OAuth 2.0 with JSON Web Tokens (Server Authentication) || Issue

While creating the application, we clicked “Generate Public/Private Keypair” and got the JSON file.
From the JSON file, we copied the content of “privateKey”, created a new file (Config.PEM) and updated the “privateKey” values.

Then we ran the code below and got an error.

from boxsdk import JWTAuth
from boxsdk import Client

# Credentials below are redacted placeholders.
auth = JWTAuth(
    client_id='xxxxxx',
    client_secret='xxxxxxxx',
    enterprise_id='0',
    jwt_key_id='xxxxxx',
    # Raw string so the backslashes in the Windows path are not read as escapes.
    rsa_private_key_file_sys_path=r'C:\Box\config.PEM',
    rsa_private_key_passphrase='xxxxxxxxxxx',
)

access_token = auth.authenticate_instance()
client = Client(auth)

Issue : Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type

C:\Program Files (x86)\Python\Python310>python.exe "C:\Users\arulap\OneDrive - Symphony Summit\Working\Official\Dev\Box\summitorchestration@gmail.com\JWTAuth_Test.py"
Traceback (most recent call last):
  File "C:\Users\arulap\OneDrive - Symphony Summit\Working\Official\Dev\Box\summitorchestration@gmail.com\JWTAuth_Test.py", line 5, in <module>
    auth = JWTAuth(
  File "C:\Users\arulap\AppData\Roaming\Python\Python310\site-packages\boxsdk\auth\jwt_auth.py", line 108, in __init__
    rsa_private_key = self._normalize_rsa_private_key(
  File "C:\Users\arulap\AppData\Roaming\Python\Python310\site-packages\boxsdk\auth\jwt_auth.py", line 207, in _normalize_rsa_private_key
    return serialization.load_pem_private_key(
  File "C:\Users\arulap\AppData\Roaming\Python\Python310\site-packages\cryptography\hazmat\primitives\serialization\base.py", line 22, in load_pem_private_key
    return ossl.load_pem_private_key(data, password)
  File "C:\Users\arulap\AppData\Roaming\Python\Python310\site-packages\cryptography\hazmat\backends\openssl\backend.py", line 921, in load_pem_private_key
    return self._load_key(
  File "C:\Users\arulap\AppData\Roaming\Python\Python310\site-packages\cryptography\hazmat\backends\openssl\backend.py", line 1189, in _load_key
    self._handle_key_loading_error()
  File "C:\Users\arulap\AppData\Roaming\Python\Python310\site-packages\cryptography\hazmat\backends\openssl\backend.py", line 1248, in _handle_key_loading_error
    raise ValueError(
ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [_OpenSSLErrorWithText(code=503841036, lib=60, reason=524556, reason_text=b'error:1E08010C:DECODER routines::unsupported')])

C:\Program Files (x86)\Python\Python310>

Hi @SummitAI ! Welcome to the forum !

The error mentioned in the logs :

Issue : Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type

seems to indicate your code can’t read the content of your config.PEM file

Can you please check the content of your config.PEM file ?

Is it a JSON file or a Certificate ?

The fact you called it “config.PEM” is confusing because the name seems to indicate it’s a configuration file, but the PEM extension belongs to a certificate file.

If this file is a config file, then it should have a JSON extension, and its content should look like this:

{
  "boxAppSettings": {
    "clientID": "abc...123",
    "clientSecret": "def...234",
    "appAuth": {
      "publicKeyID": "abcd1234",
      "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n....\n-----END ENCRYPTED PRIVATE KEY-----\n",
      "passphrase": "ghi...345"
    }
  },
  "enterpriseID": "1234567"
}

On the opposite, if it’s a Certificate, it should look like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----\n....\n-----END ENCRYPTED PRIVATE KEY-----\n

Hi @SummitAI , welcome to the forum.

This might be a private key formatting issue.

The configuration file you get from Box is in JSON format and the key has the new line escaped character \n. If you are reading the private key from a file rather than importing the config.json then the format might explain this behavior.

There is an easy test you can do with openssl to check if the private key can be decrypted.

For example:

openssl rsa -in your_encrypted_private-key-file.pem -out decrypted-private-key-file.pem  -passin pass:your-pass-phrase

If this returns an error, then either the passphrase is incorrect or the encrypted private key is incorrect, such as bad formatting.

If so, try replacing the \n with an actual end of line.

From something like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDdasfasdAECAggA\nMBQGCCqGSIbasdftybT6TO\nKzzasdfNZG\nlCE=\n-----END ENCRYPTED PRIVATE KEY-----\n

To something like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDklkajshdlkjashdlkjfhaslkdjhflaksjdhflkasjdhfalksjdhKAECAggA
MBaklsjdhflaksjdhflkasjdhflkasjdhflkajsdhflkasjdhflkajshdlfknP5F
...
9vquHYklajsdhflkajshdlkfjhasdlkjhfalksdjhflkasjdhflkasddqncm+DLB
G+YPqt7uklasdjhflkasjdhflkasjdhflkasjdhlksjfhlksdlaskN+XUorJ6NZG
lCE=
-----END ENCRYPTED PRIVATE KEY-----

Alternatively, the SDK provides a method to read from the configuration JSON file.

For example:

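from boxsdk import Client, JWTAuth

# settings is the poster's own module (not shown); settings.JWT_PATH holds
# the path to the configuration JSON file.
auth = JWTAuth.from_settings_file(
    settings.JWT_PATH,
)
client = Client(auth)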

Let us know if this helps

Cheers
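
Added example, not part of the original posts and not Box SDK code: a standard-library check for the failure discussed in this thread, where the "privateKey" value is pasted from the raw JSON into a .pem file with its \n escapes intact. The function names and the sample key are constructed for illustration; the key body is filler bytes, not a real key.

```python
import base64
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----\n?", re.DOTALL)

def diagnose_pem(text):
    """Return the reasons this text would fail to parse as a PEM key."""
    problems = []
    if "\\n" in text:
        problems.append("literal backslash-n sequences instead of line breaks")
    if text.strip()[:1] in ('"', "'"):
        problems.append("JSON string quotes left around the key")
    match = PEM_RE.fullmatch(text.strip() + "\n")
    if match is None:
        problems.append("BEGIN/END markers are not on their own lines")
        return problems
    try:
        base64.b64decode("".join(match.group(2).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("body between the markers is not valid base64")
    return problems

def normalize_pem(text):
    """Repair a key that was pasted from the raw JSON text into a file."""
    text = text.strip().strip("\"'")
    text = text.replace("\\r", "").replace("\\n", "\n")
    return text.strip() + "\n"

def pem_from_box_config(config_text):
    """Read the key through a JSON parser, which decodes the escapes itself."""
    return json.loads(config_text)["boxAppSettings"]["appAuth"]["privateKey"]

# Constructed sample data (filler bytes in the body, not key material).
_BODY = base64.b64encode(bytes(range(96))).decode()
GOOD_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
            + "\n".join(_BODY[i:i + 64] for i in range(0, len(_BODY), 64))
            + "\n-----END ENCRYPTED PRIVATE KEY-----\n")
PASTED = json.dumps(GOOD_PEM)  # the value exactly as it appears inside the JSON
CONFIG = json.dumps({"boxAppSettings": {"appAuth": {"privateKey": GOOD_PEM}}})

if __name__ == "__main__":
    print(diagnose_pem(PASTED))                 # problems in the pasted text
    print(diagnose_pem(normalize_pem(PASTED)))  # empty list after repair
```

An empty list only means the file is structurally valid PEM; a wrong passphrase still needs the openssl test from the reply above.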