Unable to verify access tokens due to "no start line" Open SSL Error

ardenchew · October 16, 2023, 8:42am

I’m looking to decode and perform signature verification on access tokens provided by Auth0 (tested with both my react-native-auth0 generated tokens from an application associate user, and test tokens created in the Auth0 management API).

When decoding without signature verification I do not run into any problems, but when including signature verification I receive an OpenSSLError indicating no start line.

Here’s a short code sample that I’ve run in a python venv mimicking my actual application:

from jwt import decode

token = "<redacted>"
auth0_domain = "<redacted>"
auth0_audience = "<redacted>"

# This works just fine.
payload = decode(
  token,
  options={"verify_signature": False, "verify_aud": True},
  audience=auth0_audience,
  issuer=auth0_domain
)

# This fails with an error listed below.
payload = decode(
  token,
  options={"verify_signature": True, "verify_aud": True},  # Changed verify_signature to True here.
  algorithms=["RS256"],
  audience=auth0_audience,
  issuer=auth0_domain
)

The error referenced

Traceback (most recent call last):
  File "/Users/achew/Library/Caches/pypoetry/virtualenvs/app-Z2_yh_DE-py3.11/lib/python3.11/site-packages/jwt/algorithms.py", line 350, in prepare_key
    RSAPrivateKey, load_pem_private_key(key_bytes, password=None)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/achew/Library/Caches/pypoetry/virtualenvs/app-Z2_yh_DE-py3.11/lib/python3.11/site-packages/cryptography/hazmat/primitives/serialization/base.py", line 25, in load_pem_private_key
    return ossl.load_pem_private_key(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/achew/Library/Caches/pypoetry/virtualenvs/app-Z2_yh_DE-py3.11/lib/python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 747, in load_pem_private_key
    return self._load_key(
           ^^^^^^^^^^^^^^^
  File "/Users/achew/Library/Caches/pypoetry/virtualenvs/app-Z2_yh_DE-py3.11/lib/python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 929, in _load_key
    self._handle_key_loading_error()
  File "/Users/achew/Library/Caches/pypoetry/virtualenvs/app-Z2_yh_DE-py3.11/lib/python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 984, in _handle_key_loading_error
    raise ValueError(
ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=503841036, lib=60, reason=524556, reason_text=unsupported)>])

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/achew/Library/Caches/pypoetry/virtualenvs/app-Z2_yh_DE-py3.11/lib/python3.11/site-packages/jwt/api_jwt.py", line 210, in decode
    decoded = self.decode_complete(
              ^^^^^^^^^^^^^^^^^^^^^
  File "/Users/achew/Library/Caches/pypoetry/virtualenvs/app-Z2_yh_DE-py3.11/lib/python3.11/site-packages/jwt/api_jwt.py", line 151, in decode_complete
    decoded = api_jws.decode_complete(
              ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/achew/Library/Caches/pypoetry/virtualenvs/app-Z2_yh_DE-py3.11/lib/python3.11/site-packages/jwt/api_jws.py", line 209, in decode_complete
    self._verify_signature(signing_input, header, signature, key, algorithms)
  File "/Users/achew/Library/Caches/pypoetry/virtualenvs/app-Z2_yh_DE-py3.11/lib/python3.11/site-packages/jwt/api_jws.py", line 307, in _verify_signature
    prepared_key = alg_obj.prepare_key(key)
                   ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/achew/Library/Caches/pypoetry/virtualenvs/app-Z2_yh_DE-py3.11/lib/python3.11/site-packages/jwt/algorithms.py", line 353, in prepare_key
    return cast(RSAPublicKey, load_pem_public_key(key_bytes))
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/achew/Library/Caches/pypoetry/virtualenvs/app-Z2_yh_DE-py3.11/lib/python3.11/site-packages/cryptography/hazmat/primitives/serialization/base.py", line 35, in load_pem_public_key
    return ossl.load_pem_public_key(data)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/achew/Library/Caches/pypoetry/virtualenvs/app-Z2_yh_DE-py3.11/lib/python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 794, in load_pem_public_key
    self._handle_key_loading_error()
  File "/Users/achew/Library/Caches/pypoetry/virtualenvs/app-Z2_yh_DE-py3.11/lib/python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 984, in _handle_key_loading_error
    raise ValueError(
ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=75497580, lib=9, reason=108, reason_text=no start line)>])

dalton · January 10, 2024, 4:08pm

I was able to get it to decode if I set “verify” to “false”