
JWT::JWK::EC#public_key returns unexpected type

Open bellebaum opened this issue 3 years ago • 2 comments

Hey,

I was trying to use a JWK inside a block in JWT.decode, since I cannot use the jwks option because (for backwards compatibility reasons) I need special handling of the situation where no kid is present in the token header (i.e. if the issuer only has one key, use that one).

When trying to get the public key from a JWT::JWK using .public_key, its usability depends on the kty.

For RSA and in particular OpenSSL::PKey::RSA, you get another OpenSSL::PKey::RSA object, for which .private? returns false. For EC and in particular OpenSSL::PKey::EC, you get an OpenSSL::PKey::EC::Point.

This seems unexpected and causes the validation to fail for EC, since a Point has no method dsa_verify_asn1 used in the EC Algo.

For me, using .keypair instead solved the issue but always exporting the private key as well seems like a bad habit. Should JWT::JWK::EC#public_key return OpenSSL::PKey::EC even though OpenSSL::PKey::EC#public_key does not?

bellebaum, Oct 21 '22 16:10
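Added example (not code from the issue or from ruby-jwt) showing the type mismatch described above and one way to derive a verify-only OpenSSL::PKey::EC from a keypair, so the private scalar never has to be handed to the decoder. The P-256 keypair and the signed message are constructed for the example.

```ruby
require 'openssl'

# Constructed sample P-256 keypair (not a key from the issue or the project).
KEYPAIR = OpenSSL::PKey::EC.generate('prime256v1')

# OpenSSL::PKey::EC#public_key hands back a curve point, not a key object,
# so it cannot be passed to a verifier that calls dsa_verify_asn1.
def point_can_verify?(keypair)
  keypair.public_key.respond_to?(:dsa_verify_asn1)
end

# Build a verify-only OpenSSL::PKey::EC that carries no private scalar.
# ruby/openssl 3.x keys are immutable, so go through the SubjectPublicKeyInfo
# encoding; older gems lack public_to_der, so fall back to setting the point.
def public_only_key(keypair)
  if keypair.respond_to?(:public_to_der)
    OpenSSL::PKey::EC.new(keypair.public_to_der)
  else
    pub = OpenSSL::PKey::EC.new(keypair.group)
    pub.public_key = keypair.public_key
    pub
  end
end

# Sign with the full keypair, verify with the public-only key using the
# dsa_sign_asn1 / dsa_verify_asn1 pair the issue refers to.
def roundtrip_verifies?(keypair, message)
  digest = OpenSSL::Digest::SHA256.digest(message)
  sig = keypair.dsa_sign_asn1(digest)
  public_only_key(keypair).dsa_verify_asn1(digest, sig)
end

# A modified message must fail against the original signature.
def tampered_rejected?(keypair, message)
  digest = OpenSSL::Digest::SHA256.digest(message)
  sig = keypair.dsa_sign_asn1(digest)
  other = OpenSSL::Digest::SHA256.digest(message + 'x')
  !public_only_key(keypair).dsa_verify_asn1(other, sig)
end

if __FILE__ == $PROGRAM_NAME
  pub = public_only_key(KEYPAIR)
  puts "Point responds to dsa_verify_asn1: #{point_can_verify?(KEYPAIR)}"
  puts "public-only key class: #{pub.class}, private?: #{pub.private?}"
  puts "signature verifies: #{roundtrip_verifies?(KEYPAIR, 'header.payload')}"
end
```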

We should dig deeper into this one and fix the EC public key representation. Could also be a limitation of ruby/openssl?

anakinj, Feb 02 '23 20:02

Probably the issue is that OpenSSL::PKey::EC and similar are actually keypairs - the Ruby OpenSSL docs do not really provide a nice noun for this.

julik, Jan 27 '24 23:01