Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JwkEC uses non-standard signature format #6670

Closed
andreblanke opened this issue Apr 21, 2023 · 0 comments · Fixed by #7185
Closed

JwkEC uses non-standard signature format #6670

andreblanke opened this issue Apr 21, 2023 · 0 comments · Fixed by #7185
Assignees
Labels
3.x Issues for 3.x version branch bug Something isn't working P1 security

Comments

@andreblanke
Copy link

Environment Details

  • Helidon Version: 4.0.0-ALPHA6
  • Helidon SE
  • JDK version: OpenJDK Runtime Environment Temurin-20+36 (build 20+36)
  • OS: Linux

Problem Description

The JwkEC class produces signatures using the SHA256withECDSA, SHA384withECDSA, and SHA512withECDSA algorithms which encode signatures in the ASN.1 DER format. This appears to violate RFC 7518 - JSON Web Algorithms (JWA) which states that a raw concatenation of the pair (R, S) should be used as encoding for the signature. Tokens produced by the current implementation will fail verification (unless the token consumer accepts the non-standard ASN.1 DER format for the signature).

Possibly relevant:

  • Support for verifying tokens whose signature uses the standard format was introduced in commit 40934aa using changeSignatureEncodingToDER.
  • For compliance with RFC 7518 it should be sufficient to populate JwkEC.ALG_MAP with SHA256withECDSAinP1363Format, SHA384withECDSAinP1363Format, and SHA512withECDSAinP1363Format instead. The changeSignatureEncodingToDER method could then be removed. This change would cause signature validation to fail for tokens signed with the current implementation.

Steps to reproduce

  1. Build a Jwt and sign it using JwkEC
  2. Pass SignedJwt.tokenContent() to an other JWT implementation (e.g., JOSE4j) for signature verification
  3. The verification fails
@m0mus m0mus added the triage label May 11, 2023
@Verdent Verdent added bug Something isn't working security P1 4.x Version 4.x and removed triage labels May 18, 2023
@Verdent Verdent added 3.x Issues for 3.x version branch and removed 4.x Version 4.x labels Jul 13, 2023
@m0mus m0mus added this to Backlog Aug 12, 2024
@m0mus m0mus moved this to Closed in Backlog Aug 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
3.x Issues for 3.x version branch bug Something isn't working P1 security
Projects
Archived in project
Development

Successfully merging a pull request may close this issue.

3 participants