Using ES256 with public key from PEM? #71
Comments
|
Your public key is in the If you notice, in the docs, I haven't documented a way to convert the public key for EC keys into this form using openssl because there is apparently no way to do so. See briansmith/ring#476 and https://unix.stackexchange.com/a/349682/189657 I'm waiting for briansmith/ring#378 to land to better support this. |
|
Thanks, I didn't know that those two different forms existed. Those links were exactly what I needed! I played around a bit, and got it working now. On the way to get there I wrote a DER parser with Working example: extern crate biscuit;
extern crate pem;
extern crate ring;
extern crate serde_json;
extern crate untrusted;
use biscuit::*;
use biscuit::jwa::*;
use biscuit::jws::*;
use pem::parse;
use ring::signature::spki::ECDSA_P256_SHA256;
use ring::signature::spki::parse_spki;
use serde_json::Value as Json;
use untrusted::Input;
fn main() {
let public_key_pem = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENyf5aq1BaIfddcwuMzw9jgbc35aLYCRXlEmiuALvyJH2OMdRz2h+b/migOEbcDZYXmDKMrtGnD5XmYoonghgpg==\n-----END PUBLIC KEY-----";
let jwt = "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoic2VydmljZSIsImlhdCI6MTQ5MjkzODU4OH0.do_XppIOFthPWlTXL95CIBfgRdyAxbcIsUfM0YxMjCjqvp4ehHFA3I-JasABKzC8CAy4ndhCHsZdpAtKkqZMEA";
let parsed_pem = parse_pem_ring(public_key_pem.as_bytes());
let signing_secret = Secret::PublicKey(parsed_pem);
let token = JWT::<Json, biscuit::Empty>::new_encoded(jwt);
let decoded = token.into_decoded(&signing_secret, SignatureAlgorithm::ES256);
println!("{:?}", decoded);
}
fn parse_pem_ring(in_pem: &[u8]) -> Vec<u8> {
let pem_contents = parse(in_pem).unwrap().contents;
let inp = Input::from(&pem_contents);
let spki = parse_spki(&ECDSA_P256_SHA256, inp).unwrap();
let public_key = spki.subject_public_key.as_slice_less_safe().to_vec();
public_key
}Inside the [replace]
"ring:0.7.5" = { git = "https://github.com/hobofan/ring", branch = "rebased_378" }
"biscuit:0.0.2" = { git = "https://github.com/hobofan/biscuit", branch = "fix_ecdsa_verify" } |
|
Thank you for digging around. I ran out of time the last time round when I was figuring this out and never got back to looking into it. Would you mind sharing the tool you wrote with |
|
It was just a small function, which I wrote after I saw that the ASN.1 structure of a SPKI is pretty simple with an online debugging tool. The License for the code is MIT, to fit the repo, so feel free to do with it what you feel is best for other users. Thanks for all the work you have done with biscuit! extern crate yasna;
extern crate pem;
use pem::parse;
fn parse_pem(in_pem: &[u8]) -> Vec<u8> {
let pem_contents = parse(in_pem).unwrap().contents;
let asn_content = yasna::parse_der(&pem_contents, |reader| {
reader.read_sequence(|reader| {
try!(reader.next().read_sequence(|info_reader| {
info_reader.next().read_oid().unwrap();
info_reader.next().read_oid().unwrap();
Ok(())
}));
let b = try!(reader.next().read_bitvec());
return Ok(b);
})
}
).unwrap();
let public_key = asn_content.to_bytes();
public_key
} |
|
Thanks. I've opened #73 to deal with this, in some form. |
I am trying to decode and verify a JWT that has been signed with ES256, where I have the public key in form of PEM.
With #53 still open, this seems to be outside of the currently supported scope, so I tried to get it to work with help of the
pemcrate. However if I try to decode the JWT I getErr(ValidationError(InvalidSignature))as a result. The same testcase implemented in node.js correctly verifies the signature.Does anybody know what I'm doing wrong? Any help is appreciated!
Testcase:
The text was updated successfully, but these errors were encountered: