paragonie / paseto-browser.js

PASETO in the Web Browser

Having problems decoding a token created with Python on paseto-browser.js #1

Open Fayer00 opened 1 year ago

Fayer00 commented 1 year ago

Hi, I'm trying to decode a token created with pyseto with paseto-browser.js and I'm getting the following error: "Error: Public Key must be 32 bytes" at `new PasetoV4Public`. I'm currently sending the token and public key created on my backend to my React project, where I want to decode it and extract the data in the token.

Sorry for creating an issue for this, but I couldn't find a way to contact you.

paragonie-security commented 1 year ago

How are you passing the public key? It expects a Uint8Array of length 32. If you're passing an encoded string, it's going to fail.

Fayer00 commented 1 year ago

We are passing this:

{
  "token": "v4.public.eyJkYXRhIjogInRoaXMgaXMgYSBzaWduZWQgbWVzc2FnZSB4eCIsICJleHAiOiAiMjAyMi0wOC0wMlQxNzoyNToxMCswMDowMCJ9_DsK3gg9q1_X5-wC1lOZsAXdZS1AYcLZBFWAyAw6XPk-IL08hWk3UuNka6h996lyPUToJ1OCR0FJWBHGmvxhDA.eyJraWQiOiAiazQucGlkLjB2eHRpMVB3VHhwZVZKWjBQcnl4UUdQdjMwblZtOUNBUm5SOHcyZVhtbEFwIn0",
  "pk": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAA7ly+bxmO8Tckr0Za57Zr20rGyJRqCwvrDd9NwFTes0=\n-----END PUBLIC KEY-----"
}

We are generating this PEM and token with Python like this:

import json

import pyseto
from pyseto import Key
from Crypto.PublicKey import ECC  # PyCryptodome; RSA was imported but never used
# Assumed from the (self, request, format=None) signature and Response():
# this is a Django REST framework view method, so Response comes from there.
from rest_framework.response import Response


def get(self, request, format=None):
    # Fresh Ed25519 key pair; PASETO v4.public signs with Ed25519.
    key = ECC.generate(curve='Ed25519')

    # PEM export of both keys; the public key comes out as a
    # SubjectPublicKeyInfo "PUBLIC KEY" block.
    private_key_pem = key.export_key(format='PEM')
    public_key_pem = key.public_key().export_key(format='PEM', compress=True)
    print(key)
    print(private_key_pem)
    print(public_key_pem)

    # pyseto accepts PEM strings for v4.public keys.
    private_key = Key.new(version=4, purpose="public", key=private_key_pem)
    public_key = Key.new(version=4, purpose="public", key=public_key_pem)

    # exp=3600 makes pyseto set the token's "exp" claim to now + 1 h, which is
    # why the token above carries 2022-08-02 rather than the literal
    # 2021-11-11 written in the payload here.
    token = pyseto.encode(
        private_key,
        {"data": "this is a signed message xx", "exp": "2021-11-11T00:00:00+00:00"},
        footer={"kid": public_key.to_paserk_id()},
        exp=3600,
    )

    # Server-side round-trip check; the result is not used further.
    decoded = pyseto.decode(public_key, token, deserializer=json)

    # The PEM string is what the browser receives as "pk".
    return Response({'token': token.decode("utf-8"), 'pk': public_key_pem})

If we comment out the length validations (see: here), we can decode the token. Is there a reason for limiting the length to 32 or 64?

paragonie-security commented 1 year ago

Your public key needs to be 32 raw bytes, not a PEM-encoded string.

paragonie-security commented 1 year ago

The underlying library we're using (TweetNaCl) requires public keys to be encoded as 32 raw bytes. If you want to use a PEM-encoded public key, you must provide your own decoding logic.
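The decoding logic the maintainer refers to, as an added example that is not code from paseto-browser.js or pyseto: the `pk` value in the issue is a PEM "PUBLIC KEY" block, i.e. a base64 DER SubjectPublicKeyInfo, and for Ed25519 that structure is a fixed 12-byte prefix (the id-Ed25519 OID and a BIT STRING header) followed by the 32 raw key bytes. The function below strips the PEM armour, base64-decodes, checks the prefix and returns the 32-byte `Uint8Array` the library asks for, rejecting anything that is not an Ed25519 SubjectPublicKeyInfo rather than handing the library a wrong-length blob. The sample input is the exact `pk` string posted above; the function and constant names are this example's own.

```javascript
// Added example (not part of paseto-browser.js or pyseto): turn the PEM
// "PUBLIC KEY" block that pyseto/PyCryptodome emit into the 32 raw Ed25519
// bytes that paseto-browser.js expects for a v4.public key.

// DER prefix shared by every Ed25519 SubjectPublicKeyInfo (RFC 8410):
//   30 2a              SEQUENCE (42 bytes follow)
//     30 05            SEQUENCE (AlgorithmIdentifier)
//       06 03 2b 65 70 OID 1.3.101.112 = id-Ed25519
//     03 21 00         BIT STRING, 33 bytes, 0 unused bits
//   ...32 bytes...     the raw public key
const ED25519_SPKI_PREFIX = Uint8Array.from([
  0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00,
]);
const ED25519_PUBLIC_KEY_BYTES = 32;

// Base64 -> bytes, using Buffer under Node and atob() in a browser.
function base64ToBytes(b64) {
  if (typeof Buffer !== 'undefined') {
    return Uint8Array.from(Buffer.from(b64, 'base64'));
  }
  const bin = atob(b64);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Returns a 32-byte Uint8Array, or throws if the PEM is not exactly an
// Ed25519 SubjectPublicKeyInfo. RSA or P-256 keys, private keys and
// already-raw keys are rejected instead of being silently truncated.
function ed25519PublicKeyFromPem(pem) {
  const lines = String(pem).split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  if (
    lines.length < 3 ||
    lines[0] !== '-----BEGIN PUBLIC KEY-----' ||
    lines[lines.length - 1] !== '-----END PUBLIC KEY-----'
  ) {
    throw new Error('expected a PEM "PUBLIC KEY" (SubjectPublicKeyInfo) block');
  }
  const der = base64ToBytes(lines.slice(1, -1).join(''));
  if (der.length !== ED25519_SPKI_PREFIX.length + ED25519_PUBLIC_KEY_BYTES) {
    throw new Error(`unexpected SubjectPublicKeyInfo length ${der.length}`);
  }
  for (let i = 0; i < ED25519_SPKI_PREFIX.length; i++) {
    if (der[i] !== ED25519_SPKI_PREFIX[i]) {
      throw new Error('not an Ed25519 SubjectPublicKeyInfo');
    }
  }
  return der.slice(ED25519_SPKI_PREFIX.length);
}

// The "pk" value posted in this issue, as the backend returns it in JSON.
const PEM_FROM_ISSUE =
  '-----BEGIN PUBLIC KEY-----\n' +
  'MCowBQYDK2VwAyEAA7ly+bxmO8Tckr0Za57Zr20rGyJRqCwvrDd9NwFTes0=\n' +
  '-----END PUBLIC KEY-----';

// 32-byte Uint8Array: this, not the PEM string, is what the v4.public
// verifier should be constructed with.
const rawPublicKey = ed25519PublicKeyFromPem(PEM_FROM_ISSUE);
```

Pass `rawPublicKey` where the issue's code currently passes the PEM string; the library's 32-byte check then passes on its own, so there is no reason to comment it out. The prefix comparison is the important part: a PKCS#1 RSA key or a P-256 SubjectPublicKeyInfo also starts with `-----BEGIN PUBLIC KEY-----`, and without the OID check a caller could end up "verifying" against bytes that are not an Ed25519 point at all.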