JWT - java.security.InvalidKeyException: IOException: DerInputStream.getLength(): lengthTag=105, too


cmou...@redhat.com

Dec 19, 2016, 12:09:56 PM12/19/16
to vert.x
Hi,

The following code 

    String REALM = System.getenv("REALM");
    String PUBLIC_KEY = System.getenv("PUBLIC_KEY");
    String AUTH_SERVER_URL = System.getenv("AUTH_SERVER_URL");
    String RESOURCE = System.getenv("RESOURCE");
    String CREDENTIALS = System.getenv("CREDENTIALS");

    // Configure the AuthHandler to process the JWT.
    // The provider config is assembled as a JSON string from environment variables.
    JWTAuthHandler jwtHandler = JWTAuthHandler.create(
        JWTAuth.create(vertx, new JsonObject(
            "{\n" +
            "  \"realm\": \"" + REALM + "\",\n" +
            "  \"public-key\": \"" + PUBLIC_KEY + "\",\n" +
            "  \"auth-server-url\": \"" + AUTH_SERVER_URL + "\",\n" +
            "  \"ssl-required\": \"external\",\n" +
            "  \"resource\": \"" + RESOURCE + "\",\n" +
            "  \"credentials\": {\n" +
            "    \"secret\": \"" + CREDENTIALS + "\"\n" +
            "  }\n" +
            "}"
        ))
    );

    router.route("/greeting").handler(jwtHandler);

works perfectly when it is issued against a Keycloak server running on my machine (macOS), but when Vert.x is deployed as a pod I get this error:

java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException: DerInputStream.getLength(): lengthTag=105, too big.
        at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:205)
        at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
        at io.vertx.ext.auth.jwt.impl.JWT.<init>(JWT.java:108)
        at io.vertx.ext.auth.jwt.impl.JWTAuthProviderImpl.<init>(JWTAuthProviderImpl.java:73)
        at io.vertx.ext.auth.jwt.JWTAuth.create(JWTAuth.java:41)
        at org.obsidiantoaster.quickstart.RestApplication.start(RestApplication.java:50)
        at io.vertx.core.impl.DeploymentManager.lambda$doDeploy$8(DeploymentManager.java:434)
        at io.vertx.core.impl.ContextImpl.lambda$wrapTask$2(ContextImpl.java:316)
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:418)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:440)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.InvalidKeyException: IOException: DerInputStream.getLength(): lengthTag=105, too big.
        at sun.security.x509.X509Key.decode(X509Key.java:398)
        at sun.security.x509.X509Key.decode(X509Key.java:403)
        at sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:84)
        at sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:298)
        at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:201)
        ... 12 more

Here is the public key generated by Keycloak

Key : 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

Versions used: Vert.x 3.3.3, Keycloak 1.9.4

This error is generated here, within the JWT class:

    try {
        // The configured "public-key" is expected to be the bare Base64 of a DER-encoded
        // SubjectPublicKeyInfo (X.509 format), which KeyFactory turns into an RSA public key.
        X509EncodedKeySpec spec = new X509EncodedKeySpec(Base64.getDecoder().decode(publicKey));
        KeyFactory kf = KeyFactory.getInstance("RSA");
        tmp.put("RS256", new CryptoPublicKey("SHA256withRSA", kf.generatePublic(spec)));
    } catch (InvalidKeySpecException | NoSuchAlgorithmException | RuntimeException e) {
        e.printStackTrace();
        log.warn("RS256 not supported");
    }


Regards,

Charles

Paulo Lopes

Dec 22, 2016, 6:40:04 AM12/22/16
to vert.x
The error is coming from the JDK classes:

    X509EncodedKeySpec spec = new X509EncodedKeySpec(Base64.getDecoder().decode(publicKey));
    KeyFactory kf = KeyFactory.getInstance("RSA");

This means that the key is invalid/corrupted, or the JDK does not have the required crypto extensions installed. In this case I say it is corrupted, since that is what the JDK is reporting:

java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = 2)

Paulo Lopes

Dec 22, 2016, 7:16:18 AM12/22/16
to vert.x
This works for me:

1) Start Keycloak 1.9.4.Final (the version reported):

    sudo docker run --rm -it -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 8080:8080 jboss/keycloak:1.9.4.Final

2) Wait for it to come up, then open http://localhost:8080 in a browser.

3) Log in to the administration console with admin/admin.

4) Go to Clients and add a new one named "test".

5) Select "Installation", pick the JSON format, and you get something like:


{
"realm": "master",
"realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqMIufM8dSnqH/EceTUOepwKEH1TjZT7Hg9S3GlgRY+Z28AciQF0EGP4u7WcVt3/ViuOqZvX6A5FO/TcKNjKqSOTVXeVGenIokAU0pN41MSs2tDU37r2o325gMbwn0+iONNec09ohthHwWgy8xLdadoXnO1En/3g0WJIpU45+wq8sjGzN4RyJU9+56OgpLX1MZLPib0cre07z8FHJTYHh31jJl6qR4lDe9auvleRevyR5RItf73zu0qMuFWZm2CWFxqm3ZB8BGUKGwoDTqfjFyCOO0NTWpIP5BtNmLbdtkTYDUoW0kboZ5ayPwV/qS7hkG1gKB09YgGjoufzXuRh3EQIDAQAB",
"auth-server-url": "http://localhost:8080/auth",
"ssl-required": "external",
"resource": "test",
"public-client": true
}

Pick the public key and run this code to check it:

    String key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqMIufM8dSnqH/EceTUOepwKEH1TjZT7Hg9S3GlgRY+Z28AciQF0EGP4u7WcVt3/ViuOqZvX6A5FO/TcKNjKqSOTVXeVGenIokAU0pN41MSs2tDU37r2o325gMbwn0+iONNec09ohthHwWgy8xLdadoXnO1En/3g0WJIpU45+wq8sjGzN4RyJU9+56OgpLX1MZLPib0cre07z8FHJTYHh31jJl6qR4lDe9auvleRevyR5RItf73zu0qMuFWZm2CWFxqm3ZB8BGUKGwoDTqfjFyCOO0NTWpIP5BtNmLbdtkTYDUoW0kboZ5ayPwV/qS7hkG1gKB09YgGjoufzXuRh3EQIDAQAB";
    X509EncodedKeySpec spec = new X509EncodedKeySpec(Base64.getDecoder().decode(key));

    KeyFactory kf = KeyFactory.getInstance("RSA");
    kf.generatePublic(spec);


Works!

Now note that the key provided in this report is way longer than the one I've just generated.
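Paulo's check only tells you whether a known-good key parses. The added example below (not from the thread, and not Vert.x code) runs the same KeyFactory call, but first normalises the value the way it tends to be mangled on its way into a pod (PEM armor, 64-column line wraps, a second layer of Base64 added by a deployment descriptor) and, when the bytes are not a key, says what they are instead. One detail worth knowing when reading the original error: the JDK masks off the high bit before printing, so "lengthTag=105" means the second decoded byte was 0xE9, whereas a 2048-bit RSA SubjectPublicKeyInfo always starts 0x30 0x82 0x01 0x22. The class and method names are mine, and the three inputs in main() are constructed from the realm-public-key Paulo posted.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/** Diagnose what a "public-key" config value actually decodes to before JWTAuth sees it. */
public class PublicKeyCheck {

    // The realm-public-key Keycloak 1.9.4 printed in the reply above (bare Base64 SPKI).
    static final String KEYCLOAK_KEY =
        "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqMIufM8dSnqH/EceTUOepwKEH1TjZT7Hg9S3GlgRY+Z28AciQF0EGP4u7WcVt3/ViuOqZvX6A5FO/TcKNjKqSOTVXeVGenIokAU0pN41MSs2tDU37r2o325gMbwn0+iONNec09ohthHwWgy8xLdadoXnO1En/3g0WJIpU45+wq8sjGzN4RyJU9+56OgpLX1MZLPib0cre07z8FHJTYHh31jJl6qR4lDe9auvleRevyR5RItf73zu0qMuFWZm2CWFxqm3ZB8BGUKGwoDTqfjFyCOO0NTWpIP5BtNmLbdtkTYDUoW0kboZ5ayPwV/qS7hkG1gKB09YgGjoufzXuRh3EQIDAQAB";

    /** Strip PEM armor lines and all whitespace; what remains should be bare Base64. */
    static String normalise(String raw) {
        return raw.replaceAll("-----(BEGIN|END) [A-Z ]+-----", "")
                  .replaceAll("\\s+", "");
    }

    /** True when every byte is printable ASCII or whitespace, i.e. text rather than DER. */
    static boolean isText(byte[] b) {
        for (byte x : b) {
            boolean ws = x == '\n' || x == '\r' || x == '\t';
            if ((x < 0x20 && !ws) || x > 0x7E) return false;   // negative bytes (>= 0x80) fail here
        }
        return true;
    }

    /** Decode the value exactly as io.vertx.ext.auth.jwt.impl.JWT does, and report what it is. */
    static String diagnose(String raw) {
        byte[] der;
        try {
            der = Base64.getDecoder().decode(normalise(raw));
        } catch (IllegalArgumentException e) {
            return "not Base64: " + e.getMessage();
        }
        if (der.length < 2) {
            return "empty or truncated value (is the env var actually set in the pod?)";
        }
        if (isText(der)) {
            // Text after one Base64 decode means the value was encoded twice, or a whole
            // PEM/JSON file was pasted into the variable.
            String head = new String(der, 0, Math.min(der.length, 24), StandardCharsets.US_ASCII);
            return "decodes to text, not DER (double-encoded?): " + head.replace("\n", "\\n") + "...";
        }
        int tag = der[0] & 0xFF;
        int len = der[1] & 0xFF;
        // SubjectPublicKeyInfo is SEQUENCE (0x30) with a long-form length (0x82 for 256..65535
        // bytes). The JDK throws "lengthTag=N, too big" when the length byte has its high bit
        // set and announces more than 4 length bytes; it prints N = len & 0x7F, so 0xE9 -> 105.
        if (tag != 0x30 || ((len & 0x80) != 0 && (len & 0x7F) > 4)) {
            return String.format("not a DER SEQUENCE header: tag=0x%02X len=0x%02X", tag, len);
        }
        try {
            RSAPublicKey key = (RSAPublicKey) KeyFactory.getInstance("RSA")
                    .generatePublic(new X509EncodedKeySpec(der));
            return "OK: RSA public key, " + key.getModulus().bitLength() + " bits";
        } catch (GeneralSecurityException | ClassCastException e) {
            return "DER, but not an RSA SubjectPublicKeyInfo: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the good key; the same key wrapped in PEM armor at 64 columns
        // (what a copy-paste from a .pem file looks like); and that PEM text Base64-encoded
        // once more (what happens when a descriptor encodes an already-encoded value).
        String pem = "-----BEGIN PUBLIC KEY-----\n"
                + KEYCLOAK_KEY.replaceAll("(.{64})", "$1\n")
                + "\n-----END PUBLIC KEY-----\n";
        String doubleEncoded = Base64.getEncoder().encodeToString(pem.getBytes(StandardCharsets.UTF_8));

        // Pass the value from the pod on the command line to check the real thing.
        String[] samples = args.length > 0 ? args : new String[] { KEYCLOAK_KEY, pem, doubleEncoded };
        for (String s : samples) {
            System.out.println(diagnose(s));
        }
    }
}
```

Run it inside the pod with the same value the application receives (for example `java PublicKeyCheck.java "$PUBLIC_KEY"` on JDK 11+), so the check sees the string after every layer of YAML quoting and environment expansion has been applied, rather than the string you think you configured.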

Charles Moulliard

Dec 22, 2016, 7:33:01 AM12/22/16
to ve...@googlegroups.com
Many thanks. I will ask Ales to check the key part of the Red Hat SSO Image that we are using : https://github.com/obsidian-toaster-quickstarts/quick_secured_rest-springboot/blob/master/sso/src/main/fabric8/sso-deploymentconfig.yml#L27-L41


