Loading...

XML

Word

Printable

Type: Bug
Resolution: Duplicate
Priority: Major
Fix Version/s: None
Affects Version/s: 7.3.6.GA
Component/s: None
Labels:
None

Blocked:
False
Ready:
False
Release Note Text:
Undefined
Market:

SFDC Cases Counter:
SFDC Cases Links:

The JwkManager class, on source code lines 177-178 loads the RSA public key value "n" with: Base64.getDecoder()decode(n1).

This is not RFC (https://tools.ietf.org/html/rfc7517) compliant. The BigInts of the RSA key are Base64URL encoded. So that code should load "n" using Base64.getUrlDecoder().decode(n1).

(Note this also applies to the other key exponents such as "e" etc)

Also the creation of the BigInteger from n1/e1 is currently wrong as it is mandatory to use:

new BigInteger(1,b,0,b.length); //where b=byte[] = Base64.getUrlDecoder().decode(n1).

As per spec it is a Base64urlUInt (https://tools.ietf.org/html/rfc7518#section-6.3)!

duplicates

JBEAP-21377 [GSS](7.3.z) ELY-2111 - JwkManager uses incorrect non url-safe Base64 to load the jwks endpoint

Verified

Assignee:: Issa Gueye

Reporter:: Issa Gueye

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2021/03/29 6:04 AM

Updated:: 2021/03/29 6:09 AM

Resolved:: 2021/03/29 6:08 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates