Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.4.1.CR1, 7.4.1.GA
Affects Version/s: None
Component/s: Security
Labels:
- downstream_dependency
- test_included

Blocked:
False
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
QE Test Coverage:
+
Release Note Text:
Undefined
Target Release:

7.4.z.GA
Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/commit/5831e7f959f81f63ee0dfdf00e502ec647ffe7dd
Steps to Reproduce:
Hide

Just use the attached project. It uses the google endpoint as the jkws endpoint (https://www.googleapis.com/oauth2/v3/certs). The test should return null (not validated cos the key was not found). But it fails with a exception decoding the keys from google. The test uses last wildfly-elytron 1.15.3.Final.

cd jkw-elytron-test mvn clean test ... Running com.redhat.sample.JwkManagerTest Mar 29, 2021 11:06:36 AM org.wildfly.security.auth.realm.token.validator.JwtValidator <init> WARN: ELY01126: Jwt-based token realm not configured with a list of valid issuers. Ignoring issuer verification. Mar 29, 2021 11:06:36 AM org.wildfly.security.auth.realm.token.validator.JwtValidator <init> WARN: ELY01127: Jwt-based token not configured with a list of valid audiences. Ignoring audience verification. Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.707 sec <<< FAILURE! testGoogleApiKeys(com.redhat.sample.JwkManagerTest) Time elapsed: 0.676 sec <<< ERROR! java.lang.IllegalStateException: ELY01116: Signature verification failed at org.wildfly.security.auth.realm.token.validator.JwtValidator.verifySignature(JwtValidator.java:188) at org.wildfly.security.auth.realm.token.validator.JwtValidator.validate(JwtValidator.java:127) at com.redhat.sample.JwkManagerTest.testGoogleApiKeys(JwkManagerTest.java:95) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.junit.runners.model.FrameworkMethod.runReflectiveCall(FrameworkMethod.java:59) at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12) at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56) at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17) at org.junit.runners.ParentRunner.evaluate(ParentRunner.java:306) at org.junit.runners.BlockJUnit4ClassRunner.evaluate(BlockJUnit4ClassRunner.java:100) at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366) at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103) at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63) at org.junit.runners.ParentRunner.run(ParentRunner.java:331) at org.junit.runners.ParentRunner.schedule(ParentRunner.java:79) at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329) at org.junit.runners.ParentRunner.access(ParentRunner.java:66) at org.junit.runners.ParentRunner.evaluate(ParentRunner.java:293) at org.junit.runners.ParentRunner.evaluate(ParentRunner.java:306) at org.junit.runners.ParentRunner.run(ParentRunner.java:413) at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252) at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141) at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189) at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165) at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85) at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115) at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75) Caused by: java.lang.IllegalArgumentException: Illegal base64 character 5f at java.util.BaseDecoder.decode0(Base64.java:714) at java.util.BaseDecoder.decode(Base64.java:526) at java.util.BaseDecoder.decode(Base64.java:549) at org.wildfly.security.auth.realm.token.validator.JwkManager.getJwksFromUrl(JwkManager.java:178) at org.wildfly.security.auth.realm.token.validator.JwkManager.checkRemote(JwkManager.java:110) at org.wildfly.security.auth.realm.token.validator.JwkManager.getPublicKey(JwkManager.java:75) at org.wildfly.security.auth.realm.token.validator.JwtValidator.resolvePublicKey(JwtValidator.java:300) at org.wildfly.security.auth.realm.token.validator.JwtValidator.createSignature(JwtValidator.java:248) at org.wildfly.security.auth.realm.token.validator.JwtValidator.verifySignature(JwtValidator.java:179) ... 34 more
Show
