Cannot construct a X509SigningCredentials

Question
[System.ArgumentException] = {"ID2057: Cannot construct a X509SigningCredentials instance for a certificate without the private key.\r\nParameter name: token"}
at Microsoft.IdentityModel.SecurityTokenService.X509SigningCredentials..ctor(X509SecurityToken token, SecurityKeyIdentifier ski, String signatureAlgorithm, String digestAlgorithm)
at Microsoft.IdentityModel.SecurityTokenService.X509SigningCredentials..ctor(X509Certificate2 certificate, SecurityKeyIdentifier ski)

I get this error when I create the certificate using this command:

makecert.exe -sr LocalMachine -ss My -a sha1 -n CN=localhost -sky exchange -pe -sk 974877a3-6154-40e4-b688-25fe8962dc18 c:\test.cer

X509SecurityToken token = new X509SecurityToken(_x509CertificateProvider.GetCertificate("test.cer"));
SecurityKeyIdentifier ski = GetSecurityKeyIdentifier(token);
descriptor.SigningCredentials = new X509SigningCredentials(token.Certificate, ski);

How do I provide the private key to the certificate? When I load it from the store like

store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, "CN=" + subjectName, false);

it works fine. Why won't it work when loaded from a file?

Friday, February 4, 2011 8:31 PM
All replies
.cer does not contain a private key. You have to specify both the filename for the .cer and the .pvk in makecert. You can then package both files as a .pfx using Pvk2Pfx.exe. This now contains both keys and can be loaded using the X509Certificate2 ctor.

Dominick Baier | thinktecture | http://www.leastprivilege.com
Marked as answer by chintapali Tuesday, February 8, 2011 1:45 PM
Sunday, February 6, 2011 7:25 PM
I created a .pfx file as described above, but when I try to read a token that is signed using this certificate I get this error:

ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0xC2ACC11F435B8F0EA14EAF3C2D8EFC9CA71CF678)
)
'. Ensure that the SecurityTokenResolver is populated with the required key.

Here is the code I am using to read the SAML token:

SecurityTokenHandlerConfiguration config = new SecurityTokenHandlerConfiguration();
config.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
config.CertificateValidator = X509CertificateValidator.None; // disables chain validation of the signing certificate
config.IssuerNameRegistry = new SimpleIssuerNameRegistry();
// no token resolver holding the signing certificate is configured on this config
var handler = new SecurityTokenHandlerCollection(config);
handler.Add(new Saml2SecurityTokenHandler());
handler.Add(new EncryptedSecurityTokenHandler());
MemoryStream st = new MemoryStream(signedToken);
XmlTextReader reader = new XmlTextReader(st);
Saml2SecurityToken securityToken;
securityToken = handler.ReadToken(reader) as Saml2SecurityToken;

Monday, February 7, 2011 8:03 PM
Figured out the way to fix this by including the signing key like this:

RSACryptoServiceProvider rsa = signingCert.PrivateKey as RSACryptoServiceProvider;
RsaSecurityKey rsaKey = new RsaSecurityKey(rsa);
RsaKeyIdentifierClause rsaClause = new RsaKeyIdentifierClause(rsa);
SecurityKeyIdentifier signingSki = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { rsaClause });
SigningCredentials signingCredentials = new SigningCredentials(rsaKey, signatureAlgorithm, digestAlgorithm, signingSki);

But now I get this error when validating the token:

{"ID4152: The Saml2SecurityToken cannot be validated because the IssuerToken property is not set. Unsigned SAML2:Assertions cannot be validated."}

Monday, February 7, 2011 9:56 PM
try using X509RawDataKeyIdentifierClause instead.

Dominick Baier | thinktecture | http://www.leastprivilege.com
Marked as answer by chintapali Tuesday, February 8, 2011 1:45 PM
Tuesday, February 8, 2011 5:43 AM
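The two fixes from this thread put together, as an added C# example that is not code from the thread or from WIF itself: the issuer loads a .pfx, checks that the private key is present, and signs with an X509RawDataKeyIdentifierClause; the relying party's handler configuration gets an IssuerTokenResolver holding the issuer's public certificate so the KeyInfo can be resolved. The .pfx path, password and issuer name are assumed inputs.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml2;

public static class SamlSigningSetup
{
    // Issuer side: load the .pfx (certificate plus private key) and build
    // X509SigningCredentials whose KeyInfo carries the raw certificate bytes.
    // pfxPath and pfxPassword are assumed inputs, not values from the thread.
    public static X509SigningCredentials CreateSigningCredentials(string pfxPath, string pfxPassword)
    {
        var cert = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.MachineKeySet);
        // Fail early with a clear message instead of letting the ctor raise ID2057:
        // a bare .cer carries no private key and cannot sign.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Signing needs the private key; package .cer and .pvk into a .pfx with Pvk2Pfx.exe.");
        // The raw-data clause embeds the certificate, so the relying party resolves it to an
        // X509SecurityToken (the IssuerToken that ID4152 reports missing), unlike a bare RsaKeyIdentifierClause.
        var ski = new SecurityKeyIdentifier(new X509RawDataKeyIdentifierClause(cert));
        return new X509SigningCredentials(cert, ski);
    }

    // Relying-party side: Saml2SecurityTokenHandler resolves the signature's KeyInfo
    // through Configuration.IssuerTokenResolver; populating it with the issuer's
    // public certificate (the .cer is enough) is what ID4037 asks for.
    // issuerName is an assumed label for the trusted issuer.
    public static SecurityTokenHandlerCollection CreateHandlers(X509Certificate2 issuerCert, string issuerName)
    {
        var config = new SecurityTokenHandlerConfiguration();
        var issuerTokens = new ReadOnlyCollection<SecurityToken>(
            new SecurityToken[] { new X509SecurityToken(issuerCert) });
        config.IssuerTokenResolver =
            SecurityTokenResolver.CreateDefaultSecurityTokenResolver(issuerTokens, false);
        // Map the resolved certificate to an issuer name by thumbprint; a token signed
        // by any other certificate is rejected rather than silently accepted.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(issuerCert.Thumbprint, issuerName);
        config.IssuerNameRegistry = registry;
        // CertificateValidator is left at its default (chain validation) on purpose.
        var handlers = new SecurityTokenHandlerCollection(config);
        handlers.Add(new Saml2SecurityTokenHandler());
        return handlers;
    }
}
```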