By: Hugo Cisneiros user 31 Aug 2020 at 5:41 p.m. CDT

5 Responses
Hi there, I am trying to use an OpenID client with Gluu. The client uses the `go-jose` library and is returning the following error after authentication is made (and Gluu sends the user to the callback request_uri):

```
failed to verify signature: fetching keys oidc: failed to decode keys: got Content-Type = application/json, but could not unmarshal as JSON: square/go-jose: invalid EC private key, wrong length for x
```

The code responsible for this error is here:

```
// The length of this octet string MUST be the full size of a coordinate for
// the curve specified in the "crv" parameter.
// https://tools.ietf.org/html/rfc7518#section-6.2.1.2
if curveSize(curve) != len(key.X.data) {
	return nil, fmt.Errorf("square/go-jose: invalid EC private key, wrong length for x")
}
```

According to the RFC, the size of `x` is wrong with my Gluu server, which is reporting the following:

```
{
  "kty" : "EC",
  "use" : "sig",
  "crv" : "P-256",
  "kid" : "7edb02aa-c98d-4c54-b061-4b024ee34f4f_sig_es256",
  "x5c" : [ "..." ],
  "x" : "Qv1-NfzyhE9huWJPqSkQ1oO1CT4lKvZXnAwLu7UoPgg",
  "y" : "-JVzHyu5ihdMHQjGol_5yRRLIlO9Yo7SgECPUSqqQ8E",
  "exp" : 1588379239581,
  "alg" : "ES256"
}, {
  "kty" : "EC",
  "use" : "sig",
  "crv" : "P-384",
  "kid" : "c690a8b9-5301-4d66-bc59-65bdb144c3a9_sig_es384",
  "x5c" : [ "..." ],
  "x" : "FU43zR05UX7XsrlPd_P6TEzBZ9h2KdeEtVwN0ppmv-kq8JRfP-Hyn8OEp0ur0H2U",
  "y" : "vXMyLtU189-_ZcYS8pM6Jvd0tcZkBOEOXW5Mp8blcY6XVPgcnJb1UB64eJTWZvVg",
  "exp" : 1588379239581,
  "alg" : "ES384"
}, {
  "kty" : "EC",
  "use" : "sig",
  "crv" : "P-521",
  "kid" : "5de38e6a-599c-4671-8dca-e6b4bc8cd1d7_sig_es512",
  "x5c" : [ "..." ],
  "x" : "lwJcbU78R-UiYSIEpWeDch7bzKiEZnNwPThUmrcK0FRA6ux-B_pfCA8sXYNhpdZ99nwj3Di8MXyRO2dXEFZ9_9I",
  "y" : "IYzVuUFEbKjNpIIO-oOMwPNPxNRQj7eTpGw09gunLrSC90Dug8-cf_yh_ZJ-LqNLr72V15ehUcGfog_s0q4l1YA",
  "exp" : 1588379239581,
  "alg" : "ES512"
}, {
  "kty" : "EC",
  "use" : "enc",
  "crv" : "P-256",
  "kid" : "7b000067-0fdc-4b69-814b-724fc9d669ea_enc_es256",
  "x5c" : [ "..." ],
  "x" : "PEhVi8Mxh42bXkgfPipyXA6WC28EuTeCaBg7O5BaLF8",
  "y" : "w2xl_m97KJUaz-woisP-F1902Oyzurwk7CIQjofvUhA",
  "exp" : 1588379241833,
  "alg" : "ES256"
}, {
  "kty" : "EC",
  "use" : "enc",
  "crv" : "P-384",
  "kid" : "a281cecf-4977-4940-b1a6-edc4f1e134db_enc_es384",
  "x5c" : [ "..." ],
  "x" : "8X8W27D7fs_FipCl8267alFsX_HLWl3R8BTlTJfzl9c5Xn1iiSpTaoO0u8EwkT3j",
  "y" : "Jyp5PadPnHgfQgjD38qchSlkd1obzCBveKMP-D6OAcCPkbVG-apQMSYPkdZG7rmD",
  "exp" : 1588379241833,
  "alg" : "ES384"
}, {
  "kty" : "EC",
  "use" : "enc",
  "crv" : "P-521",
  "kid" : "def4795c-591b-41ac-900f-dcde892d82ae_enc_es512",
  "x5c" : [ "..." ],
  "x" : "KERS2-JMz1c21c5dun_H88-YfHcylatFuTmE9PlG4LWCJoAsu7-6sLghe7-_KDub-bxaYIS1qy82WAgYw1SfNHQ",
  "y" : "AVm0VRomfPDhPKmSxKagmimTLZkFhyeZyWTus97s94baaCpyBytdmqZRhqM9HZEebGGoASKVZ5DYOhDWxMxTFu27",
  "exp" : 1588379241833,
  "alg" : "ES512"
}
```

I think there's something wrong with those values... For example, the `P-521` for `enc` has a different size between `x` and `y`. Is there anything I can do to fix this? (besides disabling the check for the value lengths)
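An added example, not code from this thread, from go-jose or from Gluu: it applies the RFC 7518 coordinate-length rule to a JWKS document (the same test go-jose failed on above) and shows the fixed-width encoding a server should emit. It assumes the short coordinate comes from a leading zero byte being dropped when the value was base64url-encoded; the 87- versus 88-character `x`/`y` of the P-521 `enc` key above are consistent with that (the P-521 `sig` key shows 87 characters for both coordinates), and a P-521 coordinate has a zero top byte about half the time, against roughly 1 in 256 for P-256, which fits only `P-521` being affected.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// Coordinate octet length per RFC 7518 section 6.2.1.2 (ceil(bits/8)): P-521 is 66 bytes even when its top byte is zero.
var curveSize = map[string]int{"P-256": 32, "P-384": 48, "P-521": 66}

// Constructed sample: the P-521 "enc" key quoted above (x5c and exp omitted).
const sampleJWKS = `{"keys":[{"kty":"EC","use":"enc","crv":"P-521","kid":"def4795c-591b-41ac-900f-dcde892d82ae_enc_es512",
"x":"KERS2-JMz1c21c5dun_H88-YfHcylatFuTmE9PlG4LWCJoAsu7-6sLghe7-_KDub-bxaYIS1qy82WAgYw1SfNHQ",
"y":"AVm0VRomfPDhPKmSxKagmimTLZkFhyeZyWTus97s94baaCpyBytdmqZRhqM9HZEebGGoASKVZ5DYOhDWxMxTFu27"}]}`

// AuditJWKS applies the length test go-jose runs before accepting an EC key and reports each bad coordinate with its kid.
func AuditJWKS(doc []byte) ([]string, error) {
	var set struct{ Keys []struct{ Kty, Crv, Kid, X, Y string } } // encoding/json matches field names case-insensitively
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	var problems []string
	for _, k := range set.Keys {
		want, ok := curveSize[k.Crv]
		if k.Kty != "EC" || !ok {
			continue
		}
		for _, c := range [][2]string{{"x", k.X}, {"y", k.Y}} {
			raw, err := base64.RawURLEncoding.DecodeString(c[1])
			if err != nil || len(raw) != want {
				problems = append(problems, fmt.Sprintf("%s: %s decoded to %d bytes, want %d for %s", k.Kid, c[0], len(raw), want, k.Crv))
			}
		}
	}
	return problems, nil
}

// EncodeCoord is the fixed-width encoding a server should emit: FillBytes keeps the
// leading zero bytes that big.Int.Bytes() drops (assumed here to be how a 65-byte P-521 coordinate arises).
func EncodeCoord(crv string, v *big.Int) string {
	buf := make([]byte, curveSize[crv])
	v.FillBytes(buf)
	return base64.RawURLEncoding.EncodeToString(buf)
}

func main() {
	fmt.Println(AuditJWKS([]byte(sampleJWKS)))
}
```

Pointed at a fetched `jwks_uri` document, `AuditJWKS` tells you which `kid` a client such as go-jose will reject before you see the error in the client's logs.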

By Mohib Zico staff 01 Sep 2020 at 2:30 a.m. CDT

@Yuriy.Zabrovarnyy: Should we open an issue on GitHub?

By Yuriy Zabrovarnyy staff 01 Sep 2020 at 5:49 a.m. CDT

@Mohib.Zico I've checked it on the test server and see the same problem for `P-521`, so yes, please open a GitHub ticket to fix it.

By Hugo Cisneiros user 02 Sep 2020 at 8:46 a.m. CDT

Thanks for the support! Just to add some more information, I'm using the [oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) reverse proxy to test this as an OAuth2 client. I also disabled the length check for `x` and got the same error for `y` too. When disabling the length checks for `x` and `y` in the client source, the workflow works fine (but this is really a bad workaround for me). Let me know if I can help in any other way.

By Yuriy Zabrovarnyy staff 02 Sep 2020 at 8:58 a.m. CDT

Thanks for reporting it. We will fix it within https://github.com/GluuFederation/oxAuth/issues/1461

BR, Yuriy Z

By Hugo Cisneiros user 02 Sep 2020 at 10:54 a.m. CDT

Also for reference, I did the following workaround to disable the P-521 EC keys in oxAuth:

1. Go to `JSON Configuration - OxAuth Configuration - jwksAlgorithmsSupported`
2. De-select the `ES512` item and select all the others.
3. Update
4. Test if the entries for EC P-521 are gone in the jwks_uri (i.e. https://gluu/oxauth/restv1/jwks )