Skip to content

fix(ffi): validate JWK base64url encoding#329

Open
mfazrinizar wants to merge 1 commit into
google:masterfrom
mfazrinizar:fix/jwk-base64url-validation
Open

fix(ffi): validate JWK base64url encoding#329
mfazrinizar wants to merge 1 commit into
google:masterfrom
mfazrinizar:fix/jwk-base64url-validation

Conversation

@mfazrinizar

Copy link
Copy Markdown
Contributor

Summary

Fixes #328.

The shared FFI JWK decoder currently accepts padded values and characters from the standard Base64 alphabet.

This PR validates the decoded value by re-encoding it as canonical unpadded base64url and comparing it with the original input. It therefore rejects:

  • explicit Base64 padding
  • the standard Base64 alphabet
  • other non-canonical encodings

The regression tests use HMAC JWK import as a representative public API path. The decoder is shared by the FFI HMAC, AES, EC, and RSA implementations.

Testing

Verified with:

  • dart format --output=none --set-exit-if-changed .
  • git diff --check
  • dart analyze
  • dart test test/webcrypto_test.dart -p vm -n 'JWK: rejects'
  • dart test test/webcrypto_test.dart -p chrome -n 'JWK: rejects'
  • dart test test/webcrypto_test.dart -p vm
  • dart test test/webcrypto_test.dart -p chrome

@mfazrinizar mfazrinizar marked this pull request as ready for review July 16, 2026 11:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug: FFI backend's JWK imports accept padded and standard Base64 values

1 participant