[JWT] JWT Problem with Asymmetric RS256 signing

Published on 10 Oct (9 days ago) by João Almeida

I made keys like this: 

1- Generating a Private Key:

openssl genrsa -aes256 -out private_key.pem 2048

2- Generating a Public Key:

openssl rsa -pubout -in private_key.pem -out public_key.pem

Beginning of my private key: 

"-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,866CA08DD3019CB049289762A31601D2

UG5.......lot of stuff here... "

And used this as guidance: https://medium.com/darwinlabs/authentication-in-rest-services-using-json-web-tokens-with-outsystems-772ae09eae98

So in the JWTDemo create-token preparation I am initializing RS256, see attachment. When CreateToken is called, it gives an exception: "Unable to open private key. Validate if private key's password is correct."

Is RS256 fully supported?

I am 100% sure about my private key password, so is my PEM file in the wrong format, or what is the problem and how do I fix it?


Problem found. My private key was stored in site properties and somehow the line feeds were corrupted (even though the content otherwise seemed OK) when getting the private key from there (and then the PEM parser was failing). Putting the same content in a local variable fixed this, even though I still don't understand the reason for this.

 

Esa Saarinen wrote:

Problem found. My private key was stored in site properties and somehow the line feeds were corrupted (even though the content otherwise seemed OK) when getting the private key from there (and then the PEM parser was failing). Putting the same content in a local variable fixed this, even though I still don't understand the reason for this.

 

Great to know you were able to solve it, I still had no time to try to test your scenario. Do you have any idea how your key got corrupted? Was it only from saving on the site property?


Thanks for the response. Yes, I believe so, because I fully followed your blog post mentioned above and reused the site properties variables in JWTDemo, and after proving with a unit test in Visual Studio that the extension is working just fine with correct input in that context, I pasted my private key directly into the CreateToken parameter and it was working fine. So my final step was to make a local variable in CreateSignedAsymmetricToken to store the private key and use it from there, and it still worked. For me it seemed that the PEM file line length was not fixed when taking the variable from site properties, and that probably caused the parser to fail. It would be interesting to know the root cause for this, to understand when site properties cannot be used.
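The failure Esa describes (a PEM whose line feeds were mangled between the site property and the parser) can be caught before the key reaches the signing call. The following is an added example, not code from the thread or from the JWT component; it uses only the Python standard library, builds a constructed sample whose base64 body is not a real key (so it checks PEM framing, not key material), rebuilds the canonical 64-column layout including the legacy OpenSSL Proc-Type/DEK-Info headers shown in the original post, and lists the framing faults a strict PEM reader rejects.

```python
# Added example, not the JWT component's code. Constructed input: the base64
# body is bytes 0..95, not a real RSA key, so only PEM framing is checked.
import base64
import re

BODY = base64.b64encode(bytes(range(96))).decode()  # 128 chars = two 64-char lines
GOOD_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"  # legacy OpenSSL encrypted-key layout
    "DEK-Info: AES-256-CBC,866CA08DD3019CB049289762A31601D2\n"
    "\n" + BODY[:64] + "\n" + BODY[64:] + "\n"
    "-----END RSA PRIVATE KEY-----\n"
)
FLATTENED_PEM = GOOD_PEM.replace("\n", " ")  # what a value with lost line feeds looks like

FRAME_RE = re.compile(r"^-----BEGIN (?P<label>[A-Z0-9 ]+)----- (?P<inner>.*?) -----END (?P=label)-----$")

def normalize_pem(text: str) -> str:
    """Rebuild canonical PEM from text whose newlines became CR, CRLF, spaces or tabs."""
    m = FRAME_RE.match(" ".join(text.split()))  # any whitespace run -> one space
    if not m:
        raise ValueError("no matching BEGIN/END lines found")
    tokens = m.group("inner").split(" ")
    headers = []
    # 'Proc-Type: 4,ENCRYPTED' and 'DEK-Info: <cipher>,<hex IV>' precede an encrypted body
    while len(tokens) >= 2 and tokens[0].endswith(":"):
        headers.append(f"{tokens[0]} {tokens[1]}")
        tokens = tokens[2:]
    body = "".join(tokens)
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("body contains non-base64 characters")
    base64.b64decode(body, validate=True)  # binascii.Error if length/padding is wrong
    lines = [f"-----BEGIN {m.group('label')}-----", *headers]
    if headers:
        lines.append("")  # blank line separates encryption headers from the body
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]  # RFC 7468 wraps at 64
    lines.append(f"-----END {m.group('label')}-----")
    return "\n".join(lines) + "\n"

def pem_issues(text: str) -> list:
    """Framing problems that make strict PEM readers reject the key."""
    lines = text.split("\n")
    issues = ["carriage returns present"] if "\r" in text else []
    if not any(l.startswith("-----BEGIN") for l in lines):
        issues.append("BEGIN marker missing or not at the start of a line")
    if not any(l.startswith("-----END") for l in lines):
        issues.append("END marker missing or not at the start of a line")
    issues += [f"line {i} is {len(l)} chars (expected at most 64)" for i, l in enumerate(lines, 1) if len(l) > 64]
    return issues
```

Recovery relies on some separator surviving in place of each newline; if the separators were dropped entirely, the boundary between the DEK-Info IV and the base64 body is ambiguous and the key must be re-pasted from the original file.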

Solution

When moving to a different server, I faced another signing problem.


The system cannot find the file specified.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.Utils._CreateCSP(CspParameters param, Boolean randomKeyContainer, SafeProvHandle& hProv)
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at Org.BouncyCastle.Security.DotNetUtilities.CreateRSAProvider(RSAParameters rp)
   at OutSystems.NssJWT_Core.JwtAuth.CreateAsymmetricSigningCredentialsForSigning(String keyId, String signingAlgorithm, String privateKey, String privateKeyPassword)
   at OutSystems.NssJWT_Core.CssJWT_Core.MssCreateToken(RCSymmetricSigningCredentialsRecord ssSymmetricCredentials, RCAsymmetricSigningCredentialsRecord ssAsymmetricCredentials, String ssTokenId, String ssIssuer, String ssSubject, String ssAudience, DateTime ssExpiration, DateTime ssNotBefore, DateTime ssIssuedAt, RLNameValuePairRecordList ssClaims, String& ssResultMessage, String& ssPlainToken, String& ssSignedAndEncodedToken)
   at ssJWT.RssExtensionJWT_Core.MssCreateToken(HeContext heContext, IRecord inParamSymmetricCredentials, IRecord inParamAsymmetricCredentials, String inParamTokenId, String inParamIssuer, String inParamSubject, String inParamAudience, DateTime inParamExpiration, DateTime inParamNotBefore, DateTime inParamIssuedAt, RecordList inParamClaims, String& outParamResultMessage, String& outParamPlainToken, String& outParamSignedAndEncodedToken)


Solution for this is made by nobot and can be found here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/7ea48fd0-8d6b-43ed-b272-1a0249ae490f/systemsecuritycryptographycryptographicexception-the-system-cannot-find-the-file-specified?forum=clr#37d4d83d-0eb3-497a-af31-030f5278781a

In later versions of IIS the user might not have a keystore, so using the machine keystore is a workaround. Maybe there could be some parameter in JWT to configure which one to use?

Solution

Thanks for the heads up! I'm about to release a new version of the component, I'll merge your input there.

Thank you João!

This component made my life easier! :-)

Esa Saarinen wrote:

Thank you João!

This component made my life easier! :-)

I forgot to tag Sharepoint since this was only external component I needed for integrating Sharepoint to mobile app. I hope others will find this now faster when integrating Sharepoint.


Hi João,

Does the CreateSignedAsymmetricToken action require a password for the private key? I'm trying to integrate with the Adobe user management API and it requires a private key without password: https://www.adobe.io/apis/cloudplatform/console/authentication/createcert.html

I'm getting the following generic error with the JWT module: "Unexpected error while signing the token."

Any thoughts?

Thanks!
-Ryan

Under further review, I am getting the same error "The system cannot find the file specified. at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)".

Is there anything we can do if we are using a hosted version of OutSystems? We don't have access to IIS.

Thanks!

Esa Saarinen wrote:

When moving to a different server, I faced another signing problem.


The system cannot find the file specified.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.Utils._CreateCSP(CspParameters param, Boolean randomKeyContainer, SafeProvHandle& hProv)
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at Org.BouncyCastle.Security.DotNetUtilities.CreateRSAProvider(RSAParameters rp)
   at OutSystems.NssJWT_Core.JwtAuth.CreateAsymmetricSigningCredentialsForSigning(String keyId, String signingAlgorithm, String privateKey, String privateKeyPassword)
   at OutSystems.NssJWT_Core.CssJWT_Core.MssCreateToken(RCSymmetricSigningCredentialsRecord ssSymmetricCredentials, RCAsymmetricSigningCredentialsRecord ssAsymmetricCredentials, String ssTokenId, String ssIssuer, String ssSubject, String ssAudience, DateTime ssExpiration, DateTime ssNotBefore, DateTime ssIssuedAt, RLNameValuePairRecordList ssClaims, String& ssResultMessage, String& ssPlainToken, String& ssSignedAndEncodedToken)
   at ssJWT.RssExtensionJWT_Core.MssCreateToken(HeContext heContext, IRecord inParamSymmetricCredentials, IRecord inParamAsymmetricCredentials, String inParamTokenId, String inParamIssuer, String inParamSubject, String inParamAudience, DateTime inParamExpiration, DateTime inParamNotBefore, DateTime inParamIssuedAt, RecordList inParamClaims, String& outParamResultMessage, String& outParamPlainToken, String& outParamSignedAndEncodedToken)


Solution for this is made by nobot and can be found here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/7ea48fd0-8d6b-43ed-b272-1a0249ae490f/systemsecuritycryptographycryptographicexception-the-system-cannot-find-the-file-specified?forum=clr#37d4d83d-0eb3-497a-af31-030f5278781a

In later versions of IIS the user might not have a keystore, so using the machine keystore is a workaround. Maybe there could be some parameter in JWT to configure which one to use?



Hi Ryan, I haven't been able to implement Esa's solution to change the keystore, but I'm hoping that would fix that. I'll try to rush that and push another version of the component.


Ryan Miles wrote:

Under further review, I am getting the same error "The system cannot find the file specified. at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)".

Is there anything we can do if we are using a hosted version of OutSystems? We don't have access to IIS.

Thanks!


I added an option to use the machine keystore to the latest version, take a look to see if it works.


Ryan Miles wrote:

Under further review, I am getting the same error "The system cannot find the file specified. at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)".

Is there anything we can do if we are using a hosted version of OutSystems? We don't have access to IIS.

Thanks!


Hello, I had the same problem and, following on the exception, found some useful info, and managed to solve the problem by changing the settings of the OutSystemsApplications application pool (Load User Profile = true).