Add x5c and verify public key against x5c when extracting a public key from a JSON Web Key about fusionauth-jwt HOT 6 OPEN

Commits:

fd761c6
4465240
ec26cb7

from fusionauth-jwt.

Regarding the x5c material itself - it seems at the minimum, it would be nice to provide a feature to validate the certificate against the CAs known by the JVM

from fusionauth-jwt.

I can take a look at adding that capability.

from fusionauth-jwt.

Release 3.6.0 w/ validation for x5c. I'll keep this open to still look at adding certificate verification options.

from fusionauth-jwt.

Hello @robotdan

Came across this discussion while searching on the internet for the issue I am getting while trying to verify my Id Token.
I think you can help me with the issue so posting it here, I am sorry if this is not the correct place to ask about issues, I tried posting it on forums and stackoverflow but no help so far.

I am using fusionauth-jwt library to verify ID token signed by RSA SHA 256 key.
In my code below ,first trying to get public key using JWKS json and then trying to create a Verifier instance so that I can verify my id token.

List<JSONWebKey> keys = JSONWebKeySetHelper.retrieveKeysFromJWKS("http://localhost:9011/.well-known/jwks.json");

        Map<String, Verifier> publicKeyVerifiers = new HashMap<String,Verifier>();
        for (JSONWebKey key : keys) {
            String publicKey = key.x5c.get(0); //getting x5c element
            Verifier verifier = RSAVerifier.newVerifier(publicKey); // Creating RSA verifier instance where getting issue
            String kid = key.kid;
            publicKeyVerifiers.put(kid, verifier);
        }

JWT jwtDecoded = JWT.getDecoder().decode(idToken, publicKeyVerifiers);

Getting issue at the time of creating verifier instance because the x5c element contains Base64Encoded value and not the .pem format value which begins with "-----BEGIN"

Class "io.fusionauth.pem.PEMDecoder.java" expects "-----BEGIN" which is not present in key.x5c and hence throwing exception "throw new PEMDecoderException(new InvalidParameterException("Unexpected PEM Format"));

Screenshot of PEMDecoder.java

Please could you suggest how to fix it.
Thanks.

from fusionauth-jwt.

@GokulMahajan20 - it looks like we are expect the key to be PEM encoded. The x5c is not PEM encoded, it is just a base64 encoded version of the key. (mostly the same as PEM except no headers, and is not MIME encoded)

Could you just pass in the byte array instead?

String publicKey = key.x5c.get(0);
byte[] decoded = Base64.getDecoder().decode(publicKey);
Verifier verifier = RSAVerifier.newVerifier(decoded); // Creating RSA verifier instance where getting issue

Would that work for you?

from fusionauth-jwt.