jwt-cfml
EC256 Private Key Issue
I'm encountering an "Invalid PEM key." error while attempting to encode a token. What is strange is that when I walk through the code within the parsePEMEncodedKey() function, the if( find( '-----BEGIN PRIVATE KEY-----', pemKey ) ) is triggered, the RSA block throws an exception and is caught as intended, but when the EC block is executed, it seems to throw a silent exception. I updated the catch to rethrow, and nothing is triggered, but the return instruction is not executed, so I am assuming a silent exception.
Have you seen this behavior before?
I was able to port a bouncy castle pem reader example to CF. I then passed the private key to encode and public key to decode and it worked. The pem reader code I ported was from: https://connect2id.com/products/nimbus-jose-jwt/openssl-key-generation
I am not sure what is up. How did you generate your key? I presume you encoded your key in PKCS#8 format? Also, could you tell me which version of ACF/Lucee you are on?
CF-2016. Key generation was openssl via similar instructions to your README: https://developers.google.com/pay/api/web/guides/resources/payment-data-cryptography#using-openssl
Ok, so to be clear, after you run:
openssl ecparam -name prime256v1 -genkey -noout -out key.pem
you should run:
openssl pkcs8 -topk8 -nocrypt -in key.pem -out key.pk8
The output of this second command (the .pk8 extension is not required) is the format of the key that is needed to use with this library. Is that what you did?
Correct. Strange. I can send you a snippet on how I fixed the issue. With bouncy castle I'm able to use the key.pem file directly, which is nice.
Quick question: the signing appears to be a single direction. Is this correct? Meaning I can sign with the private key and validate the signature with the public key, but the other way around fails, unlike PKI encryption which can encrypt & decrypt in both directions.
-- Steve Sommers Chief Application Architect Shift4 Payments 702.597.2480 ext.3121
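The two points raised in this thread, the key encoding the maintainer asks for (SEC1 output of `openssl ecparam` re-encoded as PKCS#8) and the one-way nature of ES256 signing, worked through in shell as an added example. This is not jwt-cfml code and not code posted by either participant; it assumes only `openssl` 1.1 or later plus POSIX `awk`, `od`, `cut`, `tr` and `grep`, and the file names, claims and working directory are made up. The DER-to-raw conversion is included because `openssl dgst` emits an ASN.1 `SEQUENCE { r, s }` signature while JWS (RFC 7518, section 3.4) requires the raw 64-byte `r || s`; a JWT library does that step for you, `openssl` on the command line does not.

```shell
#!/bin/sh
# Added example for the jwt-cfml thread; not the library's code nor the posters' code.
# Assumes: openssl 1.1+ and POSIX awk, od, cut, tr, grep. File names are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The maintainer's two steps: generate a prime256v1 (P-256) key, then re-encode it
# as unencrypted PKCS#8 ("BEGIN PRIVATE KEY"). Also derive the SPKI public key.
gen_keys() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem"
  openssl pkcs8 -topk8 -nocrypt -in "$WORK/key.pem" -out "$WORK/key.pk8"
  openssl pkey -in "$WORK/key.pk8" -pubout -out "$WORK/pub.pem"
}

# Classify a PEM file by its header: the raw ecparam output is SEC1
# ("EC PRIVATE KEY"); only the pkcs8 conversion carries "PRIVATE KEY".
pem_kind() {
  if grep -q -- '-----BEGIN EC PRIVATE KEY-----' "$1"; then echo sec1
  elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then echo pkcs8
  elif grep -q -- '-----BEGIN PUBLIC KEY-----' "$1"; then echo spki
  else echo other
  fi
}

# base64url without padding (RFC 7515 section 2) of stdin.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Write the bytes of a hex string to stdout (printf %b with octal escapes; no xxd needed).
hex_to_bin() {
  printf '%b' "$(printf '%s' "$1" | awk '{ h = "0123456789abcdef"; s = tolower($0)
    for (i = 1; i <= length(s); i += 2)
      printf "\\0%03o", (index(h, substr(s, i, 1)) - 1) * 16 + index(h, substr(s, i + 1, 1)) - 1 }')"
}

# DER ECDSA signature file -> raw r||s as 128 hex chars (each integer left-padded to 32 bytes).
der_sig_to_raw_hex() {
  openssl asn1parse -inform DER -in "$1" \
    | awk -F: '/INTEGER/ { v = $NF; gsub(/[^0-9A-Fa-f]/, "", v)
        while (length(v) < 64) v = "0" v; printf "%s", v }'
}

# Hex of one unsigned big-endian integer -> DER INTEGER (minimal, 0x00 pad if high bit set).
der_int() {
  printf '%s' "$1" | awk '{ v = tolower($0); sub(/^(00)+/, "", v); if (v == "") v = "00"
    if (substr(v, 1, 1) ~ /[89a-f]/) v = "00" v
    printf "02%02x%s", length(v) / 2, v }'
}

# raw r||s (128 hex chars) -> DER SEQUENCE { INTEGER r, INTEGER s } as hex.
raw_hex_to_der_hex() {
  body="$(der_int "$(printf '%s' "$1" | cut -c1-64)")$(der_int "$(printf '%s' "$1" | cut -c65-128)")"
  printf '30%02x%s' $(( ${#body} / 2 )) "$body"
}

# ES256 = ECDSA over P-256 with SHA-256. Sign "header.payload" with a PKCS#8 private
# key and print the compact JWS. Returns non-zero if the key file cannot sign.
es256_sign() {  # $1 = key file, $2 = claims JSON
  hdr=$(printf '%s' '{"alg":"ES256","typ":"JWT"}' | b64url)
  pld=$(printf '%s' "$2" | b64url)
  printf '%s.%s' "$hdr" "$pld" \
    | openssl dgst -sha256 -sign "$1" -out "$WORK/sig.der" 2>/dev/null || return 1
  sig=$(hex_to_bin "$(der_sig_to_raw_hex "$WORK/sig.der")" | b64url)
  printf '%s.%s.%s' "$hdr" "$pld" "$sig"
}

# Verify a compact JWS against an SPKI public key; exit 0 only if the signature matches.
es256_verify() {  # $1 = public key file, $2 = compact JWS
  input=$(printf '%s' "$2" | cut -d. -f1,2)
  raw=$(printf '%s' "$2" | cut -d. -f3 | tr -- '-_' '+/' \
    | awk '{ n = length($0) % 4; printf "%s%s", $0, (n ? substr("====", 1, 4 - n) : "") }' \
    | openssl base64 -d -A | od -An -v -t x1 | tr -d ' \n')
  [ "${#raw}" -eq 128 ] || return 1
  hex_to_bin "$(raw_hex_to_der_hex "$raw")" > "$WORK/sig.der"
  printf '%s' "$input" | openssl dgst -sha256 -verify "$1" -signature "$WORK/sig.der" >/dev/null 2>&1
}

gen_keys
echo "key.pem is $(pem_kind "$WORK/key.pem"); key.pk8 is $(pem_kind "$WORK/key.pk8")"
jwt=$(es256_sign "$WORK/key.pk8" '{"sub":"steve","iss":"example"}')
echo "$jwt"
es256_verify "$WORK/pub.pem" "$jwt" && echo "verified with the public key"
# Signing is one-way: the public key holds no private scalar, so openssl refuses to sign with it.
es256_sign "$WORK/pub.pem" '{"sub":"steve"}' >/dev/null || echo "signing with the public key fails, as expected"
```

Running it prints `key.pem is sec1; key.pk8 is pkcs8`, a token whose header segment is `eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9`, and the two direction messages. Feeding `key.pem` (SEC1) where a PKCS#8 parser is expected is exactly the mismatch `pem_kind` makes visible; the Bouncy Castle PEM reader accepts both headers, which is why it worked on the unconverted file.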