luajwt
Add RS256 support
Adds basic support for RS256 signature verification. The 'key' should be passed as a string which contains the public key in PEM format, for example:
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcN....................7ogs8j2XThEFa1iPooa
RPE/2+a8z9N1+8d9a....................Ncijm15Z7y/psCAwEAAQ==
-----END PUBLIC KEY-----
It would be great to have a new release available as a Lua rock if this PR gets merged eventually, thanks!
I am not sure of the inner workings of local pubkey = crypto.pkey.from_pem(key), but this might be leading to the latest security vulnerability:
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
Right now this is not the case as only HMAC-based certificates are allowed, but once public keys are used, this has to be considered.
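The concern raised in the comment above is the HS256/RS256 algorithm confusion covered in the linked Auth0 post. As an added example (Python, not luajwt's code and not part of this PR), here is a verifier that takes the expected algorithm from the caller instead of the token header and refuses a PEM public key as an HMAC secret. `rsa_verify` is a hypothetical hook for a real RSA library and `SAMPLE_PEM` is a constructed placeholder.

```python
import base64, hashlib, hmac, json

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims, secret):
    """Build an HS256 token; used here only to produce constructed test input."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def verify(token, key, expected_alg, rsa_verify=None):
    """Return the claims or raise ValueError.

    expected_alg comes from the caller's configuration; the token header is
    only compared against it, never used to pick the verification routine.
    rsa_verify(key, signing_input, sig) -> bool is a hypothetical hook.
    """
    try:
        head, body, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head))
        sig = b64url_decode(sig_b64)
    except Exception:
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        raise ValueError("algorithm mismatch")
    signing_input = f"{head}.{body}".encode()
    is_pem = b"-----BEGIN" in key
    if expected_alg == "HS256":
        if is_pem:  # a public key must never serve as an HMAC secret
            raise ValueError("PEM key refused for HMAC")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, sig)
    elif expected_alg == "RS256":
        if not is_pem or rsa_verify is None:
            raise ValueError("RS256 needs a PEM public key and an RSA verifier")
        ok = rsa_verify(key, signing_input, sig)
    else:
        raise ValueError("unsupported algorithm")
    if not ok:
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

# Constructed placeholder, not a real key.
SAMPLE_PEM = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n"
```

A regression test for an RS256 change like this one should include a token whose header says HS256 while the configured key is the PEM public key, and assert that verification fails.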