Interop+AppleCrypto+AppleCFErrorCryptographicException: The operation couldn’t be completed. (Internal CSSM error error -2147416032 - Internal error #80010820 at SignTransform_block_invoke...

[jlf0dev]

Configuration

.Net Core SDK: 5.0.401
.Net Core Runtime: 5.0.10
System Version: macOS 11.6 (20G165)
Kernel Version: Darwin 20.6.0

Description

I am encountering a Interop+AppleCrypto+AppleCFErrorCryptographicException while running an ASP.NET Core on my Mac. I found a duplicate of this issue here, but their solution was to simply update the dotnet version. There was also another similar problem here, but their CSSM error was different and reinstalling dotnet did not solve my problem.

I have noticed that the first time I encounter the error after running my application, these show up in the Mac Console:

Stack Trace

crit: IdentityServer4.Hosting.IdentityServerMiddleware[0] Unhandled exception: The operation couldn’t be completed. (Internal CSSM error error -2147416032 - Internal error #80010820 at SignTransform_block_invoke /System/Volumes/Data/SWE/macOS/BuildRoots/38cf1d983f/Library/Caches/com.apple.xbs/Sources/Security/Security-59754.140.13/OSX/libsecurity_transform/lib/SecSignVerifyTransform.c:326) Interop+AppleCrypto+AppleCFErrorCryptographicException: The operation couldn’t be completed. (Internal CSSM error error -2147416032 - Internal error #80010820 at SignTransform_block_invoke /System/Volumes/Data/SWE/macOS/BuildRoots/38cf1d983f/Library/Caches/com.apple.xbs/Sources/Security/Security-59754.140.13/OSX/libsecurity_transform/lib/SecSignVerifyTransform.c:326) at Interop.AppleCrypto.ExecuteTransform(ReadOnlySpan1 source, SecKeyTransform transform)
at Interop.AppleCrypto.GenerateSignature(SafeSecKeyRefHandle privateKey, ReadOnlySpan1 dataHash, PAL_HashAlgorithm hashAlgorithm) at System.Security.Cryptography.RSAImplementation.RSASecurityTransforms.SignHash(Byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding) at Microsoft.IdentityModel.Tokens.AsymmetricAdapter.SignWithRsa(Byte[] bytes) at Microsoft.IdentityModel.Tokens.AsymmetricAdapter.Sign(Byte[] bytes) at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider.Sign(Byte[] input) at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(String input, SigningCredentials signingCredentials) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token) at IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt) at IdentityServer4.Services.DefaultTokenCreationService.CreateTokenAsync(Token token) at IdentityServer4.Services.DefaultTokenService.CreateSecurityTokenAsync(Token token) at IdentityServer4.ResponseHandling.TokenResponseGenerator.CreateAccessTokenAsync(ValidatedTokenRequest request) at IdentityServer4.ResponseHandling.TokenResponseGenerator.ProcessTokenRequestAsync(TokenRequestValidationResult validationResult) at IdentityServer4.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request) at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Configuration

.Net Core SDK: 5.0.401
.Net Core Runtime: 5.0.10
System Version: macOS 11.6 (20G165)
Kernel Version: Darwin 20.6.0

Description

I am encountering a Interop+AppleCrypto+AppleCFErrorCryptographicException while running an ASP.NET Core on my Mac. I found a duplicate of this issue here, but their solution was to simply update the dotnet version. There was also another similar problem here, but their CSSM error was different and reinstalling dotnet did not solve my problem.

I have noticed that the first time I encounter the error after running my application, these show up in the Mac Console:

