JWK key signing is broken in OpenSSL 3.0
https://github.com/potatosalad/ruby-jose/blob/master/lib/jose/jwk/kty_ec.rb#L20
does not work with OpenSSL 3.0 and fails with error "pkeys are immutable on OpenSSL 3.0"
Potential fix is to use ASN1 sequences as done in https://github.com/googleapis/google-auth-library-ruby/pull/397/files#diff-fda73a61a26353211e861c4b1519bd86ec9abd1bfa2a044601bae498679ea7e5R160-R165
Are there any plans to update this gem? It's the only one I could find for JOSE signing.
@potatosalad if you're not planning to maintain this library, could you please add a note on the README? OpenSSL 1.1 will not be receiving security updates beyond 2023, so making it work with OpenSSL 3.x is quite important or people will need to switch to a different library.
thanks
This is thrown together and seems to work for our use https://github.com/enriquez/ruby-jose/tree/convert-to-asn1
thanks @enriquez - we're moving away from using this gem as it seems to be unmaintained.
@deepfryed can you recommend alternatives?
we're trying out https://rubygems.org/gems/jwt
We're using jwt too. Works fine.
This is still failing after the commit:
```
terminated with exception (report_on_exception is true):
/root/.rbenv/versions/3.2.1/lib/ruby/gems/3.2.0/gems/jose-1.1.3/lib/jose/jwk/kty_ec.rb:20:in `public_key=': pkeys are immutable on OpenSSL 3.0 (OpenSSL::PKey::PKeyError)
from /root/.rbenv/versions/3.2.1/lib/ruby/gems/3.2.0/gems/jose-1.1.3/lib/jose/jwk/kty_ec.rb:20:in `from_map'
from /root/.rbenv/versions/3.2.1/lib/ruby/gems/3.2.0/gems/jose-1.1.3/lib/jose/jwk.rb:1059:in `from_fields'
from /root/.rbenv/versions/3.2.1/lib/ruby/gems/3.2.0/gems/jose-1.1.3/lib/jose/jwk.rb:123:in `from_map'
from /root/.rbenv/versions/3.2.1/lib/ruby/gems/3.2.0/gems/jose-1.1.3/lib/jose/jwk.rb:76:in `from_binary'
```
> we're trying out https://rubygems.org/gems/jwt
Thanks for that tip. Looked pretty promising until I realized it does not support RSA-OAEP-256. This seems to be the only gem that I found that does.
Are there alternatives for JWE encrypt/decrypt? Seems like jose is the only one that supports an algo of ECDH-ES+A256KW
I actually ended up just writing my own version in the end, as if you look at the actual sign/verify requirements, it's only a dozen lines of code to support a single set of ciphers etc.
> I actually ended up just writing my own version in the end, as if you look at the actual sign/verify requirements, it's only a dozen lines of code to support a single set of ciphers etc.
So did I, used JWT gem for JWT but ended up writing our own implementation for JWE with some "inspiration" from this gem to support RSA-OAEP-256.
If anyone is still looking I believe this issue was addressed by https://github.com/potatosalad/ruby-jose/pull/25 and goes away by updating to 1.2.0
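The ASN.1 approach suggested at the top of this thread, as an added example that is not code from ruby-jose or from the linked pull requests: the key is built by encoding the JWK fields as DER and parsing that, so no setter such as `public_key=` is called on an existing key object. The method names, the P-256-only curve table and the generated sample key are assumptions made for the illustration.

```ruby
require "openssl"
require "base64"

# JWK "crv" name => OpenSSL curve name (only P-256 is handled in this sketch).
CURVES = { "P-256" => "prime256v1" }.freeze

def b64u(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Build an EC key from JWK fields by encoding DER and parsing it.
def ec_key_from_jwk(jwk)
  curve = CURVES.fetch(jwk.fetch("crv"))
  x = Base64.urlsafe_decode64(jwk.fetch("x"))
  y = Base64.urlsafe_decode64(jwk.fetch("y"))
  point = "\x04".b + x + y # uncompressed EC point: 0x04 || X || Y
  der =
    if jwk["d"] # private JWK: SEC1 ECPrivateKey structure
      OpenSSL::ASN1::Sequence([
        OpenSSL::ASN1::Integer(1),
        OpenSSL::ASN1::OctetString(Base64.urlsafe_decode64(jwk["d"])),
        OpenSSL::ASN1::ObjectId(curve, 0, :EXPLICIT),
        OpenSSL::ASN1::BitString(point, 1, :EXPLICIT)
      ]).to_der
    else # public JWK: SubjectPublicKeyInfo structure
      OpenSSL::ASN1::Sequence([
        OpenSSL::ASN1::Sequence([
          OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
          OpenSSL::ASN1::ObjectId(curve)
        ]),
        OpenSSL::ASN1::BitString(point)
      ]).to_der
    end
  OpenSSL::PKey::EC.new(der)
end

# Constructed sample input: a freshly generated P-256 key exported as a JWK hash.
def constructed_sample_jwk
  key = OpenSSL::PKey::EC.generate("prime256v1")
  pt = key.public_key.to_octet_string(:uncompressed)
  { "kty" => "EC", "crv" => "P-256", "x" => b64u(pt[1, 32]), "y" => b64u(pt[33, 32]),
    "d" => b64u(key.private_key.to_s(2).rjust(32, "\x00".b)) }
end

# Sign with the rebuilt private key, verify with the rebuilt public-only key.
def roundtrip_ok?
  jwk = constructed_sample_jwk
  priv = ec_key_from_jwk(jwk)
  pub = ec_key_from_jwk(jwk.reject { |k, _| k == "d" })
  sig = priv.sign(OpenSSL::Digest.new("SHA256"), "payload")
  pub.verify(OpenSSL::Digest.new("SHA256"), sig, "payload") && !pub.private?
end
```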