microsoft's CryptoAPI and this is only possible if the Chilkat implementation can access the private key.


Answer

Thanks for the response.

The issue with the private key may be because I had manually installed it in my system. Will check and correct it.

What is the latest version of Crypto I should be using? Currently it is 9.4.0.0.


Answer

Have used the latest ChilkatDotNet4.dll (9.5.0.52) and also re-installed the certificate and private key from a PFX, marked as exportable.

By using the latest dll and installing the certs as exportable, we are not getting the following warnings, which we used to get with the older ChilkatDotNet4.dll (9.4.0.0) in the LastErrorText property after DecryptBytes.

          (warning) Cannot access private key because when installed, it was not marked as exportable.
          (optional) Re-install the certificate and private key from a PFX.
          (optional) Make sure to mark the key as exportable.

Now the issue is that the system is not able to decrypt the content of smaller files (11 Kb) itself; it fails with the below error, “Input length not equal to modulus length”.

Below is the full extract of the LastError message. Please advise if this is because it is a trial version or if the issue is different.

    ChilkatLog:
      DecryptBytes:
        DllDate: Aug 26 2015
        ChilkatVersion: 9.5.0.52
        UnlockPrefix: MCKESSCrypt
        Username: INBLRSE2701446:028193
        Architecture: Little Endian; 32-bit
        Language: .NET 4.0
        VerboseLogging: 0
        decryptPkcs7:
          algorithm: pki
          Using specific decrypt certificate.
          certSerialNumber: 080E1A3DF8FFB9894C453ADACD1BE138
          certIssuerCN: MPS Customer #003692
          Getting pre-installed private key.
          certGetPrivateKeyAsDER:
            toPrivKeyDer:
              This is a public key, not a private key.
            --toPrivKeyDer
            msCertGetPrivateKey:
              kcExportPrivateKeyToDER:
                bExchangeKey: 1
              --kcExportPrivateKeyToDER
            --msCertGetPrivateKey
          --certGetPrivateKeyAsDER
          loadPkcs7Der:
            loadPkcs7Xml:
              Pkcs7_EnvelopedData:
                AlgorithmIdentifier_loadXml:
                  encryptionAlgorithmOid: 1.2.840.113549.3.7
                  IV: hEMrpt7z9xE=
                --AlgorithmIdentifier_loadXml
                numRecipients: 2
                RecipientInfo:
                  IssuerAndSerialNumber:
                    serialNumber1: 080E1A3DF8FFB9894C453ADACD1BE138
                    issuerCommonName:
                    issuerCountry:
                    issuerState:
                    issuerLocality:
                    issuerOrganization:
                  --IssuerAndSerialNumber
                  encryptedKeyNumBytes: 128
                --RecipientInfo
                RecipientInfo:
                  IssuerAndSerialNumber:
                    serialNumber1: 49BB1AE3F8C3FE797B1CF1131485FA49
                    issuerCommonName: COMODO High-Assurance Secure Server CA
                    issuerCountry: GB
                    issuerState: Greater Manchester
                    issuerLocality: Salford
                    issuerOrganization: COMODO CA Limited
                  --IssuerAndSerialNumber
                  encryptedKeyNumBytes: 256
                --RecipientInfo
              --Pkcs7_EnvelopedData
            --loadPkcs7Xml
          --loadPkcs7Der
          Using pre-specified certificate for PKCS7 unenvelope.
          unEnvelope2:
            findMatchingRecipientInfo:
              NeedSerial: 080E1A3DF8FFB9894C453ADACD1BE138
              NeedIssuerCN: MPS Customer #003692
              NumRecipientInfos: 2
            --findMatchingRecipientInfo
            Using the last RecipientInfo by default...
            AlgorithmIdentifier:
              oid: 1.2.840.113549.1.1.1
            --AlgorithmIdentifier
            Decrypting symmetric key...(3)
            Input length not equal to modulus length
            ModulusLen: 128
            InputLen: 256
            Failed to decrypt symmetric key.
          --unEnvelope2
          Failed to unenvelope PKCS7 message
        --decryptPkcs7
        Failed to decrypt.
        Failed.
      --DecryptBytes
    --ChilkatLog
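
The log in the last post can be triaged mechanically. The following is an added example, not part of the original thread and not Chilkat code: it pulls the RecipientInfo entries out of a LastErrorText of this shape and compares each entry's encryptedKeyNumBytes with the logged ModulusLen, since an RSA ciphertext must be exactly as long as the key modulus. The function names and result keys are assumptions of this example, and the sample is trimmed from the log quoted above.

```python
import re

# Constructed sample: trimmed from the LastErrorText quoted in the thread.
SAMPLE_LOG = (
    "numRecipients: 2 RecipientInfo: IssuerAndSerialNumber: "
    "serialNumber1: 080E1A3DF8FFB9894C453ADACD1BE138 issuerCommonName: "
    "--IssuerAndSerialNumber encryptedKeyNumBytes: 128 --RecipientInfo "
    "RecipientInfo: IssuerAndSerialNumber: "
    "serialNumber1: 49BB1AE3F8C3FE797B1CF1131485FA49 "
    "issuerCommonName: COMODO High-Assurance Secure Server CA "
    "--IssuerAndSerialNumber encryptedKeyNumBytes: 256 --RecipientInfo "
    "findMatchingRecipientInfo: NeedSerial: 080E1A3DF8FFB9894C453ADACD1BE138 "
    "NumRecipientInfos: 2 --findMatchingRecipientInfo "
    "Using the last RecipientInfo by default... "
    "Input length not equal to modulus length ModulusLen: 128 InputLen: 256"
)

# One RecipientInfo block: serial number, then size of its RSA-wrapped key.
RECIPIENT_RE = re.compile(
    r"(?<![\w-])RecipientInfo:.*?serialNumber1:\s*([0-9A-Fa-f]+)"
    r".*?encryptedKeyNumBytes:\s*(\d+)", re.S)

def parse_recipients(log):
    """Return [(serial, encrypted_key_bytes), ...] in message order."""
    return [(s.upper(), int(n)) for s, n in RECIPIENT_RE.findall(log)]

def field(log, name):
    """First value logged as 'name: value', or None if absent."""
    m = re.search(rf"(?<!\w){re.escape(name)}:\s*(\w+)", log)
    return m.group(1) if m else None

def diagnose(log):
    """Compare the recipient entry that was needed with the one decrypted."""
    recipients = parse_recipients(log)
    need = (field(log, "NeedSerial") or "").upper()
    modulus = int(field(log, "ModulusLen") or 0)
    tried = int(field(log, "InputLen") or 0)
    return {
        "recipients": recipients,
        # Entries addressed to the configured decrypt certificate.
        "for_our_cert": [r for r in recipients if r[0] == need],
        # Entries whose wrapped key is the right size for our RSA key.
        "fits_our_key": [r for r in recipients if r[1] == modulus],
        # True when the failed input matches another recipient's entry.
        "tried_wrong_recipient": tried != modulus
        and any(r[0] != need and r[1] == tried for r in recipients),
    }
```
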