olehlong / jwtd

D implementation of JSON Web Token.
MIT License

ES384 Verification not working on token signed by other library #10

Open alejzeis opened 7 years ago

alejzeis commented 7 years ago

I have the following JWT signed using this Java library.

eyJhbGciOiJFUzM4NCJ9.eyJoYXNoIjoiOGYwOGU1YjQzNTU1NjMxZTcyOThkMTM2ZjI3MjMzNWFkNWI0NDIxMzVjOTZhOTI3NTMwZjM0ZmE4ZDM4MmU1YyIsInRpbWVzdGFtcCI6MTQ4NzcyODIzMzIxNX0.ilQLA-7RSv1TqXVW_PfPIwxmEDoFjfrSPjqKvw7mqFrY8S14ixLd2qi39p7j_oTLMcFFs4DHqWQJP4oR00nS2l82ZPwSNPJaYik4uWr5LrA9a4jHH9WyxSAYSO5MnykV

I then try to verify the token using the following code:

import std.stdio;
import std.file;

import jwtd.jwt;   // provides verify(token, key)

void main() {
    // ES384 token produced by JJWT (the same token shown above)
    string token = "eyJhbGciOiJFUzM4NCJ9.eyJoYXNoIjoiOGYwOGU1YjQzNTU1NjMxZTcyOThkMTM2ZjI3MjMzNWFkNWI0NDIxMzVjOTZhOTI3NTMwZjM0ZmE4ZDM4MmU1YyIsInRpbWVzdGFtcCI6MTQ4NzcyODIzMzIxNX0.ilQLA-7RSv1TqXVW_PfPIwxmEDoFjfrSPjqKvw7mqFrY8S14ixLd2qi39p7j_oTLMcFFs4DHqWQJP4oR00nS2l82ZPwSNPJaYik4uWr5LrA9a4jHH9WyxSAYSO5MnykV";

    writeln(token);
    // verify() returns true only when the signature checks out against the public key
    writeln(verify(token, readPubKey()));
}

// PEM-encoded public key matching the key pair the token was signed with
string readPubKey() {
    return readText("server-pub.pem");
}

// PEM-encoded private key used for signing; not needed for verification
string readPrivateKey() {
    return readText("server.pem");
}

However, verify returns false, showing that the signature is invalid. The problem is that the signature is valid, and the Java library successfully verifies the token. I have also attempted verifying using this Node.js library, which also works perfectly.

Tokens signed using JWTD with the same keys are successfully verified by JWTD, so I'm not sure what's wrong.

Here are the keys:


EDIT: Tokens signed by JWTD are verified without any problems by JJWT. I'm pretty sure now that it's specific to this library.

lionello commented 7 years ago

Are you using botan or openssl? Have you tried both?

alejzeis commented 7 years ago

I have tried both. In the end I wrote an unofficial Derelict binding to the libjwt C library here. I tracked the problem down to a difference of formats in how the JWT is encoded. I solved this problem months ago, so I don't really remember what it was exactly. JWTD supported only one and couldn't understand the way JJWT was encoding them, but JJWT could decode both ways. libjwt was able to understand JJWT, so I ended up using that instead through the binding.
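As an added example (not code from the issue, from jwtd or from JJWT): the reporter does not name the encoding difference, but the signature segment of the token above decodes to 96 bytes, which is the fixed-length R||S form RFC 7518 section 3.4 requires for ES384 (2 x 48 bytes for P-384), whereas a verifier that hands the bytes straight to OpenSSL's ECDSA_verify expects an ASN.1 DER SEQUENCE of two INTEGERs. This Python checks a token's signature length against its alg and converts between the two encodings in both directions; CURVE_BYTES and the helper names are my own.

```python
import base64
import json

# Token from the issue above; only its header and signature segments are inspected.
TOKEN = (
    "eyJhbGciOiJFUzM4NCJ9."
    "eyJoYXNoIjoiOGYwOGU1YjQzNTU1NjMxZTcyOThkMTM2ZjI3MjMzNWFkNWI0NDIxMzVjOTZhOTI3NTMwZjM0ZmE4ZDM4MmU1YyIsInRpbWVzdGFtcCI6MTQ4NzcyODIzMzIxNX0."
    "ilQLA-7RSv1TqXVW_PfPIwxmEDoFjfrSPjqKvw7mqFrY8S14ixLd2qi39p7j_oTLMcFFs4DHqWQJP4oR00nS2l82ZPwSNPJaYik4uWr5LrA9a4jHH9WyxSAYSO5MnykV"
)
# Byte length of one coordinate per RFC 7518 section 3.4 (P-256, P-384, P-521).
CURVE_BYTES = {"ES256": 32, "ES384": 48, "ES512": 66}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jws_signature_info(token: str) -> tuple:
    """Return (alg, actual signature length, length RFC 7518 requires for that alg)."""
    header, _, sig = token.split(".")
    alg = json.loads(b64url_decode(header))["alg"]
    return alg, len(b64url_decode(sig)), 2 * CURVE_BYTES[alg]

def _der_len(n: int) -> bytes:
    # Short form below 128; the one-byte long form covers every JOSE curve (n < 256).
    return bytes([n]) if n < 128 else b"\x81" + bytes([n])

def _der_int(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def raw_to_der(sig: bytes, n: int) -> bytes:
    """JOSE R||S (n bytes each) -> DER SEQUENCE { INTEGER r, INTEGER s } as OpenSSL expects."""
    if len(sig) != 2 * n:
        raise ValueError(f"expected {2 * n}-byte R||S signature, got {len(sig)}")
    body = _der_int(int.from_bytes(sig[:n], "big")) + _der_int(int.from_bytes(sig[n:], "big"))
    return b"\x30" + _der_len(len(body)) + body

def der_to_raw(der: bytes, n: int) -> bytes:
    """Inverse: parse the DER SEQUENCE and left-pad r and s back to n bytes each."""
    pos = 3 if der[1] == 0x81 else 2
    if der[0] != 0x30 or der[pos - 1] != len(der) - pos:
        raise ValueError("not a well-formed DER SEQUENCE")
    out = b""
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length, pos = der[pos + 1], pos + 2
        out += int.from_bytes(der[pos:pos + length], "big").to_bytes(n, "big")
        pos += length
    return out
```

A verifier built on OpenSSL's ECDSA_verify needs raw_to_der() applied to the JWS signature before the call; a signer built on it needs der_to_raw() before base64url-encoding.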