PublicJsonWebKey exception when x5c array has empty cert

Issue #186 closed
William Davis created an issue

Issue: a JWK like the one below causes the PublicJsonWebKey to throw an exception when generating a key.

{
  "keys": [
    {
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "x5c": [
        {}
      ],
      "n": "yeNlzlub94YgerT030codqEztjfU_S6X4DbDA_iVKkjAWtYfPHDzz_sPCT1Axz6isZdf3lHpq_gYX4Sz-cbe4rjmigxUxr-FgKHQy3HeCdK6hNq9ASQvMK9LBOpXDNn7mei6RZWom4wo3CMvvsY1w8tjtfLb-yQwJPltHxShZq5-ihC9irpLI9xEBTgG12q5lGIFPhTl_7inA1PFK97LuSLnTJzW0bj096v_TMDg7pOWm_zHtF53qbVsI0e3v5nmdKXdFf9BjIARRfVrbxVxiZHjU6zL6jY5QJdh1QCmENoejj_ytspMmGW7yMRxzUqgxcAqOBpVm0b-_mW3HoBdjQ",
      "e": "AQAB",
      "kid": "NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg",
      "x5t": "NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg"
    }
  ]
}

Proposed solution: Add logic to this loop:

while(i$.hasNext()) {
    String b64EncodedDer = (String)i$.next();
    X509Certificate x509Certificate = x509Util.fromBase64Der(b64EncodedDer);
    this.certificateChain.add(x509Certificate);
}

so it becomes:

while(i$.hasNext()) {
    String b64EncodedDer = (String)i$.next();
    if (b64EncodedDer == null || b64EncodedDer.length() == 0) {
      return;      
    }
    X509Certificate x509Certificate = x509Util.fromBase64Der(b64EncodedDer);
    this.certificateChain.add(x509Certificate);
}

Comments (4)

  1. Brian Campbell repo owner

    I see something like the below when instantiating a JsonWebKeySet with that bit of JSON. x5c is defined to be an array of strings (https://tools.ietf.org/html/rfc7517#section-4.7) and the code is failing when it encounters a JSON object (represented as a Map in Java) where a string should be. The ClassCastException happens before the if in the proposed solution (which I’m assuming is decompiled code b/c that’s not the actual source https://bitbucket.org/b_c/jose4j/src/f6655ef41cff1737b52c8ba9285e819843a94b37/src/main/java/org/jose4j/jwk/PublicJsonWebKey.java#lines-77) so I don’t believe that would help.

    Regardless, I’m rather hesitant to make changes in order to accommodate or accept malformed content unless there’s particularly compelling reason to do so. And I don’t think a funky "x5c":[{}] meets that bar. In this case it would be nice if you could get whatever is producing that JWKS to produce something that complies with the spec. Or barring that, perhaps preprocess the JSON to clean it up first.

    11:18:27.946 [main] DEBUG org.jose4j.jwk.JsonWebKeySet - Ignoring an individual JWK in a JWKS due to a problem processing it. JWK params: {alg=RS256, kty=RSA, use=sig, x5c=[{}], n=yeNlzlub94YgerT030codqEztjfU_S6X4DbDA_iVKkjAWtYfPHDzz_sPCT1Axz6isZdf3lHpq_gYX4Sz-cbe4rjmigxUxr-FgKHQy3HeCdK6hNq9ASQvMK9LBOpXDNn7mei6RZWom4wo3CMvvsY1w8tjtfLb-yQwJPltHxShZq5-ihC9irpLI9xEBTgG12q5lGIFPhTl_7inA1PFK97LuSLnTJzW0bj096v_TMDg7pOWm_zHtF53qbVsI0e3v5nmdKXdFf9BjIARRfVrbxVxiZHjU6zL6jY5QJdh1QCmENoejj_ytspMmGW7yMRxzUqgxcAqOBpVm0b-_mW3HoBdjQ, e=AQAB, kid=NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg, x5t=NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg} and the full JWKS content: {
    "keys": [
    {
    "alg": "RS256",
    "kty": "RSA",
    "use": "sig",
    "x5c": [
    {}
    ],
    "n": "yeNlzlub94YgerT030codqEztjfU_S6X4DbDA_iVKkjAWtYfPHDzz_sPCT1Axz6isZdf3lHpq_gYX4Sz-cbe4rjmigxUxr-FgKHQy3HeCdK6hNq9ASQvMK9LBOpXDNn7mei6RZWom4wo3CMvvsY1w8tjtfLb-yQwJPltHxShZq5-ihC9irpLI9xEBTgG12q5lGIFPhTl_7inA1PFK97LuSLnTJzW0bj096v_TMDg7pOWm_zHtF53qbVsI0e3v5nmdKXdFf9BjIARRfVrbxVxiZHjU6zL6jY5QJdh1QCmENoejj_ytspMmGW7yMRxzUqgxcAqOBpVm0b-_mW3HoBdjQ",
    "e": "AQAB",
    "kid": "NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg",
    "x5t": "NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg"
    }
    ]}. java.lang.ClassCastException: org.jose4j.json.JsonUtil$DupeKeyDisallowingLinkedHashMap cannot be cast to java.lang.String
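
The "preprocess the JSON to clean it up first" option from the comment above, as an added example that is not part of this thread and not jose4j code. It is written in Python with the standard library only, so it can sit in front of any JWKS consumer or in the endpoint that serves the set. It checks each key's "x5c" against RFC 7517 section 4.7 (a non-empty array of standard-base64 DER certificate strings) and either drops a malformed "x5c" whole and reports it, or, in strict mode, refuses the set. The embedded SAMPLE_JWKS is constructed: it keeps the reported "x5c": [{}] entry and its kid but uses shortened moduli and a placeholder DER blob instead of a real certificate, and the DER check is a shape check (base64 alphabet plus a leading SEQUENCE tag), not a certificate parse.

```python
"""Pre-process a JWK Set so that a malformed "x5c" member never reaches a strict
parser such as jose4j's PublicJsonWebKey.

Added example for this thread, not jose4j code; Python standard library only.
SAMPLE_JWKS is constructed: it keeps the shape of the reported JWKS (the
"x5c": [{}] entry and its kid) but uses shortened moduli and a placeholder
DER blob instead of a real certificate.

RFC 7517 section 4.7: "x5c" is a JSON array of strings, each the base64
(standard alphabet, padded, not base64url) encoding of a DER X.509
certificate, with the certificate for the key first.
"""
import base64
import binascii
import json

DER_SEQUENCE_TAG = 0x30  # every X.509 Certificate is an ASN.1 SEQUENCE

# Constructed placeholder: a DER SEQUENCE holding INTEGER 1.  Not a
# certificate; it only satisfies the shape check in _looks_like_der_cert.
PLACEHOLDER_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode("ascii")

SAMPLE_JWKS = json.dumps({"keys": [
    {"alg": "RS256", "kty": "RSA", "use": "sig",
     "x5c": [{}],                          # the malformed entry from the report
     "n": "yeNlzlub94YgerT030codqEztjfU",  # shortened, constructed
     "e": "AQAB",
     "kid": "NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg",
     "x5t": "NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg"},
    {"alg": "RS256", "kty": "RSA", "use": "sig",
     "x5c": [PLACEHOLDER_DER_B64],
     "n": "qPv1HxkdQbh7BMKu3NqIEqBtfiBh",  # constructed
     "e": "AQAB",
     "kid": "good-key"},
]})

_JSON_TYPE_NAMES = {dict: "object", list: "array", bool: "boolean",
                    int: "number", float: "number", type(None): "null"}


def _looks_like_der_cert(entry):
    """Shape check only, not a certificate parse: a non-empty standard-base64
    string whose decoding starts with a DER SEQUENCE tag."""
    if not isinstance(entry, str) or not entry:
        return False
    try:
        der = base64.b64decode(entry, validate=True)  # rejects base64url '-' '_'
    except (binascii.Error, ValueError):
        return False
    return len(der) > 2 and der[0] == DER_SEQUENCE_TAG


def x5c_problems(jwk):
    """List the ways jwk["x5c"] violates RFC 7517 section 4.7.  Empty list if
    it is well-formed or absent ("x5c" is OPTIONAL)."""
    if "x5c" not in jwk:
        return []
    chain = jwk["x5c"]
    if not isinstance(chain, list) or not chain:
        return ['"x5c" must be a non-empty JSON array of strings']
    problems = []
    for i, entry in enumerate(chain):
        if not isinstance(entry, str):
            name = _JSON_TYPE_NAMES.get(type(entry), type(entry).__name__)
            problems.append("x5c[%d] is a JSON %s, not a string" % (i, name))
        elif not _looks_like_der_cert(entry):
            problems.append("x5c[%d] is not base64 DER of an X.509 certificate" % i)
    return problems


def clean_jwks(jwks_text, strict=False):
    """Parse a JWK Set and drop every malformed "x5c" member.

    Returns (cleaned_dict, report) with report mapping kid -> problems.  With
    strict=True a malformed "x5c" raises ValueError instead; prefer that when
    the consumer relies on the chain.  A bad chain is dropped whole rather than
    patched: a certificate path with a hole in it carries no trust, and the
    public key itself lives in "n"/"e", which RFC 7517 requires to match the
    first certificate anyway, so signature verification is unaffected.
    """
    doc = json.loads(jwks_text)
    keys = doc.get("keys")
    if not isinstance(keys, list):
        raise ValueError('JWK Set must contain a "keys" array')
    report = {}
    for jwk in keys:
        if not isinstance(jwk, dict):
            raise ValueError('every entry of "keys" must be a JSON object')
        problems = x5c_problems(jwk)
        if not problems:
            continue
        kid = jwk.get("kid", "<no kid>")
        if strict:
            raise ValueError("%s: %s" % (kid, "; ".join(problems)))
        report[kid] = problems
        del jwk["x5c"]
    return doc, report


if __name__ == "__main__":
    cleaned, report = clean_jwks(SAMPLE_JWKS)
    for kid, problems in report.items():
        print("dropped x5c from %s: %s" % (kid, "; ".join(problems)))
    print(json.dumps(cleaned, indent=2))
```

Two points worth keeping in mind when deploying something like this. First, the debug line above shows jose4j's actual behaviour on the bad key: it logs "Ignoring an individual JWK in a JWKS" and carries on, so the failure surfaces later as a missing kid at signature-verification time rather than as a parse error, which is why reporting the dropped keys (or running strict) is worth the extra lines. Second, "x5c" uses plain base64 while "n", "e" and "x5t" use base64url; validate=True in the shape check deliberately flags an "x5c" entry that was emitted with the URL-safe alphabet, since a strict decoder will reject it too.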

  2. William Davis reporter

    Thanks for reviewing Brian!

    You are correct, that was from decompiled source, my IDE wasn’t downloading true sources from Maven at the time.

    I actually already updated my JWKS endpoint to remove the invalid x5c element before serving the keys to callers.

    I figured I would also bring this condition to your attention if you wanted to take any action from client-side as well. Maybe some other user in the future will have the same issue and won’t be able to fix the JWKS endpoint?

    However, I understand not wanting to support malformed JWKs. If that’s the direction you choose, I will close this bug.

  3. Brian Campbell repo owner

    Thanks William,

    I might revisit this in the future, if it comes up again but I’m inclined not to make any changes at this point.
