Comments (8)
Hello,
I can't reproduce your issue as-is, my output is:
PRIV : {"keys":[{"kty":"EC","x":"AYHOB2c_v3wWwu5ZhMMNADtzSvcFWTw2dFRJ7GlBSxGKU82_dJyE7SVHD1G7zrHWSGdUPH526rgGIMVy-VIBzKMs","y":"ib476MkyyYgPk0BXZq3mq4zImTRNuaU9slj9TVJ3ScT3L1bXwVuPJDzpr5GOFpaj-WwMAl8G7CqwoJOsW7Kddns","d":"AYsgGu2kRxQwodqoGvbE1BiDROYxwBZ5jPMVnk_7p4uSOLTaoVeV8dKQ65glfZm66BbXxGtF1XyrjAMcX2eizP8i","crv":"P-521","kid":"CatmrLCuBa_kI3VMfembQnugtVauN35XuHIRRGZuXzY"}]}
PUB : {"keys":[{"kty":"EC","x":"AYHOB2c_v3wWwu5ZhMMNADtzSvcFWTw2dFRJ7GlBSxGKU82_dJyE7SVHD1G7zrHWSGdUPH526rgGIMVy-VIBzKMs","y":"ib476MkyyYgPk0BXZq3mq4zImTRNuaU9slj9TVJ3ScT3L1bXwVuPJDzpr5GOFpaj-WwMAl8G7CqwoJOsW7Kddns","crv":"P-521","kid":"CatmrLCuBa_kI3VMfembQnugtVauN35XuHIRRGZuXzY"}]}
CLAIM = {"expirationDate":1234567890,"msgChkA":12,"msgChkB":34,"tokenType":"S"}
Although, if you add a private key to a JWT private keyset, its intention is to generate a new signed token. If you just want to verify a signature, you can only add the public key into the jwt's keyset, or even better, specify the public key when calling r_jwt_verify_signature.
from rhonabwy.
Hi @babelouest ,
First of all, thank you for your quick response. I have changed my code this way :
"eyJleHBpcmF0aW9uRGF0ZSI6MTIzNDU2Nzg5MCwibXNnQ2hrQSI6MTIsIm1zZ0Noa0IiOjM0LCJ0b2tlblR5cGUiOiJTIn0." // payload
"AOyZC-Jf2rt6BpSjzNHk0hyLBS96DpBWDol58gORVjTMpJNoU_ICE6ePLCBq24kW4CgN_XDV3cjtSl8CjG4HZ3zAAAAOForo1kNG5PjBzItBsf9AS5fq_E8DBi99o8xZvZBTqTunYLNXE048WG5r88AfnNLCnYCioiSIg47774r760Eu"; // signature
const unsigned char pubKey[] = "-----BEGIN PUBLIC KEY-----\n"
"MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBgc4HZz+/fBbC7lmEww0AO3NK9wVZ\n"
"PDZ0VEnsaUFLEYpTzb90nITtJUcPUbvOsdZIZ1Q8fnbquAYgxXL5UgHMoywAib47\n"
"6MkyyYgPk0BXZq3mq4zImTRNuaU9slj9TVJ3ScT3L1bXwVuPJDzpr5GOFpaj+WwM\n"
"Al8G7CqwoJOsW7Kddns=\n"
"-----END PUBLIC KEY-----\n";
const unsigned char privKey[] = "-----BEGIN PRIVATE KEY-----\n"
"MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIBiyAa7aRHFDCh2qga\n"
"9sTUGINE5jHAFnmM8xWeT/uni5I4tNqhV5Xx0pDrmCV9mbroFtfEa0XVfKuMAxxf\n"
"Z6LM/yKhgYkDgYYABAGBzgdnP798FsLuWYTDDQA7c0r3BVk8NnRUSexpQUsRilPN\n"
"v3SchO0lRw9Ru86x1khnVDx+duq4BiDFcvlSAcyjLACJvjvoyTLJiA+TQFdmrear\n"
"jMiZNE25pT2yWP1NUndJxPcvVtfBW48kPOmvkY4WlqP5bAwCXwbsKrCgk6xbsp12\n"
"ew==\n"
"-----END PRIVATE KEY-----\n";
r_global_init();
/* jwt_t * jwt;
r_jwt_init(&jwt); */
int iterations = 5000;
double sum = 0;
clock_t start, stop;
jwt_t * jwt;
jwk_t * jwk;
r_jwt_init(&jwt);
r_jwk_init(&jwk);
printf("=================== IS VERIFY WORKING ? ===================\n");
printf("ADD PEM : %d\n", r_jwt_add_sign_keys_pem_der(jwt, R_FORMAT_PEM, privKey, sizeof(privKey), pubKey, sizeof(pubKey)));
r_jwt_set_sign_alg(jwt, R_JWA_ALG_ES512);
//r_jwt_set_sign_alg(jwt, R_JWA_ALG_ES256);
printf("PRIV : %s\n", r_jwks_export_to_json_str(jwt->jwks_privkey_sign, 0));
printf("PUB : %s\n", r_jwks_export_to_json_str(jwt->jwks_pubkey_sign, 0));
printf("JWK ? %d\n", r_jwk_append_x5c(jwk, R_FORMAT_PEM, pubKey, sizeof(pubKey)));
r_jwt_parse(jwt, token, 0);
r_jwt_verify_signature(jwt, jwk, 0);
and the output :
ADD PEM : 1
PRIV : {"keys":[{"kty":"EC","x":"AYHOB2c_v3wWwu5ZhMMNADtzSvcFWTw2dFRJ7GlBSxGKU82_dJyE7SVHD1G7zrHWSGdUPH526rgGIMVy-VIBzKMs","y":"ib476MkyyYgPk0BXZq3mq4zImTRNuaU9slj9TVJ3ScT3L1bXwVuPJDzpr5GOFpaj-WwMAl8G7CqwoJOsW7Kddns","d":"AYsgGu2kRxQwodqoGvbE1BiDROYxwBZ5jPMVnk_7p4uSOLTaoVeV8dKQ65glfZm66BbXxGtF1XyrjAMcX2eizP8i","crv":"P-521","kid":"CatmrLCuBa_kI3VMfembQnugtVauN35XuHIRRGZuXzY"}]}
PUB : {"keys":[]}
JWK ? 3
CLAIM = {"expirationDate":1234567890,"msgChkA":12,"msgChkB":34,"tokenType":"S"}
So I have apparently an error 3 (so RHN_ERROR_PARAM) but I don't really see why.
EDIT :
I added the log display (thanks yder) and I have this:
2023-03-28T12:29:11Z - Yder Tests ERROR: r_jwk_import_from_gnutls_pubkey ecdsa - Error curve
2023-03-28T12:29:11Z - Yder Tests ERROR: r_jwt_add_sign_keys_pem_der - Error parsing pubkey
ADD PEM : 1
PRIV : {"keys":[{"kty":"EC","x":"EVs_o5-uQbTjL3chynL4wXgUg2R9q9UU8I5mEovUf84","y":"kGe5DgSIycKp8w9aJmoHhB1sB3QTugfnRWm5nU_TzsY","d":"evZzL1gdAFr88hb2OF_2NxApJCzGCEDdfSp6VQO30hw","crv":"P-256","kid":"pA8PLil03HaoLfb_4I7Q15lVx5560MINl66Pkkat4cE"}]}
PUB : {"keys":[]}
2023-03-28T12:29:11Z - Yder Tests ERROR: r_jwk_append_x5c - Error gnutls_x509_crt_import: Base64 unexpected header error.
JWK ? 3
2023-03-28T12:29:11Z - Yder Tests ERROR: r_jwk_is_valid - Missing kty
2023-03-28T12:29:11Z - Yder Tests ERROR: r_jwk_is_valid - Invalid kty
CLAIM = {"expirationDate":1234567890,"msgChkA":789456123,"msgChkB":147852369,"tokenType":"S"}
from rhonabwy.
You're using r_jwk_append_x5c to import a public key, this function expects a x5 certificate, that's why I also have the RHN_ERROR_PARAM.
Nevertheless, you should test all return values to make sure RHN_OK is always returned, otherwise you should stop the process.
You also shouldn't call r_jwt_set_sign_alg, the alg is set during the token parse. But you can verify that the alg set is the expected one: if (r_jwt_get_sign_alg(jwt) == R_JWA_ALG_ES512).
Are you using the last rhonabwy release? If not, you also should, that would explain our differences.
I refactored your code to make it more readable and so it won't continue after an error. Note that calling r_jwt_add_sign_keys_pem_der and r_jwt_set_sign_alg are useless and could lead to error in this case, so you should skip them.
#include <stdio.h>
#include <yder.h>
#include <rhonabwy.h>

int main(void) {
  const char token[] = "eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9." // header
  "eyJleHBpcmF0aW9uRGF0ZSI6MTIzNDU2Nzg5MCwibXNnQ2hrQSI6MTIsIm1zZ0Noa0IiOjM0LCJ0b2tlblR5cGUiOiJTIn0." // payload
  "AOyZC-Jf2rt6BpSjzNHk0hyLBS96DpBWDol58gORVjTMpJNoU_ICE6ePLCBq24kW4CgN_XDV3cjtSl8CjG4HZ3zAAAAOForo1kNG5PjBzItBsf9AS5fq_E8DBi99o8xZvZBTqTunYLNXE048WG5r88AfnNLCnYCioiSIg47774r760Eu"; // signature
  const unsigned char pubKey[] = "-----BEGIN PUBLIC KEY-----\n"
  "MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBgc4HZz+/fBbC7lmEww0AO3NK9wVZ\n"
  "PDZ0VEnsaUFLEYpTzb90nITtJUcPUbvOsdZIZ1Q8fnbquAYgxXL5UgHMoywAib47\n"
  "6MkyyYgPk0BXZq3mq4zImTRNuaU9slj9TVJ3ScT3L1bXwVuPJDzpr5GOFpaj+WwM\n"
  "Al8G7CqwoJOsW7Kddns=\n"
  "-----END PUBLIC KEY-----\n";
  const unsigned char privKey[] = "-----BEGIN PRIVATE KEY-----\n"
  "MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIBiyAa7aRHFDCh2qga\n"
  "9sTUGINE5jHAFnmM8xWeT/uni5I4tNqhV5Xx0pDrmCV9mbroFtfEa0XVfKuMAxxf\n"
  "Z6LM/yKhgYkDgYYABAGBzgdnP798FsLuWYTDDQA7c0r3BVk8NnRUSexpQUsRilPN\n"
  "v3SchO0lRw9Ru86x1khnVDx+duq4BiDFcvlSAcyjLACJvjvoyTLJiA+TQFdmrear\n"
  "jMiZNE25pT2yWP1NUndJxPcvVtfBW48kPOmvkY4WlqP5bAwCXwbsKrCgk6xbsp12\n"
  "ew==\n"
  "-----END PRIVATE KEY-----\n";
  jwt_t * jwt = NULL;
  jwk_t * jwk = NULL;
  char * str;
  int ret;

  r_global_init();
  y_init_logs("issue 26", Y_LOG_MODE_CONSOLE, Y_LOG_LEVEL_DEBUG, NULL, "Starting issue 26 tester");

  /* Every call is checked; the first failure leaves the block */
  do {
    if ((ret = r_jwt_init(&jwt)) != RHN_OK) {
      printf("r_jwt_init error: %d\n", ret);
      break;
    }
    if ((ret = r_jwk_init(&jwk)) != RHN_OK) {
      printf("r_jwk_init error: %d\n", ret);
      break;
    }
    /* The next two calls are not needed to verify a signature */
    if ((ret = r_jwt_add_sign_keys_pem_der(jwt, R_FORMAT_PEM, privKey, sizeof(privKey), pubKey, sizeof(pubKey))) != RHN_OK) {
      printf("r_jwt_add_sign_keys_pem_der error: %d\n", ret);
      break;
    }
    if ((ret = r_jwt_set_sign_alg(jwt, R_JWA_ALG_ES512)) != RHN_OK) {
      printf("r_jwt_set_sign_alg error: %d\n", ret);
      break;
    }
    /* The exported JSON strings are allocated and must be freed */
    str = r_jwks_export_to_json_str(jwt->jwks_privkey_sign, 0);
    printf("PRIV : %s\n", str);
    r_free(str);
    str = r_jwks_export_to_json_str(jwt->jwks_pubkey_sign, 0);
    printf("PUB : %s\n", str);
    r_free(str);
    /* Import the PEM public key into the jwk used for verification */
    if ((ret = r_jwk_import_from_pem_der(jwk, R_X509_TYPE_PUBKEY, R_FORMAT_PEM, pubKey, sizeof(pubKey))) != RHN_OK) {
      printf("r_jwk_import_from_pem_der error: %d\n", ret);
      break;
    }
    if ((ret = r_jwt_parse(jwt, token, 0)) != RHN_OK) {
      printf("r_jwt_parse error: %d\n", ret);
      break;
    }
    if ((ret = r_jwt_verify_signature(jwt, jwk, 0)) != RHN_OK) {
      printf("r_jwt_verify_signature error: %d\n", ret);
      break;
    } else {
      printf("r_jwt_verify_signature ok\n");
    }
  } while (0);

  r_jwk_free(jwk);
  r_jwt_free(jwt);
  y_close_logs();
  return 0;
}
You can compile it with the following command: gcc -o test test.c -lrhonabwy -lyder
With this code, I have the following output:
2021-07-09T02:11:00Z - issue 26 INFO: Starting issue 26 tester
PRIV : {"keys":[{"kty":"EC","x":"AYHOB2c_v3wWwu5ZhMMNADtzSvcFWTw2dFRJ7GlBSxGKU82_dJyE7SVHD1G7zrHWSGdUPH526rgGIMVy-VIBzKMs","y":"ib476MkyyYgPk0BXZq3mq4zImTRNuaU9slj9TVJ3ScT3L1bXwVuPJDzpr5GOFpaj-WwMAl8G7CqwoJOsW7Kddns","d":"AYsgGu2kRxQwodqoGvbE1BiDROYxwBZ5jPMVnk_7p4uSOLTaoVeV8dKQ65glfZm66BbXxGtF1XyrjAMcX2eizP8i","crv":"P-521","kid":"CatmrLCuBa_kI3VMfembQnugtVauN35XuHIRRGZuXzY"}]}
PUB : {"keys":[{"kty":"EC","x":"AYHOB2c_v3wWwu5ZhMMNADtzSvcFWTw2dFRJ7GlBSxGKU82_dJyE7SVHD1G7zrHWSGdUPH526rgGIMVy-VIBzKMs","y":"ib476MkyyYgPk0BXZq3mq4zImTRNuaU9slj9TVJ3ScT3L1bXwVuPJDzpr5GOFpaj-WwMAl8G7CqwoJOsW7Kddns","crv":"P-521","kid":"CatmrLCuBa_kI3VMfembQnugtVauN35XuHIRRGZuXzY"}]}
r_jwt_verify_signature ok
from rhonabwy.
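The check described in the comment above (confirm that the alg read from the token is the expected one), as an added example that is not part of the thread and does not use rhonabwy. It goes one step further and also checks that the key's curve is the one the ECDSA alg requires; the function names are hypothetical, and the sample token reuses the thread's header segment with a constructed payload and signature.

```c
#include <stdio.h>
#include <string.h>

/* Decode unpadded base64url; returns the byte count, or -1 on bad input. */
static int b64url_decode(const char *in, int len, char *out, int cap) {
  unsigned int acc = 0;
  int bits = 0, n = 0;
  for (int i = 0; i < len; i++) {
    int c = (unsigned char)in[i], v;
    if (c >= 'A' && c <= 'Z') v = c - 'A';
    else if (c >= 'a' && c <= 'z') v = c - 'a' + 26;
    else if (c >= '0' && c <= '9') v = c - '0' + 52;
    else if (c == '-' || c == '_') v = (c == '-') ? 62 : 63;
    else return -1;
    acc = (acc << 6) | (unsigned int)v;
    if ((bits += 6) >= 8) {
      if (n >= cap) return -1;
      out[n++] = (char)((acc >> (bits -= 8)) & 0xFF);
    }
  }
  return n;
}

/* Curve that each ECDSA JWS algorithm requires (RFC 7518, section 3.4). */
static const char *curve_for_alg(const char *alg) {
  if (strcmp(alg, "ES256") == 0) return "P-256";
  if (strcmp(alg, "ES384") == 0) return "P-384";
  if (strcmp(alg, "ES512") == 0) return "P-521";
  return NULL;
}

/* 0 = header alg is the pinned one and the key curve fits it; <0 = reject. */
int check_alg_and_curve(const char *token, const char *pinned_alg, const char *key_crv) {
  char hdr[256], alg[16];
  const char *dot = strchr(token, '.'), *p, *crv;
  int n = dot ? b64url_decode(token, (int)(dot - token), hdr, (int)sizeof(hdr) - 1) : -1;
  if (n < 0) return -1;                                /* malformed token */
  hdr[n] = '\0';
  p = strstr(hdr, "\"alg\":\"");                       /* naive lookup; real code parses JSON */
  if (p == NULL || sscanf(p + 7, "%15[^\"]", alg) != 1) return -2;
  if (strcmp(alg, pinned_alg) != 0) return -3;         /* not the expected alg */
  crv = curve_for_alg(alg);
  if (crv == NULL || strcmp(crv, key_crv) != 0) return -4; /* key does not fit alg */
  return 0;
}

int main(void) { /* header segment is the thread's; payload/signature constructed */
  printf("%d\n", check_alg_and_curve("eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.e30.c2ln", "ES512", "P-256"));
}
```

Run before signature verification, a non-zero result means the token's declared alg or the supplied key's curve is not what the verifier was configured for.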
With your code, I have the following output :
2023-03-28T12:44:25Z - issue 26 INFO: Starting issue 26 tester
2023-03-28T12:44:25Z - issue 26 ERROR: r_jwk_import_from_gnutls_pubkey ecdsa - Error curve
2023-03-28T12:44:25Z - issue 26 ERROR: r_jwt_add_sign_keys_pem_der - Error parsing pubkey
r_jwt_add_sign_keys_pem_der error: 1
> Are you using the last rhonabwy release? If not, you also should, that would explain our differences.
I took the code of the branch master
from rhonabwy.
What system/version are you using?
What version of GnuTLS is installed?
from rhonabwy.
I'm using Yocto 2.5, with GnuTLS 3.6.1 (which is supposed to be the minimum version required for ECDSA if I understand correctly)
However, I tried this code but with the RS512 algo and it works correctly. So it seems to be a specific problem with ECDSA (or at least depending on the algo used)
from rhonabwy.
> I'm using Yocto 2.5, with GnuTLS 3.6.1 (which is supposed to be the minimum version required for ECDSA if I understand correctly)
Maybe that's the problem with rhonabwy, I assumed ECDSA was supported since GnuTLS 3.6 but it's probably from a later version.
from rhonabwy.
Perhaps
If I can find out which version of GnuTLS ECDSA works, I'll tell you.
But thanks for taking the time to help me!
from rhonabwy.