SQL-APIConsumer

Create certificate from file does not work

Open CoenVanWoerkom opened this issue 5 years ago • 2 comments

As Solomon Rutzky explains in numerous posts on Stack Exchange and elsewhere (for example https://dba.stackexchange.com/questions/223976/assembly-deployment-with-permission-unsafe-or-external-access-using-asymmetric-k), there is a method to create assemblies without setting trustworthy = ON. This involves creating a certificate or asymmetric key from the executable, creating a login for that key/certificate, and then creating the assembly.

However, I can't get it to work for the APIConsumer. As soon as I try to create the certificate or asymmetric key (tried both), I get the following error message:

The certificate, asymmetric key, or private key file is not valid or does not exist; or you do not have permissions for it.

Here is the code I used for that:

CREATE ASYMMETRIC KEY [FrameworkAPI_Consumer] FROM EXECUTABLE FILE = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CLR\API_Consumer.dll'

Or:

CREATE CERTIFICATE [FrameworkAPI_Consumer] FROM EXECUTABLE FILE = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CLR\API_Consumer.dll';

The method works for the other required assemblies, and creating the assembly does work when setting the trustworthy = ON, so the issue does not seem to come from permission-related issues. I have even tried moving the CLR folder that has to be created to the C:\Windows\Microsoft.NET\Framework64\v4.0.30319 folder, as creating the assembly for newtonsoft.JSON.dll did work from that path.

So that leaves me with the first part of the error message: The certificate, asymmetric key, or private key file is not valid or does not exist. I have very little experience with assemblies, so I have no clue how to verify what exactly is the issue here. I am hoping you could help me out, as I am hoping to use this assembly without having to set trustworthy ON.

CoenVanWoerkom avatar Aug 26 '20 09:08 CoenVanWoerkom

Hi @CoenVanWoerkom,

I read the entire series of this awesome blog. I tried making it External_Access, but since it depends on other DLLs, like [Newtonsoft.Json], [System.Runtime.Serialization.dll], [SMDiagnostics], [System.ServiceModel.Internals], it doesn't work. So, what we could do is customize the SQL-ApiConsumer for you, removing JsonConvert objects. What kind of URL would you be calling?

geral2 avatar Aug 28 '20 21:08 geral2

Hello geral2,

Thank you for your quick response and willingness to help. We are looking for a way to implement the APIConsumer without having to turn TRUSTWORTHY ON. To circumvent the trustworthy option, we applied the methods described in the articles (creating a certificate or key), after which we tried to create the assembly granting unsafe access. This results in the error message stated above. Would it be possible to create a certificate or asymmetric key for the APIConsumer without having to customize anything and without having to turn trustworthy on?

MyraR avatar Sep 10 '20 09:09 MyraR
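
The sequence described in the issue (key from the executable, login from the key, then the assembly), written out as an added T-SQL example; it is not code from the SQL-APIConsumer project or from the posts above. The login name `FrameworkAPI_Consumer_Login` and the database name `YourDatabase` are hypothetical placeholders, and step 1 can only succeed when the DLL carries a strong-name signature, because that signature is where the public key is read from.

```sql
-- Added example: signature-based UNSAFE assembly load with TRUSTWORTHY left OFF.
-- Hypothetical names: FrameworkAPI_Consumer_Login, YourDatabase.

USE [master];
GO

-- 1. Load the public key from the DLL's strong-name signature.
--    A file without a strong-name signature has no key to extract.
CREATE ASYMMETRIC KEY [FrameworkAPI_Consumer]
    FROM EXECUTABLE FILE = N'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CLR\API_Consumer.dll';
GO

-- 2. Map a login to the key. It cannot be used to connect; it exists
--    only to carry the server-level permission granted in step 3.
CREATE LOGIN [FrameworkAPI_Consumer_Login]
    FROM ASYMMETRIC KEY [FrameworkAPI_Consumer];
GO

-- 3. Grant only the permission that loading an UNSAFE assembly requires.
GRANT UNSAFE ASSEMBLY TO [FrameworkAPI_Consumer_Login];
GO

-- 4. Create the assembly in the user database.
USE [YourDatabase];
GO
CREATE ASSEMBLY [API_Consumer]
    FROM N'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CLR\API_Consumer.dll'
    WITH PERMISSION_SET = UNSAFE;
GO

-- Checks: the key and its mapped login exist, TRUSTWORTHY is still off,
-- and the assembly was registered with the expected permission set.
SELECT name, thumbprint
FROM   master.sys.asymmetric_keys
WHERE  name = N'FrameworkAPI_Consumer';

SELECT name, type_desc
FROM   sys.server_principals
WHERE  name = N'FrameworkAPI_Consumer_Login';

SELECT name, is_trustworthy_on
FROM   sys.databases
WHERE  name = N'YourDatabase';

SELECT name, permission_set_desc
FROM   sys.assemblies
WHERE  name = N'API_Consumer';
```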