0

I'll start by saying I know very little about cryptography. I know what public/private keys are in theory. I generated some using openSSL for Windows. My plan is to sign a JWT with the private key so it can be verified with the public key.

The lines I used to generate the keys are came from https://www.claudiobernasconi.ch/2016/04/17/creating-a-self-signed-x509-certificate-using-openssl-on-windows/

openssl genrsa 2048 > private.key
openssl req -new -x509 -nodes -sha1 -days 1000 -key private.key > public.cer

I opened the private key in notepad++ and copy/pasted the strings into a variable in C# (I tried removing line breaks, and keeping linebreaks with @"").

I try to create the x509 using the variable like so:

var x509 = new X509Certificate2( Convert.FromBase64String( privateKey ) );

However, I am getting a WindowsCryptographicException with the message "Cannot find the requested object".

I know what I want to do is possible, because we use that exact same line (with a different string) in our PROD code to read a JWT (I assume this string is my company's public key). If I pass that string into my x509 constructor, the cert generates successfully, but of course I can't sign the JWT with it because it knows it's public.

The x509 ctor also seems to be working for the author of this post: Trouble signing a JWT token with an x509 Certificate, but I can't get as far as him.

So, what am I doing wrong? What can't be found, and how do I "draw a map" to it?

==EDIT==

I thought there was enough of an example already, but I guess here you go:

using System;
using System.Security.Cryptography.X509Certificates;

namespace LocalTokenApi.JWT
{
    public class JwtBuilder
    {
        public void GenerateJwt( string xmlUri )
        {
            var privateKey = @"
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDQrPEi4DwPJ65D
ZEybExHaslb2OZt+e/TRZAkO7LrlVf5aH7uiYYL42yGxhyBxQVbNDW8cAyD/r4o1
zRCCjBS1yk36YtZ+HzIc7X5c3YMmfC6k2r5GD6Ah9fkfhAbqzIiJo/GEJokCDkHS
tyniDDDnI6gteibuTRqS5qnA7YEhedqy5uOdb5TAKCLMCNJgkg9+lNTUPTg+D+Gj
94rSMJ9bpTEvU+sfta5UrDF2Owy15b9ExkELyJAWSTV/LcMrlhkZtkVQtNZM1xov
yNBPCu8+LsRnifjduS9MMh9z3RmnIE/MFl1XUnB/Ocf2HVQavP2U240kYrStVNz7
/twmPnUHAgMBAAECggEBAKw+Q9/ktM5Rk46+6FiMOg2JbSxaSpXxnReE+dEe5/nK
rGMZlFgpIuFkhwAxKD8zjoE82HyHvKIv8+YKuNj45VNUhF7rXF7IQyYLhmUC1nFa
yWl7wNi1pxjBHnu8D7WZVA5Ai2boI+jVedGDLIgQRgFTtkqrbB0A+bFNwcqkgBTv
MFYi8N5vJky3lnpivSY/hG7bOh9GacEDMqMy7aAe+15ppfHbzDcf5AUtHTwhtjc8
G/2VMdIUhozmz3b5XoSjuGeFSc/6CVsjKeLguRYr7Z4i0iaj89u60UPNwhxXTZlg
rrxfT7aZCgghSDLll/hH0Lqtwmd/ym9A2XRWxDabZtkCgYEA+Lt2P9CmoLun7/NN
i0IVnCaB4dpVaV7KgPtlWtE3oKB5wMhX18pJo5hB16UWfzBRRN3qL56iC1qJBAmW
pm/3ypcuzwm9PZrnPdb93cfWjW/GIMcK8oNUjpA2f/iLtZSO7iEua3Qtl1bJrJVv
MdVa+xdTViNR1TfhcJOnDmjH2mUCgYEA1sXaOYgi78S8m2LCyR5cJNTdW/7eBXVj
X48F1ZmpQGQ6+7258I43Gr2fHryAD9fidmi6YrRM+dDpk5FsIoVFK+Lqa4Oy79/y
oQt1HaByfvoBpDsCUY6yf/H4XhMUbZ/CF3tkceFvzBrrsAuuqh7OIsqe7hho9Sgd
/F8asP5exPsCgYA4wETtsISkPczGccPqlyxpEVwnFPLR9N/NaA6rFvtTOeots0hf
ovcETZQQSMmGQZb5WIy7Sr18S67hbfKijP+DiNUURguYh8RlFq2bsaHhaXRSPDfi
N1bOpFbbAfGWf4vRB18ZA0v3sMSZDQtu2lhE3ACWsb5VIMfeMMI4Bm47BQKBgQCP
/ljAB9D8lhepyj40HyHCI+FBg5ARctGsSLStr/c0z75n950Jdh/l0sozDkiB1sjj
gHWuJZoSR4nCwVYRku58bQekC8lVX/1JEeh0c5UwIqglFtcIHTb55x4Q3JPup5S2
r6j5XR7aZhYskriJIFwuIVEK6ty7uSjZgl3f2rtpLwKBgQC0BeuhdrQzrD8kg6cV
ZTvX12F5qJ1PFfbSpI9NwI5opqgCeGfUElEa32ig1v42taXNthWGGpFsUoSCoJG2
T2bDQ05TOItkg5/oVPJHS1ia26bxafTrXHtDoeuZ/G5oip2qULtQ62vUcazdsJ6x
zN6C1hsvJ4Kb3xPd2ZizjfDgAQ==";

            var x509 = new X509Certificate2( Convert.FromBase64String( privateKey ) );
        }
    }
}
emery.noel
  • 1,073
  • 1
  • 9
  • 24

1 Answers1

1

The data you provide to the constructor is not what the X509Certificate2 class expects. The X509Certificate2 expects the PKCS12 format.

In order to create data in the right format, the certificate including the private key as PKCS12, you missed one call to OpenSSL from the original source you linked to:

openssl pkcs12 -export -in public.cer -inkey private.key -out cert_key.p12

The data you have to pass to the X509Certificate2 constructor is then in the cert_key.p12 file. In case the private key is encrypted, you also have to specify the password as a second parameter to the X509Certificate2 constructor.

NineBerry
  • 26,306
  • 3
  • 62
  • 93
  • The article says that 3rd line is optional. I did try it, but it produces a file that was not openable in a text editor, and double-clicking it offered to "import" it, which is something I'm not sure I want to do. I'll google around to see if there's some way to get the .p12 data as a base64 string ... and it just occurred to me that I can turn the file _itself_ into a base64 string, so I'll give that a go too. – emery.noel Apr 14 '21 at 12:24
  • Yeah, OK! So yes, making the .p12 key file, and converting that entire file to a Base64 string, is exactly what I needed. Thanks! – emery.noel Apr 14 '21 at 12:31