
GenerateJWT failing again when using password protected private key

I am facing a strange issue with the GenerateJWT policy in which I am trying to use a password protected private key. I had a similar issue in July 2019 which was resolved when Apigee deployed support for different types of key encryption algorithms. I followed exactly the same steps for creating the password protected private key but I keep on getting the following error when executing the API proxy.

{
    "fault": {
        "faultstring": "Failed to parse key: policy(Generate-JWT-Token) ",
        "detail": {
            "errorcode": "steps.jwt.KeyParsingFailed"
        }
    }
}

Here is my setup

1. I have generated the PEM (password protected private key) using the following command

openssl pkcs12 -in tokensigning.pfx -nocerts -out token-private-key.pem

Here is the encryption method details from PFX

openssl pkcs12 -info -in tokensigning.pfx -noout
Output:
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000

2. Create an encrypted Key Value Map using the Portal with the following keys

privatekey-password: *********


privatekey:

-----BEGIN ENCRYPTED PRIVATE KEY-----
key data.......
-----END ENCRYPTED PRIVATE KEY-----

Private Key

Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00 
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    friendlyName: some-friendly-name-16a8f7db122f
Key Attributes
    X509v3 Key Usage: 10 
-----BEGIN ENCRYPTED PRIVATE KEY-----
key data.......
-----END ENCRYPTED PRIVATE KEY-----

KeyValueMap Policy

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyValueMapOperations name="KVM-GetTokenSigningPrivateKey" mapIdentifier="oauth-token-signing">
    <Scope>environment</Scope>
    <ExpiryTimeInSecs>15</ExpiryTimeInSecs>
    <Get assignTo="private.private-key">
        <Key>
            <Parameter>privatekey</Parameter>
        </Key>
    </Get>
    <Get assignTo="private.privatekey-password">
        <Key>
            <Parameter>privatekey-password</Parameter>
        </Key>
    </Get>
</KeyValueMapOperations>

Generate JWT policy

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateJWT name="Generate-JWT-Token">
    <Algorithm>RS256</Algorithm>
    <PrivateKey>
        <Value ref="private.private-key"/>
        <Password ref="private.privatekey-password"/>
        <Id>unique-identifier-for-privatekey-here</Id>
    </PrivateKey>
    <Subject>ABCD</Subject>
    <Issuer>urn://1a4b40567d5a</Issuer>
    <Audience>urn://api.dev</Audience>
    <ExpiresIn>60m</ExpiresIn>
    <AdditionalClaims>
        <Claim name="apigee-proxy" ref="apiproxy.name"/>
        <Claim name="messageid" ref="messageid"/>
        <Claim name="request-path" ref="request.path"/>
        <Claim name="apigee-org" ref="organization.name"/>
        <Claim name="apigee-env" ref="environment.name"/>
    </AdditionalClaims>
    <OutputVariable>output-jwt</OutputVariable>
</GenerateJWT>

Trace sessions are not providing any useful information. I have validated whether the KeyValueMapOperations policy is loading the values into the variables by printing the variables using an AssignMessage policy. A similar setup is working fine in other tenants. I am not sure what is going wrong here. Please help.

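As an added example that is not part of the post above, the script below reproduces outside Apigee what the GenerateJWT policy has to do with the two KVM values: decrypt a PKCS#8 PEM encrypted with the same PBE the PFX reports (pbeWithSHA1And3-KeyTripleDES-CBC) using the password, then sign an RS256 JWT. It assumes openssl is on the PATH, generates its own throwaway key and password (constructed, not the poster's), and keeps only the PEM block from the `openssl pkcs12 -nocerts` output, since that output also carries the "Bag Attributes" preamble while the KVM value in the post holds the block alone.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce locally what the GenerateJWT
# policy has to do with the KVM values (parse a password-protected PKCS#8 PEM and
# sign RS256), so a steps.jwt.KeyParsingFailed fault can be checked outside Apigee.
set -e
WORK=$(mktemp -d)
PASS='constructed-test-password'   # sample password, not a real secret

# Keep only the PEM block. 'openssl pkcs12 -nocerts' also prints "Bag Attributes" and
# "Key Attributes" lines before the BEGIN marker; the KVM value holds the block alone.
extract_pem_block() {  # $1 = file written by openssl pkcs12
  sed -n '/^-----BEGIN ENCRYPTED PRIVATE KEY-----$/,/^-----END ENCRYPTED PRIVATE KEY-----$/p' "$1"
}
# Exit 0 when the PEM decrypts and parses with this password, non-zero otherwise.
check_key_parses() {  # $1 = pem file, $2 = password
  openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_decode() {
  s=$(tr '_-' '/+'); while [ $((${#s} % 4)) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | openssl base64 -d -A
}
# Build header.payload.signature as the policy would: RS256 = RSASSA-PKCS1-v1_5 with SHA-256.
sign_rs256_jwt() {  # $1 = pem file, $2 = password, $3 = payload JSON
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  pl=$(printf '%s' "$3" | b64url)
  sig=$(printf '%s' "$hdr.$pl" | openssl dgst -sha256 -sign "$1" -passin "pass:$2" | b64url)
  printf '%s.%s.%s' "$hdr" "$pl" "$sig"
}
# Verify the token signature with the matching public key (exit 0 on success).
verify_rs256_jwt() {  # $1 = jwt, $2 = public key pem
  printf '%s' "$1" | cut -d. -f3 | b64url_decode > "$WORK/sig.bin"
  printf '%s' "$1" | cut -d. -f1,2 | tr -d '\n' |
    openssl dgst -sha256 -verify "$2" -signature "$WORK/sig.bin" >/dev/null 2>&1
}
# Constructed test key using the same PBE the post's PFX reports
# (pbeWithSHA1And3-KeyTripleDES-CBC), with a fake Bag Attributes preamble.
make_test_key() {  # writes $WORK/raw.pem, $WORK/clean.pem, $WORK/pub.pem
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/plain.pem" 2>/dev/null
  { printf 'Bag Attributes\n    friendlyName: constructed-test-key\nKey Attributes\n    X509v3 Key Usage: 10\n'
    openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES -in "$WORK/plain.pem" -passout "pass:$PASS"
  } > "$WORK/raw.pem"
  extract_pem_block "$WORK/raw.pem" > "$WORK/clean.pem"
  openssl pkey -in "$WORK/plain.pem" -pubout -out "$WORK/pub.pem"
}
```

Running `make_test_key` and then `check_key_parses "$WORK/clean.pem" "$PASS"` against your own exported PEM and KVM password is the quickest way to tell a key or password problem from a policy configuration problem.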