Clever Geek Handbook

Error IDX10659 when using X509Certficate to decrypt a JWT token

I am creating a web service and an associated client that will use a JWT encrypted with X509Certficates. When I use a symmetric key to encrypt and decrypt tokens everything works fine. However, I want to use X509Certficates based encryption in production, and when I try one of these I get these exceptions:

When running on .NET Core:

Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException: 
IDX10659: UnwrapKey failed, exception from crypto operation: 
'Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: 
Key does not exist'

When running on .NET Framework 4.7 (note how the inner exception is different):

Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException: 
IDX10659: UnwrapKey failed, exception from crypto operation: 
'System.Security.Cryptography.CryptographicException: 
Error occurred while decoding OAEP padding.'

Switching from SymmetricSecurityKey

to X509SecurityKey

simply changes the value provided for the instance EncryptingCredentials

, so I expected everything to just work.

Here's my code for generating the token:

public string Generate(NodeEntitlements entitlements)
{
    if (entitlements == null)
    {
        throw new ArgumentNullException(nameof(entitlements));
    }

    var claims = CreateClaims(entitlements);
    var claimsIdentity = new ClaimsIdentity(claims);

    var securityTokenDescriptor = new SecurityTokenDescriptor
    {
        Subject = claimsIdentity,
        NotBefore = entitlements.NotBefore.UtcDateTime,
        Expires = entitlements.NotAfter.UtcDateTime,
        IssuedAt = DateTimeOffset.Now.UtcDateTime,
        Issuer = "https://example.com",
        Audience = "https://example.com",
        SigningCredentials = SigningCredentials,
        EncryptingCredentials = EncryptingCredentials
    };

    var handler = new JwtSecurityTokenHandler();
    var token = handler.CreateToken(securityTokenDescriptor);
    return handler.WriteToken(token);
}

And here is my code to validate the same token (I commented out the line where the exception is thrown):

public VerificationResult Verify(string tokenString)
{
    var validationParameters = new TokenValidationParameters
    {
        ValidateAudience = true,
        ValidAudience = "https://example.com",
        ValidateIssuer = true,
        ValidIssuer = "https://example.com",
        ValidateLifetime = true,
        RequireExpirationTime = true,
        RequireSignedTokens = SigningKey != null,
        ClockSkew = TimeSpan.FromSeconds(60),
        IssuerSigningKey = SigningKey,
        ValidateIssuerSigningKey = SigningKey != null,
        TokenDecryptionKey = EncryptionKey
    };

    try
    {
        var handler = new JwtSecurityTokenHandler();

        // Exception is thrown here
        var principal = 
            handler.ValidateToken(tokenString, validationParameters, out var token);

        var entitlementIdClaim = principal.FindFirst("id");
        if (entitlementIdClaim == null)
        {
            return VerificationResult.IdentifierNotPresent;
        }

        return VerificationResult.Valid;
    }
    catch (SecurityTokenException ex)
    {
        Console.WriteLine(ex);
        return VerificationResult.InvalidToken;
    }
}

To create EncryptingCredentials

from a certificate:

public static EncryptingCredentials CreateCertificateEncryptionCredentials()
{
    var certificate = FindCertificate();
    var key = new X509SecurityKey(certificate);
    var result = new EncryptingCredentials(
        key, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes256CbcHmacSha512);
    return result;
}

These methods are from a minimal reproduction (GitHub link) that I pulled from the original codebase; there's a bit of code to post here, but most of it is just infrastructure. The reproduction works completely and doesn't use anything from ASP.NET.

I have reproduced the problem with several different X509Certficates on three different computers under two different user accounts, so I believe I excluded the certificate as the source of the problem. The signing works correctly end-to-end in every test, which I think shows that both the public and private keys from the certificate are available.

Why X509SecurityKey

does decryption fail with only s and not s SymmetricSecurityKey

?

What is the correct way to encrypt / decrypt JWT tokens using X509Certficates? Or, what's the workaround for this problem?

Update : Simplified code to reproduce the exception

+3


source to share


1 answer


Try using:

new RsaSecurityKey(certificate.GetRSAPrivateKey().ExportParameters(true));


instead of X509SecurityKey

.

It seems like a bug in the implementation where it does not allow JIT deployment of RSA keys.

0


source






More articles:


All Articles