"Could not deserialize key data" #257

Closed
abcondas opened this issue Apr 19, 2017 · 2 comments

abcondas commented Apr 19, 2017

Hi. I'm receiving a "Could not deserialize key data" error in the following code. What am I doing wrong? I have investigated high/low trying to figure out if this public_key is in PEM format and it appears as if it is but I'm not sure (how can I verify this?). The decoding (and encoding also) works in the jwt.io debugger. Also, I traced through the pyjwt code and it's bombing during the verification of the signature. If I specify "verify=False" then the payload is returned just fine. I'm using the latest version of all packages. Thanks for the help.

UPDATE: I got this to work by adding line separators in the public key as follows:

  • Right after the begin public key: -----BEGIN PUBLIC KEY-----\n
  • And another one right before the end public key: \n-----END PUBLIC KEY-----

I figured this out after I dove into the openssl library a little. The following command failed with an "Error: offset too large" after I simply copied and pasted the entire string into my public.key file:
openssl asn1parse -inform PEM -i -in public.key
After adding the line separators into the file then it worked.

import jwt

payload = {
    "sub": "1234567890",
    "name": "John Doe",
    "iss": "xena princess warrior",
    "aud": "very cool aud"
}

private_key = '-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----'
public_key = '-----BEGIN PUBLIC KEY-----MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugdUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQsHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5Do2kQ+X5xK9cipRgEKwIDAQAB-----END PUBLIC KEY-----'
token = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaXNzIjoieGVuYSBwcmluY2VzcyB3YXJyaW9yIiwiYXVkIjoidmVyeSBjb29sIGF1ZCJ9.KHQbQ_FSUKISBVM7WbESA5k2r3D1W02VKnmiWpIvyAST4ysP_1zRH2fd-f1_Sb4uagI9u7PiFQqtPZcLflLjLqH5I1rzjb21FTfdL2nR2v8Ra3r-6AcbjFTgdmjrf9qAZ-Ii689wP1-hjJeg8gCZmg0lkyEcMtECopFaqd5jUxY'

decoded_payload = jwt.decode(token, key=public_key, algorithms=['RS256'], audience="very cool aud")

Contributor

mark-adams commented Apr 20, 2017

That's correct. RFC 7468 says that a key in PEM format should be in the following format:

...
textualmsg = preeb *WSP eol
             *eolWSP
             base64text
             posteb *WSP [eol]

preeb      = "-----BEGIN " label "-----"
posteb     = "-----END " label "-----"
...

What this says is that the first line of the key is expected to contain "preeb", possibly some whitespace, and a newline. "preeb" is the -----BEGIN... label. The definition for "base64text" also includes a newline (not shown above for brevity) so that a parser can detect the presence of the "posteb" -----END....

In other words, you are correct. The newlines are important and the key is not valid without them.
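
The newline requirement explained in the comment above, as an added example that is not part of the original thread or of PyJWT: a standard-library check that tells a flattened PEM paste from a well-formed one and rebuilds the line breaks. The function names `is_wellformed_pem` and `normalize_pem` are hypothetical, the regular expressions only approximate the RFC 7468 grammar, and the key body is the public key posted in the issue.

```python
import base64
import binascii
import re

# Public key body from the issue, split here only to keep source lines short.
BODY = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd"
        "UWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs"
        "HUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D"
        "o2kQ+X5xK9cipRgEKwIDAQAB")
# The key as pasted in the issue: boundaries and body all on one line.
ONE_LINE_PEM = "-----BEGIN PUBLIC KEY-----" + BODY + "-----END PUBLIC KEY-----"

_LABEL = r"[A-Z0-9]+(?: [A-Z0-9]+)*"
# Boundaries on their own lines, as the ABNF quoted above requires.
_STRICT = re.compile(
    r"\A-----BEGIN (" + _LABEL + r")-----[ \t]*\r?\n"
    r"((?:[A-Za-z0-9+/=]+[ \t]*\r?\n)+)"
    r"-----END \1-----[ \t]*(?:\r?\n)?\Z")
# Looser pattern, used only to pull the pieces out of a flattened paste.
_LOOSE = re.compile(r"-----BEGIN (" + _LABEL + r")-----(.*?)-----END \1-----", re.S)


def is_wellformed_pem(text):
    """True if each boundary sits on its own line and the body is valid base64."""
    m = _STRICT.match(text)
    if not m:
        return False
    try:
        base64.b64decode("".join(m.group(2).split()), validate=True)
    except binascii.Error:
        return False
    return True


def normalize_pem(text):
    """Rebuild a PEM block whose line breaks were lost, e.g. by copy and paste."""
    m = _LOOSE.search(text)
    if not m:
        raise ValueError("no matching BEGIN/END boundaries found")
    label, body = m.group(1), "".join(m.group(2).split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("body is not valid base64") from exc
    if not der or der[0] != 0x30:  # keys and certificates are DER SEQUENCEs
        raise ValueError("decoded body is not a DER SEQUENCE")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)
```

The string returned by `normalize_pem(ONE_LINE_PEM)` has the shape the `key` argument of `jwt.decode` needs for the call in the issue.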

aseem-hegshetye commented Jun 13, 2018

I had the same error. I copy-pasted the PEM file from my Mac to EC2 Ubuntu using the nano editor.
If you instead copy the entire PEM file using scp from Mac to EC2 Ubuntu, it works.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
