Topic: WolfSSL-JSSE compatibility issues with Nimbus-jose JWT library

Built wolfssl with jni and jsse on CentOS 7. Set the instance of WolfSSLProvider for signer/verifier's JCA provider of Nimbus jose jwt. It seems that there are compatibility issues with these two. Signing fails with the error "Unsupported JWS algorithm RS256" (used RSA asymmetric keys with key-length of 2048 bits). Enabling debug logs using -Dwolfssl.debug=true didn't yield any information.

Nimbus jose jwt asymmetric key token signing and verification were seen to be working fine with all the other security providers that I tested.

Note: Octet key pair with Curve Ed25519 was seen to be working fine.

Re: WolfSSL-JSSE compatibility issues with Nimbus-jose JWT library

Hi realexan,

Thanks for reaching out. We have not tested wolfJSSE or wolfJCE with Nimbus JOSE + JWT before in-house. Can you confirm, are you using wolfJSSE or our cryptography provider wolfJCE? I am not familiar enough at the moment with how Nimbus JOSE + JWT calls down into the Java Security Architecture to know if it is calling into a JCE or JSSE provider. If you are using wolfJSSE (wolfSSL JNI/JSSE Provider), it may be worth trying to download, build, and register our JCE provider (wolfCrypt JNI/JCE) to see if that gives Nimbus access to the algorithm primitives that it is expecting.

Native wolfSSL supports RSA 2048 and SHA-256, as does wolfJSSE (in TLS cipher suites) and wolfJCE (via Signature and MessageDigest classes).

Are you able to provide more details about the project you are working on, and why you are looking to use wolfJSSE/wolfJCE in place of the default cryptography providers?

Thanks,
Chris
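
An added example, not part of the thread and not wolfSSL or Nimbus code: a JDK-only check of which providers register the Signature service that RS256 needs. It assumes Nimbus resolves RS256 to the JCA name SHA256withRSA on the provider set in its JCA context. The two wolfSSL provider class names are loaded by reflection only if their jars are on the classpath, and the signed message is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class Rs256ProviderCheck {
    // Assumption: JCA name behind JWS RS256 (RSASSA-PKCS1-v1_5 with SHA-256).
    static final String JCA_ALG = "SHA256withRSA";

    /** True if this provider itself registers a Signature service for JCA_ALG. */
    static boolean offersRs256(Provider p) {
        return p.getService("Signature", JCA_ALG) != null;
    }

    /** Sign and verify a constructed message using only this provider's Signature. */
    static boolean roundTrip(Provider p, KeyPair kp) throws GeneralSecurityException {
        byte[] msg = "constructed.signing-input".getBytes(StandardCharsets.US_ASCII);
        Signature s = Signature.getInstance(JCA_ALG, p);
        s.initSign(kp.getPrivate());
        s.update(msg);
        byte[] sig = s.sign();
        Signature v = Signature.getInstance(JCA_ALG, p);
        v.initVerify(kp.getPublic());
        v.update(msg);
        return v.verify(sig);
    }

    /** Instantiate a provider by class name, or return null if it is not available. */
    static Provider tryLoad(String className) {
        try {
            return (Provider) Class.forName(className).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | LinkageError e) {
            return null; // jar or native library missing
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        List<Provider> providers = new ArrayList<>(Arrays.asList(Security.getProviders()));
        for (String cn : new String[] {"com.wolfssl.provider.jsse.WolfSSLProvider",
                                       "com.wolfssl.provider.jce.WolfCryptProvider"}) {
            Provider p = tryLoad(cn);
            if (p != null) providers.add(p);
        }
        for (Provider p : providers) {
            if (!offersRs256(p)) { System.out.println(p.getName() + ": no Signature." + JCA_ALG); continue; }
            try { System.out.println(p.getName() + ": sign/verify ok=" + roundTrip(p, kp)); }
            catch (GeneralSecurityException | LinkageError e) { System.out.println(p.getName() + ": " + e); }
        }
    }
}
```

A provider that reports no Signature.SHA256withRSA cannot serve an RS256 signer that is pinned to it, whatever TLS cipher suites it supports.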

Re: WolfSSL-JSSE compatibility issues with Nimbus-jose JWT library

Hi Chris,

Thank you for your response. That helped. I was able to build wolfCrypt JNI/JCE, and was able to get signing/verification working with RSA 2048. For ECDSA, public certificate loading had issues with wolfcrypt JCE, however, signing using the private key worked fine.

Regarding the performance, the signing operation was seen to be expensive with wolfcrypt JCE, while verification was faster - when compared to BCFips. Here is the output of a sample program that tested the performance differences between wolfssl and BCFips:

Signer JCA:wolfJCE version 1.0
nimbus-jose JWS RSA2048 with JWSAlgorithm RS256 [Sign] - 5.27 millis
Verifier JCA:wolfJCE version 1.0
nimbus-jose JWS RSA2048 with JWSAlgorithm RS256 [Validate] - 180.383 micros


Signer JCA:BCFIPS version 1.0002
nimbus-jose JWS RSA2048 with JWSAlgorithm RS256 [Sign] - 3.55 millis
Verifier JCA:BCFIPS version 1.0002
nimbus-jose JWS RSA2048 with JWSAlgorithm RS256 [Validate] - 621.219 micros


Are there any flags to improve the signing performance (perhaps for making use of the native code)?

Regards,
Renjith Alexander

Re: WolfSSL-JSSE compatibility issues with Nimbus-jose JWT library

Hi Renjith,

> For ECDSA, public certificate loading had issues with wolfcrypt JCE

Are you able to share more details on the error that you saw for this?  Or, would it be easy to send over a simple sample app that reproduces the issue?  If so, I can help look into this further.  This may be due to a native build option that needs to change, or a higher-level JCE feature depending on the error.

> Are there any flags to improve the signing performance (perhaps for making use of the native code)?

We have several different math libraries available in native wolfSSL now that provide varying performance and features.  We have our normal big integer library, our fastmath library, and our newest SP Math library.  On most platforms, fastmath will be the default.  Switching over to our newer SP Math should give you performance increases for public key operations (RSA, ECDSA).

If you are using configure with wolfSSL, you can try the following options:

./configure --enable-sp --enable-sp-math-all <other options>

Our SP Math library does also have assembly optimizations for several platforms.  Depending on your target hardware, you may be able to add --enable-sp-asm to the above options.

Let me know if that builds OK, and what you see as far as performance goes.

Thanks!
Chris

Re: WolfSSL-JSSE compatibility issues with Nimbus-jose JWT library

Hi Renjith,

Were you able to try the SP math build options to see if that helped improve performance?

Thanks,
Chris