googleapis / google-oauth-java-client

Google OAuth Client Library for Java
Apache License 2.0

[IdTokenVerifier] NullPointerException when JWKS URI returns keys with unsupported algorithms #1113

Open krezovic opened 6 months ago

krezovic commented 6 months ago

Environment details

  1. Specify the API at the beginning of the title. For example, "BigQuery: ..."). General, Core, and Other are also allowed as types
  2. OS type and version: Linux
  3. Java version: 21
  4. version(s): 1.35.0

Steps to reproduce

Consider the following JWKS response:


```json
{
  "keys": [
    {
      "kid": "5vU583TOxhaMcRv3dCX3_mrtGUXa7pBo3sPKjl_Gv0I",
      "kty": "RSA",
      "alg": "RSA-OAEP",
      "use": "enc",
      "n": "otab_WG_YBt2shafmjhX4y2KfTSvHs-N5xxbDvrHeI7WJUPp2E4KEss4cSIApz2NHOGEdk7ZJcMMFRdMtG75BncMgiBGo5rpNsUiZDrgFLYfBrQn77x8T1QaiHMe-QSS1XY0aqyXm5OMa-Zlw3dQ_51YvQPYyNqvXC1AJveVvNU3A-JbaqfeBW42X2F8qQzJuB_jlsdITZ1R8_hvg8iIjYsZUKu4ZfyEJoAxIHbQoJngIU4NU1bqafC0sXPu82Wg4HQ7B-HGdU_Jj4lAlDDCeAiPEKnDKcyLoMHqlrGR2MT4-RWmWlGsG2qIPhQ_6yQSQtkeBqpMEe9y_P8GmZc5xQ",
      "e": "AQAB",
      "x5c": [
        "<x5c certificate omitted>"
      ],
      "x5t": "7N9LQDsIRQWX1CwdB1kNS6sggoU",
      "x5t#S256": "rIoxmjsp759VIeDHROwDjSz19unrnYYGxzyzUKcmGqc"
    },
    {
      "kid": "mgBPyTnC6P8zHVSmc-KXReRfPZkzDlRMGqwprhCGjXo",
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "n": "tHkQHTC_DPQJ_ugxXaXO10UUOtLROI12Jfs_hJeQFZHmU98oM6FwtnPfU89-YYYrHG4w6ZeeZ1dhIkIVgYGgTpRTeG3eNW4Xrcp62v80bmhxSIo-TGDmA-U62e1JRg4ezxaA6mxI2f9pIlHA_1HyvxoK39NukkeFSbTwpViP3Vfjf2duybdtZx1B_dQSzH-kSODQIeDAVaTNeVv3Q2SUAQTPFAFQyslTDtdEY5VL-5IhtOBNU5D6RlgC5VFZjufZMQNHiqYSGA0vYg9a0FplQlTjiqht5KL3IWEYmzkPkzD1t7ZmVM0oyeViP9BiNbXQ5pjpar9BeRlyA4r0uoS_3w",
      "e": "AQAB",
      "x5c": [
        "<x5c certificate omitted>"
      ],
      "x5t": "OqPLxU_8NuiiF15-CVzA6RYHcYw",
      "x5t#S256": "F9P63VuoqJUGnWOS7WmRiTBrWMyEsq7Fg7I1qByQSV0"
    }
  ]
}
```

A NullPointerException will occur when `buildPublicKey` returns null due to the unsupported algorithm, which is RSA-OAEP.


However, since this is a JWKS verifier, not a decryptor, it makes sense to only process JWKS entries that have `use` set to `sig`.
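As an added illustration of the selection rule proposed above (not code from this issue or from the library, and in Python rather than the library's Java), the following filters a JWKS down to keys a signature verifier can use before any key object is built, so an `enc`/RSA-OAEP entry is skipped instead of becoming a null key. The supported-algorithm set and the sample JWKS are assumptions constructed for the example; the moduli are short dummies, not real keys.

```python
import base64
import json

# Assumption: signature algorithms this verifier accepts (the library's own
# set may differ). Encryption algorithms such as RSA-OAEP are not listed.
SUPPORTED_SIG_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}


def _b64url_to_int(value: str) -> int:
    """Decode a base64url big-endian unsigned integer (JWK 'n' / 'e')."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def select_signing_keys(jwks: dict) -> dict:
    """Return {kid: (n, e)} for JWKS entries usable for signature checks.

    Entries with use != "sig", an unsupported alg, or a non-RSA kty are
    skipped up front, so a later lookup by kid never dereferences null.
    """
    keys = {}
    for jwk in jwks.get("keys", []):
        # RFC 7517 makes "use" optional; absent is treated as acceptable.
        if jwk.get("use", "sig") != "sig":          # e.g. "enc" RSA-OAEP keys
            continue
        alg = jwk.get("alg")
        if alg is not None and alg not in SUPPORTED_SIG_ALGS:
            continue
        if jwk.get("kty") != "RSA" or "n" not in jwk or "e" not in jwk:
            continue                                # only RSA handled here
        keys[jwk["kid"]] = (_b64url_to_int(jwk["n"]), _b64url_to_int(jwk["e"]))
    return keys


# Constructed JWKS mirroring the report: one RSA-OAEP encryption key and one
# RS256 signing key. "AQID" decodes to 0x010203, "AQAB" to 65537.
SAMPLE_JWKS = json.loads("""
{"keys": [
  {"kid": "enc-key", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc",
   "n": "AQID", "e": "AQAB"},
  {"kid": "sig-key", "kty": "RSA", "alg": "RS256", "use": "sig",
   "n": "AQID", "e": "AQAB"}
]}
""")

if __name__ == "__main__":
    print(select_signing_keys(SAMPLE_JWKS))       # only "sig-key" survives
```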

Yaroslav-Nikolaev commented 3 weeks ago

I've never contributed to open source projects. As a result, I got stuck trying to push the fix :) Anyway, the fix is simple.


1113.patch