oltu-dev mailing list archives

From "Andrei Dulvac (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (OLTU-131) Signature parsing from access token is broken for character encodings that are not single-byte
Date Thu, 19 Dec 2013 15:18:06 GMT

     [ https://issues.apache.org/jira/browse/OLTU-131?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrei Dulvac updated OLTU-131:
-------------------------------

    Attachment: signature_utf8.patch

Attached patch with fix and updated unit tests.

This also fixes a minor issue where providing a longer access token (e.g. add a base64url character at the end of a valid access token) will incorrectly match the signature.

> Signature parsing from access token is broken for character encodings that are not single-byte
> ----------------------------------------------------------------------------------------------
>
>                 Key: OLTU-131
>                 URL: https://issues.apache.org/jira/browse/OLTU-131
>             Project: Apache Oltu
>          Issue Type: Bug
>          Components: jose, jws, jwt
>    Affects Versions: 1.0
>            Reporter: Andrei Dulvac
>            Priority: Critical
>              Labels: PatchAvailable
>             Fix For: 1.0
>
>         Attachments: signature_utf8.patch
>
>
> If you use the oltu JWSReader with a character encoding that is not single-byte, like UTF-8, the signature is parsed incorrectly.
> This is because the signature, according to the JWT spec, is a base64url encoded byte array (any byte, generated by HMAC256), which is now decoded directly into a String. If the character encoding is set to UTF-8 (-Dfile.encoding=UTF-8), the decoded signature will be a different byte array, usually longer. If the character encoding used is something single-byte, like MacRoman, this happens to work.
> From the JWS spec:
> {quote} 
> Create the desired serialized output. The JWS Compact Serialization of this result is BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS Signature).
> {quote}
> The solution is to change the JWS reader to store the signature as base64url and compare that.



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
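The failure mode described in the issue, and the fix it proposes, in an added stand-alone example. This is not Apache Oltu code and not the attached patch; it is a small Python model of the same two ways of handling an HS256 JWS signature. The key, header and payload are constructed for the demo. `roundtrip_through_text` imitates what happens when raw signature bytes are stored as a text String and later turned back into bytes (malformed input replaced with U+FFFD, as a Java String conversion does); `verify_hs256` follows the issue's recommendation and compares the base64url text of the signature, so no character encoding ever touches the signature bytes. The longer-token case from the follow-up comment is covered too: an appended base64url character changes the compared string, so the comparison fails.

```python
"""Added example (not Apache Oltu code): why a JWS signature must never be
round-tripped through a text String, and how to compare it as base64url.

Assumed: HS256 (HMAC-SHA256), a constructed demo key, header and payload.
"""
import base64
import hashlib
import hmac
import json

# Constructed demo inputs; nothing here comes from the issue or the project.
KEY = b"demo-shared-secret-not-for-production"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "alice", "scope": "read"}


def b64url(data: bytes) -> str:
    """BASE64URL without '=' padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding Python's decoder wants."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Produce BASE64URL(header).BASE64URL(payload).BASE64URL(HMAC-SHA256)."""
    h = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p = b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def roundtrip_through_text(raw: bytes, encoding: str) -> bytes:
    """The buggy pattern: raw signature bytes are stored as text in the
    platform charset and later re-encoded. In a single-byte charset every
    byte maps to exactly one character and back, so this is lossless. In
    UTF-8, arbitrary bytes are often malformed and get replaced by U+FFFD
    (three bytes each), so the result differs and is usually longer."""
    return raw.decode(encoding, errors="replace").encode(encoding)


def verify_hs256(token: str, key: bytes) -> bool:
    """The fix from the issue: keep the token's signature as its base64url
    text and compare that with the base64url of a freshly computed HMAC.
    The signature bytes are never converted to or from a String, and an
    appended or dropped character changes the compared text, so it fails."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    h, p, sig_b64 = parts
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time compare on bytes so arbitrary input cannot raise.
    return hmac.compare_digest(b64url(expected).encode("ascii"),
                               sig_b64.encode("utf-8"))


def demo() -> dict:
    """Exercise both paths on a freshly signed demo token."""
    token = sign_hs256(HEADER, PAYLOAD, KEY)
    true_sig = b64url_decode(token.split(".")[2])
    return {
        "sig_len": len(true_sig),
        "latin1_roundtrip_intact": roundtrip_through_text(true_sig, "latin-1") == true_sig,
        "utf8_roundtrip_intact": roundtrip_through_text(true_sig, "utf-8") == true_sig,
        "valid": verify_hs256(token, KEY),
        "extra_char": verify_hs256(token + "A", KEY),
        "truncated": verify_hs256(token[:-1], KEY),
        "wrong_key": verify_hs256(token, b"some-other-key"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the outcome of each check. The single-byte round trip is always intact, which is the "happens to work with MacRoman" observation; the UTF-8 round trip is almost never intact for a 32-byte HMAC output. The verifier never decodes the token's own signature at all, so the platform charset is irrelevant to it.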
