Helidon does not recognise valid EC key type though valid values are present in jwk uri #2277

Closed
PasiPraveen opened this issue Aug 20, 2020 · 3 comments · Fixed by #2281 or #2280
Labels: bug, P2, security

Comments

@PasiPraveen

Environment Details

Helidon Version: 1.4.4
Helidon MP
JDK version: 1.8
OS: Windows 10

Problem Description

Though jwk_uri returns supported algorithms (ES384, ES256) and curves (P-384, P-256) in the keys array along with ES521 & P-521 in the response, Helidon still throws the exception 'Exception in thread “main” io.helidon.security.jwt.JwtException: Curve “P-521” not supported for EC key type. Only one of: [P-512, P-256, P-384] is supported' while starting the application.

jwk_uri response

{"keys":[{"kty":"RSA","kid":"DkKMPE7hFVEn77WWhVuzaoFp4O8=","use":"enc","alg":"RSA-OAEP","n":"i7t6m4d_02dZ8dOe-DFcuUYiOWueHlNkFwdUfOs06eUETOV6Y9WCXu3D71dbF0Fhou69ez5c3HAZrSVS2qC1Htw9NkVlLDeED7qwQQMmSr7RFYNQ6BYekAtn_ScFHpq8Tx4BzhcDb6P0-PHCo-bkQedxwhbMD412KSM2UAVQaZ-TW-ngdaaVEs1Cgl4b8xxZ9ZuApXZfpddNdgvjBeeYQbZnaqU3b0P5YE0s0YvIQqYmTjxh4RyLfkt6s_BS1obWUOC-0ChRWlpWE7QTEVEWJP5yt8hgZ5MecTmBi3yZ_0ts3NsL83413NdbWYh-ChtP696mZbJozflF8jR9pewTbQ","e":"AQAB"},{"kty":"RSA","kid":"4iCKFB0RXIxytor1r3ToBdRievs=","use":"sig","alg":"RS256","n":"i7t6m4d_02dZ8dOe-DFcuUYiOWueHlNkFwdUfOs06eUETOV6Y9WCXu3D71dbF0Fhou69ez5c3HAZrSVS2qC1Htw9NkVlLDeED7qwQQMmSr7RFYNQ6BYekAtn_ScFHpq8Tx4BzhcDb6P0-PHCo-bkQedxwhbMD412KSM2UAVQaZ-TW-ngdaaVEs1Cgl4b8xxZ9ZuApXZfpddNdgvjBeeYQbZnaqU3b0P5YE0s0YvIQqYmTjxh4RyLfkt6s_BS1obWUOC-0ChRWlpWE7QTEVEWJP5yt8hgZ5MecTmBi3yZ_0ts3NsL83413NdbWYh-ChtP696mZbJozflF8jR9pewTbQ","e":"AQAB"},{"kty":"RSA","kid":"DkKMPE7hFVEn77WWhVuzaoFp4O8=","use":"enc","alg":"RSA-OAEP-256","n":"i7t6m4d_02dZ8dOe-DFcuUYiOWueHlNkFwdUfOs06eUETOV6Y9WCXu3D71dbF0Fhou69ez5c3HAZrSVS2qC1Htw9NkVlLDeED7qwQQMmSr7RFYNQ6BYekAtn_ScFHpq8Tx4BzhcDb6P0-PHCo-bkQedxwhbMD412KSM2UAVQaZ-TW-ngdaaVEs1Cgl4b8xxZ9ZuApXZfpddNdgvjBeeYQbZnaqU3b0P5YE0s0YvIQqYmTjxh4RyLfkt6s_BS1obWUOC-0ChRWlpWE7QTEVEWJP5yt8hgZ5MecTmBi3yZ_0ts3NsL83413NdbWYh-ChtP696mZbJozflF8jR9pewTbQ","e":"AQAB"},{"kty":"RSA","kid":"DkKMPE7hFVEn77WWhVuzaoFp4O8=","use":"enc","alg":"RSA1_5","n":"i7t6m4d_02dZ8dOe-DFcuUYiOWueHlNkFwdUfOs06eUETOV6Y9WCXu3D71dbF0Fhou69ez5c3HAZrSVS2qC1Htw9NkVlLDeED7qwQQMmSr7RFYNQ6BYekAtn_ScFHpq8Tx4BzhcDb6P0-PHCo-bkQedxwhbMD412KSM2UAVQaZ-TW-ngdaaVEs1Cgl4b8xxZ9ZuApXZfpddNdgvjBeeYQbZnaqU3b0P5YE0s0YvIQqYmTjxh4RyLfkt6s_BS1obWUOC-0ChRWlpWE7QTEVEWJP5yt8hgZ5MecTmBi3yZ_0ts3NsL83413NdbWYh-ChtP696mZbJozflF8jR9pewTbQ","e":"AQAB"},{"kty":"EC","kid":"pZSfpEq8tQPeiIe3fnnaWnnr/Zc=","use":"sig","alg":"ES512","x":"AHdVKbNDHym-MiUh6caaod_ktp8PXN6g1zIKLzlaCSOZP82KKaQsfwltAKnMrw129nVx-2kt8x1J1pp1ADe9HtXt","y":"AUqhRKcYvA6lElI3UrfqvpuhVsyEFBQ4cM_E9v4WGnRc_priiTVa_UC7Y
fCtQJT9F8Oc21v_i57Sp3Mq_vw5ueRd","crv":"P-521"},{"kty":"EC","kid":"I4x/IijvdDsUZMghwNq2gC/7pYQ=","use":"sig","alg":"ES384","x":"k5wSvW_6JhOuCj-9PdDWdEA4oH90RSmC2GTliiUHAhXj6rmTdE2S-_zGmMFxufuV","y":"XfbR-tRoVcZMCoUrkKtuZUIyfCgAy8b0FWnPZqevwpdoTzGQBOXSNi6uItN_o4tH","crv":"P-384"},{"kty":"EC","kid":"Fol7IpdKeLZmzKtCEgi1LDhSIzM=","use":"sig","alg":"ES256","x":"N7MtObVf92FJTwYvY2ZvTVT3rgZp7a7XDtzT_9Rw7IA","y":"uxNmyoocPopYh4k1FCc41yuJZVohxlhMo3KTIJVTP3c","crv":"P-256"}]}

When the jwk_uri response is altered to contain only algorithms (ES384, ES256) in the keys array, then there is no exception observed.

Helidon is probably picking the first index and is throwing an exception though valid keys are present.

Full stack Trace

Exception in thread "main" io.helidon.security.jwt.JwtException: Curve "P-521" not supported for EC key type. Only one of: [P-512, P-256, P-384] is supported
at io.helidon.security.jwt.jwk.JwkEC$Builder.fromJson(JwkEC.java:286)
at io.helidon.security.jwt.jwk.JwkEC.create(JwkEC.java:202)
at io.helidon.security.jwt.jwk.Jwk.create(Jwk.java:198)
at io.helidon.security.jwt.jwk.JwkKeys$Builder.lambda$addKeys$0(JwkKeys.java:154)
at java.lang.Iterable.forEach(Iterable.java:75)
at io.helidon.security.jwt.jwk.JwkKeys$Builder.addKeys(JwkKeys.java:152)
at io.helidon.security.jwt.jwk.JwkKeys$Builder.resource(JwkKeys.java:142)
at io.helidon.security.providers.oidc.common.OidcConfig$Builder.build(OidcConfig.java:787)
at io.helidon.security.providers.oidc.common.OidcConfig.create(OidcConfig.java:417)
at io.helidon.security.providers.oidc.OidcProvider$Builder.config(OidcProvider.java:612)
at io.helidon.security.providers.oidc.OidcProvider.create(OidcProvider.java:172)
at io.helidon.security.providers.oidc.OidcProviderService.providerInstance(OidcProviderService.java:45)
at io.helidon.security.Security$Builder.lambda$fromConfig$2(Security.java:884)
at java.util.ArrayList.forEach(ArrayList.java:1257)
at io.helidon.security.Security$Builder.fromConfig(Security.java:844)
at io.helidon.security.Security$Builder.config(Security.java:799)
at io.helidon.security.Security.create(Security.java:187)
at io.helidon.microprofile.security.SecurityMpService.configure(SecurityMpService.java:49)
at io.helidon.microprofile.server.ServerImpl.lambda$loadExtensions$10(ServerImpl.java:376)
at java.lang.Iterable.forEach(Iterable.java:75)
at io.helidon.microprofile.server.ServerImpl.loadExtensions(ServerImpl.java:375)
at io.helidon.microprofile.server.ServerImpl.<init>(ServerImpl.java:148)
at io.helidon.microprofile.server.Server$Builder.doBuild(Server.java:273)
at io.helidon.common.context.Contexts.runInContext(Contexts.java:118)
at io.helidon.microprofile.server.Server$Builder.build(Server.java:211)
at io.helidon.microprofile.server.Server.create(Server.java:95)
at io.helidon.examples.quickstart.mp.Main.startServer(Main.java:59)
at io.helidon.examples.quickstart.mp.Main.main(Main.java:46)
Weld SE container 9cee8502-5b6f-4e1d-9c62-0ed84ba5e51b shut down by shutdown hook

Steps to reproduce

1) Create a Helidon MP project using 1.4.4
2) Have jwk_uri return multiple keys or use the above JSON data

jsw_keys

@tomas-langer
Member

I have reproduced the problem.

@tomas-langer tomas-langer added the bug Something isn't working label Aug 20, 2020
@tomas-langer
Member

Problem comes from confusing the algorithm and curve numbers. Alg is ES512, but curve is P-521. Unfortunately, in the code the curve is P-512.
I will do two things here:

  • fix the curve to P-521
  • accept partially understood jwk

@tomas-langer tomas-langer linked a pull request Aug 20, 2020 that will close this issue
@tomas-langer
Member

Fix ready for both 1.x and 2.x, waiting for review.
The JWK you have provided is actually valid and supported by Helidon (and after the fix it will be fully parsed).
Nevertheless, if there is an algorithm that is not supported by Helidon, we will still accept the JWK and process it, warning about unsupported keys.

@m0mus m0mus added this to Backlog Aug 12, 2024
@m0mus m0mus moved this to Closed in Backlog Aug 12, 2024
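
The two changes described in the maintainer's comments above (pairing ES512 with curve P-521, and keeping the usable keys of a set while warning about the rest) are illustrated here as an added example using only JDK classes; it is not Helidon's code nor the code of the linked pull requests. The class and method names, the pre-parsed `Map` form of each JWK, the sample key set and the use of Java 9+ (`Map.of`, `List.of`) are assumptions.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.security.spec.*;
import java.util.*;

public class TolerantEcJwkLoader {
    // JWK "crv" -> { JCA curve name, matching JWS "alg" }.
    // ES512 pairs with P-521: the 512 is the SHA-512 digest size, not a curve size.
    static final Map<String, String[]> CURVES = Map.of(
            "P-256", new String[] {"secp256r1", "ES256"},
            "P-384", new String[] {"secp384r1", "ES384"},
            "P-521", new String[] {"secp521r1", "ES512"});

    // Strict per-key parsing: an unknown curve or an alg/crv mismatch is an error for this key only.
    static PublicKey toPublicKey(Map<String, String> jwk) throws GeneralSecurityException {
        String[] c = CURVES.get(jwk.getOrDefault("crv", ""));
        if (!"EC".equals(jwk.get("kty")) || c == null || !c[1].equals(jwk.getOrDefault("alg", c[1])))
            throw new InvalidKeyException("unsupported EC key: crv=" + jwk.get("crv") + " alg=" + jwk.get("alg"));
        AlgorithmParameters params = AlgorithmParameters.getInstance("EC");
        params.init(new ECGenParameterSpec(c[0]));
        Base64.Decoder b64 = Base64.getUrlDecoder();
        ECPoint w = new ECPoint(new BigInteger(1, b64.decode(jwk.get("x"))),
                                new BigInteger(1, b64.decode(jwk.get("y"))));
        return KeyFactory.getInstance("EC").generatePublic(
                new ECPublicKeySpec(w, params.getParameterSpec(ECParameterSpec.class)));
    }

    // Tolerant set loading: keep every key that parses, warn about and skip the others.
    static Map<String, PublicKey> load(List<Map<String, String>> keys) {
        Map<String, PublicKey> usable = new LinkedHashMap<>();
        for (Map<String, String> jwk : keys) {
            try {
                usable.put(jwk.get("kid"), toPublicKey(jwk));
            } catch (GeneralSecurityException | RuntimeException e) {
                System.err.println("WARN skipping JWK kid=" + jwk.get("kid") + ": " + e.getMessage());
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp521r1"));
        ECPoint w = ((ECPublicKey) gen.generateKeyPair().getPublic()).getW();
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String x = enc.encodeToString(w.getAffineX().toByteArray());
        String y = enc.encodeToString(w.getAffineY().toByteArray());
        // Constructed key set: a fresh P-521 key, then the same point under an unknown curve name.
        System.out.println(load(List.of(
                Map.of("kty", "EC", "kid", "good", "alg", "ES512", "crv", "P-521", "x", x, "y", y),
                Map.of("kty", "EC", "kid", "odd", "alg", "ES512", "crv", "P-512", "x", x, "y", y))).keySet());
    }
}
```

A verifier built on such a loader should still reject any token whose `kid` maps to a skipped key, so tolerance at load time does not widen what is accepted at verification time.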