- changed status to open
JWK Constructor erroneously throws IllegalArgumentException
class: com.nimbusds.jose.jwk.JWK
RFC 7517, section 4.3 states: The "use" and "key_ops" JWK members SHOULD NOT be used together; however, if both are used, the information they convey MUST be consistent. Applications should specify which of these members they use, if either is to be used by the application.
Therefore, the following key is valid as use and key_ops are consistent. However, the JWK constructor throws an IllegalArgumentException, "They key use "use" and key options "key_opts" parameters cannot be set together".

```
{
  kid: "ZRWYHaVw_7hHzmHhxTia7Zkm-y2utoea8cQGHGeCFFI",
  use: "sig",
  key_ops: ["sign"],
  kty: "RSA",
  e: "AQAB",
  n: "..."
}
```
This JWK was generated by Microsoft's B2C Premium, Identity Experience Framework.
Comments (5)
-
reporter Thanks Vladimir. The following modification to JWK.java meets my needs but may not cover all cases of consistency.
```java
if (use != null && ops != null) {
    if (!(use.equals(KeyUse.SIGNATURE)
            && (ops.contains(KeyOperation.SIGN) || ops.contains(KeyOperation.VERIFY)))
        && !(use.equals(KeyUse.ENCRYPTION)
            && (ops.contains(KeyOperation.ENCRYPT) || ops.contains(KeyOperation.DECRYPT)))) {
        throw new IllegalArgumentException("The key use \"use\" and key options \"key_opts\" parameters cannot be set together");
    }
}
```
-
- changed status to resolved
Added a map that defines the consistent "use" <-> "key_ops" combos. This map will now be used to check the JWK params at construction time. Also added a bunch of tests, including a test for your particular case.
Commit: 24476bf
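A map-based consistency check of the kind described in the comment above, shown next to the "any match" rule from the reporter's patch. This is an added example, not code from the Nimbus JOSE+JWT project or from commit 24476bf. The class name, method names and the contents of the map are assumptions, and plain strings stand in for the library's KeyUse and KeyOperation types.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration; all names here are hypothetical, not Nimbus JOSE+JWT API.
public class UseKeyOpsCheck {

    // Assumed mapping from each "use" value to the "key_ops" values
    // treated as consistent with it (RFC 7517 section 4.3 leaves this open).
    static final Map<String, Set<String>> ALLOWED = Map.of(
        "sig", Set.of("sign", "verify"),
        "enc", Set.of("encrypt", "decrypt", "wrapKey", "unwrapKey"));

    // Subset rule: every listed operation must be allowed for the declared use.
    static boolean isConsistent(String use, Set<String> ops) {
        if (use == null || ops == null) {
            return true; // only one member present, nothing to cross-check
        }
        Set<String> allowed = ALLOWED.get(use);
        // An unknown "use" value cannot be cross-checked, so it is rejected.
        return allowed != null && allowed.containsAll(ops);
    }

    // "Any match" rule, equivalent to the condition in the patch posted in the thread.
    static boolean anyMatch(String use, Set<String> ops) {
        if (use == null || ops == null) {
            return true;
        }
        return ("sig".equals(use) && (ops.contains("sign") || ops.contains("verify")))
            || ("enc".equals(use) && (ops.contains("encrypt") || ops.contains("decrypt")));
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first mirrors use/key_ops of the reported key.
        List<Map.Entry<String, Set<String>>> samples = List.of(
            Map.entry("sig", Set.of("sign")),
            Map.entry("sig", Set.of("sign", "encrypt")),
            Map.entry("enc", Set.of("wrapKey")),
            Map.entry("sig", Set.of("decrypt")));
        for (Map.Entry<String, Set<String>> s : samples) {
            System.out.printf("use=%s key_ops=%s subset=%b anyMatch=%b%n",
                s.getKey(), s.getValue(),
                isConsistent(s.getKey(), s.getValue()),
                anyMatch(s.getKey(), s.getValue()));
        }
    }
}
```

The two rules differ on the second and third samples: a signature key that also lists "encrypt" passes the any-match rule but fails the subset rule, while an encryption key limited to "wrapKey" is accepted only by the subset rule.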
-
The fix is now on Maven Central as v4.39.1: http://search.maven.org/#artifactdetails%7Ccom.nimbusds%7Cnimbus-jose-jwt%7C4.39.1%7Cjar
-
reporter Thanks Vladimir!
Thanks to Damian for raising this issue. Will see how we can fix this.