JWK deserialization failures due to keys have near-opaque error messages

[Dessix]

data did not match any variant of untagged enum MaybePrivate

The above error results from any JWK deserialization that fails to deserialize as a signer, but- unfortunately- this can be with correct JSON and semantically invalid key values. When this is the case, it's almost impossible to determine programmatically what field was the source of the issue.

It may be worth separating parsing and validation such that a pseudo-JWK can be deserialized, then use a separate error type in the process of validating its key values, turning it into a "true" JWK instance.

[neoeinstein]

I definitely agree that we can improve the error reporting here. untagged doesn't provide very good messaging, so a custom implementation of Deserialize with custom messaging on errors might be better for this type, or, as you suggest, instead using an intermediate "DTO" JWK that we then try to transform into a normal JWK.

Do you have an example JWK that could be used as a test case here? If not, I could probably generate one myself, but if you have one from a source that you are using, then that could help me to try and discern any compatibility issues.

[Dessix]

I made a test key off of https://mkjwk.org/ and couldn't get them to work with key-size 512, key use signature, algorithm RS256/SHA256, and Key-ID test-key. If it loads that successfully when the private-keys feature is enabled, you've gotten further than I did with it, but you can still break it by changing the value stored in the d parameter by any one character.

[neoeinstein]

Ok. Interesting. The JSON Web Algorithms RFC indicates a minimum key size of 2048 bits for the RS256 algorithm. A key with a size of 512 is thus invalid according to the RFC.

I still think that it is valuable to have an appropriate and more informative error message here, so I'll work on that.