jjwt icon indicating copy to clipboard operation
jjwt copied to clipboard

Published 20 hours ago verified publisher icon jwtk

Remove the ability to verify asymmetric signatures with PrivateKeys

Open lhazlewood opened this issue 5 years ago • 3 comments

JJWT's early days allowed this for server-side convenience - in case a server wanted to verify a JWS with the private key it had access to. This however encourages poor security practices, potentially exposing the private key unnecessarily.

The JWT specification does require public keys to be used for signature validation (only references public key verification). Also, the JDK's Signature.initVerify only accepts PublicKey instances, reinforcing this expectation. Based on all of this, JJWT should follow suit.

While this is not a backwards-incompatible API change (it would be transparent to JJWT users), it could break existing assumed behavior, so such a change should ideally wait until the 1.0 release.

lhazlewood avatar Jul 26 '18 19:07 lhazlewood

@lhazlewood does this issue require to remove the implementation from RsaSignatureValidator that allows computing the signature using the this.SIGNER when the key type in not of the type PublicKey ?

There are 3 scenarios

  1. JwtParser setSigningKey(byte[] key) - this can remain the same as it's just plain bytes and is defining the key object.
  2. JwtParser setSigningKey(String base64EncodedSecretKey) - Same as above, as it reaches the same step as above
  3. JwtParser setSigningKey(Key key) - since this is a Key instance, it can accept the public key only. Since this diverges to Elliptic Curve and RSA. Elliptic curve is already only accepting public keys only. So the RSA implementation needs to not allow private key signer.

and appropriate messages for someone specifying private keys.

Does this sound good ?

prateeknischal avatar Nov 11 '18 12:11 prateeknischal

There is another problem with the RsaSignatureValidator. It assumes you can use the private key to generate a signature which will be identical to the signature in the JWT. This is not the case when using RSA with PSS which is a probablistic signature that includes random input with the data that will be signed. Using the private key to validate the signature will fail in this case.

ezzadeen avatar Aug 03 '22 15:08 ezzadeen

@prateeknischal the RsaSignatureValidator implementation has been removed/migrated to a new DefaultRsaSignatureAlgorithm implementation in the jwe branch: https://github.com/jwtk/jjwt/blob/jwe/impl/src/main/java/io/jsonwebtoken/impl/security/DefaultRsaSignatureAlgorithm.java

This design change was to allow for pluggable SignatureAlgorithm implementations, which was not possible previously (because they were defined in a Java Enum, and Enums are not extendible).

It is ultimate the responsibility of the SignatureAlgorithm implementation to accept/reject key types based on the algorithm requirements. At the moment, the new DefaultRsaSignatureAlgorithm implementation still allows PrivateKey verification to maintain backwards compatibility, but that will be removed for the 1.0 release per this issue. I hope that helps!

lhazlewood avatar Aug 03 '22 16:08 lhazlewood