[ 
https://issues.apache.org/jira/browse/CXF-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16510831#comment-16510831
 ] 

Colm O hEigeartaigh commented on CXF-7760:
------------------------------------------

Can you supply a test-case? I tried with this and it worked OK:

 

    @Test
    public void testEncodedKid() throws Exception {
        String keyId = "4pZbe4shQQGzZXHbeIlbDvmHOc1/H6jH6oBk3nUrcZE=";
        JsonWebKey key = new JsonWebKey();
        key.setKeyType(KeyType.OCTET);
        key.setKeyId(keyId);
        key.setKeyOperation(Arrays.asList(
            new KeyOperation[]{KeyOperation.SIGN, KeyOperation.VERIFY}));

        JwsHeaders headers = new JwsHeaders();
        headers.setType(JoseType.JWT);
        headers.setSignatureAlgorithm(SignatureAlgorithm.HS256);
        headers.setHeader(JoseConstants.HEADER_KEY_ID, key.getKeyId());

        JwtClaims claims = new JwtClaims();
        claims.setIssuer("joe");
        claims.setExpiryTime(1300819380L);
        claims.setClaim("http://example.com/is_root", Boolean.TRUE);

        JwtToken token = new JwtToken(headers, claims);
        JwsCompactProducer jws = new JwsJwtCompactProducer(token, getWriter());
        jws.signWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY,
            SignatureAlgorithm.HS256));

        JwsCompactConsumer consumer =
            new JwsJwtCompactConsumer(jws.getSignedEncodedJws());
        assertTrue(consumer.verifySignatureWith(
            new HmacJwsSignatureVerifier(ENCODED_MAC_KEY, SignatureAlgorithm.HS256)));

        assertEquals(keyId, consumer.getJwsHeaders().getKeyId());
    }

> JOSE: JwsCompactConsumer parsing headers issue
> ----------------------------------------------
>
>                 Key: CXF-7760
>                 URL: https://issues.apache.org/jira/browse/CXF-7760
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.1.13
>            Reporter: Juan
>            Priority: Major
>
> When using the JwsCompactConsumer with a compact JWT whose kid contains a 
> slash, the json parser escapes it, which causes issues later on while 
> matching the kid to the one specified in the JWKS. For example:
> Header:
> {
>  "kid": "4pZbe4shQQGzZXHbeIlbDvmHOc1/H6jH6oBk3nUrcZE=",
>  "alg": "RS256"
> }
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
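
The mismatch the report describes, as an added stand-alone example (not CXF code and not part of the original thread): it assumes the "escaped" form is the JSON `\/` escape, and shows that a `kid` compared in its raw serialised form does not match the JWKS value, while the same `kid` with JSON string escapes decoded does. The class name, helper names and header string are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class KidSlashDemo {
    // Captures the raw, still-escaped body of the "kid" JSON string.
    private static final Pattern KID =
        Pattern.compile("\"kid\"\\s*:\\s*\"((?:[^\"\\\\]|\\\\.)*)\"");

    static String rawKid(String headerJson) {
        Matcher m = KID.matcher(headerJson);
        if (!m.find()) {
            throw new IllegalArgumentException("header has no kid");
        }
        return m.group(1);
    }

    // Decodes JSON string escapes (RFC 8259, section 7), including \/ for a solidus.
    static String unescapeJson(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c != '\\') { out.append(c); continue; }
            char e = s.charAt(++i);
            switch (e) {
                case 'b': out.append('\b'); break;
                case 'f': out.append('\f'); break;
                case 'n': out.append('\n'); break;
                case 'r': out.append('\r'); break;
                case 't': out.append('\t'); break;
                case 'u': out.append((char) Integer.parseInt(s.substring(i + 1, i + 5), 16)); i += 4; break;
                case '"': case '\\': case '/': out.append(e); break;
                default: throw new IllegalArgumentException("bad escape \\" + e);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String jwksKid = "4pZbe4shQQGzZXHbeIlbDvmHOc1/H6jH6oBk3nUrcZE="; // kid from the report
        // Constructed header: assumes a producer that serialises "/" as "\/".
        String header = "{\"kid\":\"4pZbe4shQQGzZXHbeIlbDvmHOc1\\/H6jH6oBk3nUrcZE=\",\"alg\":\"RS256\"}";
        String part = Base64.getUrlEncoder().withoutPadding().encodeToString(header.getBytes(StandardCharsets.UTF_8));
        String decoded = new String(Base64.getUrlDecoder().decode(part), StandardCharsets.UTF_8);
        String raw = rawKid(decoded);
        System.out.println("raw kid matches JWKS:       " + raw.equals(jwksKid));
        System.out.println("unescaped kid matches JWKS: " + unescapeJson(raw).equals(jwksKid));
    }
}
```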
