Jan Bernhardt created CXF-9032:
----------------------------------
Summary: JWK keystore type is not getting loaded if JWT contains x5t header
Key: CXF-9032
URL: https://issues.apache.org/jira/browse/CXF-9032
Project: CXF
Issue Type: Bug
Components: JAX-RS Security
Affects Versions: 4.0.4, 3.6.3, 3.5.8
Reporter: Jan Bernhardt
Assignee: Colm O hEigeartaigh
Within the `loadSignatureVerifier` method of
[JwsUtils|https://github.com/apache/cxf/blob/main/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java]
(line number 400) the code first checks the inHeaders and, if references are
found, tries to load a Java Keystore instance. Only if no matching inHeaders are
present does the code check whether a keystore.type "jwk" is defined (line number 442)
and, if so, load certificates from that URL.

However, if an inHeader is matching (for example the JWT header contains an x5t
entry), then the following code tries to create a new keystore of type "jwk",
which leads to a "no java security provider found for that keystore type"
exception.

Therefore I would recommend that the code order should get changed and that the
loadSignatureVerifier method first checks if the keystore.type is "jwk" and
only if this is not the case, continue with the inHeaders code as of now.
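To make the ordering problem concrete, here is a small stand-alone Java model of the two check orders described above. It is an added illustration, not CXF's code: the method names `chooseSourceReportedOrder` and `chooseSourceProposedOrder`, the bare property name `keystore.type` (CXF's real property carries a prefix that is not shown on this page), and the `x5t` sample value are all constructed for the example. The only real behaviour relied on is that `KeyStore.getInstance("jwk")` throws `KeyStoreException` because no JCA provider registers a keystore type named "jwk".

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Map;
import java.util.Properties;

/**
 * Constructed model of the verifier-selection ordering discussed in CXF-9032.
 * Not the CXF implementation; names and property keys are illustrative.
 */
public class VerifierSelectionOrder {

    // Illustrative property name (the real CXF property is prefixed differently).
    static final String KEYSTORE_TYPE = "keystore.type";

    /** Ordering as reported: header hints are consulted before the JWK check. */
    static String chooseSourceReportedOrder(Properties props, Map<String, String> jwsHeaders)
            throws KeyStoreException {
        String type = props.getProperty(KEYSTORE_TYPE);
        if (jwsHeaders.containsKey("x5t")) {
            // A matching header leads straight to a JCA KeyStore of the configured
            // type; for type "jwk" there is no provider, so this throws.
            KeyStore.getInstance(type);
            return "java-keystore(" + type + ")";
        }
        if ("jwk".equalsIgnoreCase(type)) {
            return "jwk-set";
        }
        return "default";
    }

    /** Proposed ordering: decide on "jwk" first, fall back to header-driven lookup. */
    static String chooseSourceProposedOrder(Properties props, Map<String, String> jwsHeaders)
            throws KeyStoreException {
        String type = props.getProperty(KEYSTORE_TYPE);
        if ("jwk".equalsIgnoreCase(type)) {
            // JWK sets are not JCA keystores, so never ask the JCA for them,
            // regardless of which hint headers the token carries.
            return "jwk-set";
        }
        if (jwsHeaders.containsKey("x5t")) {
            KeyStore.getInstance(type); // e.g. "JKS" or "PKCS12", which do have providers
            return "java-keystore(" + type + ")";
        }
        return "default";
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        props.setProperty(KEYSTORE_TYPE, "jwk");
        // Constructed JWS header set: the token carries an x5t thumbprint hint.
        Map<String, String> headers = Map.of("x5t", "constructed-thumbprint-value");

        try {
            System.out.println("reported order: " + chooseSourceReportedOrder(props, headers));
        } catch (KeyStoreException e) {
            // Expected with the reported ordering: no provider for keystore type "jwk".
            System.out.println("reported order failed: " + e.getMessage());
        }
        System.out.println("proposed order: " + chooseSourceProposedOrder(props, headers));
    }
}
```

Running the class shows the first call failing with a `KeyStoreException` while the second resolves to the JWK source, which is the reordering the issue proposes: treat `keystore.type=jwk` as a decision about where keys live, made before any per-token header hint is consulted.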
--
This message was sent by Atlassian Jira
(v8.20.10#820010)