Question
· Apr 4, 2023

Why does loading X509 credentials fail when called in the context of a CSP request?

I use the following code to grab the X509 certificate and show the private key:

set x509 = ##class(%SYS.X509Credentials).GetByAlias("foo")
write x509,!
write x509.OwnerList,!
write x509.PrivateKey,!

It works perfectly fine under Studio (e.g. when called from the output window):

29@%SYS.X509Credentials

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKC...

However, it fails when called in the context of a CSP request. I got a stack trace when displaying the content of PrivateKey:

6@%SYS.X509Credentials

0??%Admin_Secure:USE MYNAMESPACE?-e^zPrivateKeyGet+2^%SYS.X509Credentials.1^1e^^User.www.1^1B^zOnPage+7^User.www.1^1e^zPage+8^User.www.1^2$e^CSPDispatch+484^%SYS.cspServer^2$d^CSPDispatch+274^%SYS.cspServer^1&d^zProcessRequest+1^%CSP.Session.1^1!d^Request+665^%SYS.cspServer2^1 d^Request+25^%SYS.cspServer2^1&d^zProcessRequest+1^%CSP.Request.1^1d^css+47^%SYS.cspServer2^1 d^SuperServer+56^%SYS.SERVER^3d^^^0

Any idea what the issue is? Is this done on purpose (e.g. for security reasons)?

I need to open the X509 certificate in order to produce a JWT token:

set status = ##class(%OAuth2.JWKS).AddX509("RS256",x509,.tPrivate)
set status = ##class(%OAuth2.JWT).ObjectToJWT(.JOSE,payload,.tPrivate,,.jwt)

The code above works perfectly in Studio but fails within a CSP request (probably because the x509 object is invalid).

Product version: IRIS 2022.3
$ZV: IRIS for Windows (x86-64) 2021.1 (Build 215U) Wed Jun 9 2021 09:39:22 EDT