I made keys like this:
1- Generating a Private Key:
openssl genrsa -aes256 -out private_key.pem 2048
2- Generating a Public Key:
openssl rsa -pubout -in private_key.pem -out public_key.pem
Beginning of my private key:
"-----BEGIN RSA PRIVATE KEY-----Proc-Type: 4,ENCRYPTEDDEK-Info: AES-256-CBC,866CA08DD3019CB049289762A31601D2UG5.......lot of stuff here... "
And used this as guidance: https://medium.com/darwinlabs/authentication-in-rest-services-using-json-web-tokens-with-outsystems-772ae09eae98
So in JWTDemo create token preparation I am initializing RS256, see attachment. When CreateToken is called, it gives an exception: "Unable to open private key. Validate if private key's password is correct."
Is RS256 fully supported?
I am 100% sure about my private key password, so is my PEM file in the wrong format, or what is the problem and how do I fix it?
When moving to different server, I faced another signing problem.
The solution for this was made by nobot and can be found here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/7ea48fd0-8d6b-43ed-b272-1a0249ae490f/systemsecuritycryptographycryptographicexception-the-system-cannot-find-the-file-specified?forum=clr#37d4d83d-0eb3-497a-af31-030f5278781a
In later versions of IIS the user might not have a keystore, so using the machine keystore is a workaround. Maybe there could be a parameter in JWT to configure which one to use?
Under further review, I am getting the same error "The system cannot find the file specified. at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)".
Is there anything we can do if we are using a hosted version of OutSystems? We don't have access to IIS.
Thanks!
Esa Saarinen wrote:
Hi Ryan, I haven't been able to implement Esa's solution to change the keystore, but I'm hoping that would fix that. I'll try to rush that and push another version of the component.
Ryan Miles wrote:
I added an option to use the machine keystore in the latest version, take a look to see if it works.
João Almeida wrote:
Hi João,
Can I check with you how to use the option for machine keystore? I am also having the same problem too.
Problem found. My private key was stored in site properties and somehow the line feeds were corrupted (even though the content otherwise seemed OK) when getting the private key from there (and then the PEM parser was failing). Putting the same content in a local variable fixed this, though I still don't understand the reason for it.
Great to know you were able to solve it, I still had no time to try to test your scenario. Do you have any idea how your key got corrupted? Was it only from saving it in the site property?
Thanks for the response, yes, I believe so, because I fully followed your blog post mentioned above and reused site properties variables in JWTDemo, and after proving with a unit test in Visual Studio that the extension is working just fine with correct input in that context. Then I pasted my private key directly into the CreateToken parameter and it worked fine, so my final step was to make a local variable in CreateSignedAsymmetricToken to store the private key and use it from there, and it still worked. For me it seemed that the PEM file line length was not fixed when taking the variable from site properties, and that probably caused the parser to fail. It would be interesting to know the root cause of this, to understand when site properties cannot be used.
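The symptom described above (a PEM key that looks fine but whose line feeds were mangled on the way through a config store, so the Proc-Type and DEK-Info headers run straight into the base64 body exactly as in the pasted key) can be checked before the key ever reaches the signing extension. The following is an added example, not code from the JWT component or from anyone in this thread; it uses only the Python standard library, and the sample keys in it are constructed placeholders (random IV, dummy body), not real key material.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<inner>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
# IV length in hex digits for the ciphers "openssl genrsa -aes256"-style keys use.
IV_HEX_LEN = {"AES-128-CBC": 32, "AES-192-CBC": 32, "AES-256-CBC": 32, "DES-EDE3-CBC": 16}

# Constructed samples (not real keys): one encrypted PKCS#1 block with all line
# feeds lost, and one unencrypted block with stray carriage returns.
BROKEN_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----Proc-Type: 4,ENCRYPTEDDEK-Info: AES-256-CBC,"
    "00112233445566778899AABBCCDDEEFF"
    + base64.b64encode(bytes(range(96))).decode()
    + "-----END RSA PRIVATE KEY-----"
)
BROKEN_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\r\nMAMC\rAQA=\r\n-----END RSA PRIVATE KEY-----"

def normalize_pem(text):
    """Rebuild a PEM block whose line breaks were lost or mangled.

    Returns the re-wrapped 'pem', its 'label', whether it is password-'encrypted'
    and, if so, the 'cipher'. Raises ValueError for anything that is not a
    well-formed block (mismatched boundaries, bad headers, invalid base64).
    """
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no matching BEGIN/END PEM boundary found")
    label = m.group("label")
    body = "".join(m.group("inner").split())  # drop every CR, LF, space and tab
    headers, cipher = [], None
    if body.startswith("Proc-Type:4,ENCRYPTED"):          # spaces were stripped above
        rest = body[len("Proc-Type:4,ENCRYPTED"):]
        if not rest.startswith("DEK-Info:"):
            raise ValueError("Proc-Type header without DEK-Info")
        cipher, _, rest = rest[len("DEK-Info:"):].partition(",")
        iv_len = IV_HEX_LEN.get(cipher)
        if iv_len is None:
            raise ValueError("unsupported DEK-Info cipher %r" % cipher)
        iv, body = rest[:iv_len], rest[iv_len:]            # fixed IV width splits IV from body
        if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % iv_len, iv):
            raise ValueError("DEK-Info IV is not %d hex digits" % iv_len)
        headers = ["Proc-Type: 4,ENCRYPTED", "DEK-Info: %s,%s" % (cipher, iv), ""]
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("body is not valid base64: %s" % exc)
    if cipher is None and not der.startswith(b"\x30"):    # plaintext DER must be a SEQUENCE
        raise ValueError("unencrypted body does not start with a DER SEQUENCE")
    lines = ["-----BEGIN %s-----" % label, *headers]
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]  # canonical 64-char lines
    lines.append("-----END %s-----" % label)
    return {"pem": "\n".join(lines) + "\n", "label": label,
            "encrypted": cipher is not None, "cipher": cipher}
```

Feeding the rebuilt `pem` to the signing action instead of the raw site-property value removes the line-feed dependency, and the `encrypted` flag tells you up front whether a password will be needed at all.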
Thanks for the heads up! I'm about to release a new version of the component, I'll merge your input there.
Thank you João!
This component made my life easier! :-)
Thank you João!
I forgot to tag Sharepoint since this was only external component I needed for integrating Sharepoint to mobile app. I hope others will find this now faster when integrating Sharepoint.
Does the CreateSignedAsymmetricToken action require a password for the private key? I'm trying to integrate with the Adobe user management API and it requires a private key without password: https://www.adobe.io/apis/cloudplatform/console/authentication/createcert.html
I'm getting the following generic error with the JWT module, "Unexpected error while siging the token."
Any thoughts?
Thanks! -Ryan
Hello, I had the same problem and, following up on the exception, found some useful info and managed to solve the problem by changing the settings of the OutSystemsApplications application pool (Load User Profile = true).
This worked for me! Thanks Sergio!
Sérgio Dias wrote:
Please check this if you have a farm:
https://blog.dotsmart.net/2011/01/26/solved-windows-identity-foundation-the-system-cannot-find-the-file-specified/
In a web farm environment the DPAPI keys for the App Pool identities across servers will be different, so if you don’t have sticky sessions enabled on your load balancer you run the risk of such federated logins not working 100% of the time.