Comments (8)
Thalhammer
commented on July 21, 2024
1
How did you extract the public key?
It seems like somehow openssl is unable to correctly read it.
If I extract the public key from the private key you provided it works fine, but the private key looks totally different.
You can use the following command to extract it:
openssl rsa -in private.pem -pubout > key.pub
Note: If you specify a private key, the public one is ignored (infact you could even specify an empty string for it), thats why it worked when signing.
from jwt-cpp.
StiviiK
commented on July 21, 2024
I've used PuTTYgen, but as it seem i fucked something up there.
Thanks π
from jwt-cpp.
PhilippeFerreiraDeSousa
commented on July 21, 2024
Hi, I have a similar issue. The verification works with private key but fails without private key:
auto verifier = jwt::verify().allow_algorithm(jwt::algorithm::rs256{ public_key, private_key });
verifier.verify(decoded);
works but
auto verifier = jwt::verify().allow_algorithm(jwt::algorithm::rs256{ public_key });
verifier.verify(decoded);
raises evp verify final failed: 0 error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding
like if EVP_VerifyFinal was trying to read the default private_key value "" as a PEM key.
I need to verify without private_key. Is it due to my version of openssl or something?
Thank you.
from jwt-cpp.
PhilippeFerreiraDeSousa
commented on July 21, 2024
Also I get the same exception if I give a wrong private key just for the sake of a giving a valid key. Which doesn't make sense as this is an invalid padding error...
Keys are given this way
string private_key = R"(-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA5NhJbNEsniIRtc6Ys+4eRdqi6r6I/CdZ1pFuvFU+eV+c8dYV
2CYkv2JQgVrhj+ucZ8vmMrfHgBxq6Fdf2JtEmYmow859fzwiLy0clCnmmZaPEhwU
Lgd7fTrThRhif+dwCFmHLMNMFwKEbVRH78TrOHPPnM6XvRNRofSjBfUhJ2OkVDSu
7wMjqy8MgoY5CWK0cdNZBvanMmAvRrf4qQH0YOrnZ5drlqVnft9iawLGuvJNlCwR
5Bmzkz5rTLSNqaWJTYBAkTLOi88wf4oxSAyY8gpqGn05etSemXdsqE15rTDhhkls
UQT5bVb8bxP2lvmioyQjdxiB54LIDIkHcWUVWwIDAQABAoIBAQCjNIkw/QDYCi4d
PijzcafPY7z6s0YYpqvQdcnGsPisMP9KDcdobtOYVjJZ/omNTZgvAmC63Qx/lkS8
TMwDO8Cxy1Y7xwEDg8xRXtfZ5wQZlyGT5ciShy2Pwytk6V4eH91rZwYba3DRnC77
lbb0Dbk/eoCfMUtQQf3fBgxZzFeHsZPogqQTdpu13Hwkog+Y9y0mDFt2z1X+yfEe
3u6OwRpSvipv4z6CbHJRthj9ueLAsINndZlK5IKfwYSiNqpMsH4Fhb557pOR7fyj
NBgltdmGi/mJneWYsddfhG9y/GzGtoxrKEVEoaH/VzN7NytIWu91VBsnJjVWBRfE
DgyFClW5AoGBAPp7Kqa1351ILxrKnJvMwKxiO8vI7cdY9EL1AnNrUHH3/llf5Qsj
64qSOEeqxuQw0wJypmxlhvpkUnjrupYBZrshMLDVntj3Stv0rpJ9QbT6dvmDsyCx
pOKzm+UnXTJkxOQp7Zb7BzK8PDxVnXIJ7S5H47CH17GIqM3ctxYvlB2dAoGBAOnj
FNdIm7G96kghxnXKK895dsdYA6UM9QYmml98+qbfYf2xpr2u68Rzib+KJwk2CNB+
/EM5j6oMWqficgflLjudCfDCEA3UnSOTMhkniG22LjyVw0gwIkxH8dlkLxCvZyAM
teufjnQeCNGlbgwZNEOV9uoiT1TXZyBlJblwLolXAoGALOiEPxuAmgxlFaKZ7X0K
Vl3OZr0BlKooMREIfXUSGTzjR1bgE90+z7tjh8Xgnuz6CAhSOkEBsEboWnG5JEfg
CVDsD+hc8H112HXIDs+SRkZZqmaoaQYwj8yv+KfUF8LlYhr6VAVxxvDkw9R9xAJv
