IdentityServer3 upgrade to .NET Framework 4.7 Error - "The provided RSA key is invalid"


We are trying to upgrade our IdentityServer3 instance from targeting .NET Framework 4.5 to 4.7 but stumbled on the following exception when running.

The error seems to be occurring due to the absence of a cookie that OWIN Middleware is supposed to be creating although we're not entirely sure.

System.InvalidOperationException: ID6041: The provided RSA key is invalid.
   at System.IdentityModel.RsaEncryptionCookieTransform.Encode(Byte[] value)
   at IdentityServer3.Core.Configuration.X509CertificateDataProtector.Protect(Byte[] data, String entropy) in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\X509CertificateDataProtector.cs:line 48
   at IdentityServer3.Core.Extensions.IDataProtectorExtensions.Protect(IDataProtector protector, String data, String entropy) in c:\local\identity\server3\IdentityServer3\source\Core\Extensions\IDataProtectorExtensions.cs:line 38
   at IdentityServer3.Core.Configuration.Hosting.MessageCookie`1.Protect(IDataProtector protector, TMessage message) in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\Hosting\MessageCookie.cs:line 73
   at IdentityServer3.Core.Configuration.Hosting.MessageCookie`1.Protect(TMessage message) in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\Hosting\MessageCookie.cs:line 118
   at IdentityServer3.Core.Configuration.Hosting.MessageCookie`1.Write(TMessage message) in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\Hosting\MessageCookie.cs:line 142
   at IdentityServer3.Core.Extensions.OwinEnvironmentExtensions.CreateSignInRequest(IDictionary`2 env, SignInMessage message) in c:\local\identity\server3\IdentityServer3\source\Core\Extensions\OwinEnvironmentExtensions.cs:line 138
   at IdentityServer3.Core.Results.LoginResult.Execute() in c:\local\identity\server3\IdentityServer3\source\Core\Results\LoginResult.cs:line 57
   at IdentityServer3.Core.Results.LoginResult.ExecuteAsync(CancellationToken cancellationToken) in c:\local\identity\server3\IdentityServer3\source\Core\Results\LoginResult.cs:line 48
   at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__0.MoveNext() in c:\local\identity\server3\IdentityServer3\source\Core\Configuration\Hosting\ClientListCookie.cs:line 1

1 answer

Answer by Vladimir Khvostov:

I know the question was asked 5 years ago. Answering, in case someone else runs into it.

We noticed this problem when we changed httpRuntime targetFramework from 4.6 to 4.8 in the web.config.

How to address this issue?

Add the following to your web.config:

<configuration>
  <appSettings>
    <add key="AppContext.SetSwitch:Switch.System.IdentityModel.DisableCngCertificates" value="true" />
  </appSettings>
</configuration>

What is going on?

This exception is thrown from the RsaEncryptionCookieTransform.Encode method:

https://referencesource.microsoft.com/#System.IdentityModel/System/IdentityModel/RsaEncryptionCookieTransform.cs,303

RSACryptoServiceProvider provider = encryptionKey as RSACryptoServiceProvider;
 
if ( provider == null )
{
    throw DiagnosticUtility.ThrowHelperInvalidOperation( SR.GetString( SR.ID6041 ) );
}

On line 72, this class calls X509Util.EnsureAndGetPrivateRSAKey, which calls CngLightup.GetRSAPrivateKey when DisableCngCertificates is false.

CngLightup.GetRSAPrivateKey creates an RSACng, which is derived from RSA, but not from RSACryptoServiceProvider.

Thanks,

--Vladimir
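As an added diagnostic that is not part of the question, the answer, or IdentityServer3 itself, the following C# console program loads the signing certificate and applies the same type guard that RsaEncryptionCookieTransform.Encode applies, so an operator can see before deploying whether the private key resolves to an RSACng (which would trigger ID6041) or an RSACryptoServiceProvider. The thumbprint, the store location and the name RsaKeyTypeCheck are assumptions; the AppContext switch name is the one the answer's web.config entry sets.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic: reports which RSA implementation backs the signing
// certificate's private key and whether System.IdentityModel would accept it.
static class RsaKeyTypeCheck
{
    // Placeholder: thumbprint of the IdentityServer3 signing certificate,
    // assumed to live in the LocalMachine\My store.
    const string SigningCertThumbprint = "<signing-cert-thumbprint>";

    // Mirrors the guard in RsaEncryptionCookieTransform.Encode: only an
    // RSACryptoServiceProvider (CAPI) key passes. RSACng derives from RSA but
    // not from RSACryptoServiceProvider, so the "as" cast there yields null.
    public static bool IsCookieTransformCompatible(RSA key)
    {
        return key is RSACryptoServiceProvider;
    }

    static void Main()
    {
        // Programmatic form of the web.config appSetting from the answer. It only
        // affects System.IdentityModel's key lookup (not GetRSAPrivateKey below)
        // and must run before the key is first resolved, e.g. in Application_Start.
        AppContext.SetSwitch("Switch.System.IdentityModel.DisableCngCertificates", true);

        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, SigningCertThumbprint, validOnly: false);
            if (found.Count == 0)
            {
                Console.WriteLine("Signing certificate not found in LocalMachine\\My.");
                return;
            }

            // GetRSAPrivateKey is the CNG-aware accessor; for a key held by a CNG
            // key storage provider it returns RSACng, the case the answer describes.
            using (RSA key = found[0].GetRSAPrivateKey())
            {
                Console.WriteLine("Private key implementation: " + key.GetType().Name);
                Console.WriteLine(IsCookieTransformCompatible(key)
                    ? "OK: RsaEncryptionCookieTransform would accept this key."
                    : "ID6041 expected: key is not an RSACryptoServiceProvider.");
            }
        }
    }
}
```

Run it under the same .NET Framework target as the IdentityServer3 host, since the key accessor behaviour is what changes between targetFramework settings.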