klaxit / hidden-secrets-gradle-plugin

🔒 Deeply hide secrets on Android
MIT License

Result of decoding JWT is incorrect #25

Closed m-nogas closed 3 years ago

m-nogas commented 3 years ago

When I encode/decode a JWT, it is decoded to an incorrect string. Here is a sample with a random JWT.

Sample JWT:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2MDk4ODM4MzMsImV4cCI6MTY0MTQxOTgzMywiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.e2tiZHYwmHVR-9cm5Wtuq3Ye6Ar3h3r0iqRp75XxVA0

Hidden with ./gradlew hideSecret -Pkey="$SAMPLE_JWT" -PkeyName=SampleJWT

The result of Secrets().getSampleJWT(packageName) is (newline characters included)

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2MDk4ODM4MzMsImV4cCI6MTY0MTQxOTgzMywiYXVkIjo;L~y0b71uKs"h}'TP:7"*s0
*Gwec@8W9 D:S
k#J\Awg
1D
F{P}mY.ffFRNi_HzgVgIbKHLy/cDxc] p~Dbhnkr9ZNglH1B  cWs&yl%GFMu:Wu}@OLbffJ6D
eF7#D#.?9l
&=:]~P?{e9J)Wj,%yQ]

Here is a screenshot of the value at the break point for better clarity:


The first part of the decoded string seems to be correct, and then it goes awry.

ben-j69 commented 3 years ago

Hello, thanks for the feedback.

From my tests, the encoding goes fine until the key eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2MDk4ODM4MzMsImV4cCI6MTY0MTQxOTgzMywiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZX

If I add the character Q, it starts to go wrong as you reported. The same problem appears if I use another character instead of Q.

It might be a string size issue as reported in https://github.com/klaxit/hidden-secrets-gradle-plugin/issues/16

I need to make more tests to see if it is an encoding or decoding issue. Until the issue is fixed, if you need a long key you can split it into shorter keys.
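A round-trip regression check of the kind this thread performs by hand, added here as an example and not part of the plugin or of anyone's comment: it models the hiding scheme as an XOR of the secret bytes against a key stream derived from SHA-256 of the package name (a simplified assumption about the plugin's design, not its code) and reports the first index at which the decoded value diverges from the original, which is how the correct-prefix-then-garbage symptom above can be localized. The package name, the sample JWT reuse and the deliberately broken decoder used to exercise the check are constructed for the example.

```python
"""Round-trip check for a hidden secret: decode what was encoded and locate
the first divergence from the original value.

Added example; models the scheme as XOR against a SHA-256-derived key stream
(an assumption, not the plugin's implementation).
"""
import hashlib
from typing import Optional

# Constructed sample inputs: the JWT quoted in the issue and a hypothetical package name.
SAMPLE_JWT = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2MDk4"
    "ODM4MzMsImV4cCI6MTY0MTQxOTgzMywiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFt"
    "cGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRA"
    "ZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0."
    "e2tiZHYwmHVR-9cm5Wtuq3Ye6Ar3h3r0iqRp75XxVA0"
)
PACKAGE_NAME = "com.example.app"  # hypothetical package name


def key_stream(package_name: str, length: int) -> bytes:
    """Repeat SHA-256(package_name) until it covers `length` bytes (modelled key derivation)."""
    digest = hashlib.sha256(package_name.encode("utf-8")).digest()
    repeats = length // len(digest) + 1
    return (digest * repeats)[:length]


def obfuscate(secret: str, package_name: str) -> bytes:
    """Build-time side: XOR every secret byte with the key stream."""
    data = secret.encode("utf-8")
    return bytes(a ^ b for a, b in zip(data, key_stream(package_name, len(data))))


def deobfuscate(blob: bytes, package_name: str) -> str:
    """Runtime side: XOR with the same key stream to recover the secret."""
    raw = bytes(a ^ b for a, b in zip(blob, key_stream(package_name, len(blob))))
    return raw.decode("utf-8", errors="replace")


def first_mismatch(expected: str, actual: str) -> Optional[int]:
    """Index of the first differing character; None when identical. A length
    difference counts as a mismatch at the shorter string's end."""
    for i, (e, a) in enumerate(zip(expected, actual)):
        if e != a:
            return i
    if len(expected) != len(actual):
        return min(len(expected), len(actual))
    return None


def round_trip_check(secret: str, package_name: str) -> Optional[int]:
    """None when encode+decode reproduces the secret, else the divergence index."""
    decoded = deobfuscate(obfuscate(secret, package_name), package_name)
    return first_mismatch(secret, decoded)


def broken_deobfuscate(blob: bytes, package_name: str, key_len: int) -> str:
    """Constructed faulty decoder for the example: its key buffer only covers
    `key_len` bytes, so bytes beyond that are emitted still obfuscated."""
    key = key_stream(package_name, min(key_len, len(blob)))
    head = bytes(a ^ b for a, b in zip(blob[:key_len], key))
    return (head + blob[key_len:]).decode("utf-8", errors="replace")


def broken_round_trip_check(secret: str, package_name: str, key_len: int) -> Optional[int]:
    """Same check run against the constructed faulty decoder: the returned
    index shows where the correct prefix ends, as in the report above."""
    decoded = broken_deobfuscate(obfuscate(secret, package_name), package_name, key_len)
    return first_mismatch(secret, decoded)


if __name__ == "__main__":
    print("correct decoder divergence:", round_trip_check(SAMPLE_JWT, PACKAGE_NAME))
    print("faulty decoder divergence:", broken_round_trip_check(SAMPLE_JWT, PACKAGE_NAME, 100))
```

Run against the real plugin, the equivalent is an instrumented test that compares `Secrets().getSampleJWT(packageName)` with the value passed to `hideSecret` and logs the index returned by `first_mismatch`; the index tells you whether the fault is tied to a fixed buffer size (always the same index) or to the key content (index moves when the secret changes), which is the distinction the maintainer is trying to make here.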

m-nogas commented 3 years ago

I did try splitting it in half, which didn't help. I will try splitting it further today if I get some time. Thanks

ben-j69 commented 3 years ago

@m-nogas I cut it into two parts without any issue, can you try please?

I did: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2MDk4ODM4MzMsImV4cCI6MTY0MTQxOTgzMywiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTm and FtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.e2tiZHYwmHVR-9cm5Wtuq3Ye6Ar3h3r0iqRp75XxVA0

m-nogas commented 3 years ago

Sorry, didn't see your comment until now. I was coming back to update that I tried chopping it into four parts and it worked :)

ben-j69 commented 3 years ago

Hello @m-nogas, I think I found the issue: the sha256 generation is broken in some cases.

From the PR https://github.com/klaxit/hidden-secrets-gradle-plugin/pull/21 you can update your project by copying into your files:

ben-j69 commented 3 years ago

Fixed in release 0.1.1