Background: I am trying to create a JWK from a PFX file so that I can use the Okta SDK.
OktaClient needs the private key in JWK form. An example I lifted from their unit tests looks like this:
{
  "p": "{{lots_of_characters}}",
  "kty": "RSA",
  "q": "{{lots_of_characters}}",
  "d": "{{lots_of_characters}}",
  "e": "AQAB",
  "kid": "3d3062f5-16a4-42b5-837b-19b6ef1a0edc",
  "qi": "{{lots_of_characters}}",
  "dp": "{{lots_of_characters}}",
  "dq": "{{lots_of_characters}}",
  "n": "{{lots_of_characters}}"
}

Everything I have tried ends in the exception "Error creating signed JWT. Verify your private key." I believe this is because I lose the private-key part of the certificate when I use the IdentityModel conversion method (shown below).
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Text.Json;
using Microsoft.IdentityModel.Tokens;
using Okta.Sdk;
using Okta.Sdk.Configuration;

var signingCert = new X509Certificate2("{{my_cert}}.pfx", "{{my_passphrase}}");
var privateKey = signingCert.GetRSAPrivateKey();
var rsaSecurityKey = new RsaSecurityKey(privateKey);
// The "HasPrivateKey" flag is suddenly false on the resulting object from this method
// (the converter class in Microsoft.IdentityModel.Tokens is JsonWebKeyConverter)
var rsaJwk = JsonWebKeyConverter.ConvertFromRSASecurityKey(rsaSecurityKey);
var rsaJwkSerialized = JsonSerializer.Serialize(rsaJwk);
var oktaClientConfig = new OktaClientConfiguration
{
    OktaDomain = "{{my_okta_domain}}",
    ClientId = "{{my_client_id}}",
    AuthorizationMode = AuthorizationMode.PrivateKey,
    PrivateKey = new JsonWebKeyConfiguration(rsaJwkSerialized),
    Scopes = new List<string> { "okta.users.manage" }
};
var oktaClient = new OktaClient(oktaClientConfig);
// This throws when trying to self-sign the JWT using my private key
var oktaUsers = await oktaClient.Users.ListUsers().ToArrayAsync();

Posted on 2020-11-21 02:33:57
Well, after several days of struggling, I finally figured this out a few hours after posting.
It turns out you can set flags when creating the X509Certificate2 that tell the certificate it is exportable, which JsonWebKeyConverter needs in order to create the JWK correctly.

var signingCert = new X509Certificate2("{{my_cert}}.pfx", "{{my_passphrase}}", X509KeyStorageFlags.Exportable);

https://stackoverflow.com/questions/64933880
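To make the fix above concrete, here is an added example (my own code, not from the question, the answer, Microsoft.IdentityModel or the Okta SDK) that does the PFX-to-JWK conversion by hand with the .NET crypto APIs. It shows exactly which RFC 7517 members the SDK's JsonWebKeyConfiguration needs, verifies the resulting JWK can sign, and loads the same PFX once with and once without X509KeyStorageFlags.Exportable so the failure is visible. The self-signed certificate, passphrase and kid are constructed for the demo; the assumption that the kid must match the key registered on the Okta app is mine, not something the page states.

```csharp
// Added example, not code from the question, the answer or the Okta SDK. Builds the
// private RSA JWK (RFC 7517 section 6.3) that OktaClientConfiguration.PrivateKey expects
// straight from a PFX and shows what the Exportable flag changes. Targets .NET 6+.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;

static class PfxToJwk
{
    // base64url without padding (RFC 7515 section 2), the encoding every JWK member uses.
    static string B64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] B64UrlDecode(string s) =>
        Convert.FromBase64String(s.Replace('-', '+').Replace('_', '/').PadRight((s.Length + 3) / 4 * 4, '='));

    // Load the PFX and emit a private JWK. The default flag is the one the question was missing.
    // 'kid' is assumed to be the key ID registered on the Okta app (a hypothetical value here).
    public static string ToPrivateJwkJson(byte[] pfx, string passphrase, string kid,
                                          X509KeyStorageFlags flags = X509KeyStorageFlags.Exportable)
    {
        using var cert = new X509Certificate2(pfx, passphrase, flags);
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("PFX does not carry an RSA private key");

        // On Windows (CNG) this throws CryptographicException when the key was not
        // imported as exportable; that is the root cause behind the SDK's error.
        RSAParameters p = rsa.ExportParameters(includePrivateParameters: true);

        // Unsigned big-endian integers under lowercase member names: the same shape as the
        // sample JWK in the question ("e" for the usual exponent 65537 encodes to "AQAB").
        var jwk = new Dictionary<string, string>
        {
            ["kty"] = "RSA",
            ["kid"] = kid,
            ["n"] = B64UrlEncode(p.Modulus!),
            ["e"] = B64UrlEncode(p.Exponent!),
            ["d"] = B64UrlEncode(p.D!),
            ["p"] = B64UrlEncode(p.P!),
            ["q"] = B64UrlEncode(p.Q!),
            ["dp"] = B64UrlEncode(p.DP!),
            ["dq"] = B64UrlEncode(p.DQ!),
            ["qi"] = B64UrlEncode(p.InverseQ!),
        };
        return JsonSerializer.Serialize(jwk);
    }

    // Check the JWK the way the SDK will use it: rebuild the key from JSON and sign with it.
    public static bool JwkCanSign(string jwkJson)
    {
        using var doc = JsonDocument.Parse(jwkJson);
        byte[] F(string m) => B64UrlDecode(doc.RootElement.GetProperty(m).GetString()!);
        using RSA rsa = RSA.Create();
        rsa.ImportParameters(new RSAParameters
        {
            Modulus = F("n"), Exponent = F("e"), D = F("d"), P = F("p"), Q = F("q"),
            DP = F("dp"), DQ = F("dq"), InverseQ = F("qi"),
        });
        byte[] msg = Encoding.UTF8.GetBytes("client_assertion");
        byte[] sig = rsa.SignData(msg, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return rsa.VerifyData(msg, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Throwaway self-signed certificate wrapped in a PFX so the example runs offline (constructed).
    static byte[] MakeTestPfx(string passphrase)
    {
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=okta-service-app-demo", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1));
        return cert.Export(X509ContentType.Pfx, passphrase);
    }

    static void Main()
    {
        const string passphrase = "constructed-demo-passphrase";
        byte[] pfx = MakeTestPfx(passphrase);

        string jwk = ToPrivateJwkJson(pfx, passphrase, Guid.NewGuid().ToString());
        Console.WriteLine(JwkCanSign(jwk) ? "private JWK is complete and signs" : "JWK unusable");

        // The same PFX loaded as the question originally did, without Exportable.
        try
        {
            ToPrivateJwkJson(pfx, passphrase, "demo", X509KeyStorageFlags.DefaultKeySet);
            Console.WriteLine("exported anyway: OpenSSL-backed .NET on Linux ignores the flag");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("without Exportable the private parameters are unreadable: " + ex.Message);
        }
    }
}
```

Two practical notes. The second load only fails on Windows, where the PFX key lands in CNG as non-exportable; on Linux the OpenSSL-backed key is always exportable, which is why the original problem tends to show up only on Windows developer machines or Windows build agents. And on .NET 9 and later the X509Certificate2 constructors that take a password are marked obsolete (SYSLIB0057) in favour of X509CertificateLoader.LoadPkcs12, which takes the same X509KeyStorageFlags argument, so the Exportable flag still applies there.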