Open inf9144 opened 2 months ago
Hi, I will try to check this issue this weekend, there is also another to fix.
This issue was already fixed but not published. This is now available with the package https://www.nuget.org/packages/JsonWebToken/2.0.0-beta.5.
This is still a beta version, because there are still issues with some JSON structures.
Hello, in EC JWK the size is calculated by:
but it should be
because Crv.Name.EncodedUtf8Bytes is copied in Canonicalize:
This is a problem because ComputeThumbprint uses this Value for the call to ComputeHash:
Sha256.Shared.ComputeHash(buffer.Slice(0, canonicalizeSize), span);
The buffer is either from ArrayPool or from Stackalloc - ArrayPool does not garantuee to null the array. So you get random Kids when the last bytes differ because they dont get initialized.
I think the Renting is also wrong - you use Stackalloc if canonicalSize is bigger than 256 - i think the condition should be reversed - using stack alloc for smaller arrays right?
I didnt check for RSA and the others, potentially they share some of those bugs.
I can do PRs if you like. Right now our project is running on your "2.0.0-beta.4" i would like to have a stable version :-)
If you dont do maintenance on this project i would be ready to fork this - your library is awesome and much better than the crap Microsoft implemented for their authorization. Want to see it fly :-)