Multiple RSA object instances lead to failing signature validation #43087
Comments
Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @jeffhandley
@secana, do you have a repro which doesn't involve JwtSecurityTokenHandler?
Sorry, I don't have that. I ported an F# script as I was not sure if you prefer C#, so that's all I have.
I can take a look at this soon. @secana, to make sure I reproduce it as closely as possible, can you tell me exactly which packages and versions are being used?
```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>netcoreapp3.1</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="6.7.1" />
    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.7.1" />
  </ItemGroup>
</Project>
```
This is caused by how When you construct a Then the signature verifies, and the In the next loop, because it's the same key, the This exception is caught, and the Signature verification fails, but the disposed object is no longer in cache. In the next iteration, since a matching key is not in cache, we start all over again: it gets added to the cache, verify, dispose, etc etc etc. I'm not quite as familiar with the Azure SDKs as I am with anything else. One way you can work around this is to disable the cache by adding this before your loop: `CryptoProviderFactory.Default.CacheSignatureProviders = false;` Perhaps there are better recommendations or intentions with the behavior of the Azure SDK. However, the behavior you are seeing is entirely explained by the caching of
@vcsjones thanks for the help. With
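A minimal C# repro of the cache interaction described in this comment, added here as an illustration and not code from the issue or from the IdentityModel project; it assumes the Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt packages listed above, and the key pair and token it uses are constructed in the program. With the provider cache enabled, validations alternate between succeeding and failing as the comment describes; uncommenting the `CacheSignatureProviders` line applies the workaround.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;
// Constructed repro of the signature-provider caching behaviour (not the issue's own code).
static class CachedProviderRepro
{
    static void Main()
    {
        // The key material is identical on every iteration; only the RSA object is new.
        RSAParameters keyParams;
        using (var keyGen = RSA.Create(2048))
            keyParams = keyGen.ExportParameters(true);
        string token = CreateToken(keyParams);
        // Workaround from the thread: uncomment to stop caching signature providers, so each
        // validation builds its provider from the live RSA instance it was handed.
        // CryptoProviderFactory.Default.CacheSignatureProviders = false;
        for (int i = 0; i < 4; i++)
            Console.WriteLine($"iteration {i}: {Validate(token, keyParams)}");
    }

    static string CreateToken(RSAParameters keyParams)
    {
        using var signer = RSA.Create();
        signer.ImportParameters(keyParams);
        var descriptor = new SecurityTokenDescriptor
        {
            Expires = DateTime.UtcNow.AddHours(1),
            SigningCredentials = new SigningCredentials(new RsaSecurityKey(signer), SecurityAlgorithms.RsaSha256),
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    static string Validate(string token, RSAParameters keyParams)
    {
        // Fresh instance per call, disposed on return. The cached provider for this key still
        // references the previous, already disposed instance, so the next validation fails.
        using var rsa = RSA.Create();
        rsa.ImportParameters(keyParams);
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = false, ValidateAudience = false,
            IssuerSigningKey = new RsaSecurityKey(rsa),
        };
        try { new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _); return "valid"; }
        catch (Exception ex) { return "failed: " + ex.GetType().Name; }
    }
}
```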
Opened AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1539 to see if the AzureAD folks have documentation on this behavior, and / or possibly adding documentation. |
Description
When multiple RSA object instances are created one after another, every second signature validation fails. The code below shows a simple example where the behavior can be observed.
Output:
Moving the `using var rsa = RSA.Create();` out of the loop, so that it gets reused instead of a fresh instance being created, makes it work fine. Output:
It seems that the RSA object is not disposed correctly, or I'm using it wrong. My use case is an Azure function where a signature is verified. Unfortunately, every second time the verification fails, as the function creates a new instance of the RSA object every time it's invoked.
Configuration