Error IDX10659 when using X509Certficate to decrypt a JWT token
I am creating a web service and an associated client that will use a JWT encrypted with X509Certficates. When I use a symmetric key to encrypt and decrypt tokens everything works fine. However, I want to use X509Certficates based encryption in production, and when I try one of these I get these exceptions:
When running on .NET Core:
Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException:
IDX10659: UnwrapKey failed, exception from crypto operation:
'Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException:
Key does not exist'
When running on .NET Framework 4.7 (note how the inner exception is different):
Microsoft.IdentityModel.Tokens.SecurityTokenKeyWrapException:
IDX10659: UnwrapKey failed, exception from crypto operation:
'System.Security.Cryptography.CryptographicException:
Error occurred while decoding OAEP padding.'
Switching from SymmetricSecurityKey
to X509SecurityKey
simply changes the value provided for the instance EncryptingCredentials
, so I expected everything to just work.
Here's my code for generating the token:
public string Generate(NodeEntitlements entitlements)
{
if (entitlements == null)
{
throw new ArgumentNullException(nameof(entitlements));
}
var claims = CreateClaims(entitlements);
var claimsIdentity = new ClaimsIdentity(claims);
var securityTokenDescriptor = new SecurityTokenDescriptor
{
Subject = claimsIdentity,
NotBefore = entitlements.NotBefore.UtcDateTime,
Expires = entitlements.NotAfter.UtcDateTime,
IssuedAt = DateTimeOffset.Now.UtcDateTime,
Issuer = "https://example.com",
Audience = "https://example.com",
SigningCredentials = SigningCredentials,
EncryptingCredentials = EncryptingCredentials
};
var handler = new JwtSecurityTokenHandler();
var token = handler.CreateToken(securityTokenDescriptor);
return handler.WriteToken(token);
}
And here is my code to validate the same token (I commented out the line where the exception is thrown):
public VerificationResult Verify(string tokenString)
{
var validationParameters = new TokenValidationParameters
{
ValidateAudience = true,
ValidAudience = "https://example.com",
ValidateIssuer = true,
ValidIssuer = "https://example.com",
ValidateLifetime = true,
RequireExpirationTime = true,
RequireSignedTokens = SigningKey != null,
ClockSkew = TimeSpan.FromSeconds(60),
IssuerSigningKey = SigningKey,
ValidateIssuerSigningKey = SigningKey != null,
TokenDecryptionKey = EncryptionKey
};
try
{
var handler = new JwtSecurityTokenHandler();
// Exception is thrown here
var principal =
handler.ValidateToken(tokenString, validationParameters, out var token);
var entitlementIdClaim = principal.FindFirst("id");
if (entitlementIdClaim == null)
{
return VerificationResult.IdentifierNotPresent;
}
return VerificationResult.Valid;
}
catch (SecurityTokenException ex)
{
Console.WriteLine(ex);
return VerificationResult.InvalidToken;
}
}
To create EncryptingCredentials
from a certificate:
public static EncryptingCredentials CreateCertificateEncryptionCredentials()
{
var certificate = FindCertificate();
var key = new X509SecurityKey(certificate);
var result = new EncryptingCredentials(
key, SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes256CbcHmacSha512);
return result;
}
These methods are from a minimal reproduction (GitHub link) that I pulled from the original codebase; there's a bit of code to post here, but most of it is just infrastructure. The reproduction works completely and doesn't use anything from ASP.NET.
I have reproduced the problem with several different X509Certficates on three different computers under two different user accounts, so I believe I excluded the certificate as the source of the problem. The signing works correctly end-to-end in every test, which I think shows that both the public and private keys from the certificate are available.
Why X509SecurityKey
does decryption fail with only s and not s SymmetricSecurityKey
?
What is the correct way to encrypt / decrypt JWT tokens using X509Certficates? Or, what's the workaround for this problem?
Update : Simplified code to reproduce the exception
source to share