PEM_read_bio_PUBKEY failed when using pubkey option in apache2
WMP opened this issue · 10 comments
Hello, I am using the https://babelouest.github.io/glewlwyd/docs/OAUTH2.html server, with generated keys:
# RSA KEY
$ # private key
$ openssl genrsa -out private-rsa.key 4096
$ # public key
$ openssl rsa -in private-rsa.key -outform PEM -pubout -out public-rsa.pem
My public key in /pubkey.key is:
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3vNv0Zhc3VyUZTJPkO/
CUT
E6poZZ4jxdNEG78Bq9oGXraJOtAokK3E36CLkFBqc68maV39JkEHpZ315iLIm8wv
UpneLKgbapSfrPkNJWYqFWsCAwEAAQ==
-----END PUBLIC KEY-----
In the Apache configuration I have:
<Location />
AuthType oauth2
OAuth2TokenVerify pubkey /pubkey.key
Require valid-user
</Location>
When I start Apache, I get this error:
AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/000-default.conf:
PEM_read_bio_PUBKEY failed: error:0909006C:PEM routines:get_name:no start line
Action '-D FOREGROUND' failed.
The Apache error log may have more information.
Could you check if this certificate is good? I cannot change it.
I see that the documentation for mod_auth2 in oauth2.conf is wrong: the value for the pubkey option should not be a filename but the PEM string representation itself, so:
<Location />
AuthType oauth2
OAuth2TokenVerify pubkey -----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3vNv0Zhc3VyUZTJPkO/
CUT\nE6poZZ4jxdNEG78Bq9oGXraJOtAokK3E36CLkFBqc68maV39JkEHpZ315iLIm8wv\nUpneLKgbapSfrPkNJWYqFWsCAwEAAQ==\n-----END PUBLIC KEY-----
Require valid-user
</Location>
Let me know if that works.
OAuth2TokenVerify pubkey -----BEGIN PUBLIC KEY-----\nMIICIjA CUT wEAAQ==\n-----END PUBLIC KEY-----
gives me this error:
OAuth2TokenVerify takes two or three arguments, Set token verification method and options.
When I try to put the key in ' or " I get:
PEM_read_bio_PUBKEY failed: error:0909006C:PEM routines:get_name:no start line
Hmm, I have an example here:
https://github.com/zmartzone/liboauth2/blob/master/test/check_oauth2.c#L845-L857
but it seems indeed hard to put it into something that works in an Apache config file...
As a temporary workaround, if you can transform the public key into a JWK you can use something like:
OAuth2TokenVerify jwk "{\"kty\":\"RSA\",\"kid\":\"one\",\"use\":\"sig\",\"n\":\"12SBWV_4xU8sBEC2IXcakiDe3IrrUcnIHexfyHG11Kw-EsrZvOy6PrrcqfTr1GcecyWFzQvUr61DWESrZWq96vd08_iTIWIny8pU5dlCoC7FsHU_onUQI1m4gQ3jNr00KhH878vrBVdr_T-zuOYQQOBRMEyFG-I4nb91zO1n2gcpQHeabJw3JIC9g65FCpu8DSw8uXQ1hVfGUDZAK6iwncNZ1uqN4HhRGNevFXT7KVG0cNS8S3oF4AhHafFurheVxh714R2EseTVD_FfLn2QTlCss_73YIJjzn047yKmAx5a9zuun6FKiISnMupGnHShwVoaS695rDmFvj7mvDppMQ\",\"e\":\"AQAB\" }"
(which I verified in an Apache config)
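The workaround above needs the RSA public key as a JWK, i.e. the modulus and exponent as unpadded base64url integers, and the JSON has to be wrapped in double quotes with the inner quotes escaped for the Apache directive. The script below is an added example and not part of this issue, of mod_oauth2 or of liboauth2: it parses a PEM "PUBLIC KEY" (SubjectPublicKeyInfo) file with a minimal DER reader, builds the JWK, and prints an `OAuth2TokenVerify jwk` line in the same shape as the one shown above. It also shows the reverse direction (integer to DER to PEM) so the example can run offline; `DEMO_N` is a constructed toy modulus, not a real key, and `rsa_spki_der`, `pem_to_jwk` and `apache_directive` are names chosen here, not project APIs.

```python
import base64
import json

# --- base64url helpers: JWK integer fields are unpadded base64url (RFC 7518) ---
def b64u_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_int(text: str) -> int:
    """Decode a JWK big-endian unsigned integer field such as "n" or "e"."""
    return int.from_bytes(b64u_decode(text), "big")

# --- minimal DER encode/decode, enough for an RSA SubjectPublicKeyInfo ---
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value: int) -> bytes:
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:              # leading 0x00 keeps the INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:              # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier(rsaEncryption, NULL), BIT STRING(RSAPublicKey) }."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    algorithm = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    subject_public_key = _der(0x03, b"\x00" + rsa_public_key)   # 0 unused bits
    return _der(0x30, algorithm + subject_public_key)

def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def pem_to_jwk(pem: str, kid=None) -> dict:
    """Parse a PEM 'PUBLIC KEY' block (what `openssl rsa -pubout` writes) into an RSA JWK."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        # same condition OpenSSL reports as "no start line"
        raise ValueError("no start line: expected a '-----BEGIN PUBLIC KEY-----' block")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, algorithm, pos = _read_tlv(spki, 0)
    _, oid, _ = _read_tlv(algorithm, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption public key")
    tag, bits, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("subjectPublicKey must be a BIT STRING with 0 unused bits")
    _, rsa_public_key, _ = _read_tlv(bits[1:], 0)
    _, n_raw, pos = _read_tlv(rsa_public_key, 0)
    _, e_raw, _ = _read_tlv(rsa_public_key, pos)
    jwk = {"kty": "RSA", "use": "sig",
           "n": b64u_encode(n_raw.lstrip(b"\x00")),   # JWK wants no sign byte
           "e": b64u_encode(e_raw.lstrip(b"\x00"))}
    if kid:
        jwk["kid"] = kid
    return jwk

def apache_directive(jwk: dict, *options: str) -> str:
    """Render the JWK as one OAuth2TokenVerify argument; extra options (e.g. verify.iat=skip) follow it."""
    escaped = json.dumps(jwk, separators=(",", ":")).replace('"', '\\"')
    return " ".join(['OAuth2TokenVerify jwk "%s"' % escaped, *options])

# Constructed toy values for the stand-alone demo; NOT a real key pair.
DEMO_N = (1 << 255) + 123456789
DEMO_E = 65537

if __name__ == "__main__":
    pem = der_to_pem(rsa_spki_der(DEMO_N, DEMO_E))   # stands in for /pubkey.key
    print(apache_directive(pem_to_jwk(pem, kid="one"), "verify.iat=skip"))
```

For a real deployment, read the PEM from the file (`pem_to_jwk(open("/pubkey.key").read())`) and paste the printed line into the `<Location>` block; the `kid` only matters if the token header carries one.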
With this workaround it works. Is it possible to get the key from a file?
I added verify.iat: skip to this JSON:
OAuth2TokenVerify jwk "{\"kty\": \"RSA\", \"n\": \"q3vNv0Zhc CUT NJWYqFWs\", \"e\": \"AQAB\", \"verify.iat\": \"skip\"}"
But I still have the error:
_oauth2_jose_jwt_validate_iat: "iat" validation failure (1598349119): JWT was issued more than 10 seconds ago
Could you reply whether I am setting the verify.iat parameter correctly?
You need to add it as a command primitive option, separately from the JWK value, like:
OAuth2TokenVerify jwk "{\"kty\": \"RSA\", \"n\": \"q3vNv0Zhc CUT NJWYqFWs\", \"e\": \"AQAB\" }" verify.iat=skip
Thanks, now I have this error:
oauth2_apache_set_request_user: remote user claim could not be found
By default the token is expected to have a "sub" claim, you should be able to configure it with
OAuth2TargetPass remote_user_claim=anotherclaim
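The last two errors in this thread ("iat" older than the 10-second window and "remote user claim could not be found") are both about the claims inside the token. The snippet below is an added diagnostic, not code from this issue or from mod_oauth2: it decodes a JWT payload without verifying the signature, reports how old "iat" is against the 10-second window quoted in the log, and checks whether the claim you intend to map with `OAuth2TargetPass remote_user_claim=` is actually present, listing the string claims that could serve. The token is a constructed fixture with a fake signature, the issuer URL is a placeholder, and `diagnose`/`make_unsigned_token` are names chosen here.

```python
import base64
import json
import time

def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _b64u_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature: diagnostics only,
    never use this for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64u_decode(parts[1]))

def diagnose(token: str, now=None, max_iat_age: int = 10, remote_user_claim: str = "sub") -> dict:
    """Explain why a token would fail the 'iat' age check or the remote-user-claim lookup."""
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)
    report = {
        "iat_present": "iat" in claims,
        "iat_age": None,
        "iat_ok": None,
        "user_claim": remote_user_claim,
        "user_claim_present": remote_user_claim in claims,
        # string-valued claims are the candidates for remote_user_claim=...
        "string_claims": sorted(k for k, v in claims.items() if isinstance(v, str)),
    }
    if report["iat_present"]:
        age = now - int(claims["iat"])
        report["iat_age"] = age
        report["iat_ok"] = age <= max_iat_age   # window taken from the log line above
    return report

def make_unsigned_token(payload: dict) -> str:
    """Constructed fixture: RS256 header, given payload, and a dummy signature.
    It will not verify anywhere; it only exercises the claim inspection."""
    enc = lambda obj: _b64u_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), _b64u_encode(b"\x00" * 16)])

# Constructed payload: "iat" is the timestamp from the error log, and there is no "sub".
SAMPLE_PAYLOAD = {
    "iss": "https://idp.example/api/oauth2",   # placeholder issuer
    "aud": "mod_oauth2",
    "iat": 1598349119,
    "exp": 1598352719,
    "preferred_username": "wmp",
    "scope": "openid",
}

if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_PAYLOAD)
    print(json.dumps(diagnose(token, now=1598349200), indent=2))
    print(json.dumps(diagnose(token, now=1598349200, remote_user_claim="preferred_username"), indent=2))
```

If `iat_ok` is false the token is simply older than the verification window (or the clocks disagree), which is why `verify.iat=skip` made the first error go away; if `user_claim_present` is false for "sub", pick one of `string_claims` for `remote_user_claim=`.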
Thanks, works!