Tags: .net-core, certificate, auth0, itfoxtec-identity-saml2

PEM_read_bio_PUBKEY failed while sending signed SAMLRequest to Auth0


I'm trying to sign the (ITfoxtec Identity SAML2) SAMLRequests and testing with Auth0 and I'm getting the following error on the Auth0 side:

invalid_request: PEM_read_bio_PUBKEY failed

I filled the public key in their config.

{
  "signatureAlgorithm": "rsa-sha256",
  "digestAlgorithm": "sha256",
  "signingCert": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqt7eddg/N9MgaivTEWif\n...\nnmEbAFKJtjieiwu1JjsMsdUCAwEAAQ==\n-----END PUBLIC KEY-----\n"
}

Here is how I generated the keys:

openssl req -x509 -sha256 -newkey rsa:4096 -keyout auth0samlprivate.key -out auth0samlpublic.pem -days 3650 -nodes -subj "/CN=mydomain.com"

# then I generate the public key to fill in the configuration of Auth0
openssl x509 -pubkey -noout -in auth0samlpublic.pem  > auth0samlpublickey.pem

# then I generate the .pfx file to use server side for the private key
openssl pkcs12 -export -out auth0saml.pfx -inkey auth0samlprivate.key -in auth0samlpublic.cer

Then in the code:

config.SignAuthnRequest = true;
config.SigningCertificate = CertificateUtil.Load("Path/To/auth0saml.pfx", "myPassword");

In the browser, I get redirected to the right URL that contains a Signature query parameter, so it seems to be handled correctly but Auth0 doesn't seem to be able to read it.

What did I miss? I'm new to the certificate part of it.


Solution

  • The issue was about the generated certificate.

    First, although the example in Auth0 is using a private key, using a certificate is fine too.

    The following commands worked fine for me:

    openssl req -x509 -sha256 -newkey rsa:2048 -keyout auth0samlprivate.pem -out auth0samlpublic.pem -days 3650 -nodes -subj "/CN=thefiftyapp.com"
    
    openssl pkcs12 -export -in auth0samlpublic.pem -inkey auth0samlprivate.pem -out auth0saml.pfx
    

    I think the real issue was manually changing the pem file to a cer file without using the command line.

    And the Auth0 config:

    {
      "signatureAlgorithm": "rsa-sha256",
      "digestAlgorithm": "sha256",
      "signingCert": "-----BEGIN CERTIFICATE-----\nMIIDFTCCAf2gAwIBAgIUXg1jHZ9qRIrtySCsF/bK2JvYxMQwDQYJKoZIhvcNAQEL\n...\n53f63eKJn9PMmyqIYl9/K48ABR3Bf8exfvK4HRudkSU66pQsj8biIxl4MSDMg/6G\naHUZoTBJbJ/sXmoExGpltvFDcNMITfJMKGFCIBO9VnlsJrXdwalSTpxg/9Yi79GD\n5yMXEjicqion8KE0LMsk93LVS92bkujhSg==\n-----END CERTIFICATE-----\n"
    }
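A pre-flight check for the two things the answer above turns on: the block pasted into Auth0's `signingCert` must be an X.509 certificate (not a bare `PUBLIC KEY` block), and its public key must match the private key inside the `.pfx` the ITfoxtec SP signs with. This is an added example, not code from the question, the answer, or Auth0; it assumes the `openssl` CLI is on PATH and uses the file names from the post as arguments.

```shell
#!/bin/sh
# Pre-flight check for an Auth0 signingCert value (added example, assumes openssl CLI).
set -eu

# Classify a PEM file by its header: "certificate", "public-key" or "unknown".
# Auth0's signingCert wants "certificate"; a bare PUBLIC KEY is the shape the question used.
pem_kind() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo certificate
  elif grep -q -- '-----BEGIN PUBLIC KEY-----' "$1"; then
    echo public-key
  else
    echo unknown
  fi
}

# SHA-256 over the DER-encoded public key, so keys pulled from different containers compare equal.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# $1 = pfx path, $2 = pfx password (the same values CertificateUtil.Load receives server side)
pfx_pubkey_fp() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" | openssl pkey -pubout -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 when $1 is a certificate whose key matches the private key in pfx $2 (password $3),
# 1 when the PEM is not a certificate, 2 when the keys differ.
check_signing_cert() {
  cert="$1"; pfx="$2"; pass="$3"
  kind=$(pem_kind "$cert")
  if [ "$kind" != certificate ]; then
    echo "signingCert must be an X.509 certificate, got: $kind" >&2
    return 1
  fi
  if [ "$(cert_pubkey_fp "$cert")" != "$(pfx_pubkey_fp "$pfx" "$pass")" ]; then
    echo "certificate public key does not match the private key in $pfx" >&2
    return 2
  fi
  echo "ok: $cert matches $pfx"
}

# Usage with the names from the post:
#   check_signing_cert auth0samlpublic.pem auth0saml.pfx myPassword
```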