- edited description
Signature verification crashing with length error
I'm hitting an occasional bug using nimbus-jose-jwt
to parse JWS
s generated by jwcrypto
.
The error I'm seeing is:
Caught: com.nimbusds.jose.JOSEException: RSA signature exception: Signature length not correct: got 255 but was expecting 256
I'm not 100% sure who's at fault, but in any case I can report:
jwcrypto
is able to verify this JWSnimbus-jose-jwt
should surely returnfalse
rather than crashing ;-)
Complete failing example attached. In the example, jws1
successfully verifies, while jws2
errors out.
Comments (12)
-
reporter -
reporter -
reporter - edited description
-
reporter - edited description
-
Thanks for reporting this, we'll look at the issue.
-
reporter - edited description
-
I just pushed a commit [see 89dbe85 ] that will cause the verifier to return false instead of re-throwing the underlying java.security.SignatureException as JOSEException.
-
reporter Thanks! So your take is that
jwcrypto
is incorrectly generating + verifying this JWS? -
The length of the key that you provided is 256 bytes:
String json = "{\n" + " \"kty\": \"RSA\",\n" + " \"n\": \"f9BhJgBgoDKGcYLh+xl6qulS8fUFYxuWSz4Sk+7Yw2Wv4Wroe3yLzJjqEqH8IFR0Ow8Sr3pZo0IwOPcWHQZMQr0s2kWbKSpBrnDsK4vsdBvoP1jOaylA9XsHPF9EZ/1F+eQkVHoMsc9eccf0nmr3ubD56LjSorTsbOuxi8nqEzisvhDHthacW/qxbpR/jojQNfdWyDz6NC+MA2LYYpdsw5TG8AVdKjobHWfQvXYdcpvQRkDDhgbwQt1KD8ZJ1VL+nJcIfSppPzCbfM2eY78y/c4euL/SQPs7kGf+u3R9hden7FjMUuIFZoAictiBgjVZ/JOaK+C++L+IsnCKqauhEQ==\",\n" + " \"e\": \"AQAB\",\n" + " \"alg\": \"RS256\"\n" + "}"; RSAKey key = RSAKey.parse(json); assertEquals(JWSAlgorithm.RS256, key.getAlgorithm()); assertEquals(256, key.getModulus().decode().length);
For a 256 bit key the resulting signature must have the same length, see http://stackoverflow.com/questions/6658728/rsa-signature-size
I will look at the jwcrypto code for some explanation of the missing byte.
-
It looks like the jwcrypto code doesn't apply the required padding to computed signatures, which will cause them to be malformed if the resulting values are shorter than the required length.
I posted a ticket for that https://github.com/mozilla/jwcrypto/issues/75
By Monday we should have a new version out with the exception handling fixed, I will let you know.
-
Hi Josh,
Just released a new version of the library (v. 2.21) which includes the above fix and should reach Maven Central by the end to today.
version 2.21 (2013-11-25) * Adds JWKSelector utility for retrieving one or more JSON Web Keys (JWKs) from a set according to selected criteria such as key type, use, algorithm and ID. * Improves bad signature signalling in RSA-SSA signature verifier. * Adds missing A192CBC-HS384 and A192GCM method support to RSA and direct encrypters / decrypters. * Ensures all crypto providers advertise the supported algorithms through a public static unmodifiable set.
If you encounter other problems, just let us know.
Happy coding!
-
- changed status to resolved
- Log in to comment