1. connect2id Avatar connect2id
  2. Crypto
  3. Nimbus-JOSE-JWT
  4. Issues

Signature verification crashing with length error

Issue #72 resolved
jmandel created an issue

I'm hitting an occasional bug using nimbus-jose-jwt to parse JWSs generated by jwcrypto.

The error I'm seeing is:

Caught: com.nimbusds.jose.JOSEException: RSA signature exception: Signature length not correct: got 255 but was expecting 256

I'm not 100% sure who's at fault, but in any case I can report:

  1. jwcrypto is able to verify this JWS
  2. nimbus-jose-jwt should surely return false rather than crashing ;-)

Complete failing example attached. In the example, jws1 successfully verifies, while jws2 errors out.

Comments (12)

  7. Vladimir Dzhuvinov

    I just pushed a commit [see 89dbe85 ] that will cause the verifier to return false instead of re-throwing the underlying java.security.SignatureException as JOSEException.

  9. Vladimir Dzhuvinov

    The length of the key that you provided is 256 bytes:

    String json = "{\n" +
        "      \"kty\": \"RSA\",\n" +
        "      \"n\": \"f9BhJgBgoDKGcYLh+xl6qulS8fUFYxuWSz4Sk+7Yw2Wv4Wroe3yLzJjqEqH8IFR0Ow8Sr3pZo0IwOPcWHQZMQr0s2kWbKSpBrnDsK4vsdBvoP1jOaylA9XsHPF9EZ/1F+eQkVHoMsc9eccf0nmr3ubD56LjSorTsbOuxi8nqEzisvhDHthacW/qxbpR/jojQNfdWyDz6NC+MA2LYYpdsw5TG8AVdKjobHWfQvXYdcpvQRkDDhgbwQt1KD8ZJ1VL+nJcIfSppPzCbfM2eY78y/c4euL/SQPs7kGf+u3R9hden7FjMUuIFZoAictiBgjVZ/JOaK+C++L+IsnCKqauhEQ==\",\n" +
        "      \"e\": \"AQAB\",\n" +
        "      \"alg\": \"RS256\"\n" +
        "}";

    RSAKey key = RSAKey.parse(json);

    assertEquals(JWSAlgorithm.RS256, key.getAlgorithm());

    assertEquals(256, key.getModulus().decode().length);

    For a 256 bit key the resulting signature must have the same length, see http://stackoverflow.com/questions/6658728/rsa-signature-size

    I will look at the jwcrypto code for some explanation of the missing byte.

  10. Vladimir Dzhuvinov

    It looks like the jwcrypto code doesn't apply the required padding to computed signatures, which will cause them to be malformed if the resulting values are shorter than the required length.

    I posted a ticket for that https://github.com/mozilla/jwcrypto/issues/75

    By Monday we should have a new version out with the exception handling fixed, I will let you know.

  11. Vladimir Dzhuvinov

    Hi Josh,

    Just released a new version of the library (v. 2.21) which includes the above fix and should reach Maven Central by the end to today.

    version 2.21 (2013-11-25)
* Adds JWKSelector utility for retrieving one or more JSON Web Keys (JWKs)
  from a set according to selected criteria such as key type, use,
  algorithm and ID.
* Improves bad signature signalling in RSA-SSA signature verifier.
* Adds missing A192CBC-HS384 and A192GCM method support to RSA and direct
  encrypters / decrypters.
* Ensures all crypto providers advertise the supported algorithms through a
  public static unmodifiable set.

    If you encounter other problems, just let us know.

    Happy coding!

  13. Log in to comment
Assignee
Type
bug
Priority
major
Status
resolved
Component
Milestone
Votes
0
Watchers
2
Jira: the preferred issue tracker for Bitbucket. Join the team!