
Problem validating JWT with X509 cert/pubkey from /jwks



I am trying to implement my server-side JWT access token validation (in Java) in my API code using a RESTful service filter. I have my authorization bearer access_token for my audience, and I have my signing certificate string from the client advanced settings > certificate in the Auth0 UI (or from the downloaded .PEM file).

If I put the token and the certificate into if all looks good and the certificate validates the jwt

For the time being I am just trying to get it to execute once in the API to see it work with the String object called cert in the code.
If I call my URL to I get the JSON and the "x5c": claim, and I take that text and put it into the string variable cert in my Java code (or I take the string from the PEM file and either strip the header and footer or not):

            // "cert" holds the base64 DER of a full X.509 certificate (the x5c value),
            // but X509EncodedKeySpec expects a DER SubjectPublicKeyInfo block only;
            // tag 0xA0 (-96) in the error below is the certificate's version field.
            byte[] keyBytes = Base64.decode(cert);
            X509EncodedKeySpec spec = new X509EncodedKeySpec(keyBytes);
            KeyFactory kf = KeyFactory.getInstance("RSA");
            PublicKey publicKey = kf.generatePublic(spec);

This generates this exception: IOException: ObjectIdentifier() – data isn't an object ID (tag = -96)

I am trying to get the public key because I need it to validate the signature using the jjwt Java library,
which I chose over the Auth0 library because GitHub indicated the latest build for java-jwt is failing (?),
although I had some difficulty integrating the jjwt library into my Eclipse projects as well.

I assume I will need the public key from the cert even if I switch to the Auth0 library.

Also, I have run some test code from GitHub that executes the same process; with a different pair of token and cert strings it executes fine, but not with the ones I need to work with (and that work in

What am I doing wrong or understanding incorrectly?
Is there any sample code in Java showing the extraction of the cert and public key from the /jwks.json endpoint and then converting the x5c to the Java objects needed to perform the validation and signature verification?
I looked all over and couldn't find much.



Hi Amalycky,

You can extract the public key from the x5c certificate. Using this online tool, convert your x5c string to a valid X.509 certificate. Then extract the public key with openssl:

openssl x509 -in x5c-cert-formated.pem -pubkey -noout > public-key.pem

Then in your Java code:

         import java.security.KeyFactory;
         import java.security.PublicKey;
         import java.security.spec.X509EncodedKeySpec;
         import java.util.Base64;

         // key = contents of public-key.pem produced by the openssl command above
         public static PublicKey loadPublicKey(String key) throws Exception {
             // strip off header, footer, newlines, whitespace
             String publicKeyPEM = key
                     .replace("-----BEGIN PUBLIC KEY-----", "")
                     .replace("-----END PUBLIC KEY-----", "")
                     .replaceAll("\\s", "");

             // decode to get the binary DER representation (SubjectPublicKeyInfo)
             byte[] publicKeyDER = Base64.getDecoder().decode(publicKeyPEM);
             X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyDER);

             KeyFactory keyFactory = KeyFactory.getInstance("RSA");
             return keyFactory.generatePublic(keySpec);
         }

Hope that helps,
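For the Java-only route the question asks about (no openssl step), here is an added example that is not the original poster's or Auth0's code: it turns the `x5c` value from `/.well-known/jwks.json` into an `X509Certificate` with `CertificateFactory`, takes the public key from it, and checks an RS256 signature. The `x5c` and JWT placeholder strings in `main` are assumptions to be replaced with your tenant's values; the method names are mine.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

public class JwksX5cVerifier {

    // "x5c"[0] is standard base64 (not base64url) of a DER X.509 certificate, so it
    // must go through CertificateFactory; X509EncodedKeySpec only accepts a bare
    // SubjectPublicKeyInfo, which is why feeding it the x5c bytes fails.
    public static X509Certificate certificateFromX5c(String x5c) throws Exception {
        byte[] der = Base64.getDecoder().decode(x5c);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    // Verify the signature of a compact JWT (header.payload.signature) with the given
    // key. The algorithm is fixed to RS256 here on purpose rather than read from the
    // token header, so an "alg": "none" or HS256 token cannot pass. Claim checks
    // (iss, aud, exp) are still required after this returns true.
    public static boolean verifyRs256(String jwt, PublicKey publicKey) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            return false;
        }
        byte[] signingInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        // The signature segment is base64url without padding
        byte[] signature = Base64.getUrlDecoder().decode(parts[2]);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(publicKey);
        verifier.update(signingInput);
        return verifier.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Placeholders (assumed): paste the "x5c"[0] value from your tenant's
        // /.well-known/jwks.json and an access token issued by that tenant.
        String x5c = "<x5c value from jwks.json>";
        String jwt = "<compact JWT>";
        X509Certificate cert = certificateFromX5c(x5c);
        cert.checkValidity(); // throws if the certificate is expired or not yet valid
        System.out.println("signature valid: " + verifyRs256(jwt, cert.getPublicKey()));
    }
}
```

When the JWKS lists several keys, pick the entry whose `kid` matches the token header's `kid` before calling `certificateFromX5c`, and refresh the JWKS rather than pinning one pasted certificate in production.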