Closed omsmith closed 9 years ago
billinghamj
commented
9 years ago This seems to have broken my signatures. I now get UnauthorizedError: "ES512" signatures must be "132" bytes, saw "139" where before the JWT worked fine. Not sure what to do about it...
billinghamj
commented
9 years ago I can probably use an older version of an upstream project to avoid this. I'm really uncertain exactly what the issue is here. There might be something wrong with how my app's signatures have been generated.
They've been generated by a Ruby gem - https://rubygems.org/gems/json-jwt
I wonder if perhaps that has been creating JWTs which are strictly speaking incorrect but do work?
billinghamj
commented
9 years ago Upstream doesn't specify an exact version so not able to avoid the new version unfortunately.
I've tested locally that running the jws package with jwa 1.0.0 does not exhibit the issue, but with jwa 1.0.1 it definitely does.
If it helps at all, the signature part of my JWT is:
MIGIAkIBqmYSTEVwuPHEOVyTFcieAcOf2hEEF9HQwGcLZUCZk9AzcWNW1dPgpObYzMu4o96mu5Gm1CugPecZFA53l0PiAbQCQgHzAuSCtEf6tWNRIm9CuHtvrY9RiPDaigyMpFcGkH3PSai9tG97g68qV9rFnNBS7nIE9pmzmZ7gvWQwT2fwqMq-kQThis is 139 bytes long when decoded from base64.
It's generated with a ES512 asymmetric key.
omsmith
commented
9 years ago Hi James,
I'll have a look at the rubygem, but I suspect it is also calling direct to openssl and thus its signatures are also incorrect for interoperability.
For the moment, you could choose to use npm shrinkwrap
On 2 Jul 2015 11:40 am, "James Billingham" notifications@github.com wrote:
Upstream doesn't specify an exact version so not able to avoid the new version unfortunately.
I've tested locally that running the jws package with jwa 1.0.0 does not exhibit the issue, but with jwa 1.0.1 it definitely does.
If it helps at all, the signature part of my JWT is:
MIGIAkIBqmYSTEVwuPHEOVyTFcieAcOf2hEEF9HQwGcLZUCZk9AzcWNW1dPgpObYzMu4o96mu5Gm1CugPecZFA53l0PiAbQCQgHzAuSCtEf6tWNRIm9CuHtvrY9RiPDaigyMpFcGkH3PSai9tG97g68qV9rFnNBS7nIE9pmzmZ7gvWQwT2fwqMq-kQ
This is 139 bytes long when decoded from base64.
It's generated with a ES512 asymmetric key.
— Reply to this email directly or view it on GitHub https://github.com/brianloveswords/node-jwa/pull/5#issuecomment-118072923 .
omsmith
commented
9 years ago Hi James
See https://github.com/nov/json-jwt/issues/21 and https://github.com/nov/json-jwt/commit/276815f1d58ba0013fc776e31ca56c6b0c4965c5 and https://github.com/nov/json-jwt/commit/9366c24d67b110c12d15d2a6ad1bcc4dd6002bb6
Update your gem to 1.0.1 and you should be good to go. On 2 Jul 2015 11:43 am, "Owen Smith" owen@omsmith.ca wrote:
Hi James,
I'll have a look at the rubygem, but I suspect it is also calling direct to openssl and thus its signatures are also incorrect for interoperability.
For the moment, you could choose to use
npm shrinkwrapOn 2 Jul 2015 11:40 am, "James Billingham" notifications@github.com wrote:Upstream doesn't specify an exact version so not able to avoid the new version unfortunately.
I've tested locally that running the jws package with jwa 1.0.0 does not exhibit the issue, but with jwa 1.0.1 it definitely does.
If it helps at all, the signature part of my JWT is:
MIGIAkIBqmYSTEVwuPHEOVyTFcieAcOf2hEEF9HQwGcLZUCZk9AzcWNW1dPgpObYzMu4o96mu5Gm1CugPecZFA53l0PiAbQCQgHzAuSCtEf6tWNRIm9CuHtvrY9RiPDaigyMpFcGkH3PSai9tG97g68qV9rFnNBS7nIE9pmzmZ7gvWQwT2fwqMq-kQ
This is 139 bytes long when decoded from base64.
It's generated with a ES512 asymmetric key.
— Reply to this email directly or view it on GitHub https://github.com/brianloveswords/node-jwa/pull/5#issuecomment-118072923 .
billinghamj
commented
9 years ago @omsmith Awesome, thank you so much. Sorry for wasting your time, I should have checked that earlier.
omsmith
commented
9 years ago No worries, glad I could help, just unlucky you've been using two libs which were equally off-spec :)
brianloveswords
commented
9 years ago Thanks @omsmith!
OpenSSL (and thus node) encode the r/s parameters of an ECDSA signature as an ASN.1 ESCDSA-Sig-Value object JOSE/JWA/RFC7518 require the parameters simply be concatenated