jonasroussel / dart_jsonwebtoken

A dart implementation of the famous javascript library 'jsonwebtoken'
MIT License

Verify Firebase token failure #45

Closed fabiotavares closed 1 year ago

fabiotavares commented 1 year ago

I can't verify the signature of a valid token generated by Firebase. Using JWT.verify(token, RSAPublicKey(key)) gives the following conversion error:

type 'ASN1Integer' is not a subtype of type 'ASN1ObjectIdentifier' in type cast RSAPublicKey

I'm using a jwt.io validated token and the public key: '-----BEGIN CERTIFICATE-----\n…\n-----END CERTIFICATE-----\n'

Bkohler93 commented 1 year ago

Similar issue but occurring with a Google public key.

type 'ASN1Sequence' is not a subtype of type 'ASN1Integer' in type cast

Were you able to figure it out?

fabiotavares commented 1 year ago

I solved the problem after converting from CERTIFICATE to PUBLIC KEY with the following command in terminal:

openssl x509 -in cert.pem -pubkey -noout

I just haven't found a way to do this programmatically.
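
The conversion that `openssl x509 -in cert.pem -pubkey -noout` performs can be done in Dart by walking the certificate's DER structure to the subjectPublicKeyInfo field and re-wrapping it as a PUBLIC KEY PEM. This is an added example, not part of the original thread or of dart_jsonwebtoken; the names `tlv` and `certPemToPublicKeyPem` are hypothetical, the sample input is a constructed skeleton, and like the openssl command it only extracts the key without validating the certificate.

```dart
import 'dart:convert';
import 'dart:typed_data';

// Added example, not dart_jsonwebtoken code. Function names are hypothetical.
/// Returns [contentStart, end] of the DER element whose tag byte is at [off].
List<int> tlv(Uint8List der, int off) {
  if (off + 2 > der.length) throw const FormatException('truncated DER');
  var len = der[off + 1];
  var pos = off + 2;
  if ((len & 0x80) != 0) {
    final n = len & 0x7f; // long form: low 7 bits count the length bytes
    if (n == 0 || n > 4 || pos + n > der.length) {
      throw const FormatException('unsupported DER length');
    }
    len = 0;
    for (var i = 0; i < n; i++) len = (len << 8) | der[pos++];
  }
  if (pos + len > der.length) throw const FormatException('truncated DER');
  return [pos, pos + len];
}

/// PEM certificate in, PEM SubjectPublicKeyInfo ("PUBLIC KEY") out.
String certPemToPublicKeyPem(String certPem) {
  final body = certPem
      .replaceAll(RegExp(r'-----(BEGIN|END) CERTIFICATE-----'), '')
      .replaceAll(RegExp(r'\s'), '');
  final der = base64.decode(body);
  final cert = tlv(der, 0); // Certificate ::= SEQUENCE
  final tbs = tlv(der, cert[0]); // tbsCertificate ::= SEQUENCE
  var off = tbs[0];
  if (der[off] == 0xa0) off = tlv(der, off)[1]; // optional [0] version
  // Skip serialNumber, signature, issuer, validity, subject.
  for (var i = 0; i < 5; i++) off = tlv(der, off)[1];
  final end = tlv(der, off)[1];
  if (der[0] != 0x30 || der[off] != 0x30 || end > tbs[1]) {
    throw const FormatException('subjectPublicKeyInfo not found');
  }
  final b64 = base64.encode(der.sublist(off, end));
  final lines = RegExp('.{1,64}').allMatches(b64).map((m) => m[0]);
  return '-----BEGIN PUBLIC KEY-----\n${lines.join('\n')}\n-----END PUBLIC KEY-----\n';
}

void main() {
  // Constructed certificate-shaped DER skeleton, not a real certificate.
  final der = <int>[0x30, 0x1e, 0x30, 0x17, 0xa0, 3, 2, 1, 2, 2, 1, 1, 0x30, 0,
    0x30, 0, 0x30, 0, 0x30, 0, 0x30, 5, 0x30, 0, 3, 1, 0, 0x30, 0, 3, 1, 0];
  final pem = '-----BEGIN CERTIFICATE-----\n${base64.encode(der)}\n'
      '-----END CERTIFICATE-----\n';
  print(certPemToPublicKeyPem(pem));
}
```

With a real certificate, the returned PEM is the kind of PUBLIC KEY input that the thread reports passing to `RSAPublicKey(...)` successfully.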

jonasroussel commented 1 year ago

Hey!

The package does not currently support PEM certificate parsing because only the public key is needed to validate the token.

I'll see if I can add a certificate parser in middleware to extract the public key before starting the validation.

jonasroussel commented 1 year ago

I just published a new version v2.9.1 that includes RSA & EC public key creation with a PEM certificate https://pub.dev/packages/dart_jsonwebtoken/versions/2.9.1

Example of use:

import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart';

void main() {
  // PEM-encoded X.509 certificate (replace the placeholder with the real body)
  final pem = '''-----BEGIN CERTIFICATE-----
<base64 certificate body>
-----END CERTIFICATE-----
''';

  // Build the RSA public key directly from the certificate
  final key = RSAPublicKey.cert(pem);
  final token = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvbmFzIFJvdXNzZWwiLCJhZG1pbiI6dHJ1ZSwiaWF0IjoxNTE2MjM5MDIyfQ.TDYkxs1DmCv_nvReJu5hFqsU__x8gIZ3JFQzRixjKDthvpIkphhaot3cLDcDDoS57pgjf2mk6hifsiWHARSsD8VIRdUqBNkHk2AZxZcVAbHNPAGmQpIUwCJaBRyL51WLiDQw6JnqV1JYYuCBGahPQbX4CWJvDVaxxosiO65Q6cvzgV9xl-qX5om7OA2ruktnO1oz61k226mKYtR7d_mMCRDYcQouIHozj91TKRqn3YC3C5xnU4uBsJBhwbdj-F5vdE-3b56qQRQP8JDMoNDVGWU1XhGD_Ab8M7ysRerWnfIinMptoH6Jj4ZmdWfwu2Ec4Qo8tn7wTHaLSOLiyvuHPA';

  // Verify the token signature with the extracted key
  final jwt = JWT.verify(token, key);

  print(jwt.payload);
}

jonasroussel commented 1 year ago

Let me know if this new function works for you in the case of the Firebase certificate

fabiotavares commented 1 year ago

> Let me know if this new function works for you in the case of the Firebase certificate

Hi, Worked perfectly! Thank you very much for your attention and commitment. Congratulations.