-
Bug
-
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
No response
Describe the bug
The JWKSUtils.computeThumbprint(..) does not account for ECPublicJWK keys.
Keys generated or directly parsed as an ECPublicJWK will return incorrect thumbprints.
Version
26.1.4
Regression
[ ] The issue is a regression
Expected behavior
Calculating the thumbprint of a JWK does not depend on the type of its instance.
Actual behavior
The thumbprint depends on whether the same JWK is a JWK or an ECPublicJWK, where the latter one is incorrect.
How to Reproduce?
```java
// Parse the same EC P-384 public key as the ECPublicJWK subclass and as the JWK base class.
String keyA = "{" + " \"kty\": \"EC\"," + " \"use\": \"sig\"," + " \"crv\": \"P-384\"," + " \"kid\": \"key-a\","
        + " \"x\": \"KVZ5h_W0-8fXmUrxmyRpO_9vwwI7urXfyxGdxm1hpEuhPj2hhDxivnb2BhNvtC6O\","
        + " \"y\": \"1J3JVw_zR3uB3biAE7fs3V_4tJy2M1JinzWj9a4je5GSoW6zgGV4bk85OcuyUAhj\","
        + " \"alg\": \"ES384\"" + " }";
ECPublicJWK ecPublicKey = JsonSerialization.readValue(keyA, ECPublicJWK.class);
JWK publicKey = JsonSerialization.readValue(keyA, JWK.class);
// Both instances describe the same key, so both thumbprints must match.
assertEquals(JWKSUtils.computeThumbprint(publicKey), JWKSUtils.computeThumbprint(ecPublicKey));
```
Anything else?
Pretty sure other subclasses have similar issues.
It would also be worthwhile to check if all required members for the thumbprint are present while computing it.
This would prevent similar issues for new subtypes.