I wanted to use Azure Key Vault to store key which will be used to create signature for JwtTokens generated by my API.
For Jwt token authentication I use Microsoft.AspNet.Authentication.JwtBearer and i configured it like that:
app.UseJwtBearerAuthentication(options =>
{
options.TokenValidationParameters.IssuerSigningKey = this.tokenAuthKey;
options.TokenValidationParameters.ValidAudience = this.tokenOptions.Audience;
options.TokenValidationParameters.ValidIssuer = this.tokenOptions.Issuer;
options.TokenValidationParameters.ValidateSignature = true;
options.TokenValidationParameters.ValidateLifetime = false;
options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(0);
});
So, as you see, this configuration requires to provide full key with private part (IssureSigningKey property). It works fine when my key is stored unprotected in xml file, somewhere in file system and I'm just loading it during application startup. However, there is a problem when i try to store my key in Azure Key Vault (AKV). Since AKV only allows to withdraw public part of the key, Im struggling to make it all work together.
I found out that TokenValidationParameters class has delegate property that i can use to provide my own validator method which would use AKV encrypt/decrypt methods to determine if signature is valid.
The problem is I can't determine how to specify my own method that would generate signature part of JWT token, so that configuration of Microsoft.AspNet.Authentication.JwtBearer won't need private key.
My question is: is it possible somehow to specify my own method that creates signature for generated JWT token in JwtBearer configuration or during creation of token using JwtSecurityTokenHandler.CreateToken?
Related
I'm developing an external OAuth provider to be able to use our company login mechanism to let employees and customers connect to snowflakes.
Snowflake setup:
First, I created a database for the sake of testing :
use role accountadmin;
create database fred_ica_db;
create warehouse fred_ica_warehouse;
create role fred_ica_role;
create user fred_ica_user password = '******' login_name = 'upn';
grant usage on database fred_ica_db to role fred_ica_role;
grant usage on warehouse fred_ica_warehouse to role fred_ica_role;
grant role fred_ica_role to user fred_ica_user;
alter user fred_ica_user set DEFAULT_WAREHOUSE='FRED_ICA_WAREHOUSE', DEFAULT_ROLE='FRED_ICA_ROLE' , DEFAULT_NAMESPACE='FRED_ICA_DB.PUBLIC';
and created the security integration object in the snowflake database like this :
create or replace security integration fred_oauth_integration
type = external_oauth
enabled = true
external_oauth_type = custom
external_oauth_issuer = 'http://$(some_endpoint)/snowflakeAuth/accessToken'
external_oauth_jws_keys_url = 'https://$(aws_account).s3.us-west-2.amazonaws.com/$(public_key_filename)'
external_oauth_audience_list = ('https://xxxx.us-east-1.snowflakecomputing.com')
external_oauth_scope_mapping_attribute = 'scp'
external_oauth_token_user_mapping_claim='upn'
external_oauth_snowflake_user_mapping_attribute='login_name';
First attempt :
I created private/public key pair to handle token signature and uploaded the public key to AWS S3, which will also be our production target for this external OAuth provider. The file is currently available for grand public (checked on a public device). The public key is in the form of :
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKC...
...4oQIDAQAB
-----END RSA PUBLIC KEY-----
My OAuth server generates some valid JWT token (verified on jwt.io) + signature verified with public key :
(Base 64 url encoded)
eyJ0eXAi...wPgXvOtg
and decoded :
{
"typ": "JWT",
"alg": "RS256"
}
{
"aud": "https://xxxx.us-east-1.snowflakecomputing.com/",
"scp": [
"session:role:fred_ica_role"
],
"iss": "http://$(some_endpoint)/snowflakeAuth/accessToken",
"exp": 1632483169,
"iat": 1632475969
}
{
...signature...
}
when executing :
select SYSTEM$VERIFY_EXTERNAL_OAUTH_TOKEN('eyJ0eXAi...wPgXvOtg');
with some token created by the system
The system returns the error :
Token Validation finished.{"Validation Result":"Failed","Failure Reason":"EXTERNAL_OAUTH_JWS_CANT_RETRIEVE_PUBLIC_KEY"}
Second attempt
(after #Srinath Menon his feedback)
From the public key, I created a json web key(JWK). I created it using java code, and when I validated, I noticed it was also possible to use an online tool to do so.
