Throw on decode certificate errors #899

tracyboehrer · 2021-01-11T15:03:25Z

JwtTokenExtractor.validateToken

                    // Note that decodeCertificate will return null if the cert could not
                    // be decoded.  This would likely be the case if it were in an unexpected
                    // encoding.  Going to err on the side of ignoring this check.
                    // May want to reconsider this and throw on null cert.
                    X509Certificate cert = decodeCertificate(key.certificateChain.get(0));
                    if (cert != null && !isCertValid(cert)) {
                        throw new JWTVerificationException("Signing certificate is not valid");
                    }

The text was updated successfully, but these errors were encountered:

tracyboehrer added P0 Must Fix. Release-blocker discussion Want to talk about this issue in order to reach a decision Area: Authentication The issue is related to authenticating users (SSO, OAuth, etc.) labels Jan 11, 2021

tracyboehrer added this to the R12 milestone Jan 11, 2021

tracyboehrer self-assigned this Jan 11, 2021

tracyboehrer removed the discussion Want to talk about this issue in order to reach a decision label Jan 13, 2021

tracyboehrer changed the title ~~Research null cert handling~~ Throw on null certificate Jan 13, 2021

tracyboehrer mentioned this issue Jan 14, 2021

Now throwing on certificate decoding errors #904

Merged

tracyboehrer changed the title ~~Throw on null certificate~~ Throw on decode certificate errors Jan 14, 2021

LeeParrishMSFT closed this as completed in #904 Jan 14, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Throw on decode certificate errors #899

Throw on decode certificate errors #899

tracyboehrer commented Jan 11, 2021

Throw on decode certificate errors #899

Throw on decode certificate errors #899

Comments

tracyboehrer commented Jan 11, 2021