使用 dgrijalva/jwt-go golang 包解析 RS256 Public 密钥时出现问题

Problem when parsing RS256 Public key with dgrijalva/jwt-go golang package

我有一对生成的密钥:

ssh-keygen -t rsa -P "" -b 2048 -m PEM -f jwtRS256.key
ssh-keygen -e -m PEM -f jwtRS256.key > jwtRS256.key.pub

现在我尝试用 jwt.ParseRSAPrivateKeyFromPEMjwt.ParseRSAPublicKeyFromPEM 解析它们 它适用于私钥,但不适用于 Public 密钥。

我得到的错误是: 2021/04/07 13:34:22 errorPublic: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:257 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificate @4

我的代码:

package main

import (
    "fmt"
    "log"

    "github.com/dgrijalva/jwt-go"
)

var key = `-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAuMVb3lrWKlmGIzTaJqtVJi2rPIy7/BkRKlAZ7Q1u0VlyOhzI
cXq6zAGsh31uWeJBJFKrZdwA6b2LD5vscnuilHi0nfQZA5l+meQT9LJ7STnfJ7f8
1CniBIhj5g6dOva9o/ljrLCmRSE4MjJRl3LkydvrHNokzicOAvieq4BYgHVJ2DC7
r7cSWrHeIiBIEBb1zAghc1OxtkFkxumva2gmywq0zB0VfzsYrtSpWT77qSNA+UEH
H+UCahefkun1uaBcOrEIPUh/j95N3rFTAdIAzFvDqLvLdQbmm/NT78O7izSGvJ1K
4rM2fSiecALSROZqOeJy3pf2v6Caqlp2gdDHUQIDAQABAoIBAEeOBrnhq7bS3KOd
wC3hhCQ442ubhOFoQ8GDK8clwJjKbvYaV3W69cQzkcEWzjl46YlLipzzyla61LPC
ypq7Tob5B9lzwowmUWT/csr8o8oD42vaUMtJPQJMX4OkfTdsfpyV5AfokTuMVdr6
qaZhFEEoLbEKud4sObzk023PUnbMTMyz2weQsmVLT9gm64K9GHzauoEDWGpr3Boz
+mEKo9rhySeK73qXqJFFATl0IB50GpdKondere/XofLQ2kqUB2fFEWIeRXawFd4u
6yE5nxjhIvn9pqMhW48vPAYtwTUhY8OxpCwk9U+awBYMvkCnFlrO4TwCNFqE8j3/
r6YN5VECgYEA2c0GqQVfwbcgB+8pLmd8H7dq+HqHToTA00pgNAsl/LRFUhkIVyY1
YUJkr7nJ3ogzqyjNBz0K4JeaMbMxJRwbxu4SUBgmvc+3h0oa9ibTKtBH4KWAqwCC
3TLQFoMXJCf+YJOL8ZNeqQz4rEpCVvJj86p9F4iTRhl5bd7mYqiEjusCgYEA2S1U
19iAIEiSETtUWEzj/iAKOUZJKl4Kz6PVfUMT1lqodOHsNHexzcQs+W/LW/Z9Jr7u
JtdC0ZZl2UCQ8PBTirsA/gimisnmVhx3mvKXOOO/Cf8RpN1/faTnQJj/Tu+h3aV7
n53Av2wSQPoWnnNB9W515gTYqwiV//CX44lGS7MCgYEAmjSoj4kniB8hBZ0WOi24
2zfg+/a80CH76F1TieWOysHUBtGEbze1OZxpb2WKgQ1MD9Y+e+6DQgr0eFXX6N9i
51DuFFlVLLThy17zge5xOnHnQi3L0Mb24Kg2XooIG2hZmYU94xelQOnXMx0MpUTO
8dl24e+n3kzxBZJ46cdIu2sCgYBzz5yizazlik16Ku07eSVLasKI8FYr5aJWP8Ok
3JRDhmy2h5NyFzIVzDs/eMI09Cig9MgCpl/XbCA7zhZ8pWunWzmYPfyxniDaYqvV
UPAbQjepmP9Lr2JBGiLHa88ZxOfITmqyH2mdqn/BbpuJO2U8//6W/pab/iQfK6mT
iKyXyQKBgGb49CT+zi1VCa4jh0EH78odTwRb/PleAw25CLVSj35MqQCEA2/jU92g
P8iTDU5mDNEaQMvMYN1fKiAPm6hiKp9/5Q02zQWNVzOywgc0L41Yb9K/SqxGwITa
dFwwxhKgBqzgCeIpvKLCGrhMztzPjUL9o4MSdNa92vajcilr8ld6
-----END RSA PRIVATE KEY-----`

