Closed ts5746 closed 1 month ago
As of version 9 of the jsonwebtoken package, keys with algorithms that don’t conform to the JWS standard will fail when signing and verifying. The ES256 algorithm using P-256/SHA-256 digital signatures strictly requires the prime256v1 curve, as per RFC 7518.
However, Whiteflag is using JSON Web Tokens just as a structure. For Whiteflag authentication method 1 to work, it is essential that the key pair and curve of the blockchain are used for the signature to prove possession of the associated secret key. For example, Bitcoin and Ethereum are using the secp256k1 curve.
To preserve the intended behaviour, the allowInvalidAsymmetricKeyTypes should be set to true.
Solved by adding { allowInvalidAsymmetricKeyTypes: true } to JWT signing and verifying functions in:
lib/protocol/authenticate.js
lib/blockchains/common.js
test/protocol/authentication.js
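An added example (not whiteflag-api or jsonwebtoken code), using only Node's built-in crypto: it mirrors the curve check that jsonwebtoken 9 applies to ES256 and shows the check a caller can keep once allowInvalidAsymmetricKeyTypes is set, namely pinning the verification key to the blockchain's own curve. The helper names signToken, verifyToken and demo are hypothetical, and the key pair and payload are constructed samples.

```javascript
// Added example: Node.js built-in crypto only; helper names are hypothetical.
const crypto = require('crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');

// Curve that each ECDSA JWS "alg" requires under RFC 7518.
const RFC7518_CURVES = { ES256: 'prime256v1', ES384: 'secp384r1', ES512: 'secp521r1' };

// Build a compact JWS-shaped token: ECDSA over SHA-256, raw r||s signature.
function signToken(payload, privateKey) {
  const header = b64u(JSON.stringify({ alg: 'ES256', typ: 'JWT' }));
  const input = `${header}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Verify a token while pinning the key's curve. Without expectedCurve the
// RFC 7518 curve applies; a caller that relaxes the standard check passes
// the blockchain's curve instead of dropping the check altogether.
function verifyToken(token, publicKey, expectedCurve) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  if (header.alg !== 'ES256') throw new Error(`unexpected alg ${header.alg}`);
  const required = expectedCurve || RFC7518_CURVES[header.alg];
  const details = publicKey.asymmetricKeyDetails || {};
  if (publicKey.asymmetricKeyType !== 'ec' || details.namedCurve !== required) {
    throw new Error(`"alg" parameter "${header.alg}" requires curve "${required}"`);
  }
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('invalid signature');
  return JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
}

// Constructed sample: fresh secp256k1 key pair and a made-up payload.
function demo() {
  const { privateKey, publicKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const token = signToken({ addr: 'constructed-sample-address' }, privateKey);
  let strictError = null;
  try { verifyToken(token, publicKey); } catch (e) { strictError = e.message; }
  const payload = verifyToken(token, publicKey, 'secp256k1');
  return { strictError, payload, token, publicKey };
}
```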
Description
After updating the jsonwebtoken package to version 9+, verifying previously valid Whiteflag authentication method 1 signatures results in an error: "alg" parameter "ES256" requires curve "prime256v1".
Environment / Versions
Software
OS: Ubuntu 22.04 LTS
Node.js: v20.14.0
whiteflag-api: 1.0.1-beta.3-dev
Blockchain
Any blockchain using the secp256k1 curve is affected (e.g. Bitcoin and Ethereum). Other blockchains possibly too.
Symptoms and Problem details
Steps to reproduce
Running npm test gives the same error as passing a signature to verify to the API REST interface (i.e. POST-ing a signature to the /signature/verify endpoint).
Expected result
The test should pass and the signature verification should give a positive result.
Actual result
The test run gives the following error:
Using the REST interface, a 500 Internal Server Error is returned, with the following information about the request in the log: