Padded Base64 string does not throw ParseException

Issue #514 wontfix
Chintankumar Soni created an issue

If we parse an invalid JWE, should the Base64 parsing throw an exception, or do we need to validate the JWE string on our side? Currently, I believe that check is not in the library. The JWE below contains the = padding character and should throw an exception.

Sample JWE:
eyJraWQiOiJhMzgzY2EwNi0yYWJmLTQ1MzUtOGMzZC00NzVhOTUwNDU3YTgiLCJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..rRau10jkPFOH_hEB3W9gSA=.4kBfH_8Ceaz9kg-YRofslX0l4m1yxuKbdx2T-Jq_CSx7h-MtE293uWdzm06IboN3lMlz5f1nAHTwQwut1UElmLWLPRuXNooAude8DnzvBqURF0m2IlsArsisgTNYdPsD8RmFMkOEAQq9jeYON1SJXbvqTPB0EBXoo7c5mvSzFitMu8le0d_fLa24CZd5a276Z3DFQQZsSTRzXeXXCwEjd_0caLJXX330YBpCr59nVwtQh1oPdGDrTOh86qloiiOgyMUbceSDIGa-ydGA07cWux7xWkDAVAsAvgw5xMXrD9WjgLySsU7zAjYF3uTHPhDhNc9vbx6pmcd_0ByxI8sgOcD3q_kvlmCOA1s7UhOFZsj7qs4DQE6VmpUh5yDT4fXq1Oy42o6o64H-18_i0j9QqAezrre3_u0EVx8bTDDQ8xZKYlKiOrSDsYmZMc21HlRJIujhyewHD5jEe7B8f6IdGZgfBbFxqYoBHos5eSgKNA_HcKw1ANrw7VuhYms6EhS3TcBXLves1lY2iX9HCtsW_zR_9x5O4TZctsgO0YATfNCc28i-VfRSXQeFpvi83x8suJ5xJQ6CgHFEA-B0bkHNSAgi7qbBHWvhUC8gEeI0ZvF4a3gnpFTxuyBuLRlRoNwMG2wM6yOVk3ppOetbiAz6GR9Up8es2w0NZ49bKlbkQEIRT5BA42tfbG-_gk7o9rsppkX2j3Ak3XCQmaOiSDeTyq_Etbe99IPFeWq33QoOYjEFc16mjvk3Nc828guE31pdxDslpwJhIN-9bsJRLBGyMVBbCXm1jiPnuqT93iJ2jpwrC0AnlomaJ_tt1BZqTKQxBFDlbb5uYqaB1DunvIuOHVTTqSZYmSbBSaKfLJO89sMe3xjzk_UpJm_TRyhOUqiD1GQ7BCyRzv5T0XD6mVtKZqI2h6zmIhZt15IkABYz9iwny7D3OSub3PR3yivjjdcx2zxngcAbqaa_Jd3Sq-rrDKBFH4-keuWW8qLCKZ7yxpcqjmxptm6ZmFOXPLFcAdYF0sQ794jGiwCMkASEgrwwf2X_Wod-SMQu_uTaef73BTBSdTNh_bZ7Kch2KrhOlqpKjQeaTsvEp_wEfVQW3-CdywfbNEftl387P69MqrbSzlWePgIa7wJtxUc6sF20Qml7hNj6Qcb966YfLCGaXv0blKyfCYm_J9dfcm3Ut0TVhxsboodKFVeGD2oaaKcKqiqPfWEMZNbj3vnis0oTinYuh_hRvG6Lz8_63-AiQBx0436LdeVzNOaQXhEkimnVqoG8BcElq0x9BrtIfkG5wKn3j3ttDruh8awiOZpbOOw1V8JslHnFowPdVhp6Cee7RA6-Iy2I1LCVmh-aIu9IywaERnD9HeR-ZF1uUYDQPheUXeNVbsJOQGPiaXAOA6rnB6yo9uUMTbQdkqgt8LHhFduJZvj15yi33TfJ786zextHVc4.k4hgoVVMnltpMWcFiJ6pKA

Comments (12)

  1. Vladimir Dzhuvinov

    The current Base64URL parser allows for padding = chars at the end. The library allows for such output (but will always output compliant Base64URL).

  2. Chintankumar Soni reporter

    If I add = in the Protected header, it does throw the error, I believe. However, not for all the other nodes.

  3. Chintankumar Soni reporter

    Vladimir Dzhuvinov Are you guys looking into it? Shall I wait for a response from your side? I do understand you changed the title and component of the issue.

  4. Vladimir Dzhuvinov

    A “BASE64 = padding - not - present” check for received JWEs is not necessary.

    The URL-safety of the JWS / JWE / JWTs is to make them just that - URL safe, so they can be passed in URLs, etc.

    If the JWEs that you received happen to be (correctly) BASE64 encoded this will not affect the decryption or the integrity checks.

  5. Vladimir Dzhuvinov

    I edited the title so that others with the same question can find this thread more easily.

  6. Chintankumar Soni reporter

    Vladimir Dzhuvinov So the given sample invalid JWE will allow for decryption (not part of parsing or decryption in this case) and no errors are expected, right?

  7. Vladimir Dzhuvinov

    This library will accept JWEs that are BASE64 encoded as legal.

    If the private key is valid and the internal JWE structure is legal they will also be decrypted successfully.
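
For callers who want padded input rejected before it reaches the library, which is the caller-side validation the reporter asks about, a strict pre-parse check on the compact serialization is enough. This is an added example, not code from the library or from anyone in this thread; the class and method names are hypothetical, and the ciphertext in the sample is a constructed placeholder.

```java
import java.util.regex.Pattern;

public final class StrictCompactJwe {
    // Base64url alphabet with no '=' padding (RFC 7515, section 2).
    private static final Pattern UNPADDED_B64URL = Pattern.compile("[A-Za-z0-9_-]*");
    private static final String[] PART_NAMES =
        {"protected header", "encrypted key", "IV", "ciphertext", "authentication tag"};

    /** Returns null when every part is unpadded base64url, otherwise the reason to reject. */
    public static String rejectReason(String compactJwe) {
        // Limit -1 keeps empty parts, such as the empty encrypted key of alg=dir.
        String[] parts = compactJwe.split("\\.", -1);
        if (parts.length != PART_NAMES.length) {
            return "expected 5 dot-separated parts, found " + parts.length;
        }
        if (parts[0].isEmpty()) {
            return "protected header is empty";
        }
        for (int i = 0; i < parts.length; i++) {
            if (!UNPADDED_B64URL.matcher(parts[i]).matches()) {
                return PART_NAMES[i] + " contains padding or other non-base64url characters";
            }
            // An unpadded encoding of whole bytes never has length 1 mod 4.
            if (parts[i].length() % 4 == 1) {
                return PART_NAMES[i] + " has a length no base64 encoding can produce";
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Header, IV and tag are copied from the sample in the issue; the
        // ciphertext is a constructed placeholder, so this JWE cannot be decrypted.
        String header = "eyJraWQiOiJhMzgzY2EwNi0yYWJmLTQ1MzUtOGMzZC00NzVhOTUwNDU3YTgiLCJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0";
        String iv = "rRau10jkPFOH_hEB3W9gSA";
        String ciphertext = "AAAAAAAAAAAAAAAAAAAAAA";
        String tag = "k4hgoVVMnltpMWcFiJ6pKA";
        String unpadded = String.join(".", header, "", iv, ciphertext, tag);
        String padded = String.join(".", header, "", iv + "=", ciphertext, tag);
        System.out.println("unpadded IV: " + rejectReason(unpadded));
        System.out.println("padded IV:   " + rejectReason(padded));
    }
}
```

Run the check on the raw string before handing it to the library's parser, and treat a non-null result as a parse failure in your own code.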
