Manually test static signing credentials from x509 certs #1602
Comments
|
Labeling this internal for now - we have no reports of issues in the wild, so my hope is that we can fix this by generating the cert differently. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In the main host, if you comment in AddStaticSigningCredential and then make a jwks discovery request, an exception is thrown:
CryptographicException: m_safeCertContext is an invalid handle.In the debugger, at the point of loading the certificate, it looks good. E.g., in IdentityServerExtensions, after
using var rsaCert = new X509Certificate2("./testkeys/identityserver.test.rsa.p12", "changeit");, the rsaCert is good. However, at the point of using the cert in DiscoveryResponseGenerator, it appears to be invalid:var cert64 = Convert.ToBase64String(x509Key.Certificate.RawData);is where the exception is thrown, and the x509Key.Certificate in the debugger is completely invalid - all properties throw an exception.Note: hosts\main\TestKeys\identityserver.test.rsa.p12 and hosts\main\TestKeys\identityserver.test.ecdsa.p12 seem to have been generated with
mkcert -pkcs12 identityserver.test.rsaandmkcert -pkcs12 -ecdsa identityserver.test.ecdsaon Dom's machine, but he now reproduces the error, and the problem exists for me if I regenerate the keys with those commands. I've tested as far back as the 6.3.x release branch and reproduced this.The text was updated successfully, but these errors were encountered: