Vault Transit : verify JWT signature with public key

Hi,

Is it possible to use Transit to verify a JWT signature generated with ECDSA P-256 with its public key?

JWT is created outside of Vault, and Vault should not be able to access its private key.

What do you mean by “verify”? Do you want to authenticate to Vault using that JWT or what exactly?

The Transit secret engine has a completely different purpose.

I mean verify signed data.

I am trying to assess if Vault is capable of answering my use case. I have devices with an embedded private key, generating a JWT token to authenticate to my backend. The private key cannot/must not be extracted from the device. The public key is available on my backend.
I would like to check the JWT signature with the provided public key.

I do not think this is possible.

The biggest reason is that none of the Transit secrets engine documentation makes any mention of importing a public key without the private key.

Even if this issue was circumvented, there remains the issue that the Transit verify API expects signature input in a Vault-specific format that starts with vault:v1:.

There is just the barest possible pathway where, if you somehow figured out how to import only a public key, and figured out how to reformat the payload and signature of a JWT into the forms that Vault expected, you might be able to have Vault perform this operation.

However, the complexity of doing so would far exceed just finding a JWT processing library for your language of choice and verifying the signature without involving Vault.


@maxb thank you for your answer.

This is what I was afraid of when reading the documentation.
I am not even sure going around it would work, since Transit might also be computing the signature from the private and public keys to compare it.

As you mentioned, public keys are not really sensitive, so a database with a JWT processing library will be a good choice.