[keycloak-user] Keycloak issue - Wrong ECDSA signature R and S encoding
Stian Thorgersen
sthorger at redhat.com
Thu Oct 24 06:34:01 EDT 2019
Thanks for confirming with 7 release. We will discuss this one on our next
planning call. I'm a bit surprised that no-one else has reported this
though as I know there are at least a few using it with other third party
libraries.
On Wed, 23 Oct 2019, 15:56 Ori Doolman, <Ori.Doolman at cyberark.com> wrote:
> Hi Stian,
>
> I’ve confirmed that the bug is still valid in 7.0.1.
>
> I added the reproduction details to the Jira issue.
>
>
>
> Can you increase priority for it?
>
> For us, this is a blocker.
>
>
>
> Thanks,
>
> Ori.
>
>
>
>
>
> *From:* Stian Thorgersen <sthorger at redhat.com>
> *Sent:* Wednesday, October 23, 2019 9:13 AM
> *To:* Ori Doolman <Ori.Doolman at cyberark.com>
> *Cc:* keycloak-user <keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] Keycloak issue - Wrong ECDSA signature R
> and S encoding
>
>
>
> There have been changes specifically around jwk and ecdsa I believe hence
> why I'm asking for you to confirm your reported bug on a recent version.
> It's common practice when reporting a bug to check if it's fixed in the
> latest release or not.
>
> On Tue, 22 Oct 2019, 16:28 Ori Doolman, <Ori.Doolman at cyberark.com> wrote:
>
> Hi Stian,
>
> I doubt if this was fixed, since the issue is very specific to the
> algorithm. There is a link in the Jira to another page, where there is a
> github project simulating and testing the issue, probably you can use it to
> verify:
>
>
> https://bitbucket.org/b_c/jose4j/issues/134/token-created-by-keycloak-cannot-be
>
>
>
> Regards,
>
> Ori.
>
>
>
>
>
> *From:* Stian Thorgersen <sthorger at redhat.com>
> *Sent:* Tuesday, October 22, 2019 4:47 PM
> *To:* Ori Doolman <Ori.Doolman at cyberark.com>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak issue - Wrong ECDSA signature R
> and S encoding
>
>
>
> Can you try with 7.0.1? There have been some changes here since 4.8.3.
>
>
>
> On Tue, 22 Oct 2019 at 11:57, Ori Doolman <Ori.Doolman at cyberark.com>
> wrote:
>
> Hi,
> There is a Major bug opened since February this year, which prevents us
> from deploying Keycloak as an IDP, since we are using Java SpringBoot and
> ECDSA algorithm for signing the tokens:
>
> https://issues.jboss.org/browse/KEYCLOAK-9651
>
> We cannot change the signature algorithm due to other limitations.
>
> Is there any plan to resolve that?
> Can you speed it up?
>
> Thank you,
> Ori.
>
>