How do I create a JWK from PFX certificate?
Background: I am trying to create a JWK from a PFX file so that I can use the Okta SDK.
OktaClient needs the private key in JWK form. An example I stole from their unit tests looks like this:
{
"p": "{{lots_of_characters}}",
"kty": "RSA",
"q": "{{lots_of_characters}}",
"d": "{{lots_of_characters}}",
"e": "AQAB",
"kid": "3d3062f5-16a4-42b5-837b-19b6ef1a0edc",
"qi": "{{lots_of_characters}}",
"dp": "{{lots_of_characters}}",
"dq": "{{lots_of_characters}}",
"n": "{{lots_of_characters}}"
}
Everything I have tried ends in the exception "Error creating signed JWT. Please verify your private key." I believe this is because I lose the private-key part of the certificate when I use the IdentityModel conversion method (shown below).
using System.Security.Cryptography.X509Certificates;
using System.Text.Json;
using Microsoft.IdentityModel.Tokens;
using Okta.Sdk;
using Okta.Sdk.Configuration;

var signingCert = new X509Certificate2("{{my_cert}}.pfx", "{{my_passphrase}}");
var privateKey = signingCert.GetRSAPrivateKey();
var rsaSecurityKey = new RsaSecurityKey(privateKey);
// The "HasPrivateKey" flag is suddenly false on the resulting object from this method
var rsaJwk = JsonWebKeyConverter.ConvertFromRSASecurityKey(rsaSecurityKey);
var rsaJwkSerialized = JsonSerializer.Serialize(rsaJwk);
var oktaClientConfig = new OktaClientConfiguration
{
    OktaDomain = "{{my_okta_domain}}",
    ClientId = "{{my_client_id}}",
    AuthorizationMode = AuthorizationMode.PrivateKey,
    PrivateKey = new JsonWebKeyConfiguration(rsaJwkSerialized),
    Scopes = new List<string> { "okta.users.manage" }
};
var oktaClient = new OktaClient(oktaClientConfig);
// This throws when trying to self-sign the JWT using my private key
var oktaUsers = await oktaClient.Users.ListUsers().ToArrayAsync();
Well, after days of struggling, I finally found it a few hours after posting on SO.
It turns out there are flags you set when creating the X509Certificate2 that tell the certificate it is exportable, which is required for JsonWebKeyConverter to create the JWK correctly.
var signingCert = new X509Certificate2("{{my_cert}}.pfx", "{{my_passphrase}}", X509KeyStorageFlags.Exportable);
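As an added example (not code from the question, the Okta SDK or IdentityModel), this loads the PFX with the Exportable flag, checks that the private key is really present, and builds the RSA private JWK directly from the exported RSAParameters, so the result can be inspected without going through JsonWebKeyConverter. The path and passphrase are placeholders; the thumbprint is used as a stand-in "kid".

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text.Json;

static class PfxToJwk
{
    // RFC 7515 base64url: no '=' padding, '+' -> '-', '/' -> '_'
    static string B64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static string PrivateJwkFromPfx(string pfxPath, string password)
    {
        // Without Exportable the key lands in a non-exportable container and
        // ExportParameters(true) throws CryptographicException, which is what
        // surfaces later as "please verify your private key".
        using var cert = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.Exportable);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX contains no private key");

        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("certificate key is not RSA");
        RSAParameters p = rsa.ExportParameters(includePrivateParameters: true);

        // Member names follow RFC 7518 section 6.3; they match the Okta sample above.
        var jwk = new Dictionary<string, string>
        {
            ["kty"] = "RSA",
            ["kid"] = cert.Thumbprint, // stand-in; use the id the public key is registered under
            ["n"]  = B64Url(p.Modulus),
            ["e"]  = B64Url(p.Exponent),
            ["d"]  = B64Url(p.D),
            ["p"]  = B64Url(p.P),
            ["q"]  = B64Url(p.Q),
            ["dp"] = B64Url(p.DP),
            ["dq"] = B64Url(p.DQ),
            ["qi"] = B64Url(p.InverseQ),
        };
        return JsonSerializer.Serialize(jwk);
    }

    static void Main()
    {
        // Placeholders, as in the question.
        string jwk = PrivateJwkFromPfx("{{my_cert}}.pfx", "{{my_passphrase}}");
        Console.WriteLine(jwk.Length > 0 ? "private JWK built" : "empty JWK");
    }
}
```

The returned JSON carries the full private key, so handle it like the PFX passphrase: keep it out of logs, configuration dumps and source control.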