EC512 signatures fail to interoperate with other libraries
Working on a project which requires that JWS signed JWTs work across several different platforms. Currently testing with pyjwt, json-jwt (Ruby), and Nimbus. Here are the scenarios that we've found.
- Nimbus can create and verify its own signatures correctly.
- Pyjwt and json-jwt can create and verify their own signatures and can verify one another's.
- Nimbus cannot verify signatures from either pyjwt or json-jwt.
- Neither pyjwt nor json-jwt can verify signatures from Nimbus.
I've attached some tests and the keys we're using. Can someone provide some guidance on what we're doing wrong?
Comments (7)
-
Account Deactivated reporter -
Thank you for reporting this. We'll repeat the tests.
-
- changed status to open
-
Hi Eric,
We went through the ECDSA tests included in the Nimbus JOSE+JWT lib and there is already an ES512 JUnit test using the official cookbook JWS from http://tools.ietf.org/html/draft-ietf-jose-cookbook-08#section-4.3 which passes (successful verify).
Note that ESx signatures are not deterministic so the cookbook example cannot be used to verify that the Nimbus ECDSA signer is correct. This can only be verified by plugging the resulting JWS into another lib which is deemed "correct". To do that we added an ES512 interop test with another major JOSE implementation for Java, the Jose4j project, and that passes too (see commit 4dd818e).
We will now try to add more tests to pin down the actual problem.
In the meantime, if you find something that can be of help, please let us know.
-
@wooder Could you try to verify the cookbook JWS example in Python and Ruby to ensure that their ECDSA implementation is indeed correct?
http://tools.ietf.org/html/draft-ietf-jose-cookbook-08#section-4.3
You can get the EC key used in the example from here:
http://tools.ietf.org/html/draft-ietf-jose-cookbook-08#section-3.1
-
Regarding interop of OpenSSL-generated EC keys: The correct name for P-256 curve keys in OpenSSL is prime256v1, not secp256k1. See commit f7bbfe6 for an automated test where OpenSSL PEM-encoded EC keys are imported for use in ES256/384/512 signing / verification. This thread from the OpenSSL mailing list can also be of help: http://openssl.6102.n7.nabble.com/P-256-curve-not-supported-in-openssl-1-0-1-td5379.html
-
- changed status to invalid
Hi Eric,
We're going to close this issue now with the assumption that the interop issues are with the mentioned counterpart libraries. Feel free to reopen it if you think something concrete should be done here.
Another interesting finding is that using Nimbus to sign and verify JWTs with EC256 keys generated as follows fail to verify with "invalid point" exceptions from Bouncy Castle.
openssl ecparam -genkey -name secp256k1 -noout -out testprivatekey-ec256.pem
512 and 384 work fine.
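
The curve mix-up discussed in this thread (prime256v1 versus secp256k1, and the "invalid point" failure reported above) can be caught before any signing is attempted by reading the named-curve OID out of the PEM key. The following is an added example, not code from the thread or from any of the libraries mentioned; the function names are hypothetical, the two sample keys are constructed structure-only placeholders, and it assumes a single-block PEM file such as the `-noout` command above produces.

```python
import base64

# Named-curve OID -> (OpenSSL curve name, JWS alg per RFC 7518, or None).
CURVES = {
    "1.2.840.10045.3.1.7": ("prime256v1", "ES256"),  # NIST P-256
    "1.3.132.0.34": ("secp384r1", "ES384"),          # NIST P-384
    "1.3.132.0.35": ("secp521r1", "ES512"),          # NIST P-521
    "1.3.132.0.10": ("secp256k1", None),             # not P-256, not valid for ES256
}

def decode_oid(raw):
    first = min(raw[0] // 40, 2)
    arcs, value = [first, raw[0] - 40 * first], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def iter_oids(der):  # walk DER TLVs depth-first, yield every OBJECT IDENTIFIER
    i = 0
    while i + 2 <= len(der):
        tag, length, i = der[i], der[i + 1], i + 2
        if length & 0x80:  # long-form length (P-521 keys need it)
            n = length & 0x7F
            length, i = int.from_bytes(der[i:i + n], "big"), i + n
        value, i = der[i:i + length], i + length
        if tag == 0x06:
            yield decode_oid(value)
        elif tag & 0x20:  # constructed: SEQUENCE, [0] parameters, ...
            yield from iter_oids(value)

def curve_and_alg(pem):  # returns (curve name, JWS alg or None)
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    for oid in iter_oids(base64.b64decode("".join(lines))):
        if oid in CURVES:
            return CURVES[oid]
    raise ValueError("no known named-curve OID in key")

def sample_pem(oid_tlv_hex):
    # Constructed, structure-only SEC1 ECPrivateKey: dummy scalar, no public key.
    oid = bytes.fromhex(oid_tlv_hex)
    body = b"\x02\x01\x01\x04\x20" + bytes(range(1, 33)) + bytes([0xA0, len(oid)]) + oid
    der = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    return f"-----BEGIN EC PRIVATE KEY-----\n{der}\n-----END EC PRIVATE KEY-----\n"

SECP256K1_PEM = sample_pem("06052b8104000a")
PRIME256V1_PEM = sample_pem("06082a8648ce3d030107")
```

A key for which `curve_and_alg` returns `None` as the algorithm should be rejected at load time rather than handed to an ES256 signer or verifier.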