JWT auth ES256


destrihadi

Sep 23, 2015, 5:22:31 AM
to vert.x
Hi all

I am having trouble when trying to use JWT auth with the ES256 alg.

I want to generate a token with the ES256 alg and try to verify the generated token.
I've succeeded using HS256, but no luck if I change it to ES256. Any idea?

Here is my test:

    @Test
    public void testJWT() {
        JsonObject config = new JsonObject().put("keyStore", new JsonObject()
                .put("path", "/Users/xxx/Downloads/keystore/1/keystore.jceks")
                .put("type", "jceks")
                .put("password", "secret"));

        JWTAuth provider = JWTAuth.create(Vertx.vertx(), config);

        String token = provider.generateToken(new JsonObject().put("sub", "paulo"), new JWTOptions().setAlgorithm("ES256"));

        System.out.println("token " + token);

        JsonObject authInfo = new JsonObject()
                .put("jwt", token);
        provider.authenticate(authInfo, new Handler<AsyncResult<User>>() {
            @Override
            public void handle(AsyncResult<User> event) {
                if (event.cause() != null) {
                    event.cause().printStackTrace();
                }
                event.result();
                System.out.println("abc " + event.succeeded());
            }
        });
    }

and the output is:

token eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJwYXVsbyIsImlhdCI6MTQ0Mjk5ODIxNX0=.MEQCICUVOYsAvKSng-4SDaZBdcYTKLHtxZqHcl4wqvZcdseoAiBj7kGiOhyYES1wdpg0FashauDgue86oWmyQVYc7t7NEQ==
java.lang.RuntimeException: java.security.SignatureException: object not initialized for verification
    at io.vertx.ext.auth.jwt.impl.CryptoSignature.verify(Crypto.java:85)
    at io.vertx.ext.auth.jwt.impl.JWT.decode(JWT.java:158)
    at io.vertx.ext.auth.jwt.impl.JWTAuthProviderImpl.authenticate(JWTAuthProviderImpl.java:78)
    at id.netzme.skyfeed.ConfigurationTest.testJWT(ConfigurationTest.java:60)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
    at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
    at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:78)
    at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:212)
    at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:68)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:140)
Caused by: java.security.SignatureException: object not initialized for verification
    at java.security.Signature.verify(Signature.java:654)
    at io.vertx.ext.auth.jwt.impl.CryptoSignature.verify(Crypto.java:83)
    ... 30 more
abc false

Thanks...

Paulo Lopes

Sep 23, 2015, 6:18:30 AM
to vert.x
By any chance are you using OpenJDK? OpenJDK does not support Elliptic Curve Crypto out of the box.

I've created a test keystore, added a test and run it with success on Oracle JDK. Here are the steps:

1- generate keystore:

    keytool -genkeypair -keystore keystore.jceks -storetype jceks -storepass secret -keyalg EC -keysize 256 -alias ES256 -keypass secret -sigalg SHA256withECDSA -dname "CN=,OU=,O=,L=,ST=,C=" -validity 360

2- test code:

    authProvider = JWTAuth.create(vertx, new JsonObject().put("keyStore", new JsonObject()
            .put("path", "keystore.jceks")
            .put("type", "jceks")
            .put("password", "secret")));

    String token = authProvider.generateToken(new JsonObject().put("sub", "paulo"), new JWTOptions().setAlgorithm("ES256"));
    assertNotNull(token);

...

Paulo Lopes

Sep 23, 2015, 6:54:58 AM
to vert.x
Hi again,

I've looked more closely at your log, and the issue is not generating tokens that work but validating them. I've seen a bug and am currently fixing it.

Cheers,
Paulo

destrihadi

Sep 23, 2015, 9:04:33 AM
to vert.x
Great, thanks.
One more question.
I want to build an endpoint generating this token.
Can I have multiple threads accessing authProvider.generateToken(...)? Or should I leave it being called from the vertx event loop thread (single thread)?

Paulo Lopes

Sep 23, 2015, 10:00:52 AM
to vert.x
I'd suggest that you call it from the event loop, since in the case of signatures the code needs to initialize the signature engine either to encode or decode and only after that perform the action.
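
The exception message in the stack trace and the point above about initializing the signature engine both concern the state of a java.security.Signature object. The following is an added example, not part of the thread and not Vert.x code: it uses plain JCA calls to show the init/update/sign-or-verify sequence and what happens when an engine in the wrong state is asked to verify. The class name Es256EngineState and the sample signing input are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.ECGenParameterSpec;

public class Es256EngineState { // hypothetical name; plain JCA, no Vert.x code
    static final String ALG = "SHA256withECDSA"; // ECDSA with SHA-256, as used by ES256

    // A Signature object is a stateful engine (init, update, sign/verify) and is
    // not thread-safe, so each call builds its own instead of sharing one.
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature engine = Signature.getInstance(ALG);
        engine.initSign(key);
        engine.update(data);
        return engine.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature engine = Signature.getInstance(ALG);
        engine.initVerify(key); // without this call, verify() throws SignatureException
        engine.update(data);
        return engine.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1")); // P-256, the ES256 curve
        KeyPair kp = kpg.generateKeyPair();
        byte[] input = "header.payload".getBytes(StandardCharsets.US_ASCII); // constructed sample
        byte[] sig = sign(kp.getPrivate(), input);

        // An engine left in signing mode is rejected when asked to verify.
        Signature signingEngine = Signature.getInstance(ALG);
        signingEngine.initSign(kp.getPrivate());
        try {
            signingEngine.verify(sig);
        } catch (SignatureException e) {
            System.out.println("sign-mode engine: " + e.getMessage());
        }
        System.out.println("fresh verify engine: " + verify(kp.getPublic(), input, sig));
        input[0] ^= 1; // tampered signing input must fail verification
        System.out.println("tampered input: " + verify(kp.getPublic(), input, sig));
    }
}
```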

Destrihadi

Sep 23, 2015, 10:30:40 AM
to vert.x
Thanks for the suggestion. I'll try that.