Padded Base64 string does not throw ParseException
If we parse an invalid JWE Base64 string, should it throw the exception, or do we need to validate the JWE string from our side? Currently, a check is not there in the library, I believe. The JWE below contains the = padding character and should throw the exception.
Sample JWE:
eyJraWQiOiJhMzgzY2EwNi0yYWJmLTQ1MzUtOGMzZC00NzVhOTUwNDU3YTgiLCJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..rRau10jkPFOH_hEB3W9gSA=.4kBfH_8Ceaz9kg-YRofslX0l4m1yxuKbdx2T-Jq_CSx7h-MtE293uWdzm06IboN3lMlz5f1nAHTwQwut1UElmLWLPRuXNooAude8DnzvBqURF0m2IlsArsisgTNYdPsD8RmFMkOEAQq9jeYON1SJXbvqTPB0EBXoo7c5mvSzFitMu8le0d_fLa24CZd5a276Z3DFQQZsSTRzXeXXCwEjd_0caLJXX330YBpCr59nVwtQh1oPdGDrTOh86qloiiOgyMUbceSDIGa-ydGA07cWux7xWkDAVAsAvgw5xMXrD9WjgLySsU7zAjYF3uTHPhDhNc9vbx6pmcd_0ByxI8sgOcD3q_kvlmCOA1s7UhOFZsj7qs4DQE6VmpUh5yDT4fXq1Oy42o6o64H-18_i0j9QqAezrre3_u0EVx8bTDDQ8xZKYlKiOrSDsYmZMc21HlRJIujhyewHD5jEe7B8f6IdGZgfBbFxqYoBHos5eSgKNA_HcKw1ANrw7VuhYms6EhS3TcBXLves1lY2iX9HCtsW_zR_9x5O4TZctsgO0YATfNCc28i-VfRSXQeFpvi83x8suJ5xJQ6CgHFEA-B0bkHNSAgi7qbBHWvhUC8gEeI0ZvF4a3gnpFTxuyBuLRlRoNwMG2wM6yOVk3ppOetbiAz6GR9Up8es2w0NZ49bKlbkQEIRT5BA42tfbG-_gk7o9rsppkX2j3Ak3XCQmaOiSDeTyq_Etbe99IPFeWq33QoOYjEFc16mjvk3Nc828guE31pdxDslpwJhIN-9bsJRLBGyMVBbCXm1jiPnuqT93iJ2jpwrC0AnlomaJ_tt1BZqTKQxBFDlbb5uYqaB1DunvIuOHVTTqSZYmSbBSaKfLJO89sMe3xjzk_UpJm_TRyhOUqiD1GQ7BCyRzv5T0XD6mVtKZqI2h6zmIhZt15IkABYz9iwny7D3OSub3PR3yivjjdcx2zxngcAbqaa_Jd3Sq-rrDKBFH4-keuWW8qLCKZ7yxpcqjmxptm6ZmFOXPLFcAdYF0sQ794jGiwCMkASEgrwwf2X_Wod-SMQu_uTaef73BTBSdTNh_bZ7Kch2KrhOlqpKjQeaTsvEp_wEfVQW3-CdywfbNEftl387P69MqrbSzlWePgIa7wJtxUc6sF20Qml7hNj6Qcb966YfLCGaXv0blKyfCYm_J9dfcm3Ut0TVhxsboodKFVeGD2oaaKcKqiqPfWEMZNbj3vnis0oTinYuh_hRvG6Lz8_63-AiQBx0436LdeVzNOaQXhEkimnVqoG8BcElq0x9BrtIfkG5wKn3j3ttDruh8awiOZpbOOw1V8JslHnFowPdVhp6Cee7RA6-Iy2I1LCVmh-aIu9IywaERnD9HeR-ZF1uUYDQPheUXeNVbsJOQGPiaXAOA6rnB6yo9uUMTbQdkqgt8LHhFduJZvj15yi33TfJ786zextHVc4.k4hgoVVMnltpMWcFiJ6pKA
-
reporter @Vladimir Dzhuvinov Does it mean we need to validate the below guideline from our side?
-
reporter If I am adding = in the Protected header, it does throw the error, I believe. However, not for except all nodes.
-
- changed title to Passed Base64 string does not throw ParseException
- changed component to JOSE Core
- removed milestone
Edits title for clarity
-
- changed title to Padded Base64 string does not throw ParseException
-
reporter Vladimir Dzhuvinov Are you guys looking into it? Shall I wait for a response from your side? I do understand you changed the title and component of the issue.
-
A “BASE64 = padding - not - present” check for received JWEs is not necessary.
The URL-safety of the JWS / JWE / JWTs is to make them just that - URL safe, so they can be passed in URLs, etc.
If the JWEs that you received happen to be (correctly) BASE64 encoded this will not affect the decryption or the integrity checks.
-
I edited the title so that others with the same question can find this thread more easily.
-
reporter Vladimir Dzhuvinov So the given sample invalid JWE will allow for decryption (not part of parsing or decryption in this case) and no errors are expected, right?
-
- changed status to wontfix
-
This library will accept JWEs that are BASE64 encoded as legal.
If the private key is valid and the internal JWE structure is legal they will also be decrypted successfully.
-
reporter Vladimir Dzhuvinov Thanks. Much appreciated your prompt response.
The current Base64URL parser allows for padding = chars at the end. The library allows for such output (but will always output compliant Base64URL).
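For callers who do want padded input rejected before it reaches the library, a caller-side check could look like the following. This is an added example, not code from the library or from anyone in this thread; the class name `StrictJweCompact`, the method `check` and the sample values are hypothetical, and it goes slightly beyond the padding case by also rejecting non-canonical encodings.

```java
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Base64;

public class StrictJweCompact {
    private static final String[] PARTS =
        {"header", "encrypted key", "IV", "ciphertext", "authentication tag"};

    /** Throws unless all five parts are canonical, unpadded Base64URL. */
    public static void check(String jwe) throws ParseException {
        String[] parts = jwe.split("\\.", -1); // -1 keeps empty parts, e.g. the key for "dir"
        if (parts.length != PARTS.length)
            throw new ParseException("Expected 5 parts, got " + parts.length, 0);
        int offset = 0; // index of the current part within the whole string
        for (int i = 0; i < parts.length; i++) {
            String p = parts[i];
            // Base64URL alphabet only: rejects '=', '+', '/', whitespace.
            if (!p.matches("[A-Za-z0-9_-]*"))
                throw new ParseException("Illegal character in " + PARTS[i], offset);
            if (p.length() % 4 == 1)
                throw new ParseException("Impossible length for " + PARTS[i], offset);
            // Re-encode to reject non-zero trailing bits (non-canonical form).
            byte[] raw = Base64.getUrlDecoder().decode(p);
            if (!Base64.getUrlEncoder().withoutPadding().encodeToString(raw).equals(p))
                throw new ParseException("Non-canonical encoding in " + PARTS[i], offset);
            offset += p.length() + 1;
        }
    }

    public static void main(String[] args) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        // Constructed sample values, not a real JWE.
        String header = enc.encodeToString(
            "{\"alg\":\"dir\",\"enc\":\"A128CBC-HS256\"}".getBytes(StandardCharsets.UTF_8));
        String iv = enc.encodeToString(new byte[16]);
        String rest = enc.encodeToString(new byte[32]) + "." + enc.encodeToString(new byte[16]);
        String[] samples = {
            header + ".." + iv + "." + rest,   // compliant
            header + ".." + iv + "=." + rest   // padded IV, as in the reported sample
        };
        for (String s : samples) {
            try {
                check(s);
                System.out.println("accepted");
            } catch (ParseException e) {
                System.out.println("rejected at " + e.getErrorOffset() + ": " + e.getMessage());
            }
        }
    }
}
```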