Why does loading X509 credentials fail when called in the context of a CSP request?
set x509 = ##class(%SYS.X509Credentials).GetByAlias("foo")
write x509,!
write x509.OwnerList,!
write x509.PrivateKey,!
It works perfectly fine under Studio (e.g. when called from the output window):
29@%SYS.X509Credentials
-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKC...
However, it fails when called in the context of a CSP request. I got a stack trace when displaying the content of PrivateKey:
6@%SYS.X509Credentials
0??%Admin_Secure:USE MYNAMESPACE?-e^zPrivateKeyGet+2^%SYS.X509Credentials.1^1e^^User.www.1^1B^zOnPage+7^User.www.1^1e^zPage+8^User.www.1^2$e^CSPDispatch+484^%SYS.cspServer^2$d^CSPDispatch+274^%SYS.cspServer^1&d^zProcessRequest+1^%CSP.Session.1^1!d^Request+665^%SYS.cspServer2^1 d^Request+25^%SYS.cspServer2^1&d^zProcessRequest+1^%CSP.Request.1^1d^css+47^%SYS.cspServer2^1 d^SuperServer+56^%SYS.SERVER^3d^^^0
Any idea what the issue is? Is this done on purpose? (e.g. for security reasons)
I need to open the x509 certificate in order to produce a JWT token:
set status = ##class(%OAuth2.JWKS).AddX509("RS256",x509,.tPrivate)
set status = ##class(%OAuth2.JWT).ObjectToJWT(.JOSE,payload,.tPrivate,,.jwt)
The code above works perfectly in Studio but fails within a CSP request (probably because the x509 object is invalid).
Try to output %objlasterror:
zw %objlasterror
Based on "%Admin_Secure:USE" it seems like the user who runs the CSP page lacks the USE privilege on the %Admin_Secure resource.
This fixed the issue. Thanks. As info:
zw %objlasterror
This does not output anything.
Did you try to run this after the failed
set x509 = ##class(%SYS.X509Credentials).GetByAlias("foo")
?
Yes I did. Btw: is there a way, using code, to temporarily elevate the current user to perform a specific task? (e.g. to call a function that requires %Admin_Secure)
Yes. See privileged routines
https://docs.intersystems.com/iris20223/csp/docbook/DocBook.UI.Page.cls?...
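
The privilege check and the temporary elevation discussed in this thread, as an added example that is not part of the original posts. The class name `Demo.JWTSigner` and the application name `DemoJWTSigning` are hypothetical; the example assumes a privileged routine application of that name exists, lists this class, and grants a role holding USE on %Admin_Secure.

```objectscript
/// Added example, not code from the thread. Class and application names are hypothetical.
Class Demo.JWTSigner Extends %RegisteredObject
{

/// Assumed privileged routine application granting a role with %Admin_Secure:USE
Parameter PRIVAPP = "DemoJWTSigning";

/// Signs payload with the key stored under alias. JOSE is supplied by the
/// caller, as in the original post. Elevation is limited to this method.
ClassMethod SignJWT(alias As %String, payload As %DynamicObject, ByRef JOSE, Output jwt As %String) As %Status
{
    set jwt = ""
    // Any roles added below are dropped again when this method exits
    new $ROLES

    // Fail with an explicit status instead of a trace inside PrivateKey
    if '$SYSTEM.Security.Check("%Admin_Secure", "USE") {
        // Succeeds only if this class is listed in the application definition
        set sc = $SYSTEM.Security.AddRoles(..#PRIVAPP)
        if $$$ISERR(sc) {
            return sc
        }
        if '$SYSTEM.Security.Check("%Admin_Secure", "USE") {
            return $$$ERROR($$$GeneralError, "User "_$USERNAME_" lacks %Admin_Secure:USE")
        }
    }

    set x509 = ##class(%SYS.X509Credentials).GetByAlias(alias)
    if '$ISOBJECT(x509) {
        return $$$ERROR($$$GeneralError, "No X509 credentials for alias "_alias)
    }

    // Same calls as in the question; the private key is read while elevated
    // and never returned to the caller
    set sc = ##class(%OAuth2.JWKS).AddX509("RS256", x509, .tPrivate)
    if $$$ISERR(sc) {
        return sc
    }
    return ##class(%OAuth2.JWT).ObjectToJWT(.JOSE, payload, .tPrivate, , .jwt)
}

}
```

Keeping the signing inside the method means the CSP user never needs %Admin_Secure:USE outside this one call path, and the CSP page only ever receives the finished token.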