arun11299 / cpp-jwt

JSON Web Token library for C++
MIT License

rs256 secret destructs after call #51

Closed armaansood closed 5 years ago

armaansood commented 5 years ago

auto dec_obj = jwt::decode(enc_str, algorithms({ "rs256" }), secret(key));

where key is: auto key = R"(-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoRRQG+ib30x09eWtDpL0 wWahA+hgjc0lWoQU4lwBFjXV2PfPImiAvwxOxNG34Mgnw3K9huBYLsrvOQAbMdBm E8lwz8DFKMWqHqoH3xSqDGhIYFobQDiVRkkecpberH5hqJauSD7PiwDBSQ/RCDIj b0SOmSTpZR97Ws4k1z9158VRf4BUbGjzVt4tUAz/y2cI5JsXQfcgAPB3voP8eunx GwZ/iM8evw3hUOw7+nuiPyts7HSkvV6GMwrXfOymY/w07mYxw/2LnKInfsWBtcRI DG+Nrsj237LgtBhK7TkzuVrguq//+bkDwwF3qTRXGAX9KrwY4huRxDRslMIg30Hq gwIDAQAB -----END PUBLIC KEY----- )";

After, I call dec_obj.signature() or retrieve the secret and the object itself has the secret as set to empty.

arun11299 commented 5 years ago

@armaansood Thanks for reporting the issue. I have not understood the issue exactly. Would you be able to provide a small example reproducing the issue?

russov commented 5 years ago

Looks like I faced the same issue. I generated a jwt via jwt.io using rs256: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.POstGetfAytaZS82wHcjoTyoqhMyxXiWdR7Nn7A29DNSl0EiXLdwJ6xC6AfgZWF1bOsS_TuYI3OG85AmiExREkrS6tDfTQ2B3WXlrr-wp5AokiRbz3_oB4OxG-W9KcEEbDRcZc0nH3L7LzYptiy1PtAylQGxHTWZXtGz4ht0bAecBgmpdgXMguEIcoqPJ1n3pIWk_dUZegpqx0Lka21H6XxUTxiy8OcaarA8zdnPUnV6AmNP3ecFawIFYdvJB_cm-GvpCSbr8G8y_Mllj8f4x9nBH8pQux89_6gUY618iYv7tuPWBFfEbLxtF2pZS6YC1aSfLQxeNe8djT9YjpvRZA"

public key: "-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSv vkTtwlvBsaJq7S5wA+kzeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHc aT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIy tvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0 e+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWb V6L11BWkpzGXSW4Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9 MwIDAQAB -----END PUBLIC KEY-----"

When I tried to parse the token I got an exception: "InvalidSignatureError". jwt::jwt_object obj = jwt::decode(token, jwt::params::algorithms({"rs256"}), jwt::params::verify(true), jwt::params::secret(key)); token = jwt, key = public key

Could you help me?

arun11299 commented 5 years ago

@russov I think you guys are not providing the key in the correct format, i.e. without proper newlines between lines. This worked for me:

std::string key = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSv\nvkTtwlvBsaJq7S5wA+kzeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHc\naT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIy\ntvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0\ne+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWb\nV6L11BWkpzGXSW4Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9\nMwIDAQAB\n-----END PUBLIC KEY-----";

auto dec_obj2 = jwt::decode(token, algorithms({"rs256"}), secret(key));
std::cout << dec_obj2.payload() << std::endl;

Can you confirm the same?
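
An added example, not part of the thread and not cpp-jwt code: a standard-library-only helper that rebuilds the newline layout the reply above describes from a PEM key whose line breaks were collapsed to spaces. The name `normalize_pem` and the sample input are hypothetical; the returned string is what would then be passed to `secret(...)`.

```cpp
#include <cctype>
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical helper: rebuild a PEM block whose line breaks were lost or
// turned into spaces. Output is the BEGIN line, the base64 body wrapped at
// 64 characters, and the END line, each terminated by '\n'.
std::string normalize_pem(const std::string& in) {
    const std::string begin_tag = "-----BEGIN ", end_tag = "-----END ", dashes = "-----";

    auto b = in.find(begin_tag);
    if (b == std::string::npos) throw std::invalid_argument("no BEGIN line");
    auto label_start = b + begin_tag.size();
    auto label_end = in.find(dashes, label_start);
    if (label_end == std::string::npos) throw std::invalid_argument("unterminated BEGIN line");
    std::string label = in.substr(label_start, label_end - label_start);

    // The END line must carry the same label as the BEGIN line.
    std::string footer = end_tag + label + dashes;
    auto e = in.find(footer, label_end + dashes.size());
    if (e == std::string::npos) throw std::invalid_argument("missing or mismatched END line");

    // Drop all whitespace from the body; reject anything outside base64.
    std::string b64;
    for (std::size_t i = label_end + dashes.size(); i < e; ++i) {
        unsigned char c = static_cast<unsigned char>(in[i]);
        if (std::isspace(c)) continue;
        if (!std::isalnum(c) && c != '+' && c != '/' && c != '=')
            throw std::invalid_argument("non-base64 character in PEM body");
        b64.push_back(static_cast<char>(c));
    }
    if (b64.empty() || b64.size() % 4 != 0) throw std::invalid_argument("bad base64 length");

    // Re-emit with one element per line.
    std::string out = begin_tag + label + dashes + "\n";
    for (std::size_t i = 0; i < b64.size(); i += 64)
        out += b64.substr(i, 64) + "\n";
    out += footer + "\n";
    return out;
}

int main() {
    // Constructed sample (not a real key): line breaks collapsed to spaces.
    std::string flat = "-----BEGIN PUBLIC KEY----- " + std::string(64, 'A') +
                       " QUJD -----END PUBLIC KEY-----";
    std::cout << normalize_pem(flat);
}
```
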

arun11299 commented 5 years ago

Please reopen if the issue is seen again.