Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid signature #372

Open
KevinNaidoo opened this issue Feb 29, 2024 · 2 comments
Open

Invalid signature #372

KevinNaidoo opened this issue Feb 29, 2024 · 2 comments

Comments

@KevinNaidoo
Copy link

Hi,

I am having an issue when I use my generated token on other services (like pasting on the jwt.io website), it gives me an "Invalid signature". I have the following minimal example:-

#[derive(Debug, serde::Serialize, serde::Deserialize)]
pub struct Claims {
  iss: String,
  sub: String,
  iat: i64,
  exp: i64,
}

fn encode_decode_example() -> Result<(), Box<dyn std::error::Error>> {
    let encoding_key =
      EncodingKey::from_rsa_pem(include_bytes!("privateKey.pem"))?;
    let decoding_key =
      DecodingKey::from_rsa_pem(include_bytes!("publicKey.pem"))?;

    let iat = 1709145470;
    let exp = 1909546370;
    let claims = Claims {
      iss: "http://test_issuer.ai".to_string(),
      sub: "subject".to_string(),
      iat,
      exp,
    };

    let header = Header {
      alg: Algorithm::RS256,
      typ: Some("JWT".to_string()),
      ..Default::default()
    };
    let token = encode(&header, &claims, &encoding_key)?;

    println!("Token: {:?}", token);

    let token_data = decode::<Claims>(&token, &decoding_key, &Validation::new(Algorithm::RS256))?;
    println!("Token Data: {:?}", token_data.claims);

    Ok(())
  }

and I generate my keys like so:-

openssl genpkey -algorithm RSA -out privateKey.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in privateKey.pem -out publicKey.pem

The code works fine, no issues.

Any idea what the issue could be? I am generating my own access tokens to use with other services.

Thank you.
@waynr
Copy link

waynr commented Mar 20, 2024
edited
Loading

I've run into a similar issue and have identified the problem as being incompatible signature format.

In the product I am working on I am attempting to validate JWTs whose signatures were produced by google cloud's KMS. In KMS signature verification example doc we can see the doc writers assume a KMS-generated signature would be in ASN1 format:

        // Verify Elliptic Curve signature.
        var parsedSig struct{ R, S *big.Int }
        if _, err = asn1.Unmarshal(signature, &parsedSig); err != nil {
                return fmt.Errorf("asn1.Unmarshal: %w", err)
        }

But jsonwebtoken seems to assume a PKCS#11 style "fixed" signature serialization format

With no way to prefer (when signing) or detect (when verifying) the use of ASN1 for signature serialization.

I'd be willing to submit a PR to address this issue if the maintainer could provide guidance on the preferred approach for enabling the detection or selection of signature serialization format at the public crate api level. I imagine it could be as simple as providing encode_asn1 and decode_asn1 funtions.

@dxvid-pts
Copy link

I have the same problem. JWT tokens generated using this library are incompatible with my other apis and jwt.io.

Does there exist a workaround?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@waynr @dxvid-pts @KevinNaidoo