Comments (1)
nemonik
commented on July 16, 2024
To verify things I wrote a bash script using OpenSSL to create a signature and verify an RSA-SHA256 signature using the same sized RSA key pair. I also used one of our Java signed JWT as a basis of the comparison:
#!/bin/bash
echo "eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjEzMzI5NjMzODIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3QvIiwidXNlcl9pZCI6Im1qd2Fsc2giLCJhdWQiOiJyYXZlIiwiaWF0IjoxMzMyOTYzMzgyLCJub25jZSI6IjJmYTA3NTljZDc2NTUifQ" > signaturebase.txt
echo "UNWfV0It3_JKL2fz6SQIaL1G-M48aciogupktunf-F9c6oaoEn3fo_S-oCp6mFceOE5AEw2aOL29wP03lqHXDIHnla4cO5P3ZqGb3K7o-whoy8oHiGaLw7Kn3IgygIAXGSU_6BXGjh0bzVp0n3JSmkZbD_QwteiaZnL3_hS4rNu-9vBAd6sZd9DzkiP7kejQHrBGwEwL6P1ntmHXKYqbID-oH9SD8rOGIAN7Q36EENoVa8rr9Qp3alceyUVlHkSryL3HyXQDUbXmD4KukKrngnKP-RUnOXcnNq8oUQsdm6GDodV8miCMTe9oRquQPtEZUjD03FjnjZEDdxPVgvq4JQ" > java_rsa_sha256_signature.txt
signaturebase=`cat signaturebase.txt`
baseCharCount=`cat signaturebase.txt | wc -c`
echo "Creating signature of \"$signaturebase\" which is $count characters long."
signature=`cat java_rsa_sha256_signature.txt`
signatureCharCount=`cat java_rsa_sha256_signature.txt | wc -c`
echo "Java RSA SHA256 signature was $signatureCharCount characters long."
openssl genrsa -out private.pem 2048
#openssl genrsa -out private.pem 1024
openssl rsa -in private.pem -out public.pem -outform PEM -pubout
openssl dgst -sha256 < signaturebase.txt > hash
openssl rsautl -sign -inkey private.pem -keyform PEM -in hash > signature
openssl enc -base64 -in signature > openssl_rsa_sha256_signature.txt
export signatureCharCount=`cat openssl_rsa_sha256_signature.txt | wc -c`
signatureCharCount=`echo "$signatureCharCount - 2" | bc`
echo "OpenSSL RSA SHA256 signature was $signatureCharCount characters long."
openssl enc -d -base64 -in openssl_rsa_sha256_signature.txt -out signature2
openssl rsautl -verify -inkey public.pem -keyform PEM -pubin -in signature2 > verified
diff -s verified hash
The signature size OpenSSL creates is the same as Java. The server's RSA Signer is currently configured with a SHA-256 RSA 2048 bit key pair. Using an 1024 bit key pair would certainly create a smaller, less secure signature, but it would return the signature size that you were expecting. These days, it is completely reasonable to configure a 2048 bit key pair. We should note the necessary database change to accommodate signatures resulting from using larger keys.
I've add another RSA key to the store with the alias "rsa1024" with the password "changeit", the size change for the calculated signatures will be immediate upon configuring the server to use. To verify, swap the key pair generating lines in the above script.
from openid-connect-java-spring-server.
Related Issues (20)
- Email case in-sensitive HOT 2
- Incorrect link in documentation
- Missing dependency in OpenID Connect Common, incorrect JaCoCO version and Wro4j Maven plugin exception HOT 2
- Compilation issue HOT 1
- Authentication with Client Secret Basic and Client Secret POST are interchangeable HOT 1
- What version UMA is being currently implemented? 2.0 or 1.0 HOT 1
- Version 1.3.5 not published HOT 1
- Build failure on Java11+ HOT 2
- CVE in openid-connect-client HOT 2
- Obsolete Dependency in Use (Log4j 1.2.x)
- Several CVE's in Trivy analysis
- Error when building whith maven HOT 1
- OpenID Connect with OpenLDAP HOT 4
- Consuming restful api in spring mvc application with a token obtained directly from IDP
- (SomeBody please reply for this, it urgent) It have any code to generate a Verifiable Credential HOT 1
- Problem connecting the LDAP Overlay whith Moodle
- Regarding upgrades & other related supportability of this repo HOT 1
- OIDC certication website: No client configuration found for issuer HOT 1
- BCrypt password encoder not working due to Spring 4
- PKCE code verifier does not respect the RFC 7636
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from openid-connect-java-spring-server.