mcqd0fqo+1WLHk2iLcIeBikCgYAjwW53NwduVc1SN6+iZETsU/JfqUntWpy+0vn4
rR+YkT/my9jk2K/8eXlOie1L0DHqxe8Ey/D1myvkzI6IPHYj8O8LGm/f3WgkfyVC
iTOnKhnJc0/GYm1r4ffMNy+mylnmoWrSWbMqd0j72+GGAfhmeK+lvZcJLmD6p9vr
jIXgwwKBgQDqeU6JfKhwdKaaP81UP6CDyah2bHqyQAwfUexeqBhOCHER2IIpfySy
yhChdhjqrrH6tNUFX/Lt8W+xbmpzu/4nE9lI6fbyyjvH0DjhteulNDSYORZ4h1FX
tuYupvj6wIbal9kZlkOEedseJ3hkplyymGgP7Q1cv2mpyCMD5thHyA==
-----END RSA PRIVATE KEY-----)";
from jwt-cpp.
PhilippeFerreiraDeSousa
commented on July 21, 2024
Keys were generated with:
openssl genrsa -out jwtRS256-private.pem 2048 && openssl rsa -in jwtRS256-private.pem -pubout -out jwtRS256-public.pem
from jwt-cpp.
Thalhammer
commented on July 21, 2024
@PhilippeFerreiraDeSousa If the private key is specified it overwrites the public key (if provided).
However the error should not come from a bad key. Are you sure the token is a valid token and can be verified by other libs (especially the reference implementation on jwt.io) ?
from jwt-cpp.
PhilippeFerreiraDeSousa
commented on July 21, 2024
Sorry, I hate making people waste their time. The public key was very similar but not the correct one.
So verifying with the public key only works. However, it is surprising that the verification worked when giving the wrong public key and the correct private key together when instantiating rsa256.
from jwt-cpp.
Thalhammer
commented on July 21, 2024
However, it is surprising that the verification worked when giving the wrong public key and the correct private key together when instantiating rsa256.
Like I said, the reason this works is that the public key is completely ignored if you provide a private key. I know the api does not make this obvious and I will probably change that at some point in time.
from jwt-cpp.
Related Issues (20)
- x86/Win32 compilation and using boost json HOT 2
- Private Key Signing vs Signing from Service Account file HOT 5
- undefined reference error in compiling HOT 9
- what secret format should i use for HS512 algorithm HOT 1
- Release status of 0.7.0-rc.0 HOT 3
- Guide to Setting Up jwt-cpp? HOT 4
- Building example: no matching function for call to βdecode(std::string&)β HOT 1
- Compilation error: no matching function for call to βdecode(std::string&)β HOT 2
- Build Errors For picojson.h? HOT 8
- Getting Error - namespace "jwt" has no member "claims" HOT 6
- Unable to generate token using ed25519 HOT 2
- Use of Builder explicitly
- Need help : How to Implement JWT Operations from Python Using jwt-cpp ? HOT 5
- How to use payload and get the payload data HOT 7
- Boost JSON traits kind of buggy HOT 5
- How to verify a jwt HOT 3
- Invalid input: not within alphabet HOT 6
- Locking in libcrypto in multi threaded app HOT 6
- Linker error for OpenSSL on Windows HOT 5
- Exception is thrown with the exmple private-claims.cpp HOT 10
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jwt-cpp.