Identity Gateway / OPENIG-5429

JwkSetHandler : RSA private key with keyUsage SIGN and missing 'q' parameter


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 7.1.0
    • 7.1.0
    • None
    • None
    • OS : Linux
      jdk : OpenJDK 11.0.6
      IGStandalone: 7.1.0-SNAPSHOT e8525bc0747

    Description

      Using this route (pem file attached)

      {
        "condition": "${matches(request.uri.path, '/pem_key$')}",
        "handler": {
          "config": {
            "purposes": [
              {
                "keyUsage": "SIGN",
                "secretId": "6.pem.key.RSA.private.SIGN"
              }
            ],
            "secretsProvider": "FileSystemSecretStore-3"
          },
          "type": "JwkSetHandler"
        },
        "heap": [
          {
            "config": {
              "directory": "&{ig.instance.dir}/config/secrets_store/",
              "format": "PLAIN",
              "mappings": [
                {
                  "format": "pemPropertyFormat",
                  "secretId": "6.pem.key.RSA.private.SIGN"
                }
              ],
              "suffix": ".pem"
            },
            "name": "FileSystemSecretStore-3",
            "type": "FileSystemSecretStore"
          },
          {
            "name": "pemPropertyFormat",
            "type": "PemPropertyFormat"
          }
        ]
      }
      

      The key returned by the JwkSetHandler is something like:

      {
          "keys": [
              {
                  "kty": "RSA",
                  "kid": "6.pem.key.RSA.private.SIGN",
                  "use": "sig",
                  "n": "s7YMCacTNP8Elu2wpuk_50VNmtuQ2Lesb8ZZ_JOIDJWWHTmvFOYVkoXx5hAdaVNlEUkXRefbVsoufUKulUiTZ9etencB3VQP9699zUGHxHSZfSv76SuAF8GeUGCpcV5x0YxSd5WtX2aTcsuWB1Ly3FiBlt_D6I_kgBU3ojAdvbYXVaz-2WbJBX_kip-V5sVhR4JXG-8jyz1P8jtuDc5YtOl2RdeoptjR4L8e0kccDOhFVFGlqxRTfLwvUMUXIwZmb_tCw_PmDL8OhqhKSs0t8uGfIXDjRPdyvCR5HYkLNrV_ywg-4KNm4i7icuG8l9sxo7d-ot5yB9qzgQHWCz-BwdBVK9x-4Q87JJvykyRtCIiUFgijv93r2l3rKMdjzEglTjtwanCxBlVsn-_0ak8D4aTsdhrmmxH3svc2kfOAiz-pmBTsN38ndAJ4-38gumIkkyvZVEQDKb17k85r-E8ScJ_7yIBP8Bb0T8-H5GnYhLV4FwFzetAlQCkkS014-WVQ4hN3F3Kgc9FIdH7ch2P_iVnqxaQeA044BbddS-8SZK4Xs_487VLtJmQcPLmJdOpj-kRd9kO53l3aQbuwMfeqKBQwJSKcLyVLWYwDY9lbn2B0fn0d3c8ixaNLrCw_mHb8_Y0mOpc9qmHnERGhh76cjlIOK2pOaZzvFspWsCqKSC0",
                  "e": "AQAB",
                  "d": "pBmkPFw4CbiktD0vhfqPw9tg1fuQ9JQj_Z0eJqmBHhyqCt3VpjvDjxyImxA0Cy1_qJ0Zh1gEzeepM_BkAyVWlQg4_Q8WwMg2HHI_aeJg21-tmMNFMNHsEcVXjwX1M_SN8k80LsaanfbIxZZp1R5FbjfTfbWu6voaKWs2df-B6O4RuMZToKle_oqeYob_Fs892VKHwJZKFRhTnFnwUOMP1YMp4PTgqBps69EZj-InFxIx3KEBqorRAaHFgve1_OGnQLIrcUuR0inUVdnunQdm4dZsvNicbymVt3-GqRWvC7IIk5lf8TjEhd1SIp1G3VPmrByuooKFle56416N2Y-QJ6bsZSRfnwWyzePcVgJU1luEMYZYPSlhQIJuG0KBQQ9Cajt6f6vllva3RPtTj4ukZdRqDSheL8xMGrQEqaKOTbGWaY3IqqZ5T1VdR8IJ1mga8ejwMJWOXoEvrpJ4onMI821eQQX7J7qcXwmvwKPYlCSZ1bT0lGrChDZAB3sDHORv_X3Zn9J-LIjlY5YGLC4gqcedAygicc9Rj8LZez3wZILH_Mo5GtUk9Vzpppf_pSCaclBG4kNhYrwSif0jruDTo9vKBdWErsq8oDi7NKR7wkR-5a0oE7OKVU_0L03W99cxtb-t-qNOFDvqC1__-xlqt7XlAeXkP-EKvZIZnA0ZYXE",
                  "p": "3YRR82bjpXBrh2WOaXmgAnWLqfDUWfFUAJqdi7_Wne_VNb0rfDiaUPGH0lRQlqkG6_8-NLMWFVWSq569lslM1jMAJRalOSUkaoa9q2fZvurZWx-IQ8agnyb769ggG4krbqJKxmrUKAsYtFfvNckriVIMr7KOlTLWRj4KzID5ONGBfLjw6xqMgB_Wz6_oBklcSKV6tMtI-9rUvGiDEVWiJFe9fTEtf2RXSfcah1r4VwOWIn5zbTaOVic1KGnH3JXRpKhOH8K6UNoWfa-VKBFfAjwv1LyKfVcK1XlqKUzbTKmYxioQKY8P7FC5Yc3wu_y8cBd8uR9_Q09IXYCF5sERAw",
                  "dp": "tdvoG9gglLYS0XnCzT0Y7GvsWXxqGd1ShZxqM00vuUIo3JGNndIqfsGMLFUkRExIbn-CZmmQe7thSpxsMdrZxhDg0ZIh2yRvHTW5iXsc_Ox5vaHJkTsEqySqNhmdYn3etllu4i7aNnXFtmlq7dFWeMpvt97zx_GQkOJmozZPZSI7GFYNFDcbmiSJisBz0JVxugKBFuS96mbhuDxlPln7X7LY0msJW0jZkNPZZ757m5RKMc92m_bqLDjMH32Yo7QsBO5YFSMdKzugs1bvMZHxWjhnXFPdrsFDF7cyPO3oLKwfzLDDzBqzi-NKDs2wEeWQHsZpkuIU7QGt-3WEeMmQWQ",
                  "dq": "gF3Re4gAcX0wjWIEsQ9y4pHjZeg8KLQh7gC9cwjc5jvLWAcXgA881LWesUJdAV8paSz-2z2zrhMFhB_eZyblD_uKNNpSGmR4F0wERxhwtwOGHbA2L9x7S9hg8B6uNE7nvQGlSCE0IivV9raIbU-y6HAy3BwsT7utKlcWWJB7te6WOHSl3-cGjvVmusjrnGoEk8SnBFbbZZk9O1urdDgiehD9l4d6PPuQ19ORCLtf8RNtitYoMN8J3Bp_CF2g7FQOM-mRObz4wCl7F4eFeRRomEj_aGjW3F8XbzrtSXgt7_V4BEdfY81zdoGlqxxwy8EteymttK6KC6iD2nhk1aGYOw",
                  "qi": "VXY9ULy8YqcGvjBeHTqVoTrRl_sL7Qi9J2d25H87OzXg9p_cB2GFnplc_L9Pmilexw3kjva9PaDwFPwUbRNnR0Ur9mMlUiQMLqO4Pz16DHEFNcMJ-J6j3BIloCkqccZVgJtdWT3rv9UpXmbWzBsFw1-Fdl17Bx1QqGCRHwtKzRLus4Tsp2rPVs3YJJv18rVlkch96in6NOmwTXsMpXGXmpRt7vXK1L3rmCOavmckixJpBMA6DwD6g7ez8DcYxY72t61KdK9uPrOhNcMdUVymb9YsTuxYA8OWh6A6CMYxgTxaQGYrUg6acBMr_nyYXLiksvEe1mcEwXyF2Xtvst5vog"
              }
          ]
      }
      

      which seems not to follow the RFC (https://tools.ietf.org/html/rfc7518#section-6.3.2), that states
      `If the producer includes any of the other private key parameters, then all of the others MUST be present, with the exception of "oth", which MUST only be present when more than two prime factors were used.`

      In the present case, some parameters are present, but the `q` parameter is missing.

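      The rule quoted above is easy to check mechanically, and the omission of `q` does not actually hide anything, because `q = n / p` once `n` and `p` are published. The following is an added example, not code from the Identity Gateway project or the reporter: it builds an RSA private JWK from two small constructed Mersenne primes (not secure key material), runs a checker for the RFC 7518 section 6.3.2 all-or-nothing rule, and recovers the missing `q` from `n` and `p`. The helper names (`make_rsa_jwk`, `check_rsa_jwk`, `recover_q`) are this example's own; it assumes Python 3.8+ for `pow(x, -1, m)`.

```python
"""Check an RSA JWK against the private-parameter rule of RFC 7518 s6.3.2.

Added example, not code from the Identity Gateway project. Uses small,
constructed primes so it runs offline; the key material is NOT secure.
"""
import base64
from math import gcd

# Private parameters that must all be present together (two-prime case).
RSA_PRIVATE_PARAMS = ("d", "p", "q", "dp", "dq", "qi")


def uint_to_b64url(value: int) -> str:
    """Encode an unsigned integer as unpadded base64url (JWA Base64urlUInt)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_to_uint(text: str) -> int:
    """Decode an unpadded base64url string back into an unsigned integer."""
    padded = text + "=" * (-len(text) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def make_rsa_jwk(p: int, q: int, e: int = 65537, kid: str = "constructed") -> dict:
    """Build a complete RSA private JWK from two primes (constructed helper)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # Carmichael lambda(n)
    d = pow(e, -1, lam)
    return {
        "kty": "RSA", "kid": kid, "use": "sig",
        "n": uint_to_b64url(n), "e": uint_to_b64url(e), "d": uint_to_b64url(d),
        "p": uint_to_b64url(p), "q": uint_to_b64url(q),
        "dp": uint_to_b64url(d % (p - 1)),        # d mod (p-1)
        "dq": uint_to_b64url(d % (q - 1)),        # d mod (q-1)
        "qi": uint_to_b64url(pow(q, -1, p)),      # q^-1 mod p
    }


def check_rsa_jwk(jwk: dict) -> list:
    """Return a list of problems; an empty list means the key is consistent."""
    problems = []
    if jwk.get("kty") != "RSA":
        return ["kty is not RSA"]
    for name in ("n", "e"):
        if name not in jwk:
            problems.append(f"public parameter {name!r} missing")
    present = [k for k in RSA_PRIVATE_PARAMS if k in jwk]
    if not present:
        return problems  # public key only: nothing more to check
    if "oth" in jwk:
        problems.append("'oth' present; this checker only handles two-prime keys")
    missing = [k for k in RSA_PRIVATE_PARAMS if k not in jwk]
    if missing:
        problems.append(
            f"private parameters {present} present but {missing} missing "
            "(RFC 7518 s6.3.2: all or none)")
    if "n" in jwk and "p" in jwk and "q" in jwk:
        n, p, q = (b64url_to_uint(jwk[k]) for k in ("n", "p", "q"))
        if p * q != n:
            problems.append("p * q != n")
    return problems


def recover_q(jwk: dict):
    """If only q is missing it is simply n / p; return it, or None if not applicable.
    Demonstrates that dropping q gives no secrecy: n and p already determine it."""
    if "q" in jwk or "n" not in jwk or "p" not in jwk:
        return None
    n, p = b64url_to_uint(jwk["n"]), b64url_to_uint(jwk["p"])
    q, rem = divmod(n, p)
    return q if rem == 0 else None


if __name__ == "__main__":
    # Constructed primes (2^61-1 and 2^89-1), far too small for real use.
    full = make_rsa_jwk(2**61 - 1, 2**89 - 1)
    broken = dict(full)
    del broken["q"]  # reproduce the shape of the key in the report
    print("full key   :", check_rsa_jwk(full))
    print("missing q  :", check_rsa_jwk(broken))
    print("recovered q:", recover_q(broken) == 2**89 - 1)
```

      Running the script reports no problems for the complete key, flags the key with `q` removed as violating the all-or-nothing rule, and shows `q` being recovered from `n` and `p`; the same checker can be pointed at the JwkSetHandler output above by loading its JSON into a dict.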
      People

        violette Violette Roche Montane
        jcdevil Jean-Charles Deville