var pubkey = `-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAuMVb3lrWKlmGIzTaJqtVJi2rPIy7/BkRKlAZ7Q1u0VlyOhzIcXq6
zAGsh31uWeJBJFKrZdwA6b2LD5vscnuilHi0nfQZA5l+meQT9LJ7STnfJ7f81Cni
BIhj5g6dOva9o/ljrLCmRSE4MjJRl3LkydvrHNokzicOAvieq4BYgHVJ2DC7r7cS
WrHeIiBIEBb1zAghc1OxtkFkxumva2gmywq0zB0VfzsYrtSpWT77qSNA+UEHH+UC
ahefkun1uaBcOrEIPUh/j95N3rFTAdIAzFvDqLvLdQbmm/NT78O7izSGvJ1K4rM2
fSiecALSROZqOeJy3pf2v6Caqlp2gdDHUQIDAQAB
-----END RSA PUBLIC KEY-----
`

func main() {
    _, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(key))
    if err != nil {
        log.Println("errorPrivate:", err)
    }
    _, err = jwt.ParseRSAPublicKeyFromPEM([]byte(pubkey))
    if err != nil {
        log.Println("errorPublic:", err)
    }

    fmt.Println("Done")
}

我做错了什么?

jwt.ParseRSAPublicKeyFromPEM() internally calls the x509.ParsePKIXPublicKey() 导入 X.509/SPKI 格式的 PEM 编码密钥的方法。

X.509/SPKI 格式的 PEM 编码密钥可以使用选项 -e -m pkcs8 从具有 ssh-keygen 的私钥中导出。目前,选项-e -m pem被应用,生成PKCS#1格式的public密钥,jwt.ParseRSAPublicKeyFromPEM()无法处理。

如果使用 X.509/SPKI 格式的 PEM 编码密钥,public 密钥导入有效:

package main

import (
    "fmt"
    "log"
    "github.com/dgrijalva/jwt-go"
)

