JWT ES256 token using ECDSA

rokko1337 · April 29, 2021, 2:35pm

I’m trying to create ES256 JWT using keys generated with openssl, my example works fine with RS256 keys - jwt.io verifies generated RS256 token, but not ES256. Here are code parts for RS256 generation:

mbedtls_pk_context pk_context;
mbedtls_pk_init(&pk_context);

mbedtls_pk_parse_key(
    &pk_context,        // The PK context to fill
    private_key,        // Input buffer to parse (must contain a null-terminated string)
    private_key_len,    // Size of the key in bytes (includes the terminating null byte)
    NULL,               // Optional password for decryption (if key was encrypted during generation)
    0);                 // Size of the password in bytes

mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ctr_drbg_init(&ctr_drbg);

mbedtls_entropy_context entropy;
mbedtls_entropy_init(&entropy);

mbedtls_ctr_drbg_seed(
    &ctr_drbg,              // The CTR_DRBG context to seed
    mbedtls_entropy_func,   // The entropy callback
    &entropy,               // The entropy context to pass to entropy callback
    NULL,                   // The personalization string
    0);                     // The length of the personalization string

uint8_t md_checksum[32];
mbedtls_md(
    mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),   // MD algorithm
    base64_header_and_payload,                      // Input data buffer
    strlen((char*)base64_header_and_payload),       // Input data length
    md_checksum);                                   // Output MD checksum

uint8_t signature[250];
size_t signature_len;
mbedtls_pk_sign(
    &pk_context,                // PK context to use
    MBEDTLS_MD_SHA256,          // Hash algorithm used
    md_checksum,                // Hash of the message to sign
    sizeof(md_checksum),        // Hash length
    signature,                  // Place to write the signature
    &signature_len,             // Number of bytes written
    mbedtls_ctr_drbg_random,    // RNG function
    &ctr_drbg);                 // RNG parameter

char base64_signature[250];
size_t base64_signature_len;
base64url_encode(
    (const void *)signature,    // Data to encode.
    signature_len,              // Length of data to encode.
    base64_signature,           // Base64 encoded data.
    &base64_signature_len);     // Length of base64 encoded data.

char* token = (char*)malloc(strlen((char*)base64_header_and_payload) + 1 + strlen((char*)base64_signature) + 1);
sprintf(token, "%s.%s", base64_header_and_payload, base64_signature);

For ES256 I generated pair of keys with:

openssl ecparam -name secp256r1 -genkey -noout -out ecdsa_private_key.pem
openssl ec -in ecdsa_private_key.pem -pubout -out ecdsa_public_key.pem

mbedtls_pk_get_type() added after mbedtls_pk_parse_key() returns MBEDTLS_PK_ECKEY. I’m not shure at this point that it’s correct, because there is also MBEDTLS_PK_ECDSA type, maybe I somehow need to get this one in return?

mbedtls_pk_type_t pk_type;
pk_type = mbedtls_pk_get_type(&pk_context);

Also was trying to work with ecdsa_context, added this part after mbedtls_pk_parse_key():

mbedtls_ecdsa_context ecdsa_context;
mbedtls_ecdsa_init(&ecdsa_context);
mbedtls_ecdsa_from_keypair(&ecdsa_context, pk_context.pk_ctx);

And this function instead of mbedtls_pk_sign():

mbedtls_ecdsa_write_signature(
    &ecdsa_context,             // PK context to use
    MBEDTLS_MD_SHA256,          // Hash algorithm used
    md_checksum,                // Hash of the message to sign
    sizeof(md_checksum),        // Hash length
    signature,                  // Place to write the signature
    &signature_len,             // Number of bytes written
    mbedtls_ctr_drbg_random,    // RNG function
    &ctr_drbg);                 // RNG parameter

It generates token in both cases, but I can’t validate it in jwt.io. Please suggest the correct way of ES256 generation with already existing private and public keys.

rokko1337 · April 30, 2021, 12:11am

Tried generated EC keys, got same result:

mbedtls_pk_setup(
    &pk_context, 
    mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)); 

mbedtls_ecp_gen_key(
    MBEDTLS_ECP_DP_SECP256R1,
    mbedtls_pk_ec(pk_context),
    mbedtls_ctr_drbg_random,
    &ctr_drbg);

mbedtls_pk_sign(
    &pk_context,                // PK context to use
    MBEDTLS_MD_SHA256,          // Hash algorithm used
    md_checksum,                // Hash of the message to sign
    sizeof(md_checksum),        // Hash length
    signature,                  // Place to write the signature
    &signature_len,             // Number of bytes written
    mbedtls_ctr_drbg_random,    // RNG function
    &ctr_drbg);                 // RNG parameter

