
Jwts.parser().parseClaimsJws(badString) throws ArrayIndexOutOfBoundsException #285

Closed
ingebrigt opened this issue Nov 24, 2017 · 4 comments

Comments

@ingebrigt

Hi!

I validate JWTs using: https://github.com/jwtk/jjwt/blob/master/src/main/java/io/jsonwebtoken/JwtParser.java#L396

When I tamper with my input string, JwtParser.parseClaimsJws(String var1) throws an ArrayIndexOutOfBoundsException:

java.lang.ArrayIndexOutOfBoundsException: 65433
at javax.xml.bind.DatatypeConverterImpl._parseBase64Binary(DatatypeConverterImpl.java:705)
at javax.xml.bind.DatatypeConverterImpl.parseBase64Binary(DatatypeConverterImpl.java:434)
at javax.xml.bind.DatatypeConverter.parseBase64Binary(DatatypeConverter.java:342)
at io.jsonwebtoken.impl.Base64Codec.decode(Base64Codec.java:26)
at io.jsonwebtoken.impl.Base64UrlCodec.decode(Base64UrlCodec.java:78)
at io.jsonwebtoken.impl.crypto.DefaultJwtSignatureValidator.isValid(DefaultJwtSignatureValidator.java:45)
at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:351)
at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481)
at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541)

The error can easily be reproduced by inverting the bits in a random character in the JWT I use as input.

(If you have trouble reproducing I can provide a test)

cheers,
Ingebrigt

@hkngln

hkngln commented Mar 10, 2018

The same error occurred in my project. I changed the following lines
    Jwts.parser().setSigningKey(signingKey).parseClaimsJws(this.token);

to

    Jwts.parser().setSigningKey(signingKey.getBytes()).parseClaimsJws(this.token);

and

    String token = Jwts.builder()
        .setClaims(claims)
        .setIssuer(settings.getTokenIssuer())
        .setId(UUID.randomUUID().toString())
        .setIssuedAt(Date.from(Instant.now()))
        .setExpiration(Date.from(Instant.now().plus(Duration.ofMinutes(settings.getRefreshTokenExpTime()))))
        .signWith(SignatureAlgorithm.HS512, settings.getTokenSigningKey()) // if the signing key is passed as a String, the javax.xml.bind.DatatypeConverterImpl error occurs
        .compact();

to

    String token = Jwts.builder()
        .setClaims(claims)
        .setIssuer(settings.getTokenIssuer())
        .setId(UUID.randomUUID().toString())
        .setIssuedAt(Date.from(Instant.now()))
        .setExpiration(Date.from(Instant.now().plus(Duration.ofMinutes(settings.getRefreshTokenExpTime()))))
        .signWith(SignatureAlgorithm.HS512, settings.getTokenSigningKey().getBytes()) // getBytes() works
        .compact();

I guess the reason is this: https://bugs.openjdk.java.net/browse/JDK-8168456

@ingebrigt
Author

> I guess the reason is this: https://bugs.openjdk.java.net/browse/JDK-8168456

I agree.

For my use I handled the problem by catching and handling ArrayIndexOutOfBoundsException.
If TokenSigningKey is not a valid base64 encoded String I don't verify the JWT.

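A defensive verification wrapper in the spirit of the workaround described in the comment above, added here as an illustration; it is not code from this issue or from jjwt. It assumes the jjwt 0.9.x API (`Jwts.parser()`, `setSigningKey(byte[])`, `parseClaimsJws(String)`), a constructed demo key, and a hypothetical helper `corruptSignature` that stands in for the bit flip the reporter used to reproduce the error.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.nio.charset.StandardCharsets;
import java.util.Optional;

public class TamperedTokenCheck {
    // Constructed demo key; a real deployment loads a random key of at least 256 bits from config.
    private static final byte[] KEY =
        "constructed-demo-key-at-least-32-bytes-long!!".getBytes(StandardCharsets.UTF_8);

    /** Returns the verified claims, or empty if the token must be rejected for ANY reason. */
    static Optional<Claims> verify(String token) {
        try {
            return Optional.of(Jwts.parser().setSigningKey(KEY).parseClaimsJws(token).getBody());
        } catch (JwtException e) {
            // The documented failures: bad signature, malformed token, expired, unsupported.
            return Optional.empty();
        } catch (ArrayIndexOutOfBoundsException e) {
            // jjwt before 0.10.0 on a JDK affected by JDK-8168456 lets this escape from
            // DatatypeConverter.parseBase64Binary when the signature segment is not valid base64.
            // Treat it exactly like a bad signature: reject, never let it propagate as a 500.
            return Optional.empty();
        }
    }

    /** Hypothetical helper: overwrites one signature character with a non-base64url character. */
    static String corruptSignature(String token) {
        int dot = token.lastIndexOf('.');
        int pos = dot + 1 + (token.length() - dot - 1) / 2; // middle of the signature segment
        return token.substring(0, pos) + '~' + token.substring(pos + 1);
    }

    public static void main(String[] args) {
        String good = Jwts.builder().setSubject("alice")
            .signWith(SignatureAlgorithm.HS256, KEY).compact();
        System.out.println("intact  -> "
            + verify(good).map(Claims::getSubject).orElse("REJECTED"));
        System.out.println("corrupt -> "
            + verify(corruptSignature(good)).map(Claims::getSubject).orElse("REJECTED"));
    }
}
```

The caller only ever sees "claims or nothing", so a corrupt token is rejected the same way on a patched and an unpatched jjwt, and the catch for ArrayIndexOutOfBoundsException can be dropped once the project is on 0.10.0 or later.
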
@lhazlewood
Contributor

Keeping this issue open; it should be completed with #333. The (assumed new) JaxbBase64Codec should throw an appropriate exception after catching ArrayIndexOutOfBoundsException.

@lhazlewood
Contributor

This has been released in 0.10.0.
