Search code examples

Difficulty signing JWT in .NET Framework 4.5 using pre-generated ES512 private key

The goal

I'm trying to make a simple HTTP Post request to an e-payment processing API, and their specifications require me to add a Bearer token to the payload. I.e., rest_request.AddHeader("Authorization", "Bearer " + myToken), the token being a JWT like "abcdefg.hijklmop.qrstuvwxyz".

They have provided an ES512 private PEM key to encode into the JWT as a secret, but I have struggled to understand what exactly I need to do to my key (formatted like below).



I am using .NET Framework 4.5 (it's a legacy system), VB.NET for language, and I have been given a key ID and private key by the API provider.

The API provider needs iss, aud, iat, exp, kid, and jti values in the headers and claims. (I'm not 100% sure what the issuer and audience values should be or why they should be what they are, so any pointers there would also be helpful.)


  • I have been able generate tokens with NuGet libraries JWT, BouncyCastle, jose-jwt, and the generic Microsoft.IdentityModel ones, but without fail tells me my tokens are invalid.
    • The Microsoft libraries don't support ES512
    • JWT, BouncyCastle, and jose-jwt have given me complete tokens though claimed to be "invalid" by the debugger.
  • A significant bummer is that though ECDSa.ImportFromPem does exist, but only in .NET 6.
  • I have basically zero understanding of all this encryption mess, so explain it like I'm 5.
  • All the "similar" questions and form posts I have found don't account for a pre-existing PEM key.

Things I've tried

  • This is the most similar SO question I have found, but I still cannot get anything to work. What is the message string used for? Does it matter?
  • This also seemed close, but used a public key and some magic numbers I don't understand.
  • This looks promising, but lacks some key information about getting/using x, y, and d parameters.
  • I've tried using the BouncyCastle PemReader to no avail.
  • jose-jwt has this section on ES512 keys, and got me inches closer using CNG Keys. However, I don't have a method (or don't understand how to) store the PEM key in order to load it into a CngKey object. (This is my best lead so far.)

Tldr, I have an ES512 PEM key stored as a string that I need to encode as a secret in a JWT Bearer token, but I am stuck in .NET Framework 4.5 and know very little about encryption. Everything I've tried has either crashed or resulted in a 401 unauthorized error response from the API endpoint.


  • Many thanks to Topaco for pointing me in the right direction. Using their code, I was able to make some more progress. But, when I tried their solution, I still ran into this weird could not find file specified error. However, all I needed to do was adjust some IIS settings to resolve that issue. I set up a new app pool, enabled 32-bit applications, and set "Load user profile" to True.

    Unfortunately, I still couldn't generate valid tokens. One issue was getting the right date format, so after some more Googling I modified some code I found to get dates generating in the correct format.

    Later, after meeting with a developer from the payment processor, I realized I was trying to validate my tokens incorrectly. I didn't have the public key to go with my private key, so I was doomed to get "Invalid Token" on I then checked the tokens generated with Topaco's first solution using CngKey's, and my token was indeed valid. Once I knew there wasn't an issue with the tokens, I also fixed the API link I was using and voila, my requests were going through!

    All in all, here's a simplified version of the code I have ended up with. All this requires is installing jose-jwt and RestSharp NuGet packages.

    Imports Jose
    Imports RestSharp
    Imports System.Net
    Imports System.Net.Http
    Imports System.Security.Cryptography
    Imports System.Web.Http
    Module MyModule
        Public Const KEY_ID = "...."
        Public Const PRIVATE_KEY =
    "-----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----"
        'Gets proper format for JWT time
        Public Function GetSecondsSinceEpoch(utcTime As DateTime) As Int64
            Return (utcTime - New DateTime(1970, 1, 1, 0, 0, 0)).TotalSeconds
        End Function
        'Removes the enclosure and any whitespace
        Public Shared Function ConvertPkcs8PemToDer(ByVal pkcs8Pem As String) As Byte()
            Dim body As String = pkcs8Pem.Replace("-----BEGIN PRIVATE KEY-----", "").Replace("-----END PRIVATE KEY-----", "").Replace(Environment.NewLine, "")
            Dim reg = New Regex("\s")
            body = reg.Replace(body, "")
            Return Convert.FromBase64String(body)
        End Function
        'Creates a UUID-formatted string.
        Public Shared Function CreateJti() As String
            Return Guid.NewGuid().ToString()
        End Function
        Public Function MakeMyRequest(uri As String, json_body As String) As String
            'Fixes a weird .NET bug
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 Or SecurityProtocolType.Tls12 Or SecurityProtocolType.Tls11 Or SecurityProtocolType.Tls
            'Create RestRequest things 
            Dim rest_uri As New Uri(uri) 'Uri of the API to call
            Dim rest_client As New RestClient With {.BaseUrl = rest_uri}
            Dim rest_request As New RestRequest With {.Method = Method.POST} 'Or whatever Method your API requires
            Dim rest_response As New RestResponse
            'Add JSON body and headers
            rest_request.AddJsonBody(json_body) 'Make sure this matches the API specifications
            rest_request.AddHeader("accept", "application/json")
            rest_request.AddHeader("Content-Type", "application/json")
            'Conver the PEM string to Pkcs8 format, acceptable to CngKey.Import()
            Dim privatePkcs8Der As Byte() = ConvertPkcs8PemToDer(PRIVATE_KEY)
            Dim privateEcKey As CngKey = CngKey.Import(privatePkcs8Der, CngKeyBlobFormat.Pkcs8PrivateBlob)
            'Claims and headers
            Dim iss = "MyIssuer"
            Dim aud = "MyAudience"
            Dim iat = GetSecondsSinceEpoch(Now().ToUniversalTime()) '.ToUniversalTime ensures your local UTC offset doesn't affect the timestamp
            Dim exp = GetSecondsSinceEpoch(Now().AddMinutes(5).ToUniversalTime())
            Dim kid = KEY_ID
            Dim headers = New Dictionary(Of String, Object)() From {
                {"alg", "ES512"},
                {"typ", "JWT"},
                {"kid", KEY_ID} 'Key ID may not be necessary for your scenario, but put whatever extra parameters are required here like username, password, etc
            Dim payload = New Dictionary(Of String, Object)() From {
                {"iss", iss},
                {"aud", aud},
                {"iat", iat},
                {"exp", exp},
                {"jti", CreateJti()}
            'Generate the token using the payload, CngKey, ES512 algorithm, and extra headers
            Dim token = Jose.JWT.Encode(payload, privateEcKey, JwsAlgorithm.ES512, headers)
            'Excecute the request
            rest_request.AddHeader("Authorization", "Bearer " & token)
            rest_response = rest_client.Execute(rest_request)
            'Check for your API's designated response code
            If rest_response.StatusCode <> 201 Then Throw New Exception("An error occurred processing the request.")
            Return rest_response.Content
        End Function
    End Module