X.509 Certificates with ECDSA based keys supported?

I have an x509 cert with an ECDsa based key - here's the metadata:
{
  "keys": [
    {
      "kty": "EC",
      "use": "sig",
      "kid": "68D797916CE7509DBC9CE7F601708CA16E367303",
      "x5t": "aNeXkWznUJ28nOf2AXCMoW42cwM",
      "x5c": [
        "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"
      ],
      "alg": "ES256",
      "x": "WDhMIFV4mgpf0o_RmQ4ziLRbExUWdgfVZQXWMc8IK-c",
      "y": "ajKfXEwGUls8wi7adem2zLxCyzPfg4O4RxQc5ng9UKE",
      "crv": "P-256"
    }
  ]
}
I can't access e.g. the PublicKey property of the X509SecurityKey, but worked around that using Certificate.GetECDsaPublicKey() - but the JWT handler also throws on signing:
An unhandled exception has occurred while executing the request.
System.NotSupportedException: The certificate key algorithm is not supported.
at System.Security.Cryptography.X509Certificates.PublicKey.get_Key()
at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PublicKey()
at Microsoft.IdentityModel.Tokens.SupportedAlgorithms.IsSupportedAlgorithm(String algorithm, SecurityKey key)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.IsSupportedAlgorithm(String algorithm, SecurityKey key)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForSigning(SecurityKey key, String algorithm)
at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
Are these keys supported?
Top GitHub Comments
@jaanclaeys @scottbrady91 @leastprivilege I agree with you folks, we should make this work. ECD is preferred by many people. We can’t fit this into our SignedHttpRequest effort (our next release), but will get it in the next one.
I see no reason not to support the ECDSA as an X509SecurityKey, as it is supported by using the ECDSASecurityKey.
Because you can actually do something like this:
However then you need to set the x5t and kid manually on the JWT, if using that. So kind of a mess.
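The workaround described in the comments above, as an added example (not code from the issue or from the Microsoft.IdentityModel project): the certificate's ECDsa handles are wrapped in ECDsaSecurityKey instead of X509SecurityKey, and the kid and x5t headers that X509SecurityKey would normally fill in are set by hand. The certificate file name, password, issuer and audience are constructed placeholders.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;

public static class EcdsaCertJwt
{
    // Issuer/audience are constructed values for this example.
    const string Issuer = "https://issuer.example";
    const string Audience = "api";

    public static string Sign(X509Certificate2 cert)
    {
        // GetECDsaPrivateKey() succeeds where X509SecurityKey.PublicKey throws
        // NotSupportedException for EC certificates (see the stack trace above).
        var signingKey = new ECDsaSecurityKey(cert.GetECDsaPrivateKey())
        {
            // kid is not derived from the certificate for ECDsaSecurityKey; set it explicitly.
            KeyId = cert.Thumbprint
        };
        var creds = new SigningCredentials(signingKey, SecurityAlgorithms.EcdsaSha256); // "ES256"

        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[] { new Claim("sub", "alice") },
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: creds);

        // x5t is the base64url-encoded SHA-1 certificate hash; X509SecurityKey would add
        // this automatically, ECDsaSecurityKey does not, so it is set by hand here.
        token.Header["x5t"] = Base64UrlEncoder.Encode(cert.GetCertHash());

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    public static ClaimsPrincipal Validate(string jwt, X509Certificate2 cert)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            // Verification only needs the public half of the key.
            IssuerSigningKey = new ECDsaSecurityKey(cert.GetECDsaPublicKey()) { KeyId = cert.Thumbprint },
            // Pin the expected algorithm so a token signed with a different alg is rejected.
            ValidAlgorithms = new[] { SecurityAlgorithms.EcdsaSha256 }
        };
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }
}
```

Load the certificate with `new X509Certificate2("signing.pfx", "<placeholder password>")` (private key included) for `Sign`, and the same certificate, or its public part, for `Validate`.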