I have working code to decrypt a JWE-encrypted token payload with Jose.JWT, where the ciphertext was produced with a PKCS#8 public key and the private key is in PEM format, but I cannot find any working examples for System.IdentityModel.Tokens.Jwt.

Here is the working Jose.JWT code:

    using System;
    using System.Security.Cryptography;
    using Jose;

    public static class JweDecryptor
    {
        public static string DecryptJwt(string jweTokenBase64Url, string rsaPrivateKey)
        {
            Console.WriteLine("JWT JWE RSA-OAEP-256 AES GCM 256 encryption");
            // https://www.nuget.org/packages/jose-jwt/
            // https://github.com/dvsekhvalnov/jose-jwt

            Console.WriteLine("\n* * * decrypt the payload with recipient's private key * * *");
            string jweDecryptedPayload = jweRsaDecryptFromBase64UrlToken(rsaPrivateKey, jweTokenBase64Url);
            Console.WriteLine("jweDecryptedPayload: " + jweDecryptedPayload);

            return jweDecryptedPayload;
        }

        public static string jweRsaDecryptFromBase64UrlToken(string rsaPrivateKey, string jweTokenBase64Url)
        {
            // The PEM is a PKCS#8 "BEGIN PRIVATE KEY" block, so import the DER body as PKCS#8.
            using RSA rsaAlg = RSA.Create();
            byte[] privateKeyByte = getRsaPrivateKeyEncodedFromPem(rsaPrivateKey);
            rsaAlg.ImportPkcs8PrivateKey(privateKeyByte, out _);
            string json = "";
            try
            {
                // Jose.JWT.Decode reads alg/enc from the JWE protected header (here RSA-OAEP-256 / A256GCM).
                json = Jose.JWT.Decode(jweTokenBase64Url, rsaAlg);
            }
            catch (Jose.EncryptionException)
            {
                Console.WriteLine("*** Error: payload corrupted or wrong private key ***");
                // throws: Jose.EncryptionException: Unable to decrypt content or authentication tag do not match.
            }
            return json;
        }

        static byte[] Base64Decoding(string input)
        {
            return Convert.FromBase64String(input);
        }

        private static byte[] getRsaPrivateKeyEncodedFromPem(string rsaPrivateKeyPem)
        {
            // Strip the PEM armour and every line break (CRLF or LF) so only the base64 body remains.
            string rsaPrivateKeyHeaderPem = "-----BEGIN PRIVATE KEY-----";
            string rsaPrivateKeyFooterPem = "-----END PRIVATE KEY-----";
            string rsaPrivateKeyDataPem = rsaPrivateKeyPem
                .Replace(rsaPrivateKeyHeaderPem, "")
                .Replace(rsaPrivateKeyFooterPem, "")
                .Replace("\r", "")
                .Replace("\n", "");
            return Base64Decoding(rsaPrivateKeyDataPem);
        }
    }

Here is the JWT token:
eyJraWQiOiI2YjZkMWE1MzI3MzI2MGU5ZjA4MzMzMzhiNzJiMjE0YjczMmYzOTA0IiwiY3R5IjoianNvbiIsInR5cCI6IkpXVCIsImVuYyI6IkEyNTZHQ00iLCJhbGciOiJSU0EtT0FFUC0yNTYifQ.zZ6HO756d4NYjcHIpbvdLPzQ1XkLZi1eCsfh_oHuCB44DF3jewiQ5gTI_5SXJqWKpKIId52nMki29MbTMqOUH2iWNQIV8NYl_ERm8UGcJgr5IASMgZ-WyCgX-NQ_J7CONrTcyKvlsdyDvX1Jkp5MZfnpZuAbSzZsLWOwdqdrZHHMMRMeqwkinRrgvIobQPEN5qqVhy7saoBTHmqdTJzYopM1URFPmBcDVDuwkW4w4-mN-4JpkNpi5HGiad2_ZevVwy_e9Fgdwdjoj7D1pwfSZ7_BiriAymKdJ3LOn5H0x4d0F_CcNe6VzdIbVXj_ry1dp3S2ThW8Whq8j7Ja3vf3JA.jCBNb8g7girLmdqC.ZlfbFXVtnJoy0-OObmNMiNVQ89u0iPelznhrMPEuyNQ5esrHWGOuCzIWrwlFZXeKHmUDSl0cdgoBRzhQc4e5UoWfCyEtu24zpdMlUomFdG_k_sIhnWsEtWHaxMmvdpXMJgBmeJVrUtYj8vW6DrYTpMpgkjvaGH04lc50TE2ZxPYG550_kHL_2tqXlzHCL1q7wCF4qeS0trPLQAMT_SdzNWXl0xijE-u3A-G9NwfpKjoydil9DukWPd5fndvV24OzmvpYGz9r62XKbvfQUvzvhM0cLpXBpHKUM9pZBiq8Fat3fJubvXV2YcRREU__zzkFKcpCNvsIiRDXO9VEFSytcQLh8b4VKK5zsg8JYlauIf_K_yOg0FnOirwWbFIpA1P3-GD6KBFVhbjwDtpMXjT6K4ty7_GD_sMCUkbKffuRhfpxdEg1yOykpgA-XcBX-tRME5BDd9ZiJBm2EKXbcUT8COX54idTIiKxRftQKWRzqyD8VpvD6ixo9dsOwShzZrUenfrYDGJvncqYcRWdIcWFnJe5vxSxErAq1jwAgUe8eSQUQQ6aMZvDETmvpIrshGYWwCyGpUWEJFbT2PqfwJTsxi3a_ybegfRB36nHjyWt-kuSB6MyIP0VXFi1_kB3s_wdhbMZv_2CapyvjTXj-2jdcrxGz-72yIPEgjwa-vxB3MJq6rg1YWHyexv7pn9fpaerzwZlytMxa4iAO358bBrpj_vaQdfbeSsQr_uvgL3bDk4BkJvopKM9VL3kqPGUIZPpSWQCR2PJXdeRG1SjmzUA7ziL6FGrKpEXJfjCrzwsvWYQtWNPxdcwcg560EJqAT5G-Cru0ht4g4FmZHj7gEOnF7wxKtAD3wch-rixkP9SPSQRNzYu3mlSmpFJoCQvSu7cWD_Q7b4OFXlSswX0Mgs65oT1gg4m8bn7rbLYJZDylqKORIgMAZJPyLLykpY7NFgTVFkTo5c8QZix6FiGkBI.J8y8Uha83orFurzu-w4pAw


Here is the private key:


I have tried a lot of ways to use them without Jose.JWT but none have worked.

  • *...But cannot find any working examples for System.IdentityModel.Tokens.Jwt...* [JSON Web Encryption (JWE) in .NET](https://www.scottbrady91.com/c-sharp/json-web-encryption-jwe-in-dotnet-core) is the first hit of a Google search with *.net jwe*. From this post: *...The IdentityModel library will always create a JWE containing a Nested JWT. This means that your JWT is signed and then encrypted,...*. Does your Jose code also generate a Nested JWT? If not, the two may not be compatible. – Topaco Aug 31 '23 at 08:02
  • Even if the Jose code creates a nested JWT, the post lacks a link to the Jose library used and lacks non-productive test data (JWE token and private key) that can be successfully processed with the posted code. – Topaco Aug 31 '23 at 08:04
  • It isn't a nested JWT but the payload is encrypted with a public PKCS public key. The payload is actually a credit card PAN in network token format. However I would be having the same issue if it was a nested JWT that was encrypted as a JWE. – Adam Williams Aug 31 '23 at 16:26
  • I'm not sure that would work at all. Apart from that: According to your JWE token header, `"enc":"A256GCM","alg":"RSA-OAEP-256"` is used. If you try to create a JWE token with *IdentityModel.Tokens.Jwt* with this enc/alg combination, you get the error message: *IDX10617: Encryption failed. Keywrap is only supported for: 'A128CBC-HS256', 'A192CBC-HS384' and 'A256CBC-HS512'. The content encryption specified is: 'A256GCM'.* If you apply `A256CBC-HS512` instead of `A256GCM`, it works. Apparently, in addition, the enc/alg combination used by your JWE Token is not supported. – Topaco Aug 31 '23 at 17:40
  • This is also confirmed by the post linked in my first comment: *...This is using RSA-OAEP as the wrapping algorithm and A256CBC-HS512 as the encryption algorithm. A256GCM (AES-GCM) would be a better choice for authenticated encryption, but unfortunately, the .NET JWT libraries only support AES-CBC...* – Topaco Aug 31 '23 at 19:22

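As an added pre-flight check (not code from the question or from either library): parse the JWE compact serialization and read its protected header, so you can see up front whether the alg/enc pair is one System.IdentityModel.Tokens.Jwt handles (the CBC-HMAC encs listed in the IDX10617 text quoted above) or needs Jose.JWT. The header, IV and tag segments come from the token in the question; the encrypted-key and ciphertext placeholders and the second, CBC token are constructed.

```python
import base64
import json

# Content-encryption algorithms System.IdentityModel.Tokens.Jwt accepts for RSA key wrap,
# as listed in the IDX10617 error text quoted in the comments above.
IDENTITYMODEL_ENC = {"A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"}

def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515 section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_jwe_compact(token: str) -> dict:
    """Split a JWE compact serialization into its five parts and decode the protected header."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError(f"expected 5 dot-separated segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    for name in ("alg", "enc"):
        if name not in header:
            raise ValueError(f"protected header lacks '{name}'")
    return {"header": header, "encrypted_key": b64url_decode(parts[1]),
            "iv": b64url_decode(parts[2]), "ciphertext": b64url_decode(parts[3]),
            "tag": b64url_decode(parts[4])}

def triage(token: str) -> dict:
    """Report alg/enc and whether System.IdentityModel.Tokens.Jwt can decrypt this token."""
    jwe = parse_jwe_compact(token)
    enc = jwe["header"]["enc"]
    report = {"alg": jwe["header"]["alg"], "enc": enc,
              "identitymodel_supported": enc in IDENTITYMODEL_ENC}
    if enc.endswith("GCM"):
        # RFC 7518 section 5.3: AES-GCM in JWE uses a 96-bit IV and a 128-bit tag.
        report["gcm_lengths_ok"] = len(jwe["iv"]) == 12 and len(jwe["tag"]) == 16
    return report

# Protected header, IV and tag segments copied from the token in the question; the encrypted
# key and ciphertext segments are replaced by constructed "AAAA" placeholders to keep it short.
QUESTION_TOKEN = ("eyJraWQiOiI2YjZkMWE1MzI3MzI2MGU5ZjA4MzMzMzhiNzJiMjE0YjczMmYzOTA0IiwiY3R5IjoianNvbiIsInR5cCI6IkpXVCIsImVuYyI6IkEyNTZHQ00iLCJhbGciOiJSU0EtT0FFUC0yNTYifQ"
                  ".AAAA.jCBNb8g7girLmdqC.AAAA.J8y8Uha83orFurzu-w4pAw")
# Constructed token with the enc/alg combination the comments say IdentityModel does accept.
CBC_TOKEN = ".".join([b64url_encode(json.dumps({"alg": "RSA-OAEP", "enc": "A256CBC-HS512"}).encode()),
                      "AAAA", b64url_encode(bytes(16)), "AAAA", b64url_encode(bytes(32))])

if __name__ == "__main__":
    for name, tok in (("question token", QUESTION_TOKEN), ("constructed CBC token", CBC_TOKEN)):
        print(name, triage(tok))
```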