I want to sign my toklens using RSA256. For that I've generated public and private PEM keys, where private key create with x509.MarshalPKCS1PrivateKey and public key with x509.MarshalPKCS1PublicKey.

And when I'm using jwt.ParseRSAPublicKeyFromPEM, I've go an error x509: malformed tbs certificate. I thought that I did something wrong while generating keys, but I didn't. The answer was inside the jwt.ParseRSAPublicKeyFromPEM, it's using x509.ParsePKIXPublicKey istead of x509.ParsePKCS1PublicKey. So I should change the algorythm to generate public key with x509.MarshalPKIXPublicKey.

But it's not obvious! Can someone explain to me why is it done in such way(using x509.ParsePKIXPublicKey), but not using x509.ParsePKCS1PublicKey if name of the function(ParseRSAPublicKeyFromPEM) is telling me to use RSA PUBLIC KEY which will be the pair to my private key?

Hi!

The problem was that these functions were never really meant to be part of the public API and they are a little bit of a mess. I know that there is an outstanding issue on these functions, I did not have the time and muse to look into them honestly.

There is a (stale) PR that tries to correct this here: #120. It is slightly out of sync with the main branch. I can try to see whether it makes sense to pick it up again and try to understand the error better.