Mailing-List: contact issues-help@cxf.apache.org; run by ezmlm
Delivered-To: mailing list issues@cxf.apache.org
Reply-To: dev@cxf.apache.org
Date: Mon, 27 Mar 2017 15:22:41 +0000 (UTC)
From: "Andriy (JIRA)"
To: issues@cxf.apache.org
Subject: [jira] [Commented] (CXF-7300) JWS verification issue
archived-at: Mon, 27 Mar 2017 15:22:47 -0000

    [ https://issues.apache.org/jira/browse/CXF-7300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15943452#comment-15943452 ]

Andriy commented on CXF-7300:
-----------------------------

Yes, you are right too.
Thanks for making changes so quickly

> JWS verification issue
> ----------------------
>
>                 Key: CXF-7300
>                 URL: https://issues.apache.org/jira/browse/CXF-7300
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.1.10
>            Reporter: Andriy
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 3.1.11, 3.2.0
>
>
> The following JWS
> {noformat}
> {"payload":"cGF5bG9hZA","protected":"eyJqd2siOnsia3R5IjoiUlNBIiwiYWxnIjoiUlMyNTYiLCJuIjoiZ05QSjhvbVBVZTFlTUlzYUw5NGM2SlVyX0wzQnlDWGZHcnhnTGVSUEhJOWEwZ0pBYmQwVXVwYVRrdmY4TzRIbENtc2ZTM2RrSWQ4d3VvZUE4VWdzMklHc3NuRjVKMl9wOVRZZ0tXRUJKMXNYeEJ5bHJieWh6bGFFY2hheENWa3RJaVo3ZUlpTGNQQ19mM0trNWhQVEtndkY5X0xpWFlLUUZTakJIUTVRUXlheW5pd1JMZmZJQmt0T0VnLVp0Zm1hdERERG9VWGw0TDBYOTFNbzZTWkEzUy1CVlZfMHNnQ19peTJpaXY1NXo1UDZra1kyeW5GMGJKak1MRXl6QUJrUG1VOXFsVEpiWjZoOGVZazAwdk4xYUpnRFFGUzNHR2V4VlJPV01nY3dkbmdyaDVacWhyQzZPdzlkdGZPWjZZbTBwWnFxcURtUllveHp3SGg0bmFmOUEyYmk4YzJWVmJCMXE2SFdMdlNVUTZGUFJVUy1ocld3UkFwWnlfczNSRlhCbVl0cGpqbUhHM1NjYTVPVi01OS1vdVNscHllRjhSQTR4SmxrUGRMSHJHbG1oMENaTm9WUXlMa2pGak9uWlJOV0haY2drMjNoQ2FaZHlPcEYyWl9NYVRLWUxueXdNUE9MbmFtSm1Mb1ZWRG1faUpQZUgtR1AxYkVNUEhZRzFYNTZETmJVbXVvLTdrSE1rUmNPNTdjUjlBaV83Y2VEYW5KNjJqaGpQMzdnd1dHc2FFdV9WRFpWQUhvX1pvbGJjVl9Rb2MyRHpPdUIxX1pBekZCVzRZR0NlUGdxWkZuZ0JINUhucy13X0UwVFNSRWx1WEhHNFZpX0FyOS1KVzcwRHJpa2hHYlJZb2hoemlSaUZza25JZG1ZYzVEZ0dhbklNbUszVm45WFAtR213bnMiLCJlIjoiQVFBQiJ9LCJhbGciOiJSUzI1NiJ9","signature":"fvybPw1_DPy5zEWaDj2KSj6vARjiMq4EeTQ22ndrNfqDd3rYhPdvqeKVuJbPekwZG3SkmCzf_xqxNXH9DXntku45tRYtNv3vMyqnKa_hAHLaS7DB-lnhZzYWV4-9nIJlyv652XlpS9C9UX1k9diItZnYezBpP3APHMtbtyJBXFcuUIeXtJNWoOtGWAjT68AqOi2Duxxe44dCgSY0hvQWCXvqwTnwOf7kWooN_e-qRBKdgQIAmBDXUUpUoGPejImF4Xk65Ogt4rTRcdozBF21IaAbL3Go2Pw5_EZgaGkYfr07dDr0U5qX9YA9_lBPyM7xVkX37jQs9kD_uXUFmavHd9iW_CcNqTahnqx_Q1nUzBNssCjWxelnP6Jq4p7mQHFy8K7WQwu_yz_wyqUM94uf15PXd_ChqDE7SNZ-Bi3xGpswOwPA8rXMV72VWMwlrZTQ_lsYk8SmDCXpPHIlOHeJGzBRDmKJohZXJh9HNOUqTKsm577w4vBMnEKbhxFkptVvl9H3VhQMpfGygdw7Yu20KbHrOQVeRXvX-i0GQwKjUG-7vOhlch7dTVIqLqICSwA1rkYsVsHWfQBmBnbHkvrBN3C-yL6Vi_SIX76gWzLY0_bEf7qL45aPOZ3Sc9I8szBtEL6Hv3RflIgTlljlDna09U5R8v93fgXsicsx-evno9c"}
> {noformat}
> verification fails.
> The public key before encoding it to jwk is
> {code:java}
> BigInteger n = new BigInteger("5255695311536212281640690132069630230391217513352213951807414214798927258730206913361584487466507621075958352148531548486906896903886764928450353366890712125983926472500064566992690642117517954169974907061547335319004060904209007529128195511229378143873037612124976420527293968653459420881902363918315745609356541488156738145175359417803400235562240725293061187831495891482626222688601513060961596428089445136672794704664637866917427597486905443676772669967766269923280637049233876979061993814679654208850149406432368216133754409364420006370917666045132384439966716245130870462479005121183466778211539075450737650682471799384849191599620660583755880595435746242835461511629256499875808397638097872861573817280467461957013790902293850442561995774628930418082115864728330723111110174368232384797709242627319756376556142528218939778387518312333624058293826578368683620221070559710076509862742901729570617689050546694620740110561418927841658135072351486833480142011507849987150615750938676664533324336070355813782518247794999394860113007245546797308586043310145338620953330797301627631794650975659295961069452157705404946866414340860434286658747258020693897193752371261559483506793421675964711106769549516409923768898746309892053940803799", 10);
> BigInteger e = new BigInteger("65537", 10);
> {code}
> When the public key is recreated from the jwk header of the JWS, it becomes negative, precisely because this condition is true:
> {code:java}
> // org.apache.cxf.rt.security.crypto.CryptoUtils#toBigInteger, line 283
> if (bytes[0] == -128) {
>     return new BigInteger(bytes);
> }
> {code}
> It seems this specification, https://tools.ietf.org/html/rfc7518#section-6.3.1.1, and the RSA standard, section 3.1 (https://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptography-standard-wp.pdf), say that we could evaluate n always as positive,
> as the else clause to the above if does:
> {code:java}
> else {
>     return new BigInteger(1, bytes);
> }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
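The following is an added example written for this page; it is not CXF code and not the reporter's. It reproduces in Python what the quoted `toBigInteger` branches do to a JWK `n` whose first byte is 0x80: `modulus_cxf_3_1_10` mirrors the two branches in the report (signed two's-complement decode for a leading 0x80, unsigned otherwise), `modulus_fixed` is the always-unsigned decode RFC 7518 calls for. The key is constructed on the fly so that its modulus starts with exactly that byte, the JWS is built in the same flattened JSON shape as the one in the report, and the textbook RSASSA-PKCS1-v1_5 signing and verification, the 1024-bit key size (chosen for speed, not as a recommendation), the fixed random seed and all function names are this example's own assumptions. In Python a negative modulus makes `pow()` return a non-positive residue, so verification fails by mismatch; the report only says that CXF 3.1.10 fails verification, and this does not claim how Java fails.

```python
"""Added example (not CXF code): CXF-7300, a JWK "n" starting with byte 0x80.
RFC 7518 section 6.3.1.1 defines "n" as an unsigned big-endian magnitude; decoding
it as a two's-complement integer turns the modulus negative and RS256 verification
fails.  The key below is constructed so its modulus starts with exactly 0x80."""
import base64
import hashlib
import json
import math
import random

E = 65537
_rng = random.Random(7)  # fixed seed so the demo is reproducible; not a real key source


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as JWS/JWK use it (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def modulus_cxf_3_1_10(raw: bytes) -> int:
    """Mirror of the two CryptoUtils#toBigInteger branches quoted in the report:
    a leading 0x80 (Java: bytes[0] == -128) goes through the two's-complement
    constructor new BigInteger(bytes); anything else through new BigInteger(1, bytes)."""
    if raw[0] == 0x80:
        return int.from_bytes(raw, "big", signed=True)
    return int.from_bytes(raw, "big")


def modulus_fixed(raw: bytes) -> int:
    """The fix: "n" is an unsigned magnitude, never sign-extend it."""
    return int.from_bytes(raw, "big")


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin, adequate for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(start: int) -> int:
    candidate = start | 1
    while not is_probable_prime(candidate):
        candidate += 2
    return candidate


def make_key_with_leading_0x80(bits: int = 1024):
    """Constructed key (1024 bits only to keep the demo fast; RS256 needs >= 2048 in
    practice).  q is the first prime at or above 2^(bits-1)/p, so n = p*q lands in
    [2^(bits-1), 2^(bits-1) + 2^(bits-8)) and its first byte is exactly 0x80."""
    half = bits // 2
    while True:
        p = next_prime(_rng.getrandbits(half) | (1 << (half - 1)))
        q = next_prime(((1 << (bits - 1)) + p - 1) // p)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1 and n >> (bits - 8) == 0x80:
            return n, pow(E, -1, phi)


SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 with SHA-256 (RFC 8017 section 9.2), as an integer."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def sign_rs256(signing_input: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(emsa_pkcs1_v15(signing_input, k), d, n).to_bytes(k, "big")


def verify_rs256(signing_input: bytes, signature: bytes, n: int, e: int) -> bool:
    """Textbook RSASSA-PKCS1-v1_5 verify.  With a negative n, pow() returns a
    non-positive residue, so the comparison fails: verification is rejected."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    return pow(int.from_bytes(signature, "big"), e, n) == emsa_pkcs1_v15(signing_input, k)


def build_jws(payload: bytes, n: int, d: int) -> dict:
    """Flattened JSON serialization carrying the public key in a 'jwk' header,
    the same shape as the JWS in the report."""
    k = (n.bit_length() + 7) // 8
    jwk = {"kty": "RSA", "alg": "RS256", "n": b64url_encode(n.to_bytes(k, "big")),
           "e": b64url_encode(E.to_bytes(3, "big"))}
    header = json.dumps({"jwk": jwk, "alg": "RS256"}, separators=(",", ":")).encode()
    protected, payload_b64 = b64url_encode(header), b64url_encode(payload)
    signature = sign_rs256(f"{protected}.{payload_b64}".encode("ascii"), n, d)
    return {"payload": payload_b64, "protected": protected, "signature": b64url_encode(signature)}


def verify_jws(jws: dict, decode_modulus) -> bool:
    """Verify a flattened JWS against its embedded jwk, using the given 'n' decoder."""
    jwk = json.loads(b64url_decode(jws["protected"]))["jwk"]
    n = decode_modulus(b64url_decode(jwk["n"]))
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    signing_input = f"{jws['protected']}.{jws['payload']}".encode("ascii")
    return verify_rs256(signing_input, b64url_decode(jws["signature"]), n, e)


def demo() -> dict:
    n, d = make_key_with_leading_0x80()
    jws = build_jws(b"payload", n, d)  # same payload as the report's JWS
    raw_n = b64url_decode(json.loads(b64url_decode(jws["protected"]))["jwk"]["n"])
    return {"leading_byte": raw_n[0],
            "cxf_3_1_10_modulus_negative": modulus_cxf_3_1_10(raw_n) < 0,
            "verifies_with_cxf_3_1_10_decoder": verify_jws(jws, modulus_cxf_3_1_10),
            "verifies_with_fixed_decoder": verify_jws(jws, modulus_fixed)}


if __name__ == "__main__":
    print(demo())
```

The point worth keeping in mind from the quoted code: only a modulus whose first byte is exactly 0x80 reaches the signed constructor; 0x81 through 0xFF already went through `new BigInteger(1, bytes)`, so a test fixture with a handful of keys passes while roughly one real key in 128 of a given size cannot be verified. That is also why a negative `n` that then fails `modPow` or the key-length checks shows up as an intermittent "verification failed" rather than a parse error. Per the issue's Fix For field, 3.1.11 and 3.2.0 carry the fix.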