[
https://issues.apache.org/jira/browse/CXF-8402?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17260314#comment-17260314
]
Dimitri Witkowski edited comment on CXF-8402 at 1/7/21, 8:35 AM:
-----------------------------------------------------------------
Yes, sure, here's an example of such a certificate: [^cert.pem]
I generated it using this script: [^generate.sh] (it requires some retries,
looks like it depends on the next byte as well).
Here's an example of a JWK generated using the attached cert.pem:
{{{"kty":"EC","kid":"some-key-id","crv":"P-256","x":"CK6vBWKHcGN93VJQmxk27hbHNe4dHJpcy5t1NL6bqA","y":"LQZSz0-ZdnOHIFN2Lx9JJU74FuK18UJFON_ZssfXqQ0"}}}
Then, if you try to use this JWK, it will generate an error in all libraries;
for example, you can try using WebCrypto in your browser:
{{await window.crypto.subtle.importKey("jwk",
{"kty":"EC","kid":"some-key-id","crv":"P-256","x":"CK6vBWKHcGN93VJQmxk27hbHNe4dHJpcy5t1NL6bqA","y":"LQZSz0-ZdnOHIFN2Lx9JJU74FuK18UJFON_ZssfXqQ0"},
{ name: "ECDSA", namedCurve: "P-256" }, false, ["verify"])}}
Which gives this error:
{{Uncaught DOMException: The JWK's "x" member defines an octet string of length
31 bytes but should be 32}}
> JwkUtils::fromECPublicKey returns key coordinates without leading zero
> ----------------------------------------------------------------------
>
> Key: CXF-8402
> URL: https://issues.apache.org/jira/browse/CXF-8402
> Project: CXF
> Issue Type: Bug
> Reporter: Dimitri Witkowski
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Attachments: cert.pem, generate.sh, image-2021-01-07-09-35-19-811.png
>
>
> Hi!
> {{JwkUtils::fromECPublicKey}} returns key coordinates without leading zeroes
> because it's using {{BigInteger.toByteArray()}}, which returns only the bytes
> necessary to encode a big integer value, here:
> [https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java#L378]
> This causes issues in different libraries; almost everywhere, leading zeroes
> are expected to be present so that the coordinate length does not change
> depending on the data.
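The length rule behind the WebCrypto error above, as an added example that is not part of the original message and is not CXF code: RFC 7518 (sections 6.2.1.2 and 6.2.1.3) requires "x" and "y" to be the full coordinate size for the curve. The Node.js sketch below uses illustrative function names; it encodes a coordinate at fixed length, flags JWKs that break the rule, and left-pads them.

```javascript
// Added example, not CXF code. Coordinate sizes in bytes per RFC 7518, section 6.2.1.
const COORD_BYTES = { "P-256": 32, "P-384": 48, "P-521": 66 };

const b64uDecode = (s) =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
const b64uEncode = (buf) =>
  buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Producer side: encode a non-negative BigInt as exactly `len` bytes,
// keeping leading zero bytes instead of emitting the minimal form.
function toFixedLength(value, len) {
  if (value < 0n) throw new RangeError("coordinate must be non-negative");
  const hex = value.toString(16);
  if (hex.length > len * 2) throw new RangeError("coordinate too large for curve");
  return Buffer.from(hex.padStart(len * 2, "0"), "hex");
}

// Consumer side: report every coordinate whose decoded length is wrong.
function checkEcJwk(jwk) {
  const expected = COORD_BYTES[jwk.crv];
  if (jwk.kty !== "EC" || !expected) throw new TypeError("unsupported JWK");
  return ["x", "y"]
    .map((member) => ({ member, actual: b64uDecode(jwk[member]).length, expected }))
    .filter((r) => r.actual !== r.expected);
}

// Repair: re-encode mis-sized coordinates at full length; the integer value
// is unchanged, and a value that does not fit the curve size is rejected.
function normalizeEcJwk(jwk) {
  const len = COORD_BYTES[jwk.crv];
  const fixed = { ...jwk };
  for (const { member } of checkEcJwk(jwk)) {
    const value = BigInt("0x" + (b64uDecode(jwk[member]).toString("hex") || "0"));
    fixed[member] = b64uEncode(toFixedLength(value, len));
  }
  return fixed;
}

// The JWK quoted in the comment above.
const reported = {
  kty: "EC", kid: "some-key-id", crv: "P-256",
  x: "CK6vBWKHcGN93VJQmxk27hbHNe4dHJpcy5t1NL6bqA",
  y: "LQZSz0-ZdnOHIFN2Lx9JJU74FuK18UJFON_ZssfXqQ0",
};
console.log(checkEcJwk(reported));
console.log(normalizeEcJwk(reported));
```

Padding restores only the encoding length; it does not check that the point lies on the curve.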