[jira] [Commented] (CXF-8402) JwkUtils::fromECPublicKey returns key coordinates without leading zero


Colm O hEigeartaigh (Jira)

    [ https://issues.apache.org/jira/browse/CXF-8402?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17262579#comment-17262579 ]

Dimitri Witkowski commented on CXF-8402:
----------------------------------------

Thanks! Looks good to me, just one thing: [here|https://github.com/apache/cxf/pull/739/files#diff-e091b641fd36035a7a1eca182c21263a22546773051ef0c32a5b25454d0698bbR215-R216] you compare the length of base64-encoded strings, which can give a false positive result. I'd rather decode them before comparison.

> JwkUtils::fromECPublicKey returns key coordinates without leading zero
> ----------------------------------------------------------------------
>
>                 Key: CXF-8402
>                 URL: https://issues.apache.org/jira/browse/CXF-8402
>             Project: CXF
>          Issue Type: Bug
>            Reporter: Dimitri Witkowski
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.4.3
>
>         Attachments: Main.java, cert.pem, generate.sh, image-2021-01-07-09-35-19-811.png
>
>
> Hi!
> {{JwkUtils::fromECPublicKey}} returns key coordinates without leading zeroes because it's using {{BigInteger.toByteArray()}}, which returns only necessary bytes to encode a big integer value, here: [https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java#L378]
> This causes issues in different libraries; almost everywhere, leading zeroes are expected to be present so that the coordinate length does not change depending on the data.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
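
The behaviour reported in the issue, and the length check on decoded bytes suggested in the comment, as an added example that is not CXF's code or the code from the pull request. The class name and the helpers `toFixedLength`, `b64url` and `check` are hypothetical, and the two test integers are constructed values.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;

public class EcCoordinateEncoding {

    // Hypothetical helper: fixed-width, big-endian, unsigned encoding of a coordinate.
    static byte[] toFixedLength(BigInteger value, int fieldSizeBits) {
        int len = (fieldSizeBits + 7) / 8;      // 32 for P-256, 48 for P-384, 66 for P-521
        byte[] raw = value.toByteArray();       // minimal two's complement form
        // toByteArray() prepends 0x00 when the top bit is set; that sign byte is not data.
        int start = (raw.length > 1 && raw[0] == 0) ? 1 : 0;
        int n = raw.length - start;
        if (value.signum() < 0 || n > len) {
            throw new IllegalArgumentException("coordinate does not fit the field");
        }
        byte[] out = new byte[len];
        System.arraycopy(raw, start, out, len - n, n);   // left-pad with zero bytes
        return out;
    }

    static String b64url(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    static void check(boolean ok, String msg) {
        if (!ok) throw new AssertionError(msg);
    }

    public static void main(String[] args) throws Exception {
        // Constructed values: one with a zero top byte, one with the top bit set.
        BigInteger shortValue = BigInteger.ONE.shiftLeft(247).subtract(BigInteger.ONE);
        BigInteger highBit = BigInteger.ONE.shiftLeft(255);
        check(shortValue.toByteArray().length == 31, "leading zero byte is dropped");
        check(highBit.toByteArray().length == 33, "sign byte is added");
        check(toFixedLength(shortValue, 256).length == 32, "padded to field size");
        check(toFixedLength(highBit, 256).length == 32, "sign byte stripped");

        // Generated P-256 key: compare decoded byte lengths, not encoded string lengths.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        ECPublicKey pub = (ECPublicKey) kpg.generateKeyPair().getPublic();
        int bits = pub.getParams().getCurve().getField().getFieldSize();
        String x = b64url(toFixedLength(pub.getW().getAffineX(), bits));
        String y = b64url(toFixedLength(pub.getW().getAffineY(), bits));
        for (String coord : new String[] {x, y}) {
            check(Base64.getUrlDecoder().decode(coord).length == (bits + 7) / 8, "coordinate length");
        }
    }
}
```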