- Sponsor
-
Notifications
You must be signed in to change notification settings - Fork 645
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lax JWK Decoding Issue #591
Comments
For reference, here's the script I used to convert the "wrong" form of the public key into the right form, using JOSE v4.11.1: const jose = require('jose');
(async () => {
const key = await jose.importJWK({
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "jwk-rsa",
"n": "AKLMe2qRcXdeqtYEiA5Cv64eA3TOI_eoZbwoyl20E-skY4gCExE3BBugEdyFaKiopGVczSIQJwlzI2-mJYwMBz8iDsAx913E2it84LjTELP-9D5F1N9R50eH76raBq0SxfIx-vL0mVFX7o9A6032lnwMLI3Dhj2HxGD7ZVvaj7l2mypPA2zad6JkcS6XSugI-lXxWtTHln4FxtvG7kjEpBQtjZXcsJgU-wsxdxPRIxCtm0aznSogjHgrtSuD4nsN6OAiWz154JUCq0WcB6VBMR-LaH68iSWpAjyv4sMvEVXkOOr-vqXMAhsYedKWF2496bHUhDtGMqILqprqbed3Rz0="
}, "RS256");
const pub = await jose.exportSPKI(key);
console.log(pub);
const jwkPub = await jose.exportJWK(key);
console.log(JSON.stringify(jwkPub,null,2));
})(); |
Hi @madaster97 , I got the issue.
I'll fix the issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi there,
If you format an RSA JWK in a slightly incorrect way, this tool will still count it as valid for validating JWTs. However, other tools such as JWT.IO and Microsoft libraries do not count these keys as correct, so using this tool can cause compatibility issues.
Details:
To start, JWT.IO does not like the invalid public key.
However, rsasignjs count this key as valid:
Can you tell where the inconsistency is coming from? I've run into something like this before, and it could be because of missing padding on the raw "n" field of the keys.
The text was updated successfully, but these errors were encountered: