Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] JWE header alg attribute with value http://www.w3.org/2001/04/xmlenc#rsa-oaep instead of RSA-OAEP #2089

Closed
11 tasks
RogerioWagner opened this issue May 26, 2023 · 5 comments · Fixed by #2578
Closed
11 tasks

[Bug] JWE header alg attribute with value http://www.w3.org/2001/04/xmlenc#rsa-oaep instead of RSA-OAEP #2089

RogerioWagner opened this issue May 26, 2023 · 5 comments · Fixed by #2578
Assignees
@FuPingFranco
Labels
Bug Product is not functioning as expected Compliance Internal build requires changes Customer reported Indicates issue was opened by customer P2 High, but not urgent. Needs to be addressed within the next couple of sprints
Milestone
7.6.0

Comments

@RogerioWagner
Copy link

Which version of Microsoft.IdentityModel are you using?

Microsoft.IdentityModel 6.30.1

Where is the issue?

  • [ X] M.IM.JsonWebTokens
  • M.IM.KeyVaultExtensions
  • M.IM.Logging
  • M.IM.ManagedKeyVaultSecurityKey
  • M.IM.Protocols
  • M.IM.Protocols.OpenIdConnect
  • M.IM.Protocols.SignedHttpRequest
  • M.IM.Protocols.WsFederation
  • M.IM.TestExtensions
  • [ X] M.IM.Tokens
  • M.IM.Tokens.Saml
  • M.IM.Validators
  • M.IM.Xml
  • [X ] S.IM.Tokens.Jwt
  • Other (please describe)

Is this a new or an existing app?

The app is in production and next release requires interoperability with other apps written in different languages (ie: GoLang)

Repro

*SigningCredentials and EncryptingCredentials was created using a X509Certificate2 with public and private keys

            SecurityTokenDescriptor tokenDescriptor = new SecurityTokenDescriptor
            {
                Issuer = _openIdConfigurationService.OpenIdConfiguration.Issuer,
                IssuedAt = issuedAt,
                Subject = request.Claims,
                NotBefore = issuedAt.AddSeconds(-1),
                Expires = expires,
                SigningCredentials = credentials.SigningCredentials,
                EncryptingCredentials = credentials.EncryptingCredentials,
                TokenType = "JWE"
            };

            JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
            JwtSecurityToken token = tokenHandler.CreateJwtSecurityToken(tokenDescriptor);

Expected behavior

Algorithm (alg) should be one of the registered at IANA "JSON Web Signature and Encryption Algorithms" (https://www.iana.org/assignments/jose/jose.xhtml) as described on topic 4.1.1 of RFC7516 (https://datatracker.ietf.org/doc/html/rfc7516#page-12)

{
  "alg": "RSA-OAEP",
  "enc": "A128CBC-HS256",
  "kid": "0758B2A8DF6B980E569421870D7CFE29E65D26EB",
  "typ": "JWE",
  "cty": "JWT"
}

Actual behavior

{
  "alg": "http://www.w3.org/2001/04/xmlenc#rsa-oaep",
  "enc": "A128CBC-HS256",
  "kid": "0758B2A8DF6B980E569421870D7CFE29E65D26EB",
  "typ": "JWE",
  "cty": "JWT"
}

Possible solution
Change the KeyWrapper providers to declare header alg complaint to IANA document
@RogerioWagner RogerioWagner changed the title [Bug] [Bug] JWE header alg attribute with value http://www.w3.org/2001/04/xmlenc#rsa-oaep instead of RSA-OAEP May 29, 2023
@brentschmaltz brentschmaltz added Customer reported Indicates issue was opened by customer Bug Product is not functioning as expected labels May 31, 2023
@brentschmaltz
Copy link
Member

@RogerioWagner sorry for the hassle, we will fix this.

@RogerioWagner
Copy link
Author

@brentschmaltz, thanks for the reply! I have a test environment where a Go client need to validate and decrypt a JWE issued by a dotnet core service, count on me to help test the new version identity model assembly

@jennyf19
Copy link
Collaborator

@brentschmaltz, thanks for the reply! I have a test environment where a Go client need to validate and decrypt a JWE issued by a dotnet core service, count on me to help test the new version identity model assembly

Just saw this @RogerioWagner , thanks for offering to test the new version. It's already out, we had to hit .NET 8's RC 2 with a non-preview version. If you have any feedback on 7.0.0, we would love to hear it. I assume this issue is still present in 7.0.0?

@jennyf19 jennyf19 added the Compliance Internal build requires changes label Sep 15, 2023
@RogerioWagner
Copy link
Author

@brentschmaltz, thanks for the reply! I have a test environment where a Go client need to validate and decrypt a JWE issued by a dotnet core service, count on me to help test the new version identity model assembly

Just saw this @RogerioWagner , thanks for offering to test the new version. It's already out, we had to hit .NET 8's RC 2 with a non-preview version. If you have any feedback on 7.0.0, we would love to hear it. I assume this issue is still present in 7.0.0?

Hi @jennyf19, sorry for the delay I was OOF and did not saw your post.

I think it's not fixed yet; I bumped the System.IdentityModel.Tokens.Jwt to version 7.0.1 and the JWE issued had the below header:

{
  "alg": "http://www.w3.org/2001/04/xmlenc#rsa-oaep",
  "enc": "A128CBC-HS256",
  "kid": "1359A14E054F33548B84BF8521997162EE6CC443",
  "typ": "JWE",
  "cty": "JWT"
}

Let me know if I can contribute with any further information.

@brentschmaltz
Copy link
Member

brentschmaltz commented Sep 28, 2023
edited
Loading

@RogerioWagner thanks, we will look into this.
@jennyf19 this will work with our assemblies because we treat "http://www.w3.org/2001/04/xmlenc#rsa-oaep" and "RSA-OAEP" as the same, interop could be broken.

@jennyf19 jennyf19 added the P2 High, but not urgent. Needs to be addressed within the next couple of sprints label Mar 28, 2024
@FuPingFranco FuPingFranco self-assigned this Apr 24, 2024
@FuPingFranco FuPingFranco mentioned this issue May 1, 2024
Merged
@kellyyangsong kellyyangsong added this to the 7.6.0 milestone Jun 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@FuPingFranco FuPingFranco

Labels
Bug Product is not functioning as expected Compliance Internal build requires changes Customer reported Indicates issue was opened by customer P2 High, but not urgent. Needs to be addressed within the next couple of sprints
Projects
None yet
Milestone
7.6.0
5 participants
@brentschmaltz @jennyf19 @RogerioWagner @FuPingFranco @kellyyangsong