JBoss Enterprise Application Platform
JBEAP-30634

[8.1.0.GA] - [8.0.x] NullPointerException where JWK uses key_ops instead of use


    • Bug
    • Resolution: Duplicate
    • Major
    • Security

      Where a JWK definition uses key_ops instead of use, a NullPointerException is reported:

      2025-07-10 14:46:29,830 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /webapp-test-oidc/secured: java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because the return value of "org.wildfly.security.jose.jwk.JWK.getPublicKeyUse()" is null
              at org.wildfly.security.elytron-jose-jwk@2.2.9.Final-redhat-00001//org.wildfly.security.jose.jwk.JsonWebKeySetUtil.getKeysForUse(JsonWebKeySetUtil.java:38)
              at org.wildfly.security.elytron-http-oidc@2.2.9.Final-redhat-00001//org.wildfly.security.http.oidc.JWKPublicKeyLocator.sendRequest(JWKPublicKeyLocator.java:98)
              at org.wildfly.security.elytron-http-oidc@2.2.9.Final-redhat-00001//org.wildfly.security.http.oidc.JWKPublicKeyLocator.getPublicKey(JWKPublicKeyLocator.java:61)
              at org.wildfly.security.elytron-http-oidc@2.2.9.Final-redhat-00001//org.wildfly.security.http.oidc.TokenValidator.setVerificationKey(TokenValidator.java:150)
              at org.wildfly.security.elytron-http-oidc@2.2.9.Final-redhat-00001//org.wildfly.security.http.oidc.TokenValidator.parseAndVerifyToken(TokenValidator.java:88)
      

      This is due to the following:

      https://github.com/wildfly-security/wildfly-elytron/blob/2.2.9.Final/jose/jwk/src/main/java/org/wildfly/security/jose/jwk/JsonWebKeySetUtil.java#L34-L43

          public static Map<String, PublicKey> getKeysForUse(JsonWebKeySet keySet, JWK.Use requestedUse) {
              Map<String, PublicKey> result = new HashMap<>();
              for (JWK jwk : keySet.getKeys()) {
                  JWKParser parser = JWKParser.create(jwk);
                  // getPublicKeyUse() returns null when the JWK has no "use" member, so equals() throws here
                  if (jwk.getPublicKeyUse().equals(requestedUse.asString()) && parser.isKeyTypeSupported(jwk.getKeyType())) {
                      result.put(jwk.getKeyId(), parser.toPublicKey());
                  }
              }
              return result;
          }
      

      When the JWK was parsed, it was not mandatory for publicKeyUse to be set, and here it is not verified that it has been set before equals() is called on it.

      The JWK may instead use the key_ops parameter:

               "key_ops":[
                  "verify"
               ],
      

      We need to ensure that when parsing the JWK we capture any provided key_ops parameter.
      Within JsonWebKeySetUtil we should then support use being set to sig or key_ops containing verify.
      If neither was provided, or the values do not match the required use, we should throw a meaningful exception.

      More information is available at https://datatracker.ietf.org/doc/html/rfc7517#page-6 including the expected mutual exclusivity of these two parameters.
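      As an added illustration, not code from this issue or from WildFly Elytron: the selection rule described above, written in Python so it runs stand-alone against a constructed JWK Set. The function and exception names are my own; the consistency check from RFC 7517 section 4.3 (when both use and key_ops are present they must agree) is included so a contradictory key fails loudly instead of being accepted.

```python
import json

# RFC 7517 section 4.3: the key_ops values that are consistent with each "use" value.
USE_TO_KEY_OPS = {
    "sig": {"sign", "verify"},
    "enc": {"encrypt", "decrypt", "wrapKey", "unwrapKey", "deriveKey", "deriveBits"},
}

class JwkUsageError(ValueError):
    """Meaningful failure instead of a NullPointerException: the JWK carries no
    usage restriction at all, or its "use" and "key_ops" contradict each other."""

def jwk_allows(jwk, requested_use, required_op):
    """True if this JWK may serve requested_use (e.g. "sig") for the specific
    operation required_op (e.g. "verify"). Either "use" or "key_ops" suffices;
    when both are present they must agree (RFC 7517 section 4.3)."""
    use, key_ops, kid = jwk.get("use"), jwk.get("key_ops"), jwk.get("kid")
    if use is None and key_ops is None:
        raise JwkUsageError(f"JWK {kid!r} has neither 'use' nor 'key_ops'")
    if key_ops is not None and not isinstance(key_ops, list):
        raise JwkUsageError(f"JWK {kid!r}: 'key_ops' must be an array")
    if use is not None and key_ops is not None and not set(key_ops) <= USE_TO_KEY_OPS.get(use, set()):
        raise JwkUsageError(f"JWK {kid!r}: 'use'={use!r} conflicts with 'key_ops'={key_ops!r}")
    allowed = use is None or use == requested_use
    if key_ops is not None:
        allowed = allowed and required_op in key_ops
    return allowed

def keys_for_use(jwks_json, requested_use="sig", required_op="verify"):
    """Select usable keys by kid, like JsonWebKeySetUtil.getKeysForUse, without
    assuming "use" is set; an empty result is an error rather than a silent miss."""
    keys = json.loads(jwks_json).get("keys", [])
    selected = {k.get("kid"): k for k in keys if jwk_allows(k, requested_use, required_op)}
    if not selected:
        raise JwkUsageError(f"no key in the set permits {requested_use!r}/{required_op!r}")
    return selected

# Constructed sample set (placeholder key material). The second key carries
# key_ops instead of use, the shape that produced the NullPointerException.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "k-use", "use": "sig", "n": "<modulus>", "e": "AQAB"},
    {"kty": "RSA", "kid": "k-ops", "key_ops": ["verify"], "n": "<modulus>", "e": "AQAB"},
    {"kty": "RSA", "kid": "k-enc", "use": "enc", "key_ops": ["encrypt"], "n": "<modulus>", "e": "AQAB"},
]})
```

A key with only key_ops of sign (no verify) is correctly skipped for verification, which the original equals()-on-use check could never express.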

              darran.lofthouse@redhat.com Darran Lofthouse