Closed ericchaves closed 7 months ago
After doing a little more digging, it seems that something weird is going on with the JWK class when extracting the public key correctly.
The conversion of the private PKCS#8 key to JWT using node's crypto module outputs to:
{"kty":"OKP",
"crv":"Ed25519",
"d":"9eM9ymRfGIF7wXU0alGBLQNp664KK0o4SVtDLmsMo5M",
"x":"O2_3C89eS6Yx0U6Ak4avXY2FuBLGql6y7wXirtzsYxo"
}
The same JWK created using JWKFactory::createFromKeyFile outputs to:
[values:Jose\Component\Core\JWK:private] => Array
(
[kty] => OKP
[crv] => Ed25519
[d] => 9eM9ymRfGIF7wXU0alGBLQNp664KK0o4SVtDLmsMo5M
[x] => Xx1RjKLDu76eIMjwIP_0oWy6axLLjL6-CUWxRRi-8xk
[use] => sig
)
)
The public keys do not seem to match. What is curious is that if I use JWKFactory::createFromKeyFile to export the public SPKI file exported by openssl, the public key is ok.
{"kty":"OKP",
"crv":"Ed25519",
"x":"O2_3C89eS6Yx0U6Ak4avXY2FuBLGql6y7wXirtzsYxo"
}
Jose\Component\Core\JWK Object
(
[values:Jose\Component\Core\JWK:private] => Array
(
[kty] => OKP
[crv] => Ed25519
[x] => O2_3C89eS6Yx0U6Ak4avXY2FuBLGql6y7wXirtzsYxo
[use] => sig
)
)
Hi,
Many thanks for the detail. I will investigate. I do not see any reason for the public key to change.
Hi,
I investigated and indeed there is something wrong with the JWK generated from the private key: the parameter x is incorrect.
This is the reason why the nodejs/jose rejects the tokens signed by the library.
I spotted the code section causing this issue, but have not found any fix for now.
What I suggest at the moment is to alter the x parameter from the private JWK with the good one from the public key.
Wrong private key:
{"kty":"OKP",
"crv":"Ed25519",
"d":"9eM9ymRfGIF7wXU0alGBLQNp664KK0o4SVtDLmsMo5M",
"x":"Xx1RjKLDu76eIMjwIP_0oWy6axLLjL6-CUWxRRi-8xk"
}
Correct public key:
{"kty":"OKP",
"crv":"Ed25519",
"x":"O2_3C89eS6Yx0U6Ak4avXY2FuBLGql6y7wXirtzsYxo"
}
Correct private key:
{"kty":"OKP",
"crv":"Ed25519",
"d":"9eM9ymRfGIF7wXU0alGBLQNp664KK0o4SVtDLmsMo5M",
"x":"O2_3C89eS6Yx0U6Ak4avXY2FuBLGql6y7wXirtzsYxo"
}
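One way to detect the mismatch described in this thread before a key is used for signing, as an added example that is not part of the original comments or of either library: it recomputes `x` from `d` with Node's built-in `crypto` module and compares it with the stored value. The function names `deriveX`, `checkOkpJwk` and `repairOkpJwk` are hypothetical; the two sample JWKs are the private keys quoted above.

```javascript
const crypto = require('node:crypto');

// Fixed DER header of a PKCS#8 PrivateKeyInfo for Ed25519 (RFC 8410);
// the 32-byte seed (the JWK "d" value) follows it directly.
const ED25519_PKCS8_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');

// Derive the public "x" from the private "d" of an OKP/Ed25519 JWK.
function deriveX(jwk) {
  const seed = Buffer.from(jwk.d, 'base64url');
  if (seed.length !== 32) throw new Error('Ed25519 "d" must decode to 32 bytes');
  const priv = crypto.createPrivateKey({
    key: Buffer.concat([ED25519_PKCS8_PREFIX, seed]),
    format: 'der',
    type: 'pkcs8',
  });
  return crypto.createPublicKey(priv).export({ format: 'jwk' }).x;
}

// Report whether the "x" stored in a private JWK belongs to its "d".
function checkOkpJwk(jwk) {
  if (jwk.kty !== 'OKP' || jwk.crv !== 'Ed25519') {
    throw new Error('only OKP/Ed25519 keys are handled here');
  }
  const derivedX = deriveX(jwk);
  return { ok: derivedX === jwk.x, derivedX };
}

// Return a copy of the JWK whose "x" is recomputed from "d"
// (the workaround suggested in the thread, done programmatically).
function repairOkpJwk(jwk) {
  return { ...jwk, x: deriveX(jwk) };
}

// The two private JWKs quoted in the thread.
const fromJwtFramework = {
  kty: 'OKP', crv: 'Ed25519',
  d: '9eM9ymRfGIF7wXU0alGBLQNp664KK0o4SVtDLmsMo5M',
  x: 'Xx1RjKLDu76eIMjwIP_0oWy6axLLjL6-CUWxRRi-8xk',
};
const fromNode = { ...fromJwtFramework, x: 'O2_3C89eS6Yx0U6Ak4avXY2FuBLGql6y7wXirtzsYxo' };

for (const [name, jwk] of Object.entries({ fromJwtFramework, fromNode })) {
  console.log(name, checkOkpJwk(jwk));
}
```

Running the same check on every private OKP JWK at load time turns a silent interoperability failure into an explicit error.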
Hi,
This should be fixed with the last release 3.2.10.
Let me know if there is another issue.
Regards
Version(s) affected
3.2.8
Description
Hi folks, I'm issuing a JWT signed with EdDSA (ed25519) using web-token\jwt-framework and trying to validate it using nodejs's jose, but the validation fails complaining that the signature is invalid.
With jwt-framework I can verify a token issued and signed by nodejs's jose using the same EdDSA key and I can also verify with jwt-framework a JWT signed by jwt-framework in jwt-framework with this EdDSA key.
Other EC algorithms like ES256 also work perfectly between the two libs. I can also validate other tokens issued in other languages using EdDSA in nodejs. So far only EdDSA tokens signed in PHP are failing.
Can someone help me figure out if I'm doing something wrong or if there is some interoperability issue between those two implementations?
Thanks in advance for any help and congrats for the great work done so far!
How to reproduce
Forgive me if you find any typos. Had to copy and paste partial lines of code.
create an ed25519 key pair using openssl:
Issue a signed JWS with web-token/jwt-framework and write it to file.
read it on nodejs and validate the JWT
To generate ES256 keys with openssl:
Possible Solution
No response
Additional Context
Node version: v20.5.0
node jose version: 4.13.1
Error message from nodes