Question about introducing privateKeyCertificatePassphrase

[Wstunes]

the #51commit introduced privateKeyCertificatePassphrase. I wonder if there's no privateKeyCertificatePassphrase, should I use

[JWTBuilder encodePayload:payload].secret(secret).privateKeyCertificatePassphrase(@"").algorithmName(algorithmName).encode;` or `[JWTBuilder encodePayload:payload].secret(secret).privateKeyCertificatePassphrase(nil).algorithmName(algorithmName).encode;

And could you give an example of the RSA256 algorithm(including how to use public and private keys)? When I test with RSA256, it always returns nil. I don't know what is the problem. You can use the keys of jwt.io to demonstrate .

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugdUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQsHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5Do2kQ+X5xK9cipRgEKwIDAQAB
-----END PUBLIC KEY----- 

-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQDdlatRjRjogo3WojgGHFHYLugdUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQsHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5Do2kQ+X5xK9cipRgEKwIDAQABAoGAD+onAtVye4ic7VR7V50DF9bOnwRwNXrARcDhq9LWNRrRGElESYYTQ6EbatXS3MCyjjX2eMhu/aF5YhXBwkppwxg+EOmXeh+MzL7Zh284OuPbkglAaGhV9bb6/5CpuGb1esyPbYW+Ty2PC0GSZfIXkXs76jXAu9TOBvD0ybc2YlkCQQDywg2R/7t3Q2OE2+yo382CLJdrlSLVROWKwb4tb2PjhY4XAwV8d1vy0RenxTB+K5Mu57uVSTHtrMK0GAtFr833AkEA6avx20OHo61Yela/4k5kQDtjEf1N0LfI+BcWZtxsS3jDM3i1Hp0KSu5rsCPb8acJo5RO26gGVrfAsDcIXKC+bQJAZZ2XIpsitLyPpuiMOvBbzPavd4gY6Z8KWrfYzJoI/Q9FuBo6rKwl4BFoToD7WIUS+hpkagwWiz+6zLoX1dbOZwJACmH5fSSjAkLRi54PKJ8TFUeOP15h9sQzydI8zJU+upvDEKZsZc/UhT/SySDOxQ4G/523Y0sz/OZtSWcol/UMgQJALesy++GdvoIDLfJX5GBQpuFgFenRiRDabxrE9MNUZ2aPFaFp+DyAe+b4nDwuJaW2LURbr8AEZga7oQj0uYxcYw==
  -----END RSA PRIVATE KEY-----  

[lolgear]

I agree. Some parts of implementation are suffering from lack of descriptive errors.

[Wstunes]

@lolgear Could you please add some examples using the public and private keys now?

[lolgear]

@Wstunes well, I can't figure out how to use jwt with raw private key without passphrase. Please, look at updated readme.

[Wstunes]

@lolgear Thanks for the update. But here's another problem. What if I want to encode the payload with public key and decode it with private key? It seems that the library now only support encoding with private key.

[lolgear]

@Wstunes I agree. RS256 algorithm implementation is asymmetric for public/private keys. Should we have symmetry?

[lolgear]

@Wstunes could you write tests with desired ( public key / private key symmetry, am I right? ) functionality?

[lolgear]

@Wstunes could you check latest master? Keys PEM import introduced.

[Wstunes]

@lolgear Thanks for your effort. I think keys in pem or .p12 format is working well now. Another suggestion is that people may want to sign a token or verify a token with raw private/public key which is string not a file. I am trying to accomplish that. It's a good-to-have in this iOS JWT library.

