JWT with RS256 not working

slykar commented 3 years ago

Hi. I did a fresh Jitsi install few days ago. JWT works with HS256, but fails when using RS256. I've also tested a docker based installation and it works there.

I've noticed that luajwtjitsi has been updated 6 days ago to 2.0-0 and it got installed on my server. The docker one uses luajwtjitsi 1.3-7.

I'm using the exact same server to serve the public key based on kid.

# From my recent server installation
luarocks list

Installed rocks:
----------------
basexx
   0.4.1-1 (installed) - /usr/local/lib/luarocks/rocks
cyrussasl
   1.1.0-1 (installed) - /usr/local/lib/luarocks/rocks
lbase64
   20120807-3 (installed) - /usr/local/lib/luarocks/rocks
lua-cjson
   2.1.0-1 (installed) - /usr/local/lib/luarocks/rocks
luajwtjitsi
   2.0-0 (installed) - /usr/local/lib/luarocks/rocks
luaossl
   20200709-0 (installed) - /usr/local/lib/luarocks/rocks

Prosody Log:

Dec 09 10:33:31 mod_bosh    error   Traceback[bosh]: pkey.new: a_d2i_fp.c:198:error:0D06B08E:asn1 encoding routines:asn1_d2i_read_bio:not enough data
stack traceback:
    [C]: in function 'new'
    /usr/local/share/lua/5.2/luajwtjitsi.lua:18: in function </usr/local/share/lua/5.2/luajwtjitsi.lua:17>
    (...tail calls...)
    /usr/local/share/lua/5.2/luajwtjitsi.lua:233: in function 'decode'
    /usr/share/jitsi-meet/prosody-plugins/token/util.lib.lua:188: in function 'verify_token'
    /usr/share/jitsi-meet/prosody-plugins/token/util.lib.lua:278: in function 'process_and_verify_token'
    /usr/share/jitsi-meet/prosody-plugins/mod_auth_token.lua:90: in function 'anonymous'
    /usr/share/jitsi-meet/prosody-plugins/mod_auth_token.lua:135: in function </usr/share/jitsi-meet/prosody-plugins/mod_auth_token.lua:130>
    (...tail calls...)
    /usr/lib/prosody/modules/mod_saslauth.lua:77: in function </usr/lib/prosody/modules/mod_saslauth.lua:66>
    (...tail calls...)
    /usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75>
    (...tail calls...)
    /usr/lib/prosody/core/stanza_router.lua:142: in function 'dispatch_stanza'
    /usr/lib/prosody/modules/mod_bosh.lua:305: in function 'func'
    /usr/lib/prosody/util/async.lua:127: in function </usr/lib/prosody/util/async.lua:125>
stack traceback:
    /usr/lib/prosody/util/async.lua:211: in function 'run'
    /usr/lib/prosody/modules/mod_bosh.lua:447: in function 'cb_handlestanza'
    /usr/lib/prosody/util/xmppstream.lua:182: in function </usr/lib/prosody/util/xmppstream.lua:162>
    [C]: in function 'parse'
    /usr/lib/prosody/util/xmppstream.lua:282: in function 'feed'
    /usr/lib/prosody/modules/mod_bosh.lua:133: in function '?'
    /usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75>
    (...tail calls...)
    /usr/lib/prosody/net/http/server.lua:228: in function </usr/lib/prosody/net/http/server.lua:176>
    [C]: in function 'xpcall'
    /usr/lib/prosody/net/http/server.lua:108: in function 'process_next'
    /usr/lib/prosody/net/http/server.lua:124: in function 'success_cb'
    /usr/lib/prosody/net/http/parser.lua:177: in function 'feed'
    /usr/lib/prosody/net/http/server.lua:155: in function </usr/lib/prosody/net/http/server.lua:154>
    (...tail calls...)
    /usr/lib/prosody/net/server_select.lua:915: in function </usr/lib/prosody/net/server_select.lua:899>
    [C]: in function 'xpcall'
    /usr/bin/prosody:80: in function 'loop'
    /usr/bin/prosody:90: in main chunk
    [C]: in ?

slykar commented 3 years ago

Looks like a configuration issue on my side.

saghul commented 3 years ago

Good to know, thanks for checking!

jldinh commented 3 years ago

In case anybody has the same issue, this error is caused by the ASAP key server URL not being set properly (check your config files and environment variables). Because no ASAP key server is set, the module falls back to reading the JWT app secret, which is not defined because we are attempting to use RS256, leading to this error (essentially an error indicating an invalid private key format).

If you are using Docker images, make sure variable JWT_ASAP_KEYSERVER is set on the prosody container.

slykar commented 3 years ago

In my case, if I remember correctly it was an invalid response returned from asap_key_server.

mulspace commented 1 year ago

In my case with docker-compose deploy in stable-8719. RS256 failed in the prosody container with the below log.

2023-09-15 01:43:51 c2s55c8c838fa20                                                error    Traceback[c2s]: pkey.new: tasn_dec.c:1149:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
    stack traceback:
    [C]: in function '_openssl.pkey.new'
    /prosody-plugins/luajwtjitsi.lib.lua:32: in function </prosody-plugins/luajwtjitsi.lib.lua:28>
    (...tail calls...)

