Decoding JWT with ES256 and secp256k1 curve

[ivanovaleksey]

Hello, thank you for the great library!

I have very poor knowledge in cryptography and after receiving an error while decoding a JWT I decided to take advice with someone.

I use JWT with ES256 algorithm. I generated key pair with commands

openssl ecparam -genkey -name secp256k1 -noout -out es/private_key.pem
openssl pkey -in es/private_key.pem -pubout -out es/public_key.pem

As you can see I use secp256k1 curve.

Yesterday I tried to decode a JWT signed with es/private_key.pem.
I tried the following code:

pem_str = '' # read content of es/public_key.pem
key = OpenSSL::PKey::EC.new(pem_str)
payload, _header = JWT.decode(token, key, true, { algorithm: 'ES256' })

And I got an error

JWT::IncorrectAlgorithm (payload algorithm is ES256 but  verification key was provided)

I looked though the code and found that to work with ES256 prime256v1 curve should be used.
So, right now and can't decode JWTs with the library.

My question is:
Is it really wrong to use secp256k1 (in that case I should specify prime256v1 while generating key pair) or we can update the library by adding 'prime256v1' => 'ES256' to NAMED_CURVES)?

[excpt]

Hi @ivanovaleksey,

thanks for the detailed report.

The JWA specs allow the following algos for the signature: (source)

   +--------------+-------------------------------+--------------------+
   | "alg" Param  | Digital Signature or MAC      | Implementation     |
   | Value        | Algorithm                     | Requirements       |
   +--------------+-------------------------------+--------------------+
   | HS256        | HMAC using SHA-256            | Required           |
   | HS384        | HMAC using SHA-384            | Optional           |
   | HS512        | HMAC using SHA-512            | Optional           |
   | RS256        | RSASSA-PKCS1-v1_5 using       | Recommended        |
   |              | SHA-256                       |                    |
   | RS384        | RSASSA-PKCS1-v1_5 using       | Optional           |
   |              | SHA-384                       |                    |
   | RS512        | RSASSA-PKCS1-v1_5 using       | Optional           |
   |              | SHA-512                       |                    |
   | ES256        | ECDSA using P-256 and SHA-256 | Recommended+       |
   | ES384        | ECDSA using P-384 and SHA-384 | Optional           |
   | ES512        | ECDSA using P-521 and SHA-512 | Optional           |
   | PS256        | RSASSA-PSS using SHA-256 and  | Optional           |
   |              | MGF1 with SHA-256             |                    |
   | PS384        | RSASSA-PSS using SHA-384 and  | Optional           |
   |              | MGF1 with SHA-384             |                    |
   | PS512        | RSASSA-PSS using SHA-512 and  | Optional           |
   |              | MGF1 with SHA-512             |                    |
   | none         | No digital signature or MAC   | Optional           |
   |              | performed                     |                    |
   +--------------+-------------------------------+--------------------+

IMHO, we shouldn't add/support algos that aren't listed.

[ivanovaleksey]

Hi @excpt, thank you for the reply and for the information.
I am not an expert on this so I will take any option from you :)
Feel free to close the issue if there is nothing here to change.