JRobinss

Reputation: 201

validating a JWT generated by WSO2 APIM 1.9.0: what's the public key?

I'm trying to do something that seemed simple but ends up being difficult because I lack the expertise.

I have an APIM deployed with no customisation security-wise (don't worry, it's not production!). So it's only got carbon.jks.

I authenticate users in an application with SAML2 against an IDS, then use the APIM with an app secret for a user token generated from the SAML2 token. I get from the APIM an OAuth token which I use to call APIs in the APIM. (note that I managed to resolve this thanks to another post here some time ago :-) )

The backend that implements the APIs receives a JWT as a result, with header, user information and app information, and a signature. For my first tests I write my own "hello world" backend, that logs the JWT.

I use http://jwt.io, which manages to read my JWT without any problem. But it tells me the signature is invalid. To make the signature valid I would need a valid public key.

I don't know where to find that key.

I have run the command line described in RSA Public Key of WSO2carbon and generated a .cert file. I have examined the .cert file in portecle (http://portecle.sourceforge.net/) but found nothing of interest, however opening it in Windows gave me a field "public key", which looks like "30 81 89 02 81 81 00 94 a[...]", quite long and obviously hex.

I tried this, and also its base64-encoded representation, in http://jwt.io but no success.

Because I was wondering where my public key is, I have also read: How to validate a JWT from WSO2 API Manager (and the referenced link https://asankad.org/2013/12/05/obtaining-certificate-used-to-sign-a-jwt/ ). However, the code provided is a bit on its own, with not even a mention of language. I assume it's node.js, but no info about libs or anything.

Here are some more precise questions:

Thanks for any tips! (maybe all I need is the default public key, seeing as I'm using the default keystore!)

Upvotes: 4

Views: 627

Answers (1)

JRobinss

Reputation: 201

Answering myself in case anyone has the same issue.

Two things helped me out:

  • first, to validate in jwt.io, I needed to change the cert encoding by running the following command: openssl x509 -inform der -in somekey.cer -out somekey.pem
  • then I was using the super-tenant keystore instead of the tenancy keystore. I had looked into this but not found any tenancy keystore on the APIM VM. I had to:
    1. log in as tenant admin in APIM carbon portal
    2. navigate to configure / keystores
    3. there was a keystore for the tenancy (called sandbox1.jks), click on public key
    4. save the downloaded sandbox1.cert and convert it to pem using the above command

The resulting pem worked fine with jwt.io using RS256.

Hope this helps others!

Upvotes: 0
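The procedure from this answer (DER certificate to PEM, then the RS256 signature check that jwt.io performs), together with the original question's goal of validating the JWT in a backend, as an added shell example that is not part of the original question or answer and not WSO2's own code. It uses only openssl and coreutils. The file names sandbox1.cert, sandbox1.pem and sandbox1.pub are assumptions taken from the keystore name in the answer, and pinning the header's `alg` to RS256 before verifying is an extra check the page does not mention.

```shell
#!/bin/sh
# Added example, not code from the original post: verify a WSO2 APIM RS256 JWT
# locally with openssl instead of pasting it into jwt.io. The file names
# sandbox1.cert / sandbox1.pem / sandbox1.pub are assumptions based on the
# tenant keystore named in the answer; any DER certificate downloaded from the
# tenant keystore's "public key" link works the same way.
set -u

# base64url (as used in JWTs) -> standard base64 with padding restored -> bytes.
b64url_decode() {
  _s=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#_s} % 4 )) in
    2) _s="${_s}==" ;;
    3) _s="${_s}=" ;;
  esac
  printf '%s' "$_s" | base64 -d
}

# Step 1 from the answer: DER certificate -> PEM certificate.
cert_der_to_pem() {
  openssl x509 -inform der -in "$1" -out "$2"
}

# Pull the PEM public key out of the certificate; this is what jwt.io expects
# in its public-key box, and what openssl needs for -verify.
cert_to_pubkey() {
  openssl x509 -in "$1" -pubkey -noout > "$2"
}

# Decode the JWT header (part 1) or payload (part 2) without verifying it.
jwt_part() {
  case $2 in
    1) _p=${1%%.*} ;;
    2) _p=${1#*.}; _p=${_p%.*} ;;
    *) return 2 ;;
  esac
  b64url_decode "$_p"
}

# Verify "header.payload" against the signature with RS256
# (SHA-256 + RSASSA-PKCS1-v1_5). Returns 0 only if the signature is valid.
# The header's alg is pinned to RS256 first, so a token that claims another
# algorithm is rejected instead of being verified under it.
verify_jwt_rs256() {
  _jwt=$1; _pub=$2
  jwt_part "$_jwt" 1 | grep -Eq '"alg" *: *"RS256"' || return 1
  _signing_input=${_jwt%.*}   # everything before the last dot
  _sig=${_jwt##*.}            # everything after the last dot
  _sigfile=$(mktemp) || return 1
  if b64url_decode "$_sig" > "$_sigfile" 2>/dev/null \
     && printf '%s' "$_signing_input" \
        | openssl dgst -sha256 -verify "$_pub" -signature "$_sigfile" >/dev/null 2>&1
  then
    rm -f "$_sigfile"; return 0
  fi
  rm -f "$_sigfile"; return 1
}

# Typical use with the files from the answer (assumed names; $JWT holds the
# token the backend received):
#   cert_der_to_pem  sandbox1.cert sandbox1.pem
#   cert_to_pubkey   sandbox1.pem  sandbox1.pub
#   verify_jwt_rs256 "$JWT" sandbox1.pub && jwt_part "$JWT" 2
```

A valid signature only proves the token was issued under that tenant's key; the backend still has to check the claims it relies on (for example `exp`) after verification, and it must use the certificate from the tenant keystore the answer identifies, not the super-tenant carbon.jks, or verification fails exactly as the question describes.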
