Comments (11)
Hi @pandex ,
- yes, you never deal with compact serialization itself with jose2go. It takes your plain payload as a string (can be JSON or whatever else) and always returns the plain payload back.
- I don't think you should care about valid base64 strings; if base64.StdEncoding fails within the jose.Decode(...) call it will panic before attempting any further actions (now I think we probably can reconsider returning err instead, unsure why I did panic initially).
- Also you may be interested in two-phase validation, check out the docs: https://github.com/dvsekhvalnov/jose2go#two-phase-validation if you want to examine headers/content before actual decoding. And/or use dynamic verification keys.
from jose2go.
In what I am doing, all operations happen in microseconds or low double-digit milliseconds, except token decoding, which can take up to triple-digit milliseconds.
So the idea is to avoid it by doing a near cost-free token length, presence of space, etc. check prior to decode. No point decoding a malformed token string, which I assume is in constant time.
I am in fact using exactly the same two-phase validation code you pointed out. However, I have to assume the token received in the Authorization Bearer is from a bad actor and headers may have been bogus. Hence the current effort to see if there's anything I'm neglecting.
from jose2go.
So, help me understand. You want to check something before base64 decoding has happened, but after the token has been spliced into parts?
from jose2go.
It happens in this order:
// This is where the cheap validation occurs
if !isValidTokenString(tokenString) {
	log.Println("MALFORMED")
	return // reject here; nothing below should run for a malformed token
}
// MAY BE a valid token, so decode further
keyBytes, err1 := ioutil.ReadFile(baseDir + "demo.rsa") // get PRIVATE key
if err1 != nil {
	log.Println(err1)
	return
}
privateKey, err2 := Rsa.ReadPrivate(keyBytes)
if err2 != nil {
	log.Println(err2)
	return
}
j, err3 := jose.Decode(tokenString, privateKey) // the expensive step
if err3 != nil {
	log.Println(err3)
	return
}
And encryption is via:
token, err := jose.Encrypt(string(s), jose.RSA_OAEP, jose.A256GCM, publicKey)
where s is the JWT claims JSON.
from jose2go.
can you post isValidTokenString(..) source?
from jose2go.
Sure. It's a simple thing right now:
func isValidTokenString(s string) bool {
	l := len(s)
	if l < minTokenLen || l > maxTokenLen {
		fmt.Println("LENGTH ERROR")
		return false
	}
	if strings.Contains(s, " ") {
		fmt.Println("SPACE ERROR")
		return false
	}
	// base64 check: THIS DID NOT WORK
	// (a compact token is several '.'-separated base64url parts, not one
	// StdEncoding string, so decoding the whole string always fails)
	// _, err := base64.StdEncoding.DecodeString(s)
	// if err != nil {
	// 	fmt.Println("ENCODING ERROR")
	// 	return false
	// }
	return true // string MAY BE a valid token
}
from jose2go.
I'm not sure what minTokenLen and maxTokenLen are? How can you know max?
base64 decode is failing because:
- the token should be spliced into parts by splitting on '.'. This is what the compact package is doing.
- it is base64 url-safe encoded. You can use the base64url package inside jose2go.
But honestly it doesn't make much sense to me, because jose.Decode(..) will do exactly the same. No reason to do decoding twice, it is for sure a performance penalty.
So, what feature are you asking for? :) I really can't see anything new right now. You can perfectly do len constraints and illegal chars test outside of the library. And the Base64 check will be performed by the library itself anyway.
from jose2go.
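As an added example (not code from the thread or from jose2go), here is what those cheap pre-decode checks look like once the token is split on '.' and each part is treated as unpadded base64url, with the header's alg/enc compared against an allowlist before any key is loaded; the length bounds, allowlist and filler sample token are constructed assumptions:

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed bounds and allowlist (jose.RSA_OAEP + jose.A256GCM as in the thread).
const minTokenLen, maxTokenLen, jwePartCount = 64, 8192, 5
var allowedAlgs, allowedEncs = map[string]bool{"RSA-OAEP": true}, map[string]bool{"A256GCM": true}

// preflightJWE does the cheap structural checks that belong before jose.Decode:
// length bounds, no whitespace, five base64url parts, allowlisted alg/enc.
func preflightJWE(tok string) error {
	if n := len(tok); n < minTokenLen || n > maxTokenLen {
		return fmt.Errorf("length %d out of bounds", n)
	}
	if strings.ContainsAny(tok, " \t\r\n") {
		return fmt.Errorf("whitespace in token")
	}
	parts := strings.Split(tok, ".") // header.encryptedKey.iv.ciphertext.tag
	if len(parts) != jwePartCount {
		return fmt.Errorf("expected %d parts, got %d", jwePartCount, len(parts))
	}
	for i, p := range parts { // unpadded base64url: StdEncoding (as in the thread) rejects it
		if _, err := base64.RawURLEncoding.DecodeString(p); err != nil {
			return fmt.Errorf("part %d is not base64url: %v", i, err)
		}
	}
	hdrJSON, _ := base64.RawURLEncoding.DecodeString(parts[0]) // validated above
	var hdr struct{ Alg, Enc string } // encoding/json matches "alg"/"enc" case-insensitively
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return fmt.Errorf("header is not JSON: %v", err)
	}
	if !allowedAlgs[hdr.Alg] || !allowedEncs[hdr.Enc] {
		return fmt.Errorf("alg %q / enc %q not allowed", hdr.Alg, hdr.Enc)
	}
	return nil
}

// buildSample constructs a JWE-shaped token with filler parts (no real ciphertext).
func buildSample(alg, enc string) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf(`{"alg":%q,"enc":%q}`, alg, enc)))
	filler := strings.Repeat("A", 44) // constructed base64url filler
	return strings.Join([]string{hdr, filler, filler, filler, filler}, ".")
}

func main() { fmt.Println(preflightJWE(buildSample("RSA-OAEP", "A256GCM"))) }
```

A token missing its fifth part, as mentioned later in the thread, is rejected by the part-count check before any base64 or key work happens.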
Sorry, minTokenLen/maxTokenLen are my own constants, defined elsewhere.
I'm OK with base64 checking not working, it'd have been a quick check of multiple things in one swoop, but I'll do it outside the package. My assumption that any change of the string would invalidate it was wrong. Live and learn. So no new request, today. :)
from jose2go.
I just have to figure out where the missing 5th part of the token is (in code that had been working fine for weeks) tomorrow. Thanks.
from jose2go.
Hi @pandex , safe to close issue?
from jose2go.
Sorry, please close it, all's good.
from jose2go.