[.NET-SDK] - SET fallback signs with PKCS#1

Description of the bug:

  1. Update an existing subscriber from FitConnect .NET SDK 2.3.8 to ≥ 2.4.0 (tested with 2.4.2) and keep using the signing key previously used in production.
  2. With this installation, acknowledge a submission in the FIT-Connect production environment (accept or reject).
  3. Observe that JwtSecurityTokenHandler.WriteToken throws a NullReferenceException. As a result, the SDK fallback for SET generation takes over, which signs with RSASignaturePadding.Pkcs1. The ZSD rejects the SET with 422 UnprocessableEntity "Error during SET validation".

Current behavior:

  • The regular token generation (JwtSecurityTokenHandler.WriteToken) fails with a NullReferenceException.
  • The fallback (JwtHelper.MakeJwt) signs with PKCS#1 padding instead of the required RSASSA-PSS (PS512).
  • The ZSD does not accept the Security Event Token ("The signature of the token could not be verified…"), so the acknowledgement fails.

Expected behavior:

  • The SDK generates the SET consistently with RSASSA-PSS (alg: PS512), so that the SET is accepted.

Environments:

PROD, STAGE

Additional Information:

  • FitConnect .NET SDK 2.4.2 (bug present since 2.4.x)
  • With SDK 2.3.8 the problem does not occur, because the padding in the fallback is correct

Dependency / relationship to other issues:

Responsible person / team:

Transfer history to different teams

Contact persons including contact details:

Screenshots / Logs / Requests:

FitConnect.Exceptions.FitConnectSubscriberException: 'Error while completing submission' 2 of 2 Inner Exceptions HttpRequestException: POST - https://prod.fit-connect.fitko.net/submission-api/v1/cases/156e849b-78bf-48e2-a926-c37048c6388b/events - UnprocessableEntity {"type":"https://schema.fitko.de/fit-connect/submission-api/problems/security-event-token-validation", "title":"Error during SET validation", "status":422, "detail":"There was a problem during the processing of the provided SET", "instance":"/submission-api/v1/cases/156e849b-78bf-48e2-a926-c37048c6388b/events", "issue":"The signature of the token could not be verified with the specified key.", "errorcode":"102bdf82-f93d-4d47-8c45-03b3e7f4cdd0"}

2025-09-19 13:30:40.620 +02:00 [ERR] Regular token generation failed! System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.IdentityModel.Tokens.AsymmetricAdapter.SignRsa(Byte[] bytes)
   at Microsoft.IdentityModel.Tokens.AsymmetricAdapter.Sign(Byte[] input)
   at Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider.Sign(Byte[] input)
   at Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(String input, SigningCredentials signingCredentials)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken(SecurityToken token)
   at FitConnect.Encryption.FitEncryption.CreateSecurityEventToken(Guid submissionId, Guid destinationId, Events submissionEvent, Boolean skipSetValidation, String signingKeyJson)

2025-09-19 13:30:40.621 +02:00 [WRN] Fallback for Token generation. Manually creating token ...
2025-09-19 13:30:40.714 +02:00 [ERR] Error calling POST - /submission-api/v1/cases/156e849b-78bf-48e2-a926-c37048c6388b/events

Checklist:

  • Add Severity label
  • Add team label
  • Related/affected issues/stories/epics linked and explained in the bug issue
  • Creation of an automated test
  • Bugfix deployed on DEV
  • Bugfix tested on DEV
  • Bugfix deployed on TEST
  • Bugfix tested on TEST (possibly also by the connection project itself)
  • Successful fix reported to Team Operations (Teams channel)
  • Bugfix deployed on STAGE
  • Bugfix tested on STAGE if necessary
  • Bugfix deployed on PROD
  • Bugfix tested on PROD (possibly also by the connection project itself)
  • Final communication by Team Operations if necessary
  • Internal documentation was checked and updated if necessary
  • External documentation has been checked and updated if necessary
  • Updated changelog if necessary

Approach/Solution:

In JwtHelper.cs, line 42, change RSASignaturePadding.Pkcs1 to RSASignaturePadding.Pss. After that, the SET generated by the fallback is accepted by the ZSD. Tested on STAGE.

Release version of the artifact:

Edited by Fabian Braun
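
The padding mismatch described in this issue can be reproduced offline, which is also a starting point for the automated test named in the checklist. This is an added example, not code from the FitConnect SDK: `MakeToken` and `VerifiesAsPs512` are hypothetical helpers, the key is a throwaway, and the header and claims are constructed placeholders. It signs the same PS512-labelled token once with each padding and checks both the way a PS512 verifier would, showing that only the PSS-signed token verifies.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed sample: throwaway key and placeholder claims, not a real FIT-Connect SET.
using RSA rsa = RSA.Create(4096);
const string Header = "{\"alg\":\"PS512\",\"typ\":\"secevent+jwt\"}";
const string Claims = "{\"sub\":\"submission:placeholder\"}";

// Same header and claims, signed once with each padding.
string viaPkcs1 = MakeToken(rsa, RSASignaturePadding.Pkcs1); // padding the issue reports for the fallback
string viaPss   = MakeToken(rsa, RSASignaturePadding.Pss);   // padding proposed in the fix

Console.WriteLine($"PKCS#1 v1.5 signature verifies as PS512: {VerifiesAsPs512(viaPkcs1, rsa)}");
Console.WriteLine($"PSS signature verifies as PS512:         {VerifiesAsPs512(viaPss, rsa)}");

// Hypothetical helper: builds a compact JWS over the constructed header and claims.
string MakeToken(RSA key, RSASignaturePadding padding)
{
    string input = B64Url(Encoding.UTF8.GetBytes(Header)) + "." + B64Url(Encoding.UTF8.GetBytes(Claims));
    byte[] sig = key.SignData(Encoding.ASCII.GetBytes(input), HashAlgorithmName.SHA512, padding);
    return input + "." + B64Url(sig);
}

// Hypothetical helper: verifies the way a PS512 verifier must, with SHA-512 and PSS.
bool VerifiesAsPs512(string jws, RSA key)
{
    string[] parts = jws.Split('.');
    if (parts.Length != 3) return false;
    byte[] input = Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]);
    return key.VerifyData(input, FromB64Url(parts[2]), HashAlgorithmName.SHA512, RSASignaturePadding.Pss);
}

string B64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

byte[] FromB64Url(string s)
{
    s = s.Replace('-', '+').Replace('_', '/');
    return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
}
```

Running the same `VerifiesAsPs512` check against the output of both the regular and the fallback token path would catch a padding regression before a token reaches the ZSD.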