JWSBuilder when used directly with AsymmetricSignatureSignerContext produces non-compliant ECDSA-signed JWT #29309
Labels
area/core
help wanted
kind/bug
priority/normal
release/25.0.0
status/auto-bump
team/core-clients
Before reporting an issue
Area
core
Describe the bug
org.keycloak.jose.jws.JWSBuilder when used directly with org.keycloak.crypto.AsymmetricSignatureSignerContext produces a non-compliant ECDSA-signed JWT.
The AsymmetricSignatureSignerContext signs using the Java crypto API, so the signature is produced by Java. The native ECDSA encoding in Java is not compatible with JWS ECDSA.
See issues:
Version
latest
Regression
Expected behavior
For EC-based signatures, JWSBuilder must throw an exception when passed the AsymmetricSignatureSignerContext and require the use of an algorithm-specific signer like ECDSASignatureSignerContext, to get the correct behavior for ECDSA.
The result must be validated using other programming languages or jwt.io.
Actual behavior
A JWS produced using JWSBuilder & AsymmetricSignatureSignerContext cannot be validated on jwt.io.
How to Reproduce?
The SD-JWT string in the test resource core/src/test/resources/7.3-sdjwt.txt contains an invalid JWS. It can be validated using the combination of JWSBuilder & AsymmetricSignatureSignerContext, but cannot be read by any JWS-compliant implementation like jwt.io.
Anything else?
We might be having the same problem with EdDSA: the deterministic secret point EdDSA-R follows the same logic as the random point ECDSA-R.