
RSA verification issues #44

Closed
jurriaan opened this issue Sep 6, 2015 · 7 comments

Comments


jurriaan commented Sep 6, 2015

It looks like this library doesn't accept valid JWTs signed with RSA.

This example shows how the JOSE and JWT libraries respond to a token I generated using ruby-jwt:

<?php
// Assumes Composer's autoloader is on the include path (not shown in the original snippet).
require 'vendor/autoload.php';

use Namshi\JOSE\SimpleJWS;
use Lcobucci\JWT\Signer\Keychain;
use Lcobucci\JWT\Signer\Rsa\Sha256;
use Lcobucci\JWT\Parser;

// RS256 token generated with ruby-jwt; payload is {"test": true}.
$token = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ0ZXN0Ijp0cnVlfQ.CURDYzapcj5UEjNHSJ7e0HUTp5wfIR3eugFWhx2DrfR6qs3A9YLWjZkT4owFqlqw4o-ljv4sSt0cL3jCH7J8ocn3jY8P5kRmq65ZYj_wQJf8v9Gxm_HBl3OkdHSj6PlWT57jXcKp8puzIyydnQiuA6MKlieUa3ADzKqWABbuAm2jEWEJmkgkWCNVT9_ycHWUszUVni2w7qDLO393xxoYRb_v4xRbafxZGc7_mY7H0jsThRDQgQ8gKP3wvXnWFCOokh2D28XUdg2Va1ybQQc3cya0UTNlg_4s94778TFLdePlsx6uVLW8-AFRSZXs4YSKGi1jz_xzX9IGoAP2tmvg9A';

// Public half of the key pair the token was signed with.
$public_key = openssl_pkey_get_public("-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6VdCKKt7QRVz+MDknZDx\nvZ0jTUpCAtOjgfBIz9TluspLURIjMsQQJFvMidBqo/XCSQvvPOaCS+IALNWE8EKf\nGzk7gij+iXPyw/TbNFQxIXlc9LF5QTh7jfbYzCUzk7oJSurXz/pzr55QBa3o+Bky\nzWlh0dKWp7mGrHIHcMC5vlntfjaMzoFeEv6j3j+q4OPKhXigKjsvy9IS18KncyPt\nicxzo1qOz6M8usuYIGhFG/3H3hsHjhiEQNWy9WkMbtE6nDeNyDVBvxS5t1sD3Gqm\n3pvwFTbItgTcMRB2Qbo8TChm8dMqIBTX+or1dOaRbb6GeiL+nasCseabZ0LLSzp5\nuwIDAQAB\n-----END PUBLIC KEY-----\n");

// namshi/jose: load the compact serialisation and verify it against the public key.
echo 'namshi/jose: ';
$jws = SimpleJWS::load($token);
var_dump($jws->isValid($public_key, 'RS256'));

// lcobucci/jwt: parse the same string and verify with the RS256 signer.
echo 'lcobucci/jwt: ';
$parsed = (new Parser())->parse((string) $token); // Parses from a string
var_dump($parsed->verify(new Sha256(), (new Keychain())->getPublicKey($public_key)));

This results in the following output:

namshi/jose: bool(false)
lcobucci/jwt: bool(true)

Somehow this library considers this token invalid. Why is that?

@rsutton-va

Thanks @jurriaan for making this issue, have the same problem myself. Any news?


odino commented Oct 8, 2015

It seems like the signing input is not being generated correctly -- let me have a look.


odino commented Oct 8, 2015

Ok, got it: you should use SimpleJWS when you generate the token, as it's designed to auto-add the iat claim on its own. Now, when you verify a token this becomes a problem, since the iat gets added by default.

You can work around this issue by using:

// Plain JWS does not touch the payload, so the signing input matches what was signed.
$jws = JWS::load($token);
$jws->isValid($public_key, 'RS256');

instead of SimpleJWS. I think long term we should remove automatically adding the iat...
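The mechanism odino describes, as an added example that is not code from namshi/jose or from this thread: a verifier must rebuild the RS256 signing input from the header and payload segments exactly as received, and any re-serialisation of the payload (here, injecting an iat claim, as the thread says SimpleJWS does) produces a different signing input and a failed verification. The key pair and token below are generated on the fly, not the ones from the issue.

```php
<?php
// Added example (not namshi/jose code): why re-serialising the payload before
// verification breaks a valid RS256 signature.

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64urlDecode(string $s): string {
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4));
}

// Throwaway RSA key pair, constructed here for the demonstration.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];

// Issue a token the way an external library (e.g. ruby-jwt) would: no iat claim.
$header  = b64url(json_encode(['typ' => 'JWT', 'alg' => 'RS256']));
$payload = b64url(json_encode(['test' => true]));
$signingInput = $header . '.' . $payload;
openssl_sign($signingInput, $sig, $key, OPENSSL_ALGO_SHA256);
$token = $signingInput . '.' . b64url($sig);

// Correct: verify over the raw segments as received.
function verifyRaw(string $token, string $pub): bool {
    [$h, $p, $s] = explode('.', $token);
    return openssl_verify("$h.$p", b64urlDecode($s), $pub, OPENSSL_ALGO_SHA256) === 1;
}

// Broken: decode the payload, add an iat claim, re-encode, then verify.
// This mirrors what the thread says SimpleJWS::load does to the payload.
function verifyWithInjectedIat(string $token, string $pub): bool {
    [$h, $p, $s] = explode('.', $token);
    $claims = json_decode(b64urlDecode($p), true);
    $claims['iat'] = time();
    $p2 = b64url(json_encode($claims));
    return openssl_verify("$h.$p2", b64urlDecode($s), $pub, OPENSSL_ALGO_SHA256) === 1;
}

echo 'raw segments:      '; var_dump(verifyRaw($token, $pub));
echo 'iat re-serialised: '; var_dump(verifyWithInjectedIat($token, $pub));
```

The same failure occurs for any change that alters the encoded payload bytes, including JSON re-encoding that reorders or reformats claims, which is why a verifier should never normalise the payload before checking the signature.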

@rsutton-va

Thanks for the quick feedback @odino, but it looks like JWS does not have an isValid function.


odino commented Oct 8, 2015

sorry, use verify for now :)

@rsutton-va

Works like a charm, thanks!


cirpo commented Nov 13, 2015

closing it

@cirpo cirpo closed this as completed Nov 13, 2015