-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support of hashes in base64 url encoded format without padding. End goal to support x5t (X.509 Certificate SHA-1 Thumbprint), x5t#S256 (X.509 Certificate SHA-256 Thumbprint) #2849
Comments
I wonder about that, the function as described sounds pretty specific.. I would lean towards adding smaller building blocks that we could use with the existing hash functions and our encoding ones. Although I'm not sure how we could handle it. @tsandall any ideas? I guess the root of the problem is we essentially want to pass around a byte array, its not clear how best to do that. |
Yes if these functions most likely won't be used it's also possible to add these x5t, x5t_256 fields to the certificate parsing, but that would make the Rego certificate struct to deviate from Golang. Example:
|
This feature branch implements three builtins; base64url.encode_no_pad, hex.encode and hex.decode. Example:
|
The builtin hash algorithms hex encode the result. To use the hash functions there must be possible to decode the value and re-encode it in the expected format. This enables validation of x5t/x5t_s256, which are base64 url encoded hashes. Fixes: open-policy-agent#2849 Signed-off-by: Johannes Larsson <johannes.a.larsson@gmail.com>
The builtin hash algorithms hex encode the result. To use the hash functions there must be possible to decode the value and re-encode it in the expected format. This enables validation of x5t/x5t_s256, which are base64 url encoded hashes. Fixes: #2849 Signed-off-by: Johannes Larsson <johannes.a.larsson@gmail.com>
Expected Behaviour
As part of a custom JWS validation there is a need to calculate these hashes; x5t and x5t#S256 from a x509 public certificate.
Example:
The RFC https://tools.ietf.org/html/rfc7515#section-4.1.8, mentions that
base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate
. Appendix C clarify that the base64 encoding must be unpadded (https://tools.ietf.org/html/rfc7515#appendix-C).Actual Behaviour
All existing hashing algorithms (crypto.md5, crypto.sha1 and crypto.sha256) hex encode the result. Another solution could be to introduce hex decoding, but I'm not sure how useful it would be.
Additional Info
Feature branch:
master...johanneslarsson:feature/base64_url_encode_hash
The text was updated successfully, but these errors were encountered: