
no start line - RS256 #7

Closed
freman opened this issue Oct 12, 2015 · 16 comments

Comments

@freman

freman commented Oct 12, 2015

Greetings.

I'm not sure if it's something I'm completely borking up, but I can't see another way to do it.

We use your library to send JWTs from our frontends to our backends out of paranoia - this is working great, PHP has no trouble decoding these.

I am now trying to use your library to accept a JWT from a different provider (encoded with go-jwt)

This is the public key

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0UJybPz2/GQAGh/Ri3rvsv60h
fYB3JzoZpWzKBPPXeHC/w7rnOSdOjeqLT4evgfRXjsld9Rx5GYXARiEicTl1l9DU
+P9xk0eptU/Cawz003/XT5tPX+uhmFcC3zIa3oUb/25Kq+IPeq1AUTK9PcJsohFk
pcgtuZvphRLKvFA8uQIDAQAB
-----END PUBLIC KEY-----

This is the token

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NDQ2OTQxNzksImlhdCI6MTQ0NDY1MDk3OSwiaXAiOiIxNzIuMTYuMjAzLjEiLCJuYmYiOjE0NDQ2NTA5NzksInVzZXIiOiJzaGFubm9uLnd5bnRlciJ9.PLEe64xKFGpkwrX2OameIT6_xSpl5mW_BxFmI4sz20SS_jOaemWrwUBB4gMIUm9LwhxUWTAr5wdLMF30bDJLSfQamf2VeggGMzvjKMQdbJcOPzT6QPmuITAju7bn6WzLzEE5cThIXhOCEdNGKf1xDp9om9T8HVZ15nWpuwwvqwo

This is the output

{"payload":{"nbf":1444650979,"ip":"172.16.203.1","exp":1444694179,"user":"shannon.wynter","iat":1444650979},"reason":"no start line","raw_header":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9","valid":true,"header":{"alg":"RS256","typ":"JWT"},"signature":"PLEe64xKFGpkwrX2OameIT6_xSpl5mW_BxFmI4sz20SS_jOaemWrwUBB4gMIUm9LwhxUWTAr5wdLMF30bDJLSfQamf2VeggGMzvjKMQdbJcOPzT6QPmuITAju7bn6WzLzEE5cThIXhOCEdNGKf1xDp9om9T8HVZ15nWpuwwvqwo","verified":false,"raw_payload":"eyJleHAiOjE0NDQ2OTQxNzksImlhdCI6MTQ0NDY1MDk3OSwiaXAiOiIxNzIuMTYuMjAzLjEiLCJuYmYiOjE0NDQ2NTA5NzksInVzZXIiOiJzaGFubm9uLnd5bnRlciJ9"}

And this is how I get that

local jwt = require "resty.jwt"
local cjson = require "cjson"

-- the token arrives in the "lda" cookie
local cookie_value = ngx.var.cookie_lda
if (cookie_value == nil) then
    ngx.exit(401)
else
    local public_key = [[-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0UJybPz2/GQAGh/Ri3rvsv60h
fYB3JzoZpWzKBPPXeHC/w7rnOSdOjeqLT4evgfRXjsld9Rx5GYXARiEicTl1l9DU
+P9xk0eptU/Cawz003/XT5tPX+uhmFcC3zIa3oUb/25Kq+IPeq1AUTK9PcJsohFk
pcgtuZvphRLKvFA8uQIDAQAB
-----END PUBLIC KEY-----]]

    -- verify() returns a table; jwt_obj.verified and jwt_obj.reason carry the result
    local jwt_obj = jwt:verify(public_key, cookie_value)
    ngx.log(ngx.ERR, cjson.encode(jwt_obj))
end

The debug tool at jwt.io says it's a verified signature but this library won't verify it saying "no start line"

Any help?

@SkyLothar
Owner

Got this, I'll look at it in a few hours.

@tanica

tanica commented Feb 5, 2016

Has it been resolved? I am getting the same reason "no start line". If I remove the start line of the key, I get "wrong tag"

@tanica

tanica commented Feb 6, 2016

For all the poor lost souls out there who were brought here by a Google search: "no start line" - in this case I needed a certificate file rather than a public key. Turn your public key into a certificate and you are good to go!

@SkyLothar
Owner

For all the poor lost souls out there who were brought here by a Google search: "no start line" - in this case I needed a certificate file rather than a public key. Turn your public key into a certificate and you are good to go!

thanks @tanica !

@swynter-ladbrokes

We knew this was a solution, but with other libraries (and indeed jwt.io) it's not a requirement.

@nicklathe

Is there an example of how people here accomplished this? I have the same problem as @freman. I'd love to know how @tanica went about creating a certificate file from a public key. Also, how are you passing in that file to the verify function? Are you reading it with io.read and saving that to a variable? Thanks.

@bdmesh

bdmesh commented Feb 19, 2016

@tanica @swynter-ladbrokes @SkyLothar - I'm working with Nick, so just adding more to his question as we've found ourselves a bit up against the clock... We've tried all kinds of different openssl calls to try to generate a crt from a pem, but are seeing the same "no start line" error from openssl when we try that. And we've been searching online for how-tos but can't seem to find anything that works for going from a public key to a cert. We know we've at least got the pem generally right, as we can use it to perform a working validity check in node.

We're also guessing that the requirement here is not that the key is read specifically from a file in the lua code, but rather that the reference to a cert file has to do with how the data is converted... and that if we wanted (though not really desired) we could hardcode the resultant content of a cert into our lua module variable directly and it should still work. Is that correct?

But the primary question is still specifically how we can convert our pem key to the necessary form that this module requires. Thanks in advance for any help!!

@atanasova

So I created a shell script in which I put these commands, because I needed some different types of keys. Here is what I had:

#!/bin/bash
set -e
KEYNAME=$1

# private key, then the public key as PEM and DER, plus a PKCS#8 copy of the private key
openssl genrsa -out "$KEYNAME.pem" 2048
openssl rsa -in "$KEYNAME.pem" -outform PEM -pubout -out "$KEYNAME.pub"
openssl pkcs8 -topk8 -inform PEM -outform DER -in "$KEYNAME.pem" -out "$KEYNAME.pkcs8" -nocrypt
openssl rsa -in "$KEYNAME.pem" -pubout -outform DER -out "$KEYNAME.pub.der"

# a CSR for the key, then a self-signed certificate from it (this is the file the library accepts)
openssl req -new -days 3600 -key "$KEYNAME.pem" -out pubcert
RANDFILE=temp openssl x509 -req -in pubcert -signkey "$KEYNAME.pem" -out certificate

The file you will need to use will be called certificate. Run the script like this: ./shell_script.sh mykeyname
where mykeyname is your key pair name.
Good luck!

@theganyo

Is there any movement on this? Or has anyone been able to convert a PEM public key to a format accepted by this library?

@atanasova

Both tanica & atanasova users are me, I posted the reply with my work account. The shell script above should work! good luck!

@theganyo

@atanasova Thanks! That's a great script to create a new cert and all the associate assets and that will work well for testing.

However, unless I'm missing something, I don't think that solves the issue of converting an existing PEM to a certificate that can be used. I need to use a PEM public key I've been given. So either I need to convert it to a format that this library takes or I need to modify the library to accept the PEM.

@atanasova

unfortunately no, it won't work with PEM. You can use openssl to convert to Certificate. Unfortunately this is the only Lua lib I found that will validate RSA keys

@WuTheFWasThat
Contributor

I ran into this problem as well - luckily I had access to the private key and could generate a certificate. I do think the library should accept a public key, though. It looks like all it does with the certificate is get a public key from it: https://github.com/SkyLothar/lua-resty-jwt/blob/master/lib/resty/evp.lua. So maybe the fix isn't too bad?

@theganyo
Copy link

I've made some mods to make this work you are welcome to try.
https://github.com/theganyo/lua-resty-jwt

Just use as normal but pass in your public_key (PEM string):

local jwt_obj = jwt:verify(public_key, jwt_token)

It has worked for me, but I haven't spent much time testing it.
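Three points in this thread are worth seeing in running code: tanica's finding that the loader wanted a CERTIFICATE block and so reported "no start line" for a PUBLIC KEY block, WuTheFWasThat's observation that the certificate is only used to get a public key out of it, and theganyo's fork that takes the PEM public key directly. The block below is an added example written for this page, not code from lua-resty-jwt or from any commenter. It uses only the Python standard library, the public key and token freman posted above (copied verbatim), and a small pem_read helper that imitates OpenSSL's PEM loader: a PEM_read_bio_* call skips blocks whose label is not the one it was asked for and reports "no start line" when it reaches the end without a match, which is exactly what happens when PEM_read_bio_X509 is pointed at a "-----BEGIN PUBLIC KEY-----" file. The function names, the minimal DER walk and the alg check are mine; the DigestInfo prefix is the standard SHA-256 one from RFC 8017.

```python
"""Verify the RS256 token from this issue against the bare PEM public key,
stdlib only, and reproduce why a loader that insists on a CERTIFICATE
block says "no start line" for that key.
Added example for this thread; not code from lua-resty-jwt."""
import base64
import hashlib
import hmac
import json
import re

# Copied from the issue: freman's SPKI public key and the go-jwt token.
PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0UJybPz2/GQAGh/Ri3rvsv60h
fYB3JzoZpWzKBPPXeHC/w7rnOSdOjeqLT4evgfRXjsld9Rx5GYXARiEicTl1l9DU
+P9xk0eptU/Cawz003/XT5tPX+uhmFcC3zIa3oUb/25Kq+IPeq1AUTK9PcJsohFk
pcgtuZvphRLKvFA8uQIDAQAB
-----END PUBLIC KEY-----"""
TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJleHAiOjE0NDQ2OTQxNzksImlhdCI6MTQ0NDY1MDk3OSwiaXAiOiIxNzIuMTYuMjAzLjEiLCJuYmYiOjE0NDQ2NTA5NzksInVzZXIiOiJzaGFubm9uLnd5bnRlciJ9."
    "PLEe64xKFGpkwrX2OameIT6_xSpl5mW_BxFmI4sz20SS_jOaemWrwUBB4gMIUm9LwhxUWTAr5wdLMF30bDJLSfQamf2VeggGMzvjKMQdbJcOPzT6QPmuITAju7bn6WzLzEE5cThIXhOCEdNGKf1xDp9om9T8HVZ15nWpuwwvqwo"
)

PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# DigestInfo prefix for SHA-256 in EMSA-PKCS1-v1_5 (RFC 8017, section 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def pem_labels(pem):
    """Labels of every PEM block in the text, e.g. ['PUBLIC KEY']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem)]


def pem_read(pem, expected_label):
    """Imitates OpenSSL's PEM_read_bio_*: DER of the first block carrying the
    label the caller asked for. Other labels are skipped, and reaching the end
    without a match is what OpenSSL reports as 'no start line'."""
    for m in PEM_BLOCK.finditer(pem):
        if m.group(1) == expected_label:
            return base64.b64decode(m.group(2))
    raise ValueError("no start line: wanted BEGIN %s, file has %s"
                     % (expected_label, pem_labels(pem) or "no PEM block"))


def der_tlv(buf, pos):
    """One DER element at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def rsa_public_numbers(spki_der):
    """(n, e) from a SubjectPublicKeyInfo:
    SEQ { SEQ { oid, NULL }, BIT STRING { SEQ { INTEGER n, INTEGER e } } }."""
    tag, pos, _ = der_tlv(spki_der, 0)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    _, _, alg_end = der_tlv(spki_der, pos)            # AlgorithmIdentifier
    tag, pos, _ = der_tlv(spki_der, alg_end)          # BIT STRING
    assert tag == 0x03 and spki_der[pos] == 0, "expected BIT STRING, 0 unused bits"
    tag, pos, _ = der_tlv(spki_der, pos + 1)          # RSAPublicKey SEQUENCE
    assert tag == 0x30
    tag, n_start, n_end = der_tlv(spki_der, pos)
    assert tag == 0x02
    tag, e_start, e_end = der_tlv(spki_der, n_end)
    assert tag == 0x02
    return (int.from_bytes(spki_der[n_start:n_end], "big"),
            int.from_bytes(spki_der[e_start:e_end], "big"))


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def rs256_verify(public_key_pem, token):
    """Return (verified, claims). Signature only: the caller still has to
    check exp/nbf (the token above expired in October 2015)."""
    n, e = rsa_public_numbers(pem_read(public_key_pem, "PUBLIC KEY"))
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":       # the key fixes the algorithm, not the token
        return False, None
    sig = b64url_decode(sig_b64)
    k = (n.bit_length() + 7) // 8           # modulus length in bytes
    if len(sig) != k:
        return False, None
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    digest = hashlib.sha256((header_b64 + "." + payload_b64).encode("ascii")).digest()
    t = SHA256_DIGESTINFO + digest
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    if not hmac.compare_digest(em, expected):
        return False, None
    return True, json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    print("PEM labels:", pem_labels(PUBLIC_KEY_PEM))
    try:
        pem_read(PUBLIC_KEY_PEM, "CERTIFICATE")  # what the certificate loader asks for
    except ValueError as err:
        print("loading as certificate:", err)
    print("RS256 verify with the public key:", rs256_verify(PUBLIC_KEY_PEM, TOKEN))
```

Run it and the first line shows the file contains exactly one block, labelled PUBLIC KEY; asking for CERTIFICATE fails with the same "no start line" wording the library surfaced, while handing the same bytes to the RSA verification succeeds, which is the whole point of theganyo's change: nothing about RS256 needs a certificate, only the modulus and exponent. Keep the alg check when adapting this: a verifier that lets the token header choose the algorithm can be talked into treating the public key as an HMAC secret.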

@clwang

clwang commented Mar 29, 2016

@theganyo - I've pulled down your fork since I need to do some verification of the JWT using the PEM file. From what I have tested it seems to work.

@theganyo

@clwang Great! Thanks for verifying!

10 participants