jjwt
jjwt copied to clipboard
Remove the ability to verify asymmetric signatures with PrivateKeys
JJWT's early days allowed this for server-side convenience - in case a server wanted to verify a JWS with the private key it had access to. This however encourages poor security practices, potentially exposing the private key unnecessarily.
The JWT specification does require public keys to be used for signature validation (only references public key verification). Also, the JDK's Signature.initVerify
only accepts PublicKey
instances, reinforcing this expectation. Based on all of this, JJWT should follow suit.
While this is not a backwards-incompatible API change (it would be transparent to JJWT users), it could break existing assumed behavior, so such a change should ideally wait until the 1.0 release.
@lhazlewood does this issue require to remove the implementation from RsaSignatureValidator that allows computing the signature using the this.SIGNER
when the key type in not of the type PublicKey
?
There are 3 scenarios
-
JwtParser setSigningKey(byte[] key)
- this can remain the same as it's just plain bytes and is defining the key object. -
JwtParser setSigningKey(String base64EncodedSecretKey)
- Same as above, as it reaches the same step as above -
JwtParser setSigningKey(Key key)
- since this is aKey
instance, it can accept the public key only. Since this diverges to Elliptic Curve and RSA. Elliptic curve is already only accepting public keys only. So the RSA implementation needs to not allow private key signer.
and appropriate messages for someone specifying private keys.
Does this sound good ?
There is another problem with the RsaSignatureValidator. It assumes you can use the private key to generate a signature which will be identical to the signature in the JWT. This is not the case when using RSA with PSS which is a probablistic signature that includes random input with the data that will be signed. Using the private key to validate the signature will fail in this case.
@prateeknischal the RsaSignatureValidator implementation has been removed/migrated to a new DefaultRsaSignatureAlgorithm
implementation in the jwe
branch: https://github.com/jwtk/jjwt/blob/jwe/impl/src/main/java/io/jsonwebtoken/impl/security/DefaultRsaSignatureAlgorithm.java
This design change was to allow for pluggable SignatureAlgorithm
implementations, which was not possible previously (because they were defined in a Java Enum
, and Enum
s are not extendible).
It is ultimate the responsibility of the SignatureAlgorithm
implementation to accept/reject key types based on the algorithm requirements. At the moment, the new DefaultRsaSignatureAlgorithm
implementation still allows PrivateKey verification to maintain backwards compatibility, but that will be removed for the 1.0 release per this issue. I hope that helps!