// Get public key to verify on jwt web site
mbedtls_pk_write_pubkey_pem(pk_context, output_buf, 500);

And ECDSA generated keys:

mbedtls_ecdsa_genkey(
    &ecdsa_context,
    MBEDTLS_ECP_DP_SECP256R1,
    mbedtls_ctr_drbg_random,
    &ctr_drbg);

mbedtls_ecdsa_write_signature(
    &ecdsa_context,             // ECDSA context to use
    MBEDTLS_MD_SHA256,          // Hash algorithm used
    md_checksum,                // Hash of the message to sign
    sizeof(md_checksum),        // Hash length
    signature,                  // Place to write the signature
    &signature_len,             // Number of bytes written
    mbedtls_ctr_drbg_random,    // RNG function
    &ctr_drbg);                 // RNG parameter

// Don't know how to get public key from ECDSA context, so I'm getting X, Y points to create JWK and convert it to PEM
mbedtls_ecp_point_write_binary(&key->grp, &key->Q, MBEDTLS_ECP_PF_UNCOMPRESSED, &len, buf, sizeof buf )

Key from the buffer:
044EAE13BB1A62771AB9E1238FAA1F71A40B9AF87BC8004999E1BD1EF56470D66F0BB8B9C7774A56AD79F94BE7C466D9BA7640C0C0D9E802B494EAF042702588EC

04 - Uncompressed Public Key
0BB8B9C7774A56AD79F94BE7C466D9BA7640C0C0D9E802B494EAF042702588EC - Public Key X coord
528D77BE738FB00C96644F07F2FDAE7CFA9EEE6F6A6E0544CDFF548724D82DD4 - Public Key Y coord

JWK with these HEX values encoded with Base64:

{
"kty": "EC",
"use": "sig",
"crv": "P-256",
"x": "C7i5x3dKVq15+UvnxGbZunZAwMDZ6AK0lOrwQnAliOw=",
"y": "Uo13vnOPsAyWZE8H8v2ufPqe7m9qbgVEzf9UhyTYLdQ=",
"alg": "ES256"
}

PEM key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEC7i5x3dKVq15+UvnxGbZunZAwMDZ
6AK0lOrwQnAliOxSjXe+c4+wDJZkTwfy/a58+p7ub2puBUTN/1SHJNgt1A==
-----END PUBLIC KEY-----

Still can’t verify in jwt.io…

Edited: I’m not 100% sure that last part with JWK creation from ECDSA hex key is correct, because I coudn’t verify generated JWT with PEM key created from that JWK after decoding ASN.1 signature.

rokko1337 · April 30, 2021, 12:21pm

Further investigation led me to github issue that was related to mine one:

