[keycloak-user] Keycloak issue - Wrong ECDSA signature R and S encoding
Ori Doolman
Ori.Doolman at cyberark.com
Wed Oct 23 09:56:25 EDT 2019
Hi Stian,
I’ve confirmed that bug is still valid in 7.0.1.
I added the reproduction details to the Jira issue.
Can you increase priority for it?
For us, this is a blocker.
Thanks,
Ori.
From: Stian Thorgersen <sthorger at redhat.com>
Sent: Wednesday, October 23, 2019 9:13 AM
To: Ori Doolman <Ori.Doolman at cyberark.com>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Keycloak issue - Wrong ECDSA signature R and S encoding
There have been changes specifically around jwk and ecdsa, I believe, hence why I'm asking for you to confirm your reported bug on a recent version. It's common practice when reporting a bug to check if it's fixed in the latest release or not.
On Tue, 22 Oct 2019, 16:28 Ori Doolman, <Ori.Doolman at cyberark.com> wrote:
Hi Stian,
I doubt if this was fixed, since the issue is very specific to the algorithm. There is a link in the Jira to another page, where there is a GitHub project simulating and testing the issue, probably you can use it to verify:
https://bitbucket.org/b_c/jose4j/issues/134/token-created-by-keycloak-cannot-be
Regards,
Ori.
From: Stian Thorgersen <sthorger at redhat.com>
Sent: Tuesday, October 22, 2019 4:47 PM
To: Ori Doolman <Ori.Doolman at cyberark.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak issue - Wrong ECDSA signature R and S encoding
Can you try with 7.0.1? There have been some changes here since 4.8.3.
On Tue, 22 Oct 2019 at 11:57, Ori Doolman <Ori.Doolman at cyberark.com> wrote:
Hi,
There is a Major bug opened since February this year, which prevents us from deploying Keycloak as an IDP, since we are using Java SpringBoot and ECDSA algorithm for signing the tokens:
https://issues.jboss.org/browse/KEYCLOAK-9651
We cannot change the signature algorithm due to other limitations.
Is there any plan to resolve that?
Can you speed it up?
Thank you,
Ori.