ES256 signature length #163

Closed
martijndwars opened this issue Sep 11, 2016 · 8 comments

martijndwars commented Sep 11, 2016

According to draft-ietf-json-web-algorithms, the length of the signature for ES256 must be 64 bytes. The signature that is being produced by jjwt is longer (e.g. the base64 encoded string is 94 characters, which corresponds to 126 bytes).

When I replaced jjwt by jose4j, the problem was solved. Apparently, they encountered this issue as well, though I'm not sure what is going wrong in jjwt.

```java
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.security.Key;
import java.util.Date;

private Key privateKey; // BCECPrivateKey instance

// ...
public void encode() {
    String compactJws = Jwts.builder()
        .setHeaderParam("typ", "JWT")
        .setHeaderParam("alg", "ES256")
        .setAudience("xxx")
        .setExpiration(new Date(1473689295000L))
        .setSubject("yyy")
        .signWith(SignatureAlgorithm.ES256, privateKey)
        .compact();

    // compactJws will be 94 characters long -- too long
}
```
@lhazlewood
Contributor

Thanks for the issue!

@martijndwars
Author

martijndwars commented Sep 11, 2016

I was unable to reproduce the issue in master, so I guess this is already fixed in between 0.6.0 and master.

@lhazlewood
Contributor

Thanks @martijndwars - if you could provide even a trivial snippet of code that allows us to reproduce the problem that'd be really helpful. If I had to guess, I think it's related to the ASN.1/DER encoding that was fixed in master. @martintreurnicht might have some insight here since he graciously contributed related code.

@martijndwars
Author

@lhazlewood thanks for your quick reply. I was unable to reproduce the issue in master, so I guess this is already fixed in between 0.6.0 and master. I'm replacing jose4j by jjwt again to see if the issue is fixed in master and will let you know the result.

Anyway, sorry for opening the issue before testing on master!

@lhazlewood
Contributor

No worries! The help is much appreciated!

@martintreurnicht
Contributor

Hi, yes, the change I made was to change the signature from ASN.1/DER encoding (which is the standard in Java) to JOSE, which is the format that should be used as per the RFC spec. @lhazlewood you guys should do an official release soon, otherwise you'll keep on getting these types of issues.
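
The ASN.1/DER to JOSE conversion described in the comment above, as an added example that is not jjwt's own code and not part of the original thread: it signs a constructed input with the JDK's `SHA256withECDSA`, then re-encodes the DER `SEQUENCE { INTEGER r, INTEGER s }` as the fixed-width `R || S` that JWS expects. The class name `DerToJose`, the method names and the signing input are hypothetical.

```java
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;

public class DerToJose {
    // DER input: SEQUENCE { INTEGER r, INTEGER s }. Output: R || S, each left-padded
    // to partLen bytes (32 for ES256), which is the JWS signature format.
    static byte[] derToJose(byte[] der, int partLen) throws SignatureException {
        if (der.length < 8 || der[0] != 0x30) throw new SignatureException("not a DER SEQUENCE");
        int pos = 1;
        int seqLen = der[pos++] & 0xff;
        if (seqLen == 0x81) seqLen = der[pos++] & 0xff;   // long form, only reached by P-521
        else if (seqLen >= 0x80) throw new SignatureException("unsupported length form");
        if (seqLen != der.length - pos) throw new SignatureException("SEQUENCE length mismatch");
        byte[] out = new byte[2 * partLen];               // zero-filled, so padding is implicit
        pos = copyInteger(der, pos, out, 0, partLen);
        pos = copyInteger(der, pos, out, partLen, partLen);
        if (pos != der.length) throw new SignatureException("trailing bytes after s");
        return out;
    }

    // Copies one DER INTEGER into out[off .. off+partLen) and returns the next read position.
    private static int copyInteger(byte[] der, int pos, byte[] out, int off, int partLen)
            throws SignatureException {
        if (pos + 2 > der.length || der[pos] != 0x02) throw new SignatureException("INTEGER expected");
        int len = der[pos + 1] & 0xff;
        int start = pos + 2;
        if (len == 0 || len >= 0x80 || start + len > der.length)
            throw new SignatureException("bad INTEGER length");
        int end = start + len;
        while (start < end - 1 && der[start] == 0) start++;   // drop the DER sign-padding zero
        if (end - start > partLen) throw new SignatureException("INTEGER wider than curve order");
        System.arraycopy(der, start, out, off + partLen - (end - start), end - start);
        return end;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));        // P-256, the ES256 curve
        Signature ecdsa = Signature.getInstance("SHA256withECDSA"); // JCA emits ASN.1/DER
        ecdsa.initSign(kpg.generateKeyPair().getPrivate());
        ecdsa.update("header.payload".getBytes("US-ASCII"));        // constructed signing input
        byte[] der = ecdsa.sign();
        byte[] jose = derToJose(der, 32);
        System.out.println("DER:  " + der.length + " bytes");
        System.out.println("JOSE: " + jose.length + " bytes, "
            + Base64.getUrlEncoder().withoutPadding().encodeToString(jose).length() + " base64url chars");
    }
}
```

The DER length varies from run to run because each INTEGER gains a leading zero byte whenever its top bit is set; the converted form is always `2 * partLen` bytes. On JDK 9 and later, `Signature.getInstance("SHA256withECDSAinP1363Format")` produces the `R || S` form directly.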

@martijndwars
Author

I can confirm that the issue does not exist on master, so I'll close it. I look forward to the 0.7.0 release!

@lhazlewood
Contributor

Thanks! I think we'll be able to release 0.7 shortly - this was the last bug.

@lhazlewood lhazlewood added this to the 0.7 milestone Sep 13, 2016