JWT module errors out on RSA 4096 length keys

I have the following test keys that I am using to perform JWT validation on:

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----

and here is my request with the JWT:

curl -k -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTY1NjcyMzg3Mywic3ViIjoiYWRtaW4iLCJyb2xlcyI6ImFkbWluIn0.E0p_41R2qzm7UNioF8vW3Lt_OwGoCwo187c6Lt-LNSG8cnKNZTrEEkUCTV2iO-1BpWrekUY7v5WiTm0hV55YZqg62cHl5T_KVrQvTjO1ozLAfMiZnVeTCEI7EgR1xc_nKqmknhU6ogtVOrnGWBixU2lyPEGePa31niU98lyX4cWKtr2Ti4xNWrbeSwSXjqspEwG7-tmArUorgS5rJ20KtxAOj8FAXZhVPL1aC-VUTo9caXSgEl6-ktFKoDfm-lX7Snnsx5sPdX90zIugmllVPq_mUD75m5HiOhMlG4OkFVTc8aQ2WhrJqTOV4MFPYCSyz50RcTelqwG-MMKDrXzguUApyM4yVOynKhghdaEGDJBh6FIi8AOS8mHWxXwzd6VnZeLNmAFDw5Jm-IdI2T_tVeDc24BFJCG6zODiY3DAmOwLKpKSYeEU29sgeLA7M5-Q1BU4jF4LhelaE0E5kwtOO8MRWFAIsyoFCCuFqoP6W50achMQQi95h-KWtlHNKmrJs6Z2tCk7GwkyTgFPc76wAAioIhJnfXGNE_RQq0RRmtR6Kuzd-DPr4exrX6tmuUb2B3fGYkEeFXOWmXa1bg-DDLTWpVlkH3_Zsw3XS7wNwIMNzZQsDpXv5fzFtD3sajANPUjs0zsqE4asLBjMbSM4ohOrth6IV2JkBhrpuNYIHdU" https://localhost:9200

Here’s my sg_config.yml

jwt_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: jwt
    challenge: false
    config:
      signing_key: >
        -----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
      jwt_header: "Authorization"
      jwt_url_parameter: null
      roles_key: roles
      subject_key: sub
  authentication_backend:
    type: noop

Both keys and the JWT token are valid when checked with [jwt.io](http://jwt.io); however, JWT throws this error at runtime.

java.lang.IllegalArgumentException: Key bytes can only be specified for HMAC signatures. Please specify a PublicKey or PrivateKey instance.
    at io.jsonwebtoken.lang.Assert.isTrue(Assert.java:38) ~[jjwt-0.8.0.jar:0.8.0]
    at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:324) ~[jjwt-0.8.0.jar:0.8.0]
    at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481) ~[jjwt-0.8.0.jar:0.8.0]
    at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[jjwt-0.8.0.jar:0.8.0]

This is a little weird: if I hardcode the public key into the code like this inside the HTTPJwtAuthenticator, the whole thing works!


String signingKey = "-----BEGIN PUBLIC KEY-----\n" +
        "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApJubKdzjmxriryviTEPN\n" +
        "85qX8SzcDbseBjJXJzrt3Xn0mk7+7ZxWDnB5Qh/TvZoHGOcaVeoRIzBi1AdX20az\n" +
        "x7oAzfMLI48sDEptwJgd87Mg6UmvXlPOkvRypUSP8pFrOUg+aQ75qRsQkXBBWMIO\n" +
        "qBZiDXVrMHY1+Q1LOJR1aWFjIlL1WNZecTNJ9UfPhjxW7WJRmI3/EXPbD/OEeC7J\n" +
        "mD/nifofYUQUavggcirKI0KM17ENLdyZy3aWfpKOXqZJByfbp5AXmWoWcNZqsiHy\n" +
        "KL/sK/nmX86jwKRHvIOQv9IBlPCNSxNr6IQox/BHqZssvY2J65UHOaTJ408x7IQT\n" +
        "FQIDAQAB\n" +
        "-----END PUBLIC KEY-----";

However if I try reading it from sg_config.yml as shown above, it fails.

I think you need to use a different yaml syntax for multiline keys:

signing_key: |-
  -----BEGIN PUBLIC KEY-----
  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjo
  go3WojgGHFHYLugdUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bv
  -----END PUBLIC KEY-----

Note the “|-” instead of “>”


On Thursday, May 10, 2018 at 11:50:55 PM UTC+2, .mni wrote:

This is a little weird: if I hardcode the public key into the code like this inside the HTTPJwtAuthenticator, the whole thing works!



String signingKey = "-----BEGIN PUBLIC KEY-----\n" +
        "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApJubKdzjmxriryviTEPN\n" +
        "85qX8SzcDbseBjJXJzrt3Xn0mk7+7ZxWDnB5Qh/TvZoHGOcaVeoRIzBi1AdX20az\n" +
        "x7oAzfMLI48sDEptwJgd87Mg6UmvXlPOkvRypUSP8pFrOUg+aQ75qRsQkXBBWMIO\n" +
        "qBZiDXVrMHY1+Q1LOJR1aWFjIlL1WNZecTNJ9UfPhjxW7WJRmI3/EXPbD/OEeC7J\n" +
        "mD/nifofYUQUavggcirKI0KM17ENLdyZy3aWfpKOXqZJByfbp5AXmWoWcNZqsiHy\n" +
        "KL/sK/nmX86jwKRHvIOQv9IBlPCNSxNr6IQox/BHqZssvY2J65UHOaTJ408x7IQT\n" +
        "FQIDAQAB\n" +
        "-----END PUBLIC KEY-----";


However if I try reading it from sg_config.yml as shown above, it fails.
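
To see what each block scalar style hands to the application, this added example (not part of the thread and not Search Guard code) loads a signing_key entry written with ">" and with "|-" through Ruby's bundled YAML parser and compares the result with the string hardcoded in the first post. The helper names config_with, loaded_key and pem_shaped? are hypothetical, and the config fragment is constructed around the public key quoted in that post.

```ruby
require 'yaml'

# Public key exactly as hardcoded in the Java snippet from the first post,
# the form that worked: lines joined by "\n", no trailing newline.
HARDCODED = [
  "-----BEGIN PUBLIC KEY-----",
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApJubKdzjmxriryviTEPN",
  "85qX8SzcDbseBjJXJzrt3Xn0mk7+7ZxWDnB5Qh/TvZoHGOcaVeoRIzBi1AdX20az",
  "x7oAzfMLI48sDEptwJgd87Mg6UmvXlPOkvRypUSP8pFrOUg+aQ75qRsQkXBBWMIO",
  "qBZiDXVrMHY1+Q1LOJR1aWFjIlL1WNZecTNJ9UfPhjxW7WJRmI3/EXPbD/OEeC7J",
  "mD/nifofYUQUavggcirKI0KM17ENLdyZy3aWfpKOXqZJByfbp5AXmWoWcNZqsiHy",
  "KL/sK/nmX86jwKRHvIOQv9IBlPCNSxNr6IQox/BHqZssvY2J65UHOaTJ408x7IQT",
  "FQIDAQAB",
  "-----END PUBLIC KEY-----"
].join("\n")

# Constructed config fragment: signing_key written with the given block
# scalar indicator (">" folded, "|-" literal with the final newline stripped).
def config_with(indicator)
  body = HARDCODED.lines.map { |l| "  #{l.chomp}\n" }.join
  "signing_key: #{indicator}\n#{body}jwt_header: \"Authorization\"\n"
end

# The string the YAML loader hands to the application for signing_key.
def loaded_key(indicator)
  YAML.safe_load(config_with(indicator))["signing_key"]
end

# Hypothetical strict check: header line, Base64 body lines, footer line.
def pem_shaped?(text)
  lines = text.chomp.split("\n")
  return false unless lines.length > 2 &&
                      lines.first == "-----BEGIN PUBLIC KEY-----" &&
                      lines.last == "-----END PUBLIC KEY-----"
  lines[1..-2].join.unpack1("m0") # strict Base64: raises ArgumentError on invalid input
  true
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  [">", "|-"].each do |ind|
    key = loaded_key(ind)
    puts format("%-2s newlines=%d same_as_hardcoded=%s pem_shaped=%s",
                ind, key.count("\n"), key == HARDCODED, pem_shaped?(key))
    puts "   starts with: #{key[0, 40].inspect}"
  end
end
```

With ">" the loader folds every line break into a space and keeps one trailing newline, so the header, Base64 body and footer arrive as a single line; with "|-" the value is byte-for-byte the hardcoded string.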

Thanks! That helps!


On Friday, May 11, 2018 at 3:21:42 AM UTC-6, Jochen Kressin wrote:

I think you need to use a different yaml syntax for multiline keys:

signing_key: |-
  -----BEGIN PUBLIC KEY-----
  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjo
  go3WojgGHFHYLugdUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bv
  -----END PUBLIC KEY-----

Note the “|-” instead of “>”