[lolgear]

@Wstunes you could try something like:

NSError *error = nil;
[JWTEncodingBuilder encodePayload:@{}].addHolder([JWTAlgorithmRSFamilyDataHolder new].signKey());
// or multilines
id<JWTCryptoKeyProtocol> signKey = [[JWTCryptoKeyPrivate alloc] initWithBase64String:@"raw_key_string" parameters:nil error:nil];
id<JWTAlgorithmDataHolderProtocol> dataHolder = [JWTAlgorithmRSFamilyDataHolder new].signKey(signKey).algorithmName(JWTAlgorithmNameRS256);
NSDictionary *payload = @{};
JWTCodingBuilder *builder = [JWTEncodingBuilder encodePayload:payload].addHolder(dataHolder);
JWTCodingResultType *result = builder.result;

[tyleralves]

Using the above code I'm getting the following error:

2017-08-01 18:12:00.744 HappyOnboarding[11778:8398929] <JWTNative: 0x61800000a4e0> error: Error Domain=io.jwt Code=-92 "It seems that signing output corrupted. Make sure signing worked (e.g. we may have issues extracting the key from the PKCS12 bundle if passphrase is incorrect)." UserInfo={NSLocalizedDescription=It seems that signing output corrupted. Make sure signing worked (e.g. we may have issues extracting the key from the PKCS12 bundle if passphrase is incorrect)., errorDescription=JWTEncodingSigningError}

[lolgear]

@tyleralves Hi! Nice to hear about any bugs!

Could you post example of your data ( Or code that extracting your private keys data )?

[tyleralves]

@lolgear I think it might be due to not including the passphrase that goes along with the private key. How would you include a passPhrase in this example?

[lolgear]

@tyleralves As I remember, you could pass passphrase into Data Holder:

NSString *secretPassphrase = @"passphrase";
[JWTAlgorithmRSFamilyDataHolder new].privateKeyCertificatePassphrase(secretPassphrase).signKey(signKey).algorithmName(JWTAlgorithmNameRS256);

[lolgear]

@tyleralves If you have an ability to debug JWT, you could try to input this format into

[[JWTCryptoKeyPrivate alloc] initWithPemEncoded:(NSString *)encoded parameters:(NSDictionary *)parameters error:(NSError *__autoreleasing*)error];

The example above ( first example for Wstunnes ) assumes that key is in a raw format without any PEM headers.

[hfqf]

The same to me! Error Domain=io.jwt Code=-92 "It seems that signing output corrupted. Make sure signing worked (e.g. we may have issues extracting the key from the PKCS12 bundle if passphrase is incorrect)." UserInfo={NSLocalizedDescription=It seems that signing output corrupted. Make sure signing worked (e.g. we may have issues extracting the key from the PKCS12 bundle if passphrase is incorrect)., errorDescription=JWTEncodingSigningError}

The pem don't exist passphrase,so ...

[icedice]

I'm having a hard time getting this lib to work, any help would be greatly appreciated. I'm trying to decode and validate a JWT in swift using this lib. The JWT is signed with RS256 private key. What I am unable to understand is:

1) What would the proper swift syntax for this be, and what version of the lib should I use? 2) What input secret should i pass? A self signed certificate with the public key, a RSA public key and should it be with or without the ----- BEGIN and end stuff. I tried the JWTDesktopSwift example. I used the RS256 example data from jwt.io but was unable to get it to decode.

[lolgear]

@icedice I started digging inside your issue and found some memory leaks :)

Try using JWTDesktop instead of JWTDesktopSwift.

1. Version three. I will prepare later a wiki page for swift syntax.
2. It is possible to pass formats as PEM and plain Base64. PEM could contains headers.

As an example you could use a zip from issue #152

[icedice]

Awesome! It's working now. Thanks a lot for helping me out.

The only thing that still puzzles me is that this works with the plain/pem public key. I found a SO answer which is using til lib (older version) that clearly states that apple does not support doing it this way so you need to pack the public key in a self signed cert to make it work. The SO link: https://stackoverflow.com/questions/43629383/validate-jwt-token-with-rs256-or-rs512-with-swift-ios

I actually got my back-end people to prepare a endpoint with a self signed certificate with the public key for this very reason and place it next to the jwks endpoint. No this seems like its not the way to go.

[lolgear]

73

The last comment could clarify some points about Security framework.

It has options to create Security keys from the raw values, but it is too complex and Apple doesn't recommend. However, at iOS 10 they introduced method to prune down this process.

About compatibility - you could try to use certificate, I hope it works :) It would be nice to test PEM files but If you have release app - it is all on your own.