DuendeSoftware / IdentityServer

The most flexible and standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core
https://duendesoftware.com/products/identityserver

Manually test static signing credentials from x509 certs #1602

Open josephdecock opened 1 month ago

josephdecock commented 1 month ago

In the main host, if you comment in AddStaticSigningCredential and then make a jwks discovery request, an exception is thrown: CryptographicException: m_safeCertContext is an invalid handle.

In the debugger, at the point of loading the certificate, it looks good. E.g., in IdentityServerExtensions, after using var rsaCert = new X509Certificate2("./testkeys/identityserver.test.rsa.p12", "changeit");, the rsaCert is good. However, at the point of using the cert in DiscoveryResponseGenerator, it appears to be invalid: var cert64 = Convert.ToBase64String(x509Key.Certificate.RawData); is where the exception is thrown, and the x509Key.Certificate in the debugger is completely invalid - all properties throw an exception.

Note: hosts\main\TestKeys\identityserver.test.rsa.p12 and hosts\main\TestKeys\identityserver.test.ecdsa.p12 seem to have been generated with mkcert -pkcs12 identityserver.test.rsa and mkcert -pkcs12 -ecdsa identityserver.test.ecdsa on Dom's machine, but he now reproduces the error, and the problem exists for me if I regenerate the keys with those commands. I've tested as far back as the 6.3.x release branch and reproduced this.
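Added illustration, not code from this issue or from IdentityServer: one way a certificate that looks fine in the debugger at load time can later throw "m_safeCertContext is an invalid handle" is a lifetime problem rather than a bad .p12 file. If the X509Certificate2 is declared with using var inside the registration method (as in the snippet quoted above), it is disposed when that method returns, while the signing credential still holds a reference; the first later access to RawData then fails with exactly that CryptographicException. SigningKeyHolder, CreateTestCert and the two Register methods are assumed stand-ins for the real signing credential and the test key files; the self-signed certificate is constructed in memory so the sample runs offline.

```csharp
// Added illustration, not code from the DuendeSoftware/IdentityServer issue.
// Demonstrates the disposal hazard behind "m_safeCertContext is an invalid handle":
// an X509Certificate2 declared with `using var` is disposed when its method returns,
// so any object that kept a reference sees a dead handle afterwards.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Stand-in (assumed) for the signing credential that holds the certificate.
class SigningKeyHolder
{
    public X509Certificate2 Certificate { get; }
    public SigningKeyHolder(X509Certificate2 cert) => Certificate = cert;
}

static class Program
{
    // Constructed self-signed certificate so the sample runs offline,
    // in place of a file such as ./testkeys/identityserver.test.rsa.p12.
    static X509Certificate2 CreateTestCert()
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=test", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        // CreateSelfSigned copies the key, so disposing rsa afterwards is safe.
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                    DateTimeOffset.UtcNow.AddDays(1));
    }

    // Mirrors the pattern quoted in the issue: `using var` scopes the cert to this method.
    static SigningKeyHolder RegisterWithUsingVar()
    {
        using var cert = CreateTestCert();
        return new SigningKeyHolder(cert);   // cert is disposed as soon as this returns
    }

    // Fix: the holder owns the certificate for the lifetime of the application.
    static SigningKeyHolder RegisterWithoutDispose()
    {
        var cert = CreateTestCert();
        return new SigningKeyHolder(cert);
    }

    // Same access the discovery document makes when it base64-encodes the certificate.
    static string TryExportRawData(SigningKeyHolder holder)
    {
        try
        {
            string x5c = Convert.ToBase64String(holder.Certificate.RawData);
            return "ok, x5c starts with " + x5c.Substring(0, 16) + "...";
        }
        catch (CryptographicException ex)
        {
            return "CryptographicException: " + ex.Message;
        }
    }

    static void Main()
    {
        Console.WriteLine("using var:  " + TryExportRawData(RegisterWithUsingVar()));
        Console.WriteLine("no dispose: " + TryExportRawData(RegisterWithoutDispose()));
    }
}
```

The first line of output reports the disposed-handle CryptographicException; the second succeeds. A quick way to distinguish this from a genuinely broken key file is to call cert.RawData once immediately after loading and once again from the component that consumes the certificate: if only the second call fails, the file is fine and something disposed the certificate in between.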

josephdecock commented 1 month ago

Labeling this internal for now - we have no reports of issues in the wild, so my hope is that we can fix this by generating the cert differently.