I notice that when generating a token using RS256 and a private key, I can verify that token with either the corresponding public key or the private key.
If I try to generate a token using RS256 and a public key, I get this error (which makes sense):
OpenSSL::PKey::ECError: Private EC key needed!
I want to be certain that either no one can possibly generate a token with RS256 and my public key, or that if they did it would fail verification. Is there a way someone could generate a token using RS256 with my public key? If they can, is there a way I can test that my code + JWT would refuse to verify it?
Thanks, and thank you for this very useful gem.
There shouldn't be any way to recreate a private key from an existing public key. The key pair creation process is not part of the JWT specification.
By design of the private/public key generation process, it is only possible to create public keys from a private key. It is by design never possible to create a private key from a public key.
The only thing you have to keep an eye on is the way you store the private key part. It should be kept secret from every third party and should only be known to the token-issuing instance.
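Added example, not code from the ruby-jwt gem or from this thread: a minimal RS256 JWS signer and verifier built on OpenSSL alone, used to run the checks the question asks for. It shows that the public key by itself cannot sign, and that a token signed with any other private key, or a genuine token with its payload swapped, fails verification under the issuer's public key. Key pairs are generated at runtime and all function names are assumptions of this example.

```ruby
require 'openssl'
require 'json'

# Base64url (RFC 7515 section 2), done by hand so only openssl/json are needed.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end
def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
end
# RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload"; only a key that
# holds the private exponent can produce the signature.
def rs256_encode(payload, key)
  raise ArgumentError, 'private RSA key needed' unless key.private?
  header = b64url_encode(JSON.generate(alg: 'RS256', typ: 'JWT'))
  signing_input = "#{header}.#{b64url_encode(JSON.generate(payload))}"
  "#{signing_input}.#{b64url_encode(key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end
# Returns the payload when the signature verifies under public_key, else nil.
def rs256_decode(token, public_key)
  header, body, sig = token.split('.')
  return nil unless header && body && sig
  return nil unless JSON.parse(b64url_decode(header))['alg'] == 'RS256' # pin the alg
  ok = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig), "#{header}.#{body}")
  ok ? JSON.parse(b64url_decode(body)) : nil
rescue OpenSSL::PKey::PKeyError, JSON::ParserError, ArgumentError
  nil
end
# Constructed keys for the demo: the issuer's pair plus an unrelated pair.
ISSUER_KEY = OpenSSL::PKey::RSA.new(2048)
ISSUER_PUB = ISSUER_KEY.public_key
OTHER_KEY  = OpenSSL::PKey::RSA.new(2048)
# Signing with only the public half is refused, the same refusal the gem reports above.
def public_key_can_sign?
  rs256_encode({}, ISSUER_PUB)
  true
rescue ArgumentError
  false
end
def demo
  genuine = rs256_encode({ 'sub' => 'alice' }, ISSUER_KEY)
  header, _body, sig = genuine.split('.')
  tampered = "#{header}.#{b64url_encode(JSON.generate('sub' => 'admin'))}.#{sig}"
  { genuine: rs256_decode(genuine, ISSUER_PUB),                                        # payload
    other_key: rs256_decode(rs256_encode({ 'sub' => 'alice' }, OTHER_KEY), ISSUER_PUB), # nil
    tampered: rs256_decode(tampered, ISSUER_PUB) }                                    # nil
end
```

The same three cases are what a regression test around `JWT.decode` with the issuer's public key should cover: a genuine token decodes, a token from a foreign key and a re-bodied token are both rejected.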