search

frasertweedale / hs-jose

Haskell JOSE and JWT library
http://hackage.haskell.org/package/jose
Apache License 2.0
122 stars 46 forks source link

CompactDecodeError "expected NonEmpty a, encountered String" when JWT includes `x5t` #75

Closed ecthiender closed 5 years ago

ecthiender commented 5 years ago

Setup

I have a JWT [1], which has a x5t parameter in the header. Which is base64url-encoded. According to https://tools.ietf.org/html/rfc7515#section-4.1.7

The "x5t" (X.509 certificate SHA-1 thumbprint) Header Parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate [RFC5280] corresponding to the key used to digitally sign the JWS.

The value of the x5t parameter is g5ZleTFZSqkxwQSbQ8eQFqfoxOE%3D.

Problem

When I call the decodeCompact function on the JWT, I get the following error: JWSError (CompactDecodeError "expected NonEmpty a, encountered String")

If I remove the x5t parameter, it works fine.

I'm unable to detect/debug what the exact issue is. Any help would be appreciated :)

Other details

[1] (the JWT) :

eyJhbGciOiJSUzI1NiIsImtpZCI6IjgzOTY2NTc5MzE1OTRBQTkzMUMxMDQ5QjQzQzc5MDE2QTdFOEM0RTEiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJnNVpsZVRGWlNxa3h3UVNiUThlUUZxZm94T0UlM0QifQ.eyJuYmYiOjE1NDMzMjAwMzksImV4cCI6MTU0NDQyNDYzOSwiaXNzIjoiaHR0cDovL3BvbGFyLXJlZnVnZS01MTAzMS5oZXJva3VhcHAuY29tIiwiYXVkIjpbImh0dHA6Ly9wb2xhci1yZWZ1Z2UtNTEwMzEuaGVyb2t1YXBwLmNvbS9yZXNvdXJjZXMiLCJhcGkxIl0sImNsaWVudF9pZCI6InJvLmNsaWVudCIsInN1YiI6IjEiLCJhdXRoX3RpbWUiOjE1NDMzMjAwMzksImlkcCI6ImxvY2FsIiwic2NvcGUiOlsiYXBpMSJdLCJhbXIiOlsicHdkIl0sInJ1bGVib29rX2NsYWltcyI6eyJ4LWhhc3VyYS1hbGxvd2VkLXJvbGVzIjpbInVzZXIiLCJhZG1pbiJdLCJ4LWhhc3VyYS1kZWZhdWx0LXJvbGUiOiJhZG1pbiIsIngtaGFzdXJhLXVzZXItaWQiOiI0ZDQwNjRkMS1jMzNmLTQyM2ItYjI2Mi1mMzJlYTE2OTY0YWEifX0.d6-Mc9E1zZJZaIpT2bSkrIrCUVirs2afGg6fYhzjrUN-WYs9aYssRrCWGTLWGDWy_aLbP1s0JJSX7R12kD9mXyKmisCfyVu40RRwF4kaRzlzB-HF7_jNrf8URzUBx46D3yNgW2jnQfFXPY7Vj3bb2iqiNPdCgiJ1wIi3KVP2TiAe2O12cvi6k5LWKsmtpM5sO2Oq8jWN0khEQsL8MrUAKLL5MLriM7s7kHRxSqJck1_2LPR05Na45lMw_LZSW10oKKSUxTlhJO2pXSc-4-fE3--UB4I9_chE7Nf4KrlLf-g-eibQ4S2oOerpnl06pxWKsLG8j0RmS0A1j4a6_U_RhH1GnKpAfZBysyYXzufEyDuhi9tGZFTy4W_qpMaxqOb8_hSxj-cm9UpEbuQOOmGxIwTw4lkJR4ZjiKcfwdCBnEm7tGGIGDkizCTtPohuVZr7LhJqGF-zUB7VbqYwtzbUs6C4qZOyhOdLUjY22rR15TlSgYPcsm4PjZV1ewPnIDCkdUXPeLgabSFr8hiaQTrWEkeqhdq0GHRxVal1KpAEzEK_crOPWQGjiyK9MwFaPiZgJGMP2LOp-TXPLxqLfK6Wruyf-AJRin4bxMyHxpG5RACymPW2IAo-NSbfEyyAMnZne1IXYfcQNTyDqecZWUBp9No3IDsxIg5N7nJBq7PHnj8

The public key part of the signing key is:

