<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>Some progress: my problem is related somehow to incorrectly getting the public key from n and e stored in the keystore. If I retrieve the whole key directly (JWKSet.load) from the keystore it works. </div>
<div><br>
</div>
<div>This is the public key that can be used there for the current MitreId keys:</div>
<div><br>
</div>
<div>
<div>-----BEGIN PUBLIC KEY-----</div>
<div>MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbfOzmvw9Aqmwp6hR3YGPPdMmRSWNaowPxf3xJohvUsTt0JDOL2PA7nwUYvSJ5jUN+ev36DWKJjyw3NX5vJrAr3xb3IWKilqCF+gq3FeBQPymLR8s95aYCSe2Ofbxn9Zm+8DbrkQtsGGmE9cQlwWF3NR+ARIdW6oUwSqnWkH4I/QIDAQAB</div>
<div>-----END PUBLIC KEY----- </div>
</div>
<div><br>
</div>
<div>Regards,</div>
<div>Luiz</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Justin Richer <<a href="mailto:jricher@mit.edu">jricher@mit.edu</a>><br>
<span style="font-weight:bold">Date: </span>Monday, July 6, 2015 at 2:53 PM<br>
<span style="font-weight:bold">To: </span>Luiz Omori <<a href="mailto:luiz.omori@dm.duke.edu">luiz.omori@dm.duke.edu</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>" <<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [mitreid-connect] RS256 signature and keys<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">The keys on jwt.io need to be uploaded in PEM format, if I’m not mistaken. If you’re trying to paste a JWK in there it’s not going to work.</div>
<div class=""><br class="">
</div>
The signatures generated with the Nimbus library that MITREid is built in have been validated in a variety of different systems and platforms including the OpenID Foundation’s own certification tests. Same with the encrypted tokens.
<div class=""><br class="">
</div>
<div class="">I’ve never seen the message that you’re referring to below. Are you using the Nimbus library as it’s intended to be used? Are you trying to do the signing yourself or are you using the JwtSigner objects? As far as I’ve seen, there’s no chunking
or padding required by the user of the JWT libraries. You simply take your content and sign it. There might be some padding and hashing required, but that’s all under the hood in the crypto implementation, which you shouldn’t be touching. Even if you’re feeding
the crypto objects directly, which I don’t recommend, then in my experience it’s still a matter of just feeding it the right data arrays with no special preparation. </div>
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class="">
<div class="">
<div class=""><br class="">
</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Jul 6, 2015, at 1:25 PM, Luiz Omori <<a href="mailto:luiz.omori@duke.edu" class="">luiz.omori@duke.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div class="">Hi,</div>
<div class=""> </div>
<div class="">I’ve been using <a href="http://jwt.io/" class="">http://jwt.io</a> to debug JWT tokens but couldn’t verify the signature. Anybody else having problems with that? I’ve also played a bit with Jose4j and Nimbus in Java but failed also.</div>
<div class=""><br class="">
</div>
<div class="">Also, I may be wrong but apparently the RS256 minimum key size is 2048 so MitreId may want to update its default key (I know, I know, we should replace it anyway…but just to give a good example). And while at that, had an interesting error while
trying to sign (using Nimbus) a message with a locally generated key: “javax.crypto.BadPaddingException: Message is larger than modulus”. In that particular instance there was a bug in my code however while researching the error found out that there is a
limitation on the size of the encrypted text which is quite short (117 for 1024 bits key - TBC). So, is the JWT broken in chunks if above that size? How should I pad? </div>
<div class=""><br class="">
</div>
<div class="">Regards,</div>
<div class="">Luiz</div>
</div>
_______________________________________________<br class="">
mitreid-connect mailing list<br class="">
<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">
<a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</div>
</span>
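<div>The two points the thread turns on, reconstructing an RSA public key from a JWK's <code>n</code> and <code>e</code> and the question of whether a JWT longer than an RSA block needs chunking or user-side padding, are shown below in a self-contained Python example. This is added illustration, not code from the thread, from MITREid Connect or from the Nimbus library; it assumes Python 3.8+ (for <code>pow(e, -1, phi)</code>) and uses a constructed, test-only 1024-bit key for speed, which is below the 2048-bit minimum RFC 7518 requires for RS256 in production. The JWK parameters are unsigned big-endian integers in unpadded base64url; decoding them with standard base64 or as signed values gives a different modulus and every verification fails, which matches the symptom in the top message. The RS256 code hashes the signing input with SHA-256 first, so the RSA primitive always sees a fixed-size DigestInfo regardless of token length.</div>

```python
import base64
import hashlib
import hmac
import json
import secrets

# --- base64url and JWK parameters (RFC 7515 / RFC 7518 6.3.1) ---------------

def b64url_decode(s):
    """JWK/JWS values are base64url WITHOUT padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def int_to_b64url(i):
    return b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))

def jwk_to_public_numbers(jwk):
    """'n' and 'e' are unsigned big-endian integers. Standard base64, a
    two's-complement conversion or a padded value silently yields a wrong modulus."""
    return (int.from_bytes(b64url_decode(jwk["n"]), "big"),
            int.from_bytes(b64url_decode(jwk["e"]), "big"))

def public_numbers_to_jwk(n, e, kid):
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": int_to_b64url(n), "e": int_to_b64url(e)}

# --- RS256 = RSASSA-PKCS1-v1_5 over SHA-256 (RFC 8017) ----------------------
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg, em_len):
    # The message is hashed first: the RSA primitive always sees a 51-byte
    # DigestInfo padded to the modulus size, so the JWT is never chunked.
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input, n, d):
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(signing_input, k), "big")
    return pow(m, d, n).to_bytes(k, "big")

def rs256_verify(signing_input, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(signing_input, k))

# --- test-only key generation (Miller-Rabin). 1024 bits is for speed only and
#     is below the 2048-bit minimum RFC 7518 requires for RS256. --------------

def _probable_prime(n, rounds=32):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def generate_rsa_key(bits=1024, e=65537):
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:   # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

# --- JWT build / verify against a JWK Set (hypothetical kid values) ---------

def build_jwt(claims, kid, n, d):
    enc = lambda o: b64url_encode(json.dumps(o, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode("ascii"), n, d))

def verify_jwt(token, jwks):
    """Return the claims if the signature verifies under the kid's JWK, else None."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "RS256":   # pin the algorithm; never let the token choose it
        return None
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        return None
    n, e = jwk_to_public_numbers(jwk)
    if not rs256_verify((h_b64 + "." + c_b64).encode("ascii"), b64url_decode(s_b64), n, e):
        return None
    return json.loads(b64url_decode(c_b64))

if __name__ == "__main__":
    n, e, d = generate_rsa_key()
    jwks = {"keys": [public_numbers_to_jwk(n, e, "test-kid")]}   # constructed JWK Set
    claims = {"iss": "https://issuer.example", "sub": "alice", "scope": "openid " * 20}
    token = build_jwt(claims, "test-kid", n, d)
    print(len(token.rsplit(".", 1)[0]), "byte signing input; verified:", verify_jwt(token, jwks) == claims)
```

<div>The signing input in the demo is several hundred bytes, well past the 117-byte PKCS#1 v1.5 encryption limit for a 1024-bit key that the original question cites, and it signs and verifies without any chunking because only the 32-byte SHA-256 digest reaches the RSA operation. That limit applies to RSA encryption of raw data, not to signing. Verification also pins <code>alg</code> to RS256 and selects the key by <code>kid</code> from the JWK Set, the two checks a verifier should do before trusting the header.</div>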
</body>
</html>