https://8gwifi.org/jwkconvertfunctions.jsp
I uploaded the result as a file on AWS S3 and made sure it is grand publicly available and that the content-type is application/json :
JWKS :
{"keys":[{"kty":"RSA","e":"AQAB","kid":"5979064a-e202-4321-90ad-8a51329aad61","n":"2636yeJSQqyO5AegaIu6vEHg6w-MzGy1nPy2qj0zJfbDw6O0ATGkG_ibdfWqMHxU-JEBV1wiThv8_Mk67cst4W5U-fg-Miy8SDxYZtIkWFMAeVbamjpi_8BChCIJRVXvS6ZQofGgmFHlJAnWszL0hID8IaHigpBLTNEVHKuPeVGTYg3RcoWTjjB3WtaIj8XqKpQY47EUOiHOa3DZISXteYlfZu9yhQdB-7s0kQhdzk-RiQIHsLfnn-ksVzntmmwHVE5KVllMJt-23bH8c1TbtrMzWHflY85K3iSjhB3EHyeqhZnKuhAR5WVxPxkGIdr9qku1Q6L489R1wRkE2Rk4oQ"}]}
JWK :
{"kty":"RSA","e":"AQAB","kid":"5979064a-e202-4321-90ad-8a51329aad61","n":"2636yeJSQqyO5AegaIu6vEHg6w-MzGy1nPy2qj0zJfbDw6O0ATGkG_ibdfWqMHxU-JEBV1wiThv8_Mk67cst4W5U-fg-Miy8SDxYZtIkWFMAeVbamjpi_8BChCIJRVXvS6ZQofGgmFHlJAnWszL0hID8IaHigpBLTNEVHKuPeVGTYg3RcoWTjjB3WtaIj8XqKpQY47EUOiHOa3DZISXteYlfZu9yhQdB-7s0kQhdzk-RiQIHsLfnn-ksVzntmmwHVE5KVllMJt-23bH8c1TbtrMzWHflY85K3iSjhB3EHyeqhZnKuhAR5WVxPxkGIdr9qku1Q6L489R1wRkE2Rk4oQ"}
Both these approaches resulted in the same error :
Token Validation finished.{"Validation Result":"Failed","Failure Reason":"EXTERNAL_OAUTH_JWS_CANT_RETRIEVE_PUBLIC_KEY"}
Got it finally working but changed my solution a little bit :
Created a key pair using commands (under MacOS) :
openssl genrsa -out snowflakeExternalOAuth.pem 2048
openssl rsa -in snowflakeExternalOAuth.pem -pubout > snowflakeExternalOAuth.pub
I extracted the public key content (removed HEADER, FOOTER and new lines) to initialise property external_oauth_rsa_public_key
I defined the security integration like this :
create or replace security integration fred_oauth_integration
type = external_oauth
enabled = true
external_oauth_type = custom
external_oauth_issuer = 'http://$(some_endpoint)/snowflakeAuth/accessToken'
external_oauth_rsa_public_key = 'MIIBIjAN...hQIDAQAB'
external_oauth_audience_list = ('https://xxxx.us-east-1.snowflakecomputing.com')
external_oauth_scope_mapping_attribute = 'scp'
external_oauth_token_user_mapping_claim='upn'
external_oauth_snowflake_user_mapping_attribute='login_name';
I also noticed that I forgot to add some 'upn' claim in my token with the username previously defined ('fred_ica_user').
After those different changes, the system is working.
Hope this will be helpful.
I am using ASP.NET Core 2.2 and I need to generate custom tokens in my application.
Asp.Net Core Identity UserManager can generate classic tokens like EmailVerification, ...
But it has also a method to generate tokens with different purposes (MSFT Docs):
public virtual System.Threading.Tasks.Task<string> GenerateUserTokenAsync (TUser user, string tokenProvider, string purpose);
I need to generate a token with the following information:
Purpose = AddUserToProject
User = A given user
ProjectId = The Project Id to which the User should be added.
RoleId = The Role Id of the User in the Project
On GenerateUserTokenAsync I can add the User and the Purpose ...
But I'm not sure how to add (3) and (4) e.g. ProjectId and RoleId.
And how can I retrieve it later so I can actually perform the action.
How should I do this?
You can create a custom token provider, and then instruct ASP.NET Core to use that. Create a class that implements IUserTokenProvider<TUser, TKey>. Then, you can either explicitly use it:
var token = await _userManager.GenerateUserTokenAsync(user, "MyCustomTokenProvider", purpose);
Or you can sub it in for any or all of the Identity token providers in ConfigureServices:
services.AddIdentity<IdentityUser, IdentityRole>(o => {
o.Tokens.PasswordResetTokenProvider = nameof(MyCustomTokenProvider);
// rinse and repeat for other token providers you want to change
// see: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration?view=aspnetcore-2.2#tokens
})
.AddTokenProvider<MyCustomTokenProvider>(nameof(MyCustomTokenProvider));
[1]:
Summary
Use CNG or Pkcs11Interop or any other alternatives to login to an HSM, search for a privatekey then pass it on to a 3rd party application for use.
