The jwtgenerate policy is able to generate a token if I use the following private key formats. I'm storing the private key in an encrypted KVM and referring to that variable in the JWT policy.
-----BEGIN RSA PRIVATE KEY-----
....
-----END RSA PRIVATE KEY-----
PKCS#8 (unencrypted)
-----BEGIN PRIVATE KEY-----
....
-----END PRIVATE KEY-----
But if I encrypt these keys with passwords and use the encrypted private keys to generate the token, the JWT trace tool shows the following "cannot instantiate private key" error.
Encrypted key formats
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4, ENCRYPTED
DEK-Info: AES-256-CBC,1E9B7BE131CB1452DA691AF29A321E4D
-----END RSA PRIVATE KEY-----
PKCS#8 (encrypted)
-----BEGIN ENCRYPTED PRIVATE KEY-----
....
-----END ENCRYPTED PRIVATE KEY-----
So,
1. Does the JWT policy have any preferred format for the PEM-encoded private key?
2. Why is it failing to parse the encrypted private key?
I'm not sure why it's failing. Can you show your policy configuration?
Policy configurations
KVM policy
JWTgenerate
Thanks, let me look into it.
I did as suggested in the documentation, like getting variables from the KVM and providing the correct format, but I can't find the exact reason why it is failing.
Sorry! See my answer below.
Update: 2019 December 20
Support for alternative encryption algorithms has been added to Apigee.
----------
Regrettably, today the only key encryption algorithm supported is the default "TripleDES", aka des-ede3-cbc.
With openssl, you could generate such a key like this:
openssl genrsa -des3 -out private-encrypted-rsa-des3.pem 2048
If you use a different encryption algorithm, the policy will not successfully read the private key. For example, if you use this command to generate a private key:
openssl genrsa -aes256 -out private-encrypted-rsa-aes256.pem 2048
...then the key will not be parsed successfully by the policy. Similarly, if you use the genpkey command, like this:
openssl genpkey -algorithm RSA -out key.pem -aes-256-cbc -pkeyopt rsa_keygen_bits:4096
...then the key will not be parsed successfully by the policy.
This is an arbitrary limitation in the policy and I've filed a ticket (b/79526748) to request that the limitation be lifted.
The fix is relatively simple, so I would hope we would be able to deliver that pretty quickly, possibly in the next cloud release.
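The check described in this answer (and in the follow-up advice to use des3 encryption in the meantime) can be made mechanical before a key is stored in the KVM. The script below is an added example written for this thread, not Apigee's or the policy's code. It reads a PEM private key with the standard library only, reports whether it is PKCS#1 or PKCS#8 and whether it is encrypted, and names the cipher: from the DEK-Info header for the traditional OpenSSL form that the `genrsa -des3` and `genrsa -aes256` commands above produce, and from the algorithm OIDs inside the DER for the PKCS#8 `ENCRYPTED PRIVATE KEY` form that `genpkey` produces. The `accepted_by_legacy_policy` flag, the OID table and the sample keys (dummy bodies, constructed here) are this example's own assumptions; the flag encodes only what the answer states, namely that before the 2019-12-20 update the des-ede3-cbc `genrsa -des3` form was the one encrypted format that loaded.

```python
"""Report how a PEM private key is encrypted before it is stored in the KVM.
Added example for this thread, not Apigee code; standard library only.
Legacy OpenSSL keys name the cipher in the DEK-Info header; PKCS#8
EncryptedPrivateKeyInfo keys carry it as an OID inside the DER. Both are read."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.S)
KNOWN_OIDS = {  # encryption-related OIDs seen inside a PKCS#8 EncryptedPrivateKeyInfo
    "1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.3.7": "DES-EDE3-CBC", "1.2.840.113549.1.12.1.3": "PBE-SHA1-3DES",
    "2.16.840.1.101.3.4.1.2": "AES-128-CBC", "2.16.840.1.101.3.4.1.42": "AES-256-CBC",
}

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def collect_oids(der: bytes) -> list:
    """Depth-first walk of a DER blob, returning every OBJECT IDENTIFIER in order."""
    oids, pos = [], 0
    while pos < len(der):
        tag, value, pos = _read_tlv(der, pos)
        if tag == 0x06:
            oids.append(_decode_oid(value))
        elif tag & 0x20:  # constructed (SEQUENCE, SET): descend
            oids.extend(collect_oids(value))
    return oids

def parse_pem(pem: str):
    """Split a PEM block into (label, RFC 1421 headers, DER bytes)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    headers, body = {}, []
    for line in m.group("body").splitlines():
        if ":" in line:  # header such as DEK-Info; base64 text never contains ':'
            k, _, v = line.partition(":")
            headers[k.strip()] = v.strip()
        elif line.strip():
            body.append(line.strip())
    return m.group("label"), headers, base64.b64decode("".join(body), validate=True)

def classify(pem: str) -> dict:
    """Return format, cipher (None if unencrypted) and whether the pre-2019-12-20 policy
    would load it: only unencrypted keys and the 'genrsa -des3' form are confirmed above."""
    label, headers, der = parse_pem(pem)
    if label == "RSA PRIVATE KEY":
        if headers.get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED":
            fmt = "PKCS#1 (OpenSSL traditional encryption)"
            cipher = headers.get("DEK-Info", "").split(",")[0].strip().upper()
        else:
            fmt, cipher = "PKCS#1 (unencrypted)", None
    elif label == "PRIVATE KEY":
        fmt, cipher = "PKCS#8 (unencrypted)", None
    elif label == "ENCRYPTED PRIVATE KEY":
        fmt = "PKCS#8 (encrypted)"
        names = [KNOWN_OIDS.get(o, o) for o in collect_oids(der)]
        cipher = names[-1] if names else "unknown"  # encryptionScheme is the last AlgorithmIdentifier
    else:
        raise ValueError(f"unsupported PEM label: {label}")
    accepted = cipher is None or (fmt.startswith("PKCS#1") and cipher == "DES-EDE3-CBC")
    return {"format": fmt, "cipher": cipher, "accepted_by_legacy_policy": accepted}

def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content  # short-form length suffices for the samples

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out.extend(chunk)
    return _der(0x06, bytes(out))

def to_pem(label: str, der: bytes, headers: dict = None) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [f"-----BEGIN {label}-----"] + [f"{k}: {v}" for k, v in (headers or {}).items()]
    lines += ([""] if headers else []) + [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(lines + [f"-----END {label}-----"]) + "\n"

def make_pkcs8_encrypted_sample(cipher_oid: str) -> str:
    """Constructed PKCS#8 EncryptedPrivateKeyInfo: PBES2/PBKDF2 framing, zeroed ciphertext."""
    kdf = _der(0x30, _oid("1.2.840.113549.1.5.12") + _der(0x30, _der(0x04, b"\0" * 8) + _der(0x02, b"\x08\x00")))
    scheme = _der(0x30, _oid(cipher_oid) + _der(0x04, b"\0" * 16))
    alg = _der(0x30, _oid("1.2.840.113549.1.5.13") + _der(0x30, kdf + scheme))
    return to_pem("ENCRYPTED PRIVATE KEY", _der(0x30, alg + _der(0x04, b"\0" * 32)))

# Constructed sample keys with dummy bodies (not real key material), one per shape in the thread.
DUMMY_DER = _der(0x30, b"\x02\x01\x00")
SAMPLE_DES3 = to_pem("RSA PRIVATE KEY", DUMMY_DER, {"Proc-Type": "4,ENCRYPTED", "DEK-Info": "DES-EDE3-CBC,0123456789ABCDEF"})
SAMPLE_AES = to_pem("RSA PRIVATE KEY", DUMMY_DER, {"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-256-CBC,00112233445566778899AABBCCDDEEFF"})
SAMPLE_PKCS8_AES = make_pkcs8_encrypted_sample("2.16.840.1.101.3.4.1.42")

if __name__ == "__main__":
    print(*(classify(p) for p in (SAMPLE_DES3, SAMPLE_AES, SAMPLE_PKCS8_AES)), sep="\n")
```

Run as a script it classifies the three sample shapes (the `-des3`, `-aes256` and `genpkey -aes-256-cbc` cases from the answer); point `classify()` at your own PEM text to check a real key. The flag is deliberately conservative: the thread confirms only the traditional PKCS#1 des-ede3-cbc form, so a PKCS#8 key that happens to use 3DES is still reported as not accepted. A key that comes back with another cipher can be rewritten in the traditional des3 form with `openssl rsa -in key.pem -des3 -out key-des3.pem` (a standard OpenSSL command, not one from the thread), which matches what the `genrsa -des3` command above produces.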
Hi Dino
I am facing the same issue. Is the fix applied?
The fix has been applied but is not yet available in the public cloud. It will deploy to the cloud only later this month. In the meantime you should use the des3 encryption.
I am using the private key given by the Google API console, so I can't change the key.
ps: here's an article describing how to store these keys in the KVM
Hi Dino,
We are facing the same issue as discussed in the above conversation.
We are also facing it while passing the keys in the same format and using the procedure.
Thanks,
Lakshmi Motupalli.
Hi Lakshmi
Can you please ask a new question? Click the button on the upper right labeled "Ask a Question". When you do that, provide as much information as is relevant:
I'll try to help.