Tags: java, jwt, fusionauth, jose4j, secp256k1

Significance of setRelaxVerificationKeyValidation() in JwtConsumerBuilder() while validating the JWT


    import org.jose4j.jwa.AlgorithmConstraints
    import org.jose4j.jws.AlgorithmIdentifiers
    import org.jose4j.jwt.consumer.JwtConsumerBuilder

    // publicKeyAuth is the PEM string of the verification key; getPublicKeyFromPEMString() is my own helper
    val jwtConsumer = JwtConsumerBuilder()
        .setVerificationKey(getPublicKeyFromPEMString(publicKeyAuth)) // verify the signature with the public key
        .setRelaxVerificationKeyValidation() // needed if the key is smaller than 256 bits
        .setJwsAlgorithmConstraints( // only allow the expected signature algorithm(s) in the given context
            AlgorithmConstraints.ConstraintType.PERMIT,
            AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256
        )
        .build()

I am using jose4j 0.7.9 for verification.

I created the JWT with an ES256 header and a secp256k1 curve key using the FusionAuth library, and I am validating the JWT with the public key of the key pair.

It only succeeds when this flag's (setRelaxVerificationKeyValidation) value is set to false.

Can anyone please tell me what relaxation it is doing? I tested with a wrong key, and it failed as expected. Please shed some light.


Solution

  • JwtConsumerBuilder.setRelaxVerificationKeyValidation() will set setDoKeyValidation(false) on the JsonWebSignature instance the JwtConsumer is using to process the JWS and verify its signature.

    In general setting setDoKeyValidation(false) will skip some extra type checks and minimum key length checks with RSA and HMAC. With ECDSA it's not doing a lot - just skipping this check https://bitbucket.org/b_c/jose4j/src/1ec20f8716436857a3929f60e644d4de1e40bfd9/src/main/java/org/jose4j/jws/EcdsaUsingShaAlgorithm.java#lines-243

    I honestly don't know why that would cause issues with a key/token created with the fusionAuth library.

    But wait, secp256k1 is the JWS ES256K alg. Jose4j only really supports that as of https://bitbucket.org/b_c/jose4j/wiki/Release%20Notes 0.8.0. So something is off here...