Comments (5)
Hello @dvsekhvalnov,
Thanks for your answer. Yes, I was comparing the results from your library and Microsoft's implementation of JwtSecurityTokenHandler.
I tested re-importing the key and, as you said, it works fine. Then there seems to be two ways of getting it right;
a) Re-importing the parameters.
b) Specifying the "Microsoft Enhanced RSA and AES Cryptographic Provider" provider when creating the certificate. For example, I used the following line to create a certificate that then used to sign a JWT without re-importing the private key:
makecert -n "CN=JOSE_TEST" -ic "JOSE_ROOT.cer" -iv "JOSE_ROOT.pvk" -sp "Microsoft Enhanced RSA and AES Cryptographic Provider" -sy 24 -a sha256 -sky exchange -pe -sr LocalMachine -ss My
I have a another question. When signing a JWT we normally use a private key belonging to the issuer of the JWT and then the consumer of the JWT uses the corresponding public key to validate it. With encryption it seems that we need to use just the public key of the consumer and the certificate of the issuer plays no role. This seems strange to me (probably I am missing something) as there is no way for the consumer to validate the origin of the token. Is there a way to use different keys for encrypting and signing? What I am missing here?
Thanks again.
Roberto
from jose-jwt.
Hi @rmbrunet , are you talking about https://github.com/dvsekhvalnov/jose-jwt#rs--and-ps--family ?
If you using keys via RSACryptoServiceProvider
you need to re-import key to get SHA-2 crypto provider (by default it is always SHA-1).
There is a link in doc to http://clrsecurity.codeplex.com/discussions/243156 which provides details. Also you can check https://github.com/dvsekhvalnov/jose-jwt/blob/master/UnitTests/TestSuite.cs#L2346
As far as i remember it was always like this, if you know better workaround let me know or submit a patch set :)
If i didn't get your question correctly please submit minimal unit test so i can try.
Thank you.
from jose-jwt.
I think I found the answer (in RFC 7519) to my own question: Nested JWT. Here is a gist with a test in linqpad: https://gist.github.com/rmbrunet/b0036422202d0919698a6a872c5f7671
from jose-jwt.
@rmbrunet , yes you can use nested token (sign then encrypt) or also depending on your use-case you can try different keys for different parties and use key to identify origin. Check out 2-phase validation section for idea: https://github.com/dvsekhvalnov/jose-jwt#two-phase-validation
from jose-jwt.
Thanks! Great work!
from jose-jwt.
Related Issues (20)
- Support for ECDH-ES-* on Linux is possible HOT 12
- Issue when encrypt using RSA_OAEP_256 and A256GCM HOT 5
- EcdhKeyManagement alg expects key to be of CngKey or Jwk types with kty='EC HOT 11
- A128CBC+HS256 support in parity with Java's Nimbus JOSE + JWT HOT 3
- Remove legacy dependency `System.Security.Cryptography.Algorithms` for `netstandard2.1` target HOT 1
- Kinda weird code in the library HOT 2
- Play Integrity Exception "org.jose4j.lang.IntegrityException: A256KW key unwrap/decrypt failed" HOT 8
- JWT.Encode works fine on local machine in .NET7.0 Windows 11 , on windows server 2012 throw exception: Unable to sign content., inner exception: The requested operation is not supported.| HOT 4
- Get Public key from File HOT 10
- Decode throws when a nested property of an encoded model is a System.Decimal with one or more decimal places (e.g., 24.00m) HOT 2
- Windows Cryptography Next Generation (CNG) is not supported on this platform. HOT 5
- JWT Token Header HOT 1
- Is lib still supported? HOT 11
- Jose.JoseException: Unable to sign content. HOT 2
- JWE Decrypt not working for RSA algorithm HOT 9
- Susceptible to sign/encrypt confusion attack HOT 3
- Further exploitation about sign/encrypt attack HOT 6
- BCryptDecrypt error! HOT 5
- nimbus-jose-jwt change from JSON Smart to GSon upgrade has breaking changes on serialization and desrialization for jsonObject HOT 3
- Version 5: decryption of compressed token throws exception but works in 4.1 HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jose-jwt.