@axeldahlberg

Function validateHttpRequest in http.ts is missing a CAT object with the configuration "expectCwtTag: true".

If cwtTag is not expected, then renewToken creates a token without the CWT tag:

await newCat.mac({ k: key, kid: opts.kid }, opts.alg, {
	noCwtTag: !this.expectCwtTag 
});

Example from http.test.ts:
where:

const validator = new CAT({
  keys: this.keys,
});
test('can autorenew when autorenew is enabled', async () => {
0YRDoQEFoQRMU3ltbWV0cmljMjU2eQE4YTYwMTY3NjU3OTY1NzY2OTZlNmUwNDFhNjgxZGRlMDkwNjFhNjgxZGRkOTEwNzUwNTJkNTliMDM4ZjA1NDlhZGJiYThjMGYxYjc1MGUyNjExOTAxMzYwMTE5MDE0M2E3MDAwMjA0Nzc2Mzc0NjEyZDYzNmY2ZDZkNmY2ZTJkNjE2MzYzNjU3MzczMmQ3NDZmNmI2NTZlMDM3NzYzNzQ2MTJkNjM2ZjZkNmQ2ZjZlMmQ2MTYzNjM2NTczNzMyZDc0NmY2YjY1NmUwNjgzNjY1MzY1NjM3NTcyNjU2ODQ4NzQ3NDcwNGY2ZTZjNzk3ODFhNDQ2ZjZkNjE2OTZlM2QyZTY1Nzk2NTc2Njk2ZTZlMmU3NDY1NjM2ODZlNmY2YzZmNjc3OTA3MTkwMTJkMDExODc4MDIxODNjWCBYRnFO6CUrd0ZoUyNWv2whDPODkhPqZlmTS7MFYZAxlw

In cbor.zone

{
  "error": "invalid_request",
  "error_description": The CBOR data item following the tag number '17' failed to be parsed as a COSE message: The third element of COSE_Mac0 must be a byte array or null.
}

In another CBOR tool:
cbor.nemo tool

d18443a10105a1044c53796d6d657472696332353679013861363031363736353739363537363639366536653034316136383164646530393036316136383164646439313037353035326435396230333866303534396164626261386330663162373530653236313139303133363031313930313433613730303032303437373633373436313264363336663664366436663665326436313633363336353733373332643734366636623635366530333737363337343631326436333666366436643666366532643631363336333635373337333264373436663662363536653036383336363533363536333735373236353638343837343734373034663665366337393738316134343666366436313639366533643265363537393635373636393665366532653734363536333638366536663663366636373739303731393031326430313138373830323138336358205846714ee8252b774668532356bf6c210cf3839213ea6659934bb30561903197
17([
    h'a10105',
    {4: h'53796d6d6574726963323536'},
    "a6016765796576696e6e041a681dde09061a681ddd91075052d59b038f0549adbba8c0f1b750e26119013601190143a7000204776374612d636f6d6d6f6e2d6163636573732d746f6b656e03776374612d636f6d6d6f6e2d6163636573732d746f6b656e06836653656375726568487474704f6e6c79781a446f6d61696e3d2e65796576696e6e2e746563686e6f6c6f67790719012d01187802183c",
    h'5846714ee8252b774668532356bf6c210cf3839213ea6659934bb30561903197',
])
a6016765796576696e6e041a681dde09061a681ddd91075052d59b038f0549adbba8c0f1b750e26119013601190143a7000204776374612d636f6d6d6f6e2d6163636573732d746f6b656e03776374612d636f6d6d6f6e2d6163636573732d746f6b656e06836653656375726568487474704f6e6c79781a446f6d61696e3d2e65796576696e6e2e746563686e6f6c6f67790719012d01187802183c
{
  1: "eyevinn",
  4: 1746787849,
  6: 1746787729,
  7: h'52d59b038f0549adbba8c0f1b750e261',
  310: 1,
  323: {
    0: 2,
    4: "cta-common-access-token",
    3: "cta-common-access-token",
    6: [
      "Secure",
      "HttpOnly",
      "Domain=.eyevinn.technology"
    ],
    7: 301,
    1: 120,
    2: 60
  }
}

where:

const validator = new CAT({
  keys: this.keys,
  expectCwtTag: true
});

Generates correct tags:

2D3RhEOhAQWhBExTeW1tZXRyaWMyNTZYnKYBZ2V5ZXZpbm4EGmgd3YQGGmgd3QwHUA7FmjyptXPtib8h6UOvWR4ZATYBGQFDpwACBHdjdGEtY29tbW9uLWFjY2Vzcy10b2tlbgN3Y3RhLWNvbW1vbi1hY2Nlc3MtdG9rZW4Gg2ZTZWN1cmVoSHR0cE9ubHl4GkRvbWFpbj0uZXlldmlubi50ZWNobm9sb2d5BxkBLQEYeAIYPFggU-PqUBIv9sf148XUAgrfDfyzJspiIMleMWCkQKtbkH0
61(17(/ COSE_Mac0 / [
  / protected / <<
    {
      1: 5
    }
  >>,
  / unprotected / {
    4: h'53796d6d6574726963323536'
  },
  h'a6016765796576696e6e041a681ddd84061a681ddd0c07500ec59a3ca9b573ed89bf21e943af591e19013601190143a7000204776374612d636f6d6d6f6e2d6163636573732d746f6b656e03776374612d636f6d6d6f6e2d6163636573732d746f6b656e06836653656375726568487474704f6e6c79781a446f6d61696e3d2e65796576696e6e2e746563686e6f6c6f67790719012d01187802183c',
  h'53e3ea50122ff6c7f5e3c5d4020adf0dfcb326ca6220c95e3160a440ab5b907d'
]))
{
  1: "eyevinn",
  4: 1746787716,
  6: 1746787596,
  7: h'0ec59a3ca9b573ed89bf21e943af591e',
  310: 1,
  323: {
    0: 2,
    4: "cta-common-access-token",
    3: "cta-common-access-token",
    6: [
      "Secure",
      "HttpOnly",
      "Domain=.eyevinn.technology"
    ],
    7: 301,
    1: 120,
    2: 60
  }
}
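
The two dumps above differ in their outer framing: the rejected token decodes as 17([...]) with a text-string payload, the accepted one as 61(17([...])) with a byte-string payload. The following check for that difference is an added example, not code from this PR or from the Eyevinn project. The names head, skip and inspectCat are hypothetical, and the sample tokens are constructed with placeholder MAC bytes.

```javascript
// Added example, not code from the PR: classify the outer CBOR framing of a CAT.
const CWT_TAG = 61;        // CWT tag, as in the 61(17(...)) dump
const COSE_MAC0_TAG = 17;  // COSE_Mac0 tag

// Read one CBOR head at offset o: major type, argument, offset after the head.
function head(buf, o) {
  if (o >= buf.length) throw new Error('truncated CBOR');
  const major = buf[o] >> 5, info = buf[o] & 0x1f;
  if (info < 24) return { major, val: info, next: o + 1 };
  if (info > 27) throw new Error('indefinite or reserved lengths are not handled here');
  const n = 1 << (info - 24); // 1, 2, 4 or 8 argument bytes
  let val = 0;
  for (let i = 0; i < n; i++) val = val * 256 + buf[o + 1 + i];
  return { major, val, next: o + 1 + n };
}

// Skip one complete data item and return the offset of the next one.
function skip(buf, o) {
  const h = head(buf, o);
  if (h.major === 2 || h.major === 3) return h.next + h.val; // bstr, tstr
  if (h.major === 6) return skip(buf, h.next);               // tag wraps one item
  if (h.major !== 4 && h.major !== 5) return h.next;         // ints, simple, floats
  let p = h.next;
  for (let i = h.major === 4 ? h.val : h.val * 2; i > 0; i--) p = skip(buf, p);
  return p;
}

function inspectCat(token) {
  const buf = Buffer.from(token, 'base64url');
  const tags = [];
  let h = head(buf, 0);
  while (h.major === 6) { tags.push(h.val); h = head(buf, h.next); }
  if (h.major !== 4 || h.val !== 4) throw new Error('expected a 4-element COSE array');
  const p = skip(buf, skip(buf, h.next)); // past protected and unprotected headers
  return {
    tags,
    hasCwtTag: tags[0] === CWT_TAG && tags[1] === COSE_MAC0_TAG,
    // COSE_Mac0 payload must be a byte string (major type 2) or null (0xf6)
    payloadOk: head(buf, p).major === 2 || buf[p] === 0xf6,
  };
}

// Constructed samples: claims {1: "x"}, 2-byte placeholder instead of a real MAC.
const b64u = (hex) => Buffer.from(hex, 'hex').toString('base64url');
const TAGGED = b64u('d83dd18443a10105a104426b3144a1016178420000');
const UNTAGGED_TEXT_PAYLOAD = b64u('d18443a10105a104426b31686131303136313738420000');

console.log(inspectCat(TAGGED), inspectCat(UNTAGGED_TEXT_PAYLOAD));
```

This inspects framing only and does not verify the MAC.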


@birme birme left a comment

LGTM, thanks!

@birme birme merged commit a0071f3 into Eyevinn:main May 9, 2025
2 of 3 checks passed