
Comments (11)

dvsekhvalnov commented on May 16, 2024

Hi @pandex,

  1. Yes, you never deal with the compact serialization itself with jose2go. It takes your plain payload as a string (can be JSON or whatever else) and always returns the plain payload back.
  2. I don't think you should care about valid base64 strings; if base64.StdEncoding fails within the jose.Decode(...) call it will panic before attempting any further actions (now I think we can probably reconsider returning err instead; unsure why I chose to panic initially).
  3. Also you may be interested in two-phase validation, check out the docs: https://github.com/dvsekhvalnov/jose2go#two-phase-validation if you want to examine headers/content before actual decoding. And/or use dynamic verification keys.

from jose2go.

pandex commented on May 16, 2024

In what I am doing, all operations happen in microseconds or low double-digit milliseconds, except token decoding, which can take up to triple-digit milliseconds.

So the idea is to avoid it by doing a near cost-free check (token length, presence of spaces, etc.) prior to decoding. There's no point decoding a malformed token string, which I assume is in constant time.

I am in fact using exactly the same two-phase validation code you pointed out. However, I have to assume the token received in the Authorization Bearer header is from a bad actor and the headers may have been bogus. Hence the current effort to see if there's anything I'm neglecting.

dvsekhvalnov commented on May 16, 2024

So, help me understand. You want to check something before base64 decoding happens, but after the token has been spliced into parts?

pandex commented on May 16, 2024

It happens in this order:

package main

import (
    "io/ioutil"
    "log"

    jose "github.com/dvsekhvalnov/jose2go"
    Rsa "github.com/dvsekhvalnov/jose2go/keys/rsa"
)

func decodeToken(tokenString, baseDir string) {
    // This is where the cheap validation occurs
    if !isValidTokenString(tokenString) {
        log.Println("MALFORMED")
        return // no point decoding a malformed token
    }

    // MAY BE a valid token, so decode further
    keyBytes, err1 := ioutil.ReadFile(baseDir + "demo.rsa") // get PRIVATE key
    if err1 != nil {
        log.Println(err1)
        return
    }

    privateKey, err2 := Rsa.ReadPrivate(keyBytes)
    if err2 != nil {
        log.Println(err2)
        return
    }

    // jose.Decode returns the plain payload and the parsed headers
    payload, headers, err3 := jose.Decode(tokenString, privateKey)
    if err3 != nil {
        log.Println(err3)
        return
    }
    log.Println(payload, headers)
}

And encryption is via:

token, err := jose.Encrypt(string(s), jose.RSA_OAEP, jose.A256GCM, publicKey)

where s is the JWT claims JSON.

dvsekhvalnov commented on May 16, 2024

Can you post the isValidTokenString(..) source?

pandex commented on May 16, 2024

Sure. It's a simple thing right now:

// needs the fmt and strings imports; minTokenLen and maxTokenLen are
// the author's own constants, defined elsewhere
func isValidTokenString(s string) bool {
    l := len(s)
    if l < minTokenLen || l > maxTokenLen {
        fmt.Println("LENGTH ERROR")
        return false
    }
    if strings.IndexAny(s, " ") != -1 {
        fmt.Println("SPACE ERROR")
        return false
    }
    // base64 check: THIS DID NOT WORK
    // _, err := base64.StdEncoding.DecodeString(s)
    // if err != nil {
    //     fmt.Println("ENCODING ERROR")
    //     return false
    // }
    return true // string MAY BE a valid token
}

dvsekhvalnov commented on May 16, 2024

I'm not sure what minTokenLen and maxTokenLen are? How can you know the max?

base64 decode is failing because:

  1. The token should be spliced into parts by splitting on '.'. This is what the compact package is doing.
  2. It is base64 URL-safe encoded. You can use the base64url package inside jose2go. But honestly it doesn't make much sense to me, because jose.Decode(..) will do exactly the same. No reason to do the decoding twice; it is for sure a performance penalty.

So, what feature are you asking for? :) I really can't see anything new right now. You can perfectly well do the len constraints and illegal chars test outside the library. And the Base64 check will be performed by the library itself anyway.

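The pre-decode filter the thread converges on (length and whitespace check, split on '.', per-part base64url check instead of StdEncoding on the whole string), written out as an added example that is not code from either participant or from jose2go. The length bounds, the 5-part JWE compact layout and the pinning of the header to the RSA-OAEP/A256GCM pair used in the Encrypt call above are assumptions of the example, and sampleToken builds a constructed, cryptographically meaningless token for trying it out.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed shape of the JWE compact token (RSA-OAEP / A256GCM); bounds are constructed values.
const (
	minTokenLen  = 64
	maxTokenLen  = 8192
	jwePartCount = 5 // header.encrypted_key.iv.ciphertext.tag
)

// precheckJWE is the cheap filter to run before jose.Decode. It does no crypto: it rejects
// input that cannot be a JWE compact token and pins alg/enc, so a token claiming another
// algorithm never reaches the private key.
func precheckJWE(token string) error {
	if l := len(token); l < minTokenLen || l > maxTokenLen {
		return fmt.Errorf("length %d outside [%d, %d]", l, minTokenLen, maxTokenLen)
	}
	if strings.ContainsAny(token, " \t\r\n") {
		return fmt.Errorf("whitespace in token")
	}
	parts := strings.Split(token, ".") // compact serialization: split on '.'
	if len(parts) != jwePartCount {
		return fmt.Errorf("expected %d parts, got %d", jwePartCount, len(parts))
	}
	var raw [][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p) // unpadded base64url, not StdEncoding
		if err != nil {
			return fmt.Errorf("part %d is not base64url: %w", i, err)
		}
		raw = append(raw, b)
	}
	var hdr struct{ Alg, Enc string } // encoding/json matches "alg"/"enc" case-insensitively
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RSA-OAEP" || hdr.Enc != "A256GCM" {
		return fmt.Errorf("header rejected: alg=%q enc=%q err=%v", hdr.Alg, hdr.Enc, err)
	}
	return nil
}

// sampleToken builds a structurally valid token from constructed zero-filled parts.
func sampleToken(alg, enc string) string {
	e := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "enc": enc})
	return strings.Join([]string{e(hdr), e(make([]byte, 256)), e(make([]byte, 12)),
		e(make([]byte, 32)), e(make([]byte, 16))}, ".")
}
```

A token that passes this filter is only structurally plausible; jose.Decode still does the real base64url decoding, key unwrap and tag verification.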

pandex commented on May 16, 2024

Sorry, minTokenLen/maxTokenLen are my own constants, defined elsewhere.

I'm OK with base64 checking not working; it'd have been a quick check of multiple things in one swoop, but I'll do it outside the package. My assumption that any change to the string would invalidate it was wrong. Live and learn. So no new request, today. :)

pandex commented on May 16, 2024

I just have to figure out where the missing 5th part of the token is (in code that had been working fine for weeks) tomorrow. Thanks.

dvsekhvalnov commented on May 16, 2024

Hi @pandex, safe to close the issue?

pandex commented on May 16, 2024

Sorry, please close it, all's good.
