1

I'm trying out JWT (JSON Web Tokens) in a Go web service. Here's what I've done so far:

package jwt

import(
    "fmt"
    "net/http"
    "github.com/gorilla/mux"
    "github.com/dgrijalva/jwt-go"
    "io/ioutil"
)

var privateKey []byte
var publicKey []byte 

func JSONWebTokensHandler(w http.ResponseWriter, r * http.Request){

    // Create the token
    encodeToken := jwt.New(jwt.SigningMethodHS256)
    // Set some claims
    encodeToken.Claims["Latitude"] = "25.000"
    encodeToken.Claims["Longitude"] = "27.000"
    // Sign and get the complete encoded token as a string
    tokenString, err := encodeToken.SignedString(privateKey)

    decodeToken, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {

        if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
            return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
        }

        return publicKey,nil
    })

    if decodeToken.Valid {

        fmt.Fprintf(w,"Lat:  %s, Lng: %s",decodeToken.Claims["Latitude"],decodeToken.Claims["Longitude"])

    }  else {

        fmt.Fprintf(w,"Couldn't handle this token: %s", err)

    }

}

func init(){

    privateKey,_ = ioutil.ReadFile("demo.rsa")
    publicKey,_ = ioutil.ReadFile("demo.rsa.pub")

    r := mux.NewRouter()
    r.HandleFunc("/jwt",JSONWebTokensHandler).Methods("GET")
    http.Handle("/", r)

}

Now if my understanding is correct, A token that is encoded using a private key can be decoded using the public key. That is what I've presumed in the code above however when I run the code I get the error:

Couldn't handle this token: signature is invalid

If I use the same key for encoding and decoding, then the code works.

What I'd like to know is, is there something wrong with my understanding or in the code?

Grokify
  • 15,092
  • 6
  • 60
  • 81
W.K.S
  • 9,787
  • 15
  • 75
  • 122

3 Answers3

3

The JWT isn't signed using an asymmetric cipher like RSA. It uses a HMAC, which uses a single, secret key. Indeed, the point here is not to prove to someone else that you signed the token. It's to prove to yourself that you signed it, and thus forbid anyone who doesn't have your secret key to modify the token.

JB Nizet
  • 678,734
  • 91
  • 1,224
  • 1,255
  • 2
    Correct, although RSA algorithms are part of the JWT 'standard' and include in the jwt-go package. However, I would strongly recommend against them: a HMAC construction is much easier to 'get right' from an implementation point-of-view and still provides the functionality needed: preventing third party modification of the token. – elithrar Jun 20 '15 at 09:49
  • @elithrar thanks. I edited the answer to say "The" JWT instead of "A" JWT. The posted code uses a HMAC. – JB Nizet Jun 20 '15 at 09:53
3

You are using jwt.SigningMethodHMAC. Therefore, you are signing using HMAC, the signature is the token ciphered by a symmetric key (secret).

You shall use: jwt.New(jwt.SigningMethodRS256) to sign with an asymmetric key-pair.

dario nascimento
  • 587
  • 5
  • 11
0

Very interesting, since I have a similar problem, when I have micro service and a client app that need to verify the token that comes from another internal server, so if you advice using HMAC over RSA them that means that I need to put the private key in both micro service and Client App? that wouldn't be a serious security hole?

Ivan Carmenates García
  • 351
  • 5
  • 5