The related code is

-- Generates an RSA signature of the data.
-- @param data The data to be signed.
-- @param key The private signing key in PEM format.
-- @param algo The digest algorithm to user when generating the signature: sha256, sha384, or sha512.
-- @return The signature or nil and an error message.
local function signRS (data, key, algo)
    local privkey = pkey.new(key)
    if privkey == nil then
        return nil, 'Not a private PEM key'
    else
        local datadigest = digest.new(algo):update(data)
        return privkey:sign(datadigest)
    end
end

To debug the issue, I writed a test lua codes "test.lua"

local pkey   = require 'openssl.pkey'
key=[[-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAyBRySGBbblhLnNTJUapMBHwVl2RDlOh3TAvGGJlpTE2VpcpbyaZx
jChLBMWeJsiujNpseaMNNfa6qAkckMm3+K0pIqm7JxfgEydhmBIhOLMs0jDIaqU2
gmuh8XzdGpDY+YCRCnuVr9iw7g2xb9aH2t4aMwsfYyvb/YwJ4X7YIRXNI1/U+ZHP
5G7LI4KjPEv0sAAorBhknCmE3e+UuiWOPNQHTSOxiYEApIYZ6hGomwrXSTB/kMtO
EKSpmoX2Tmqeq4TuA5HfNIWUQYS1cIVrxIr1KJNPv5RX0SLIxYLOGm2mQKeHu/X+
5IRuw0BmqUgIMen1ty5lmnazBKJLsnnUmQIDAQAB
-----END RSA PUBLIC KEY-----]]

local pubkey = pkey.new(key)
if pubkey == nil then
    print(": failed")
else
    print(": successed")
end

It works well in my host server (lua5.1) and still failed in prosody container (lua5.4.2) with the same log as below.

root@67748425b833:/prosody-plugins# lua test.lua

lua: pkey.new: tasn_dec.c:1149:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
stack traceback:
    [C]: in function 'openssl.pkey.new'
    test.lua:22: in main chunk
    [C]: in ?

Could you help to identy this issue?

saghul commented 1 year ago

Note we are bundling this plugin with in Jitsi Meet, not using the file over here. Check the resources/prosody-plugins folder in the Jitsi Meet repo.

giuseppCl commented 2 months ago

In my case with docker-compose deploy in stable-8719. RS256 failed in the prosody container with the below log.

2023-09-15 01:43:51 c2s55c8c838fa20                                                error  Traceback[c2s]: pkey.new: tasn_dec.c:1149:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
  stack traceback:
  [C]: in function '_openssl.pkey.new'
  /prosody-plugins/luajwtjitsi.lib.lua:32: in function </prosody-plugins/luajwtjitsi.lib.lua:28>
  (...tail calls...)

The related code is

-- Generates an RSA signature of the data.
-- @param data The data to be signed.
-- @param key The private signing key in PEM format.
-- @param algo The digest algorithm to user when generating the signature: sha256, sha384, or sha512.
-- @return The signature or nil and an error message.
local function signRS (data, key, algo)
  local privkey = pkey.new(key)
  if privkey == nil then
      return nil, 'Not a private PEM key'
  else
      local datadigest = digest.new(algo):update(data)
      return privkey:sign(datadigest)
  end
end

To debug the issue, I writed a test lua codes "test.lua"

local pkey   = require 'openssl.pkey'
key=[[-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAyBRySGBbblhLnNTJUapMBHwVl2RDlOh3TAvGGJlpTE2VpcpbyaZx
jChLBMWeJsiujNpseaMNNfa6qAkckMm3+K0pIqm7JxfgEydhmBIhOLMs0jDIaqU2
gmuh8XzdGpDY+YCRCnuVr9iw7g2xb9aH2t4aMwsfYyvb/YwJ4X7YIRXNI1/U+ZHP
5G7LI4KjPEv0sAAorBhknCmE3e+UuiWOPNQHTSOxiYEApIYZ6hGomwrXSTB/kMtO
EKSpmoX2Tmqeq4TuA5HfNIWUQYS1cIVrxIr1KJNPv5RX0SLIxYLOGm2mQKeHu/X+
5IRuw0BmqUgIMen1ty5lmnazBKJLsnnUmQIDAQAB
-----END RSA PUBLIC KEY-----]]

local pubkey = pkey.new(key)
if pubkey == nil then
  print(": failed")
else
  print(": successed")
end

It works well in my host server (lua5.1) and still failed in prosody container (lua5.4.2) with the same log as below.

root@67748425b833:/prosody-plugins# lua test.lua

lua: pkey.new: tasn_dec.c:1149:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
stack traceback:
  [C]: in function 'openssl.pkey.new'
  test.lua:22: in main chunk
  [C]: in ?

Could you help to identy this issue?

I got the same issue. Did you find a solution or the cause of the exception?

jitsi / luajwtjitsi

JWT with RS256 not working #1