Support loading OpenSSH one-line format public keys
What would you like to see added?
jwt::algorithm::rs256 should support loading OpenSSH one-line format public keys.
Additional Context
```cpp
std::string rsa_pub_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCPgCi68jXsRX/4bgVFBfv4vyuK0vno13FKqKmBF12YgYUQalv6Km2N6yh2llgiDRKEo/DLUvKDSSonzIZeQ396lAwqM1hEdQ9py8bUUMeX5RjUSO24TRaJhuw62sRwSxDdwBjo6F0fmugLG4tmK9ulbSpHSRQcwKGt701DmMGhyQ==";
std::cout << "PUB KEY:\n" << rsa_pub_key << std::endl;
try {
    auto verify = jwt::verify().allow_algorithm(jwt::algorithm::rs256(rsa_pub_key, "", "", ""));
    auto decoded = jwt::decode(token);
    verify.verify(decoded);
    for (auto& e : decoded.get_header_json())
        std::cout << e.first << " = " << e.second << std::endl;
    for (auto& e : decoded.get_payload_json())
        std::cout << e.first << " = " << e.second << std::endl;
} catch (const std::exception& ex) {
    std::cout << "verify failed." << ex.what() << std::endl;
    return 1;
}
```
This throws an exception: "failed to load key: bio read failed".
OpenSSL can't directly parse OpenSSH public keys because OpenSSH uses its own unique format. The format on the other hand seems to be fairly simple to parse and I think we should already have everything needed to do so, so the general idea would be as follows:
- Do a starts_with to check if it is an OpenSSH key
- Split at the spaces and throw away everything except the middle part
- Base64 decode it
- The contained data consists of a variable number of length-prefixed blobs
- Parse the 2nd and 3rd parts as OpenSSL bignums (they represent e and n)
- Use RSA_set0_key to build a key from it
Some issues I see with this:
- We need to find good documentation about the key format. I googled a bit but mostly came up with "reverse engineered" samples.
- What about non-RSA OpenSSH keys? OpenSSH can also do e.g. ECDSA.
- Should we even support this? It seems like a very niche use case with fairly high maintenance attached to it.
Generally I like the idea.
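The parsing steps listed above, as an added example (not jwt-cpp code and not written by anyone in this thread): it follows the ssh-rsa public key layout from RFC 4253 section 6.6 (type string, then e, then n, each with a 4-byte big-endian length) and stops before the RSA_set0_key step. All type and function names are hypothetical.

```cpp
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Added example; Bytes, SshRsaKey, b64_decode, read_field, parse_ssh_rsa are hypothetical names.
using Bytes = std::vector<uint8_t>;
struct SshRsaKey { Bytes e, n; };  // big-endian integers exactly as stored in the blob
// Strict base64 decoder: stops at padding, rejects characters outside the alphabet.
static Bytes b64_decode(const std::string& in) {
    static const std::string tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    Bytes out; uint32_t acc = 0; int bits = 0;
    for (char c : in) {
        if (c == '=') break;
        const auto pos = tbl.find(c);
        if (pos == std::string::npos) throw std::invalid_argument("invalid base64 character");
        acc = (acc << 6) | static_cast<uint32_t>(pos); bits += 6;
        if (bits >= 8) { bits -= 8; out.push_back(static_cast<uint8_t>(acc >> bits)); }
    }
    return out;
}
// Read one length-prefixed field; the length is checked against the bytes that remain.
static Bytes read_field(const Bytes& buf, size_t& off) {
    if (buf.size() - off < 4) throw std::invalid_argument("truncated length prefix");
    const uint32_t len = (uint32_t(buf[off]) << 24) | (uint32_t(buf[off + 1]) << 16) |
                         (uint32_t(buf[off + 2]) << 8) | uint32_t(buf[off + 3]);
    off += 4;
    if (len > buf.size() - off) throw std::invalid_argument("field overruns blob");
    Bytes field(buf.begin() + off, buf.begin() + off + len);
    off += len;
    return field;
}
// Parse "ssh-rsa <base64> [comment]" into e and n; throws on anything malformed.
SshRsaKey parse_ssh_rsa(const std::string& line) {
    const std::string prefix = "ssh-rsa ";
    if (line.compare(0, prefix.size(), prefix) != 0) throw std::invalid_argument("not an ssh-rsa key");
    const size_t end = line.find(' ', prefix.size());  // a comment may follow the base64 part
    const Bytes blob = b64_decode(line.substr(prefix.size(), end == std::string::npos ? end : end - prefix.size()));
    size_t off = 0;
    const Bytes type = read_field(blob, off);
    if (std::string(type.begin(), type.end()) != "ssh-rsa") throw std::invalid_argument("inner type mismatch");
    SshRsaKey key{read_field(blob, off), read_field(blob, off)};  // fields 2 and 3: e, then n
    if (off != blob.size() || key.e.empty() || key.n.empty() || (key.n[0] & 0x80)) throw std::invalid_argument("malformed key blob");
    return key;
}
int main() {
    // Constructed toy key (e = 3, n = 0x00C5), encoded by hand for this example; not a usable key.
    const SshRsaKey k = parse_ssh_rsa("ssh-rsa AAAAB3NzaC1yc2EAAAABAwAAAAIAxQ== demo");
    std::cout << "e: " << k.e.size() << " byte(s), n: " << k.n.size() << " byte(s)\n";
}
```

The returned byte strings are what BN_bin2bn would take before the key is assembled; the length and trailing-data checks matter because the blob is untrusted input.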
Thank you for your answer.
Not sooo fast 😄 I said I like the idea.
@prince-chrismc What do you think about this, should we include this? It seems definitely implementable to me.
It's a good idea, I am not sure how other servers or clients would work though 🤔 if we can transform the format into an RSA modulus and exponent then it's a good value-add feature... but probably erroneous, I suspect people are just using a key they already had instead of creating proper keys.
There's a reason ssh keys are not supported by tls and I think the jwt separation also makes sense.