microsoft-graph-apiazure-keyvaultx509certificate2mailkitmimekit
Mimekit - Access is denied trying to decrypt
I'm getting this error when trying to decrypt a MIME message:
When I decrypt it in my local machine I can decrypt the mail without any problem, but the app deployed in server can't decrypt and results in this error. this is the code I'm using for decrypting
GraphServiceClient graphClient = new GraphServiceClient(clientSecretCredential, new string[] { _laCaixaSettings.GraphApiSettings.Scope });
var streamMessage = await graphClient.GetMessage(_laCaixaSettings.GraphApiSettings.UserId, pasarelaSettings.FicheroId);
using var message = await MimeMessage.LoadAsync(streamMessage);
var decryptedStream = await MimeMailUtils.Decrypt(message, _laCaixaSettings.GraphApiSettings.PrivateCertificate);
public static async Task<Stream> GetMessage(this GraphServiceClient graphServiceClient, string userId, string messageId)
{
var request = graphServiceClient.Users[userId].Messages[messageId].Request().GetHttpRequestMessage();
request.RequestUri = new Uri(request.RequestUri.OriginalString + "/$value");
var response = await graphServiceClient.HttpProvider.SendAsync(request);
response.EnsureSuccessStatusCode();
var content = await response.Content.ReadAsStreamAsync();
content.Position = 0;
return content;
}
public static async Task<MimeEntity> Decrypt(MimeMessage message, X509Certificate2 certificate)
{
var encryptedContent = (ApplicationPkcs7Mime)message.Body;
using var context = new WindowsSecureMimeContext(StoreLocation.CurrentUser);
context.Import(StoreName.CertificateAuthority, certificate);
return await encryptedContent.DecryptAsync(context);
}
And this is how I get the certificate
public void SetSecrets()
{
using KeyVaultClient client = VaultClientExtensions.GetKeyVaultClient(AzureVaultManagerSettings.ClientId, AzureVaultManagerSettings.ClientSecret);
var secret = AsyncUtil.RunSync(() => client.GetSecret<string>(AzureVaultManagerSettings.SecretUrl));
GraphApiSettings.PrivateCertificate = new X509Certificate2(
Convert.FromBase64String(secret),
string.Empty,
X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
}
I believe the problem could be that this certificate is not installed in the server. Could anyone help me with this? Thanks in advance!
Solution
You don't have access to StoreName.CertificateAuthority.
If you look at the stack trace in the exception, it is failing in System.Security.Cryptography.X509Certificates.X509Store.Open()
Generally, the StoreName.CertificateAuthority is only accessible to admin users.
- Powershell - find last logon activity for a specific device
- How to generate a SkypeToken for Teams native APIs?
- How to retrieve a specific SharePoint online site using graph api and PowerShell
- Azure AD B2C problem with Self-Service password reset
- Moving emails to Deleted Items using Microsoft Graph API
- Unable to run C# application with Microsoft Graph 3.2.0 due to issues with system.net.http missing reference
- Grant admin consent for app registration API permission
- How to use OdataNextLink in Microsoft Graph API Beta 5
- Powershell script intended to pull all users' emails and manager's emails that belong to a specific security group in AD, is creating a blank csv
- How to search the group by the DisplayName using Microsoft Graph?
- How can I get the siteId of the current site with Microsoft Graph API?
- How do I connect to Exchange Online using OAuth 2.0 in MailKit?
- MS Graph api : using filter with orderby
- Mock MS Graph SDK in Golang unit test?
- How to get authorizationCode in MS Graph API 6.12
- "ODataError: One of the provided arguments is not acceptable" when trying to list DocumentSetVersions using Microsoft Graph SDK
- How to use createUploadSession from Microsoft Graph with an ASP.NET Core Web API
- Download SharePoint file from Microsoft Graph API using "sourcedoc" ID
- I got error 404 Not Found when adding metadata to file in sharepoint via Microsoft Graph API SDK Java
- Microsoft Graph API - "Decline event" call fails
- Error : AADSTS50059: No tenant-identifying information found in either the > request or implied by any provided credentials
- How to convert message to EML file
- Graph API returns 0 drives for a SharePoint Team Site, on which there is a shared folder and its subfolders with files
- API request Azure DevOps, Find the project group list and their descriptor
- API request Azure DevOps, add group to a new project with automate flow
- Does Microsoft Graph API support 'createddatetime' property for contacts?
- Graph API SharePoint site file upload: complile error DriveItemRequestBuilder does not contain a definition for Root
- Graph Items.GetAsync() requires Filter opposite to Documentation
- Wrong Token on the send mail API on microsoft graph
- User presence/status in Azure communication service (Teams)