Apache Oltu - OLTU-131

Signature parsing from access token is broken for character encodings that are not single-byte


      Description

      If you use the Oltu JWSReader with a character encoding that is not single-byte, such as UTF-8, the signature is parsed incorrectly.

      This is because the signature, according to the JWT spec, is a base64url-encoded byte array (arbitrary bytes, generated by HMAC-SHA256), which the current reader decodes directly into a String. If the platform character encoding is UTF-8 (-Dfile.encoding=UTF-8), the bytes recovered from that String are a different byte array, usually longer, because byte sequences that are not valid UTF-8 do not survive the round trip. If the character encoding is single-byte, like MacRoman, every byte maps to exactly one character and the round trip happens to work.

      From the JWS spec:

      Create the desired serialized output. The JWS Compact Serialization of this result is BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS Signature).

      The solution is to change the JWS reader to store the signature as its base64url string (or the raw decoded bytes) and compare that, never interpreting the signature as text.
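The following is an added example, not Oltu's code or the attached patch, showing the failure the issue describes and the byte-level comparison that fixes it. The HMAC key, the header and payload JSON, and the use of ISO-8859-1 as a stand-in for a single-byte charset like MacRoman are all constructed for illustration.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwsSignatureCompare {

    // Constructed sample key for the example; not a real secret.
    private static final byte[] KEY =
            "example-hmac-key-not-a-real-secret".getBytes(StandardCharsets.UTF_8);

    // HS256 over the JWS signing input "header.payload" (both already base64url).
    static byte[] hmacSha256(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // Broken approach from the issue: base64url-decode the signature and pass the
    // raw MAC bytes through a String in the platform charset. With a multi-byte
    // charset such as UTF-8, invalid sequences are replaced with U+FFFD, so the
    // bytes that come back out are usually longer and never equal the MAC.
    static byte[] signatureViaString(String b64urlSig, Charset platformCharset) {
        byte[] raw = Base64.getUrlDecoder().decode(b64urlSig);
        String asText = new String(raw, platformCharset);
        return asText.getBytes(platformCharset);
    }

    // Correct approach: keep the signature as bytes and compare byte arrays
    // (constant-time), independent of -Dfile.encoding.
    static boolean verify(String header, String payload, String b64urlSig, byte[] key)
            throws Exception {
        byte[] expected = hmacSha256(key, header + "." + payload);
        byte[] actual = Base64.getUrlDecoder().decode(b64urlSig);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        // Constructed header and payload, not taken from any real token.
        String header = enc.encodeToString(
                "{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(
                "{\"sub\":\"example\"}".getBytes(StandardCharsets.UTF_8));
        byte[] mac = hmacSha256(KEY, header + "." + payload);
        String sig = enc.encodeToString(mac);

        byte[] viaUtf8 = signatureViaString(sig, StandardCharsets.UTF_8);
        byte[] viaLatin1 = signatureViaString(sig, StandardCharsets.ISO_8859_1);

        System.out.println("HMAC-SHA256 length:      " + mac.length + " bytes");
        System.out.println("via UTF-8 String:        " + viaUtf8.length
                + " bytes, equal=" + MessageDigest.isEqual(mac, viaUtf8));
        System.out.println("via ISO-8859-1 String:   " + viaLatin1.length
                + " bytes, equal=" + MessageDigest.isEqual(mac, viaLatin1));
        System.out.println("byte-level verification: " + verify(header, payload, sig, KEY));
    }
}
```

Run it once with `-Dfile.encoding` irrelevant (the charsets are passed explicitly): the UTF-8 round trip inflates the 32-byte MAC and fails the comparison, the single-byte round trip happens to preserve it, and `verify` succeeds either way because it never converts the signature to text.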

        Attachments

        1. signature_utf8.patch (10 kB, Andrei Dulvac)

             People

             • Assignee: Antonio Sanso (asanso)
             • Reporter: Andrei Dulvac (andrei.dulvac)
             • Votes: 0
             • Watchers: 2