IdentityServer3 - X509Certificate2 Constructor Err

Published 2019-07-22 08:00

Question:

I am trying to get IdentityServer3 set up and am following along and using a Pluralsight video (https://app.pluralsight.com/library/courses/building-securing-restful-api-aspdotnet/table-of-contents) as reference. I'm at the point of basic IS3 setup and am stuck at the "SigningCertificate" assignment for the ".UseIdentityServer()" call.

I've seen similar code elsewhere on the Internet. My relevant code:

using System;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core.Configuration;
using Owin;

public X509Certificate2 LoadCertificate()
{
    var baseFolder = AppDomain.CurrentDomain.BaseDirectory;
    string certificatePath = $"{baseFolder}Certificates\\idsrv3test.pfx";

    // Attempt 1: load from a byte array (also fails with the same exception)
    //var certificateBytes = File.ReadAllBytes(certificatePath);
    //return new X509Certificate2(certificateBytes, "idsrv3test", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.UserProtected);

    // Attempt 2: load directly from the file path (this is the line that throws)
    return new X509Certificate2(certificatePath, "idsrv3test", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
}

public void Configuration(IAppBuilder app)
{
    app.Map("/identity", idSrvApp =>
    {
        idSrvApp.UseIdentityServer(new IdentityServerOptions
        {
            SiteName = "My Identity Server",
            IssuerUri = Constants.IdServerIssuerUri,
            Factory = new IdentityServerServiceFactory()
                .UseInMemoryUsers(Users.Get())
                .UseInMemoryClients(Clients.Get())
                .UseInMemoryScopes(Scopes.Get()),
            SigningCertificate = LoadCertificate()
        });
    });
}

It is blowing up on the return new X509Certificate2() line. As you can see, I've tried both reading the test certificate (downloaded from IS3's Github page: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Certificates) in from a path as well as from a byte array. I've also tried every one of the X509KeyStorageFlags enum values. Both give this error:

[CryptographicException: Cannot find the requested object. ]
System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) +36
System.Security.Cryptography.X509Certificates.X509Utils._QueryCertFileType(String fileName) +0
System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags) +100
System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags) +110
MySecurityService.Startup.LoadCertificate() in D:\Documents\Projects\Test\MySecurityService\MySecurityService\Startup.cs:43
UpcarsSecurityService.Startup.b__0_0(IAppBuilder idSrvApp) in D:\Documents\Projects\Test\MySecurityService\MySecurityService\Startup.cs:22
Owin.MapExtensions.Map(IAppBuilder app, PathString pathMatch, Action`1 configuration) +178
Owin.MapExtensions.Map(IAppBuilder app, String pathMatch, Action`1 configuration) +108
UpcarsSecurityService.Startup.Configuration(IAppBuilder app) in D:\Documents\Projects\Test\MySecurityService\MySecurityService\Startup.cs:20

The solution has a "Certificates" directory and the .pfx file is there. In Visual Studio, I have set the "Copy to Output Directory" property on the file to "Copy always."

I've spent several hours on this and really am not sure what to do. Just to be completely clear, I am just running this on my local machine through Visual Studio Debug (IIS Express) at this point. I am planning on it being hosted within IIS (alongside a website) when it is done and deployed. I am running on Windows 10.

Thank you so much for any help; I'm pretty lost here and am totally new to IS3.

Answer 1:

Oh for f's sake. The .pfx file I was using was 40 KB. As I said, this was originally downloaded from the IS3 Github site.

However, I just noticed when I clicked the "idsrv3test.pfx" link on Github that said it was 3.32 KB. So I clicked the "Download" button to the right and sure enough, on disk it was 4 KB.

I replaced the certificate with the newly downloaded one and voila! It works. I can't believe I wasted so much time on this asinine problem. Well... actually, I can believe it. Typical.
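The root cause above (a 40 KB file that was not a PKCS#12 blob at all, almost certainly the GitHub HTML page saved under the .pfx name) produces the unhelpful "Cannot find the requested object" from the X509Certificate2 constructor. The following is an added example, not code from the question or from IdentityServer3, showing how a signing-certificate loader can fail early with a useful message: it checks that the file begins with a DER SEQUENCE (tag 0x30) whose declared length fits the file, flags anything that looks like HTML, and confirms that the loaded certificate actually carries a private key, which a token-signing certificate must have. The class name, the `password` parameter and the `KeyStorageFlags` choice are assumptions for this example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (hypothetical class name), not part of IdentityServer3 or the original post.
public static class SigningCertificateLoader
{
    // Flags assumed for an IIS/IIS Express host; adjust to the deployment's needs.
    private const X509KeyStorageFlags KeyStorageFlags =
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;

    public static X509Certificate2 Load(string certificatePath, string password)
    {
        if (!File.Exists(certificatePath))
            throw new FileNotFoundException("Signing certificate file not found.", certificatePath);

        byte[] raw = File.ReadAllBytes(certificatePath);
        string head = Encoding.ASCII.GetString(raw, 0, Math.Min(raw.Length, 64)).Trim();

        // A PFX/PKCS#12 file is DER-encoded ASN.1; a file starting with '<' is text (e.g. an HTML page).
        if (head.StartsWith("<"))
            throw new InvalidDataException(
                $"'{certificatePath}' ({raw.Length} bytes) looks like HTML/XML, not a PKCS#12 file. It begins: {head}");

        int declared = DeclaredDerLength(raw);
        if (declared < 0)
            throw new InvalidDataException(
                $"'{certificatePath}' ({raw.Length} bytes) does not start with a DER SEQUENCE; not a PKCS#12 file.");
        if (declared > raw.Length)
            throw new InvalidDataException(
                $"'{certificatePath}' is truncated: DER header declares {declared} bytes but the file has {raw.Length}.");

        var cert = new X509Certificate2(raw, password, KeyStorageFlags);

        // IdentityServer signs tokens with this certificate, so the private key must be present.
        if (!cert.HasPrivateKey)
            throw new CryptographicException(
                $"'{cert.Subject}' loaded but has no private key; it cannot be used as a signing certificate.");

        return cert;
    }

    // Returns the total length (header + content) claimed by the outer DER SEQUENCE, or -1 if the
    // first bytes are not a well-formed SEQUENCE header.
    private static int DeclaredDerLength(byte[] raw)
    {
        if (raw.Length < 2 || raw[0] != 0x30) return -1;

        int first = raw[1];
        if (first < 0x80) return 2 + first;              // short-form length

        int numLengthBytes = first & 0x7F;                // long-form: number of length octets
        if (numLengthBytes == 0 || numLengthBytes > 4 || raw.Length < 2 + numLengthBytes) return -1;

        int length = 0;
        for (int i = 0; i < numLengthBytes; i++)
            length = (length << 8) | raw[2 + i];

        return 2 + numLengthBytes + length;
    }
}
```

Used in place of the question's `LoadCertificate()` (for example `SigningCertificateLoader.Load(certificatePath, "idsrv3test")`), the wrong-file case in this thread would have failed on the first check with the file size and its leading bytes in the message, rather than on the generic CryptographicException from inside the constructor.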