Comments (5)
Thalhammer
commented on June 23, 2024
Please take a look at the above bugfix.
It should fix your issue.
Turns out the padding of ecdsa signatures was wrong all along and no one noticed.
It only happened randomly as an ECDSA signature is not identical every time you generate it.
So the bug was not in verification but instead in generating.
from jwt-cpp.
adesitter
commented on June 23, 2024
Thanks for the quick fix.
The case I provided works now as long as I use the correct algorithm (jwt::algorithm::es512).
A few comments:
#1 After the fix, the correct algorithm must to be called depending on the type of key passed by argument. Unless is can be addressed, There is now a case to be more specific in the arguments documentation.
In jwt.h:
* \param public_key ECDSA public key in PEM format
* \param private_key ECDSA private key or empty string if not available. If empty, signing will always fail.
"ECDSA with P-256 (or P-384 or, P-521)" (after https://tools.ietf.org/html/rfc7518#section-3.1)
Currently, using es256 with a P-521 key will result in an exception. It is possible to use es512 with a P-256 key ?
#2 In TokenTest.cpp, it may be worth testing jwt::algorithm::es512. Additionally, you could test that using es256 with a P-521 key result in an exception.
#3 Out of curiosity, it is there an explanation of the padding algorithm you are using somewhere ? It is somewhat puzzling that OpenSSL does not provide a function for this.
from jwt-cpp.
Thalhammer
commented on June 23, 2024
@adesitter Regarding 1: It was never a feature that es256 worked with a 512bit key, just a coincident. In fact it probably was pure luck if the tokens were standard compliant.
No you can not (should not) use es512 with a 256 bit key.
Regarding 2: Yes testcases will come once I have time to write some. After they are done I will also add a new release.
Regarding 3: JWS uses a fixed signature length for ecdsa which consists of concatenating r and s of the signature. Therefore each of them needs to be half the size of that length. I basically prepend zeros until the size matches. Not sure why OpenSSL does not provide it, might do in the future but they also might ignore it as its really simple to implement and I could not find any other applications of this specific method.
from jwt-cpp.
adesitter
commented on June 23, 2024
Thanks.
std::logic_error("bignum size exceeded expected length") could be replaced by std::invalid_argument("Incorrect key type").
from jwt-cpp.
jfinkhaeuser
commented on June 23, 2024
I mean, you basically discussed this here already. I just added some details in #53 before crawling through the entire thread here :)
from jwt-cpp.
Related Issues (20)
- x86/Win32 compilation and using boost json HOT 2
- Private Key Signing vs Signing from Service Account file HOT 5
- undefined reference error in compiling HOT 9
- what secret format should i use for HS512 algorithm HOT 1
- Release status of 0.7.0-rc.0 HOT 3
- Guide to Setting Up jwt-cpp? HOT 4
- Building example: no matching function for call to ‘decode(std::string&)’ HOT 1
- Compilation error: no matching function for call to ‘decode(std::string&)’ HOT 2
- Build Errors For picojson.h? HOT 8
- Getting Error - namespace "jwt" has no member "claims" HOT 6
- Unable to generate token using ed25519 HOT 2
- Use of Builder explicitly
- Need help : How to Implement JWT Operations from Python Using jwt-cpp ? HOT 5
- How to use payload and get the payload data HOT 7
- Boost JSON traits kind of buggy HOT 5
- How to verify a jwt HOT 3
- Invalid input: not within alphabet HOT 6
- Locking in libcrypto in multi threaded app HOT 6
- Linker error for OpenSSL on Windows HOT 5
- Exception is thrown with the exmple private-claims.cpp HOT 10
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jwt-cpp.