OPENAM-8807

RsaJWK is unable to parse single x5c element in jwksContents

    Details

    • Sprint: AM Sustaining Sprint 24, AM Sustaining Sprint 25
    • Needs QA verification: No

      Description

      Prospect is integrating OpenAM with ThinkTecture (the OIDC provider) and running into an error where the user authenticates at TT and is redirected to OpenAM, but the following error is thrown in OpenAM:
      WARNING: Cannot validate JWT
      org.forgerock.json.fluent.JsonValueException: /keys/0/x5c: Expecting a List of org.forgerock.util.encode.Base64 elements
      at org.forgerock.json.fluent.JsonValue.asList(JsonValue.java:631)
      at org.forgerock.json.jose.jwk.RsaJWK.parse(RsaJWK.java:545)

      jwksContents:

      {
          "keys": [
              {
                  "kty": "RSA",
                  "use": "sig",
                  "kid": "jcxvPZPN6cSwiH8KNdpVBWB2DuI",
                  "x5t": "jcxvPZPN6cSwiH8KNdpVBWB2DuI",
                  "e": "AQAB",
                  "n": "rD7jX0NHjDidUOZofDJvUI94o83lNsuVc3Z7iPtYl9bkX6yssmMNzH_NwRK_ntqQwATbbScxIXU4-kcDi0b5kLpt8X4NkApWdvmmDT
                        -M72mZ4Xo5XBmxFQbbOjsctn-xld6pwPIbDpZ0m8U44fkrkGHrkL9hn49BTvQxzMHi_siI-yoUkEfJjp7FQt02AQsrBZDxE6SQeXmP
                        007E7M8HnMt6Ct-RV45OIWZzgNPhue3Az8pX4dHsA3Br6jGJiZBerGoKbIublGmOUC-Q0staPmgwMNWhF2vGKZf68DbL7rmNivQGEN
                        ka8CPbhkZyOmSXmKMLUwwW5Gu4zKYfGWmMzQ",
                  "x5c": [
                      "MIIDXjCCAkagAwIBAgIQE7VGrUvsEqJAppN8FO6k9TANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNDaXR5VG91Y2ggT0F1dGggU2l
                       nbmluZyBDZXJ0aWZpY2F0ZTAeFw0xNDEyMzEyMzAwMDBaFw0yNDEyMzEyMzAwMDBaMC4xLDAqBgNVBAMTI0NpdHlUb3VjaCBPQXV0aC
                       BTaWduaW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArD7jX0NHjDidUOZofDJvUI94o83lNsuVc
                       3Z7iPtYl9bkX6yssmMNzH/NwRK/ntqQwATbbScxIXU4+kcDi0b5kLpt8X4NkApWdvmmDT+M72mZ4Xo5XBmxFQbbOjsctn+xld6pwPIb
                       DpZ0m8U44fkrkGHrkL9hn49BTvQxzMHi/siI+yoUkEfJjp7FQt02AQsrBZDxE6SQeXmP007E7M8HnMt6Ct+RV45OIWZzgNPhue3Az8p
                       X4dHsA3Br6jGJiZBerGoKbIublGmOUC+Q0staPmgwMNWhF2vGKZf68DbL7rmNivQGENka8CPbhkZyOmSXmKMLUwwW5Gu4zKYfGWmMzQ
                       IDAQABo3gwdjATBgNVHSUEDDAKBggrBgEFBQcDATBfBgNVHQEEWDBWgBA3/eVVIC9e3N0+d3e3gq0uoTAwLjEsMCoGA1UEAxMjQ2l0e
                       VRvdWNoIE9BdXRoIFNpZ25pbmcgQ2VydGlmaWNhdGWCEBO1Rq1L7BKiQKaTfBTupPUwDQYJKoZIhvcNAQELBQADggEBAI+VZrjWPjqs
                       F0yg41woxVBtPtx5kEZTIr3fRIwhis8EaJf+ceFNNixvfpn5mgW4shMujtGZVjpryzgmS75Yf169lhPn6ot+mQxBGSzlWa12TE1kBwT
                       f1B1+wPcRJRG5y7Mc3VWlK581AtWG8PovcdHGRRQsTYteF899w1EsovEK6xpUzY0bXxdU7ZRL3X9kb/UlG8TS7u1PuV9n1PTec55jly
                       K6Q5r2+sxUP9YUCaRVNKtxKsdzfMm89bymT3M+6frFf4howfYjbFL2KTluTga+iXR8nLjrTCKrVHpt474XMZ2qofqi7FhdraskGCZ0r
                       V7Lj2IQIZNzdkznxpi8hHk="
                  ]
              }
          ]
      }
      

      Resolved for POC testing purposes by simply setting x5c to null and returning it from RsaJWK.parse.

      Possible resolution:
      a) parse the x5c as .getList(X509Certificate.class) and then call Base64.decode on each element in turn
      b) the x5c field should really be List<X509Certificate>; pass the decoded bytes to a CertificateFactory
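      Both suggested resolutions come down to decoding each x5c entry as standard base64 and turning the bytes into a certificate. The example below is added for this page and is not OpenAM code: it does that in Python with a minimal DER walk in place of a CertificateFactory, tolerates a lone string where RFC 7517 requires an array, and adds the RFC 7517 section 4.7 check that the first certificate carries the same public key as n and e. The JWK and its cert-shaped DER are constructed inside the block and are not the prospect's key.

```python
import base64

def _der_read(buf, pos):                     # one DER TLV at pos -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                            # long-form length
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def _der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _der_read(body, pos)
        out.append((tag, val))
    return out

def _der_tlv(tag, body):                     # encoder for the sample only; short-form lengths suffice
    return bytes([tag, len(body)]) + body
def _der_int(i):                             # INTEGER with the sign bit kept clear
    return _der_tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))
def b64url_to_int(s):                        # n and e are base64url without padding
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def rsa_key_from_cert(der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo -> RSAPublicKey (n, e)."""
    fields = _der_children(_der_children(_der_read(der, 0)[1])[0][1])
    if fields[0][0] == 0xA0:                 # optional explicit [0] version
        fields = fields[1:]
    spki = fields[5][1]                      # after serial, sigAlg, issuer, validity, subject
    bits = _der_children(spki)[1][1]         # BIT STRING after AlgorithmIdentifier
    mod, exp = _der_children(_der_read(bits, 1)[1])  # skip the unused-bits byte
    return int.from_bytes(mod[1], "big"), int.from_bytes(exp[1], "big")

def load_rsa_jwk(jwk):
    """x5c as list or lone string, standard base64 (RFC 7517 s4.7, not base64url); x5c[0] must match n/e."""
    x5c = jwk.get("x5c")
    certs = [base64.b64decode(c, validate=True) for c in ([x5c] if isinstance(x5c, str) else x5c or [])]
    n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
    if certs and rsa_key_from_cert(certs[0]) != (n, e):
        raise ValueError("x5c[0] public key does not match n/e")
    return {"n": n, "e": e, "x5c": certs}

def build_sample_jwk(n=0xC0FFEE123456789ABCDEF1, e=65537):
    """Constructed sample, not the key from the report: a small modulus inside a
    cert-shaped DER skeleton (empty names and validity), referenced as n/e and x5c."""
    seq = lambda *p: _der_tlv(0x30, b"".join(p))
    spki = seq(seq(), _der_tlv(0x03, b"\x00" + seq(_der_int(n), _der_int(e))))
    tbs = seq(_der_tlv(0xA0, _der_int(2)), _der_int(1), seq(), seq(), seq(), seq(), spki)
    cert = seq(tbs, seq(), _der_tlv(0x03, b"\x00"))
    enc = lambda i: base64.urlsafe_b64encode(i.to_bytes((i.bit_length() + 7) // 8, "big")).rstrip(b"=").decode()
    return {"kty": "RSA", "use": "sig", "n": enc(n), "e": enc(e), "x5c": [base64.b64encode(cert).decode()]}
```

      Against a real JWKS the same walk applies to each x5c entry, but a production parser should hand the decoded DER to a real X.509 library rather than this skeleton walker.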

        People

        • Assignee:
          markdr Mark de Reeper
        • Reporter:
          javed.shah Javed Shah