18

I'm wanting to verify the signature of some JWTs from Microsoft. I'm using Spring-Boot, the JJWT library and following endpoint: https://login.microsoftonline.com/common/discovery/v2.0/keys

The endpoint returns an array of JSON public keys. Here is one example from the array. 

 {
            "kty": "RSA",
            "use": "sig",
            "kid": "9FXDpbfMFT2SvQuXh846YTwEIBw",
            "x5t": "9FXDpbfMFT2SvQuXh846YTwEIBw",
            "n": "kvt1VmR4nwkNM8jMU0wmj2gSS8NznbOt2pZI6Z7HQT_esF7W19GZR7Y72Xo1i5zXRDM9o3GeTIjBrnr3yy41Q_EaUQ7C-b-Hmg94Vy7EBZyBhi_mznz0dYWs2MIXwR86Nni9TmgTXvjgTPF2YGJoZt4TwcMFefW8rijCVyNrCBA0XspDouNJavvG0BEMXYigoThFjLRXS5U3h4BDfNZFZZS3dyliNOXfgRn2k7oITz8h_ueiPvmDRFh38AeQgx1cELhKWc3P5ugtttraSwgH7nP2NUguO9nCrHuL6TZ-KWpmRWZqwH-jYKFQVt3CDpzwNM6XJL-oHbl1x-gI3YYX5w",
            "e": "AQAB",
            "x5c": [
                "MIIDBTCCAe2gAwIBAgIQZSAeaqWig4BHC1ksmNNcgjANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTE3MDUwNjAwMDAwMFoXDTE5MDUwNzAwMDAwMFowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJL7dVZkeJ8JDTPIzFNMJo9oEkvDc52zrdqWSOmex0E/3rBe1tfRmUe2O9l6NYuc10QzPaNxnkyIwa5698suNUPxGlEOwvm/h5oPeFcuxAWcgYYv5s589HWFrNjCF8EfOjZ4vU5oE1744EzxdmBiaGbeE8HDBXn1vK4owlcjawgQNF7KQ6LjSWr7xtARDF2IoKE4RYy0V0uVN4eAQ3zWRWWUt3cpYjTl34EZ9pO6CE8/If7noj75g0RYd/AHkIMdXBC4SlnNz+boLbba2ksIB+5z9jVILjvZwqx7i+k2filqZkVmasB/o2ChUFbdwg6c8DTOlyS/qB25dcfoCN2GF+cCAwEAAaMhMB8wHQYDVR0OBBYEFGKpXQNrF5IoxS6bL4F92+gxOJlIMA0GCSqGSIb3DQEBCwUAA4IBAQA3HgW5SoHlvvQVxqqi+mtscDZLhNfe13iG/nx8Er5il82b79RVydNs+f9sYxc4T4ctnrZu7x5e7jInJedNdAlrPorBdw+SfvKJsmiNndXugMew1FlcQTQVIFDCbziaJav8rKyMxPfeKkc1aixbajWZkKg6OPmmJn2ceTocbn8PMQy20xNvcWUwgF5FZZIuPqu6feOLJcUIYw+0JFZ265xka30QXpmytcIxajIzpD4PRdCIBuVSqgXacAs4t4+w+OhnosD72yvXck8M4GwX1j+vcuyw0yhDGNMmqsHWP7H3jnJiGDrKhhdVyplzDhTfv2Whbv/dIDn+meLE3yyC5yGL"
            ],
            "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0"
        }

In JJWT I've implemented the SigningKeyResolver interface and I am required to return an instance of RSAPublicKey to do the verification. The issue I'm having is creating that Key correctly from the JSON.

Do I start with the Modulus and Exponent?

BigInteger modulus = new BigInteger(1, Base64.decodeBase64(jsonKey.getN()));
BigInteger exponent = new BigInteger(1, Base64.decodeBase64(jsonKey.getE()));
publicKey = KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, exponent));

Do I start with the x5c, generate an X509Certificate object and pull the PublicKey from there?

CertificateFactory factory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) factory
          .generateCertificate(new ByteArrayInputStream(
           DatatypeConverter.parseBase64Binary(jsonKey.getX5c())));
publicKey = (RSAPublicKey)cert.getPublicKey();

Both approaches have proved fruitless.

If I generated the RSAPublicKey from the modulus and exponent should I be able to print the Base64Binary encoded key to match the x5c property? Maybe that's not how I should be validating.

I might be misunderstanding how to use this.

As always, any documentation is appreciated as well.

Abdullah Al Noman
  • 2,817
  • 4
  • 20
  • 35
Ryan D
  • 1,023
  • 11
  • 16
  • 3
    I don't know the standard, but obviously the modulus is "n" and the public exponent is "e". x5c looks like an x509 certificate. EDIT: [Here](https://tools.ietf.org/html/rfc7517) appears to be the spec. – President James K. Polk Jun 19 '17 at 21:10
  • 1
    Actually it looks like the second approach DOES work, likely because that is the FULL certificate chain. It's still unclear to me the relationship between e, n and x5c as it is returned from that endpoint. I see other endpoints only include the cert chain. Could not find Microsoft documentation around the public keys. – Ryan D Jun 19 '17 at 21:27

1 Answers1

18

x5c contains the certification chain. The first certificate of the chain must match with the key value represented by the other values in the JWK, in this case n and e, therefore the public key extracted from x5c[0] and the one built with n and e must be exactly the same

JWK values are encoded in base64url, not in base64. Change

BigInteger modulus = new BigInteger(1, Base64.decodeBase64(jsonKey.getN()));
BigInteger exponent = new BigInteger(1, Base64.decodeBase64(jsonKey.getE()));

with 

BigInteger modulus = new BigInteger(1, Base64.getUrlDecoder().decode(jsonKey.getN()));
BigInteger exponent = new BigInteger(1, Base64.getUrlDecoder().decode(jsonKey.getE()));
pedrofb
  • 37,271
  • 5
  • 94
  • 142
  • This helps! The modulus and exponent provided correspond to the public key of the first certificate in the certificate chain. The whole chain is needed to verify the signature and not just the mod and exp as I was initially trying. – Ryan D Jun 20 '17 at 20:17
  • @RyanD How did you solve the problem? What do you mean by saying "the whole chain is needed to verify the signature"? – Tom Reineke Feb 09 '21 at 13:06
  • @TomReineke Do a quick google search of certificate chains. There is the identity certificate, possibly multiple intermediate certificates and the root certificate. I think I was mistakenly just trying to use the identity certificate to validate, but those certs in the chain all work together, so extracting one will not help. It's been a long time since I wrote this though. – Ryan D Feb 10 '21 at 15:58
  • 1
    @TomReineke If it helps, I've created this gist that contains the method doing the work. AzurePublicKey class is just a pojo representing a single key from the url provided in the question. Hope it helps. https://gist.github.com/RyanGDay/9af0d0ba3bf5304167b6a2885c161b35 – Ryan D Feb 10 '21 at 16:01
  • 1
    @RyanD thanks for your effort. I've resolved the issue in the meantime. The key thing I didn't realize for some time, was that to verify a JWT you only need a public key - not the private key. After understanding this, the implementation was straightforward. – Tom Reineke Feb 24 '21 at 14:36