SonicOS Public Key Authentication

Is the current documentation for Public Key Authentication correct? The provided curl bash example is not working for me. Testing against a TZ470 running SonicOS 7.0.1-5119-R4713. I have the SonicOS API enabled, Public Key authentication enabled, PKCS#1 v2.0 OAEP selected with SHA256 for both the hash and mask method. I also tried to create a client in Ruby with the same results. I've successfully connected with Digest Auth and Basic Auth, but I'd prefer to use a Public Key if possible.

I've tried manually in a command window with:

curl -k -i -s -X POST https://$ADDR/api/sonicos/auth | grep 'WWW-Authenticate: SNWL-PK-AUTH' | sed -e 's/^.*key="/-----BEGIN PUBLIC KEY-----\n/' -e 's/"/\n-----END PUBLIC KEY-----/' >pk.pem
CIPHER=$(echo -n $PASSWORD | openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -pubin -inkey pk.pem | base64 -w 0)
curl -k -i -s -H "Authorization: SNWL-PK-AUTH user='$USER', data='$CIPHER'" -X POST https://$ADDR/api/sonicos/auth

But no matter what I try I am getting the following:

HTTP/1.0 400 Bad Request
Server: SonicWALL
Expires: -1
Cache-Control: no-cache
Content-type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff

{
  "status": {
    "success": false,
    "info": [
      { "level": "error", "code": "E_INVALID_API_CALL", "message": "Unauthorized." }
    ]
  }
}
    Jaime (SonicWall Employee)


    I may have a solution for you. Try this: 'Authorization: SNWL-PK-AUTH user="'$USER'", data="'$CIPHER'"' instead.

    Line from your post:

    curl -k -i -s -H "Authorization: SNWL-PK-AUTH user="'$USER'", data='$CIPHER'" -X POST https://$ADDR/api/sonicos/auth

    I modified the line to this:

    curl -k -i -s -H 'Authorization: SNWL-PK-AUTH user="'$USER'", data="'$CIPHER'"' -X POST https://$ADDR/api/sonicos/auth

    Hope this helps!

    Jaime (SonicWall Employee)

    I uploaded a couple of example scripts (Bash and Python) here:

    sovap (Newbie)

    Thank you! Changing the quotes made the bash work, though I swear I had tried that way before as that is how it is in the docs that I originally copied and pasted. I can't explain it, but my ruby code is now also working without change. I have rebooted the device since I last tried so maybe it was bugged out. Or maybe in testing I wasn't actually grabbing a new public key before each auth attempt. I'm not sure, but it is working now.
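The full SNWL-PK-AUTH flow from the exchange above, as an added shell example that is neither the thread's commands nor SonicWall's example scripts: it builds the PEM from the WWW-Authenticate line, encrypts with OAEP/SHA-256 via openssl, and emits the header in the double-quoted form Jaime gave. It only needs openssl and never contacts a firewall; the password, the user name `admin` and the exact `key="..."` header layout are assumptions used for the offline round trip.

```shell
# Helpers for the SNWL-PK-AUTH flow from the thread: pull the firewall's public
# key out of the WWW-Authenticate header, RSA-OAEP(SHA-256) encrypt the
# password with openssl, and emit the Authorization header with the
# double-quoted user/data values that fixed the 400. Only openssl is needed.

# stdin: the WWW-Authenticate line; stdout: the key as PEM (the key="..." value
# is base64 SubjectPublicKeyInfo, so PEM markers plus 64-column wrapping suffice).
snwl_pubkey_pem() {
    b64=$(sed -n 's/.*key="\([^"]*\)".*/\1/p')
    printf '%s\n' '-----BEGIN PUBLIC KEY-----'
    printf '%s' "$b64" | fold -w 64
    printf '\n%s\n' '-----END PUBLIC KEY-----'
}

# $1: PEM file, $2: password. OAEP with SHA-256 hash and MGF1-SHA-256 matches the
# "PKCS#1 v2.0 OAEP / SHA256" firewall setting; output is single-line base64.
snwl_encrypt_password() {
    printf '%s' "$2" | openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -pkeyopt rsa_mgf1_md:sha256 | openssl base64 -A
}

# $1: user, $2: base64 ciphertext. Values are double-quoted; single quotes here
# were what produced "E_INVALID_API_CALL / Unauthorized." in the thread.
snwl_auth_header() {
    printf 'Authorization: SNWL-PK-AUTH user="%s", data="%s"' "$1" "$2"
}

# Offline round trip: a throwaway RSA key pair stands in for the firewall's key,
# and a constructed WWW-Authenticate line stands in for the real response.
# Prints the header only if the ciphertext decrypts back to the password.
snwl_selfcheck() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/priv.pem" 2>/dev/null
    pub_b64=$(openssl pkey -in "$dir/priv.pem" -pubout | grep -v 'PUBLIC KEY' | tr -d '\n')
    printf 'WWW-Authenticate: SNWL-PK-AUTH key="%s"\n' "$pub_b64" \
        | snwl_pubkey_pem > "$dir/pk.pem"
    cipher=$(snwl_encrypt_password "$dir/pk.pem" 'correct horse battery staple')
    plain=$(printf '%s' "$cipher" | openssl base64 -d -A \
        | openssl pkeyutl -decrypt -inkey "$dir/priv.pem" \
            -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
            -pkeyopt rsa_mgf1_md:sha256)
    rm -rf "$dir"
    [ "$plain" = 'correct horse battery staple' ] && snwl_auth_header admin "$cipher"
}
```

Against a real unit, fetch a fresh WWW-Authenticate line for every attempt and pass the printed value to `curl -H`, since the key may change between sessions.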

