Hello! I would like to ask: when I write to auth/jwt/config using the parameter "jwt_validation_pubkeys", whether via the API or the CLI, it returns this error: "error parsing public key: data does not contain any valid RSA or ECDSA public keys." I would like to know whether Vault requires a fixed format for the public key. If it does, what should the format be? Thanks!
Anybody? Any help would be appreciated!! Thanks again!!
These public keys need to be PEM encoded and passed to the Vault API. You can see an example of a public key in the unit test for the backend:
https://github.com/hashicorp/vault-plugin-auth-jwt/blob/master/path_config_test.go#L159
Hi Chris, thanks a lot for your help!! However, my pubkey is already PEM encoded, and I wrote a JSON file to pass to the Vault API. The curl is like this:
curl --header "X-Vault-Token: myroottoken" --request POST --data @jwt2config.json ip:port/v1/auth/jwt/config
{"errors":["error parsing public key: data does not contain any valid RSA or ECDSA public keys"]}
Are you sure the data is properly escaped in your JSON file?

This is how I write it in the JSON file: I just paste a really long string of the pubkey, and there is no space in this string; it starts with -----BEGIN PUBLIC KEY----- and ends with -----END PUBLIC KEY-----
I tried a lot of cases, and when I put \n after every row of the pubkey, Vault did not output an error. When I check what I have written in my config, I can see a really long string with some \n in it, and that is exactly what I put in my JSON file. I would like to ask whether that is OK?
Try from the CLI for a start, to be sure that your key is not corrupted:
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out pubkey.pem
vault write auth/jwt/config jwt_validation_pubkeys=@pubkey.pem
Greetings, I arrived here courtesy of google, having the same problem.
I had assumed the line breaks in a PEM were ignored (well they are, except when they're not), but a line break after every 64 characters is part of RFC1421. Knowing that I couldn't put actual line breaks in the json, I had just stripped the whitespace from my pem. Vault doesn't appreciate that. When I replaced the line breaks with "\n" then it started working.
HTH
Knowing that I couldn't put actual line breaks in the json, I had just stripped the whitespace from my pem. Vault doesn't appreciate that.
Go's libraries tend to be pretty RFC-conforming :-)
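Added example, not code from the thread or from Vault itself (the parse helper only approximates what the plugin does; Vault's real check lives in its certutil package). It generates a throwaway RSA key, shows that Go's encoding/pem refuses the same key once its line breaks are stripped, and builds the /v1/auth/jwt/config body with encoding/json so the \n escapes come out right without hand-editing the PEM:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// errNoValidKey is the message the thread keeps hitting.
var errNoValidKey = errors.New("error parsing public key: data does not contain any valid RSA or ECDSA public keys")

// parsePublicKeyPEM approximates (assumption, not Vault's code) the check run
// on each jwt_validation_pubkeys entry: PEM-decode, parse the DER as a PKIX
// SubjectPublicKeyInfo ("-----BEGIN PUBLIC KEY-----", which is what
// `openssl rsa -pubout` writes; PKCS#1 "BEGIN RSA PUBLIC KEY" is a different
// encoding and is not parsed by x509.ParsePKIXPublicKey), and accept only
// RSA or ECDSA keys.
func parsePublicKeyPEM(data string) (interface{}, error) {
	block, _ := pem.Decode([]byte(data))
	if block == nil {
		// pem.Decode searches for a "\n-----END " terminator, so a PEM with
		// every line break stripped lands here.
		return nil, errNoValidKey
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, errNoValidKey
	}
	switch key.(type) {
	case *rsa.PublicKey, *ecdsa.PublicKey:
		return key, nil
	}
	return nil, errNoValidKey
}

// newPublicKeyPEM generates a throwaway 2048-bit RSA key (constructed input)
// and returns its public half as PKIX PEM with 64-column lines.
func newPublicKeyPEM() (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// stripNewlines reproduces the posters' first attempt: remove every line
// break so the PEM fits on one JSON line.
func stripNewlines(pemText string) string {
	return strings.ReplaceAll(pemText, "\n", "")
}

// configPayload builds the request body for POST /v1/auth/jwt/config. The
// JSON encoder escapes each real newline as the two characters `\n`, which
// is exactly the shape the thread arrived at by hand.
func configPayload(pubkeys []string) (string, error) {
	body, err := json.Marshal(map[string]interface{}{"jwt_validation_pubkeys": pubkeys})
	return string(body), err
}

// roundTrip decodes that body as any JSON API layer would and returns the
// first key as the plugin sees it: the `\n` escapes are real newlines again.
func roundTrip(body string) (string, error) {
	var cfg struct {
		Keys []string `json:"jwt_validation_pubkeys"`
	}
	if err := json.Unmarshal([]byte(body), &cfg); err != nil {
		return "", err
	}
	if len(cfg.Keys) == 0 {
		return "", errors.New("payload has no jwt_validation_pubkeys")
	}
	return cfg.Keys[0], nil
}

func main() {
	pubPEM, err := newPublicKeyPEM()
	if err != nil {
		panic(err)
	}
	_, err = parsePublicKeyPEM(pubPEM)
	fmt.Println("multi-line PEM:        ", err)
	_, err = parsePublicKeyPEM(stripNewlines(pubPEM))
	fmt.Println("line breaks stripped:  ", err)
	body, err := configPayload([]string{pubPEM})
	if err != nil {
		panic(err)
	}
	fmt.Println("body has literal \\n:   ", strings.Contains(body, `\n`))
	seen, err := roundTrip(body)
	if err != nil {
		panic(err)
	}
	_, err = parsePublicKeyPEM(seen)
	fmt.Println("after JSON round trip: ", err)
}
```

The same applies whatever language builds the request: let a JSON serializer escape the file contents rather than deleting the line breaks. What the plugin needs after JSON decoding is the PEM as `openssl` wrote it, with a newline before the -----END PUBLIC KEY----- line.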
Actually, I think the UI is broken. I was trying to add a second key once the first worked via the API, but I couldn't even save the first when I was copy-pasting it into the input field below.
Steps to reproduce:
error parsing public key: data does not contain any valid RSA or ECDSA public keys
Vault v1.1.3 ('9bc820f700f83a7c4bcab54c5323735a581b34eb')
@0xC4N1 it looks like you're running in to this: https://github.com/hashicorp/vault/issues/7187 - we're looking at a fix for that now
I have added the key using "vault write auth/jwt/config jwt_validation_pubkeys=@
I am able to use the key pair to encrypt and decrypt with Java code, but the login API to Vault with the JWT token is throwing an error:
{"errors":["no known key successfully validated the token signature"]}
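Added example for the login error just above, not from the thread or from Vault's code: it signs a JWT with RS256 using only the Go standard library and then verifies it against a list of public keys the way a jwt_validation_pubkeys login has to, so you can see which mistakes end in "no known key successfully validated the token signature". The keys are generated in memory (constructed input); loading them from pubkey.pem is a separate step not shown here. Being able to encrypt and decrypt with a key pair says nothing about this check: RS256 is RSASSA-PKCS1-v1_5 over SHA-256 of the exact base64url header.payload string, made with the private half of the key whose public half was uploaded.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// errNoKey is the login error from the thread, returned when no configured
// key verifies the signature.
var errNoKey = errors.New("no known key successfully validated the token signature")

// signRS256 mints a compact JWT. The signature is RSASSA-PKCS1-v1_5 over
// SHA-256 of the ASCII bytes "base64url(header).base64url(payload)"; it is a
// signature with the private key, not RSA encryption of the payload.
func signRS256(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// verifyWithAnyKey does the first thing a jwt_validation_pubkeys login must
// do: try each configured key against the token's signature. Claims (exp,
// aud, bound claims) are not inspected here; a real verifier checks them only
// after some key has verified the signature.
func verifyWithAnyKey(token string, keys []*rsa.PublicKey) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("token is not three base64url segments")
	}
	enc := base64.RawURLEncoding
	hdrJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return err
	}
	if hdr.Alg != "RS256" {
		return fmt.Errorf("alg %q not handled by this example (RS256 only)", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return err
	}
	// The digest covers the encoded header and payload exactly as transmitted.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	for _, k := range keys {
		if rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig) == nil {
			return nil
		}
	}
	return errNoKey
}

// tamperPayload swaps in a different payload while keeping the original
// header and signature, the classic "edited the claims" failure.
func tamperPayload(token string, newClaims string) string {
	parts := strings.Split(token, ".")
	return parts[0] + "." + base64.RawURLEncoding.EncodeToString([]byte(newClaims)) + "." + parts[2]
}

func main() {
	// Constructed keys: "uploaded" is the pair whose public half went into
	// jwt_validation_pubkeys; "other" is a pair that was never configured.
	uploaded, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	configured := []*rsa.PublicKey{&uploaded.PublicKey}
	claims := map[string]interface{}{"sub": "my-app", "aud": "vault"}

	good, _ := signRS256(uploaded, claims)
	fmt.Println("signed by uploaded key:", verifyWithAnyKey(good, configured))

	wrong, _ := signRS256(other, claims)
	fmt.Println("signed by other key:   ", verifyWithAnyKey(wrong, configured))

	fmt.Println("tampered payload:      ", verifyWithAnyKey(tamperPayload(good, `{"sub":"admin"}`), configured))
}
```

If a token you are sending to Vault fails this check locally against the same PEM you uploaded, the problem is on the signing side (wrong key pair, wrong algorithm, or a payload altered after signing), not in the Vault configuration.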