Handle X509 certificates in base64 without prefix/suffix

Comments (8)

1. 

   Fabricio Gregorio reporter

   • marked as enhancement

   • 2022-11-16T17:43:01+00:00
2. 

   Brian Campbell

   Hi Fabricio,

   That method fromBase64Der decodes the base64 first (https://bitbucket.org/b_c/jose4j/src/dad416151f06bcffb8ffc1a2c31b1fe741c29256/src/main/java/org/jose4j/keys/X509Util.java#lines-110) and passes the binary to generateCertificate, which does not need the “-----BEGIN/END CERTIFICATE-----” header/footer - the CertificateFactory.generateCertificate javadoc says that only applies to printable (Base64) encoding not binary. In fact, the fromBase64Der method only will parse encoded certs without the header/footer. The method is meant to help processing of the JOSE’s x5c, which has base64-encoded DER certs - see https://www.rfc-editor.org/rfc/rfc7517#section-4.7 and an example at https://www.rfc-editor.org/rfc/rfc7517#appendix-B

   This unit test also shows fromBase64Der processing input without the header/footer https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/keys/X509UtilTest.java#lines-37

   So I’m not sure what’s causing the issue you are running into (probably some kind of encoding something) but what you’ve described here isn’t it.

   And changing the fromBase64Der method to do something different/more than working with x5c values isn’t really in scope.

   ‌

   ‌

   • 2022-11-16T18:51:32+00:00
3. 

   Fabricio Gregorio reporter

   Thank you for your response! You are right. It seems that the service I am consuming is exposing the base64 public key in the x5c field, instead of the certificate. Is the service wrong?

   • 2022-11-16T19:47:11+00:00
4. 

   Brian Campbell

   Yeah, x5c is defined as follows (which is definitely not the base64 public key)

   https://www.rfc-editor.org/rfc/rfc7517#section-4.7 :

   4.7. "x5c" (X.509 Certificate Chain) Parameter

   The "x5c" (X.509 certificate chain) parameter contains a chain of one

   or more PKIX certificates [RFC5280]. The certificate chain is

   represented as a JSON array of certificate value strings. Each

   string in the array is a base64-encoded (Section 4 of [RFC4648] --

   not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.

   The PKIX certificate containing the key value MUST be the first

   certificate. This MAY be followed by additional certificates, with

   each subsequent certificate being the one used to certify the

   previous one. The key in the first certificate MUST match the public

   key represented by other members of the JWK. Use of this member is

   OPTIONAL.

   ‌

   ‌

   ‌

   • 2022-11-16T19:59:07+00:00
5. 

   Fabricio Gregorio reporter

   • changed status to resolved

   • 2022-11-16T20:21:38+00:00
6. 

   Fabricio Gregorio reporter

   As a workaround, I am using the JwksVerificationKeyResolver like this:

   byte[] byteKey = Base64.getDecoder().decode(key.getX5c()[0]); //I have the public key here
   X509EncodedKeySpec X509publicKey = new X509EncodedKeySpec(byteKey);
   KeyFactory kf = KeyFactory.getInstance(key.getKty());
   
   Key k = kf.generatePublic(X509publicKey);
   JsonWebKey jwk = JsonWebKey.Factory.newJwk(k);
   jwk.setKeyId(key.getKid());
   jwk.setAlgorithm(key.getKty());
   jwk.setUse(key.getUse());
   JsonWebKeySet jsonWebKeySet = new JsonWebKeySet(jwk);
   JwksVerificationKeyResolver jwksResolver = new JwksVerificationKeyResolver(jsonWebKeySet.getJsonWebKeys());
   

   This way, I can generate a resolver without having a certificate. Is there a way of generating a HttpsJwksVerificationKeyResolver without the certificate and only with the public key?

   Thanks

   • 2022-11-16T20:52:04+00:00
7. 

   Brian Campbell

   HttpsJwksVerificationKeyResolver doesn’t need certificates at all - it uses the public keys from JWKs. But a malformed x5c in the JWKs might cause problems. I’m not sure, to be honest.

   • 2022-11-16T21:00:48+00:00
8. 

   Fabricio Gregorio reporter

   Thank you very much for your help

   • 2022-11-16T21:07:11+00:00
9. Log in to comment