Stack Trace

crit: IdentityServer4.Hosting.IdentityServerMiddleware[0] Unhandled exception: The operation couldn’t be completed. (Internal CSSM error error -2147416032 - Internal error #80010820 at SignTransform_block_invoke /System/Volumes/Data/SWE/macOS/BuildRoots/38cf1d983f/Library/Caches/com.apple.xbs/Sources/Security/Security-59754.140.13/OSX/libsecurity_transform/lib/SecSignVerifyTransform.c:326) Interop+AppleCrypto+AppleCFErrorCryptographicException: The operation couldn’t be completed. (Internal CSSM error error -2147416032 - Internal error #80010820 at SignTransform_block_invoke /System/Volumes/Data/SWE/macOS/BuildRoots/38cf1d983f/Library/Caches/com.apple.xbs/Sources/Security/Security-59754.140.13/OSX/libsecurity_transform/lib/SecSignVerifyTransform.c:326) at Interop.AppleCrypto.ExecuteTransform(ReadOnlySpan1 source, SecKeyTransform transform)
at Interop.AppleCrypto.GenerateSignature(SafeSecKeyRefHandle privateKey, ReadOnlySpan1 dataHash, PAL_HashAlgorithm hashAlgorithm) at System.Security.Cryptography.RSAImplementation.RSASecurityTransforms.SignHash(Byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding) at Microsoft.IdentityModel.Tokens.AsymmetricAdapter.SignWithRsa(Byte[] bytes) at Microsoft.IdentityModel.Tokens.AsymmetricAdapter.Sign(Byte[] bytes) at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider.Sign(Byte[] input) at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(String input, SigningCredentials signingCredentials) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token) at IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync(JwtSecurityToken jwt) at IdentityServer4.Services.DefaultTokenCreationService.CreateTokenAsync(Token token) at IdentityServer4.Services.DefaultTokenService.CreateSecurityTokenAsync(Token token) at IdentityServer4.ResponseHandling.TokenResponseGenerator.CreateAccessTokenAsync(ValidatedTokenRequest request) at IdentityServer4.ResponseHandling.TokenResponseGenerator.ProcessTokenRequestAsync(TokenRequestValidationResult validationResult) at IdentityServer4.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request) at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)

Author:	jlf0dev
Assignees:	-
Labels:	area-System.Security, untriaged
Milestone:	-

[bartonjs]

Are you getting this deterministically? Without being able to see it and walk through a repro it's going to be very hard to identify, since it's macOS's internal state is messed up. (Is the key being used concurrently across multiple threads? 'cuz that's not supported)

[mityakoval]

Getting the same (similar?) error.

Interop+AppleCrypto+AppleCFErrorCryptographicException: The operation couldn’t be completed. (Internal CSSM error error -2147416063 - Internal error #80010801 at SignTransform_block_invoke /System/Volumes/Data/SWE/macOS/BuildRoots/38cf1d983f/Library/Caches/com.apple.xbs/Sources/Security/Security-59754.140.13/OSX/libsecurity_transform/lib/SecSignVerifyTransform.c:326)
   at Interop.AppleCrypto.ExecuteTransform(ReadOnlySpan`1 source, SecKeyTransform transform)
   at Interop.AppleCrypto.GenerateSignature(SafeSecKeyRefHandle privateKey, ReadOnlySpan`1 dataHash, PAL_HashAlgorithm hashAlgorithm)
   at System.Security.Cryptography.RSAImplementation.RSASecurityTransforms.SignHash(Byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
   at Microsoft.IdentityModel.Tokens.AsymmetricAdapter.SignWithRsa(Byte[] bytes)
   at Microsoft.IdentityModel.Tokens.AsymmetricAdapter.Sign(Byte[] bytes)
   at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider.Sign(Byte[] input)
   at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
   at Test.mocks.VinxMock.GetToken() in /Users/dmytro.koval/code/vipps-login-token/Test/mocks/VinxMock.cs:line 62
   at Test.VinxAuthenticatorTest.ShouldReturnClaimsForValidToken() in /Users/dmytro.koval/code/vipps-login-token/Test/VinxAuthenticatorTest.cs:line 31

Reinstalling the runtime and the SDK didn't help.

Environment info:

.NET SDK (reflecting any global.json):
Version: 5.0.401
Commit: 4bef5f3dbf

Runtime Environment:
OS Name: Mac OS X
OS Version: 11.6
OS Platform: Darwin
RID: osx.11.0-x64
Base Path: /usr/local/share/dotnet/sdk/5.0.401/

Host (useful for support):
Version: 5.0.10
Commit: e1825b4

.NET SDKs installed:
3.1.413 [/usr/local/share/dotnet/sdk]
5.0.401 [/usr/local/share/dotnet/sdk]

.NET runtimes installed:
Microsoft.AspNetCore.App 3.1.19 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.10 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.19 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.10 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

[jlf0dev]

Solution

In my case, the project was throwing this error when trying to create tokens using a self-signed certificate I had generated.

When I created the certificate, I installed it into the login keychain, but somehow the certificate was installed and added as a trusted admin cert instead of a trusted user cert. So the project most likely couldn't access it.

There is no way that I can see in the Keychain Access GUI to specify admin vs user certs, so this is something I had to use the security command on mac to find.

For those running into the same issue, if you run security dump-trust-settings and you don't see the certificate, try running security dump-trust-settings -d too see admin certs. If you see the certificate there, that means it's been installed as admin.

In that case, run security trust-settings-export -d <filename> to export the admin certificates. Then import them into user with security trust-settings-import <filename>.