
JWK validation fails when x5ts256 value is missing from original JWK #11

Closed
joshkaplinsky opened this issue Jan 3, 2024 · 5 comments
Labels: bug (Something isn't working)

joshkaplinsky commented Jan 3, 2024

When building a JWK from NewJWKFromMarshal, validation fails when the unmarshalled key (key from a remote host) does not contain an x5ts256 value and the x5c is present. This appears to be due to building the x5ts256 in the keyMarshal logic, resulting in a mismatch when the structs are compared with DeepEqual:

jwkset/marshal.go, lines 195 to 206 in b7c3a1f:

```go
haveX5C := len(options.X509.X5C) > 0
if haveX5C {
	for i, cert := range options.X509.X5C {
		m.X5C = append(m.X5C, base64.StdEncoding.EncodeToString(cert.Raw))
		if i == 0 {
			// Both thumbprints are always derived from the leading certificate,
			// even when the original JWK carried no x5t#S256 member.
			h1 := sha1.Sum(cert.Raw)
			m.X5T = base64.RawURLEncoding.EncodeToString(h1[:])
			h256 := sha256.Sum256(cert.Raw)
			m.X5TS256 = base64.RawURLEncoding.EncodeToString(h256[:])
		}
	}
}
```

This is a behavioral difference between keyfunc@2.1.0 and keyfunc@3.0.0. I'm curious if this would be expected behavior in the upgrade?

@joshkaplinsky joshkaplinsky changed the title Fail to validate due to mismatched X5TS256 values JWK validation fails when x5ts256 value is missing from original JWK Jan 3, 2024
MicahParks (Owner) commented

This is due to the updated JWK Set package being used. Are you able to provide the JWK Set you are working with? Ensure there is no private key material in it before passing it along.

MicahParks (Owner) commented

Thank you for making this issue.

I think this feature branch commit will likely solve the problem. I'll make a test, then confirm that it matches your original problem. Could get a release out tonight.

MicahParks (Owner) commented

I think this program would reproduce the error experienced. The upcoming changes should fix that.

```go
package main

import (
	"encoding/json"
	"log/slog"
	"os"

	"github.com/MicahParks/jwkset"
)

const (
	logErr = "error"
)

func main() {
	l := slog.Default()
	// A JWK Set with a single OKP key that carries x5c, x5t and x5t#S256.
	const rawJWKSet = `{"keys":[{"kty":"OKP","alg":"EdDSA","kid":"my-key-id","x5c":["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"],"x5t":"RTwmBuuqX7XB6UlVXVck9scuJSM","x5t#S256":"bRkXmcs_Kvo6nQrYE7ZWpvDtyoI5Hj_82ASr4eauTV8","crv":"Ed25519","x":"oPS6fXfbdNOVOUVSzlVZv4m-VOhHmEwBY9-ouLhbJuk"}]}`

	var marshal jwkset.JWKSMarshal
	err := json.Unmarshal([]byte(rawJWKSet), &marshal)
	if err != nil {
		l.Error("Failed to unmarshal JWK set.",
			logErr, err,
		)
		os.Exit(1)
	}

	// Drop x5t#S256 to mirror a remote JWK that never included it.
	marshal.Keys[0].X5TS256 = ""

	// With the bug present, this fails because the recomputed x5t#S256
	// no longer matches the (now empty) value in the original marshal.
	jwk, err := jwkset.NewJWKFromMarshal(marshal.Keys[0], jwkset.JWKMarshalOptions{}, jwkset.JWKValidateOptions{})
	if err != nil {
		l.Error("Failed to create JWK.",
			logErr, err,
		)
		os.Exit(1)
	}

	println(jwk.Marshal().KID)
}
```
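As an added example, not code from this issue or from the jwkset library: the check a JWK consumer should apply to the x5c, x5t and x5t#S256 members, accepting an absent thumbprint (the case that tripped the DeepEqual comparison here) while still rejecting a present one that does not match the leading x5c certificate. It uses only the standard library; the certificate is generated on the fly and the function names are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// checkThumbprints recomputes x5t (SHA-1) and x5t#S256 (SHA-256) over the first x5c certificate, per RFC 7517; an absent thumbprint is accepted, a present one must match.
func checkThumbprints(x5c []string, x5t, x5tS256 string) error {
	if len(x5c) == 0 {
		return errors.New("x5c is empty")
	}
	raw, err := base64.StdEncoding.DecodeString(x5c[0]) // x5c entries are standard base64, not base64url
	if err != nil {
		return fmt.Errorf("x5c[0] is not base64: %w", err)
	}
	if _, err := x509.ParseCertificate(raw); err != nil {
		return fmt.Errorf("x5c[0] is not a DER certificate: %w", err)
	}
	h1, h256 := sha1.Sum(raw), sha256.Sum256(raw)
	if want := base64.RawURLEncoding.EncodeToString(h1[:]); x5t != "" && x5t != want {
		return errors.New("x5t does not match x5c[0]")
	}
	if want := base64.RawURLEncoding.EncodeToString(h256[:]); x5tS256 != "" && x5tS256 != want {
		return errors.New("x5t#S256 does not match x5c[0]")
	}
	return nil
}

// selfSignedX5C returns a constructed, throwaway one-certificate x5c chain plus its correct x5t#S256.
func selfSignedX5C() (x5c []string, x5tS256 string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	h := sha256.Sum256(der)
	return []string{base64.StdEncoding.EncodeToString(der)}, base64.RawURLEncoding.EncodeToString(h[:])
}

func main() {
	x5c, s256 := selfSignedX5C()
	fmt.Println(checkThumbprints(x5c, "", ""), checkThumbprints(x5c, "", s256), checkThumbprints(x5c, "", "AAAA"))
}
```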

MicahParks (Owner) commented

I've fixed the identified bug in v0.5.5. Please let me know if I identified the bug you were expecting @joshkaplinsky and if the fix is to your expectations.

Thank you again for reporting this issue 🎉

joshkaplinsky (Author) commented

Thanks for the fast turnaround! Yes, this addresses my issue. Much appreciated!

@MicahParks MicahParks added the bug Something isn't working label Jan 4, 2024