Comments (5)
- RSA key type is for RSA algorithms (RSxxx or PSxxx).
- EC key type is for EC algorithms (ESxxx).
If you want to use the ES256 algorithm, then you have to use an EC key.
from jwt-framework.
We had solved the problem using jwt-framework in a very funny way. we guess there is a bug in it ,Otherwise we hold the wrong understanding.
we use AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256(java code)
to generate public/private key in the following format. note, we use ECDSA not RSA.
import java.security.PrivateKey;
import org.jose4j.json.JsonUtil;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.lang.JoseException;
String keyId = UUID.randomUUID().toString().replaceAll("-", "");
RsaJsonWebKey jwk = RsaJwkGenerator.generateJwk(2048);
jwk.setKeyId(keyId);
jwk.setAlgorithm(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);
String publicKey = jwk.toJson(RsaJsonWebKey.OutputControlLevel.PUBLIC_ONLY);
String privateKey = jwk.toJson(RsaJsonWebKey.OutputControlLevel.INCLUDE_PRIVATE);
public key(private key is similar format: RSA & ES256) {"kty":"RSA","kid":"***","alg":"ES256","n":"***","e":"AQAB"}
now is the miracle time:
1: we change the ES256 to RS256 in thre private key,
2: change algorithm from ES256 -> RS256 in the php code.
use Jose\Component\Signature\Algorithm\ES256;
->
use Jose\Component\Signature\Algorithm\RS256;
- The generated token is verified true by the ES256 public key stored in the RS server.
this is interesting. Other develepers have the same expierence. and We agree this is a bug for jwt-framework.
ps: we use a third-party RS server(Aliyun Api Gate), we register keyid and publickey in RS (the public key is RSA & ES256)
from jwt-framework.
Hi,
That a good news. However I am still convinced there is a problem with the result of AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256(java code)
.
This lines clearly refers to an EC key on the P-256 curve, but the key you mention has RSA components (namely n
, e
and for your private key at least d
and maybe p
, q
, dq
, dp
or qi
).
EC key components are crv
, x
, y
and for your private key d
.
So for me lgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256(java code)
produces RSA keys, not EC ones.
I can see the same confusion here.
In the given example {"kty":"RSA","kid":"88483727556929326703309904351185815489","alg":"ES256","n":"ie0IKv...8dYAFAVEFsvXCFvdaxQefwWFw","e":"AQAB"}
we can clearly see that the type is RSA
(kty
and presence of n
and e
parameters) but the associated algorithm is ES256
(an EC algorithm) which is technically impossible.
It would be interesting to contact the developer of that Java implementation to confirm or deny my assumption.
Anyway, I am happy to know that you solved that issue.
I now close it. Feel free to re-open it needed.
from jwt-framework.
Hi,
As I mentioned before, this is not a behavior of one library or the other, but the way the key is created that is not correct.
from jwt-framework.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
from jwt-framework.
Related Issues (20)
- Undocumented breaking change in v3 regarding base64url padding strictness HOT 3
- jwt-signature-algorithm-eddsa not working HOT 2
- Invalid PHPDoc Syntax HOT 2
- Support Symfony 7 HOT 4
- It isnt possible to sign binary data? HOT 3
- JWT signed with EdDSA fails to be validated with nodejs/jose HOT 5
- Support for symfony 7 HOT 3
- alg dir serialized without payload HOT 10
- Deprecation: Symfony 6.4 HOT 4
- Disable data collectors in dev? HOT 1
- InvalidArgumentException: decodeNoPadding() doesn't tolerate padding HOT 2
- web-token/jwt-experimental not on packagist HOT 4
- Rsa signing works too slow HOT 5
- Potential license issue with paragonie/sodium_compat HOT 4
- Move `symfony/console` to the bundle HOT 1
- Do not deprecate the support for PSR-18 HTTP clients HOT 1
- [RFC] Option to rely on PSR Cache instead of HTTP Cache HOT 3
- Unclear dependencies HOT 1
- Unsupported key type using rsa-pss HOT 5
- It isn't possible to encrypt binary data !? HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jwt-framework.