Need help setting up APIGEE JWT example from iloveapis2015 on github.

@Dino

I am attempting to get the sample create JWT and parse/verify sample to work from (Iloveapis2015-jwt-jwe-jws), but have had no success with either the RS256 create or parse. I am using the keys provided in the GitHub project as well as the pre-compiled Java JARs. Here is my create using those components:

<JavaCallout async="false" continueOnError="false" enabled="true" name="JavaCallout-JWT-Create-RS256-2">
  <DisplayName>JavaCallout-JWT-Create-RS256-2</DisplayName>
  <Properties>
    <Property name="algorithm">RS256</Property>
    <!-- <Property name="pemfile">public-private-keypair1.pem</Property> -->
    <Property name="private-key-password">deecee123</Property>
    <Property name="private-key">
      -----BEGIN RSA PRIVATE KEY-----
      Proc-Type: 4,ENCRYPTED
      DEK-Info: DES-EDE3-CBC,049E6103F40FBE84
      EZVWs5v4FoRrFdK+YbpjCmW0KoHUmBAW7XLvS+vK3BdSM2Yx/hPhDO9URCVl9Oar
      ApEZC1CxzsyRfvKDtiKWfQKdYKLccl8pA4Jj0sCxVgL4MBFDNDDEau4vRfXBv2EF
      eGVZiG0/oaGbOUI9bgPKXmDsZQ3LHM9JONTOxaBapc06Gxcj0btkkzwB/dZQVRvb
      XQFMzySgly1OOcnVkl8CDfKI4TwOERlhXjnnjN8vsDrpZXuSqniR9ARJEK41ZDAV
      JpkvWnvEYl3oMozgF6NHCFXahefbP8lysMSknhtQwiJUaDZSkoBMMdMfQyfPpPME
      tgJ4nkPBbSmwpWlTMPSgfth1kAkFvtmYCdV1UVglS+CE1/VDeuTeqkj5f7X/MvEx
      FuWAkbZ3Gmqy04MvTOL8iy9A1wQo9E9U/6CgPqILcn49ZIOWilW6OzoGKK0F95KO
      mx5r7MOkq21ltzCTmjt200YM/D5fq78ST7UzqetTFqNbgfraZxawcZf9L0xL2cwa
      U9MJtPqCRLk4066+I2RkOZ8Zz1bro1nfCS99fayZ1AY/Ohw7+neviyuXIFSMTxsL
      eiyPVBi6rrWjXIFITafK1oIoELimMbUHS9UOgJt7wkbKVYazcC9sQ4B1am1UQRe1
      XQWtsYVySiId9iHA2UG+yc/l8GDmsKWAzlhFv5NyuCMAdfXbM1ERFaghPFx3RcZW
      qtSkso/kFWrH6369ADN8fUAh6GOLrVAC06W6STzLEhoxNDyyS6RW9s/i9qhJWIX9
      sMuDK2Zg+TRJ+nZbdljhglVLzMLPv3MCxhlji7H4y8YIVD738rpJLOY3LBqh9ilo
      1HHGlMNkfBDkaSIwT2cBHdC38USyV2fgqlcukzj3a3NvUdmvARtnfEL6gLeSXmHJ
      HNC6HqihWnBuizX9I9MwYaz9GQw7HN7oZJLBbBatsbxcP9ll/27VZY8BJwwLtuSy
      /JJRB1ALjBFVKeBo5nHSc7cKld0glnWt+E5yfgQcI/2kpgfqJRb0yAPcMjOQyLJ9
      xWKl7qDENSKSdy3VMKvj2xxqmkk7eTLbIFRfjioLLCnkfQsCPVdQMrG0Kt67W/F2
      rZlGqeJtTDIefiQCwSR18t/8SUTqm4SRKDvBFRKhpn6JOl561vp5j3PoD52+ZFCX
      160sbfqsKqJ/TqqP0BWdSOyYNSmlUQAn3JYZlj3dYM4dTQTADpCWo3ZmDAiFho/y
      dCwtNpnjWoICcDfyr34G01xCVeyEjkozePLMZ7chOmX87KfVEujgul1qAHHgMAid
      4l+btMOR8D0od2ZF+DdYllyDSU1fp1EQXXrbkYaFccgYVs8MtBQvCcJtSnayf3L+
      jUxp3vjF9HE3wVDVTFeCUJGacGIMuoD0RlsT2VFMOjOf4p0F7adPse7aLBhyoLMI
      N7GMYGDSG6jbWP18bNDWwFDrtPsvSXIZnirZeQNR7P8stVcxrWaphiPXivsHwJE2
      z9SnpM5YjEoVI/1Cr8XY4QySFR1S72gkOO2WRi6m0kc98F/C3iwCMJ/RXvKfBVrj
      7ZOF1UXVaoldDs+izZo5biVF/NNIBtg2FkZd4hh/cFlF1PV+M5+5mA==
      -----END RSA PRIVATE KEY-----
    </Property>
  </Properties>
  <ClassName>com.apigee.callout.jwtsigned.JwtCreatorCallout</ClassName>
  <ResourceURL>java://jwt-signed-edge-callout.jar</ResourceURL>
</JavaCallout>

Here is my parse using those components--although I do not have a JWT from the create to test with yet.

<JavaCallout async="false" continueOnError="false" enabled="true" name="JavaCallout-JWT-Parse-RS256"> 
  <DisplayName>JavaCallout-JWT-Parse-RS256</DisplayName> 
  <Properties> 
    <Property name="algorithm">RS256</Property> 
    <Property name="jwt">{request.header.jwt}</Property> 
    <Property name="timeAllowance">30000</Property>
    <!-- public-key used only for algorithm = RS256 -->
    <Property name="public-key">
      -----BEGIN PUBLIC KEY-----
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtxlohiBDbI/jejs5WLKe
      Vpb4SCNM9puY+poGkgMkurPRAUROvjCUYm2g9vXiFQl+ZKfZ2BolfnEYIXXVJjUm
      zzaX9lBnYK/v9GQz1i2zrxOnSRfhhYEb7F8tvvKWMChK3tArrOXUDdOp2YUZBY2b
      sl1iBDkc5ul/UgtjhHntA0r2FcUE4kEj2lwU1di9EzJv7sdE/YKPrPtFoNoxmthI
      OvvEC45QxfNJ6OwpqgSOyKFwE230x8UPKmgGDQmED3PNrio3PlcM0XONDtgBewL0
      3+OgERo/6JcZbs4CtORrpPxpJd6kvBiDgG07pUxMNKC2EbQGxkXer4bvlyqLiVzt
      bwIDAQAB
      -----END PUBLIC KEY-----
    </Property>

  </Properties>

  <ClassName>com.apigee.callout.jwtsigned.JwtParserCallout</ClassName>
  <ResourceURL>java://jwt-signed-edge-callout.jar</ResourceURL>
</JavaCallout>


jwt_error:
java.util.concurrent.ExecutionException: org.apache.commons.ssl.ProbablyNotPKCS8Exception: asn1 parse failure: java.io.IOException: DER length more than 4 bytes


jwt_reason:

org.apache.commons.ssl.ProbablyNotPKCS8Exception: asn1 parse failure: java.io.IOException: DER length more than 4 bytes


I am using the public-private-keypair1.pem in my create as Dino has in his example.

1 ACCEPTED SOLUTION

Sorry to hear you're having trouble. Also, sorry about the misunderstandings with Apigee Support. This is not something the support staff are currently supporting. We're working on embedding JWT verification and generation "officially" into the product rather than via sample code available on github. Until that time, community support is the way to go for that sample.

Now...regarding your problem.

You say you are getting an error. When? Which policy generates the error? The parse or the generation?

Under what circumstances?

You said you can get the example from github to work. That's good. The error you are mentioning indicates a failure to de-serialize the string from the base64 encoded version into a Java object that represents a public or private key. But I'm not clear whether you're doing the generation or verification when you see the error.

I recommend that you check and double-check the public and private key that you have embedded into these policies. The spacing should mostly not matter, but it is important to have a newline in the private key after the line that begins "DEK-Info". Follow the example in github. The pasted code you provided didn't really have correct formatting, but I suspect that was caused by the paste, and the code you are actually using is different.

I have seen that error when there are errors in the serialized keys.

Let me know.

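An added example, not part of the original post or of the GitHub sample: a small Python check for the PEM formatting problems the answer above describes, meant to be run on the key text pasted into a policy. `check_pem` and `der_length_ok` are hypothetical helper names, and the sample blocks are constructed placeholders, not real keys.

```python
import base64
import binascii
import re

# Added example: hypothetical helpers, not part of the Apigee callout.
def der_length_ok(der: bytes) -> bool:
    """True if der is one SEQUENCE whose length field matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: length in one octet
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:  # cf. "DER length more than 4 bytes"
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem(text: str) -> list:
    """Return a list of structural problems found in one PEM block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]  # indentation is harmless
    begin = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----", lines[0]) if lines else None
    if not begin or lines[-1] != f"-----END {begin.group(1)}-----":
        return ["BEGIN/END markers missing or mismatched"]
    inner, problems = lines[1:-1], []
    n_headers = 0
    while n_headers < len(inner) and ":" in inner[n_headers]:
        n_headers += 1                     # Proc-Type / DEK-Info style headers
    headers = inner[:n_headers]
    encrypted = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
    if headers and (n_headers == len(inner) or inner[n_headers] != ""):
        problems.append("no blank line between headers and base64 body")
    body = "".join(ln for ln in inner[n_headers:] if ln)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return problems + ["body is not valid base64"]
    if not encrypted and not der_length_ok(der):  # ciphertext is not DER, so skip it
        problems.append("decoded body is not a well-formed DER SEQUENCE")
    return problems

# Constructed sample (placeholder ciphertext and IV, not a real key).
BAD = """
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: DES-EDE3-CBC,0000000000000000
  QUJDREVGR0hJSktMTU5PUA==
  -----END RSA PRIVATE KEY-----
"""
GOOD = BAD.replace("0000000000000000\n", "0000000000000000\n\n")
```

`check_pem(BAD)` reports the missing blank line after `DEK-Info`, and `check_pem(GOOD)` returns an empty list.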

4 REPLIES 4

I got the example from github APIGEE iloveapis2015-jwt-jwe-jws to work - I did find it odd that APIGEE support will not work with you at all if you have an issue with this example on github.

Hi Dino,

On that GitHub sample, there is a policy "JWT-Create-RS256", which actually works in creating and verifying JWTs.

There are 2 properties mentioned in that Java callout policy:

<Property name="pemfile">public-private-keypair1.pem</Property>

<Property name="private-key-password">deecee123</Property>

I would like to know how Apigee gets public-private-keypair1.pem. This is included as a resource file in the sample from GitHub (jwt_signed\callout\src\main\resources\resources); however, it is not included in the apiproxy folder.

Say, for instance, I want to use my own certificates for creating and validating JWTs: how can I upload them to the proxy?

Hi OFS

Since this is a totally new question, can you please ask it with the Ask A Question button?

I will be pleased to help you if you do that.