-----BEGIN CERTIFICATE-----
MIIEqjCCApICCQCLZRtRKZcpxTANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxy
dWxlYm9vay5hcHAwHhcNMTgxMTEyMTYyOTU0WhcNMTkxMTEyMTYyOTU0WjAXMRUw
EwYDVQQDDAxydWxlYm9vay5hcHAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCbBu3BlgOBDU9SKC6iroR+1aAEiUerOLwKDi0K4tqAOlXSPSOeRMlwZLMY
MKDLKgJ2ppYpFrxcm5LDwGSnk2jnw1b2JCDS57sFD3OUK59TxlHyKKmrj2pvxgDT
2tGy9Fa7ytXWu7t3hZIQJe2DkgbP9wwdKCsfUr91qI/4aFywOu9pnD9/Sz9KQlwl
CWgOGCF1ctfNPJlzVeUkwCqQ7W66rfrbwg7vBbX4bK0ZpRWai8fw7cAuITFsUgyG
lQRXidYIflKcS0gTyM4XuyXxC1eRYp/5t+e0L8zDsaShpsNXDlOKsp1PR2Bswsm3
z1Oz4FoxeqaTR58S00pr8YOhS+2x00+vf64yyLDxOkYem7Z9SNCe5drvYYZi83eZ
ezUWsVP1wpflsH0tIgaas7WIcru6BZDjjxr0fjkb4ttgHdE6gxe/3mdEmWC45Ey6
RjDuccSg9D/Fru4z3p9p6D2tUj8ftv7wPMQhfrM0bVNUfYVJ6+vQabQEWR4uZeTq
A2s8KTaKxPB4lCSQdPAQ4zCNkwe7dKAchgNZ5FMSesc5dofgW42ZrHgtOy/4Bmlr
h4HFqGxaJFxxohyQR65p3jRB2vZ2Es6LZ/ZUheXMUZGJdrciC2Fx+3RV2TuYe5y9
NzPgOGZPZtAk461kUEMzj6BzV6vHcuZzSa3+S0Fnwe7i9KzMiwIDAQABMA0GCSqG
SIb3DQEBCwUAA4ICAQB3ZgaMRwykbuFPXFQhcrG2uStwGcnjz/Z/1t9jU8PqtsqK
yS4yGWIqWKDQUaYtQNIT9BspVR0dG6rmvaUzsbhpeDure7O2Y7dF4LjhJsApOdDx
aw1T2OpU0rG0Ghy0deWuKFwL0wNQKOlxNqGQDFIttITfue8qJqDVtyMseFab/woT
WeCT6WkbTSaDPSwJQJzQha8kkcaSI+3v0cNhIdJUmCu2u+XumIw0IVWg5nU9f8t5
tGqLhxNN2CsMqg3gQur/KBqnAZPO79gJJ/fUKbCpp3/iNIJshM5sDz9NNsR1auiL
u2/HF4WyWwvrI0g8kC/8UxZs3RbcGBH4JuvuzZ6etiMcl5c/rBJjBTxYaWgb3OJX
5V8hD4Bu3cLbkTy0Gp0X7X9frXvSF60X1bIg/BA//4yBft7Sn7dvIa0WOSqDn01E
6V1kg8V0zu7X7FEQCoIdlfG6DgVelafBndeNn9brrmfBIMnnyKN+pN+AHp6NsLve
FROwQ3A60QlCln4QQrcgu4Wb61dQPkfmrwqTG0KyUWerv0v6vXkvS/HOAzR+zsgq
S0xdGJ5Q0tk+/d185wd8G9msAkjoCgwLHtHO8PEzxmx0dSrBH4oYkqZzd1ZcZF0v
UIgoD/6ufywgIvsuIrftAGD+3rn+wHwJFYgaMND+vNLxDf8fMnaH1l9cZWHDlg==
-----END CERTIFICATE-----

Using version: 0.7.0.0

frasertweedale commented 5 years ago

Hi @ecthiender, thanks for reporting.

The message is indeed cryptic. I will need to investigate why such a poor error is returned.

But the input is invalid: g5ZleTFZSqkxwQSbQ8eQFqfoxOE%3D is not a valid base64url value. Specifically, %3D is percent-encoded =. It should be stripped from the value.

I'll leave this open for now as a reminder to investigate why the error message sucks so bad :)

ecthiender commented 5 years ago

@frasertweedale ok that was me trying to be smart and followed some online blog (https://redthunder.blog/2017/06/08/jwts-jwks-kids-x5ts-oh-my/). The original x5t indeed did not have the %3D encoding. It was just g5ZleTFZSqkxwQSbQ8eQFqfoxOE. Even then I get the exact same error.

This has been an issue for a software that I write. You can find more details in the issue here: https://github.com/hasura/graphql-engine/issues/983#issuecomment-437957258

Let me know how else can I help and/or provide more details.

frasertweedale commented 5 years ago

@ecthiender ok, it's a bug that has already been fixed (https://github.com/frasertweedale/hs-jose/commit/32c3efdba2b3520a8052ba2fe07ab04c073b8ec9) but the fix hasn't made its way into a release yet. I'm planning to release v0.8 next week.

ecthiender commented 5 years ago

Thanks for your time and the fix. Eagerly waiting for the release (as this affects our users). :)

frasertweedale commented 5 years ago

Released v0.8.0.0. Closing this ticket now.