var key = `-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAo+fW9kv2Y5Fjky8TQLK3rYtjqCKIEf0Yjm1lXTnkpWVBjO7x
EzB7HYBkHnIA19HEdzjeKLlLcJevOU6G3p+t8/5vVhciPnhKpwU6ZzrR0P3Q2toC
+KgtrnPHXpm8Py/HVwBxHWZ352NNa5J3dHv6a7B1k7IMAaBT053P99l1NQrBCVJf
kXckQAUOnsYk/PKFFufNhlu3nAd+eUl0Iv1IAWsUb5lHKkIOOWxnlreFN5gdCgL6
YxLwXRBV010zu/Y9zF8zdhSZXWoIvD/JpOvkKh9ym1VE0YzYkSW+m0XnTa4VMdZf
mWcQNKhYZdNg0TqwRco893fVeo756JzOHQ0KcQIDAQABAoIBADnxO4zWTcPlIc5m
VegJReWT4ScPDgtN7eBry+mpDatqoEGyNocSHHPRb5NTufiRr2J2OBMtbf3foZIg
sI0C5fvbdoB4rSJoY/unXX4gzQuUrsCvUV2WFpAVXeWTc3ji6xVWkqZSExE5iaT9
oj0Llvt65hXQW243v2qP33U+6rBVC/2NozGzlq9uHvNJURF0/ZztIo47K6q+giZC
ONvycXVGT8h5PIzfQsnnrsaLYCNe+yJ1x9zPT32xStI8+rF/PFBO1T8umna6+kY2
pY5XQfiYH7gfUIqfjA48Ovnxdmyk9ib6DzcgB+vlY+4cgCGX27sbG99pxGKu8nGg
iJjBGAECgYEA1C4N+RweFi2vzCBLnrSCZ2U6XjFJyg9ugL+X01DM4r3ORVlFV5WZ
2ebKS0Efwh3Jg6fuvf/2/6sFPzH4x8GIKb8Wldsh9mAGUQzOJ+lURqaEnbw+5xSs
y77ORNUes/mdr5YmKpyFsKZXNDKasIeQ7/usp5BwcuOtk5F7+56u+80CgYEAxcGG
g3XNpbqW3mmGf59au+eofYbzliWXFKf3S6A1Mp2EAG02Lb7H2sNQKI2GXMABLeAf
ylNLigKnSBgc2n4Ice91ddkjJhz5zk1P6Rpjz4yChMfC0qqqDbrpwrjuzHRKtWNJ
xh+3qPiZzmpgfK87ddNo/4pTXYBj/rtWocWvjTUCgYBie7nqnV1tp+kIExlmYZyB
h1/PJot8aSs+QS+kWsWunLDoSWZBH+QYWuIcie7Gt/K31DOhJvSreOLnkTdK6I5d
6h7+kYazB6EG762kos2GOXYmjKCZu2P08exl0JH+sWa6gDPY5Wu8MYkaZj6cn1/r
s+JQqF85RGplq0pj4SSRJQKBgQCpFX4QutHZqP9ELc/tIPBwh3Nd2Nw+/eb+p1rf
U50IqPtrbfWMCXpSBvtroQ5IEXcwpVgpIy0MVJZ5IvzQqEBKQqcY206dUNsaVKpF
seWzWP1j0HU4sOlzkeQ7NOog8DHMg5dZilb7Z4wCnJvhH+bkKJ23GKuM37Ef5Uf+
S8t9HQKBgD3bw7YZpnpP05fMPVcpLLOdxOmd8h6kEKqzOu33PHreMl9GCK7J8eOF
oWqAK1ub7vYkke6teZlPjYyrqutTVCGBZXn2ctuDc/o4t17Qk8hXbQBn6W0+XggB
sV0tGy1CL+hkyk3EuUUDPapwXmSoA5P5eJqN16XiqSQCv7Cis0zr
-----END RSA PRIVATE KEY-----`

var pubkey = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo+fW9kv2Y5Fjky8TQLK3
rYtjqCKIEf0Yjm1lXTnkpWVBjO7xEzB7HYBkHnIA19HEdzjeKLlLcJevOU6G3p+t
8/5vVhciPnhKpwU6ZzrR0P3Q2toC+KgtrnPHXpm8Py/HVwBxHWZ352NNa5J3dHv6
a7B1k7IMAaBT053P99l1NQrBCVJfkXckQAUOnsYk/PKFFufNhlu3nAd+eUl0Iv1I
AWsUb5lHKkIOOWxnlreFN5gdCgL6YxLwXRBV010zu/Y9zF8zdhSZXWoIvD/JpOvk
Kh9ym1VE0YzYkSW+m0XnTa4VMdZfmWcQNKhYZdNg0TqwRco893fVeo756JzOHQ0K
cQIDAQAB
-----END PUBLIC KEY-----`

func main() {
    _, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(key))
    if err != nil {
        log.Println("errorPrivate:", err)
    }
    _, err = jwt.ParseRSAPublicKeyFromPEM([]byte(pubkey))
    if err != nil {
        log.Println("errorPublic:", err)
    }

    fmt.Println("Done")
}

请注意 dgrijalva/jwt-go does not seem to be maintained, s. #457,还有许多未解决的问题。