By: Yuriy Lesyuk user 09 Feb 2017 at 5:33 a.m. CST

1 Response
When I fetch the n field using the URL https://gluu.exco.com/oxauth/seam/resource/restv1/oxauth/jwks I am getting x5c and n and e properties.

```
{"keys": [
  {
    "kid": "abcf57c8-4020-4638-aafd-1faa35ba2e44",
    "kty": "RSA",
    "use": "sig",
    "alg": "RS256",
    "exp": 1518096960426,
    "n": "5awKF1MZSGSAAlujSf-dRzvrK9D_vV85BMn7fZ-x5E-So580TrTxT9-vgfmTWzhDr0f240DqR6ojF_NGXh8V3QhFRM9i2p7dg7M3LO-mfYlrJ_x2Rlw-EdvMmYargk5gaM7sRQKwWnU6ajRZIDw3XbrLDvGeLWZhH1-RzV3NjlJ_0c85bXhyLg_MT9NpnGTP4CePLF0dLuQwo4ktQkkW_BwPaSUhHgPYA-M6IA9S31_vQLB4ZyN00EpdO57fEbhutkzrpb9iiXJh82DD0D5Z2eYyQdMX_7pN9frLKVhoCUelzZ887it0oIlLfpe8WUzuiDHWYThzQiepQfMBRQMJhQ",
    "e": "AQAB",
    "x5c": ["MIIDAzCCAeugAwIBAgIgLuZ\/WGm\/NwCIWOVcrvj2QuLV6yxyWQD7GEsmM1SWgP8wDQYJKoZIhvcNAQELBQAwITEfMB0GA1UEAwwWb3hBdXRoIENBIENlcnRpZmljYXRlczAeFw0xNzAyMDgxMzM1NTJaFw0xODAyMDgxMzM2MDBaMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDlrAoXUxlIZIACW6NJ\/51HO+sr0P+9XzkEyft9n7HkT5KjnzROtPFP36+B+ZNbOEOvR\/bjQOpHqiMX80ZeHxXdCEVEz2Lant2Dszcs76Z9iWsn\/HZGXD4R28yZhquCTmBozuxFArBadTpqNFkgPDddussO8Z4tZmEfX5HNXc2OUn\/RzzlteHIuD8xP02mcZM\/gJ48sXR0u5DCjiS1CSRb8HA9pJSEeA9gD4zogD1LfX+9AsHhnI3TQSl07nt8RuG62TOulv2KJcmHzYMPQPlnZ5jJB0xf\/uk31+sspWGgJR6XNnzzuK3SgiUt+l7xZTO6IMdZhOHNCJ6lB8wFFAwmFAgMBAAGjJzAlMCMGA1UdJQQcMBoGCCsGAQUFBwMBBggrBgEFBQcDAgYEVR0lADANBgkqhkiG9w0BAQsFAAOCAQEAmuyIS597+LbwvKZgeshm6b8YspHYIFMRp9Pr06jp+P94oK7zgOe4x0U13+ReoTiMke0Zbq4aE93BxykyTJg+eL3qi9Nr6o6EPXC6NrSOwi7+OgkOxvy3ffOM0k9uH8kQgrSqyr4ra6GPyhAlEZShJZHtwEWSipohldi4uH1nKBR0QbFYlDrUxs1pErZT5hsDO3yaZ+XCJmsvwNqvcYTWsElbJrhMsiR3ymmjxDkQghT6TYc3LkerlFEjPE5YPT+57LTRr0Clj\/NCHtYVJM32vEqZK+trQ44wpW9UfUgivsswgaH7qpUoUd3toAzNyjYq4aRT2f+ClKkJqr30nrt7iQ=="]
  },
```

Now, the problem is that the n value is currently corrupted. That is a reason why we cannot recreate the public key from the n and e, and use tools like jwt.io to successfully validate the JWT signature. Luckily, the x5c value is correct. Let's look at the steps to reproduce the problem.

For the example above, the public key extracted from the x5c certificate contains the modulus:

```
Modulus:
    00:e5:ac:0a:17:53:19:48:64:80:02:5b:a3:49:ff:
    9d:47:3b:eb:2b:d0:ff:bd:5f:39:04:c9:fb:7d:9f:
    b1:e4:4f:92:a3:9f:34:4e:b4:f1:4f:df:af:81:f9:
    93:5b:38:43:af:47:f6:e3:40:ea:47:aa:23:17:f3:
    46:5e:1f:15:dd:08:45:44:cf:62:da:9e:dd:83:b3:
    37:2c:ef:a6:7d:89:6b:27:fc:76:46:5c:3e:11:db:
    cc:99:86:ab:82:4e:60:68:ce:ec:45:02:b0:5a:75:
    3a:6a:34:59:20:3c:37:5d:ba:cb:0e:f1:9e:2d:66:
    61:1f:5f:91:cd:5d:cd:8e:52:7f:d1:cf:39:6d:78:
    72:2e:0f:cc:4f:d3:69:9c:64:cf:e0:27:8f:2c:5d:
    1d:2e:e4:30:a3:89:2d:42:49:16:fc:1c:0f:69:25:
    21:1e:03:d8:03:e3:3a:20:0f:52:df:5f:ef:40:b0:
    78:67:23:74:d0:4a:5d:3b:9e:df:11:b8:6e:b6:4c:
    eb:a5:bf:62:89:72:61:f3:60:c3:d0:3e:59:d9:e6:
    32:41:d3:17:ff:ba:4d:f5:fa:cb:29:58:68:09:47:
    a5:cd:9f:3c:ee:2b:74:a0:89:4b:7e:97:bc:59:4c:
    ee:88:31:d6:61:38:73:42:27:a9:41:f3:01:45:03:
    09:85
```

but the n value contains:

```
00000000  E5 AC 0A 17 │ 53 19 48 64 │ 80 02 5B A3 │ 49 FF 9D 47
00000010  3B EB 2B D0 │ FF BD 5F 39 │ 04 C9 FB 7D │ 9F B1 E4 4F
00000020  92 A3 9F 34 │ 4E B4 F1 4F │ DF AF 81 F9 │ 93 5B 38 43
00000030  AF 47 F6 E3 │ 40 EA 47 AA │ 23 17 F3 46 │ 5E 1F 15 DD
00000040  08 45 44 CF │ 62 DA 9E DD │ 83 B3 37 2C │ EF A6 7D 89
00000050  6B 27 FC 76 │ 46 5C 3E 11 │ DB CC 99 86 │ AB 82 4E 60
00000060  68 CE EC 45 │ 02 B0 5A 75 │ 3A 6A 34 59 │ 20 3C 37 5D
00000070  BA CB 0E F1 │ 9E 2D 66 61 │ 1F 5F 91 CD │ 5D CD 8E 52
00000080  7F D1 CF 39 │ 6D 78 72 2E │ 0F CC 4F D3 │ 69 9C 64 CF
00000090  E0 27 8F 2C │ 5D 1D 2E E4 │ 30 A3 89 2D │ 42 49 16 FC
000000A0  1C 0F 69 25 │ 21 1E 03 D8 │ 03 E3 3A 20 │ 0F 52 DF 5F
000000B0  EF 40 B0 78 │ 67 23 74 D0 │ 4A 5D 3B 9E │ DF 11 B8 6E
000000C0  B6 4C EB A5 │ BF 62 89 72 │ 61 F3 60 C3 │ D0 3E 59 D9
000000D0  E6 32 41 D3 │ 17 FF BA 4D │ F5 FA CB 29 │ 58 68 09 47
000000E0  A5 CD 9F 3C │ EE 2B 74 A0 │ 89 4B 7E 97 │ BC 59 4C EE
000000F0  88 31 D6 61 │ 38 73 42 27 │ A9 41 F3 01 │ 45 03 09
```

Notice that the first 00 byte and the last 85 byte are missing. If you reinstate the first and last byte, then you can use n and m to generate a valid public key, using projects like rsa-pem-from-mod-exp.

There is another thread in this section which discusses the same problem.

https://support.gluu.org/access-management/3626/location-of-public-key-for-jwt-validation/

It is closed now without resolution. If I use Javier's KeyGenerator example, the n field is similarly corrupted. That is why the original author, Lehel, talks about a 'reliable' way to generate a public key, and cannot find it.

Regards

By Javier Rojas staff 24 Feb 2017 at 10:38 p.m. CST

Hello Yuriy,

Taking your example:

```
{"keys": [
  {
    "kid": "abcf57c8-4020-4638-aafd-1faa35ba2e44",
    "kty": "RSA",
    "use": "sig",
    "alg": "RS256",
    "exp": 1518096960426,
    "n": "5awKF1MZSGSAAlujSf-dRzvrK9D_vV85BMn7fZ-x5E-So580TrTxT9-vgfmTWzhDr0f240DqR6ojF_NGXh8V3QhFRM9i2p7dg7M3LO-mfYlrJ_x2Rlw-EdvMmYargk5gaM7sRQKwWnU6ajRZIDw3XbrLDvGeLWZhH1-RzV3NjlJ_0c85bXhyLg_MT9NpnGTP4CePLF0dLuQwo4ktQkkW_BwPaSUhHgPYA-M6IA9S31_vQLB4ZyN00EpdO57fEbhutkzrpb9iiXJh82DD0D5Z2eYyQdMX_7pN9frLKVhoCUelzZ887it0oIlLfpe8WUzuiDHWYThzQiepQfMBRQMJhQ",
    "e": "AQAB",
    "x5c": ["…"]
  },
```

And using some third-party tools to extract the public key from the x5c:

http://8gwifi.org/PemParserFunctions.jsp

Enter the text of your Certificate:

```
-----BEGIN CERTIFICATE-----
MIIDAzCCAeugAwIBAgIgLuZ/WGm/NwCIWOVcrvj2QuLV6yxyWQD7GEsmM1SWgP8wDQYJKoZIhvcNAQELBQAwITEfMB0GA1UEAwwWb3hBdXRoIENBIENlcnRpZmljYXRlczAeFw0xNzAyMDgxMzM1NTJaFw0xODAyMDgxMzM2MDBaMCExHzAdBgNVBAMMFm94QXV0aCBDQSBDZXJ0aWZpY2F0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDlrAoXUxlIZIACW6NJ/51HO+sr0P+9XzkEyft9n7HkT5KjnzROtPFP36+B+ZNbOEOvR/bjQOpHqiMX80ZeHxXdCEVEz2Lant2Dszcs76Z9iWsn/HZGXD4R28yZhquCTmBozuxFArBadTpqNFkgPDddussO8Z4tZmEfX5HNXc2OUn/RzzlteHIuD8xP02mcZM/gJ48sXR0u5DCjiS1CSRb8HA9pJSEeA9gD4zogD1LfX+9AsHhnI3TQSl07nt8RuG62TOulv2KJcmHzYMPQPlnZ5jJB0xf/uk31+sspWGgJR6XNnzzuK3SgiUt+l7xZTO6IMdZhOHNCJ6lB8wFFAwmFAgMBAAGjJzAlMCMGA1UdJQQcMBoGCCsGAQUFBwMBBggrBgEFBQcDAgYEVR0lADANBgkqhkiG9w0BAQsFAAOCAQEAmuyIS597+LbwvKZgeshm6b8YspHYIFMRp9Pr06jp+P94oK7zgOe4x0U13+ReoTiMke0Zbq4aE93BxykyTJg+eL3qi9Nr6o6EPXC6NrSOwi7+OgkOxvy3ffOM0k9uH8kQgrSqyr4ra6GPyhAlEZShJZHtwEWSipohldi4uH1nKBR0QbFYlDrUxs1pErZT5hsDO3yaZ+XCJmsvwNqvcYTWsElbJrhMsiR3ymmjxDkQghT6TYc3LkerlFEjPE5YPT+57LTRr0Clj/NCHtYVJM32vEqZK+trQ44wpW9UfUgivsswgaH7qpUoUd3toAzNyjYq4aRT2f+ClKkJqr30nrt7iQ==
-----END CERTIFICATE-----
```

modulus:

```
…
```

public exponent:

```
10001
```

http://www.mobilefish.com/services/big_number/big_number.php

Convert from Hex to Decimal:

modulus:

```
28993407636316571342586326348082063020266246692223724418333913002608379490300632198568169279233187952420682235686612212772603103627847523146590882187460312316648956838837097116778885973636771696889188494549387940322083331390118795874835030576258326684937151300812645138908066730449099000261041673226653042673157378057698028395027297636289368404247675458838216201820080193123003374913479093995151023569648111093571883880320424173916493048167362814646575020021098288456927240887064251420354330166178795832201737737113844777564495095942542105056776781491303061266015155151594693556327560075728324857395582069925705091461
```

public exponent:

```
65537
```

Now, taking the modulus and exponent from JWK and decoding Base64 and converting the resulting byte array to a Big Integer we have the same values in decimal:

```
n: 5awKF1MZSGSAAlujSf-dRzvrK9D_vV85BMn7fZ-x5E-So580TrTxT9-vgfmTWzhDr0f240DqR6ojF_NGXh8V3QhFRM9i2p7dg7M3LO-mfYlrJ_x2Rlw-EdvMmYargk5gaM7sRQKwWnU6ajRZIDw3XbrLDvGeLWZhH1-RzV3NjlJ_0c85bXhyLg_MT9NpnGTP4CePLF0dLuQwo4ktQkkW_BwPaSUhHgPYA-M6IA9S31_vQLB4ZyN00EpdO57fEbhutkzrpb9iiXJh82DD0D5Z2eYyQdMX_7pN9frLKVhoCUelzZ887it0oIlLfpe8WUzuiDHWYThzQiepQfMBRQMJhQ
n: 28993407636316571342586326348082063020266246692223724418333913002608379490300632198568169279233187952420682235686612212772603103627847523146590882187460312316648956838837097116778885973636771696889188494549387940322083331390118795874835030576258326684937151300812645138908066730449099000261041673226653042673157378057698028395027297636289368404247675458838216201820080193123003374913479093995151023569648111093571883880320424173916493048167362814646575020021098288456927240887064251420354330166178795832201737737113844777564495095942542105056776781491303061266015155151594693556327560075728324857395582069925705091461
e: AQAB
e: 65537
```

Also I have added a test to allow you to verify it quickly.

https://github.com/GluuFederation/oxAuth/blob/master/Client/src/test/java/org/xdi/oxauth/ws/rs/WebKeysTest.java#L59

Best Regards
Javier
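
Added example, not part of either post and not Gluu's code: the two byte differences discussed in this thread can be reproduced from the JWK `n` alone. JWK integers are base64url with the `=` padding stripped and are unsigned, while the certificate stores the modulus as a signed DER INTEGER. The helper names are hypothetical, and treating the hexdump as the output of a decoder that skips the trailing partial group is an assumption.

```python
import base64

# "n" and "e" copied from the JWK quoted in the thread.
JWK_N = (
    "5awKF1MZSGSAAlujSf-dRzvrK9D_vV85BMn7fZ-x5E-So580TrTxT9-vgfmTWzhD"
    "r0f240DqR6ojF_NGXh8V3QhFRM9i2p7dg7M3LO-mfYlrJ_x2Rlw-EdvMmYargk5g"
    "aM7sRQKwWnU6ajRZIDw3XbrLDvGeLWZhH1-RzV3NjlJ_0c85bXhyLg_MT9NpnGTP"
    "4CePLF0dLuQwo4ktQkkW_BwPaSUhHgPYA-M6IA9S31_vQLB4ZyN00EpdO57fEbhu"
    "tkzrpb9iiXJh82DD0D5Z2eYyQdMX_7pN9frLKVhoCUelzZ887it0oIlLfpe8WUzu"
    "iDHWYThzQiepQfMBRQMJhQ"
)
JWK_E = "AQAB"


def b64url_uint(value):
    """Decode a JWK Base64urlUInt: restore the stripped '=' padding first."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def drop_partial_group(value):
    """Assumed failure mode: a decoder that ignores a trailing incomplete
    4-character group, which silently loses the final octet(s)."""
    return base64.urlsafe_b64decode(value[: len(value) - len(value) % 4])


def der_integer_content(number):
    """Content octets of a DER INTEGER. DER integers are signed, so a
    positive value whose top bit is set gets a leading 0x00 octet."""
    return number.to_bytes(number.bit_length() // 8 + 1, "big")


def compare_encodings():
    octets = b64url_uint(JWK_N)
    n = int.from_bytes(octets, "big")
    return {
        "jwk_octets": octets,                      # 256 octets, unsigned
        "der_octets": der_integer_content(n),      # 257 octets, 00 prefix
        "truncated": drop_partial_group(JWK_N),    # 255 octets, last one lost
        "e": int.from_bytes(b64url_uint(JWK_E), "big"),
    }


if __name__ == "__main__":
    r = compare_encodings()
    print("JWK n     :", len(r["jwk_octets"]), "octets, ends", r["jwk_octets"][-2:].hex())
    print("DER n     :", len(r["der_octets"]), "octets, starts", r["der_octets"][:2].hex())
    print("truncated :", len(r["truncated"]), "octets, ends", r["truncated"][-2:].hex())
```
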