Fix APN JWT signing on Windows Server/IIS and bump to v5.0.1

andrei-m-code · andrei-m-code · commit 37eb6e0a3315 · 2026-03-30T22:40:29.000-04:00
Extract EC private key from PKCS#8 envelope and use ImportECPrivateKey
instead of ImportPkcs8PrivateKey to avoid CNG failure when Load User
Profile is disabled.
diff --git a/CorePush/Apple/ApnSender.cs b/CorePush/Apple/ApnSender.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Concurrent;
 using System.Collections.Generic;
+using System.Formats.Asn1;
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Security.Cryptography;
@@ -131,16 +132,31 @@ private string CreateJwtToken()
         var unsignedJwtData = $"{headerBase64}.{payloadBase64}";
         var unsignedJwtBytes = Encoding.UTF8.GetBytes(unsignedJwtData);
 
-        var privateKeyBytes = Convert.FromBase64String(CryptoHelper.CleanP8Key(settings.P8PrivateKey));
+        var pkcs8Bytes = Convert.FromBase64String(CryptoHelper.CleanP8Key(settings.P8PrivateKey));
+        var ecPrivateKey = ExtractEcPrivateKey(pkcs8Bytes);
 
         using var dsa = ECDsa.Create();
-        dsa.ImportPkcs8PrivateKey(privateKeyBytes, out _);
+        dsa.ImportECPrivateKey(ecPrivateKey, out _);
 
         var signature = dsa.SignData(unsignedJwtBytes, HashAlgorithmName.SHA256);
         var signatureBase64 = Base64UrlEncode(signature);
         return $"{unsignedJwtData}.{signatureBase64}";
     }
 
+    /// <summary>
+    /// Extracts the inner EC private key (SEC 1 / RFC 5915) from a PKCS#8 envelope.
+    /// Using ImportECPrivateKey instead of ImportPkcs8PrivateKey avoids the CNG PKCS#8 import
+    /// path which fails on Windows Server/IIS when "Load User Profile" is disabled.
+    /// </summary>
+    internal static byte[] ExtractEcPrivateKey(byte[] pkcs8PrivateKey)
+    {
+        var reader = new AsnReader(pkcs8PrivateKey, AsnEncodingRules.DER);
+        var pkcs8 = reader.ReadSequence();
+        pkcs8.ReadEncodedValue(); // version
+        pkcs8.ReadSequence();     // algorithm identifier
+        return pkcs8.ReadOctetString(); // SEC 1 EC private key
+    }
+
     private static string Base64UrlEncode(string str)
     {
         var bytes = Encoding.UTF8.GetBytes(str);
diff --git a/CorePush/CorePush.csproj b/CorePush/CorePush.csproj
@@ -10,9 +10,9 @@
     <Summary>Server Side library for sending ✅Web, ✅Android and ✅iOS Push Notifications</Summary>
     <Authors>andrei-m-code</Authors>
 
-    <AssemblyVersion>5.0.0</AssemblyVersion>
-    <FileVersion>5.0.0</FileVersion>
-    <Version>5.0.0</Version>
+    <AssemblyVersion>5.0.1</AssemblyVersion>
+    <FileVersion>5.0.1</FileVersion>
+    <Version>5.0.1</Version>
     
     <PackageProjectUrl>https://github.com/andrei-m-code/CorePush</PackageProjectUrl>
     <RepositoryUrl>https://github.com/andrei-m-code/CorePush</RepositoryUrl>
@@ -25,6 +25,9 @@
     <PackageTags>push-notifications android-push-notifications ios-push-notifications web-push web-push-notifications apn fcm firebase</PackageTags>
 
     <PackageReleaseNotes>
+v5.0.1
+- Fix APN JWT signing failure on Windows Server/IIS when "Load User Profile" is disabled by extracting EC private key from PKCS#8 envelope
+
 v5.0.0
 - Remove BouncyCastle dependency in favor of built-in .NET cryptography
 - Upgrade to .NET 10
