Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ECDSA signature verification fails for valid tokens #84

Closed
mark-adams opened this issue Jun 6, 2015 · 1 comment
Closed

ECDSA signature verification fails for valid tokens #84

mark-adams opened this issue Jun 6, 2015 · 1 comment
Labels
bug
Milestone
Version 1.5.1

Comments

@mark-adams
Copy link

ruby-jwt fails with a Signature verification failed (JWT::VerificationError) error when decoding a valid JWT signed with ES512. I believe this is due to an issue with improper ECDSA signature serialization format where the signature parameters are not concatenated in the proper order. The improper serialization results in an implementation being able to successfully verify its own JWTs but not those generated by other conforming libraries.

We encountered the same issue and fixed it on PyJWT a little while ago but some users are now reporting issues with ruby-jwt validating ECDSA-signed tokens and I wanted to pass along the information. PyJWT now has tests validating it against RFC 7520 test vectors to ensure all algorithms serialize properly. It may be a good idea to do a similar thing here.

Ruby test (using ruby-jwt):

require 'jwt'

token = 'eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJoZWxsbyI6IndvcmxkIn0.AQx1MqdTni6KuzfOoedg2-7NUiwe-b88SWbdmviz40GTwrM0Mybp1i1tVtmTSQ91oEXGXBdtwsN6yalzP9J-sp2YATX_Tv4h-BednbdSvYxZsYnUoZ--ZUdL10t7g8Yt3y9hdY_diOjIptcha6ajX8yzkDGYG42iSe3f5LywSuD6FO5c'
pubkey_pem = "-----BEGIN PUBLIC KEY-----\nMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAcpkss6wI7PPlxj3t7A1RqMH3nvL4\nL5Tzxze/XeeYZnHqxiX+gle70DlGRMqqOq+PJ6RYX7vK0PJFdiAIXlyPQq0B3KaU\ne86IvFeQSFrJdCc0K8NfiH2G1loIk3fiR+YLqlXk6FAeKtpXJKxR1pCQCAM+vBCs\nmZudf1zCUZ8/4eodlHU=\n-----END PUBLIC KEY-----"

pubkey = OpenSSL::PKey::EC.new pubkey_pem
JWT.decode token, pubkey

Python test (using pyjwt):

import jwt

token = 'eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJoZWxsbyI6IndvcmxkIn0.AQx1MqdTni6KuzfOoedg2-7NUiwe-b88SWbdmviz40GTwrM0Mybp1i1tVtmTSQ91oEXGXBdtwsN6yalzP9J-sp2YATX_Tv4h-BednbdSvYxZsYnUoZ--ZUdL10t7g8Yt3y9hdY_diOjIptcha6ajX8yzkDGYG42iSe3f5LywSuD6FO5c'
pubkey_pem = '-----BEGIN PUBLIC KEY-----\nMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAcpkss6wI7PPlxj3t7A1RqMH3nvL4\nL5Tzxze/XeeYZnHqxiX+gle70DlGRMqqOq+PJ6RYX7vK0PJFdiAIXlyPQq0B3KaU\ne86IvFeQSFrJdCc0K8NfiH2G1loIk3fiR+YLqlXk6FAeKtpXJKxR1pCQCAM+vBCs\nmZudf1zCUZ8/4eodlHU=\n-----END PUBLIC KEY-----'

jwt.decode(token, pubkey_pem)
@mark-adams mark-adams mentioned this issue Jun 6, 2015
Closed
@excpt excpt added the bug label Jun 6, 2015
@excpt excpt added this to the Version 1.5.1 milestone Jun 7, 2015
jurriaan added a commit to jurriaan/ruby-jwt that referenced this issue Jun 14, 2015
@jurriaan
Correctly sign ecdsa JWTs
5473c8d 
Fixes jwt#84
jurriaan added a commit to jurriaan/ruby-jwt that referenced this issue Jun 14, 2015
@jurriaan
Correctly sign ecdsa JWTs
6b71cb4 
Fixes jwt#84
@jurriaan jurriaan mentioned this issue Jun 14, 2015
Merged
jurriaan added a commit to jurriaan/ruby-jwt that referenced this issue Jun 14, 2015
@jurriaan
Correctly sign ECDSA JWTs
0ce0d1d 
Fixes jwt#84
@excpt excpt closed this as completed in #87 Jun 14, 2015
@excpt
Copy link
Member

excpt commented Jun 15, 2015

@jurriaan Thanks for your contribution! 👍

@jurriaan jurriaan mentioned this issue Jun 23, 2015
Closed
@jurriaan jurriaan mentioned this issue Sep 3, 2015
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
Version 1.5.1
Development

No branches or pull requests
2 participants
@excpt @mark-adams