azure-activedirectory-identitymodel-extensions-for-dotnet: X.509 Certificates with ECDSA based keys supported?

I have a x509 cert with an ECDsa based key - here’s the metadata:

{
"keys": [
{
"kty": "EC",
"use": "sig",
"kid": "68D797916CE7509DBC9CE7F601708CA16E367303",
"x5t": "aNeXkWznUJ28nOf2AXCMoW42cwM",
"x5c": [
"MIIDyjCCAjKgAwIBAgIQb62fi1RDUoKp8kStYW5uYDANBgkqhkiG9w0BAQsFADCBjTEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMTEwLwYDVQQLDChET01JTklDS0JBSUFFODBcZG9taW5pY2tARE9NSU5JQ0tCQUlBRTgwMTgwNgYDVQQDDC9ta2NlcnQgRE9NSU5JQ0tCQUlBRTgwXGRvbWluaWNrQERPTUlOSUNLQkFJQUU4MDAeFw0xOTA2MDEwMDAwMDBaFw0yOTExMDExMDQ0NTVaMIGAMScwJQYDVQQKEx5ta2NlcnQgZGV2ZWxvcG1lbnQgY2VydGlmaWNhdGUxMTAvBgNVBAsMKERPTUlOSUNLQkFJQUU4MFxkb21pbmlja0BET01JTklDS0JBSUFFODAxIjAgBgNVBAMTGWlkZW50aXR5c2VydmVyLmVjZHNhLnRlc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARYOEwgVXiaCl/Sj9GZDjOItFsTFRZ2B9VlBdYxzwgr52oyn1xMBlJbPMIu2nXptsy8Qssz34ODuEcUHOZ4PVCho3wwejAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBRJVNNoaS/qJG2yyA1U5ZHxrnh5/TAkBgNVHREEHTAbghlpZGVudGl0eXNlcnZlci5lY2RzYS50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBgQBWVwsGedFAgPNNWrm+kW31Kss1q2iQVxKDuupoGmRAUfmGSjtVMZgU56vaIbKo33wWIVkuEfh+prwv8/5CjMbY7TjUSpN710vIFEN13oPEcaSdyeanopkOyUxC/cRNH2WlSK2qpTeyluxpFU0sXCgJWZS149eNxqxb7jKjf3TN2R7KDdfkdU3wg6tqSycMhYaX4IefI2gyeOmhcV79jSJIVhoqePrSGHr0oQWgwOeQQ+o6rFU69kOT3juxtRm7fbbh1GQEzcMdWxc56m+WYhaZmAxKRLM8ydCILwJQktCblusR1EOov9fnstYe9Y6RO4s2IwjooWItkF4csFlkO5ps2ui8XXFewAUWJEJtML8pbev3K7Et6NpArItn7bOlUpno0e3h49PNF4UvkSRwT7uQ0hlvbnkxjTP6zpnD4NZeK1mgiMycH3WGi4K/tfNZyzsP2hubunLSy3AbykATK2nYoHxWRfoApt/guqQhZYMG6M478pwbt2lZFliP+9JN6cU="
],
"alg": "ES256",
"x": "WDhMIFV4mgpf0o_RmQ4ziLRbExUWdgfVZQXWMc8IK-c",
"y": "ajKfXEwGUls8wi7adem2zLxCyzPfg4O4RxQc5ng9UKE",
"crv": "P-256"
}
]
}

I can’t access the e.g. PublicKey property of the X509SecurityKey but worked around that using Certificate.GetECDsaPublicKey() - but the JWT handler also throws on singing:

An unhandled exception has occurred while executing the request.
System.NotSupportedException: The certificate key algorithm is not supported.
   at System.Security.Cryptography.X509Certificates.PublicKey.get_Key()
   at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PublicKey()
   at Microsoft.IdentityModel.Tokens.SupportedAlgorithms.IsSupportedAlgorithm(String algorithm, SecurityKey key)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.IsSupportedAlgorithm(String algorithm, SecurityKey key)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
   at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForSigning(SecurityKey key, String algorithm)
   at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)

Are these keys supported?

About this issue

Original URL
State: closed
Created 5 years ago
Comments: 15 (11 by maintainers)

Most upvoted comments

@jaanclaeys @scottbrady91 @leastprivilege I agree with you folks, we should make this work. ECD is preferred by many people. We can’t fit this into our SignedHttpRequest effort (our next release), but will get it in the next one.

brentschmaltz on Dec 12, 2019

I see no reason not to support the ECDSA as an X509SecurityKey, as it is supported by using the ECDSASecurityKey.

Because you can actually do something like this:

var cert= new X509Certificate2("somedsa.pfx","somepassword");
var key = new ECDsaSecurityKey(cert.GetECDsaPrivateKey());
var signingCredentials = new SigningCredentials(key,"ES256");
 var header = new JwtHeader(signingCredentials);
var jwtToken = new JwtSecurityToken(header, somePayload);
var securityTokenHandler = new JwtSecurityTokenHandler();
securityTokenHandler.WriteToken(jwtToken);

However than you need to set the x5t and kid manually on the JWT, if using that. So kind of a mess.

jaanclaeys on Dec 12, 2019