rs256 secret destructs after call

Question

rs256 secret destructs after call

Closed this issue 5 years ago · 4 comments

auto dec_obj = jwt::decode(enc_str, algorithms({ "rs256" }), secret(key));

where key is: auto key = R"(-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoRRQG+ib30x09eWtDpL0 wWahA+hgjc0lWoQU4lwBFjXV2PfPImiAvwxOxNG34Mgnw3K9huBYLsrvOQAbMdBm E8lwz8DFKMWqHqoH3xSqDGhIYFobQDiVRkkecpberH5hqJauSD7PiwDBSQ/RCDIj b0SOmSTpZR97Ws4k1z9158VRf4BUbGjzVt4tUAz/y2cI5JsXQfcgAPB3voP8eunx GwZ/iM8evw3hUOw7+nuiPyts7HSkvV6GMwrXfOymY/w07mYxw/2LnKInfsWBtcRI DG+Nrsj237LgtBhK7TkzuVrguq//+bkDwwF3qTRXGAX9KrwY4huRxDRslMIg30Hq gwIDAQAB -----END PUBLIC KEY----- )";

After, I call dec_obj.signature() or retrieve the secret and the object itself has the secret as set to empty.

Answer 1 · 2019-07-26T14:42:14.000Z

@armaansood
Thanks for reporting the issue. I have not understood the issue exactly. Would you be able to provide with a small example reproducing the issue ?

Answer 2 · 2019-10-01T09:23:53.000Z

Looks like I faced the same the issue.
I generated jwt via jwt.io using rs256: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.POstGetfAytaZS82wHcjoTyoqhMyxXiWdR7Nn7A29DNSl0EiXLdwJ6xC6AfgZWF1bOsS_TuYI3OG85AmiExREkrS6tDfTQ2B3WXlrr-wp5AokiRbz3_oB4OxG-W9KcEEbDRcZc0nH3L7LzYptiy1PtAylQGxHTWZXtGz4ht0bAecBgmpdgXMguEIcoqPJ1n3pIWk_dUZegpqx0Lka21H6XxUTxiy8OcaarA8zdnPUnV6AmNP3ecFawIFYdvJB_cm-GvpCSbr8G8y_Mllj8f4x9nBH8pQux89_6gUY618iYv7tuPWBFfEbLxtF2pZS6YC1aSfLQxeNe8djT9YjpvRZA"

public key: "-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSv
vkTtwlvBsaJq7S5wA+kzeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHc
aT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIy
tvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0
e+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWb
V6L11BWkpzGXSW4Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9
MwIDAQAB
-----END PUBLIC KEY-----"

When I tried to parse token I got exception: "InvalidSignatureError".
jwt::jwt_object obj = jwt::decode(token, jwt::params::algorithms({"rs256"}), jwt::params::verify(true), jwt::params::secret(key));
token = jwt,
key = public key

Could you help me?

Answer 3 · 2019-10-01T10:15:14.000Z

@russov
I think you guys are not providing the key in correct format i.e without proper newline between lines.
This worked for me:

std::string key = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSv\nvkTtwlvBsaJq7S5wA+kzeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHc\naT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIy\ntvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0\ne+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWb\nV6L11BWkpzGXSW4Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9\nMwIDAQAB\n-----END PUBLIC KEY-----";

auto dec_obj2 = jwt::decode(token, algorithms({"rs256"}), secret(key));
std::cout << dec_obj2.payload() << std::endl;

Can you confirm the same ?

Answer 4 · 2019-10-08T07:53:40.000Z

Please reopen if the issue is seen again.