Reputation: 1849
We are trying to upgrade our IdentityServer3 instance from targeting .NET Framework 4.5 to 4.7 but stumbled on the following exception when running.
The error seems to be occurring due to the absence of a cookie that OWIN Middleware is supposed to be creating although we're not entirely sure.
System.InvalidOperationException: ID6041: The provided RSA key is invalid.
at System.IdentityModel.RsaEncryptionCookieTransform.Encode(Byte[] value)
at IdentityServer3.Core.Configuration.X509CertificateDataProtector.Protect(Byte[] data, String entropy) in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\X509CertificateDataProtector.cs:line 48
at IdentityServer3.Core.Extensions.IDataProtectorExtensions.Protect(IDataProtector protector, String data, String entropy) in c:\local\identity\server3\IdentityServer3\source\Core\Extensions\IDataProtectorExtensions.cs:line 38
at IdentityServer3.Core.Configuration.Hosting.MessageCookie`1.Protect(IDataProtector protector, TMessage message) in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\Hosting\MessageCookie.cs:line 73
at IdentityServer3.Core.Configuration.Hosting.MessageCookie`1.Protect(TMessage message) in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\Hosting\MessageCookie.cs:line 118
at IdentityServer3.Core.Configuration.Hosting.MessageCookie`1.Write(TMessage message) in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\Hosting\MessageCookie.cs:line 142
at IdentityServer3.Core.Extensions.OwinEnvironmentExtensions.CreateSignInRequest(IDictionary`2 env, SignInMessage message) in c:\local\identity\server3\IdentityServer3\source\Core\Extensions\OwinEnvironmentExtensions.cs:line 138
at IdentityServer3.Core.Results.LoginResult.Execute() in c:\local\identity\server3\IdentityServer3\source\Core\Results\LoginResult.cs:line 57
at IdentityServer3.Core.Results.LoginResult.ExecuteAsync(CancellationToken cancellationToken) in c:\local\identity\server3\IdentityServer3\source\Core\Results\LoginResult.cs:line 48
at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__0.MoveNext() in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\Hosting\ClientListCookie.cs:line
Upvotes: 3
Views: 442
Reputation: 156
I know the question was asked 5 years ago. Answering, in case someone else runs into it.
We noticed this problem when we changed httpRuntime targetFramework from 4.6 to 4.8 in the web.config.
Add the following to your web.config:
<configuration>
  <appSettings>
    <add key="AppContext.SetSwitch:Switch.System.IdentityModel.DisableCngCertificates" value="true" />
  </appSettings>
</configuration>
This exception is thrown from the RsaEncryptionCookieTransform.Encode method:
RSACryptoServiceProvider provider = encryptionKey as RSACryptoServiceProvider;
if ( provider == null )
{
    throw DiagnosticUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID6041 ) );
}
On line 72, this class calls X509Util.EnsureAndGetPrivateRSAKey, which calls CngLightup.GetRSAPrivateKey when DisableCngCertificates is false.
CngLightup.GetRSAPrivateKey creates an RSACng, which derives from RSA but not from RSACryptoServiceProvider.
Thanks,
--Vladimir
Upvotes: 1
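The following is an added C# example, not code from the question, the answer, or IdentityServer3 itself. It reproduces the failure mode the answer describes (a hard `as RSACryptoServiceProvider` cast that yields null when the runtime hands back an RSACng) next to the algorithm-agnostic pattern of working through the `RSA` base class, which succeeds whichever concrete key type the runtime returns. It assumes .NET Framework 4.7.2 or later on Windows (for `CertificateRequest` and `RSA.Create(int)`), and the self-signed certificate is constructed in the program so it runs offline.

```csharp
// Added example (not from the page): contrast the fragile concrete-type cast
// with the RSA base-class API. Assumes .NET Framework 4.7.2+ on Windows.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class RsaKeyTypeDemo
{
    // Constructed self-signed test certificate so the demo needs no deployed cert.
    static X509Certificate2 MakeTestCert()
    {
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=rsa-demo", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var ephemeral = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddHours(1)))
            {
                // Round-trip through PFX so the key is persisted the way a
                // certificate loaded from a store or file would be.
                return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx),
                    string.Empty, X509KeyStorageFlags.Exportable);
            }
        }
    }

    // Mirrors the check in RsaEncryptionCookieTransform.Encode: the key is
    // fetched via GetRSAPrivateKey and then cast to the CAPI-specific type.
    // When the runtime returns an RSACng, the cast yields null and the
    // ID6041 path is taken.
    static bool LegacyCastSucceeds(X509Certificate2 cert, out string runtimeType)
    {
        using (RSA key = cert.GetRSAPrivateKey())
        {
            runtimeType = key.GetType().Name; // RSACng or RSACryptoServiceProvider
            return (key as RSACryptoServiceProvider) != null;
        }
    }

    // Base-class pattern: RSACryptoServiceProvider and RSACng both derive from
    // RSA, so encrypt/decrypt work regardless of which one the runtime picks.
    static byte[] ProtectWithBaseType(X509Certificate2 cert, byte[] plaintext)
    {
        using (RSA rsa = cert.GetRSAPublicKey())
        {
            return rsa.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA1);
        }
    }

    static byte[] UnprotectWithBaseType(X509Certificate2 cert, byte[] ciphertext)
    {
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            return rsa.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA1);
        }
    }

    static void Main()
    {
        using (var cert = MakeTestCert())
        {
            string keyType;
            bool castOk = LegacyCastSucceeds(cert, out keyType);
            Console.WriteLine("Private key runtime type : " + keyType);
            Console.WriteLine("Concrete-type cast works : " + castOk);

            byte[] data = Encoding.UTF8.GetBytes("signin-message");
            byte[] back = UnprotectWithBaseType(cert, ProtectWithBaseType(cert, data));
            Console.WriteLine("RSA base-type round trip : "
                + (Encoding.UTF8.GetString(back) == "signin-message"));
        }
    }
}
```

The first line of output shows which concrete type the runtime returned for the certificate's private key; when it is RSACng the cast reports false, which is the same condition that makes System.IdentityModel throw ID6041, while the base-type round trip succeeds either way. The appSettings switch from the answer works because System.IdentityModel reads it before choosing a key provider, so it must be present in web.config at startup; setting it later in code via `AppContext.SetSwitch` would be too late for a request that has already touched that path.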