haproxytech / haproxy-lua-oauth

JWT Validation implementation for HAProxy Lua host
Apache License 2.0

NOT ABLE TO VALIDATE THE JWT SIGNATURE #8

Closed tareksahalia closed 4 years ago

tareksahalia commented 4 years ago

Hello, first I would like to thank you for this great open-source project; it helped me a lot. I am creating a new authentication module for Prosody; all lua-jwt functions are working as expected, but when I try to validate the token signature I am getting errors. I am pasting everything below. What am I missing here?? PLEASE HELP !!

JWT token:

    eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlJrUXhPVEk0UmpJMU1FRXhSREpDTVRoQ1F6WXlPRVk1UlVNNU1UZ3pNamt6UkRZeU16aEZRUSJ9.eyJpc3MiOiJodHRwczovL2x5YW1yYS5hdXRoMC5jb20vIiwic3ViIjoieTZzdEQxUHFqTE9aTDhxMVh1VmFxNkNPZTJ1QUpDblBAY2xpZW50cyIsImF1ZCI6Im15and0LWFwaSIsImlhdCI6MTYwMTIzMjU5NCwiZXhwIjoxNjAxMzE4OTk0LCJhenAiOiJ5NnN0RDFQcWpMT1pMOHExWHVWYXE2Q09lMnVBSkNuUCIsImd0eSI6ImNsaWVudC1jcmVkZW50aWFscyJ9.oKFlhC1uIzKucxFNSJIIIMGAIXFvLsaOgFoqxrIGT4S_j_Wym0lBgUIVFFxpXDsXPg1o6y1g4dQP0xwlVqezXp5GXt6eZa3HHUlzQiMHBBVTFEyqmUSETXRBfBlyzAh-C5H4XwfQ5ySFJ46m8LiIPtU5lezlIIsBvAjk-IYjs0q3wLQpyEk0QtfkOKekdWV_r6U5vI06OTXJZh077ud9YXwZ2sL1890u16fH8Gz_rBO9PjKhtf2C0IUs0_sIw1ja6dzttI4fELlGwNdvYEO1R5NZd8juyttJb0BfQ3BD3f0Y0MI0gIorkHZkDCEH-1g7F77DIR-hgSBUv7HlzCDexQ

mycert.pem: [certificate PEM omitted]

After `openssl x509 -pubkey -noout -in ./mycert.pem > pubkey.pem`, pubkey.pem contains:

    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7cUIgSloPuoTgzqaHBVH
    6hSYvKEkijVHir3c7c6IWsLNRrDWa71dtwTnnGK7/A2Vt+TdcqxAuYrHxr4nN1C3
    nP1XDPimP+L6fwLQArCDu7c9eAAt90ZLnfUiSlSU4YzSPdvU6SAgSzy1LUtX6mS4
    BMcQqEKEKeD1tUNdG55K75KcTJi/Fh0MParu6lAOoYWiobSWHWaIfYvATJSwaGgi
    KKMBAx76clEbaHJRnRV2CFgS6H4cVqZLG24cuCp9KujzisOEF941f4NshCbGZ7WW
    krS9S4+7DAaq8rV3C1VFkXmZdxv/UFBY0Pzph/+aJvZuODZDC+ru7iTG3AdmQmOT
    JwIDAQAB
    -----END PUBLIC KEY-----

DECLARATION IN MY LUA CODE [PLEASE NOTE THAT I AM USING cjson; the json library is throwing many errors]

    local config = {
      publicKey = [[-----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7cUIgSloPuoTgzqaHBVH
    6hSYvKEkijVHir3c7c6IWsLNRrDWa71dtwTnnGK7/A2Vt+TdcqxAuYrHxr4nN1C3
    nP1XDPimP+L6fwLQArCDu7c9eAAt90ZLnfUiSlSU4YzSPdvU6SAgSzy1LUtX6mS4
    BMcQqEKEKeD1tUNdG55K75KcTJi/Fh0MParu6lAOoYWiobSWHWaIfYvATJSwaGgi
    KKMBAx76clEbaHJRnRV2CFgS6H4cVqZLG24cuCp9KujzisOEF941f4NshCbGZ7WW
    krS9S4+7DAaq8rV3C1VFkXmZdxv/UFBY0Pzph/+aJvZuODZDC+ru7iTG3AdmQmOT
    JwIDAQAB
    -----END PUBLIC KEY-----]],
      issuer = 'https://lyamra.auth0.com/',
      audience = 'myjwt-api'
    }

    local json = require 'cjson'
    local base64 = require 'modules.mod_auth_auth0.base64'
    local openssl = {
      pkey = require 'openssl.pkey',
      digest = require 'openssl.digest',
      x509 = require 'openssl.x509'
    }

    -- RS256 check: SHA-256 over "<header>.<payload>" (the base64url segments exactly as
    -- received), verified against the decoded signature bytes with the public key.
    local function signatureIsValid(token, publicKey)
      local digest = openssl.digest.new('SHA256')
      digest:update(token.header .. '.' .. token.payload)
      local vkey = openssl.pkey.new(publicKey)   -- parses the PEM string into a key object
      local isVerified = vkey:verify(token.signaturedecoded, digest)
      return isVerified
    end

ERROR:

    Sep 27 14:29:09 c2s562ec904ed80 error Traceback[c2s]: pkey.new: tasn_dec.c:1130:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
    stack traceback:
      [C]: in function 'new'
      /usr/lib/prosody/modules/mod_auth_auth0/jwtutils.lua:137: in function 'signatureIsValid'
      /usr/lib/prosody/modules/mod_auth_auth0/jwtutils.lua:183: in function </usr/lib/prosody/modules/mod_auth_auth0/jwtutils.lua:163>
      (...tail calls...)
      /usr/lib/prosody/modules/mod_auth_auth0/mod_auth_auth0.lua:45: in function 'plain_test'
      /usr/lib/prosody/util/sasl/plain.lua:75: in function </usr/lib/prosody/util/sasl/plain.lua:39>
      (...tail calls...)
      /usr/lib/prosody/modules/mod_saslauth.lua:77: in function </usr/lib/prosody/modules/mod_saslauth.lua:66>
      (...tail calls...)
      /usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75>
      (...tail calls...)
      /usr/lib/prosody/core/stanza_router.lua:142: in function 'core_process_stanza'
      /usr/lib/prosody/modules/mod_c2s.lua:275: in function 'func'
      /usr/lib/prosody/util/async.lua:127: in function </usr/lib/prosody/util/async.lua:125>
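An added Python example (not from this issue or from haproxy-lua-oauth) that performs the same RS256 check as the signatureIsValid above using only the standard library, over the token and public key pasted in this issue: it parses the SubjectPublicKeyInfo PEM itself after stripping the armor and all whitespace, so the key loads whether its line breaks are intact or collapsed to spaces as they appear in the pasted config, and it pins alg and checks iss, aud and the iat/exp window, which the posted snippet leaves to other code. Assumed: the token and key are transcribed exactly as posted, and the current time is passed in as a parameter so the check is reproducible.

```python
import base64, hashlib, hmac, json, re

# Token and public key copied from this issue (test input for this example, not generated here); the PEM keeps the spaces-instead-of-newlines form seen in the pasted config.
TOKEN = ("eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlJrUXhPVEk0UmpJMU1FRXhSREpDTVRoQ1F6WXlPRVk1UlVNNU1UZ3pNamt6UkRZeU16aEZRUSJ9."
         "eyJpc3MiOiJodHRwczovL2x5YW1yYS5hdXRoMC5jb20vIiwic3ViIjoieTZzdEQxUHFqTE9aTDhxMVh1VmFxNkNPZTJ1QUpDblBAY2xpZW50cyIsImF1ZCI6Im15and0LWFwaSIsImlhdCI6MTYwMTIzMjU5NCwiZXhwIjoxNjAxMzE4OTk0LCJhenAiOiJ5NnN0RDFQcWpMT1pMOHExWHVWYXE2Q09lMnVBSkNuUCIsImd0eSI6ImNsaWVudC1jcmVkZW50aWFscyJ9."
         "oKFlhC1uIzKucxFNSJIIIMGAIXFvLsaOgFoqxrIGT4S_j_Wym0lBgUIVFFxpXDsXPg1o6y1g4dQP0xwlVqezXp5GXt6eZa3HHUlzQiMHBBVTFEyqmUSETXRBfBlyzAh-C5H4XwfQ5ySFJ46m8LiIPtU5lezlIIsBvAjk-IYjs0q3wLQpyEk0QtfkOKekdWV_r6U5vI06OTXJZh077ud9YXwZ2sL1890u16fH8Gz_rBO9PjKhtf2C0IUs0_sIw1ja6dzttI4fELlGwNdvYEO1R5NZd8juyttJb0BfQ3BD3f0Y0MI0gIorkHZkDCEH-1g7F77DIR-hgSBUv7HlzCDexQ")
PUBKEY_PEM = ("-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7cUIgSloPuoTgzqaHBVH 6hSYvKEkijVHir3c7c6IWsLNRrDWa71dtwTnnGK7/A2Vt+TdcqxAuYrHxr4nN1C3 "
              "nP1XDPimP+L6fwLQArCDu7c9eAAt90ZLnfUiSlSU4YzSPdvU6SAgSzy1LUtX6mS4 BMcQqEKEKeD1tUNdG55K75KcTJi/Fh0MParu6lAOoYWiobSWHWaIfYvATJSwaGgi KKMBAx76clEbaHJRnRV2CFgS6H4cVqZLG24cuCp9KujzisOEF941f4NshCbGZ7WW "
              "krS9S4+7DAaq8rV3C1VFkXmZdxv/UFBY0Pzph/+aJvZuODZDC+ru7iTG3AdmQmOT JwIDAQAB -----END PUBLIC KEY-----")
ISSUER, AUDIENCE = "https://lyamra.auth0.com/", "myjwt-api"
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix for SHA-256

def _der(buf, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def load_rsa_public_key(pem):
    """SubjectPublicKeyInfo PEM -> (n, e). Armor and ALL whitespace are stripped first,
    so a key whose newlines were turned into spaces still loads."""
    der = base64.b64decode(re.sub(r"-----[^-]*-----|\s+", "", pem))
    _, spki, _ = _der(der, 0)
    _, _, pos = _der(spki, 0)          # AlgorithmIdentifier (rsaEncryption), skipped
    _, bits, _ = _der(spki, pos)       # BIT STRING; bits[0] is the unused-bits byte
    _, rsa, _ = _der(bits, 1)          # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n, pos = _der(rsa, 0)
    _, e, _ = _der(rsa, pos)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def verify_rs256(signing_input, signature, n, e):
    """RSASSA-PKCS1-v1_5 with SHA-256: s^e mod n must equal 00 01 FF..FF 00 || DigestInfo."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    m = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return hmac.compare_digest(m, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t)

def b64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # JWT omits '=' padding

def verify_jwt(token, pem, issuer, audience, now):
    """Return the claims only if alg, signature, iss, aud and the iat/exp window all pass."""
    h, p, s = token.split(".")
    if json.loads(b64url(h)).get("alg") != "RS256":  # pin the alg; never let the token choose it
        return None
    if not verify_rs256(f"{h}.{p}".encode(), b64url(s), *load_rsa_public_key(pem)):
        return None
    claims = json.loads(b64url(p))
    aud = claims["aud"] if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if claims.get("iss") != issuer or audience not in aud:
        return None
    return claims if claims.get("iat", 0) <= now < claims.get("exp", 0) else None
```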

tareksahalia commented 4 years ago

I updated the post with the correct JWT.

NickMRamirez commented 4 years ago

Hi @tareksahalia thank you for reporting this issue. I have used your token and public certificate in my own test lab (using https://github.com/haproxytechblog/haproxy-jwt-vagrant) and it works for me.

Let's see if we can figure out what's happening.

A few things caught my attention:

  1. You are adding your certificate and other values directly to the Lua code in the config table. This is not how the library should be used. Instead, the certificate should be saved to a file and, along with the other values, referenced in the haproxy.cfg in its global section:

         lua-load /usr/local/share/lua/5.3/jwtverify.lua

         setenv OAUTH_ISSUER https://lyamra.auth0.com/
         setenv OAUTH_AUDIENCE myjwt-api
         setenv OAUTH_PUBKEY_PATH /etc/haproxy/pem/pubkey.pem

  2. You are using different libraries (cjson instead of json). I'd prefer to learn what errors you got when using the json library, so we can resolve any problems with that. It will also ensure we are working with identical environments.

(Note, I am using Postman to send a request with the JWT token.)

tareksahalia commented 4 years ago

Thank you so much for your reply. My use case is a bit different: I am using this module for a Prosody server, and this is the first time I am doing that, so I still do not know how I can inject these variables into the prosody.cfg.lua config file. One more thing about my use case: I am getting the token as part of the body, and not in the request, because I am using the conversejs JavaScript plugin. In short, I am trying to build an OAuth plugin for Prosody to use Auth0, and this is my first time using Lua :( :)

So:

  1. I am trying to figure out how to get the pkey from a file using Prosody.
  2. For json, here are the errors I got:

    'localhost': /usr/share/lua/5.2/json.lua:22: Attempt to set a global: json = table: 0x555902510f00
    stack traceback:
      [C]: in function 'error'
      /usr/lib/prosody/util/startup.lua:400: in function '__newindex'
      /usr/share/lua/5.2/json.lua:22: in main chunk
      [C]: in function '_real_require'
      /usr/lib/prosody/util/startup.lua:199: in function 'require'
      /usr/lib/prosody/modules/mod_auth_auth0/jwtutils.lua:40: in main chunk
      [C]: in function '_real_require'
      /usr/lib/prosody/util/startup.lua:199: in function 'require'
      /usr/lib/prosody/modules/mod_auth_auth0/mod_auth_auth0.lua:15: in main chunk
      [C]: in function 'xpcall'
      /usr/lib/prosody/core/modulemanager.lua:183: in function 'do_load_module'
      /usr/lib/prosody/core/modulemanager.lua:261: in function 'load'
      /usr/lib/prosody/core/usermanager.lua:67: in function '?'
      /usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75>
      (...tail calls...)
      /usr/lib/prosody/core/hostmanager.lua:108: in function 'activate'
      /usr/lib/prosody/core/hostmanager.lua:58: in function '?'
      /usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75>
      (...tail calls...)
      /usr/lib/prosody/util/startup.lua:391: in function 'prepare_to_start'
      /usr/lib/prosody/util/startup.lua:612: in function 'f'
      /usr/lib/prosody/util/async.lua:139: in function 'func'
      /usr/lib/prosody/util/async.lua:127: in function </usr/lib/prosody/util/async.lua:125>

Thank you for your help again.

NickMRamirez commented 4 years ago

You are not using HAProxy? Sorry, but this library has been designed for HAProxy and I'm not sure how you would reuse this code elsewhere. Ordinarily, I would say that if you put HAProxy in front of your server, then it can handle authorization at the proxy layer, but I have not done any work with XMPP, so I don't know how it should work with JWT.

tareksahalia commented 4 years ago

@NickMRamirez Thanks for your reply. I will try to solve this issue, and if I do, I will post the solution.

Thanks again

NickMRamirez commented 4 years ago

I am going to close this issue because it describes a problem that occurs when the library is used for something other than its intended purpose.