From "Andrei Dulvac (JIRA)" <j...@apache.org>
Subject [jira] [Created] (OLTU-131) Signature parsing from access token is broken for character encodings that are not single-byte
Date Thu, 19 Dec 2013 15:14:09 GMT
Andrei Dulvac created OLTU-131:
----------------------------------

             Summary: Signature parsing from access token is broken for character encodings that are not single-byte
                 Key: OLTU-131
                 URL: https://issues.apache.org/jira/browse/OLTU-131
             Project: Apache Oltu
          Issue Type: Bug
          Components: jose, jws, jwt
    Affects Versions: 1.0
            Reporter: Andrei Dulvac
            Priority: Critical
             Fix For: 1.0


If you use the oltu JWSReader with a character encoding that is not single-byte, like UTF-8,
the signature is parsed incorrectly. 

This is because the signature, according to the JWT spec, is a base64url encoded byte array
(any byte, generated by HMAC256), which is now decoded directly into a String. If the character
encoding is set to UTF-8 (-Dfile.encoding=UTF-8), the decoded signature will be a different
byte array, usually longer. If the character encoding used is something single-byte, like
MacRoman, this happens to work.

From the JWS spec:
{quote} Create the desired serialized output.  The JWS Compact Serialization of this result
is BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS
Signature). {quote}

The solution is to change the JWS reader to store the signature as base64url and compare that.
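To make the failure mode concrete, here is an added example (not Oltu's JWSReader code) that computes an HMAC-SHA256 JWS signature, then verifies it two ways: by round-tripping the decoded bytes through a java.lang.String under a given charset, as the issue describes, and by comparing the raw decoded bytes. The key, header and payload are constructed for the demonstration; ISO-8859-1 stands in for MacRoman as the single-byte charset.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwsSignatureCheck {
    // Constructed demo key; any byte string works for the comparison below.
    static final byte[] KEY = "example-hmac-key-not-a-real-secret".getBytes(StandardCharsets.US_ASCII);

    static byte[] hmacSha256(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // The broken approach from the issue: decode the signature into a String with the
    // platform charset. Under UTF-8, arbitrary HMAC bytes are not valid text, so invalid
    // sequences are replaced and the bytes read back are different (usually longer).
    static boolean verifyViaString(String signingInput, String sigB64Url, Charset cs) throws Exception {
        byte[] expected = hmacSha256(KEY, signingInput.getBytes(StandardCharsets.US_ASCII));
        String decodedAsText = new String(Base64.getUrlDecoder().decode(sigB64Url), cs);
        byte[] roundTripped = decodedAsText.getBytes(cs);
        return MessageDigest.isEqual(expected, roundTripped);
    }

    // The fix the issue proposes, in byte form: never treat the signature as text.
    // Comparing the base64url strings directly is equivalent to comparing these bytes.
    static boolean verifyViaBytes(String signingInput, String sigB64Url) throws Exception {
        byte[] expected = hmacSha256(KEY, signingInput.getBytes(StandardCharsets.US_ASCII));
        byte[] actual = Base64.getUrlDecoder().decode(sigB64Url);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // Constructed "header.payload" signing input: {"alg":"HS256"} . {"sub":"demo"}
        String signingInput = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0";
        String sig = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(hmacSha256(KEY, signingInput.getBytes(StandardCharsets.US_ASCII)));
        System.out.println("raw bytes:         " + verifyViaBytes(signingInput, sig));
        System.out.println("String/UTF-8:      " + verifyViaString(signingInput, sig, StandardCharsets.UTF_8));
        System.out.println("String/ISO-8859-1: " + verifyViaString(signingInput, sig, StandardCharsets.ISO_8859_1));
    }
}
```

The single-byte charset round-trips every byte value one-to-one, which is why the bug stays hidden on such systems; the UTF-8 path typically reports false for the same valid signature.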

--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
