JWK hmac keys are base64url encoded not standard (#316)

sjoerdsimons · web-flow · commit a470ed015bb8 · 2023-06-15T20:28:53.000+02:00
* JWK hmac keys are base64url encoded not standard

DecodingKey::from_base64_secret uses standard decoding, while "k" field
of a jwk is expected to be in base64url instead.

Signed-off-by: Sjoerd Simons &lt;sjoerd@collabora.com&gt;

* Test validating HMAC SHA-256 example from RFC7517

Use the example form RFC7517 Appendix A.1 to validate correct handling
of JWK's containing hmac keys for decoding

Signed-off-by: Sjoerd Simons &lt;sjoerd@collabora.com&gt;

---------

Signed-off-by: Sjoerd Simons &lt;sjoerd@collabora.com&gt;
diff --git a/src/decoding.rs b/src/decoding.rs
@@ -183,7 +183,13 @@ impl DecodingKey {
                 DecodingKey::from_ec_components(&params.x, &params.y)
             }
             AlgorithmParameters::OctetKeyPair(params) => DecodingKey::from_ed_components(&params.x),
-            AlgorithmParameters::OctetKey(params) => DecodingKey::from_base64_secret(&params.value),
+            AlgorithmParameters::OctetKey(params) => {
+                let out = b64_decode(&params.value)?;
+                Ok(DecodingKey {
+                    family: AlgorithmFamily::Hmac,
+                    kind: DecodingKeyKind::SecretOrDer(out),
+                })
+            }
         }
     }
 
diff --git a/tests/hmac.rs b/tests/hmac.rs
@@ -1,4 +1,5 @@
 use jsonwebtoken::errors::ErrorKind;
+use jsonwebtoken::jwk::Jwk;
 use jsonwebtoken::{
     crypto::{sign, verify},
     decode, decode_header, encode, Algorithm, DecodingKey, EncodingKey, Header, Validation,
@@ -183,3 +184,22 @@ fn dangerous_insecure_decode_token_with_validation_wrong_algorithm() {
     let err = claims.unwrap_err();
     assert_eq!(err.kind(), &ErrorKind::ExpiredSignature);
 }
+
+#[test]
+fn verify_hs256_rfc7517_appendix_a1() {
+    #[derive(Debug, PartialEq, Eq, Clone, Deserialize)]
+    struct C {
+        iss: String,
+    }
+    let token = "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
+    let jwk = r#"{"kty":"oct",
+                  "k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"
+                 }"#;
+    let jwk: Jwk = serde_json::from_str(jwk).unwrap();
+    let key = DecodingKey::from_jwk(&jwk).unwrap();
+    let mut validation = Validation::new(Algorithm::HS256);
+    // The RFC example signed jwt has expired
+    validation.validate_exp = false;
+    let c = decode::<C>(token, &key, &validation).unwrap();
+    assert_eq!(c.claims.iss, "joe");
+}

Original file line number	Diff line number	Diff line change
`@@ -183,7 +183,13 @@ impl DecodingKey {`
`183`	`183`	`DecodingKey::from_ec_components(&params.x, &params.y)`
`184`	`184`	`}`
`185`	`185`	`AlgorithmParameters::OctetKeyPair(params) => DecodingKey::from_ed_components(&params.x),`
`186`		`- AlgorithmParameters::OctetKey(params) => DecodingKey::from_base64_secret(&params.value),`
	`186`	`+ AlgorithmParameters::OctetKey(params) => {`
	`187`	`+ let out = b64_decode(&params.value)?;`
	`188`	`+ Ok(DecodingKey {`
	`189`	`+ family: AlgorithmFamily::Hmac,`
	`190`	`+ kind: DecodingKeyKind::SecretOrDer(out),`
	`191`	`+ })`
	`192`	`+ }`
`187`	`193`	`}`
`188`	`194`	`}`
`189`	`195`