Skip to content

Instantly share code, notes, and snippets.

@mykeels

mykeels/RsaKeyService.cs

Last active January 26, 2024 03:47
Show Gist options
  • Save mykeels/408a26fb9411aff8fb7506f53c77c57a to your computer and use it in GitHub Desktop.
Save mykeels/408a26fb9411aff8fb7506f53c77c57a to your computer and use it in GitHub Desktop.
Download ZIP
For IdentityServer4's AddSigningCredentials in production
Raw
_README.md

AddSigningCredentials

The RsaKeyService.cs file is inspired by this repo.

In Startup.cs of an IdentityServer4 app written for dotnet core 2.x, you'll see code like:

if (Environment.IsDevelopment())
{
    builder.AddDeveloperSigningCredential();
}
else
{
    throw new Exception("need to configure key material");
}

An Exception will be thrown in production, because you're expected to specify a more secure signing credential in production.

I don't fully understand how signing credentials are used, so I am open to simple explanations on the subject, but considering that I spent quite a while coming up with this way to generate signing credentials for production, I thought to share.

Please give feedback if you know a better way, and be kind enough to explain why.

You can register the RsaKeyService class as a Singleton in your Startup.cs file like:

public void ConfigureServices(IServiceCollection services)
{
  var rsa = new RsaKeyService(Environment, TimeSpan.FromDays(30));
  services.AddSingleton<RsaKeyService>(provider => rsa);
}

This makes sure that at least 30 days passes before a new RSA key file is generated.

Next, rewrite the signing credential conditional snippet as:

if (Environment.IsDevelopment())
{
    builder.AddDeveloperSigningCredential();
}
else
{
    builder.AddSigningCredential(rsa.GetKey());
}

Holla in the comments, if this helps you.

Raw
RsaKeyService.cs
using Newtonsoft.Json;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Hosting;
using Microsoft.IdentityModel.Tokens;
namespace Mykeels.Services
{
public class RsaKeyService
{
/// <summary>
/// This points to a JSON file in the format:
/// {
/// "Modulus": "",
/// "Exponent": "",
/// "P": "",
/// "Q": "",
/// "DP": "",
/// "DQ": "",
/// "InverseQ": "",
/// "D": ""
/// }
/// </summary>
private string _file {
get {
return Path.Combine(_environment.ContentRootPath, "rsakey.json");
}
}
private readonly IHostingEnvironment _environment;
private readonly TimeSpan _timeSpan;
public RsaKeyService(IHostingEnvironment environment, TimeSpan timeSpan) {
_environment = environment;
_timeSpan = timeSpan;
}
public bool NeedsUpdate() {
if (File.Exists(_file)) {
var creationDate = File.GetCreationTime(_file);
return DateTime.Now.Subtract(creationDate) > _timeSpan;
}
return true;
}
public RSAParameters GetRandomKey()
{
using (var rsa = new RSACryptoServiceProvider(2048))
{
try
{
return rsa.ExportParameters(true);
}
finally
{
rsa.PersistKeyInCsp = false;
}
}
}
public RsaKeyService GenerateKeyAndSave(bool forceUpdate = false)
{
if (forceUpdate || NeedsUpdate()) {
var p = GetRandomKey();
RSAParametersWithPrivate t = new RSAParametersWithPrivate();
t.SetParameters(p);
File.WriteAllText(_file, JsonConvert.SerializeObject(t, Formatting.Indented));
}
return this;
}
/// <summary>
///
/// Generate
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public RSAParameters GetKeyParameters()
{
if (!File.Exists(_file)) throw new FileNotFoundException("Check configuration - cannot find auth key file: " + _file);
var keyParams = JsonConvert.DeserializeObject<RSAParametersWithPrivate>(File.ReadAllText(_file));
return keyParams.ToRSAParameters();
}
public RsaSecurityKey GetKey() {
if (NeedsUpdate()) GenerateKeyAndSave();
var provider = new System.Security.Cryptography.RSACryptoServiceProvider();
provider.ImportParameters(GetKeyParameters());
return new RsaSecurityKey(provider);
}
/// <summary>
/// Util class to allow restoring RSA parameters from JSON as the normal
/// RSA parameters class won't restore private key info.
/// </summary>
private class RSAParametersWithPrivate
{
public byte[] D { get; set; }
public byte[] DP { get; set; }
public byte[] DQ { get; set; }
public byte[] Exponent { get; set; }
public byte[] InverseQ { get; set; }
public byte[] Modulus { get; set; }
public byte[] P { get; set; }
public byte[] Q { get; set; }
public void SetParameters(RSAParameters p)
{
D = p.D;
DP = p.DP;
DQ = p.DQ;
Exponent = p.Exponent;
InverseQ = p.InverseQ;
Modulus = p.Modulus;
P = p.P;
Q = p.Q;
}
public RSAParameters ToRSAParameters()
{
return new RSAParameters()
{
D = this.D,
DP = this.DP,
DQ = this.DQ,
Exponent = this.Exponent,
InverseQ = this.InverseQ,
Modulus = this.Modulus,
P = this.P,
Q = this.Q
};
}
}
}
}
@Karql
Copy link

Karql commented Dec 13, 2022
edited
Loading

As AddSigningCredential method gets called only at stratup, is there any way to regenerate the key automatically to avoid periodical restart of the service? For example when a new signing request get received, the code check for the expiration of the last key.

Keys managment is not an easy topic.
You cannot just generate a new key and use it (because current tokens will be rejected).

If you want to do it right you should condider something like key rotation (future key, current key, expired key, retired key).
You can catch basic concept from here: https://www.identityserver.com/documentation/keymanagement/

Next check what AddSigingCredential does: https://github.com/IdentityServer/IdentityServer4/blob/3ff3b46698f48f164ab1b54d124125d63439f9d0/src/IdentityServer4/src/Configuration/DependencyInjection/BuilderExtensions/Crypto.cs#L30

and start with implementing your own ISigningCredentialStore, IValidationKeysStore.

@MasoudShah
Copy link

Thanks a lot @Karql , I will check it out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment