[
https://issues.apache.org/jira/browse/OLTU-131?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrei Dulvac updated OLTU-131:
-------------------------------
Description:
If you use the oltu JWSReader with a character encoding that is not
single-byte, like UTF-8, the signature is parsed incorrectly.
This is because the signature, according to the JWT spec, is a base64url
encoded byte array (any byte, generated by HMAC256), which is now decoded
directly into a String. If the character encoding is set to UTF-8
(-Dfile.encoding=UTF-8), the decoded signature will be a different byte array,
usually longer. If the character encoding used is something single-byte, like
MacRoman, this happens to work.
From the JWS spec:
{quote}
Create the desired serialized output. The JWS Compact Serialization of this
result is BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS
Payload) || '.' || BASE64URL(JWS Signature).
{quote}
The solution is to change the JWS reader to store the signature as base64url
and compare that.
was:
If you use the oltu JWSReader with a character encoding that is not
single-byte, like UTF-8, the signature is parsed incorrectly.
This is because the signature, according to the JWT spec, is a base64url
encoded byte array (any byte, generated by HMAC256), which is now decoded
directly into a String. If the character encoding is set to UTF-8
(-Dfile.encoding=UTF-8), the decoded signature will be a different byte array,
usually longer. If the character encoding used is something single-byte, like
MacRoman, this happens to work.
From the JWS spec:
{quote} Create the desired serialized output. The JWS Compact Serialization of
this result is BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS
Payload) || '.' || BASE64URL(JWS Signature). {quote}
The solution is to change the JWS reader to store the signature as base64url
and compare that.
> Signature parsing from access token is broken for character encodings that
> are not single-byte
> ----------------------------------------------------------------------------------------------
>
> Key: OLTU-131
> URL: https://issues.apache.org/jira/browse/OLTU-131
> Project: Apache Oltu
> Issue Type: Bug
> Components: jose, jws, jwt
> Affects Versions: 1.0
> Reporter: Andrei Dulvac
> Priority: Critical
> Labels: PatchAvailable
> Fix For: 1.0
>
>
> If you use the oltu JWSReader with a character encoding that is not
> single-byte, like UTF-8, the signature is parsed incorrectly.
> This is because the signature, according to the JWT spec, is a base64url
> encoded byte array (any byte, generated by HMAC256), which is now decoded
> directly into a String. If the character encoding is set to UTF-8
> (-Dfile.encoding=UTF-8), the decoded signature will be a different byte
> array, usually longer. If the character encoding used is something
> single-byte, like MacRoman, this happens to work.
> From the JWS spec:
> {quote}
> Create the desired serialized output. The JWS Compact Serialization of this
> result is BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS
> Payload) || '.' || BASE64URL(JWS Signature).
> {quote}
> The solution is to change the JWS reader to store the signature as base64url
> and compare that.
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
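The failure mode the report describes, as an added worked example that is not Oltu's code and not part of the issue thread. It is written in Python rather than Java so it can be run stand-alone; `roundtrip_through_string` imitates what Java's `new String(byte[], charset)` followed by `getBytes(charset)` does to arbitrary signature bytes (malformed sequences become U+FFFD, which is three bytes in UTF-8). The key, header and claims are constructed inputs, and all function names are this example's own, not Oltu's API.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample inputs (not from the issue): a shared HMAC key and claims.
KEY = b"correct horse battery staple"
HEADER = {"alg": "HS256", "typ": "JWT"}
CLAIMS = {"sub": "alice", "scope": "read"}


def b64url_encode(raw: bytes) -> str:
    # JWS uses base64url with the trailing '=' padding stripped.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that Python's decoder requires.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    # BASE64URL(UTF8(header)) '.' BASE64URL(payload) '.' BASE64URL(HMAC-SHA256(signing input))
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def roundtrip_through_string(raw: bytes, charset: str) -> bytes:
    # The bug pattern: arbitrary signature bytes are turned into a String in the
    # platform charset and later turned back into bytes. Like Java's
    # String(byte[], Charset), malformed input is replaced by U+FFFD, which
    # re-encodes to three bytes in UTF-8, so the result is usually longer.
    # Single-byte charsets (latin-1, MacRoman) map every byte, so they round-trip.
    return raw.decode(charset, errors="replace").encode(charset)


def verify_via_string(token: str, key: bytes, charset: str) -> bool:
    # A reader that stores the decoded signature as a String (the reported behaviour).
    signing_input, sig_segment = token.rsplit(".", 1)
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    stored = roundtrip_through_string(b64url_decode(sig_segment), charset)
    return hmac.compare_digest(expected, stored)


def verify_hs256(token: str, key: bytes) -> bool:
    # Fixed reader: keep the signature as base64url text and compare the
    # recomputed MAC in that form; no platform charset is involved.
    signing_input, sig_segment = token.rsplit(".", 1)
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url_encode(expected), sig_segment)


def tamper_claims(token: str, claims: dict) -> str:
    # Swap the payload segment without re-signing, as an attacker would.
    header_seg, _, sig_seg = token.split(".")
    payload_seg = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return ".".join([header_seg, payload_seg, sig_seg])


if __name__ == "__main__":
    token = sign_hs256(HEADER, CLAIMS, KEY)
    print(token)
    print("reader with single-byte charset:", verify_via_string(token, KEY, "latin-1"))
    print("reader with UTF-8 charset      :", verify_via_string(token, KEY, "utf-8"))
    print("fixed reader                   :", verify_hs256(token, KEY))
```

Comparing the base64url text, as the report proposes, is strict: a token whose signature segment carries padding or non-canonical trailing bits is rejected even though its decoded bytes would match. Decoding both sides and comparing bytes with a constant-time compare is the more tolerant alternative; either is fine as long as no charset-dependent String sits in between. The example checks only the HMAC; a real reader must also pin the accepted `alg` before trusting the header.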