The key cannot be extracted from the HSM or stored in memory.
a 3rd Party application needs to make use of a private key that is stored on a Hardware Security Module (HSM).
I have looked into two methods CNG and Pkcs11Interop.
The code needs to accomplish the following:
1-Authenticate and establish a session with the HSM
2-Search for the key
3-Pass the private key to the 3rd party using RSACryptoServiceProvider or other methods.
Important: The key cannot be accessed extracted from the HSM or access directly (by design for security purposes).
Below are the two samples I've put together for both CNG and PKCS11Interop
The Problem:
1-CNG I am struggling to authenticate (if that's possible)
2-PKCS11Interop I've been able to login, search for the key but struggling to make use of the key.
Happy to use either of the methods, and I welcome any assistance, alternative solutions or advice.
CNG Code:
This code works when authentication is disabled on HSM
Q. Is there a way to authenticate using a password , open a session prior to using the key?
CngProvider provider = new CngProvider("CNGProvider");
const string KeyName = "somekey";
key = CngKey.Open(KeyName, provider);
Console.WriteLine("found the key!");
var cngRsa = new RSACng(key);
var privateSshKey = new SshPrivateKey(cngRsa);
PKCS11Interop, I managed to authenticate, search for the key and assign it to a handle..
Q. How do i go about passing the private key onto a standard .Net Framework type AsymmetricAlgorithm? while keeping in mind it not exportable?
can it be passed to RSACryptoServiceProvider? and then onto AsymmetricAlgorithm?
using (IPkcs11Library pkcs11Library = Settings.Factories.Pkcs11LibraryFactory.LoadPkcs11Library(Settings.Factories, Settings.Pkcs11LibraryPath, Settings.AppType))
{
ISlot slot = Helpers.GetUsableSlot(pkcs11Library);
using (ISession session = slot.OpenSession(SessionType.ReadWrite))
{
//search for key
try
{
const string keyname = "somekey";
// Login as normal user
session.Login(CKU.CKU_USER, Settings.NormalUserPin);
IObjectHandle publicKeyHandle = Helpers.CreateDataObject(session);
IObjectHandle privateKeyHandle = Helpers.CreateDataObject(session);
// Prepare attribute template that defines search criteria
List<IObjectAttribute> privateKeyAttributes = new List<IObjectAttribute>();
privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY));
privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_RSA));
privateKeyAttributes.Add(session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, keyname));
List<IObjectHandle> foundPrivateKeys = session.FindAllObjects(privateKeyAttributes);
if (foundPrivateKeys == null || foundPrivateKeys.Count != 1)
throw new Exception("Unable to find private key");
// Use found object handles
privateKeyHandle = foundPrivateKeys[0];
session.FindObjectsFinal();
// How do i go about using the privatekey handle here?
session.DestroyObject(privateKeyHandle);
session.Logout();
}
catch (Exception ex)
{
Console.WriteLine("Crypto error: " + ex.Message);
}
Console.WriteLine("done!");
System.Console.Write("[Hit Enter to Continue]");
System.Console.ReadLine();
}
}
With an HSM, by design, you cannot "Pass the private key to a 3rd party app".
You also cannot pass the key handle between processes (although this might work in some implementations - a key handle should be PKCS11 session specific).
Your 3rd party app needs to offload cryptographic operations to the HSM by using a configurable cryptography library like OpenSSL (or similar) or if it is using CNG it should allow you to configure the provider.
Q. Is there a way to authenticate using a password , open a session prior to using the key?
A.: For an app that uses CNG, you should use the CNG Key Storage Provider (KSP) from the HSM Vendor after you have configured it.
The HSM Vendor KSP will then prompt for the password or, if you configured the provider (using a utility or configuration file from the HSM vendor) to store the password/pin, it will just work.
eHSM sample code using NCryptNative:
SafeNCryptProviderHandle handle;
NCryptOpenStorageProvider(handle, "eHSM Key Storage Provider",0);
...
Q. How do i go about passing the private key onto a standard .Net Framework type AsymmetricAlgorithm? while keeping in mind it not exportable? can it be passed to RSACryptoServiceProvider? and then onto AsymmetricAlgorithm?
A.: No, you cannot pass key material and you cannot pass the raw PKCS11 handle to the CNG Framework. You either have to use the PKCS11Interop functions to perform all cryptographic operations OR you have to do everything in CNG (correctly configured as above).
To directly use the PKCS11 interface you continue calling PKCS11 functions with the key handle, ie.
// How do i go about using the privatekey handle here?
