Invalid JWKS certificate

neil.gentleman · September 12, 2019, 10:28pm

Newer versions of OpenSSL reject the certificate returned from https://newhippo.auth0.com/.well-known/jwks.json.

curl -s https://newhippo.auth0.com/.well-known/jwks.json | jq -r .keys[0].x5c[0] | base64 --decode | openssl x509 -inform der -noout -text -in /dev/stdin
unable to load certificate
140174787252288:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal padding:../crypto/asn1/a_int.c:187:
140174787252288:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:626:Field=serialNumber, Type=X509_CINF
140174787252288:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:626:Field=cert_info, Type=X509

Older versions of OpenSSL correct show the certificate information:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9096867982294606615 (0x7e3e913b8d4b6317)

It looks like the serial number has the high bit set, as in these other reports:

github.com/pyca/cryptography

Debugging `ValueError: Unable to load certificate` error

opened 11:08PM - 15 Jan 18 UTC

closed 11:37PM - 15 Jan 18 UTC

dbinetti

I'm getting a `ValueError: Unable to load certificate` when trying to read a PEM… cert. However, after reading and searching in vain I'm unable to determine why I'm getting the error or how to debug. The certificate appears valid, but I don't know how to check that. Any guidance would be appreciated. On MacOS High Sierra 10.13.2, Python 3.6.4, cryptography 2.1.4 and everything else up-to-date. ``` >>> from cryptography import x509 >>> from cryptography.hazmat.backends import default_backend cert = x509.load_pem_x509_certificate(open('barberscore.pem', 'rb').read(), default_backend()) >>> cert = x509.load_pem_x509_certificate(open('barberscore.pem', 'rb').read(), default_backend()) Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/Users/dbinetti/Repos/pycryptography-test-load-x509/.venv/lib/python3.6/site-packages/cryptography/x509/base.py", line 43, in load_pem_x509_certificate return backend.load_pem_x509_certificate(data) File "/Users/dbinetti/Repos/pycryptography-test-load-x509/.venv/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1139, in load_pem_x509_certificate raise ValueError("Unable to load certificate") ValueError: Unable to load certificate ```

github.com/openssl/openssl

Unable to decode negative serial number

opened 08:23PM - 01 Sep 17 UTC

closed 08:22PM - 03 Sep 17 UTC

hsheth2

OpenSSL 1.1.0f is unable to decode a certificate: ``` $ openssl x509 -inform p…em -in '1914312.crt' -noout -text unable to load certificate 140735234723840:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal padding:crypto/asn1/a_int.c:187: 140735234723840:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:609:Field=serialNumber, Type=X509_CINF 140735234723840:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:609:Field=cert_info, Type=X509 140735234723840:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:crypto/pem/pem_oth.c:33: ``` Older versions of OpenSSL were able to handle this certificate correctly: ``` $ /usr/bin/openssl version OpenSSL 0.9.8zh 14 Jan 2016 $ /usr/bin/openssl x509 -inform pem -in '1914312.crt' -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: (Negative)2a:2a:ba:c2:cd:b1:6a:74:80:3a:2f:b8:88:24:42 Signature Algorithm: sha1WithRSAEncryption [...] ``` For reference, the certificate in question can be found online: https://crt.sh/?id=1914312.

Could a new certificate be added to our tenant?

James.Morrison · September 13, 2019, 1:24pm

Hey there @neil.gentleman, I wanted to let you know I am looking into this and will relay what I find. Thank you.

James.Morrison · September 13, 2019, 2:10pm

After talking with the team it sounds like you worked with Tim on this and had a ticket open in regards to getting this resolved. As not to duplicate effort I will let our support team handle this but will share the resolution here for historical sake. Thanks!

James.Morrison · October 18, 2019, 2:35pm

To follow up on this front, it appears the support case was resolved after the tenant signing key had now been rotated.

Please let us know if we can be of any help in the future!

system · November 2, 2019, 2:35pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JWK Certificate thumbprint is invalid Help jwt , jwks , certificate	21	10292	April 23, 2020
JWK is not verified in debugger Help jwks , x509 , pem	9	2126	November 16, 2022
Certificate thumbprint is longer than 20 bytes Help jwks , x509	11	11228	April 23, 2020
Invalid token error: illegal padding error 0D0E20DD JWT.io	3	4909	September 3, 2019
Token validation with python Help jwt , jwt-validation , python	6	20776	August 29, 2019

Invalid JWKS certificate

Related Topics