[ https://issues.apache.org/jira/browse/KNOX-2146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17000996#comment-17000996 ]

Matei C. edited comment on KNOX-2146 at 12/20/19 4:25 PM:
----------------------------------------------------------

Hello Larry,

 

First of all, thanks for taking the time to respond.

Regarding your statement:
 * "I am not following your assertion regarding public key vs 
public cert - JWTProvider supports PEM encoded public cert or public key in PKI 
terminology."

I've tested the JWT provider topology using the IdP public certificate in PEM 
format as a value for the 'knox.token.verification.pem' and it works.

I then proceeded to obtain the public key from the aforementioned certificate 
using 'openssl' and try using it in the same topology, but got the exact same 
error described in my original post.
{code:java}
// openssl x509 -pubkey -noout -in knox-cert.pem  > knox-pubkey.pem
{code}
 

Is there any official document stating if Knox supports PEM encoded keys and 
describing the way to use them?

Thanks in advance!

> Docs: Knox JWT token signature verification using public key
> ------------------------------------------------------------
>
>                 Key: KNOX-2146
>                 URL: https://issues.apache.org/jira/browse/KNOX-2146
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Site
>    Affects Versions: 1.0.0
>         Environment: Ubuntu 18.04, HDP 3.1
>            Reporter: Matei C.
>            Assignee: Larry McCay
>            Priority: Minor
>             Fix For: 1.4.0
>
>
> Hello,
>  I have configured an Apache Knox (1.0.0) topology to accept 3rd party JWTs 
> by following this [Cloudera 
> guide|https://community.cloudera.com/t5/Community-Articles/Knox-Accept-third-party-JWT/ta-p/248488].
>
>  I would also like to verify the 3rd party JWTs based on their signature by 
> adding my IdP's public key in PEM format for the JWT provider, but in the 
> guide it is specified that only PEM certificates are accepted (' [...] *In 
> current Knox version, public key is not supported, have to configure public 
> certificate [...]*') and I have not found any relevant documentation from 
> Knox on this subject.
>
>  Can you please tell me if there is any solution to use public keys for JWT 
> verification in Knox 1.0.0? If not, are there any plans to support this in 
> future Knox releases?
> P.S.:
> When adding the 'knox.token.verification.pem' parameter with the public key 
> in the JWT provider of my topology I noticed the below error in my 
> gateway.log, which does seem to confirm the public key limitation.
>  
> {code:java}
> javax.servlet.ServletException: javax.servlet.ServletException: 
> CertificateException - PEM may be corrupt
> {code}
>  
> Regards,
>  
>  
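
As an added illustration, not part of the thread and not Knox code: the file that `openssl x509 -pubkey -noout` writes is a bare SubjectPublicKeyInfo (`BEGIN PUBLIC KEY`), a different DER structure from an X.509 certificate, which is consistent with a certificate parser rejecting it with the CertificateException quoted above. The stdlib-only Python check below tells the two apart by structure before a value is pasted into `knox.token.verification.pem`; `classify_pem`, `read_tlv`, `to_pem` and the two sample DER skeletons are hypothetical names and constructed data for this example.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def classify_pem(text):
    """Return (pem_label, kind); kind is 'certificate', 'public-key' or 'unknown'."""
    m = PEM_RE.search(text)
    # Accept a bare base64 body too (no BEGIN/END lines): label is then None.
    label, body = (m.group(1), m.group(2)) if m else (None, text)
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        outer, start, _ = read_tlv(der, 0)
        inner, istart, iend = read_tlv(der, start)
        if outer != 0x30 or inner != 0x30 or istart >= iend:
            return label, "unknown"
        first = der[istart]
    except (ValueError, IndexError):       # bad base64, empty or truncated DER
        return label, "unknown"
    if first == 0x06:            # AlgorithmIdentifier OID: SubjectPublicKeyInfo
        return label, "public-key"
    if first in (0xA0, 0x02):    # [0] version or serial INTEGER: tbsCertificate
        return label, "certificate"
    return label, "unknown"

def to_pem(label, der):
    """Wrap DER bytes in PEM armour with the given label."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed DER skeletons (structure only, not usable keys or certificates).
SPKI = bytes.fromhex("3014300d06092a864886f70d01010105000303000102")
CERT = bytes.fromhex("300a3008a003020102020101")

if __name__ == "__main__":
    for label, der in (("CERTIFICATE", CERT), ("PUBLIC KEY", SPKI)):
        print(classify_pem(to_pem(label, der)))
```

The check classifies by DER structure rather than by the PEM label, so a key stored under a `CERTIFICATE` header is still reported as `public-key`.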