// something like this
session.SignInit(mechanism, privateKeyHandle);
session.Sign(data, signature));
I am attempting to upload a file to S3 following the examples provided in your documentation and source files. Unfortunately, I'm receiving the following errors when attempting an upload:
[Fine Uploader 5.3.2] Invalid policy document or request headers!
[Fine Uploader 5.3.2] Policy signing failed. Invalid policy document
or request headers!
I found a few posts on here with similar errors, but those solutions didn't help me.
Here is my jQuery:
<script>
$('#fine-uploader').fineUploaderS3({
request: {
endpoint: "http://mybucket.s3.amazonaws.com",
accessKey: "changeme"
},
signature: {
endpoint: "endpoint.php"
},
uploadSuccess: {
endpoint: "success.html"
},
template: 'qq-template'
});
</script>
(Please note that I changed the keys/bucket names for security sake.)
I used your endpoint-cors.php as a model and have included the portions that I modified here:
require 'assets/aws/aws-autoloader.php';
use Aws\S3\S3Client;
// These assume you have the associated AWS keys stored in
// the associated system environment variables
$clientPrivateKey = $_ENV['changeme'];
// These two keys are only needed if the delete file feature is enabled
// or if you are, for example, confirming the file size in a successEndpoint
// handler via S3's SDK, as we are doing in this example.
$serverPublicKey = $_ENV['AWS_SERVER_PUBLIC_KEY'];
$serverPrivateKey = $_ENV['AWS_SERVER_PRIVATE_KEY'];
// The following variables are used when validating the policy document
// sent by the uploader.
$expectedBucketName = $_ENV['mybucket'];
// $expectedMaxSize is the value you set the sizeLimit property of the
// validation option. We assume it is `null` here. If you are performing
// validation, then change this to match the integer value you specified
// otherwise your policy document will be invalid.
// http://docs.fineuploader.com/branch/develop/api/options.html#validation-option
$expectedMaxSize = (isset($_ENV['S3_MAX_FILE_SIZE']) ? $_ENV['S3_MAX_FILE_SIZE'] : null);
I also changed this:
// Only needed in cross-origin setups
function handleCorsRequest() {
// If you are relying on CORS, you will need to adjust the allowed domain here.
header('Access-Control-Allow-Origin: http://test.mydomain.com');
}
The POST seems to work:
POST http://test.mydomain.com/somepath/endpoint.php 200 OK
318ms
...but that's where the success ends.
I think part of the problem is that I'm not sure what to enter for "clientPrivateKey". Is that my "Secret Access Key" I set up with IAM?
And I'm definitely unclear on where I get the serverPublicKey and serverPrivateKey. Where am I generating a key-pair on the S3? I've combed through the docs, and perhaps I missed it.
Thank you in advance for your assistance!
First off, you are using endpoint-cors.php in a non-CORS environment. Communication between the browser and your endpoint appears to be same-origin, based on the URL of your signature endpoint. Switch to the endpoint.php example.
Regarding your questions about the keys, you should have create two distinct IAM users: one for client-side operations (heavily restricted) and one for server-side operations (an admin user). For each user, you'll have an access key (public) and a secret key (private). You always supply Fine Uploader with your client-side public key, and use your client-side private key to sign requests server-side. To perform other, more restricted operations (such as deleting files), you should use your server user keys.
I like to ask a newbie question. By setting API key in JavaScript, wouldn't anyone can read the source and use the key freely?
Edited >>
Extracted the jsFiddle codes,
filepicker.setKey('8PbzrhP9Tr2r6wPlSqzS');
/* Unsecured */
/*
filepicker.pick(function(fpfile){
console.log(fpfile);
});
filepicker.read(fpfile, function(contents){
console.log(contents);
})
*/
var fpfile = {'url': 'https://www.filepicker.io/api/file/KW9EJhYtS6y48Whm2S6D'};
var policy = 'eyJoYW5kbGUiOiJLVzlFSmhZdFM2eTQ4V2htMlM2RCIsImV4cGlyeSI6MTUwODE0MTUwNH0=';
var signature = '4098f262b9dba23e4766ce127353aaf4f37fde0fd726d164d944e031fd862c18';
filepicker.read(fpfile, {policy: policy, signature:signature}, function(contents){
console.log(contents);
})
filepicker.pick({policy: policy, signature:signature}, function(fpfile){
console.log(fpfile);
});
How does it prevents anyone from using the key ONLY, to upload or read/download files from my account?
Because browser-side javascript is always publically readable, your API key will be visible to others. To increase the protection of your API key beyond simple url/hostname checking, you can use the rich policy-based security API we provide: https://developers.filepicker.io/docs/security/
Java bytecode is easily reversable with trivial amount of work. If you need to have it, pull it from a website using TLS and store it in RAM or at the very least, xor it with a password