The following code fails with an ArgumentException "The CNG key handle being opened was detected to be ephemeral, but the EphemeralKey open option was not specified"
This only throws an exception when the certificate is stored in the Windows certificate store and is marked as non-exportable (which means the private key cannot be exported).
Without this non-exportable constraint, the tokenHandler.WriteToken works and can create a signature.
The code did work in a previous version (Based on .net 4.8)
```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

internal class Program
{
    public static void Main(string[] args)
    {
        const string certName = "CN=CertificateName";

        using (var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            certStore.Open(OpenFlags.ReadOnly);
            var jwtCerts = certStore.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, certName, false);
            if (jwtCerts.Count == 0)
                throw new Exception($"Certificate {certName} not found");
            if (jwtCerts.Count > 1)
                throw new Exception($"More than one Certificate with Subject {certName} found");
            X509Certificate2 jwtCert = jwtCerts[0];

            DateTime now = DateTime.Now;
            JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
            var token = new JwtSecurityToken(
                "MyIssuerName",
                "MyAudienceName",
                null,
                // valid for a timeframe of 20 minutes (-10min/+10min)
                now.AddMinutes(-10),
                now.AddMinutes(+10),
                // the certificate to sign the token
                new MySigningCredentials(jwtCert));

            // Create the token.
            // Results in an exception when the certificate in the Windows certificate store is marked as non-exportable
            // Exception message: The CNG key handle being opened was detected to be ephemeral, but the EphemeralKey open option was not specified
            string? createdToken = tokenHandler.WriteToken(token);
        }
    }

    /// <summary>
    /// Custom implementation of <see cref="SigningCredentials"/> to use an <see cref="X509Certificate2"/> for signing.
    /// Required since the constructor of <see cref="SigningCredentials"/> is protected.
    /// </summary>
    private sealed class MySigningCredentials : SigningCredentials
    {
        internal MySigningCredentials(X509Certificate2 certificate) : base(certificate) { }
    }
}
```
Expected behavior
tokenHandler.WriteToken should work with a certificate loaded from the Windows certificate store even when the private key is marked as non-exportable
Actual behavior
tokenHandler.WriteToken fails with the error "The CNG key handle being opened was detected to be ephemeral, but the EphemeralKey open option was not specified"
Which version of Microsoft.IdentityModel are you using?
System.IdentityModel.Tokens.Jwt 8.2.0 (dotnet 8)
Where is the issue?
Is this a new or an existing app?
New application. Same worked in .net 4.8
Repro
The following GitHub repository can be used for reproducing this issue: https://github.com/suntsu42/JwtDemoCertIssue
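The following is an added example, not the reporter's code and not from the linked repository. It reproduces the setup above in a way that makes the failure mode observable: it reads the CNG export policy of the store certificate's private key (which is what "non-exportable" means for a Windows store key), signs through the public `SigningCredentials(SecurityKey, algorithm)` constructor with an `X509SecurityKey` rather than the protected `SigningCredentials(X509Certificate2)` constructor the issue subclasses, and verifies the result with a public-only copy of the certificate. It assumes a certificate with subject `CN=CertificateName` in `CurrentUser\My`, as in the issue, and a Windows host, since the export-policy check relies on `RSACng`/`CngKey`. Whether the `X509SecurityKey` path avoids the reported exception on 8.2.0 is not established by this issue; the example only reports which step fails.

```csharp
// Added example, not the reporter's code. Assumes a certificate with subject
// CN=CertificateName in CurrentUser\My (as in the issue) and a Windows host,
// since the export-policy check relies on RSACng/CngKey.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

internal static class JwtStoreKeyCheck
{
    private const string CertName = "CN=CertificateName"; // assumed subject, as in the issue
    private const string Issuer = "MyIssuerName";
    private const string Audience = "MyAudienceName";

    public static void Main()
    {
        X509Certificate2 cert = LoadFromStore(CertName);
        Console.WriteLine($"HasPrivateKey: {cert.HasPrivateKey}");
        Console.WriteLine($"Export policy : {DescribeExportPolicy(cert)}");

        try
        {
            string jwt = Sign(cert);
            Console.WriteLine("WriteToken succeeded");
            Console.WriteLine($"Verified with public key: {Verify(jwt, cert)}");
        }
        catch (ArgumentException ex)
        {
            // For a non-exportable CNG key this is where the reported
            // "ephemeral key handle" message would surface.
            Console.WriteLine($"WriteToken failed: {ex.Message}");
        }
    }

    private static X509Certificate2 LoadFromStore(string subject)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found = store.Certificates.Find(
            X509FindType.FindBySubjectDistinguishedName, subject, validOnly: false);
        if (found.Count != 1)
            throw new InvalidOperationException(
                $"Expected exactly one certificate with subject {subject}, found {found.Count}");
        return found[0];
    }

    // Reads the CNG export policy of the private key, which is what "non-exportable"
    // means for a Windows store certificate. Non-CNG providers are reported as unknown.
    private static string DescribeExportPolicy(X509Certificate2 cert)
    {
        using RSA? rsa = cert.GetRSAPrivateKey();
        if (rsa is RSACng cng)
        {
            CngExportPolicies policy = cng.Key.ExportPolicy;
            bool exportable = (policy & (CngExportPolicies.AllowExport | CngExportPolicies.AllowPlaintextExport)) != 0;
            return $"{policy} (exportable: {exportable})";
        }
        return rsa is null ? "no private key" : $"unknown provider ({rsa.GetType().Name})";
    }

    // Signs through the public SigningCredentials(SecurityKey, algorithm) constructor
    // instead of the protected SigningCredentials(X509Certificate2) one used in the issue.
    private static string Sign(X509Certificate2 cert)
    {
        var creds = new SigningCredentials(new X509SecurityKey(cert), SecurityAlgorithms.RsaSha256);
        DateTime now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: null,
            notBefore: now.AddMinutes(-10),
            expires: now.AddMinutes(10),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Verifies with a public-only copy of the certificate, so this step never touches
    // the private key and works regardless of its export policy.
    private static string Verify(string jwt, X509Certificate2 cert)
    {
        var publicOnly = new X509Certificate2(cert.Export(X509ContentType.Cert));
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = new X509SecurityKey(publicOnly),
            ValidateLifetime = true,
        };
        new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out SecurityToken validated);
        var jws = (JwtSecurityToken)validated;
        return $"alg={jws.SignatureAlgorithm}, kid={jws.Header.Kid}";
    }
}
```

Running this once against an exportable certificate and once against a non-exportable one (same subject, re-imported without the `Exportable` flag) gives a side-by-side record of the export policy and of which step throws, which is the information a maintainer needs alongside the stack trace.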