SonarScanner for .Net - KeyStore/Certificate gives "ASN1 corrupted data" error

I am using the latest version of SonarQube server and the latest version of SonarScanner for .NET for my .NET Core project.

We are running the analysis as part of a CI/CD pipeline, so the build and analysis commands are executed on a Linux server machine.

The command I execute is as follows:

dotnet /opt/sonar-scanner-msbuild/SonarScanner.MSBuild.dll begin \
  /k:"project-key" \
  /n:"Project Name" \
  /d:sonar.verbose=true \
  /d:sonar.login="login-token" \
  /d:sonar.clientcert.path="path/to/pkcs12/keystore" \
  /d:sonar.clientcert.password="keystore-password"

dotnet build .

dotnet /opt/sonar-scanner-msbuild/SonarScanner.MSBuild.dll end \
  /d:sonar.login="${{parameters.sonarLoginToken}}"

But I am getting the following error:

Unhandled exception. System.Security.Cryptography.CryptographicException: ASN1 corrupted data.
 ---> System.Formats.Asn1.AsnContentException: The encoded length exceeds the maximum supported by this library (Int32.MaxValue).
   at System.Formats.Asn1.AsnDecoder.ReadLength(ReadOnlySpan`1 source, AsnEncodingRules ruleSet, Int32& bytesConsumed)
   at System.Formats.Asn1.AsnDecoder.ReadEncodedValue(ReadOnlySpan`1 source, AsnEncodingRules ruleSet, Int32& contentOffset, Int32& contentLength, Int32& bytesConsumed)
   at Internal.Cryptography.Pal.UnixPkcs12Reader.ParsePkcs12(ReadOnlySpan`1 data)
   --- End of inner exception stack trace ---
   at Internal.Cryptography.Pal.OpenSslX509CertificateReader.FromFile(String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
   at SonarScanner.MSBuild.PreProcessor.PreprocessorObjectFactory.CreateHttpClient(String userName, String password, String clientCertPath, String clientCertPassword)
   at SonarScanner.MSBuild.PreProcessor.PreprocessorObjectFactory.CreateSonarWebService(ProcessedArgs args)
   at SonarScanner.MSBuild.PreProcessor.PreProcessor.DoExecute(ProcessedArgs localSettings)
   at SonarScanner.MSBuild.PreProcessor.PreProcessor.Execute(IEnumerable`1 args)
   at SonarScanner.MSBuild.BootstrapperClass.PreProcess()
   at SonarScanner.MSBuild.BootstrapperClass.Execute()
   at SonarScanner.MSBuild.Program.Execute(String[] args, ILogger logger)
   at SonarScanner.MSBuild.Program.Execute(String[] args)
   at SonarScanner.MSBuild.Program.Main(String[] args)
   at SonarScanner.MSBuild.Program.<Main>(String[] args)

According to the error description, it seems there is a problem with the keystore format. I have no clue what the expected format is.

Note that the keystore used above is working perfectly with my other Java projects (and SonarScanner for Gradle) and web projects (and the generic SonarScanner).

Hello @Mina_Bestawrous, sorry for the delay.

We’ve seen this issue in the past and it’s probably related to the connection in general, rather than the scanner for dotnet.

I’ll talk with a colleague who investigated this in the past.

Hello @Mina_Bestawrous

In the past, this happened when users were using a server certificate instead of a client certificate to authenticate.

Our recommendation, in case you have difficulties using these parameters, is to instead remove the sonar.clientcert.path and sonar.clientcert.password options, and import the certificate into the keystore, as usual.

What do you think about that?
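
Added example (not part of any post in this thread, and not SonarScanner code): the stack trace ends in ParsePkcs12, so the file given to sonar.clientcert.path is read as ASN.1-encoded PKCS#12. The Python below labels a keystore by its leading bytes (PKCS#12, Java JKS/JCEKS, PEM) and shows how a header that is not ASN.1 can decode to a length above Int32.MaxValue; the function names are hypothetical and it checks only the file header, not the certificate inside.

```python
import sys

# Magic numbers that open the Java-only keystore formats.
JAVA_MAGIC = {0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}
INT32_MAX = 0x7FFFFFFF  # the limit named in the exception message


def der_length(data, offset=1):
    """Decode the ASN.1 length at data[offset]; return (length, next_offset)."""
    if len(data) <= offset:
        raise ValueError("truncated before length octet")
    first = data[offset]
    if first < 0x80:                 # short form: this octet is the length
        return first, offset + 1
    count = first & 0x7F             # long form: number of length octets
    if count == 0:
        raise ValueError("indefinite length (BER), not checked here")
    raw = data[offset + 1:offset + 1 + count]
    if len(raw) < count:
        raise ValueError("truncated length field")
    length = int.from_bytes(raw, "big")
    if length > INT32_MAX:
        raise ValueError(f"{count}-octet length exceeds Int32.MaxValue")
    return length, offset + 1 + count


def classify_keystore(data):
    """Label what the leading bytes of a keystore file look like."""
    magic = int.from_bytes(data[:4], "big")
    if len(data) >= 4 and magic in JAVA_MAGIC:
        return JAVA_MAGIC[magic]
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    if not data or data[0] != 0x30:  # a PFX starts with an outer SEQUENCE
        return "unknown"
    try:
        length, body = der_length(data)
    except ValueError as exc:
        return f"not plain DER: {exc}"
    if body + length != len(data):
        return "not plain DER: length does not match file size"
    # RFC 7292: the first field of a PFX is INTEGER version = 3.
    if data[body:body + 3] == b"\x02\x01\x03":
        return "PKCS12 header"
    return "DER, but not PKCS12"


if __name__ == "__main__" and len(sys.argv) == 2:
    with open(sys.argv[1], "rb") as fh:   # path to the keystore to inspect
        print(classify_keystore(fh.read()))
```

Run it with the keystore path as the only argument; any result other than "PKCS12 header" means the file needs converting or re-exporting before a PKCS#12 reader can load it.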