error_description: Client registration metadata malformed or invalid. / unparseable X.509 certificate in x5c chain


Arthur Didion

Oct 26, 2020, 5:53:31 PM
to UDAP
I'm running Visual Studio and I'm trying to do JWT-based Client Registration. I'm relatively new to using JWTs. I'm stuck and I'm hoping someone can offer me some help. I'm getting a "Client registration metadata malformed or invalid" error.

Given the .p12 and .crt file from EMR, I was able to create a RS256 key using OpenSSL.

Using C# I was able to build my JWT as follows:
            var headerDictionary = new Dictionary<string, object>()
            {
                // {"alg", "RS256"},
                {"x5c", new string[]{"-----BEGIN CERTIFICATE-----MIIFMTCCBBmgAwIBAgIIfKGvOzF0T1wwDQYJKoZIhvcNAQELBQAwgbMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTYW4gRGllZ28xEzARBgNVBAoMCkVNUiBEaXJlY3QxPzA9BgNVBAsMNlRlc3QgUEtJIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IChjZXJ0cy5lbXJkaXJlY3QuY29tKTElMCMGA1UEAwwcRU1SIERpcmVjdCBUZXN0IENsaWVudCBTdWJDQTAeFw0yMDEwMDgyMjQzMjZaFw0yMzEwMDgyMjQzMjZaMIG1MQswCQYDVQQGEwJVUzERMA8GA1UECAwIT2tsYWhvbWExKDAmBgNVBAoMH1FWSCBTeXN0ZW1zIExMQyAoc2VsZi1hc3NlcnRlZCkxMzAxBgNVBAsMKlVEQVAgVGVzdCBDZXJ0aWZpY2F0ZSBOT1QgRk9SIFVTRSBXSVRIIFBISTE0MDIGA1UEAwwraHR0cHM6Ly90ZXN0LmhlYWx0aHRvZ28ubWUvdWRhcC1zYW5kYm94L3F2aDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALVcPb6jq5gKMzhI5teDbIXdblklAs+B+uhDpfDPQmY7fgy4s6JLMmDaADuD+tvXQhprnBfdrC6+bb5/rYyeuoKUb3r4oJUsj7SP9nxPxqpR+mC2m4m2vTDjvzjIX3Sn79zUqSW+U6nR6v/DXb/NGxk7sB+i41kCPFpnzqcpbGrRoUXp2fG9vqtETcfE/WoePP9JXyPOjfxpTC7m0DEIiP8A/4cUSRb5GiYVmZTi+yf1RnaRUl3wqZNDf35DNv8f8oKBo4SAfUN9a2mYwNMZvFcZnP/hgto+cVt7I/jUcGZTUxRGy+PTe0SbNv8q3/s338YTcpVZE+mTtFxK9fDeFekCAwEAAaOCAUMwggE/MFkGCCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAoY9aHR0cDovL2NlcnRzLmVtcmRpcmVjdC5jb20vY2VydHMvRU1SRGlyZWN0VGVzdENsaWVudFN1YkNBLmNydDAdBgNVHQ4EFgQUZ0dzX9/3sNCSENKclmPcin8NeTwwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSjlW1rvStRzeHP5ZBv1yZPv90+3jBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY2VydHMuZW1yZGlyZWN0LmNvbS9jcmwvRU1SRGlyZWN0VGVzdENsaWVudFN1YkNBLmNybDAOBgNVHQ8BAf8EBAMCB4AwNgYDVR0RBC8wLYYraHR0cHM6Ly90ZXN0LmhlYWx0aHRvZ28ubWUvdWRhcC1zYW5kYm94L3F2aDANBgkqhkiG9w0BAQsFAAOCAQEAXRPWC72Vi7E4UZVkKH0Hb1krpKXNdup69pWGxfbGRayDm35izA0vQ9rcQIOGgjQrRQuRo4I4cMBb6odiWbVLyqKyfAW/rNPvdNlmkTWHfPiDUXISRQqhTMKsviY3SQ+1S111uxJYTm75IncX41w+FOuvrDcb1xqw6XGOVKZ+Tq05FL3TL7yWkNtgo1x7u5qfcz3AD3Dobn5T30gLmsu12TAhR9Ay37h5H1ZfAQkDcdlu93Y4RAfeqsMkcv/6lniZKbakI46ZnMNeVbN6OToEGvw6NQlE68CLx0QPtVO5pfbcUApzkhVNgqZDFjXm7sMrJeEtfVimsUo/PSfwsSEA2g==-----END CERTIFICATE-----"}},
                {"typ", "JWT"}
            };

            // The claims are sometimes referred to as the payload
            var claimDictionary = new Dictionary<string, object>
            {
                {"iss", "https://test.healthtogo.me/udap-sandbox/qvh"},
                {"sub", "https://test.healthtogo.me/udap-sandbox/qvh"},
                {"aud", "https://test.udap.org/oauth/stage/authz"},  
                {"exp", DateTimeOffset.Now.ToUnixTimeSeconds()+240},
                {"iat", DateTimeOffset.Now.ToUnixTimeSeconds()},
                {"jti", "QVHSInfinedi123"},
                {"client_name", "qvh"},
                {"redirect_uris","https://httpbin.org/anything"},
                {"grant_types","authorization_code"},
                {"response_types","code"},   // not sure about response_types
                {"token_endpoint_auth_method","private_key_jwt"},
                {"scope","test"}
            };

            JWTService.Managers.JWTService jwtService = new JWTService.Managers.JWTService();

            var myJwt = jwtService.GenerateJWTToken(rsaPrivateKey, headerDictionary, claimDictionary);

I decoded my JWT using JWT.IO; my header looks like:

and my payload looks like:

The Signature is Verified.

Using the UDAPTestTool I selected Grant Type: client_credentials with Client IP 199.277.9.180 ip address and started test 3 Trusted dyn client registration. I'm getting an unparseable X.509 certificate in x5c chain.

Do you have any clue what's causing this error?

UDAP

Oct 26, 2020, 6:25:31 PM
to UDAP
Hi Art,
The certificate is unparseable because the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" should not be included in your JWT, just the Base64 encoded part as noted in UDAP DCR Section 2. So, you should remove those two pieces from the string in your x5c array.

--The UDAP Team
UDAP.org
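A small pre-flight check for x5c entries, added here as an example and not code from the thread or from UDAP: it strips the PEM armor exactly as the reply describes (handling both the glued-together string from the post and a normal multi-line PEM), then strict-decodes the Base64 and checks the outer DER SEQUENCE framing that every X.509 certificate starts with. The DER byte strings below are constructed stand-ins for a certificate body, not real certificates.

```python
import base64
import binascii
import re

PEM_ARMOR = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def pem_to_x5c(pem: str) -> str:
    """Reduce a PEM certificate to the bare Base64 DER string an x5c entry expects (RFC 7515 4.1.6)."""
    body = PEM_ARMOR.sub("", pem)
    return "".join(body.split())  # drop the 64-column line breaks openssl emits


def x5c_entry_looks_like_der(entry: str) -> bool:
    """Strict Base64 decode, then check DER framing: tag 0x30 (SEQUENCE) and a length covering the rest."""
    try:
        der = base64.b64decode(entry, validate=True)  # '-' from leftover armor is rejected here
    except (binascii.Error, ValueError):
        return False
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form length: 0x8n followed by n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


# Constructed stand-ins for a certificate body; real X.509 DER is far larger but framed the same way.
SHORT_FORM_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])                 # SEQUENCE { INTEGER 5 }
LONG_FORM_DER = bytes([0x30, 0x81, 0x80, 0x04, 0x7E]) + b"\x00" * 126  # SEQUENCE { OCTET STRING[126] }


def as_posted_pem(der: bytes) -> str:
    """Mimic the original post: armor glued directly onto the Base64 with no newlines."""
    return "-----BEGIN CERTIFICATE-----" + base64.b64encode(der).decode() + "-----END CERTIFICATE-----"


if __name__ == "__main__":
    raw = as_posted_pem(SHORT_FORM_DER)
    print("as posted :", x5c_entry_looks_like_der(raw))            # False: armor breaks the decode
    print("stripped  :", x5c_entry_looks_like_der(pem_to_x5c(raw)))  # True
```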