Base64url without padding #18
Comments
I think there are actually three different possible behaviors here:
```go
func base64URLDecode(value string) ([]byte, error) {
	if strings.HasSuffix(value, "=") {
		return base64.URLEncoding.DecodeString(value)
	}
	return base64.RawURLEncoding.DecodeString(value)
}
```

(Notably, the sample code in RFC 7515, Appendix C does none of these: it attempts to do (2), but in fact is perfectly willing to accept a string with a single padding character that should have had two padding characters.)
@jsha Can we close this with the v4 release?
We're working on upgrading letsencrypt/boulder to v3. In the process I noticed PR #3, which changes go-jose so it accepts base64url inputs with any amount of padding characters (`=`). As justification, it cites the example implementation of base64url without padding from RFC 7515, appendix C. However, I think that interpretation is incorrect. I'll reproduce the example here for convenience:
This code adds the exact correct amount of padding before handing off the now-padded string to C#'s Convert.FromBase64String function, which verifies the correct padding.
I think there is no support in RFC 7515 for arbitrarily padded base64url strings. I'd like to propose reverting PR #3.
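An added example, not part of the original issue or of go-jose's code: it runs three decoding policies over constructed spellings of the same single byte, showing which padded forms each one accepts. `decodePaddedOrRaw` mirrors the function quoted in the comment above; `decodeStrict`, `decodeAnyPadding` and `acceptance` are hypothetical names, and `decodeAnyPadding` is only a stand-in for the "any amount of padding" behaviour the issue describes.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// decodeStrict accepts only unpadded base64url.
func decodeStrict(s string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(s)
}

// decodePaddedOrRaw is the function quoted in the comment above:
// either no padding or exactly the correct padding.
func decodePaddedOrRaw(s string) ([]byte, error) {
	if strings.HasSuffix(s, "=") {
		return base64.URLEncoding.DecodeString(s)
	}
	return base64.RawURLEncoding.DecodeString(s)
}

// decodeAnyPadding is a hypothetical stand-in for "any amount of padding":
// it drops every trailing '=' before decoding. Not go-jose's actual code.
func decodeAnyPadding(s string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(s, "="))
}

// acceptance reports, in order, whether the strict, padded-or-raw and
// any-padding decoders accept s.
func acceptance(s string) [3]bool {
	var out [3]bool
	decoders := []func(string) ([]byte, error){decodeStrict, decodePaddedOrRaw, decodeAnyPadding}
	for i, d := range decoders {
		_, err := d(s)
		out[i] = err == nil
	}
	return out
}

func main() {
	// Constructed inputs: every one is some spelling of the single byte 0x01.
	for _, in := range []string{"AQ", "AQ==", "AQ=", "AQ==="} {
		fmt.Printf("%-6q strict/padded-or-raw/any-padding = %v\n", in, acceptance(in))
	}
}
```

Under the any-padding policy all four strings decode to the same byte, so several distinct encoded values map to one decoded value.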