jwt-dotnet / jwt

Jwt.Net, a JWT (JSON Web Token) implementation for .NET

RSA256 support? #90

Closed jonmiller1 closed 7 years ago

jonmiller1 commented 7 years ago

I'm trying to validate a token from Google Plus. I get an error that says RSA256 is not supported. I can see the algorithm in the source code. Is there any way to get this going?

abatishchev commented 7 years ago

What version are you using? Can you send your code, and also the exception?

djavier commented 7 years ago

@abatishchev I see the AlgorithmFactory is missing the RS256Algorithm, is it missing by design?

I'm currently using version 2.3.2 and receiving InvalidOperationException with "Algorithm RS256 is not supported."

abatishchev commented 7 years ago

Doh, yeah. I see where the problem is: RS256Algorithm accepts X509Certificate2 in its ctor. It's not an issue for JwtEncoder because it accepts IJwtAlgorithm in its ctor and you can instantiate it directly. But it is an issue for JwtDecoder, which uses AlgorithmFactory, which can't pass anything other than the algorithm's name. Let me think how to address this. If you have any ideas, please post immediately.

abatishchev commented 7 years ago

Check this out: https://github.com/jwt-dotnet/jwt/pull/101.

Since default AlgorithmFactory can't do it, let's introduce IAlgorithmFactory implemented by both default HMACSHAAlgorithmFactory and new RSAlgorithmFactory.

The latter accepts Func<X509Certificate2> so you can specify how it will instantiate new RS256Algorithm(X509Certificate2).

What do you think? If that works, I can merge and publish a new NuGet shortly.

djavier commented 7 years ago

This looks pretty neat! Thanks for the quick response.

I'll see if I can take some time this weekend and add some tests upon these classes.

djavier commented 7 years ago

@abatishchev this looks really good to me.

abatishchev commented 7 years ago

Great! Thanks for bringing-in/following-up. Let's continue the discussion (if any) in the PR.

sparachi commented 7 years ago

I'm having trouble verifying signature. I have an access token signed with a private key and I was given an endpoint to get the public key using the keyid. The provider basically signs each token with different keyids. So basically I followed your approach https://github.com/jwt-dotnet/jwt#parsing-decoding-and-verifying-tokens

byte[] pubKey = GetPublicKeyFromCache();
IJsonSerializer serializer = new JsonNetSerializer();
IDateTimeProvider provider = new UtcDateTimeProvider();
IJwtValidator validator = new JwtValidator(serializer, provider);
IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
var algorithmFactory = new RSAlgorithmFactory(CertFactory);
IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithmFactory);
var accessTokenData = decoder.DecodeToObject<JwsTokenData>(accessToken, pubKey, true);

private X509Certificate2 CertFactory()
{
    byte[] pubKey = GetPublicKeyFromCache();
    var cert = new X509Certificate2(pubKey);
    return cert;
}

alg is RS256. I get the following exception.

System.Security.Cryptography.CryptographicException was caught
  HResult=-2146885623
  Message=Cannot find the requested object.

  Source=mscorlib
  StackTrace:
       at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
       at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertBlobType(Byte[] rawData)
       at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
       at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData)
       at .CertFactory() in 
       at JWT.Algorithms.RSAlgorithmFactory.Create(JwtHashAlgorithm algorithm)
       at JWT.JwtDecoder.Validate(String payload, String payloadJson, String[] parts, Byte[] key)
       at JWT.JwtDecoder.DecodeToObject[T](String token, Byte[] key, Boolean verify)
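The exception above comes from X509Certificate2(byte[]): it expects a DER/PEM encoded certificate, and a bare public key blob is rejected with "Cannot find the requested object". Below is an added example (not code from the thread or from the Jwt.Net project) that reads the kid from the token header, picks the matching certificate, fails closed if the bytes are not an RSA certificate, and only then wires RSAlgorithmFactory and JwtDecoder exactly as in the snippet above. It assumes the 2.x API shown in this thread (RSAlgorithmFactory taking Func<X509Certificate2>, the four-argument JwtDecoder); certsByKid and the JwtHeader class are my own, filled by the caller from the provider's key endpoint.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using JWT;
using JWT.Algorithms;
using JWT.Serializers;

public static class Rs256TokenReader
{
    // Minimal view of the JOSE header; only the two fields we act on (hypothetical helper type).
    private sealed class JwtHeader { public string alg { get; set; } public string kid { get; set; } }

    // Loads certificate bytes and refuses anything that is not an X.509 certificate with an RSA key.
    public static X509Certificate2 LoadRsaCertificate(byte[] der)
    {
        X509Certificate2 cert;
        try { cert = new X509Certificate2(der); }
        catch (CryptographicException e)
        {
            // This is the failure from the thread: a raw public key is not a certificate blob.
            throw new InvalidOperationException(
                "Key material is not an X.509 certificate; RS256Algorithm needs a certificate, not a bare key.", e);
        }
        if (cert.GetRSAPublicKey() == null)
            throw new InvalidOperationException("Certificate does not carry an RSA public key.");
        return cert;
    }

    // certsByKid: DER certificate bytes per key id, obtained by the caller from the provider (assumption).
    public static T Decode<T>(string token, IDictionary<string, byte[]> certsByKid)
    {
        var parts = token.Split('.');
        if (parts.Length != 3) throw new FormatException("Token must have three dot-separated segments.");
        IJsonSerializer serializer = new JsonNetSerializer();
        IBase64UrlEncoder urlEncoder = new JwtBase64UrlEncoder();
        var header = serializer.Deserialize<JwtHeader>(Encoding.UTF8.GetString(urlEncoder.Decode(parts[0])));
        // Pin the expected algorithm instead of trusting whatever the header says.
        if (header.alg != "RS256") throw new InvalidOperationException("Unexpected alg: " + header.alg);
        byte[] der;
        if (header.kid == null || !certsByKid.TryGetValue(header.kid, out der))
            throw new InvalidOperationException("Token kid is missing or not among the published keys.");
        X509Certificate2 cert = LoadRsaCertificate(der);
        IDateTimeProvider provider = new UtcDateTimeProvider();
        IJwtValidator validator = new JwtValidator(serializer, provider);
        var algorithmFactory = new RSAlgorithmFactory(() => cert);   // same wiring as the snippet above
        IJwtDecoder decoder = new JwtDecoder(serializer, validator, urlEncoder, algorithmFactory);
        return decoder.DecodeToObject<T>(token, cert.GetPublicKey(), true);
    }
}
```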

abatishchev commented 7 years ago

@sparachi hi, can you please copy/paste your question to a new issue? thanks! meanwhile I'm looking into it.

Jack3964925 commented 6 years ago

@abatishchev , @sparachi any update on the RSA256 issue?

abatishchev commented 6 years ago

@Jack3964925: are you facing an exception? What version are you using? Please open a new issue since this one is from August 2017.