
JWT::createPemFromModulusAndExponent incorrect return value #532

Open
libertyit1 opened this issue Sep 12, 2023 · 3 comments

Comments

@libertyit1

I retrieved JWKs for Google public keys from https://www.googleapis.com/oauth2/v3/certs including this one:

{
    "alg": "RS256",
    "kty": "RSA",
    "n": "hsYvCPtkUV7SIxwkOkJsJfhwV_CMdXU5i0UmY2QEs-Pa7v0-0y-s4EjEDtsQ8Yow6hc670JhkGBcMzhU4DtrqNGROXebyOse5FX0m0UvWo1qXqNTf28uBKB990mY42Icr8sGjtOw8ajyT9kufbmXi3eZKagKpG0TDGK90oBEfoGzCxoFT87F95liNth_GoyU5S8-G3OqIqLlQCwxkI5s-g2qvg_aooALfh1rhvx2wt4EJVMSrdnxtPQSPAtZBiw5SwCnVglc6OnalVNvAB2JArbqC9GAzzz9pApAk28SYg5a4hPiPyqwRv-4X1CXEK8bO5VesIeRX0oDf7UoM-pVAw",
    "use": "sig",
    "e": "AQAB",
    "kid": "838c06c62046c2d948affe137dd5310129f4d5d1"
}

JWT::createPemFromModulusAndExponent(n, e) with these values returns this PEM format:

-----BEGIN PUBLIC KEY-----
MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQCGxi8I+2RRXtIjHCQ6Qmwl
+HBX8Ix1dTmLRSZjZASz49ru/T7TL6zgSMQO2xDxijDqFzrvQmGQYFwzOFTgO2uo
0ZE5d5vI6x7kVfSbRS9ajWpeo1N/by4EoH33SZjjYhyvywaO07DxqPJP2S59uZeL
d5kpqAqkbRMMYr3SgER+gbMLGgVPzsX3mWI22H8ajJTlLz4bc6oiouVALDGQjmz6
Daq+D9qigAt+HWuG/HbC3gQlUxKt2fG09BI8C1kGLDlLAKdWCVzo6dqVU28AHYkC
tuoL0YDPPP2kCkCTbxJiDlriE+I/KrBG/7hfUJcQrxs7lV6wh5FfSgN/tSgz6lUD
AgMBAAE=
-----END PUBLIC KEY-----

JWTs from Google fail to verify using this key.

phpseclib3 and https://8gwifi.org/jwkconvertfunctions.jsp both return this PEM format:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhsYvCPtkUV7SIxwkOkJs
JfhwV/CMdXU5i0UmY2QEs+Pa7v0+0y+s4EjEDtsQ8Yow6hc670JhkGBcMzhU4Dtr
qNGROXebyOse5FX0m0UvWo1qXqNTf28uBKB990mY42Icr8sGjtOw8ajyT9kufbmX
i3eZKagKpG0TDGK90oBEfoGzCxoFT87F95liNth/GoyU5S8+G3OqIqLlQCwxkI5s
+g2qvg/aooALfh1rhvx2wt4EJVMSrdnxtPQSPAtZBiw5SwCnVglc6OnalVNvAB2J
ArbqC9GAzzz9pApAk28SYg5a4hPiPyqwRv+4X1CXEK8bO5VesIeRX0oDf7UoM+pV
AwIDAQAB
-----END PUBLIC KEY-----

and this key verifies Google JWTs correctly.
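Decoding the two PEMs quoted above shows they differ in exactly one place: the first emits the modulus INTEGER without the leading 0x00 byte that DER requires when the top bit of the magnitude is set, so a parser reads the modulus as a negative number (the outer lengths 0x121 vs 0x122 are the knock-on effect). The Python below is an added example, not code from this issue or from php-jwt; it rebuilds both encodings from the JWK above (jwk_to_pem with pad=True/False) and adds a small DER walk, modulus_is_negative, that flags the defective output of any converter.

```python
import base64

# Constructed input: the n/e values of the Google JWK quoted in the issue above.
JWK_N = "hsYvCPtkUV7SIxwkOkJsJfhwV_CMdXU5i0UmY2QEs-Pa7v0-0y-s4EjEDtsQ8Yow6hc670JhkGBcMzhU4DtrqNGROXebyOse5FX0m0UvWo1qXqNTf28uBKB990mY42Icr8sGjtOw8ajyT9kufbmXi3eZKagKpG0TDGK90oBEfoGzCxoFT87F95liNth_GoyU5S8-G3OqIqLlQCwxkI5s-g2qvg_aooALfh1rhvx2wt4EJVMSrdnxtPQSPAtZBiw5SwCnVglc6OnalVNvAB2JArbqC9GAzzz9pApAk28SYg5a4hPiPyqwRv-4X1CXEK8bO5VesIeRX0oDf7UoM-pVAw"
JWK_E = "AQAB"
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID, NULL params

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_uint(magnitude: bytes, pad: bool) -> bytes:
    # DER INTEGER is two's complement: a magnitude whose top bit is set needs a
    # leading 0x00 byte, otherwise a parser reads it as a negative number.
    if pad and magnitude[0] & 0x80:
        magnitude = b"\x00" + magnitude
    return der_tlv(0x02, magnitude)

def jwk_to_pem(n: str, e: str, pad: bool = True) -> str:
    """SubjectPublicKeyInfo PEM from JWK n/e; pad=False reproduces the defective output."""
    rsa_pub = der_tlv(0x30, der_uint(b64url_decode(n), pad) + der_uint(b64url_decode(e), pad))
    spki = der_tlv(0x30, RSA_ALG_ID + der_tlv(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PUBLIC KEY-----", *lines, "-----END PUBLIC KEY-----"])

def der_header(buf: bytes, off: int):  # -> (tag, length, offset of the value)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, ln, off

def modulus_is_negative(pem: str) -> bool:
    """Sanity check for a converter's output: walk the DER to the modulus, test its sign bit."""
    der = base64.b64decode("".join(pem.splitlines()[1:-1]))
    _, _, off = der_header(der, 0)              # SubjectPublicKeyInfo SEQUENCE
    _, alg_len, off = der_header(der, off)      # AlgorithmIdentifier, skipped whole
    _, _, off = der_header(der, off + alg_len)  # BIT STRING; first content byte = unused bits
    _, _, off = der_header(der, off + 1)        # RSAPublicKey SEQUENCE
    tag, _, off = der_header(der, off)          # modulus INTEGER
    return tag == 0x02 and bool(der[off] & 0x80)
```

With pad=True the output is byte-for-byte the phpseclib3 PEM quoted above; with pad=False it is the PEM that fails to verify, and modulus_is_negative returns True for it.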

@Wedrix

Wedrix commented Oct 1, 2023

@libertyit1 did you figure out a fix for this? I seem to be facing the same/similar issue.

Could this be related to php/php-src#11054?

@Wedrix

Wedrix commented Oct 1, 2023

Following that thread, commenting out lines 149 - 151 in JWT.php seems to have temporarily fixed the issue for me, albeit most likely insecurely.

@libertyit1 (Author)

@libertyit1 did you figure out a fix for this? I seem to be facing the same/similar issue.

Not in Firebase; I ended up importing phpseclib3 to convert the JWK e & n params into a PKCS8 key and used that in Firebase JWT::decode.
