
Failing to generate JWT using a password protected private key.

I am not able to generate a JWT using a password-protected private key. I am getting the following response:

{
    "fault": {
        "faultstring": "Failed to parse key: policy(Generate-JWT-Token) ",
        "detail": {
            "errorcode": "steps.jwt.KeyParsingFailed"
        }
    }
}

I am not sure if the policy is able to consume the password protected private key in this case. I might be missing something here. Please help.

Here is my setup

1. I have generated the PEM (password-protected private key) using the following command

openssl pkcs12 -in tokensigning.pfx -nocerts -out token-private-key.pem

Here are the encryption method details from the PFX:

openssl pkcs12 -info -in tokensigning.pfx -noout

Output:
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000

Private Key

Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00 
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    friendlyName: some-friendly-name-16a8f7db122f
Key Attributes
    X509v3 Key Usage: 10 
-----BEGIN ENCRYPTED PRIVATE KEY-----
key data.......
-----END ENCRYPTED PRIVATE KEY-----


KeyValueMap Policy

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyValueMapOperations name="KVM-GetTokenSigningPrivateKey" mapIdentifier="oauth-token-signing">
    <Scope>environment</Scope>
    <ExpiryTimeInSecs>15</ExpiryTimeInSecs>
    <Get assignTo="private.private-key">
        <Key>
            <Parameter>privatekey</Parameter>
        </Key>
    </Get>
    <Get assignTo="private.privatekey-password">
        <Key>
            <Parameter>privatekey-password</Parameter>
        </Key>
    </Get>
</KeyValueMapOperations>


Generate JWT policy

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateJWT name="Generate-JWT-Token">
    <Algorithm>RS256</Algorithm>
    <PrivateKey>
        <Value ref="private.private-key"/>
        <Password ref="private.privatekey-password"/>
        <Id>unique-identifier-for-privatekey-here</Id>
    </PrivateKey>
    <Subject>ABCD</Subject>
    <Issuer>urn://1a4b40567d5a</Issuer>
    <Audience>urn://api.dev</Audience>
    <ExpiresIn>60m</ExpiresIn>
    <AdditionalClaims>
        <Claim name="apigee-proxy" ref="apiproxy.name"/>
        <Claim name="messageid" ref="messageid"/>
        <Claim name="request-path" ref="request.path"/>
        <Claim name="apigee-org" ref="organization.name"/>
        <Claim name="apigee-env" ref="environment.name"/>
    </AdditionalClaims>
    <OutputVariable>output-jwt</OutputVariable>
</GenerateJWT> 
ACCEPTED SOLUTION

The GenerateJWT policy in Apigee Edge is pretty limited in the kind of encryption you can use on your private key. In short, you need to use DES-EDE3-CBC, today, and you need to use the old serialization format, which looks like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,97B6E793909D97A345CB0CDBA89F8516

SyO+gWBhcwiqluLoETYkis1YkQsa7XiteXvsixgiu8NnQpOLbJc28WngSFc7Y0Qq
pARMGGqFZbaFfP91LYmZQv37p5rlWllGpOqQudYCdEWjR+MMSZ7eqRcc2gDKSDAz
+y7+0oYEkZG9qt1n2fkpsA_THIS_IS_NOT_A_REAL_KEY_87ctbqlW16fLM8fRbV
eGtYP0nb24tq9ZtO47jzlcMvGy9WTfYRCZAuYeZfmQo4nlBoWrVK7c/0+jprvvna
gmbQouafPH86qsC5UswSg7SuwFbReEiU25hPWxVN4BWoK7Yc/4lihFg/QLd+b6Zs
dog8hj5bFdRYH2rOuV6gKj0FNmYAlfVOuclV9c8Z7h0DyC2oBmF0T3MCUyl0S0gZ
-----END RSA PRIVATE KEY-----

As I type this, there is a release being rolled out to the Edge cloud that supports a wide variety of encryption algorithms. It also supports both the older serialization format, shown above, and the newer serialization format, which looks like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICXjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIH4x6YwuP+HICAggA
MBQGCCqGSIb3DQMHBAifETAsGQulyASCAhhiYS2ZyhBNMh6zVzYZwUdTfWGwOXIU
0oEkZG9qt1n2fkpsA_THIS_IS_ALSO_NOT_A_REAL_KEY_87ctbqlW16fLM8fRbV
gvaZfwfnWXGrBPmIZEdx8fL4NrfDHLs409BFAqWFgFPKyeJGTO9sIdpKjdRjD33X
8SxW+wORheOafjrZlLargzEDoA9cxuFglNcMXRyTp+0i3A/e9VU3OWCAG4j+xKAW
NnvBAT+97XcpOu1DMHBiH8UOcrNxXFuR38MwU8EIT8eMzmAnw5yTNS+un+tPPzcD
bDqOFr8NhZ9BYfxsQfu05mQwt6hgEPRDSoHVSTeyqWTUDw==
-----END ENCRYPTED PRIVATE KEY-----

There are other changes coming to the JWT policies, and I've written about them in some detail, here.

This updated release is being rolled out to Asia Pacific and the EU now, and to North and South America soon. Check the status page for details and updates.

When this release becomes available for you, you must specify the key PEM in a form like the above. It should not have extraneous material like so:

Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00 
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    friendlyName: some-friendly-name-16a8f7db122f
Key Attributes
    X509v3 Key Usage: 10 
-----BEGIN ENCRYPTED PRIVATE KEY-----
key data.......
-----END ENCRYPTED PRIVATE KEY-----

Just start with the header and end with the footer.

-----BEGIN ENCRYPTED PRIVATE KEY-----
key data.......
-----END ENCRYPTED PRIVATE KEY-----

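The conversion the accepted answer describes, as an added example that is not part of the original post and not Apigee's own tooling. It rebuilds the question's setup with a throwaway key (a self-signed cert packed into a demo tokensigning.pfx), runs the same `openssl pkcs12 -nocerts` export, and then produces the key in the form the answer says the older Edge release accepts: the traditional "BEGIN RSA PRIVATE KEY" serialization, encrypted with DES-EDE3-CBC, with nothing outside the BEGIN/END lines. The file names, passwords and friendly name are constructed for the demo; the `check_legacy_pem` pre-flight is a hypothetical helper, not something the policy provides.

```shell
#!/bin/sh
# Added example, not code from the original post or from Apigee.
# Reproduces the question's export with a throwaway key, then writes the key
# the way the accepted answer says the GenerateJWT policy wants it:
# old serialization (BEGIN RSA PRIVATE KEY + Proc-Type/DEK-Info), DES-EDE3-CBC,
# and nothing outside the BEGIN/END lines. Names and passwords are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="pfx-password"   # constructed: password of the demo .pfx
KEY_PASS="key-password"   # constructed: password the PEM (and the KVM entry) carries

# Stand-in for tokensigning.pfx: fresh RSA key, self-signed cert, PKCS#12 bundle.
make_demo_pfx() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/plain.pem" 2>/dev/null
  openssl req -x509 -new -key "$WORK/plain.pem" -subj "/CN=demo-token-signing" \
    -days 1 -out "$WORK/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/plain.pem" -in "$WORK/cert.pem" \
    -name "some-friendly-name" -out "$WORK/tokensigning.pfx" \
    -passout "pass:$PFX_PASS"
}

# The same extraction the question ran. The output carries Bag Attributes
# ahead of a PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" block.
extract_from_pfx() {
  openssl pkcs12 -in "$WORK/tokensigning.pfx" -nocerts \
    -passin "pass:$PFX_PASS" -passout "pass:$KEY_PASS" \
    -out "$WORK/token-private-key.pem"
}

# Keep only the PEM block, decrypt it with the export password, and write it
# back in the traditional format encrypted with DES-EDE3-CBC under the same
# password. -traditional selects the PKCS#1 "RSA PRIVATE KEY" serialization;
# -des3 is the cipher the older Edge release requires.
to_legacy_des3() {
  in="$1"; out="$2"
  sed -n '/^-----BEGIN/,/^-----END/p' "$in" > "$WORK/stripped.pem"
  openssl pkey -in "$WORK/stripped.pem" -passin "pass:$KEY_PASS" \
    -traditional -des3 -passout "pass:$KEY_PASS" -out "$out"
}

# Pre-flight check before the value goes into the KVM: header, encryption
# markers, no leftover attributes, and the password really opens the key.
# Returns 0 when the file is acceptable; the non-zero code says which check failed.
check_legacy_pem() {
  f="$1"
  [ "$(head -n 1 "$f")" = "-----BEGIN RSA PRIVATE KEY-----" ] || return 1
  grep -q '^Proc-Type: 4,ENCRYPTED' "$f" || return 2
  grep -q '^DEK-Info: DES-EDE3-CBC,' "$f" || return 3
  if grep -q 'Bag Attributes' "$f"; then return 4; fi
  openssl pkey -in "$f" -passin "pass:$KEY_PASS" -noout 2>/dev/null || return 5
  return 0
}

# Usage: sh convert.sh demo  (runs the whole path and prints the PEM header lines)
if [ "${1:-}" = "demo" ]; then
  make_demo_pfx
  extract_from_pfx
  to_legacy_des3 "$WORK/token-private-key.pem" "$WORK/token-private-key-legacy.pem"
  check_legacy_pem "$WORK/token-private-key-legacy.pem"
  head -n 3 "$WORK/token-private-key-legacy.pem"
fi
```

The contents of the converted file, from the BEGIN line through the END line, are what goes into the `privatekey` KVM entry, and `KEY_PASS` into `privatekey-password`. On the newer release the answer mentions, the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" output of `openssl pkcs12` is also accepted, but the `sed` step still applies: the Bag Attributes and Key Attributes lines must not be in the value. One caveat worth knowing when you choose the legacy format: the traditional PEM encryption derives its key from the password with a single MD5 pass and no work factor, so the passphrase protects the key far less than the PKCS#8 PBKDF2 form does. Treat the encrypted KVM and the `private.` variable prefix as the real controls and the PEM password as defence in depth.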
