Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JWT.Encode works fine on local machine in .NET7.0 Windows 11 , on windows server 2012 throw exception: Unable to sign content., inner exception: The requested operation is not supported.| #227

Open
RafalSzczerba opened this issue Jun 21, 2023 · 4 comments
Open

JWT.Encode works fine on local machine in .NET7.0 Windows 11 , on windows server 2012 throw exception: Unable to sign content., inner exception: The requested operation is not supported.| #227

RafalSzczerba opened this issue Jun 21, 2023 · 4 comments

Comments

@RafalSzczerba
Copy link

I'm using this packange in my project in .NET7.0 and is wokring fine on my local machine, but after deployment this on the server problem occures while calling method Jose.JWT.Encode(payload, privateKey, JwsAlgorithm.ES256, headers, options: new JwtOptions {DetachPayload = true, EncodePayload = false });
where:

payload: jsonBody,
priavteKey: is made from .pem and creation object with fullfilled following properites:
new Jwk (crv, , x, y, d: );
I've compared content of payload, header, private key , algorithm, options and there are exactly the same in local machine and on the server.

The exception pop up:
CreateJWSSignature: ex: Unable to sign content., inner exception: The requested operation is not supported.

Could you tell me if this method need to have some extra access to the some resources which I have on local machine but not available on the server? Or maybe you know how to fix this in the code? I'm using windows 11 on local machine, server is windows server 2012
@dvsekhvalnov
Copy link
Owner

Hi @RafalSzczerba ,

can you post full stack trace? And if you have code that showing how do you load your privateKey, can be helpful as well.

@RafalSzczerba
Copy link
Author

Hello @dvsekhvalnov
Full stack trace:

Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The requested operation is not supported. at System.Security.Cryptography.ECCng.ImportKeyBlob(String blobType, ReadOnlySpan1 keyBlob, String curveName, SafeNCryptProviderHandle provider) at System.Security.Cryptography.CngKeyLite.ImportKeyBlob(String blobType, Byte[] keyBlob, String curveName) at System.Security.Cryptography.ECDsaImplementation.ECDsaCng.ImportKeyBlob(Byte[] ecKeyBlob, String curveName, Boolean includePrivateParameters) at System.Security.Cryptography.ECDsaImplementation.ECDsaCng.ImportParameters(ECParameters parameters) at Jose.Jwk.ECDsaKey() at Jose.netstandard1_4.EcdsaUsingSha.Sign(Byte[] securedInput, Object key) --- End of inner exception stack trace --- at Jose.netstandard1_4.EcdsaUsingSha.Sign(Byte[] securedInput, Object key) at Jose.JWT.EncodeBytes(Byte[] payload, Object key, JwsAlgorithm algorithm, IDictionary2 extraHeaders, JwtSettings settings, JwtOptions options) at Jose.JWT.Encode(String payload, Object key, JwsAlgorithm algorithm, IDictionary`2 extraHeaders, JwtSettings settings, JwtOptions options)

PrivateKey creation:

            var sPrivKey = File.ReadAllText(privateKeyFile);   // here is a EC Priave key in .pem format
            var pemReaderPriv = new Org.BouncyCastle.OpenSsl.PemReader(new StringReader(sPrivKey));
            var pemPriv = pemReaderPriv.ReadObject();
            ECPrivateKeyParameters privKeyParams;
            var keyPair = pemPriv as Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair;
            if (keyPair == null)
            {
                privKeyParams = pemPriv as ECPrivateKeyParameters;
            }
            else
            {
                privKeyParams = keyPair.Private as ECPrivateKeyParameters;
            }
            var xCord = privKeyParams.Parameters.G.XCoord.ToBigInteger().ToByteArray();
            var yCord = privKeyParams.Parameters.G.YCoord.ToBigInteger().ToByteArray();    
            var dCord = privKeyParams.D.ToByteArray();               
            var privateKey = new Jwk(
                crv: "P-256",
                x: Base64Url.Encode(xCord),
                y: Base64Url.Encode(yCord),
                d: Base64Url.Encode(dCord[0] == 0
                    ? dCord.Skip(1).ToArray()
                    : dCord)
            );
            
                                var token = Jose.JWT.Encode(payload, privateKey, JwsAlgorithm.ES256, headers, options: new JwtOptions {DetachPayload = true, EncodePayload = false });

@RafalSzczerba
Copy link
Author

Additionally I've found place where exception is made. It is in JWK.cs during attempt to import parameters: ecdsaKey.ImportParameters(param);

@dvsekhvalnov
Copy link
Owner

dvsekhvalnov commented Jun 22, 2023
edited

Hm.. interesting, let's try simple thing first:

Jwk eccKey = new Jwk(
    crv: "P-256",
    x: "BHId3zoDv6pDgOUh8rKdloUZ0YumRTcaVDCppUPoYgk",
    y: "g3QIDhaWEksYtZ9OWjNHn9a6-i_P9o5_NrdISP0VWDU",
    d: "KpTnMOHEpskXvuXHFCfiRtGUHUZ9Dq5CCcZQ-19rYs4"
);

will your code work with key above ^^ ?

Also, on .NET 5+ you can use built-in functions to read PEM files, see here: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.ecalgorithm.importfrompem?view=net-7.0#system-security-cryptography-ecalgorithm-importfrompem(system-readonlyspan((system-char)))

you can probably do something like (no explicit need to convert to Jwk, library can take different key formats directly):

var eccPem = File.ReadAllText("my-key.pem");

var key = ECDsa.Create();
key.ImportFromPem(eccPem);

Jose.JWT.Encode(payload, key, ....);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dvsekhvalnov @RafalSzczerba