Uploaded image for project: 'RESTEasy'
  1. RESTEasy
  2. RESTEASY-2681

Incorrect JWS implementation

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 3.14.0.Final, 4.6.0.Final
    • None
    • None
    • None

    Description

      Hi,

      It looks like even the latest code at https://github.com/resteasy/Resteasy/blob/master/security/jose-jwt/src/main/java/org/jboss/resteasy/jose/jws/ does not follow the RFC 7519 (JWT) specification correctly when it comes to signing. The RFC 7519 specification refers to the RFC 7515 specification (JWS) which states that the JWS Signing Input is "ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.' ||
      BASE64URL(JWS Payload))". But Resteasy only signs the raw JWS Payload. This can obviously lead to serious problems, when a signed JWT is transferred between two parties and one of them is using Resteasy while the other is using a RFC 7519 compliant implementation.

       

      Fixing this issue should be fairly simple, in fact one could refer to the keycloak implementation where the issue has already been fixed: https://github.com/keycloak/keycloak/commit/0636cd898f064cf1b36e153ca1ad5c99cd6b6d91

      Attachments

        Issue Links

          Activity

            People

              rsearls r searls
              ogcio_cs Dennis Leung (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: