Not working with certificate

[johnsnelson]

I'm working with an authentication system that has given me a x509 certificate for the public key and when I try to decode the token using this library, I get this error: "Invalid RSA public key encoding."
I am able to successfully validate the signature on the jwt.io decoder so I'm pretty sure it's not a problem with the tokens or the certificate, but rather something in the Java being used by Coldfusion. I've tried tweaking it as much as I know how and I've gotten nowhere. Do you have any suggestions?

I'm pretty sure my code should work:
<cfset jwt = new lib.JsonWebTokens()>
<cfset payload = jwt.decode( token, "RS256", "#certString#" )>
Or am I missing something?
Thanks!

[luggage66]

I had that error and it was (for me) because it was expecting PKCS#8 format and I had PKCS#1. This SO issue helped: https://stackoverflow.com/questions/18039401/how-can-i-transform-between-the-two-styles-of-public-key-format-one-begin-rsa/27930720#27930720

To convert from PKCS#1 to PKCS#8:

openssl rsa -RSAPublicKey_in -in <filename> -pubout

[thesourav123]

@johnsnelson
I too have a x509 certificate which is giving the below error. Did you find a solution to this issue
My Certificate Starts with

----BEGIN CERTIFICATE----
----END CERTIFICATE------

Whenever i am calling jwt.decode method i am getting the below error
java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = -96)

[coffeeburrito]

Trying to decode Azure JWTs, I kept getting "Invalid RSA public key encoding." both with and without BouncyCastle provider. For me, the solution was an alternate method of loading the public key. The 'RSASigner.cfc' file now looks like this:

public any function setPublicKeyFromText( required string newPublicKeyText ) {
	testKey( newPublicKeyText );

	var bais = createObject("java", "java.io.ByteArrayInputStream").init(
		binaryDecode( stripKeyDelimiters( newPublicKeyText ), "base64" )
	);

	cf = createObject("java", "java.security.cert.CertificateFactory").getInstance("X.509");
	cert = cf.generateCertificate(bais);
	publicKey = cert.getPublicKey();

	return( this );
}

Edit: I just noticed there's a pull request to fix this already (#3)

Also, the Microsoft cert I was trying to load was this: "MIIDBTCCAe2gAwIBAgIQWcq84CdVhKVEcKbZdMOMGjANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTE5MDMxNDAwMDAwMFoXDTIxMDMxNDAwMDAwMFowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANGnwmoj3f8Zf3sGRnzpMSsGD3yOBH7tAjn82oyv4J74lpO8N0fvPA5m9I9uA0p9alUd6bQpwNfkFH1DMob5fKU+fre6EZCzT86dIVVfnQBt2aDGkhDFtMGqbIQOi1RkTqQZ3A5nOuocefrd3jhQNuH4in0Ir9kybYd2PY4R5y3uxgTqKJlmMf6SYhBt5oWBSLe7IWhMDXBI6N+L69Vls0ZvA/IKII6yVndZqMnhn7Vi8736fXu/UMB2Cb/dO70Gxa0+y2LsvIO/kacbo4LpsNpsewnsHAmV8D4mfq2jNwKdRYSDYhqXeZm22KxQwxSFgI1j1GOijb17XNuMlH2a+DECAwEAAaMhMB8wHQYDVR0OBBYEFIkZ5wrSV8lohIsreOmig7h5wQDkMA0GCSqGSIb3DQEBCwUAA4IBAQAd8sKZLwZBocM4pMIRKarK60907jQCOi1m449WyToUcYPXmU7wrjy9fkYwJdC5sniItVBJ3RIQbF/hyjwnRoIaEcWYMAftBnH+c19WIuiWjR3EHnIdxmSopezl/9FaTNghbKjZtrKK+jL/RdkMY9uWxwUFLjTAtMm24QOt2+CGntBA9ohQUgiML/mlUpf4qEqa2/Lh+bjiHl3smg4TwuIl0i/TMN9Rg7UgQ6BnqfgiuMl6BtBiatNollwgGNI2zJEi47MjdeMf8+C3tXs//asqqlqJCyVLwN7AN47ynYmkl89MleOfKIojhrGRxryZG2nRjD9u/kZbPJ8e3JE9px67"

[tomchiverton]

This no longer works anyway, because the private key has to be passed into decode() :(

[tomchiverton]

But you can do something like this, as long as you change setAlgorithm() to be public, which I think is an oversight that it's private.

var signer = createObject('JSONWebTokens_4dac726.lib.sign.RSASigner')
signer.setAlgorithm('SHA256withRSA')
signer.setPublicKeyFromText( public_key )

var jwt_lib = createObject('JSONWebTokens_4dac726.lib.client.JsonWebTokensClient');
jwt_lib.setJsonEncoder( new JSONWebTokens_4dac726.lib.encode.JsonEncoder() )
jwt_lib.setBase64urlEncoder( new JSONWebTokens_4dac726.lib.encode.Base64urlEncoder() )
jwt_lib.setSigner( signer ) 

var usr = jwt_lib.decode( token );