
HS encryption algorithm problem [Using 0.11.5 and SecretKey for signWith and setSigningKey] #754

Closed
Jess103 opened this issue Sep 29, 2022 · 4 comments

Comments

@Jess103

Jess103 commented Sep 29, 2022

Hi there,
I found #749, which is the same issue as mine, and read the comment too.
But I'm already using 0.11.5 version and SecretKey (not String) for the encoding(signWith) and decoding(setSigningKey).

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;

// Encoding: sign with the SecretKey 'key'
String jwt = Jwts.builder().setHeader(headers).setClaims(payload).signWith(key).compact();
// Decoding: verify the signature with 'theKey', then parse the claims
Jws<Claims> claims = Jwts.parserBuilder().setSigningKey(theKey).build().parseClaimsJws(jwt);

Does Jwts.parser().setSigningKey(key) not validate the signature? Am I missing something?

@lhazlewood
Contributor

The signature is only validated on parsing, i.e. when .parseClaimsJws is invoked.

At first glance, your code looks a little different: you call signWith using a variable key, and then verify with setSigningKey using a variable theKey. Since key and theKey are different, I can't tell exactly what's going on here. It could be just a typo in your example, or if not, might be indicative of why you're not seeing expected results.

Were you able to see what the issue was?

@Jess103
Author

Jess103 commented Nov 8, 2022

Hi, sorry that I forgot to mention the problem in my question; same as the issue I mentioned, I tried using a different key for parsing but it doesn't throw an error. (What you see is correct. key and theKey are different.)
I tried RS256 signing with a private key and validating with a public key as well. In this case, it throws an error if I change the modulus or exponent value, as I expected.
I thought it should throw an error if the keys are different, but it doesn't when it's signed using HS... Do I need to do something else for the HS validation?

@lhazlewood
Contributor

I'd have to see the keys (or an example that re-creates with a similar setup). Is it possible that your keys are Base64-encoded before turning them into Key instances? It is possible for different Base64 strings to decode to the same exact byte array, so you might be seeing this, but without an example, I can't tell.

For example, this is discussed in the referenced issue:

https://github.com/jwtk/jjwt#base64-security

especially:

https://github.com/jwtk/jjwt#base64-changing-characters
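The point made above is language-independent, so here is an added illustration (example code written for this page, not jjwt's or the reporter's code) in Python: a minimal HS256 JWS sign/verify pair, plus a helper that turns a padded Base64 key string into a different-looking string that decodes to exactly the same bytes. Signing with key A and verifying with the alias B succeeds because the key bytes are identical, while a genuinely different key C fails. The key bytes and the claims are constructed for the example; the function names (hs256_sign, hs256_verify, base64_alias, demo) are this example's own.

```python
import base64
import hashlib
import hmac
import json

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64url_encode(data: bytes) -> str:
    """JWS-style Base64URL without padding (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(key: bytes, claims: dict) -> str:
    """Build a compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(tag)}"


def hs256_verify(key: bytes, jws: str) -> bool:
    """Recompute the MAC over header.payload and compare in constant time.

    As with jjwt's parseClaimsJws, this is the only point where the signature
    is checked; building the token never verifies anything."""
    header, payload, sig = jws.split(".")
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def base64_alias(b64: str) -> str:
    """Return a different standard-Base64 string that decodes to the same bytes.

    When the encoding ends in padding, the last data character carries 2 (one '=')
    or 4 (two '=') bits that decoders discard. Flipping the lowest of those bits
    changes the text but not the decoded bytes."""
    pad = len(b64) - len(b64.rstrip("="))
    if pad == 0:
        raise ValueError("no padding, so no discarded trailing bits to flip")
    idx = len(b64) - pad - 1  # last character that carries key material
    flipped = B64_ALPHABET[B64_ALPHABET.index(b64[idx]) ^ 1]
    return b64[:idx] + flipped + b64[idx + 1:]


# Constructed 32-byte (256-bit) keys; applications usually store only the Base64 text.
KEY_BYTES = b"0123456789abcdef0123456789abcdef"
KEY_A_B64 = base64.b64encode(KEY_BYTES).decode("ascii")
KEY_B_B64 = base64_alias(KEY_A_B64)  # different text, identical bytes
KEY_C_B64 = base64.b64encode(b"fedcba9876543210fedcba9876543210").decode("ascii")  # truly different


def demo() -> dict:
    """Sign with key A, then verify with A, its alias B, and an unrelated key C."""
    token = hs256_sign(base64.b64decode(KEY_A_B64), {"sub": "alice"})
    return {
        "texts_differ": KEY_A_B64 != KEY_B_B64,
        "bytes_equal": base64.b64decode(KEY_A_B64) == base64.b64decode(KEY_B_B64),
        "verify_with_A": hs256_verify(base64.b64decode(KEY_A_B64), token),
        "verify_with_B": hs256_verify(base64.b64decode(KEY_B_B64), token),
        "verify_with_C": hs256_verify(base64.b64decode(KEY_C_B64), token),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When a "wrong" key unexpectedly verifies, compare the decoded byte arrays (or their SHA-256 digests) rather than the Base64 strings; if the bytes match, the verifier is behaving correctly and the two configured keys are the same key.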

@lhazlewood
Contributor

Closing due to inactivity from the OP. Happy to re-open if necessary, please advise.
