Identityserver4: Keyset does not exist

Created on 28 Sep 2017 · 6 Comments · Source: IdentityServer/IdentityServer4

  • [x] I read and understood how to enable logging

Issue / Steps to reproduce the problem

  1. Installed .NET Core 2.0 Runtime and .NET Core 2.0 SDK
  2. git clone https://github.com/IdentityServer/IdentityServer4.git
  3. PS into IdentityServer4 directory
  4. .\build.ps1

Q: Is this build not yet compatible with .NET Core 2.0?

Relevant parts of the log file

Test run for C:\dev\IdentityServer\IdentityServer4\test\IdentityServer.UnitTests\bin\Release\netcoreapp2.0\IdentityServer.UnitTests.dll(.NETCoreApp,Version=v2.0)
Microsoft (R) Test Execution Command Line Tool Version 15.3.0-preview-20170628-02
Copyright (c) Microsoft Corporation.  All rights reserved.

Starting test execution, please wait...
[xUnit.net 00:00:00.5183147]   Discovering: IdentityServer.UnitTests
[xUnit.net 00:00:00.7433100]   Discovered:  IdentityServer.UnitTests
[xUnit.net 00:00:00.7498117]   Starting:    IdentityServer.UnitTests
[xUnit.net 00:00:02.4272941]     IdentityServer4.UnitTests.Validation.IdentityTokenValidation.Valid_IdentityToken_DefaultKeyType_no_ClientId_supplied [FAIL]
[xUnit.net 00:00:02.4285186]       Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException : Keyset does not exist
[xUnit.net 00:00:02.4311078]       Stack Trace:
[xUnit.net 00:00:02.4346402]            at Internal.NativeCrypto.CapiHelper.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
[xUnit.net 00:00:02.4347557]            at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeProvHandle()
[xUnit.net 00:00:02.4348234]            at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeKeyHandle()
[xUnit.net 00:00:02.4348635]            at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 keySize, CspParameters parameters, Boolean useDefaultKeySize)
[xUnit.net 00:00:02.4349363]            at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
[xUnit.net 00:00:02.4349786]            at Internal.Cryptography.Pal.CertificatePal.<>c.<GetRSAPrivateKey>b__61_0(CspParameters csp)
[xUnit.net 00:00:02.4350117]            at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
[xUnit.net 00:00:02.4350431]            at Internal.Cryptography.Pal.CertificatePal.GetRSAPrivateKey()
[xUnit.net 00:00:02.4350774]            at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
[xUnit.net 00:00:02.4351310]            at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKey()
[xUnit.net 00:00:02.4351608]            at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_HasPrivateKey()
[xUnit.net 00:00:02.4352061]            at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures)
[xUnit.net 00:00:02.4352975]            at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
[xUnit.net 00:00:02.4353771]            at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
[xUnit.net 00:00:02.4354444]            at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
[xUnit.net 00:00:02.4354983]         C:\dev\IdentityServer\IdentityServer4\src\IdentityServer4\Services\DefaultTokenCreationService.cs(209,0): at IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt)
[xUnit.net 00:00:02.4355651]         C:\dev\IdentityServer\IdentityServer4\src\IdentityServer4\Services\DefaultTokenCreationService.cs(67,0): at IdentityServer4.Services.DefaultTokenCreationService.<CreateTokenAsync>d__4.MoveNext()
[xUnit.net 00:00:02.4356247]         --- End of stack trace from previous location where exception was thrown ---
[xUnit.net 00:00:02.4356587]            at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
[xUnit.net 00:00:02.4356943]            at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
[xUnit.net 00:00:02.4357434]         C:\dev\IdentityServer\IdentityServer4\test\IdentityServer.UnitTests\Validation\IdentityTokenValidation.cs(41,0): at IdentityServer4.UnitTests.Validation.IdentityTokenValidation.<Valid_IdentityToken_DefaultKeyType_no_ClientId_supplied>d__3.MoveNext()
[xUnit.net 00:00:02.4358227]         --- End of stack trace from previous location where exception was thrown ---
[xUnit.net 00:00:02.4358592]            at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
[xUnit.net 00:00:02.4358887]            at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
[xUnit.net 00:00:02.4359147]         --- End of stack trace from previous location where exception was thrown ---
[xUnit.net 00:00:02.4359446]            at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
[xUnit.net 00:00:02.4359773]            at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
[xUnit.net 00:00:02.4360013]         --- End of stack trace from previous location where exception was thrown ---
[xUnit.net 00:00:02.4360334]            at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
[xUnit.net 00:00:02.4360626]            at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
[xUnit.net 00:00:02.4533529]     IdentityServer4.Tests.Validation.Secrets.PrivateKeyJwtSecretValidation.Invalid_Expired_Token [FAIL]
[xUnit.net 00:00:02.4534575]       Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException : Keyset does not exist
[xUnit.net 00:00:02.4535293]       Stack Trace:
[xUnit.net 00:00:02.4535816]            at Internal.NativeCrypto.CapiHelper.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
[xUnit.net 00:00:02.4536134]            at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeProvHandle()
[xUnit.net 00:00:02.4536403]            at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeKeyHandle()
[xUnit.net 00:00:02.4536724]            at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 keySize, CspParameters parameters, Boolean useDefaultKeySize)
[xUnit.net 00:00:02.4537228]            at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
[xUnit.net 00:00:02.4537507]            at Internal.Cryptography.Pal.CertificatePal.<>c.<GetRSAPrivateKey>b__61_0(CspParameters csp)
[xUnit.net 00:00:02.4537828]            at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
[xUnit.net 00:00:02.4538113]            at Internal.Cryptography.Pal.CertificatePal.GetRSAPrivateKey()
[xUnit.net 00:00:02.4538418]            at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
[xUnit.net 00:00:02.4538938]            at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKey()
[xUnit.net 00:00:02.4539204]            at Microsoft.IdentityModel.Tokens.X509SecurityKey.get_HasPrivateKey()
[xUnit.net 00:00:02.4539525]            at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String algorithm, Boolean willCreateSignatures)
[xUnit.net 00:00:02.4540038]            at Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
[xUnit.net 00:00:02.4540561]            at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
[xUnit.net 00:00:02.4541126]            at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
[xUnit.net 00:00:02.4541498]         C:\dev\IdentityServer\IdentityServer4\test\IdentityServer.UnitTests\Validation\Secrets\PrivateKeyJwtSecretValidation.cs(189,0): at IdentityServer4.Tests.Validation.Secrets.PrivateKeyJwtSecretValidation.<Invalid_Expired_Token>d__10.MoveNext()
[xUnit.net 00:00:02.4542082]         --- End of stack trace from previous location where exception was thrown ---
[xUnit.net 00:00:02.4542486]            at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
[xUnit.net 00:00:02.4542810]            at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
[xUnit.net 00:00:02.4543057]         --- End of stack trace from previous location where exception was thrown ---
[xUnit.net 00:00:02.4543400]            at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
[xUnit.net 00:00:02.4543779]            at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
[xUnit.net 00:00:02.4544058]         --- End of stack trace from previous location where exception was thrown ---
[xUnit.net 00:00:02.4544330]            at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
[xUnit.net 00:00:02.4544645]            at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)


All 6 comments

[xUnit.net 00:00:02.4285186] Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException : Keyset does not exist

This is the error and it's been asked many many times before. It means the identity running your IdentityServer process doesn't have read access to the private key in the signing certificate.

I tried again using an admin account and it worked OK. Perhaps your team could add a test for the readability of the cert file and throw an IOException on a read-open error; that would make it easier to diagnose the issue?

Sure - we can add it to backlog.

OTOH this error message (even if it sounds strange) is very specific and quick googling would reveal the real issue.

Googling the error message brings up this issue in first position. Kinda funny.

Well, a missing hint (for beginners like me): a certificate can be broken/unusable.

In that case you will get all the cryptographic exceptions in every flavor and none will say: your certificate can't be used. It just looks like the frameworks do not work as expected.

For further information: .NET Core X509Certificate2 usage (under Windows/IIS, Docker, Linux)
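As an added illustration (not IdentityServer4's own code and not from any commenter) of the diagnosis given in the first comment and of the point above that a certificate can be present yet unusable: a C# startup probe that separates "no private key imported", "private key not readable by this account" (the "Keyset does not exist" case) and "key opens but cannot sign", so the failure is reported once with the account name instead of surfacing as an opaque CryptographicException on the first token request. The store location, thumbprint parameter and exception wording are assumptions for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Example only: probe the signing certificate before IdentityServer starts signing tokens.
public static class SigningCertificateProbe
{
    // Assumption: the signing cert lives in LocalMachine\My and is selected by thumbprint.
    public static X509Certificate2 LoadUsableSigningCert(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException($"Signing certificate {thumbprint} not found in LocalMachine\\My.");
            var cert = matches[0];

            // Case 1: only the public part was imported (.cer instead of .pfx); nothing can sign.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Signing certificate has no private key; import the PFX with its key.");

            // Case 2: a key is associated, but this process identity cannot open the key container.
            // This is what "Keyset does not exist" means: the container ACL lacks Read for the account.
            RSA rsa;
            try
            {
                rsa = cert.GetRSAPrivateKey();
            }
            catch (CryptographicException ex)
            {
                throw new UnauthorizedAccessException(
                    $"Private key of signing certificate {thumbprint} exists but is not readable by " +
                    $"'{Environment.UserDomainName}\\{Environment.UserName}'. Grant that account Read on the " +
                    $"key container. Underlying error: {ex.Message}", ex);
            }
            if (rsa == null)
                throw new InvalidOperationException("Signing certificate private key is not an RSA key.");

            // Case 3: the key opens but the material is unusable; a sign/verify round trip catches
            // it at startup rather than in the middle of a token request.
            using (rsa)
            {
                var probe = new byte[] { 0x01, 0x02, 0x03 };
                var sig = rsa.SignData(probe, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                if (!rsa.VerifyData(probe, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                    throw new CryptographicException("Signing certificate key produced an unverifiable signature.");
            }
            return cert;
        }
    }
}
```

Running the probe under the service account (not an admin account) reproduces the permission failure the first comment describes, while the same call under an administrator succeeds, which is the asymmetry the reporter observed.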

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
