Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Why RSA private keys are not supported? #340

Open
zablik opened this issue Jun 3, 2021 · 2 comments
Open

Why RSA private keys are not supported? #340

zablik opened this issue Jun 3, 2021 · 2 comments
Labels
type: question

Comments

@zablik
Copy link

zablik commented Jun 3, 2021

It's not an issue, but I need some help with my case.

I guess there should be a reason for this, but why RSA private keys are not supported?
What can you recommend to use if I need to decode JWT using RSA private key, with this "d" key?

Thanks!
@bshaffer
Copy link
Collaborator

I believe you're referring to this line where an exception is thrown for private keys. The JWKs should be public keys, so the error is to provide guidance in case you accidentally supply a private key. If you have a use-case where the JWK contains both a private and public key, you should be able to simply unset "d" before parsing the key.

I'm open to removing the check if there's a good use case for doing so.

@ots-georgewilkins
Copy link

ots-georgewilkins commented Sep 9, 2022
edited
Loading

@bshaffer: I'm open to removing the check if there's a good use case for doing so.

I may be misunderstanding the intended workflow, but the RSA private key I'm testing with happens to be in the private+public JWK format, because this is the output of a tool recommended in a prior issue relating to parsing private keys:

@bshaffer: Try this tool: https://mkjwk.org/

@bshaffer: If you mean with this library, use parseKeySet:

// JSON string from jwk url
$jwk = '{"keys":[...]}';
$keys = Firebase\JWT\JWK::parseKeySet($jwk);
$privateKey = $keys['someKeyId'];

As far as I can see this isn't currently supported due to the aforementioned check; but also the parseKey/parseKeySet logic seems to be specific to public keys.

mkjwk.org "Public and Private Keypair":

{
    "p": "...",
    "kty": "RSA",
    "q": "...",
    "d": "...",
    "e": "AQAB",
    "use": "sig",
    "kid": "something",
    "qi": "...",
    "dp": "...",
    "alg": "RS512",
    "dq": "...",
    "n": "..."
}

I'm unclear on why the tool generates a combined private/public key structure. Presumably the public key attributes are required for the private key to parsed?

It sounds like the concerns regarding JWKS not containing private keys are warranted, so rather than removing the check altogether, could it be relocated to parseKeySet instead of parseKey?

This would permit a single private key to be parsed from the format, but a set to only ever contain public keys.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@bshaffer @zablik @ajupazhamayil @ots-georgewilkins