
Generic JWC framework error JWT verifier failed to verify the JWT String signiture #352

Closed
rogys88 opened this issue Oct 30, 2020 · 8 comments


@rogys88

rogys88 commented Oct 30, 2020

Hi everyone, thank you for this amazing solution.

We are from Cape Verde. We are developing a COVID-19 tracing app based on this implementation, and so far we were able to set up the backend and the Android app (with Google approval on Google Play), but using the same backend we are unable to get the iOS app working; on every request we get this error: "Generic JWC framework error JWT verifier failed to verify the JWT String signiture"
We have the same public key as the Android app, but it is only failing in the iOS app.
Can you please point us in the right direction on how to better debug and fix this issue?

```swift
public func verify<ClaimType: DP3TClaims>(claimType: ClaimType.Type, httpResponse: HTTPURLResponse, httpBody: Data, claimsLeeway _: TimeInterval = 10) throws -> ClaimType {
    guard let jwtString = httpResponse.value(forHTTPHeaderField: jwtTokenHeaderKey) else {
        throw DP3TNetworkingError.jwtSignatureError(code: 1, debugDescription: "No JWT Token found in the provided response header field \(jwtTokenHeaderKey)")
    }
    do {
        // Parsing the JWT also verifies its ES256 signature with jwtVerifier
        let jwt = try JWT<ClaimType>(jwtString: jwtString, verifier: jwtVerifier)
        let validationResult = jwt.validateClaims(leeway: 10)
        guard validationResult == .success else {
            throw DP3TNetworkingError.jwtSignatureError(code: 2, debugDescription: "JWT signature don't match")
        }

        // Verify the hash
        let claimContentHash = Data(base64Encoded: jwt.claims.contentHash)
        let computedContentHash = Crypto.sha256(httpBody)
        guard claimContentHash == computedContentHash else {
            throw DP3TNetworkingError.jwtSignatureError(code: 4, debugDescription: "Content Hash missmatch")
        }

        return jwt.claims

    } catch let error as JWTError {
        throw DP3TNetworkingError.jwtSignatureError(code: 5, debugDescription: "Generic JWC framework error \(error.localizedDescription)")
    }
}
```
@ubamrein

Hey there :)

So the error sounds as if something is wrong with the header field (e.g. not a valid JWT). Could you post the value of jwtString before it enters the block?

In general, debugging JWT related stuff is usually easiest by just checking the string representation and pasting it into e.g. jwt.io. Otherwise, something like:

```swift
import Foundation

var splits = jwtString.split(separator: ".").map(String.init)
// the last element is the signature and hence binary
splits.removeLast()
for split in splits {
    // a JWT consists of base64url-encoded JSON objects: map to standard base64 and pad
    var b64 = split.replacingOccurrences(of: "-", with: "+").replacingOccurrences(of: "_", with: "/")
    while b64.count % 4 != 0 { b64 += "=" }
    if let data = Data(base64Encoded: b64), let json = String(data: data, encoding: .utf8) {
        print(json)
    }
}
```

to see if the values look ok.

@rogys88
Author

rogys88 commented Oct 30, 2020

Hi Patrick :)

Thank you for your feedback and support... sorry for the late response.

Here is the value of jwtString:

"eyJhbGciOiJFUzI1NiJ9.eyJjb250ZW50LWhhc2giOiJjRER2ZlhEODNzVDJTSi9ZLytRcjFMZldLamhhcW5ubXQxeFlaemR0SG40PSIsImhhc2gtYWxnIjoic2hhLTI1NiIsImlzcyI6ImRwM3QiLCJpYXQiOjE2MDQwODk4MDEsImV4cCI6MTYwNTI5OTQwMX0.hID7JJYGawUr4UxDq4GijNa8roe5PZfs2XzJgqsu-LFZij2h3eoT-EcOGm6q7THuhHbkyHgs0igT3BU09BYdSw"

Maybe the configJwtPublicKey is not generated correctly? Can you point us to where we can get or generate the configJwtPublicKey? We also see that the configuration is different on Android.

@ubamrein

ubamrein commented Nov 2, 2020

Hi :)

Notes

Sorry, it seems I was wrong with my suspicion of an invalid JWT (I opened an issue to improve the error messages, as they seem wrong: DP-3T/dp3t-sdk-ios#235).

Now to your problem:

The function probably fails to init the JWT because the signature is wrong. So you need to make sure you use the public key corresponding to the private key used to sign the JWT.

Did you check that the format of the public key is correct (I think it should be in PEM format: https://github.com/Kitura/Swift-JWT/blob/77c141b15f773c2a9333b0cef30632d1566079f7/Sources/SwiftJWT/JWTVerifier.swift#L130)? Could you post the public key here?

Further Infos

You need an EC key pair for the backend to work (producing valid JWTs), and on both Android and iOS you need to specify the public key to use in the init function [1] to validate the signature.

The documentation on how to generate the keys for the backend should be in the backend-sdk repo. The output of the keys should be in the correct PEM format. You can enable putting the public key in the headers of the backend responses to check whether you are indeed using the correct public key.

[1] https://github.com/DP-3T/dp3t-sdk-ios/blob/f0f493971fe9d3df43fe897d7424aca35cfe21ca/Sources/DP3TSDK/utils/JWTVerification.swift#L41

```swift
public init(publicKey: Data, jwtTokenHeaderKey: String) {
    jwtVerifier = JWTVerifier.es256(publicKey: publicKey)
    self.jwtTokenHeaderKey = jwtTokenHeaderKey
}
```

@rogys88
Author

rogys88 commented Nov 4, 2020

Hi Patrick :)
Thanks again for your useful feedback and support... I will check these recommendations you just sent me with my team.

jwtPublicKey

LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0NCk1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRWZOc1BOcVRUeXJIN2Zhbjh6eW5hWW9yL0Y2ZTYNCjFFbWhwSGlHUDQzWkVqUE5BYzVabU40TkFNMnBIZFdWRWt5d0pTM0hrT3J4a2pqYW9sU1VYMlNYMWc9PQ0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tDQo=

configJwtPublicKey


@ubamrein

ubamrein commented Nov 6, 2020

I see, so your public key is packed in a certificate (x509). Could you try:

LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZZd0VBWUhLb1pJemowQ0FRWUZLNEVFQUFvRFFnQUUyckJZZEJpbnBPV09DYnNJSXVSL0FKUDZuNDVDUXNNKwp6MTZDRkhtNElyTXUwMVVDNnlKZ1QxTzRvTk4rNU5IYUZNWlBsM1FTbCtONy82M1JtRkNuOVE9PQotLS0tLUVORCBQVUJMSUMgS0VZLS0tLS0K

This is essentially the public key extracted from the certificate like this:

```shell
openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
```

where cert.pem is the base64-decoded input (e.g. printf <configJwtPublicKey> | base64 -d on a Mac). pubkey.pem then needs to be base64-encoded again (e.g. base64 < pubkey.pem).
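An added diagnostic in Python (not part of this thread or of the DP-3T SDK) that covers the parts of the SDK's verify() that can be reproduced without an EC library: it decodes the JWT segments the way Patrick suggested above, classifies the base64-wrapped PEM blob from the app config as a certificate or a public key and reports its named curve (ES256 only works with a P-256 key), and recomputes the content-hash claim over the response body. The JWT and the jwtPublicKey blob are the values posted earlier in the thread; the response body in the check is constructed, and the ES256 signature verification itself is left to the SDK.

```python
import base64
import hashlib
import hmac
import json
import re

# DER-encoded named-curve OIDs seen in an EC SubjectPublicKeyInfo; ES256 (RFC 7518) needs P-256.
NAMED_CURVES = {
    bytes.fromhex("06082a8648ce3d030107"): "P-256",  # 1.2.840.10045.3.1.7 (prime256v1)
    bytes.fromhex("06052b8104000a"): "secp256k1",    # 1.3.132.0.10
}

# Values posted in the thread: the JWT from the response header and the jwtPublicKey blob.
JWT_FROM_THREAD = "eyJhbGciOiJFUzI1NiJ9.eyJjb250ZW50LWhhc2giOiJjRER2ZlhEODNzVDJTSi9ZLytRcjFMZldLamhhcW5ubXQxeFlaemR0SG40PSIsImhhc2gtYWxnIjoic2hhLTI1NiIsImlzcyI6ImRwM3QiLCJpYXQiOjE2MDQwODk4MDEsImV4cCI6MTYwNTI5OTQwMX0.hID7JJYGawUr4UxDq4GijNa8roe5PZfs2XzJgqsu-LFZij2h3eoT-EcOGm6q7THuhHbkyHgs0igT3BU09BYdSw"
KEY_FROM_THREAD = "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0NCk1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRWZOc1BOcVRUeXJIN2Zhbjh6eW5hWW9yL0Y2ZTYNCjFFbWhwSGlHUDQzWkVqUE5BYzVabU40TkFNMnBIZFdWRWt5d0pTM0hrT3J4a2pqYW9sU1VYMlNYMWc9PQ0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tDQo="

def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment (base64url alphabet, padding stripped)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(jwt_string: str):
    """Split a compact JWS into (header dict, claims dict, raw signature bytes)."""
    parts = jwt_string.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWS has exactly three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])

def describe_key_blob(config_value: str) -> dict:
    """Report the PEM label of a base64-wrapped PEM blob (the thread's bug: a CERTIFICATE
    where a PUBLIC KEY was expected) and, for an EC key, which named curve it is on."""
    pem = base64.b64decode(config_value).decode("ascii")
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        return {"pem_type": None, "curve": None}
    der = base64.b64decode("".join(m.group(2).split()))
    curve = next((name for oid, name in NAMED_CURVES.items() if oid in der), "unknown")
    return {"pem_type": m.group(1), "curve": curve}

def expected_content_hash(body: bytes) -> str:
    """What the backend puts in the content-hash claim: base64(SHA-256(body))."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")

def content_hash_matches(claims: dict, body: bytes) -> bool:
    """The SDK's second check: the signed content-hash must match the body actually received."""
    if claims.get("hash-alg") != "sha-256":
        return False
    return hmac.compare_digest(claims.get("content-hash", ""), expected_content_hash(body))
```

A raw ES256 signature is r||s, so the third segment of a valid token always decodes to exactly 64 bytes; a key blob reported as "CERTIFICATE" or on a curve other than P-256 cannot verify these tokens no matter how the rest is configured.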

@UBaggeler
Contributor

@rogys88 Do you still have issues with the setup? If not, please consider closing this issue.

@rogys88
Author

rogys88 commented Dec 6, 2020

Hi Fabian... sorry for taking so long to reply. We have not finished the setup yet because we are fixing some other internal issues related to the project, so we haven't tried the last solutions Patrick gave us yet. We will try to fix this this week and I will give you feedback.

@UBaggeler
Contributor

Hi @rogys88. Were you able to resolve the issue?

@rogys88 rogys88 closed this as completed Apr 20, 2021