JBEAP-21380 (JBoss Enterprise Application Platform)

[GSS](7.3.z) Elytron JWK implementation is not RFC#7517 compliant


Details

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Version: 7.3.6.GA

    Description

      The JwkManager class, at source code lines 177-178, loads the RSA public key value "n" with Base64.getDecoder().decode(n1).

      This is not RFC 7517 (https://tools.ietf.org/html/rfc7517) compliant. The big integers of the RSA key are Base64URL encoded, so that code should load "n" using Base64.getUrlDecoder().decode(n1).

      (Note that this also applies to the other key exponents, such as "e".)

      Also, the creation of the BigInteger from n1/e1 is currently wrong, as it is mandatory to use:

      new BigInteger(1, b, 0, b.length); // where byte[] b = Base64.getUrlDecoder().decode(n1)

      As per the spec, the value is a Base64urlUInt (https://tools.ietf.org/html/rfc7518#section-6.3).
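      The following is an added illustration written for this report; it is not code from Elytron's JwkManager. The class and method names (JwkRsaDecode, toBase64urlUInt, fromBase64urlUInt, fromBase64urlUIntBuggy, toRsaPublicKey) are illustrative, and the three-byte sample value is constructed so that both defects show deterministically: its URL-safe encoding contains '_' (rejected by the standard decoder) and its top bit is set (read as a sign bit by new BigInteger(byte[])).

```java
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

/** Illustrative Base64urlUInt (RFC 7518 section 6.3) handling for the "n" and "e" JWK members. */
public class JwkRsaDecode {

    /** Encode an unsigned big-endian magnitude as Base64urlUInt: URL-safe alphabet, no padding. */
    static String toBase64urlUInt(BigInteger value) {
        byte[] mag = value.toByteArray();
        // toByteArray() prepends a 0x00 sign byte when the top bit is set; the spec wants
        // the minimal unsigned magnitude, so strip it before encoding.
        if (mag.length > 1 && mag[0] == 0) {
            byte[] stripped = new byte[mag.length - 1];
            System.arraycopy(mag, 1, stripped, 0, stripped.length);
            mag = stripped;
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mag);
    }

    /** Correct decoding: URL-safe decoder, then signum = 1 so the value is always non-negative. */
    static BigInteger fromBase64urlUInt(String s) {
        byte[] b = Base64.getUrlDecoder().decode(s);
        return new BigInteger(1, b, 0, b.length);
    }

    /** The two defects described in this issue, kept only to show the contrast. */
    static BigInteger fromBase64urlUIntBuggy(String s) {
        byte[] b = Base64.getDecoder().decode(s); // standard alphabet: '-' and '_' are rejected
        return new BigInteger(b);                 // two's complement: a set top bit yields a negative value
    }

    /** Build the JCA public key from the decoded JWK members. */
    static RSAPublicKey toRsaPublicKey(String n, String e) throws Exception {
        RSAPublicKeySpec spec = new RSAPublicKeySpec(fromBase64urlUInt(n), fromBase64urlUInt(e));
        return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(spec);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: 0xFFFFFF encodes as "////" in standard Base64 and "____" in Base64URL.
        byte[] sample = {(byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
        String urlSafe = Base64.getUrlEncoder().withoutPadding().encodeToString(sample);
        System.out.println("base64url form: " + urlSafe);                 // ____
        System.out.println("correct value : " + fromBase64urlUInt(urlSafe)); // 16777215

        try {
            fromBase64urlUIntBuggy(urlSafe);
        } catch (IllegalArgumentException ex) {
            System.out.println("standard decoder rejects it: " + ex.getMessage());
        }
        // Same bytes through new BigInteger(byte[]): the sign bit is honoured and the value is -1.
        System.out.println("signed interpretation: " + new BigInteger(sample));

        // Round trip of a real key: every RSA modulus has its top bit set, so the signum-1
        // constructor is what keeps the reconstructed key equal to the original.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        RSAPublicKey original = (RSAPublicKey) kpg.generateKeyPair().getPublic();
        String n = toBase64urlUInt(original.getModulus());
        String e = toBase64urlUInt(original.getPublicExponent());
        RSAPublicKey roundTrip = toRsaPublicKey(n, e);
        System.out.println("modulus round trip matches: "
                + original.getModulus().equals(roundTrip.getModulus()));
    }
}
```

      Run it with a JDK 9 or later (the four-argument BigInteger constructor used in the report was added in Java 9). The round-trip check is the regression test a fix should carry: a JWK produced by a spec-compliant issuer must decode to a modulus identical to the issuer's, which the standard decoder and the signed BigInteger constructor cannot guarantee.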

      People

        rhn-support-igueye Issa Gueye