- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: oauth2-1.0.0
- Fix Version/s: oauth2-1.0.0
- Component/s: jose-jws, oauth2-jwt
- Labels:

If you use the Oltu JWSReader with a character encoding that is not single-byte, like UTF-8, the signature is parsed incorrectly.
This is because the signature, according to the JWT spec, is a base64url encoded byte array (any byte, generated by HMAC256), which is now decoded directly into a String. If the character encoding is set to UTF-8 (-Dfile.encoding=UTF-8), the decoded signature will be a different byte array, usually longer. If the character encoding used is something single-byte, like MacRoman, this happens to work.
From the JWS spec:
Create the desired serialized output. The JWS Compact Serialization of this result is BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS Signature).
The solution is to change the JWS reader to store the signature as base64url and compare that.
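The failure mode described in this issue, as an added example written for this page (it is not Oltu's JWSReader code): a throwaway HS256 signer plus two verifiers, one that decodes the signature into a String in a chosen charset as the bug describes, and one that keeps the signature as base64url text and compares that, as the proposed fix does. The class and method names, the key, and the use of ISO-8859-1 as a stand-in single-byte charset for MacRoman are assumptions.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not Oltu's JWSReader: a minimal HS256 JWS signer plus two verifiers.
// verifyViaString() reproduces the bug described in this issue; verifyViaBase64Url()
// is the fix the issue proposes (compare the base64url text, never a decoded String).
public class JwsSignatureCheck {

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // HS256 over the ASCII signing input "BASE64URL(header) || '.' || BASE64URL(payload)".
    static byte[] hmacSha256(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // Builds a JWS Compact Serialization for the given header and payload JSON.
    static String sign(String headerJson, String payloadJson, byte[] key) throws Exception {
        String signingInput = B64URL.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8))
                + "." + B64URL.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + B64URL.encodeToString(hmacSha256(key, signingInput));
    }

    // BUGGY: the decoded signature bytes are turned into a String in the platform charset
    // (what -Dfile.encoding selects) and converted back to bytes for the comparison.
    // With UTF-8, any byte sequence that is not valid UTF-8 (almost certain in a 32-byte MAC)
    // is replaced by U+FFFD, which re-encodes to EF BF BD, so the byte array changes and
    // usually grows. A single-byte charset that maps all 256 values round-trips unchanged.
    static boolean verifyViaString(String jws, byte[] key, Charset platformCharset) throws Exception {
        String[] parts = jws.split("\\.");
        byte[] signatureBytes = Base64.getUrlDecoder().decode(parts[2]);
        String signatureAsString = new String(signatureBytes, platformCharset); // lossy step
        byte[] expected = hmacSha256(key, parts[0] + "." + parts[1]);
        return MessageDigest.isEqual(signatureAsString.getBytes(platformCharset), expected);
    }

    // FIXED: keep the signature in its base64url form and compare that text (ASCII only,
    // so no charset can alter it) against the base64url of the freshly computed MAC.
    static boolean verifyViaBase64Url(String jws, byte[] key) throws Exception {
        String[] parts = jws.split("\\.");
        if (parts.length != 3) {
            return false;
        }
        String expectedB64Url = B64URL.encodeToString(hmacSha256(key, parts[0] + "." + parts[1]));
        // Constant-time comparison; JWS segments are ASCII by construction.
        return MessageDigest.isEqual(parts[2].getBytes(StandardCharsets.US_ASCII),
                                     expectedB64Url.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed key for the demo only.
        byte[] key = "constructed-example-key-not-for-real-use".getBytes(StandardCharsets.UTF_8);
        String jws = sign("{\"alg\":\"HS256\",\"typ\":\"JWT\"}", "{\"sub\":\"alice\"}", key);

        System.out.println("fixed, base64url compare : " + verifyViaBase64Url(jws, key));
        System.out.println("buggy, UTF-8             : " + verifyViaString(jws, key, StandardCharsets.UTF_8));
        // ISO-8859-1 stands in for MacRoman here: both are single-byte and round-trip every byte value.
        System.out.println("buggy, ISO-8859-1        : " + verifyViaString(jws, key, StandardCharsets.ISO_8859_1));
    }
}
```

Compile and run with `javac JwsSignatureCheck.java && java JwsSignatureCheck`. The String-based check passes under ISO-8859-1 and fails under UTF-8 for practically any key, because a 32-byte MAC output is almost never valid UTF-8 and the replacement characters change the bytes that get compared. Comparing the base64url strings removes the charset dependency entirely, and `MessageDigest.isEqual` keeps the comparison constant-time so the fix does not trade a correctness bug for a timing side channel.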