This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

IDX10614: AsymmetricSecurityKey.GetSignatureFormater exception #461

Closed
Yosi-Azulay opened this issue Oct 21, 2014 · 3 comments

@Yosi-Azulay

Hi

I'm new to IdentityServer and I'm trying to use it in our new project;
we are using IdentityServer with EF.

I created all the tables needed and plugged it all in.
We also implemented our own IUserService, IScopeStore, IClientStore and IConsentStore.

We try to use grant_type: "password" and we get an exception from TokenSigningService in handler.WriteToken(jwt);

The certificate is currently installed.

Can you help me please?

The exception is:
{"Message":"An error has occurred.",
"ExceptionMessage":"IDX10614: AsymmetricSecurityKey.GetSignatureFormater( 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' ) threw an exception.
Key: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey'
SignatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', check to make sure the SignatureAlgorithm is supported.
Exception:'System.Security.Cryptography.CryptographicException: Keyset does not exist
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures) in c:\etc\Dropbox\source\Thinktecture\Thinktecture.IdentityServer.v3\Core\source\Core\Services\Default\DefaultClaimsProvider.cs:line 0'.
If you only need to verify signatures the parameter 'willBeUseForSigning' should be false if the private key is not be available.","ExceptionType":"System.InvalidOperationException","StackTrace":" at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures) in c:\etc\Dropbox\source\Thinktecture\Thinktecture.IdentityServer.v3\Core\source\Core\Services\Default\DefaultClaimsProvider.cs:line 0
at System.IdentityModel.Tokens.SignatureProviderFactory.CreateProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures) in c:\etc\Dropbox\source\Thinktecture\Thinktecture.IdentityServer.v3\Core\source\Core\Services\Default\DefaultClaimsProvider.cs:line 0
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.CreateSignature(String inputString, SecurityKey key, String algorithm, SignatureProvider signatureProvider) in c:\etc\Dropbox\source\Thinktecture\Thinktecture.IdentityServer.v3\Core\source\Core\Services\Default\DefaultClaimsProvider.cs:line 0
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.WriteToken(SecurityToken token) in c:\etc\Dropbox\source\Thinktecture\Thinktecture.IdentityServer.v3\Core\source\Core\Services\Default\DefaultClaimsProvider.cs:line 0
at Thinktecture.IdentityServer.Core.Services.DefaultTokenSigningService.CreateJsonWebToken(Token token, SigningCredentials credentials) in c:\etc\Dropbox\source\Thinktecture\Thinktecture.IdentityServer.v3\Core\source\Core\Services\Default\DefaultTokenSigningService.cs:line 68
at Thinktecture.IdentityServer.Core.Services.DefaultTokenSigningService.SignTokenAsync(Token token) in c:\etc\Dropbox\source\Thinktecture\Thinktecture.IdentityServer.v3\Core\source\Core\Services\Default\DefaultTokenSigningService.cs:line 43
at Thinktecture.IdentityServer.Core.Services.DefaultTokenService.d__d.MoveNext() in c:\etc\Dropbox\source\Thinktecture\Thinktecture.IdentityServer.v3\Core\source\Core\Services\Default\DefaultTokenService.cs:line 131
--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Thinktecture.IdentityServer.Core.Connect.TokenResponseGenerator.<CreateAccessTokenAsync>d__20.MoveNext() in c:\\etc\\Dropbox\\source\\Thinktecture\\Thinktecture.IdentityServer.v3\\Core\\source\\Core\\Connect\\ResponseHandling\\TokenResponseGenerator.cs:line 180
--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Thinktecture.IdentityServer.Core.Connect.TokenResponseGenerator.<ProcessTokenRequestAsync>d__10.MoveNext() in c:\\etc\\Dropbox\\source\\Thinktecture\\Thinktecture.IdentityServer.v3\\Core\\source\\Core\\Connect\\ResponseHandling\\TokenResponseGenerator.cs:line 107
--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Thinktecture.IdentityServer.Core.Connect.TokenResponseGenerator.<ProcessAsync>d__0.MoveNext() in c:\\etc\\Dropbox\\source\\Thinktecture\\Thinktecture.IdentityServer.v3\\Core\\source\\Core\\Connect\\ResponseHandling\\TokenResponseGenerator.cs:line 55
--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Thinktecture.IdentityServer.Core.Connect.TokenEndpointController.<ProcessAsync>d__4.MoveNext() in c:\\etc\\Dropbox\\source\\Thinktecture\\Thinktecture.IdentityServer.v3\\Core\\source\\Core\\Connect\\Endpoints\\TokenEndpointController.cs:line 78
--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Thinktecture.IdentityServer.Core.Connect.TokenEndpointController.<Post>d__0.MoveNext() in c:\\etc\\Dropbox\\source\\Thinktecture\\Thinktecture.IdentityServer.v3\\Core\\source\\Core\\Connect\\Endpoints\\TokenEndpointController.cs:line 51
--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Threading.Tasks.System.Web.Http684369.TaskHelpersExtensions.<CastToObject>d__3`1.MoveNext() in c:\\ballen\\github\\thinktecture\\Thinktecture.IdentityModel\\source\\Thinktecture.IdentityModel.Core\\AuthenticationInstantClaim.cs:line 0
--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__0.MoveNext() in c:\\ballen\\github\\thinktecture\\Thinktecture.IdentityModel\\source\\Thinktecture.IdentityModel.Core\\AuthenticationInstantClaim.cs:line 0
--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext() in c:\\ballen\\github\\thinktecture\\Thinktecture.IdentityModel\\source\\Thinktecture.IdentityModel.Core\\AuthenticationInstantClaim.cs:line 0
--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__5.MoveNext() in c:\\ballen\\github\\thinktecture\\Thinktecture.IdentityModel\\source\\Thinktecture.IdentityModel.Core\\AuthenticationInstantClaim.cs:line 0
--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Filters.ActionFilterAttribute.<ExecuteActionFilterAsyncCore>d__0.MoveNext() in c:\\ballen\\github\\thinktecture\\Thinktecture.IdentityModel\\source\\Thinktecture.IdentityModel.Core\\AuthenticationInstantClaim.cs:line 0
--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__2.MoveNext() in c:\\ballen\\github\\thinktecture\\Thinktecture.IdentityModel\\source\\Thinktecture.IdentityModel.Core\\AuthenticationInstantClaim.cs:line 0
--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at System.Web.Http.Dispatcher.HttpControllerDispatcher.<SendAsync>d__1.MoveNext() in c:\\ballen\\github\\thinktecture\\Thinktecture.IdentityModel\\source\\Thinktecture.IdentityModel.Core\\AuthenticationInstantClaim.cs:line 0","InnerException":{"Message":"An error has occurred.","ExceptionMessage":"Keyset does not exist
","ExceptionType":"System.Security.Cryptography.CryptographicException","StackTrace":"   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
at System.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(AsymmetricSecurityKey key, String algorithm, Boolean willCreateSignatures) in c:\\etc\\Dropbox\\source\\Thinktecture\\Thinktecture.IdentityServer.v3\\Core\\source\\Core\\Services\\Default\\DefaultClaimsProvider.cs:line 0"}}
@leastprivilege
Member

"Keyset does not exist" is typically an indication that the account idsrv runs under does not have read access to the private key of the signing certificate.

@Yosi-Azulay
Author

I gave Everyone full control and I added Local Service, Network Service and the computer users, and it is still not working.
I've been on it for a week now; I install, reinstall, and nothing.
Can it be a client setting or a code definition?

My client definition is:
AbsoluteRefreshTokenLifetime 2592000
AccessTokenLifetime 3600
AccessTokenType Jwt
AllowRememberConsent true
ApplicationType Web
AuthorizationCodeLifetime 300
ClientId "fte"
ClientName "Risko"
ClientSecret "564654sdf8454"
ClientUri "http://localhost/fte"
Enabled true
Flow ResourceOwner
IdentityTokenLifetime 3600
IdentityTokenSigningKeyType Default
LogoUri null
RedirectUris
[0] {http://localhost/fte}
RefreshTokenExpiration Sliding
RefreshTokenUsage OneTimeOnly
RequireConsent false
RequireSignedAuthorizeRequest false
ScopeRestrictions Count = 5
[0] "openid"
[1] "profile"
[2] "email"
[3] "read"
[4] "write"
SectorIdentifierUri null
SlidingRefreshTokenLifetime 259200
SubjectType Global

@Yosi-Azulay
Author

Hi

It's fixed!!! As you said, it was a permission problem.
We had set up all the permissions except for the Application Pool user.

After changing the app pool to the current user (me on the dev server) it is working.

I hope that deploying to the Azure web site will work.

Thanks
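As an added example (not from this thread or the IdentityServer project), the least-privilege form of the fix leastprivilege points to: grant the IIS application pool identity read access to the signing certificate's private key file, rather than running the whole pool under an interactive user account. It assumes an elevated PowerShell session, a CSP (CAPI) key for a certificate in LocalMachine\My, and a hypothetical pool name "IdSrvPool"; the thumbprint is a placeholder you supply.

```powershell
# Added example: give an IIS app pool identity Read on the signing cert's
# private key so token signing works without an over-privileged pool identity.
# Assumptions: elevated session, CSP key stored under MachineKeys, cert in
# LocalMachine\My, pool name "IdSrvPool" (hypothetical).
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,  # placeholder: your cert
    [string]$AppPoolName = 'IdSrvPool'                  # hypothetical pool name
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key; was it imported from a .cer instead of a .pfx?'
}

# Reading .PrivateKey here, outside IIS, reproduces "Keyset does not exist"
# early if the key material is missing or sits in a per-user container.
# CSP keys map to a file under MachineKeys; CNG (KSP) keys live elsewhere
# and would need a different path.
$containerName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$containerName"
if (-not (Test-Path $keyPath)) { throw "Key file not found: $keyPath" }

# IIS application pool identities are addressed as 'IIS AppPool\<pool name>'.
# Read is all the signing service needs; avoid Full Control or Everyone.
$identity = "IIS AppPool\$AppPoolName"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity, 'Read', 'Allow')

$acl = Get-Acl -Path $keyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify: the pool identity should now show Read on the key file.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Recycle the application pool afterwards so the new ACL is picked up; if the key was imported into a user store rather than the machine store, re-import the .pfx into LocalMachine\My instead of widening permissions.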