Just use the attached project. It uses the google endpoint as the jkws endpoint ( https://www.googleapis.com/oauth2/v3/certs ). The test should return null (not validated cos the key was not found). But it fails with a exception decoding the keys from google. The test uses last wildfly-elytron 1.15.3.Final. cd jkw-elytron-test mvn clean test ... Running com.redhat.sample.JwkManagerTest Mar 29, 2021 11:06:36 AM org.wildfly.security.auth.realm.token.validator.JwtValidator <init> WARN: ELY01126: Jwt-based token realm not configured with a list of valid issuers. Ignoring issuer verification. Mar 29, 2021 11:06:36 AM org.wildfly.security.auth.realm.token.validator.JwtValidator <init> WARN: ELY01127: Jwt-based token not configured with a list of valid audiences. Ignoring audience verification. Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.707 sec <<< FAILURE! testGoogleApiKeys(com.redhat.sample.JwkManagerTest) Time elapsed: 0.676 sec <<< ERROR! java.lang.IllegalStateException: ELY01116: Signature verification failed at org.wildfly.security.auth.realm.token.validator.JwtValidator.verifySignature(JwtValidator.java:188) at org.wildfly.security.auth.realm.token.validator.JwtValidator.validate(JwtValidator.java:127) at com.redhat.sample.JwkManagerTest.testGoogleApiKeys(JwkManagerTest.java:95) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.junit.runners.model.FrameworkMethod.runReflectiveCall(FrameworkMethod.java:59) at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12) at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56) at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17) at org.junit.runners.ParentRunner.evaluate(ParentRunner.java:306) at org.junit.runners.BlockJUnit4ClassRunner.evaluate(BlockJUnit4ClassRunner.java:100) at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366) at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103) at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63) at org.junit.runners.ParentRunner.run(ParentRunner.java:331) at org.junit.runners.ParentRunner.schedule(ParentRunner.java:79) at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329) at org.junit.runners.ParentRunner.access(ParentRunner.java:66) at org.junit.runners.ParentRunner.evaluate(ParentRunner.java:293) at org.junit.runners.ParentRunner.evaluate(ParentRunner.java:306) at org.junit.runners.ParentRunner.run(ParentRunner.java:413) at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252) at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141) at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189) at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165) at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85) at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115) at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75) Caused by: java.lang.IllegalArgumentException: Illegal base64 character 5f at java.util.BaseDecoder.decode0(Base64.java:714) at java.util.BaseDecoder.decode(Base64.java:526) at java.util.BaseDecoder.decode(Base64.java:549) at org.wildfly.security.auth.realm.token.validator.JwkManager.getJwksFromUrl(JwkManager.java:178) at org.wildfly.security.auth.realm.token.validator.JwkManager.checkRemote(JwkManager.java:110) at org.wildfly.security.auth.realm.token.validator.JwkManager.getPublicKey(JwkManager.java:75) at org.wildfly.security.auth.realm.token.validator.JwtValidator.resolvePublicKey(JwtValidator.java:300) at org.wildfly.security.auth.realm.token.validator.JwtValidator.createSignature(JwtValidator.java:248) at org.wildfly.security.auth.realm.token.validator.JwtValidator.verifySignature(JwtValidator.java:179) ... 34 more
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

The JwkManager loads the RSA public key value "n" and "e" with the non url-safe base64 decoder.

This is not RFC (https://tools.ietf.org/html/rfc7517) compliant. The BigInts of the RSA key are Base64URL encoded without padding. So that code should load "n" and "e" using the RFC4648 url-safe version.

This part of the code is only used if the "jku" header is specified in the token and the implementation should retrieve the key from the endpoint to validate the token.

is caused by

ELY-2111 JwkManager uses incorrect non url-safe Base64 to load the jwks endpoint

Resolved

is cloned by

JBEAP-21377 [GSS](7.3.z) ELY-2111 - JwkManager uses incorrect non url-safe Base64 to load the jwks endpoint

Closed

is incorporated by

JBEAP-21472 (7.4.z) Upgrade Elytron from 1.15.3.Final-redhat-00001 to 1.15.5.Final-redhat-00001

Closed

Assignee:: Ricardo Martin Camarero

Reporter:: Ricardo Martin Camarero

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2021/03/29 5:12 AM

Updated:: 2024/08/27 1:48 PM

Resolved:: 2021/07/01 6:40 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates