[jboss-jira] [JBoss JIRA] (WFWIP-288) JWT signed by 1024 bit long key is rejected

Darran Lofthouse (Jira) issues at jboss.org
Wed Dec 18 08:42:11 EST 2019


    [ https://issues.redhat.com/browse/WFWIP-288?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13937129#comment-13937129 ] 

Darran Lofthouse commented on WFWIP-288:
----------------------------------------

This is the underlying error: -

{noformat}
Caused by: org.jose4j.jwt.consumer.InvalidJwtException: JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.InvalidKeyException: An RSA key of size 2048 bits or larger MUST be used with the all JOSE RSA algorithms (given key was only 1024 bits).): JsonWebSignature{"kid":"Test Key","typ":"jwt","alg":"RS256"}->eyJraWQiOiJUZXN0IEtleSIsInR5cCI6Imp3dCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJ0ZXN0VXNlciIsInVwbiI6InRlc3RVc2VyIiwiaXNzIjoicXVpY2tzdGFydC1qd3QtaXNzdWVyIiwiYXVkIjoiand0LWF1ZGllbmNlIiwiZ3JvdXBzIjpbIkVjaG9lciIsIlN1YnNjcmliZXIiXSwiYmlydGhkYXRlIjoiMjAxNy0wOS0xNSIsImp0aSI6IjY3ZWJmYmY0LTlhODYtNDQxYy1iMjE2LTFhN2JlZWUwOTI0YiIsImlhdCI6MTU3NjY3NjMyNCwiZXhwIjoxNTc2NjkwNzI0fQ.fWmS8EysxuWH6Te2Jn2GW30wQwayP4ySENPqqCLoKS9XTdgbjLHOlPZwAMJ-HsXKP1m6KEvgj6TGcSRJ5PKt4dJWyIIPTuBRddHtoyvFIyJGG7USRb3TFeWFhBXcgp8SMeGfEekIOtH_tKVIcpnWkfOqqEzs1JKezi4_qra_7KI]
	at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:271)
	at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:433)
	at io.smallrye.jwt.auth.principal.DefaultJWTTokenParser.parse(DefaultJWTTokenParser.java:88)
	... 40 more
Caused by: org.jose4j.lang.InvalidKeyException: An RSA key of size 2048 bits or larger MUST be used with the all JOSE RSA algorithms (given key was only 1024 bits).
	at org.jose4j.jwx.KeyValidationSupport.checkRsaKeySize(KeyValidationSupport.java:48)
	at org.jose4j.jws.RsaUsingShaAlgorithm.validatePublicKey(RsaUsingShaAlgorithm.java:44)
	at org.jose4j.jws.BaseSignatureAlgorithm.validateVerificationKey(BaseSignatureAlgorithm.java:189)
	at org.jose4j.jws.JsonWebSignature.verifySignature(JsonWebSignature.java:185)
	at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:222)
	... 42 more
{noformat}

> JWT signed by 1024 bit long key is rejected
> -------------------------------------------
>
>                 Key: WFWIP-288
>                 URL: https://issues.redhat.com/browse/WFWIP-288
>             Project: WildFly WIP
>          Issue Type: Bug
>          Components: MP JWT
>            Reporter: Jan Kasik
>            Assignee: Darran Lofthouse
>            Priority: Blocker
>
> According to the MP-JWT 1.1 specification, 1024- and 2048-bit key sizes must be supported. However, when a JWT signed with a 1024-bit key is presented to the server, it is rejected and the client receives an "Unauthorized" (code 401) response.
> See chapter 9.2. Supported Public Key Formats:
> {quote}
> Support for RSA Public Keys of 1024 or 2048 bits in length is required. Other key sizes are allowed, but should be considered vendor-specific.
> {quote}
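Added example (not part of the Jira comment, the quoted issue, or WildFly/SmallRye code). The stack trace above shows where the rejection happens: org.jose4j.jwx.KeyValidationSupport.checkRsaKeySize is called from validateVerificationKey, i.e. before verifySignature, so the token is refused on key size alone and the signature is never checked. jose4j exposes a switch for exactly this check, JwtConsumerBuilder.setRelaxVerificationKeyValidation(). The program below builds a jose4j JwtConsumer directly (SmallRye's DefaultJWTTokenParser builds its own consumer, so this is not how the WildFly server is configured), mints an RS256 token with a freshly generated 1024-bit key, and shows the default consumer rejecting it while the relaxed one accepts it. The class name is made up; issuer, audience, kid and claim values are copied from the token decoded in the stack trace.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

// Hypothetical class name, written for this example.
public class SmallRsaKeyJwtDemo {

    // Mints an RS256 token with the given key pair. jose4j applies the same
    // 2048-bit minimum to the signing key, so key validation has to be turned
    // off on the signer to produce a token with a 1024-bit key at all.
    static String mintToken(KeyPair keyPair) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer("quickstart-jwt-issuer");   // values from the token in the stack trace
        claims.setAudience("jwt-audience");
        claims.setSubject("testUser");
        claims.setClaim("upn", "testUser");
        claims.setStringListClaim("groups", "Echoer", "Subscriber");
        claims.setGeneratedJwtId();
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(240);

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(keyPair.getPrivate());
        jws.setKeyIdHeaderValue("Test Key");
        jws.setHeader("typ", "jwt");
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        jws.setDoKeyValidation(false);               // otherwise getCompactSerialization() throws InvalidKeyException
        return jws.getCompactSerialization();
    }

    // Builds a verifier. relaxKeyValidation=false is jose4j's default and
    // yields the InvalidKeyException quoted in the comment above.
    static JwtConsumer consumer(KeyPair keyPair, boolean relaxKeyValidation) {
        JwtConsumerBuilder builder = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setExpectedIssuer("quickstart-jwt-issuer")
                .setExpectedAudience("jwt-audience")
                .setVerificationKey(keyPair.getPublic())
                // Pin the accepted algorithm: relaxing the key-size check must not
                // widen which algorithms the verifier is willing to run.
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.WHITELIST,
                        AlgorithmIdentifiers.RSA_USING_SHA256));
        if (relaxKeyValidation) {
            builder.setRelaxVerificationKeyValidation();   // skips KeyValidationSupport.checkRsaKeySize
        }
        return builder.build();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(1024);                        // deliberately below jose4j's 2048-bit floor
        KeyPair keyPair = gen.generateKeyPair();
        String token = mintToken(keyPair);

        try {
            consumer(keyPair, false).processToClaims(token);
            System.out.println("unexpected: strict consumer accepted a 1024-bit key");
        } catch (InvalidJwtException e) {
            // Message contains "An RSA key of size 2048 bits or larger MUST be used ..."
            System.out.println("strict consumer rejected token: " + e.getMessage());
        }

        JwtClaims claims = consumer(keyPair, true).processToClaims(token);
        System.out.println("relaxed consumer accepted token for " + claims.getSubject());
    }
}
```

Two caveats for anyone applying this. First, setRelaxVerificationKeyValidation() disables jose4j's key checks for that consumer as a whole, not only the RSA modulus-length check, so keep the algorithm constraints in place when you use it. Second, while MP-JWT 1.1 section 9.2 requires 1024-bit RSA public keys to be supported, NIST SP 800-131A has disallowed RSA moduli shorter than 2048 bits for signature generation since the end of 2013; 1024-bit keys should be accepted only for compatibility, and issuers should be moved to 2048-bit or larger keys.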



--
This message was sent by Atlassian Jira
(v7.13.8#713008)

