HS512 signature verification fails for valid tokens

[gh-spadwal]

ruby-jwt fails with a Signature verification failed (JWT::VerificationError) error when decoding a valid JWT signed with HS512.

hmac_secret = '6Pw9eSE@8XTNX]1=_kEYU~KvGz9mB*A|M=%AgsfuUH}#ZItuJ#@U#8hq}@E%dy$ljEMVvEF5G$mEcOV^+vS]F]BUvy(1_2@VtwSvpkuc73idA[{XiUY}PjZdUUl4$)W2T2uAgS$#0RJi^zw{J6feK[kP*NrW|CdBqYwrcD#F%Em~hZmQF*720Y59_tOB[daSeN-23[zO_Bcb]{GY1nN%JE)fh3ZF4N|2(J]LuSVvo=Dovu}qvrs5{8GPl]C[DVjV]Vkr4mshGqdGtIxVjtHN2^#OazRF)Q2PyBKg)nWRwFWrMni[~ue}p42MzGTL0zeNjqdqZjPSJLKSV{U$h@czZ|urEgY3=3~b2iy+RGBe3i%Jhlj+3NLQXN+aL{xy(@pP02n9j1pOGxiSV=hHBPV@Xw#}(]zc}#3=U[Fd7GTuU[k3AA4+Tii-(uIYSQfAcwG70wM[cFDwZe{I7I[245GkXJMnC6v4rdjC}16SB7^y[I$zrLWJbLr8NnNevv%$vUk)kkLNrr{H4)Noxo|yG@Qra[KtfO7qmA+v0LG)pd64XtkC8WlNDPQ]IQY7*x2wn|%k)}XbfYN}11IJFL(I0lTc9p}iHc}-%Zmk7c@%yC{gIy%R_CnSx@bj(tDwwFVi%|WsyO{^$uGzq]NFk[a]b|S#t[ua(zx99iq[b}rb9n*kv12d^1LTGeX8K1NcE+0tpo}GEYp5*pIaB*(}n|wI]*#*ovKRiR6]#ggaqlYPNo+p=4MLv^%^rFXF*]4JNF*negapf_pb_D3LD9Eo}*sY~)lRQWkjEP()0b3cHR44jlmzDgqlz8rgyDKbdbKF#hbOGoa0WHEg0Hr1UZ7EJnsl$P1h(qhXvhbU8wS03i*|2m]CW|y}1U9s5)i[R1BXYe$QLq|z*$70lzLS{L#c$vx58[s[JcaWg7W]2_iiluaTVgFvAI0}yd0ExWLQCiKt1%4Bm3_g0zBAh}Ri+]ERxT#jKqn]ZYzpk}USWE2d0gFGQywI'

token='eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJzdXBlcmdoYWRtaW5AZ3VhcmRhbnRkZW1vLmNvbSIsImlzcyI6Imh0dHBzOi8vcG9ydGFsYXBpLmd1YXJkYW50aGVhbHRoLmNvbS9vYXV0aDIvZGVmYXVsdCIsImlhdCI6MTYyODI0Mzc3OSwiZXhwIjoxNjI4MzMwMTc5LCJqdGkiOiI0YTBhMTRiZS02MDk1LTRkMWItOWU0OS0yODM0YzdjMzI3ZjUiLCJ1c2VyRGV0YWlscyI6eyJpZCI6MiwidXVpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMiIsInVzZXJuYW1lIjoic3VwZXJnaGFkbWluQGd1YXJkYW50ZGVtby5jb20iLCJyb2xlcyI6W3sidXVpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwNiIsIm5hbWUiOiJTdXBlciBHSCBBZG1pbiIsImNsYWltcyI6W3sidXVpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAxYSIsInJlc291cmNlSHR0cE1ldGhvZCI6IlBPU1QiLCJyZXNvdXJjZUVuZHBvaW50IjoiL2FwaS92MS91c2VycyJ9LHsidXVpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAyYSIsInJlc291cmNlSHR0cE1ldGhvZCI6IkdFVCIsInJlc291cmNlRW5kcG9pbnQiOiIvYXBpL3YxL3VzZXJyb2xlcyJ9LHsidXVpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAyYiIsInJlc291cmNlSHR0cE1ldGhvZCI6IlBPU1QiLCJyZXNvdXJjZUVuZHBvaW50IjoiL2FwaS92MS91c2Vycy97dXVpZH0vcm9sZXMifSx7InV1aWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMGUiLCJyZXNvdXJjZUh0dHBNZXRob2QiOiJHRVQiLCJyZXNvdXJjZUVuZHBvaW50IjoiL2FwaS92MS9vcmdhbml6YXRpb25zIn1dfV0sInRlbmFudFV1aWQiOm51bGwsInRlbmFudENvdW50cnkiOm51bGwsIm9yZ1V1aWQiOm51bGx9fQ.-1Bvmzg8xce_Poihu_IoZ_Isljrs0FVk_7vdVgGLBHH4bHkigVf1wj6HyEfaeXBTMKK3JG6prarwTN4IlE-l5A'

decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS512' }

Exception Stacktrace:

  /home/sarvesh/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/jwt-2.2.1/lib/jwt/signature.rb:45:in `verify'
  /home/sarvesh/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/jwt-2.2.1/lib/jwt/decode.rb:42:in `verify_signature'
  /home/sarvesh/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/jwt-2.2.1/lib/jwt/decode.rb:26:in `decode_segments'
  /home/sarvesh/.rbenv/versions/2.6.3/lib/ruby/gems/2.6.0/gems/jwt-2.2.1/lib/jwt.rb:28:in `decode'

Provided token is valid token. This token can be also verified at https://jwt.io/

[anakinj]

Hi,

Was trying to reproduce the problem and I am getting the same result using that snippet. But I wonder if the given secret actually is correct?

