sans cstruct #66

Merged
merged 11 commits into from
Dec 16, 2024

anmonteiro
Collaborator

jose/Jwe.ml
Comment on lines +27 to +28
let x = x_cs |> U_Base64.url_encode_string in
let y = y_cs |> U_Base64.url_encode_string in
Owner

Doesn't need a pipe here anymore

Contributor

hannesm commented Aug 27, 2024

I looked into the "jose doesn't produce the same signature" -- and this has been the case as well earlier (taking a look into mirage-crypto-ec 0.10.0, and RFC 7515 A.3.1 and A.4.1 testcases - the R and S aren't the same). I don't understand from the RFC how the ECDSA signature is supposed to happen -- mirage-crypto-ec computes a deterministic k, but this could as well be random (and influences the output -- R and S). What mirage-crypto-ec achieves, though, is a signature that can be successfully verified. :)

In case you've some more insight - how ECDSA is supposed to happen in jose (or how the k is chosen for the test vectors), or some test where a mirage-crypto-ec generated signature is invalid, please let me know by reporting an issue on the mirage-crypto repository.

Contributor

hannesm commented Aug 27, 2024

Note, I also read through RFC 7518 and couldn't find any remark on how k is chosen, only a pointer to the NIST ECDSA standard. In mirage-crypto-ec, RFC 6979 (deterministic k) is used (unless you supply a k yourself).

Contributor

hannesm commented Aug 27, 2024

Talking about your test case failure, JTW.10 "Can validate my own EC JWT (pub es512)" -- this is failing with this branch. The underlying reason is mirage/mirage-crypto#230 - which actually fixes test cases ;)

On your side, you'll need to update your Fixtures.ml:

--- a/test/Fixtures.ml
+++ b/test/Fixtures.ml
@@ -144,7 +144,7 @@ let es256_jwt_string =
   {|eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IlVYNHF1OUw3WnlvU0ZDWlJiWGlmWDdhcV94ay1QTGZQaVB5czItS05rQW8ifQ.eyJzdWIiOiJ0ZXN0ZXIifQ.PU5foY53xooRx6PlBUpD9ZPKkDbSEfoXDvBiyTvJAQl2R8ilCglPh_eCSKX6B03SDAh5TcAanche999TBOs31w|}
 
 let es512_jwt_string =
-  {|eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiIsImtpZCI6IjhmVlZQSTczRE9nZ2xKZ0Y0eXIwbkFMRmg2STVMbG9tMVhtdDhoVHVjLVUifQ.eyJzdWIiOiJ0ZXN0ZXIifQ.AWt-F7KxQnLQoCt3AjK9XBznyus1NszsLpf2o2T0QGU607A-dtdD54vDErz3QFy7LjsAZ639lQBY9ox8n-c5H24xAb5fx7-5iiE0bnIFp5UUzRiWErySV4UAqbEP_qOhewNVYoUtc2PyFZYXiI3lMgVIkJMB3MFLlylTdOe8AAyyfTu3|}
+  {|eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiIsImtpZCI6IjhmVlZQSTczRE9nZ2xKZ0Y0eXIwbkFMRmg2STVMbG9tMVhtdDhoVHVjLVUifQ.eyJzdWIiOiJ0ZXN0ZXIifQ.AWnbVz7DJ-g2J7z1a3OF9YzBy-U0o33t9S6hahokJRY126OYV5zjrwLVR5Dr97IlDJvpiDHEAkb7dnrZtE0_uxfkALwwXGit_FwnVpf-rM24OH0gY3RoT_T11OVa_QiW48lIL6NUz7ujtC1GZ9Y9xaiG3rIafxeM0RG1BrGWYYE4HIZL|}
 
 let jwt_without_kid =
   "eyJhbGciOiJSUzI1NiIsImtpZCI6Il9abjZRRXozRG42Um5XN2hvcGFBYzQ2VkZlcFpRa0x5Rk8ycE50M1VzNFkifQ.eyJpc3MiOiJodHRwczovL3JwLmNlcnRpZmljYXRpb24ub3BlbmlkLm5ldDo4MDgwL21vcnBoX2F1dGhfbG9jYWwvcnAtaWRfdG9rZW4taWF0Iiwic3ViIjoiMWIyZmM5MzQxYTE2YWU0ZTMwMDgyOTY1ZDUzN2FlNDdjMjFhMGYyN2ZkNDNlYWI3ODMzMGVkODE3NTFhZTZkYiIsImF1ZCI6WyJIQTBHT2x0ZElHVDYiXSwiZXhwIjoxNTkxMDc5Mjg4LCJhY3IiOiJQQVNTV09SRCIsInNpZCI6IjExMDAxMWE0NTdiOTgyYjA1MjRiN2QzODU4NDI4NjE4MTIwYTE0MDU4MzZiY2Y3NWIxMzEwMDUxIiwiYXV0aF90aW1lIjoxNTkwOTkyODg3LCJub25jZSI6IjFiYWEwYmJiLWM4ZGMtNDQxOS1hNDVkLWY4ZTk5OTkzNDAxMCJ9.L0xFdTBAChXQGCEK1wm7BjDJpiFOGHsGxdrRTgWKjlLKDVk0eSqJ4_zCp0xnUf-Pnzp_B9RreBEsu4RcEi0OEqS0PP1514sncGz7gsFBDfuX6opbIH5bbuhW0GkkkVooxSVkNuEgfBsaZovyo15LcQ8_zpF0nCXa_g6kyCz7KE3thBxC7u3Ex6jrk8fdt80daRn_ZDEpODlD0N6rki2fM4yAMWC6pLYrNZG9h_VIvKK947GsIsMR4CKR0OAsK4cqS3ahR3W49lP66quo6ThK8z5GMFgzlqgzt_A-tbjYmCQp2A110vvKY1U6j_WU2Vn8eHrU1rVdYaOwMlRj5RVbHw"

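Review bot: The replacement `es512_jwt_string` literal has no comment saying which key or signer produced it, so the fixture cannot be regenerated or audited from this file. Only the third dot-separated segment (the signature) differs between the `-` and `+` lines, while the header and payload segments are unchanged. A short comment above `let es512_jwt_string` recording how the value was generated would cover that, and if any test compares freshly produced output against this string byte for byte, asserting that the signature verifies instead would avoid pinning the fixture to one signer's output.
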
I've no idea how your Fixtures.ml was generated -- or that specific value in there. May be worth documenting for the future.

@anmonteiro
Collaborator Author

@hannesm thanks so much for your insights here

ulrikstrid marked this pull request as ready for review December 16, 2024 13:27
ulrikstrid merged commit ddb012d into master Dec 16, 2024
4 of 5 checks passed