Decoding with x509 certs

[gpit2286]

I'm having a hard time authenticating a token using a x5c. (MS OAuth/Azure)

Below is the code...

// Trying to isolate the problem by only checking the signature. 
let validation_config = jsonwebtoken::Validation {
            algorithms: vec![jsonwebtoken::Algorithm::RS256],
            leeway: 0,
            validate_exp: false,
            validate_iat: false,
            validate_nbf: false,
            aud: None,
            iss: None,
            sub: None
        };
let token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn...";
let x5c_cert = "MIIDBTCCAe2gAwIBAgIQKOfEJNDyDplBSXKYcM..."; 

let raw_der = base64::decode_config(der, base64::STANDARD).unwrap();
let d = jsonwebtoken::decode::<MsOAuthPayload>(&token, &raw_der, &validation_config);

The above always returns InvalidSignature.

• RS265 is the correct algo.
• The cert is correct. I tried it on jwt.io by adding a BEGIN/END cert and it validates fine.
• I used ssl to convert the BEGIN/END pem to DER and the bytes match up from the base 64 decode.
• The key URL is: https://login.microsoftonline.com/common/discovery/v2.0/keys but my specific tenant returns the same keys.

Anyone have some insight on what I'm doing wrong here?

Thanks

[maxburke]

I'm running into the same issue, too. My use case is the same as yours; I'm attempting to validate a JWT provided by Microsoft's authentication system.

[Keats]

You can try to clone jsonwebtoken locally to see where it is failing: InvalidSignature would be caused by any error in that fn https://github.com/Keats/jsonwebtoken/blob/master/src/crypto.rs#L100-L113

A first thought on why it doesn't work could be that Microsoft maybe doesn't use URL safe base64?

[maxburke]

I'm wondering, could it be because the x5c field has the x509 certificate chain and not just the public key?

[gpit2286]

I don't think this makes sense. Because using openssl extracts to the same binary representation. On March 8, 2019 at 10:29:05 AM, Max Burke (notifications@github.com) wrote: I'm wondering, could it be because the x5c field has the x509 certificate chain and not just the RSA public key? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#77 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADKeQLuzQlyns8xZ2nopZm2v3hNWoiBiks5vUqvwgaJpZM4bdTCO> .

[samuela]

I'm having the same issue with Auth0. Even with the correct certificate and a valid token (verified with jwt.io) jsonwebtoken reports InvalidSignature. (See #80 for more details.)

[samuela]

Side note: Can we change the name of this issue slightly? It doesn't really seem to be about x5c to der conversion at this point. I wasn't aware of it when I initially came across the same thing.

[Keats]

From #80 it does look like it is a common failure with x509 certificates.

Would anyone have some time to look into that? Can start with creating some test certificates and see what is happening.

The current situation with all various combinations of algorithms/key types is becoming unwieldy, hopefully after something like #76 it will be easier to use

[samuela]

@Keats I personally don't have time to look into it at the moment, but I'd be happy to help out/explain my setup/provide example test cases that are breaking for me for whoever would like to take a stab at it.

[Guara92]

I have the same issue with EC certificate, created with
openssl ecparam -name secp384r1 -genkey -noout -out p384-private-key.pem
openssl ec -in p384-private-key.pem -pubout -out p384-public-key.pem
then converted to der format
openssl pkcs8 -topk8 -inform PEM -outform DER -in p384-private-key.pem -out p384-private-key.der -nocrypt
openssl ec -pubin -inform PEM -in p384-public-key.pem -outform DER -out p384-public-key.der

I can verify the token with jwt.io using the pem file, i'm doing something wrong converting the keys?

[maxburke]

@gpit2286 I'm not quite sure this will close the issue; it isn't that the input has the ----BEGIN xxx----- tags, it's that the validation doesn't succeed when a certificate (ie: identity information + public key) is provided to validate against.

[maxburke]

I have more information now, at least with the Azure use case.

The x5c field returned by the Azure keys endpoint does have both the certificate chain and public key. If the public key is extracted (ie: with openssl x509 -pubkey ...), verifying the JWT will still fail because the DER has an object ID field prepended to the public key. When the OID field and associated TLV data is stripped off, it works.

I guess the question now is, should this parsing of the key from the cert and cleaning it up for ring's consumption be done by jsonwebtoken or by client code? I could provide a PR to do this, though it may introduce another package dependency.

Thoughts? (@Keats ?)

[maxburke]

For what it's worth, I'm using this code to extract the DER-formatted public key from an Azure ADB2C certificate and it seems to be working. It is depending on der-parser 1.1.1, nom 4.3.2, and rusticata-macros 1.1.0

#[macro_use] extern crate nom;
#[macro_use] extern crate rusticata_macros;

use der_parser::*;
use nom::{ErrorKind};

/*
 * Test for a the sequence that contains the key (ie: modulus + exponent)
 *
 * TODO: Perhaps this should test the length of the modulus?
 */
fn rsa_key_parser(seq: &[u8]) -> IResult<&[u8], DerObject> {
    parse_der_sequence_defined!(seq,
                                parse_der_integer,
                                parse_der_integer
                                )
}

/*
 * The DER-encoded public key is stored within a bitstring embedded either
 * in a certificate or an x.509 public key.
 *
 * To find the bitstring we need to sift through the DER field sequences
 * recursively.
 */
fn rec_extract_key(sequence: &Vec<DerObject>) -> Option<Vec<u8>> {
    for o in sequence {
        match &o.content {
            der_parser::DerObjectContent::BitString(_, bso) => {
                match rsa_key_parser(bso.data) {
                    Ok(_) => { 
                        let mut key: Vec<u8> = Vec::new();
                        key.extend_from_slice(bso.data);
                        
                        return Some(key)
                    },
                    Err(_) => (),
                };
            },
            der_parser::DerObjectContent::Sequence(s) => {
                match rec_extract_key(s) {
                    Some(k) => return Some(k),
                    None => ()
                }
            },
            _ => (),
        }
    }

    return None
}

/*
 * Extract a DER-formatted key from either a certificate or an x.509 public key
 */
fn extract_key(cert: &[u8]) -> Option<Vec<u8>> {
    let result = parse_der(cert);
    let parsed = match result {
        Ok(p) => p,
        _ => return None
    };

    let (_, der_object) = parsed;
    match der_object.content {
        der_parser::DerObjectContent::Sequence(s) => rec_extract_key(&s),
        _ => None
    }
}

fn crack_token(jwks: JwksResponse, token: &Adb2cToken) -> Result<Claims, Box<Error>> {
    let header = decode_header(&token.access_token)?;
    let kid = match header.kid {
        Some(k) => k,
        None => return Err("Access token header does not have kid field".into())
    };

    let key = match jwks.keys.iter().find(|&k| k.kid == kid) {
        Some(k) => k,
        None => return Err(format!("Unable to find key id {}", kid).into())
    };

    let validation = Validation::new(header.alg);
    for cert in &key.x5c {
        let cert_der = base64::decode_config(&cert, base64::STANDARD)?;
        let key_vec = match extract_key(&cert_der) {
            Some(k) => k,
            None => return Err("Unable to extract key from provided certificate".into())
        };

        match decode::<Claims>(&token.access_token, &key_vec.as_slice(), &validation) {
            Ok(c) => return Ok(c.claims),
            Err(e) => { eprintln!("Error decoding: {}", e); }
        }
    }

    Err("No signing key successfully validated JWT claims".into())
}