github.com/ethanhuang13/CupertinoJWT

Can't verify ES256 signed token on jwt.io

opened 12:30PM - 16 Sep 18 UTC

closed 06:50AM - 17 Sep 18 UTC

jogu

Hi, I'm try to use CupertinoJWT to generate an ES256 signed jwt that's NOT f…or use with Apple services. It seems to work nicely except I just can't get the signature to verify, I wonder if you have any ideas? I'm using the example you give: ``` // Get content of the .p8 file let p8 = """ -----BEGIN PRIVATE KEY----- MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgGH2MylyZjjRdauTk xxXW6p8VSHqIeVRRKSJPg1xn6+KgCgYIKoZIzj0DAQehRANCAAS/mNzQ7aBbIBr3 DiHiJGIDEzi6+q3mmyhH6ZWQWFdFei2qgdyM1V6qtRPVq+yHBNSBebbR4noE/IYO hMdWYrKn -----END PRIVATE KEY----- """ // Assign developer information and token expiration setting let jwt = JWT(keyID: "moo", teamID: "bar", issueDate: Date(), expireDuration: 60 * 60) do { let token = try jwt.sign(with: p8) // Use the token in the authorization header in your requests connecting to Apple’s API server. // e.g. urlRequest.addValue(_ value: "bearer \(token)", forHTTPHeaderField field: "authorization") print("signed jwt:\n\(token)") } catch { // Handle error } ``` Which gives a token: `eyJhbGciOiJFUzI1NiIsImtpZCI6Im1vbyJ9.eyJpc3NYWCI6ImJhcjIiLCJpYXQiOjE1MzcwOTg0MzIsImV4cCI6MTUzNzEwMjAzMn0.MEQCIES1_Ry1Ia-l0bkOcHGQ6OSPPocvXShOCtTVo4Y4hMBDAiBRLLhebK3YoyuJ46iJpohKZgfs24E5ARp1YAFnDPu-rg ` (NB: I made a trivial mod to stop CupertinoJWT including 'iss', as I was seeing errors in the js console on jwt.io related to the iss value that I wanted to rule out as a cause of the problem.) I get the public key using: `openssl ec -in private-key.pem -pubout -out pubkey.pem` which gives: ``` -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEv5jc0O2gWyAa9w4h4iRiAxM4uvqt 5psoR+mVkFhXRXotqoHcjNVeqrUT1avshwTUgXm20eJ6BPyGDoTHVmKypw== -----END PUBLIC KEY----- ``` and then I try and verify using jwt.io, but it fails the signature validation. (I'm not including the jwt.io shareable url as I find these show 'invalid signature' even when viewing with a valid object - I've just reported a bug about that in their GitHub. Pasting things into jwt.io appears to work correctly, it's just the pre-filled out urls that don't seem to work.) I tried getting JWT.io to sign (using the same private key), and that gives this jwt, which jwt.io can verify using the public key above: `eyJhbGciOiJFUzI1NiIsImtpZCI6Im1vbyJ9.eyJpYWFhYWFhdCI6MTUzNzA5MzQ5NywiZXhlZWVlcCI6MTUzNzA5NzA5N30.fsvs3UD6zTMWvrQDqXJxzTUfanCO5ZFwRM-NeZuTJx8ICR2Hkn8K9_xzaISxHYV0jXCyuKOc5VJBUsprpMARig` One difference I noticed is that the signature jwt.io produces is 86 bytes base64 encoded (64 bytes decoded), whereas the one from Cupertino.jwt is 94 bytes of base64, decoding to 70 bytes. The example in https://tools.ietf.org/html/rfc7515#appendix-A.3.1 is 64 bytes decoded. Unless I have really misunderstood something, I believe CupertinoJWT is intended to output standard ES256, so I would have expected it to also be generating a 64 byte signature. The CupertinoJWT generated signatures also seem to always being 'ME'; this makes me suspicious that there may be a header of some kind before the actual signature. (Testing done on an iPad running iOS 11.4.1, using an app built using Xcode 10 GM.)

To be verified in jwt.io signature must be 64 bytes, but mbedtls generates 70 bytes ASN.1 encoded I suppose.

Openssl generated key pair:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErbJbQ9/uCBv+76EkuxzvzSHRNrV+
EM+xpJQXT3eI/d2ilvFM/OvTgWPU3UotDA63Snt+uZaow3YQcihzDhgsRw==
-----END PUBLIC KEY-----

JWT signed with mbedtls:

eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjUxLCJleHAiOjM2NTEsImlzcyI6ImVzcDMyIn0.MEQCICQFiUNe1WmuUUOti5YtVpKyg7vebG8JCNTbi-xBNzKYAiBQmZ5BwhbIw2xbiSSjOIfHHP-Oer4SzvrpvHziN1SFxw

Base64url signature part decoded through Hex to Base64: Encode and decode bytes online - cryptii (RFC 4648 $5) is 70 bytes:

30 44 02 20 24 05 89 43 5e d5 69 ae 51 43 ad 8b 96 2d 56 92 b2 83 bb de 6c 6f 09 08 d4 db 8b ec 41 37 32 98 02 20 50 99 9e 41 c2 16 c8 c3 6c 5b 89 24 a3 38 87 c7 1c ff 8e 7a be 12 ce fa e9 bc 7c e2 37 54 85 c7

https://lapo.it/asn1js/ parses it correctly into two integers 32 bytes each:

24 05 89 43 5e d5 69 ae 51 43 ad 8b 96 2d 56 92 b2 83 bb de 6c 6f 09 08 d4 db 8b ec 41 37 32 98

50 99 9e 41 c2 16 c8 c3 6c 5b 89 24 a3 38 87 c7 1c ff 8e 7a be 12 ce fa e9 bc 7c e2 37 54 85 c7

Concatenated and base64url encoded:

JAWJQ17Vaa5RQ62Lli1WkrKDu95sbwkI1NuL7EE3MphQmZ5BwhbIw2xbiSSjOIfHHP-Oer4SzvrpvHziN1SFxw

With this signature JWT is correctly verified in jwt.io.

Topic		Replies	Views
ECP Keypair JWT header formatting Crypto and SSL questions	0	206	June 2, 2023
Parsing EC Keys created with openssl Generic	4	3299	February 21, 2019
Verify signature of JWT Mbed TLS mbed_tls	0	674	August 10, 2021
Incompatibility between X25519 key created with OpenSSL Generic	3	2622	June 24, 2018
ECDH Shared Key Generation Crypto and SSL questions	1	2690	April 26, 2020

JWT ES256 token using ECDSA

Related topics