x5t and x5t#S256 headers are not treated as optional when verifying a JWT token

Issue #85 invalid
Former user created an issue

Hi,

I am using v0.54 of jose4j for generating and verifying JWT tokens. It works great so far, but I am running into a little problem. Initially I left out the x5t and x5t#S256 headers, which should be OK according to the specification:

* https://tools.ietf.org/html/rfc7515#section-4.1.7
* https://tools.ietf.org/html/rfc7515#section-4.1.8

Only when I try to verify a JWT token that does not contain these headers using an x509 certificate do I get the exception:

    Caused by: org.jose4j.lang.UnresolvableKeyException: Neither the x5t header nor the x5t#S256 header are present in the JWS.
        at org.jose4j.keys.resolvers.X509VerificationKeyResolver.resolveKey(X509VerificationKeyResolver.java:92)
        at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:190)
        ... 27 more

I created the token as follows:

    JsonWebSignature jws = new JsonWebSignature();
    // setPayload takes the JSON string, so the (empty) claim set is serialized first
    jws.setPayload(new JwtClaims().toJson());
    jws.setKey(privateKey);
    jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
    // Thumbprint headers deliberately left out (optional per RFC 7515 sections 4.1.7 / 4.1.8)
    // jws.setX509CertSha1ThumbprintHeaderValue(getX509Certificate());
    // jws.setX509CertSha256ThumbprintHeaderValue(getX509Certificate());
    return jws.getCompactSerialization();

I verified the token as follows:

    jwtConsumer = new JwtConsumerBuilder()
        .setVerificationKeyResolver(new X509VerificationKeyResolver(getX509Certificate()))
        .build();

Is this a bug?

Comments (3)

  1. Brian Campbell repo owner

    No, I don't think it's a bug. The X509VerificationKeyResolver by default is requiring one of those to identify which public key / certificate to use to check the signature. It's a useful and common way to choose from more than one key / certificate, which can help facilitate smooth key rotation. The X509VerificationKeyResolver can also attempt to verify the signature with the key from each of the provided certificates, if no X.509 Certificate Thumbprint Header is present in the JWT/JWS, and stop when it finds one that works. Calling setTryAllOnNoThumbHeader(true) on the X509VerificationKeyResolver instance will do that. See also https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples#markdown-header-x509

    And if you are just using a single key, as your example kind of suggests, you could alternatively just use new JwtConsumerBuilder().setVerificationKey(certificate.getPublicKey()) to tell the JwtConsumer to just use that key.
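
The three verification paths described in the reply above, as an added example that is not part of the original issue or of jose4j's own code. It assumes a PKCS12 keystore (`signer.p12`, alias `signer`, password `changeit`, all placeholders) holding one RSA private key and its certificate; everything else uses the jose4j public API named in the thread.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.X509VerificationKeyResolver;

public class X5tResolverDemo {

    // Assumption: a PKCS12 keystore with one RSA key pair + certificate under this alias (placeholders).
    static final String KEYSTORE_PATH = "signer.p12";
    static final String ALIAS = "signer";
    static final char[] PASSWORD = "changeit".toCharArray();

    // Issue a signed JWT, optionally carrying the x5t#S256 header that names the signing certificate.
    static String issue(PrivateKey key, X509Certificate cert, boolean includeThumbprint) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer("issuer-example");
        claims.setAudience("audience-example");
        claims.setExpirationTimeMinutesInTheFuture(5);
        claims.setGeneratedJwtId();

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(key);
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        if (includeThumbprint) {
            // The thumbprint only selects a certificate; it grants no trust by itself.
            jws.setX509CertSha256ThumbprintHeaderValue(cert);
        }
        return jws.getCompactSerialization();
    }

    // A consumer that pins the algorithm and checks iss/aud/exp in addition to the signature.
    static JwtConsumer consumer(X509VerificationKeyResolver resolver) {
        return new JwtConsumerBuilder()
                .setExpectedIssuer("issuer-example")
                .setExpectedAudience("audience-example")
                .setRequireExpirationTime()
                .setJwsAlgorithmConstraints(
                        new AlgorithmConstraints(ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256))
                .setVerificationKeyResolver(resolver)
                .build();
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KEYSTORE_PATH)) {
            ks.load(in, PASSWORD);
        }
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, PASSWORD);
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);

        String bare = issue(key, cert, false);
        String withThumb = issue(key, cert, true);

        // 1. Default resolver, no thumbprint header: UnresolvableKeyException, surfaced as InvalidJwtException.
        try {
            consumer(new X509VerificationKeyResolver(cert)).processToClaims(bare);
        } catch (InvalidJwtException e) {
            System.out.println("no thumbprint, default resolver: " + e.getMessage());
        }

        // 2. setTryAllOnNoThumbHeader(true): every configured certificate is tried when the header is absent.
        X509VerificationKeyResolver tryAll = new X509VerificationKeyResolver(cert);
        tryAll.setTryAllOnNoThumbHeader(true);
        System.out.println("no thumbprint, try-all: "
                + consumer(tryAll).processToClaims(bare).toJson());

        // 3. x5t#S256 present: the default resolver picks the matching certificate directly.
        System.out.println("with thumbprint, default resolver: "
                + consumer(new X509VerificationKeyResolver(cert)).processToClaims(withThumb).toJson());
    }
}
```

Whichever path is used, only certificates handed to the resolver (or the single key given to setVerificationKey) can verify a token; a thumbprint in the header just picks one of them, so an attacker-supplied x5t#S256 that matches nothing in the set is rejected rather than fetched or trusted.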

  2. Ton Swieb

    Hi Brian, Thanks for the quick reply. My bad. I misinterpreted the API / Docs. Thanks for clarifying this. When I use setVerificationKey or use setTryAllOnNoThumbHeader(true) everything works as expected and I do not need to add the headers to the JWT token.
