Thalhammer / jwt-cpp

A header only library for creating and validating json web tokens in c++
https://thalhammer.github.io/jwt-cpp/
MIT License

RSA Exception #233

Closed rakesh850gs closed 2 years ago

rakesh850gs commented 2 years ago

What happened?

While trying the example in GitHub

The below mentioned error is appearing when trying to sign with RS256 , however same code works with HS 256

Exception thrown at 0x00007FFB356C4FD9 in PluginUnitApp.exe: Microsoft C++ exception: jwt::error::rsa_exception at memory location 0x000000D77DEFE5A8.
Unhandled exception at 0x00007FFB356C4FD9 in PluginUnitApp.exe: Microsoft C++ exception: jwt::error::rsa_exception at memory location 0x000000D77DEFE5A8.

How To Reproduce?

execute example code in vs2017 with rs256

Version

0.6.0

What OS are you seeing the problem on?

Windows

What compiler are you seeing the problem on?

MSVC

Relevant log output

Exception thrown at 0x00007FFB356C4FD9 in PluginUnitApp.exe: Microsoft C++ exception: jwt::error::rsa_exception at memory location 0x000000D77DEFE5A8.
Unhandled exception at 0x00007FFB356C4FD9 in PluginUnitApp.exe: Microsoft C++ exception: jwt::error::rsa_exception at memory location 0x000000D77DEFE5A8.


prince-chrismc commented 2 years ago

Can you share the error message of the exception?

Also how you are making the RSA key and signing the token?

rakesh850gs commented 2 years ago

Like below

#include <jwt-cpp/jwt.h>
#include <chrono>
#include <string>

// expireTime was not shown in the original snippet; one hour from now
auto expireTime = std::chrono::system_clock::now() + std::chrono::hours{1};

auto token = jwt::create()
            .set_issuer("1234567890")
            .set_type("JWS")
            .set_subject("67890063dfgh")
            .set_expires_at(expireTime)
            .set_issued_at(std::chrono::system_clock::now())
            .set_audience("url")
            .set_payload_claim("sample", jwt::claim(std::string("test")))
            // rs256(public_key, private_key, public_key_password, private_key_password):
            // "secret" is not a PEM-encoded RSA private key, so this throws jwt::error::rsa_exception
            .sign(jwt::algorithm::rs256("","secret","",""));

prince-chrismc commented 2 years ago

You need to pass a valid RSA private key for the signing algorithm.

Check out this example https://github.com/Thalhammer/jwt-cpp/blob/5d25462e030fa20a7d7e35f5ba70c6ebb61cb1b6/example/rsa-create.cpp#L5

rakesh850gs commented 2 years ago

It worked, thanks. Since an invalid key worked for HS256, I thought it would work here too. Thanks.

Thalhammer commented 2 years ago

It worked, thanks. Since an invalid key worked for HS256, I thought it would work here too. Thanks.

There are no invalid keys for HS256 because HS256 works differently. For RSA you have a public and a private key; the public key can only verify that a given token is valid, but cannot create tokens on its own. HS is a synchronous scheme, which means the same key is required to verify and create tokens. It is thus only suitable if you control both the creating and the verifying side. HS takes the value provided as key and hashes it together with the token to create the final signature. This means everything is a valid key, regardless of length or content. That said, (random) keys larger than 24 bytes rarely make sense, and you should not use too-short keys (e.g. 4 bytes) because those will be easy to brute-force. I usually stick to 24-byte random strings.
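The distinction drawn in the comment above, as an added example that is not part of the issue thread or of the jwt-cpp project: an HS256 token built and verified with only the Python standard library (used here instead of jwt-cpp so it runs without OpenSSL or a C++ toolchain), following the JWS signing-input construction of RFC 7515. It shows three things a practitioner wants to see: HMAC-SHA256 accepts any byte string as key, including the empty string, so `sign` never fails the way `rs256` does when handed a non-PEM string; the key is a shared secret of a symmetric scheme, so the verifier needs the very same bytes and a different key or a tampered payload is rejected; and the key-length check at the end is the one RFC 7518 section 3.2 requires for HS256 (at least 256 bits, i.e. 32 bytes), which is stricter than the 24-byte habit mentioned above. The claims, secrets, and helper names (`hs256_sign`, `hs256_verify`, `check_hs256_key`, `demo`) are constructed for this example.

```python
"""Added example: HS256 JWT signing and verification with the Python standard library.
Not code from jwt-cpp or from the issue thread; claims and secrets are constructed."""
import base64
import hashlib
import hmac
import json
import os

# RFC 7518 section 3.2: an HS256 key must be at least as long as the hash output (256 bits).
HS256_MIN_KEY_BYTES = 32


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(claims: dict, key: bytes) -> str:
    """Build <header>.<payload>.<signature>. Any key length works, including b"":
    HMAC pads or hashes the key internally, so there is no 'invalid key' here."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def hs256_verify(token: str, key: bytes) -> dict:
    """Verify with the *same* key used to sign (shared-secret scheme) and return the claims.
    The expected algorithm is fixed by the verifier, never taken from the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))


def check_hs256_key(key: bytes) -> None:
    """Reject keys shorter than the RFC 7518 minimum: a 6-byte 'secret' is cheap to
    brute-force offline, and an empty key means anyone can mint valid tokens."""
    if len(key) < HS256_MIN_KEY_BYTES:
        raise ValueError("HS256 key is %d bytes, need at least %d" % (len(key), HS256_MIN_KEY_BYTES))


def _fails(fn, arg) -> bool:
    """True if fn(arg) raises ValueError."""
    try:
        fn(arg)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Exercise the behaviours discussed in the thread; returns a dict of booleans."""
    claims = {"iss": "1234567890", "sub": "67890063dfgh", "aud": "url",
              "iat": 1700000000, "exp": 1700003600}
    results = {}

    # 1. The empty string that made rs256 throw is a perfectly good HMAC key.
    token = hs256_sign(claims, b"")
    results["empty_key_signs_and_verifies"] = hs256_verify(token, b"") == claims

    # 2. Same scheme, different key: verification fails, so key custody is everything.
    results["wrong_key_rejected"] = _fails(lambda k: hs256_verify(token, k), b"secret")

    # 3. Any change to the payload invalidates the tag even with the right key.
    head, _body, sig = token.split(".")
    forged = head + "." + b64url_encode(b'{"iss":"attacker"}') + "." + sig
    results["tamper_rejected"] = _fails(lambda t: hs256_verify(t, b""), forged)

    # 4. The RFC 7518 length check flags "" and "secret" but accepts a 32-byte random key.
    results["short_key_flagged"] = all(_fails(check_hs256_key, k) for k in (b"", b"secret"))
    results["strong_key_ok"] = not _fails(check_hs256_key, os.urandom(HS256_MIN_KEY_BYTES))
    return results
```

Two design points carry over to any JWT library, jwt-cpp included: the verifier pins the expected algorithm itself rather than trusting the token's `alg` header, and the key-length check runs at configuration time, because the HMAC primitive will happily accept the empty string that RSA rejected.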