JWT.Encode with certificate private key is not working #181
Comments
Hi @zzggs, can you post `string token=Jose.JWT.Encode(payload, privateKey, JwsAlgorithm.RS256, extraHeaders: headers);`? I really can't comment on
Hi @dvsekhvalnov, thanks a lot for your reply. I found the issue by myself: the issue is related to the free managed certificate on Azure App Service, which seems it cannot be used to sign and encrypt. I will try a new SSL certificate instead. I put the token on https://jwt.io/ and it told me invalid signature. I took a lot of time to research the source code and the Java JWS and JWE objects; finally I was going in the wrong direction.
So do you have more questions or need help? Or is it good to close the issue?
No, we created a self-signed SSL certificate and the same issue was thrown. Refer to the sample code:
When I use the above code to generate a signed token, it returns a string with the following format: If I use the above signed token to create an encrypted token and then post it to the target server as below: Response: I put the signed token on https://jwt.io/ and it also told me invalid signature.
Hi dvsekhvalnov, thanks for your help. I have read the post you mentioned but still cannot find the reason. I'm using JWT.Encode twice to generate a signed token with our private key and an encrypted token with the public key from another cert. I also tried using a JWK as the parameter to generate the signed token:
payload is our custom information, and the header contains a kid. Seems nothing is different; I still get the Tag mismatch error. The receiver told us there is no signature in the encrypted token; they asked us to sign the payload and header with our private key first. But I have used the following code to create a signed token:
Then I use the public key from another cert to create the encrypted token: The code is so simple but it is not working in our case. So confused about using Jose.
Can you share the code? Easier to reason about when you see it :) The given error looks like a key mismatch on the receiver side. E.g. it most likely verifies with a different key, not the one you used to encrypt.
Hi dvsekhvalnov, I have modified my previous post; the code is there, please help me check the code. Seems nothing is incorrect. Do you mean the receiver side is using a different cert to verify our token? Seems this is also possible.
What's inside Do you have the receiver code as well? Yes, I meant the receiver side is using a different cert and the authn tag didn't match, so it can't decrypt.
I have checked with the receiver; they are using the correct cert. Header and header1 only contain one key with different kid values, and will also include alg after encoding. Still not found what's wrong with my code. Response: `AES/GCM/NoPadding decryption failed: Tag mismatch!`
Show the full snippet so I can run it and try against Nimbus. I'm assuming the receiver is using the NimbusDS Java library?
Hi dvsekhvalnov, yes, you are great. The receiver is using Java Nimbus-JOSE-JWT. I only got Java sample code, no .NET sample. I can share the Java sample code:
Encrypt Method
And my code is so simple, using JWT.Encode twice, just 2 lines:
Your .NET code is fine. While your Java snippet is not the receiver, it is doing the same thing as .NET: sign and encrypt. Can you show the Java part that decodes your .NET-created token?
I'm afraid the answer is no. The receiver just showed sample code; I had contacted them before and they told us we need to sign the message with our private key first. There must be a difference between the Java and .NET code. It seems the following code makes a different change: Not sure what jwsObject looks like, but it must be different from the signedtoken we created: I think this is not a technology issue; I have no idea, so I'm taking a chance here.
Well, it's hard for me to help further without additional info. It sounds like a mismatch with keys to me; probably dig in the given direction. Did you register your public key at the receiver?
Yes, we confirmed with the receiver before. The receiver told us the message could be decrypted just now; I will try again to check if it is working now. Thanks.
We are using the following sample code:
```csharp
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Jose;

var payload = new Dictionary<string, object>()
{
    { "sub", "[email protected]" },
    { "exp", 1300819380 }
};
var headers = new Dictionary<string, object>()
{
    { "typ", "JWT" },
    { "cty", "JWT" },
    { "keyid", "111-222-333"}   // note: the standard JOSE header name for a key id is "kid" (RFC 7515, 4.1.4)
};
// Load the signing key from the PKCS#12 file. The "as" cast yields null when the
// platform hands back a non-CSP RSA implementation (e.g. RSACng or RSAOpenSsl);
// GetRSAPrivateKey() is the portable way to obtain the key on .NET Core.
var privateKey = new X509Certificate2("my-key.p12", "password",
    X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet).PrivateKey as RSACryptoServiceProvider;
// Compact JWS (header.payload.signature), signed with RS256
string token = Jose.JWT.Encode(payload, privateKey, JwsAlgorithm.RS256, extraHeaders: headers);
```
It seems there is no signature in this token, although the token format is correct as `BASE64URL(UTF8(JWS Protected Header)).BASE64URL(JWS Payload).BASE64URL(JWS Signature)` and the raw signature is there, when we use JwtSecurityTokenHandler to read this token:
```csharp
using System.IdentityModel.Tokens.Jwt;

var handler = new JwtSecurityTokenHandler();
// ReadJwtToken only parses the compact token; it does not verify the signature,
// so SigningKey/SecurityKey are populated only by ValidateToken(...).
var tokenData = handler.ReadJwtToken(token);
```
There is no SecurityKey or SigningKey in this JwtSecurityToken. What's wrong with the code?
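A complete sign-then-encrypt round trip with the receiver's decrypt-then-verify side, exercising the two key-mismatch failure modes this thread circles around, as an added example (not code from the issue or from jose-jwt's own sources). It assumes a jose-jwt build that accepts `RSA` keys (.NET Core) and generates throwaway keys in-process instead of loading certificates; `NestedJwtDemo`, `SignThenEncrypt` and `DecryptThenVerify` are names chosen here.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using Jose;

// Added demo (not from the issue or jose-jwt); keys are generated in-process
// instead of being loaded from certificates as the thread does.
public static class NestedJwtDemo
{
    // Sender: sign claims with our private key (RS256), then encrypt the compact
    // JWS for the receiver (RSA-OAEP + A256GCM); "cty":"JWT" marks a nested JWT.
    public static string SignThenEncrypt(IDictionary<string, object> payload,
                                         RSA senderPrivate, RSA receiverPublic, string kid)
    {
        var jwsHeaders = new Dictionary<string, object> { { "typ", "JWT" }, { "kid", kid } };
        string jws = JWT.Encode(payload, senderPrivate, JwsAlgorithm.RS256, extraHeaders: jwsHeaders);
        var jweHeaders = new Dictionary<string, object> { { "cty", "JWT" } };
        return JWT.Encode(jws, receiverPublic, JweAlgorithm.RSA_OAEP, JweEncryption.A256GCM,
                          extraHeaders: jweHeaders);
    }

    // Receiver: decrypt with its own private key, then verify the inner JWS with
    // the sender's registered public key. Returns the inner claims JSON.
    public static string DecryptThenVerify(string jwe, RSA receiverPrivate, RSA senderPublic)
    {
        string jws = JWT.Decode(jwe, receiverPrivate, JweAlgorithm.RSA_OAEP, JweEncryption.A256GCM);
        return JWT.Decode(jws, senderPublic, JwsAlgorithm.RS256);
    }

    public static void Main()
    {
        using RSA sender = RSA.Create(2048);
        using RSA receiver = RSA.Create(2048);
        using RSA stranger = RSA.Create(2048);   // a key that was never registered
        var payload = new Dictionary<string, object> { { "sub", "alice" }, { "exp", 1300819380 } };
        string jwe = SignThenEncrypt(payload, sender, receiver, "111-222-333");
        Console.WriteLine(JWT.Headers(jwe)["cty"]);                  // JWT: outer JWE wraps a JWS
        Console.WriteLine(DecryptThenVerify(jwe, receiver, sender)); // the claims JSON

        // Wrong receiver key: the CEK cannot be unwrapped and/or the GCM tag does
        // not verify (the "Tag mismatch" symptom seen in the thread).
        try { DecryptThenVerify(jwe, stranger, sender); }
        catch (Exception e) when (e is JoseException || e is CryptographicException)
        { Console.WriteLine("decrypt with wrong key failed: " + e.GetType().Name); }
        // Wrong sender key on the receiver: decryption works, signature check fails.
        try { DecryptThenVerify(jwe, receiver, stranger); }
        catch (IntegrityException e) { Console.WriteLine("signature check failed: " + e.Message); }
    }
}
```

Which exception surfaces for the wrong receiver key depends on the library and platform; on the Java Nimbus side the same situation is what shows up as the "Tag mismatch" response quoted above.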