Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JWSBuilder when used directly with AsymmetricSignatureSignerContext produces non compliant ECDSA signed JWT #29309

Closed
1 of 2 tasks
Tracked by #25936
francis-pouatcha opened this issue May 6, 2024 · 2 comments · Fixed by #29333
Closed
1 of 2 tasks
Tracked by #25936

JWSBuilder when used directly with AsymmetricSignatureSignerContext produces non compliant ECDSA signed JWT #29309

francis-pouatcha opened this issue May 6, 2024 · 2 comments · Fixed by #29333
Labels
area/core help wanted kind/bug Categorizes a PR related to a bug priority/normal release/25.0.0 status/auto-bump team/core-clients

Comments

@francis-pouatcha
Copy link
Contributor

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

core

Describe the bug

org.keycloak.jose.jws.JWSBuilder when used directly with org.keycloak.crypto.AsymmetricSignatureSignerContext produces non compliant JWT ECDSA signed JWT.

The AsymmetricSignatureSignerContext sings using the java crypto API. The signature produced by Java. The native ECDSA encoding in java is not compatible with the JWS-ECDSA

See issues:

Version

latest

Regression

  • The issue is a regression

Expected behavior

For EC base signatures, JWSBuilder must throw an exception when passed the AsymmetricSignatureSignerContext and require the use of an algorithm specific Signer like the ECDSASignatureSignerContext, to get the correct behavior like for ECDSA

    # from org.keycloak.crypto.ECDSASignatureSignerContext
    @Override
    public byte[] sign(byte[] data) throws SignatureException {
        try {
            int size = ECDSAAlgorithm.getSignatureLength(getAlgorithm());
            return ECDSAAlgorithm.asn1derToConcatenatedRS(super.sign(data), size);
        } catch (Exception e) {
            throw new SignatureException("Signing failed", e);
        }
    }

Result must be validated by using other progaming languages of jwt.io

Actual behavior

JWS produced using JWSBuilder & AsymmetricSignatureSignerContext can not be validated on jwt.io

How to Reproduce?

The sdjwt String in the test resource core/src/test/resources/7.3-sdjwt.txt contains an invalid jws. THis can be validated using the combination JWSBuilder & AsymmetricSignatureSignerContext. But Can not be read by any jws compliant implementation like jwt.io

Anything else?

We might be having the same problem with EdDSA and the deterministic secret point EdDSA-R follows the same logic as the random point ECDSA-R.
@francis-pouatcha francis-pouatcha added kind/bug Categorizes a PR related to a bug status/triage labels May 6, 2024
@francis-pouatcha francis-pouatcha mentioned this issue May 6, 2024
Merged
@francis-pouatcha
Copy link
Contributor Author

Fixed by #29333

@wistefan wistefan mentioned this issue May 7, 2024
Open
@keycloak-github-bot
Copy link

Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a 👍 to the description. We would also welcome a contribution to fix the issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/core help wanted kind/bug Categorizes a PR related to a bug priority/normal release/25.0.0 status/auto-bump team/core-clients
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Issue 29309 adorsys/keycloak-oid4vc
3 participants
@mposolda @francis-pouatcha @stianst