Skip to content

JCL-385: Improve PKCE verifier to always produce spec conforming values #517

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
acoburn merged 1 commit into from
Jun 9, 2023
Merged

JCL-385: Improve PKCE verifier to always produce spec conforming values #517

acoburn merged 1 commit into from
Jun 9, 2023

Conversation

@acoburn
Copy link
Collaborator

@acoburn acoburn commented Jun 8, 2023

Occasionally the CI/CD workflows will fail because the PKCE verifier is less than 43 characters (required by the spec). This can happen if the random number selected is too low, resulting in an encoded byte array that has too few characters.

This is fixed here by ensuring a minimum value for the BigInteger.

Effectively it changes the range from [0 - 2^256) to [2^256 - 2^257) so the generated byte array is always sufficiently long.

Imagine that the random number generator selects the number 250 -- this will be packed into a single octet and the entropy of the validator will be too low. This way, there will always be at least 32 octets.

@acoburn acoburn requested a review from a team as a code owner June 8, 2023 18:38
@acoburn acoburn force-pushed the JCL-385-pkce-verifier-length branch from a86257e to 2f301e0 Compare June 8, 2023 18:46
NSeydoux
NSeydoux reviewed Jun 9, 2023
View reviewed changes
openid/src/test/java/com/inrupt/client/openid/PKCETest.java
Comment on lines -36 to +32
assertTrue(PKCE.createChallenge("", "SHA-256").getBytes(UTF_8).length <= 128);
assertTrue(PKCE.createChallenge("🐶🐶🐶", "SHA-256").length() >= 43);
Copy link
Contributor

@NSeydoux NSeydoux Jun 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For my own understanding, was the .getBytes(UTF_8) useful in the first place?

Copy link
Collaborator Author

@acoburn acoburn Jun 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, the getBytes test was unnecessary. The spec requires checking the character length of the resulting string, not the size of the byte array. Admittedly, for ASCII strings, the two will be equivalent, but it is unnecessary

@acoburn acoburn merged commit 7226e75 into main Jun 9, 2023
@acoburn acoburn deleted the JCL-385-pkce-verifier-length branch June 9, 2023 10:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NSeydoux NSeydoux NSeydoux approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@acoburn @NSeydoux