[mitreid-connect] RS256 signature and keys

Justin Richer jricher at mit.edu
Mon Jul 6 14:53:50 EDT 2015


The keys on jwt.io need to be uploaded in PEM format, if I’m not mistaken. If you’re trying to paste a JWK in there it’s not going to work.

The signatures generated with the Nimbus library that MITREid is built on have been validated in a variety of different systems and platforms, including the OpenID Foundation’s own certification tests. Same with the encrypted tokens.

I’ve never seen the message that you’re referring to below. Are you using the Nimbus library as it’s intended to be used? Are you trying to do the signing yourself or are you using the JwtSigner objects? As far as I’ve seen, there’s no chunking or padding required by the user of the JWT libraries. You simply take your content and sign it. There might be some padding and hashing required, but that’s all under the hood in the crypto implementation, which you shouldn’t be touching. Even if you’re feeding the crypto objects directly, which I don’t recommend, then in my experience it’s still a matter of just feeding it the right data arrays with no special preparation. 

 — Justin
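As an added, stand-alone example (not code from the list, MITREid Connect or Nimbus), the following stdlib-only Python shows what an RS256 signature actually is, which is why the caller never chunks or pads anything: the signing input is hashed with SHA-256, the digest is wrapped in a fixed PKCS#1 v1.5 block exactly one modulus wide, and only that block goes through the RSA private operation. It also shows the mistake behind the "Message is larger than modulus" error quoted below (feeding the raw message to RSA as an integer) and writes out the PEM form of the public key, which is what jwt.io expects in place of a JWK. The toy key generator, the key field names `n`, `e`, `d` and the `kid` value are assumptions made for the example; the hand-rolled RSA is for illustration only and must not be deployed.

```python
# Added example, not code from the mailing list, MITREid Connect or Nimbus.
# Stdlib-only RS256 (RSASSA-PKCS1-v1_5 + SHA-256) JWT signer/verifier showing
# what a JOSE library does "under the hood". Illustration only; never deploy.
import base64, hashlib, hmac, json, math, secrets

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):  # cheap sieve first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:  # top two bits set so that p*q has exactly 2*bits bits
        candidate = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_rsa_key(bits: int = 2048, e: int = 65537) -> dict:
    """Toy key generation (assumed helper; real code uses the library's generator)."""
    if bits < 2048:  # RFC 7518 3.3: RS256 keys MUST be 2048 bits or larger
        raise ValueError("RS256 requires an RSA key of at least 2048 bits")
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}  # Python 3.8+

def emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo || SHA-256(message), em_len bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rsa_sign(message: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(message, k), "big")  # leading 00 byte => m < n
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")

def rsa_verify(message: bytes, sig: bytes, key: dict) -> bool:
    k = (key["n"].bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= key["n"]:
        return False
    em = pow(s, key["e"], key["n"]).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(message, k))

def sign_jwt(claims: dict, key: dict, kid: str = "rsa1") -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    return signing_input + "." + b64url(rsa_sign(signing_input.encode("ascii"), key))

def verify_jwt(token: str, key: dict) -> dict:
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "RS256":  # pin the alg; never honour "none"
        raise ValueError("unexpected alg")
    if not rsa_verify((h + "." + p).encode("ascii"), b64url_decode(s), key):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def raw_rsa_input_too_large(message: bytes, key: dict) -> bool:
    # The mistake behind "Message is larger than modulus": RSA over the raw message, not the padded hash.
    return int.from_bytes(message, "big") >= key["n"]

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(ln)]) + ln) + content

def _der_uint(x: int) -> bytes:
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def public_key_pem(key: dict) -> str:
    """SubjectPublicKeyInfo PEM, the form jwt.io accepts (a pasted JWK will not verify)."""
    rsa_pub = _der(0x30, _der_uint(key["n"]) + _der_uint(key["e"]))
    spki = _der(0x30, _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsa_pub))
    body = base64.b64encode(spki).decode("ascii")
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + lines + "\n-----END PUBLIC KEY-----\n"
```

Generate a key, sign a claims set whose encoded signing input is longer than 256 bytes, and `verify_jwt` still succeeds because only the 51-byte DigestInfo plus padding ever meets the modulus; `raw_rsa_input_too_large` on the same signing input returns True, which is the condition a raw `Cipher.doFinal` call trips over. Paste the output of `public_key_pem` into the verification box on jwt.io together with the token.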


> On Jul 6, 2015, at 1:25 PM, Luiz Omori <luiz.omori at duke.edu> wrote:
> 
> Hi,
> 
> I’ve been using http://jwt.io to debug JWT tokens but couldn’t verify the signature. Anybody else having problems with that? I’ve also played a bit with Jose4j and Nimbus in Java but failed also.
> 
> Also, I may be wrong but apparently the RS256 minimum key size is 2048 so MitreId may want to update its default key (I know, I know, we should replace it anyway…but just to give a good example). And while at that, had an interesting error while trying to sign (using Nimbus) a message with a locally generated key: “javax.crypto.BadPaddingException: Message is larger than modulus”.  In that particular instance there was a bug in my code however while researching the error found out that there is a limitation on the size of the encrypted text which is quite short (117 for 1024 bits key - TBC). So, is the JWT broken in chunks if above that size? How should I pad? 
> 
> Regards,
> Luiz
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
