alunduil · August 23, 2017 00:33
diff --git a/auth0 JWK investigation b/auth0 JWK investigation
 I did a bit more investigation. Adding two equals for padding on the end allows
 the data to be decoded by base64 on the command line. I'm not sure if I'm
 getting the correct data but it is base64 decoding with the padding.

 Assuming that the data is correct, it's too many bytes to be a DER thumbprint
 (should be 20 bytes but I get 40 bytes). This is probably due to a hex
 conversion or string format operation entering the equation that shouldn't be
 there. In fact, I did a little analysis (included for reference) and this is
 exactly what is happening:

 ```bash
 curl --silent https://alunduil.auth0.com/.well-known/jwks.json | jq -r '.keys[].x5t'
 OUJDMzVDNkM5RUUyMUZBMEU5NkNCNzgyNUMwNzk1RTc1QzYxQ0JDOA

 # Example of incorrect base64 encoding:
 echo -n OUJDMzVDNkM5RUUyMUZBMEU5NkNCNzgyNUMwNzk1RTc1QzYxQ0JDOA | base64 -d
 9BC35C6C9EE21FA0E96CB7825C0795E75C61CBC8base64: invalid input

 # Correct base64 encoding:
 echo -n OUJDMzVDNkM5RUUyMUZBMEU5NkNCNzgyNUMwNzk1RTc1QzYxQ0JDOA== | base64 -d
 9BC35C6C9EE21FA0E96CB7825C0795E75C61CBC8%

 # Key fingerprint:
 curl --silent https://alunduil.auth0.com/.well-known/jwks.json | jq -r '.keys[0].x5c[0]' | base64 -d | openssl x509 -inform der -in - -sha1 -noout -fingerprint
 SHA1 Fingerprint=9B:C3:5C:6C:9E:E2:1F:A0:E9:6C:B7:82:5C:07:95:E7:5C:61:CB:C8
 ```

 Note that the hex bytes of the fingerprint align with the string we received
 from base64 decoding. Of course, using the fact that Haskell's jose library
 spits out a very particular error (which indicates base64 decoding is working
 well enough by the way): "incorrect number of bytes". That function for
 reference is:

 ```haskell
 instance FromJSON Base64SHA1 where
  parseJSON = withText "base64url SHA-1" $ parseB64Url (\bytes ->
    case B.length bytes of
      20 -> pure $ Base64SHA1 bytes
      _  -> fail "incorrect number of bytes")
 ```

 Which indicates we're not getting 20 bytes but some other value. My guess is
 that it's 40 bytes due to the string interpretation of the fingerprint but to
 answer that definitively we need to poke in parseB64Url first:

 ```haskell
 parseB64Url :: (B.ByteString -> Parser a) -> T.Text -> Parser a
 parseB64Url f = maybe (fail "Not valid base64url") f . preview base64url . E.encodeUtf8
 ```
	I did a bit more investigation. Adding two equals for padding on the end allows
	the data to be decoded by base64 on the command line. I'm not sure if I'm
	getting the correct data but it is base64 decoding with the padding.

	Assuming that the data is correct, it's too many bytes to be a DER thumbprint
	(should be 20 bytes but I get 40 bytes). This is probably due to a hex
	conversion or string format operation entering the equation that shouldn't be
	there. In fact, I did a little analysis (included for reference) and this is
	exactly what is happening:

	```bash
	curl --silent https://alunduil.auth0.com/.well-known/jwks.json \| jq -r '.keys[].x5t'
	OUJDMzVDNkM5RUUyMUZBMEU5NkNCNzgyNUMwNzk1RTc1QzYxQ0JDOA

	# Example of incorrect base64 encoding:
	echo -n OUJDMzVDNkM5RUUyMUZBMEU5NkNCNzgyNUMwNzk1RTc1QzYxQ0JDOA \| base64 -d
	9BC35C6C9EE21FA0E96CB7825C0795E75C61CBC8base64: invalid input

	# Correct base64 encoding:
	echo -n OUJDMzVDNkM5RUUyMUZBMEU5NkNCNzgyNUMwNzk1RTc1QzYxQ0JDOA== \| base64 -d
	9BC35C6C9EE21FA0E96CB7825C0795E75C61CBC8%

	# Key fingerprint:
	curl --silent https://alunduil.auth0.com/.well-known/jwks.json \| jq -r '.keys[0].x5c[0]' \| base64 -d \| openssl x509 -inform der -in - -sha1 -noout -fingerprint
	SHA1 Fingerprint=9B:C3:5C:6C:9E:E2:1F:A0:E9:6C:B7:82:5C:07:95:E7:5C:61:CB:C8
	```

	Note that the hex bytes of the fingerprint align with the string we received
	from base64 decoding. Of course, using the fact that Haskell's jose library
	spits out a very particular error (which indicates base64 decoding is working
	well enough by the way): "incorrect number of bytes". That function for
	reference is:

	```haskell
	instance FromJSON Base64SHA1 where
	parseJSON = withText "base64url SHA-1" $ parseB64Url (\bytes ->
	case B.length bytes of
	20 -> pure $ Base64SHA1 bytes
	_ -> fail "incorrect number of bytes")
	```

	Which indicates we're not getting 20 bytes but some other value. My guess is
	that it's 40 bytes due to the string interpretation of the fingerprint but to
	answer that definitively we need to poke in parseB64Url first:

	```haskell
	parseB64Url :: (B.ByteString -> Parser a) -> T.Text -> Parser a
	parseB64Url f = maybe (fail "Not valid base64url") f . preview base64url . E.encodeUtf8
	```