Posted to dev@oltu.apache.org by "Andrei Dulvac (JIRA)" <ji...@apache.org> on 2013/12/19 16:14:09 UTC
[jira] [Created] (OLTU-131) Signature parsing from access token is broken for character encodings that are not single-byte
Andrei Dulvac created OLTU-131:
----------------------------------
Summary: Signature parsing from access token is broken for character encodings that are not single-byte
Key: OLTU-131
URL: https://issues.apache.org/jira/browse/OLTU-131
Project: Apache Oltu
Issue Type: Bug
Components: jose, jws, jwt
Affects Versions: 1.0
Reporter: Andrei Dulvac
Priority: Critical
Fix For: 1.0
If you use the oltu JWSReader with a character encoding that is not single-byte, like UTF-8, the signature is parsed incorrectly.
This is because the signature, according to the JWT spec, is a base64url encoded byte array (any byte, generated by HMAC256), which is now decoded directly into a String. If the character encoding is set to UTF-8 (-Dfile.encoding=UTF-8), the decoded signature will be a different byte array, usually longer. If the character encoding used is something single-byte, like MacRoman, this happens to work.
From the JWS spec:
{quote}
Create the desired serialized output. The JWS Compact Serialization of this result is BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS Signature).
{quote}
The solution is to change the JWS reader to store the signature as base64url and compare that.
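The following is an added example, written for this page and not code from Apache Oltu, that reproduces the defect described above in Python and shows the proposed fix. It builds a small HS256 JWS compact serialization from constructed inputs (key, header and payload are placeholders), then simulates the broken reader by pushing the raw HMAC bytes through a String in a given charset and back, which is what Java's `new String(bytes, cs).getBytes(cs)` does; malformed UTF-8 sequences become U+FFFD, so the byte array changes and usually grows. A single-byte charset maps every byte value 1:1 and happens to round-trip (latin-1 is used here in place of MacRoman). The fixed reader keeps the signature as base64url text and compares that, so no charset is involved.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample inputs for the demonstration (not taken from the Oltu issue).
KEY = b"constructed-demo-secret"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "alice", "iss": "example.test"}


def b64url_encode(raw: bytes) -> str:
    """BASE64URL as the JWS spec defines it: URL-safe alphabet, no padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the base64 codec expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_compact(header: dict, payload: dict, key: bytes) -> str:
    """BASE64URL(UTF8(header)) || '.' || BASE64URL(payload) || '.' || BASE64URL(HMAC-SHA256)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def expected_signature(token: str, key: bytes) -> bytes:
    """Recompute the HMAC over the first two segments of a compact JWS."""
    head, body, _sig = token.split(".")
    return hmac.new(key, (head + "." + body).encode("ascii"), hashlib.sha256).digest()


def bytes_via_string(raw: bytes, charset: str) -> bytes:
    """Simulates the broken reader: raw HMAC bytes decoded into a String in the
    platform charset and turned back into bytes, i.e. Java's
    new String(raw, cs).getBytes(cs). Malformed input is replaced by U+FFFD,
    which UTF-8 encodes as three bytes, so the result differs and usually grows."""
    return raw.decode(charset, errors="replace").encode(charset)


def verify_buggy(token: str, key: bytes, charset: str) -> bool:
    """Signature held as a String, compared as bytes: only correct when the
    charset maps all 256 byte values 1:1 (single-byte charsets such as latin-1)."""
    sig_part = token.rsplit(".", 1)[1]
    stored = bytes_via_string(b64url_decode(sig_part), charset)
    return hmac.compare_digest(stored, expected_signature(token, key))


def verify_fixed(token: str, key: bytes) -> bool:
    """Fix proposed in the issue: keep the signature as base64url text and compare
    it against BASE64URL of the recomputed HMAC, in constant time."""
    sig_part = token.rsplit(".", 1)[1]
    return hmac.compare_digest(b64url_encode(expected_signature(token, key)), sig_part)


if __name__ == "__main__":
    token = jws_compact(HEADER, PAYLOAD, KEY)
    raw = b64url_decode(token.rsplit(".", 1)[1])
    print("raw signature length  :", len(raw))
    print("via latin-1 String    :", len(bytes_via_string(raw, "latin-1")))
    print("via UTF-8 String      :", len(bytes_via_string(raw, "utf-8")))
    print("buggy reader, latin-1 :", verify_buggy(token, KEY, "latin-1"))
    print("buggy reader, UTF-8   :", verify_buggy(token, KEY, "utf-8"))
    print("fixed reader          :", verify_fixed(token, KEY))
```

Running the script prints a 32-byte raw signature, the same length after a latin-1 round trip, a longer array after a UTF-8 round trip, and a verification that succeeds with the single-byte charset, fails under UTF-8, and succeeds with the base64url comparison regardless of charset. Comparing the raw decoded bytes with a constant-time comparison would be an equally sound fix; the point is that the signature must never pass through a text type.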
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)