jwtk/jjwt

Unable to verify RSA signature using configured PublicKey

tsiyona opened this issue · 3 comments

tsiyona commented

We are generating a JWT using a dedicated Go library, with a .pem private key of 2048-bit length.
The jwt was signed with RS512 algorithm.
On Java server side, we verify this jwt using jjwt and a corresponding public key as follows:

Jwts.parser().setSigningKey(publicKey).parseClaimsJws(jwt);

We fail here with the following error:
Unable to verify RSA signature using configured PublicKey. Signature length not correct: got 512 but was expecting 256

Since verification determines what algorithm to use for decryption by looking at alg property in the JWT header (and our alg value is RS512), why does verification expect a shorter key?

Looking at rfc 7581, I see that for RSA signature

A key of size 2048 bits or larger MUST be used with these algorithms

This is how we read the public key:

private RSAPublicKey readPublic(String keyFileName) { 

        try {
            KeyFactory keyFactory = KeyFactory.getInstance("RSA");

            String publicKeyContent = new String(Files.readAllBytes(Paths.get(KEYS_ROOT_DIR, keyFileName)));
            publicKeyContent = publicKeyContent
                    .replaceAll(System.lineSeparator(), "")
                    .replace("-----BEGIN PUBLIC KEY-----", "")
                    .replace("-----END PUBLIC KEY-----", "");

            X509EncodedKeySpec keySpec = new X509EncodedKeySpec(Base64.getDecoder().decode(publicKeyContent));
            return (RSAPublicKey) keyFactory.generatePublic(keySpec);

        } catch (Exception e) {
            logger.error("Failed reading public key from {}", Paths.get(KEYS_ROOT_DIR, keyFileName));
            return null;
        }
    }

Additional Details:

  1. We are using java 8
  2. My maven dependencies are:
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-api</artifactId>
    <version>0.11.2</version>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-impl</artifactId>
    <version>0.11.2</version>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-jackson</artifactId> <!-- or jjwt-gson if Gson is preferred -->
    <version>0.11.2</version>
    <scope>runtime</scope>
</dependency>

What are we doing wrong?

lhazlewood commented

Do you have the stack trace? I'm trying to figure out where the exception was thrown - either in JJWT or by the JDK/JCE layer.

stale commented

This issue has been automatically marked as stale due to inactivity for 60 or more days. It will be closed in 7 days if no further activity occurs.

stale commented

Closed due to inactivity.