The Base64 must not be null message verifying RSAKey
Issue #358
resolved
I have a JWKS that contains nulls in the values:

```json
{
  "keys": [
    {
      "additionalData": {},
      "alg": null,
      "crv": null,
      "d": null,
      "dp": null,
      "dq": null,
      "e": "AQAB",
      "k": null,
      "keyId": "yMPAp4MB5fMXz7U7kDdZpGK1-123",
      "keyOps": [],
      "kid": "yMPAp4MB5fMXz7U7kDdZpGK1-123",
      "kty": "RSA",
      "n": "sgJ7pH6-SF4I7YSXJbEsdYvEknFej4cT0wNrVXty0gD9WyUdhiq8giTMDkKCRGBLEcAoJKDNAetsUtD6qTBPlS5aNmuvcqVpm2WHTov_YnpE3WT-0WMozVlfzdQEwgfQlllW-A0GUYT5SI1JQpAhU6jMJKyGdtpJJYFkMadmQo6Zc6eeHNFa-yliCV31K5FHHemH1CO6ufGmvg_LBlaA_MEp12GgPT3D3NmoGe_lCwCCwYAcLIqBgJppGKeFRx7xrfoH4UvyERtNJVyU5ck0hPeNlecXdfCwLczOCSFvh7GMV5U_7TyQakEbCfdwG3tF7rdL0-apZ1h1xhUMY24RAw",
      "oth": null,
      "p": null,
      "q": null,
      "qi": null,
      "use": null,
      "x": null,
      "x5c": [],
      "x5t": null,
      "x5tS256": null,
      "x5u": null,
      "y": null,
      "keySize": 2048,
      "hasPrivateKey": false,
      "cryptoProviderFactory": {
        "cryptoProviderCache": {},
        "customCryptoProvider": null,
        "cacheSignatureProviders": false
      }
    }
  ]
}
```
When I verify the JWT it fails with:
The Base64 must not be null
This is because in the RSAKey.java code it goes through:
```java
public static RSAKey parse(final JSONObject jsonObject)
        throws ParseException {

    // Parse the mandatory public key parameters first
    Base64URL n = new Base64URL(JSONObjectUtils.getString(jsonObject, "n"));
    Base64URL e = new Base64URL(JSONObjectUtils.getString(jsonObject, "e"));

    // Check key type
    KeyType kty = KeyType.parse(JSONObjectUtils.getString(jsonObject, "kty"));
    if (kty != KeyType.RSA) {
        throw new ParseException("The key type \"kty\" must be RSA", 0);
    }

    // Parse the optional private key parameters

    // 1st private representation
    Base64URL d = null;
    if (jsonObject.containsKey("d")) {
        // "d" is present in the key set above but its value is null,
        // so the Base64URL constructor throws "The Base64 must not be null"
        d = new Base64URL(JSONObjectUtils.getString(jsonObject, "d"));
    }

    // 2nd private (CRT) representation
    Base64URL p = null;
    if (jsonObject.containsKey("p")) {
        p = new Base64URL(JSONObjectUtils.getString(jsonObject, "p"));
    }
    Base64URL q = null;
    if (jsonObject.containsKey("q")) {
        q = new Base64URL(JSONObjectUtils.getString(jsonObject, "q"));
    }
    // ...
```
where the JSON values d, crv, alg, etc. are null.
This is a Microsoft service KeySet, so I am thinking that the keyset is valid?
Comments (8)

-
This formatting is highly unusual.
Strictly speaking, the JWK RFC doesn’t mention that the param values can be null:
https://tools.ietf.org/html/rfc7517#section-4.4
A simple workaround is to remove all keys that have null values and then parse the JWK.
-
This is what I was thinking about doing for a workaround. Do you think this might be fixed in a future release?
-
If you think you can submit a PR or patch that would help a lot :)
-
OK… I can do that.
Thanks
Steve
-
Thanks, just send us a PR / patch with the tests to capture the use case and we’ll merge it.
-
- changed status to resolved
PR 66.
-
Great.
When is the next scheduled release?
-
It was released, check out the last version.
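The following is an added example, not code from the issue or from the Nimbus JOSE+JWT library, showing both halves of the thread: a strict parser that mirrors the `RSAKey.parse` logic quoted above (decode mandatory `n` and `e`, check `kty`, then decode every private parameter that is *present*), and the workaround from the comments, which drops null-valued members before parsing. The key set is a constructed sample in the same shape as the one in the report, with a deliberately tiny modulus so the decoded values are easy to check; unknown members such as `keySize` and `hasPrivateKey` are ignored, as RFC 7517 allows.

```python
import base64
import json
from typing import Optional

# Constructed sample JWKS (not the key from the issue): same shape as the key
# set above, with absent parameters serialised as JSON null and a tiny modulus.
SAMPLE_JWKS_JSON = """
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "constructed-kid-1",
      "alg": null,
      "use": null,
      "d": null,
      "p": null,
      "q": null,
      "dp": null,
      "dq": null,
      "qi": null,
      "n": "AQID",
      "e": "AQAB",
      "x5c": [],
      "x5t": null,
      "keySize": 2048,
      "hasPrivateKey": false
    }
  ]
}
"""

RSA_PRIVATE_PARAMS = ("d", "p", "q", "dp", "dq", "qi")


def b64url_decode(value: Optional[str]) -> bytes:
    """Decode an unpadded base64url string. A null value is rejected with the
    same message the library's Base64URL constructor produces."""
    if value is None:
        raise ValueError("The Base64 must not be null")
    if not isinstance(value, str):
        raise ValueError("The Base64 must be a string")
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def strip_null_members(jwk: dict) -> dict:
    """The workaround from the thread: drop every member whose value is null,
    so optional parameters are absent rather than present-but-null."""
    return {name: value for name, value in jwk.items() if value is not None}


def parse_rsa_public_jwk(jwk: dict) -> tuple:
    """Mirror RSAKey.parse: mandatory n and e first, then kty, then each
    private parameter that is present is decoded (a null value fails here)."""
    n = int.from_bytes(b64url_decode(jwk.get("n")), "big")
    e = int.from_bytes(b64url_decode(jwk.get("e")), "big")
    if jwk.get("kty") != "RSA":
        raise ValueError('The key type "kty" must be RSA')
    for name in RSA_PRIVATE_PARAMS:
        if name in jwk:
            b64url_decode(jwk[name])
    return n, e


def load_rsa_keys(jwks_json: str, drop_nulls: bool) -> dict:
    """Parse every RSA key in a JWKS document, keyed by kid. With drop_nulls
    the workaround is applied to each key before parsing. Members the parser
    does not understand (keySize, hasPrivateKey, ...) are simply ignored."""
    keys = {}
    for jwk in json.loads(jwks_json)["keys"]:
        if jwk.get("kty") != "RSA":
            continue
        if drop_nulls:
            jwk = strip_null_members(jwk)
        keys[jwk["kid"]] = parse_rsa_public_jwk(jwk)
    return keys


def strict_parse_error(jwks_json: str) -> Optional[str]:
    """Return the error a strict parse raises for this JWKS, or None if it
    parses cleanly."""
    try:
        load_rsa_keys(jwks_json, drop_nulls=False)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("strict parse:", strict_parse_error(SAMPLE_JWKS_JSON))
    print("with workaround:", load_rsa_keys(SAMPLE_JWKS_JSON, drop_nulls=True))
```

Run as a script, the strict parse reports `The Base64 must not be null` for the sample (it trips on `"d": null` exactly as the Java code does), while the same key set parses to the public key `(n=66051, e=65537)` once null members are removed. Stripping nulls is safe for the public parameters because a null carries no key material; it does not change which keys the set contains.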