Mac OS X .net core 3.1.1 Self Signed RSA Certificate Interop+AppleCrypto+AppleCFErrorCryptographicException

[umitgunduz]

ProductName: Mac OS X
ProductVersion: 10.15.5
BuildVersion: 19F101

.Net Core Info:

.NET Core SDK (reflecting any global.json):
Version: 3.1.101
Commit: b377529961

Runtime Environment:
OS Name: Mac OS X
OS Version: 10.15
OS Platform: Darwin
RID: osx.10.15-x64
Base Path: /usr/local/share/dotnet/sdk/3.1.101/

Host (useful for support):
Version: 3.1.1
Commit: a1388f194c

Exception:

[FATAL] i.h.IdentityServerMiddleware Unhandled exception: The operation couldn’t be completed. (Internal CSSM error error -2147416032 - Internal error #80010820 at SignTransform_block_invoke /AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/Security/Security-59306.120.7/OSX/libsecurity_transform/lib/SecSignVerifyTransform.c:324) Interop+AppleCrypto+AppleCFErrorCryptographicException: The operation couldn’t be completed. (Internal CSSM error error -2147416032 - Internal error #80010820 at SignTransform_block_invoke /AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/Security/Security-59306.120.7/OSX/libsecurity_transform/lib/SecSignVerifyTransform.c:324) at Interop.AppleCrypto.ExecuteTransform(ReadOnlySpan1 source, SecKeyTransform transform)
at Interop.AppleCrypto.GenerateSignature(SafeSecKeyRefHandle privateKey, ReadOnlySpan1 dataHash, PAL_HashAlgorithm hashAlgorithm) at System.Security.Cryptography.RSAImplementation.RSASecurityTransforms.SignHash(Byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding) at Microsoft.IdentityModel.Tokens.AsymmetricAdapter.SignWithRsa(Byte[] bytes) at Microsoft.IdentityModel.Tokens.AsymmetricAdapter.Sign(Byte[] bytes) at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider.Sign(Byte[] input) at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(String input, SigningCredentials signingCredentials) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token) at IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt) at IdentityServer4.Services.DefaultTokenCreationService.CreateTokenAsync(Token token) at IdentityServer4.Services.DefaultTokenService.CreateSecurityTokenAsync(Token token) at IdentityServer4.ResponseHandling.TokenResponseGenerator.CreateAccessTokenAsync(ValidatedTokenRequest request) at IdentityServer4.ResponseHandling.TokenResponseGenerator.ProcessTokenRequestAsync(TokenRequestValidationResult validationResult) at IdentityServer4.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request) at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events) [INFO] i.h.l.LocalApiAuthenticationHandler IdentityServerAccessToken was not authenticated. Failure message: No Access Token is sent.

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq
Notify danmosemsft if you want to be subscribed.

[vcsjones]

@umitgunduz Thanks for the report. It looks like macOS is having trouble signing with the RSA key for some reason. A self-signed certificate should not produce this error (since RSA signing is completely unaware of the certificate). How did you generate the certificate and key? Is there any additional information or steps you can provide to help reproduce the issue?

[umitgunduz]

Hello @vcsjones, i created sample project for reproduce this case, you access project this address https://github.com/umitgunduz/AppleCFErrorCryptographicException
thanks.

[vcsjones]

@umitgunduz thanks for the repo. Perhaps I didn't follow the instructions correctly, but this appeared to work for me. Let me explain what I did:

1. Ran dotnet run --launch-profile=Test in Sample.Api.
2. Opened a new terminal, and in Sample.Api.Test, ran dotnet test.

The test passed and IdentityServer4 indicated that the token was issued successfully:

Did I miss a step or do something incorrectly?

[umitgunduz]

Hello @vcsjones, your step is ok. I get the error when I follow the same steps. Detailed information about macos version is as follows. I think there might be a problem with the macos version. I installed an macos update last week, then this problem started to occur.

Exception Screen

macos version detail

[vcsjones]

Thanks, I'm also on 10.15.5 and can't reproduce it, unfortunately.

That CCSM error code is CSSMERR_CSP_OPERATION_AUTH_DENIED. Are you using the same temporary certificate that I am using when you reproduce this, or are you using a certificate from the keychain?

Just for sanity sake, can you also confirm the issue still reproduces with the latest SDK (3.1.300) and Runtime? (3.1.4).

[umitgunduz]

Hello @vcsjones,
I'm using the rsaCert.pfx temporary certificate certificate in the sample project. We both run the same code and run the same test.
The sdk and runtime versions installed on my machine are as follows.

---

[vcsjones]

@umitgunduz the latest version of .NET Core 3.1 is 3.1.5. You appear to have 3.1.1 as the latest. Can you please install the latest of 3.1 to make sure it still reproduces in the latest version?

[umitgunduz]

Hello @vcsjones, thank you for your patience and support.
The problem was solved when I updated the dotnet sdk 3.1.301