Thalhammer / jwt-cpp

A header only library for creating and validating json web tokens in c++
https://thalhammer.github.io/jwt-cpp/
MIT License

failed to load key: bio read failed #241

Closed Kautenja closed 1 year ago

Kautenja commented 1 year ago

What happened?

ed25519 does not work in place of rsa in example code; instead it yields the exception:

libc++abi: terminating with uncaught exception of type jwt::error::rsa_exception: failed to load key: bio read failed

The same is true for attempting to load public keys in my experience.

How To Reproduce?

#include <iostream>
#include <jwt-cpp/jwt.h>

int main() {
    // Private key exactly as written by `ssh-keygen -t ed25519 -m PEM`
    // (the command posted further down). Despite `-m PEM`, ssh-keygen stores
    // ed25519 keys in its own OpenSSH container, not the PKCS#8 PEM that
    // jwt-cpp's OpenSSL-backed loader can read.
    std::string rsa_priv_key = R"(-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACD4VpZ6QtxaEusjkehxLfBoGx7n2hgcX5+PsWX9HtZcCQAAALhKiEx/SohM
fwAAAAtzc2gtZWQyNTUxOQAAACD4VpZ6QtxaEusjkehxLfBoGx7n2hgcX5+PsWX9HtZcCQ
AAAEC5cgaK1LeDbS1Yl1oCw6o4GYS8JzpDWv1gYa2PukytUvhWlnpC3FoS6yOR6HEt8Ggb
HufaGBxfn4+xZf0e1lwJAAAAMWNrYXV0ZW5AaXAtMTkyLTE2OC0xLTMudXMtd2VzdC0yLm
NvbXB1dGUuaW50ZXJuYWwBAgME
-----END OPENSSH PRIVATE KEY-----)";

    // Same claims as the RSA example; only the algorithm is swapped.
    // ed25519 arguments: public key, private key, public password, private password.
    auto token = jwt::create()
                     .set_issuer("auth0")
                     .set_type("JWT")
                     .set_id("rsa-create-example")
                     .set_issued_at(std::chrono::system_clock::now())
                     .set_expires_at(std::chrono::system_clock::now() + std::chrono::seconds{36000})
                     .set_payload_claim("sample", jwt::claim(std::string{"test"}))
                     .sign(jwt::algorithm::ed25519("", rsa_priv_key, "", ""));

    // Not reached with the key above: sign() throws jwt::error::rsa_exception
    // "failed to load key: bio read failed" while loading the private key.
    std::cout << "token:\n" << token << std::endl;
}

Version

0.6.0

What OS are you seeing the problem on?

MacOS

What compiler are you seeing the problem on?

GCC

Relevant log output

The output of the standard example for RSA works as expected. Swapping out rsa for ed25519 fails with a newly generated key-pair.


Thalhammer commented 1 year ago

ed25519 is based on elliptic curves, whereas rsa is based on prime factorization. The key types differ, meaning you can't use an rsa key with ed25519 (or really any other algorithm except pss* which is based on rsa). You need to generate a new key suitable for elliptic curves.

Kautenja commented 1 year ago

Ah I see. I suppose my issue then is how are these ed25519 keys supposed to be generated? The key was generated using the following, which should produce an ed25519 key as far as I can tell:

ssh-keygen -t ed25519 -m PEM -f jwted25519.key

Kautenja commented 1 year ago

I should mention the key in the example code was generated using the above command; it's not the RSA key from the original code.

prince-chrismc commented 1 year ago

Should be this https://stackoverflow.com/a/73118582

prince-chrismc commented 1 year ago

Cryptography libraries are not as interchangeable as we'd like... never tried ssh but I assume it's adding something special to know which alg to use.

Kautenja commented 1 year ago

Oh interesting, I was unaware of that. You're totally right, the keys generated by OpenSSL 3 do work in this example and look much more like the keys that I was seeing in the test cases. Thanks for the help!
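An added example (not code from the issue or from the jwt-cpp project) that turns the thread's resolution into a reusable check: generate the Ed25519 pair with OpenSSL 3 instead of ssh-keygen, and classify a key file by its PEM header so an OpenSSH container is rejected before jwt-cpp reports "bio read failed". The function names and the `--demo` flag are my own.

```shell
#!/bin/sh
# Added helper, not part of jwt-cpp or the issue above.
set -eu

# Generate the key pair jwt::algorithm::ed25519 can load: a PKCS#8 private
# key ("BEGIN PRIVATE KEY") and a SubjectPublicKeyInfo public key
# ("BEGIN PUBLIC KEY"), both written by OpenSSL rather than ssh-keygen.
gen_ed25519_pem() {
    priv="$1"; pub="$2"
    openssl genpkey -algorithm ed25519 -out "$priv"
    openssl pkey -in "$priv" -pubout -out "$pub"
}

# Classify a key file by its first line.
#   0 -> PEM encoding OpenSSL's loader accepts (PKCS#8 private, encrypted
#        PKCS#8 private, or SubjectPublicKeyInfo public)
#   1 -> OpenSSH container from ssh-keygen; jwt-cpp throws
#        "failed to load key: bio read failed" on this
#   2 -> anything else (not PEM, or a key type this check does not cover)
classify_pem() {
    header=$(head -n 1 "$1")
    case "$header" in
        "-----BEGIN PRIVATE KEY-----"|\
        "-----BEGIN ENCRYPTED PRIVATE KEY-----"|\
        "-----BEGIN PUBLIC KEY-----") return 0 ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") return 1 ;;
        *) return 2 ;;
    esac
}

# Demo run, only on request and only when openssl is installed.
if [ "${1:-}" = "--demo" ] && command -v openssl >/dev/null 2>&1; then
    dir=$(mktemp -d)
    gen_ed25519_pem "$dir/ed25519.pem" "$dir/ed25519.pub.pem"
    for f in "$dir/ed25519.pem" "$dir/ed25519.pub.pem"; do
        rc=0; classify_pem "$f" || rc=$?
        echo "$f -> $rc"   # expect 0 for both files
    done
fi
```

Run `sh check_key.sh --demo` to generate a pair and classify it; feed any existing key file to `classify_pem` and treat a return code of 1 as "regenerate with openssl genpkey".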