According to https://jwt.io the signature when using that secret is
suWFqcqo-BpYJpX9vbkcptvc_yPBF5Q8Aztp0V5ag4tjZtq6OgzsFLFxjfOC7UVoiACZOJdczQO7AWkwGgSLUQ

This does not match with the provided token in the example:
-1Bvmzg8xce_Poihu_IoZ_Isljrs0FVk_7vdVgGLBHH4bHkigVf1wj6HyEfaeXBTMKK3JG6prarwTN4IlE-l5A

[lilisako]

As anakinj said the secret does not match to the result from https://jwt.io/. Here is the copy-pastable example.

require 'jwt'

hmac_secret = '6Pw9eSE@8XTNX]1=_kEYU~KvGz9mB*A|M=%AgsfuUH}#ZItuJ#@U#8hq}@E%dy$ljEMVvEF5G$mEcOV^+vS]F]BUvy(1_2@VtwSvpkuc73idA[{XiUY}PjZdUUl4$)W2T2uAgS$#0RJi^zw{J6feK[kP*NrW|CdBqYwrcD#F%Em~hZmQF*720Y59_tOB[daSeN-23[zO_Bcb]{GY1nN%JE)fh3ZF4N|2(J]LuSVvo=Dovu}qvrs5{8GPl]C[DVjV]Vkr4mshGqdGtIxVjtHN2^#OazRF)Q2PyBKg)nWRwFWrMni[~ue}p42MzGTL0zeNjqdqZjPSJLKSV{U$h@czZ|urEgY3=3~b2iy+RGBe3i%Jhlj+3NLQXN+aL{xy(@pP02n9j1pOGxiSV=hHBPV@Xw#}(]zc}#3=U[Fd7GTuU[k3AA4+Tii-(uIYSQfAcwG70wM[cFDwZe{I7I[245GkXJMnC6v4rdjC}16SB7^y[I$zrLWJbLr8NnNevv%$vUk)kkLNrr{H4)Noxo|yG@Qra[KtfO7qmA+v0LG)pd64XtkC8WlNDPQ]IQY7*x2wn|%k)}XbfYN}11IJFL(I0lTc9p}iHc}-%Zmk7c@%yC{gIy%R_CnSx@bj(tDwwFVi%|WsyO{^$uGzq]NFk[a]b|S#t[ua(zx99iq[b}rb9n*kv12d^1LTGeX8K1NcE+0tpo}GEYp5*pIaB*(}n|wI]*#*ovKRiR6]#ggaqlYPNo+p=4MLv^%^rFXF*]4JNF*negapf_pb_D3LD9Eo}*sY~)lRQWkjEP()0b3cHR44jlmzDgqlz8rgyDKbdbKF#hbOGoa0WHEg0Hr1UZ7EJnsl$P1h(qhXvhbU8wS03i*|2m]CW|y}1U9s5)i[R1BXYe$QLq|z*$70lzLS{L#c$vx58[s[JcaWg7W]2_iiluaTVgFvAI0}yd0ExWLQCiKt1%4Bm3_g0zBAh}Ri+]ERxT#jKqn]ZYzpk}USWE2d0gFGQywI'
token='eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJzdXBlcmdoYWRtaW5AZ3VhcmRhbnRkZW1vLmNvbSIsImlzcyI6Imh0dHBzOi8vcG9ydGFsYXBpLmd1YXJkYW50aGVhbHRoLmNvbS9vYXV0aDIvZGVmYXVsdCIsImlhdCI6MTYyODI0Mzc3OSwiZXhwIjoxNjI4MzMwMTc5LCJqdGkiOiI0YTBhMTRiZS02MDk1LTRkMWItOWU0OS0yODM0YzdjMzI3ZjUiLCJ1c2VyRGV0YWlscyI6eyJpZCI6MiwidXVpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMiIsInVzZXJuYW1lIjoic3VwZXJnaGFkbWluQGd1YXJkYW50ZGVtby5jb20iLCJyb2xlcyI6W3sidXVpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwNiIsIm5hbWUiOiJTdXBlciBHSCBBZG1pbiIsImNsYWltcyI6W3sidXVpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAxYSIsInJlc291cmNlSHR0cE1ldGhvZCI6IlBPU1QiLCJyZXNvdXJjZUVuZHBvaW50IjoiL2FwaS92MS91c2VycyJ9LHsidXVpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAyYSIsInJlc291cmNlSHR0cE1ldGhvZCI6IkdFVCIsInJlc291cmNlRW5kcG9pbnQiOiIvYXBpL3YxL3VzZXJyb2xlcyJ9LHsidXVpZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAyYiIsInJlc291cmNlSHR0cE1ldGhvZCI6IlBPU1QiLCJyZXNvdXJjZUVuZHBvaW50IjoiL2FwaS92MS91c2Vycy97dXVpZH0vcm9sZXMifSx7InV1aWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMGUiLCJyZXNvdXJjZUh0dHBNZXRob2QiOiJHRVQiLCJyZXNvdXJjZUVuZHBvaW50IjoiL2FwaS92MS9vcmdhbml6YXRpb25zIn1dfV0sInRlbmFudFV1aWQiOm51bGwsInRlbmFudENvdW50cnkiOm51bGwsIm9yZ1V1aWQiOm51bGx9fQ.suWFqcqo-BpYJpX9vbkcptvc_yPBF5Q8Aztp0V5ag4tjZtq6OgzsFLFxjfOC7UVoiACZOJdczQO7AWkwGgSLUQ'

decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS512' }
puts decoded_token
#=> Signature has expired (JWT::ExpiredSignature) 
# This is expected because the expiration is Aug 07 2021

[anakinj]

Im going to close this issue. Don't hesitate to comment and we'll re-open if this still needs some attention.