Layer7 API Management

  • Private Community
 View Only

 Validating a JWS using public key

vebi etem's profile image
vebi etem posted Jul 16, 2021 02:23 AM
Hi,

I need to validate a JWS using Decode Json Web Token assertion. (Source is not a JWE, just a signed payload with RSASSA-PKCS-v1_5 using SHA-256)
There will be different public keys I need to obtain from multiple third parties, I will get these public keys from a trust anchor in pem format.

Example of the Public Key format (NOT a Public Cert):
-----BEGIN PUBLIC KEY-----
MIIBIjANBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END PUBLIC KEY-----

These public keys that I will obtain may change in time, so I don't want to define these keys manually to API Gateway. I wonder if there is a way to validate JWS by using a public key in a context variable

I'm able to validate a JWS only if I use a JWK. It is also OK for me if I was able to convert pem public key context variable to JWK, but here I couldn't use 'Create Json Web Key' assertion either, because this assertion only allows me to select a recipient public key which is pre-defined in 'Manage Private Keys' task.

I want to know if there is a way to validate a JWS with just a public key in a context variable in .pem format, thanks for your advices.
Zhijun He's profile image
Broadcom Employee Zhijun He posted Jul 20, 2021 06:57 PM
Dear Vebi,
The jwt issuer should publish the needed public keys (usually jwks) on line, so we can download it from a url. 
It's expected the jwks will change in time, we can control it in policy logic, and download it when needed.
The policy structure below is just to explain the idea,
- At least folder
- \_ All folder
---- \_ lookup jwks in cache, use decode json web token assertion to validate jwt token, etc.
- \_ All folder
---- \_ route via http to jwks url, store to cache, etc.
---- |_ use decode json web token assertion to validate jwt token
- \_ All folder
---- \_ error handling for invalid jwt token


Note: for jwks, we need "kid" to find the correct public key in the key set, the kid will need to be extracted from the jwt -- use another Decode json web token assertion with "None" validation method to extract jwt header and then use json path to get the "kid" from jwt header. Product document has the sample code,
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/security-configuration-in-policy-manager/policy-manager-other-security/working-with-json-web-tokens.html
(start from line 32 in the screenshot of the sample policy)


Regards,
Mark