As stated in https://vertx.io/docs/apidocs/io/vertx/ext/jwt/JWK.html, the certificate chains (x5c) in a JWK only allow a single-element chain. Why so? Our company's OIDC-compliant server has a certificate chain with all the CAs embedded. But the class io.vertx.ext.jwt.JWK throws an exception in this case...
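
    if (json.containsKey("x5c")) {
        JsonArray x5c = json.getJsonArray("x5c");
        if (x5c.size() > 1) {
            // the exception is thrown here (the throw statement is not included in this excerpt)
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // only the first x5c entry is parsed into the certificate
        this.certificate = (X509Certificate) cf.generateCertificate(
            new ByteArrayInputStream(this.addBoundaries(x5c.getString(0)).getBytes(UTF8)));
    }
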
Couldn't it just pick the first certificate ignoring the others in the chain and try to validate the token against that? Right now we're trying to test io.quarkus:quarkus-oidc:1.6.1.Final which includes io.vertx:vertx-auth-oauth2:3.9.1.