
Error: PEM_read_bio_PUBKEY failed #185

Closed
louis-sanna opened this issue Jan 11, 2017 · 7 comments

Comments

@louis-sanna

We have an error when our AssertionConsumerServiceURL is called by an identity provider using Azure AD (it works fine for our other clients; not sure whether or not it's linked to Azure).

Error: PEM_read_bio_PUBKEY failed
    at Error (native)
    at Verify.verify (crypto.js:311:23)
    at RSASHA256.verifySignature (/home/git/backend/node_modules/xml-crypto/lib/signed-xml.js:137:24)
    at SignedXml.validateSignatureValue (/home/git/backend/node_modules/xml-crypto/lib/signed-xml.js:273:20)
    at SignedXml.checkSignature (/home/git/backend/node_modules/xml-crypto/lib/signed-xml.js:261:13)
    at SAML.validateSignature (/home/git/backend/node_modules/passport-saml/lib/passport-saml/saml.js:498:14)
    at /home/git/backend/node_modules/passport-saml/lib/passport-saml/saml.js:545:17
    at _fulfilled (/home/git/backend/node_modules/passport-saml/node_modules/q/q.js:794:54)
    at self.promiseDispatch.done (/home/git/backend/node_modules/passport-saml/node_modules/q/q.js:823:30)
    at Promise.promise.promiseDispatch (/home/git/backend/node_modules/passport-saml/node_modules/q/q.js:756:13)
    at /home/git/backend/node_modules/passport-saml/node_modules/q/q.js:516:49
    at flush (/home/git/backend/node_modules/passport-saml/node_modules/q/q.js:110:17)
    at _combinedTickCallback (internal/process/next_tick.js:67:7)
    at process._tickDomainCallback (internal/process/next_tick.js:122:9)

The error is thrown by xml-crypto in the function "verifySignature":

var crypto = require("crypto");
// Node's createVerify parses `key` as PEM text (public key or X.509 certificate);
// when that parse fails the verify call throws instead of returning false.
var verifySignature = function(str, key, signatureValue) {
  var verifier = crypto.createVerify("RSA-SHA256");
  verifier.update(str);
  var res = verifier.verify(key, signatureValue, 'base64');
  return res;
};

I was able to reproduce the error with the arguments passed:

var str = '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference URI="#_55ead485-2e18-4a0d-996e-8c1e42ffa49c"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>nj39d54JP9LU4xUgqUa5uzJ7W/xzDAzXadgUy37Yunk=</ds:DigestValue></ds:Reference></ds:SignedInfo>';
var key = '-----BEGIN CERTIFICATE-----\n' +
'MxXh1Tdvj9Wx5VOV4WVunP81al6yvYwRph5F1CPgKRA=\n' +
'-----END CERTIFICATE-----\n';
var signatureValue = 'QhszIs1jyIQ/b+4kuAxoKNqmU2zk1Gwlzdc0N4V54pkrv+gPwautZMLZEcQCFq9Qt6Xb5oKZHA43OwQfy0kBO1Fy88XlpDu9D5o23pzddZh3x9p0OSjTLA6ycSUYftCKPoTRtIq1AJ9QcmahISPPWA89Vp5hpw2gwuyQsZYXVep8PZJFdlXf+jh35KJq0WOH+4UVRWHoYU5THHE9H7rKqlXzEma+jb78KWF/aNltRFS2yW0UT3bsYE0CKiJp/MokNB51IztwZYqueGBD2A2IcFF+PAq4cnwSzqIZ5sXCVWUSm6lQupyxA67nIA/asJ//WbYozCePSQKFaBNVJEz1Pg==';

Any idea how to fix it?

@louis-sanna
Author

@bergie

@louis-sanna
Author

There was a problem with the certificate.

@GGross5213

@louis-sanna What was the problem with the cert? I am getting this error too.

@louis-sanna
Author

@GGross5213 I don't remember exactly, but I managed to fix it with the function convertCertificate: auth0/node-jsonwebtoken#68

@uttamraj-pando

To give more info:

  • The certificate downloaded from Azure Active Directory has the extension .cer
  • passport-saml needs the value from a file with the .pem extension
  • A .cer file can be converted into a .pem file using the command below:
    openssl x509 -inform der -in my_certificate.cer -out my_certificate.pem
  • After converting the file to .pem format, open the file and follow the instructions below

The "BEGIN CERTIFICATE" and "END CERTIFICATE" lines should be stripped out and the certificate should be provided on a single line.

credits: All of this information is already mentioned on the page
https://www.npmjs.com/package/passport-saml#security-and-signatures

@mategvo

mategvo commented Dec 11, 2020

This works for me locally but doesn't work when deployed. I am testing the exact same private key and token:

  // Assumed imports for the snippet (firebase-functions logger and jsonwebtoken).
  const functions = require('firebase-functions');
  const jwt = require('jsonwebtoken');

  async function getUid(token, privateKey) {
    const { uid } = await jwt.verify(
      token,
      privateKey,
      {
        algorithms: ['RS256'],
      },
      // With a callback supplied, jwt.verify returns whatever the callback returns.
      function (err, decoded) {
        functions.logger.log('error verifying token', err);
        return decoded;
      },
    );
    return uid;
  }

@jorg1piano

@mategvo any luck? Ran into the same issue. Works locally, but not on the server
