hidekatsu-izuno / josekit-rs

JOSE (JavaScript Object Signing and Encryption) library for Rust (based on OpenSSL).
Apache License 2.0

x509_certificate_chain must be encoded in STANDARD, not URL_SAFE_NO_PAD or STANDARD_NOPAD #20

Closed hidekatsu-izuno closed 1 year ago

hidekatsu-izuno commented 1 year ago

x509_certificate_chain is encoded as STANDARD_NOPAD or STANDARD_NOPAD. But this behavior violates the specification.

https://www.rfc-editor.org/rfc/rfc7515#page-11

[4.1.6](https://www.rfc-editor.org/rfc/rfc7515#section-4.1.6).  "x5c" (X.509 Certificate Chain) Header Parameter

...
Each string in the array is a base64-encoded ([Section 4 of [RFC4648]](https://www.rfc-editor.org/rfc/rfc4648#section-4) -- not base64url-encoded) DER [[ITU.X690.2008](https://www.rfc-editor.org/rfc/rfc7515#ref-ITU.X690.2008)] PKIX certificate value.

hidekatsu-izuno commented 1 year ago

I have released v0.8.2 which fixes this bug.
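
An added example, not code from josekit-rs: a std-only Rust check that classifies an `x5c` string against the RFC 7515 section 4.1.6 rule quoted in this issue and rewrites the non-compliant encodings to padded standard base64. The names `X5cEncoding`, `classify_x5c_entry` and `to_standard` are hypothetical, and the sample strings are constructed, not real certificates.

```rust
// Added example (std only). RFC 7515 section 4.1.6 requires each "x5c" string
// to be base64 per RFC 4648 section 4: alphabet A-Z a-z 0-9 + /, '=' padded.
// Only the text encoding is checked here; the DER content is not parsed.
#[derive(Debug, PartialEq)]
pub enum X5cEncoding {
    Standard,      // compliant
    StandardNoPad, // standard alphabet, '=' padding missing
    UrlSafe,       // base64url alphabet ('-' or '_' present)
    Invalid,       // not base64 of either kind
}

pub fn classify_x5c_entry(s: &str) -> X5cEncoding {
    use X5cEncoding::*;
    let body = s.trim_end_matches('=');
    let pad = s.len() - body.len();
    // One leftover character can never encode a whole byte.
    if body.is_empty() || pad > 2 || body.len() % 4 == 1 {
        return Invalid;
    }
    let std_ok = body.chars().all(|c| c.is_ascii_alphanumeric() || c == '+' || c == '/');
    let url_ok = body.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_');
    match (std_ok, url_ok, body.len() % 4, pad) {
        (true, _, 0, 0) | (true, _, 2, 2) | (true, _, 3, 1) => Standard,
        (true, _, _, 0) => StandardNoPad,
        (false, true, _, _) => UrlSafe,
        _ => Invalid,
    }
}

// Rewrite a recognisable entry to the form the RFC requires.
pub fn to_standard(s: &str) -> Option<String> {
    if classify_x5c_entry(s) == X5cEncoding::Invalid {
        return None;
    }
    let mut out: String = s.trim_end_matches('=').chars()
        .map(|c| match c { '-' => '+', '_' => '/', other => other })
        .collect();
    while out.len() % 4 != 0 {
        out.push('=');
    }
    Some(out)
}

fn main() {
    // Constructed samples: the bytes 0xFB 0xFF in three encodings, plus junk.
    for entry in ["+/8=", "+/8", "-_8", "+_8="] {
        println!("{:6} {:?} -> {:?}", entry, classify_x5c_entry(entry), to_standard(entry));
    }
}
```

A string made only of letters and digits whose length is a multiple of four is valid in every variant, so it is reported as `Standard`.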